Back to Subject

Unit 5 - Notes

INT245 7 min read

Unit 5: System Hacking and Post Exploitation

1. System Hacking Overview

System hacking is the methodology used to gain access to a computer system, escalate privileges, execute applications, hide files, and cover tracks. It is the core phase of a penetration test where the attacker moves from enumeration to active control.

The System Hacking Cycle (CEH Methodology)

  1. Gaining Access: Bypassing security controls (password cracking, exploits).
  2. Escalating Privileges: Moving from a low-privileged user to Administrator/Root.
  3. Executing Applications: Installing malware, backdoors, or RATs.
  4. Hiding Files: Using steganography or OS attributes to conceal data.
  5. Covering Tracks: Clearing logs to avoid detection.

2. Password Cracking

Password cracking is the process of recovering passwords from data stored in or transmitted by a computer system.

Attack Types

  • Passive (Offline) Attacks: The attacker steals the hash database (e.g., SAM file, /etc/shadow) and cracks it locally without communicating with the target.
  • Active (Online) Attacks: The attacker interacts directly with the login portal (e.g., SSH, RDP, HTTP).

Cracking Techniques

  1. Dictionary Attack: Uses a file containing a list of common passwords.
  2. Brute-Force Attack: Tries every possible combination of characters. Guarantees success but is time-consuming.
  3. Hybrid Attack: Combines dictionary words with numbers or symbols (e.g., "Password123").
  4. Rainbow Tables: Pre-computed tables for reversing cryptographic hash functions (time-memory trade-off). Effective against unsalted hashes.
  5. Credential Stuffing: Using username/password pairs breached from one service to log into another.
  6. Rule-Based: Generating candidates based on specific rules (e.g., first letter capitalized, end with two digits).

Key Tools

  • John the Ripper (JtR): CPU-based password cracker (good for varied formats).
  • Hashcat: GPU-accelerated cracker (industry standard for speed).
  • Hydra/Medusa: Online parallel login crackers (for FTP, SSH, etc.).
  • Mimikatz: Windows tool to dump plaintext passwords, hashes, and PIN codes from memory.

Hashing Concepts

  • Salt: Random data added to a password before hashing to defend against Rainbow Tables.
  • NTLM: Standard Windows hash format.
  • SHA-512 ($6$): Standard Linux hash format.

3. Enumerating Users and Assets (Post-Exploitation)

Once access is gained, the tester must determine the context of the compromise ("Who am I?" and "Where am I?").

User Enumeration

  • Windows:
    • whoami /all: Shows current user and group memberships (SIDs).
    • net user: Lists all users.
    • net localgroup administrators: Lists admins.
  • Linux:
    • id: Shows UID, GID, and groups.
    • who / w: Shows currently logged-in users.
    • cat /etc/passwd: Lists all user accounts.

Asset and System Enumeration

  • Network Config:
    • Windows: ipconfig /all, route print, arp -a.
    • Linux: ifconfig or ip a, netstat -antup (active connections).
  • OS & Patch Level:
    • Windows: systeminfo (crucial for finding kernel exploits).
    • Linux: uname -a, cat /etc/*release.
  • Installed Applications: Searching for vulnerable software installed on the host.
  • Sensitive Files: Searching for "password", "config", "backup", or "id_rsa".

4. Privilege Escalation

The process of gaining higher permissions than the initial compromised account.

Privilege Escalation: Windows

  1. Kernel Exploits: Utilizing vulnerabilities in the Windows OS kernel (e.g., checking systeminfo against a database of CVEs).
  2. Unquoted Service Paths: If a service path contains spaces and is not quoted (e.g., C:\Program Files\My Service\service.exe), Windows looks for C:\Program.exe first.
  3. Weak Service Permissions: If the current user can modify a service binary configuration, they can point the binPath to a malicious payload.
  4. AlwaysInstallElevated: A registry setting that, if enabled, allows users to install MSI files with elevated privileges.
  5. DLL Hijacking: Placing a malicious DLL in a directory where an application looks for it before finding the legitimate one.

Privilege Escalation: Linux

  1. Kernel Exploits: Exploiting the Linux kernel (e.g., Dirty COW).
  2. Sudo Rights: Checking sudo -l to see if the user can run specific commands as root without a password.
    • GTFOBins: A repository of Unix binaries that can be used to bypass local security restrictions.
  3. SUID/SGID Binaries: Executables that run with the permissions of the file owner (root) rather than the user.
    • Command to find SUID files: find / -perm -4000 2>/dev/null
  4. Cron Jobs: If a script running as a cron job is writable by the current user, it can be modified to execute malicious commands.
  5. NFS Root Squashing: Misconfigured Network File Systems allowing remote users to mount shares as root.

