Post Exploitation
Post Exploitation with MSF
🗒️ Post Exploitation is the process of gaining further information or access to the target's internal network, after the initial exploitation phase, using various techniques like:
local enumeration
maintaining persistent access
pivoting
dumping hashes
covering tracks
There are many post exploitation modules provided by the MSF.🗒️ Persistence consists of techniques used by adversaries to maintain access to systems across restarts, changed credentials, or other interruptions.🗒️ Keylogging is the action of (secretly) recording/capturing the keystrokes entered on a target system.🗒️ Pivoting is a post exploitation technique of using a compromised host, a foothold
/ plant
, to attack other systems on its private internal network.
Fundamentals - Meterpreter
Meterpreter is a post-exploitation payload used in penetration testing and ethical hacking. It is primarily associated with the Metasploit Framework, a popular penetration testing and exploitation tool. Meterpreter provides a powerful and flexible means for an attacker to interact with a compromised system after gaining initial access. Its functions and capabilities include:
Remote Control: Meterpreter allows an attacker to maintain control over a compromised system remotely. It provides a command-line interface (CLI) that allows the attacker to execute various commands on the target system.
File System Manipulation: An attacker can use Meterpreter to browse, upload, download, and manipulate files and directories on the compromised system. This can be useful for exfiltrating data, planting files, or carrying out other malicious activities.
Privilege Escalation: Meterpreter can be used to escalate privileges on the target system, enabling the attacker to gain administrator or root-level access, which provides greater control over the system.
Port Forwarding: It allows the attacker to set up port forwarding on the compromised system, which can be used to pivot through the target system to reach other systems on the network.
Network Enumeration and Exploitation: Meterpreter can gather information about the compromised system's network configuration, such as open ports and active connections. It can also be used to exploit vulnerabilities in other systems on the network.
Screenshot Capture: The attacker can capture screenshots of the target system's desktop, providing visual information about what the user is currently doing.
Keylogging: Meterpreter can log keystrokes on the compromised system, which can be used to capture sensitive information such as login credentials.
Shell Access: Meterpreter provides a fully interactive shell, allowing the attacker to run arbitrary commands on the target system. This shell can be upgraded to a more stable and feature-rich shell.
Persistence: It can be used to establish persistence on the compromised system, ensuring that the attacker can regain access even if the system is rebooted or undergoes maintenance.
Automated Post-Exploitation Modules: Metasploit includes a wide range of post-exploitation modules that leverage Meterpreter for various tasks, making it easier for attackers to carry out specific actions on the compromised system.
Scriptable and Extendable: Meterpreter can be scripted and extended to create custom post-exploitation capabilities, allowing attackers to tailor their activities to the specific target environment.
📌 MSF has various types of
Meterpreter
payloads based on the target environment
🔬 Check the Meterpreter Labs for various
Meterpreter
commands and techniques examples and how to upgrade shells to Meterpreter sessions.
Meterpreter Commands
UUsing workspace is very helpful, because it saves results locally, and permits to find them with loot
command.
Meterpreter Commands
In the
Meterpreter
session
help
sysinfo
getuid
Unprivileged session with the
www-data
user
background
Keyboard shortcut:
CTRL+Z
sessions
shell
Open a native Linux
bash
sessions by running after theshell
command
Terminate the
shell
session withCTRL+C
or withexit
command
ps
migrate
It could not work due to lack of sufficient privileges/permissions
Windows PE Modules
Windows post exploitation MSF modules can be used to:
Enumerate user privileges, logged-on users, installed programs, antiviruses, computers connected to a domain, installed patches and shares
VM check
🔬 Check out the Windows Post Exploitation with MSF Labs with post-exploitation techniques for various Windows services.
Enabling RDP
RDP stands for Remote Desktop Protocol, and it is a proprietary protocol developed by Microsoft. RDP allows one computer to connect to and control another computer remotely over a network connection. This technology is primarily used for remote administration of computers and virtual desktops.
RDP uses TCP port 3389 by default and is disabled by default on Windows systems, but, we can utilize an MSF exploit to enable RDP and consequently utilize it to connect on the target system.
After exploiting the target and starting Meterpreter Shell, we can search and use this module:
set session to meterpreter's session number and exploit.
To check if RDP is enabled (3389 open port), we can do a db_nmap scan on port 3389
Back on the last meterpreter's session, we change credentials:
Connecting with RDP from Linux
If we want to use RDP to access from linux, we can use this tool: xfreerdp:
A good things to do is create and access with a new windows account and utilize it.
