2.4 Exploitation
⚡ Prerequisites
Basic familiarity with Linux & Windows
Basic understanding of TCP & UDP protocols
Basic familiarity with Metasploit
📕 Learning Objectives
Identify services vulnerabilities
Search for and manipulate public exploit code
Utilize exploitation frameworks, bind & reverse shells
Perform exploitation in a black box pentest
Evade signature-based antivirus solutions
🔬 Training list - PentesterAcademy/INE Labs
subscription required
🔬 Home Labs
Vulnerability Scanning
Banner Grabbing
Banner Grabbing: is an information gathering technique used to enumerate information regarding the target operating system and services that're running on its open ports.
It can be performed through various techniques:
Performing a service vs detection scan with Nmap
Connecting to the open port with Netcat
Authenticating with the service (if it supports authentication), like as SSH, FTP, Telnet, etc..
Nmap
We can use -sV and -O flags to check service and OS version:
in alternative using nmap script or script engine:
Netcat
Netcat is a TCP/IP swiss army knife, we can explore its functionality by:
to do banner grabbing we need to specify port to scan, it usually is more accurate than nmap.
After that, we can use tools like as searchsploit to find exploit/vulnerabilities associeted at their service vs.
Authentication
Retrieve banner using authentication, it usually isn't very helpful because not show always service version. We can use this technic for service such as: ssh, telnet, etc.
Trying SSH authentication:
shell show banner message after this command, and next it ask us password (we can't need to say it, but it's not a problem).
Vulnerability scanning with NMAP Script
We can find a list of NSE on www.nmap.org/books/nse.html or locally:
If one sites has shellshock vulnerability, we can check it using this script:
countdown time showed in this photo maybe means that website use a dynamic counter, probably on the server side, viewing source we see that in the js script code there's a script called gettime.cgi.
CGI scripts are used to execute system commands, commands on the actual server or on the OS that is running or hosting web server and the website and display output on the website.
Shellshock vulnerability affects them, if we try to search IP/gettime.cgi one browser, we see only dynamic counter, to check if is it vulnerable we can use: http-shellshock script with URL how argument.
Searching for Exploits
After identification potential vulnerabilities of target, we need to search how to exploit it. Exploit code can easily found online, however, downloading and running them against a target can be quite dangerous, than, it's therefore recommended to analyze the exploit code and check if it works as intended.
Verifiable online sources:
always check for the Verified column
use search filters
We can use google dorks to find vulnerabilities quickly:
Another good resource to know is packet storm that provides the latest info about vulnerabilities. It's a good attitude check on them and active RSS feed.
In additional, packet storm website contains a good section with all security tools.
❗ Always pay attention at publicly available exploits. An exploit can be weaponized to attack the actual attacker system!
📌 Analyze the exploit code behavior to ensure that it works as intended.
Useful for security assessments on networks without Internet access
Pre-packed with Kali Linux
exploitdb
local directory is:/usr/share/exploitdb
Fixing Exploits
🔬 Check the Fixing Exploits Lab here
Cross-Compiling Exploits
Exploit code developed in C
, C++
, C#
has to be compiled into a portable executable or binary.
🗒️ Cross-compilation is the process of building on one platform a binary that will run on another platform.
Compiling
C
code is a necessary skill
📌 ExploitDB bin-sploits - useful for pre-compiled binaries
e.g. of Windows and Linux exploit code compiling
Tools:
Windows
Download the VLC exploit or use
searchsploit
Compile the
C
exploitcheck for comments in the code regarding the compilation commands
Linux
Download the DirtyCow exploit or use
searchsploit
Compile the
C
exploitcheck for comments in the code regarding the compilation commands to compile it successfully
Bind & Reverse Shells
Netcat
nc
- a network utility used for a variety of tasks associated with TCP/UDP.
Client mode - used for connection to any TCP/UDP port or to a listener
Server Mode - used as a listener for connection from clients on a specific port
Functionalities:
open TCP connections, listen on TCP or UDP ports
Banner grabbing, Port scanning, Files transferring
Bind/Reverse shells
🔬 Some HFS Lab commands
Setup a listener:
Transfer
nc.exe
to the windows target
Setup a listener on the attacker machine
Transfer files with
nc
Bind Shells
🗒️ Bind Shell - a remote shell where the attacker connects to the listener running on the target system and execute commands on the target system.
Bind shells issues:
Must have access to the target system
Inbound traffic can be blocked by a firewall, it is very suspect
A
netcat
listener must be configured on the target system to execute:cmd.exe
- Windows/bin/bash
- Linux
🔬 Same lab as above (IPs might change)
Once uploaded the
nc.exe
on the target system, proceed with the bind shell
Reverse Shells
🗒️ Reverse Shell - a remote shell where the target connects to a listener running on the attacker's system (e.g.
Metasploit Meterpreter).
Reverse shells advantages:
The connection can be initialized without
netcat
tooOutgoing traffic may not be blocked by firewalls
Reverse shells issues:
used exploit have to know the attacker's IP
the attacker's IP can be logged as malicious or present in the exploit file
Reverse Shell without Netcat
📌 PayloadsAllTheThings - Reverse Shell Cheatsheet
Examples of Reverse Shell with different code (bash, Python, Powershell, PHP, etc)
e.g.
