Everyone does things differently, and explaining what goes through an attacker's head when they get a shell is virtually impossible, even more so to generalize into a methodology. Still, I've tried to do that with the "3 'P's of Post Exploitation". They are in a certain order for a reason, but circumstance ultimately decides which order is best. The first P is Presence. It comes first because the attacker needs to get a sense of what they have got before moving on.
Submitted it to MSF via pull request here: https://github.com/rapid7/metasploit-framework/pull/538 Added to trunk: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/tcpnetstat.rb I promised this one a while ago, sorry for the delay. This only does TCP; it'd be trivial to do UDP as well, but I never really found anything interesting actively going on on the UDP side. It's real simple. First we've gotta add the GetTcpTable function to railgun: session.railgun.add_function('iphlpapi', 'GetTcpTable', 'DWORD', [ ['PBLOB', 'pTcpTable', 'out'], ['PDWORD', 'pdwSize', 'inout'], ['BOOL', 'bOrder', 'in'] ]) Then gauge the size of the table:
Was messing with the Windows service binaries in Metasploit today and I noticed something unique I hadn't noticed before. For the PSEXEC module, the service name (actually just the display name; the 'service name' is random) always started with an uppercase 'M'. Curious as to why that was, I looked and found line 246 of the PSEXEC module to be the culprit: I can guess why the M is there. Might be just a quirk with old Windows versions that didn't allow lowercase service names, not sure.
Penetration Testing / Red Teaming requires the use of a lot of tools. I don't mind getting called a "script kiddie", because I can accomplish more, and faster, when I don't have to code every single task I need to do. This post is to point out the companies that make this possible and give a small bit of thanks. (If you've ever tried to convince a company to give something away for free, you can understand how big this really is.) Some give a lot, some only one tool, but even one is more than some.
One of the powers of Metasploit is its ability to stay memory resident. Through the use of reflective DLL injection, even new functionality the attacker loads never touches disk. Well, the first thing I wanted to do with Mimikatz was get it to that same level. Here is my first step to that end: a railgun-based Meterpreter script. Before going all reflective with it, I needed to understand how the DLL worked.
I found a number of things interesting when reading the following post: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/ Too bad that nmap's interactive mode was taken out, but there are a great number of other such methods, most notably vi's shell mode. But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting feature of that file. Near the end of the file there are two lines:
If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it's a "Full Web Stack with No Browser Required"; basically, it's a GUI-less browser. One of the magical "example" files that it ships with is called "rasterize.js". Rasterize.js essentially renders a URL, screenshots it and gives it to you in a number of different formats. Here's its usage: Usage: rasterize.js URL filename [paperwidth*paperheight|paperformat] paper (pdf output) examples: "5in*7.5in", "10cm*20cm", "A4", "Letter" PhantomJS is sweet for sweeping a ton of IPs and suspected HTTP/S sites and then looking through a gallery of them to start figuring out which looks the most interesting… and we are going to do essentially just that, except from a victim machine.
At CCDC, Sticky Keys via RDP was a very successful re-entry point for the Red Team. You can read more about how this works here: http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html So if you can get physical access or SYSTEM/Admin access at some point, and can enable and reach RDP, you can very easily follow those instructions and gain a level of persistence without the need of a pesky password :-) However, this doesn't work so well with the advent of NLA, or Network Level Authentication, which was enabled for Vista systems and beyond.
@egypt and I have teamed up this year to teach at DerbyCon at the end of September. Here is the very basic outline of the class (subject to change): (Sign up here: https://www.derbycon.com/training-courses/ ) THURSDAY Intro to the Framework The history of the Framework Ninja Demo Usage Recon Exploitation Pillaging Post modules Intro to Ruby Getting your environment set up Ruby Basics Strings, Arrays, and Methods oh my IRB, Pry - The No-Spoon Portion Navigating Documentation Module Writing Auxiliary Modules Exploit Modules Post Modules Railgun (Windows and ?
If you haven't heard already about Jasager... well, you probably don't read this blog. But for those who want to know a bit more about the history of Jasager - Karma on the Fon, where the project is now, and where it's headed, buckle up and hang on while we first travel down memory lane. History: The time was ShmooCon 2006. It was my very first "HACKER" convention. I was there with my buddies from Hak5 and SploitCast.