# Post-Exploitation

## Pilfering

* retrieve useful information from the machine
  * passwords (`/etc/shadow`, `hashdump` of the SAM database)
  * cryptographic keys (SSH, PGP, GPG)
* `/etc/shadow` format: fields separated by colons
  * `jef:$y$salty$youwish:20022:0:99999:7:::`
    1. `jef`: username
    2. `$y$salty$youwish`: hash id, salt and password hash
    3. `20022`: day the password was last changed (like a Unix timestamp, but counted in days since the epoch)
    4. `0`: minimum age of the password before it can be changed again
    5. `99999`: maximum age of the password, i.e. after how many days it must be changed
    6. `7`: how many days before expiry the user should be warned
    7. number of days after the password expired before the user is locked out (usually empty)
    8. expiration date of the account
* moving files
  * push the file directly if the firewall allows it
  * otherwise send a command to the target to pull the file from the attacker's client
  * use whatever protocol works best (FTP, SMB, ...)
  * meterpreter supports sending files
* Windows
  * user credentials cached in Microsoft Credential Manager
    * extract using credential cache dumping tools
    * requires admin
  * service account passwords stored encrypted in the LSA secrets section of the registry
    * Mimikatz `lsadump` can dump these
  * wireless client profiles can be extracted if admin
* other
  * source code of services for vulnerability analysis
  * scripts for hardcoded passwords
  * files left behind by users that shouldn't be there
  * browser passwords
  * machines with which the machine has recently communicated (find pivot targets)
    * DNS servers
    * web servers
    * mail
    * ...

## Password attacks

* guessing
  * generates lots of traffic
  * can lock out accounts
  * slower than cracking
  * **spray attack**: try a single password on a list of users
* cracking
  * steal the hashed password and compare hashes
  * runs on the attacker's machine -> stealthier
* important for assessing the security posture of the network
  1. access control evaluation
     * assess password strength
     * password policies
  2. credential-based attacks
     * **brute force**: try many combinations to expose weak or default passwords
     * **dictionary**: use a list of common passwords
     * **credential stuffing**: use credentials from previous breaches
  3. privilege escalation
  4. social engineering: trick users into revealing passwords
* MFA
  * prevents a leaked password from becoming a breach
  * bypassing
    * phishing or man-in-the-middle
    * expose implementation flaws
    * insecure methods, e.g. SMS or email
    * session hijacking, e.g. intercepting cookies
    * social engineering, e.g. posing as tech support
    * SIM swapping: get the victim's phone number reassigned to a new SIM card
    * use backup codes or account recovery
    * push notification bombing
* using dictionaries
  * large word list for password cracking
  * small tailored list for password guessing
* cracking not always needed
  * sniff cleartext protocols
  * keystroke logging
  * pass-the-hash techniques use the hash directly
* clean up after the pentest (don't leave cracked passwords lying around)
* lockouts
  * password guessing can lock accounts
  * Windows: original admin account can't be locked out
    * admin has SID suffix of 500
    * if there are multiple admin accounts, only 1 is safe
  * Linux: lockouts not always configured
    * if configured, done using PAM
    * root account not locked out by default
  * prevention
    * just don't guess passwords
    * ask target personnel for info on the policy
    * create a test account for the pentest
    * attempt 1 password per observation window
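The `/etc/shadow` field layout described under Pilfering, and the password-policy assessment listed above, as an added Python example that is not part of the original notes: it parses constructed shadow lines, converts the day counts in fields 3 and 8 to dates, names the hash scheme from the `$id$` prefix, and reports accounts that violate a basic aging and hash policy. The sample lines, the `parse_shadow_line`/`audit` helpers and the policy thresholds are assumptions made for this example.

```python
import datetime
# Constructed sample lines in /etc/shadow format; not taken from any real system.
SAMPLE_SHADOW = """\
jef:$y$salty$youwish:20022:0:99999:7:::
root:!:19000:0:99999:7:::
svc-backup::19500:0:99999:7:::
olduser:$1$salty$youwish:18000:0:90:7:30:19900:
"""
FIELDS = ("user", "hash", "last_change", "min_days", "max_days", "warn_days", "inactive_days", "expire")
# Hash-id prefix of field 2 -> crypt(3) scheme, so the auditor can name what was found.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

def days_to_date(field):  # fields 3 and 8 hold days since the Unix epoch; empty means unset
    return datetime.date(1970, 1, 1) + datetime.timedelta(days=int(field)) if field else None

def hash_scheme(hash_field: str) -> str:
    if hash_field == "":
        return "empty"            # no password required at all
    if hash_field[0] in "!*":
        return "locked"           # password login disabled
    return HASH_SCHEMES.get(hash_field[:3], "unknown")

def parse_shadow_line(line: str) -> dict:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:               # 8 named fields plus one trailing reserved field
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    e = dict(zip(FIELDS, f))      # zip drops the 9th (reserved) field
    e.update({k: int(e[k]) if e[k] else None for k in ("min_days", "max_days", "warn_days", "inactive_days")})
    e["last_change"], e["expire"] = days_to_date(f[2]), days_to_date(f[7])
    e["scheme"] = hash_scheme(f[1])
    return e

def audit(shadow_text: str, today=None) -> dict:  # user -> list of policy findings
    today = today or datetime.date.today()
    findings = {}
    for line in shadow_text.splitlines():
        e = parse_shadow_line(line)
        issues = []
        if e["scheme"] == "empty":
            issues.append("empty password field")
        elif e["scheme"] != "locked":
            if e["scheme"] == "md5crypt":
                issues.append("weak hash scheme md5crypt")
            if e["max_days"] is None or e["max_days"] >= 99999:
                issues.append("password never expires")
            elif e["last_change"] and (today - e["last_change"]).days > e["max_days"]:
                issues.append("password older than max age")
        if issues:
            findings[e["user"]] = issues
    return findings
```

Run `audit(SAMPLE_SHADOW)` to list the accounts with findings; locked accounts (`!` or `*` in field 2) are skipped because their password can't be used to log in.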