Post Exploitation¶
Secure Shell (SSH)¶
Secure Shell is a network protocol that allows users to access remote systems securely through the use of encryption.
- Suite of tools that are bundled together that utilize the SSH protocol
- Written and released to replace a clear-text suite of programs called Remote Shell (RSH).
- All the capabilities of RSH were included with SSH along with many more features which make the SSH suite of programs more robust and can perform a plethora of tasks.
Secure Shell added capabilities include:
- Access remote systems using an SSH server as a proxy
- Securely transfer files
- Execute commands on a remote system
- VPN using the SSH protocol as a transport
- Forwarding the X Window System display to the client system
- And many others
Basic SSH command syntax
To remotely access a system with SSH the typical usage is:
The default SSH port is 22, and the -p option doesn't have to be specified unless the SSH server is listening on a different port.
No matter what port forwarding you are utilizing, you ALWAYS authenticate to an SSH server, so the basic SSH command syntax is required for all scenarios.
Local Port Forwarding Overview¶
Local port forward bind ports follow the rules of the security context of the user creating them since they are local to the system in which the commands are executed.
Any user can create a local port forward. By default the local bind port will be attached to the loopback address on the system where the command is executed.
- Root users can bind to any port, including ports below 1024
- Non-root users can only bind to ports 1024 and above
- Both root and non-root users can bind to any legal IP address on the system including the quad zeros (0.0.0.0)
Remote Port Forwarding Overview¶
Remote port forward bind ports follow the rules of the security context of the user authenticating to the remote system combined with configuration settings on the remote SSH server.
Any user can create a remote port forward. By default the remote bind port will be attached to the loopback address on the system to which you are authenticating.
- Root users can bind to any port, including ports below 1024
- Non-root users can only bind to ports 1024 and above
- Both root and non-root users can bind to any legal IP address on the system including the quad zeros (0.0.0.0)
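The server-side settings that the remote-forward bind rules above depend on, shown as an added example that is not from the original page: the first excerpt lets clients bind remote forwards to any address, the second is the restricted form a defender would set (the destination and listener values are placeholders).

```sshconfig
# /etc/ssh/sshd_config, excerpt 1 (permissive, added example not from the page):
# a client may ask for a remote forward bound to 0.0.0.0 or any local address,
# and every -L / -R request is honoured.
GatewayPorts clientspecified
AllowTcpForwarding yes

# /etc/ssh/sshd_config, excerpt 2 (restricted): remote-forward listeners stay on
# the loopback address regardless of what the client asks for, and forwarding is
# confined to what this host's role actually needs.  Use "no" for
# AllowTcpForwarding to refuse -L and -R entirely.
GatewayPorts no
AllowTcpForwarding yes
PermitOpen 10.0.0.5:443          # placeholder: the only -L destination allowed
PermitListen 127.0.0.1:8080      # placeholder: the only -R listener allowed (OpenSSH 7.8+)
```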
Windows Port Proxy¶
Windows did not include an SSH client or server until Windows 10, after which OpenSSH was utilized. This allows the use of the same Local and Remote Port Forwarding techniques. An added capability unique to Windows is the use of NETSH and its PortProxy capability.
Portproxy allows you to listen on a certain port on one of your network interfaces (or all interfaces) and redirect all traffic arriving there to another IP address/port. Items to consider:
- Windows Firewall settings need to allow your desired ports
View the PortProxy:
Delete the PortProxy:
Delete all PortProxies set up:
Pivoting and Redirection¶
Introduction
You have compromised a system. Pat yourself on the back and call it a day, right? Wrong! Now it is time to start leveraging the territory you have taken and dig further into the network, but realize that any action you take could give away your presence and cost all the work you have done up until this point. For example, uploading your best tools increases the noise level. If you get caught and booted from the system, then you just burned your tools, because now somebody else has them. What do you do to maneuver through the network and reduce the noise level? Operating systems include a plethora of tools that, although meant to assist in the proper operation of a system, can be used in other ways to meet the goals of network infiltration, further exploitation, and exfiltration.
Discussion
What is pivoting? Why is it important?
- Makes the operation non-attributable.
- Looks like your connection is coming from another location.
- Allows access to something that we may not have direct access to due to firewalls, routers, etc.
- Can make or break an operation, connection loss, malware, active administrator, unreliable, etc.
- Reliability: the pivot machine will be directly accessed, and COULD be attributable if the proper precautions aren't taken (encryption, VMs, NAT and PAT)
Would it be smart to directly connect to a remote machine from your local host machine?
What is a system used for redirection?
- A remote machine that is very trustworthy and reliable, used to pivot from
How much thought should be put into selecting a system for redirection?
- Geographical Location
- State of the machine
- Uptime
- Basically it's overall reliability
Where do you want to run all your commands from?
SSH Keys¶
Introduction
An SSH key is a private/public key pair that can be used for authentication. SSH keys can be used to replace password authentication or be used in combination with passwords. Because they are cryptographic keys, they can be considered more secure than a password: cryptographic keys are harder to brute-force or crack than passwords.
SSH keys are broken down into two keys:
- Authorized Keys
- The public key part of the pair
- Grants access to the system they are on
- Identity Keys
- The private key part of the pair
- Used to authenticate to the computer that has the paired public key
Stealing SSH Identity Keys¶
The purpose of stealing a user's identity key is to give an attacker a potential way to access other targets. It is the same as finding a password on the system and then trying that password on other targets to gain access.
While enumerating a target machine it may be possible to find a user's identity key (private key) in a location where the attacker has access to the key. If an attacker is able to access the private key, they can bring that key onto their own system and use it in an attempt to gain access to other systems on the target network.
Note
The stolen identity key must have its paired authorized key on any system you are trying to access in order for you to authenticate to the targeted system
Using Stolen Identity Key¶
Once an identity key has been taken from a target it must be prepped before use on your box
On your attack box
- Set permissions to user only read and write
- Use the -i option when SSHing to the new target: -i lets you select a specific identity key to use. By default, ssh will look in your own .ssh/ folder for a key to use.
Note
When logging in with a stolen key, login as the user who owned the key you stole. For example if you stole a key from user "jane" log in as user "jane"
- If the target system has an authorized key (public key) that pairs with the key you stole, you should be logged into the system
SSH Control Sockets¶
Introduction
Control sockets are used during operations...
Discussion
What are Control Sockets?
- Master Control sockets
- Slaves
Why use control sockets over regular SSH port forwarding?
- Multiplexing - Create more than one connection through an already established secure channel
- Data exfiltration - Downloading through an already established secure connection
- Less logging - One log entry for the initial connection; additional connections over the multiplexed channel produce no additional log entries.
- Produces less noise which reduces the chances of getting noticed.
Utilizing control sockets with SSH is client-driven. They can be employed by specifying SSH commands with the appropriate command line arguments, or can be made persistent by adding/modifying the settings in the client's configuration file(s). In Linux the system-wide SSH client configuration file is /etc/ssh/ssh_config, and the per-user SSH client configuration file is ~/.ssh/config.
Man Page SSH Switches
Demo: SSH Control Sockets¶
SSH without Control Sockets, showing the various connections and logs that are generated:
- From one terminal, connect to the destination using typical SSH
- View established connections on the destination system
- Examine SSH authentication entries on the destination system
SSH with Control Sockets, showing that it does not create repeated events:
- SSH to the destination system, set master mode, set the control path to /tmp/s
- View the control path on Terminal 1 (not required, but used to understand that a socket is created for subsequent shared connections if used)
- View established connections on the destination system
- Examine SSH authentication entries on the destination system
Note
Only the first connection, where the control socket was created, has a corresponding established connection and authentication log entry. As long as each connection from the same source system utilizes the existing control path, no further connections or authentication log entries will be generated on the remote system. This reduces the noise level and aids in not getting noticed.
Demo: Manipulate SSH Config to make Persistent Master Control Socket¶
As discussed previously, SSH control sockets can be made persistent even when not specifying the command line options to use them. The following settings can be configured in either or both the system wide SSH configuration file /etc/ssh/ssh_config, or the per-user configuration file ~/.ssh/config, but the per-user configuration file will take precedence over the system wide SSH client configuration file.
If it is only desired to use control sockets to specified systems, then create individual entries for each host by using the appropriate hostname and control socket configuration entries:
In the preceding example, a control socket is used when connecting to "machine1.example.org." Connections to systems other than "machine1.example.org" will need their own configuration.
The socket will be created in the "~/.ssh/controlsmasters/" directory and will be given the name user@host:port (%r - remote user name, %h - remote host name, %p - remote port).
ControlMaster accepts five different values: 'no', 'yes', 'ask', 'auto', and 'autoask'.
- 'no' is the default. New sessions will not try to connect to an established master session, but additional sessions can still multiplex by connecting explicitly to an existing socket.
- 'yes' creates a new master session each time, unless explicitly overridden. The new master session will listen for connections.
- 'ask' creates a new master each time, unless overridden, which listens for connections. If overridden, ssh-askpass(1) will pop up a message in X to ask the master session owner to approve or deny the request. If the request is denied, then the session being created falls back to being a regular, standalone session.
- 'auto' creates a master session automatically if none exists; if a master session is already available, subsequent sessions are automatically multiplexed.
- 'autoask' automatically assumes that if a master session exists, that subsequent sessions should be multiplexed, but ask first before adding a session.
Refused connections are logged to the master session.
The ControlPersist option specifies whether to keep the control socket active when idle, or for how long. The options are 'yes', 'no' or a time interval. If a time interval is given, the default is in seconds. Units can extend the time to minutes, hours, days, weeks or a combination. If 'yes' the master connection stays in the background indefinitely.
To make SSH use control sockets for all SSH connections, a wildcard can be specified with the Host option:
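As an added example, not the page's own configuration: a per-user ~/.ssh/config with the host-specific entry and the wildcard variant described above (the socket directory ~/.ssh/controlmasters is assumed and must exist beforehand, since ssh will not create it), followed by the server-side sshd_config setting that counters the log suppression shown in the demo and in the scp transfer under "Upload Through Control Sockets".

```sshconfig
# ~/.ssh/config (added example, not from the page).  The per-user file is read
# before /etc/ssh/ssh_config, and the first value found for an option wins.

# Control socket for one destination only.  The socket is created in
# ~/.ssh/controlmasters/ (assumed directory; create it first) and named
# <remote user>@<host>:<port> from the %r, %h and %p tokens.
Host machine1.example.org
    ControlMaster auto
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlPersist 10m          # keep the master alive 10 minutes after the last session

# Wildcard variant: every connection from this client multiplexes through a
# shared socket, and the master stays in the background indefinitely.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlPersist yes

# /etc/ssh/sshd_config (server side, the defender's counterpart).  One shell,
# exec or subsystem session per network connection effectively disables
# session multiplexing (sshd_config(5)): a second ssh or scp over an existing
# master is refused instead of slipping in without its own authentication entry.
# Port forwards over the connection are not affected by this limit.
MaxSessions 1
```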
Host Enumeration¶
Each situation will dictate the method of enumeration. If accessing one of your own systems, you need not be concerned with the noise level, as you are an authorized user. If you are performing a penetration test, or are on an adversary box, your techniques will have to change in order to avoid detection and provide situational awareness before you take your next steps.
Enumerating Users¶
Risk associated with users
- How do we differentiate the various levels of users?
- Logged in Console vs. TTY
Why do we need to characterize the users on a system?
- Users have access to resources. If an organization is performing its due care and due diligence, then each user has access only to the resources required to perform their duties. Knowing which users to target will aid in quickly reaching the goals of the mission at hand.
- Don't always think that you must escalate privileges vertically. Horizontal, or lateral, movement can have great value. As mentioned, each individual may have different access, and by laterally moving from user to user, you are continuing to gain access to additional resources. Each user, on their own, may not have the keys to the kingdom, but lateral movement can incrementally expose the keys.
- Organizations, through haste in providing users the access they need to perform their job, are sometimes negligent in removing unnecessary access. For example: Mary is in Sales, and she is provided access to "Sales" resources. She is transferred into Marketing, so the administrators place her user account in the Marketing group, and fail to remove her from the Sales group. This privilege creep can give users more access than they need, and focusing on these types of users could provide more benefit than a user of a single group.
- There are users that typically have special access such as Administrator or Root. Although these names are used for us humans, there are numeric identifiers for accounts that are just as important to know, and understand, as logical names can be changed.
Windows User Enumeration Commands¶
Linux User Enumeration Commands¶
Note
Commands such as w, id (and others): the output of these commands is distinctive, and an IDS/IPS rule can be written to detect their use. Although they are benign commands, they are infrequently used, and their use indicates that someone is attempting to enumerate a system. Although these rules will potentially produce false positives because of legitimate command use, it is sometimes best to err on the side of paranoia and ensure that they are being used legitimately. Knowing this, to avoid detection, it is often best to run commands that give the same information but produce output in a way that is challenging to detect. For example: instead of the "id" command, use the commands "whoami" and "groups", as their output is too generic for a reliable rule.
Enumerating processes¶
What is the system doing?
- Investigating process activity can provide valuable information about a system.
- Can assist in finding unauthorized activity.
Kernel process vs. standard process
- Kernel mode is typically reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode are catastrophic and can destroy data and bring the entire system down.
- User-mode processes have no ability to directly access hardware or reference memory and have to ask the kernel for access.
Windows Process Enumeration Commands¶
Linux process enumeration commands¶
Enumerating Services/Daemons¶
What is a service/daemon/unit?
- The terms service, daemon, and unit are relatively interchangeable. Windows uses the term "service", UNIX SystemV systems use the term "daemon", and UNIX systemd systems use the term "unit." Whatever term you use should be applicable to the system to which you are referring.
- Services/daemons/units are programs that run in the background that generally provide access to resources although not always. For example, sshd (SSH service), will run in the background on a system in anticipation of a remote user attempting to connect to said system. Once a user initiates the connection, the ssh service/daemon/unit will negotiate parameters, test authentication, and if all conditions are satisfied, allow the remote user access to the system.
What type of server is the host?
- Operating system flavor will dictate how to enumerate the system.
- Knowing some of the functions of the server may reveal its purpose and how to leverage it.
Windows Service Enumeration Commands¶
Linux Daemon/Unit Enumeration Commands¶
Enumerating Network Connections¶
Why is this a concern?
- Offensive view:
  - Who else is connected to this device that could notice my connection?
- Defensive view:
  - Am I the only one that should be connecting remotely to the system?
  - What connections don't look normal and what ports are being used?
  - Remote administration and Remote Logging
Windows Network Enumeration Commands¶
Linux Network Enumeration Commands¶
Additional areas of focus¶
The list of commands above is not a complete list. There are other commands to get additional information, along with deprecated commands.
Windows Additional Enumeration Commands¶
Linux Additional Enumeration Commands¶
Deprecated Linux Networking Commands (And Their Replacements)¶
| Deprecated Command | Replacement Command(s) |
|---|---|
| arp | ip n (ip neighbor) |
| ifconfig | ip a (ip addr), ip link, ip -s (ip -stats) |
| iptunnel | ip tunnel |
| iwconfig | iw |
| nameif | ip link, ifrename |
| netstat | ss, ip route (for netstat -r), ip -s link (for netstat -i), ip maddr (for netstat -g) |
| route | ip r (ip route) |
Data Exfiltration¶
There are many ways to perform data exfiltration, but the ones you use will depend on your goals. Obfuscating the data is a technique that applies a reversible encoding to the data so that Data Loss Prevention devices/software do not trigger and/or casual eavesdropping doesn't notice the contents, but basic obfuscation is trivial to decode, and a seasoned analyst can see patterns in the chaos and would tag it for further analysis. Encryption also hides the contents of the data, while additionally protecting the data from being decrypted by an observer. Chunking is a technique used to break up large amounts of data into smaller pieces so that it can be sent out piece by piece and doesn't look like one large stream of data. Utilizing protocols commonly used on the network to blend in also helps avoid detection. Varying the times at which the pieces are sent out will ensure that the transfer looks random. Combining all of these techniques can make detection very difficult if employed correctly. You could also use a transport, like SSH, so that your entire session is encrypted and obfuscation of data in transit is not required.
Data exfiltration is the unauthorized transfer of data from a computing device. Data has value and the same data's value may vary to different cyber entities.
Capturing your session for later extraction of data¶
Consider that if you start another connection, such as SSH, SCP, FTP, etc., this may raise the noise level. It may be beneficial to utilize the existing connection and display the data in a way that it can be copied/pasted and converted back to its original format. Rather than copy and paste, you can capture the activity in your session.
- Linux session logging:
- Windows session logging:
Linux data obfuscation Techniques¶
Using the "tr" command, a simple cipher can be used to obfuscate the data and is easily reversible.
The following is a simple ROT1 cipher that will shift the characters 'a-zA-Z0-9' over by one, that is 'a' becomes 'b', etc.
This can be implemented to convert any character to any other character, not just a ROT cipher. With this example, it doesn't replace the colon ':' character, so even after using it, it is easy to identify the original file from the pattern of colons. This can be fixed by ensuring that every source character is taken into consideration, but you have to know your data.
- Pros - easy to use, easy to reverse
- Cons - easy to detect and reverse. Can work with binary files, but if you want to completely change the source file, you will have to consider every different input value.
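The ROT1 substitution just described, as an added example that is not from the original page, together with its reverse and the colon-pattern check that makes the encoded output easy to recognise; the passwd-style sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): the tr-based ROT1 cipher the
# text describes, its reverse, and a check showing why it is easy to spot.

# Shift a-z, A-Z and 0-9 forward by one position (z -> a, Z -> A, 9 -> 0).
rot1_encode() {
    tr 'a-zA-Z0-9' 'b-zaB-ZA1-90'
}

# Undo the shift: the same mapping applied in the opposite direction.
rot1_decode() {
    tr 'b-zaB-ZA1-90' 'a-zA-Z0-9'
}

# Count colon-separated fields on the first line of stdin.  A substitution
# that leaves ':' untouched preserves the field count, so the encoded record
# is still recognisable as a seven-field passwd entry.
field_count() {
    awk -F: 'NR == 1 { print NF; exit }'
}

# Constructed sample record (not a real account).
SAMPLE='root:x:0:0:root:/root:/bin/bash'

encoded=$(printf '%s\n' "$SAMPLE" | rot1_encode)
decoded=$(printf '%s\n' "$encoded" | rot1_decode)

printf 'original: %s\n' "$SAMPLE"
printf 'encoded:  %s\n' "$encoded"      # sppu:y:1:1:sppu:/sppu:/cjo/cbti
printf 'decoded:  %s\n' "$decoded"      # root:x:0:0:root:/root:/bin/bash
printf 'fields in encoded line: %s\n' "$(printf '%s\n' "$encoded" | field_count)"   # 7
```

The letters change but the seven-field shape survives, which is the pattern an analyst or a DLP rule keys on.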
Linux typically includes at least two of the preceding commands that can alter the data in a way that can be reversed. All convert files to a text equivalent, some are a little more challenging to work with, but you use what you have. The easiest one to work with is base64.
- Pros - easy to use, easy to reverse. Works well with binary files and converts them into a text format which can be copied and pasted in the existing session as opposed to transferring using a separate network connection.
- Cons - easy to detect and reverse.
OpenSSL is more than likely installed on every modern Linux distribution. It can be used to encrypt the data and convert it to text so that it can be copied and pasted as opposed to transferred. There are many ways to implement it, but the below demonstrates how to encrypt the file with a password, convert to base64 and use nosalt. The below also shows a password on the command line, which is a no-no, but the -k option can be removed and you will be prompted for a passphrase.
- Pros - easy to use, easy to reverse. Works well with binary files and converts them into a text format which can be copied and pasted in the existing session as opposed to transferring using a separate network connection. The output encoding can be changed.
- Cons - Encoding types have patterns that are sometimes easy to detect. You may not be able to decrypt it, but you can look for these patterns which will stand out.
Combination of Techniques
- You could use OpenSSL, and then add some more obfuscation techniques previously discussed to make it much more challenging to detect.
- Forward and reverse // through regular tunnels and control sockets // throttling.
Windows Data Obfuscation Techniques¶
String-Replace¶
Implement a simple cipher. Character transposition is a bit challenging in Windows but can be done with PowerShell.
It will be a long command, as you have to do each character, but this can be scripted to automate the conversion. Be careful: if you don't translate every character at once, you may permanently alter the data in a way that is not reversible. This can be implemented to convert any character to any other character, not just a ROT cipher. With this example, it doesn't replace the colon ':' character, so even after using it, it is easy to identify the original file from the pattern of colons. This can be fixed by ensuring that every source character is taken into consideration, but you have to know your data.
- Pros - easy to use, easy to reverse.
- Cons - easy to detect and reverse. Can work with binary files, but if you want to completely change the source file, you will have to consider every different input value to change.
Base64 Encoding of Data¶
- Pros - easy to use, easy to reverse. Works well with binary files and converts them into a text format which can be copied and pasted in the existing session as opposed to transferring using a separate network connection.
- Cons - easy to detect and reverse.
Encrypting Data: needs further development. The link below provides further examples.
PowerShell Script: Encrypting / Decrypting A String – Function Encrypt-String
Data Transfer Through SSH¶
Tip
Usage of these tools will involve establishing an additional connection to transport the data. This may not be optimal; however, these methods will transport the data securely. Since OpenSSH is on Windows and Linux, you are able to use the same commands.
The ssh command was used to demonstrate control sockets; all three of these commands will utilize control sockets exactly the same way ssh does and will use them as set in the system-wide and per-user configuration files, or from the command line with the ssh option -o 'ControlPath=...'.
Upload Through Regular Tunnels¶
Download/Exfil Through Regular Tunnels¶
Upload Through Control Sockets¶
The operator creates an SSH session to TARG_IP and uses the -M option to place the SSH client into "master" mode for connection sharing. This provides the operator the ability to use the control socket for connection sharing specified by the -S option (referred to in the man page as ctl_path). In this example, /tmp/s is an arbitrary location selected as the control path.
The /tmp/s file is, for all intents and purposes, acting as a FIFO whenever another SSH client (be that SSH or SCP) sends data, or a file, to it via the -o option in the scp line.
The operator executes an scp (secure copy) command to transfer an arbitrary file to /DEST/FILENAME on TARG_IP. Instead of having to authenticate again, the scp command utilizes the ControlPath located at /tmp/s to transfer the file. By using the ControlPath, the scp command does not have to authenticate to TARG_IP, therefore saving another /var/log/secure or auth.log entry from being made, besides the original SSH connection.
Download/Exfil Through Control Sockets¶
Downloads¶
References¶
SSH and SCP man pages