Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition
by Gerard Johansen, published by Packt Publishing, 2016
Chapter 11. Maintaining Access

In the previous chapter, we talked about the privilege escalation process on the target machine. In this chapter, we will discuss the final phase of the penetration testing process: keeping the target machines accessible to us at any time.

After escalating privileges on the target machines, the next step is to create a mechanism to maintain our access to them, so that if the vulnerability you exploited later gets patched or turned off, you can still access the system. You should agree this with your customer before doing it on their systems. In addition, it is critical during a penetration test that every backdoor you place is properly documented so that it can be removed after the test.

Now, let's take a look at some of the tools that can help us maintain our access to the target machines. The tools are categorized as follows:

  • Operating system backdoors
  • Tunneling tools
  • Web backdoors

Using operating system backdoors

In simple terms, a backdoor is a method that allows us to maintain access to a target machine while bypassing the normal authentication process and remaining undetected. In this section, we will discuss several tools that can be used as backdoors into the operating system.

Cymothoa

Cymothoa is a backdoor tool that injects its shellcode into an existing process, so that the backdoor is disguised as a regular process. The backdoor must be able to coexist with the host process in order not to arouse the administrator's suspicion. Injecting shellcode into a process has another advantage: if the target system runs security tools that only monitor the integrity of executable files on disk and do not inspect process memory, the backdoor living inside the process will not be detected.

To run Cymothoa, just type the following command:

cymothoa

You will see the Cymothoa help page. The mandatory options are -p (the process ID, PID, of the process to inject into) and -s (the shellcode number).

To determine the PID, you can use the ps command on the target machine. You can determine the shellcode number by using the -S (list available shellcode) option:

[Screenshot: Cymothoa]

Once you have compromised the target, you can copy the Cymothoa binary file to the target machine to generate the backdoor.

After the Cymothoa binary file is available in the target machine, you need to find out the process you want to inject and the shellcode type.

To list the running processes on a Linux system, we can use the ps command with the aux options. The following screenshot displays the result of running that command. There are several columns in the output, but for this purpose, we only need the following:

  • USER (the first column)
  • PID (the second column)
  • COMMAND (the eleventh column)

[Screenshot: Cymothoa]

In this exercise, we will inject into PID 2765 (udevd) and use payload number 1. We need to set the listening port for the payload with the -y option (port 4444 here). The following is the Cymothoa command for this scenario:

./cymothoa -p 4255 -s 1 -y 4444

The following is the result of this command:

[Screenshot: Cymothoa]

Let's try to log in to our backdoor (port 4444) from another machine by issuing the following command:

nc -nvv 172.31.99.244 4444

Here, 172.31.99.244 is the IP address of the target server.

The following is the result:

[Screenshot: Cymothoa]

We have successfully connected to our backdoor on the remote machine and were able to issue several commands to it.

Note

Because the backdoor is attached to a running process, be aware that it will no longer be available once that process is killed or the remote machine is rebooted. For that, you need a persistent backdoor.
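The Note above also points at the flip side of this technique for a defender: an injected backdoor changes no file on disk, but it still has to hold a listening socket. The following Python script is an added example (not from the book or from Cymothoa) that attributes LISTEN-state entries from a /proc/net/tcp-style table to their owning process and flags listeners held by commands outside an allowlist; the /proc excerpt, the inode-to-process map and the allowlist are constructed sample data.

```python
"""Map listening TCP sockets to their owning processes and flag unexpected ones.

Added example, not from the book: a memory-only backdoor such as the Cymothoa
injection above changes no file on disk, so file-integrity tools miss it, but
it still needs a listening socket. Cross-checking /proc/net/tcp listeners
against the owning command catches a daemon like udevd suddenly listening.
The /proc excerpt and the inode-to-process map are constructed sample data.
"""

LISTEN_STATE = "0A"  # TCP_LISTEN as shown in the 'st' column of /proc/net/tcp

# Constructed /proc/net/tcp excerpt: sshd listening on 22, one established sshd
# connection, and an injected udevd listening on 4444 (0x115C).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: F4631FAC:0016 01631FAC:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
"""

# Constructed socket-inode -> (pid, comm) map, as built from /proc/<pid>/fd symlinks.
SOCKET_OWNERS = {12345: (812, "sshd"), 11111: (813, "sshd"), 67890: (2765, "udevd")}

# Commands expected to hold listening sockets on this host (tune per host).
EXPECTED_LISTENERS = {"sshd", "nginx", "cupsd"}


def parse_listeners(proc_net_tcp):
    """Return [(port, inode)] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        port = int(fields[1].split(":")[1], 16)  # port is big-endian hex
        listeners.append((port, int(fields[9])))
    return listeners


def suspicious_listeners(proc_net_tcp, owners, expected):
    """Return [(port, pid, comm)] for listeners whose owner is not an expected daemon."""
    findings = []
    for port, inode in parse_listeners(proc_net_tcp):
        pid, comm = owners.get(inode, (None, "<unknown>"))
        if comm not in expected:
            findings.append((port, pid, comm))
    return findings


if __name__ == "__main__":
    for port, pid, comm in suspicious_listeners(PROC_NET_TCP, SOCKET_OWNERS, EXPECTED_LISTENERS):
        print(f"unexpected listener: tcp/{port} owned by pid {pid} ({comm})")
```

On a live host the same check is done by reading /proc/net/tcp and resolving each listener's inode through /proc/<pid>/fd; the injected process keeps its original name, so the allowlist has to be by command, not by port.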

Intersect

Intersect is a tool that can be used to automate post-exploitation tasks such as collecting password files, copying SSH keys, collecting network information, and identifying antivirus and firewall applications.

To be able to automate these post-exploitation tasks, you need to create a custom script containing specific post-exploitation functions. In Intersect, each post-exploitation function is packed in a module.

Intersect comes with several default modules. The following are some of the modules provided, which are related to post-exploitation information gathering:

  • creds: Gathers credentials
  • extras: Searches for system and application configurations and tries to find certain apps and protection measures
  • network: Collects network information such as listening ports and DNS information
  • lanmap: Enumerates live hosts and gathers IP addresses
  • osuser: Enumerates operating system information
  • getrepos: Tries to find source code repositories
  • openshares: Finds SMB open shares on a specific host
  • portscan: A simple port scanner that scans ports 1 to 1000 on a specified IP address
  • egressbuster: Checks a range of ports to find available outbound ports
  • privesc: Checks the Linux kernel version for available privilege escalation exploits
  • xmlcrack: Sends hash lists to remote XMLRPC for cracking

In this chapter, we will take a look at the modules related to creating a shell connection for maintaining access:

  • reversexor: This opens a reverse XOR ciphered TCP shell to a remote host
  • bshell: This starts a TCP bind shell on the target system
  • rshell: This opens a reverse TCP shell to a remote host
  • xorshell: This starts a TCP bind shell on the target system
  • aeshttp: This starts a reverse HTTP shell with AES encryption
  • udpbind: This starts a UDP bind shell on port 21541
  • persistent: This installs any Intersect shell module as a persistent backdoor and starts a shell on every system reboot

To create the script for maintaining access, the following are the general steps to be followed:

  1. Choose the shell module you want.
  2. Define the variable for that module (for example, shell port and host).
  3. Build the script.

To start Intersect, open the console and type the following command:

intersect

This will display the following Intersect menu:

[Screenshot: Intersect]

Select Create Custom Script to obtain the following result:

[Screenshot: Intersect]

To list the available modules, you can give the following command:

modules

The following is the list of modules available:

[Screenshot: Intersect]

To select a module, just type its name on the command prompt, denoted by =>. To get information about each module, you can use the info command. To find out information about the creds module, type the following command:

:info creds

In this example, we are going to create a persistent backdoor using the reversexor module:

=>  reversexor
reversexor added to queue.

To create the module, you may need to adjust the default options as follows:

[Screenshot: Intersect]

Note

To be able to run the generated script, the remote machine should have scapy.py installed. I got the following error message when I tried to run the script:

AttributeError: 'module' object has no attribute 'linux_distribution'

Apparently, the problem is due to the remote machine still using Python 2.5.

To solve the problem, I edited the generated script and found the following line:

distro2 = platform.linux_distribution()[0]

I changed this line to the following:

distro2 = platform.dist()[0]

After successfully creating the backdoor, you need to upload it and run it on the exploited machine.

The meterpreter backdoor

The Metasploit meterpreter has the metsvc backdoor, which lets you get a meterpreter shell back at any time.

Be aware that the metsvc backdoor doesn't have authentication, so anyone who can access the backdoor's port will be able to use it.

For our example, we will use a Windows XP operating system as the victim machine, whose IP address is 192.168.2.21; our attacking machine has the IP address of 192.168.2.22.

To enable the metsvc backdoor, you first need to exploit the system and get a meterpreter shell. Then, using meterpreter's migrate command, migrate to another process such as explorer.exe (2), so that you keep access to the system even if the victim closes your payload (1):

[Screenshot: The meterpreter backdoor]

To install the metsvc service, we just need to type the following command:

run metsvc

The following is the result of that command:

[Screenshot: The meterpreter backdoor]

Now let's go to the victim machine. The backdoor is available at C:\Documents and Settings\Administrator\Local Settings\Temp\PvtgZxEAL:

[Screenshot: The meterpreter backdoor]

You can see the metsvc EXE and DLL files there. Now, let's restart the victim machine to see whether the backdoor will work.

On the attacking machine, we start the multi-handler with the metsvc payload using the following options, which are also shown in the next screenshot:

[Screenshot: The meterpreter backdoor]

We see the following settings for the Multi-handler payload:

  • RHOST: 192.168.2.22 (the victim's IP address)
  • LPORT: 31337 (the backdoor's port number)

After all the options have been set, just type execute to run the attack:

[Screenshot: The meterpreter backdoor]

The attack was executed successfully; we have a meterpreter session again and can do anything with it that we could do before.

To remove the metsvc service from the victim machine, you can run the following command from the meterpreter shell:

run metsvc -r

After that, remove the metsvc files from the victim machine.
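For the defender, the two facts above that matter most are that metsvc runs from the user's Temp folder and is registered as a service so that it survives reboots. The following Python script is an added example (not from the book or from Metasploit) that scans a Windows service inventory for binaries living under Temp or user-profile directories; the inventory rows are constructed sample data shaped like Win32_Service records, and the metsvc.exe filename is assumed.

```python
"""Flag Windows services whose binary lives under a Temp or user-profile folder.

Added example, not from the book: metsvc drops its EXE and DLL into the user's
Temp directory and registers a service there so the unauthenticated listener
comes back on every reboot. Legitimate services almost never run from such
locations, so a service inventory check is a cheap way to spot this persistence.
The inventory is constructed sample data shaped like Win32_Service rows
(Name, PathName, StartMode); the metsvc.exe filename is assumed.
"""
import re
from pathlib import PureWindowsPath

# Constructed inventory: two normal services and a metsvc-style persistence entry
# using the Temp path from the chapter.
SERVICES = [
    {"Name": "Spooler", "PathName": r"C:\WINDOWS\system32\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "Dhcp", "PathName": r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "StartMode": "Auto"},
    {"Name": "metsvc",
     "PathName": r'"C:\Documents and Settings\Administrator\Local Settings\Temp\PvtgZxEAL\metsvc.exe"',
     "StartMode": "Auto"},
]

# Directory names a service binary should not be running from.
SUSPECT_DIRS = {"temp", "tmp", "documents and settings", "users", "appdata"}


def binary_path(path_name):
    """Extract the executable from a service PathName (quoted or unquoted, with or without arguments)."""
    s = path_name.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)  # unquoted path, possibly with spaces
    return m.group(1) if m else s.split()[0]


def is_suspect_location(exe_path):
    """True if any directory component of the path is a temp or user-profile folder."""
    dirs = {part.lower() for part in PureWindowsPath(exe_path).parts[:-1]}
    return bool(dirs & SUSPECT_DIRS)


def suspicious_services(services):
    """Return [(service name, executable)] for services running from suspect folders."""
    return [(svc["Name"], binary_path(svc["PathName"]))
            for svc in services if is_suspect_location(binary_path(svc["PathName"]))]


if __name__ == "__main__":
    for name, exe in suspicious_services(SERVICES):
        print(f"service {name!r} runs from a suspect location: {exe}")
```

Pairing this with a check for unexpected listening ports (metsvc listens on 31337 by default here) gives two independent signals for the same persistence mechanism.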