Presentation is loading. Please wait.

Presentation is loading. Please wait.

PostExploitation CIS 5930/4930 Offensive Computer Security Spring 2014.

Published byWilfrid Osborne Strickland Modified over 7 years ago

Similar presentations

Presentation on theme: "PostExploitation CIS 5930/4930 Offensive Computer Security Spring 2014."— Presentation transcript:

1 PostExploitation CIS 5930/4930 Offensive Computer Security Spring 2014

2 Overview of Post Exploitation o Basics o Tools o Goals Meterpreter o Passing the Hash o Pivoting Outline of Talk

3 Post Exploitation: "Ok I hacked it, now what?" Is about making the most out of every successful exploitation Common Activities / Targets: User credentials (for password cracking) Maintaining access Covering tracks Expanding attacker control Pivoting / passing the hash Post Exploitation

4 Techniques, Approaches, and Tools: Entirely architecture/platform specific o requires familiarity with target environment  Windows, *nix, Android, OSX, etc... Depends on the security model of target system o can differ drastically from platform to platform Post Exploitation

5 Application / Software / Network security has improved over the past decade o Defense in Depth, Layers, Multi-factor auth Applications have also grown more complex o May be able to get at your target indirectly  Exploit A, to get to B Attackers can no longer just directly hack their target o inch by inch, incremental progress Post Exploitation (Theory)

6 Exploit existing system: o features o Trust relationships o Account privileges o Account access across the network Post Exploitation (Theory) ROOT

7 Tokens may be present on compromised systems o may allow for privilege escalation o may allow for pivoting within the Domain Attackers want to enumerate available tokens o Tools: Incognito (part of Metasploit)Incognito Abusing Tokens The SYSTEM token is the holy grail of token stealing

8 Abusing Tokens Meterpreter has many nice features Here is an example of listing all the tokens, having already compromised a SYSTEM token. The SYSTEM token allows us to access everything in the system, and here we see the full list of tokens

9 Impersonating Tokens Example of abusing impersonation tokens

10 Incognito commands

11 Local Privilege Escalation Impersonation tokens may allow this if present Example: a. Attacker compromises some server/service b. Any administrators who connect using windows auth, will expose their token to the attacker c. Attacker uses token to escalate to local administrator Abusing Tokens Exploited Process Client Process Administrator Network Service Windows Auth

12 Pivoting Delegation tokens may allow this if present Example: a. Attacker compromises some server/service b. Any administrators who connect using windows auth, will expose their token to the attacker c. Attacker uses token to escalate to local administrator, and perhaps even on other systems. Abusing Tokens Exploited Process Client Process Administrator Network Service Windows Auth Remote System Administrator Remote System Administrator Remote System Administrator

13 Active Directory For getting around easily LSASS For stealing passwords Network logon services (netlogon) For establishing hidden users Post Exploitation: Relevant Windows Features

14 Meterpreter

15 An advanced, dynamically extensible payload uses in-memory DLL injection stagers extended over the network at runtime Mixture of C / Ruby components. Client = Ruby Server = C Meterpreter

16 1.The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc. 2.The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL. 3.The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client. 4.Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol. Meterpreter – Cont.

17 Designed as a payload to be: Stealthy o resides entirely in memory (nothing on disk) o no new processes created, injected into compromised process  can migrate to other processes o Always uses encrypted communication Powerful o Feature-rich and encrypted Extensible o Features can be augmented at runtime over the network o New features can be added without rebuilding Meterpreter Design

18 Say the attacker manages to exploit a vulnerable service through the firewall (say port 80) From the Defender's Perspective Metasploit + Meterpreter Vulnerable Service Administrator FIREWALLFIREWALL 1) Encoded exploit + (reverse) Meterpreter payload (perhaps staged) 2) Vuln service is injected with the Meterpreter DLLs 3) outgoing TLS/SSL connection back to attacker 4) Encrypted pwnage Can a network-based IDS system detect any part of this?

19 Designed to provide similar functionality to linux shells ls (instead of dir) cat cd & pwd getuid ipconfig (actually windows style) ps See: http://www.offensive-security.com/metasploit- unleashed/Meterpreter_Basics Meterpreter Features

20 upload o send file to victim download o download file from victim getsystem o will attempt a number of ways to steal & use a SYSTEM token (5 or so ways) hashdump (windows) o will dump the contents of the SAM database o requires system See http://www.darkoperator.com/tools-and-scripts/ for dumping hashes on OSX http://www.darkoperator.com/tools-and-scripts/ Meterpreter Features

21 Demo of getsystem & hashdump hashdump fails without SYSTEM privileges Meterpreter Features

22 execute, ps, migrate demo

23 webcam_list & webcam_snap (from http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics) Meterpreter Features

24 Meterpreter Features: User interface commands

25 In certain cases, it is not necessary to crack password hashes. They sometimes are used as-is in machine-to-machine authentication on the Domain (NTLANMAN/LANMAN) allows attacker to quickly pivot into other systems Metasploit: windows/smb/psexec Pass the hash

26 SSH keys (linux) usually in ~/.ssh/ Active Directory NTDS.DIT file Password reuse emails + spear-phishing netlogon / ssh CMS logon / web application logon Other ways to pivot

27 Goals: survive reboot/BSOD/crash survive patching survive/avoid discovery Windows: Incognito o add users autorun? Linux: Can add users with root shell access Maintaining Access

28 Leveraging the Win32 API with Meterpreter's RAILGUN irb o command to drop into meterpreter scripting mode o can access meterpreter modules and devise custom scripts Injecting backdoors disguised as bugs Stuxnet did this in existing applications in the kernel? Advanced

29 These are just the basics One's post-exploitation kung-fu is limited only by one's creativity and system familiarity Conclusion

30 Windows Internals books SysInternals Suite http://technet.microsoft.com/en- us/sysinternals/bb545021.aspxhttp://technet.microsoft.com/en- us/sysinternals/bb545021.aspx Security Implications of Windows Access Tokens - A Penetration Tester's Guide http://labs.mwrinfosecurity.com/assets/142/mwri_security- implications-of-windows-access-tokens_2008-04-14.pdf http://labs.mwrinfosecurity.com/assets/142/mwri_security- implications-of-windows-access-tokens_2008-04-14.pdf http://www.darkoperator.com/ The textbooks Related Resources

Download ppt "PostExploitation CIS 5930/4930 Offensive Computer Security Spring 2014."

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
and Mitigations Brady Bloxham

and Mitigations Brady Bloxham
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.

Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.
Armitage and Metasploit Penetration Testing Lab

Armitage and Metasploit Penetration Testing Lab
Learning to Live with an Advanced Persistent Threat

Learning to Live with an Advanced Persistent Threat
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.

© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.

Exposing the Secrets of Windows Credential Provider Presented By: Subrat Sarkar Give me your password.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
The Business of Penetration Testing

The Business of Penetration Testing
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Similar presentations

Ads by Google