Post exploitation

From Wikibooks, open books for an open world


Goals

Pivoting
Manipulation. For example: phishing, email fraud, click fraud.
Altering or destroying any kind of information. For example: browser hijacking, domain hijacking, website defacement.
Stealing private information. For example: spyware, keystroke logging, data breach.
Finance. For example: credit card hijacking, ransomware.
Access to physical resources. For example: car hacking, Stuxnet.
Advanced persistent threat
Penetration test report

Maintaining control

The ultimate goal of a network intruder is to obtain administrator privileges on a network. Once inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs that gives the intruder durable control over a system. Some of these programs are used to compromise further user accounts or further computers on the network. Others serve to obscure the presence of the intruder: they may include false versions of standard network utilities such as netstat, or programs that remove from a computer's log files all entries that relate to the intruder. Yet other programs in a rootkit may be used to survey the network or to sniff further passwords travelling over it. Rootkits may also provide the means to alter the very operating system of the computer on which they are installed.

The network intruder then proceeds to create one or more so-called back doors. These are access provisions that are hard for system administrators to find, and they bypass the logging and monitoring that normal use of the network would produce. A back door may be a concealed account, or an account whose privileges have been escalated. Or it may be a remote-access utility, such as Telnet, that has been configured to listen on a port number that is not customary.

The network intruder then proceeds to steal files or credit card information, or to prepare the computer to send spam e-mail at will. Another goal is to prepare for the next intrusion. A cautious intruder guards against discovery of his or her location; the method of choice is to use a computer that has already been attacked as an intermediary. Some intruders use a chain of intermediate computers, making it impracticable to locate them.[1]
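The back doors described above (a concealed or privilege-escalated account, a remote-access service such as Telnet moved to an uncustomary port) leave traces that a defender can check for. The following Python script is an added example and is not part of the Wikibooks text. It runs over constructed sample data (a fabricated /etc/passwd excerpt and a fabricated list of listening sockets) rather than a live host; the set of no-login shells, the UID 1000 boundary for service accounts and the mapping of daemons to their customary ports are assumptions that a real deployment would tune.

```python
"""Checks for the back-door indicators described in the text.

Added example; the passwd excerpt and socket list below are constructed
sample data, not captured from a real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str


def parse_passwd(text):
    """Parse /etc/passwd-style lines (7 colon-separated fields) into Accounts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts.append(Account(name, int(uid), shell))
    return accounts


# Shells that do not permit interactive login (assumed set; extend per distro).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_LIMIT = 1000  # assumption: UIDs below this are service accounts


def suspicious_accounts(accounts):
    """Return (name, reason) pairs for accounts that look like back doors:
    a non-root account with UID 0, two names sharing a UID, or a service
    account that has been given a login shell."""
    by_uid = {}
    for a in accounts:
        by_uid.setdefault(a.uid, []).append(a.name)
    findings = []
    for a in accounts:
        others = [n for n in by_uid[a.uid] if n != a.name]
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "non-root account with UID 0"))
        elif a.uid != 0 and others:
            findings.append((a.name, "shares UID %d with %s" % (a.uid, ", ".join(others))))
        elif 0 < a.uid < SYSTEM_UID_LIMIT and a.shell not in NOLOGIN_SHELLS:
            findings.append((a.name, "service account with login shell " + a.shell))
    return findings


# Port each daemon is customarily found on (assumed mapping).
CUSTOMARY_PORTS = {"in.telnetd": 23, "sshd": 22, "vsftpd": 21}


def misplaced_services(listeners, customary=CUSTOMARY_PORTS):
    """listeners: (port, program) pairs as a socket-listing tool reports them.
    Return those where a known remote-access daemon listens on a port other
    than its customary one, e.g. telnet on 31337 instead of 23."""
    return sorted(
        (port, prog) for port, prog in listeners
        if prog in customary and customary[prog] != port
    )


# --- constructed sample data ------------------------------------------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1000:1000:backup:/home/alice:/bin/bash
"""
SAMPLE_LISTENERS = [(22, "sshd"), (80, "nginx"), (31337, "in.telnetd"), (443, "nginx")]


def run_checks(passwd_text=SAMPLE_PASSWD, listeners=SAMPLE_LISTENERS):
    """Run both checks and return the findings as a dict."""
    return {
        "accounts": suspicious_accounts(parse_passwd(passwd_text)),
        "listeners": misplaced_services(listeners),
    }


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real host the two inputs would be the contents of /etc/passwd and the (port, program) pairs from a socket-listing tool; the point of the account check is that a second UID 0 name or a service account with a shell is exactly the "concealed account" the text describes, and the port check catches a known daemon that has been moved off its customary port.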


Back doors

The purpose of a back door is to maintain a communication channel to a host that has been compromised, together with methods to control it. These methods include file transfer and the execution of programs. It is often important that the access or communication remain secret, and access control is desirable so that others cannot use the back door.[2]

Back Orifice 2000 was designed as a back door. The server runs on Windows, and there are clients for Windows, Linux and other operating systems. The server is easily configured with a utility; after configuration it needs to be uploaded to the target and started. Back Orifice 2000 supports file transfer, file execution, logging of keystrokes, and control of connections. There is also an AES plug-in for traffic encryption and an STCPIO plug-in for further obfuscation of the traffic. The first plug-in adds security, and the combination of the two makes it much harder for an IDS to relate the traffic to a back door. More information can be found at http://www.bo2k.com.[3]


Rootkits

Rootkits specialize in hiding themselves and other programs.

Hacker Defender (hxdef) is an open source rootkit for Windows. It can hide its files, its process, its registry entries, and its port in multiple DLLs. Although it has a simple command-line interface as a back door, it is often better to use its ability to hide a more appropriate tool.[4]
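Because a user-mode rootkit of the kind described hides objects by altering what the standard utilities report, a defender can compare that reported view with an independent enumeration taken straight from the kernel; anything the kernel knows about that the tool omits is a candidate for something hidden. The script below is an added example, not from the Wikibooks text or from the hxdef project, and it applies this cross-view idea to a Linux host rather than to Windows. It runs on constructed samples (a fabricated /proc/net/tcp table, a fabricated /proc directory listing and fabricated tool output) so that it works offline; on a real host the same functions would be fed the contents of /proc/net/tcp, the names in /proc and the ports and PIDs reported by ss and ps.

```python
"""Cross-view detection of hidden listeners and processes.

Added example. The /proc contents and tool outputs are constructed sample
data; on a live host they would be read from /proc and from `ss`/`ps`.
"""

LISTEN_STATE = "0A"  # TCP LISTEN as encoded in the 'st' column of /proc/net/tcp


def listening_ports_from_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp text.
    The local_address column is 'hexIP:hexPORT'; the 4th column is the state."""
    ports = set()
    for line in text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == LISTEN_STATE:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def pids_from_proc_names(names):
    """Entries of /proc whose names are all digits are process IDs."""
    return {int(n) for n in names if n.isdigit()}


def cross_view_diff(kernel_view, tool_view):
    """Compare two enumerations of the same objects.
    Returns (hidden_from_tool, only_in_tool): the first list is what a hooked
    or replaced utility omitted; the second would suggest the two snapshots
    were taken at different times rather than deliberate hiding."""
    return sorted(kernel_view - tool_view), sorted(tool_view - kernel_view)


# --- constructed sample data ------------------------------------------------
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
# What a (possibly trojaned) socket-listing tool reported: only sshd's port.
TOOL_REPORTED_PORTS = {22}

# Names as os.listdir("/proc") might return them; PID 4242 is absent from ps.
SAMPLE_PROC_NAMES = ["1", "2", "437", "4242", "self", "net", "cpuinfo", "sys"]
TOOL_REPORTED_PIDS = {1, 2, 437}


def run_cross_view(proc_net_tcp=SAMPLE_PROC_NET_TCP, tool_ports=TOOL_REPORTED_PORTS,
                   proc_names=SAMPLE_PROC_NAMES, tool_pids=TOOL_REPORTED_PIDS):
    """Return the ports and PIDs present in the kernel view but missing
    from the tool view."""
    hidden_ports, _ = cross_view_diff(
        listening_ports_from_proc_net_tcp(proc_net_tcp), tool_ports)
    hidden_pids, _ = cross_view_diff(pids_from_proc_names(proc_names), tool_pids)
    return {"hidden_ports": hidden_ports, "hidden_pids": hidden_pids}


if __name__ == "__main__":
    print(run_cross_view())  # {'hidden_ports': [31337], 'hidden_pids': [4242]}
```

The check is only as independent as its second view: a rootkit that hooks the kernel itself, rather than the user-mode tools, can falsify /proc as well, which is why production tools of this kind also enumerate by brute force (probing every PID with a system call) or inspect the host from outside.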


Tools

https://docs.rapid7.com/metasploit/about-post-exploitation
https://www.offensive-security.com/metasploit-unleashed/msf-post-exploitation/
https://www.offensive-security.com/metasploit-unleashed/maintaining-access/
  1. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 87, 275, 376-377, 385.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 323-324.
  3. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 334-335, 355-358.
  4. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 363-365.