Post Exploitation - CIS 5930/4930 Offensive Computer Security, Spring 2014

Outline of Talk
- Overview of Post Exploitation
  - Basics
  - Tools
  - Goals
- Meterpreter
  - Passing the Hash
  - Pivoting

Post Exploitation
- "Ok, I hacked it, now what?"
- Is about making the most out of every successful exploitation
- Common activities / targets:
  - User credentials (for password cracking)
  - Maintaining access
  - Covering tracks
  - Expanding attacker control
  - Pivoting / passing the hash

Post Exploitation
- Techniques, approaches, and tools:
  - Entirely architecture/platform specific
    - requires familiarity with the target environment: Windows, *nix, Android, OS X, etc.
  - Depends on the security model of the target system
    - can differ drastically from platform to platform

Post Exploitation (Theory)
- Application / software / network security has improved over the past decade
  - Defense in depth, layers, multi-factor auth
- Applications have also grown more complex
  - May be able to get at your target indirectly: exploit A to get to B
- Attackers can no longer just directly hack their target
  - inch by inch, incremental progress

Post Exploitation (Theory)
- Exploit the existing system's:
  - features
  - trust relationships
  - account privileges
  - account access across the network
[Diagram: ROOT]

Abusing Tokens
- Tokens may be present on compromised systems
  - may allow for privilege escalation
  - may allow for pivoting within the Domain
- Attackers want to enumerate available tokens
  - Tools: Incognito (part of Metasploit)
- The SYSTEM token is the holy grail of token stealing

Abusing Tokens
- Meterpreter has many nice features
- Here is an example of listing all the tokens, having already compromised a SYSTEM token. The SYSTEM token allows us to access everything on the system, and here we see the full list of tokens.

Impersonating Tokens
- Example of abusing impersonation tokens

Incognito commands

Abusing Tokens
- Local Privilege Escalation
  - Impersonation tokens may allow this if present
  - Example:
    a. Attacker compromises some server/service
    b. Any administrator who connects using Windows auth will expose their token to the attacker
    c. Attacker uses the token to escalate to local administrator
[Diagram: Exploited Process / Client Process / Administrator / Network Service / Windows Auth]

Abusing Tokens
- Pivoting
  - Delegation tokens may allow this if present
  - Example:
    a. Attacker compromises some server/service
    b. Any administrator who connects using Windows auth will expose their token to the attacker
    c. Attacker uses the token to escalate to local administrator, and perhaps even on other systems
[Diagram: Exploited Process / Client Process / Administrator / Network Service / Windows Auth / Remote System Administrator (x3)]
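The two slides above differ only in the token level exposed. From the defender's side, the same enumeration an attacker performs tells you which accounts a compromised host would hand over, and at which level. The following is an added example, not part of the slides or of Incognito: it parses a constructed approximation of an Incognito-style token listing (section headers "Delegation Tokens Available" / "Impersonation Tokens Available") and maps each domain account to the risk its token level implies. The domain, account names and the privileged-account inventory are hypothetical.

```python
"""Triage an Incognito-style token listing from the defender's perspective.
Constructed example; the listing format is an approximation of `list_tokens -u`."""
import re

# Constructed sample listing; CORP domain and account names are hypothetical.
SAMPLE_LISTING = """\
Delegation Tokens Available
========================================
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM
CORP\\svc_backup
CORP\\jsmith

Impersonation Tokens Available
========================================
NT AUTHORITY\\ANONYMOUS LOGON
CORP\\helpdesk_admin
"""

# Hypothetical inventory of privileged accounts maintained by the defender.
PRIVILEGED = {"CORP\\svc_backup", "CORP\\helpdesk_admin"}
BUILTIN = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
           "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\ANONYMOUS LOGON"}

def parse_tokens(text):
    """Return {'delegation': [...], 'impersonation': [...]} from the listing."""
    tokens = {"delegation": [], "impersonation": []}
    section = None
    for line in text.splitlines():
        m = re.match(r"(Delegation|Impersonation) Tokens Available", line)
        if m:
            section = m.group(1).lower()
        elif section and line.strip() and not line.startswith("="):
            tokens[section].append(line.strip())
    return tokens

def triage(tokens, privileged=PRIVILEGED):
    """A delegation token can authenticate to *other* hosts (pivot risk); an
    impersonation token is usable only on this host (local escalation risk).
    Mitigation for the pivot case: mark admin accounts "sensitive and cannot be
    delegated" (or put them in Protected Users) so no delegation-level token is
    minted, and never log on to lower-trust servers with them."""
    findings = {}
    for acct in tokens["delegation"]:
        if acct not in BUILTIN:
            findings[acct] = "pivot-admin" if acct in privileged else "pivot-user"
    for acct in tokens["impersonation"]:
        if acct not in BUILTIN and acct not in findings:
            findings[acct] = "local-admin" if acct in privileged else "local-user"
    return findings
```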

Post Exploitation: Relevant Windows Features
- Active Directory: for getting around easily
- LSASS: for stealing passwords
- Network logon services (netlogon): for establishing hidden users

Meterpreter

Meterpreter
- An advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime
- Mixture of C / Ruby components
  - Client = Ruby
  - Server = C

Meterpreter – Cont.
1. The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
2. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
3. The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
4. Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.

Meterpreter Design
- Designed as a payload to be:
- Stealthy
  - resides entirely in memory (nothing on disk)
  - no new processes created; injected into the compromised process
    - can migrate to other processes
  - always uses encrypted communication
- Powerful
  - feature-rich and encrypted
- Extensible
  - features can be augmented at runtime over the network
  - new features can be added without rebuilding

From the Defender's Perspective
- Say the attacker manages to exploit a vulnerable service through the firewall (say port 80)
[Diagram: Metasploit + Meterpreter | FIREWALL | Vulnerable Service, Administrator]
1) Encoded exploit + (reverse) Meterpreter payload (perhaps staged)
2) Vulnerable service is injected with the Meterpreter DLLs
3) Outgoing TLS/SSL connection back to the attacker
4) Encrypted pwnage
- Can a network-based IDS system detect any part of this?
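One answer to the slide's question: the content of step 4 is encrypted, but steps 1 and 3 are still visible as traffic shape. A server that only ever accepts inbound port-80 connections suddenly initiating an outbound session is observable regardless of port or TLS, and a staged payload shows up as a large transfer from the peer on that new flow. The following added example (not from the slides or from any IDS product) runs that egress check over constructed flow records; the asset inventory, allow-list, addresses and thresholds are hypothetical.

```python
"""Egress-anomaly check for reverse-connect payloads; constructed flow records."""
from collections import namedtuple

# bytes_from_dst = bytes the remote peer sent back on a flow our host opened.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto bytes_from_dst")

# Hypothetical inventory: hosts that should only serve inbound traffic.
SERVERS = {"10.0.0.5": "www1"}
# Hypothetical egress allow-list for those hosts (DNS resolver, update proxy).
EGRESS_ALLOW = {("10.0.0.5", "10.0.0.53", 53), ("10.0.0.5", "10.0.0.8", 3128)}
STAGE_BYTES = 500_000   # assumed threshold for "peer pushed a large blob"

SAMPLE_FLOWS = [                                                   # constructed
    Flow("203.0.113.7", 51234, "10.0.0.5", 80, "tcp", 0),          # normal inbound
    Flow("10.0.0.5", 49152, "10.0.0.53", 53, "udp", 120),          # allowed DNS
    Flow("10.0.0.5", 49201, "198.51.100.9", 443, "tcp", 3_000_000),  # callback, staged
    Flow("10.0.0.5", 49202, "198.51.100.9", 4444, "tcp", 900),     # second callback
]

def is_rfc1918(ip):
    return ip.startswith(("10.", "192.168.")) or any(
        ip.startswith(f"172.{n}.") for n in range(16, 32))

def egress_alerts(flows, servers=SERVERS, allow=EGRESS_ALLOW):
    """Flag connections *initiated by* an inventoried server that are not on its
    egress allow-list. A reverse Meterpreter callback is server -> attacker, so
    it lands here whatever port it uses; the encrypted payload never matters."""
    alerts = []
    for f in flows:
        if f.src_ip not in servers:
            continue                       # client-initiated; out of scope here
        if (f.src_ip, f.dst_ip, f.dst_port) in allow:
            continue
        reason = "server-initiated egress"
        if not is_rfc1918(f.dst_ip):
            reason += " to external host"
        if f.bytes_from_dst > STAGE_BYTES:
            reason += "; large transfer from peer (staged payload?)"
        alerts.append((servers[f.src_ip], f.dst_ip, f.dst_port, reason))
    return alerts
```

The same check is the reason egress filtering is a mitigation and not just a detection: if the firewall denies the server's outbound connection, step 3 fails before step 4 starts.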

Meterpreter Features
- Designed to provide similar functionality to Linux shells:
  - ls (instead of dir)
  - cat
  - cd & pwd
  - getuid
  - ipconfig (actually Windows style)
  - ps
- See: unleashed/Meterpreter_Basics

Meterpreter Features
- upload
  - send a file to the victim
- download
  - download a file from the victim
- getsystem
  - will attempt a number of ways to steal & use a SYSTEM token (5 or so ways)
- hashdump (Windows)
  - will dump the contents of the SAM database
  - requires SYSTEM
- See for dumping hashes on OS X

Meterpreter Features
- Demo of getsystem & hashdump
- hashdump fails without SYSTEM privileges

execute, ps, migrate demo

Meterpreter Features
- webcam_list & webcam_snap (from

Meterpreter Features: User interface commands

Pass the Hash
- In certain cases, it is not necessary to crack password hashes
- They are sometimes used as-is in machine-to-machine authentication on the Domain (NTLM/LANMAN)
- This allows an attacker to quickly pivot into other systems
- Metasploit: windows/smb/psexec
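The artifacts this leaves on the target host are the useful part for a defender: a hash used as-is means an NTLM network logon (Security event 4624, LogonType 3, AuthenticationPackageName NTLM) rather than a Kerberos one, and psexec-style tools then install a service to run their payload (System event 7045). The following added example (not from the slides, Metasploit, or any SIEM) correlates those two records over constructed events; the standard field names are real, while hostnames, users, addresses, service names and the time window are hypothetical.

```python
"""Correlate NTLM network logons with service installs; constructed events."""
from datetime import datetime, timedelta

# Constructed event records: (timestamp, event_id, fields). 10.0.0.5 / WWW1 is
# the hypothetical web server from the earlier scenario, now pivoting inward.
EVENTS = [
    (datetime(2014, 3, 1, 9, 0, 0), 4624, {"TargetUserName": "jsmith",
        "LogonType": 3, "AuthenticationPackageName": "Kerberos",
        "IpAddress": "10.0.0.21", "WorkstationName": "WS21"}),
    (datetime(2014, 3, 1, 9, 5, 0), 4624, {"TargetUserName": "helpdesk_admin",
        "LogonType": 3, "AuthenticationPackageName": "NTLM",
        "IpAddress": "10.0.0.5", "WorkstationName": "WWW1"}),
    (datetime(2014, 3, 1, 9, 5, 4), 7045, {"ServiceName": "kLmNoPqR",
        "ImagePath": "%SystemRoot%\\kLmNoPqR.exe", "AccountName": "LocalSystem"}),
    (datetime(2014, 3, 1, 10, 0, 0), 7045, {"ServiceName": "AcmeUpdater",
        "ImagePath": "C:\\Program Files\\Acme\\updater.exe",
        "AccountName": "LocalSystem"}),
]

PRIVILEGED = {"helpdesk_admin"}      # hypothetical admin inventory
WINDOW = timedelta(seconds=30)       # assumed logon -> service-install gap

def ntlm_network_logons(events):
    """4624 / LogonType 3 / NTLM: the caller proved knowledge of the hash only.
    On a Kerberos domain these are rare for admin accounts and worth review."""
    return [(ts, f) for ts, eid, f in events
            if eid == 4624 and f["LogonType"] == 3
            and f["AuthenticationPackageName"] == "NTLM"]

def psexec_style_pivots(events, privileged=PRIVILEGED, window=WINDOW):
    """Pair each NTLM network logon with a 7045 service install that follows it
    within `window`. Mitigations: unique local admin passwords per host,
    restricting NTLM, and keeping admin accounts out of lower-trust servers."""
    hits = []
    for ts, f in ntlm_network_logons(events):
        for ts2, eid, g in events:
            if eid == 7045 and ts <= ts2 <= ts + window:
                hits.append({"user": f["TargetUserName"], "source": f["IpAddress"],
                             "service": g["ServiceName"], "image": g["ImagePath"],
                             "privileged": f["TargetUserName"] in privileged})
    return hits
```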

Other Ways to Pivot
- SSH keys (Linux), usually in ~/.ssh/
- Active Directory NTDS.DIT file
- Password reuse
- Emails + spear-phishing
- netlogon / ssh
- CMS logon / web application logon

Maintaining Access
- Goals:
  - survive reboot/BSOD/crash
  - survive patching
  - survive/avoid discovery
- Windows: Incognito
  - add users
  - autorun?
- Linux: can add users with root shell access

Advanced
- Leveraging the Win32 API with Meterpreter's RAILGUN
- irb
  - command to drop into Meterpreter scripting mode
  - can access Meterpreter modules and devise custom scripts
- Injecting backdoors disguised as bugs (Stuxnet did this)
  - in existing applications? in the kernel?

Conclusion
- These are just the basics
- One's post-exploitation kung-fu is limited only by one's creativity and system familiarity

Related Resources
- Windows Internals books
- SysInternals Suite: http://technet.microsoft.com/en-us/sysinternals/bb aspx
- Security Implications of Windows Access Tokens - A Penetration Tester's Guide: implications-of-windows-access-tokens_ pdf
- The textbooks