Module 06: System Hacking
Lab 1: Gain Access to the System
Task 1: Perform Active Online Attack to Crack the System’s Password using Responder
### Step -1 : Using Responder on ParrotOS
sudo responder -I eth0
Capturing the hash via logging into :
run (Win+R) --> //CEH-Tools
## Step -2 : Cracking hash using JohntheRipper
john <input_file.txt>
Task 2: Gain Access to a Remote System using Reverse Shell Generator
Step -1 : Reverse shell generator
1.1 : Running reverse shell generator on docker :
docker run -d -p 80:80 reverse_shell_generator
1.2 : Reverse shell generator on web :
https://www.revshells.com
Step -2 : Modules used for cracking :
1. Msfvenom
2. HoaxShellTask 3: Perform Buffer Overflow Attack to Gain Access to a Remote System
1. Setting Up the Vulnerable Server
Objective: Launch the
vulnserverapplication on a Windows 11 machine to simulate a vulnerable service for testing buffer overflow attacks.Steps:
Restart the machine and log in as the admin user.
Navigate to the
vulnserver.exefile and run it as an administrator.Configure Windows Security settings to allow access, ensuring the server runs without firewall interference.
Explanation: vulnserver is a deliberately vulnerable program used to practice exploitation techniques, like buffer overflow, in a controlled environment. Running it as an administrator and allowing network access ensures it functions correctly.
2. Installing and Setting Up Immunity Debugger
Objective: Use Immunity Debugger to monitor and analyze the behavior of the vulnerable application.
Steps:
Install Immunity Debugger and Python (required for running debugger scripts).
Launch Immunity Debugger and attach it to the
vulnserverprocess.Change the debugger status to "Running."
Explanation: Immunity Debugger allows you to observe application memory, register states, and interactions with system resources. Attaching it to vulnserver facilitates the identification of vulnerabilities like buffer overflows.
3. Establishing a Connection with Netcat
Objective: Test the
vulnserverfunctionality using Netcat from the Parrot Security machine.Steps:
Connect to the
vulnserverusing thenc -nv <IP> 9999command.Test commands like
HELPandEXITto verify server responses.
Explanation: Netcat is a versatile tool for network diagnostics and testing. In this context, it’s used to verify that the vulnerable server is accessible and responds to commands.
4. Performing Spiking
Objective: Identify vulnerable functions in the server by sending malformed inputs.
Steps:
Create spike scripts for specific functions (
STATSandTRUN).Use the
generic_send_tcptool to send these scripts to the server and observe responses in Immunity Debugger.
Explanation: Spiking involves crafting specific inputs to test server functions for buffer overflow vulnerabilities. The debugger's status change to "Paused" indicates a possible vulnerability.
5. Conducting Fuzzing
Objective: Send a large volume of data to identify the exact buffer size that causes an overflow.
Steps:
Use Python scripts to send incrementally larger payloads to the vulnerable function.
Note the size of the payload when the server crashes.
Explanation: Fuzzing determines the threshold at which a buffer overflow occurs, helping pinpoint the exploit size. The overflow size is critical for crafting an exploit.
6. Generating and Identifying Offsets
Objective: Determine the exact location of the overflow within the memory (EIP register).
Steps:
Use
pattern_create.rbto generate a unique payload.Overwrite the server with the pattern and use
pattern_offset.rbto calculate the EIP offset.
Explanation: The EIP register controls execution flow. Identifying its offset ensures you can control execution by overwriting the register with malicious shellcode.
7. Locating Bad Characters
Objective: Identify characters that could disrupt the exploit payload.
Steps:
Send all possible byte values to the server and analyze memory dumps for discrepancies.
Explanation: Bad characters, like null bytes (\x00), can terminate strings prematurely, corrupting payloads. Removing these ensures a reliable exploit.
8. Identifying Vulnerable Modules
Objective: Find server modules lacking security protections, such as ASLR or DEP.
Steps:
Use
mona.pyin Immunity Debugger to list modules and their memory protections.Identify a module (e.g.,
essfunc.dll) without protections.
Explanation: Exploiting a module without memory protections simplifies the attack, as it ensures predictable memory addresses.