Exploitation Frameworks
The Metasploit Framework
Focus on the Exploitation phase
Modular
MSF turns the exploit code into a module, using the
Ruby
programming language
🔬 Check the Workflow Platform Lab here
Empire
- PowerShell post-exploitation framework for Win, Linux and macOS
Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers. The Empire server is written in Python 3 and is modular to allow operator flexibility. Empire comes built-in with a client that can be used remotely to access the server. There is also a GUI available for remotely accessing the Empire server, Starkiller.
PowerShell-Empire is primarily designed for Windows targets
Starkiller
- GUI frontend forPowerShell-Empire
🔬 Home Lab based on a Kali Linux attacker VM and Win7 target VM with IP
192.168.31.131
In another terminal tab
Open Starkiller
http://localhost:1337/index.html#/
Credentials:
empireadmin
:password123
Run the
csharpserver
Create a
http
listener to receive the reverse connection from the target systemGenerate a Stager with
windows_csharp_exe
typeActions - Download the
Sharpire.exe
stager
Back on the Starkiller Agents page, check for the active agent
Back in the Empire terminal session
Windows Black Box Exploitation
🗒️ Black Box penetration test - security assessment conducted without any internal system or network knowledge.
The pentester act like an external unprivileged hacker from outside the network
No information about the target system
Typical Black Box Methodology:
Host discovery ➡️ Port Scanning ➡️ Enumeration
Vulnerability detection
Exploitation ➡️ Manual/Automated
Post Exploitation - PrivEsc ➡️ Persistence ➡️ Dumping Hashes
e.g.
Scenario
Penetration Test to gain access and exploit a Win Server 2008 host.
Scope
Identify running and vulnerable services on the target
Exploit the vulnerabilities to obtain a foothold
🔬 The techniques will be covered in the dedicated Win Black Box Pentest Lab here. This is a lab containing a Metasploitable3 target.
Identify easily exploitable services
Pick the target as efficiently as possible
Time is a factor
Linux Black Box Exploitation
Scenario
Penetration Test to gain access and exploit a Linux server host.
Scope
Identify running and vulnerable services on the target
Exploit the vulnerabilities to obtain a foothold and gain access to the system
🔬 The techniques will be covered in the dedicated Linux Black Box Pentest Lab here. This is a lab containing a Metasploitable2 target.
AV Evasion & Obfuscation
🗒️ Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. (MITRE)
Antivirus detection methods can be classified as follows:
Signature based detection
A signature is a static unique sequence of bytes of known malware, created using essential elements of an analyzed file. The AV comes with a signature database
Heuristic base detection
Statically examine files for suspicious specific characteristics, relying on rules to determine a malicious binary
Behavior based detection
Monitor malware for suspicious behavior
On-disk Evasion techniques
Obfuscation - The act of hiding anything crucial, useful, or vital. Code is reorganized through obfuscation to make it more difficult to decipher or reverse engineer.
Encoding - The process of transforming data into a new format using an encoding strategy. Data can be encoded to a new format and then decoded back to its original format since encoding is a reversible operation.
Packing - Generate executables with updated binary structures, lower in size and a new payload's signature.
Crypters - Encrypts payloads, then the encrypted code is decrypted in memory. The decryption key is typically kept in a stub. (ransomware)
In-memory Evasion techniques
Memory manipulation rather than writing files to disk
Payload is injected into a process, then executed in memory in a separate thread
Shellter
- dynamic shellcode injection tool and dynamic PE (Portable Executable) infector ever created.
Uses a unique dynamic approach based on the execution flow of the target app
Takes advantage of the original structure of the PE file
Supports any 32-bit payload (generated either by metasploit or custom ones by the user)
Portable
Compatible with Windows x86/x64 (XP SP3 and above) & Wine/CrossOver for Linux/Mac
🔬 Home lab with Kali Linux and Win7 VMs
Shellter Kali Linux Installation:
Execute an
exe
file on Linux
Inject the shellcode into
/usr/share/windows-binaries/vncviewer.exe
file after copying it to a folder
In the
SHELLTER
windows, chooseA
for automaticPE Target:
/home/kali/certs/ejpt/AVBypass/vncviewer.exe
Stealth Mode:
Y
=vncviewer
will function as normal and the shellcode will be executed in the backgroundPayload:
L
-1
LHOST: Attacker's IP -
192.168.31.128
LPORT:
1234
Now the
/home/kali/certs/ejpt/AVBypass/vncviewer.exe
file has been replaced by the Shellter generated malicious executableCopy the
vncviewer.exe
file to the target machine
Run the
vncviewer.exe
file and chheck themsfconsole
Meterpreter session
PowerShell Code Obfuscation
Invoke-Obfuscation
- a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
🔬 Home lab with Kali Linux and Win7 VMs
Kali Linux install PowerShell
Run
pwsh
Create the reverse PowerShell script in a new file
PowerShell Reverse Shell code will be
Back in
Invoke-Obfuscation
Obfuscated code is:
Run the
obfuscated.ps1
file on the Win10 VMBack on the Kali VM check the PowerShell reverse shell
Last updated