Chapter 06: Exploiting and Pivoting Flashcards

1
Q

Choosing a Target

A

Always consider the primary goals of your pentest as it relates to the SOW and RoE

In most cases, you'll target the most vulnerable systems for your initial exploitation to gain a foothold and pivot

2
Q

AD

A

Active Directory
A central directory service that allows information to be stored, classified, and retrieved easily
* From here, we can begin looking upwards at the users, groups, OUs, the domain, trees, or even the forests
* Doing this shows us what this host can see and what it can communicate with
* Shows what information might be out there on the network for us to grab

To Do This
PowerShell
* Get-NetDomain: Get the current user’s domain
* Get-NetLoggedon: Get users that are logged on to a given computer

Linux
* cat /etc/passwd: Lists all users on the system
* uname -a: Displays the OS name, version, and other details
* env: Outputs a list of all the environmental variables

3
Q

Enumeration of Users

A

This takes many forms:
* Brute force enumeration by attempting logins via a login page or system login
* Use of forgotten password tools to identify legitimate userIDs
* Checking for users by reviewing /etc/passwd
* Gathering user info via AD queries
* Listing users by looking for user directories and other filesystem artifacts
* Querying directory services for an org
* Gathering email addresses from OSINT
* Discovering if user is admin, belongs to certain groups, has roles, etc

4
Q

Enumeration of Groups

A

Helps pentesters find other targets who may have similar access rights or who may otherwise make sense to compromise

Groups can also help identify admin users and accounts

/etc/group on Linux
AD or PowerShell on Windows, or the Local Users and Groups GUI

5
Q

Enumeration of Forests

A

In MS AD environments, a forest is the topmost container for the AD environment

Enumerating the forest means enumerating all the objects inside

This can provide a massive amount of data about the computers, users, and other AD contents

In some cases where domains have trust relationships with other domains, it can be possible to enumerate forests that aren’t part of your own domain

6
Q

Enumeration of Sensitive Data

A

Challenging because the data may not be in predictable places

Likely to require multiple pieces of information like:
* The org’s or individual’s practices and habits
* Security policies or procedures like encryption or other sensitive data storage techniques
* Compliance requirements that may impact how the data is stored and protected
* Other influences on the data’s storage and format

7
Q

Enumeration of Unencrypted Files

A

Can be as simple as using a tool like strings to search for text that isn’t encrypted

More complex techniques take advantage of file entropy (randomness) to programmatically determine whether files are likely encrypted, although this can result in false positives

Many pentesters will use cat to quickly view discovered files and filesystems

8
Q

Metasploit

A

Full walkthrough of a Metasploit example

Page 206 to 212

9
Q

PowerSploit

A

A set of Windows PowerShell scripts designed to provide capabilities like AV bypass, code execution, exfiltration, persistence, reverse engineering, and recon

It will be picked up by Windows Defender and other AV AM tools as soon as you download it

Kali includes PowerSploit by default

One of the most popular tools to use with PowerSploit is Mimikatz; PowerSploit injects it into memory and then allows you to dump credentials without having Mimikatz on disk, where it could be discovered by AV

10
Q

Empire

A

A PowerShell and Python based post-exploitation tool

It uses encrypted comms to allow PowerShell agents to run without powershell.exe and it has many modules designed to help with post-exploitation activities on Windows

Similar functionality and interface to Metasploit

11
Q

BloodHound

A

A tool used to visualize AD objects and permissions

It can’t be used by itself—you have to acquire AD information and then feed it into BloodHound in order to analyze the data more easily

SharpHound will enumerate the AD domain if you run it as a domain member

12
Q

RPC/DCOM

A

Remote Procedure Call / Distributed Component Object Model

Historically, a common way to attack Windows NT, 2000, XP, and 2003 server systems

More modern exploits tend to focus on other elements like the .NET interoperability layers for DCOM

Although RPC/DCOM exploits continue to appear, they are far less common today

13
Q

PsExec

A

The Sysinternals Windows toolkit includes PsExec, a tool designed to allow admins to run programs on remote systems via SMB port 445

If available during a pentest, incredibly useful because you can execute arbitrary commands, up to and including running an interactive shell

