187 lines
6.8 KiB
Markdown
187 lines
6.8 KiB
Markdown
# Post-Exploitation
|
|
|
|
## Pilfering
|
|
|
|
* retrieve useful information from machine
|
|
* passwords (`/etc/shadow`, `hashdump` SAM database)
|
|
* cryptographic keys (SSH, PGP, GPG)
|
|
* `/etc/passwd` format: fields separated by colons
|
|
* `jef:$y$salty$youwish:20022:0:99999:7:::`
|
|
1. `jef`: username
|
|
2. `$1$salty$youwish`: hash id, salt and password hash
|
|
3. `20022`: day password was last changed (unix timestamp but in days)
|
|
4. `0`: minimum age of password before it can be changed again
|
|
5. `99999`: max age of password, after how many days password must be
|
|
changed
|
|
6. `7`: how many days before expiring the user should be warned
|
|
7. number of days after password expired that user should be locked out
|
|
(usually empty)
|
|
8. expiration date of account
|
|
* moving files
|
|
* push file directly if firewall allows it
|
|
* otherwise send command to target to pull target from client
|
|
* use whatever protocol works best (FTP, SMB...)
|
|
* meterpreter supports sending files
|
|
* Windows
|
|
* user credentials cached in Microsoft Credential Manager
|
|
* extract using credential cache dumping tools
|
|
* requires admin
|
|
* service account passwords stored encrypted in LSA secrets section of
|
|
registry
|
|
* Mimikatz `lsadump` can dump these
|
|
* wireless client profiles can be extracted if admin
|
|
* other
|
|
* source code of services for vulnerability analysis
|
|
* scripts for hardcoded passwords
|
|
* files left behind by users that shouldn't be
|
|
* browser passwords
|
|
* machines with which machine has recently communicated (find pivot
|
|
targets)
|
|
* DNS servers
|
|
* web servers
|
|
* mail
|
|
* ...
|
|
|
|
## Password attacks
|
|
|
|
* guessing
|
|
* generates lots of traffic
|
|
* can lock out accounts
|
|
* slower than cracking
|
|
* **spray attack**: try single password on list of users
|
|
* cracking
|
|
* steal hashed password and compare hashes
|
|
* runs on attacker's machine -> stealthier
|
|
* important for assessing security posture of network
|
|
1. access control evaluation
|
|
* assess password strength
|
|
* password policies
|
|
2. credential-based attacks
|
|
* **brute force**: try many combination to expose weak or default
|
|
passwords
|
|
* **dictionary**: use list of common password
|
|
* **credential stuffing**: use credentials from previous breaches
|
|
3. privilege escalation
|
|
4. social engineering: trick users into revealing passwords
|
|
* MFA
|
|
* prevent leak of password from becoming a breach
|
|
* bypassing
|
|
* phishing or man-in-the-middle
|
|
* expose implementation flaws
|
|
* insecure methods, e.g. SMS or email
|
|
* session hijacking, e.g. intercepting cookies
|
|
* social engineering, e.g. pose as tech support
|
|
* SIM swapping: get victim's phone number reassigned to new SIM card
|
|
* use backup codes or account recovery
|
|
* push notification bombing
|
|
* using dictionaries
|
|
* large word list for password cracking
|
|
* small tailored list for password guessing
|
|
* cracking not always needed
|
|
* sniff cleartext protocols
|
|
* keystroke logging
|
|
* pass-the-hash techniques use hash directly
|
|
* clean up after pentest (don't leave cracked passwords lying around)
|
|
* lockouts
|
|
* password guessing can lock accounts
|
|
* Windows: original admin account can't be locked out
|
|
* admin has SID suffix of 500
|
|
* if multiple admin accounts, only 1 is safe
|
|
* Linux: lockouts not always configured
|
|
* if so, done using PAM
|
|
* root account not locked out by default
|
|
* prevention
|
|
* just don't guess passwords
|
|
* ask target personnel for info on policy
|
|
* create test account for pentest
|
|
* attempt 1 password per observation window
|
|
|
|
## Password representation
|
|
|
|
* Windows
|
|
* Security Accounts Manager (SAM) for modern desktop versions
|
|
* stores all local account info
|
|
* login info from domain users that connected to the machine
|
|
* encrypted SAM database
|
|
* password hashes stored in registry
|
|
* LANMAN (LM) or NT hashes
|
|
* Active Directory newer alternative
|
|
|
|
### Lanman hash
|
|
|
|
* operation
|
|
1. truncate password to 14 characters (pad with NUL bytes if less)
|
|
2. convert to uppercase
|
|
3. split into two 7-char pieces
|
|
4. use each piece as 7-byte DES key to encrypt 64-bit known constant `KGS!@#$%`
|
|
5. hash is concatenation of two 8-byte outputs
|
|
* this hash is criminally bad
|
|
|
|
### NT hash
|
|
|
|
* operation
|
|
1. convert password (max 256 chars) into UTF-16 little endian format
|
|
2. hash using MD4 (no salt)
|
|
* better but still pretty bad
|
|
|
|
## Windows challenge-reponse authentication
|
|
|
|
* mutiple forms of network cryptographic authentication
|
|
* **LANMAN challenge/response**: legacy-only, uses LM hash
|
|
* **NTLMv1**: also legacy, uses NT hash
|
|
* **NTLMv2**: stronger security, uses NT hash
|
|
* **Microsoft Kerberos**
|
|
|
|
### LANMAN and NTLMv1
|
|
|
|
* operation
|
|
1. client initiates authentication
|
|
2. server sends 8-byte challenge
|
|
3. client formulates response
|
|
1. pad LM/NT hash to 21 bytes
|
|
2. split hash in three 7-byte pieces
|
|
3. use each piece as DES key to encrypt challenge
|
|
4. response is 3 8-byte outputs
|
|
4. server calculates same response and compares
|
|
* problems
|
|
* attacker can sniff both challenge and response and try to crack
|
|
* rogue server could issue static challenge for which it has rainbow tables
|
|
* works because neither hash uses salting
|
|
* without rogue server, method is slower than cracking hashes in SAM db
|
|
* no access to actual hash
|
|
* attacker needs to perform DES encryption
|
|
|
|
### NTLMv2
|
|
|
|
* operation
|
|
1. client sends authentication request
|
|
2. server sends 8-byte server challenge
|
|
3. client formulates response
|
|
1. creates NTLMv2 hash using HMAC-MD5
|
|
* data: username and domain name
|
|
* key: NT hash
|
|
2. creates NTLMv2 response using HMAC-MD5
|
|
* data: server challenge + data blob (client challenge, timestamp,
|
|
fields for integrity / security)
|
|
* key: NTLMv2 hash
|
|
4. client sends response to server
|
|
5. server computes validity of response using stored NT hash and received
|
|
fields
|
|
* cracking still possible but much slower
|
|
* stronger hash is used
|
|
* timestamp protects against replay attacks
|
|
* rainbow tables not useful due to variability of client challenge
|
|
|
|
### NTLM relay attacks
|
|
|
|
* both versions vulnerable
|
|
* possible if attacker can access server client usually uses
|
|
* ARP or DNS spoofing
|
|
* phishing
|
|
* cross-site scripting attacks
|
|
* operation
|
|
1. attacker poses as authentication server
|
|
2. attacker relays authentication request messages to real server -> acts
|
|
as authenticating client
|
|
3. attacker receives authentication and returns error message to client
|