Chapter 06: Exploiting and Pivoting Flashcards

Question

SSH

Answer 1

Secure Shell provides remote shell access via an encrypted connection, and exploiting it relies on two methods: 1. Look for a vulnerable version of the SSH server * If it's vulnerable, credential exposure or remote access is possible * Attackers can even replace the server with a Trojaned or modified version to capture credentials or provide silent access 2. Acquisition of SSH keys and their associated passphrases from compromised hosts * SSH keys are often shared inside orgs, and once shared they often remain static without a regular change process * Capturing an SSH key pair, specifically one embedded into scripts or otherwise part of an org's infrastructure can result in long-term access to the system or systems using the key

Answer 2

Pentesters who gain access to one VLAN will want to know if there are more VLANs, and then how to access them Segmentation can be tested by verifying that higher-security zones don't communicate with lower-security zones Additionally, VLANs can be detected by sniffing traffic and looking for packets with VLAN information included in them, like those with 802.1q tags Separation of networks using firewalls, SDN, or air-gapped (physical segment) can be challenging to detect and may require finding other clues like documentation, network traffic, IPs, or testing firewall rules

Answer 3

Secret keys can be used for remote logins, APIs, or access tokens (and much more) Pentesters commonly look for exposed keys to acquire as part of their efforts Tools like TruffleHog look for strings that match common formats for keys and then report the strings they find Consider where keys may be unintentionally uploaded or included, and where they're commonly stored Frequently keys are found on GitHub or other code repos, or Amazon S3 buckets

Answer 4

**Password Attacks** These come in many forms, ranging from attacks against an authorization system or login page to attacks that are focused on captured credential stores and password files Acquiring a password without cracking is the goal, but sometimes you have to use a more direct password attack Two of the most common attacks that don't rely on credential theft or social engineering: * Brute forcing * Rainbow tables on hashes Common methods of acquiring passwords from a compromised machine include: * pwdump and related utilities acquire Windows passwords from SAM (Security Account Manager) * Information about user accounts on Linux in /etc/passwd and shadow * cachedump and creddump focus on retrieving stored domain hashes, passwords, or other cached information from caches or Registry * SQL queries against system views or database admin tables can provide information about users, rights, and passwords depending on the db and schema used * Sniffing passwords on the wire is less frequently useful in modern networks because encryption is used, but still worthwhile if it's accessible since sniffing can help map networks and apps, and some creds are still passed in plaintext

Answer 5

Cross-compiling code is used when a target platform is running on a different architecture than the host that you can build an exploit on During a pentest you may gain admin access to an x86 architecture and then need to deploy an exploit on an Android device running ARM64 If you can't sneak the compiled binary for the exploit through security, you may be able to transfer the source code or replicate it on the compromised remote system

Answer 6

**Vertical Escalation** * Focus on gaining higher privileges * Sometimes the roundabout attack that slowly gains access bypasses controls that would stop attacks going straight for root **Horizontal Escalation** * Moving sideways to other accounts or services that have the same level of privilege Common exploit targets include: * Kernel exploits, which are one of the most commonly used local exploit methods for vertical escalation—many require local accounts and are less likely to be patched immediately by defenders who may focus on patching remote exploits or other critical vulnerabilities * Application and service exploits may target accounts that the service runs as or under, or they may target business logic or controls in the app or service itself * Database privilege escalation attacks may leverage SQL injection or other database software flaws to use elevated privilege or to query data from the db * Design and configuration issues can allow escalation, making it worth a pentester's time to validate which controls are applied to accounts and if accounts have rights or privileges that they wouldn't be expected to have

Answer 7

**Limited Shells** Attempt to prevent users who are assigned to use them from accessing commands that may allow exploits or abuse of the system, and they're commonly used on systems where there are concerns about external or unwanted access **Upgrading a Restrictive Shell** * Requires leveraging potential weaknesses in the restricted shell environment * Assess the availability of common commands like ls, echo, and cd as well as languages like Perl and Python, and what commands can be run as root with sudo

Answer 8

**Bind Shells** * Runs on a remote system and sets up a listener on a specific port, allowing remote access * You then connect to the shell via a console tool like SSH or Netcat and execute commands on the remote system * This requires inbound connections, which means it's likely to be detected by an IDS or IPS, or blocked by firewall rules **Reverse Shells** * Connects from the remote system back to a system of your choice * This is a common option when a firewall prohibits you from sending traffic to a target system but allows internally initiated traffic outbound

