- 560.3
- Day 3: Exploitation
- about exploitation
- Exploitation is not all that pentesting is about
- Exploit = technique that a threat uses to take advantage of a vuln
- Why exploit?
- proving a vuln
- assign a risk to the vuln
- false positive reduction
- note: most vuln scanners actually exploit system to prove vuln exists
- use one exploited system to pivot and get deeper inside network
- Exploitation risks
- crashing
- system
- service
- intoducing instability
- appears later
- violating integrity
- data exposure
- therefore make sure exploitation is allowed by rules of engagement
- exploit success is probabilistic
- failure does not mean no vuln or no risk
- categories
- server-side
- generally what customers expect
- traditional pentest: thru firewall, exploit a service
- but you can pivot
- client-side
- when in scope, client-side compromise is almost always successful
- Windows
- MS03-026
- plug and play one
- see slide 10 for list of other common WIndows ones
- MS products
- IIS
- Backup systems
- tremendous amount of power
- password files for other systems
- *nix
- see slide 11 for list
- not as many services as Windows, not as chatty
- concept of segmentation more ingrained in OS
- have the client come to you
- send an email with a link to retrieve PDF exploit
- maybe just a script, not exploit, is enough
- notable targets
- browsers
- IE
- FF
- media players
- real
- qt
- winabl
- doc readers
- acrobat
- ms office
- honeymonkey project
- MS scouring Internet
- found 10 0days in first week
- java
- big target because cross-platform
- determining what clients are in use
- document metadata
- ask people
- user-agent strings
- outbound proxy may disguise
- browser autopwn
- pretty clunky
- inventory tools
- Hyena exporter pro
- exports installed software for entire domain
- free version too
- MBSA
- dir /s "C:\program files"
- shavlik HFNetChk
- send a script that fires up IE, FF, etc and surfs out to attack system
- use appropriate client machines
- you may be given fully-patched systems
- steal a notebook
- check out a loaner
- make sure rules of engagement say you get a "representative system"
- privilege escalation
- user-level privs are often enough
- for instance, botnets
- be comfortable with user access
- you usually start with standard user privs when you exploit a client side app
- categories
- race condition
- time of check vs time of use
- kernel attacks
vmsplice for linux
- compromise a SUID 0 program
- ping
- LSASS
- lsass memory dump has all passwords of active users
- 2003 has only hashes though
- csrss.exe
- winlogin.exe
- dump memory of apps
- then run strings
- sometimes you can then grep -i password
- cleartext passwords
- PGP password
- even though memory was wiped by code
- does not work
- compiler optimization
- thiks it is redundant
- memory not needed again
- so just mark as free
- Metasploit
H. D. Moore- insane, never sleeps
- work 5 days
- sleep 2 days
- responds to emails within 15 minutes
- better than many commercial products
- original goal: exploit development project
- test harness
- ver 3 switched over to Ruby
- ver 2 was Perl
- portable
- exploit separated from payload
- this was the breakthough
- exploit: takes advantage of vuln
- payload: makes the target do something
- add user
- vnc session
- shell
- meterpreter
- versions
- tip: different (older) versions work better for different exploits
- start downgrading to older if not working
- older may not be detected by same IDS signatures
- trunk version is bleeding edge
- beta
- more exploits
- svn update to stay current
- 10 versions on the course DVD
apt-get install milk- response: mooooo
- tour of metasploit
- see paper notes to fill in here
- msfgui
- no password
- listens on 5555/tcp
- list of sessions
- msfd
- no methods for authentication or encyption
- default 55554/tcp
- makes a msfconsole that other users can connect to using netcat
- modules
- auxiliary
- look for IIS
- encoders
- exploits
- the arsenal of exploits
- payloads
- the arsenal of payloads
- nops
- modules that create NOP sleds to improve odds of success
- see slide 28
shikata ga nai = "theres nothing that can be done" in Japanese- exploits
- sorted by OS
- .rb means written in Ruby
- Windows
- dcerpc
- slightly different from nmap's categorization
- browser
- iis
- smb
- vnc
- payloads
- singles
- adduser.rb
- one-shot, send whole payload at once
- see slide 33
- bind_tcp
- stagers