Windows Keylogging
A keylogger, short for "keystroke logger," is a type of software or hardware device that records the keystrokes made on a computer or mobile device keyboard without the user's knowledge or consent. The primary purpose of a keylogger is to monitor and record everything a user types, including usernames, passwords, messages, and any other text entered via the keyboard.
Keyloggers can be used for both legitimate and malicious purposes:
Legitimate Use:
Security Monitoring: Some organizations and individuals use keyloggers for security purposes to monitor and log activity on their own systems. This can help detect unauthorized access or suspicious behavior.
Parental Control: Parents may use keyloggers to monitor their children's online activities and ensure they are using the internet responsibly.
Employee Monitoring: Employers may use keyloggers to monitor employee activities on company-owned devices to ensure compliance with company policies.
Malicious Use:
Cybercrime: Keyloggers can be deployed by cybercriminals to steal sensitive information such as login credentials, credit card numbers, and personal data.
Identity Theft: Keyloggers can capture personal information that can be used for identity theft or fraud.
Espionage: State-sponsored actors and espionage organizations may use keyloggers to gather sensitive information from targeted individuals or organizations.
It's the best alternative to RDP, because ther're not interaction with mouse.
To record keyboard, first we need to migrate explorer.exe process In a the meterpreter target session:
we can use these three command to manage keylogger process:
Clearing Windows Event Logs
Windows Event Logs
Windows Event Log or Security Audit Log, is a crucial component of the Microsoft Windows operating system that records various events and activities on a Windows-based computer or server. These logs are essential for monitoring system and security-related events, troubleshooting issues, and identifying potential security threats. There are three primary categories of Windows Audit Logs:
Security Log: This log records security events such as login attempts, privilege usage, and resource access. It is a valuable tool for tracking user activity and detecting potential security breaches. Common security events logged include:
Successful and failed logon attempts.
Account lockouts.
Changes to user or group memberships.
Object access (file and folder access).
Security policy changes.
Authentication and authorization events.
Application Log: This log records events related to applications, including both Windows system components and third-party software. It can help diagnose issues with software installations or usage. Common application events logged include:
Application crashes and errors.
Installation and configuration events.
Updates and patch installations.
Service start and stop events.
System Log: This log records events related to the operating system's core components and drivers. It is crucial for troubleshooting system-related issues. Common system events logged include:
System startup and shutdown events.
Driver and hardware-related errors.
Disk and file system errors.
Service control events.
To access the Windows Audit Log and view these logs, you can use the Windows Event Viewer. Here's how to access it:
Press Win + X: This will open the Power User menu. From there, select "Event Viewer."
In the Event Viewer: Expand the "Windows Logs" section to access the various logs, including Security, Application, and System logs.
Select the desired log: Double-click on one of the logs to view its entries. You can filter, search, and analyze events based on specific criteria.
🗒️ Windows Event Logs, accessed via the Event Viewer
on Windows, are categorized into:
Event Viewer
on Windows, are categorized into:Application logs
- apps startups, crashes, etcSystem logs
- system startups, reboots, etcSecurity logs
- password changes, authentication failures/success, etc
How to clear event logs?
Clearing event logs is an important part of the system assessment, in additional, it's important to delete files uploade on target system.
In a the meterpreter target session we can use these commands to delete event logs:
Pivoting
Pivoting with two targets in two different subnets (Subnet A and Subnet B) involves a scenario where an attacker gains access to one system in one subnet (the initial entry point) and then uses that compromised system to move laterally into another subnet, where they target two different systems. This is an advanced attack technique that requires the attacker to breach network boundaries and potentially access resources in different network segments.
Here's a simplified example:
Scenario:
Subnet A: Contains the compromised system (Initial Entry Point) and Target 1.
Subnet B: Contains Target 2.
Attack Steps:
Initial Compromise: The attacker gains access to a system in Subnet A, which serves as their initial entry point into the network.
Exploration: The attacker performs reconnaissance to identify other systems in Subnet A and learns that Subnet B is part of the network.
Pivot to Subnet B: Using the compromised system in Subnet A as a pivot point, the attacker attempts to move into Subnet B. This might involve exploiting vulnerabilities, using stolen credentials, or employing other methods to breach the perimeter between the two subnets.
Access Target 2: Once inside Subnet B, the attacker identifies and gains access to Target 2.
Access Target 1: The attacker may choose to pivot back to Subnet A using the compromised system in Subnet B as a pivot point. From there, they identify and gain access to Target 1 in Subnet A.