Answer 9

**Network Segment** A portion of the network where all attached hosts can communicate freely with each other * Logical barriers between each segment * Commonly done using subnets, VLANs, and firewalls * Segmentation will fail if there is a misconfigured firewall, legacy rules not removed from firewall or router ACL, or third party management service incorrectly allowing access between VLANs **To Test Segmentation** * Validate that the less secure networks can't communicate with higher-security networks * When you do this, you test controls to ensure segmentation is working properly * Check for TCP and UDP ports to ensure you can't talk to devices * Also check for any working applications between the two network segments, like a web app that's reaching into other VLANs * VPNs can also allow segmentation bypass, so make sure they're properly set up *Example* * You think somone shouldn't be able to get into the cardholder data environment from their local area workstation on the production network * Run a port scan as a regular user from that part of the network against the cardholder data network to ensure you can't get an IP * If you can't do this, you have proper segmentation

Answer 10

Network-based attack where the attacker steals hashed user credentials and uses them as-is to try and authenticate to the same network the hashed credentials originated on * It's possible to present the hash without cracking the original password to authenticate to network protocols like SMB and Kerberos * Can be used to elevate privileges, because some admin has most likely logged on to a workstation and their credentials are stored in SAM **How It Works** 1. Victim logs on to a machine --> DC verifies user with Kerberos 2. Victim logs on again --> Uses the Kerberos credentials cached in SAM 3. Attacker dumps SAM on victim's computer --> Hashed credentials revealed 4. Attacker uses hashed credentials on other computers --> Hashed credentials are recognized by Kerberos **Mimikatz** Open-source application that allows users to view and save authentication credentials in order to perform pass the hash attacks * Scans the system memory for cached passwords processed by lsass.exe *Dump Examples* * post/windows/gather/credentials/smart_hashdump * post/windows/gather/credentials/domain_hashdump * post/windows/gather/credentials/mssql_ local_ hashdump * post/windows/gather/credentials/skype * post/windows/gather/credentials/avira_password * post/windows/gather/credentials/mcafee_ vse_ hashdump * post/linux/gather/hashdump * post/pro/multi/gather/hashdump *To Use or Crack* Metasploit * exploit/windows/smb/psexec * auxilary/scanner/smb/smb_login Hydra Medusa **To Detect and Prevent** 1. Detection is hard because these attacks are not easily distinguished from legitimate authentication 2. Most AV/AM software will block tools like Mimikatz or Metasploit 3. Restrict and protect high privileged domain accounts 4. Restrict and protect local accounts with admin privileges 5. Restrict inbound traffic using the Windows Firewall to all workstations except for helpdesk, security compliance scanners, and serves

Answer 11

Pass the hash will work on local workstations, but you need a Kerberos ticket in an AD environment * It will work if the same user has logged in to all systems on a domain, but if not you need a golden ticket **Golden Ticket** A Kerberos ticket that can grant other tickets in an AD environment * Can grant admin access to other domain members and DC * Very powerful **Kerberos Review** krbtgt (Kerberos Ticket Granting Ticket) Hash * The trust anchor of the AD domain which functions like a private key of a root certificate authority and generates ticket-granting tickets (TGT) that are used by users across the network to access services within Kerberos * Under Kerberos, a client is generally a user or a service * The client sends request for a ticket to the Key Distribution Center (KDC) * KDC creates the TGT for the client * TGT is encrypted using the client's password as the key * Sends the encrypted ticket back to the client * Client attempts to decrypt the TGT using the client's password * If they decrypt the TGT, this means the client gave the right password * Indicates proof of the client's identity * TGT expires after a certain time * User will obtain additional tickets when needed and gain permissions for specific services * Request and grant of additional tickets is user-transparent and happens all the way in background of Windows environment * krbtgt hash is trust anchor to all of this, as it grants TGT * If attacker can compromise krbtgt hash, they can create their own tickets for authorization to anything * That's a golden ticket **How the Golden Ticket Works** 1. Attacker attempst to access NTDS.DIT file 2. This allows attacker to gain access to the AD data store, which holds the krbtgt hash as well as all hashes for admin accounts 3. Attacker dumps NTDS.DIT, exposing Kerberos trust anchor 4. Response teams might identify the breach and reset credentials, but not the krbtgt hash 5. Attacker creates golden ticket with exploit module 6. Attacker can use the golden ticket to assume admin rights 7. Attacker can do anything they want now, you're done **Dion Pro Tips** When you think about golden tickets, remember that: * Golden tickets allow attackers to laterally move across the entire domain with ease * This is basically a skeleton key that can open any door they want on your network * Admins should change the krbtgt account password regularly * Change the krbtgt account password twice in a short period of time to invalidate the golden ticket if a breach is suspected * Change pass, reboot, change pass, reboot—this revokes all existing golden tickets and making sure new ones are being issued with new password