9. Finding a JMP ESP Address
Objective: Locate an instruction (
JMP ESP) to redirect execution to the payload.Steps:
Use
mona.pyto find a usableJMP ESPinstruction in the identified module.Convert the address to hexadecimal for use in the exploit.
Explanation: A JMP ESP instruction is crucial for redirecting execution to the payload stored on the stack.
10. Crafting and Running the Exploit
Objective: Inject malicious shellcode to achieve control of the target machine.
Steps:
Write a Python script that includes the calculated offset,
JMP ESPaddress, and malicious shellcode.Send the crafted payload to the server and verify execution control via Immunity Debugger.
Explanation: By overwriting the EIP and injecting shellcode, you gain control over the vulnerable application, demonstrating the exploitation of the buffer overflow vulnerability.
Lab 2: Perform Privilege Escalation to Gain Higher Privileges
Task 1: Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys
As the result 1 meterpreter shell will be opened and now we will excelate the priviledges using bypassing UAC
Lab 3: Maintain Remote Access and Hide Malicious Activities
Task 1: User System Monitoring and Surveillance using Spyrix
Task 2: Maintain Persistence by Modifying Registry Run Keys
Registry keys labeled as Run and RunOnce are crafted to automatically run programs upon each user login to the system. The command line specified as a key's data value is restricted to 260 characters or fewer. If attackers discover a service connected to a registry key with full permissions, they can execute persistence attacks or exploit privilege escalation. Upon any authorized user's login attempt, the associated service link within the registry triggers automatically.
Lab 4: Clear Logs to Hide the Evidence of Compromise
Task 1: Clear Windows Machine Logs using Various Utilities
Task 2: Clear Linux Machine Logs using the BASH Shell
Lab 5: Perform Active Directory (AD) Attacks Using Various Tools
Task 1: Perform Initial Scans to Obtain Domain Controller IP and Domain Name
Task 2: Perform AS-REP Roasting Attack
Task 3: Spray Cracked Password into Network using CrackMapExec.
Task 4: Perform Post-Enumeration using PowerView
Get-NetComputer command in PowerShell. This command will display all the information related to computers in AD.
Get-NetGroup in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD, which helps in identifying group memberships and potential targets for privilege escalation.
Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts, such as usernames and group memberships.
Get-NetOU - Lists all organizational units (OUs) in the domain.
Get-NetSession - Lists active sessions on the domain.
Get-NetLoggedon - Lists users currently logged on to machines.
Get-NetProcess - Lists processes running on domain machines.
Get-NetService - Lists services on domain machines.
Get-NetDomainTrust - Lists domain trust relationships.
Get-ObjectACL - Retrieves ACLs for a specified object.
Find-InterestingDomainAcl - Finds interesting ACLs in the domain.
Get-NetSPN - Lists service principal names (SPNs) in the domain.
Invoke-ShareFinder - Finds shared folders in the domain.
Invoke-UserHunter - Finds where domain admins are logged in.
Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines.
Task 5: Perform Attack on MSSQL service
Save the username SQL_srv in a text file and name it as user.txt using command pluma user.txt.
Now we wil use hydra to execute password spray on the user and get the password of the user SQL_srv
Now using the script to get the database
Now, as we know that xp_cmdshell is enabled on SQL server we can use Metasploit to exploit this service. Type exit and press Enter; then execute the command msfconsole to launch Metasploit.
Task 6: Perform Privilege Escalation
Task 7: Perform Kerberoasting Attack
Rubeus is a tool for exploiting Kerberos weaknesses in Windows environments. Kerberoasting is a method to extract ticket granting ticket (TGT) hashes from AD. Attackers target service accounts with associated Kerberos service principal names (SPNs). TGTs are requested from the DC for these accounts, then cracked offline to reveal user passwords. Kerberoasting exploits weak service account passwords and the nature of Kerberos authentication.
-m 13100: This specifies the hash type. 13100 corresponds to Kerberos 5 AS-REQ Pre-Auth etype 23 (RC4-HMAC), a specific format for Kerberos hashes.
--force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results.
-a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is.
hash.txt: is the input file containing the hashes to crack
/root/ADtools/rockyou.txt: is the wordlist file used for the attack
Last updated