net-sec-samenvatting/05_post_exploitation.md

# Post-Exploitation

## Pilfering

* retrieve useful information from machine
    * passwords (`/etc/shadow`, `hashdump` SAM database)
    * cryptographic keys (SSH, PGP, GPG)
* `/etc/passwd` format: fields separated by colons
    * `jef:$y$salty$youwish:20022:0:99999:7:::`
        1. `jef`: username
        2. `$1$salty$youwish`: hash id, salt and password hash
        3. `20022`: day password was last changed (unix timestamp but in days)
        4. `0`: minimum age of password before it can be changed again
        5. `99999`: max age of password, after how many days password must be
        changed
        6. `7`: how many days before expiring the user should be warned
        7. number of days after password expired that user should be locked out
        (usually empty)
        8. expiration date of account
* moving files
    * push file directly if firewall allows it
    * otherwise send command to target to pull target from client
    * use whatever protocol works best (FTP, SMB...)
    * meterpreter supports sending files
* Windows
    * user credentials cached in Microsoft Credential Manager
        * extract using credential cache dumping tools
        * requires admin
    * service account passwords stored encrypted in LSA secrets section of
      registry
        * Mimikatz `lsadump` can dump these
    * wireless client profiles can be extracted if admin
* other
    * source code of services for vulnerability analysis
    * scripts for hardcoded passwords
    * files left behind by users that shouldn't be
    * browser passwords
    * machines with which machine has recently communicated (find pivot
      targets)
    * DNS servers
    * web servers
    * mail
    * ...

## Password attacks

* guessing
    * generates lots of traffic
    * can lock out accounts
    * slower than cracking
    * **spray attack**: try single password on list of users
* cracking
    * steal hashed password and compare hashes
    * runs on attacker's machine -> stealthier
* important for assessing security posture of network
    1. access control evaluation
        * assess password strength
        * password policies
    2. credential-based attacks
        * **brute force**: try many combination to expose weak or default
          passwords
        * **dictionary**: use list of common password
        * **credential stuffing**: use credentials from previous breaches
    3. privilege escalation
    4. social engineering: trick users into revealing passwords
* MFA
    * prevent leak of password from becoming a breach
    * bypassing
        * phishing or man-in-the-middle
        * expose implementation flaws
            * insecure methods, e.g. SMS or email
            * session hijacking, e.g. intercepting cookies
        * social engineering, e.g.  pose as tech support
        * SIM swapping: get victim's phone number reassigned to new SIM card
        * use backup codes or account recovery
        * push notification bombing
* using dictionaries
    * large word list for password cracking
    * small tailored list for password guessing
* cracking not always needed
    * sniff cleartext protocols
    * keystroke logging
    * pass-the-hash techniques use hash directly
* clean up after pentest (don't leave cracked passwords lying around)
* lockouts
    * password guessing can lock accounts
    * Windows: original admin account can't be locked out
        * admin has SID suffix of 500
        * if multiple admin accounts, only 1 is safe
    * Linux: lockouts not always configured
        * if so, done using PAM
        * root account not locked out by default
    * prevention
        * just don't guess passwords
        * ask target personnel for info on policy
        * create test account for pentest
        * attempt 1 password per observation window

## Password representation

* Windows
    * Security Accounts Manager (SAM) for modern desktop versions
        * stores all local account info
        * login info from domain users that connected to the machine
        * encrypted SAM database
        * password hashes stored in registry
    * LANMAN (LM) or NT hashes
    * Active Directory newer alternative

### Lanman hash

* operation
    1. truncate password to 14 characters (pad with NUL bytes if less)
    2. convert to uppercase
    3. split into two 7-char pieces
    4. use each piece as 7-byte DES key to encrypt 64-bit known constant `KGS!@#$%`
    5. hash is concatenation of two 8-byte outputs
* this hash is criminally bad

### NT hash

* operation
    1. convert password (max 256 chars) into UTF-16 little endian format
    2. hash using MD4 (no salt)
* better but still pretty bad

## Windows challenge-reponse authentication

* mutiple forms of network cryptographic authentication
    * **LANMAN challenge/response**: legacy-only, uses LM hash
    * **NTLMv1**: also legacy, uses NT hash
    * **NTLMv2**: stronger security, uses NT hash
    * **Microsoft Kerberos**

