deel ch05

05_post_exploitation.md

@@ -0,0 +1,97 @@
+# Post-Exploitation
+
+## Pilfering
+
+* retrieve useful information from machine
+    * passwords (`/etc/shadow`, `hashdump` SAM database)
+    * cryptographic keys (SSH, PGP, GPG)
+* `/etc/passwd` format: fields separated by colons
+    * `jef:$y$salty$youwish:20022:0:99999:7:::`
+        1. `jef`: username
+        2. `$1$salty$youwish`: hash id, salt and password hash
+        3. `20022`: day password was last changed (unix timestamp but in days)
+        4. `0`: minimum age of password before it can be changed again
+        5. `99999`: max age of password, after how many days password must be
+        changed
+        6. `7`: how many days before expiring the user should be warned
+        7. number of days after password expired that user should be locked out
+        (usually empty)
+        8. expiration date of account
+* moving files
+    * push file directly if firewall allows it
+    * otherwise send command to target to pull target from client
+    * use whatever protocol works best (FTP, SMB...)
+    * meterpreter supports sending files
+* Windows
+    * user credentials cached in Microsoft Credential Manager
+        * extract using credential cache dumping tools
+        * requires admin
+    * service account passwords stored encrypted in LSA secrets section of
+      registry
+        * Mimikatz `lsadump` can dump these
+    * wireless client profiles can be extracted if admin
+* other
+    * source code of services for vulnerability analysis
+    * scripts for hardcoded passwords
+    * files left behind by users that shouldn't be
+    * browser passwords
+    * machines with which machine has recently communicated (find pivot
+      targets)
+    * DNS servers
+    * web servers
+    * mail
+    * ...
+
+## Password attacks
+
+* guessing
+    * generates lots of traffic
+    * can lock out accounts
+    * slower than cracking
+    * **spray attack**: try single password on list of users
+* cracking
+    * steal hashed password and compare hashes
+    * runs on attacker's machine -> stealthier
+* important for assessing security posture of network
+    1. access control evaluation
+        * assess password strength
+        * password policies
+    2. credential-based attacks
+        * **brute force**: try many combination to expose weak or default
+          passwords
+        * **dictionary**: use list of common password
+        * **credential stuffing**: use credentials from previous breaches
+    3. privilege escalation
+    4. social engineering: trick users into revealing passwords
+* MFA
+    * prevent leak of password from becoming a breach
+    * bypassing
+        * phishing or man-in-the-middle
+        * expose implementation flaws
+            * insecure methods, e.g. SMS or email
+            * session hijacking, e.g. intercepting cookies
+        * social engineering, e.g.  pose as tech support
+        * SIM swapping: get victim's phone number reassigned to new SIM card
+        * use backup codes or account recovery
+        * push notification bombing
+* using dictionaries
+    * large word list for password cracking
+    * small tailored list for password guessing
+* cracking not always needed
+    * sniff cleartext protocols
+    * keystroke logging
+    * pass-the-hash techniques use hash directly
+* clean up after pentest (don't leave cracked passwords lying around)
+* lockouts
+    * password guessing can lock accounts
+    * Windows: original admin account can't be locked out
+        * admin has SID suffix of 500
+        * if multiple admin accounts, only 1 is safe
+    * Linux: lockouts not always configured
+        * if so, done using PAM
+        * root account not locked out by default
+    * prevention
+        * just don't guess passwords
+        * ask target personnel for info on policy
+        * create test account for pentest
+        * attempt 1 password per observation window