Post Exploitation Standard

Purpose

The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machines usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and setup one or more methods of accessing the machine at a later time. In cases where these methods differ from the agreed upon Rules of Engagement, the Rules of Engagement must be followed.

Rules of Engagement

The following Rules of Engagement are specific to the Post-Exploitation phase of a penetration test and are intended to ensure that the client’s systems are not subjected to unnecessary risk by the (direct or indirect) actions of the testers and to ensure a mutually agreed procedure to follow during the post-exploitation phase of the project.

Protect the Client

The following rules are to be used as a guideline of rules to establish with a client to ensure that the day to day operations and data of the client are not exposed to risk:

• Unless previously agreed upon, there will be no modification of services which the client deems “critical” to their infrastructure. The purpose of modifying such services would be to demonstrate to the client how an attacker may:
  • Escalate privileges
  • Gain access to specific data
  • Cause denial of service
• All modifications, including configuration changes, executed against a system must be documented. After finishing the intended purpose of the modification, all settings should be returned to their original positions if possible. The list of changes should be given to the client after the engagement to allow them to ensure all changes were properly undone.
• A detailed log of actions taken against compromised systems must be kept. The log should include the action taken and the time period in which it occurred. Upon completion, this log should be included as an appendix to the final report.
• Any and all private and/or personal user data (including passwords and system history) uncovered during the course of the penetration test may be used as leverage to gain further permissions or to execute other actions related to the test only if the following conditions are met:
  • The client’s Acceptable Use Policy states all systems are owned by the client and all data stored on those systems are the property of the client.
  • The Acceptable Use Policy states connection to the client’s network is considered consent for the connected machine to be searched and analyzed (including all present data and configurations).
  • The client has confirmation that all employees have read and understand the Acceptable Use Policy.
• Passwords (including those in encrypted form) will not be included in the final report. This is done to safeguard the confidentiality of the users the passwords belong to, as well as to maintain the integrity of the systems they protect.
• Any method or device used to maintain access to compromised systems and that could affect the proper operation of the system or whose removal may cause downtime may not be implemented without the prior written consent of the client.
• Any method or device which is used to maintain access to compromised systems must employ some form of user authentication such as digital certificates or login prompts. A reverse connection to a known controlled system is also acceptable.
• All data gathered by the testers must be encrypted on the systems used by the testers.
• All data gathered will be destroyed once the client has accepted the final report. Method used and proof of destruction will be provided to the client.
• If data gathered is regulated by any law, the systems used and their locations will be provided by the client to ensure that the data collected and processed does not violate any applicable laws. If the systems will be those of the penetration testing team the data may not be downloaded and stored on to their systems and only proof of access will be shown (File Permissions, Record Count, file names..etc).
• Third party services for password cracking will not be used, nor will there be sharing of any other type of data with third parties without the clients prior consent.
• In case a compromise of a system is found by a third party all logs with actions and times recorded during the assessment by the penetration team will be saved, hashed and provided to the client and the client will determine if an incident response plan should come to effect.
• No logs should be cleared or altered unless the client has authorized this in the engagement contract/statement of work. If it is to be done, a proper backup of such logs must first be made.

Protecting Yourself

Due to the nature of a penetration test, you must ensure that you cover all your bases when dealing with the client and the tasks you will be performing. Discussions should take place with the client to clarify the following to ensure a clear understanding of the roles and responsibilities of both client and provider.

• Ensure that the contract and/or statement of work signed by both the client and provider that the actions taken on the systems being tested are on behalf and in representation of the client.
• Require prior to starting engagement that a copy of the security policies that govern user use of company systems and infrastructure is provided. Verify that policy covers:
  • Personal use of equipment and storage of personal employee data on the client systems and ownership and rights on that data.
  • Ownership of data stored on company equipment.
• Confirm regulations and laws that govern the data that is managed and used by the client on their systems and the restrictions imposed on such data.
• Use full drive encryption for those systems that will receive and store the clients data.
• Discuss and establish with the client the procedures to follow in the case that a compromise from a third party is found.
• Check for laws concerning the capture of audio and video since the use of this methods in post-exploitation may be considered a violation of local or country wiretap laws.

