CEH Module6 – System Hacking Part1 – Gaining Access and Escalating Privileges

  • Gaining Access
  • Escalating Privileges
  • Maintaining Access
  • Clearing Logs

The first step involves the use of various techniques by attackers to gain access to the target
system. These techniques include cracking passwords, exploiting buffer overflows, and
exploiting identified vulnerabilities.

Gain Access

Microsoft Authentication

Security Accounts Manager Database (SAM) – AD database
– Passwords are hashed and stored in SAM
NTLM Authentication
– NTLM and LM authentication protocols
– The protocols store the password in the SAM database using different hash methods
Kerberos Authentication
– MS upgraded the default authentication protocol to Kerberos

Password Cracking

Process of recovering passwords from data in transit or stored.

Non-Electronic Attacks

Attacker does not need technical knowledge
– Shoulder Surfing
— looking at screens or keyboard

– Social Engineering
— convincing people to reveal password

– Dumpster Diving
— checking user’s bins, printer’s trash

Active Online Attacks

Directly communicating with the victim machine
– Dictionary, brute force, rule-based attack
— Dictionary: a wordlist file is loaded and run against user accounts
— Brute force: every combination of characters is tried
— Rule-based: the attacker already has some information about the password

– Mask attack
— recover password from hashes – hashcat

– Hash injection / Pass-the-hash attack
— Compromise a server (domain controller) using a local/remote exploit
— Extract the logged-on domain admin account hash
— Inject the compromised hash into a local session (victim)

– LLMNR/NBT-NS poisoning
— Windows OS protocols for name resolution
— attacker cracks the hash obtained from the victim's authentication process
— extracted credentials are used to log on to host systems in the network

– Trojan/spyware/keyloggers
— runs in the background, collects usernames and passwords

– Password Guessing
— Find a valid user
— Create list of possible passwords
— Rank passwords from high to low probability
— Key in each password, until the correct password is discovered

– Default password
— password supplied by manufacturer

– Password Spraying
— target multiple user accounts and try a small set of commonly used passwords against each account
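The difference between spraying (one source, few passwords, many accounts) and brute force (one source, many attempts, one account) is what a defender keys on in authentication logs. The following is an added example, not from the course notes; the log line layout and the IP addresses are constructed for the example.

```python
"""Classify failed-logon sources as password spraying or brute force.

Added example, not from the course notes. Spraying shows up as one source
failing against MANY distinct accounts inside a short window; brute force
is many failures against ONE account. The sample lines below are constructed
and the "timestamp source_ip username result" layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.5 sprays six accounts, 10.0.0.9 hammers alice
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 alice FAIL
2024-01-10T09:00:02 10.0.0.5 bob FAIL
2024-01-10T09:00:03 10.0.0.5 carol FAIL
2024-01-10T09:00:04 10.0.0.5 dave FAIL
2024-01-10T09:00:05 10.0.0.5 erin FAIL
2024-01-10T09:00:06 10.0.0.5 frank FAIL
2024-01-10T09:00:07 10.0.0.9 alice FAIL
2024-01-10T09:00:08 10.0.0.9 alice FAIL
2024-01-10T09:00:09 10.0.0.9 alice FAIL
2024-01-10T09:00:10 10.0.0.9 alice FAIL
2024-01-10T09:00:11 10.0.0.9 alice FAIL
2024-01-10T09:00:12 10.0.0.9 alice FAIL
2024-01-10T09:05:00 10.0.0.7 bob OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=5):
    """Return {source_ip: "spray" | "brute" | None} for every source with failures.

    spray: at least spray_accounts DISTINCT accounts fail from one source within window
    brute: at least brute_attempts failures against ONE account from one source within window
    Sources that only produce successful logons are not reported at all.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    verdict = {}
    for src, fails in by_src.items():
        fails.sort()  # chronological order for the sliding window
        label = None
        for i, (start, _) in enumerate(fails):
            # every failure from this source that falls inside [start, start + window]
            in_win = [u for t, u in fails[i:] if t - start <= window]
            distinct = set(in_win)
            if len(distinct) >= spray_accounts:
                label = "spray"
                break
            if max(in_win.count(u) for u in distinct) >= brute_attempts:
                label = "brute"
                break
        verdict[src] = label
    return verdict


if __name__ == "__main__":
    for src, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {label}")
```

A per-account lockout threshold alone misses the spraying source, because each account sees only one failure; the distinct-account count per source is the signal that catches it.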

Internal Monologue Attack
– attackers use SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user

Cracking Kerberos Password
AS-REP Roasting (Cracking TGT)
— request a TGT from the KDC in the form of an AS-REQ packet
Kerberoasting (Cracking TGS)
— request a TGS for the SPN of the target service account
Pass the ticket Attack – Mimikatz, Rubeus, Windows Credentials Editor
— Authenticating a user to a system with a Kerberos ticket, without the password
— dumps Kerberos tickets of legitimate accounts using credential dumping tools
— attack by stealing the ST/TGT from an end user or a compromised authorization server
— Mimikatz allows the attacker to pass a Kerberos TGT to other computers and sign in using the victim's ticket
— extract plain-text passwords, hashes, PIN codes and Kerberos tickets from memory

Other Active Online Attacks
– Combinator Attack – combine the entries of one dictionary with those of a second dictionary to generate a new wordlist
– Fingerprint Attack – break down the passphrase into fingerprints comprising single- and multi-character combinations
– PRINCE attack (PRobability INfinite Chained Elements) – advanced version of the combinator attack; uses a single input dictionary to build chains of combined words instead of taking input from two dictionaries
– Toggle-Case attack – tries combinations of the upper- and lower-case versions of each word present in the input dictionary
– Markov Chain attack – split each password entry into 2-3 character syllables; from these character elements a new alphabet is built, which is then matched against the existing password database
– GPU-based attack – exploit the OpenGL API on GPUs to set up a spy on the victim device that infers user activities and passwords entered in a browser

Passive Online Attacks

Wire Sniffing
– Runs packet sniffing tools on LANs to access and record network data
– captured data may include sensitive information such as password and emails
– sniffed credentials are used to gain unauthorized access

Man-in-the-middle
– acquires access to the communication channels between the victim and the server
– can be broken by invalidating the traffic
Replay attack
– packets and authentication tokens captured by the sniffer, where after information is extracted, tokens are placed back on the network to gain access.

Offline Attacks

Rainbow table attack – rtgen
– precomputed table that contains wordlist like dictionary files, brute force lists and their hash values

Distributed Network Attack
– DNA – used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network

Password recovery tools

Elcomsoft distributed password recovery
Password recovery toolkit
hashcat
Windows Password Recovery Tool

pwdump7 – extracts LM and NTLM password hashes of local user accounts from the SAM database.
other tools – mimikatz, powershell empire, ntdsxtract

Password cracking tools

Password cracking using domain password audit tool (DPAT)
– python script that generates password use statistics from password hashes dumped from a domain controller and password crack file such as hashcat.pot
– generates a html report which can be used to analyze usernames, passwords and other statistics

L0phtCrack
– password auditing and recovery application
ophcrack
– Windows password cracker based on rainbow tables

Password cracking tools
– RainbowCrack – cracks hashes with rainbow tables, using a time-memory tradeoff algorithm
– john the ripper, hashcat, THC-hydra, Medusa, secure-shell bruteforcer

Password Salting

Technique where a random string of characters is added to the password before its hash is calculated.
– makes it more difficult to reverse hashes and defeats pre-computed hash attacks
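To make the salting point concrete, here is an added example (not from the course notes) using PBKDF2-HMAC-SHA256 from the Python standard library: two users with the same password get different stored hashes, so one precomputed table cannot be reused across accounts, and verification still works because the salt is stored beside the hash.

```python
"""Salted password hashing versus an unsalted hash.

Added example, not from the course notes. The unsalted SHA-256 of a password is
identical for every user who picks it, which is exactly what a rainbow table
precomputes. A random per-user salt mixed into a slow KDF (PBKDF2 here) breaks
that reuse. Iteration count is an assumed tuning value.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed value: slows each guess; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given.

    Storing the salt next to the digest is fine: its purpose is uniqueness, not secrecy.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_hash(password: str) -> bytes:
    """What a rainbow table targets: a plain hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def two_users_collide(password: str) -> Tuple[bool, bool]:
    """For two accounts sharing a password: (unsalted hashes equal?, salted digests equal?).

    Returns (True, False): the unsalted scheme leaks that both users share a password
    and lets one table crack both; the salted scheme yields unrelated digests.
    """
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    (_, d1), (_, d2) = hash_password(password), hash_password(password)
    return unsalted_equal, d1 == d2


if __name__ == "__main__":
    salt, digest = hash_password("Winter2024!")
    print("salt:", salt.hex(), "digest:", digest.hex())
    print("verify correct:", verify_password("Winter2024!", salt, digest))
    print("verify wrong:  ", verify_password("winter2024!", salt, digest))
    print("collide (unsalted, salted):", two_users_collide("Winter2024!"))
```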

Defence against Password Cracking

information security audit to monitor and track password attacks
disallow use of the same password during password change
disallow password sharing
disallow use of passwords that can be found in a dictionary
do not use clear text and protocols with weak encryption
password change policy 30 days
avoid storing passwords in unsecured locations
do not use default passwords
make passwords hard to guess: 8-12 alphanumeric characters, upper and lower case, numbers and symbols
ensure applications neither store passwords in memory nor write them to disk in clear text
random string (salt) as a prefix or suffix before encryption
enable SYSKEY with a strong password to encrypt and protect the SAM database
monitor server logs for brute force
lock out accounts subjected to too many incorrect guesses
disallow use of passwords such as DOB, spouse or pet names

Defense against LLMNR/NBT-NS Poisoning

Disabling LLMNR – turn off multicast name resolution
Disabling NBT-NS – disable NetBIOS over TCP/IP

Tools to Detect LLMNR/NBT-NS Poisoning
Vindicate – LLMNR/NBNS/mDNS spoofing detection toolkit to detect name service spoofing
Respounder – helps security professionals detect rogue hosts running on public wifi networks
got-responded – checks for LLMNR/NBT-NS spoofing

Vulnerability Exploitation

identify the vulnerability
determine the risk associated with the vulnerability
determine the capability of the vulnerability
develop the exploit
select the method for delivering – local or remote
generate and deliver the payload
gain remote access

Exploit sites

exploit-db.com
vuldb.com
vulners.com
MITRE CVE

Buffer Overflow

A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data.
– Allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations
– Attackers exploit this vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc.

Types of Buffer Overflow: Stack-Based Buffer Overflow

A stack stores variables in last-in, first-out order. When a function is called, the memory required for its variables is declared on the stack, and when the function returns, that memory is automatically deallocated.
The stack has two operations: PUSH, which stores data onto the stack, and POP, which removes data from the stack.

If an application or program is vulnerable to buffer overflow attack, then attackers take control of the EIP register to replace the return address of the function with malicious code that allows them to gain shell access to the target system.

Types of Buffer Overflow: Heap-Based Buffer Overflow

A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically.

Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program’s execution.

Windows Buffer Overflow Exploitation

Steps involved in exploiting a Windows-based buffer overflow vulnerability:

1. Perform spiking
2. Perform fuzzing
3. Identify the offset
4. Overwrite the EIP register
5. Identify bad characters
6. Identify the right module
7. Generate shellcode
8. Gain root access

Spiking
– send crafted TCP or UDP packets to the vulnerable server in order to make it crash
– help attacker identify the buffer overflow vulnerabilities in the target applications

Fuzzing
– send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register
– helps identify number of bytes required to crash the target server
– this information helps in determining location of EIP register, which further helps in injecting the malicious shellcode

identifying the offset
– attackers use the Metasploit framework pattern_create and pattern_offset Ruby tools to identify the offset, i.e. the exact position at which the EIP register is overwritten

overwrite the EIP register
– overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode

Identify bad characters
– before injecting the shellcode into the EIP register, attackers identify bad characters that may cause issues in the shellcode
– use Immunity Debugger to look for bytes that are mangled or truncated in memory; the null byte \x00 is always a bad character

Identify the right module
– identify the right module of the vulnerable server that lacks memory protection
– use script mona.py to identify these modules

Generate shellcode and gain shell access
– msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target

Return-Oriented Programming (ROP) Attack

exploitation technique used by attackers to execute arbitrary malicious code in the presence of security protections such as code signing and executable space protection.

Return oriented programming is an exploitation technique
hijacks the target program's control flow by gaining access to the call stack and executes arbitrary machine instructions by reusing pieces of available libraries known as gadgets
gadgets are collections of instructions that end with the x86 RET instruction
the attacker selects a chain of existing gadgets to create a new program and executes it with malicious intent
ROP attacks are very effective as they use available and legitimate code libraries and are not flagged by security protections such as code signing and executable space protection

Exploit Chaining

– Vulnerability chaining – combines various exploits or vulnerabilities to infiltrate and compromise the target from its root level
– during exploit chaining, an attacker first initiates the reconnaissance operation and then starts enumerating various digital footprints and underlying vulnerabilities one after another within the software or hardware

Active Directory Enumeration

Attackers perform Active Directory (AD) enumeration to extract sensitive information such as users, groups, domains, and other resources from the target AD environment.

Before performing enumeration using PowerView,
– Attackers disable the security monitoring option using the following command:
Set-MpPreference -DisableRealtimeMonitoring $true

Domain Mapping and Exploitation with Bloodhound
Attackers attempt to identify a complex attack path in the target organization's AD environment using tools such as Bloodhound and Docusnap

Bloodhound uses graph theory to reveal the hidden and often unintended relationships within an AD environment

Identifying Insecurities Using GhostPack Seatbelt
GhostPack Seatbelt is used to perform various security checks and collect information from a host system in both defensive and offensive ways

– Attackers use Seatbelt to collect host information including PowerShell security settings, Kerberos tickets, and items present in the Recycle Bin

Buffer Overflow Detection Tools

OllyDbg dynamically traces stack frames and program execution, and it logs arguments of known functions
Veracode
Flawfinder
Kiuwan
Splint
BOVSTT

Defense against Buffer Overflows

Develop programs by following secure coding practices
Always protect the return pointer of the stack
Use address space layout randomization (ASLR) techniques
Never allow the execution of code outside the code space
Minimize code that requires root privileges
Regularly patch applications and the OS
Perform code review at the source level using static/dynamic code analyzers
Perform code inspection
Allow the compiler to add bounds checks to all buffers
Employ data execution prevention to mark memory regions as non-executable
Implement automatic bounds checking
Implement code pointer integrity checking to detect whether a code pointer has been corrupted

Escalating Privileges

Horizontal privilege escalation – an unauthorized user tries to access resources that belong to an authorized user who has similar access permissions. Example: online banking user A accessing user B's bank account
Vertical privilege escalation – gain access to the resources of a user with higher privileges, such as an administrator
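The banking example above maps onto two distinct missing checks in application code. The following added example (not from the course notes; the accounts, users and roles are constructed) shows a weak version of each check beside its hardened form: the horizontal flaw is an ownership check that never happens, the vertical flaw is a role that the client is allowed to assert.

```python
"""Horizontal vs vertical privilege escalation in an authorization layer.

Added example, not from the course notes. Toy banking data is constructed.
weak_*      : the flawed checks (user A reads user B's account; any user can
              claim "admin" in the request)
hardened_*  : ownership and role are both tied to the server-side session
"""
ACCOUNTS = {  # constructed sample: account id -> owner, balance, frozen flag
    "acct-1001": {"owner": "alice", "balance": 100, "frozen": False},
    "acct-1002": {"owner": "bob", "balance": 250, "frozen": False},
}
ROLES = {"alice": "customer", "bob": "customer", "ops": "admin"}  # server-side truth


class Forbidden(Exception):
    """Raised when an access check fails."""


# --- vulnerable versions ---------------------------------------------------
def weak_view_balance(session_user, account_id):
    """Horizontal flaw: checks that *someone* is logged in, never who owns the account."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]["balance"]


def weak_freeze_account(session_user, account_id, claimed_role):
    """Vertical flaw: the role comes from the request body, so any user can send 'admin'."""
    if session_user is None:
        raise Forbidden("login required")
    if claimed_role != "admin":
        raise Forbidden("admin only")
    ACCOUNTS[account_id]["frozen"] = True
    return True


# --- hardened versions -----------------------------------------------------
def hardened_view_balance(session_user, account_id):
    """Ownership check bound to the authenticated session identity."""
    acct = ACCOUNTS.get(account_id)
    if session_user is None or acct is None or acct["owner"] != session_user:
        raise Forbidden("denied")  # same answer whether or not the account exists
    return acct["balance"]


def hardened_freeze_account(session_user, account_id):
    """Role is looked up server-side; nothing in the request can elevate it."""
    if session_user is None or ROLES.get(session_user) != "admin":
        raise Forbidden("denied")
    if account_id not in ACCOUNTS:
        raise Forbidden("denied")
    ACCOUNTS[account_id]["frozen"] = True
    return True


def is_allowed(fn, *args, **kwargs):
    """True if the call succeeds, False if the access check refuses it."""
    try:
        fn(*args, **kwargs)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("weak: alice reads bob's balance:", is_allowed(weak_view_balance, "alice", "acct-1002"))
    print("hardened: same request:", is_allowed(hardened_view_balance, "alice", "acct-1002"))
    print("weak: alice freezes bob's account as 'admin':",
          is_allowed(weak_freeze_account, "alice", "acct-1002", claimed_role="admin"))
    print("hardened: same request:", is_allowed(hardened_freeze_account, "alice", "acct-1002"))
```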

Privilege Escalation Using DLL Hijacking

Most Windows applications do not use a fully qualified path when loading an external DLL library; instead, they search the directory from which they were loaded.
– An attacker can place a malicious DLL in the application directory, and it will be executed in place of the real DLL
– attackers use tools such as Robber and PowerSploit to detect hijackable DLLs and perform DLL hijacking

Privilege Escalation by Exploiting Vulnerabilities

– Attackers exploit software vulnerabilities by taking advantage of programming flaws in services, OS software or the kernel to execute malicious code.
– exploited to gain higher privileges than those existing or to bypass security mechanisms
– exploits for specific OS versions and software applications can be searched for on ExploitDB and VulDB

Privilege Escalation Using Dylib Hijacking

In macOS, when an application loads an external dylib, the loader searches for the dylib in multiple directories
– attackers can inject a malicious dylib into one of the primary directories, and it will be executed in place of the original dylib.
Dylib Hijack Scanner helps attackers detect dylibs that are vulnerable to hijacking attacks

Defense: Dependency Walker – detects many common application problems such as missing modules, import/export mismatches and circular dependency errors

Dylib hijack scanners – scan for applications that are susceptible to dylib hijacking or have already been hijacked.

Privilege Escalation Using Spectre and Meltdown Vulnerabilities

Spectre and Meltdown are vulnerabilities found in the design of modern processor chips from AMD, ARM and Intel.
– Performance and CPU optimizations in processors such as branch prediction, out-of-order execution and caching lead to these vulnerabilities
– attackers can gain unauthorized access and steal critical system information such as credentials and secret keys stored in the application's memory to escalate privileges

Spectre – read adjacent memory locations of a process to access information
– read the kernel memory or perform web based attack using javascript

Meltdown – escalate privileges by forcing an unprivileged process to read other adjacent memory location such as kernel memory and physical memory
– leads to revealing critical system information such as credential, private keys

Defense:

Regularly patch and update OS and firmware
Enable continuous monitoring of critical applications and services running on the systems and network
Regularly patch vulnerable software such as browsers
Install and update ad-blockers and anti-malware to block injection of malware through websites
Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access
block services and application that allow unprivileged users to execute code
never install unauthorized software or access untrusted websites from systems storing sensitive information
Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory
Frequently check with the manufacturer for BIOS updates

Tool for defense:
InSpectre – examines and discloses any windows system’s hardware and software vulnerabilities to meltdown and spectre attacks
Spectre and Meltdown checker – shell script to tell if system is vulnerable to meltdown and spectre

Privilege Escalation Using Named Pipe Impersonation

In Windows OS, named pipes provide legitimate communication between running processes.
– often used for gaining higher access privileges
Metasploit's getsystem command performs named pipe impersonation to gain administrative-level privileges and extract password hashes of the admin accounts.

Privilege Escalation by Exploiting Misconfigured Services

Unquoted service Paths
– In Windows OS, when starting up a service, the system attempts to find the location of the executable file to launch the service.
– Normally the executable file path is enclosed in quotation marks
– attackers can exploit services with unquoted paths (containing spaces) running under SYSTEM privileges to elevate their privileges
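An audit for this weakness only needs the ImagePath of each service: if it is unquoted and contains spaces, Windows tries each space-delimited prefix (with .exe appended) before the real binary, so any writable intermediate directory is the risk. The following is an added example, not from the course notes; the service entries are constructed, and on a real host the values would be read from the registry under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example, not from the course notes. For an unquoted path with spaces,
CreateProcess tries "C:\Program.exe", "C:\Program Files\Bad.exe", ... before
the intended executable. Listing those candidates tells the defender which
directories must not be writable by ordinary users. Sample data is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of (service name, ImagePath as stored in the registry)
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -run'),
    ("BadSvc", r"C:\Program Files\Bad Vendor\Sub Dir\agent.exe -k"),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Executable part of an unquoted command line: everything up to the first ".exe"
# that is followed by whitespace or the end of the string (arguments come after).
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def candidate_executables(image_path: str) -> List[str]:
    """Return the paths Windows would try, in order, for an unquoted ImagePath.

    Returns [] when the path is quoted or contains no spaces: not exploitable.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable boundary is explicit
    m = EXE_RE.match(path)
    exe_part = m.group(1) if m else path
    if " " not in exe_part:
        return []  # no spaces, so there is only one interpretation
    candidates = []
    for i, ch in enumerate(exe_part):
        if ch == " ":
            # each prefix before a space is tried as "<prefix>.exe"
            candidates.append(exe_part[:i] + ".exe")
    candidates.append(exe_part)  # finally the intended binary
    return candidates


def find_unquoted(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each affected service name to the list of paths tried before the real one."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services:
        cands = candidate_executables(image_path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in find_unquoted(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, tried in order:")
        for c in cands:
            print("   ", c)
```

Fixing a finding means quoting the path in the service configuration; the candidate list also tells you which parent directories to check for write permissions granted to non-administrators.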

Service Object Permissions
– misconfigured service permission may allow attacker to modify or reconfigure the attributes associated with the service
– attackers can even add new users to the local administrator group and then hijack the new account to elevate their privileges

Unattended Installs
– configuration settings used during the installation process are stored in Unattend.xml file
– stored in application directories or system32 or system32\sysprep
– attackers can use Unattend.xml to escalate privilege

Pivoting and Relaying to Hack External Machines

– Bypass the firewall to pivot via the compromised system to access other vulnerable systems in the network

Pivoting
1. Discover live hosts in the network
2. Setup routing rules
3. Scan ports of live systems
4. Exploit vulnerable services

Relaying
1. Setup port forwarding rules
2. Access the system resources

Privilege Escalation Using Misconfigured NFS

– a misconfigured NFS share paves the way for attackers to gain root-level access through a regular user account
– NFS uses port 2049 to provide communication between a client and server through Remote Procedure Call (RPC).
– attackers can sniff sensitive data and files passing through the intranet and launch further attacks
use showmount -e to check whether any share is available for mounting

Privilege Escalation Using Windows Sticky Keys

– in Windows OS, Sticky Keys is an accessibility feature that allows key combinations to be pressed one key at a time
– after gaining access to the remote system, attackers escalate privileges by simply altering the file associated with the Sticky Keys feature and pressing the Shift key five times in rapid succession once the system has been booted
– this is done by replacing the file sethc.exe with cmd.exe

Privilege Escalation by Bypassing User Account Control (UAC)

– When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC to gain system-level access
– Whatever option the UAC protection level is set to, attackers can abuse a few Windows applications to escalate privileges without triggering a UAC notification

Techniques to Bypass UAC Using Metasploit
– Bypassing UAC protection – process injection
msf > use exploit/windows/local/bypassuac
It generates another session or shell without a UAC flag. After gaining shell access, attackers execute the getsystem and getuid commands to retrieve the privileges of system authority.

– Bypassing UAC protection via Memory Injection
msf> use exploit/windows/local/bypassuac_injection
Employs reflective DLL mechanisms to inject only DLL payload binaries. Using this command, attackers can obtain NT AUTHORITY\SYSTEM privileges.

– Bypassing UAC protection through FodHelper Registry key
msf> use exploit/windows/local/bypassuac_fodhelper
Hijacks a special key from the HKCU registry hive to bypass the UAC and attaches it to a fodhelper.exe. The custom commands can be invoked when the fodhelper.exe file is executed.

– Bypassing UAC protection through Eventvwr Registry key
msf> use exploit/windows/local/bypassuac_eventvwr
Hijacks a special key from the HKCU registry, and custom commands can be executed with the launch of Event Viewer. The key is wiped once the malicious commands or payloads are invoked.

– Bypassing UAC protection through COM handler Hijack
msf> use exploit/windows/local/bypassuac_comhijack
allows attackers to build COM handler registry entries within the current user hive to bypass UAC protection. These registry entries can be referenced to the execution of some high-level processes, which results in the loading of attacker-controlled DLLs. These DLLs can be injected with a malicious payload that allows attackers to establish elevated sessions.

Privilege Escalation by Abusing Boot or Logon Initialization Scripts

– Attackers can take advantage of boot or logon initialization scripts for escalating privileges or maintaining persistence on a target system
– Boot or logon initialization scripts also allow attackers to perform administrative tasks, using which they can run other programs on the system.

Logon Script (Windows) – Attackers create persistence and escalate privileges on a system by embedding the path to their script in the following registry key: HKCU\environment\UserInitMprLogonScript
Logon Script (Mac) – known as login hooks. Execute automatically during system login. Can be used to run a malicious payload.
Network Logon Scripts – allocated using AD or GPO; gain administrator or local credentials based on the access configuration
RC Scripts – embedding a malicious binary, shell or path in RC scripts such as rc.common or rc.local within UNIX-based systems
Startup Items – malicious files or folders within the /library/StartupItems directory to maintain persistence; StartupItems are executed at boot with root-level privileges

Privilege Escalation by Modifying Domain Policy

Domain policy comprises the configuration settings that may be implemented between the domains in the forest domain environment
– attackers modify the domain settings by changing the group policy and trust relationship between domains
– can also implant a fake domain controller to maintain a foothold and escalate privileges

Group Policy Modification
– Modify the scheduledTasks.xml file to create a malicious scheduled task/job using scripts such as New-GPOImmediateTask:
<GPO_PATH>\Machine\Preference\ScheduledTasks\ScheduleTasks.xml

Domain Trust Modification
– Use the domain_trusts utility to collect information about trusted domains and modify the settings of existing domain trusts:
C:\windows\system32>nltest /domain_trusts

Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack – Mimikatz

In a DCSync attack, an attacker initially compromises and obtains privileged account access with domain replication rights and activates replication protocols to create a virtual domain controller similar to the original AD.

This allows an attacker to send requests to the DC, retrieve administrator NTLM password hashes, and perform further attacks such as golden ticket, account manipulation and living-off-the-land attacks.

mimikatz includes a DCSync command that utilizes MS-DRSR to replicate the behavior of a legitimate DC.

Defense: Examine permissions assigned to users and administrators; keep track of accounts that request domain replication rights.
– conduct security awareness training on system configuration, system patch management, and threat detection and response
– deploy network surveillance tools and decide which IPs need to be included in the replication list.

Other Privilege Escalation Techniques

Access token Manipulation

Windows uses access tokens to determine the security context of a process.
Obtain access tokens of other users or generate spoofed tokens to escalate privileges and perform malicious activities while avoiding detection

Parent PID Spoofing

PPID can be set to the process that is derived from the SYSTEM through system processes such as svchost.exe or consent.exe
Defense : Verify PPID fields where information is stored to detect irregularities
– identify the legit parent process using the event header PID specified by ETW
– analyse windows API calls such as CreateProcess for malicious PIDs
– Monitor system API calls exclusively assigning PPIDs to new processes

Application Shimming

The Windows Application Compatibility Framework, called Shim, is used to provide compatibility between older and newer versions of Windows.
Shims such as RedirectEXE, InjectDLL and GetProcAddress can be used to escalate privileges, install backdoors and disable Windows Defender.

Filesystem Permission Weakness

if the filesystem permissions of binaries are not properly set, an attacker can replace the target binary with a malicious file.

Path Interception

Applications include many weaknesses and misconfigurations such as unquoted paths, PATH environment variable misconfiguration and search order hijacking, which lead to path interception

Abusing Accessibility Features

Running malicious code within windows accessibility features
Replacing the features with cmd.exe or replacing binaries in the registry

SID-History Injection

The Windows Security Identifier (SID) is a unique value assigned to each user and group account by the DC
Attackers can inject the SID value of an administrator into the compromised user account's SID history

COM Hijacking

The COM hijacking process involves tampering with object references or replacing them with malicious content in the Windows registry

Scheduled Task in Windows

Windows Task Scheduler can be used to schedule programs to be executed at a specific date and time.
A malicious program can be scheduled to run at startup

Scheduled Task in Linux

Linux uses cron or crond for automating task scheduling
scripts executed by cron are listed in /etc/crontab

Launch Daemon

Launchd is used in the macOS boot process. Daemons have plists that are linked to executables that run at startup. A plist can be altered to run malicious code

SetUID and SetGID

In Linux and MacOS, if an application uses setuid or setgid, then the application will execute with the privileges of the owning user or group. Exploit the applications with setuid or setgid flags to execute malicious code.

Web Shell

Web-based script that allows access to a webserver
attackers create web shells to inject malicious scripts on a webserver.

Abusing Sudo Rights

Sudo is a UNIX and Linux system utility that permits users to run commands as the superuser.
Attackers can overwrite the sudo configuration file /etc/sudoers with their own malicious file

Defense – strong password policy for sudo users
– turn off password caching by setting time-stamp to 0
– separate sudo-level admin accounts from administrators' regular accounts to prevent theft
– update user permissions and accounts at regular intervals
– test sudo users with access to programs containing parameters for arbitrary code execution

Kernel Exploits

Exploit the kernel into executing arbitrary commands or code

Privilege Escalation Tools

BeRoot – check common misconfigurations to find a way to escalate privilege
linpostexp – obtains detailed information on the kernel which can be used to escalate privilege
PowerSploit
FullPower
PEASS-ng
Windows Exploit Suggester

Defense against Privilege Escalation

Restrict interactive login privileges
Change the UAC settings to Always Notify
Run users and applications with the lowest privileges
Restrict users from writing files to the search paths for applications
Implement multi-factor authentication and authorization
Continuously monitor file-system permissions using auditing tools
Run services as unprivileged accounts
Reduce the privileges of users and groups
Implement a privilege separation methodology to limit the scope of programming errors and bugs
Use whitelisting tools to identify and block malicious software
Use encryption techniques to protect sensitive data
Use fully qualified paths in all Windows applications
Reduce the amount of code that runs with a particular privilege
Ensure that executables are placed in write-protected directories
Perform debugging using bounds checkers and stress tests
In macOS, make plist files read-only
Thoroughly test the system for application coding errors and bugs
Block unwanted system utilities that may be used to schedule tasks
Regularly patch and update the kernel
Regularly patch and update the webserver

CEH Module5 – Vulnerability Analysis

Reason for the existence of Vulnerabilities

  • Hardware or software misconfiguration
  • Insecure or poor design of network and application
  • Inherent technology weakness
  • End-user carelessness
  • Intentional end-user acts

Examples of vulnerabilities

TCP/IP protocol vulnerabilities – HTTP, FTP, ICMP, SNMP are inherently insecure
Operating system vulnerabilities – inherently insecure
– not patched with the latest updates
Network device vulnerabilities – router, firewall, switch
– lack of password protection
– authentication
– insecure routing protocols
User account vulnerabilities – originating from the insecure transmission of user account details over the network
System account vulnerabilities – setting of weak passwords
Internet service misconfiguration – misconfiguration of services
Default passwords and settings – leaving devices/products with their default passwords and settings
Network device misconfiguration – misconfiguring the network device

Vulnerability Research

Process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws.
Vulnerabilities are classified based on severity levels (low, medium, high, critical) and exploit range (local or remote)

1. To gather information concerning security trends, attack surface, attack vectors and techniques
2. To discover weaknesses in the OS and applications, and alert the network administrator before a network attack
3. To gather information to aid in the prevention of security issues
4. To know how to recover from a network attack

Resources for vulnerability Research
– Microsoft security response center
– Packet storm
– Dark Reading
– Trend Micro
– Security Magazine
– PenTest Magazine

Vulnerability Assessment

An in-depth examination of the ability of a system or application, including its current security procedures and controls, to withstand exploitation.
It recognizes, measures and classifies security vulnerabilities in computer systems, networks and communication channels.

Used to
– identify weaknesses that can be exploited
– Predict the effectiveness of additional security measures in protecting information resources from attacks
Information obtained from the vulnerability scanner includes:
– Network vulnerabilities – Active (directly scanning the network) and passive scanning (indirectly interacting with the targeted network)
– open ports and running services
– Application and services vulnerabilities
– Application and services configuration errors

Vulnerability Scoring Systems and Databases

  • Common Vulnerability Scoring System (CVSS)
  • Common Vulnerabilities and Exposures (CVE)
  • National Vulnerability Database (NVD)
  • Common Weakness Enumeration (CWE)
CVSS v3.x qualitative severity rating scale:
Severity | Base Score Range
None     | 0.0
Low      | 0.1-3.9
Medium   | 4.0-6.9
High     | 7.0-8.9
Critical | 9.0-10.0

Vulnerability-Management Life Cycle

Pre-Assessment Phase
– Identify and understand business processes
– Identify applications, data and services
– Identify approved software and baseline configurations
– Create an inventory and prioritize/rank assets
– Understand the network architecture and map the network infrastructure
– Identify controls
– Check policy and standards compliance
– Define the scope
– Define information protection procedures

– Asset Identification: create a list of assets, including applications, systems, and services.
– Baseline Creation: establish baseline configurations and policies for assessing deviations.
– Scope Definition: clearly define the boundaries of the assessment, ensuring all critical areas are covered.
– Network Mapping: document the architecture and infrastructure to identify weak points.

Assessment Phase
– Examine physical security
– Check for misconfigurations
– Run the vulnerability scan
– Select the scan's compliance requirements
– Prioritize vulnerabilities
– Identify false positives and false negatives
– Apply business and technology context to the scanner results
– Perform OSINT information gathering to validate vulnerabilities
– Create the report

– Scanning: use tools like Nessus or OpenVAS to identify vulnerabilities in networks, applications, and configurations.
– Vulnerability Classification: distinguish between misconfigurations, legacy vulnerabilities, zero-days, and other weaknesses.
– Result Validation: check for false positives or negatives by cross-referencing scanner output with real-world conditions.

Post-Assessment Phase
– Risk Assessment: categorize risks based on their potential impact (e.g., critical, high, medium, low).
– Remediation: apply fixes such as patches, reconfigurations, or software updates.
– Verification: rescan the system to confirm vulnerabilities have been addressed.
– Continuous Monitoring: implement ongoing security checks using tools like a SIEM or intrusion detection systems.
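The "prioritize vulnerabilities" and "risk assessment" steps above, together with the CVSS severity table, come down to one routine: take the scanner's export, map each finding's base score to a qualitative rating, and order hosts and findings worst-first. The following is an added example, not part of these notes and not code from Tenable or any other vendor. It parses a small constructed `.nessus`-style XML export; only the `ReportHost`, `ReportItem` and `cvss3_base_score` elements are assumed, and the hosts, plugin names and scores are illustrative, not real advisories.

```python
"""Rank vulnerability-scanner findings by CVSS v3 severity and host.

Added example for the CEH notes; not from the original page or from any
scanner vendor. Parses a constructed .nessus-style export (only the
elements used below are assumed) and produces the prioritized list the
post-assessment phase works from.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export: two hosts, four findings. Plugin names and
# scores are illustrative only and do not refer to real advisories.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="internal-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="22" protocol="tcp" pluginName="Weak SSH cipher suites enabled">
        <cvss3_base_score>5.3</cvss3_base_score>
      </ReportItem>
      <ReportItem port="443" protocol="tcp" pluginName="TLS certificate has expired">
        <cvss3_base_score>3.7</cvss3_base_score>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="445" protocol="tcp" pluginName="Unpatched SMB service (remote code execution)">
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" pluginName="Informational: OS fingerprint">
        <cvss3_base_score>0.0</cvss3_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# CVSS v3.x qualitative rating scale (the table in the notes above).
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def parse_findings(nessus_xml: str) -> list[dict]:
    """Flatten a .nessus export into one dict per (host, port, plugin)."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            score_el = item.find("cvss3_base_score")
            score = float(score_el.text) if score_el is not None else 0.0
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin": item.get("pluginName", ""),
                "score": score,
                "severity": cvss_severity(score),
            })
    return findings


def prioritize(findings: list[dict], min_score: float = 0.1) -> list[dict]:
    """Drop informational items and sort worst-first (score, then host, then port)."""
    actionable = [f for f in findings if f["score"] >= min_score]
    return sorted(actionable, key=lambda f: (-f["score"], f["host"], f["port"]))


def hosts_by_worst_severity(findings: list[dict]) -> dict[str, str]:
    """Per host, the most severe rating present; this sets the remediation order."""
    worst = defaultdict(lambda: "None")
    for f in findings:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[worst[f["host"]]]:
            worst[f["host"]] = f["severity"]
    return dict(worst)


if __name__ == "__main__":
    ranked = prioritize(parse_findings(SAMPLE_NESSUS))
    for f in ranked:
        print(f"{f['severity']:8} {f['score']:4} {f['host']}:{f['port']}/{f['protocol']}  {f['plugin']}")
    print(hosts_by_worst_severity(ranked))
```

The informational item (score 0.0) is dropped because the severity table rates it "None"; everything else is ordered so that the critical SMB finding on 10.0.0.9 is handled before the medium SSH cipher issue on 10.0.0.5. Applying business context (asset criticality, exposure) is a separate step on top of this ordering.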

Types of Vulnerabilities

– Configuration Vulnerabilities: weak settings, default configurations, or unused open ports.
– Application Vulnerabilities: software flaws like buffer overflows, injection vulnerabilities, or race conditions.
– Patch Management Issues: unpatched systems or outdated software leaving exploitable gaps.
– Third-Party Risks: dependencies on third-party software or cloud services that could expose sensitive data.
– Zero-Day Vulnerabilities: newly discovered vulnerabilities for which the vendor has not yet released a patch.
– Legacy Systems: older, unsupported systems prone to attacks.

Types of Vulnerability Assessment

Active assessment – uses a network scanner to probe hosts directly
Passive assessment – sniffs network traffic without probing the hosts
External assessment – assesses the network from the attacker's perspective to discover exploitable vulnerabilities
Internal assessment – scans the internal infrastructure
Host-based assessment – configuration-level checks on individual hosts
Network-based assessment – determines possible network security attacks
Application assessment – analyzes the web infrastructure for misconfiguration, outdated content and known vulnerabilities
Database assessment – MySQL, MSSQL, etc.; looks for data exposure or injection
Wireless network assessment – vulnerabilities in wireless networks
Distributed assessment – assesses distributed assets (client and server applications) simultaneously using synchronization techniques
Credentialed assessment – assesses the network with valid credentials
Non-credentialed assessment – assesses the network without acquiring any credentials
Manual assessment – the ethical hacker manually assesses the vulnerabilities, ranking and scoring
Automated assessment – the ethical hacker uses vulnerability assessment tools such as Nessus or Qualys

Vulnerability Assessment Tools

  • Product-based solutions – installed in the internal network, typically behind the firewall; they cannot see attacks as they appear from outside
  • Service-based solutions – offered by third parties and hosted either inside the internal network or outside it; a scanner hosted outside sees the network as an external attacker would
  • Tree-based solutions – the auditor selects a different scanning strategy for each machine or component; relies on the administrator to provide a starting piece of intelligence
  • Inference-based solutions – scanning starts by building an inventory of the protocols found on the machine; after finding a protocol, the scanner detects which ports are attached to services; after finding the services, it selects the vulnerabilities relevant to each machine and executes only those tests

Types of Vulnerability Assessment Tools

Host-Based – scans the host, OS and applications
Depth – discovers and identifies previously unknown vulnerabilities
Application layer – designed to serve the needs of all kinds of operating system types and applications
Scope – provides an assessment of security by testing vulnerabilities in the applications and operating system; these tools provide standard controls and a reporting interface that allows the user to select a suitable scan
Active/Passive – active scanners perform vulnerability checks on the network and consume resources on it; passive scanners only observe system data and perform the processing on a separate analysis machine. A passive scanner first receives system data that provides complete information on the processes that are running and then assesses that data against a set of rules
Location/Data Examination tools – network-based scanner, agent-based scanner, proxy scanner, cluster scanner

Examples:
Qualys Vulnerability Management – cloud-based and continuously updated; identification of threats and monitoring of unexpected changes
Nessus Professional – assessment solution for identifying vulnerabilities, configuration issues and malware
GFI LanGuard – scans, detects and rectifies security vulnerabilities
OpenVAS – framework of services and tools for scanning and vulnerability management
Nikto – web server assessment tool
More names: beSECURE, Network Security Scanner, Nexpose
Mobile: Vulners Scanner, SecurityMetrics Mobile

Vulnerability Assessment Reports

Executive Summary
– assessment scope and objectives
– testing narrative
– findings summary
– Remediation summary
Assessment Overview
– Assessment methodology
– scan information
– target information
Findings
– scanned hosts
– type of vulnerabilities identified
– detailed information on identified vulnerabilities
– Notes describing additional details of the scan results
Risk Assessment
– Classification of vulnerabilities based on the risk level
– Potential vulnerabilities that can compromise the system or application
– Critical hosts with severe vulnerabilities
Recommendations
– Prioritization of remediation based on risk rankings
– Action plan to implement the recommendations for each identified vulnerability
– Root cause analysis
– Application of patches/fixes
– Lessons learnt
– Awareness training
– Implementation of periodic vulnerability assessment
– implementation of polices, procedures and controls

Vulnerability Classification

Misconfigured/weak configuration – allows an attacker to break into a network and gain unauthorized access to systems
– network misconfigurations: insecure protocols, open ports, weak encryption
– host misconfigurations: open permissions and unsecured root accounts
Application flaws – data tampering and unauthorized access
– buffer overflow, memory leaks, resource exhaustion, integer overflow, null pointer dereference, DLL injection, improper input/output handling
Poor patch management – subjected to exploitation, vulnerable to various attacks
– unpatched servers, firmware, OS, applications
Design flaws – bypass the detection mechanism
– incorrect encryption and poor validation of data
Third-party risks – external services have access to privileged systems and applications
– vendor management, supply chain risks, outsourced code development, data storage, cloud-based vs. on-prem
Default installation/configuration – an attacker can guess the settings
OS flaws – owing to OS vulnerabilities and malware such as trojans, worms and viruses
Default passwords – devices/products left with their vendor default credentials
Zero-day vulnerabilities – known to attackers but not yet fixed by the vendor
Legacy platform vulnerabilities – obsolete code; patching no longer supported
System sprawl/undocumented assets – increased number of systems or server connections without proper documentation
Improper certificate and key management – allows attackers to perform password cracking and data exfiltration attacks
– outdated keys

CEH Module2 – Footprinting and Recon

Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system.

Passive footprinting – without direct interaction with the target
Active footprinting – with direct interaction with the target

Information Obtained in Footprinting

Organization Information
– Employee details
– Phone numbers
– Location details
– Organization background
– Web technologies
– News articles, press releases, etc.
Network Information
– Domain and sub-domains
– Network blocks
– Topology, trusted routers, firewalls
– IP addresses of reachable systems
– Whois records
– DNS records
System Information
– Web server OS
– Location of web servers
– Publicly available email addresses
– Usernames and passwords
How it is obtained
– Much of the organization information is available on its own website
– Query the whois database and analyze the records
– Trace routing
– Network and DNS footprinting
– Website and email footprinting

Footprinting techniques

Footprinting through Search Engines
– Advanced Google hacking techniques


– Google hacking database and google advanced search
https://www.exploit-db.com – The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

– Video, Meta, FTP and IoT search engines

Technique – Tools
Google advanced search – Google advanced search operators
Advanced image search – Google advanced image search
Reverse image search – Google image search, TinEye reverse image search, Yahoo image search
Video search engines – YouTube metadata, YouTube DataViewer
Meta search engines – Startpage, MetaGer
FTP search engines – NAPALM FTP indexer, FreewebFTP file search
IoT search engines – Shodan.io, Censys, Thingful (paid)

Footprinting through Web services
– People search services: Facebook.com, Spokeo.com
– theHarvester, searching LinkedIn for people (-d domain, -l result limit, -b data source):
theHarvester -d microsoft -l 200 -b linkedin
– theHarvester, searching for email addresses:
theHarvester -d microsoft.com -l 200 -b baidu
– Job sites are also a good source of information about what technology the organization is using

– Financial Services and Job Sites
– Deep and Dark web footprinting
– Competitive Intelligence and Business Profile sites

– Determine the OS

netcraft.com – information about the site, including its hosting history and server OS
shodan.io – searches the Internet for connected devices (routers, servers, and IoT)
censys.io – monitors the infrastructure and discovers unknown assets anywhere on the Internet; it provides a full view of every server and device exposed to the Internet

– Finding Top level domain and sub-domains

Google / Bing – Powerful search engines
netcraft.com – provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.
Sublist3r – Python script designed to enumerate the subdomains of websites using OSINT
https://pentest-tools.com – Find Subdomains is an online tool for discovering subdomains and their IP addresses, including network information and their HTTP servers.
Technique – Tools
Location of the target – Google Earth, Google Maps, Wikimapia
Gathering financial information – Google Finance, MSN Money, Yahoo Finance
Gathering information from business profile sites – OpenCorporates, Crunchbase, CorporationWiki, LinkedIn
Monitoring targets using alerts – Google Alerts, X (Twitter), Mention (online reputation tool)
Gathering information from groups, forums and blogs – Google Groups, Yahoo Groups
Gathering information from NNTP Usenet newsgroups – Newshosting, Eweka, Supernews
Public source code repositories – Recon-ng

Footprinting through Social media sites
– social engineering

Sherlock – searches a vast number of social networking sites for a target username; it helps the attacker locate the target user on the various sites, along with the complete URL:
python3 sherlock victim
social-searcher.com – searches for content on social networks in real time and provides deep analytics data.

– social media sites

buzzsumo.com – advanced social search engine finds the most shared content for a topic, author, or domain. It shows the shared activity across all the major social networks including Twitter, Facebook, Linked In, Google Plus, and Pinterest.
https://followerwonk.com – Followerwonk helps you explore and grow your social graph: Dig deeper into Twitter analytics: Who are your followers? Where are they located? When do they tweet?

– analyzing social network graphs

https://gephi.org – visualization and exploration tool for all types of graphs and networks. It allows the easy creation of social data connectors to map community organizations and small-world networks.

Website footprinting
Looking for Software used and its version, OS used, Sub-directories and parameters, Filename, path, database field name or query, scripting platform, technologies used, contact details, CMS details.

Burp Suite – platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities.

Burp Proxy allows attackers to intercept all requests and responses between the browser and the target web application and obtain information such as the web server used, its version, and web-application-related vulnerabilities.
Examining the HTML source code – identifying the CMS
Examining cookies – identifying the software running and the scripting platform
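What a tester actually reads out of one intercepted response (Server and X-Powered-By headers, session cookie names, the meta generator tag, CMS-specific paths) can be automated. The block below is an added example, not from these notes and not Burp Suite's own logic: the HTTP response is constructed, and the cookie and body signature tables are an assumed, illustrative subset of what real fingerprinting tools carry. The last function turns the same evidence around into the disclosures a site owner should suppress.

```python
"""Fingerprint a web server, scripting platform and CMS from one HTTP response.

Added example for the CEH notes; not from the original page and not Burp
Suite's code. The response is constructed, and the signature tables are a
small assumed subset of what real fingerprinting tools carry.
"""
import re

# Constructed response: a PHP/WordPress site behind Apache that discloses
# everything the notes say to look for.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=3f2a9c; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head>"
    '<meta name="generator" content="WordPress 5.8.1" />'
    "<link rel='stylesheet' href='/wp-content/themes/twentytwenty/style.css' />"
    "</head><body>Hello</body></html>"
)

SERVER_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:/([\w.]+))?")   # product[/version]
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

# Session-cookie names that betray the platform (assumed, illustrative subset).
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
    "wordpress_test_cookie": "WordPress",
    "ci_session": "CodeIgniter",
    "laravel_session": "Laravel",
}
# Paths and markers in the HTML body that identify common CMSes (assumed subset).
BODY_SIGNATURES = {
    "WordPress": re.compile(r"/wp-(?:content|includes)/"),
    "Joomla": re.compile(r"/media/jui/|Joomla!", re.I),
    "Drupal": re.compile(r"Drupal\.settings|/sites/default/files/"),
}


def split_response(raw: str) -> tuple[dict[str, list[str]], str]:
    """Split a raw HTTP/1.1 response into {lower-cased header: [values]} and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw: str) -> dict:
    """Collect server, version, scripting platform and CMS evidence from one response."""
    headers, body = split_response(raw)
    tech = set()
    fp = {"server": None, "server_version": None, "powered_by": None,
          "cookies": [], "generator": None}
    if headers.get("server"):
        m = SERVER_RE.match(headers["server"][0])
        if m:
            fp["server"], fp["server_version"] = m.group(1), m.group(2)
    if headers.get("x-powered-by"):
        fp["powered_by"] = headers["x-powered-by"][0]
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        fp["cookies"].append(name)
        if name in COOKIE_SIGNATURES:
            tech.add(COOKIE_SIGNATURES[name])
    g = GENERATOR_RE.search(body)
    if g:
        fp["generator"] = g.group(1)
    for product, pattern in BODY_SIGNATURES.items():
        if pattern.search(body):
            tech.add(product)
    fp["tech"] = sorted(tech)
    return fp


def disclosure_findings(fp: dict) -> list[str]:
    """Defender's view: what the owner should suppress (Apache 'ServerTokens Prod',
    php.ini 'expose_php = Off', removing the generator meta tag)."""
    out = []
    if fp["server_version"]:
        out.append(f"Server header discloses version {fp['server_version']}")
    if fp["powered_by"]:
        out.append(f"X-Powered-By discloses {fp['powered_by']}")
    if fp["generator"]:
        out.append(f"meta generator tag discloses {fp['generator']}")
    return out


if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    print(result)
    for finding in disclosure_findings(result):
        print("-", finding)
```

Cookie names and body paths are useful precisely because they survive when an administrator has only trimmed the Server header: removing the version string from one place does not hide the platform if the session cookie is still called PHPSESSID and the theme loads from /wp-content/.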

– Web spidering

Webspiders – Web data extractor, Parsehub

– Website mirroring

HTTrack Web Site Copier – offline browser utility. It downloads a website from the Internet to a local directory and recursively builds all the directories including HTML, images, and other files from the web server on another computer.
https://archive.org – Internet Archive Wayback Machine that explores archived versions of websites.
Photon – retrieves archived URLs of the target website from archive.org (-u target URL, -l crawl depth, -t threads):
python photon.py -u <target url> -l 3 -t 200 --wayback
python photon.py -u <target url> -l 3 -t 200 --only-urls
Extracting website links – Octoparse, Netpeak Spider, Link Extractor
Gathering a wordlist from the target website – CeWL:
cewl http://www.certifiedhacker.com
Extracting metadata from public documents – ExifTool, Web Data Extractor, Metagoofil
Monitoring web pages for updates and changes – Website-Watcher, Visualping, Follow That Page
Searching for contact info, email addresses, telephone numbers, etc. – the target website
Searching for web page posting patterns and revision numbers – web search
Monitoring website traffic of the target company – Web-Stat, Ranktracker, GoingUp.com, Opentracker, Google Analytics

Email footprinting
– Tracking Email communications
Collecting information from the email header

infoga – gathers email account information (IP, hostname, country, etc.) from different public sources (search engines, PGP key servers, and Shodan) and checks whether an email was leaked using the haveibeenpwned.com API:
python infoga.py --domain microsoft.com --source all --breach -v 2 --report ../microsoft.txt
python infoga.py --info m4ll0k@protonmail.com --breach -v 3 --report ../m4ll0k.txt
eMailTrackerPro – analyzes email headers and extracts information such as the sender's geographical location, IP address, and so on. It saves past traces so an attacker can review them later.
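The header-tracing step the tools above automate is mechanical: each MTA prepends a Received header, so reading them bottom-up walks back toward the origin, and the IP in the receiving MTA's comment is more trustworthy than the name the sender announced. Below is an added example, not from these notes and not eMailTrackerPro's or infoga's code. The message is constructed; its addresses are in documentation (203.0.113.0/24, 198.51.100.0/24) and RFC 1918 ranges, so they point at nothing real. The internal-range check is written out by hand because Python's `ipaddress` also treats the documentation ranges as non-global, which would otherwise skip the very addresses the sample uses.

```python
"""Trace the path of an email from its Received headers.

Added example for the CEH notes; not from the original page and not the
code of any tool named there. The message is constructed and its
addresses are documentation/private ranges.
"""
import email
import ipaddress
import re
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed message that crossed three MTAs. Each MTA prepends its own
# Received header, so the top one is the last hop and the bottom one is
# the closest to the true origin.
RAW_MESSAGE = b"""Received: from mx2.example.com (mx2.example.com [203.0.113.20])
\tby inbox.example.com with ESMTPS id abc123
\tfor <victim@example.com>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.com with ESMTP id def456; Mon, 01 Jan 2024 10:00:02 +0000
Received: from [192.168.1.23] (unknown [203.0.113.77])
\tby relay.example.net with ESMTPSA id ghi789; Mon, 01 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.77]
Message-ID: <20240101095959.4711@laptop.internal.example.org>
From: "Finance" <finance@example.org>
To: victim@example.com
Subject: Invoice

Please see attached.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918, loopback and link-local: addresses that cannot be the Internet-facing origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def unfold(value: str) -> str:
    """Collapse RFC 5322 header folding into a single line."""
    return re.sub(r"\s+", " ", value).strip()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(msg: Message) -> list[dict]:
    """One dict per hop, top header first: the HELO name the sending host
    announced and the IP the receiving MTA actually recorded in the comment."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = unfold(raw)
        m = RECEIVED_FROM.search(value)
        helo = m.group(1) if m else None
        comment = (m.group(2) or "") if m else ""
        # Prefer the IP the receiving MTA recorded; falling back to the text
        # before the " by " clause is a heuristic for MTAs that omit the comment.
        ips = IPV4.findall(comment) or IPV4.findall(value.split(" by ", 1)[0])
        hops.append({"helo": helo, "ip": ips[0] if ips else None, "raw": value})
    return hops


def origin_ip(hops: list[dict]) -> Optional[str]:
    """Walk from the earliest hop upward and return the first routable IP.
    Internal addresses name the sender's LAN host, not what the Internet saw."""
    for hop in reversed(hops):
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop["ip"]
    return None


def summarize(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    hops = parse_received(msg)
    xoip = IPV4.search(msg.get("X-Originating-IP", "") or "")
    mid = msg.get("Message-ID", "") or ""
    return {
        "hops": len(hops),
        "origin_ip": origin_ip(hops),
        "first_hop_helo": hops[-1]["helo"] if hops else None,
        "x_originating_ip": xoip.group(0) if xoip else None,
        # The Message-ID host is set by the sending client and often names
        # the internal machine or the real mail provider.
        "message_id_host": mid.rsplit("@", 1)[-1].strip("<> ") if "@" in mid else None,
        "from_domain": parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1] or None,
    }


if __name__ == "__main__":
    for key, val in summarize(RAW_MESSAGE).items():
        print(f"{key:18} {val}")
```

Only the hops recorded by servers you trust are reliable: a sender can forge any number of Received headers below the point where the message entered your own mail infrastructure, so the walk should stop at the first hop added by an MTA you do not control and treat everything below it as claims rather than evidence.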

DNS footprinting
– DNS interrogation – tools that enumerate the target's DNS records and can also extract the IP address ranges associated with it

SecurityTrails – advanced DNS enumeration tool capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure.

– Reverse DNS lookup

DNSRecon – perform a reverse DNS lookup over an address range:
dnsrecon -r 162.241.216.0-162.241.216.255
Reverse Lookup – performs a reverse IP lookup by taking an IP address and locating the DNS PTR record for that address

Network footprinting
– locate network range
– traceroute

ARIN – enter the server IP into the SEARCH Whois text box. This yields the network range of the target network.
Traceroute – Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks.
ICMP traceroute
TCP traceroute
UDP traceroute
Path Analyzer Pro – performs network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues.
Visualroute.com – is a traceroute and network diagnostic tool. Attackers use VisualRoute to identify the geographical location of routers, servers, and other IP devices in the target network.

Footprinting through social engineering
– Eavesdropping
– Shoulder surfing
– Dumpster diving
– Impersonation

Maltego – automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.
Recon-ng – reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted.
FOCA – finds metadata and hidden information in the documents it scans; it can scan and analyze a wide variety of documents, the most common being Microsoft Office, OpenOffice and PDF files.
OSRFramework – username checking, DNS lookups, information-leak research, deep web search, and regular expression extraction.
Recon-Dog – all-in-one tool for basic information gathering needs; it uses APIs to collect information about the target system.
BillCipher – information gathering tool for a website or IP address; it runs on any operating system that supports Python 2, Python 3, and Ruby, and includes options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup.
Spyse – collects and analyzes information about devices and websites available on the Internet; it probes every public IP address, crawls every website, curates and enriches the resulting data, and makes the data intelligible through an interactive search engine and API.
Other tools: Grecon, theHarvester, Th3Inspector, Raccoon, Orb

Footprinting Countermeasures

Develop and enforce security policies
Restrict DNS zone transfers to authorized secondary servers
Disable directory listings on web servers
Use Whois privacy/proxy services so registrant contact details are not published
Avoid domain-level cross-linking between internal and public sites
Encrypt and password-protect sensitive information
Keep critical documents offline
Train employees to recognize social engineering tricks and attacks
Hide direct contact details of employees
Disable geo-tagging functionality on devices and cameras
Avoid revealing location or travel plans on social media
Turn off geolocation access
Ensure no critical information is posted on notice boards