Previously I talked about enumeration being the most important stage of any penetration test. Building on this, my opinion is that the next most important stage of a penetration test is post exploitation.
Simply running an exploit and gaining access or a shell on a system can be valuable, but finding out what you can do after that is even more so. In this section, I will cover the types of information and access you can attempt to gain in post exploitation and some of the ways you could do so. I will also explain why these post exploitation steps would be valuable for a customer (or for a hacker!)
Before that, I’ll mention a poignant note in Georgia’s book about post exploitation regarding the importance of recording changes and undoing them before ending the penetration test. Otherwise, you run the risk of leaving the customers environment even more vulnerable than before the penetration test began!
Local files and directories can be uploaded to the exploited machine using the upload command. These files uploaded to the remote machine can then be accessed for later use, potentially as part of further exploits.
For example, Netcat can be uploaded to scan the remote machine and used to gain information about other machines and ports on the network.
The natural opposite of uploading files, downloading files to the local system means the information contained within them can be examined at a later time.
Two commands that can achieve this are wget and curl.
Using metasploit scripts or by manually uploading them, scripts can be executed on the remote machine to further exploit vulnerabilities or retrieve additional information.
Various exploits can be run on the remote system to gain additional control of the system. For example, compromising a user account and escalating it’s privileges to an admin account provides greater access to the system. Successful privilege escalations are valuable as they prove that user accounts with perceived “limited access” may not be so limited after all.
Privilege escalation can be done using metasploit modules. First, find out the type of system using getsystem for Windows and lsb_release -a for Linux. With the information gathered you can then search metasploit for modules and exploits that are likely to be effective.
Bash scripts can be created and run on the remote machines, often as part of bigger exploits such as privilege escalation described above.
Bash scripts start their syntax with #!/bin/bash
Key logging gathers the keystrokes and compiles them to a file for further examination. This effectively means the logged in user will inadvertently give the attacker various credentials by inputting the key sequence at some point during their session.
To use keylogging on a meterpreter session, enter keyscan_start to begin key logging, and keyscan_dump to see what keystrokes were logged.
An extremely well known example of key logging is the activation of the target machines webcam, to capture videos and photos of the target machines user.
The ability to gather username and passwords, especially for other users is extremely valuable for exposing security flaws in a system. Gathering either plaintext passwords or password hashes are two ways user credentials can be obtained.
In metasploit, there is a post exploitation module found in post/windows/gather/credentials that can be used to gather this information.
Gaining access to one system may not always be useful. But, if you can use that system to gain access to additional systems then it can be. Lateral movement is the act of turning access to one system into access to many. If privilege escalation is gaining more access vertically, then lateral movement is gaining more access horizontally.
Two interesting ways to do this are using methods known as pass the hash and token impersonation.
pass the hash – when passwords are hashed, it may be too difficult to crack it and gain the plaintext password. However, it could be possible to gain a dump of the hashes using hashdump and use these hashes as authentication in place of passwords. Because the remote system stores the hash of the passwords, if the corresponding hash is sent for authentication the system may assume you also have access to the correct plain text password. In this instance, the strength of the password hash works against the system as it tricks itself into thinking that the correct hash = the correct password.
token impersonation – Tokens are primarily used for access control, by issuing a token for a users session after successful authentication. These tokens typically persist until the system is shut down, meaning they can be stolen and used to gain the privileges of that user.
Incognito is a tool that can be used to steal the token from a user.
Expanding on the idea of escalation and movement, pivoting refers to using system access to gain access on another network entirely.
One way this can be done is via routing, where the compromised system is used as an intermediary to explore the second network. All traffic from the local machine can then be routed through the compromised system to the new target network.
A route in metasploit can be added using the command route add network <subnet mask> <session id>
Persistence and Backdoors
Once a vulnerability has been exploited and access has been gained on a system, it is a good idea to set up a way to regain the same access without having to go through the entire penetration process from scratch. This is called persistence, making sure the exploit is future proofed and access persists for later use.
There are several ways to ensure persistence, ranging from adding a user to advanced kernel-level rootkits that act as backdoors into the system. Overall, the goal remains the same; to ensure the exploit is sustained throughout multiple iterations of access.
I only scratched the surface when it comes to post exploitation. There are countless more interesting tools and techniques available that can be used to further leverage an exploited system. However, as my focus is on the OSCP exam I decided not to go into too much depth on this section, despite how interesting it is.
Next week, I’ll start to finish off the rest of Georgia’s book with an initial focus on client side attacks.
2 thoughts on “OSCP Prep – Episode 10: Exploits (Part 2)”
Great post again, are you working through Georgina’s book before signing up to OSCP? Another blog you may like to read, http://offsecnewbie.com. Like yourself documenting their journey through OSCP and sharing tips and thoughts.
Thank you! Yes, I am finishing up her book now and plan to write a book review soon. I haven’t decided on an exact date on when I want to start the PwK/OSCP course yet, I think it’s a case of there being no such thing as over prepared and I want to feel confident when I begin (especially since I am still a novice).
Thanks for the link to the other blog, he/she is going through a very similar learning process to mine but is much further along in the journey! Some great insights in there for sure 🙂