Network Domination & Persistence
*Note: This article was originally published by the author on November 17, 2018.*
Achieving domination of the network requires continued stealth but also knowledge of the target OS environment. Once an attacker has gained access to the system, they will attempt to remain hidden and elevate permissions on the network. There are several methods for achieving network dominance and stealth. If an attacker’s presence were discovered on the network, there is a high probability that the attacker would lose network or client access and could lose all of the time, effort, and resources invested in gaining system access in the first place. It is relatively safe to assume that once a system’s defenses have been compromised, an attacker will attempt to plant more than one backdoor to regain entry to the system for future exploitation, perhaps utilizing some type of Remote Access Tool (RAT) or another technique.
Once an attacker has established a foothold within the Enterprise by gaining system-level access, sadly it is usually quite a simple task to elevate permissions to the domain or even enterprise admin level. Let’s explore some methods of accomplishing this that focus specifically on Windows systems, as Linux OS exploits are covered elsewhere within this Guide.
**DUMB@$$ HACKER DISCLAIMER** Before we go any further, please note that the tools and techniques outlined here are intended to be used in conjunction with sanctioned Red Team activities as part of legally contracted services with the explicit permission of the target entity. When conducting pentesting it is highly advisable to first secure a proper contract signed by the client that details the scope and limits of the activities. Exercise due caution accordingly and ignore this warning at your own peril.
Gaining Domain Admin
When encountering older Windows OS environments, Red Teamers may well be able to obtain NTLMv1 and NTLMv2 hashes, along with recovered credentials, by intercepting hashes using a packet sniffing tool such as Inveigh, Impacket, or Wireshark. Inveigh is a .NET framework packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows Server Message Block (SMB) service. Inveigh was designed to be used in combination with Windows PowerShell to spoof ADIDNS, LLMNR, mDNS, and NBNS and to conduct man-in-the-middle (MITM) attacks. Using Inveigh has the advantage of avoiding port conflicts with default running services, and it also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.
Wireshark is another well-known packet capture and network protocol analyzer that runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and other operating systems, in either Graphical User Interface (GUI) or command-line mode. What is great about Wireshark is that it allows Red Teamers to intercept and analyze live data from Ethernet, IEEE 802.11 (Wi-Fi), PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform). Additionally, it offers decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
In addition to the decryption support offered by tools such as Wireshark, Red Teamers can use software tools that come pre-loaded in the Kali Linux image such as Metasploit’s SMB Capture or Responder to crack intercepted NTLMv1/NTLMv2 hashes.
As unlikely as it may seem, there are still places running Windows 98, ME, NT, 2000, and XP on their computer systems. Many organizations have refused to upgrade their computer technology either due to budget limitations or legacy system code that won’t mesh well with newer operating systems. This presents an enormously dangerous window of opportunity for attackers to exploit. Using a password cracking tool such as John the Ripper, Red Teamers can easily crack NTLMv1/NTLMv2 hashes and gain domain administrator permissions on an older Windows OS. Of course, not everyone is still running outdated, end-of-life software anymore. Some organizations are more advanced with newer IT infrastructure components and software.
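The LLMNR/NBNS spoofing described above can be turned into a detection: monitored hosts periodically resolve canary names that nothing on the network owns, so any LLMNR answer for one of them identifies the spoofing host. This is an added Python example, not code from the original article or from the Inveigh project; the canary names, the constructed sample answer and the idea of feeding it UDP/5355 datagrams are assumptions.

```python
import struct

# Constructed canary names: hosts resolve these on a schedule; nothing legitimate owns
# them, so any LLMNR answer for one of them came from a spoofing responder.
CANARY_NAMES = {"fsrv-canary", "wpad-canary"}

def _read_name(pkt, off):
    """Decode a DNS-style name at `off`, following 0xC0 compression pointers."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def parse_llmnr(pkt):
    """Parse one LLMNR datagram (DNS wire format on UDP/5355): id, response flag, A answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, answers = 12, []
    for _ in range(qd):                            # skip question: name + QTYPE + QCLASS
        off = _read_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rc, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": tid, "response": bool(flags & 0x8000), "answers": answers}

def poisoner_alert(pkt, src_ip):
    """Alert string if `pkt` is a response that answers a canary name, else None."""
    msg = parse_llmnr(pkt)
    if msg["response"]:
        for name, ip in msg["answers"]:
            if name.lower() in CANARY_NAMES:
                return f"LLMNR poisoning: {src_ip} claims {name} is {ip}"
    return None

def build_response(tid, name, ip):
    """Constructed test input: the A-record answer a responder would send for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", tid, 0x8000, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1) + answer
```

Pair this with the usual hardening (LLMNR and NetBIOS name resolution disabled by policy) so the canary only ever fires on a host that is actively spoofing.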
For newer versions of Windows, there are other methods of gaining domain admin, such as sending spear-phishing emails that contain malicious payloads disguised as something else (e.g., a cleverly named MS Word .docx file with macros that run VB scripts). Spear phishing, however, is a technique that could take up more precious time than Red Teamers have, depending on the timeframe they are operating within (e.g., contracts are commonly limited to 5 working days at most).
Kerberos, besides being a mythical 3-headed creature, is also, of course, a network authentication protocol in the IT security domain that uses a ticket-granting system to provide strong authentication for client/server applications using secret-key cryptography. Kerberoasting is a technique that abuses Kerberos and doesn’t require elevated permissions; it allows attackers to obtain service account passwords by first obtaining a listing of Service Principal Name (SPN) values for user accounts. A thorough explanation of exactly how Kerberoasting works is beyond the scope of this chapter, but readers are welcome to dig further here or elsewhere if so desired.
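From the defender's side, Kerberoasting shows up on the domain controller as service ticket requests (Security event 4769) with RC4 encryption for user-account SPNs, usually several in quick succession from one requester. This is an added Python example, not code from the original article, that flags that pattern in constructed 4769 data; the account names, threshold and five-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (Kerberos service ticket requested) data
# fields; the names follow the event's XML. Not real log data.
SAMPLE_4769 = [
    {"TimeCreated": "2018-11-17T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2018-11-17T10:05:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2018-11-17T10:05:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2018-11-17T10:05:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2018-11-17T10:30:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.33", "Status": "0x0"},
]

# RC4-HMAC ticket types: the ticket is encrypted with the SPN account's NT hash,
# so a captured ticket can be password-guessed offline.
RC4_ETYPES = {"0x17", "0x18"}

def is_roast_candidate(ev):
    """RC4 ticket for a user-account SPN (not a machine account, not the krbtgt TGT)."""
    svc = ev["ServiceName"].lower()
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and not svc.endswith("$")
            and svc != "krbtgt")

def kerberoast_alerts(events, min_services=3, window=timedelta(minutes=5)):
    """Requesters that pull RC4 tickets for >= min_services distinct SPN accounts
    within one window; returns (requester, ip, sorted service names) tuples."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"].lower()))
    alerts = []
    for (user, ip), reqs in sorted(by_requester.items()):
        reqs.sort()
        for start, _ in reqs:                      # slide the window over each request
            services = sorted({s for t, s in reqs if start <= t <= start + window})
            if len(services) >= min_services:
                alerts.append((user, ip, services))
                break                              # one alert per requester
    return alerts
```

The mitigation that makes this detection matter less is to move service accounts to AES-only encryption types (or to group Managed Service Accounts), after which RC4 tickets for them stop being issued at all.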
Gaining Asset Admin
If you have physical access to a Windows computer, then there are several methods of owning the system. One relatively easy method that doesn’t involve any hardware hacking or external devices to gain local administrator access on the asset is to reboot the Windows computer in Safe Mode which, by default, logs the user back into the machine as the local administrator account with limited functionality. A Safe Mode boot can be started from the command prompt or by power cycling the computer and entering the BIOS to select the Safe Mode boot option.
If the Safe Mode user account is password-protected, try pressing Enter without entering a password, or try using the default Windows user password if you happen to know it. This hack will not work without being able to log into the computer in Safe Mode. Once in Safe Mode, open Cmd.exe, change directories to C:\WINDOWS\system32, and create a new account by entering:
C:\WINDOWS\system32>net user pentester1 /ADD
Next, create the new account password by entering:
C:\WINDOWS\system32>net user pentester1 *
Once the password for the new account has been created, then add the new account to the local administrator group:
C:\WINDOWS\system32>net localgroup administrators pentester1 /ADD
Next, from the command prompt, type “msconfig” which will open the System Configuration GUI and navigate to the “Boot” tab to unselect “Safe boot,” and click “OK.” Lastly, restart the computer in regular boot mode and log in with your newly established administrator account.
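On the defensive side, the net user / net localgroup sequence above leaves a recognisable pair of Security events: 4720 (user account created) followed by 4732 (member added to a security-enabled local group) for the Administrators group. This is an added Python example, not code from the original article, that correlates constructed copies of those events; the SIDs, account names and ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
BUILTIN_ADMIN_RID = "-500"            # RID of the built-in Administrator account

# Constructed Security events mirroring the net user / net localgroup sequence above:
# 4720 = user account created, 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"Time": "2018-11-17T02:14:05", "Id": 4720, "SubjectUserName": "Administrator",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "TargetUserName": "pentester1", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Time": "2018-11-17T02:14:40", "Id": 4732, "SubjectUserName": "Administrator",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "MemberSid": "S-1-5-21-1111-2222-3333-1005", "TargetSid": ADMINISTRATORS_SID},
    {"Time": "2018-11-17T09:00:00", "Id": 4720, "SubjectUserName": "helpdesk01",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1042",
     "TargetUserName": "contractor7", "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"Time": "2018-11-17T09:00:30", "Id": 4732, "SubjectUserName": "helpdesk01",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1042",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006", "TargetSid": "S-1-5-32-555"},  # Remote Desktop Users
]

def rogue_admin_alerts(events, window=timedelta(minutes=10)):
    """Flag accounts that are created and then added to local Administrators within
    `window`; also note when the built-in Administrator did it, since that account is
    normally disabled and is exactly what a Safe Mode logon uses."""
    created = {}                                   # TargetSid -> (time, name, creator, creator sid)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        ts = datetime.fromisoformat(ev["Time"])
        if ev["Id"] == 4720:
            created[ev["TargetSid"]] = (ts, ev["TargetUserName"], ev["SubjectUserName"], ev["SubjectUserSid"])
        elif ev["Id"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            hit = created.get(ev["MemberSid"])
            if hit and ts - hit[0] <= window:
                alerts.append({"account": hit[1],
                               "created_by": hit[2],
                               "by_builtin_admin": hit[3].endswith(BUILTIN_ADMIN_RID),
                               "seconds": int((ts - hit[0]).total_seconds())})
    return alerts
```

Full Disk Encryption with pre-boot authentication is the control that prevents the Safe Mode trick itself; this correlation catches the cases where it was not in place.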
Depending on how much time the Red Team has, they might also choose to install a keylogger on a target system to capture all of the keystrokes entered. Spyrix offers a free keylogger that is an excellent option. By installing a keylogger, the attackers will capture account login credentials that can be used directly or that enable privilege escalation. Spyrix allows for remote monitoring, and data is saved to the Cloud. If possible, the attackers will attempt to blend in, and the stolen user credentials (esp. for an administrator account) will allow them to act as verified system users on the network.
Exfiltrating Sensitive Data
Once an attacker has made it through the previous stages of a Red Team operation (or what is otherwise called a ‘malware attack’), the final step of exfiltration and corruption is relatively easy. Whether attempting to exfiltrate sensitive data from a standard computer client, a server, or some type of ‘sensitive’ asset, there are multiple methods of accomplishing this feat. Attackers can use Windows Secure Copy, a freeware tool, to perform sensitive data exfiltration by transferring files to and from a compromised system.
Data can be exfiltrated and anonymously leaked via different channels such as Pastebin, Peerlyst Secure Drop, Github, Google Drive, Dropbox, or email, to name a few methods. If none of these options are available, then it may be necessary to use a side-channel attack method such as digital steganography to exfiltrate the data without detection. For instance, an attacker could use Martin Fiedler’s tcsteg.py to hide a TrueCrypt encrypted container that is embedded within a larger file type, such as a .mp4 movie file, to exfiltrate a large amount of data. OpenStego is another potential option for uploading hidden data in the form of a video file to an Internet Service Provider (ISP) such as YouTube. There are many different methods for exfiltrating data; some will naturally be less noisy than others, and the attacker will need to select the method based on the particular circumstances of the target environment.
Depending on how sophisticated the physical and network security of a target organization facility is, physical exfiltration of data may be possible. Exfiltration of data using an external USB drive, CD/DVDs, or perhaps shoving an HDD or laptop in a backpack or briefcase and walking out of the facility might actually work assuming the HDD doesn’t have Full Disk Encryption (FDE) and there aren’t detectors or security guards checking bags. It may also be possible to exploit air-gapped computer systems via electromagnetic frequency spectrum vulnerabilities that emanate from WiFi, electrical power lines, computer tower fan noise, monitor display refresh rate, PC speakers/microphones, LED, or Bluetooth signal. It is beyond the scope of this chapter to get too far down into the weeds on how these types of attacks work and it may also seem like a long shot that requires special equipment and advanced skills/knowledge, but the Israelis have truly made an art form out of these types of covert-channel attacks.
Long-Term Persistence via ‘Living-off-the-Land’
Let’s face it: just as many hackers prefer to use Linux and the command line because it is so much faster than point-and-click GUIs, most of the computers in the world run some version of the Windows OS, which is why Windows is the most heavily attacked OS in history. There are far greater numbers of exploits for Windows than for other operating systems because it is the predominant OS, and attackers have concentrated their efforts accordingly for maximum effect.
Like digital steganography, malicious activity that is disguised as normal network traffic or as normal OS functions and tool activity is very difficult to detect. ‘Living off the land’ refers to a tactic that attackers have migrated to as a result of sandboxing technologies discovering fileless malware; instead, attackers use the organic tools that are already built into the OS, such as PowerShell, to carry out malware-like functions.
Formally introduced by Microsoft in 2006, PowerShell was initially a command-line interpreter (CLI) application known as Monad, or Microsoft Shell (MSH), derived from a long history of tools like MS-DOS, netsh, and WMIC, and designed to allow the automation of a full complement of core administrative tasks. All modern versions of Windows come with PowerShell installed, and unless it has been locked down and continuously monitored, it can be a nightmare for the IT department to defend against. PowerShell is a very powerful tool and, when combined with other traditional hacking tools such as Mimikatz, can be used to slurp up plaintext passwords, hashes, PIN codes, and Kerberos tickets that are temporarily stored in the system’s volatile memory. PowerShell can also be used to modify system configuration, and even laterally hop from one system to another (poppin’ shells like a boss).
If Red Teamers already have a cmd.exe shell but no way to download files to a victim Windows machine, BITSAdmin.exe is a good alternative if they are worried that running PowerShell scripts might trip detection alarms.
Other built-in, double-edged Windows tools can also be misused, such as PsExec to launch remote system processes or elevate privilege on accounts. A common technique Red Teamers use is to take passwords stolen using Mimikatz and combine them with PsExec to move laterally and log into other systems.
Also, Windows Management Instrumentation (WMI) allows an attacker to execute code on another Windows host. Using PowerShell with other tools such as PowerLurk enables an attacker to build malicious WMI Event Subscriptions, making Red Team engagements easier. To use PowerLurk, the PowerLurk.ps1 module must first be imported into your instance of PowerShell.
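Because a permanent WMI subscription always needs three objects (an event filter, an event consumer and the binding between them), defenders can detect the PowerLurk-style persistence described above by joining those objects in Sysmon's WMI events (IDs 19, 20 and 21). This is an added Python example, not code from the original article or from PowerLurk; the sample events, their field and consumer-type names and the trigger/interpreter patterns are assumptions.

```python
import re

# Constructed Sysmon events (ID 19 = __EventFilter, 20 = consumer, 21 = binding), the three
# objects a permanent WMI subscription needs. Field and type names follow Sysmon's schema (assumed).
SAMPLE_SYSMON = [
    {"Id": 19, "User": "CORP\\svc_deploy", "Name": "UptimeTrigger",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"Id": 20, "User": "CORP\\svc_deploy", "Name": "UptimeConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -File C:\\Users\\Public\\sync.ps1"},
    {"Id": 21, "User": "CORP\\svc_deploy",
     "Consumer": 'CommandLineEventConsumer.Name="UptimeConsumer"', "Filter": '__EventFilter.Name="UptimeTrigger"'},
    {"Id": 19, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Id": 20, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "Event Log"},
    {"Id": 21, "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

CODE_CONSUMERS = {"Command Line", "Script"}        # consumer types that execute attacker-supplied code
INTERPRETERS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\b", re.I)
BOOT_OR_TIMER = re.compile(r"Win32_PerfFormattedData_PerfOS_System|Win32_LocalTime|Win32_ProcessStartTrace", re.I)

def _object_name(ref):
    """'CommandLineEventConsumer.Name="X"' -> 'X' (the object path a binding refers to)."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref

def wmi_persistence_alerts(events):
    """Join each binding (21) to its filter (19) and consumer (20); return why it looks malicious."""
    filters = {e["Name"]: e for e in events if e["Id"] == 19}
    consumers = {e["Name"]: e for e in events if e["Id"] == 20}
    alerts = []
    for e in (x for x in events if x["Id"] == 21):
        flt = filters.get(_object_name(e["Filter"]))
        con = consumers.get(_object_name(e["Consumer"]))
        if not flt or not con:
            continue
        reasons = []
        if con["Type"] in CODE_CONSUMERS:
            reasons.append("consumer executes code")
            if INTERPRETERS.search(con.get("Destination", "")):
                reasons.append("payload launches a script interpreter")
        if BOOT_OR_TIMER.search(flt["Query"]):
            reasons.append("filter fires on boot, timer or process start")
        if reasons:
            alerts.append({"user": e["User"], "filter": flt["Name"], "consumer": con["Name"], "reasons": reasons})
    return alerts
```

Without Sysmon, the same join can be made by enumerating the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes in the root\subscription namespace on each host.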
It is worth noting that with long-term persistence, the goal is nearly always to remain low-key and behave like a normal user on the network whenever possible to avoid discovery. Performing administrator functions, however an attacker chooses to execute them, is bound to draw attention if anyone is watching on the opposite end. Maintaining stealth, therefore, is critical to continued network domination and persistence.
So, what happens if you hack into a machine and determine that someone else has beat you to it? The chances are that if you are a Red Teamer, then it is of no concern to you and business goes on. However, in real life, an attacker that discovered the presence of another hacker on a system would likely want to patch the machine to prevent other attackers from regaining access to the target system and then plant their own backdoor for continued persistence.
Some of the other ‘tricks’ of the trade that experienced hackers sometimes exhibit are using Tor or other proxies for anonymous connections to a victim host to reduce traceability. Some experienced hackers rent the infrastructure they launch attacks from, paying for it with some variant of stolen cryptocurrency funds to reduce the likelihood of it all being traced back to them. When it’s all said and done, the gloves are removed and there is no ‘sticky’ residue that can be forensically traced to link them back to the crime. At that point, forensic investigators are just chasing bits in the Cloud and .onion land.