Most AV AM tools will flag PsExec the second it lands on a system though

14
Q

PS Remoting/WinRM

A

Windows systems running Windows 7 or later use Windows Remote Management (WinRM) to support remote PowerShell command execution

For pentesters, being able to run PowerShell commands on a remote system is awesome, but this feature needs to be turned on first

Remote PowerShell command execution can be turned on using the Enable-PSRemoting -Force command while running PowerShell as admin

If the systems aren’t part of the same domain, you’ll need to set up trust between them using the TrustedHosts settings:

Set-Item wsman:\localhost\client\trustedhosts [ipaddress or hostname]

After doing that, restart WinRM and you can run remote PowerShell commands at will

15
Q

WMI

A

Windows Management Instrumentation

Allows remote management and data gathering and is installed on all Windows systems, making it an attractive target for pentesters and attackers

Provides access to a huge variety of information from Windows Defender and SNMP to Application Inventory listings

WMI can allow remote execution of commands, file transfers, and data gathering from files and the Registry (and much more)

Multiple PowerShell tools have been written to exploit WMI including WMImplant and WmiSploit

16
Q

Fileless Malware and Living Off the Land

A

Fileless Malware
* Used to avoid leaving IoC
* Memory-resident tools insert themselves into legitimate processes to hide from AV AM while allowing attackers to take action like those processes would

Common fileless malware targets for Windows include:
* PowerShell
* WMI
* .NET framework
* Dozens of other options

Living Off the Land
* Once pentesters have successfully used fileless malware to gain access to a system, the next step is living off the land
* Only use existing tools that are on the system
* That includes built-in Linux utilities, Windows commands and PowerShell features, or other accessible tools or programs on the system

Tools like CrackMapExec can be helpful when using LotL techniques—it uses native tools for AD-enabled systems to conduct attacks and supports pass-the-hash, null session, and more in a single unified shell

17
Q

Scheduled Tasks and Cron Jobs

A

Using these to perform actions on a compromised host is a tried-and-true method for retaining access

Unlike memory-resident exploits, scheduled tasks and cron jobs can survive system reboots

18
Q

SMB

A

Server Message Block is a file-sharing protocol with multiple common implementations

SMB provides name resolution, file services, authentication, authorization, and print services, which makes it an attractive target for pentesters who want access to remote systems that provide SMB services

If you discover SMB services in your pentest, the variety of implementations makes identifying the host OS and the SMB implementation important when attempting exploits

Kali includes an SMB scanner, and Metasploit has SMB scanning capabilities as well

Credentials for SMB can be acquired by tools like Responder, which reply to queries for resources

Once you have hashed credentials you can replay them to servers, in plaintext, Kerberos, or NTLM modes with Impacket, Mimikatz, or Metasploit

19
Q

Impacket

A

SecureAuth’s Python-based toolset and library that provides many functions outside of SMB playback, including:
* Tools to create WMI persistence
* Dump secrets from remote machines with clients
* Handle MSSQL authentication
* Replicate PsExec services

Some examples of core Impacket tools are:
* psexec.py: Replicates the functionality of PsExec in Python
* wmiexec.py: A shell for use via WMI which doesn't install a service or agent on the remote system
* smbclient.py: Python SMB client
* reg.py: Allows Registry manipulation
* sniff.py / sniffer.py: Lightweight Python packet sniffers—sniff uses pcap and sniffer uses raw sockets

20
Q

DNS

A

Attacks can occur at server or host level

The simplest attacks add arbitrary hosts to a system's hosts file, directing traffic to a chosen destination without the host ever querying an upstream DNS server

More complex attacks include malicious changes of DNS information, whether via changing configurations on hosts, responding to DHCP requests, or targeting and taking over legitimate DNS servers

21
Q

mitm6

A

A tool used to exploit a Windows DNS server by replying to DHCPv6 messages, giving targets a link-local IPv6 address paired with an attacker-controlled system as the default DNS server

Once this is established, they can do mitm attacks and direct targets to destinations of their choice

22
Q

RDP

A

Remote Desktop Protocol

Rare to see these exploits, but powerful when they’re used

Captured credentials and an accessible RDP port 3389 service provide a useful path into a Windows system, particularly Windows servers which often use RDP as a remote admin access method

