Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC300 Offensive Security Dr. Ronny L. Bull, Ph.D. Post Exploitation

Published byJulius Jones Modified over 6 years ago

Similar presentations

Presentation on theme: "CSC300 Offensive Security Dr. Ronny L. Bull, Ph.D. Post Exploitation"— Presentation transcript:

1 CSC300 Offensive Security Dr. Ronny L. Bull, Ph.D. Post Exploitation

2 Overview Purpose Rules of Engagement Infrastructure Analysis Pillaging
High Value Targets Data Exfiltration Persistence Further Penetration into Infrastructure Cleanup

3 Purpose Determine value of compromised system
Determined by sensitivity of data Usefulness for compromising network Entry point to high profile targets Communication links Trust relationships Maintain point of entry and control for later use Backdoor Reverse shell Reverse tunnels VPN

4 Rules of Engagement Rules specific to post-exploitation
Ensure client machines are not subjected to unnecessary risk by actions of testers Mutually agreed upon procedure to conduct during post-exploitation Protect the client Protect yourself

5 Rules of Engagement Protecting the client
Modifications to critical systems and services should be minimal or non-existent. If modifications are performed they should be well documented Steps should be taken to roll back to original settings to ensure that potential compromise by outside attackers as a result of the modifications is mitigated

6 Rules of Engagement Protecting the client
Keep detailed notes on the actions that were performed against compromised systems Actions taken (procedures) Time frame Append this information to final report Notes should allow anyone to duplicate the attack scenario

7 Rules of Engagement Protecting the client
Before using any private or personal user data (passwords, history, documents) the following must be included in the client's Acceptable Use Policy: All systems and all data stored on those systems are owned by the client Connection to the client's network is considered as consent to the terms in the policy Connected machine may be searched and analyzed

8 Rules of Engagement Protecting the client
The client must ensure that every user reads and understands the Accepted Use Policy Never release recovered passwords in any documentation presented to the client, this includes the final report All gathered data by the testers should be stored on encrypted devices

9 Rules of Engagement Protecting the client
Any information included in documentation presented to the client should be sanitized of sensitive information Screenshots Tables Figures All systems used by the testers will be sanitized following the acceptance of the final report

10 Rules of Engagement Protecting the client
Be mindful of regulatory laws Downloading or manipulating data may violate some laws in certain states or countries If prohibited proof of access can be shown File permissions File names Directory structure Timestamps

11 Rules of Engagement Protecting the client
Someone may have gotten there before you! If evidence of prior compromise is found deliver current logs and documentation of actions and time frames to the client Further action should be handled by the client at this point Never delete logs unless specified by the client! Always keep backups!

12 Rules of Engagement Protecting yourself
Many of the topics discussed in protecting the client are applicable Ensure that all contracts are signed by all applicable parties NO LOOPHOLES! Obtain copies of all security policies for end users Acceptable Use Policy Ownership of systems & data

13 Rules of Engagement Protecting yourself
Confirm all regulations and laws for the areas in which testing will occur Use encryption! Establish procedures to follow if a prior compromise to the system is identified

14 Infrastructure Analysis
Network Configuration A compromised machine can help to identify additional targets Subnets Routers Servers DNS Servers Trust Relationships

15 Network Configuration
Interfaces Systems may have more than one network interface connected to different subnets Routing Interface addresses, routing tables, ARP tables can all provide information on other network segments and subnets

16 Network Configuration
DNS Servers Enumerate DNS servers from a host to find other hosts to target Take control of a DNS server and view its database to find all host entries Modify records (DNS Poisoning) to redirect traffic to malicious servers or perform man-in-the-middle attacks

17 Network Configuration
Proxy Servers If compromised can provide an attacker with the ability to modify, and identify traffic Also typically provide means to monitor the flow of traffic and the traffic itself Web proxies

18 Network Configuration
ARP Entries Identify hosts that interact with the compromised system Static entries may represent critical machines ARP Poisoning Modify ARP table entries of local and remote machines for malicious means

19 Network Services Listening Services
Compromised machine may be running services not identified in previous scans Services may be listening on non-standard ports netstat is a great tool for identifying open connections May provide for future points of entry

20 Network Services VPN Connections
Inbound and outbound connections should be identified Could be used to target new systems on remote network Could also be used as future entry point to the system May provide access to other credentials

21 Network Services Directory Services User account enumeration
Hosts or services on the network (printers) User details that can be used for social engineering Phone numbers Address Position

22 Network Services Neighbors Neighbor discovery services
Help to identify other systems or devices to target CDP (Cisco Discovery Protocol) LLDP (Link Layer Discovery Protocol) NetBios Avahi

23 Pillaging The act of obtaining information from a compromised system
Personal information Credit card information Passwords Could be part of satisfying goals or used to gain further access into the network May require special tools to identify and extract data from some systems

24 Installed Programs Startup items
May reveal potential countermeasures in place Anti-virus software Application Firewall Host based IPS/IDS Identify applications installed on system and versions Identify OS updates applied

25 Installed Services Security Services
Designed to keep attackers out and keep data safe Identify to find ways to circumvent File / Printer Shares Data! Trust relationships Places to put trojans or autorun files with sneaky names!

