3.9 Attacks & exploits: Post-Exploitation Exploits

Question 1

What is post-exploitation phase and are the post exploitation actions that a pentester can performed (6)?

Answer 1

Any actions taken after a successful initial attack or exploit:
● Host enumeration
● Network enumeration
● Infrastructure enumeration
● Additional permissions
● Persistence
● Covert channels

Question 2

Enumerating the Network: what is enumeration?

Answer 2

The process to identify and scan network ranges and host from a target network and map out an attack surface

Question 3

Enumerating the Network: list the targets that can be enumerated (6)

Answer 3

▪ Users
▪ Groups
▪ Hosts
▪ Forests
▪ Sensitive data
▪ Unencrypted files

Question 4

Enumerating the Network: what is the Active Directory?

Answer 4

A central directory service that allows our information to be stored, classified, and retrieved easily

Question 5

Enumerating the Network: explain this command “Get-NetDomain”

Answer 5

Get the current user’s domain

Question 6

Enumerating the Network: explain this command “Get-NetLoggedon”

Answer 6

Get users that are logged on a given computer

Question 7

Enumerating the Network: explain this command “cat/etc/passwd”

Answer 7

List all users on the system

Question 8

Enumerating the Network: explain this command “uname-a”

Answer 8

Displays the OS name, version, and other details

Question 9

Enumerating the Network: explain this command “env”

Answer 9

Outputs a list of all the environmental variables

Question 10

Enumerating the Network: how to find sensitive data when enumerating a network (3)?

Answer 10

▪ Set up a network Sniffer on a victimized host
▪ Use the interpreter payload and turn on the packet capturing function
▪ Start figuring out what things are on the share drive that is unencrypted

Question 11

Network Segmentation Testing: explain network segment

Answer 11

A portion of a network where all attached hosts can communicate freely with each other
● Subnets
● VLANs
● Firewalls

Question 12

Lateral Movement and Pivoting: explain Lateral Movement

Answer 12

A technique to progressively move through a network to search for the key data and assets that are ultimately the target of an attack campaign

Question 13

Lateral Movement and Pivoting: explain Pivoting

Answer 13

▪ The use of one infected computer to attack a different computer
▪ Pivoting uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations

Question 14

Pass the Hash: what is pass the hash and what is it used for?

Answer 14

A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.
▪ Pass the hash can be used to elevate privileges
▪ When pass the hash is used on a local workstation, then an attacker can gain local admin privileges

Question 15

Pass the Hash: explain how pass the hash attack works for SMB and Kerberos protocols (4)

Answer 15

It is possible to present the hash without cracking the original password to authenticate to network protocols such as SMB and Kerberos:
- Pass the Hash Attack for SMB:
1-The attacker gains access to the hashed credentials of a user, which are typically stored in the Security Account Manager (SAM) or the Active Directory database on a Windows system.
2- Instead of attempting to crack the hash to obtain the plaintext password, the attacker uses the captured hash directly to authenticate to other systems or resources within the same Windows domain that use the SMB protocol, such as file shares or printers.
3- By presenting the captured hash during the SMB authentication process, the attacker can gain access to the targeted resources without needing the actual password.

• Pass the Hash Attack for Kerberos:
  1- Similar to the SMB scenario, the attacker obtains the hashed credentials of a user from the Windows domain’s authentication database, which stores password hashes.
  2- The attacker uses the captured hash to request a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC) in the Kerberos authentication process. The TGT is used to request access to specific services within the domain.
  3- With the TGT in hand, the attacker can request a Service Ticket for a specific service, such as a file server, using the captured hash. The Service Ticket allows access to the requested service without needing the plaintext password.

Question 16

Pass the Hash: what tool can you use to perform pass the hash attack (4)?

Answer 16

▪ Mimikatz
▪ Metasploit
▪ Hydra
▪ Medusa

Question 17

Pass the Hash: what is Mimikatz and the related Local Security Authority Subsystem Service (lsass.exe) ?