23
Q

Apple Remote Desktop

A

ARD for short

Provides a great way to get GUI access to a remote system, but when they’re vulnerable they’re high priority targets for pentesters and attackers

Used in two major ways:
1. Via known vulnerable versions that can be exploited for access
2. Remote access method for compromised macOS systems and may provide a way for pentesters to log into a Mac remotely using captured credentials if the service is running and exposed

24
Q

VNC

A

Virtual Network Computing

Another common remote desktop tool

Many variants including versions for Windows, MacOS, and Linux

Like RDP and ARD, VNC provides a GUI access but can also have vulnerabilities that can be exploited

Attackers can use captured credentials or they can brute force the remote system—Metasploit has VNC payloads as well

25
Q

SSH

A

Secure Shell provides remote shell access via an encrypted connection, and exploiting it relies on two methods:
1. Look for a vulnerable version of the SSH server
* If it’s vulnerable, credential exposure or remote access is possible
* Attackers can even replace the server with a Trojaned or modified version to capture credentials or provide silent access

2. Acquisition of SSH keys and their associated passphrases from compromised hosts
* SSH keys are often shared inside orgs, and once shared they often remain static without a regular change process
* Capturing an SSH key pair, specifically one embedded into scripts or otherwise part of an org's infrastructure, can result in long-term access to the system or systems using the key

26
Q

Network Segmentation Testing and Exploits

A

Pentesters who gain access to one VLAN will want to know if there are more VLANs, and then how to access them

Segmentation can be tested by verifying that higher-security zones don’t communicate with lower-security zones

Additionally, VLANs can be detected by sniffing traffic and looking for packets with VLAN information included in them, like those with 802.1q tags

Separation of networks using firewalls, SDN, or air-gapped (physical segment) can be challenging to detect and may require finding other clues like documentation, network traffic, IPs, or testing firewall rules

27
Q

Leaked Keys

A

Secret keys can be used for remote logins, APIs, or access tokens (and much more)

Pentesters commonly look for exposed keys to acquire as part of their efforts

Tools like TruffleHog look for strings that match common formats for keys and then report the strings they find

Consider where keys may be unintentionally uploaded or included, and where they’re commonly stored

Frequently keys are found on GitHub or other code repos, or Amazon S3 buckets

28
Q

Common Post-Exploit Attacks

A

Password Attacks
These come in many forms, ranging from attacks against an authorization system or login page to attacks that are focused on captured credential stores and password files

Acquiring a password without cracking is the goal, but sometimes you have to use a more direct password attack

Two of the most common attacks that don’t rely on credential theft or social engineering:
* Brute forcing
* Rainbow tables on hashes

Common methods of acquiring passwords from a compromised machine include:
* pwdump and related utilities acquire Windows passwords from SAM (Security Account Manager)
* Information about user accounts on Linux in /etc/passwd and shadow
* cachedump and creddump focus on retrieving stored domain hashes, passwords, or other cached information from caches or Registry
* SQL queries against system views or database admin tables can provide information about users, rights, and passwords depending on the db and schema used
* Sniffing passwords on the wire is less frequently useful in modern networks because encryption is used, but still worthwhile if it’s accessible since sniffing can help map networks and apps, and some creds are still passed in plaintext

29
Q

Cross Compiling

A

Cross-compiling code is used when a target platform is running on a different architecture than the host that you can build an exploit on

During a pentest you may gain admin access to an x86 architecture and then need to deploy an exploit on an Android device running ARM64

If you can’t sneak the compiled binary for the exploit through security, you may be able to transfer the source code or replicate it on the compromised remote system

30
Q

Privilege Escalation

A

Vertical Escalation
* Focus on gaining higher privileges
* Sometimes the roundabout attack that slowly gains access bypasses controls that would stop attacks going straight for root

Horizontal Escalation
* Moving sideways to other accounts or services that have the same level of privilege

