Post-Exploitation and Merciless Pivoting
Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE "USER") AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware.

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including:

AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.
SEC560_4_C01_03
Post Exploitation & Merciless Pivoting
©2017 Ed Skoudis. All Rights Reserved | Version C01_03 | 1Q17
Welcome to SANS Security 560.4! In this session, we focus on post-exploitation and some pivoting, zooming in to techniques a penetration tester can apply after successfully exploiting a target environment. We start by looking into moving files and pillaging target systems for useful information. We then cover some useful Windows cmd.exe command-line techniques for controlling target machines and pilfering data on them.

Next, we apply what we've learned by covering methods for getting a target Windows machine to run commands on behalf of a penetration tester or ethical hacker. We cover some tried-and-true methods for doing this, like scheduling a job to run on the target. We'll also cover some less-known but powerful methods for making a remote machine run programs with local SYSTEM or admin privileges using the service controller and wmic commands. We complete our exploitation section with hands-on labs with these last two techniques.

Then, we cover Windows PowerShell for penetration testers, discussing many useful features of PowerShell and how they can be applied by penetration testers, especially during the post-exploitation phase of a penetration test.

Next, we turn our attention to password attacks, spending the rest of the day analyzing password guessing and gaining access to hashes. We go over numerous tips based on real-world experiences to help penetration testers and ethical hackers maximize the effectiveness of their password attacks. We cover one of the best automated password-guessing tools available today, THC Hydra, and run it against target machines to guess Windows SMB and Linux SSH passwords. We then zoom in on the password representation formats for most major operating systems, discussing methods for how to obtain those hashes from target machines using great tools such as the Meterpreter hash dumping capability and the mimikatz Kiwi tool, using each in a hands-on lab. We also look at some different kinds of pivots, building on our netcat relay discussion in 560.3, as well as using the msfconsole route pivoting technique.

That's a lot of material to cover, so let's begin.
TABLE OF CONTENTS (1)
Moving Files with Exploits .......... 4
Pilfering from Target Machines .......... 9
Windows Command Line Kung Fu for Penetration Testers
LAB: Windows Command-Line Challenges .......... 37
Making Windows Run Commands Remotely .......... 49
LAB: Running Commands with sc and wmic .......... 61
PowerShell Kung Fu for Penetration Testers .......... 73
LAB: PowerShell for Post-Exploitation Challenges .......... 95
Password Attacks: Motivation and Definitions
Password Attack Tips
Dealing with Account Lockout .......... 120
SEC560 | Network Penetration Testing and Ethical Hacking

Here is our table of contents, showing each topic and lab we cover in 560.4.
Here is the rest of our table of contents, showing each topic and lab we cover in 560.4.
Course Roadmap
- Pen Test Planning
- Recon
- Scanning
- Exploitation
- Post-Exploitation and Merciless Pivoting
- Password Attacks
- Web App Attacks

This session (Post-Exploitation and Merciless Pivoting):
- Moving Files with Exploits
- Pilfering from Target Machines
- Windows Command Line Kung Fu for Pen Testers
  > LAB: cmd.exe Challenges
- Making Win Run Commands
  > LAB: sc and wmic
- PowerShell Kung Fu for Pen Testers
  > LAB: PowerShell Post-Exploitation Challenges
After initial exploitation occurs, penetration testers or ethical hackers often want to move files to or from the target machine that they have exploited. The files moved to a target could include tools to analyze that target in more detail or to use it as a jump-off point to find and exploit other vulnerable systems. The files moved from a target may include sensitive documents that are part of the overall goal of a penetration test or ethical hacking project.

A tester has many options for moving files to or from a system depending on the circumstances of the test and the target system. In this section, we explore the various options for moving files to and from exploited target machines.
Moving Files to a Target: Push versus Pull
- Depending on the access the tester has to the target, he or she may
  - Push files to a target
    [Diagram: the tester pushes the file straight to the target machine; the firewall allows the inbound connection]
  - Have the target pull files back in
    [Diagram: the firewall blocks some inbound traffic; the tester uses an existing command channel to make the target machine pull the file from the tester's box]
When exploiting machines, you frequently want to put files onto a machine or take them off of the system. You can either push files to a target or pull them from it, as illustrated on the slide. The tester chooses the method for transferring files based on several factors:
- Whether moving files to or from the target is allowed by the project's Rules of Engagement
- The protocols that are allowed inbound and outbound between the tester and the target system, including network firewalls, network-based Intrusion Prevention Systems (IPSs), router ACLs, and local port filters or firewalls on the target
- The software installed on the target machine, especially software associated with file transfer
- The kind of exploit the tester has used and how it integrates with file transfer functionality

If a firewall allows inbound traffic, you may just push a file to the target. If only limited inbound traffic is allowed, you may compromise a target to establish a command channel. You then issue commands to direct the target machine to pull the file from the tester's box.

The images in the slide are focused on moving a file to the target. Alternatively, the tester may want to get a file from a target. The same two options are available. You could try to pull the file from the target directly or issue commands to have the target push the file back to the tester's machine.
Moving Files to a Target: Using File Transfer Services
- Protocols and services designed to move files:
  - TFTP
    - Unauthenticated, UDP port 69
    - Most systems include a TFTP client
  - FTP
    - Common, uses TCP 20 (data) and TCP 21 (control) by default
    - Corrects text file anomalies between different systems
  - SCP, part of SSH suite
    - Encrypts data
    - Often allowed outbound, using TCP port 22 by default
    - Included on most Linux and UNIX machines by default
  - HTTP or HTTPS
    - Almost always allowed outbound on at least TCP 80 and 443
    - Even supports transfer through HTTP/HTTPS proxy
    - Command-line browser helpful, like wget, Lynx, HTTrack, or PowerShell's WebClient/wget
To move files to a target machine, testers could rely on various services and their associated protocols that are designed to transfer files. Some of the most common mechanisms used to move files during penetration tests and ethical hacking follow:
- TFTP (Trivial File Transfer Protocol): This stripped-down service moves files with no authentication between a tftp client and tftpd using UDP port 69. Note that on Windows Vista and later, the tftp.exe client is an optional Windows feature that is not installed by default, so check that it is present before relying on it.
- FTP: This familiar service conveniently moves files using two connections: an FTP data connection associated with TCP port 20 and an FTP control connection associated with TCP port 21. The server-side port 20 applies to active mode; in passive mode, which most clients use today, the data connection goes to an ephemeral port the server announces, which matters when a firewall sits between the tester and the target. FTP, when used in ASCII mode, corrects some issues with moving text files between different operating systems, as we'll discuss shortly.
- SCP (Secure Copy): This program is part of the Secure Shell (SSH) suite and transfers files using TCP port 22 by default. It is an ideal candidate for file transfer, given that a) it encrypts all authentication information and data in transit, b) most networks allow outbound SSH, and c) many Linux and UNIX systems have an scp client built in.
- HTTP or HTTPS: These protocols are almost always allowed outbound, using at least TCP ports 80 and 443. Even if they are sent through a web proxy, they can still be used to carry files. As testers, we often invoke text-based browsers on a compromised victim machine, using that browser to fetch files from the attacker system and moving them back onto the target machine. Some useful text-based browser-style programs include wget, Lynx, and HTTrack. Also, PowerShell includes the .NET WebClient class and (in Windows PowerShell 3.0 and later) a wget alias for Invoke-WebRequest to pull files, which we will use in an upcoming lab later in 560.4.
Moving Files to a Target: Additional Services and Protocols
- Additional services and protocols for moving files
  - Windows File Sharing: NetBIOS / SMB
    - It could be useful to have the target machine mount a share on the pen tester's box, provided that outbound SMB is allowed from target to pen tester
    - With this approach, you can have the target access files without pushing them onto the target's hard drive
  - NFS mounts
  - Netcat
    - Is it installed? If not, this is a chicken-and-egg problem
  - Others
    - Must have appropriate client and server installed
  [Diagram: the tester sends a "mount share" command to the target through a firewall that allows the traffic; the target mounts the tester's share and accesses or executes the file directly from it]
Some additional file transfer services used by testers also include:
- Windows file sharing: Of course, most Windows machines can use this means to move files across the NetBIOS and/or SMB protocols (NetBIOS over TCP/IP on TCP port 139, with UDP ports 137 and 138 for name and datagram services, or SMB directly over TCP port 445). Furthermore, Linux and UNIX machines support this kind of access using Samba, with commands such as smbclient, smbmount (replaced by mount -t cifs on current distributions), and the Samba daemon (smbd). It could be useful to have the target machine mount a share on the pen tester's box, provided that the network allows outbound SMB (or even NFS) access from the target to the pen tester's machine. With this approach, you can have the target system access files (such as scripts or executables) without pushing them onto the target's hard drive. Instead, the target just runs the given programs from their location on the mounted file share, giving the pen tester a much smaller footprint on the target machine.
- NFS (Network File System): This protocol is most commonly used to move files between UNIX/Linux systems, although there are also Windows NFS implementations. By default, it uses TCP and UDP port 2049, although it may involve other ports as well (the portmapper and mount daemon on older NFSv3 deployments, for instance).
- Netcat: Netcat can move files back and forth between systems (among other functions) using arbitrary TCP or UDP ports. Unfortunately, to use netcat to move a file, you first have to get the netcat executable on the target machine. If it's already there, the tester can start using it. If it is not, you have to move netcat's file first to use it to move additional files, resulting in a chicken-and-egg condition.

There are other mechanisms to move files as well, but these are the most common and popular.

Note that to use any of these mechanisms, the target machine must have the appropriate client or server software installed, and the attacker's machine must have the other side (server or client) installed.
Alternative Methods for File Transfer: Meterpreter, Paste, and Echo
- Metasploit Meterpreter upload and download functions can move and interact with files
    meterpreter > upload
    meterpreter > download
    meterpreter > cat
    meterpreter > edit
  - Opens file in your Linux system's default editor (usually vim)
  - Remember to use forward slashes (/) in file system paths (even on Windows)
- With a terminal session, you can copy and paste the contents of files
  - Might seem like a weak way to move a file, but it is handy and can work well
- Even with a limited shell, echo can enter lines
    $ echo "this is part of the file" >> file.txt
    C:\> echo this is part of the file >> file.txt
- Whatever it takes to get the file there
Beyond those traditional file transfer mechanisms, testers may also move files using less conventional means.

One helpful way to move files involves compromising a system using Metasploit to exploit some buffer overflow or other flaw, and then loading the Meterpreter as a payload. The Meterpreter, as we discussed earlier, is a small shell environment. In recent versions of Metasploit, the Meterpreter includes several built-in commands for moving files, including upload and download to send files to or from a compromised machine. The Meterpreter's cat command dumps a file to standard output on the screen. The edit command of the Meterpreter grabs the file and opens it in the default editor of your Linux machine, which is typically vim.

If the attacker has command shell terminal access on the target machine, another option for moving files is to invoke an editor, such as vi, emacs, pico, or another. Then, the attacker could simply cut and paste the contents of a file into the editor. Some people think that cut-and-paste is a cheat because it's too obvious and simple. But some hacks are elegant and others are not. Penetration testers and ethical hackers are often focused more on utility (does it work?) than elegance (is it pretty or clever?).

Even with a limited shell that doesn't implement a terminal, you can still create files by using the echo command to append things to a file, building a file line by line with >> redirects, as we covered earlier in our discussion of the terminal versus raw shell dilemma. For binaries, or for text containing quotes and other shell metacharacters, encode the file first (base64 works on both Linux and Windows), echo the encoded lines, decode on the target, and compare the result against a hash of the original: a single mangled line silently corrupts the file.
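The following script is an added example and is not part of the SANS courseware. It automates the echo-and-redirect technique described above and also solves the netcat chicken-and-egg problem from the previous slide: given a file on the tester's box, it emits the exact lines to paste into a raw shell on a Linux or Windows target, base64-encoded so binaries survive, and a replay function that stands in for a Linux target and verifies the rebuilt file byte for byte. It assumes base64, fold and cmp on the tester's Linux box, and base64 -d or certutil -decode on the target; the paths in the usage line are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not part of the SANS courseware): rebuild a file on a target
# through a limited, non-terminal shell using only echo and >> redirects.
# The file is base64-encoded first so binaries, quotes and non-printable
# bytes survive a raw shell, then decoded on the target with base64 -d
# (Linux) or certutil -decode (Windows). Assumes base64, fold and cmp on
# the tester's box; the usage line at the bottom uses hypothetical paths.
set -u

# gen_echo_script SRC DEST {linux|windows} [CHUNK]
# Prints the lines a tester pastes into the target's shell: first a truncate
# of the staging file (so a stale partial upload cannot corrupt the decode),
# then one echo per base64 chunk, then the decode command.
# DEST must not contain spaces; quote it yourself if it does.
gen_echo_script() {
    local src=$1 dest=$2 flavor=$3 chunk=${4:-76}
    local tmp="${dest}.b64" line
    case $flavor in
        linux)   printf ': > %s\n' "$tmp" ;;
        windows) printf 'type nul > %s\r\n' "$tmp" ;;
        *)       echo "unknown flavor: $flavor" >&2; return 2 ;;
    esac
    # The base64 alphabet (A-Z a-z 0-9 + / =) has no shell metacharacters,
    # so the chunks need no quoting on either platform. The "|| [ -n ... ]"
    # keeps the last chunk, which fold emits without a trailing newline.
    base64 "$src" | tr -d '\n' | fold -w "$chunk" |
    while IFS= read -r line || [ -n "$line" ]; do
        case $flavor in
            linux)   printf 'echo %s >> %s\n' "$line" "$tmp" ;;
            # cmd.exe: put the redirect first. With "echo ...1>>file" cmd.exe
            # would read a chunk ending in a digit as a file-handle number.
            windows) printf '>>%s echo %s\r\n' "$tmp" "$line" ;;
        esac
    done
    case $flavor in
        linux)   printf 'base64 -d %s > %s && rm %s\n' "$tmp" "$dest" "$tmp" ;;
        windows) printf 'certutil -decode %s %s && del %s\r\n' "$tmp" "$dest" "$tmp" ;;
    esac
}

# replay_linux SRC DEST: stand in for a Linux target by feeding the generated
# lines to /bin/sh, then confirm the rebuilt file is byte-for-byte identical.
# Returns 0 only if the round trip was lossless.
replay_linux() {
    local src=$1 dest=$2
    gen_echo_script "$src" "$dest" linux | sh || return 1
    cmp -s "$src" "$dest"
}

# Usage (hypothetical paths): bash echo-xfer.sh ./nc.exe C:\Temp\nc.exe windows
if [ $# -ge 3 ]; then
    gen_echo_script "$1" "$2" "$3"
fi
```

Paste the generated output into the target's shell in order. Keep the chunk size well under cmd.exe's 8191-character line limit, and note that on the real target you still want an independent check (a hash of the original compared with the rebuilt file) because the replay function only proves the technique on the tester's own box.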