UNCLASSIFIED

Commit a1b2bf32 authored by CTED_Inernal_CICDryan

Student Guides Updated

parent a38d5256
1 merge request: !87 Student Guides Updated
......@@ -20,19 +20,10 @@ https://git.cybbh.space/sec/public/builds/artifacts/master/raw/security/modules/
xref:ROOT:security_objectives.adoc#_section_7_2_2_local_enumeration[Section 7.2.2: Local Enumeration] +
xref:ROOT:security_objectives.adoc#_section_7_3_post_exploitation[Section 7.3: Post exploitation]
== Approximate Timeline
[.standard,width="100%",options="header"]
|===
| Day |Planned Events |Duration
| **Day 9: Post Exploitation** |**Facilitation:** Pivoting & Redirection | 50 minutes
| |*Break* | 10 minutes
| |**Facilitation:** Host Enumeration | 50 minutes
| |*Break* | 10 minutes
| |**Facilitation:** Data Exfiltration | 50 minutes
|===
toc::[]
== Facilitation: Post Exploitation
== Post Exploitation
*Outcome*: +
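Review bot: Both `== Facilitation: Post Exploitation` and `== Post Exploitation` appear back to back here, and with the add/remove markers lost in this view it is not clear which one survives; confirm only one level-1 heading remains after the change so the `Section 7.3: Post exploitation` xref above still resolves to a single section. The `Approximate Timeline` table in this same hunk still lists `Facilitation: Pivoting & Redirection` as the first 50-minute block, so make sure the body that follows the heading still covers pivoting once the section is reorganized.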
......@@ -136,45 +127,59 @@ Delete all PortProxies set up:
You have compromised a system. Pat yourself on the back and call it a day, right? Wrong! Now it is time to start leveraging the territory you have taken, and dig further into the network, but realize that any action you take could give away your presence and cost all the work you have done up until this point. For example, uploading your best tools increases the noise level. If you get caught and booted from the system, then you just burned your tools, because now somebody else has them. What do you do to maneuver through the network and reduce the noise level? Operating systems include a plethora of tools, that although are meant to assist in the proper operation of a system, can be used in other ways to meet the goals of network infiltration, further exploitation, and exfiltration.
*Discussion* +
What is pivoting? Why is it important? +
=== SSH Keys +
* Makes the operation non attributable.
* Looks like your connection is coming from another location.
* Allows access to something that we may not have direct access to due to firewalls, routers, etc.
* Can make or break an operation, connection loss, malware, active administrator, unreliable, etc.
* Reliability, the pivot machine will be directly accessed, and COULD be attributable if the proper precautions aren't taken (encryption, VMs, nat and pat)
*Introduction* +
Would it be smart to directly connect to a remote machine from your local host machine? +
An SSH key is a private/pubic key pair that can be used for authication. SSH keys can be use to replace password authintication or be used
in comibination with passwords. Because they are cryptographic keys it can be considered more secure than using a password. Cryptographic keys are harder
to bruteforce or crack compared to passwords. +
What is a system used for redirection? +
SSH keys are broken down into two keys: +
* A remote machine that is very trustworthy and reliable, used to pivot from
* Authorized Keys
** The public key part of the pair
** Grants access to the system they are on
* Identity Keys
** The private key part of the pair
** Used to authenticate to the computer that has the paired public key
How much thought should be put into selecting a system for redirection? +
==== Stealing SSH Identity Keys
* Geographical Location
* State of the machine
* Uptime
* *Basically it's overall reliability*
The purpose of stealing a users identity key is to give an attacker a potential way to access other targets. It would be the same thing as finding a password on the system and then trying that password on other tragets to try and gain access +
While enumerating a target machine it may be possible to find a users identity key (private key) in a location where the attacker has access to the key. If an attacker is able to access the private key they can bring that key onto their own system and use it in an attempt to gain acess to to other systmes on the target network. +
Where do you you want run all your commands from?
NOTE: The stolen identity key must have its paired authorized key on any system you are trying to access in order for you to authenticate to the targeted system
=== SSH Control Sockets* +
===== Using Stolen Identity Key
*Introduction* +
Once identity key has been taken from a target it must be prepped before use on you box +
Control sockets used during operations...
.On your attack box
. Set permissions to user only read and write
[source,bash]
chmod 600 /home/user/stolenkey
. Use `-i` option when SSHing to new target
[source,bash]
ssh -i /home/user/stolenkey jane@10.20.30.40
+
--
`-i` lets you select a specific identity key to use. By default it will look in you own `.ssh/` folder for a key to use
*Discussion* +
NOTE: When logging in with a stolen key, login as the user who owned the key you stole. For example if you stole a key from user "jane" log in as user "jane"
--
What are Control Sockets? +
. If target systme has a authorized key (public key) that pairs with the key you stole you should get logged into the system
=== SSH Control Sockets +
*Introduction* +
Control sockets used during operations...
* Master Control sockets
* Slaves
Why use control sockets over regular SSH port fowarding?
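Review bot: The new SSH Keys text carries spelling errors that will reach students: "pubic key", "authication" and "authintication", "comibination", "tragets", "acess to to other systmes", "prepped before use on you box", and "If target systme has a authorized key". Separately, the numbered steps attach the `--` open block with a `+` continuation but give no `+` before the two `[source,bash]` snippets that follow "Set permissions to user only read and write" and "Use `-i` option when SSHing to new target"; check the rendered guide to confirm those snippets stay attached to their steps, or add `+` before each so all three continuations are written the same way.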
......@@ -414,8 +419,8 @@ service --status-all - SystemV method of l
systemctl list-units --type=service \| grep running - Systemd method of listing running services
----
==== Enumerating Network Connections* +
Why is this a concern?* +
==== Enumerating Network Connections +
Why is this a concern? +
*Offensive view:* +
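Review bot: The change drops the stray asterisks from `==== Enumerating Network Connections` and `Why is this a concern?`, but the heading line keeps a trailing ` +`; the hard-line-break marker is only meaningful inside multi-line paragraph text, so on a single-line section title it is likely to render as a literal plus sign and can simply be dropped. In the listing just above, `systemctl list-units --type=service \| grep running` escapes the pipe; inside a `----` listing block the backslash is shown verbatim, so unless this listing sits in a table cell, students will copy a command that does not run as written.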
......@@ -457,7 +462,7 @@ arp -an - Displays the arp cache on the syst
ip route *OR* route *OR* netstat -r - Displays the system's routing table.
----
==== Additional areas of focus* +
==== Additional areas of focus +
The list of commands above is not a complete list. There are other commands to get additional information, along with deprecated commands.
How can the information from these extra commands be helpful in an offensive or defensive view?
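Review bot: The same trailing ` +` survives on the corrected `==== Additional areas of focus` heading and should go with the asterisk. In the listing above it, `ip route *OR* route *OR* netstat -r` uses bold markup, but a `----` block is verbatim, so students see the literal asterisks; either state the alternatives in prose outside the block or add `[subs="+quotes"]` to the listing so the `*OR*` renders as intended.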
......@@ -502,8 +507,6 @@ There are many ways to perform data exfiltration, but the ones you use will depe
Data exfiltration is the unauthorized transfer of data from a computing device. Data has value and the same data's value may vary to different cyber entities. +
*Discussion* +
==== Capturing your session for later extraction of data
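Review bot: After this change the `*Discussion* +` line is immediately followed by the `==== Capturing your session for later extraction of data` heading with nothing between them; the two lines removed here (`-8` against `+6` in the hunk header) look like they were the discussion prompt, so either restore a question under the label or drop the now-empty `Discussion` label.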