Common exploit targets include:
* Kernel exploits, which are one of the most commonly used local exploit methods for vertical escalation—many require local accounts and are less likely to be patched immediately by defenders who may focus on patching remote exploits or other critical vulnerabilities
* Application and service exploits may target accounts that the service runs as or under, or they may target business logic or controls in the app or service itself
* Database privilege escalation attacks may leverage SQL injection or other database software flaws to use elevated privilege or to query data from the db
* Design and configuration issues can allow escalation, making it worth a pentester’s time to validate which controls are applied to accounts and if accounts have rights or privileges that they wouldn’t be expected to have

31
Q

Escaping and Upgrading Limited Shells

A

Limited Shells
Attempt to prevent users who are assigned to use them from accessing commands that may allow exploits or abuse of the system, and they’re commonly used on systems where there are concerns about external or unwanted access

Upgrading a Restrictive Shell
* Requires leveraging potential weaknesses in the restricted shell environment
* Assess the availability of common commands like ls, echo, and cd as well as languages like Perl and Python, and what commands can be run as root with sudo

32
Q

Bind and Reverse Shells

A

Bind Shells
* Runs on a remote system and sets up a listener on a specific port, allowing remote access
* You then connect to the shell via a console tool like SSH or Netcat and execute commands on the remote system
* This requires inbound connections, which means it’s likely to be detected by an IDS or IPS, or blocked by firewall rules

Reverse Shells
* Connects from the remote system back to a system of your choice
* This is a common option when a firewall prohibits you from sending traffic to a target system but allows internally initiated traffic outbound

33
Q

Network Segmentation Testing

A

Network Segment
A portion of the network where all attached hosts can communicate freely with each other
* Logical barriers between each segment
* Commonly done using subnets, VLANs, and firewalls
* Segmentation will fail if there is a misconfigured firewall, legacy rules not removed from a firewall or router ACL, or a third-party management service incorrectly allowing access between VLANs

To Test Segmentation
* Validate that the less secure networks can’t communicate with higher-security networks
* When you do this, you test controls to ensure segmentation is working properly
* Check for TCP and UDP ports to ensure you can’t talk to devices
* Also check for any working applications between the two network segments, like a web app that’s reaching into other VLANs
* VPNs can also allow segmentation bypass, so make sure they’re properly set up

Example
* You think someone shouldn't be able to get into the cardholder data environment from their local area workstation on the production network
* Run a port scan as a regular user from that part of the network against the cardholder data network to ensure you can’t get an IP
* If you can’t do this, you have proper segmentation

34
Q

Pass the Hash

A

Network-based attack where the attacker steals hashed user credentials and uses them as-is to try and authenticate to the same network the hashed credentials originated on
* It’s possible to present the hash without cracking the original password to authenticate to network protocols like SMB and Kerberos
* Can be used to elevate privileges, because some admin has most likely logged on to a workstation and their credentials are stored in SAM

How It Works
1. Victim logs on to a machine –> DC verifies user with Kerberos
2. Victim logs on again –> Uses the Kerberos credentials cached in SAM
3. Attacker dumps SAM on victim’s computer –> Hashed credentials revealed
4. Attacker uses hashed credentials on other computers –> Hashed credentials are recognized by Kerberos

Mimikatz
Open-source application that allows users to view and save authentication credentials in order to perform pass the hash attacks
* Scans the system memory for cached passwords processed by lsass.exe

Dump Examples
* post/windows/gather/credentials/smart_hashdump
* post/windows/gather/credentials/domain_hashdump
* post/windows/gather/credentials/mssql_local_hashdump
* post/windows/gather/credentials/skype
* post/windows/gather/credentials/avira_password
* post/windows/gather/credentials/mcafee_vse_hashdump
* post/linux/gather/hashdump
* post/pro/multi/gather/hashdump

To Use or Crack
Metasploit
* exploit/windows/smb/psexec
* auxiliary/scanner/smb/smb_login
Hydra
Medusa

To Detect and Prevent
1. Detection is hard because these attacks are not easily distinguished from legitimate authentication
2. Most AV/AM software will block tools like Mimikatz or Metasploit
3. Restrict and protect high privileged domain accounts
4. Restrict and protect local accounts with admin privileges
5. Restrict inbound traffic using the Windows Firewall to all workstations except for helpdesk, security compliance scanners, and servers

