Tactical Exploitation WindowsUNIX-1

Uploaded by efrinrojava998

Tactical Exploitation – Windows/UNIX

Abstract
Penetration testing often focuses on individual vulnerabilities and services, but the fastest
routes to compromise are usually hands-on and rely on less common techniques. This four-day
course introduces a tactical approach that does not depend on exploiting known vulnerabilities.
Using a combination of new tools and lesser-known techniques, attendees learn how attackers
compromise systems without standard exploits. The class alternates between lectures and
hands-on testing, giving attendees the opportunity to try the techniques discussed.
The first half of the course takes a unique approach to compromising Windows environments
without relying on traditional exploits. Students become proficient in the skills needed to
compromise Windows environments using the same methods as real-world attackers rather than
compliance-based penetration testing techniques: host recon, network recon, and credential
hijacking, as well as tricks for taking advantage of configuration and design flaws.
This portion focuses primarily on Windows internals and how to leverage them. Host and
network recon, privilege escalation, credential stealing and passing, persistence, and lateral
movement techniques are covered in depth. On finishing, students will have a foundation in how
Windows attacks actually happen and how to defend against them from the post-exploitation
stage onward.
In the second half of the course, the focus shifts from compromising Windows-based networks
to a true production-level UNIX environment. Attendees receive in-depth exploitation
techniques for becoming root in UNIX environments and for abusing those newly gained
resources for unique lateral movement. The goal is end-to-end control of a realistic
production Windows/UNIX environment.
The same approach applies to Unix: students compromise Unix environments without relying on
traditional exploits, using the methods of real-world attackers rather than compliance-based
penetration testing techniques. Skills covered include host recon, network recon, and
credential hijacking, and students learn how to take advantage of configuration and design
flaws. This session focuses primarily on Linux, Solaris, and FreeBSD/OS X. SSH, Kerberos,
kernel modules, file sharing, privilege escalation, home directories, and logging are all
covered in depth. On finishing, students will have a foundation in how attacks on Unix
actually happen and how to defend against them from the post-exploitation stage onward.
Learning Objectives
Windows Topics Covered:

• Introductory Concepts and Thinking Like an Attacker
• Host Recon
• Privilege Escalation
• Credential Stealing and Passing
• Persistence
• Network Recon
• Lateral Movement

Additions:

• Infrastructure updated to include Windows 2016 and newer security practices
• Analyze how different techniques may or may not reveal themselves in a forensic tool
• Additional WMI-based techniques
• Attacking Unix from a Windows system (if taken in the 4-day Tactical Exploitation:
Attacking Windows/Attacking Unix series)

Unix Topics Covered:

• Introductory Concepts and Thinking Like an Attacker
• Host Recon
• Leveraging Trusts & Lateral Movement
• Kerberos Inherent Weaknesses
• SSH Abuse
• LD_PRELOAD Tricks
• PAM Trojaning
• X11 Attacks

Additions:

• Additional SSH agent content
• Attacking smart card authentication
• Attacking Windows from a Unix system (if taken in the 4-day Tactical Exploitation:
Attacking Windows/Attacking Unix series)
Target Audience
Penetration Testers, Detection and Response Staff, System Administrators and Developers

Course Outline

• Course Introduction

o Blue Team Perspective

o Offensive Concepts

o Post Exploitation Phases

• Unix Host Recon

o Basic Tools & Commands

o Important Files

o File Permissions & Abuse

o Useful Scripts

o sudo, sudoers

o Surveying Installed Software

o Logging, User History

o Full System Recon

o Finding Docker Containers/Misconfigurations
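Added example for the "sudo, sudoers" recon step (this is not course material): a small auditor that parses a sudoers excerpt, joins backslash-continued lines the way sudo does, and flags what an attacker who already owns the listed account looks for first: NOPASSWD or SETENV tags, ALL as the command list, wildcards inside arguments (room for argument injection), and binaries with well-known shell escapes. The sample rules and the SHELL_ESCAPES set are constructed for the demo and are not a complete catalogue.

```python
"""Audit a sudoers file for rules that hand out root cheaply.

Added example for the 'sudo, sudoers' recon step; the sudoers text below is
constructed for the demo and the SHELL_ESCAPES list is an assumption, not a
complete catalogue of shell-escape-capable programs.
"""
import re

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults    env_reset
Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
                                 /usr/bin/vim /etc/app/*.conf
backup      ALL=(root) NOPASSWD: /usr/bin/tar -czf /backup/*.tgz /srv/*
www-data    ALL=(ALL) NOPASSWD: ALL
auditor     ALL=(root) /usr/bin/cat /var/log/*.log
"""

# Programs that give a shell or an arbitrary file write once run as root
# (GTFOBins-style list, trimmed; assumption for the demo).
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "man", "tar", "find",
                 "awk", "perl", "python", "python3", "env", "bash", "sh"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_sudoers(text):
    """Return user-specification rules as dicts. Handles backslash
    continuations, comments and Defaults lines; aliases are left alone."""
    text = re.sub(r"\\\n\s*", " ", text)   # join continued lines like sudo does
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), set()
        while (t := TAG_RE.match(cmds)):       # NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "tags": tags,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules


def assess(rule):
    """List why a rule is interesting to an attacker who controls 'who'."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD")
    if "SETENV" in rule["tags"]:
        findings.append("SETENV")           # caller may override env vars
    for cmd in rule["commands"]:
        if cmd == "ALL":
            findings.append("ALL-commands")
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPES:
            findings.append("shell-escape:" + prog)
        if "*" in cmd:
            findings.append("wildcard:" + prog)   # argument injection room
    return findings


def audit(text):
    """Map each principal to its findings, skipping rules with none."""
    result = {}
    for rule in parse_sudoers(text):
        f = assess(rule)
        if f:
            result.setdefault(rule["who"], []).extend(f)
    return result


if __name__ == "__main__":
    for who, findings in audit(SAMPLE_SUDOERS).items():
        print(f"{who:10s} {', '.join(findings)}")
```

Against a live host, feed it `audit(open("/etc/sudoers").read())` as root and repeat for each file in /etc/sudoers.d; the parser deliberately ignores alias definitions and include directives, so expand those by hand before trusting a "clean" result.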

• Unix Trust & Lateral Movement

o Leveraging Trusts

o Unix Authentications

o Overview of NFS

o Finding NFS Mounts & Servers

o “Securing” NFS

• Kerberos

o Overview

o Basic Commands

o Kerberos Tickets
o Kerberos Caching

o .k5login

o Hijacking Kerberos

o Stealing Kerberos Tickets

• SSH

o SSH Tunneling Basics

o Public Key Authentication

o SSH-Agent

o Master Mode

o Smart Card Credential Stealing
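Added example covering the Unix Trust & Lateral Movement, Kerberos (.k5login) and SSH public-key items above (not course material): a breadth-first walk over the trusts an attacker collects during host recon. Private keys and ticket caches found under one account are matched against authorized_keys and .k5login entries on other accounts, and local escalations such as a sudo rule add edges on the same host. Every host, account, key id and principal in the lab below is constructed.

```python
"""Map lateral-movement reach across Unix hosts from collected trusts.

Added example for the Unix Trust & Lateral Movement, Kerberos (.k5login)
and SSH public-key sections. The lab (hosts, accounts, key ids,
principals) is entirely constructed.
"""
from collections import deque

# What each (host, user) account holds: "key:<id>" = private key in ~/.ssh
# (or usable through a forwarded agent), "krb:<principal>" = ticket cache.
HOLDS = {
    ("web01", "www"):      {"key:web-deploy"},
    ("web01", "root"):     {"key:web-deploy", "key:root-backup"},
    ("build01", "deploy"): {"key:build-ci", "krb:jenkins@EXAMPLE.COM"},
    ("nfs01", "root"):     {"key:root-backup"},
}
# What each account accepts: key ids from authorized_keys, principals from .k5login.
ACCEPTS = {
    ("build01", "deploy"): {"key:web-deploy"},
    ("nfs01", "root"):     {"key:build-ci"},
    ("db01", "postgres"):  {"krb:jenkins@EXAMPLE.COM"},   # .k5login entry
    ("db01", "root"):      {"key:root-backup"},
}
# Local escalation edges found during host recon (e.g. a NOPASSWD sudo rule).
SUDO = {("web01", "www"): ("web01", "root")}


def edges_from(node, holds, accepts, sudo):
    """Accounts reachable in one hop from node, with the trust used."""
    creds = holds.get(node, set())
    out = [(target, cred) for target, accepted in accepts.items()
           for cred in sorted(creds & accepted)]
    if node in sudo:
        out.append((sudo[node], "sudo"))
    return out


def reachable(start, holds=HOLDS, accepts=ACCEPTS, sudo=SUDO):
    """Breadth-first search; returns {account: [(account, via), ...]} giving
    the shortest hop chain from start to every reachable account."""
    paths, queue = {start: []}, deque([start])
    while queue:
        node = queue.popleft()
        for target, via in edges_from(node, holds, accepts, sudo):
            if target not in paths:
                paths[target] = paths[node] + [(target, via)]
                queue.append(target)
    return paths


def fmt(account):
    return "%s@%s" % (account[1], account[0])


if __name__ == "__main__":
    for account, path in reachable(("web01", "www")).items():
        chain = " -> ".join("%s [%s]" % (fmt(a), via) for a, via in path)
        print("%-18s %s" % (fmt(account), chain or "(foothold)"))
```

The point of the model is that each hop enlarges HOLDS: landing on build01 as deploy yields a Kerberos ticket that a .k5login on db01 honours, so the database falls without any SSH key to it at all. Populate HOLDS from `~/.ssh`, `/tmp/krb5cc_*` and `SSH_AUTH_SOCK` findings, and ACCEPTS from `authorized_keys` and `.k5login` files as you collect them.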

• X11

o What X11 is

o X11 Security

o X11 over SSH

o Screencapture and Window Information

o Xauth, Xdotool

o Hiding Behind Screensavers

• LD_PRELOAD

o Overview

o Dynamic Libraries

o Using LD_PRELOAD

o Hijacking rand()

o Building a Real Attack
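Added example for the LD_PRELOAD section, from the responder's side rather than the attacker's (not course material): a check over what /proc exposes. It reads the LD_PRELOAD variable out of a process's environment, checks the global /etc/ld.so.preload, and, because a hooking library can unsetenv() its own trace from a constructor, also flags shared objects mapped from directories where no system library should live. The process table, file contents and TRUSTED_LIB_DIRS list are constructed for the demo.

```python
"""Spot LD_PRELOAD-style library injection from /proc data.

Added example for the LD_PRELOAD section. The process snapshot, the
/etc/ld.so.preload content and the trusted-directory list are constructed.
"""

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/local/lib/", "/opt/")

# Constructed snapshot of /proc/<pid>/environ (NUL-separated) and
# /proc/<pid>/maps (one mapping per line, path in the last column).
PROCS = {
    1234: {"comm": "sshd",
           "environ": b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00",
           "maps": ("7f1a r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
                    "7f1b r-xp 00000000 08:01 2 /tmp/.x/libhook.so\n")},
    1235: {"comm": "bash",
           "environ": b"PATH=/usr/bin\x00HOME=/home/alice\x00",
           "maps": "7f2a r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"},
    1236: {"comm": "cron",   # env scrubbed by the library; maps still tell
           "environ": b"PATH=/usr/bin\x00",
           "maps": ("7f3a r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
                    "7f3b r-xp 00000000 00:19 9 /dev/shm/libsneaky.so\n")},
}
LD_SO_PRELOAD = "/dev/shm/libsneaky.so\n"   # constructed /etc/ld.so.preload


def parse_environ(raw):
    """Turn the NUL-separated environ blob into a dict."""
    env = {}
    for item in raw.split(b"\x00"):
        if b"=" in item:
            k, v = item.decode(errors="replace").split("=", 1)
            env[k] = v
    return env


def mapped_libraries(maps_text):
    """Paths of shared objects in a maps listing (last column, *.so*)."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and ".so" in parts[5]:
            libs.add(parts[5])
    return libs


def untrusted(path):
    return not path.startswith(TRUSTED_LIB_DIRS)


def preload_findings(procs=PROCS, ld_so_preload=LD_SO_PRELOAD):
    """Return {pid: [finding, ...]} for processes showing injection signs."""
    global_preloads = [l.strip() for l in ld_so_preload.splitlines() if l.strip()]
    findings = {}
    for pid, info in procs.items():
        notes = []
        env = parse_environ(info["environ"])
        if "LD_PRELOAD" in env:
            notes.append("env LD_PRELOAD=" + env["LD_PRELOAD"])
        for lib in sorted(mapped_libraries(info["maps"])):
            if lib in global_preloads:
                notes.append("mapped via /etc/ld.so.preload: " + lib)
            elif untrusted(lib):
                notes.append("mapped from untrusted dir: " + lib)
        if notes:
            findings[pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in preload_findings().items():
        print(pid, PROCS[pid]["comm"], *notes, sep="\n  ")
```

On a live box, build PROCS from `/proc/*/environ` and `/proc/*/maps` (root needed for other users' processes) and read `/etc/ld.so.preload` directly; the maps check is the one that survives an attacker scrubbing the environment, which is why the cron entry above is still caught.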

• PAM Trojaning

o Overview

o Attack Paths

o How PAM works

o PAM Modules

o Reading Creds with PAM

o PAM Configuration

o PAM Control Flags


o Example Attacks
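Added example for the PAM Trojaning section (not course material): a simulator for a pam.d "auth" stack under the classic control flags (required, requisite, sufficient, optional; the bracketed [value=action] form is not modelled). It shows which modules actually execute on a good and a bad login, and therefore where a credential-logging module has to sit to see every password: before the real check, because a module placed after a `sufficient pam_unix.so` never runs on successful logins. The modules are mocks (a tiny dict stands in for pam_unix.so) and both stacks are constructed.

```python
"""Simulate a PAM 'auth' stack to see which modules run, and therefore which
ones get to read the cleartext password, under each control flag.

Added example for the PAM Trojaning section. The modules are mocks and the
two pam.d stacks are constructed for the demo.
"""
import re

USERS = {"alice": "s3cret"}   # constructed stand-in for /etc/shadow


def pam_unix(user, password):          # mock of pam_unix.so
    return USERS.get(user) == password


def pam_deny(user, password):          # mock of pam_deny.so
    return False


def make_trojan(log):
    """Mock attacker module: records (user, password) and returns success,
    so under 'required' or 'optional' it never changes the outcome."""
    def pam_trojan(user, password):
        log.append((user, password))
        return True
    return pam_trojan


# Trojan placed before the real check: runs on every attempt.
TROJAN_FIRST = """\
auth    required    pam_trojan.so
auth    sufficient  pam_unix.so nullok
auth    required    pam_deny.so
"""
# Trojan placed after a 'sufficient' module: skipped on every successful login.
TROJAN_AFTER = """\
auth    sufficient  pam_unix.so nullok
auth    required    pam_trojan.so
auth    required    pam_deny.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(required|requisite|sufficient|optional)\s+(\S+)")


def parse_auth_stack(text, registry):
    """Return [(control, module, callable)] for the 'auth' type lines."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == "auth":
            _, control, module = m.groups()
            stack.append((control, module, registry[module]))
    return stack


def evaluate(stack, user, password):
    """Walk the stack with the classic control-flag semantics.
    Returns (authenticated, [modules that actually ran]). 'optional' is
    modelled as never affecting the result (single-module corner case ignored)."""
    ran, required_failed = [], False
    for control, module, fn in stack:
        ok = fn(user, password)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                     # stop immediately
        if control == "required" and not ok:
            required_failed = True                # remember, keep going
        elif control == "sufficient" and ok and not required_failed:
            return True, ran                      # short-circuit success
    return (not required_failed), ran


def run_scenarios():
    """Try both placements with a good and a bad password; return what the
    trojan captured and which modules ran."""
    out = {}
    for name, text in (("first", TROJAN_FIRST), ("after", TROJAN_AFTER)):
        log = []
        registry = {"pam_unix.so": pam_unix, "pam_deny.so": pam_deny,
                    "pam_trojan.so": make_trojan(log)}
        stack = parse_auth_stack(text, registry)
        good = evaluate(stack, "alice", "s3cret")
        bad = evaluate(stack, "alice", "wrong")
        out[name] = {"good": good, "bad": bad, "captured": list(log)}
    return out


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(name, r)
```

The same walk explains the defensive reading: a `requisite` entry before your own modules stops the stack on failure, and any module file or pam.d line that appears before pam_unix.so on a production box deserves a hash check against the package database.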

• Windows Host Recon

o Overview

o System Enumeration

▪ Installed Software

▪ Event Logs

▪ System Logon

▪ PuTTY

▪ Terminal Services

▪ Run

▪ Registry Checking in Logs

▪ WMI

▪ Selfhash

o Browser Recon

▪ Extracting data from browser

▪ Decrypting TLS

o Enumerating Current Active Users

• Getting root

o Windows ACLs and ACEs

▪ Viewing ACLs

▪ Usage for Privilege Escalation

o Insecure Services

▪ Overview

▪ Attacking Insecure Services

▪ Integrity Levels

o Path Exploitation

o PowerUp

▪ Bypassing Execution Policy

o Vulnerable Files & Resources

▪ ShellExecuteW

o Abusing the Scheduler


o DLL Hijacking

• Mimikatz

o Overview

o Basic Use Examples

o Useful Commands

o Customizing from Source

o Automating Mimikatz

o Minidump

o Dumping local credentials offline

o MScache

• System Persistency

o Overview

o Registry Persistency

o Terminal Services

o Sticky Keys

▪ How to Exploit

o Service Manipulation

▪ Service Executables

o Volume Shadows

▪ VSS Overview

▪ Mounting Shadow Volumes

▪ Exploiting Shadow Volumes

• Network Recon

o Overview of SAMBA

o SMB

o Network Accessories

▪ Null sessions

▪ Enumeration Examples

▪ Other Useful Commands

o Search.vbs

o SIDs, RIDs

o Netvol, sysvol & Getting GPOs

o Finding Domain Controllers

o Password service task group

o Active Sessions on a Server

o Shares
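Added example for the "SIDs, RIDs" recon item (not course material): converting between the binary SID structure that LSA and SMB calls return and the S-1-5-21-... string form, splitting a SID into domain SID and RID, naming the well-known domain RIDs, and generating candidate SIDs for RID cycling through a null session or LookupSids. The domain SID and RIDs used below are constructed, and WELL_KNOWN_RIDS lists only the common domain accounts and groups.

```python
"""Decode and build Windows security identifiers.

Added example for the 'SIDs, RIDs' recon item. The domain SID and RIDs are
constructed; the well-known-RID table covers only common domain principals.
"""
import struct

# RIDs that are the same in every domain (relative to the domain SID).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed
# The same domain's Domain Admins SID as it arrives on the wire (constructed):
# revision 1, 5 sub-authorities, authority 5, then little-endian uint32s.
DA_BLOB = (b"\x01\x05\x00\x00\x00\x00\x00\x05"
           + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 512))


def sid_to_string(blob):
    """Binary SID -> 'S-1-5-21-...'. Layout: revision (1 byte), sub-authority
    count (1 byte), identifier authority (6 bytes, big-endian), then
    count x uint32 little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def string_to_sid(text):
    """'S-1-5-...' -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid_text):
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512)."""
    domain, _, rid = sid_text.rpartition("-")
    return domain, int(rid)


def describe(sid_text):
    """Name well-known domain RIDs; everything else is reported raw."""
    domain, rid = split_rid(sid_text)
    if domain.startswith("S-1-5-21-") and rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "RID %d in %s" % (rid, domain)


def rid_cycle(domain_sid, start=500, stop=1100):
    """Candidate SIDs to resolve one by one (RID cycling); user and group
    RIDs created by admins start at 1000 and count up."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, stop)]


if __name__ == "__main__":
    text = sid_to_string(DA_BLOB)
    print(text, "=>", describe(text))
    print(rid_cycle(DOMAIN_SID, 500, 505))
```

Obtain the domain SID once (for example from the SID of any known account, stripping the RID with `split_rid`), then resolve the `rid_cycle` output in batches; the gaps in the sequence and the names that come back are the account inventory the null-session enumeration step is after.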

• Lateral Movement

o Lateral Movement Methods

o Dumping SAM Database

▪ Windows Tokens

▪ Mimikatz Token Elevation

▪ Hash Dumping Example

o Mimikatz Pass the Hash/PTT

o PsExec

▪ Minimizing Noise with PsExec

▪ Metasploit Example

o WMI

o Cross Pollination

o Attacking Windows from Unix

o Attacking Unix from Windows

REQUIREMENTS

Student Machine/ Laptop Requirements

We provide a Windows-based virtual machine for each student to connect to via the Remote
Desktop Protocol (RDP). All exercises are performed in that environment.

Student machines must meet the minimum specifications to run:

• One of the following operating systems:
o Windows 7 or higher
o Mac OS X Lion 10.7 or higher
o Linux with a windowing system (to run the RDP client)
• An RDP client
• Gigabit Ethernet preferred; limited wireless access is available
o A USB/Thunderbolt Ethernet adaptor is recommended for laptops that don't have Ethernet
• Students must have appropriate access and knowledge to change their network
configuration to support DHCP or static IP addresses.
• Must be able to run at least one virtual machine using VMware Workstation 8.0 or above
(which can be obtained through a demo license).
• Must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc.

Students Knowledge Pre-Requisites:

Students must have the following:

• A conceptual knowledge of scripting languages such as Python/Perl/Ruby
• A medium level of systems administration knowledge on Windows, OS X, or Linux systems
• The ability to work with the command line
• An understanding of basic network protocols
• The ability to modify configuration files