Answer 17

▪ An open-source application that allows users to view and save authentication credentials in order to perform pass the hash attacks
▪ When you run the command “lsass.exe” in Mimikatz, it will attempt to extract login credentials from the memory of the lsass.exe process. This can include usernames and passwords that are currently in use on the system.

Question 18

Pass the Hash: what module of Metasploit can be used for pass the hash attack (2) and Mimikatz (7)?

Answer 18

Mimikatz in Metaspoit module:
● post/linux/gather/hashdump
● post/pro/multi/gather/hashdump
● post/windows/gather/credentials/ domain_hashdump
● post/windows/gather/credentials/mssql_local_hashdump
● post/windows/gather/credentials/skype
● post/windows/gather/credentials/avira_password
● post/windows/gather/credentials/mcafee_vse_hashdump

Test the usability and pass or crack them using a password attack in Metasploit:
● exploit/windows/smb/psexec
● auxilary/scanner/smb/smb_login

Question 19

Pass the Hash: How can you detect and mitigate against a pass the hash attack (4)?

Answer 19

▪ Detecting these types of attacks is very difficult because the attacker activity cannot be easily differentiated from legitimate authentication
▪ Most antivirus and antimalware software will block tools that allow pass the hash attack, such as Mimikatz or the Metasploit framework
▪ Restrict and protect high privileged domain accounts
▪ Restrict and protect local accounts with administrative privileges
▪ Restrict inbound traffic using the Windows Firewall to all workstations except for helpdesk, security compliance scanners, and servers

Question 20

Golden Ticket: what is a golden ticket?

Answer 20

While a pass the hash attack will work on local workstations, a Kerberos ticket is needed in an Active Directory environment. A golden ticket refers to a forged authentication ticket that grants an attacker unrestricted access to a network.
▪ Golden tickets can grant administrative access to other domains members and domain controllers

Question 21

Golden Ticket: explain krbtgt hash

Answer 21

KRBTGT account is a built-in account used by the Key Distribution Center (KDC) in a Kerberos authentication system. The KRBTGT account’s password hash is a critical component in the Kerberos authentication process, as it is used to encrypt and sign all Ticket Granting Tickets (TGTs) issued by the KDC

Question 22

Golden Ticket: explain how krbtgt hash and golden ticket are related (4)

Answer 22

The KRBTGT account’s password hash is related to the creation of a golden ticket in the following way:

1. Accessing ntds.dit: An attacker gains unauthorized access to the ntds.dit file, which is the Active Directory database containing sensitive information, including password hashes, stored on a domain controller.
2. Extracting the KRBTGT hash: Within the ntds.dit file, the attacker specifically targets the password hash of the KRBTGT account, which is used to encrypt and sign all Ticket Granting Tickets (TGTs) issued by the Key Distribution Center (KDC) in the Kerberos authentication process.
3. Creating the golden ticket: With the extracted KRBTGT hash in hand, the attacker uses it to craft a forged Ticket Granting Ticket (TGT) known as a “golden ticket.” The golden ticket is constructed to be valid for any user or service within the domain, effectively granting the attacker unrestricted access and the ability to impersonate any user without needing to authenticate to the KDC.
4. Persistence and access: The golden ticket, being signed with the KRBTGT hash, remains valid until the KRBTGT account’s password is changed. This provides the attacker with persistent and unrestricted access to the domain, allowing them to move laterally, access sensitive resources, and perform malicious activities without needing to re-authenticate.

Question 23

Golden Ticket: how to prevent krbtgt hash attack and what to do if a golden ticket was created?

Answer 23

Administrators should change the krbtgt account password regularly
Change the krbtgt account password twice in a short period of time to invalidate the golden ticket if a breach is suspected

Question 24

Lateral Movement: what are the remote access protocols and how is it related to lateral movement?

