3.9 Attacks & exploits: Post-Exploitation Exploits Flashcards

1
Q

What is the post-exploitation phase, and what post-exploitation actions can a pentester perform (6)?

A

Any actions taken after a successful initial attack or exploit:
● Host enumeration
● Network enumeration
● Infrastructure enumeration
● Additional permissions
● Persistence
● Covert channels

2
Q

Enumerating the Network: what is enumeration?

A

The process of identifying and scanning network ranges and hosts on a target network to map out an attack surface

3
Q

Enumerating the Network: list the targets that can be enumerated (6)

A

▪ Users
▪ Groups
▪ Hosts
▪ Forests
▪ Sensitive data
▪ Unencrypted files

4
Q

Enumerating the Network: what is the Active Directory?

A

A central directory service that allows information to be stored, classified, and retrieved easily

5
Q

Enumerating the Network: explain this command “Get-NetDomain”

A

Get the current user’s domain

6
Q

Enumerating the Network: explain this command “Get-NetLoggedon”

A

Get the users that are logged on to a given computer

7
Q

Enumerating the Network: explain this command “cat /etc/passwd”

A

List all users on the system

8
Q

Enumerating the Network: explain this command “uname -a”

A

Displays the OS name, version, and other details

9
Q

Enumerating the Network: explain this command “env”

A

Outputs a list of all the environment variables

10
Q

Enumerating the Network: how to find sensitive data when enumerating a network (3)?

A

▪ Set up a network sniffer on a compromised host
▪ Use the Meterpreter payload and turn on its packet capturing function
▪ Look through the shared drives for data that is stored unencrypted

11
Q

Network Segmentation Testing: explain network segment

A

A portion of a network where all attached hosts can communicate freely with each other; segments are typically defined by:
● Subnets
● VLANs
● Firewalls

12
Q

Lateral Movement and Pivoting: explain Lateral Movement

A

A technique to progressively move through a network to search for the key data and assets that are ultimately the target of an attack campaign

13
Q

Lateral Movement and Pivoting: explain Pivoting

A

▪ The use of one infected computer to attack a different computer
▪ Pivoting uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations

14
Q

Pass the Hash: what is pass the hash and what is it used for?

A

A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.
▪ Pass the hash can be used to elevate privileges
▪ When pass the hash is used on a local workstation, then an attacker can gain local admin privileges

15
Q

Pass the Hash: explain how pass the hash attack works for SMB and Kerberos protocols (4)

A

It is possible to present the hash, without cracking the original password, to authenticate to network protocols such as SMB and Kerberos:

• Pass the Hash Attack for SMB:
  1- The attacker gains access to the hashed credentials of a user, which are typically stored in the Security Account Manager (SAM) or the Active Directory database on a Windows system.
  2- Instead of attempting to crack the hash to obtain the plaintext password, the attacker uses the captured hash directly to authenticate to other systems or resources within the same Windows domain that use the SMB protocol, such as file shares or printers.
  3- By presenting the captured hash during the SMB authentication process, the attacker can gain access to the targeted resources without needing the actual password.

• Pass the Hash Attack for Kerberos:
  1- Similar to the SMB scenario, the attacker obtains the hashed credentials of a user from the Windows domain’s authentication database, which stores password hashes.
  2- The attacker uses the captured hash to request a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC) in the Kerberos authentication process. The TGT is used to request access to specific services within the domain.
  3- With the TGT in hand, the attacker can request a Service Ticket for a specific service, such as a file server, using the captured hash. The Service Ticket allows access to the requested service without needing the plaintext password.
16
Q

Pass the Hash: what tools can you use to perform a pass the hash attack (4)?

A

▪ Mimikatz
▪ Metasploit
▪ Hydra
▪ Medusa

17
Q

Pass the Hash: what is Mimikatz and the related Local Security Authority Subsystem Service (lsass.exe) ?

A

▪ An open-source application that allows users to view and save authentication credentials in order to perform pass the hash attacks
▪ When you run the command “lsass.exe” in Mimikatz, it will attempt to extract login credentials from the memory of the lsass.exe process. This can include usernames and passwords that are currently in use on the system.

18
Q

Pass the Hash: which Metasploit modules can be used for a pass the hash attack (2), and which are Mimikatz-related hashdump modules (7)?

A

Mimikatz-related hashdump modules in Metasploit:
● post/linux/gather/hashdump
● post/pro/multi/gather/hashdump
● post/windows/gather/credentials/domain_hashdump
● post/windows/gather/credentials/mssql_local_hashdump
● post/windows/gather/credentials/skype
● post/windows/gather/credentials/avira_password
● post/windows/gather/credentials/mcafee_vse_hashdump

Test the usability of the hashes and pass or crack them using a password attack in Metasploit:
● exploit/windows/smb/psexec
● auxiliary/scanner/smb/smb_login

19
Q

Pass the Hash: How can you detect and mitigate against a pass the hash attack (4)?