### LANMAN and NTLMv1

* operation
    1. client initiates authentication
    2. server sends 8-byte challenge
    3. client formulates response
        1. pad LM/NT hash to 21 bytes
        2. split hash in three 7-byte pieces
        3. use each piece as DES key to encrypt challenge
        4. response is 3 8-byte outputs
    4. server calculates same response and compares
* problems
    * attacker can sniff both challenge and response and try to crack
    * rogue server could issue static challenge for which it has rainbow tables
        * works because neither hash uses salting
    * without rogue server, method is slower than cracking hashes in SAM db
        * no access to actual hash
        * attacker needs to perform DES encryption

### NTLMv2

* operation
    1. client sends authentication request
    2. server sends 8-byte server challenge
    3. client formulates response
        1. creates NTLMv2 hash using HMAC-MD5
            * data: username and domain name
            * key: NT hash
        2. creates NTLMv2 response using HMAC-MD5
            * data: server challenge + data blob (client challenge, timestamp,
              fields for integrity / security)
            * key: NTLMv2 hash
    4. client sends response to server
    5. server computes validity of response using stored NT hash and received
    fields
* cracking still possible but much slower
    * stronger hash is used
    * timestamp protects against replay attacks
    * rainbow tables not useful due to variability of client challenge

### NTLM relay attacks

* both versions vulnerable
* possible if attacker can access server client usually uses
    * ARP or DNS spoofing
    * phishing
    * cross-site scripting attacks
* operation
    1. attacker poses as authentication server
    2. attacker relays authentication request messages to real server -> acts
       as authenticating client
    3. attacker receives authentication and returns error message to client
deel ch05 2024-12-30 12:32:55 +01:00			`# Post-Exploitation`

			`## Pilfering`

			`* retrieve useful information from machine`
			* passwords (`/etc/shadow`, `hashdump` SAM database)
			`* cryptographic keys (SSH, PGP, GPG)`
			* `/etc/passwd` format: fields separated by colons
			* `jef:$y$salty$youwish:20022:0:99999:7:::`
			1. `jef`: username
			2. `$1$salty$youwish`: hash id, salt and password hash
			3. `20022`: day password was last changed (unix timestamp but in days)
			4. `0`: minimum age of password before it can be changed again
			5. `99999`: max age of password, after how many days password must be
			`changed`
			6. `7`: how many days before expiring the user should be warned
			`7. number of days after password expired that user should be locked out`
			`(usually empty)`
			`8. expiration date of account`
			`* moving files`
			`* push file directly if firewall allows it`
			`* otherwise send command to target to pull target from client`
			`* use whatever protocol works best (FTP, SMB...)`
			`* meterpreter supports sending files`
			`* Windows`
			`* user credentials cached in Microsoft Credential Manager`
			`* extract using credential cache dumping tools`
			`* requires admin`
			`* service account passwords stored encrypted in LSA secrets section of`
			`registry`
			* Mimikatz `lsadump` can dump these
			`* wireless client profiles can be extracted if admin`
			`* other`
			`* source code of services for vulnerability analysis`
			`* scripts for hardcoded passwords`
			`* files left behind by users that shouldn't be`
			`* browser passwords`
			`* machines with which machine has recently communicated (find pivot`
			`targets)`
			`* DNS servers`
			`* web servers`
			`* mail`
			`* ...`