- get beachhead
- load enough code to pull rest over
- slide 34
- bind_tcp
- a stager version
- for when you have less memory to work with than the single version uses
- reverse_tcp
- connects back from victim back to attack on TCP port of attacker's choosing
- reverse_ord_tcp
- listen using ws2_32.dll already running
- findtag_ord
- lets metaspolit listen on an already-open connection
- passivex
- reverse HTTP connection
- 1. deliver exploit
- 2. reconfigs IE and fetches URL
- 3. connect to attackers' passivex server
- 4. send in activex ctrl "passivex stager"
- 5. meterpreter gets commands through the HTTP connection
- stages
- vncinject
- installs no files
- running in memory
- downside: as VNC, visible on the console
- very unstable
sethc.exe- replace the exe with cmd prompt
- explorer.exe
- log out
- hit shift 5 times
- updating
- # svn update
- from within metaspolit dir
- don't use auto update
exercise 506.3 slides 41-49- msf 3.0
- bind_tcp
- you sometimes must run same exploit multiple times before it works; probabilistic
morning break- if metasploit does not recognize a command, it passes it to local OS shell
- the meterpreter
- about
- flexible beachhead
- core impact agent is similar
- does not install any files
- does .dll injection
- tripwire does not detect
- development mostly by Skape
- DEP does not always prevent
- functions
- ? or help
- "the it crowd" mentioned again
- exit
- sysinfo
- first command to type
- get info on system (proof of access)
- filesystem commands
- as in FTP
- download/upload
- edit
- process commands
- getpid
- which process you compromised
- getuid
- what user you are
- like 'set username' in Windows
- if not defined, you are SYSTEM
- kill
- ps
- execute
- migrate
- move to another process ID
- target must have same or less privs
- may be a more stable process
- migrating closes everything you had open
- when in a process, you now have access to files it has a lock on
- ipconfig
- portfwd
- like a netcat relay (TCP)
- route
- makes the system like a VPN endpoint for you
- attack another target through this target's meterpreter
- idletime
- uictl
- to turn on/off user's keyboard, mouse, etc.
- additional modules
- MAFIA
- anti-forensics toolkit
- slacker: hide files in slack space, encrypted
- priv
- hashdump
- dump the password hashes
- best proof of access
- user:RID:lanman hash(repeated twice):NT hash
- AAD3 etc = no password
- no file and print sharing needed
- timestamp
- 0 = 1/1/1601 (windows)
- alters MACEtimes
- E = MFT entry
- Server-side exploit and meterpreter exercise slide 60
- install bad Icecast server
- disable DEP for Icecast
- turn off firewalls
- payload reverse tcp
- set TARGET
- chooses the OS
- set TARGET 0 = automatically try all known memory address locations
- make sure local firewall isoff, because a connection comes back to us!
- execute -f cmd.exe -c
- c = create channel
- execute -h
- h = suppress from being shown on local console
- migrate
- use ps to find PID of notepad
- migrate to it
- Non-Metasploit exploits
- from milw0rm, say
- sometimes edit then compile
- sometimes edit hex
- exercise
- format-sploit.exe
- lunch break
- shell vs. terminal access
- remember what a terminal used to be
- control characters
- shell
- netcat is like a terminal
- ctrl-C kills the netcat client, doesn't pass through
- Exercise slide 96
- Linux reverse shell
- not working
- vi
- emacs
- more
- use less
- top
- anything that prompts for password
- working
- most scrolling commands
- su - (if no password required)
- Windows reverse shell
- not working
- edit
- workarounds
- on Windows
- command-by-command
- cls
- <enter> several times
- edit
- echo srf >> file many times
- runas
- schtasks
- at
- see slide 110
- wmic
- equiv commands
- net localgroup
- net use'
- dark operator has cool script
- telnet
- nc with -t option
- ssh
- get terminal access
- make sure rules of engagement allows this
- activate telnet access
- lowers security
- outside fips 140-2
- active remote desktop
- install ssh daemon
- openssh on windows
- can't use installation GUI though
- install vnc
- activating windows telnet
- sc query tlntsrvr
- to learn status
- sc query tlntsvr start= demand
- sc start tlntsvr
- net user foo pwd /all
- net localgroup TelnetClients /add
- net localgroup TelnetClients foo /add
- netsh firewall add portopening protocol = etc.etc. slide 113
- activating remote desktop
- slide 114
- sc query termservice
- ..
- ..