35
Q

Golden Ticket

A

Pass the hash will work on local workstations, but you need a Kerberos ticket in an AD environment
* It will work if the same user has logged in to all systems on a domain, but if not you need a golden ticket

Golden Ticket
A Kerberos ticket that can grant other tickets in an AD environment
* Can grant admin access to other domain members and DC
* Very powerful

Kerberos Review
krbtgt (Kerberos Ticket Granting Ticket) Hash
* The trust anchor of the AD domain which functions like a private key of a root certificate authority and generates ticket-granting tickets (TGT) that are used by users across the network to access services within Kerberos
* Under Kerberos, a client is generally a user or a service
* The client sends request for a ticket to the Key Distribution Center (KDC)
* KDC creates the TGT for the client
* TGT is encrypted using the client’s password as the key
* Sends the encrypted ticket back to the client
* Client attempts to decrypt the TGT using the client’s password
* If they decrypt the TGT, this means the client gave the right password
* Indicates proof of the client’s identity
* TGT expires after a certain time
* User will obtain additional tickets when needed and gain permissions for specific services
* Request and grant of additional tickets is transparent to the user and happens entirely in the background of the Windows environment
* krbtgt hash is trust anchor to all of this, as it grants TGT
* If attacker can compromise krbtgt hash, they can create their own tickets for authorization to anything
* That’s a golden ticket

How the Golden Ticket Works
1. Attacker attempts to access the NTDS.DIT file
2. This allows attacker to gain access to the AD data store, which holds the krbtgt hash as well as all hashes for admin accounts
3. Attacker dumps NTDS.DIT, exposing Kerberos trust anchor
4. Response teams might identify the breach and reset credentials, but not the krbtgt hash
5. Attacker creates golden ticket with exploit module
6. Attacker can use the golden ticket to assume admin rights
7. Attacker can do anything they want now, you’re done

Dion Pro Tips
When you think about golden tickets, remember that:
* Golden tickets allow attackers to laterally move across the entire domain with ease
* This is basically a skeleton key that can open any door they want on your network
* Admins should change the krbtgt account password regularly
* Change the krbtgt account password twice in a short period of time to invalidate the golden ticket if a breach is suspected
* Change pass, reboot, change pass, reboot—this revokes all existing golden tickets and ensures new ones are issued with the new password

36
Q

Lateral Movement

A

Attackers can use any remote access protocols to move from host to host

Weak Passwords
* People use shitty and dumb passwords
* Make sure you’re auditing passwords frequently and following complexity restrictions
* If attacker guesses passwords, they can move laterally super easily
* If they get admin, it’s really bad

Remote Access Services
Any combination of hardware and software to enable the remote access tools or information that typically reside on a network of IT devices
* Allows someone to access computers from a distance
* SSH, telnet, RDP, and VNC are used for good, like users who need remote access
* But they also allow lateral movement from attackers

WMIC
Windows Management Instrumentation Command-Line
* Provides users with a terminal interface and enables admin to run scripts to manage those computers
* As sysadmin, it gives you a lot of power
* Attackers get that same power though—look at processes, BIOS data, recon from remote host, etc

PsExec
A tool developed as an alternative to Telnet and other remote access services which utilizes the Windows SYSTEM account for privilege escalation
* Part of the sysinternals for admins
* Attackers can open backdoors, run processes, and elevate permissions across the network

PowerShell
A task automation and configuration management framework from Microsoft consisting of a CLI shell and the associated scripting language
* The PowerShell Empire toolkit contains numerous prebuilt attack modules

VNC
Virtual Network Computing, allows you to connect using a GUI to any OS
* Windows: RDP
* Mac: Apple Remote Desktop
* Unix / Linux: X Window System

RPC DCOM
Remote Procedure Call / Distributed Component Object Model
* RPC is an inter-process communication mechanism between local and remote processes on Windows systems
* DCOM enables the communication between different software components over a network
* By using RPC DCOM, you can initiate and control lateral movement into an application

37
Q

Pivoting

A

When an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network
* If you have an attack point established, and you’re conducting attacks from that point, that is a pivot

