diff --git a/05_post_exploitation.md b/05_post_exploitation.md new file mode 100644 index 0000000..1fdfa03 --- /dev/null +++ b/05_post_exploitation.md 
@@ -0,0 +1,97 @@ +# Post-Exploitation + +## Pilfering + +* retrieve useful information from machine + * passwords (`/etc/shadow`, `hashdump` SAM database) + * cryptographic keys (SSH, PGP, GPG) +* `/etc/passwd` format: fields separated by colons + * `jef:$y$salty$youwish:20022:0:99999:7:::` + 1. `jef`: username + 2. `$1$salty$youwish`: hash id, salt and password hash + 3. `20022`: day password was last changed (unix timestamp but in days) + 4. `0`: minimum age of password before it can be changed again + 5. `99999`: max age of password, after how many days password must be + changed + 6. `7`: how many days before expiring the user should be warned + 7. number of days after password expired that user should be locked out + (usually empty) + 8. expiration date of account +* moving files + * push file directly if firewall allows it + * otherwise send command to target to pull target from client + * use whatever protocol works best (FTP, SMB...) + * meterpreter supports sending files +* Windows + * user credentials cached in Microsoft Credential Manager + * extract using credential cache dumping tools + * requires admin + * service account passwords stored encrypted in LSA secrets section of + registry + * Mimikatz `lsadump` can dump these + * wireless client profiles can be extracted if admin +* other + * source code of services for vulnerability analysis + * scripts for hardcoded passwords + * files left behind by users that shouldn't be + * browser passwords + * machines with which machine has recently communicated (find pivot + targets) + * DNS servers + * web servers + * mail + * ... + +## Password attacks + +* guessing + * generates lots of traffic + * can lock out accounts + * slower than cracking + * **spray attack**: try single password on list of users +* cracking + * steal hashed password and compare hashes + * runs on attacker's machine -> stealthier +* important for assessing security posture of network + 1. 
access control evaluation + * assess password strength + * password policies + 2. credential-based attacks + * **brute force**: try many combination to expose weak or default + passwords + * **dictionary**: use list of common password + * **credential stuffing**: use credentials from previous breaches + 3. privilege escalation + 4. social engineering: trick users into revealing passwords +* MFA + * prevent leak of password from becoming a breach + * bypassing + * phishing or man-in-the-middle + * expose implementation flaws + * insecure methods, e.g. SMS or email + * session hijacking, e.g. intercepting cookies + * social engineering, e.g. pose as tech support + * SIM swapping: get victim's phone number reassigned to new SIM card + * use backup codes or account recovery + * push notification bombing +* using dictionaries + * large word list for password cracking + * small tailored list for password guessing +* cracking not always needed + * sniff cleartext protocols + * keystroke logging + * pass-the-hash techniques use hash directly +* clean up after pentest (don't leave cracked passwords lying around) +* lockouts + * password guessing can lock accounts + * Windows: original admin account can't be locked out + * admin has SID suffix of 500 + * if multiple admin accounts, only 1 is safe + * Linux: lockouts not always configured + * if so, done using PAM + * root account not locked out by default + * prevention + * just don't guess passwords + * ask target personnel for info on policy + * create test account for pentest + * attempt 1 password per observation window
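Review bot: the bullet "`/etc/passwd` format: fields separated by colons" describes the wrong file; the fields listed (password hash, last-change day, min/max age, warning days, inactivity period, expiry) are the layout of `/etc/shadow`, whereas `/etc/passwd` holds username, `x`, UID, GID, GECOS, home directory and login shell. Rename the bullet to `/etc/shadow` so it matches the "passwords (`/etc/shadow`, ...)" item above it. In the same list, the example line `jef:$y$salty$youwish:20022:0:99999:7:::` and the field 2 description `$1$salty$youwish` disagree on the hash id (`$y$` versus `$1$`); pick one so the walkthrough matches the sample. The sample also has nine colon-separated fields but the numbered list stops at eight; add the ninth (reserved, normally empty) or note that the trailing `:::` covers fields 7 to 9. Field 3 is better described as "days since the Unix epoch" than "unix timestamp but in days". Smaller wording fixes: under "moving files", "pull target from client" should read "pull the file from the client"; under "credential-based attacks", "try many combination" should be "try many combinations" and "list of common password" should be "list of common passwords".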