3.9 Attacks & exploits: Post-Exploitation Exploits Flashcards
What is the post-exploitation phase and what are the post-exploitation actions that a pentester can perform (6)?
Any action taken after a successful initial attack or exploit:
● Host enumeration
● Network enumeration
● Infrastructure enumeration
● Additional permissions
● Persistence
● Covert channels
Enumerating the Network: what is enumeration?
The process of identifying and scanning the network ranges and hosts of a target network in order to map out its attack surface
Enumerating the Network: list the targets that can be enumerated (6)
▪ Users
▪ Groups
▪ Hosts
▪ Forests
▪ Sensitive data
▪ Unencrypted files
Enumerating the Network: what is Active Directory?
Microsoft’s central directory service for Windows domains; it allows information about users, groups, computers, and policies to be stored, classified, and retrieved easily
Enumerating the Network: explain this command “Get-NetDomain”
A PowerView (PowerShell) cmdlet that returns the current user’s domain
Enumerating the Network: explain this command “Get-NetLoggedon”
A PowerView cmdlet that returns the users currently logged on to a given computer
Enumerating the Network: explain this command “cat /etc/passwd”
Lists all local user accounts on a Linux/Unix system (username, UID, GID, home directory, and login shell); the password hashes themselves live in /etc/shadow, which is readable only by root
Enumerating the Network: explain this command “uname -a”
Displays the kernel name and version, the hostname, and the hardware architecture, which is what you need to pick a matching local privilege-escalation exploit
Enumerating the Network: explain this command “env”
Outputs a list of all environment variables of the current shell, which can leak paths, proxy settings, and sometimes credentials
Enumerating the Network: how do you find sensitive data when enumerating a network (3)?
▪ Set up a network sniffer on a compromised host
▪ Use the Meterpreter payload and turn on its packet-capturing function (the sniffer extension)
▪ Work out which unencrypted files on the shared drives contain sensitive data
Network Segmentation Testing: explain network segment
A portion of a network in which all attached hosts can communicate freely with each other; segments are separated, and traffic between them restricted, by:
● Subnets
● VLANs
● Firewalls
Segmentation testing checks, from a foothold in one segment, which hosts and ports in the other segments are actually reachable, to confirm that the boundaries enforce the intended policy
Lateral Movement and Pivoting: explain Lateral Movement
A technique to progressively move through a network to search for the key data and assets that are ultimately the target of an attack campaign
Lateral Movement and Pivoting: explain Pivoting
▪ The use of one compromised computer to attack a different computer
▪ Pivoting routes the attack through the compromised system to reach other systems on its network, bypassing restrictions such as firewall rules that would block the attacker’s own host
Pass the Hash: what is pass the hash and what is it used for?
A network-based attack in which the attacker steals a user’s NT password hash and replays it as-is, without cracking it, to authenticate as that user on the network the hash came from.
▪ Pass the hash can be used to elevate privileges and to move laterally
▪ When the stolen hash belongs to a local administrator account, pass the hash gives the attacker local admin rights on every workstation that shares that account and password
Pass the Hash: explain how a pass the hash attack works for the SMB and Kerberos protocols (4)
The hash can be presented without cracking the original password to authenticate to network protocols such as SMB (via NTLM) and Kerberos:
- Pass the Hash Attack for SMB (NTLM):
1- The attacker obtains a user’s NT hash, typically from the Security Account Manager (SAM) of a Windows host, from LSASS memory, or from the Active Directory database (NTDS.dit).
2- Instead of cracking the hash, the attacker uses it directly to answer the NTLM challenge/response when authenticating to other systems in the same domain that expose SMB, such as file shares or printers.
3- Because NTLM computes the response from the NT hash rather than from the plaintext password, the attacker gains access to the targeted resources without ever knowing the password.
- Pass the Hash Attack for Kerberos (often called overpass the hash):
1- As in the SMB scenario, the attacker obtains the user’s NT hash from the domain’s authentication database or from memory on a compromised host.
2- The NT hash is also the account’s RC4-HMAC Kerberos key, so the attacker uses it to request a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then used to request access to specific services within the domain.
3- With the TGT in hand, the attacker requests service tickets for specific services, such as a file server; the service ticket grants access without the plaintext password. Enforcing AES-only Kerberos encryption removes the NT hash as a usable key, so the attacker would then need the account’s AES key instead.
Pass the Hash: what tools can you use to perform a pass the hash attack (4)?
▪ Mimikatz (sekurlsa::pth)
▪ Metasploit (exploit/windows/smb/psexec with an LM:NT hash supplied as the password)
▪ Hydra (its SMB module accepts an NTLM hash in place of a password)
▪ Medusa (its smbnt module accepts an NTLM hash via the PASS:HASH option)
Pass the Hash: what is Mimikatz and how does it relate to the Local Security Authority Subsystem Service (lsass.exe)?
▪ An open-source tool that extracts and saves authentication credentials (NT hashes, Kerberos tickets, and sometimes plaintext passwords) so they can be reused in pass the hash and related attacks
▪ lsass.exe is the Windows process that performs authentication and keeps credential material for logged-on users in memory. Mimikatz’s sekurlsa module (for example privilege::debug followed by sekurlsa::logonpasswords) reads that process’s memory and lists the usernames, hashes, and any passwords currently in use on the system; sekurlsa::pth then starts a process that authenticates with a chosen NT hash.
Pass the Hash: which Metasploit modules gather credential hashes (7), how is Mimikatz run from Metasploit, and which modules pass or test the hashes (2)?
Metasploit post-exploitation modules that dump credentials. Not every dump is pass the hash material: only Windows LM/NT hashes can be replayed; Linux /etc/shadow hashes and the application-specific credentials must be cracked or used in their own context:
● post/linux/gather/hashdump
● post/pro/multi/gather/hashdump
● post/windows/gather/credentials/domain_hashdump
● post/windows/gather/credentials/mssql_local_hashdump
● post/windows/gather/credentials/skype
● post/windows/gather/credentials/avira_password
● post/windows/gather/credentials/mcafee_vse_hashdump
Mimikatz itself is available inside Meterpreter as the kiwi extension (load kiwi, then creds_all).
Test whether the recovered hashes are usable by passing them (the SMBPass option accepts an LM:NT hash in place of a password) or by cracking them first and using the password:
● exploit/windows/smb/psexec
● auxiliary/scanner/smb/smb_login
Pass the Hash: how can you detect and mitigate a pass the hash attack (4)?
▪ Detection is difficult because a pass the hash logon is, on the wire, a valid NTLM authentication; it cannot be told apart from a legitimate one by the protocol alone, only by context (which host, which account, which logon type, from where)
▪ Most antivirus and antimalware software will block well-known tools that perform pass the hash, such as Mimikatz or the Metasploit framework, although repacked or in-memory variants often evade this
▪ Restrict and protect highly privileged domain accounts
▪ Restrict and protect local accounts with administrative privileges (a unique local admin password per host stops one stolen local hash from working on every workstation)
▪ Use the Windows Firewall to restrict inbound traffic to workstations, allowing it only from helpdesk systems, security compliance scanners, and servers
Golden Ticket: what is a golden ticket?
Pass the hash works wherever NTLM is accepted, including against domain resources, but services that require Kerberos need a Kerberos ticket. A golden ticket is a forged Kerberos Ticket-Granting Ticket (TGT), created with the domain’s krbtgt account hash, that grants an attacker effectively unrestricted access to the domain for as long as the krbtgt credential is unchanged.
▪ Golden tickets can grant administrative access to other domain members and domain controllers