Infrastructure Analysis

Network Configuration

The network configuration of a compromised machine can be used to identify additional subnets, network routers, critical servers, name servers and relationships between machine. This information can be used to identify additional targets to further penetrate the client’s network.

Interfaces

Identify all of the network interfaces on the machine along with their IP address, subnet mask, and gateway. By identifying the interfaces and settings networks and services can be identify and prioritized for targeting.

Routing

Identify all static and dynamic routes on the machine. For multi-homed machines determine if it is acting as a router. The routing table will contain other networks and subnets to target and enumerate. The identification of other subnets can be used to escape outside segmented network and identify possible filtering, addressing schemes can also be identified when the data from the interfaces, routing table and discovery of other hosts in ARP Tables, NetBios and other network protocols used for service and host discovery.

DNS Servers

Identify all DNS servers in use, the domain settings configured like name and services on a host that integrate with DNS so as to develop and execute a plan for discovering additional hosts and services on the target network. In the case that a DNS Server is compromised the access to the DNS database will provide information about hosts and service so target prioritization can be done and further penetration can be achieved. The modification and addition of new records could be used for the interception of data of services that depend on DNS.

Cached DNS Entries

Identify high value DNS entries in the cache, which may include login pages for Intranet sites, management interfaces, or external sites. Cached interfaces provide information of the most recent and most used host used by the compromised host providing a view of the relations and interactions of the hosts providing information that could be used to prioritization of targets for further penetration of the target network and infrastructure. Modification of cached entries if permitted can be used to capture authentication credential, authentication tokens or to gain further information on services used by the compromised hosts leading to further penetration of the target network and its infrastructure.

Proxy Servers

Identify network level and application level proxy servers. These identified proxy servers can be targeted since the communication flow of the application that traverse thru them could be of great value and risk for the customer. If an application proxy the possibility of being able to identify and modify the flow of traffic used by the applications configured to use the service provide the means to show impact and risk to the customer.

ARP Entries

Enumerate cached and static ARP table entries, which can reveal other hosts that interact with the compromised machine. Static ARP entries may represent critical machines. If modification of ARP entries is in scope for the test this could be used for the interception of data or to show the possibility of disrupting a service in a hard to identify manner showing a medium to large risk impact.

Network Services

Listening Services

Identify all the network services offered by the machine. This may lead to the discovery of services not identified by initial scanning as well as the discovery of other machines and networks. The identification of services not shown in scanning can also provide information on possible filtering and control systems implemented in the network and/or host. In addition, the tester may be able to leverage these services to compromise other machines. Most operating system include a method of identifying TCP and UDP connections made to and from the machine. By checking both connections to and from a compromised machine it is possible to find relationships that were previously unknown. As well as the host the service should also be considered, this may reveal services listening on non-standard ports and indicate trust relationships such as keyless authentication for SSH.

VPN Connections

All VPN connections into and out of the machine or network should be identified. Outbound connections can give a path in to new systems which may not previously have been identified. Both in and outbound can identify new systems and possible business relationships if the connection is from a customer/supplier etc. VPN connections generally bypass firewalls and IDS/IPS due to them being unable to decrypt the traffic, this makes them idea to launch attacks through. If new targets are identified it should be confirmed as to whether they are in scope before launching attacks against them. The presence of VPN client or server capability may also provide access to credentials preciously not known that could be used to target other hosts and services.

Directory Services

The identification that a compromised host uses an directory services may provide the opportunity to abuse such service to enumerate and find user accounts, hosts and services that are managed by the directory service in addition to details of users that could be used for Social Engineering and phishing campaign attacks providing a possible higher success rate.

Neighbors

Need to fill this in. Network Layout (net view /domain) Check the neighbourhood network/OS X browser (mdns? or bonjour)

Pillaging

Pillaging talks to what information (files, links, documentation, etc.) the tester should be looking at using either as part of client requirements (personal information, credit card information etc.) or as part of the pivoting process to gain further access to the network. (matt)

Installed Programs

Startup Items

• List of applications and versions installed on the system.
• List of updates applied to the system.