A

▪ Detecting these types of attacks is very difficult because attacker activity cannot be easily differentiated from legitimate authentication
▪ Most antivirus and antimalware software will block tools that enable pass the hash attacks, such as Mimikatz or the Metasploit framework
▪ Restrict and protect high privileged domain accounts
▪ Restrict and protect local accounts with administrative privileges
▪ Restrict inbound traffic using the Windows Firewall to all workstations except for helpdesk, security compliance scanners, and servers

20
Q

Golden Ticket: what is a golden ticket?

A

While a pass the hash attack will work on local workstations, a Kerberos ticket is needed in an Active Directory environment. A golden ticket refers to a forged authentication ticket that grants an attacker unrestricted access to a network.
▪ Golden tickets can grant administrative access to other domain members and domain controllers

21
Q

Golden Ticket: explain krbtgt hash

A

The KRBTGT account is a built-in account used by the Key Distribution Center (KDC) in a Kerberos authentication system. The KRBTGT account’s password hash is a critical component of the Kerberos authentication process, as it is used to encrypt and sign all Ticket Granting Tickets (TGTs) issued by the KDC

22
Q

Golden Ticket: explain how krbtgt hash and golden ticket are related (4)

A

The KRBTGT account’s password hash is related to the creation of a golden ticket in the following way:

  1. Accessing ntds.dit: An attacker gains unauthorized access to the ntds.dit file, which is the Active Directory database containing sensitive information, including password hashes, stored on a domain controller.
  2. Extracting the KRBTGT hash: Within the ntds.dit file, the attacker specifically targets the password hash of the KRBTGT account, which is used to encrypt and sign all Ticket Granting Tickets (TGTs) issued by the Key Distribution Center (KDC) in the Kerberos authentication process.
  3. Creating the golden ticket: With the extracted KRBTGT hash in hand, the attacker uses it to craft a forged Ticket Granting Ticket (TGT) known as a “golden ticket.” The golden ticket is constructed to be valid for any user or service within the domain, effectively granting the attacker unrestricted access and the ability to impersonate any user without needing to authenticate to the KDC.
  4. Persistence and access: The golden ticket, being signed with the KRBTGT hash, remains valid until the KRBTGT account’s password is changed. This provides the attacker with persistent and unrestricted access to the domain, allowing them to move laterally, access sensitive resources, and perform malicious activities without needing to re-authenticate.
23
Q

Golden Ticket: how to prevent krbtgt hash attack and what to do if a golden ticket was created?

A

▪ Administrators should change the krbtgt account password regularly
▪ If a breach is suspected, change the krbtgt account password twice in a short period of time to invalidate the golden ticket

24
Q

Lateral Movement: what are remote access protocols and how are they related to lateral movement?

A

▪ Any combination of hardware and software that enables remote access to the tools or information that typically reside on a network of IT devices
▪ SSH, telnet, RDP, and VNC provide attackers the ability to laterally move across the network
▪ Attackers can use remote access protocols to move from host to host

25
Q

Lateral Movement: explain Windows Management Instrumentation Command-Line (WMIC) and how is it related to lateral movement?

A

▪ Provides users with a terminal interface and enables administrators to run scripts to manage Windows computers
▪ WMIC can be used as a vector in post-attack lateral movement

26
Q

Lateral Movement: explain PsExec

A

A tool developed as an alternative to Telnet and other remote access services which utilizes the Windows SYSTEM account for privilege escalation

27
Q

Lateral Movement: explain Virtual Network Computing

A

Allows you to connect using a graphical user interface to any operating system

27
Q

Lateral Movement: explain Windows PowerShell and PowerShell Empire

A

▪ A task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language
▪ The PowerShell Empire toolkit contains numerous prebuilt attack modules

28
Q

Lateral Movement: explain RPC/DCOM

A

Remote Procedure Call / Distributed Component Object Model:
▪ RPC: Inter-process communication between local and remote processes on Windows systems
▪ DCOM: Enables communication between different software components over a network

29
Q

Escalating Privileges: explain Privilege Escalation, Horizontal Privilege Escalation and Vertical Privilege Escalation

A

Privilege Escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than what is intended for the user or application:
● Horizontal Privilege Escalation: Focused on obtaining access to a regular user account at a different privilege level than the one currently in use
● Vertical Privilege Escalation: Attackers try to obtain access to an account with higher privileges than the one they currently have access to

30
Q

Escalating Privileges: sort the following from the most privileged to the least privileged: device drivers, kernel, application

A
  1. Kernel
  2. Device drivers
  3. Applications
31
Q

Escalating Privileges: explain SUID and how is it related to privilege escalation

A

SUID stands for “Set User ID” and is a special type of permission in Unix and Unix-like operating systems. When a file is given the SUID permission, it allows the user who executes the file to do so with the permissions of the file’s owner rather than the permissions of the user who is running the file. This can be particularly significant in the context of privilege escalation.

In the context of privilege escalation, an attacker may seek out files with the SUID permission to exploit them and gain elevated privileges. This is because when a file has the SUID bit set and is executed, it runs with the permissions of the file’s owner, which may be a privileged user or system account.

32
Q

Escalating Privileges: explain SGID and how is it related to privilege escalation

A

SGID stands for “Set Group ID” and is a special type of permission in Unix and Unix-like operating systems. When a file is given the SGID permission, it allows the user who executes the file to do so with the permissions of the file’s group owner, rather than the permissions of the user who is running the file. This can also be significant in the context of privilege escalation.