5. Analyze Exploit Code

Penetration testers often use public exploits (e.g., from Exploit-DB). Analyzing the code before execution is critical to prevent system crashes or running hidden malicious payloads.

Analysis Steps

  1. Identify the Language: Typically Python (.py), C (.c), Ruby (.rb), or Perl (.pl).
  2. Locate Variables: Find where IP addresses (RHOST) and ports (RPORT) are defined.
  3. Understand the Payload:
    • Look for shellcode (often hex strings like \x90\xeb...).
    • Determine if the shellcode generates a reverse shell or bind shell.
  4. Check for Offsets: In buffer overflows, verify the buffer length (EIP offset) matches the target version.
  5. Sanitize: Ensure the script does not contain "rm -rf /" or calls back to a rogue server controlled by the exploit author.

6. Reverse Engineering

Reverse Engineering (RE) involves deconstructing software to reveal its design, architecture, or to extract secrets.

Static Analysis

Analyzing the code without executing it.

  • Disassemblers: Convert binary machine code into Assembly language (e.g., IDA Pro, Ghidra, Hopper).
  • Strings Analysis: Using the strings command to find readable text (IPs, passwords, URLs) embedded in the binary.
  • File Headers: Analyzing PE (Windows) or ELF (Linux) headers to understand dependencies.

Dynamic Analysis

Analyzing the code while it is running.

  • Debuggers: Tools that allow pausing execution, inspecting memory/registers, and stepping through instructions (e.g., OllyDbg, x64dbg, GDB).
  • Sandboxing: Running malware in an isolated VM to observe behavior (file system changes, network callbacks).

Key Assembly Concepts

  • Registers: Small storage areas in the CPU (EAX, EBX, EIP/RIP). EIP/RIP is the Instruction Pointer—it points to the next code to execute.
  • Instructions: MOV (move data), PUSH/POP (stack operations), JMP (jump to location), CMP (compare).

7. Remote Access Tools (RATs)

A RAT is a program that provides a backdoor for administrative control over a target computer.

Characteristics

  • Client-Server Model: The attacker runs the Client (Controller), and the victim runs the Server (Stub).
  • Capabilities:
    • File management (upload/download).
    • Shell access (cmd.exe / /bin/bash).
    • Screen/Webcam capture.
    • Keylogging.
    • Process management.

Types

  • Legitimate: TeamViewer, VNC, LogMeIn (often used by attackers for persistence if credentials are stolen).
  • Malicious: DarkComet, NjRAT, PoisonIvy.
  • Framework-based: Meterpreter (part of Metasploit) is an advanced, in-memory RAT.

8. Automating Tasks Using Scripting

Scripting allows testers to automate repetitive tasks and interact with the OS effectively during post-exploitation.

Languages

  • Bash: Native to Linux. Best for piping commands and file manipulation.
  • PowerShell: Native to Windows. Powerful access to the .NET framework and Windows API.
  • Python: Cross-platform. Excellent for writing custom network tools and exploit scripts.

Common Automation Scenarios

  1. Ping Sweeps (Bash):
    BASH
        for i in {1..254}; do ping -c 1 192.168.1.$i | grep "64 bytes"; done
  2. Log Cleaning (Bash):
    BASH
        echo "" > /var/log/auth.log
    export HISTSIZE=0
  3. Port Scanning (Python): Using the socket library to attempt connections to a range of ports.
  4. File Exfiltration: Automating the encoding of files (Base64) to bypass network filters during data theft.

9. Maintaining Persistence

Persistence ensures the attacker retains access to the system even after reboots, password changes, or network interruptions.

Windows Persistence Techniques

  1. Registry Keys: Adding entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce.
  2. Scheduled Tasks: Using schtasks to run a backdoor every hour or at logon.
  3. Services: Creating a new service that auto-starts a malicious binary.
  4. Startup Folder: Placing shortcuts in the user's Startup directory.
  5. RDP Sticky Keys: Replacing sethc.exe with cmd.exe. Pressing Shift 5 times at the login screen launches a system-level command prompt.

Linux Persistence Techniques

  1. Cron Jobs: Adding entries to /etc/crontab to spawn a reverse shell periodically.
  2. SSH Keys: Adding the attacker's public key to the victim's ~/.ssh/authorized_keys file allows password-less login.
  3. Modified rc.local: Adding scripts to system startup files.
  4. Shell Configuration: Adding backdoor aliases or reverse shells to .bashrc or .profile, which execute whenever the user logs in.
  5. SUID Binary: Creating a copy of /bin/bash with SUID permissions hidden in a temp folder.
Previous
Unit 4
Next
Unit 6