Port Forwarding
The attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic from this port to a port of a host on a different subnet
1. Host A: Attacker initially gains access through an exploit
2. Host B: Attacker conducts recon and identifies another target
3. Host C: Attacker conducts recon and identifies another target
4. I have Host A, and I can reach Host B, but I can’t reach Host C because it’s on a different subnet
5. Set up exploit shell between A and B like nc connection
6. Host B is on same subnet as Host C because of its network configuration, like firewall trusting it
7. I want to get into Host C
8. Set up port forwarder on Host B for 3389
9. That forwards port 3389 from Host B to Host C
10. Attacker sets up listener on Host A for port 3389
11. Anything received on Host B for port 3389 gets forwarded from B to C
12. Attacker can now initiate the RDP session with Host C from Host A by going through Host B
13. This allows us to successfully pivot from A, through B, and into C

SSH
SSH can also be used to pivot to other hosts using the -D flag which sets up a local proxy and port forwarding

Proxy Chaining
Attackers can chain proxy servers together in order to continue pivoting from host to host until they reach a mission critical host or server

VPN Pivoting
Start a VPN client on the network interface of a compromised host, then run a VPN server outside the network to relay frames of data from the VPN server to the client

Modify Routing Tables
Modifying routers and compromised hosts using the route command in the CLI
* Can open a shell on the host and add new routes to the pivot host routing table
* It then routes information to and from different subnets based on that host having dual connections to the internet and internal network
* You can define your gateway as your own exploit session and then send traffic through that subnet that tunnels through your session first
* Allows you to do an on-path attack as you adjust the routing tables to reach into different subnets and act as a person in the middle

38
Q

Privilege Escalation

A

LINUX
SUID
Set-User Identification
* In Linux permissions, it's the first s in the permission triads
* Indicates the program can be run as the user
* sudo chmod 4755 script.sh

SGID
Set-Group Identification
* In Linux permissions, it's the second s in the permission triads
* Indicates the program can be run as the group
* sudo chmod 2755 script.sh

sudo find / -perm -04000
* This will find any programs that have the SUID bit set

Sticky Bit
Allows users to create files, read, and execute files owned by other users if the sticky bit is set
* Can’t remove files owned by other users though
* t is the sticky bit in the Linux permissions
* sudo chmod 1755 script.sh

Ret2libc
An attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function
* FOR EXAM: Just know this is a privilege escalation attack run in Linux

Processes
* ps -x = All processes owned by you
* ps -fU root = All processes owned by root
* Once you identify those processes, find weaknesses to take over or inject code into the processes

WINDOWS
Cpassword
The name of the attribute that stores the passwords in a Group Policy preference item inside the Windows server
* Stored inside SYSVOL folder on the DC in an encrypted XML file
* XML file is easily decrypted by any authenticated user in the domain

LDAP
If SSL isn’t enabled for LDAP, this protocol is going to pass credentials over the network in plain text
* Sniffers can capture that data
* PowerShell script can check for it and display insecure accounts in a CSV file
* .\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.corp[.]com -Hours 24

Kerberoasting
Allows any domain user account that has a service principal name (SPN) to get a service-granting ticket (TGS)
* Tickets can be requested by any user in the domain
* Allows for offline cracking of the service account plaintext password
* Used to grab passwords, and if you can get the service account password you’re operating in ring 1 or 2 closer to kernel

lsass
Local Security Authority Subsystem Service
* Process in Windows that enforces the security of a system
* Used for logon, password changes, creating access tokens by getting you TGT or TGS depending on what you need for Kerberos
* If you can get a copy of the creds stored in lsass and decrypt them, you have creds for privilege escalation

SAM Database
Database file that stores the user passwords in Windows as a LM hash or NTLM hash
* %SystemRoot%\system32\config\SAM
* Authenticates local and remote users on a machine
* You can dump the hashes with Metasploit, pass the hash, etc

DLL Hijacking
DLLs provide a method for sharing code and allowing programs to upgrade their functionality without requiring re-linking or re-compiling of the app
* Attackers will load malicious DLLs in place of the acceptable DLL
* When software calls the DLL it calls malware instead
* Commonly used with malware to achieve persistence

