- Initial Reconnaissance – Complete
- Initial Compromise – Complete
- Establish Footholds – Now
- Escalate Privileges
- Additional Reconnaissance where we will move laterally and continue to maintain presence
- We now need to maintain presence on the initial system through one of several methods listed below (we have taken the favorite ones from the team here)
- Read Intercepts (read): I represent myself as the Windows operating system to the anti-virus software. I intercept the AV program request and either deny the request or give the anti-virus program a fake, clean version of the requested file. The interception is possible by injecting code into the actual OS files that handle the read request.
- Self modification: Some classes of viruses hide by tracking the code snippets anti-virus programs use to identify them and then altering the code snippet every time the virus is injected into a new machine. They change their signature so that it is unique on every infected machine. The anti-virus program is then duped. It doesn’t get any positive matches and believes no virus is present.
- Self-Encryption: Either using an XOR cypher that will allow rapid unpacked and re-used with minimal issues (and can be encoded without using a separate cypher. Other way is to encrypt the body of the virus, but a lot of AV companies are seeing this and detecting…however easiest way is to simply hide within the executable files itself, typically this is done when the Trojan detects an AV update and the core OS files are vulnerable…from there it can reside/live and also disable the AV.
- Polymorphic or mutating viruses: This beast contains “an engine” which functions like a unique re-coding agent that modifies the virus on every infection or when certain criteria are met. The engine is programmed to re-program key parts of the virus such that they accomplish the same function only they do so via different code strings. This makes them harder to identify and crack. (NOTE: This is what is running in Africa as my Vaccine incase anyone wants to talk about it one day J)
- Metamorphic virus, these are polymorphs on steroids…the whole virus rewrites itself PER infection/per target. The engine in this instance is a huge undertaking (the one I have is about 13-15,000 lines of code JUST for the engine itself…)
So at this point we have the computer, we have tentacles into it to the point where we can comfortable maintain presence even during the harshest of scans etc. Next up, privileges and reconnaissance outside of this initial system.
And this is where the new breed of Deception technology steps out of the shadows.
As the attacker our next move is to understand the system we are on, and then to do some initial investigation into the surroundings. We have a number of tactics we can employ, some are covert or hidden, some are more overt in nature and require the electronic equivalent of an introduction and handshake with anything else in the vicinity.
Let’s take a look at the less overt first, those are the reconnaissance weapons of first choice:
- Local network scan, this is the simplest and is done by looking at the network configuration (ipconfig/all) that will give all the data (DHCP, DNS, WINS, NTP etc.) that allows me to see what/where I am in relation to the rest of the network AND where my targets likely are, it also provides the following “ideas”
- Server network, are the DHCP/DNS servers at the top or bottom of the IP range
- Server network, where’s the primary WINS or other AD servers, any order to the chaos?
- How many different networks am I looking at, what is the likelihood that servers are spread out?
- At this point we are going to check the local printers, shares and other connections (ping, tracert etc.) We need to know where we are, who are we and what can we get into.
- Tracert (tracing between my host and another host on the same network, direct or something in the way….
- Arp options, we want to see what the MAC addresses around us are, specific types, is it random, what’s dynamic etc.
- Netstat is going to be a crucial part of our looking around the network, we want to know what connections we have, as well as what is around us, is there Internet (aside from me) and who else/what else is connected ALSO the address structure of the local/foreign addresses, what is the construct (abc.corp, or what else is close/connected) ALSO crucial to know is netstat –s, HOW active has this host been, is it crucial to the system or sitting idle etc.
- Nbtstat (especially –c for names/and IP addresses) and –r for hosts (local and remote) and –n to see what is registered.
- Nslookup is useful for some of the internal/external sites, especially if you can execute –type=any
At this point we have pretty much everything we need to familiarize ourselves with the immediate landscape…now we need to pick a target and work out what IS there on it we can use against it. For that we will start by falling back on the (windows) command suite of “net services” for which there is a TON that can be used to interrogate a host. The list below is some of the common stuff we look for when attacking:
- DNS name
- NetBIOS names
- User accounts (including logged on/in user if we can enumerate)
- MAC address (once we have this we can look up the platform, version and other data points)
- What role the computer has (if we can get it from the machine OR from AD using dsquery command OR net group/net localgroup or AdFind etc.
- Remote support options (if it gives that up without scanning ports)
- Network adapters (how many, what config…helps work out if PC/Laptop/Server/VM etc.)
- Shares (can enumerate the basics easily and see what else is open (C$, Admin$, IPC$ etc.)
- Services, if we can get these we can work out roles and see what the machine is doing/running etc.
So I have my intelligence packet full of fun facts about the local machine we are on, the network it’s located in and basically anything that is advertising for an audience. It’s time to put some of this intelligence to work… and that’s where the future changes.