Answer 24

▪ Any combination of hardware and software to enable the remote access tools or information that typically reside on a network of IT devices
▪ SSH, telnet, RDP, and VNC provide attackers the ability to laterally move across the network
▪ Attackers can use remote access protocols to move from host to host

Question 25

Lateral Movement: explain Windows Management Instrumentation Command-Line (WMIC) and how is it related to lateral movement?

Answer 25

▪ Provides users with a terminal interface and enables administrators to run scripts to manage those computers
▪ WMIC can be used a vector in post-attack lateral movement

Question 26

Lateral Movement: explain PsExec

Answer 26

A tool developed as an alternative to Telnet and other remote access services which utilizes the Windows SYSTEM account for privilege escalation

Question 27

Lateral Movement: explain Virtual Network Computing

Answer 27

Allows you to connect using a graphical user interface to any operating system

Question 27

Lateral Movement: explain Windows PowerShell and PowerShell Empire

Answer 27

▪ A task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language
▪ The PowerShell Empire toolkit contains numerous prebuilt attack modules

Question 28

Lateral Movement: explain RPC Decom

Answer 28

A remote procedure call distributed component object model:
▪ RPC: An inter-process communication between local and remote processes on Windows systems
▪ Decom: Enables the communication between different software components over a network

Question 29

Escalating Privileges: explain Privilege Escalation, Horizontal Privilege Escalation and Vertical Privilege Escalation

Answer 29

Privilege Escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than what is intended for the user application:
● Horizontal Privilege Escalation: Focused on obtaining access to a regular user account to a different privilege level than the one currently in use
● Vertical Privilege Escalation: Attackers try to obtain access to an account of higher privileges than the one they currently have access

Question 30

Escalating Privileges: short the following from the most privileged to least privileged: device drivers, kernel, application

Answer 30

1. Kernel
2. Device drivers
3. Applications

Question 31

Escalating Privileges: explain SUID and how is it related to privilege escalation

Answer 31

SUID stands for “Set User ID” and is a special type of permission in Unix and Unix-like operating systems. When a file is given the SUID permission, it allows the user who executes the file to do so with the permissions of the file’s owner rather than the permissions of the user who is running the file. This can be particularly significant in the context of privilege escalation.

In the context of privilege escalation, an attacker may seek out files with the SUID permission to exploit them and gain elevated privileges. This is because when a file has the SUID bit set and is executed, it runs with the permissions of the file’s owner, which may be a privileged user or system account.

Question 32

Escalating Privileges: explain SGID and how is it related to privilege escalation

Answer 32

SGID stands for “Set Group ID” and is a special type of permission in Unix and Unix-like operating systems. When a file is given the SGID permission, it allows the user who executes the file to do so with the permissions of the file’s group owner, rather than the permissions of the user who is running the file. This can also be significant in the context of privilege escalation.

In the context of privilege escalation, an attacker may seek out files with the SGID permission to exploit them and gain elevated privileges. This is because when a file has the SGID bit set and is executed, it runs with the permissions of the file’s group owner, which may be a privileged group.

Question 33

Escalating Privileges: explain sudo find / -perm -04000

Answer 33

• “sudo”: It is a command used to execute another command with elevated privileges, typically requiring administrative or superuser rights.
• “find”: This is the command used to search for files and directories within a specified path.
• ”/”: It specifies the root directory as the starting point for the search.
• “-perm -04000”: This flag instructs the “find” command to search for files with specific permissions. In this case, “-perm -04000” searches for files with the SUID or SGID bits set.

Question 34

Escalating Privileges: explain Sticky Bit, how is it related to privilege escalation and what tool/ Metasploit module can be used to detect it (2)?

Answer 34

The sticky bit is a special permission in Unix and Unix-like operating systems that can be applied to directories. When the sticky bit is set on a directory, it restricts the ability to delete or rename files within that directory to the file’s owner, the directory’s owner, or the root user. This means that even if other users have write permissions to the directory, they cannot delete or rename files that they do not own. This feature is often used on directories that are shared among multiple users to prevent accidental deletion or modification of files by unauthorized users.