Answer 12

Attackers can use any remote access protocols to move from host to host **Weak Passwords** * People use shitty and dumb passwords * Make sure you're auditing passwords frequently and following complexity restrictions * If attacker guesses passwords, they can move laterally super easily * If they get admin, it's really bad **Remote Access Services** Any combination of hardware and software to enable the remote access tools or information that typically reside on a network of IT devices * Allows someone to access computers from a distance * SSH, telnet, RDP, and VNC are used for good, like users who need remote access * But they also allow lateral movement from attackers **WMIC** Windows Management Instrumentation Command-Line * Provides users with a terminal interface and enables admin to run scripts to manage those computers * As sysadmin, it gives you a lot of power * Attackers get that same power though—look at processes, BIOS data, recon from remote host, etc **PsExec** A tool developed as an alternative to Telnet and other remote access services with utilizes the Windows SYSTEM account for privilege escalation * Part of the sysinternals for admins * Attackers can open backdoors, run processes, and elevate permissions across the network **PowerShell** A task automation and configuration management framework from Microsoft consisting of a CLI shell and the associated scripting language * The PowerShell Empire toolkit contains numerous prebuilt attack modules **VNC** Virtual Network Computing, allows you to connect using a GUI to any OS * Windows: RDP * Mac: Apple Remote Desktop * Unix / Linux: X Window System **RCP DCOM** A remote procedure call distributed component object model * RCP is an inter-process communication between local and remote processes on Windows systems * DCOM enables the communication between different software components over a network * By using RCP DCOM, you can initiate and control lateral movement into an application

Answer 13

When an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network * If you have an attack point established, and you're conducting attacks from that point, that is a pivot **Port Forwarding** The attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic from this port to a port of a host on a different subnet 1. Host A: Attacker initially gains access through an exploit 2. Host B: Attacker conducts recon and identifies another target 3. Host C: Attacker conducts recon and identifies another target 4. I have Host A, and I can reach Host B, but I can't reach Host C because it's on a different subnet 5. Set up exploit shell between A and B like nc connection 6. Host B is on same subnet as Host C because of its network configuration, like firewall trusting it 7. I want to get into Host C 8. Set up port forwarder on Host B for 3389 9. That forwards port 3389 from Host B to Host C 10. Attacker sets up listener on Host A for port 3389 11. Anything received on Host B for port 3389 gets forwarded from B to C 12. Attacker can now initiate the RDP session with the Host C from Host A. by going through Host B 13. This allows us to successfully pivot from A, through B, and into C **SSH** SSH can also be used to pivot to other hosts using the -D flag which sets up a local proxy and port forwarding **Proxy Chaining** Attackers can chain proxy servers together in order to continue pivoting from host to host until they reach a mission critical host or server **VPN Pivoting** Start a VPN client on the network interface of a compromised host, then run a VPN server outside the network to relay frames of data from the VPN server to the client **Modify Routing Tables** Modifying routers and compromised hosts using the route command in the CLI * Can open a shell on the host and add new routes to the pivot host routing table * It then routes information to and from different subnets based on that host having dual connections to the internet and internal network * You can define your gateway as your own exploit session and then send traffic through that subnet that tunnels through your session first * Allows you to do an on-path attack as you adjust the routing tables to reach into different subnets and act as a person in the middle

