Introduction To Post-Exploitation Phase
In this article we are going to learn about the different stages of the post-exploitation phase. This is the phase before the last phase (clearing tracks and setting up records) of our penetration testing process. In this phase we exploit our targets further, escalating privileges and penetrating deeper into the internal network. Meterpreter makes the post-exploitation process much easier: it ships with many built-in scripts, and a major advantage is that we can modify those scripts to suit our needs. Once a connection to the host operating system has been established, it is time to exploit the host's services and network for security testing.
Stages of Post Exploitation:
Acquiring Situational Awareness-
Immediately after compromising a host, you want to gather information about it and about the internal network it sits on: its hostname, interfaces, routes, and running services. If you are familiar with the host operating system you can take advantage of that knowledge to enumerate more information about the host and the network. Windows is one of our most common targets since it is the most widely used OS in corporate environments, and since most of you are familiar with Windows it is simple to enumerate. Our main goals are to enumerate the network, determine which other hosts are reachable from the compromised host, and identify its interfaces and services. Checking the security of the network alongside the host is just as important: if the network is not secure, it may give an attacker unauthorized access to other systems within it.
In this stage we attempt to escalate privileges to gain full access to the host machine. There are many ways to escalate privileges, but the fastest with Meterpreter is the getsystem command, which combines several techniques: if one technique fails it tries the next one and reports which technique succeeded. Run getsystem -h to see which techniques Meterpreter uses to escalate privileges.
- Bypassing User Account Control-
Windows Vista and later versions of Windows have the security feature User Account Control (UAC). Its purpose is to prevent malware from compromising the system during an attack. It does this by running applications with standard user privileges even when the logged-in user has administrator privileges; an application must then be approved by an administrator before it can make changes to the computer. UAC is easy to configure on any supported version of Windows: search for the keyword "UAC" in the search box. The default level is level 3, which notifies you when programs try to make changes to your computer.
- Escalating Privileges on a Linux Machine
The methods discussed above only work on Windows, so you might wonder why we did not discuss escalating privileges on a Linux box. The reason is that privilege-escalation exploits for Linux are specific to the kernel version running on the compromised target, so Meterpreter's getsystem is much less likely to work there.
By now we have managed to escalate our privileges to either administrator or SYSTEM level. So far we have managed to maintain a stable session, but we have not yet established persistence: whenever the target computer reboots, our Meterpreter session closes and we lose access. One might ask, why not regain access by exploiting the same vulnerability we exploited before? We could, but it is not the best approach, since over time applications get updated and patches are applied, so the vulnerability gets fixed. What we want is a more reliable way back into the system, so that we do not have to go through all the effort of compromising the target again; there are better approaches for this.
Cracking the Hashes to Gain Access to Other Services:-
The second approach we would mention is obtaining the password hashes and cracking them to gain access to other services such as Remote Desktop, VNC, or Telnet. This approach is not very stealthy, because the administrator may notice the changes you make, considering that several users are allowed access to that particular service.
Disabling the Firewall:-
It is very important to disable firewall protections in order to perform the various tasks on the host OS. The reason we want to disable the firewall is that we do not want it to interrupt our connection while we perform the post-exploitation steps. From the Meterpreter shell, we issue the shell command to launch a Windows command prompt. From the command prompt, we issue the following command to disable the firewall, e.g. netsh firewall set opmode disable
Killing the Antivirus:-
The reason to disable the antivirus is that we do not want it to identify or delete our backdoor; we want to stay unseen while conducting our penetration test. We can check for the installed antivirus by typing the net start command and tasklist /svc from the command prompt to see the process under which the antivirus is running.
Now it is possible to use the taskkill command to kill a specific process, or let Meterpreter handle it for us. In Meterpreter there is a script named killav which will automatically kill all the processes related to an antivirus. Let's read the contents of the script by using the cat command followed by the path of the script.
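From the defender's side, the commands named in the firewall and antivirus sections above (netsh firewall set opmode disable, net start, tasklist /svc, taskkill) show up verbatim in process-creation telemetry, which makes them cheap to detect. The following detection logic is an added example, not part of the original article or of Meterpreter: it runs a few rules over constructed process-creation events and summarizes the highest severity seen per host. The event records and the antivirus process-name list are illustrative placeholders.

```python
import re

# Constructed sample of process-creation events (the fields Sysmon Event ID 1
# or Windows Security Event 4688 would carry); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "cmd.exe /c netsh firewall set opmode disable"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": "tasklist /svc"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"host": "WS02", "user": "CORP\\admin", "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "WS03", "user": "CORP\\svc", "cmdline": "net start"},
]

# (rule name, regex over the command line, severity). The AV process names are
# an illustrative placeholder list; a real deployment would use its own products.
RULES = [
    ("firewall_disabled", r"netsh\s+firewall\s+set\s+opmode\s+(mode=)?disable", "high"),
    ("firewall_disabled", r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", "high"),
    ("av_process_killed", r"taskkill\b.*\b(MsMpEng|avp|mcshield|bdagent)\.exe", "high"),
    ("service_enum", r"\b(net\s+start|tasklist\s+/svc)\b", "low"),
]

SEVERITY_RANK = {"low": 1, "high": 2}


def detect(events):
    """Return one finding per event that matches a rule (first match wins)."""
    findings = []
    for ev in events:
        for name, pattern, severity in RULES:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "severity": severity,
                                 "cmdline": ev["cmdline"]})
                break
    return findings


def summarize(findings):
    """Highest severity observed per host, so a firewall/AV tamper on a host
    that also enumerated services rises to the top of the triage queue."""
    worst = {}
    for f in findings:
        current = worst.get(f["host"], "low")
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[current]:
            worst[f["host"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:<5} {f['host']} {f['user']}: {f['rule']} <- {f['cmdline']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The "show allprofiles" event is deliberately left unmatched: querying firewall state is routine administration, and only the state-changing forms are flagged.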
Compromising Other Hosts on the Network Having the Same Password:-
A vulnerability in the security design of Windows allows us to use password hashes to log in to other hosts on the same network that have the same password. The reason this is not possible on Linux is that Linux uses a unique salt for every user's hash, whereas Windows does not add a salt to its hashes.
This vulnerability comes in handy when we are unable to crack the Windows hashes: we can use the password hashes themselves to gain access to other systems on the network. In Metasploit there is a module named psexec that can be used to pass the credentials and exploit the system.
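The salting argument in the two paragraphs above is easy to see in code. This added example is not from the article: it builds a small credential store for constructed accounts (not real credentials) once without a salt and once with a per-user random salt and key stretching, then checks which accounts can be grouped as sharing a password purely by comparing stored values. SHA-256 stands in for the unsalted design the article attributes to Windows (it is not the NTLM algorithm itself), and PBKDF2 stands in for the salted shadow-file style used on Linux.

```python
import hashlib
import hmac
import os

# Constructed accounts; alice and bob deliberately share a password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "Spring2024!"}


def unsalted_hash(password: str) -> str:
    """No salt: the digest depends only on the password, so every account with
    the same password stores the identical value (stand-in for the design the
    article describes; SHA-256 over UTF-16LE is used here, not MD4/NTLM)."""
    return hashlib.sha256(password.encode("utf-16le")).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 50_000) -> str:
    """Per-user salt plus key stretching, stored as salt$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${dk.hex()}"


def build_store(users: dict, salted: bool) -> dict:
    """Build {account: stored_value} in either scheme."""
    if salted:
        return {name: salted_hash(pw, os.urandom(16)) for name, pw in users.items()}
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def reuse_groups(store: dict) -> list:
    """Accounts whose stored values are identical. With unsalted storage this
    exposes password reuse across accounts (or hosts) without cracking a single
    hash; with salted storage identical passwords still produce different
    entries, which is why the same trick fails against Linux."""
    by_value = {}
    for name, value in store.items():
        by_value.setdefault(value, set()).add(name)
    return [names for names in by_value.values() if len(names) > 1]


def verify_salted(entry: str, password: str) -> bool:
    """Salting costs nothing at login time: recompute with the stored salt."""
    salt_hex, _ = entry.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(entry, candidate)


if __name__ == "__main__":
    print("unsalted reuse:", reuse_groups(build_store(USERS, salted=False)))
    print("salted reuse:  ", reuse_groups(build_store(USERS, salted=True)))
```

The practical takeaway for the blue team is that the article's lateral-movement scenario depends on identical passwords across hosts; unique per-host local administrator passwords remove the shared value before salting even enters the picture.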
These are some of the stages we follow in the post-exploitation phase. Always keep in mind that we penetrate the system to check its security architecture and find vulnerabilities in the host and network, so never run a command that harms the host machine; always choose commands with the safety of the host machine in mind.