Chapter 3. Exploitation Tools (Pwnage)

We begin with the fun stuff in this chapter: pwnage! For those who do not know, pwn is how a hacker would say "own." If you have been pwned, your systems have been "owned." When you fully compromise a server, you own it. Exploitation is the process of owning or compromising the machine. Thus far, we have gathered information on our target by collecting public information about it and scanning the target network for vulnerabilities. We are now ready for the attack.

"Yes, I have just pwned your Windows server in under 3 minutes."

We will learn the following in this chapter, in order to mount an attack:

  • Using the Metasploit Framework to exploit Windows operating systems
  • Using advanced footprinting beyond mere vulnerability scanning
  • Exploiting a segmented network using the pivot

Choosing the appropriate time and tool

Black Hats will pick the busiest times to hit your network and do it as slowly and quietly as possible. They will try to stay under the noise of normal operation. Yes, there are more eyes on the network at that time, but a smart cracker knows that if they are slow and quiet, heavy traffic is a good cover. If you have good intel on the workflows and staffing of the target company, you might choose to attack at a sparsely staffed moment, such as weekends or holidays. This often works better at smaller companies.

If you're the Security Operations guy and you're testing your own network, this is not a good idea. Test during your off hours – it's best when the CEO is asleep. If any accidents happen during the test, things can be fixed and running properly before the next day when the CEO is awake. Exploitation doesn't normally kill a system beyond repair during testing, but some exploits will sometimes hang a service or completely hang the system to the point where it needs a reboot. The entire purpose of some exploits is a Denial of Service (DoS) against a service or a system. We don't see these as true exploits. Yes, you have attacked the system and taken it offline; however, you haven't penetrated the machine. You have made a successful attack, but you have not pwned it. The real bad guys don't use DoS attacks. They want to get in and steal or copy data from all over your network. Services going down draw the attention of the IT staff, which is not a good thing if you are trying to break in. It could, however, be used as a diversion if you are exfiltrating data from a different machine or attacking another host.

DoS tools are also considered exploits because they work on the system in much the same way as exploits do. A DoS hangs a system. An exploit that gains access may also hang a system, but only long enough to inject some type of code and establish a connection. Basically, you make the machine go stupid for long enough to get a foothold. When your exploit tool fails, the result may look just like a DoS attack. If you have a choice, it is better to have the failed exploit look like a temporary denial of service, which can be misinterpreted as an innocent NIC failure at the origin host, than like a cracker testing exploit code on the target system.

Tip

Hacker Trick

Whenever you are testing, always have someone available, or some other way, to restart a service or reboot the system you are testing. Always have contact information for the people to call "when things go wrong" before you start testing. Though you may try to be quiet and not knock anything offline, you should always have your Plan B in place.

Exploiting Windows systems with Metasploit

"Fear Not the Command Line."

 -->BoWeaver

The Metasploit Framework is the ultimate toolkit. There was a time when building a pen-testing machine would take days. Every individual exploit tool would have to be:

  • Tracked down and researched
  • Downloaded (over a dial-up Internet connection)
  • Compiled from source
  • Tested on your cracking platform

Now, from the great people at Rapid7, comes the Metasploit Framework. Metasploit brings just about every tool you'll ever need as a plugin or function within the framework. It doesn't matter what OS, or even what kind of device, you discover on the network you are testing; Metasploit is likely to have a module to exploit it. We do 90% of our work with Metasploit.
