Tips for an Information Security Analyst/Pentester career - Ep. 46: Post-exploitation (pt. 2)

In this post, we'll keep analyzing post-exploitation tools and techniques.



a) Recording keystrokes

We can start a keylogger on the victim machine with the Meterpreter command keyscan_start.

Anything typed on the victim machine from then on is logged, and we can view it with keyscan_dump.


b) Grabbing SCP credentials

Our Windows XP target has WinSCP installed, a Windows client for Secure Copy (SCP), a UNIX file-transfer protocol that runs over SSH on TCP port 22.

We purposely saved the password in the program settings (something the software itself advises against) and, thanks to the post/windows/gather/credentials/winscp post-exploitation module, we're able to grab the credentials and successfully copy files from XP to Ubuntu.
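The mitigation for this section is simply not to leave a password in WinSCP's saved sites. The following audit script is an added example, not code from the original post or from WinSCP: it reads a WinSCP.ini, walks the `[Sessions\<name>]` sections WinSCP uses for saved sites, and reports every site that carries a `Password` key (the value is never printed or decoded). The INI text embedded below is constructed for the demo, and its `Password` value is a dummy rather than a real WinSCP-encoded string.

```python
"""Audit a WinSCP.ini for saved sessions that store a password.

Added example for this post, not code from the original write-up or from
WinSCP. WinSCP saves sites as one [Sessions\\<name>] INI section each; a
Password key in that section means the credential sits on disk in WinSCP's
reversible obfuscation, which is what the winscp gather module harvests.
The INI text below is constructed for the demo (the Password value is a
dummy, not a real WinSCP-encoded string).
"""
import configparser
from urllib.parse import unquote


SAMPLE_WINSCP_INI = r"""
[Configuration]
LastStoredSession=ubuntu

[Sessions\ubuntu]
HostName=192.168.56.102
PortNumber=22
UserName=georgia
Password=A35C755D6E3A1F

[Sessions\backup%20server]
HostName=backup.example.invalid
PortNumber=22
UserName=svc_backup
PublicKeyFile=C:%5CUsers%5Cgeorgia%5Ckeys%5Cbackup.ppk
"""


def sessions_with_stored_passwords(ini_text):
    """Return (site name, user, host) for every saved session carrying a Password key.

    Only the presence of the key is reported; the stored value is never
    printed or decoded.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep WinSCP's key casing (Password, UserName, ...)
    parser.read_string(ini_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith("Sessions\\"):
            continue
        entry = parser[section]
        if "Password" in entry:
            site = unquote(section.split("\\", 1)[1])  # WinSCP URL-encodes site names
            flagged.append((site, entry.get("UserName", ""), entry.get("HostName", "")))
    return flagged


def audit_winscp_ini(path):
    """Read a real WinSCP.ini from disk and run the same check."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sessions_with_stored_passwords(fh.read())


if __name__ == "__main__":
    for site, user, host in sessions_with_stored_passwords(SAMPLE_WINSCP_INI):
        print(f"stored password: site={site!r} user={user} host={host}")
```

Run `audit_winscp_ini(r"C:\Users\<user>\AppData\Roaming\WinSCP.ini")` (path is the usual per-user location; adjust for your install) on a workstation to get the list of sites to fix. Any site it reports should be switched to key-based authentication or re-saved without the password, and the password itself rotated, since it has to be assumed recoverable by anyone who could read the file.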


c) Analyzing bash command history

In the previous post, we had gotten a reverse shell from Ubuntu by using a public exploit.

As we're still connected as root, we can analyze the bash command history for user georgia, located under /home/georgia/.bash_history.

We notice a very interesting line: Georgia was kind enough to type her password on the command line, so it was recorded in her history.

We could have saved some time in the previous post, but nothing you learn along the way is wasted time anyway.
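The defender-side counterpart of this history review is to find such lines before anyone else does. The script below is an added example, not code from the original post: it scans shell-history lines for patterns that typically embed a secret on the command line and reports the line number, a label and the command name (never the secret itself), so the entries can be deleted and the passwords rotated. The pattern list is this example's own choice and is not exhaustive; the sample history is constructed for the demo.

```python
"""Audit shell history for commands that carried a credential inline.

Added example for this post, not code from the original write-up. The
pattern list is an assumption of this example (not exhaustive) and the
sample history is constructed for the demo.
"""
import re

CREDENTIAL_PATTERNS = [
    (re.compile(r"\bsshpass\s+-p\s*\S+"), "sshpass inline password"),
    (re.compile(r"\bmysql\b.*\s-p\S+"), "mysql inline password"),
    (re.compile(r"\becho\s+\S+\s*\|\s*(?:sudo\s+)?passwd\b"), "password piped to passwd"),
    (re.compile(r"\bcurl\b.*\s-u\s*\S+:\S+"), "curl basic-auth credentials"),
    (re.compile(r"://[^/\s:@]+:[^@\s]+@"), "credentials embedded in a URL"),
    (re.compile(r"\b(?:export\s+)?\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=\S+", re.I),
     "secret in an environment assignment"),
]

# Constructed .bash_history content for the demo; nothing here is real.
SAMPLE_HISTORY = """\
ls -la
cd /var/www
mysql -u georgia -pSuperSecret123 shopdb
sshpass -p 'Hunter2!' ssh georgia@10.0.0.5
export API_TOKEN=abcd1234
git pull https://georgia:hunter2@example.invalid/repo.git
echo "newpass" | sudo passwd georgia
vim notes.txt
"""


def audit_history(lines):
    """Return (line_number, label, command) for each line matching a credential pattern.

    The command name is reported so the admin can locate the entry; the
    matched secret is deliberately not included in the finding.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        for pattern, label in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                tokens = line.split()
                findings.append((number, label, tokens[0] if tokens else ""))
                break  # one finding per line is enough
    return findings


def audit_history_file(path):
    """Run the audit over a real history file, e.g. /home/georgia/.bash_history."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_history(fh.read().splitlines())


if __name__ == "__main__":
    for number, label, command in audit_history(SAMPLE_HISTORY.splitlines()):
        print(f"line {number}: {label} ({command})")
```

Finding a line is only the first step: the password has to be rotated, because the history file may already have been read or backed up. To stop the problem recurring, bash users can set `HISTCONTROL=ignorespace` so commands typed with a leading space are not recorded, and tools that prompt for a password (or read it from a file with restricted permissions) should be preferred over passing it as an argument.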


d) Leveraging an SMB vulnerability

We can use the exploit/windows/smb/psexec module, which works like PsExec (part of Sysinternals' PsTools), to run arbitrary commands over SMB.
According to its official description, PsExec "is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems".

We need to configure a couple of parameters to make this work.

Analyzing the list of current processes with ps might reveal other ways to get in, through vulnerable services not uncovered by our initial Nmap scan.

For example, we can see a 3Com server process that is vulnerable to an attack, which we hadn't uncovered initially.
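From the blue-team side, both PsExec and the psexec module above leave a characteristic trace on the target: the Service Control Manager records a new service (System log event ID 7045). Sysinternals PsExec installs a service called PSEXESVC, while tools that mimic it typically copy their binary over the ADMIN$ share and register it under an arbitrary name, so the service binary path is the more robust signal. The detector below is an added example, not code from the original post or from Metasploit; the log lines it parses are a constructed key=value rendering of such events, not real exported logs, and every timestamp and name in them is made up.

```python
"""Flag PsExec-style service installs in Windows System log events.

Added example for this post, not code from the original write-up or from
Metasploit. The key=value log format, the timestamps and the service names
below are constructed for the demo.
"""
import re

SAMPLE_EVENTS = r"""
2019-03-10T14:02:11Z EventID=7045 Provider="Service Control Manager" ServiceName="Windows Update" ImagePath="C:\Windows\system32\svchost.exe -k netsvcs" Account="LocalSystem"
2019-03-10T14:05:40Z EventID=7045 Provider="Service Control Manager" ServiceName="PSEXESVC" ImagePath="%SystemRoot%\PSEXESVC.exe" Account="LocalSystem"
2019-03-10T14:06:02Z EventID=7045 Provider="Service Control Manager" ServiceName="hNqbAfYx" ImagePath="\\127.0.0.1\ADMIN$\pQwKdLmz.exe" Account="LocalSystem"
2019-03-10T14:07:00Z EventID=7036 Provider="Service Control Manager" ServiceName="PSEXESVC" ImagePath="" Account=""
"""

# key=value pairs; values may be double-quoted and contain spaces/backslashes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# UNC path to an administrative share, e.g. \\127.0.0.1\ADMIN$\x.exe or \\host\C$\...
ADMIN_SHARE_RE = re.compile(r'^\\\\[^\\]+\\(?:ADMIN|C)\$\\', re.IGNORECASE)


def parse_event(line):
    """Turn one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    fields["Timestamp"] = timestamp
    return fields


def classify_service_install(event):
    """Return a reason if a 7045 event looks like a PsExec-style install, else None."""
    if event.get("EventID") != "7045":
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return "default PsExec service name"
    if ADMIN_SHARE_RE.search(path):
        return "service binary loaded from an administrative share"
    return None


def find_psexec_installs(log_text):
    """Return (timestamp, service name, reason) for every suspicious 7045 event."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        reason = classify_service_install(event)
        if reason:
            hits.append((event["Timestamp"], event["ServiceName"], reason))
    return hits


if __name__ == "__main__":
    for timestamp, name, reason in find_psexec_installs(SAMPLE_EVENTS):
        print(f"{timestamp} service={name!r}: {reason}")
```

In practice the same two rules are applied to 7045 events collected centrally (or to Sysmon process-creation events for the service binary), with an allowlist of the service installs your software deployment legitimately produces to keep the alert volume manageable. The 7036 line in the sample shows why the event ID filter matters: the PSEXESVC name also appears in routine start/stop notifications, and only the install event marks the point at which remote execution began.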

e) Meterpreter extensions

Meterpreter ships with additional extensions that aren't loaded automatically when we get a session, but can be loaded manually with the load <extension_name> syntax.

1) incognito

Incognito lists all tokens available on the target system, allowing you to steal a token belonging to a specific user and impersonate that user.


2) mimikatz

Quoting Offensive Security, Mimikatz is "a great post-exploitation script tool (...), an attempt to bundle together some of the most useful tasks that attackers will want to perform (...) in order to get a firmer foothold on the computer/network".

Here we're using it to check whether any Kerberos passwords are held in plaintext and, lo and behold, we found some.


3) search tool

We can search the target machine for files matching specific keywords. I found a file called financial_information.txt, which I could easily have missed otherwise.


We'll continue analyzing post-exploitation tools and techniques in the coming posts, so stay tuned!