- reg add "hklm\system\currentcontolset\ etc etc
- netstat -na | find "45454"
- (then add only yourself)
- there's a Metaspolit script soon that will do this, in trunk now
- installing SSHD
- install SSH on lab machine
- use reg /export to dump applicable registry keys
- open up port through target firewall with 'netsh firewall'
- install VNC
- or as payload for Metasploit
- many metaspolit stager options
- bind_tcp
- reverse_tcp
- reverse_http
- find_tag
- may crash system
- reverse_ord_tcp
- may crash system
- install VNC on lab system
- config the way we want
- export registry settings
- copy to target
- wm_hooks.dll
- winvnc4.exe
- ther registry file
- enable port on target firewall
- on Linux
- slide 123 for command-by-command
- ssh is probably already there
- useradd -o -u 0 {loginname}
- -o overrides error of having more than one "0" UID
- or just use UID 00 !!
- or use echo
- echo lines >> /etc/passwd
- echo lines >> /etc/shadow
- line created on our lab system
- echo login:\$1|$@#%Rswal\etc. slide 126
- activate telnetd
- is system using inetd or xinetd?
- ps -aux | grep inetd
- if inetd
- edit /etc/inetd.conf
- see slide
- chkconfig sshd on
- service sshd start
- exercise: relay to get terminal access
- slide 132
- nc relay
- mknod backpipe p
- nc -l -p 1234 0<backpipe | nc 127.0.0.1 22 1>backpipe
- therefore we have ssh "listening" on port 1234
- ssh login@target -p 1234
- ping, port, parse
- ping to check network
- check port is listening
- build command up a bit at a time
- long-term workarounds
- moving files with exploits
- push
- services
- tftp
- ftp
- scp
- http, https
- windows file sharing
- SMB
- NFS mounts
- nc
- meterpreter
- upload
- download
- edit
- cat
- echo in one line at a time
- issues
- EOL transformations
- dos2unix:
- tr -d '-r' < dosfile > unixfile.txt
- unix2dos
- slide 145
- pilfering from target machines
- pilfer as much as possible
- if allowed in Rules of Engagement
- what?
- password hashes
- windows using fgdump
- /etc/shadow
- always dump it and crack it again
- crypto keys
- RSA seed files: Cain can calculate tokencode at points in future
- John the Ripper too
- netstat -na
- arp -a
- MAC addr of def gw for ARP cache poisoning
- ipconfig /displaydns
- zonefiles
- webservers
- document root
- scripts
- php include files (with db pwds in them)
- mailservers
- installed software list
- how?
see Josh Wright's "Vista wireless power tools for the penetration tester"- PSK isn't crackable
- but you can import it
also see "The Brady Bunch boondoggle" hacker challenge
- Windows cmdline Kung Fu
- why learn?
- leverage Windows to gain access elsewhere
- Linux is well-documented
- There are many Windows boxes
- inconsistent conventions on programs
- many patchlevels
- avoid having to install other tools
- file scraping
- type
- more
- type file | find /i "string"
- findstr "regex"
- env vars
- set
- to see all
- set variable
- to see one
- set username
- set systemroot
- use %varname% to further interact
- searching filesystem
- dir /b /s dir\file
- account mgt
- net user
- net localgroup
- to see names of groups
- net localgroup administrators
- to see membership
- net user username password /add
- net user username /del
- ossec HIPS
- linux and windows
- free
- awesome
- firewall settings
- netsh firewall show config
- netsh firewall set opmode disable
- disables firewall
- registry keys
- reg query [keyname]
- reg add [keyname] /v valuename /t type /d [data]
- find other machines
- arp -a
- ipconfig /displaydns
- set up SMB sessions
- net use * \\target password /u: [user]
- with server 2003, must specify /u:[machinename]\[user]
- net use * /del
- gets rid of all SMB sessions
- clean up if too many in use
- service controller (sc)
- sc query
- sc query state= all
- helpful in finding service names
- shows all services, whether started or not
- sc qc [servicename]
- sc config servicename start= demand
- to set a "disabled" service to "manual"
- sc start servicename
- cmd1 & cmd2
- execute multiple commands
- && = do next only if successful
- pause
- @ping -n 5 127.0.0.1
- output
- stderr = 2
- command 2>nul
- command 2>>errors.txt
- print blank line
- echo.
- no space between echo and .
- beep
- echo ^G
- actually hit ctrl-G
- loops
- for
- for /L %i in (start, step, stop) do [command]
- increments i
- never reaches stop value
- ping sweep
- for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
- for /f loop: each line of a file
- for /f %i in (password.lst) do @echo %i & @net use \\trargetIP %i /u:username 2>nul && pause
- envvars in FOR loops; use %% instead of %
- exercise of 4 challenges slide 179 ff.
- end of day
