
SANS 560.4 - Post-Exploitation and Merciless Pivoting PDF

188 Pages·2017·16.48 MB·English

Preview SANS 560.4 - Post-Exploitation and Merciless Pivoting

Post-Exploitation and Merciless Pivoting

Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE "USER") AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware.

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC560_4_C01_03 Post Exploitation & Merciless Pivoting
©2017 Ed Skoudis. All Rights Reserved | Version C01_03 | 1017

Welcome to SANS Security 560.4! In this session, we focus on post exploitation and some pivoting, zooming into techniques a penetration tester can apply after successfully exploiting a target environment. We start by looking into moving files and pillaging target systems for useful information. We then cover some useful Windows cmd.exe command-line techniques for controlling target machines and pilfering data on them.

Next, we apply what we've learned by covering methods for getting a target Windows machine to run commands on behalf of a penetration tester or ethical hacker. We cover some tried-and-true methods for doing this, like scheduling a job to run on the target. We'll also cover some less-known but powerful methods for making a remote machine run programs with local SYSTEM or admin privileges using the service controller and wmic commands. We complete our exploitation section with hands-on labs with these last two techniques.

Then, we cover Windows PowerShell for penetration testers, discussing many useful features of PowerShell and how they can be applied by penetration testers, especially during the post-exploitation phase of a penetration test.

Next, we turn our attention to password attacks, spending the rest of the day analyzing password guessing and gaining access to hashes. We go over numerous tips based on real-world experiences to help penetration testers and ethical hackers maximize the effectiveness of their password attacks. We cover one of the best automated password-guessing tools available today, THC Hydra, and run it against target machines to guess Windows SMB and Linux SSH passwords. We then zoom in on the password representation formats for most major operating systems, discussing methods for how to obtain those hashes from target machines using great tools such as the Meterpreter hash dumping capability and the mimikatz Kiwi tool, using each in a hands-on lab. We also look at some different kinds of pivots, building on our netcat relay discussion in 560.3, as well as using the msfconsole route pivoting technique. That's a lot of material to cover, so let's begin.

©2017 Ed Skoudis 1

TABLE OF CONTENTS (1)

Moving Files with Exploits ... 4
Pilfering from Target Machines ... 9
Windows Command Line Kung Fu for Penetration Testers ... 13
LAB: Windows Command-Line Challenges ... 37
Making Windows Run Commands Remotely ... 49
LAB: Running Commands with sc and wmic ... 61
PowerShell Kung Fu for Penetration Testers ... 73
LAB: PowerShell for Post-Exploitation Challenges ... 95
Password Attacks: Motivation and Definitions
Password Attack Tips
Dealing with Account Lockout ... 120

SEC560 | Network Penetration Testing and Ethical Hacking 2

Here is our table of contents, showing each topic and lab we cover in 560.4.

TABLE OF CONTENTS (2)

Here is the rest of our table of contents, showing each topic and lab we cover in 560.4.

Course Roadmap

- Pen Test Planning
- Recon
- Scanning
- Exploitation
- Post-Exploitation, Password Attacks and Merciless Pivoting
  - Moving Files with Exploits
  - Pilfering from Target Machines
  - Windows Command Line Kung Fu for Pen Testers
  - > LAB: cmd.exe Challenges
  - Making Win Run Commands
  - > LAB: sc and wmic
  - PowerShell Kung Fu for Pen Testers
  - > LAB: PowerShell Post-Exploitation Challenges
- Web App Attacks

After initial exploitation occurs, penetration testers or ethical hackers often want to move files to or from the target machine that they have exploited. The files moved to a target could include tools to analyze that target in more detail or to use it as a jump-off point to find and exploit other vulnerable systems. The files moved from a target may include sensitive documents that are part of the overall goal of a penetration test or ethical hacking project.

A tester has many options for moving files to or from a system depending on the circumstances of the test and the target system. In this section, we explore the various options for moving files to and from exploited target machines.

Moving Files to a Target: Push versus Pull

- Depending on the access the tester has to the target, he or she may
  - Push files to a target
  - Have the target pull files back in

[Diagram: in the push case, the firewall allows inbound traffic and the tester pushes the file to the target machine; in the pull case, the firewall blocks some inbound traffic, so the tester sends a command and the target pulls the file back in.]

When exploiting machines, you frequently want to put files onto a machine or take them off of the system. You can either push files to a target or pull them from it, as illustrated on the slide. The tester chooses the method for transferring files based on several factors:

- Whether moving files to or from the target is allowed by the project's Rules of Engagement
- The protocols that are allowed inbound and outbound between the tester and the target system, including network firewalls, network-based Intrusion Prevention Systems (IPSs), router ACLs, and local port filters or firewalls on the target
- The software installed on the target machine, especially software associated with file transfer
- The kind of exploit the tester has used and how it integrates with file transfer functionality

If a firewall allows inbound traffic, you may just push a file to the target. If only limited inbound traffic is allowed, you may compromise a target to establish a command channel. You then issue commands to direct the target machine to pull the file from the tester's box.

The images in the slide are focused on moving a file to the target. Alternatively, the tester may want to get a file from a target. The same two options are available. You could try to pull the file from the target directly or issue commands to have the target push the file back to the tester's machine.

Moving Files to a Target: Using File Transfer Services

- Protocols and services designed to move files:
  - TFTP
    - Unauthenticated, UDP port 69
    - Most systems include a TFTP client
  - FTP
    - Common, uses TCP 20 (data) and TCP 21 (control) by default
    - Corrects text file anomalies between different systems
  - SCP, part of the SSH suite
    - Encrypts data
    - Often allowed outbound, using TCP port 22 by default
    - Included on most Linux and UNIX machines by default
  - HTTP or HTTPS
    - Almost always allowed outbound on at least TCP 80 and 443
    - Even supports transfer through an HTTP/HTTPS proxy
    - Command-line browser helpful, like wget, Lynx, HTTrack, or PowerShell's WebClient/wget

To move files to a target machine, testers could rely on various services and their associated protocols that are designed to transfer files. Some of the most common mechanisms used to move files during penetration tests and ethical hacking follow:

- TFTP (Trivial File Transfer Protocol): This stripped-down service moves files with no authentication between a tftp client and tftpd using UDP port 69.
- FTP: This familiar service conveniently moves files using two connections: an FTP data connection associated with TCP port 20 and an FTP control connection associated with TCP port 21. FTP, when used in ASCII mode, corrects some issues with moving text files between different operating systems, as we'll discuss shortly.
- SCP (Secure Copy): This program is part of the Secure Shell (SSH) suite and transfers files using TCP port 22 by default. It is an ideal candidate for file transfer, given that a) it encrypts all authentication information and data in transit, b) most networks allow outbound SSH, and c) many Linux and UNIX systems have an scp client built in.
- HTTP or HTTPS: These protocols are almost always allowed outbound, using at least TCP ports 80 and 443. Even if they are sent through a web proxy, they can still be used to carry files. As testers, we often invoke text-based browsers on a compromised victim machine, using that browser to fetch files from the attacker system and moving them back onto the target machine. Some useful text-based browser-style programs include wget, Lynx, and HTTrack. Also, PowerShell includes a WebClient feature and an alias of wget to pull files, which we will use in an upcoming lab later in 560.4.

Moving Files to a Target: Additional Services

- Additional services and protocols for moving files
  - Windows File Sharing (NetBIOS / SMB)
    - It could be useful to have the target machine mount a share on the pen tester's box, provided that outbound SMB is allowed from target to pen tester
    - With this approach, you can have the target access files without pushing them onto the target's hard drive
  - NFS mounts
  - Netcat
    - Is it installed? If not, this is a chicken-and-egg problem
  - Others
    - Must have the appropriate client and server installed

[Diagram: the tester sends a command to mount a share; the firewall allows the outbound share access; the target then accesses or executes the file directly from the share.]

Some additional file transfer services used by testers also include:

- Windows file sharing: Of course, most Windows machines can use this means to move files across the NetBIOS and/or SMB protocols (TCP ports 135-139 or 445). Furthermore, Linux and UNIX machines support this kind of access using Samba, with commands such as smbclient, smbmount, and the Samba Daemon (smbd). It could be useful to have the target machine mount a share on the pen tester's box, provided that the network allows outbound SMB (or even NFS) access from the target to the pen tester's machine. With this approach, you can have the target system access files (such as scripts or executables) without pushing them onto the target's hard drive. Instead, the target just runs the given programs from their location on the mounted file share, giving the pen tester a much smaller footprint on the target machine.
- NFS (Network File System): This protocol is most commonly used to move files between UNIX/Linux systems, although there are also Windows NFS implementations. By default, it uses TCP and UDP 2049, although it may involve other ports as well.
- Netcat: Netcat can move files back and forth between systems (among other functions) using arbitrary TCP or UDP ports. Unfortunately, to use netcat to move a file, you first have to get the netcat executable on the target machine. If it's already there, the tester can start using it. If it is not, you have to move netcat's file first to use it to move additional files, resulting in a chicken-and-egg condition.

There are other mechanisms to move files as well, but these are the most common and popular. Note that to use any of these mechanisms, the target machine must have the appropriate client or server software installed, and the attacker's machine must have the other side (server or client) installed.

Alternative Methods for File Transfer: Meterpreter, Paste, and Echo

- The Metasploit Meterpreter upload and download functions can move and interact with files
    meterpreter > upload
    meterpreter > download
    meterpreter > cat
    meterpreter > edit
  - edit opens the file in your Linux system's default editor (usually vim)
  - Remember to use forward slashes (/) in file system paths (even on Windows)
- With a terminal session, you can copy and paste the contents of files
  - Might seem like a weak way to move a file, but it is handy and can work well
- Even with a limited shell, echo can enter lines
    $ echo "this is part of the file" >> file.txt
    C:\> echo this is part of the file >> file.txt
- Whatever it takes to get the file there

Beyond those traditional file transfer mechanisms, testers may also move files using less conventional means. One helpful way to move files involves compromising a system using Metasploit to exploit some buffer overflow or other flaw, and then loading the Meterpreter as a payload. The Meterpreter, as we discussed earlier, is a small shell environment. In recent versions of Metasploit, the Meterpreter includes several built-in commands for moving files, including upload and download to send files to or from a compromised machine. The Meterpreter's cat command dumps a file to standard output on the screen. The edit command of the Meterpreter grabs the file and opens it in the default editor of your Linux machine, which is typically vim.

If the attacker has command shell terminal access on the target machine, another option for moving files is to invoke an editor, such as vi, emacs, pico, or other. Then, the attacker could simply cut and paste the contents of a file into the editor. Some people think that cut-and-paste is a cheat because it's too obvious and simple. But some hacks are elegant and others are not. Penetration testers and ethical hackers are often focused more on utility (does it work?) than elegance (is it pretty or clever?).

Even with a limited shell that doesn't implement a terminal, you can still create files by using the echo command to append things to a file, building a file line by line with >> redirects, as we covered earlier in our discussion of the terminal versus raw shell dilemma.
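The push-versus-pull discussion and the two file-transfer-services slides above turn on one question: which of these protocols does the network allow outbound from the target? The Python script below is an added example, not part of the SANS course material, that reads constructed firewall log lines and reports every allowed internal-to-external connection on the ports those slides list, rating outbound SMB and NFS highest because a host that can mount an external share can run tools from it without ever writing them to disk. The internal range 10.10.0.0/16 and the log line format are assumptions made for the example.

```python
import ipaddress

# Assumed (constructed) address range of the monitored internal network.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")

# Destination ports of the file-transfer services named in the course text.
# Severity follows the course's own point: allowed outbound SMB/NFS lets a
# compromised host mount a remote share and run tools without touching disk.
FILE_TRANSFER_PORTS = {
    ("udp", 69): ("TFTP", "medium"),
    ("tcp", 20): ("FTP data", "medium"),
    ("tcp", 21): ("FTP control", "medium"),
    ("tcp", 22): ("SSH/SCP", "medium"),
    ("tcp", 80): ("HTTP", "low"),     # nearly always open, still a pull channel
    ("tcp", 443): ("HTTPS", "low"),
    ("tcp", 445): ("SMB", "high"),
    ("tcp", 2049): ("NFS", "high"),
    ("udp", 2049): ("NFS", "high"),
}
# NetBIOS/SMB on TCP 135-139, as listed on the Windows file sharing slide.
FILE_TRANSFER_PORTS.update({("tcp", p): ("NetBIOS/SMB", "high") for p in range(135, 140)})


def parse_line(line):
    """Parse one constructed log line: 'ACTION PROTO SRC_IP DST_IP DST_PORT'."""
    action, proto, src, dst, port = line.split()
    return (action.lower(), proto.lower(),
            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))


def assess(log_lines):
    """Return (src, service, severity) for each allowed internal-to-external
    connection on a file-transfer port: a channel an exploited host could use
    to pull tools in (or push data out) even when inbound traffic is filtered."""
    findings = []
    for line in log_lines:
        action, proto, src, dst, port = parse_line(line)
        if action != "allow" or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # denied, inbound, or purely internal traffic is not egress
        service = FILE_TRANSFER_PORTS.get((proto, port))
        if service:
            findings.append((str(src), service[0], service[1]))
    return findings


# Constructed sample log: an external SMB share reached, a denied NFS attempt,
# an HTTPS pull, a TFTP pull, then internal-only SMB and an inbound SSH flow.
SAMPLE_LOG = [
    "allow tcp 10.10.5.20 203.0.113.7 445",
    "deny  tcp 10.10.5.20 203.0.113.7 2049",
    "allow tcp 10.10.5.21 203.0.113.9 443",
    "allow udp 10.10.5.22 203.0.113.7 69",
    "allow tcp 10.10.5.20 10.10.5.30 445",
    "allow tcp 203.0.113.7 10.10.5.20 22",
]
```

Running `assess(SAMPLE_LOG)` flags the first, third and fourth lines only; the denied, internal-only and inbound flows are ignored.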