Lecture08-Post-Exploitation-Part1

Lecture 8 of INFO3002 focuses on Post Exploitation techniques in ethical hacking, including privilege escalation, information gathering, and removing traces. Key methods discussed include the 'getsystem' command and local exploits for gaining higher privileges, as well as commands for gathering system information. The lecture emphasizes the importance of trace removal to hide hacking activities and introduces the concept of rootkits, which can conceal unauthorized access.


INFO3002 Ethical Hacking Principles and Practice

Lecture 8: Post Exploitation Part 1

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Where we are:

1: Reconnaissance
2: Scanning
3: Exploitation
4: Post Exploitation
5: Writing Report
2
Lecture outline
■ Post Exploitation Overview
■ Privilege Escalation
■ Information Gathering
■ Removing traces
■ About Rootkit

3
Post Exploitation Overview
■ This stage is as important as other stages. Many critical
tasks are done in this stage:
▬ Privilege escalation
▬ Network/system information gathering
▬ Removing traces
▬ Applying rootkits
▬ Installing backdoors
▬ and much more …

■ This lecture focuses on the first four, and the next lecture
will discuss installing backdoors.

4
Lecture outline
■ Post Exploitation Overview
■ Privilege Escalation
■ Information Gathering
■ Removing Traces
■ About Rootkit

5
Privilege escalation overview
■ Often, especially with client-side exploitation, we only have
limited user privileges in the Meterpreter or other sessions we
obtain.
▬ Why?

■ This greatly limits what we can do on the targets.


■ So we need to further exploit vulns in the targets to escalate
our privilege to administrator level.

6
Methods of privilege escalation
■ There are several methods to escalate privileges.
■ We'll talk about the following two in this lecture:
▬ The 'getsystem' command in Meterpreter
▬ Using certain local exploits

7
Using the ‘getsystem’ command

■ We choose the scenario of applying
exploit/windows/browser/ie_unsafe_scripting to demo the
usage of this command.
■ In this scenario, if the user using IE only has limited
privilege, then the Meterpreter session we get has limited
privilege as well.
■ Let's see how we can escalate to system privilege.

8
Obtain a Meterpreter session with user privilege first
■ Log in to Win7 with the account ‘Alex’, which is an ordinary user
account. Alex browses the malicious page generated by
exploit/windows/browser/ie_unsafe_scripting
■ When you use the above exploit, make sure to:
▬ set prependmigrate true
▬ set prependmigrateproc explorer.exe
▬ NB: Migrating to explorer.exe is optional.

■ Then, the Meterpreter session obtained has the privilege of Alex.

9
The usage of getsystem
'-h' gives the help information

10
Simply enter 'getsystem'

■ In some scenarios, getsystem will succeed; in other
scenarios, getsystem will fail.
■ ‘getsystem’ failed in the scenario above, even though it tried
all of its techniques.
■ If getsystem fails, we still have local exploits to try.

11
Local exploits overview
■ Local exploits are the exploits applied after you have gained
access to targets.
▬ E.g., after you have logged into a target through either its monitor or a
Meterpreter session.

■ Local exploits for Windows OSes can be found in the
following directory:
▬ /usr/share/metasploit-framework/modules/exploits/windows/local

12
Local exploit example
■ Next, we'll use the local exploit
exploit/windows/local/ms14_058_track_popup_menu as an
example.
▬ It exploits a NULL Pointer Dereference in win32k.sys. The vulnerability
can be triggered through the use of TrackPopupMenu. Under special
conditions, the NULL pointer dereference can be exploited to achieve
arbitrary code execution.
▬ It will create a new Meterpreter session with SYSTEM privileges.

■ Another local exploit you can try is
exploit/windows/local/ms18_8120_win32k_privesc, which will
also be successful. We'll leave this to you.
▬ https://www.rapid7.com/db/modules/exploit/windows/local/ms18_8120_win32k_privesc/
13
Step 1. Background the current
Meterpreter session
■ Make the current Meterpreter session run in the background,
such that we can return to MSF to apply a local exploit.

14
Step 2. Select a local exploit
■ Here we choose the aforementioned local exploit for privilege
escalation:
exploit/windows/local/ms14_058_track_popup_menu.

▬ Besides the existing Meterpreter session, this exploit can start a brand-
new Meterpreter session with system privilege.
▬ Note that the payload defaults to windows/meterpreter/reverse_tcp.
We need to change it to its x64 version:
windows/x64/meterpreter/reverse_tcp

15
Step 3. Show architectures supported
by this exploit
■ In the exploitations discussed in previous lectures, this
step is skipped.
■ But for local exploits, this step is usually needed.
■ The command for this step is 'show targets'

16
Step 4. Select the architecture matching
the target
■ Since our Win7 VM is a 64-bit OS, we need to do:
▬ set target 1

17
Step 5. Show options

We need to provide the ID of the existing Meterpreter session, which will
be leveraged by this local exploit (SESSION).
We need to set the port number to a different one, as 4444 is used by the
existing Meterpreter session (LPORT).
18
Step 6. Set options
■ Set SESSION and LPORT
▬ SESSION: the id of the existing Meterpreter session
▬ LPORT: a new local port number to be used by the new
Meterpreter session

19
Step 7. Launch the attack
■ Simply enter 'exploit'

Got system privilege; Successful!


NB: You may need to wait for a while (even 10 minutes) to see the Meterpreter session
opened, so please be patient. Also, your first 'getuid' may not produce output, but if you try
'getpid' and then 'getuid', you'll see output.
20
Finishing notes
■ If you 'background' the Meterpreter session just obtained
and then list all active sessions, you'll see two of them:

■ Since the 1st one is no longer needed, you can kill it by
using sessions -k <no.>:

21
If the local exploit
'exploit/windows/local/ms18_8120_win32k_privesc' is
used instead, you'll also be successful.

The steps are the same.

You should try it yourself.

22
Lecture outline
■ Post Exploitation Overview
■ Privilege Escalation
■ Information Gathering
■ Removing Traces
■ About Rootkit

23
Information Gathering Overview
■ After exploitation, plenty of information can be gathered
with the gained access.
■ Meterpreter provides many commands and scripts for
gathering information. We'll talk about:
▬ Command sysinfo
▬ Command hashdump
▬ Command idletime

24
Meterpreter Command: sysinfo
■ Gets information about the remote system: hostname, OS version, CPU
architecture, the number of user accounts logged in, etc.

Really means hostname here

25
Meterpreter command: hashdump
■ Dump the password hash file to the screen.

▬ The first column is the username.
▬ The second column is the user ID.
▬ The third column is the LM hash of the password.
▬ The fourth column is the NTLM hash of the password.
NB: The LM hash is not as secure as the NTLM hash. It is kept for legacy
applications.
26
Meterpreter command: hashdump (cntd)
■ This command needs system privilege.
■ This command is not stable. If the Meterpreter shell was
obtained directly through an SMB vuln, it will almost always
succeed.
■ If the Meterpreter shell was obtained via privilege escalation, it
may not succeed.
■ Knowing the hashes of those passwords, you can try
password cracking tools to figure out those passwords.

27
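As an added example (not part of the lecture), the following Python script parses the four-column hashdump format described on the two slides above and reports what a defender would act on: accounts that still store an LM hash, blank passwords, and accounts sharing one password. The sample dump and its hash values are constructed placeholders, not a real dump.

```python
from collections import defaultdict

# Well-known constants: the LM and NT hashes of the empty string.
# hashdump prints EMPTY_LM in the LM column when no LM hash is stored,
# which is the desired state on a modern Windows host.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_hashdump(text):
    """Parse 'user:RID:LMHASH:NTHASH:::' lines; reject malformed input."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError("malformed hashdump line: %r" % line)
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError("hash field is not 32 hex chars: %r" % line)
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries

def audit(entries):
    """Findings a defender wants from the dump, keyed by username."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings[e["user"]].append("LM hash stored (legacy, weak)")
        if e["nt"] == EMPTY_NT:
            findings[e["user"]].append("blank password")
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():          # same NT hash means same password
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("password shared with " + others)
    return dict(findings)

# Constructed sample output; the hash values are placeholders, not a real dump.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alex:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
```

Run `audit(parse_hashdump(SAMPLE))` to see the findings per account.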
Notes on password cracking tools
■ Popular password cracking tools include:
▬ Hashcat
▬ John the ripper
▬ Brutus

■ This subject will not cover the details of password
cracking. However, it will be covered by other security-
related subjects such as Information Security offered by
our school.

28
Meterpreter command: idletime
■ Display the idle time of the logged-in user.

29
Lecture outline
■ Post Exploitation Overview
■ Privilege Escalation
■ Information Gathering
■ Removing Traces
■ About Rootkit

30
Event Logging Overview
■ Event logging is important for statistics, security, and
diagnosis purposes.
■ Unix-like systems such as Linux use the syslog standard
for logging events.
■ Windows has its own way.
▬ In Windows, logs can be viewed by Event Viewer.

It is important for hackers to remove their
traces from system logs!

31
About the syslog in Linux
■ The syslog standard employs a syslog daemon (syslogd) to
log events, thus allowing the separation of log generation,
log storage, and log analysis.
■ Each log entry basically consists of:
▬ Facility code: indicating the software type generating the log
▬ Severity level: indicating the severity of the log
▬ Message: the detailed log message

Reference: https://en.wikipedia.org/wiki/Syslog

32
Viewing system logs in Linux
■ Most log files in Linux are located under the /var/log
directory.
■ You can 'cd' that directory, and use any text editor to look
at those log files.
▬ You can try this with Kali Linux and Metasploitable2.

■ If you prefer GUI, you can use the 'System Log Viewer'.
▬ To start it, search 'system log' in desktop search
▬ Not all Linux distros provide a GUI for syslog.

Reference: https://www.linux.com/learn/sysadmin/viewing-linux-logs-command-line

33
Removing traces from log files in Linux
■ You need to be clear which log files may contain your
traces.
▬ For Ubuntu Linux, see:
https://help.ubuntu.com/community/LinuxLogFiles
▬ Different Linux distros often use different log files, which requires you
to do some homework on the target system.

■ Then, you can use any text editor to search and remove
logs about you.

This subject will not require trace removal in Linux OSes.

34
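Added example (not from the lecture) covering the three parts of a syslog record on slide 31 and the point on slide 33 that a local text editor can remove entries: a parser for the classic BSD-syslog wire format as a central log collector receives it, where edits to /var/log on the sending host cannot reach. The facility and severity names follow RFC 5424, and the sample lines are constructed.

```python
import re

# Facility and severity names per RFC 5424, indexed by code (0..23 / 0..7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic BSD-syslog wire format: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity; return the two names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_line(line):
    """Split one received line into facility, severity, and message fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "app": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]}

def select(lines, facility=None, max_severity="debug"):
    """Keep records of one facility at or above a severity (lower code = more severe)."""
    limit = SEVERITIES.index(max_severity)
    out = []
    for line in lines:
        rec = parse_line(line)
        if facility and rec["facility"] != facility:
            continue
        if SEVERITIES.index(rec["severity"]) <= limit:
            out.append(rec)
    return out

# Constructed sample as a central collector would receive it from host web01.
SAMPLE = [
    "<86>Mar  3 10:15:01 web01 CRON[1201]: pam_unix(cron:session): session opened for user root",
    "<38>Mar  3 10:15:07 web01 sshd[1337]: Accepted password for alex from 10.0.0.5 port 51234 ssh2",
    "<36>Mar  3 10:16:44 web01 sudo: alex : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/vi auth.log",
    "<13>Mar  3 10:16:45 web01 logger: housekeeping done",
]
```

`select(SAMPLE, facility="auth", max_severity="warning")` returns only the sudo record, which survives on the collector whatever happens to the host's own auth.log afterwards.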
Event Viewer in Windows
■ Event Viewer is a component of MS Windows to allow
administrators and users to view the logs generated by OS
and applications.
▬ To start the Event Viewer: search it or run 'eventvwr'

■ Event Viewer retrieves logs of the following two categories
(since Win7).
▬ Windows Logs: store events that apply to the entire system, and
events from legacy applications before Win7.
▬ Applications and Services Logs: store events of contemporary
applications and Windows services that use Windows logging system
to handle logs.

35
Log types in 'Windows Logs'
■ Application: from legacy applications for Windows
▬ At that time, there was no 'Applications and Services' category yet.

■ Security: These events are called audits and are described
as successful or failed.
▬ E.g., whether a user login is successful or not.

■ Setup: related to software installation, configuration, update,
etc.
■ System: logged by Windows OS and Windows system
services.
■ Forwarded Events: events that are forwarded to this
computer from other computers.
36
Typical Applications in 'Applications
and Services Logs'
■ Hardware events
■ Internet Explorer
■ Key management service
■ Windows Powershell
■ And more …

37
Viewing logs in Event Viewer
■ You can simply click on a log type and view all log records under
that type.
■ It is better to apply a filter such that you only view the log records
you want to view. The filtering can be done by Event Level, Event
Sources, etc.

38
Clear all logs in Event Viewer
■ If you want to completely delete all logs such that Event
Viewer sees no logs, Meterpreter provides an easy
command for achieving this: clearev (clear events).
■ In a Meterpreter session with system privilege, you simply
enter clearev:

39
'Clearev' Example: in Win7 VM
■ Before executing clearev: e.g., 1887 events in Application

■ After executing clearev: e.g., 0 events in Application

40
Notes to 'clearev'
■ Though it is not stealthy, it can remove all events such
that no trace for a hacker can be found.
■ In this subject, we simply require you to know that you can
do trace removal with 'clearev' on Windows platforms, and
will not dive deeper than this.

41
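The "not stealthy" caveat above can be made concrete from the defender's side. Windows itself records a clear operation: Event ID 1102 in the Security log ("The audit log was cleared") and Event ID 104 in the System log (naming the channel that was emptied). The script below is an added example, not from the lecture; it assumes the events have been exported as one JSON object per line (constructed here) and flags several logs being emptied within seconds, which is the pattern clearev produces.

```python
import json
from datetime import datetime, timedelta

# Records Windows writes when a log is emptied (not from the lecture slides):
#   Security log, Event ID 1102  "The audit log was cleared"
#   System log,   Event ID 104   "The <channel> log file was cleared"
# They are written to the freshly emptied log, so 'clearev' leaves this trace.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

def parse_events(text):
    """Parse a constructed JSON-lines export (one event per line), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return sorted(events, key=lambda e: e["time"])

def find_log_clears(events):
    """Every clear event, with the channel it wiped and who did it."""
    out = []
    for e in events:
        if (e["log"], e["id"]) in CLEAR_EVENTS:
            wiped = "Security" if e["id"] == 1102 else e.get("channel", "?")
            out.append({"time": e["time"], "wiped": wiped, "user": e.get("user")})
    return out

def group_clears(clears, window=timedelta(minutes=2)):
    """Cluster clears within 'window' of each other.  One admin clearing one
    log is routine; several logs emptied in seconds matches clearev."""
    groups = []
    for c in clears:
        if groups and c["time"] - groups[-1][-1]["time"] <= window:
            groups[-1].append(c)
        else:
            groups.append([c])
    return [{"start": g[0]["time"], "wiped": sorted(x["wiped"] for x in g),
             "mass_clear": len(g) > 1} for g in groups]

# Constructed export: a routine clear at 09:00, then three logs wiped at 14:30.
SAMPLE = """\
{"time": "2024-03-03T09:00:10", "log": "System", "id": 104, "channel": "Application", "user": "itops"}
{"time": "2024-03-03T14:30:01", "log": "Security", "id": 1102, "user": "SYSTEM"}
{"time": "2024-03-03T14:30:02", "log": "System", "id": 104, "channel": "Application", "user": "SYSTEM"}
{"time": "2024-03-03T14:30:02", "log": "System", "id": 104, "channel": "System", "user": "SYSTEM"}
{"time": "2024-03-03T14:31:00", "log": "System", "id": 7036, "user": null}
"""
```

`group_clears(find_log_clears(parse_events(SAMPLE)))` yields two groups, the second marked as a mass clear of Application, Security and System.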
Lecture outline
■ Post Exploitation Overview
■ Privilege Escalation
■ Information Gathering
■ Removing Traces
■ About Rootkit

42
Rootkit Overview
■ A rootkit typically refers to a kind of software that gains
unauthorized access to computers and can hide its own
existence or other programs' existence.
▬ Mostly, it is purely for hiding the existence of other programs.

■ The term is a concatenation of "root" and "kit".
▬ It originally referred to a maliciously modified set of administrative tools
for Unix-like OSes that gained "root" access.

References:
1. http://www.microsoft.com/security/portal/mmpc/threat/rootkits.aspx
2. https://en.wikipedia.org/wiki/Rootkit

43
How Rootkit Works
■ Rootkit intercepts or modifies system calls provided by
OSes.
▬ This means that after a rootkit is installed, you can’t trust any
information that system calls return.

■ For example,
▬ If you ask your PC to list all processes that are running, the rootkit
can remove the processes it doesn’t want you to see.
▬ The same applies to files and folders.

44
How to remove rootkits?
■ In general, you need to boot your computer with another
OS and then use antivirus software to scan the disks.
▬ Another OS is needed as the current OS is already modified.

■ If you still cannot find the problem, you have to reinstall
the OS.
▬ Make sure you back up your data before reinstallation.

45
Remarks on rootkits
■ Similar to trace removal, rootkits are another mechanism
for hiding hacking activities.
■ Since 'rootkit' is an advanced topic, this subject won't
have lab tasks on rootkits. However, it is important for you
to know the basic working principle of rootkits mentioned
in the previous slides.

46
Example Short Answer Question:
■ Give two examples of what rootkits can do.

47
Lecture Summary
■ The stage of Post Exploitation happens after the access to
the target has been gained. It includes activities such as
privilege escalation, backdoor installation, etc.
■ A key technique for privilege escalation is to apply local
exploits.
■ Removing traces enables hackers to hide their behaviour.

48
References
■ Online Tutorial from Offensive Security: Metasploit
Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/

■ The web links mentioned in the slides of this lecture

Big reminder:
• Lab 8 is very long, consisting of tasks for
this lecture and the next lecture. You should
start working on it right now!

49