Exploitable Services
Attackers use the way services normally operate to cause an unintended program to run
* Normal: C:\Dion\My Files\server.exe
* Malicious: C:\Dion\My\server.exe

Unsecure File and Folder Permissions
Older versions of Windows allow admin to access any non-admin user’s files and folders

WINDOWS + LINUX
Kernel Exploits
Unpatched Windows and Linux systems are vulnerable to many different exploits
* Search CVE database for the specific version of the OS
* Once you find that, use exploits
* Metasploit has a full library of exploits loaded inside it

39
Q

Upgrading Restrictive Shells

A

If you exploit and find yourself in a restricted or non-interactive shell, you gotta get out

Restrictive Shell
A shell where you’re confined from being able to do certain functions

Non-Interactive Shell
Send commands but don’t get responses
* No tab completion, no up arrow for repeat, no ls response, etc
* Operating in the blind

LINUX
Python
python -c 'import pty;pty.spawn("/bin/bash")'
* Imports the pty module and spawns a new Bash shell

Perl
perl -e 'exec "/bin/sh";'
* Executes /bin/sh and spawns a new shell

Vim
:set shell=/bin/sh
:shell
* Launches a fully interactive shell from the Vim environment to use
* If there’s no Python or Perl, you can use Vim
* Text editor that can also run commands

Non-Interactive Linux
/bin/bash -i
* Spawns new Bash shell outside of non-interactive one you’re in

WINDOWS
The same type of restricted environments don't exist in Windows systems
* You’re either in the command prompt, PowerShell, or blocked from both
* You can use something like Shell Pack zip file that contains compiled and ready to use shell files for bypassing AppLocker, GPO, and SRP restrictions
* Nopowershell, NPS, PowerLine, PowerOPS, etc

Meterpreter
An interactive shell you can use instead of relying on the command prompt, PowerShell, or Bash

40
Q

Persistence

A

A method that you can use to maintain access to a victim machine or a network for an extended period of time

Creating New User Accounts
On Windows, create a user and add to group:
* net user USERNAME PASSWORD /add
* net localgroup administrators USERNAME /add

On Linux
* user$ su -
* root# useradd NAME
* root# passwd NAME

Crontab
Used by system admins to do tasks at a routine interval inside Linux
* Minute, hour, day of month, month, day of week [COMMAND]
* 45 23 * * 6 /home/user/scripts/exportdump.sh
* crontab guru

Windows Task Scheduler
Same function as Linux Crontab
* schtasks /create, /delete, /query, /run, /change, /end
* schtasks /create /sc [schedule type] /tn [task name] /tr [task run]

Services and Daemons
A background process that exists to handle periodic service requests that the computer system expects to receive
* Not always malicious, like HTTPD and SSHD
* But you can exploit services and daemons for malicious gain

Registry
You can add keys to the Registry using the GUI regedit or the CLI version
* reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v malware /d c:\malware.exe
* If you do this, malware.exe is run every time the system boots up
* On Linux, modify /etc/init.d or /etc/systemd to add a startup script or service

41
Q

LOTL

A

Basic Five-Step Modern Attack Process
1. Dropper or downloader
2. Maintain access
3. Strengthen access
4. Actions on objectives
5. Concealment

Dropper
Malware that’s designed to install or run other types of malware embedded in a payload on an infected host

Downloader
A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper

Shellcode
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
* EXAM: Doesn’t have to give you a shell, just has to give you some kind of exploit that’s going to be run

Code Injection
Exploit technique that runs malicious code with the identification number of a legitimate process
* EX: Running code as Explorer.exe by injecting code into it

Masquerading
Dropper replaces a genuine executable with a malicious one

DLL Injection
Dropper forces a process to load a DLL

DLL Sideloading
Dropper exploits a vulnerability in a legitimate program’s manifest to load a malicious DLL at runtime

Process Hollowing
Dropper starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code

Living Off the Land
Exploit technique that uses standard system tools and packages to perform intrusions
* Makes it very hard to find a pentester
* Using the tools native to the OS that have been installed for admins

