Post-Exploitation

Pilfering

  • retrieve useful information from machine
    • passwords (/etc/shadow, hashdump SAM database)
    • cryptographic keys (SSH, PGP, GPG)
  • /etc/shadow format: fields separated by colons
    • jef:$y$salty$youwish:20022:0:99999:7:::
      1. jef: username
      2. $y$salty$youwish: hash id, salt and password hash
      3. 20022: day the password was last changed (days since the Unix epoch, not seconds)
      4. 0: minimum age in days before the password can be changed again
      5. 99999: maximum age in days, after which the password must be changed
      6. 7: how many days before expiry the user should be warned
      7. number of days after the password expired before the account is locked out (usually empty, as here)
      8. expiration date of the account (empty here)
  • moving files
    • push file directly if firewall allows it
    • otherwise send a command to the target so it pulls the file from the attacker's machine
    • use whatever protocol works best (FTP, SMB...)
    • meterpreter supports sending files
  • Windows
    • user credentials cached in Microsoft Credential Manager
      • extract using credential cache dumping tools
      • requires admin
    • service account passwords stored encrypted in LSA secrets section of registry
      • Mimikatz lsadump can dump these
    • wireless client profiles can be extracted if admin
  • other
    • source code of services for vulnerability analysis
    • scripts for hardcoded passwords
    • files left behind by users that shouldn't be
    • browser passwords
    • machines the compromised host has recently communicated with (find pivot targets)
    • DNS servers
    • web servers
    • mail
    • ...
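The /etc/shadow field layout above is easy to audit mechanically. The following parser and audit routine is an added example, not code from the summary: it splits the nine colon-separated fields, classifies the hash prefix (the `$y$`, `$6$`, `$1$` ids come from crypt(3), the mapping is assumed here), converts the day counters to dates, and flags empty, weak or expired passwords. The sample entries and their hashes are constructed placeholders, and treating a max age of 99999 as "never expires" is an assumption that matches the common convention.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)

# crypt(3) hash-id prefixes found in field 2 (assumed mapping, not taken from the summary)
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK_ALGOS = {"md5crypt", "descrypt"}


@dataclass
class ShadowEntry:
    user: str
    pw_hash: str
    last_change: Optional[int]   # field 3: days since epoch
    min_age: Optional[int]       # field 4
    max_age: Optional[int]       # field 5
    warn: Optional[int]          # field 6
    inactive: Optional[int]      # field 7
    expire: Optional[int]        # field 8: days since epoch


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line into its nine colon-separated fields (field 9 is reserved)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(fields[0], fields[1], *(_int_or_none(f) for f in fields[2:8]))


def hash_algorithm(entry: ShadowEntry) -> str:
    """Classify field 2: empty, locked marker, $id$ prefix, or legacy DES."""
    h = entry.pw_hash
    if h == "":
        return "empty"                      # login possible without a password
    if h.startswith(("!", "*")):
        return "locked"                     # password authentication disabled
    if h.startswith("$"):
        return HASH_IDS.get(h.split("$")[1], "unknown")
    return "descrypt"                       # traditional 13-character DES hash


def days_to_date(days: int) -> date:
    """Shadow stores day counters, not seconds."""
    return EPOCH + timedelta(days=days)


def password_expired(entry: ShadowEntry, today: date) -> bool:
    """True when last change + max age lies before today; 99999 is taken as 'never'."""
    if entry.last_change is None or entry.max_age is None or entry.max_age >= 99999:
        return False
    return days_to_date(entry.last_change + entry.max_age) < today


def audit(shadow_text: str, today: date) -> Dict[str, List[str]]:
    """Return findings per user; users without findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        notes: List[str] = []
        algo = hash_algorithm(e)
        if algo == "empty":
            notes.append("empty password field")
        elif algo in WEAK_ALGOS:
            notes.append(f"weak hash ({algo})")
        if algo not in ("empty", "locked"):
            if e.max_age is None or e.max_age >= 99999:
                notes.append("password never expires")
            elif password_expired(e, today):
                notes.append("password expired")
        if notes:
            findings[e.user] = notes
    return findings


# Constructed sample entries; the hash strings are placeholders, not real hashes
SAMPLE_SHADOW = """\
jef:$y$salty$youwish:20022:0:99999:7:::
legacy:$1$salty$md5hash:18000:0:90:7:::
svc:!:19000:0:99999:7:::
guest::20022:0:99999:7:::
"""

if __name__ == "__main__":
    for user, notes in audit(SAMPLE_SHADOW, days_to_date(20022)).items():
        print(f"{user}: {'; '.join(notes)}")
```

Running it with day 20022 (2024-10-26) as "today" reports jef's password as never expiring, legacy's md5crypt hash as weak and expired, and guest's empty field; the locked svc account produces no finding.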

Password attacks

  • guessing
    • generates lots of traffic
    • can lock out accounts
    • slower than cracking
    • spray attack: try single password on list of users
  • cracking
    • steal hashed password and compare hashes
    • runs on attacker's machine -> stealthier
  • important for assessing security posture of network
    1. access control evaluation
      • assess password strength
      • password policies
    2. credential-based attacks
      • brute force: try many combinations to expose weak or default passwords
      • dictionary: use a list of common passwords
      • credential stuffing: use credentials from previous breaches
    3. privilege escalation
    4. social engineering: trick users into revealing passwords
  • MFA
    • prevent leak of password from becoming a breach
    • bypassing
      • phishing or man-in-the-middle
      • expose implementation flaws
        • insecure methods, e.g. SMS or email
        • session hijacking, e.g. intercepting cookies
      • social engineering, e.g. pose as tech support
      • SIM swapping: get victim's phone number reassigned to new SIM card
      • use backup codes or account recovery
      • push notification bombing
  • using dictionaries
    • large word list for password cracking
    • small tailored list for password guessing
  • cracking not always needed
    • sniff cleartext protocols
    • keystroke logging
    • pass-the-hash techniques use hash directly
  • clean up after pentest (don't leave cracked passwords lying around)
  • lockouts
    • password guessing can lock accounts
    • Windows: original admin account can't be locked out
      • the built-in admin's SID ends in 500 (the RID)
      • if multiple admin accounts, only 1 is safe
    • Linux: lockouts not always configured
      • when configured, it is done through PAM
      • root account not locked out by default
    • prevention
      • just don't guess passwords
      • ask target personnel for info on policy
      • create test account for pentest
      • attempt 1 password per observation window
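The two guessing patterns described above (a spray: one password across many users; brute force: many attempts on one user) leave distinct traces in authentication logs, and the lockout discussion is really about the observation window a defender watches. The detector below is an added example, not code from the summary: it parses sshd-style "Failed password" lines, groups failures per source address, slides a window over them, and flags a source as spraying when it fails against many distinct users, or as brute-forcing when it hammers one account. The log lines are constructed, the year is assumed (syslog lines carry none), and the 10-minute window and thresholds of 5 are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd log lines (syslog style, no year); addresses are documentation ranges
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2001]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:09 bastion sshd[2002]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:17 bastion sshd[2003]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:25 bastion sshd[2004]: Failed password for dave from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:33 bastion sshd[2005]: Failed password for erin from 203.0.113.5 port 40005 ssh2
Mar  3 10:01:00 bastion sshd[2006]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:01:02 bastion sshd[2007]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar  3 10:01:04 bastion sshd[2008]: Failed password for root from 198.51.100.7 port 50003 ssh2
Mar  3 10:01:06 bastion sshd[2009]: Failed password for root from 198.51.100.7 port 50004 ssh2
Mar  3 10:01:08 bastion sshd[2010]: Failed password for root from 198.51.100.7 port 50005 ssh2
Mar  3 10:01:10 bastion sshd[2011]: Failed password for root from 198.51.100.7 port 50006 ssh2
Mar  3 10:05:00 bastion sshd[2012]: Failed password for frank from 192.0.2.9 port 60001 ssh2
Mar  3 10:05:30 bastion sshd[2013]: Accepted publickey for frank from 192.0.2.9 port 60001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

Event = Tuple[datetime, str, str]   # (timestamp, source address, username)


def parse_failures(log_text: str, year: int = 2024) -> List[Event]:
    """Extract failed password attempts; the year is assumed because syslog omits it."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    events.sort()
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=10),
           spray_users: int = 5, brute_attempts: int = 5):
    """Per source, look back over `window` from each failure.

    Spray: distinct users in the window >= spray_users.
    Brute force: attempts on one user in the window >= brute_attempts.
    Returns ({source: max distinct users}, {(source, user): max attempts}).
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    sprays: Dict[str, int] = {}
    brutes: Dict[Tuple[str, str], int] = {}
    for src, evs in by_src.items():
        for i, (ts, _) in enumerate(evs):
            recent = [(t, u) for t, u in evs[: i + 1] if ts - t <= window]
            users = {u for _, u in recent}
            if len(users) >= spray_users:
                sprays[src] = max(sprays.get(src, 0), len(users))
            for u, n in Counter(u for _, u in recent).items():
                if n >= brute_attempts:
                    brutes[(src, u)] = max(brutes.get((src, u), 0), n)
    return sprays, brutes


def analyse(log_text: str):
    """Convenience wrapper: parse then detect with the default thresholds."""
    return detect(parse_failures(log_text))


if __name__ == "__main__":
    sprays, brutes = analyse(SAMPLE_LOG)
    for src, n in sprays.items():
        print(f"spray from {src}: {n} distinct users in window")
    for (src, user), n in brutes.items():
        print(f"brute force from {src} against {user}: {n} attempts in window")
```

On the sample the first source trips the spray rule (five distinct users in under a minute, each tried once, so no per-user lockout would fire), the second trips the brute-force rule against root, and the single failure from the third source followed by a successful key login is left alone. The same split explains why "one password per observation window" keeps a test under the lockout threshold: a lockout policy counts per user, while this detector also counts per source.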