Week 5.


1 Week 5

2 Housekeeping
If you enjoy coming to these sessions, please sign up ($3 - $5/year)
Last chance to buy a hoodie
CySCA participants have been selected
Session format will now be: general session 6pm - 8pm; CySCA training 8ish - 10:30pm (with dinner, of course)
If you applied to be on the team, you are welcome to stay for training. Dedicated training sessions will commence soon.
You're off the hook this week (ish)

3 Hardware hacking sessions
We will update the schedule on the site soon!

4 Before we tuck in
Keep in mind that I am still learning too. If I get anything wrong, or you know of a better way to do things, let me know!
My knowledge on today's topic is limited to things learned studying for the OSCP. This will not take into account avoiding SIEM, IDS & IPS.
Being a two-hour session, we won't be going into great depth; I just want to give you a taste and some fundamentals.
To get a real handle on anything technical in infosec you will have to do your own research, follow those rabbit holes, and play with the tools in labs. Read, read, read!

5 Content
Reconnaissance recap
Finding vulnerabilities and exploits
Using exploits
Generating payloads
Modifying exploits
Post-exploitation
Post-exploitation techniques
Post-exploitation tool sets: Metasploit, Empire

6 Recapping Recon
Scanning for ports and services with Nmap
-sV: Probe open ports to determine service/version info
--script=banner: NSE script to grab all banners (use with -sV)
Banner grabbing to find versions
Telnet or Netcat directly to ports: telnet <address> <port>, or nc -v <address> <port>
HEAD / HTTP/1.1: Manually request the headers on HTTP ports (you may run into issues if the server is expecting certain headers in your request, e.g. User-Agent; an HTTP/1.1 request also needs a Host header or the server may answer 400)
curl -I <address>: Grab headers with the curl tool
cd ~/DISCDEMO
cat nmapscan_complete.txt

7 Finding vulnerabilities and Exploits
searchsploit <term>: Search exploit-db (updates with apt update weekly)
findsploit <term>: Search exploit-db, nmap scripts & metasploit modules
pompem -s <term>: Search in aaaaaall the databases
Read everything you can about the protocol you are considering, and look at extra ways you can enumerate info from that protocol
enum4linux -o <ip>
searchsploit samba
Samba 'Username' map script Command Execution (Metasploit)
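The recon recap ends with a saved Nmap scan (nmapscan_complete.txt) and the next step is feeding version strings into searchsploit. The following is an added example, not part of the original slides: it parses Nmap's normal-output port table into records and turns the fingerprinted open services into clean search terms. The scan text is constructed for the example (a Metasploitable-style lab host, not a real scan).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in Nmap's normal-output format, in the style of a
# Metasploitable-type lab host. Not a real scan of any system.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp filtered distccd
8180/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
"""

# port/proto  state  service  [version ...]; the version column is optional.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when Nmap could not fingerprint the service


def parse_nmap(text: str) -> List[Service]:
    """Pull every port line out of Nmap normal output; skip headers and chatter."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def lookup_terms(text: str) -> List[str]:
    """Unique 'product version' strings for open, fingerprinted services, with the
    trailing parenthetical (workgroup, protocol) dropped so they work as search terms."""
    terms = set()
    for s in parse_nmap(text):
        if s.state == "open" and s.version:
            terms.add(re.sub(r"\s*\([^)]*\)$", "", s.version))
    return sorted(terms)
```

Run it over your own nmapscan_complete.txt instead of SAMPLE_SCAN; filtered ports and unfingerprinted services are kept in the parsed list but never become search terms.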

8 Before the fun part
Now that we've found a vulnerability with an exploit that should affect our targeted service, we need to understand what the exploit is going to do.
Fully understand the vulnerability
Read through the exploit code. Don't execute an exploit unless you understand exactly how it will affect the target system.
Modify the exploit to suit your needs and ship it!
Generate a payload that points back to your C2 server's IP
Replace the exploit's payload with your own
CVE
SecurityFocus article from MITRE

9 Recapping Shells
Two primary types of shells:
Bind shell: Opens a listening service on the target that you connect to
Reverse shell: Target connects to a listening service on your host (assuming you are already listening for it)
There are shells available in almost every communication protocol, some more reliable than others. The protocol you choose should depend on the situation, and should be informed by plenty of extensive reconnaissance if you are avoiding detection.
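The bind/reverse distinction above is also how a defender tells the two apart on a host: a bind shell shows up as a shell binary that is listening, a reverse shell as a shell binary holding an established outbound connection. The following is an added example (not from the slides) that applies that rule to socket records; the records are constructed in the spirit of ss -tnp output and the SocketRecord shape is the example's own assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interactive shells that have no business owning a network socket themselves.
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


@dataclass
class SocketRecord:
    pid: int
    process: str            # image name of the process that owns the socket
    state: str              # "LISTEN" or "ESTABLISHED"
    local: str              # "ip:port"
    remote: Optional[str]   # "ip:port", or None for a listener


# Constructed records in the spirit of `ss -tnp` / netstat output (not from a real host).
SAMPLE = [
    SocketRecord(612, "sshd", "LISTEN", "0.0.0.0:22", None),
    SocketRecord(901, "apache2", "ESTABLISHED", "10.0.0.5:80", "10.0.0.77:51522"),
    SocketRecord(2210, "bash", "ESTABLISHED", "10.0.0.5:39012", "203.0.113.9:4444"),
    SocketRecord(2345, "sh", "LISTEN", "0.0.0.0:31337", None),
    SocketRecord(2400, "nc", "LISTEN", "0.0.0.0:8080", None),
]


def classify(rec: SocketRecord) -> Optional[str]:
    """Bind shell: a shell binary listening. Reverse shell: a shell binary holding an
    established connection (it dialled out). Anything else is not judged here."""
    if rec.process.lower() not in SHELL_BINARIES:
        return None
    if rec.state == "LISTEN":
        return "bind"
    if rec.state == "ESTABLISHED":
        return "reverse"
    return None


def suspicious_shells(records: List[SocketRecord]) -> List[Tuple[int, str, str, str]]:
    """(pid, process, kind, peer-or-listen-address) for every socket-holding shell.
    Caveat: a shell spawned by a relay such as nc -e does not own the socket itself;
    catching that needs parent/child process correlation, which this pass does not do."""
    hits = []
    for r in records:
        kind = classify(r)
        if kind:
            hits.append((r.pid, r.process, kind, r.remote or r.local))
    return hits
```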

10 Completing the exploit
Once we've found a suitable exploit, you have to make sure it is working for you!
If there is a section for shellcode, we want to replace it with a payload of our own, using msfvenom. Like any Linux command, use -h or --help for context.
Ensure you set the minimum options on your payload with -p <payload> --payload-options
Note that some exploits will require certain characters to be avoided, which you can omit from your payload with -b <list>, or will need the payload to be under a certain size, which you can enforce with -s <length>
Once you have a kosher payload, replace the section of code with your own and we're ready to roll!

11 Post-sh3llation
Linux: Windows:
Get as much information as you can from the system (bash history, dump password hashes, DNS history, running processes)
Privilege Escalation: Get root/Local Admin, eventually Domain Admin!
Persistence: Establish a way to re-establish connection to compromised hosts after a reboot or connection loss.
Recon: Enumeration is key. With more access, do as much recon as possible.
Pivot: Once you have established a reliable foothold, you can use that as a new point to launch further attacks into the network or organization.

12 Post-exploitation tools
Assuming you have used an exploit that gained you remote console access (a shell), you should now be able to execute commands, and thereby code, on the remote PC.
While a raw shell is great, there are well-developed frameworks out there that make the post-exploitation process much easier!
Today we're going to look into two of the most frequently used post-exploitation (PE) frameworks, and for good reason: Metasploit and Empire

13 Metasploit
Meterpreter: A custom-built, kitted-out shell that supports many useful post-exploitation functions, such as gaining persistence, and makes privesc simple! (Out of date but still handy: %20Meterpreter%20Cheat%20%20Sheet.pdf)
Metasploit (msfconsole): A framework that allows you to manage reconnaissance, exploits, multiple shell sessions and all your post-exploitation needs within one tool.
While Metasploit is great, it's not always great for learning (don't be a script kiddie).
You can use Meterpreter shells without Metasploit; just choose an appropriate payload from msfvenom -l

14 Empire
When dealing with Windows networks (which most enterprise networks are), there's no better toolbelt than Empire
PowerShell agents for Windows targets
Python agents for Linux & OSX targets
Extremely modern in-memory techniques and cryptographically secure communication
I really wanted to dive into Empire this week but I left it too last minute. If you rocked up to the session, hopefully we dove into it, but otherwise install it and start playing straight away!

15 No CTF this week
Unfortunately, because I'm a procrastinator, we don't have a CTF this week. However, by now you should have Kali and Metasploitable 2 or 3 set up in your virtual lab.
(Assuming everything with the recording went well) Try to follow or recreate the techniques that were demo'd in the session and take notes.
Pick some other services/ports on Metasploitable
Research as much as you can about the service and its vulnerabilities
See if you can hack every single one! (They're all vulnerable to something)