PsExec
Uses the SMB suite to issue commands to remote systems without the need to install client software
* psexec \\IP -s [command path]
* psexec \\10.0.0.2 -s "C:\malware.exe"
* Runs the malware executable located on that machine as SYSTEM (-s)

WMI
Windows Management Instrumentation, provides an interface for local and remote computer management
* Can get status of host, configured security settings, and manipulate environmental variables
* Useful during enumeration
* Can change security settings on devices during post-exploit

PowerShell
Command shell and scripting language built on the .NET framework
* Enables a huge range of post-exploitation actions
* Empire toolkit

WinRM
Windows Remote Management, which allows for the configuration of machines to access them using the CLI environment or through PowerShell
* You can go in and execute commands to monitor and manage the clients and servers across the domain

VBScripts
Visual Basic Script, which is a command shell and scripting language built on the .NET framework that allows admins and devs to manage computers and add features to different toolsets
* Add features to the MS Office Suite

Combinations
You can, and should, combine a lot of these tools during attacks when LOTL
* Trick someone into opening an attachment that has a malicious VBScript
* When they open the file, the script executes
* That script executes further PowerShell or WMI tasks
* Might also execute commands using psexec
* Etc, etc, etc

IN LINUX
Go after things using Perl, Python, Bash, or other languages that are installed by default

42
Q

Exfiltration

A

HTTP or HTTPS Transfer
Using commercial file sharing services to upload the exfiltrated data from a victim
* Like Dropbox, GDrive, OneDrive, etc

HTTP Requests to Database Services
Using SQL injection or similar techniques to copy records from the database to which they should not have access
* Common IOC: Spike in requests to PHP files or other scripts, and unusually large HTTP response packets

DNS
Using DNS queries to transmit data out of a network
* Common IOC: Atypical query types being used like TXT, MX, CNAME, and NULL

Overt Channels
Using things like FTP, instant message, p2p, email, and other obvious file and data sharing tools

Explicit Tunnel
Using SSH or VPNs to create a tunnel to transmit data across a given network
* Common IOC: Atypical endpoints involved in tunnels due to geographic locations

Covert Channels
Communications path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures
* They can enable the stealthy transmission of data from node to node using means that security controls don’t anticipate
* Covert channels can be created using different storage and timing methods, or hybrid of both
* Covert Storage: Uses one process to write to a storage location and another process to read from that location
* Covert Timing: Uses one process to alter a system resource so that changes in its response time can signal information to a recipient process

Examples
* Transmitting data over nonstandard ports
* Encoding data in TCP/IP packet headers
* Segmenting data into multiple packets
* Obfuscating data using hex
* Transmitting encrypted data

43
Q

Covering Your Tracks

A

To cover your tracks, you can:
* Erase, modify, or disable evidence
* Clear log files (most SOW will not allow you to do this)
* Delete installed malware
* Hide files and folders

Timestomping
Changes the access time of a file to a time that you want as the attacker
* touch will add today’s date, but for older files you need…
* ctime: changes the time to a given date or time
* Meterpreter has a timestomp tool built in
* timestomp log.txt -m "02/03/2022 10:11:12"

Bash History
Bash will automatically save all of the commands run
* export HISTSIZE=0 will prevent saving the history
* echo "" > ~/.bash_history or history -c

Command Prompt
On Windows, you can clear cmd by
* alt + f7
* Terminate the process because Windows does not remember your commands

PowerShell
Windows will remember
* Clear-History

Shredding Files
Overwrites the file's data on disk with zeros so forensics cannot recover it
* Linux: shred -zu FILENAME
* Windows: No shred, but you can format the drive: format s: /fs:NTFS /p:1

44
Q

Post-Exploit Tools

A

Empire
A C2 framework that uses PowerShell for common post-exploit tasks
* Gives you the ability to implement and run PowerShell agents
* You can rapidly deploy post-exploitation modules
* Most Empire tools will be detected by AV now
* EXAM: Just remember that it’s a collection of ps1 exploits

Mimikatz
Open-source tool that’s focused on exploiting Kerberos protocols

Bloodhound
Used to explore AD trust relationships and abuse rights on AD objects
* Enumerates AD and shows your fastest path to elevated privileges in GUI form