In the context of privilege escalation, the sticky bit is not typically a direct target for exploitation. However, understanding the presence of the sticky bit on directories is important for security assessments and maintaining proper access control. It can be relevant in scenarios where an attacker is attempting to manipulate files or directories to gain unauthorized access or escalate privileges.

▪ enum4linux
▪ auxiliary/scanner/smb/smb_enumshares

Question 35

Escalating Privileges: explain SUDO

Answer 35

Allows users to run programs with the privileges of another user

Question 36

Escalating Privileges: explain Ret2libc

Answer 36

An attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function

Question 37

Escalating Privileges: explain CronJobs and how is it related to privilege escalation

Answer 37

Cron is a time-based job scheduler in Unix-like operating systems. It allows users to schedule tasks, called cron jobs, to run periodically at specified intervals or specific times. These tasks can include running scripts, executing commands, or performing system maintenance.

In the context of privilege escalation, Cron jobs can be related to security risks if they are misconfigured or if they execute with elevated privileges. If a cron job is set to run with administrative or root-level privileges and it contains a vulnerability that can be exploited by an attacker, it could potentially be used as a means to gain elevated permissions and escalate privileges

Question 38

Escalating Privileges: explain Cpassword and how is it related to privilege escalation

Answer 38

The “Cpassword” is a specific attribute within the Active Directory database. It is related to privilege escalation in the context of Windows networks.

The Cpassword attribute is used to store an encrypted version of a user’s password. When an attacker gains access to this attribute, they may attempt to decrypt it or use it in conjunction with other attack techniques to gain unauthorized access, escalate privileges, or perform lateral movement within the network.

If an attacker can access and decrypt the Cpassword attribute, they may obtain the plaintext password, allowing them to gain the privileges associated with the compromised account. This can potentially lead to privilege escalation and unauthorized access to sensitive resources within the network.

Question 39

Escalating Privileges: explain Kerberoasting

Answer 39

Allows any domain user account that has a service principal name (SPN) set can have a service ticket (TGS)

Question 40

Escalating Privileges: explain LSASS

Answer 40

Local Security Authority Subsystem Service

Question 41

Escalating Privileges: explain Credentials in LSASS

Answer 41

The process in Windows that enforces the security policy of the system

Question 42

Escalating Privileges: explain SAM Database

Answer 42

▪ A database file that stores the user passwords in Windows as a LM hash or NTLM hash
▪ Passwords can be cracked offline if the SAM file is stolen

Question 43

Escalating Privileges: explain Dynamic Link Library (DLL)

Answer 43

Provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or re-compiling of the application

Question 44

Escalating Privileges: explain Hijacking

Answer 44

A technique used to load a malicious DLL in the place of an accepted DLL

Question 45

Escalating Privileges: explain Unsecure File and Folder Permissions

Answer 45

Older versions of Windows allow administrators to access any non admin user’s files and folder

Question 46

Escalating Privileges: explain Keylogger

Answer 46

Surveillance technology used to monitor and record the keystrokes of a victim user

Question 47

Escalating Privileges: explain Kernel Exploits

Answer 47

▪ Unpatched Windows and Linux systems are vulnerable to many different exploits
▪ Metasploit has a library of existing exploits
▪ You can attempt to bypass user local UAC (User Access Control): Guest accounts should be disabled

Question 48

Upgrading Restrictive Shells: explain a restrictive shell and how to upgrade it (2)?

Answer 48

A shell where you might be confined from being able to do certain functions:
● python -c ‘import pty; pty.spawn(“/bin/bash”)’
● perl -e ‘exec /bin/sh”;’

Question 49

Upgrading Restrictive Shells: explain VI

Answer 49

▪ A text editor that can also run commands
▪ :set shell=/bin/sh :shell
▪ The same type of restricted environments doesn’t exist in Windows systems
▪ /bin/bash -i