			`## Password attacks`

			`* guessing`
			`* generates lots of traffic`
			`* can lock out accounts`
			`* slower than cracking`
			`* spray attack: try single password on list of users`
			`* cracking`
			`* steal hashed password and compare hashes`
			`* runs on attacker's machine -> stealthier`
			`* important for assessing security posture of network`
			`1. access control evaluation`
			`* assess password strength`
			`* password policies`
			`2. credential-based attacks`
			`* brute force: try many combination to expose weak or default`
			`passwords`
			`* dictionary: use list of common password`
			`* credential stuffing: use credentials from previous breaches`
			`3. privilege escalation`
			`4. social engineering: trick users into revealing passwords`
			`* MFA`
			`* prevent leak of password from becoming a breach`
			`* bypassing`
			`* phishing or man-in-the-middle`
			`* expose implementation flaws`
			`* insecure methods, e.g. SMS or email`
			`* session hijacking, e.g. intercepting cookies`
			`* social engineering, e.g. pose as tech support`
			`* SIM swapping: get victim's phone number reassigned to new SIM card`
			`* use backup codes or account recovery`
			`* push notification bombing`
			`* using dictionaries`
			`* large word list for password cracking`
			`* small tailored list for password guessing`
			`* cracking not always needed`
			`* sniff cleartext protocols`
			`* keystroke logging`
			`* pass-the-hash techniques use hash directly`
			`* clean up after pentest (don't leave cracked passwords lying around)`
			`* lockouts`
			`* password guessing can lock accounts`
			`* Windows: original admin account can't be locked out`
			`* admin has SID suffix of 500`
			`* if multiple admin accounts, only 1 is safe`
			`* Linux: lockouts not always configured`
			`* if so, done using PAM`
			`* root account not locked out by default`
			`* prevention`
			`* just don't guess passwords`
			`* ask target personnel for info on policy`
			`* create test account for pentest`
			`* attempt 1 password per observation window`
ch05 deel 2024-12-30 15:22:33 +01:00
			`## Password representation`

			`* Windows`
			`* Security Accounts Manager (SAM) for modern desktop versions`
			`* stores all local account info`
			`* login info from domain users that connected to the machine`
			`* encrypted SAM database`
			`* password hashes stored in registry`
			`* LANMAN (LM) or NT hashes`
			`* Active Directory newer alternative`

			`### Lanman hash`

			`* operation`
			`1. truncate password to 14 characters (pad with NUL bytes if less)`
			`2. convert to uppercase`
			`3. split into two 7-char pieces`
			4. use each piece as 7-byte DES key to encrypt 64-bit known constant `KGS!@#$%`
			`5. hash is concatenation of two 8-byte outputs`
			`* this hash is criminally bad`

			`### NT hash`

			`* operation`
			`1. convert password (max 256 chars) into UTF-16 little endian format`
			`2. hash using MD4 (no salt)`
			`* better but still pretty bad`

			`## Windows challenge-reponse authentication`

			`* mutiple forms of network cryptographic authentication`
			`* LANMAN challenge/response: legacy-only, uses LM hash`
			`* NTLMv1: also legacy, uses NT hash`
			`* NTLMv2: stronger security, uses NT hash`
			`* Microsoft Kerberos`

			`### LANMAN and NTLMv1`

			`* operation`
			`1. client initiates authentication`
			`2. server sends 8-byte challenge`
			`3. client formulates response`
			`1. pad LM/NT hash to 21 bytes`
			`2. split hash in three 7-byte pieces`
			`3. use each piece as DES key to encrypt challenge`
			`4. response is 3 8-byte outputs`
			`4. server calculates same response and compares`
			`* problems`
			`* attacker can sniff both challenge and response and try to crack`
			`* rogue server could issue static challenge for which it has rainbow tables`
			`* works because neither hash uses salting`
			`* without rogue server, method is slower than cracking hashes in SAM db`
			`* no access to actual hash`
			`* attacker needs to perform DES encryption`

			`### NTLMv2`

			`* operation`
			`1. client sends authentication request`
			`2. server sends 8-byte server challenge`
			`3. client formulates response`
			`1. creates NTLMv2 hash using HMAC-MD5`
			`* data: username and domain name`
			`* key: NT hash`
			`2. creates NTLMv2 response using HMAC-MD5`
			`* data: server challenge + data blob (client challenge, timestamp,`
			`fields for integrity / security)`
			`* key: NTLMv2 hash`
			`4. client sends response to server`
			`5. server computes validity of response using stored NT hash and received`
			`fields`
			`* cracking still possible but much slower`
			`* stronger hash is used`
			`* timestamp protects against replay attacks`
			`* rainbow tables not useful due to variability of client challenge`

			`### NTLM relay attacks`

			`* both versions vulnerable`
			`* possible if attacker can access server client usually uses`
			`* ARP or DNS spoofing`
			`* phishing`
			`* cross-site scripting attacks`
			`* operation`
			`1. attacker poses as authentication server`
			`2. attacker relays authentication request messages to real server -> acts`
			`as authenticating client`
			`3. attacker receives authentication and returns error message to client`