Answer 14

**LINUX** **SUID** Set-User Identification * Linux permissions, it's the first S in the trios * Indicates the program can be run as the user * sudo chmod 4755 script.sh **SGID** Set-Group Identification * Linux permissions, second S in the trios * Indicates the program can be run as the group * sudo chmod 2755 script.sh sudo find / -perm -04000 * This will find any programs that have the SUID bit set **Sticky Bit** Allows users to create files, read, and execute files owned by other users if the sticky bit is set * Can't remove files owned by other users though * -t is the sticky bit in the Linux permissions * sudo chmod 1755 script.sh **Ret2libc** An attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function * FOR EXAM: Just know this is a privilege escalation attack run in Linux **Processes** * ps -x = All processes owned by you * ps -fU root = All processes owed by root * Once you identify those processes, find weaknesses to take over or inject code into the processes **WINDOWS** **Cpassword** The name of the attribute that stores te passwords in a Group Policy preference item inside the Windows server * Stored inside SYSVOL folder on the DC in an encrypted XML file * XML file is easily decrypted by any authenticated user in the domain **LDAP** If SSL isn't enabled for LDAP, this protocol is going to pass credentials over the network in plain text * Sniffers can capture that data * PowerShell script can check for it and display insecure accounts in a CSV file * .\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.corp[.]com -Hours 24 **Kerberoasting** Allows any domain user account that has a service principal name (SPN) to set a service-granting ticket (TGS) * Tickets can be requested by any user in the domain * Allows for offline cracking of the service account plaintext password * Used to grab passwords, and if you can get the service account password you're operating in ring 1 or 2 closer to kernel **lsass** Local Security Authority Subsystem Service * Process in Windows that enforces the security of a system * Used for logon, password changes, creating access tokens by getting you TGT or TGS depending on what you need for Kerberos * If you can get a copy of the creds stored in lsass and decrypt them, you have creds for privilege escalation **SAM Database** Database file that stores the user passwords in Windows as a LM hash or NTLM hash * %SystemRoot%/system32/config/SAM * Authenticates local and remote users on a machine * You can dump the hashes with Metasploit, pass the hash, etc **DLL Hijacking** DLLs provide a method for sharing code and allowing programs to upgrade their functionality without requiring re-linking or re-compiling of the app * Attackers will load malicious DLLs in place of the acceptable DLL * When software calls the DLL it calls malware instead * Commonly used with malware to achieve persistence **Exploitable Services** Attackers use the way services normally operate to cause an unintended program to run * Normal: C:\Dion\My Files\server.exe * Malicious: C:\Dion\My\server.exe **Unsecure File and Folder Permissions** Older versions of Windows allow admin to access any non-admin user's files and folders **WINDOWS + LINUX** **Kernel Exploits** Unpatched Windows and Linux systems are vulnerable to many different exploits * Search CVE database for the specific version of the OS * Once you find that, use exploits * Metasploit has a full library of exploits loaded inside it

Answer 15

If you exploit and find yourself in a restricted or non-interactive shell, you gotta get out **Restrictive Shell** A shell where you're confined from being able to do certain functions **Non-Interactive Shell** Send commands but don't get responses * No tab finish, no up arrow for repeat, no ls response, etc * Operating in the blind **LINUX** **Python** python -c 'import pty;pty.spawn("/bin/bash")' * Imports the PTY terminal and spawn a new Bash shell **Perl** perl -e 'exec /bin/sh";' * Executes the bin/sh command and spawns Bash shell **Vim** :set shell=/bin/sh :shell * Launches a fully interactive shell in the Vim environment ot use * If there's no Python or Perl, you can use Vim * Text editor that can also run commands **Non-Interactive Linux** /bin/bash -i * Spawns new Bash shell outside of non-interactive one you're in **WINDOWS** The same type of restricted environments don't exist in Widows systems * You're either in the command prompt, PowerShell, or blocked from both * You can use something like Shell Pack zip file that contains compiled and ready to use shell files for bypassing AppLocker, GPO, and SRP restrictions * Nopowershell, NPS, PowerLine, PowerOPS, etc **Meterpreter** An interactive shell you can use instead of relying on the command prompt, PowerShel, or Bash

Answer 16

A method that you can use to maintain access to a victim machine or a network for an extended period of time **Creating New User Accounts** On Windows, create a user and add to group: * net user / add USERNAME PASSWORD * net localgroup administrators USERNAME /add On Linux * user# su - * user# useradd NAME * user# passwd PW **Crontab** Used by system admins to do tasks at a routine interval inside Linux * Minute, hour, day of month, month, day of week [COMMAND] * 45 23 * * 6 /home/user/scripts/exportdump.sh * crontab guru **Windows Task Scheduler** Same function as Linux Crontab * schtasks create / delete / query / run / change / end * schtasks /create /sc [ schedule type ] /tn [ task name] /tr [task run] **Services and Daemons** A background process that exists to handle periodic service requests that the computer system expects to receive * Not always malicious, like HTTPD and SSHD * But you can exploit services and daemons for malicious gain **Registry** You can add keys to the Registry using the GUI regedit or the CLI version * reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v malware /d c:\malware.exe * If you do this, malware.exe is run every time the system boots up * In Linux modify the /etc/init.d and /etc/systemd