26 Installed Services Database Servers Enumerate database names
Determine purpose and type of data Database permissions Users, password hashes, groups and roles Anyone know the MYSQL command to retrieve the list of users and their password hashes on a system? Also reviles where they can connect from

27 Installed Services Directory Servers
All sorts of good info about users and hosts on the network Name Servers The phone book of the network! Can be harnessed for many malicious purposes Deployment Services Unattended answer files can provide username and password info for admin accounts Backdoor installations

28 Installed Services Source Code Managmenet (SVN, GIT, CVS)
Enumerate projects Obtain source code Alter source code Enumerate developer information DHCP Server Enumerate leases Add reservations Change options (TFTP server) Consume all leases (DOS)

29 Installed Services Virtualization Enumerate VM information
Virtualization software configuration Host configuration VLAN info Access network storage devices Control VM state Export an entire machine! Intercept VM network traffic

30 Installed Services Monitoring and Management SNMP Syslog
Some services may use other services to interface with hosts SSH Telnet RDP Can provide access to additional targets

31 Installed Services Backup Systems Enumerate hosts
Access to backup data Enumerate users Possible access to host credentials rsync over SSH May provide keys to system as backup or root user

32 Sensitive Data Key logging
Monitor keystrokes for username and password information Monitor all data that a user inputs Documents Instant messages Screen capture Provide evidence of compromise

33 Sensitive Data Network Traffic Capture Identify hosts Intercept data
Identify services Identify relationships between hosts Capture credentials

34 User Information On System History files Encryption keys Documents
User specific application configuration Enumerate removable media Network shares & Permissions

35 User Information Web Browsers Browser history Bookmarks
Download history Credentials Proxies Plugins/Extensions

36 User Information IM Clients Account configuration Chat logs

37 System Configuration Password policy
Makes brute force password attacks more efficient if the policy is understood Security policies Wireless information Access times Failed login attempts Lockout policies

38 High Profile Targets Further refinement and expansion can be obtained for high value/profile targets Compromised systems can yield a wealth of information and new ways of entry Trust relationships between a compromised machine and a high profile target can provide easy and trusted access

39 Data Exfiltration Map all possible exfiltration paths
Multiple paths should be identified to get data out of the network Testing exfiltration paths Should simulate real world scenarios All identified paths should be tested Measuring control strengths Can the exfiltration be detected and mitigated?

40 Persistence Maintaining access to compromised systems
Backdoor installations Should survive reboots Modification or installation of services to allow connections back into the system New user Keys Reverse connections to a single IP Creation of alternate accounts with complex passwords

41 Further Penetration Into Infrastructure
Pivot off of already compromised systems From the compromised system: Upload tools to compromised system Use local system tools ARP scans Ping sweeps Internal DNS enumeration Directory services enumeration Brute force attacks Remote exploits

42 Further Penetration Into Infrastructure
Thru a compromised system Port forwarding Tunneling Proxy to internal network (SSH) VPN connection Remote exploits

43 Cleanup Sanitize all systems used to store sensitive data captured during the assessment Remove all executable, scripts, and temporary files from compromised systems Use secure delete methods if possible Return systems to original configurations Remove all backdoors and rootkits Remove any created user accounts

44 Just Like Camping!

45 For Next Week Read the material on Reporting at the Pentest- Standard.org website Sign up for an account at

Download ppt "CSC300 Offensive Security Dr. Ronny L. Bull, Ph.D. Post Exploitation"

Similar presentations

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.

Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
JMU GenCyber Boot Camp Summer, 2015. Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.

JMU GenCyber Boot Camp Summer, Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.
Module 4: Add Client Computers and Devices to the Network.

Module 4: Add Client Computers and Devices to the Network.
Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.

Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Software Security Testing Vinay Srinivasan cell: +91 9823104620.

Software Security Testing Vinay Srinivasan cell:

Similar presentations

Ads by Google