Adventure Time – Warsaw Windows

DISCLAIMER: All the opinions and information expressed here are my own. At the time of writing I am still looking at Warsaw internals, now the Windows version which, like the OSX version has a very large attack surface (much larger I would guess) and as such this should be considered a work in progress.

This time I'll try to be very short, since I'm not reporting a vulnerability. As I described before, in short, Warsaw works very similarly to a rootkit and in a similar fashion it is quite an invasive software that can trace the user's actions.

After the installation process I notice some new drivers installed in my Windows 7 and 10 machines for testing purpose. As shown in the image below:

For now let's forget about the first four drivers/filters and keep focus in the last, WinDivert. After Googling, I realised the purpose of WinDivert and this was a bit shocking for me because I started almost immediately drawing some attack scenarios in my mind. You can find more information about WinDivert.

All my attack scenarios are post-exploitation, so none described here will give you access to the target, you obviously need previous access to the target and most important you will need to have administrator's privileges. Easy task for malware (infect after escalating privileges).

Before I describe my attack scenarios there is an important note. Microsoft is always implementing new security features to make Windows more secure and one of these key features since Windows 7 is that all drivers have to be signed. I strongly recommend you look for details in Windows documentation. For us, is only important to know that Warsaw give us a signed and installed driver, ready to use.

I will describe here 3 scenarios that I have in mind, since I have some legal doubts I'll not provide code for the 2 offensive scenarios here and I also need to do some additional work, but I'll give you the code samples that I used as a starting point in my POCs.

Regular Sniffer

Maybe this is the most useful scenario for Penetration Testers, like me. After gaining access to a target, one of our post-exploitation tasks is start to collect info (packets) from the network, aka Sniff. The sniffing task is not only popular in penetration tests but also, several malware and implants are able to collect network traffic from a compromised target using their own sniffer modules.

I tried to find good documentation about Network Sniffer plugins in Advanced Persistent Threats (APT), and there's too much. APTnotes is a good repository for APT reports. Maybe the best sample is that image from EquationDrug Kaspersky's report. Look the Plugin libraries.

And an additional sample is from Immunity Innuendo implant, not related with APT. Video. In this video they upload the WinPcap library to the target in order to enable the sniffer module. For instance, if the target was a Brazilian host, before uploading the WinPcap a simple task checks if Warsaw is installed and if it can address the lack of WinPcap library.

Simple Sniffer

Copy & Paste from Documentation

Attacking DNS

This scenario is pretty offensive and helpful for us Penetration Testers, but is also very helpful to cyber criminals, mainly in Brazil one of their favorite techniques is to change the DNS server of a compromised host or border router. One of Warsaw's tasks is the ability to easily monitor and notify of any changes in the hosts file.

Now can you imagine malware can changing the DNS queries/responses on the fly?

As promised no codes here, but you can use the TorWall project as your starting point. Keep your eyes on flush_dns_cahe and handle_dns functions, implemented in the redirect.c file.

SSL Local 'Decryption'

Like the previous scenario, this one is also helpful for Penetration Testers and cyber criminals. But here a malware can compromise all encrypted communication (SSL) on the infected host, man-in-the-middle. To be honest my implementation is working fairly well yet sometimes still misses HTTPS packets.
In order to develop my POC I used as sample code of another project described on the WinDivert page. The project is: Stahp It

After speaking with friends in the Security Industry, this scenario is certainly the most alarming one for the reasons mentioned above.

A malware can install a root CA like the Warsaw.

Additionally, WinDivert have bindings for Python and C# (.Net).

Pydivert & Divert.Net