Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target.
Target Information
Network resources
Network shares
Routing tables
Audit and service settings
SNMP and FQDN
Machine Names
Users and Groups
Applications and banners
Techniques for Enumeration
Extract usernames using email IDs
Extract information using default passwords
Brute force active directory
Extract information using DNS Zone transfer
Extract user groups
Extract usernames from SNMP
Services and Ports to Enumerate
DNS Zone Transfer – TCP/UDP 53
MS RPC Endpoint Mapper – TCP/UDP 135
NetBIOS Name Service – UDP 137
NetBIOS Session Service – TCP 139
SMB over TCP – TCP 445
NFS – TCP 2049
LDAP – TCP/UDP 389
SNMP – UDP 161
SMTP – TCP 25
SNMP Trap – TCP/UDP 162
IKE (Internet Key Exchange) – UDP 500
SSH – TCP 22
SIP (Session Initiation Protocol) – TCP/UDP 5060
RPC port mapper service – TCP/UDP 111
FTP – TCP 21
Telnet – TCP 23
TFTP – UDP 69
Border Gateway Protocol – TCP 179
Printer – TCP 9100
NetBIOS Enumeration : UDP 137, UDP 138, TCP 139
Attackers use NetBIOS enumeration to obtain the following: – The list of computers that belong to a domain – The list of shares on the individual hosts in a network – Policies and passwords
nbtstat Utility
nbtstat -a <ip address> – nbtstat -c
Tools
NetBIOS Enumerator – NetBIOS names, usernames, domain names and MAC address
NMAP – nmap -sV -v --script nbstat.nse <target ip> – NetBIOS and MAC address
Others : Global Network Inventory, Advanced IP Scanner, Hyena, Nsauditor Network Security Auditor
Enumerating User Account
Enumerating user accounts using the PsTools suite helps to control and manage remote systems from the command line
Enumerating Shared Resources
Net View list of all the shared resources of a remote host or workgroup – net view \\<computername> – net view /domain:<domain name>
SNMP consists of a manager and an agent. Agents are embedded in every network device; the manager is installed on a separate computer
SNMP holds two passwords (community strings) used to access and configure the SNMP agent from the management station – Read community string: public – Read/Write community string: private
Attackers use these default community strings to extract info
Can extract info on network resources, hosts, routers, devices and shares, and network info such as ARP tables, routing tables and traffic
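The defensive counterpart of the point above is to make sure no agent still answers to the default community strings. The following is an added example, not part of the original notes: it parses an snmpd.conf-style configuration (the net-snmp directives rocommunity, rwcommunity and com2sec are assumed as the format) and flags default strings, read/write access and communities accepted from any source. The sample configuration text is constructed for the example.

```python
"""Audit an snmpd.conf-style configuration for default or weak community strings.

Added example (not from the original notes). The sample config text is
constructed here; the directive names follow the net-snmp snmpd.conf format
(rocommunity, rwcommunity, com2sec), which is an assumption about the target.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration with a mix of good and bad lines.
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity   Zq7!mTw9pL  192.168.10.0/24
com2sec readonly  default  public
com2sec mgmtsec   10.0.5.0/24  s3cr3t-Community
"""


def parse_communities(conf_text):
    """Return (directive, community, source) tuples for each community line."""
    results = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            # rocommunity <string> [source]; a missing source means "any host"
            source = parts[2] if len(parts) >= 3 else "default"
            results.append((parts[0], parts[1], source))
        elif parts[0] == "com2sec" and len(parts) >= 4:
            # com2sec <secname> <source> <community>
            results.append(("com2sec", parts[3], parts[2]))
    return results


def audit_communities(conf_text):
    """Flag default community strings, write access, and unrestricted sources."""
    findings = []
    for directive, community, source in parse_communities(conf_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{directive}: default community string '{community}'")
        if directive == "rwcommunity":
            findings.append(f"{directive}: read/write access granted to '{community}'")
        if source == "default":
            findings.append(f"{directive}: community '{community}' accepted from any source")
    return findings


if __name__ == "__main__":
    for finding in audit_communities(SAMPLE_SNMPD_CONF):
        print(finding)
```

Run against a real snmpd.conf the same function reports the lines that need a non-default string, a read-only binding, or a restricted source network.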
Communication process between manager and agent
Management Information Base (MIB) info that can be retrieved
DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
HOSTMIB.MIB: Monitors and manages host resources
LNMIB2.MIB: Contains object types for workstation and server services
MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
WINS.MIB: For the Windows Internet Name Service {WINS)
Manager X uses GetRequest to send a request for active session information
Agent Y receives the message and verifies whether the community string is present in its MIB, checks the request against its list of access permissions and verifies the source IP
If agent Y does not find the community string or the access permission in its MIB database, it sends an authentication failure trap to trap destination Z
In Y, the master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session info from the MIB
In Y, using the info retrieved from the extension agent, the SNMP service forms a return message that contains the requested info and the destination IP of SNMP manager X
Y sends the response to X
Tools
SnmpWalk – scan numerous SNMP nodes and identify a set of variables that are available for accessing the target network
NFS – Network File System – centralization of data
Attackers can gather info such as exported directories, the list of connected clients, their IP addresses and shared data.
showmount -e <Target IP>
Tools
RPCScan – communicates with RPC services and checks for misconfigurations of NFS shares – python3 rpc-scan.py <Target IP> --rpc
SuperEnum – script that does basic enumeration of any open port
SMTP and DNS Enumeration : TCP 25, TCP/UDP 53
SMTP has three built-in commands used for enumeration – VRFY – validates users – EXPN – shows the actual delivery addresses of aliases and mailing lists – RCPT TO – defines the recipients of a message
SMTP servers respond differently to the VRFY, EXPN and RCPT TO commands for valid and invalid users; based on these differences, valid users on the SMTP server can be determined
Attackers can interact directly with SMTP via a telnet prompt and collect a list of valid users on the SMTP server
Metasploit – contains an SMTP enumeration module that allows attackers to connect to the target SMTP server and enumerate usernames using a predefined wordlist
NetScanTools Pro – its email generator tool tests the process of sending an email via the SMTP server
smtp-user-enum – enumerates OS-level user accounts on Solaris via the SMTP service by inspecting responses to the VRFY, EXPN and RCPT TO commands
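Because the enumeration relies on one client issuing many VRFY, EXPN or RCPT TO commands and collecting mostly 5xx answers, the pattern is easy to spot in server logs. The following is an added example, not from the original notes: it parses a constructed log format ("client= cmd= arg= resp=") and flags clients that probe many distinct names with a high failure ratio. Real servers (Postfix, Exim, Exchange) log differently, so parse_line() is the part to adapt.

```python
"""Detect SMTP user-enumeration probing (VRFY/EXPN/RCPT TO bursts) in server logs.

Added example, not from the original notes. The log format is constructed for
this example; real MTAs log differently, so parse_line() would need adapting.
"""
import re
from collections import defaultdict

# Constructed sample log: a normal sender, then one client probing many names.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=198.51.100.7 cmd=RCPT arg=alice@example.com resp=250
2024-05-01T10:00:02 client=198.51.100.7 cmd=DATA arg=- resp=354
2024-05-01T10:01:00 client=203.0.113.5 cmd=VRFY arg=alice resp=252
2024-05-01T10:01:01 client=203.0.113.5 cmd=VRFY arg=bob resp=550
2024-05-01T10:01:01 client=203.0.113.5 cmd=VRFY arg=carol resp=550
2024-05-01T10:01:02 client=203.0.113.5 cmd=EXPN arg=staff resp=252
2024-05-01T10:01:02 client=203.0.113.5 cmd=RCPT arg=dave@example.com resp=550
2024-05-01T10:01:03 client=203.0.113.5 cmd=RCPT arg=erin@example.com resp=550
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>\S+) resp=(?P<resp>\d{3})"
)
# The three commands the notes above list as enumeration vectors.
PROBE_COMMANDS = {"VRFY", "EXPN", "RCPT"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def detect_enumeration(log_text, min_targets=4, min_failure_ratio=0.5):
    """Return {client: summary} for clients that probe many distinct names
    and mostly receive 5xx replies (valid-user guessing rather than real mail)."""
    per_client = defaultdict(lambda: {"targets": set(), "probes": 0, "failures": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["cmd"] not in PROBE_COMMANDS:
            continue
        stats = per_client[rec["client"]]
        stats["probes"] += 1
        stats["targets"].add(rec["arg"].lower())
        if rec["resp"].startswith("5"):
            stats["failures"] += 1
    flagged = {}
    for client, stats in per_client.items():
        ratio = stats["failures"] / stats["probes"]
        if len(stats["targets"]) >= min_targets and ratio >= min_failure_ratio:
            flagged[client] = {
                "distinct_targets": len(stats["targets"]),
                "probes": stats["probes"],
                "failure_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The thresholds are deliberately low for the sample; on a busy relay the failure ratio matters more than the raw count, since legitimate bulk senders also address many recipients but receive 250s.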
DNS If the target DNS server allows zone transfers, then attackers use this technique to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain
Tools
Linux DNS zone transfer using the dig command – dig ns <target domain>
Windows DNS zone transfer using nslookup – nslookup, set querytype=soa, <target domain>
DNSRecon – checks all NS records of the target domain for zone transfers.
DNS Cache Snooping – DNS cache snooping is a DNS enumeration technique whereby an attacker queries the DNS server for a specific cached DNS record
Non-recursive Method – Attackers send a non-recursive query by setting the recursion desired bit in the query: dig @<IP address of DNS> <Target domain> A +norecurse – NOERROR means accepted but not cached
Recursive Method – dig @<IP address of DNS> <Target domain> A +recurse – a high TTL value means that the record is not in the cache
DNSSEC Zone Walking – DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured
Tools
Tools perform zone enumeration on NSEC and NSEC3 record files
LDNS – enumerates the DNSSEC zone and obtains results on the DNS records
DNSRecon – enumerating DNS records such as A, AAAA, and CNAME.
IPsec provides data security by employing various components such as Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE) to secure communication between VPN endpoints
IPsec is the implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions.
nmap -sU -p 500 <target IP>
ike-scan – discovering IKE hosts, fingerprint, transform enumeration, user enumeration, pre-shared key cracking
SIP enumeration reveals VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses and user extensions
This information is used in VoIP attacks such as Denial-of-Service (DoS), session hijacking, caller ID spoofing, eavesdropping, Spamming over Internet Telephony (SPIT) and VoIP phishing (vishing)
svmap – identifies SIP and PBX servers on a target network.
Metasploit – SIP enumerator to scan numeric/extensions of VoIP phones
RPC Enumeration : Port Mapper Service TCP/UDP 111
RPC allow clients and servers to communicate in distributed client/server programs
Identify any vulnerable services on these service ports
nmap -A <Target IP or range, e.g. 10.10.1.0/24>
NetScanPro Tools – port 111
Unix/Linux User Enumeration
rusers – displays a list of users who are logged on to the remote machines or machines on LAN
rwho – displays a list of users who are logged on to the LAN
finger – displays info about system users – login name, real name, terminal name, idle time, login time..
Packet Fragmentation – splitting a packet into several smaller packets so the TCP header is split across fragments – nmap -sS -T4 -f -v <Target IP>
Source Routing – sending a packet to the destination with a specified route in order to evade a firewall/IDS
Source Port Manipulation – replacing the actual source port number with a common port number – nmap -g 80 <Target IP>
IP Address Decoy – generating or manually specifying the IP addresses of decoys so it appears that the decoys as well as the host are scanning the network – nmap -D RND:10 <Target IP>, nmap -D <decoy IPs> <Target IP>
IP Address Spoofing – changing the source IP address so traffic appears to come from someone else; when the victim replies, the reply goes back to the spoofed address – hping3 xxx.com -a <spoofed address>
MAC Address Spoofing – spoofing the MAC address with the MAC address of a legitimate user on the network – nmap -sT -Pn --spoof-mac 0 <Target IP>
Creating Custom Packets – create and send custom packets to scan a target behind an IDS/firewall – Colasoft Packet Builder, NetScanTools Pro
Randomizing Host Order – scan the hosts in the network in random order – nmap --randomize-hosts <Target IP>
Sending Bad Checksums – send packets with bad/bogus TCP/UDP checksums – nmap --badsum <Target IP>
Proxy Servers – hide the actual source of the scan. Proxy chaining – the user requests a resource from the destination – the proxy client connects to a proxy server and passes the request to it – the proxy server strips the user info and passes the request to the next proxy server – this repeats until finally the unencrypted request is passed to the web server. Proxy Tools – Proxy Switcher, CyberGhost VPN
Anonymizers – remove all identity from the user's computer, make activity untraceable, access restricted content, bypass IDS/firewall – Networked Anonymizers – transfer info through a network of computers before passing it to a website – Single-Point Anonymizers – transfer info through a website before passing it on to the target website. Anonymizer Tools – Whonix, Psiphon, TunnelBear, Invisible Internet Project, Orbot
Direct TTL Probes – send a packet to the host of the suspected spoofed packet that triggers a reply, and compare the TTL of the reply with that of the suspected packet; if it is different, the packet is spoofed – works if the attacker is in a different subnet
IP Identification Number – send a probe to the host of the suspected spoofed traffic that triggers a reply, and compare the IPID; if it is not close in value, the traffic is spoofed – works if the attacker is in the same subnet
TCP Flow Control Method – attackers sending spoofed TCP packets do not receive the target's SYN-ACK packets, so they cannot respond to a change to a smaller congestion window size; when received traffic continues after the window size is exhausted, the packets are most likely spoofed
Countermeasures
Encrypt all the network traffic
Use multiple firewalls
Do not rely on IP-based authentication
Use a random initial sequence number
Ingress Filtering – configure the router/firewall to filter incoming packets that appear to come from an internal IP address
Egress Filtering – filter all outgoing packets with an invalid local IP address as the source
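The three spoofing indicators above (TTL probe, IPID comparison, window exhaustion) and the two filtering rules are small enough to express as functions. The following is an added example, not from the original notes: the internal prefix 10.20.0.0/16, the packet records and the IPID threshold are constructed assumptions for the example, to be tuned per network.

```python
"""Anti-spoofing checks and ingress/egress filtering from the notes above.

Added example (not from the original notes). The internal prefix 10.20.0.0/16,
the packet records and the thresholds are constructed assumptions.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed local address range


def ttl_probe_check(suspect_ttl, probe_reply_ttl):
    """Direct TTL probe: a reply from the real host should carry the same TTL as
    the suspect packet. A different TTL means the suspect packet did not travel
    the same path, so it is likely spoofed (attacker in a different subnet)."""
    return suspect_ttl != probe_reply_ttl


def ipid_probe_check(suspect_ipid, probe_reply_ipid, max_gap=200):
    """IP identification check: a host with an incrementing IP-ID counter answers
    a probe with an ID close to the suspect packet's. A large gap means another
    host generated the suspect packet (same-subnet attacker). The 16-bit counter
    wraps, so distance is measured modulo 65536."""
    diff = abs(probe_reply_ipid - suspect_ipid) % 65536
    gap = min(diff, 65536 - diff)
    return gap > max_gap


def window_exhaustion_check(advertised_window, bytes_received_after_shrink):
    """TCP flow-control method: after the receiver shrinks its window, a genuine
    sender (which sees the ACKs) stops; a blind spoofer keeps sending. Data beyond
    the advertised window is therefore a spoofing indicator."""
    return bytes_received_after_shrink > advertised_window


def ingress_filter(src_ip):
    """Border rule for traffic entering from the Internet: drop packets that
    claim an internal source address."""
    return "drop" if ipaddress.ip_address(src_ip) in INTERNAL_NET else "allow"


def egress_filter(src_ip):
    """Border rule for traffic leaving the network: drop packets whose source
    is not a valid local address."""
    return "allow" if ipaddress.ip_address(src_ip) in INTERNAL_NET else "drop"


# Constructed records: each suspect packet plus what the probe reply showed.
SAMPLE_PACKETS = [
    {"src": "10.20.4.7", "ttl": 64, "ipid": 5100, "reply_ttl": 64, "reply_ipid": 5112},
    {"src": "10.20.4.9", "ttl": 51, "ipid": 9000, "reply_ttl": 64, "reply_ipid": 9004},
    {"src": "10.20.4.11", "ttl": 64, "ipid": 700, "reply_ttl": 64, "reply_ipid": 41000},
]


def audit_packets(records):
    """Return {src: [indicators]} listing which spoofing checks each packet trips."""
    verdicts = {}
    for r in records:
        indicators = []
        if ttl_probe_check(r["ttl"], r["reply_ttl"]):
            indicators.append("ttl-mismatch")
        if ipid_probe_check(r["ipid"], r["reply_ipid"]):
            indicators.append("ipid-gap")
        verdicts[r["src"]] = indicators
    return verdicts


if __name__ == "__main__":
    print(audit_packets(SAMPLE_PACKETS))
    print(ingress_filter("10.20.3.4"), egress_filter("203.0.113.1"))
```

Note that the two probe checks complement each other exactly as the notes say: a same-subnet spoofer shares the path (so the TTL matches) but not the IP-ID counter, while a remote spoofer fails the TTL test.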
The first step involves the use of various techniques by attackers to gain access to the target system. These techniques include cracking passwords, exploiting buffer overflows, and exploiting identified vulnerabilities.
Gain Access
Microsoft Authentication
Security Accounts Manager Database (SAM) – AD database – Passwords are hashed and stored in SAM
NTLM Authentication – NTLM and LM authentication protocols – the protocols store the password in the SAM database using different hash methods
Kerberos Authentication – Microsoft upgraded the default authentication protocol to Kerberos
Password Cracking
Process of recovering passwords from data in transit or stored.
Non-Electronic Attacks
Attacker does not need technical knowledge – Shoulder Surfing — looking at screens or keyboard
– Social Engineering — convincing people to reveal password
Active Online Attacks – directly communicating with the victim machine – Dictionary, Brute force and rule-based attacks — a dictionary file is loaded and run against user accounts — brute force tries every combination of characters — a rule-based attack uses some information already known about the password
– Mask attack — recovers passwords from hashes – hashcat
– Hash injection / Pass-the-hash attack — compromise a server (domain controller) using a local/remote exploit — extract the logged-on domain admin account hash — inject the compromised hash into a local session (victim)
– LLMNR/NBT-NS poisoning — Windows OS protocols for name resolution — the attacker cracks the hash obtained from the victim's authentication process — the extracted credentials are used to log on to a host system in the network
– Trojan/spyware/keyloggers — run in the background and collect usernames and passwords
– Password Guessing — find a valid user — create a list of possible passwords — rank passwords from high to low probability — key in each password until the correct password is discovered
– Default password — password supplied by the manufacturer
– Password Spraying — targets multiple user accounts and cracks passwords using a small set of commonly used passwords.
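Password guessing and password spraying leave opposite traces in authentication logs: guessing piles failures onto one account, spraying spreads a few failures over many accounts to stay under lockout thresholds. The following is an added example, not from the original notes, showing both detections plus a sliding-window lockout rule; the log lines ("timestamp user source result") are constructed and the thresholds are assumptions to tune per site.

```python
"""Detect password guessing and spraying in authentication logs; apply a lockout rule.

Added example, not from the original notes. The log lines are constructed
('timestamp user source result'); thresholds are assumptions to tune per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: a normal user, a spraying source hitting six accounts once
# each, and a guessing source hammering the admin account.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:00 alice 10.20.1.5 FAIL
2024-05-01T09:00:05 alice 10.20.1.5 OK
2024-05-01T09:10:00 alice 203.0.113.9 FAIL
2024-05-01T09:10:01 bob 203.0.113.9 FAIL
2024-05-01T09:10:02 carol 203.0.113.9 FAIL
2024-05-01T09:10:03 dave 203.0.113.9 FAIL
2024-05-01T09:10:04 erin 203.0.113.9 FAIL
2024-05-01T09:10:05 frank 203.0.113.9 OK
2024-05-01T09:20:00 admin 198.51.100.4 FAIL
2024-05-01T09:20:03 admin 198.51.100.4 FAIL
2024-05-01T09:20:06 admin 198.51.100.4 FAIL
2024-05-01T09:20:09 admin 198.51.100.4 FAIL
2024-05-01T09:20:12 admin 198.51.100.4 FAIL
2024-05-01T09:20:15 admin 198.51.100.4 OK
"""


def parse_auth_log(text):
    """Turn each line into {'ts', 'user', 'src', 'ok'}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "OK"})
    return events


def detect_spraying(events, min_users=5, max_per_user=2):
    """Spraying: one source tries a few passwords against MANY accounts, so the
    per-user failure count stays low while the number of distinct users is high."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for e in events:
        if not e["ok"]:
            failures[e["src"]][e["user"]] += 1
    flagged = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged[src] = sorted(per_user)
    return flagged


def lockout_candidates(events, max_failures=5, window=timedelta(minutes=10)):
    """Guessing against one account: lock it once max_failures failed attempts
    fall inside the sliding window. Returns {user: time of lockout}."""
    recent = defaultdict(deque)
    locked = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ok"] or e["user"] in locked:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # expire attempts outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked[e["user"]] = e["ts"]
    return locked


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("accounts to lock:", lockout_candidates(evs))
```

The spraying source never triggers the per-account lockout (one failure per user), which is why the source-centric view is needed alongside the account-centric lockout rule listed under the defences later in these notes.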
Internal Monologue Attack – attackers use SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user
Cracking Kerberos Passwords
AS-REP Roasting (Cracking TGT) — request a TGT from the KDC in the form of an AS-REQ packet
Kerberoasting (Cracking TGS) — request a TGS for the SPN of the target service account
Pass the Ticket Attack – Mimikatz, Rubeus, Windows Credentials Editor — authenticating a user to a system without using Kerberos with a password — dumps Kerberos tickets of legitimate accounts using credential dumping tools — attack by stealing the ST/TGT from an end user or a compromised authorization server — Mimikatz allows the attacker to pass the Kerberos TGT to other computers and sign in using the victim's ticket — extracts plain-text passwords, hashes, PIN codes and Kerberos tickets from memory
Other Active Online Attacks
– Combinator Attack – combine the entries of one dictionary with those of a second dictionary to generate a new wordlist
– Fingerprint Attack – break down the passphrase into fingerprints comprising single- and multi-character combinations
– PRINCE attack (PRobability INfinite Chained Elements) – an advanced version of the combinator attack; uses a single input dictionary to build chains of combined words instead of taking input from two dictionaries
– Toggle-Case attack – tries combinations of upper- and lower-case versions of a word present in the input dictionary
– Markov Chain attack – split each password entry into 2-3 character long syllables; using these character elements, a new alphabet is developed, which is then matched against the existing password database
– GPU-based attack – exploits the OpenGL API on GPUs to set up a spy on the victim device that infers user activities and passwords entered in a browser
Passive Online Attacks
Wire Sniffing – Runs packet sniffing tools on LANs to access and record network data – captured data may include sensitive information such as password and emails – sniffed credentials are used to gain unauthorized access
Man-in-the-middle – acquires access to the communication channels between the victim and the server – can be broken by invalidating the traffic
Replay attack – packets and authentication tokens are captured by the sniffer; after information is extracted, the tokens are placed back on the network to gain access.
Offline Attacks
Rainbow table attack – rtgen – precomputed table that contains wordlist like dictionary files, brute force lists and their hash values
Distributed Network Attack (DNA) – used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
pwdump7 – extracts LM and NTLM password hashes of local user accounts from the SAM database – other tools: mimikatz, PowerShell Empire, ntdsxtract
Password cracking tools
Password cracking using Domain Password Audit Tool (DPAT) – a Python script that generates password-use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.pot – generates an HTML report that can be used to analyze usernames, passwords and other statistics
L0phtCrack – password auditing and recovery application
ophcrack – Windows password cracker based on rainbow tables
RainbowCrack – cracks hashes with rainbow tables, using a time-memory trade-off algorithm – other tools: John the Ripper, hashcat, THC-Hydra, Medusa, Secure Shell Bruteforcer
Password Salting
Technique where a random string of characters is added to the password before calculating its hash – makes it more difficult to reverse hashes and defeats pre-computed hash attacks
Defence against Password Cracking
information security audit to monitor and track password attacks
disallow use of same password during password change
disallow password sharing
disallow use of passwords that can be found in a dictionary
do not use clear text and protocols with weak encryption
password change policy 30 days
do not store passwords in an unsecured location
do not use default passwords
make passwords hard to guess: 8-12 alphanumeric characters with upper and lower case letters, numbers and symbols
ensure applications neither store passwords in memory nor write them to disk in clear text
add a random string (salt) as a prefix or suffix before encryption
enable SYSKEY with a strong password to encrypt and protect the SAM database
monitor server logs for brute force
lockout account subjected to too many incorrect guesses
disallow use of passwords such as DOB, spouse, pet names
Defense against LLMNR/NBT-NS Poisoning
Disabling LLMNR – turn off multicast name resolution
Disabling NBT-NS – disable NetBIOS over TCP/IP
Tools to Detect LLMNR/NBT-NS Poisoning
Vindicate – LLMNR/NBNS/mDNS spoofing detection toolkit to detect name service spoofing
Respounder – helps security professionals detect rogue hosts running on public Wi-Fi networks
got-responded – checks for LLMNR/NBT-NS spoofing
Vulnerability Exploitation
identify the vulnerability
determine the risk associated with the vulnerability
determine the capability of the vulnerability
develop the exploit
select the method for delivering – local or remote
generate and deliver the payload
gain remote access
Exploit sites
exploit-db.com vuldb.com vulners.com MITRE CVE
Buffer Overflow
A buffer is an area of adjacent memory locations allocated to a program or application to hold its runtime data. – A buffer overflow allows the application to exceed the buffer while writing data to it and overwrite neighboring memory locations – Attackers exploit this vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc.
Types of Buffer Overflow: Stack-Based Buffer Overflow
The stack stores variables in last-in, first-out order. When a function is called, the memory required for storing its variables is declared on the stack, and when the function returns, the memory is automatically deallocated. Two operations are used: PUSH, which stores data onto the stack, and POP, which removes data from the stack.
If an application or program is vulnerable to buffer overflow attack, then attackers take control of the EIP register to replace the return address of the function with malicious code that allows them to gain shell access to the target system.
Types of Buffer Overflow: Heap-Based Buffer Overflow
A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically.
Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program’s execution.
Windows Buffer Overflow Exploitation
Steps involved in exploiting a Windows-based buffer overflow vulnerability:
1. Perform spiking
2. Perform fuzzing
3. Identify the offset
4. Overwrite the EIP register
5. Identify bad characters
6. Identify the right module
7. Generate shellcode
8. Gain root access
Spiking – send crafted TCP or UDP packets to the vulnerable server in order to make it crash – help attacker identify the buffer overflow vulnerabilities in the target applications
Fuzzing – send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register – helps identify number of bytes required to crash the target server – this information helps in determining location of EIP register, which further helps in injecting the malicious shellcode
Identifying the offset – attackers use the Metasploit Framework pattern_create and pattern_offset Ruby tools to identify the offset, i.e. the exact location at which the EIP register is overwritten
Overwrite the EIP register – overwriting the EIP register allows attackers to verify whether the EIP register can be controlled and overwritten with malicious shellcode
Identify bad characters – before injecting the shellcode, attackers identify bad characters that may cause issues in the shellcode – use Immunity Debugger to look for them; the null byte \x00 is a bad character
Identify the right module – identify the right module of the vulnerable server that lacks memory protection – use script mona.py to identify these modules
Generate shellcode and gain shell access – msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target
Return-Oriented Programming (ROP) Attack
Return-oriented programming is an exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection
It hijacks the target program's control flow by gaining access to the call stack and executes arbitrary machine instructions by reusing available library code known as gadgets
Gadgets are collections of instructions that end with the x86 RET instruction
The attacker selects a chain of existing gadgets to create a new program and executes it with malicious intent
ROP attacks are very effective as they utilize available and legitimate code libraries and are not identified by security protections such as code signing and executable space protection
Exploit Chaining
– Vulnerability chaining – combines various exploits or vulnerabilities to infiltrate and compromise the target from its root level – during exploit chaining, an attacker first initiates the reconnaissance operation and then starts enumerating various digital footprints and underlying vulnerabilities one after another within the software or hardware
Active Directory Enumeration
Attackers perform Active Directory (AD) enumeration to extract sensitive information such as users, groups, domains, and other resources from the target AD environment.
Before performing enumeration using PowerView, attackers disable the security monitoring option using the following command: Set-MpPreference -DisableRealtimeMonitoring $true
Domain Mapping and Exploitation with Bloodhound – attackers attempt to identify a complex attack path in the target organization's AD environment using tools such as Bloodhound and Docusnap
– Bloodhound uses graph theory to reveal the hidden and often unintended relationships within an AD environment
Identifying Insecurities Using GhostPack Seatbelt GhostPack Seatbelt is used to perform various security checks and collect information from a host system in both defensive and offensive ways
– Attackers use Seatbelt to collect host information including PowerShell security settings, Kerberos tickets, and items present in the Recycle Bin
Buffer Overflow Detection Tools
OllyDbg – dynamically traces stack frames and program execution, and logs the arguments of known functions
Other tools: Veracode, Flawfinder, Kiuwan, Splint, BOVSTT
Defense against Buffer Overflows
Develop programs by following secure coding practices
always protect the return pointer of the stack
use address space layout randomization (ASLR) technique
never allow the execution of code outside the code space
minimize code that requires root privileges
regularly patch application and OS
perform code review at the source level using static/dynamic code analyzers
perform code inspection
allow the compiler to add bounds checks to all buffers
employ data execution prevention to mark the memory regions as non-executable
implement automatic bounds checking
implement code pointer integrity checking to detect whether a code pointer has been corrupted
Escalating Privileges
Horizontal privilege escalation – an unauthorized user tries to access a resource that belongs to an authorized user who has similar access permissions. Example: online banking user A accessing user B's bank account
Vertical privilege escalation – gain access to resources of a user with higher privileges, such as an administrator
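The banking example above is the classic missing object-level authorization check. The following is an added example, not from the original notes: a deliberately vulnerable account lookup that only relies on authentication, beside a version that checks ownership (horizontal) and a role-gated action (vertical). The account store, role table and user names are constructed.

```python
"""Horizontal vs vertical privilege escalation in an application.

Added example (not from the original notes). The account store, roles and user
names are constructed; the vulnerable function is kept to show the missing check.
"""


class AuthorizationError(Exception):
    pass


# Constructed data: two customers and one administrator.
ACCOUNTS = {
    101: {"owner": "userA", "balance": 1500},
    102: {"owner": "userB", "balance": 4200},
}
ROLES = {"userA": "customer", "userB": "customer", "admin1": "administrator"}


def get_account_vulnerable(requesting_user, account_id):
    """Assumes the caller was authenticated upstream but never checks ownership:
    user A can read user B's account just by changing the id (horizontal escalation)."""
    return ACCOUNTS[account_id]


def get_account_secure(requesting_user, account_id):
    """Object-level authorization: the caller must own the account or hold the
    administrator role. Deny by default when the account does not exist."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(f"no account {account_id}")
    if account["owner"] != requesting_user and ROLES.get(requesting_user) != "administrator":
        raise AuthorizationError(f"{requesting_user} may not access account {account_id}")
    return account


def set_balance_secure(requesting_user, account_id, new_balance):
    """Function-level authorization: adjusting balances is an administrator
    action; a customer reaching it is a vertical escalation attempt."""
    if ROLES.get(requesting_user) != "administrator":
        raise AuthorizationError(f"{requesting_user} lacks the administrator role")
    ACCOUNTS[account_id]["balance"] = new_balance
    return ACCOUNTS[account_id]["balance"]


def is_denied(action, *args):
    """Helper: True if the action raises AuthorizationError for these arguments."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


def can_access(requesting_user, account_id):
    """True/False wrapper around get_account_secure."""
    return not is_denied(get_account_secure, requesting_user, account_id)


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("userA", 102))
    print("secure, A->B:", "denied" if not can_access("userA", 102) else "allowed")
    print("secure, admin->B:", "allowed" if can_access("admin1", 102) else "denied")
```

The ownership check belongs in the data-access function itself, not only in the UI that builds the links, because the attacker in the example never uses the UI.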
Privilege Escalation Using DLL Hijacking
Most Windows applications do not use a fully qualified path when loading an external DLL library; instead they search the directory from which they have been loaded. – An attacker can place a malicious DLL in the application directory, and it will be executed in place of the real DLL – attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking
Privilege Escalation by Exploiting Vulnerabilities
– Attackers exploit software vulnerabilities by taking advantage of programming flaws in services, OS software or the kernel to execute malicious code. – exploits are used to gain higher privileges than those existing or to bypass security mechanisms – exploits based on the OS and software applications can be searched for on ExploitDB and VulDB
Privilege Escalation Using Dylib Hijacking
In macOS, when an application loads an external dylib, the loader searches for the dylib in multiple directories – attackers can inject a malicious dylib into one of the primary directories, and it will be executed in place of the original dylib. – Dylib Hijack Scanner helps attackers detect dylibs that are vulnerable to hijacking attacks
Defense: Dependency Walker – detects many common application problems such as missing modules, import/export mismatches and circular dependency errors
Dylib hijack scanners- scan for applications that are susceptible to dylib hijacking or have been hijacked.
Privilege Escalation Using Spectre and Meltdown Vulnerabilities
Spectre and Meltdown are vulnerabilities found in the design of modern processor chips from AMD, ARM and Intel. – Performance and CPU optimizations in processors such as branch prediction, out-of-order execution and caching lead to these vulnerabilities – attackers can gain unauthorized access and steal critical system information such as credentials and secret keys stored in the application's memory to escalate privileges
Spectre – read adjacent memory locations of a process to access information – read the kernel memory or perform web based attack using javascript
Meltdown – escalate privileges by forcing an unprivileged process to read other adjacent memory location such as kernel memory and physical memory – leads to revealing critical system information such as credential, private keys
Defense:
Regularly patch and update OS and firmware
Enable continuous monitoring of critical applications and services running on the systems and network
Regularly patch vulnerable software such as browsers
Install and update ad-blockers and anti-malware to block injection of malware through websites
Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access
block services and application that allow unprivileged users to execute code
never install unauthorized software or access untrusted websites from systems storing sensitive information
Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory
Frequently check with the manufacturer for BIOS updates
Tools for defense: InSpectre – examines and discloses any Windows system's hardware and software vulnerability to Meltdown and Spectre attacks
Spectre and Meltdown Checker – shell script that tells whether the system is vulnerable to Meltdown and Spectre
Privilege Escalation Using Named Pipe Impersonation
In Windows OS, named pipes provide legitimate communication between running processes. – often used for gaining higher access privileges – Metasploit can perform named pipe impersonation – getsystem is used to gain administrative-level privileges and extract password hashes of the admin accounts.
Privilege Escalation by Exploiting Misconfigured Services
Unquoted Service Paths – in Windows OS, when starting up a service, the system attempts to find the location of the executable file to launch the service. – The executable path is expected to be enclosed in quotation marks – attackers can exploit services with unquoted paths running under SYSTEM privileges to elevate their privileges
Service Object Permissions – misconfigured service permission may allow attacker to modify or reconfigure the attributes associated with the service – attackers can even add new users to the local administrator group and then hijack the new account to elevate their privileges
Unattended Installs – configuration settings used during the installation process are stored in Unattend.xml file – stored in application directories or system32 or system32\sysprep – attackers can use Unattend.xml to escalate privilege
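For the unquoted service path case above, the following is an added example, not from the original notes: an audit over service records (constructed here; in a real audit they would come from the registry ImagePath values or from sc/WMI output) that flags unquoted paths containing spaces, rates them by the account the service runs as, and lists the intermediate files Windows would try first according to the documented CreateProcess search order. Those are the locations a defender checks for unprivileged write access.

```python
"""Audit Windows service ImagePath values for the unquoted-path misconfiguration.

Added example, not from the original notes. The service records are constructed;
the search-order rule is the documented CreateProcess behaviour for unquoted
paths with spaces (each space-delimited prefix with .exe appended, then the full path).
"""
import re

SAMPLE_SERVICES = [
    {"name": "GoodSvc", "image_path": r'"C:\Program Files\Good Vendor\svc.exe" -run',
     "account": "LocalSystem"},
    {"name": "BadSvc", "image_path": r"C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe -k",
     "account": "LocalSystem"},
    {"name": "NoSpaceSvc", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "account": "LocalSystem"},
    {"name": "UserSvc", "image_path": r"C:\Program Files\Some App\app.exe",
     "account": r"NT AUTHORITY\LocalService"},
]

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)
HIGH_PRIV_ACCOUNTS = {"localsystem", "nt authority\\system"}


def executable_part(image_path):
    """The part of an unquoted ImagePath up to and including the .exe name."""
    p = image_path.strip()
    m = EXE_RE.match(p)
    return m.group(1) if m else p.split(" ")[0]


def is_unquoted_with_spaces(image_path):
    """True when the service manager has to guess where the executable name ends."""
    p = image_path.strip()
    if p.startswith('"'):
        return False  # quoted: the exact file is unambiguous
    return " " in executable_part(p)


def search_candidates(image_path):
    """Files Windows tries, in order, for an unquoted path with spaces."""
    exe = executable_part(image_path)
    tokens = exe.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    candidates.append(exe)
    return candidates


def audit_services(services):
    """Return one finding per misconfigured service, with the paths to review."""
    findings = []
    for svc in services:
        if not is_unquoted_with_spaces(svc["image_path"]):
            continue
        severity = "high" if svc["account"].lower() in HIGH_PRIV_ACCOUNTS else "medium"
        findings.append({
            "name": svc["name"],
            "severity": severity,
            "account": svc["account"],
            # All but the last candidate are the ambiguous locations to lock down.
            "paths_to_review": search_candidates(svc["image_path"])[:-1],
        })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f)
```

The fix is the one the notes imply: quote the ImagePath, and make sure the directories along the path are not writable by standard users.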
Pivoting and Relaying to Hack External Machines
– Bypass the firewall to pivot via the compromised system to access other vulnerable systems in the network
Pivoting
1. Discover live hosts in the network
2. Set up routing rules
3. Scan ports of live systems
4. Exploit vulnerable services
Relaying
1. Set up port forwarding rules
2. Access the system resources
Privilege Escalation Using Misconfigured NFS
– A misconfigured NFS paves the way for attackers to gain root-level access through a regular user account – NFS uses port 2049 to provide communication between a client and server through Remote Procedure Call (RPC). – attackers can sniff sensitive data and files passing through the intranet and launch further attacks – use showmount -e to check whether any share is available for mounting
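Both this section and the earlier NFS enumeration section (showmount -e, exported directories and client lists) come down to what /etc/exports says. The following is an added example, not from the original notes: a parser for the exports file that reproduces the path/client view showmount -e would present and flags the settings that turn a regular client account into root on the share. The file content is constructed; the option names (rw, ro, root_squash, no_root_squash) are the standard Linux nfs-utils ones.

```python
"""Audit /etc/exports for exports that are world-accessible or skip root squashing.

Added example serving the NFS enumeration section and the misconfigured-NFS
section; not from the original notes. The exports content is constructed and the
option names are the standard Linux nfs-utils ones.
"""
import re

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/backup   *(rw,no_root_squash,sync)
/srv/public   10.20.0.0/16(ro,root_squash,sync)
/home         10.20.5.0/24(rw,sync) 10.20.6.0/24(rw,no_root_squash)
/srv/data     10.20.7.12(rw)
"""

# client spec looks like "host(opt,opt)" or just "host"
SPEC_RE = re.compile(r"^([^(]+?)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, options) for every client spec in the file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1)
            options = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, client, options))
    return entries


def showmount_view(text):
    """The path -> allowed clients listing that 'showmount -e' exposes remotely."""
    view = {}
    for path, client, _ in parse_exports(text):
        view.setdefault(path, []).append(client)
    return view


def audit_exports(text):
    """Flag exports open to any host, world-writable exports, and no_root_squash."""
    findings = []
    for path, client, options in parse_exports(text):
        world = client == "*"
        if world:
            findings.append(f"{path}: exported to every host")
        if "no_root_squash" in options:
            findings.append(f"{path} -> {client}: no_root_squash lets a client's root act as root on the share")
        if world and "rw" in options:
            findings.append(f"{path}: world-writable export")
    return findings


if __name__ == "__main__":
    print(showmount_view(SAMPLE_EXPORTS))
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

root_squash is the default when neither squash option is given, which is why /srv/data produces no finding even though it is read/write: the listed client network is what needs reviewing, not the option set.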
Privilege Escalation Using Windows Sticky Keys
– In Windows OS, Sticky Keys is a feature triggered by a combination of keys – after gaining access to the remote system, attackers escalate privileges by simply altering the file associated with the Sticky Keys feature and pressing the Shift key five times in rapid succession once the system has been booted. – replacing the file sethc.exe with cmd.exe
Privilege Escalation by Bypassing User Account Control (UAC)
– When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC to gain system-level access – whatever option the UAC protection level is set to, attackers can abuse a few Windows applications to escalate privileges without triggering a UAC notification.
Techniques to Bypass UAC Using Metasploit
– Bypassing UAC protection – process injection: msf > use exploit/windows/local/bypassuac – generates another session or shell without a UAC flag. After gaining shell access, attackers execute the getsystem and getuid commands to retrieve the privileges of SYSTEM authority.
– Bypassing UAC protection via Memory Injection msf> use exploit/windows/local/bypassuac_injection Employs reflective DLL mechanisms to inject only DLL payload binaries. Using this command, attackers can obtain AUTHORITY\SYSTEM privileges.
– Bypassing UAC protection through the FodHelper registry key: msf > use exploit/windows/local/bypassuac_fodhelper – hijacks a special key from the HKCU registry hive to bypass UAC and attaches it to fodhelper.exe. The custom commands are invoked when the fodhelper.exe file is executed.
– Bypassing UAC protection through Eventvwr Registry key msf> use exploit/windows/local/bypassuac_eventvwr Hijacks a special key from the HKCU registry, and custom commands can be executed with the launch of Event Viewer. it will be wiped once the malicious commands or payloads are invoked.
– Bypassing UAC protection through COM handler Hijack msf> use exploit/windows/local/bypassuac_comhijack allows attackers to build COM handler registry entries within the current user hive to bypass UAC protection. These registry entries can be referenced to the execution of some high-level processes, which results in the loading of attacker-controlled DLLs. These DLLs can be injected with a malicious payload that allows attackers to establish elevated sessions.
Privilege Escalation by Abusing Boot or Logon Initialization Scripts
– Attackers take advantage of boot or logon initialization scripts to escalate privileges or maintain persistence on a target system – because such scripts run with the privileges of the account or service that processes them, they also let attackers perform administrative tasks and launch other programs on the system
Logon Script (Windows)
Attackers gain persistence and escalate privileges by placing the path to their script in the following registry value, which is executed at every logon: HKCU\Environment\UserInitMprLogonScript
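The UAC bypass keys from the Metasploit section and the logon-script value above are all written into HKCU, so a single hive audit covers both. The following is an added example, not from the original notes or from Metasploit: audit_hive takes a snapshot of HKCU as a dict of {key path: {value name: data}} (built from a .reg export or with winreg on a live host) and reports the fodhelper ms-settings key, the eventvwr mscfile key and UserInitMprLogonScript. SAMPLE_HIVE is constructed for the demo.

```python
"""Audit an HKCU snapshot for registry hijacks used to bypass UAC and to
persist via logon scripts.

Keys checked:
  HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command   (fodhelper.exe)
  HKCU\\Software\\Classes\\mscfile\\shell\\open\\command        (eventvwr.exe)
  HKCU\\Environment -> UserInitMprLogonScript                  (logon script)
A clean user hive does not define the first two keys at all, and an empty
DelegateExecute value next to the fodhelper command forces the shell to run
the (Default) command, so its presence is reported separately.
"""

SUSPECT_KEYS = {
    r"HKCU\Software\Classes\ms-settings\Shell\Open\command": "fodhelper UAC bypass",
    r"HKCU\Software\Classes\mscfile\shell\open\command": "eventvwr UAC bypass",
}
LOGON_KEY = r"HKCU\Environment"
LOGON_VALUE = "UserInitMprLogonScript"

# Constructed snapshot: a clean HKCU would contain only TEMP and the .txt class.
SAMPLE_HIVE = {
    r"HKCU\Environment": {
        "TEMP": r"%USERPROFILE%\AppData\Local\Temp",
        "UserInitMprLogonScript": r"C:\Users\Public\update.bat",
    },
    r"HKCU\Software\Classes\.txt": {"": "txtfile"},
    r"HKCU\Software\Classes\ms-settings\Shell\Open\command": {
        "": r"cmd.exe /c C:\Users\Public\payload.exe",
        "DelegateExecute": "",
    },
}


def _norm(path):
    """Registry paths are case-insensitive; normalise for lookup."""
    return path.strip("\\").lower()


def audit_hive(hive):
    """Return a list of (key, value_name, data, reason) findings."""
    findings = []
    index = {_norm(k): (k, v) for k, v in hive.items()}

    for key, reason in SUSPECT_KEYS.items():
        hit = index.get(_norm(key))
        if hit is None:
            continue
        orig_key, values = hit
        lower = {n.lower(): (n, d) for n, d in values.items()}
        cmd = lower.get("", ("(Default)", ""))[1]
        findings.append((orig_key, "(Default)", cmd, reason))
        if "delegateexecute" in lower:
            findings.append((orig_key, "DelegateExecute", lower["delegateexecute"][1],
                             reason + " (empty DelegateExecute forces the command to run)"))

    env = index.get(_norm(LOGON_KEY))
    if env is not None:
        orig_key, values = env
        for name, data in values.items():
            if name.lower() == LOGON_VALUE.lower():
                findings.append((orig_key, name, data,
                                 "UserInitMprLogonScript logon-script persistence"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_hive(SAMPLE_HIVE):
        print(f"{reason}: {key} [{name}] = {data!r}")
```

Run it on a live host by walking the three keys with winreg; any hit is worth treating as an incident, since neither of the protocol-handler keys is created by normal software.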
Logon Script (Mac)
Known as login hooks; they execute automatically at login and can be used to run a malicious payload
Network Logon Scripts
Assigned through Active Directory or Group Policy; depending on how access to the script is configured, modifying it requires either local or administrator credentials, after which the script runs on every host that processes it
RC Scripts
Embedding a malicious binary, shell command or path in RC scripts such as rc.common or rc.local on UNIX-based systems
Startup Items
Placing malicious files or folders in the /Library/StartupItems directory to maintain persistence; StartupItems are executed at boot with root-level privileges
Privilege Escalation by Modifying Domain Policy
Domain policy comprises the configuration settings that apply across the domains of a forest – attackers modify domain settings by changing group policy and the trust relationships between domains – they can also implant a rogue domain controller to maintain a foothold and escalate privileges
Group Policy Modification – modify a GPO's ScheduledTasks.xml to create a malicious scheduled task, for example with the PowerView cmdlet New-GPOImmediateTask; the file lives at <GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
Domain Trust Modification – use nltest /domain_trusts to enumerate trusted domains; with sufficient privileges the attacker then modifies the settings of existing domain trusts: C:\windows\system32>nltest /domain_trusts
Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack – Mimikatz
In a DCSync attack, the attacker first compromises an account that holds domain replication rights (Replicating Directory Changes and Replicating Directory Changes All, which domain admins and the DC computer accounts have by default), then uses the replication protocol to impersonate a domain controller requesting replication from a real one.
This lets the attacker ask the DC for the NTLM password hashes of any account, including administrators and krbtgt, and go on to further attacks such as golden ticket, account manipulation and living-off-the-land attacks.
Mimikatz includes a dcsync command (lsadump::dcsync) that uses MS-DRSR, the Directory Replication Service Remote Protocol, to mimic the behaviour of a legitimate DC.
Defense: examine the permissions assigned to users and administrators and keep track of accounts that hold domain replication rights – conduct security awareness training covering system configuration, patch management, and threat detection and response – deploy network monitoring and alert on replication traffic (MS-DRSR) from any source that is not a known domain controller, i.e. maintain an explicit list of DC IPs allowed to replicate
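The host-side counterpart of the replication-list defence above, as an added example that is not part of the original notes: a DCSync request is logged by the DC as Security event 4662 with the replication control-access rights in the Properties field, and the rule below alerts whenever those rights are requested by a subject that is not a known DC computer account. The events in SAMPLE_EVENTS are constructed in the parsed key/value form a SIEM would deliver.

```python
"""Flag DCSync activity in Windows Security event 4662 records.

Real domain controllers replicate constantly, so the rule is "replication
rights requested by anything that is not a DC computer account".
"""
import re

# Control-access right GUIDs that DCSync needs (schema extended rights).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Known DC computer accounts (constructed for the demo).
DC_ACCOUNTS = ["CORP\\DC01$", "CORP\\DC02$"]

# Constructed events: DC01$ replicating normally, a user account pulling
# Get-Changes-All (the DCSync signature), a service account with the weaker
# right only, an unrelated 4662, and a logon event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC01$",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "ObjectType": "computer",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},
]


def detect_dcsync(events, dc_accounts):
    """Return one alert dict per 4662 event that requests replication rights
    from a subject outside dc_accounts (DOMAIN\\name$ strings)."""
    dcs = {a.lower() for a in dc_accounts}
    alerts = []
    for ev in events:
        if str(ev.get("EventID")) != "4662":
            continue
        rights = [REPL_RIGHTS[g.lower()]
                  for g in _GUID.findall(ev.get("Properties", ""))
                  if g.lower() in REPL_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", "")
        if subject.lower() in dcs:
            continue
        # Get-Changes-All is what actually returns password hashes
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append({"subject": subject, "rights": rights, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{a['severity']}] DCSync by {a['subject']}: {', '.join(a['rights'])}")
```

Event 4662 is only generated when auditing of directory service access is enabled and a SACL on the domain object covers the replication rights, so the rule needs that audit policy in place to fire.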
Other Privilege Escalation Techniques
Access token Manipulation
Windows uses access tokens to determine the security context of a process. Attackers obtain the access tokens of other users (by impersonating or duplicating them from running processes) or generate spoofed tokens to escalate privileges and perform malicious activities while avoiding detection
Parent PID Spoofing
The parent process ID (PPID) of a new process can be set explicitly (via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute of CreateProcess), so a malicious process can be made to appear as a child of a SYSTEM-owned process such as svchost.exe or consent.exe; given sufficient rights on that parent, the new process also inherits its elevated access token. Defense: verify the PPID field in process-creation telemetry to detect irregularities – identify the real parent process from the process ID in the ETW event header – analyse Windows API calls such as CreateProcess for spoofed parent PIDs – monitor system API calls that explicitly assign PPIDs to new processes
Application Shimming
The Windows Application Compatibility Framework (Shim) provides compatibility between older applications and newer versions of Windows. Shims such as RedirectEXE, InjectDLL and GetProcAddress can be abused to escalate privileges, install backdoors and disable Windows Defender.
Filesystem Permission Weakness
If the filesystem permissions on a binary (or on the directory that contains it) are not set properly, an attacker can replace the target binary with a malicious file, which then runs with the privileges of the service or user that executes it.
Path Interception
Applications carry weaknesses and misconfigurations such as unquoted service paths, PATH environment-variable misconfiguration and search-order hijacking, all of which lead to path interception: the attacker places a file where the loader looks first.
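The unquoted-path case made concrete, as an added example that is not part of the original notes. Windows resolves an unquoted ImagePath containing spaces by trying each space-delimited prefix as the executable, so for C:\Program Files\Acme Agent\bin\agent.exe it tries C:\Program.exe, then C:\Program Files\Acme.exe, before the real binary; whichever of those directories an attacker can write to is the interception point, and the dropped file runs as the service account at the next start. hijack_candidates lists those prefixes from a raw ImagePath string (as read from HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath or sc qc); the service names and paths in SAMPLE_SERVICES are constructed.

```python
"""List the hijack candidates created by an unquoted Windows service path."""
import re

# Constructed service table: name -> raw ImagePath value.
SAMPLE_SERVICES = {
    "AcmeAgent":    r"C:\Program Files\Acme Agent\bin\agent.exe -run",
    "AcmeUpdater":  r'"C:\Program Files\Acme Agent\update.exe" /svc',
    "Spooler":      r"C:\Windows\System32\spoolsv.exe",
    "LegacyBackup": r"C:\Tools\my service\svc.exe",
}


def hijack_candidates(image_path):
    """Return the executable paths Windows will try before the intended one.
    Empty list means the path is quoted or contains no spaces (not vulnerable)."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []
    # The executable portion ends at the first ".exe" followed by a space or
    # end of string; anything after it is arguments and is ignored.
    m = re.match(r'(?i)(.*?\.exe)(?=\s|$)', p)
    exe_path = m.group(1) if m else p
    parts = exe_path.split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def audit_services(services):
    """Map each vulnerable service name to its list of hijack candidates."""
    result = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            result[name] = candidates
    return result


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for c in candidates:
            print("   ", c)
```

The candidate list says where to look, not whether the hole is exploitable: the second step is checking whether the service account's caller (typically any authenticated user) can create files in the parent directory of each candidate, which on a live host is an icacls query per directory. The fix is the defence listed at the end of this page, fully qualified and quoted paths.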
Abusing Accessibility Features
Running malicious code through Windows accessibility features (sethc.exe, utilman.exe, osk.exe and the like, all reachable from the logon screen): either replacing the feature binaries with cmd.exe, or redirecting them in the registry through an Image File Execution Options "Debugger" entry so that cmd.exe launches in their place
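A check for both tampering methods above, which also covers the Sticky Keys sethc.exe swap described earlier. This is an added example, not from the original notes: check_accessibility compares the hashes of the accessibility binaries against those of cmd.exe and powershell.exe, and looks for a Debugger value under each binary's IFEO subkey. It works on a hash table and an IFEO snapshot so that it runs offline on the constructed sample; hash_system32 builds the real hash table on a live Windows host, and the IFEO snapshot would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

```python
"""Detect replaced or IFEO-redirected Windows accessibility binaries."""
import hashlib
import os

ACCESSIBILITY = ["sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe", "atbroker.exe"]
SHELLS = ["cmd.exe", "powershell.exe"]


def hash_system32(system32=r"C:\Windows\System32"):
    """SHA-256 of each accessibility binary and shell present in System32
    (live-host helper; not used by the offline demo)."""
    out = {}
    for name in ACCESSIBILITY + SHELLS:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out


def check_accessibility(hashes, ifeo):
    """hashes: {filename: sha256 hex}; ifeo: {IFEO subkey name: {value: data}}.
    Returns a list of (binary, finding) tuples."""
    findings = []
    shell_hashes = {hashes[s]: s for s in SHELLS if s in hashes}
    ifeo_lower = {k.lower(): v for k, v in ifeo.items()}
    for name in ACCESSIBILITY:
        h = hashes.get(name)
        if h in shell_hashes:
            findings.append((name, f"file content identical to {shell_hashes[h]}"))
        values = {k.lower(): v for k, v in ifeo_lower.get(name, {}).items()}
        # No accessibility tool is legitimately run under a debugger on a
        # production host, so any Debugger value here is a redirect.
        if "debugger" in values:
            findings.append((name, f"IFEO Debugger set to {values['debugger']}"))
    return findings


def _h(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: sethc.exe has been overwritten with cmd.exe, and
# utilman.exe is redirected through IFEO.  Hashes are of placeholder bytes.
SAMPLE_HASHES = {
    "cmd.exe": _h(b"cmd"), "powershell.exe": _h(b"ps"),
    "sethc.exe": _h(b"cmd"),
    "utilman.exe": _h(b"utilman"), "osk.exe": _h(b"osk"),
}
SAMPLE_IFEO = {"Utilman.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"}}


if __name__ == "__main__":
    for binary, finding in check_accessibility(SAMPLE_HASHES, SAMPLE_IFEO):
        print(f"{binary}: {finding}")
```

On a live host, a stronger version of the hash check verifies each binary's Authenticode signature rather than comparing against the shells, since an attacker could drop any signed or unsigned program, not only cmd.exe; the IFEO check needs no such refinement.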
SID-History Injection
The Windows Security Identifier (SID) is a unique value assigned to each user and group account by the DC. SID-History is an account attribute that holds a principal's former SIDs (used during domain migrations); an attacker with sufficient rights can inject the SID of an administrator or a privileged group into the SID-History of a compromised account, which then inherits that access
COM Hijacking
COM hijacking involves tampering with Component Object Model object references in the Windows registry, replacing them with malicious content so that the attacker's DLL or executable is loaded in place of the legitimate one
Scheduled Task in Windows
Windows Task Scheduler can be used to schedule programs to execute at a specific date and time; a malicious program can be scheduled to run at startup, under a privileged account
Scheduled Task in Linux
Linux uses cron (crond) for automating task scheduling; scripts executed by cron are listed in /etc/crontab and the /etc/cron.d directory, and a writable entry there runs as the user named in the entry, often root
Launch Daemon
launchd drives macOS boot-up. Launch daemons have plist files (under /Library/LaunchDaemons) linked to executables that run at startup; a plist can be altered to run malicious code as root
SetUID and SetGID
In Linux and macOS, if an application has the setuid or setgid bit set, it executes with the privileges of the owning user or group rather than of the caller. Attackers exploit setuid or setgid applications to execute malicious code with those privileges.
Web Shell
A web shell is a web-based script that gives an attacker command access to a web server; attackers upload web shells to the server so they can run malicious scripts and commands on it
Abusing Sudo Rights
Sudo is a UNIX and Linux system utility that permits users to run commands as the superuser. Attackers who obtain write access to the sudo configuration file /etc/sudoers (or /etc/sudoers.d) can grant themselves root; more commonly they abuse over-permissive existing rules, such as NOPASSWD entries for programs that can spawn a shell.
Defense – strong password policy for sudo users – turn off password caching by setting timestamp_timeout to 0 in sudoers – separate sudo-level admin accounts from the administrators' regular accounts to limit credential theft – review user permissions and accounts at regular intervals – test sudo users with access to programs containing parameters that allow arbitrary code execution
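The last defence above (test which sudo rules lead to code execution) done mechanically, as an added example that is not part of the original notes: a parser for simple sudoers rules that flags grants of ALL, programs that can spawn a shell from inside sudo (vim, less, find, awk, tar and similar), wildcard arguments, and NOPASSWD on any of those, and reports whether timestamp_timeout=0 is set. Only "user host=(runas) commands" rules are parsed; alias definitions are skipped. SAMPLE_SUDOERS is constructed.

```python
"""Audit a sudoers file for rules that hand out a root shell."""
import re

# Programs that can execute arbitrary commands once run under sudo
# (shell escapes, -exec, system(), --checkpoint-action, interpreters).
SHELL_ESCAPE = {
    "vi", "vim", "nano", "less", "more", "man", "find", "awk", "tar",
    "python", "python3", "perl", "bash", "sh", "env", "gdb",
}

_RULE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$')
_TAGS = re.compile(r'\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC)\s*:')
_ALIASES = ("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample (not from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=0
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) NOPASSWD: /usr/bin/tar, /usr/bin/find /var/backups
www     ALL=(root) /usr/bin/vim /etc/nginx/nginx.conf
ops     ALL=(ALL) NOPASSWD: /usr/bin/apt-get *
"""


def audit_sudoers(text):
    """Return (findings, timeout_zero); findings are (who, command, issues)."""
    findings = []
    timeout_zero = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if re.search(r'timestamp_timeout\s*=\s*0\b', line):
                timeout_zero = True
            continue
        if line.split()[0] in _ALIASES:
            continue
        m = _RULE.match(line)
        if not m or m.group("who") == "root":   # root's own rule is expected
            continue
        who, cmds = m.group("who"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        for cmd in re.split(r'\s*,\s*', _TAGS.sub('', cmds).strip()):
            if not cmd:
                continue
            issues = []
            if cmd == "ALL":
                issues.append("ALL commands")
            else:
                binary = cmd.split()[0].rsplit('/', 1)[-1]
                if binary in SHELL_ESCAPE:
                    issues.append(f"{binary} can spawn a shell")
                if '*' in cmd:
                    issues.append("wildcard arguments")
            if issues and nopasswd:
                issues.append("NOPASSWD")
            if issues:
                findings.append((who, cmd, issues))
    return findings, timeout_zero


if __name__ == "__main__":
    found, tz = audit_sudoers(SAMPLE_SUDOERS)
    print("timestamp_timeout=0:", tz)
    for who, cmd, issues in found:
        print(f"{who:8} {cmd:40} {', '.join(issues)}")
```

The deploy rule is deliberately not reported: a NOPASSWD grant for one fixed systemctl invocation is the shape a sudo rule should have. Feed the tool the output of visudo -c -f or the concatenation of /etc/sudoers and /etc/sudoers.d/*.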
Kernel Exploits
Exploit a vulnerability in the kernel to execute arbitrary commands or code with kernel-level (root or SYSTEM) privileges
Privilege Escalation Tools
BeRoot – checks common misconfigurations to find a way to escalate privileges
linpostexp – obtains detailed information on the kernel which can be used to escalate privileges
Others: PowerSploit, FullPowers, PEASS-ng (LinPEAS / WinPEAS), Windows Exploit Suggester
Defense against Privilege Escalation
Restrict interactive login privileges
Change the UAC settings to Always Notify
Run users and applications with the lowest privileges
Restrict users from writing files to the search paths for applications
Implement multi-factor authentication and authorization
Continuously monitor file-system permissions using auditing tools
Run services as unprivileged accounts
Reduce the privileges of users and groups
Implement a privilege separation methodology to limit the scope of programming errors and bugs
Use application whitelisting tools to identify and block malicious software
Use encryption techniques to protect sensitive data
Use fully qualified (and quoted) paths in all Windows applications
Reduce the amount of code that runs with a particular privilege
Ensure that executables are placed in write-protected directories
Perform debugging using bounds checkers and stress tests
In macOS, make plist files read-only
Thoroughly test the system for application coding errors and bugs
Block unwanted system utilities that may be used to schedule tasks