[00:00:00] Maintaining access, hold on tight. So, at this point we've gained our access, we've escalated our privileges and now we want to maintain access. How are we going to do that? Well, as an attacker, we're gonna use a couple different techniques. One is we're gonna have network sniffers, we're gonna steal additional passwords, we're gonna do lateral movement to other targets, and we're gonna open ports to start services.

[00:00:20] So, one of the first things we want to do is we wanna survey the host and understand its posture. We want to look for others on the system. Am I really alone here? What if I broke into a system, and that target had already had some other attacker on there? Well, I don't want to be fighting with another attacker, so I either want to kick them off and secure the system for myself, or I might want to go look for a different target. Our goal here is we want to keep persistent access. If there's two of us on the system, we can actually start tripping each other up, and the system admins can find us quicker. That's not going to be good for us, that's not going to be good for our persistent access.

[00:00:50] So, once we've done this, we maintain our access, we're going to be ready for our data exfil, we're going to be able to do our data compromise, we'll be able to take over the system, and do whatever it is for our long-term benefit. But in the meantime we want to make sure we maintain access, so that target is there when I want it, anytime I want it.

[00:01:09] So one of the first things we can do is we can use network sniffers. Now, if you're on the same network as the target, you can use Wireshark, and Wireshark is great for this. You turn on Wireshark, you can capture all of the data into a pcap file, which is network data. And then you can go through it at your leisure and take what you want. Now, if you're not on there and you're doing this remote access, you can use Meterpreter, because Meterpreter has a built-in sniffer as well. And so if I attack from my Meterpreter Kali box into a Windows environment or a Linux environment, I can actually use Meterpreter's built-in sniffer to start capturing traffic and download those pcap files back to myself.

[00:01:47] So, in Meterpreter how do we do that? Well, if you're at the Meterpreter prompt, you just type in "load sniffer", and it loads in the sniffer module. And at that point type in "help", and you'll get the information about how to use this system. So when we type in "help", you'll see something like this. So if you do "sniffer_start", you'll actually be able to start capturing the network data on the network. If you do "sniffer_stats", it'll tell you how much has been captured and the statistics currently there. If you do stop, and dump, you'll be able to get that data back to yourself.

[00:02:17] One of the things we do during this phase is we also want to move laterally. And by moving laterally, we have gotten into a certain target. For instance we may have attacked a vulnerable web server, as in this picture here. Now I might want to move from there onto a client that's not checked as often, so that I can have that persistent access. And so from one system, I can jump from one, to another, to another, to another, and work my way around the network. Everywhere I go, I can drop and keep myself persistent access so that I have additional points of presence.

[00:02:47] The other thing we talked about was getting more passwords. How do we do that? Well, if we're doing network sniffing, we're going to be able to capture more usernames and passwords that way. If we do keystroke logging, we can get more usernames and passwords that way. We can also go, and if we've gotten system or domain level admin, we can start creating additional user accounts for ourselves, so we have them in the future as well.

[00:03:10] So as we do this lateral movement, we're going to jump from place to place. How do we find places to go? Well, one of the great ways is ARP. And ARP is a way to find potential IPs to go after. One of the things that's provided for us inside Metasploit is an ARP scanner. Again, if we are using the pcap, in the pcap we're going to be able to find ARP callouts from machine to machine, because machines do this all the time. As I generate this list of IPs, I can use more different techniques, going back again to that enumeration phase, and restarting that part as an internal look, and see what's going on. There's also scanners like port scanners and TCP scanners built into Meterpreter that you can use, such as the auxiliary/scanner/portscan/tcp.

[00:03:53] But again, as you're getting this network data and you start looking around, you're going to start going through and doing more of that reconnaissance and enumeration again, and we start figuring out where else we can go inside the network. These are the keys to maintaining your access. It's all about more usernames, more passwords, more targets, and moving laterally. If you can do this, you can start spreading yourself out and putting hooks in everywhere, which makes it very difficult for the defenders to start clearing you out when they find you.