Example
After exploiting the target and starting Meterpreter Shell, we can rename session 1 to "victim-1" to facilitate our work:
Now, we need to find subnet of victim 2, then we use ifconfig command, and add it to our network:
After that, we need to find open port on the second target using portscan module:
If we find open ports (f.e. port 80), but we can't see service version. For do this, we need to do port forwarding to execute nmap scan:
Searching on browser 127.0.0.1:1234 we can see website, but it's not rendering correctly, because it's not running on the target system.
Then, we can exploit vulnerabilities of target 2 and set bind tcp payload:
Bind TCP refers to a program or service to listen for incoming connections on a specific network address (IP address) and port. It's a way to enable communication between devices over a network.
and after exploit, it's a good thing rename session:
Linux PE Modules
Linux post exploitation MSF modules can be used to:
Enumerate system configuration, environment variables, network configuration, user's history
VM check
🔬 Check out the Linux Post Exploitation with MSF Labs with post-exploitation techniques for various Unix services.
After exploiting the target and starting Meterpreter Shell, we can explore info about target, f.e.:
then, we can enumerate target with post exploitation modules:
enum_configs: enumerates linux configuration files.
env: enumerates generic operating system environment.
enum_network: collects all network information (ssh conf, routing table, firewall conf, dns conf, etc).
to explore more info, we can open with cat
command the filepath.
enum_protections: checks whether popular system hardening mechanisms are in place, such as: SMEP, SMAP, SELinux, PaX and grsecurity.
enum_system: collects installed packages, services, mount information, user list, bash history and cron jobs.
checkcontainer: checks if system use container (good for priv esc).
checkvm: checks if system use VM.
checkvm: checks if system use VM.
enum_users_history gets users history.
Others
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
chkrootkit: shell script that checks system binaries for rootkit modification.
ifpromisc.c: checks if the interface is in promiscuous mode.
chklastlog.c: checks for lastlog deletions.
chkwtmp.c: checks for wtmp deletions.
check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
chkproc.c: checks for signs of LKM trojans.
chkdirs.c: checks for signs of LKM trojans.
strings.c: quick and dirty strings replacement.
chkutmp.c: checks for utmp deletions.
If chkrootkit is running on target machine, and vs is less than 0.5, we can exploit it.
Duping Hashes With Hashdump
In Linux OS hashes are stored in the /etc/shadow file and can only be accessed by the root user or a user with root privileges.
After exploiting the target and starting Meterpreter Shell, we need to check if the target has root permission using getuid command, or we need to elevate it.
uid equals to 0 means that we've root permissions, then we can use meterpreter hashdump module:
This exploit generates a txt file with all hashes, we can see list of dump with loot
command and read them using cat
command.
After it, we can launch shell /bin/bash and f.e. change root psw:
or we can add a new user:
Analyzing root hash of /etc/shadow, file we can see that
the initial characters of the password field value in /etc/shadow identify the encryption algorithm:
$1$ is Message Digest 5 (MD5)
$2a$ is blowfish
$y$ (or $7$) is yescrypt
none of the above means DES
Critically, as of this writing, yescrypt with its contest entry yescrypt v2 and current specification, is widely-adopted and the default password hashing scheme for many recent versions of major distributions like Debian 11/12, Fedora 35+, Kali Linux 2021.1+, and Ubuntu 22.04+. Further, it’s supported on Fedora 29+ and RHEL 9+. Still, many standard tools still don’t support yescrypt.
Unlike Windows, on Linux we cannot use the hash to authenticate ourselves.
Establishing Persistence On Linux
Create backdoor user
NB: This technic only work if the target server is running with SSH or a remote access protocol, that can provide us with access whenever we need it (with usr and psw).
After exploiting the target and starting Meterpreter Shell, we need to check if the target has root permission using getuid command, or we need to elevate it.
Now, we can use MSF module to take linux persistence using SSK Key (it's more reccomended because if the connection goes down, we can restablish it and in add, it's difficult to detect than others, infact we never need to change psw on the target system).
In details, this module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time. If we don't specify user, module will add an SSH key to all users by default.
If we log in as the root user, it's not a suspicious activity, because if we both log in on the same account, we can't understand the detection.
After exploit it, will be added public key in all user accounts home directory and save in a txt file and see it with path visibile byloot
command. After that, we can terminate all sessions exit -y,
opening txt file that contains id rsa, and copy private key in a new file:
We're in without creating a new user, cronjob or other.
In alternatively, we can use MSF module to take linux persistence using cron jobs:
If it doesn't work or in alternatively, we can use service_persistence module (it creates a service on the box, and mark it for autorestart):