CompTIA Pentest+ PT0-002 – Section 17: Detection Avoidance Part 4
March 12, 2023

169. Persistence and Covering Your Tracks (OBJ 3.7)

In this demonstration, I’m going to show you how you can set up scheduled tasks for persistence, as well as cover your tracks in a basic Windows environment. Now, for this particular demonstration, I am using a very old version of Windows, which is actually Windows XP. This is very, very old, and it is considered end of life at this point. But the same techniques we’ve been using for many, many years are still going to work on our latest systems. The only real difference is the actual exploits that you’ll be using when you’re attacking a more modern system, based on those more modern vulnerabilities. That said, this is still a great demonstration because you’re going to be able to see, in an easy-to-demonstrate way, the basic process we’re going to use with Meterpreter and the Metasploit Framework to gain access, create persistence, and then cover our tracks. So the first thing we’re going to do is exploit the Windows machine to get back on the box.

Now that I’m there again, I’m going to check my SID, and I am sitting there as a system-level user. Again, I want to switch over to a normal admin user, and in our case, we’re going to go ahead and switch back into John Sim at this point. So what we’re going to do is just go ahead and migrate into process 480, which is explorer.exe, and that will give us rights as if we are John Sim. And we’ll run getuid again and verify that we are John Sim. Now, again, everything I’m going to do here is going to be from the Windows prompt. So we’re going to go ahead and type in shell, and now we’re back on that box as if we are John Sim. Now the first thing I want to show you is how to set up a callback. So how do we get the machine to always start up that Netcat listener for us, so that it can call back to us whenever we want, or so that we can connect back to it whenever we want? Well, the way you do that is by using the at command, and at is just an automatic time scheduler. So the way at works is we can set up any program to run whenever we want. And we can do that every day, every week, every month, or on a specific day of the week at a certain time.

So what I’m going to do is I’m going to set up an at command, and first I’m going to check the time on the local system, because if I don’t know the time, everything’s going to be messed up, and I bet you the Windows machine is not showing 9:51 like my Kali machine is. So let’s type in time, and you’ll see that for them it is 4:00 in the afternoon, 16:53. So what I’m going to do is set up a time to do something, and the time we’re going to do it is going to be 4:57; that’ll give us a couple of minutes to be ready and be there. So we’re going to type in at and the time we want it to happen, so in our case it’ll be 16:57, and we’re going to tell it to do it every Sunday. And then we’re going to give it the command we want. Now, because I haven’t set up a listener yet, I’m just going to use something simple. I’m going to have it bring up a command prompt, and in that command prompt, I’m going to have it run a systeminfo command and redirect that to a file called info.txt in the root of the C drive. That’ll work just fine for us; we hit Enter and there’s now a new job. To show the job, we can just type in at, and you’ll see that each Sunday at 4:57, that is what’s going to happen. Now, what will we see on the victim machine? Well, we’re going to go over to that box and see what the victim is going to see at 4:57. Right now, there’s no file in the root of the C drive, and it is 4:56. Now at 4:57, it’s going to run the command and basically just do a systeminfo, which is a very quick command, dump all that information to a text file, and we should see a text file be created in our C drive.

Now, that particular command takes a little bit to run, a minute or two, and you can see now that it’s finished and we have the info file and it has some data in it. So if we open it up, you can see all the information that you would get from a systeminfo command. Now, that’s not necessarily very useful to us, but it does give us something, and it shows us the capability of being able to run any program we want. And again, if you open up that firewall, it can be doing things like pinging back to you and telling you, hey, I’m still awake and I’m under your control, or it can call you back so that every Thursday at 3:00 AM there’s that callback to you, your machine answers it, and then you can exploit that machine. So maybe you’ve set up call logging, maybe you’ve set up password sniffers, maybe you set up network sniffers, maybe you set up keyloggers, and every week you need to go back and get those files. It can set up that connection and send those back to you; it all depends on what you want to do and what program you want it to run.
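From the defender’s side, the at job above leaves an artifact that is easy to audit: a registered task whose action launches a command shell. The following PowerShell is an added example, not part of the course or the demo, that enumerates scheduled tasks on a modern Windows host (Windows 8 / Server 2012 or later for the ScheduledTasks module, so not the XP box used here) and flags those whose action runs an interpreter such as cmd.exe or powershell.exe, or whose command line contains a hidden-window switch, an encoded command, or a file:stream path. The list of executables and the regex are constructed here as a starting point, not a complete signature set.

```powershell
# Added example (not from the course): audit scheduled tasks for the kind of job the
# "at" demo created (a shell running a command and writing a file on a weekly trigger).
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

# Interpreters and utilities a scheduled persistence job typically invokes (constructed list).
$suspiciousExecutables = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'nc.exe'
)

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute path; COM-handler actions do not.
            if (-not $action.Execute) { continue }

            $exe     = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()

            # Flag known interpreters, plus hidden-window / encoded-command switches and
            # an alternate-data-stream style path such as hack.txt:info.txt.
            $hit = ($suspiciousExecutables -contains $exe) -or
                   ($cmdline -match 'hidden|-enc|bypass|\w+\.\w+:\w+\.\w+')

            if ($hit) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    RunsAs    = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    Triggers  = ($task.Triggers |
                                 ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
                    Command   = $cmdline
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

Expect noise: many of Microsoft’s own tasks under \Microsoft\ run powershell.exe or rundll32.exe, so the output needs a known-good baseline rather than being treated as a verdict. On the XP-era host in the demo, the equivalent checks are at with no arguments (as shown) and schtasks /query /fo LIST /v. For ongoing detection rather than a point-in-time sweep, the Security log records task creation as event 4698 when Other Object Access auditing is enabled, and the Microsoft-Windows-TaskScheduler/Operational log records registration as event 106.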

And that’s just a little bit of how you can use at as a way to create that backdoor and help set up ways to send things back to you as you need. Now, just a quick note: the at command has been deprecated since Windows XP and Windows 7, and on Windows 10 and 11 we use schtasks, which is a task scheduling command. The exact same thing works, and it’ll do the exact function that you just saw here. The only difference is instead of using at, you’re going to be using S-C-H-T-A-S-K-S. Now, let’s talk about how we’re going to hide some information. Well, we have this info file, so we’ll use that as our information file. And you have this hacked file. Now I’m going to do this on John Sim’s machine; you can do this from the command prompt on the Meterpreter box as well, but we’re going to use it over here so you can see what the effect is of us doing this. So first I’m going to open up a Command Prompt, and what we’re going to do is use what’s called an Alternate Data Stream, an ADS. We talked about this in the lecture, but now we’re going to use it in practice.

So, let’s say I wanted to hide this info file inside this hacked file on the desktop. Now, instead of this being the hacked file, maybe this is the person’s Word document or something like that. Alternate Data Streams work with any type of file you want, executable or not. So what we’re going to do here is get to the root directory first, so we’re going to go to the C drive, and from the C drive we can see that info file. Now on the desktop, we have the hacked file. So we’re going to go ahead and move into John Sim’s desktop. And from the desktop, you can see he has one file, hack.txt, and it is 37 bytes, a very small file. So what am I going to do? Well, I’m going to use the type command on C:\info.txt, which is my info file and the one I want to hide. So in my case, it could be malware or anything else; in our case, we’re just going to hide text inside other text. And we’re going to hide that inside the file that we have here on the desktop, which is the hacked file. And the way we do that is redirect that output into hack.txt, colon, and then the name of the stream, in our case info.txt, and it’s done. So let’s see how large that file is: it’s still 37 bytes. And can I still open the hacked file? Yes, it still looks the same. How do I get that info file out? Well, before we read it, I’m going to delete the original info file, so I can show you that it’s no longer there. Now, if I just type hack.txt to the screen, you’ll see that all I have is that one line. If I open it using Notepad, with notepad hack.txt, it opens up and I get the hacked file.

Now, if instead I want the info file, I have to do start notepad hack.txt:info.txt and hit Enter. And what do you see? The information that we hid. Now, is that information still in the original file? No, because we deleted it, and you can see here that the file doesn’t exist. So there’s really no hint that I’ve hidden a file inside this hacked file. If I open it as the user, I just see the normal file; I don’t see the hidden information. That’s what an Alternate Data Stream allows you to do: it just hides it.

And even from the operating system, again you see that the file size has not changed; it’s still 37 bytes. Now in reality, it’s larger, but that data is hidden inside this Alternate Data Stream. And this is a function of the way NTFS file systems work. Now, why is this useful to us? Well, instead of hiding text, I could be hiding malware. And then I can call that malware using the at program, so I can actually hide things very cleverly inside the file system. No one’s ever going to see them because of that Alternate Data Stream, but then I can actually start them using the at command every night at midnight or every night at 3:00 AM, and that malware will make that callback to me. This is how attackers maintain their access: they dig in, they hide, and they cover their tracks. And that’s what we’re doing with the at command and Alternate Data Streams.
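The reason hack.txt still reports 37 bytes is that dir and Explorer only report the default ::$DATA stream; the hidden stream is there on disk and NTFS will list it if asked. The following PowerShell is an added example, not part of the course or the demo, that walks a directory tree and reports every file carrying a non-default stream, along with the visible size and the bytes hidden in each stream. It needs PowerShell 3.0 or later (the -Stream parameter), so it would not run on the XP host in the demo; the scan path is an assumption and is passed in as a parameter.

```powershell
# Added example (not from the course): find files with alternate data streams beyond the
# default ::$DATA stream and show how much data each hidden stream holds.
# Requires PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the "downloaded from the Internet" mark browsers add; usually
        # benign, so it is skipped unless explicitly requested.
        [switch] $IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file; ':$DATA' is the file's ordinary content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file.FullName
                    VisibleSize = $file.Length   # what dir and Explorer report (37 bytes in the demo)
                    Stream      = $_.Stream      # e.g. info.txt for hack.txt:info.txt
                    StreamSize  = $_.Length      # bytes hidden in the alternate stream
                }
            }
    }
}

# Scan the current user's desktop (assumed path); read a flagged stream for inspection with
#   Get-Content -LiteralPath <file> -Stream <stream name>
Find-AlternateDataStream -Path "$env:USERPROFILE\Desktop" | Format-Table -AutoSize
```

Once a stream is identified, Get-Content with -Stream reads it and Remove-Item with -Stream deletes just that stream, leaving the host file intact. In a plain command prompt on Vista and later, dir /R lists streams alongside files, which is the quickest manual check; the XP box in the demo predates that switch, which is part of why the technique was so effective there.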

170. Post-Exploitation Tools (OBJ 3.7)

In this lesson, we’re going to talk about three post-exploitation tools that are covered by the exam. These are Empire, Mimikatz, and BloodHound. Empire is a command and control framework that uses PowerShell for common post-exploitation tasks. If you want to get it, you can simply go to the GitHub page for Empire. Empire gives you the ability to implement and run different PowerShell agents without needing PowerShell itself, and you can rapidly deploy post-exploitation modules ranging from keyloggers to Mimikatz, adaptive communications to evade network detection, and all sorts of other things, in a usable, focused framework provided at github.com/bc-security/empire. Now, Empire was really one of the first tools to show how easy it could be to use PowerShell and live off the land during your exploitation. Unfortunately, because it’s not really well maintained anymore by the original developers, it has lost favor with a lot of penetration testers. At this point, a lot of the tools and techniques used by Empire are able to be detected by antivirus tools, and you will get blocked if you’re trying to use them. But the idea is that if you see Empire on the exam, remember: Empire is a collection of PowerShell exploits that you can use during post-exploitation.

This includes the ability to do scanning, enumeration, further exploitation, and lateral movement throughout a Windows domain. The second tool you should be aware of during post-exploitation is Mimikatz. Mimikatz is an open-source tool that comes with several different modules. Mimikatz is really focused on its ability to exploit Microsoft’s Kerberos protocols. This gives you the ability to list the active processes, view credential information on a Windows computer, either from memory, from the hard drive, or from its registry, and then use that information to conduct Pass-the-Hash, Golden Ticket, and other credential exploitation attacks. The third one we have to talk about is BloodHound.

Now, BloodHound is a tool used to explore Active Directory trust relationships and abuse rights on Active Directory objects. When you use BloodHound, its job is to start doing enumeration and other exploitation against Active Directory, so you can find out more information about the different objects, security group memberships, and domain trusts that exist. BloodHound provides a graphical user interface and allows the penetration testing team to start planning out their next steps once they’ve gotten their initial foothold into a network. Although these three tools are called out specifically by the exam objectives under post-exploitation tools, they are by no means the only tools you’re going to use during post-exploitation. These days, a lot of the tools you’re going to focus on during post-exploitation are those that come built into Windows or Linux by default: things like PowerShell and Visual Basic scripts, as well as Python, Bash, Perl, and other languages that you can use to exploit a system and pivot into others.
