José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
Transcript of José Selvi - Unprivileged Network Post-Exploitation [RootedCON 2011]
Page 1: Unprivileged Network Post-Exploitation
Page 2: $ whois jselvi
Jose Selvi
Ethical Hacking & Pentesting
S21sec (http://www.s21sec.com)
Pentester.Es (http://www.pentester.es)
Page 3: Contents
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 4: Post-Exploitation
Pipeline: RECON -> PORTSCAN -> VULNSCAN -> EXPLOIT -> POST-EXPLOIT
Page 5: Post-Exploitation
- Privilege Escalation
- Password Cracking
- Pass-the-Hash
- Sniffing
- Backdoors
- Pivoting
- Information Gathering
Page 6: Contents (section: Unprivileged Access)
- Post-Exploitation
- Unprivileged Access
- Relaying Clásico
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 7: Privileges
Privileges      | Users
Full control    | root / SYSTEM
Administrator   | root / Administrator
Standard user   | www-data / jselvi
Guest           | Guest
Page 8: Operating Systems
Diagram (layers): Hardware; Operating System; App1, App2, App3; UserA, UserB
Page 9: Exploitation
Diagram: Exploit -> Process (running as UserA) -> ShellCode
Page 10: Unprivileged Access
We can:
- Read/write SOME files
- Run SOME binaries
- Open network connections
We can NOT:
- Access memory
- Access password files
- Access the network card
Page 11: Post-Exploitation (* = feasible without privileges)
- Privilege Escalation
- Password Cracking
- Pass-the-Hash
- Sniffing
- Backdoors *
- Pivoting
- Information Gathering *
Page 12: Contents (section: Classic Relaying)
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 13: Classic Relaying
Concept:
- Act as a "gateway" between two network connections
Tools:
- NetCat
- /dev/tcp
Page 14: Classic Relaying
Diagram: ATTACKER -> TARGET1 (NC) -> TARGET2 (SSH)
Page 15: Classic Relaying
Same diagram, with a second NC instance
Page 16: NetCat
Hobbit, 1996
- http://nc110.sourceforge.net/
- # aptitude install netcat
Nicknamed "the Swiss Army knife"
Versions: Unix, Windows and MacOS
TCP/UDP connections
Page 17: NetCat Linux
Diagram: HOST A -> NC | PIPE | NC -> HOST B
A named pipe carries the return direction, since a plain shell pipe is one-way:

```sh
$ mknod pipe p
$ nc -l -p 2222 0<pipe | nc hostb 22 1>pipe
```

Page 18: NetCat Windows
Diagram: HOST A -> NC | NC -> HOST B
The -e option hands each accepted connection to a batch file that opens the second leg:

```bat
> echo nc.exe hostb 22 > relay.bat
> nc.exe -L -p 2222 -e relay.bat
```
Page 19: NetCat Limitations
Not persistent
- Exits once the connection closes
- Shell loop -> not very effective
Single-threaded
- Only one connection at a time
Not well maintained
Requires uploading the binary
Page 20: Contents (section: Relaying 2.0)
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 21: Relaying 2.0
Improvements:
- Encryption, persistence, multithreading
Tools:
- Socat
- Cryptcat
- Ncat
- Meterpreter
Page 22: Ncat
Fyodor, 2009
- http://nmap.org/ncat/
- # aptitude install nmap
Part of the Nmap suite
Versions: Unix, Windows and MacOS
TCP/UDP connections
Page 23: Ncat
Diagram: HOST A -> NC | NC -> HOST B

```sh
$ ncat -l 2222 --sh-exec "ncat hostb 22"
```

Page 24: Advantages and Limitations
Advantages:
- Persistent
- Multithreaded
- Convenient syntax
Limitations:
- Not very portable
- Requires uploading the binary
Page 25: Meterpreter
Metasploit Framework payload
- http://www.metasploit.com
Versions: Windows, Linux, BSD, ...
Complete post-exploitation suite
Pivoting:
- Route
- Portfwd
Page 26: Meterpreter Route
Diagram: MSF -> FW -> Host A (M = Meterpreter session), Host B, Host C
Page 27: Advantages and Limitations
Advantages:
- Automatically gives access to the whole network
- No binaries to upload
Limitations:
- Only works inside MSF
- External tools cannot be used
Page 28: Meterpreter Portfwd
Diagram: MSF -> FW -> Host A (M = Meterpreter session), Host B, Host C
Page 29: Advantages and Limitations
Advantages:
- External tools can be used
- No binaries to upload
Limitations:
- Has to be configured port by port
- Requires network discovery
Page 30: Contents (section: Route + Socks4a)
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 31: Route + Socks4a
Diagram: NMAP -> Socks4 (MSF) -> FW -> Host A (M = Meterpreter session), Host B, Host C
Page 32: ProxyChains

```
# tail -1 /etc/proxychains.conf
socks4 127.0.0.1 1080
# proxychains nmap 172.16.146.148
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-02-27 14:27
nexthost: failed to determine route to 172.16.146.148
QUITTING!
# proxychains nmap -PN -sT --max-retries 1 172.16.146.148
```

Page 33: Advantages and Limitations
Advantages:
- No mapping required
- External tools can be used
- No binaries to upload
- No privileges required
Limitations:
- Slow for discovery and port scanning
- Fails when there are many connections
Page 34: Contents (section: Multi-Relaying)
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 35: Unprivileged Access
We can:
- Read/write SOME files
- Run SOME binaries
- Open network connections
We can NOT:
- Access memory
- Access password files
- Access the network card
Page 36: Requirements
We can run SOME binaries
- Tools that do not require privileges
- Tools built into the OS
We can open network connections
- Ping, Telnet, Ftp, Relay
Multi-version
Multi-language
Multi-platform
Page 37: MultiRelay Phases
1. Discovery
- Ideal: ARP scan (requires privileges)
- Real: Command Line Kung Fu...
2. PortScan
- Ideal: SYN scan (requires privileges)
- Real: Command Line Kung Fu...
3. Relaying
- Cannot be done with built-in tools
Page 38: Command Line Kung Fu
Page 39: Discovery Fu
#NET# is a placeholder for the network prefix that the scripts substitute before running the one-liner. Each host is pinged once, then the ARP cache is checked for an entry with a real MAC address.
Windows:

```bat
FOR /L %i in (1,1,255) do @ping #NET#.%i -w 1 -n 1 > NUL & arp -a | find /V "00-00-00-00-00-00" | find " #NET#.%i "
```

Linux:

```sh
for i in `seq 1 255`; do ping -c 1 #NET#.$i > /dev/null ; /usr/sbin/arp -a | grep "(#NET#.$i)" | egrep "[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+" ; done
```
Page 40: PortScan Fu
#IP# and #PORTS# are placeholders the scripts substitute before running the snippet.
Windows:

```bat
FOR %i in (#PORTS#) do @netsh.exe diag connect iphost #IP# %i | find "[%i]"
```

Linux (background ftp clients open the connections; netstat then lists the ports that answered):

```sh
PPID=$$   # unused; note that PPID is a read-only variable in bash
for i in #PORTS#
do
  ftp #IP# $i 1>/dev/null 2>/dev/null &
done
netstat -n | grep " #IP#:" | cut -d':' -f 3 | cut -d' ' -f 1 | sort | uniq
killall ftp 1>/dev/null 2>/dev/null
exit
```
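From the defender's side, the Discovery Fu and PortScan Fu loops above leave a recognisable footprint: one source touching many hosts over ICMP within seconds, then many ports on a single host. The detector below is an added example, not part of the talk or the MultiRelay tool; its flow-log format, thresholds, window and the constructed sample log are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)

def parse_flow(line):
    """One flow record (assumed format): '<iso-timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)

def detect_recon(lines, sweep_hosts=16, scan_ports=10, window=WINDOW):
    """Return sorted (kind, src, target) alerts.
    'sweep':    src reached >= sweep_hosts distinct hosts over ICMP inside the window
                (the sequential ping loop of the Discovery slide)
    'portscan': src touched >= scan_ports distinct ports on one host inside the window
                (the background ftp / netsh connect loop of the PortScan slide)"""
    icmp = defaultdict(deque)   # src -> (ts, dst) records still inside the window
    tcp = defaultdict(deque)    # (src, dst) -> (ts, dport) records still inside the window
    alerts = set()
    for line in sorted(l for l in lines if l.strip()):   # ISO timestamps sort lexically
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "icmp":
            q, key = icmp[src], dst
        elif proto == "tcp":
            q, key = tcp[(src, dst)], dport
        else:
            continue
        q.append((ts, key))
        while ts - q[0][0] > window:          # slide the window forward
            q.popleft()
        distinct = len({k for _, k in q})
        if proto == "icmp" and distinct >= sweep_hosts:
            alerts.add(("sweep", src, dst.rsplit(".", 1)[0] + ".0/24"))
        elif proto == "tcp" and distinct >= scan_ports:
            alerts.add(("portscan", src, dst))
    return sorted(alerts)

def constructed_sample():
    """Constructed flow log (not captured from the talk's demo)."""
    base = datetime(2011, 2, 27, 14, 27, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{t(i)} 10.0.0.5 172.16.146.{i} icmp 0" for i in range(1, 41)]   # ping -c 1 loop
    ports = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389, 8080]
    lines += [f"{t(60 + j)} 10.0.0.5 172.16.146.148 tcp {p}" for j, p in enumerate(ports)]
    lines += [f"{t(5 * i)} 10.0.0.9 172.16.146.{h} icmp 0" for i, h in enumerate((10, 20, 30))]  # monitoring
    lines.append(f"{t(0)} 10.0.0.7 172.16.146.148 tcp 443")   # one ordinary client
    return lines

if __name__ == "__main__":
    for alert in detect_recon(constructed_sample()):
        print(*alert)
```

The monitoring host that pings three servers and the single HTTPS client stay below the thresholds; only the sweeping source produces alerts.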
Page 41: Relaying
Brings up an interface for each discovered IP
- MSF on Linux, running as root
Meterpreter -> Script (Ruby) & API
- Multi-platform
Meterpreter -> portfwd
- Available on more and more platforms
Tunnels through the Meterpreter session
Modular: swap in different scripts
Page 42: Meterpreter Scripts
Diagram: MSF <-> Meterpreter; the multirelay script drives landiscovery, portscan, portfwd and ifconfig
Page 43: Final Scenario
Diagram: MSF (interfaces A, B, C) -> FW -> Host A (M = Meterpreter session), Host B, Host C
Page 44: landiscovery.rb (source listing shown on the slide; not transcribed)
Page 45: portscan.rb (source listing shown on the slide; not transcribed)
Page 46: multirelay.rb (source listing shown on the slide; not transcribed)
Page 47: DEMO MultiRelay
Page 48: Demo setup
Diagram: MSF -> FW -> WIN, LIN
Page 49: Advantages and Limitations
Advantages:
- Automatic mapping
- External tools can be used
- No binaries to upload
- No privileges required
Limitations:
- Does not detect newly opened ports
- Requires local Discovery and PortScan
Page 50: Contents (section: ToDo)
- Post-Exploitation
- Unprivileged Access
- Classic Relaying
- Relaying 2.0
- Route + Socks4a
- Multi-Relaying
- ToDo
Page 51: ToDo
- Improve the Ruby code
- Improve the "Command Line Kung Fu"
- Develop new, more efficient Discovery and PortScan modules
- Errors when TargetLAN = LocalLAN
- Wait for Meterpreter improvements...
- Combine with Socks4a?
Page 52: MultiRelay Fact Sheet
Author: Jose Selvi
Version 0.1: March 2011
Download:
- http://tools.pentester.es
- http://www.pentester.es
Maybe later... MSF?
Page 53: THANKS!
Jose Selvi
http://twitter.com/JoseSelvi
[email protected] - http://www.s21sec.com
[email protected] - http://www.pentester.es