In the context of privilege escalation, an attacker may seek out files with the SGID permission to exploit them and gain elevated privileges. This is because when a file has the SGID bit set and is executed, it runs with the permissions of the file’s group owner, which may be a privileged group.

33
Q

Escalating Privileges: explain sudo find / -perm -04000

A
  • “sudo”: A command used to execute another command with elevated privileges, typically requiring administrative or superuser rights.
  • “find”: The command used to search for files and directories within a specified path.
  • “/”: Specifies the root directory as the starting point for the search.
  • “-perm -04000”: This flag instructs the “find” command to search for files with specific permissions. In this case, “-perm -04000” searches for files with the SUID or SGID bits set.
34
Q

Escalating Privileges: explain the Sticky Bit, how it is related to privilege escalation, and what tool / Metasploit module can be used to detect it (2)?

A

The sticky bit is a special permission in Unix and Unix-like operating systems that can be applied to directories. When the sticky bit is set on a directory, it restricts the ability to delete or rename files within that directory to the file’s owner, the directory’s owner, or the root user. This means that even if other users have write permissions to the directory, they cannot delete or rename files that they do not own. This feature is often used on directories that are shared among multiple users to prevent accidental deletion or modification of files by unauthorized users.

In the context of privilege escalation, the sticky bit is not typically a direct target for exploitation. However, understanding the presence of the sticky bit on directories is important for security assessments and maintaining proper access control. It can be relevant in scenarios where an attacker is attempting to manipulate files or directories to gain unauthorized access or escalate privileges.

▪ enum4linux
▪ auxiliary/scanner/smb/smb_enumshares

35
Q

Escalating Privileges: explain SUDO

A

Allows users to run programs with the privileges of another user

36
Q

Escalating Privileges: explain Ret2libc

A

An attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function

37
Q

Escalating Privileges: explain CronJobs and how is it related to privilege escalation

A

Cron is a time-based job scheduler in Unix-like operating systems. It allows users to schedule tasks, called cron jobs, to run periodically at specified intervals or specific times. These tasks can include running scripts, executing commands, or performing system maintenance.

In the context of privilege escalation, cron jobs can pose security risks if they are misconfigured or if they execute with elevated privileges. If a cron job is set to run with administrative or root-level privileges and it contains a vulnerability that can be exploited by an attacker, it could potentially be used as a means to gain elevated permissions and escalate privileges.

38
Q

Escalating Privileges: explain Cpassword and how is it related to privilege escalation

A

The “Cpassword” is a specific attribute within the Active Directory database. It is related to privilege escalation in the context of Windows networks.

The Cpassword attribute is used to store an encrypted version of a user’s password. When an attacker gains access to this attribute, they may attempt to decrypt it or use it in conjunction with other attack techniques to gain unauthorized access, escalate privileges, or perform lateral movement within the network.

If an attacker can access and decrypt the Cpassword attribute, they may obtain the plaintext password, allowing them to gain the privileges associated with the compromised account. This can potentially lead to privilege escalation and unauthorized access to sensitive resources within the network.

39
Q

Escalating Privileges: explain Kerberoasting

A

Any domain user can request a service ticket (TGS) for any account that has a service principal name (SPN) set

40
Q

Escalating Privileges: explain LSASS

A

Local Security Authority Subsystem Service

41
Q

Escalating Privileges: explain Credentials in LSASS

A

The process in Windows that enforces the security policy of the system

42
Q

Escalating Privileges: explain SAM Database

A

▪ A database file that stores the user passwords in Windows as an LM hash or NTLM hash
▪ Passwords can be cracked offline if the SAM file is stolen

43
Q

Escalating Privileges: explain Dynamic Link Library (DLL)

A

Provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or re-compiling of the application

44
Q

Escalating Privileges: explain Hijacking

A

A technique used to load a malicious DLL in the place of an accepted DLL

45
Q

Escalating Privileges: explain Unsecure File and Folder Permissions

A

Older versions of Windows allow administrators to access any non-admin user’s files and folders

46
Q

Escalating Privileges: explain Keylogger

A

Surveillance technology used to monitor and record the keystrokes of a victim user

47
Q

Escalating Privileges: explain Kernel Exploits

A

▪ Unpatched Windows and Linux systems are vulnerable to many different exploits
▪ Metasploit has a library of existing exploits
▪ You can attempt to bypass local UAC (User Account Control): Guest accounts should be disabled

48
Q

Upgrading Restrictive Shells: explain a restrictive shell and how to upgrade it (2)?

A

A shell where you are confined from being able to perform certain functions; it can be upgraded to a fully interactive shell with:
● python -c 'import pty; pty.spawn("/bin/bash")'
● perl -e 'exec "/bin/sh";'

49
Q

Upgrading Restrictive Shells: explain VI

A

▪ A text editor that can also run commands
▪ :set shell=/bin/sh followed by :shell
▪ The same type of restricted environment does not exist on Windows systems
▪ /bin/bash -i