CompTIA Pentest+ PT0-002 – Section 16: Post-exploitation Part 1
March 9, 2023

151. Post-exploitation (OBJ 3.7)

In this section of the course, we’re going to discuss different techniques that are used during the post exploitation part of your attacks against a target network. Now post exploitation actions are any actions that you take after the initial attack or exploit has been successful. For example, if you were able to conduct a spear phishing attack against an employee in your target organization, and then they clicked on a link in the email you sent and that downloaded some malicious code and this gives you remote access to their workstation, well, all of that is just the first step in a larger exploit that you can then use to conduct during your engagement. That initial access is going to be a great thing for you, but now you’re just acting as a regular user on that machine. So now you’re going to need to enumerate the host to determine what other user accounts are located on it. You’ll also enumerate the network to see what other hosts or servers are on it, and you’re going to enumerate their infrastructure to determine what other data exists across the network and its data stores.

In addition to all of that, you might also want to gain additional permissions using privilege escalation, or to begin to move laterally across the network into other hosts or servers. And there’s always a risk that somebody might discover you. So you’re going to want to establish persistence in that network by initiating callbacks and shells, as well as establishing covert channels to exfiltrate data that you’re trying to steal from that network. As you can see, there are lots of different things that you’re going to need to do after getting your initial foothold into that network with your first exploit, and that is what we’re going to be focused on in the next two sections of the course as we start completing our coverage of Domain 3, Attacks and Exploits, by working through objective 3.7. Now in this section though, we’re going to be focused on the first part of objective 3.7. Objective 3.7 states that given a scenario, you must perform post exploitation techniques.

Now as we move through this section of the course, we’re going to begin by discussing the first step in your post exploitation, which involves the enumeration of the different users, groups, forests, hosts, sensitive data, and unencrypted files that may be located across the network. After that, we’re going to cover the concept of network segmentation and how you can test if an organization has properly segmented their network to prevent an attacker from laterally moving across it. Then we’ll dive into lateral movement as a way for you to expand your access throughout the target network, and your ability to pivot through different devices to gain access to more restricted areas or subnets of that larger enterprise network. After that, we’re going to discuss privilege escalation, both horizontal and vertical privilege escalation, and the different techniques used on Linux and Windows systems to conduct this escalation of your privileges. Finally, we’re going to discuss methods that can be used to upgrade a restrictive shell or non-interactive shell during your post exploitation efforts. All right, it’s time for us to begin our post exploitation techniques as we continue our coverage of Domain 3, Attacks and Exploits, in this section of the course.

152. Enumerating the Network (OBJ 3.7)

In this lesson, we’re going to talk about enumerating the network. Now, if you remember from our earlier phases, we already conducted enumeration once from outside of the network. But now that we have a foothold into this network, we are going to use our post-exploitation time to first enumerate the network. We’re going to be looking for users, groups, hosts, forests, sensitive data, and unencrypted files as we sit on this network and try to figure out what’s around us. Now, when I talk about enumeration, this is the process of identifying and scanning network ranges and hosts belonging to that target network and mapping out an attack surface. Again, we’ve already done this from outside of the network.

But at this point, we’re now sitting inside the network, either as a regular user or an administrator because of some sort of exploit that we’ve run. And now we need to take a moment and look around and see what’s there. The first thing we’d like to do, if we’re on a Windows domain, is to start searching through Active Directory. Now remember Active Directory is a central directory service and it allows information to be stored, classified, and retrieved very easily. Now from Active Directory, we can start looking upwards through the directory at all the different users and groups, their organizational units, the domain, a tree, or even the forests. By doing this, we’re going to be able to see what this host can see and what they can communicate with, and what information might be out there on the network for us to grab.

Now to do this, we can use PowerShell and its different cmdlets to get information about the current user’s domain, by using commands like Get-NetDomain, or to see what users are logged into a given computer or system, by using Get-NetLoggedon. There are lots of different PowerShell commands you can use. For the exam, you don’t need to know every single PowerShell command, but as you start working in the field as a penetration tester, you will want to get comfortable using PowerShell because it is one of the easiest ways to gather information in a Windows domain. Now, if you happen to find yourself on a Linux system, you can also use lots of different command-line tools to find out information about the people on that system, too. For example, if you display the password file to the screen, this is going to list all of the users on that system. If you use `uname -a`, this will display the OS name, version, and other details to the screen for you to understand what system you’re on. You can also look at all the environment variables by typing `env` at the command prompt and then hitting Enter. As I said, you’re going to get more comfortable with each of the tools in Windows and Linux as you do more of this in the field and you start practicing on your virtual machines. But for the exam, the first thing you want to do inside of post-exploitation is to start enumerating that system, looking for different users and groups, forests, and other data that might be interesting. Now, speaking of sensitive data, how might you find sensitive data? Well, one of the ways you can do this is by setting up a network sniffer on the victimized host that you’re in. If you’re able to use something like Metasploit to gain access to this machine, you can then use the Meterpreter payload and turn on the packet capturing function. This will allow you to start capturing all the data you’re seeing crossing that network, and then exfiltrating that back to your attack machine. From there, you can load it up using something like Wireshark, and use that to discover different network hosts by looking at the different NetBIOS Name Service messages that are going across the network.
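The Linux host enumeration described above (listing the accounts in the password file and reviewing the environment) can be scripted so that the interesting results are pulled out automatically. The following is an added example written for this lesson, not code from the course or from any tool it mentions: it parses passwd(5)-format text, reports which accounts actually have an interactive login shell, flags every account with UID 0 (an auditor's standard check, since only root should normally have it), and lists environment variable names that look like they hold credentials. The sample password file and the environment dictionary are constructed for the demonstration; when run without arguments it reads the real `/etc/passwd` and `os.environ` of the host it runs on.

```python
import os
import platform
import re

# Constructed sample passwd(5) content for the demonstration (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/zsh
svc_backup:x:1002:1002:backup job:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Shells that do not give a login session; an empty shell field means /bin/sh on
# most systems, so it is deliberately NOT treated as non-interactive here.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Variable names that commonly carry secrets (pattern is an assumption of this example).
SENSITIVE_ENV = re.compile(r"(PASS|PASSWD|PASSWORD|SECRET|TOKEN|API_KEY|AWS_|PRIVATE)", re.I)


def parse_passwd(text):
    """Parse passwd(5) lines into dicts. Blank, comment and malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                             "gecos": gecos, "home": home, "shell": shell})
        except ValueError:  # non-numeric uid/gid: malformed entry
            continue
    return accounts


def interactive_accounts(accounts):
    """Accounts whose shell can actually be logged into."""
    return [a for a in accounts if a["shell"] not in NON_INTERACTIVE_SHELLS]


def uid_zero_accounts(accounts):
    """Every account with UID 0. More than one entry here is a finding worth reporting."""
    return [a["name"] for a in accounts if a["uid"] == 0]


def sensitive_env_names(environ):
    """Names (never values) of environment variables that look like credentials."""
    return sorted(k for k in environ if SENSITIVE_ENV.search(k))


def describe_host():
    """The same facts `uname -a` prints, via the standard library."""
    u = platform.uname()
    return {"system": u.system, "node": u.node, "release": u.release, "machine": u.machine}


def enumerate_host(passwd_text=None, environ=None):
    """Build the enumeration summary; defaults to the live host when no sample is given."""
    if passwd_text is None:
        with open("/etc/passwd", encoding="utf-8") as f:
            passwd_text = f.read()
    if environ is None:
        environ = os.environ
    accounts = parse_passwd(passwd_text)
    return {
        "host": describe_host(),
        "interactive": [a["name"] for a in interactive_accounts(accounts)],
        "uid_zero": uid_zero_accounts(accounts),
        "sensitive_env": sensitive_env_names(environ),
    }


if __name__ == "__main__":
    # Constructed environment for the demo; pass nothing to inspect the real host.
    demo_env = {"PATH": "/usr/bin", "HOME": "/home/alice", "DB_PASSWORD": "x", "API_KEY": "k"}
    for key, value in enumerate_host(SAMPLE_PASSWD, demo_env).items():
        print(f"{key}: {value}")
```

Only variable names are reported, never their values, so the output can go into a report without copying a credential into it.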

Or looking at data such as Kerberos authentications that are happening over the network too, and collecting the different user accounts that are going across that wire. All of this is considered part of your enumeration, and this is part of your post-exploitation as you start gathering additional information about the network you’ve just exploited. Finally, as you’re looking through the packet captures, you might also come across unencrypted files and sensitive data that was being transferred across the network in an unencrypted format. In addition to that, you can start figuring out what things are on the share drive, and anything that’s on the share drive that is unencrypted, you can then look at and see if there is sensitive data that could be something you want to use as part of your proof that you’re able to exploit this network.
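The lesson points out that NetBIOS Name Service (NBNS) traffic in a capture reveals the hosts around you, because every Windows host broadcasts the names it registers and queries on UDP port 137. The example below is added for this lesson and is not code from the course or from Wireshark: it implements the RFC 1001/1002 first-level name encoding (each byte of the 16-byte NetBIOS name becomes two letters in the range A to P), builds a few NBNS query packets to act as a constructed capture, parses them back, and turns the result into a host inventory keyed by name with the service roles inferred from the 16th (suffix) byte. The suffix-to-role table holds the well-known Microsoft values; the source addresses and host names are constructed.

```python
import struct

# Well-known NetBIOS name suffixes (16th byte) and the service each denotes.
SUFFIX_ROLES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}
QTYPE_NB = 0x0020   # NB query type (name -> address)
QCLASS_IN = 0x0001
NBNS_FLAGS_BROADCAST_QUERY = 0x0110  # opcode 0, recursion desired, broadcast bit


def encode_netbios_name(name, suffix=0x00):
    """First-level encode: 15-char space-padded name + suffix -> 32 letters A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))      # high nibble + 'A'
        out.append(0x41 + (b & 0x0F))    # low nibble + 'A'
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix). Rejects non A..P bytes."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 0x0F and 0 <= lo <= 0x0F):
            raise ValueError("encoded byte outside A..P")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name, suffix=0x00, txid=0x1234):
    """UDP payload of an NBNS name query as a host would broadcast it (used as test data)."""
    header = struct.pack(">HHHHHH", txid, NBNS_FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"  # one 32-byte label, no scope
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def parse_nbns_query(payload):
    """Parse the header and first question of an NBNS packet (UDP/137 payload)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    if payload[off] != 32:
        raise ValueError("first label is not a 32-byte encoded NetBIOS name")
    off += 1
    name, suffix = decode_netbios_name(payload[off:off + 32])
    off += 32
    while payload[off] != 0:          # skip NetBIOS scope labels, if any
        off += 1 + payload[off]
    off += 1
    qtype, qclass = struct.unpack(">HH", payload[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "name": name,
            "suffix": suffix, "role": SUFFIX_ROLES.get(suffix, "unknown (0x%02X)" % suffix),
            "qtype": qtype, "qclass": qclass}


def inventory_from_captures(captures):
    """captures: iterable of (source_ip, udp_payload). Non-NBNS payloads are skipped."""
    seen = {}
    for src_ip, payload in captures:
        try:
            q = parse_nbns_query(payload)
        except (ValueError, IndexError, struct.error):
            continue
        entry = seen.setdefault(q["name"], {"roles": set(), "sources": set()})
        entry["roles"].add(q["role"])
        entry["sources"].add(src_ip)
    return seen


# Constructed capture: two hosts announcing names, plus one non-NBNS datagram.
SAMPLE_CAPTURES = [
    ("10.0.0.5", build_nbns_query("FILESRV01", 0x20)),
    ("10.0.0.7", build_nbns_query("WKS-ALICE", 0x00)),
    ("10.0.0.9", b"\x00\x01junk"),
]

if __name__ == "__main__":
    for name, info in sorted(inventory_from_captures(SAMPLE_CAPTURES).items()):
        print(name, sorted(info["roles"]), sorted(info["sources"]))
```

The same parser works on real traffic once you pull the UDP payloads out of a capture (for example with a pcap library); the decoded names and suffixes are exactly what Wireshark shows in its NBNS dissector. Because every host on the segment emits these broadcasts on its own, watching for them is also how a defender can spot an unexpected machine appearing on a VLAN.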

153. Network Segmentation Testing (OBJ 3.7)

As a penetration tester, it’s often important for you to test network segmentation. If you’re doing a penetration test for PCI DSS, for example, you must prove that the organization has ensured proper segmentation between their cardholder data environment and the rest of their network. For this reason, it’s important that you understand what methods you can use for testing that network segmentation. Now, first, let’s talk about what network segmentation is. Well, a network segment is simply a portion of a network where all attached hosts can communicate freely with each other. So by contrast, anytime we have network segmentation, we are creating logical barriers between each of those segments. This is most commonly done by using subnets and VLANs or firewalls to isolate those two different network segments from each other. Now, as a penetration tester, you’re normally going to find that segmentation fails if there is a misconfigured firewall, or legacy rules were not removed from those firewall or router ACLs, or there’s some kind of third-party management service that is incorrectly allowing access between the two VLANs.

To conduct a segmentation check, you’re basically going to conduct a series of penetration tests to validate that the less secure networks are not able to communicate with a higher security network, such as the one that contains the cardholder data. When you’re doing this, you’re testing the different controls to make sure segmentation is working properly. So if you believe that somebody should not be able to get into the cardholder data environment from their local workstation on the production network, you need to run a port scan as a regular user from that part of the network against the cardholder data environment to confirm that you cannot reach any IP address inside the cardholder data environment. If you can’t, this proves you have proper segmentation. The idea is, you should not be able to see any IP addresses inside that local area network segment that is sitting behind that router or firewall, because it is logically isolated and separated from the rest of the network. To make sure you’re doing these tests properly, you should have a proper test plan set up that lists out all of the different areas that you want to test. That way, you can go through them logically and methodically in a sequence that makes sense.

When you’re conducting your segmentation checks, you want to make sure you’re testing not just TCP or UDP ports to verify you can’t talk to those devices, but also any kind of applications that are working between the two network segments. For example, if there is a web application that’s reaching into the cardholder data environment, you want to make sure you’re testing that application to ensure it is properly blocking any type of access from those who are not supposed to have access. This will make sure you have proper segmentation both at the network layer and at the higher application layer. One other common area of misconfiguration that allows segmentation to be bypassed is the use of VPNs. You want to make sure that any VPNs are properly set up and configured to have the proper access controls so people cannot bypass the logical network segmentation that exists between the routers, firewalls, and ACLs.
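The two lessons above describe a segmentation check as a test plan of expected-allowed and expected-blocked paths that you work through methodically. The example below is added here and is not code from the course or from any scanner it mentions: it runs such a plan for the TCP part of the check and records not just reachable or unreachable, but whether an unreachable port was `filtered` (no answer, which is what a correctly dropping firewall produces) or `closed` (an RST came back, meaning the packet crossed the boundary and the host is discoverable, so the control is not doing its job even though no service answered). The hosts and ports in the test plan are placeholders you replace with the cardholder data environment addresses from your own plan; the `__main__` demonstration uses a local listener so it runs offline.

```python
import socket

# Probe outcome -> how it should be read in a segmentation test.
STATUS_MEANING = {
    "open": "three-way handshake completed; service reachable",
    "closed": "RST received; no service, but the boundary passed the packet",
    "filtered": "no answer or no route; traffic dropped before the host",
}


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port as open, closed, or filtered from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"             # silently dropped: what a deny rule should look like
    except ConnectionRefusedError:
        return "closed"               # host answered with RST: packet reached it
    except OSError:
        return "filtered"             # no route, network unreachable, name lookup failed


def judge(expected, status):
    """Compare an observed status with the plan's expectation; returns (verdict, note)."""
    if expected == "allowed":
        if status == "open":
            return "PASS", "path open as designed"
        return "FAIL", f"expected service reachable but port is {status}"
    if expected == "blocked":
        if status == "filtered":
            return "PASS", "boundary drops the traffic"
        if status == "closed":
            return "FAIL", "host answered with RST: filter is not dropping traffic, host is discoverable"
        return "FAIL", "port is open across the boundary"
    raise ValueError(f"unknown expectation {expected!r}")


def run_plan(plan, timeout=2.0):
    """plan: list of {'id', 'host', 'port', 'expect'} dicts; returns one result dict per case."""
    results = []
    for case in plan:
        status = probe_tcp(case["host"], case["port"], timeout)
        verdict, note = judge(case["expect"], status)
        results.append({**case, "status": status, "verdict": verdict, "note": note})
    return results


def start_local_listener():
    """Bind a listening socket on an ephemeral loopback port (stands in for an 'allowed' service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_local_port():
    """Find a loopback port with nothing listening (stands in for a 'closed' host)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration. In a real check the hosts are CDE addresses from your test plan,
    # for example {"id": "CDE-1", "host": "<cde-db-host>", "port": 1433, "expect": "blocked"}.
    srv, open_port = start_local_listener()
    demo_plan = [
        {"id": "T1", "host": "127.0.0.1", "port": open_port, "expect": "allowed"},
        {"id": "T2", "host": "127.0.0.1", "port": free_local_port(), "expect": "blocked"},
    ]
    for r in run_plan(demo_plan, timeout=1.0):
        print(f"{r['id']}: {r['verdict']} ({r['status']}: {STATUS_MEANING[r['status']]}) - {r['note']}")
    srv.close()
```

Run it once from each source segment named in the plan (the workstation VLAN, the guest network, a VPN client), because a single vantage point proves nothing about the others. In the demo the second case fails deliberately: loopback answers with an RST, which is exactly the `closed` result that should be treated as a finding when it comes from across a boundary that is supposed to drop traffic.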
