INE eJPT: Exploitation and Post Exploitation

Note: Much of the information below is summarized from Alexis Ahmed’s and Josh Mason’s eJPT training videos hosted on INE’s Penetration Testing Student learning path. Much credit goes to their expertise! Check out their training materials in the sources.

Continuing with my notes from studying for the INE Junior Penetration Tester (eJPT) exam. The exam breaks down its curriculum into several sections, and this portion of my notes covers the “Exploitation” and “Post Exploitation” content.

Please keep in mind these are only my notes and should not be used as the sole resource for studying for the eJPT certification. Much of the necessary material is learned through the interactive labs found in the Penetration Testing Student learning path. Additionally, the course constantly updates its material to stay current, meaning some of the content below may be out of date or missing important details.

Exploitation

  • Exploitation: the techniques and tools used by adversaries/pentesters to gain an initial foothold on a target system or network
  • Cross-Compilation: the process of compiling code for a platform other than the one performing the compilation
  • Bind Shell: type of remote shell where the attacker connects directly to a listener on the target system, consequently allowing for execution of commands on the target system
  • Reverse Shell: type of remote shell where the target connects directly to a listener on the attacker’s system, consequently allowing for execution of commands on the target system
  • Defense Evasion: techniques that adversaries use to avoid detection throughout their compromise

Anti-Virus (AV) Detection Methods

  • Signature-Based Detection: matches files against AV signatures, where a signature is a unique sequence of bytes that identifies a known piece of malware
  • Heuristic-Based Detection: relies on rules or decisions to determine whether a binary is malicious
    • Also looks for specific patterns within the code or program calls
  • Behavior-Based Detection: relies on identifying malware by monitoring its behavior
    • Often used for newer strains of malware

Anti-Virus Evasion Techniques

On-Disk

  • Obfuscation: the process of concealing something important, valuable, or critical
    • Reorganises code in order to make it harder to analyze or reverse engineer
  • Encoding: the process of changing data into a new format using a scheme
    • A reversible process: data can be encoded into a new format and decoded back to its original format
  • Packing: generates an executable with a new binary structure and a smaller size, therefore giving the payload a new signature
  • Crypters: encrypt code/payloads and decrypt the encrypted code in memory
    • The decryption key/function is usually stored in a stub
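To make the gap between signature-based detection and the encoding technique above concrete, here is an added example (my code, not part of the course material): a toy signature scanner run over constructed bytes, plus a decode-then-scan pass that approximates what a scanner does when it unwraps a simple single-byte encoding before matching. Every signature and payload byte below is made up.

```python
# Added example: static signature matching versus a reversible encoding step.
# The signatures and the sample bytes are constructed for illustration only.
SIGNATURES = {
    b"EVIL-MARKER-7f3a": "Test.Marker.A",    # constructed pattern
    b"MALTEST-STAGE2": "Test.Stage2.B",      # constructed pattern
}


def scan(data):
    """Return the names of every signature found in data (static, on-disk view)."""
    return [name for pattern, name in SIGNATURES.items() if pattern in data]


def xor_encode(data, key):
    """Single-byte XOR: a reversible encoding, so the same call also decodes."""
    return bytes(b ^ key for b in data)


def scan_with_decode(data, keys=range(1, 256)):
    """Defender-side pass: try every single-byte XOR key before scanning,
    approximating the decoding/emulation layers a real AV engine adds."""
    found = set(scan(data))
    for k in keys:
        found.update(scan(xor_encode(data, k)))
    return sorted(found)


# Constructed sample: header-looking bytes wrapping a known marker.
SAMPLE = b"MZ\x90\x00 header ... EVIL-MARKER-7f3a ... padding"


def demo():
    """Show that encoding defeats the static match but not the decoding scan."""
    encoded = xor_encode(SAMPLE, 0x41)
    return {
        "plain": scan(SAMPLE),
        "encoded_static": scan(encoded),
        "encoded_with_decode": scan_with_decode(encoded),
    }
```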

In-Memory

  • Focuses on manipulation of memory and does not write files to disk
  • Injects a payload into a process by leveraging various Windows APIs
  • Payload is then executed in memory in a separate thread

Tools

  • Netcat: AKA TCP/IP Swiss Army Knife, networking utility used to read and write data to network connections using TCP or UDP
    • Available for both *NIX and Windows operating systems
    • Utilizes a client-server communication architecture with two modes
      • Client Mode: used to connect to any TCP/UDP port as well as a Netcat listener (server)
      • Server Mode: used to listen for connections from clients on a specific port
  • revshells.com: website to help generate reverse shells based upon requirements
  • Shellter: AV evasion software to disguise shellcode/payloads
    • Found: shellterproject.com
  • Invoke-Obfuscation: open source PowerShell v2.0+ compatible PowerShell command and script obfuscator
    • Found: https://github.com/danielbohannon/Invoke-Obfuscation

Post-Exploitation

  • Post-Exploitation: the final phase of a pentest consisting of the tactics, techniques, and procedures that attackers/adversaries undertake after obtaining initial access on a target system
  • Process: an instance of a running executable/program
  • Service: a process which runs in the background and does not interact with the desktop

Post-Exploitation Methodology

  1. Local Enumeration
     • System Information
     • Users and Groups
     • Network Information
     • Services
     • Automating Local Enumeration
  2. Transferring Files
  3. Upgrading Shells
  4. Privilege Escalation
  5. Persistence
  6. Dumping and Cracking Hashes
  7. Pivoting
  8. Clearing Tracks

Windows Enumeration

System Enumeration

  • hostname: provides the name of the computer/device
  • systeminfo: gives all of the operating system information
    • Such as build number, edition, hot fixes/updates, host name, OS name/version/manufacturer/configuration, processor, directory info, boot device, system locale, domain, network interfaces, etc.
  • wmic qfe get Caption,Description,HotFixID,InstalledOn: additional information surrounding hotfixes
  • type C:\Windows\System32\eula.txt: more operating system version/build/service pack information

User and Group Enumeration

  • whoami: who the current user is
    • whoami /priv: privileges associated with the current user
  • query user: information about the current logged on user(s)
  • net users: display all other accounts on the system
    • net user <username>: display detailed information about the selected user’s account
  • net localgroup: list all groups on the system
    • net localgroup <groupname>: display all users associated with that group

Network Enumeration

  • ipconfig: current adapters with their IP address, subnet mask, and default gateway
    • ipconfig /all: additional information about adapters
  • route print: display the routing table
  • arp -a: display the ARP table (containing information about other hosts on the network)
  • netstat -ano: display current connections and listening ports along with the owning process ID
  • netsh firewall show state: display firewall settings and configurations
    • On newer systems, the firewall context is deprecated and replaced with netsh advfirewall

Services and Processes Enumeration

  • ps: display a list of running processes
  • net start: list of services that have been started (are running)
  • wmic service list: list of all running services
    • Can append with brief to shorten results
  • tasklist /SVC: display a list of processes running and services running under a particular process
  • schtasks /query /fo LIST: entire list of scheduled tasks configured to run on the system
    • Can append with /v to include additional information
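The two commands that pair naturally here are netstat -ano (which gives a PID per listening port) and tasklist /SVC (which gives the image and services behind a PID). As an added example (my code, not from the course), the Python below parses constructed output in the layout of both commands and joins them, so each listening port is shown with its owning process and the services hosted in it. The sample outputs are constructed, not captured from a real host.

```python
import re

# Constructed sample in the layout of `netstat -ano` output (example only).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1220
  TCP    10.0.0.5:49722         10.0.0.9:443           ESTABLISHED     5012
  UDP    0.0.0.0:5355           *:*                                    1504
"""

# Constructed sample in the layout of `tasklist /SVC` output (example only).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1220 TermService
svchost.exe                   1504 Dnscache
notepad.exe                   5012 N/A
"""

TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def parse_tasklist(text):
    """Map PID -> (image name, service list); header/separator lines have no PID and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = (m["image"], m["svcs"].strip())
    return procs

def listening_sockets(netstat_text, procs):
    """Join LISTENING sockets from netstat -ano with their owning process, sorted by port."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        # UDP lines carry no State column; every bound UDP socket counts as listening
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:135 and [::]:3389
        image, svcs = procs.get(pid, ("<unknown>", ""))
        rows.append((proto, port, pid, image, svcs))
    return sorted(rows, key=lambda r: r[1])
```

Calling listening_sockets(NETSTAT_SAMPLE, parse_tasklist(TASKLIST_SAMPLE)) yields one row per listening port; a PID with no tasklist entry is reported as "<unknown>" rather than dropped.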

Tools

  • JAWS (Just Another Windows Script): PowerShell script designed to help pentesters quickly identify potential priv-esc vectors on Windows systems
    • Found: https://github.com/411Hall/JAWS

Linux Enumeration

System Enumeration

  • hostname: retrieve the name of the device
  • cat /etc/issue: retrieve what distribution is running
  • cat /etc/*release: display even more information about the current distribution
  • uname -a: display the current kernel version and adjacent information
    • uname -r: clean up the display and only show the kernel version
  • env: list the current environment variables
  • lscpu: display CPU information
  • free -h: display RAM usage information
  • df -h: display a list of file systems with their size, used/available storage, and mount point
    • df -ht <type>: limit results to file systems of the given type (e.g. ext4)
  • lsblk | grep sd: display a list of storage devices and usages
  • dpkg -l: list all installed packages on the device

User and Group Enumeration

  • whoami: identifies the current user
  • groups: list the groups the current user belongs to
    • groups <username>: list the groups the given user is part of
  • cat /etc/passwd: list all user and service accounts on the system
    • cat /etc/passwd | grep -v /nologin: list only accounts with a login shell (excludes service accounts)
  • ls /home: list the home directories of regular users (root’s home is /root, so it is not shown)
  • w: list currently logged on users and what they are running
    • who: also lists currently logged on users
  • last: display the most recent logins to the system
  • lastlog: display the most recent login of every user account
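The grep -v /nologin filter above, carried a little further as an added example (my code, not the course’s): parse a constructed /etc/passwd, list the accounts that have a login shell, and flag the two things an enumerator should notice next, a second UID 0 account and a system account with an interactive shell. The UID_MIN of 1000 is an assumption taken from common Debian/Ubuntu defaults.

```python
# Added example: classify /etc/passwd entries and surface account oddities.
# PASSWD_SAMPLE is constructed for this example, not taken from a real host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0::/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
"""

# Shells that do not give an interactive login (wider net than grep -v /nologin).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
UID_MIN = 1000  # assumption: Debian/Ubuntu login.defs default for regular users


def parse_passwd(text):
    """Yield one dict per well-formed 7-field /etc/passwd line; skip the rest."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _gecos, home, shell = fields
        yield {"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}


def interactive_accounts(text):
    """Like `cat /etc/passwd | grep -v /nologin`, also excluding /bin/false and /bin/sync."""
    return [a["name"] for a in parse_passwd(text) if a["shell"] not in NOLOGIN_SHELLS]


def findings(text):
    """Entries worth a second look: extra UID 0 accounts, system UIDs with a real shell."""
    out = []
    for a in parse_passwd(text):
        if a["uid"] == 0 and a["name"] != "root":
            out.append(f"UID 0 account besides root: {a['name']}")
        elif 0 < a["uid"] < UID_MIN and a["shell"] not in NOLOGIN_SHELLS:
            out.append(f"system account with interactive shell: {a['name']} ({a['shell']})")
    return out
```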

Network Enumeration

  • ifconfig: display current interfaces configured on the device with their network information
    • ip a s: displays current configured interfaces in the case ifconfig is not installed/enabled
  • cat /etc/networks: display the network-name-to-address mappings known to the system
  • cat /etc/hostname: display the hostname of the system
  • cat /etc/hosts: display all hosts and corresponding domain-names on the system
  • cat /etc/resolv.conf: display the nameserver and DNS information
  • arp -a: display the ARP table

Process and Cron Job Enumeration

  • ps: list out currently running processes
    • ps aux: list out currently running processes with additional information
  • top: display a list of all running processes in a dynamic view updating as they run/execute
  • crontab -l: display a list of cronjobs for the current user
  • ls /etc/cron*: display all cronjobs in the system
    • cat /etc/cron*: show specifically the cronjobs and tasks

Tools

  • LinEnum: a simple bash script that automates common Linux local enumeration checks in addition to identifying priv-esc vulns
    • Found: https://github.com/rebootuser/LinEnum

Privilege Escalation

Tools

  • PrivescCheck: script to enumerate common Windows configuration issues that can be leveraged for local priv-esc
    • Also gathers various information for use in exploitation/post exploitation
    • Found: https://github.com/itm4n/PrivescCheck

Sources


Written By

s0merset7