Answer 17

**Basic Five-Step Modern Attack Process** 1. Dropper or downloader 2. Maintain access 3. Strengthen access 4. Actions on objectives 5. Concealment **Dropper** Malware that's designed to install or run other types of malware embedded in a payload on an infected host **Downloader** A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper **Shellcode** Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting langauages to binary code * EXAM: Doesn't have to give you a shell, just has to give you some kind of exploit that's going to be run **Code Injection** Exploit technique that runs malicious code with the idenfitication number of a legitimate process * EX: Running code as Explorer.exe by injecting code into it **Masquerading** Dropper replaces a genuine executable with a malicious one **DLL Injection** Dropper forces a process to load as part of a DLL **DLL Sideloading** Dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime **Process Hollowing** Dropper starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code **Living Off the Land** Exploit technique that uses standard system tools and packages to perform intrusions * Makes it very hard to find a pentester * Using the tools native to your OS that have been isntalled for admins **PsExec** Uses the SMB suite to issue commands to remote systems without the need to install client software * psexec \\ IP -s [ command path ] * psexec \\ 10.0.0.2 -s "C:\malware.exe" * Runs the malware script located on that machine **WMI** Windows Management Instrumentation, provides an interface for local and remote computer management * Can get status of host, configured security settings, and manipulate environmental variables * Useful during enumeration * Can change security settings on devices during post-exploit **PowerShell** Command shell and scripting language built on the .NET framework * Tons of bad shit you can do * Empire toolkit **WinRM** Windows Remote Management, which allows for the configuration of machines to access them using the CLI environment or through PowerShell * You can go in and execute commands to monitor and manage the clients and servers across the domain **VBScripts** Visual Basic Script, which is a command shell and scripting language built on the .NET framework that allows admins and devs to manage computers and add features to different toolsets * Add features to the MS Office Suite **Combinations** You can, and should, combine a lot of these tools during attacks when LOTL * Trick someone into opening an attachment that has a malicious VBScript * When they open the file, the script executes * That script executes further PowerShell or WMI tasks * Might also execute commands using psexec * Etc, etc, etc **IN LINUX** Go after things using Perl, Python, Bash, or other languages that are installed by default

Answer 18

**HTTP or HTTPS Transfer** Using commercial file sharing services to upload the exfiltrated data from a victim * Like Dropbox, GDrive, OneDrive, etc **HTTP Requests to Database Services** Using SQL injection or similar techniques to copy records from the database to which they should not have access * Commin IOC: Spike in requests to PHP files or other scripts, and unusually large HTTP response packets **DNS** Using DNS queries to transmit data out of a network * Common IOC: Atypical query types being used like TXT, MX, CNAME, and NULL **Overt Channels** Using things like FTP, instant message, p2p, email, and other obvious file and data sharing tools **Explicit Tunnel** Using SSH or VPNs to create a tunnel to transmite data across a given network * Common IOC: Atypical endpoints involved in tunnels due to geographic locations **Covert Chanels** Communications path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures * They can enable the stealthy transmission of data from node to node using means that security controls don't anticipate * Covert channels can be created using different storage and timing methods, or hybrid of both * Covert Storage: Uses one process to write to a storage location and another process to read from that location * Covert Timing: Uses one process to alter a system resource so that changes in its response time can signal information to a recipient process *Examples* * Transmitting data over nonstandard ports * Encoding data in TCP/IP packet headers * Segmenting data into multiple packets * Obfuscating data using hex * Transmitting encrypted data

Answer 19

To cover your tracks, you can: * Erase, modify, or disable evidence * Clear log files (most SOW will not allow you to do this) * Delete installed malware * Hide files and folders **Timestopming** Changes the access time of a file to a time that you want as the attacker * touch will add today's date, but for older files you need... * ctime: changes the time to a given date or time * Meterpreter has a timestomp tool built in * timestomp log.txt -m "02/03/2022 10:11:12" **Bash History** Bash will automatically save all of the commands run * export HISTIZE=0 will prevent saving the history * echo " " > ~.bash_history or history-c **Command Prompt** On Windows, you can clear cmd by * alt + f7 * Terminate the process because Windows does not remember your commands **PowerShell** Windows will remember * Clear-History **Shredding Files** Overwrites the HD with 0, forensics cannot find * Linux: shread -zu FILENAME * Windows: No shred, but you can format the drive—format s: /fs:NTFS /p:1

Answer 20

**Empire** A C2 framework that uses PowerShell for common post-exploit tasks * Gives you the ability to implement and run PowerShell agents * You can rapidly deploy post-exploitation modules * Most Empire tools will be detected by AV now * EXAM: Just remember that it's a collection of ps1 exploits **Mimikatz** Open-source tool that's focused on exploiting Kerberos protocols **Bloodhound** Used to explore AD trust relationships and abuse rights on AD objects * Enumerates AD and shows your fastest path to elevated privileges in GUI form