SpiderLabs Blog

An Intro to NetSupport Manager Scripts

On a recent gig I was hit with hundreds of hosts running a service on TCP port 5405, the NetSupport remote management application. Running a version port scan against them revealed nothing more than:

5405/tcp open netsupport NetSupport PC remote control (Name: HOSTNAME)

The version scan didn't reveal anything apart from the hostname. Connecting to the port with Netcat just returned the hostname.

Looking at the known vulnerabilities associated with the service, the most notable was a buffer overflow. Not wanting to potentially cause disruption to hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.

A quick search around revealed there weren't many free tools available to perform such checks.

Downloading an evaluation copy of the software from NetSupport's website revealed the software provided its own proprietary scripting language (which looked a bit like VBScript) to help automate tasks. Although I couldn't find any manuals on using the scripting language, the examples provided with the software gave enough information to mash up a script to find all clients running the NetSupport client, check their version and check if authentication was required. This was all I needed for the time being.

The following was written locally and tested using the evaluation software before running it:

Print "NetSupport Manager Script to find clients and get their version numbers"

// Set the transport protocol to use
SetTransport(T_TCPIP)

// Declares the variables used in the main function
Dim Client
Dim Clientlist
Dim Count
Dim Mask
Dim MajorVersion, MinorVersion

// Starts the count to equal 0
Count = 0

// Performs a network browse for all available Clients
Client = Lookup(Mask, Clientlist)

// This will run the below condition for each client found in the browse
For each Client in Clientlist
    // Error checks the connection to the Client
    If Connect(CLIENT) = FALSE then
        Print " "
        Print "Could not connect to: - "
        Print Client
        Wait(0.2)
    Else
        Print " "
        Print "You have successfully connected to Client: - ", Client
        // Do some stuff while connected
        If GetClientVersion (MajorVersion, MinorVersion) then
            Print "Client ", CurrentClient (), " is running NetSupport version ", MajorVersion, ".", MinorVersion
        Endif
        Wait (0.2)
        // Checks if the disconnect from the Client machine worked or not
        If disconnect(Client) = FALSE then
            Print " "
            Print "Could not disconnect from "
            Print Client
            Wait(0.2)
        Else
            Print "You have successfully disconnected from Client: -", Client
            Wait(0.2)
        Endif
    Endif
    Count = Count + 1
Next

// Informs you if no Client machines were found in the lookup
If Count = 0 then
    Print " "
    Print "No Clients were found in the lookup!"
    Wait (0.2)
Else
    Print " "
    Print "The number of Clients found was ", Count
    Wait(0.2)
Endif

The results of the script are stored in the corresponding log file with the same name as the SCP file.

A typical response for hosts that require no authentication when a successful connection is made would be:

You have successfully connected to Client: - HOSTNAME|>192.168.1.110:5405 (HOSTNAME)
Retrieving client version
Retrieving default client name
Client HOSTNAME is running NetSupport version 12.0
Disconnecting from client 'HOSTNAME|>192.168.1.110:5405 (HOSTNAME)'
You have successfully disconnected from Client: -HOSTNAME|>192.168.1.110:5405 (HOSTNAME)
The number of Clients found was 10

For hosts configured with authentication whereby a password was required before connection, a typical response would be:

NetSupport Manager Script to find clients and get their version numbers
Setting a new default network transport
Searching network for clients
Connecting to client 'HOSTNAME|>192.168.1.111:5405 (HOSTNAME)'
Could not connect to: - HOSTNAME|>192.168.1.111:5405 (HOSTNAME)
The number of Clients found was 10

And if no clients were found (unlikely or why would you go to this trouble!) the response would be:

No Clients were found in the lookup!

I was later able to upload the script to another compromised host on the network and use the provided "runscrip.exe" executable to run it:

C:\Program Files (x86)\NetSupport\NetSupportManager>runscrip.exe /B ./dk_findclients.scp

Now, before using this there are a couple of things to be aware of:

  • If the script is invoked using the "runscrip.exe" file, it will bring up a window on the Manager host with the output, which may give the game away with a big log window suddenly popping up where the script was run!
  • It appears that only hosts configured as Managers in some versions have this EXE installed; clients don't appear to have it in the directory.
  • The alternative is to run the script from the GUI using the "Automation" option in the Manager, which allows you to create new scripts from the GUI. This does not lead to the log window popup being displayed, but the results will still be stored in the log file. But I guess you can only do this if you have some other method of gaining remote access, e.g. Terminal Services.
  • The script will also bring up a popup in the client's bottom right-hand corner if it successfully connects. This means that once the connection is made, the client will be notified. I've attempted to reduce the risk of the user noticing this by adding a "Wait(0.2)", which essentially has the effect of flashing the popup for 0.2 seconds. I couldn't prevent it from notifying the client. You can configure the client to run in "Silent" mode to stop the client from receiving any notifications, but this would mean messing around with the ini file and possibly risk corrupting it.

So using the NetSupport scripting engine I was able to find the versions of the software running on the hundreds of hosts on the network and target those that may be vulnerable. More notable was the number of hosts running with no authentication required. Of course, the power of this application can allow anyone to compromise hosts easily, allowing remote commands, file uploads and total control of the clients on the network. Therefore, due care and attention should be applied when running it on your corporate network, and at the very least ensure that all clients require a strong password before the Manager can connect.

It was a bit surprising that there aren't more free testing tools out there for this service. There are public exploits available, and the natural follow-up to this would involve writing my own test script without the need to use the NetSupport Manager to run it. I couldn't find any reference to the NetSupport Manager packet format. I did perform some quick protocol analysis on port 5405 between a manager and client and wrote a quick nmap script to output the response from the client when sending it a query (captured with Wireshark) from a manager, which worked in the test environment but didn't work in the customer environment. I'll carry out further testing and post it in my next blog update.
