Week 5.

Housekeeping
- If you enjoy coming to these sessions, please sign up ($3 - $5/year): https://www.dusa.org.au/Clubs-Sport/Clubs/Deakin-Information-Security-Club-(DISC)
- Last chance to buy a hoodie: https://dischoodies.getqpay.com/
- CySCA participants have been selected
- Session format will now be: General session 6pm - 8pm; CySCA training 8ish - 10:30pm (with dinner of course)
- If you applied to be on the team, you are welcome to stay for training. Dedicated training sessions will commence soon.
- You're off the hook this week (ish)

Hardware hacking sessions
We will update the schedule on the https://deakininfosec.com.au/ site soon!

Before we tuck in
- Keep in mind that I am still learning too. If I get anything wrong, or you know of a better way to do things, let me know!
- My knowledge on today's topic is limited to things learned studying for the OSCP. This will not take into account avoiding SIEM, IDS & IPS.
- Being a two hour session, we won't be going into great depth; I just want to give you a taste and some fundamentals.
- To get a real handle on anything technical in infosec you will have to do your own research, follow those rabbit holes, and play with the tools in labs. Read read read!

Content
- Reconnaissance recap
- Finding vulnerabilities and exploits
- Using exploits
  - Generating payloads
  - Modifying exploits
- Post-exploitation
  - Post-exploitation techniques
  - Post-exploitation tool sets: Metasploit, Empire

Recapping Recon
- Scanning for ports and services with Nmap
  - -sV: Probe open ports to determine service/version info
  - --script=banner: NSE script to grab all banners (use with -sV)
- Banner grabbing to find versions
  - Telnet or Netcat directly to ports: telnet <address> <port>, nc -v <address> <port>
  - HEAD / HTTP/1.1: Manually request the header on HTTP ports (you may run into issues if the server is expecting certain headers in your request, eg. User-Agent)
  - curl -I <address>: Grab headers with the curl tool
  - http://www.hackingarticles.in/5-ways-banner-grabbing/
- Demo commands: cd ~/DISCDEMO; cat nmapscan_complete.txt

Finding vulnerabilities and exploits
- searchsploit <term>: Search exploit-db (updates with apt update weekly)
- findsploit <term>: Search exploit-db, Nmap scripts & Metasploit modules (https://github.com/1N3/Findsploit)
- pompem -s <term>: Search in aaaaaall the databases (https://github.com/rfunix/Pompem)
- Read everything you can about the protocol you are considering, and look at extra ways you can enumerate info from that protocol (http://www.0daysecurity.com/penetration-testing/enumeration.html)
- Demo commands: enum4linux -o <ip>; searchsploit samba
  - Result: Samba 3.0.20 'Username' map script Command Execution (Metasploit)

Before the fun part
Now that we've found a vulnerability with an exploit that should affect our targeted service, we need to understand what the exploit is going to do.
- Fully understand the vulnerability: https://cve.mitre.org/ and https://nvd.nist.gov/
- Read through the exploit code. Don't execute an exploit unless you understand exactly how it will affect the target system.
- Modify the exploit to suit your needs and ship it!
  - Generate a payload that points back to your C2 server's IP
  - Replace the exploit's payload with your own
- Demo: CVE-2007-2447 (SecurityFocus article linked from MITRE)
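As an added defender-side example (not from the session), the version-and-configuration check a sysadmin would run against the Samba finding above: it parses nmap -sV output for Samba smbd versions, compares them against the range affected by CVE-2007-2447 (3.0.0 through 3.0.25rc3, fixed in 3.0.25), and checks whether smb.conf enables the 'username map script' option that the vulnerable code path requires. The nmap lines and the smb.conf fragment are constructed samples.

```python
import re

# CVE-2007-2447 (Samba "username map script" command execution) affects
# Samba 3.0.0 up to and including 3.0.25rc3; 3.0.25 is the fixed release.
AFFECTED_LOW = (3, 0, 0, 0)
FIXED = (3, 0, 25, 0)
NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Samba smbd (\S+)")
# Constructed sample input (not real scan data or a real config file).
SAMPLE_NMAP = """\
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   username map script = /etc/samba/scripts/mapusers.sh
"""

def samba_version_key(version):
    """'3.0.25rc3' -> sortable tuple; rcN ranks below the final release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", version)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) - 1000 if rc else 0)

def is_affected_cve_2007_2447(version):
    key = samba_version_key(version)
    if key is None:
        return None  # unparseable (e.g. nmap's "3.X"): verify by hand
    return AFFECTED_LOW <= key < FIXED

def flag_samba_hosts(nmap_output):
    """(port, version, affected) for every 'Samba smbd' line in nmap -sV output."""
    findings = []
    for line in nmap_output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            findings.append((int(m.group(1)), m.group(2), is_affected_cve_2007_2447(m.group(2))))
    return findings

def username_map_script_enabled(smb_conf):
    """True if 'username map script' is set (Samba ignores case and spaces in keys)."""
    for line in smb_conf.splitlines():
        stripped = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if "=" in stripped:
            key, value = (p.strip() for p in stripped.split("=", 1))
            if key.lower().replace(" ", "") == "usernamemapscript" and value:
                return True
    return False
```

A host that is both in the affected range and has the option set is the one to patch first; an unparseable version (None) means the scan did not get a precise number and the package version must be checked on the box.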

Recapping Shells
Two primary types of shells:
- Bind shell: Opens a listening service on the target that you connect to
- Reverse shell: Target connects to a listening service on your host (assuming you are already listening for it)
There are shells available in almost every communication protocol, some more reliable than others. The protocol you choose should depend on the situation, and should be informed by plenty of extensive reconnaissance if you are avoiding detection.
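An added host-side detection example, not from the session, that applies the bind/reverse distinction above: it parses `ss -tnp` style socket listings (a constructed sample is embedded) and flags listening sockets owned by a shell or netcat (bind-shell pattern) and established connections owned by a shell interpreter (reverse-shell pattern). The process list and the ephemeral-port threshold are heuristics chosen for this example.

```python
import re

# Interpreters and relay tools that should rarely own a TCP socket on a server;
# the list and the port threshold below are heuristics chosen for this example.
SHELL_PROCS = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat", "netcat", "socat"}
EPHEMERAL_START = 32768  # lower bound of Linux's default ip_local_port_range
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)')

# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=842,fd=3))
ESTAB  0      0      10.0.0.5:22         10.0.0.20:51644    users:(("sshd",pid=1910,fd=4))
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=2201,fd=3))
ESTAB  0      0      10.0.0.5:49821      203.0.113.9:443    users:(("bash",pid=2305,fd=2))
"""

def parse_ss_line(line):
    """One ss row -> (state, local, peer, proc, pid, fd); None for header/unknown."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in {"LISTEN", "ESTAB"}:
        return None
    m = PROC_RE.search(parts[5])
    if not m:
        return None
    return parts[0], parts[3], parts[4], m.group(1), int(m.group(2)), int(m.group(3))

def suspicious_sockets(ss_output):
    """Return (kind, proc, pid, local, peer) tuples for shell-like sockets."""
    findings = []
    for line in ss_output.splitlines():
        row = parse_ss_line(line)
        if row is None:
            continue
        state, local, peer, proc, pid, fd = row
        if proc not in SHELL_PROCS:
            continue
        local_port = int(local.rsplit(":", 1)[1])
        if state == "LISTEN":
            # shell/netcat waiting for an inbound connection: bind-shell pattern
            findings.append(("bind-shell?", proc, pid, local, peer))
        elif local_port >= EPHEMERAL_START or fd <= 2:
            # outbound connection from a shell, or a shell whose stdin/stdout/stderr
            # is the socket itself: reverse-shell pattern
            findings.append(("reverse-shell?", proc, pid, local, peer))
    return findings
```

Run it over `ss -tnp` output collected as root; rows without a visible owning process are skipped rather than guessed at.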

Completing the exploit
- Once we've found a suitable exploit, we have to make sure it is working for us!
- If there is a section for shellcode, we want to replace it with a payload of our own.
- Use msfvenom to generate it; like any Linux command, use -h or --help for context.
- Ensure you set the minimum options on your payload with -p <payload> --payload-options
- Note that some exploits will require certain characters to be avoided, which you can omit from your payload with -b <list>, or require the payload to be under a certain size, which you can set with -s <length>
- Once you have a kosher payload, replace the section of code with your own and we're ready to roll!

Post-sh3llation
- Linux: https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
- Windows: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
- Get as much information as you can from the system (bash history, dump password hashes, DNS history, running processes)
- Privilege escalation: Get root/Local Admin, eventually Domain Admin!
- Persistence: Establish a way to re-establish a connection to compromised hosts after a reboot or connection loss.
- Recon: Enumeration is key. With more access, do as much recon as possible.
- Pivot: Once you have established a reliable foothold, you can use that as a new point to launch further attacks into the network or organization.

Post-exploitation tools
Assuming you have used an exploit that gained you remote console access (a shell), you should now be able to execute commands, and thereby code, on the remote PC. While a raw shell is great, there are well-developed frameworks out there that make the post-exploitation process much easier! Today we're going to look into two of the most frequently used post-exploitation (PE) frameworks, and for good reason:
- Metasploit
- Empire

Metasploit
- Meterpreter: A custom-built, kitted-out shell that supports many useful post-exploitation functions, such as gaining persistence and privesc made simple! (Out of date but still handy: http://www.scadahackr.com/library/Documents/Cheat_Sheets/Hacking%20-%20Meterpreter%20Cheat%20%20Sheet.pdf)
- Metasploit (msfconsole): A framework that allows you to manage reconnaissance, exploits, multiple shell sessions and all your post-exploitation needs within one tool.
- While Metasploit is great, it's not always great for learning (don't be a script kiddie).
- You can use Meterpreter shells without Metasploit; just choose an appropriate payload from msfvenom -l

Empire
When dealing with Windows networks (which most enterprise networks are), there's no better toolbelt than Empire (https://github.com/EmpireProject/Empire).
- PowerShell agents for Windows targets
- Python agents for Linux & OSX targets
- Extremely modern in-memory techniques and cryptographically secure communication
I really wanted to dive into Empire this week, but I left it too last minute. If you rocked up to the session, hopefully we dove into it; otherwise install it and start playing straight away! (https://github.com/EmpireProject/Empire/wiki/Quickstart)

No CTF this week
Unfortunately, because I'm a procrastinator, we don't have a CTF this week. However, by now you should have Kali and Metasploitable 2 or 3 set up in your virtual lab. (Assuming everything with the recording went well.)
- Try to follow or recreate the techniques that were demoed in the session and take notes.
- Pick some other services/ports on Metasploitable.
- Research as much as you can about the service and its vulnerabilities.
- See if you can hack every single one! (They're all vulnerable to something.)