Installed Services

Security Services

Firewall Status and ruleset. HIPS, AV installed - Identifying countermeasures installed on a single compromised machine give an idea of what to expect when targeting other machines in the network. It also gives an idea of what alerts may have been triggered during the test, these can be discssed with the client during the project debrief Security Policies, UAC, selinux, ipsec, windows security templates

File/Printer Shares

• File Server configurations by protocol (SMB, AFP). - The configuration files can be used to identify shares which are available, who has access to them and their permissions. This can help with gaining remote access to the shares and in gathering information which can be used in other areas of attacks, for example user name enumeration which also can give hints on the roles of the users found.
• Shares offered by File Servers - Any file shares offered by target systems should be examined. Just by checking the names of the shares important information may be leaked such as the name of internal applications or projects
• Access Control Lists and permissions for shares. - From the client side, if it is possible to connect to the share, then it should be checked to see if the connection is read/only or read/write. Remember that if a share contains directories then different permissions may apply to different directories. From the server side both server configuration and file/directory permissions should be examined.
• Listing of content of shares
• Identification of files of interest (Source code, backups, installation files, confidential data..etc)
• Place Trojan files - Placing Trojans on popular shares can encourage network users to access them so triggering payloads.
• Place autorun files

Database Servers

• Databases
• Tables
• Table Content, row count for regulated content
• Permission
• Users, Passwords, Groups and Roles

Directory Servers

• List of objects (Users, passwords, Machines..etc)

Name Servers

• Enumerate allowed servers for zone transfer.
• Enumerate Records.
• Modify and Add Records.

Deployment Services

• Unattended answer files
• Permission on files
• Updates included
• Applications and versions
• Backdoor installation

Certificate Authority

• Root CA
• Enumeration Certificate Revocation List
• Enumeration issued certificates
• Try to insert Root CA Certificate
• Export certificate with private key

Source Code Management Server

• Enumerate projects - The project names can give away sensitive information on company projects.
• Verify access to source code files
• Modify source code files - If it is allowed in scope then modifying source code proves that an attacker could make changes that would affect the system
• Enumerate developers - Developers details can be use for social engineering attacks as well as as inputs for attacking other areas of the system
• Enumerate configuration

Dynamic Host Configuration Server

• Enumerate leases given
• Enumerate configuration
• Enumerate Options
• Modify configuration

Virtualization

• Enumerate Virtual Machines (name, configurations, OS)
• Enumerate passwords and digital certificates for administration systems.
• Enumerate virtualization software configuration

Messaging

• ????

Monitoring and Management

Identification of services or client software for the purpose of monitoring and/or management may provide identification of additional servers and services on the target network, in addition the configuration parameters gained may provide access to other targets host and to determine what actions performed by the tester can be detected by the client. Some services to look for:

• SNMP (Simple Network Management Protocol)
• Syslog

Some Management Services and Software to look for to gain credentials, identify host and gain access to other services may be:

• SSH Server/Client
• Telnet Server/Client
• RDP (Remote Desktop Protocol) Client
• Terminal Server
• Virtual Environment Management Software

Networking Services (RADIUS,TACACS..etc)

• ???

Sensitive Data

Key-logging

By monitoring key strokes it is possible to detect sensitive information including passwords and PII - Don’t know what the legality of this is if the user is say chatting on private IM while also using company software, anyone know? If the company says that all data on the network can be monitored then this should be ok. If the second bullet point in Protect Yourself is present and it states that use of equipment can be monitored and no personal use is permitted yes, if policy does not cover personal user or ownership of data, no. It should be extended to cover Network also.

Screen capture

Network traffic capture

Previous Audit reports

User Information

In this section the main focus is on the information present on the target system related to user accounts either present on the system or that have connected remotely and have left some trace that the personnel performing the assessment can gather and analyze for further penetration or provide the desired goal of the assessment.

On System

• History files - History files store recent commands the user has executed. Reading through these can reveal system configuration information, important applications, data locations and other system sensitive information.
• Encryption Keys (SSH, PGP/GPG)
• Interesting Documents (.doc/x, .xls/x , password.*) - Users often store passwords and other sensitive information in clear text documents. These can be located in two ways, either searching through file names for interesting words, such as password.txt, or searching through the documents themselves. Indexing services can help with this, for example the Linux locate database.
• User specific application configuration parameters
• Individual Application History (MRU Windows only, history files..etc)
• Enumerate removable media
• Enumerate network shares / domain permission (gpresult)

Web Browsers

• Browser History
• Bookmarks
• Download History
• Credentials
• Proxies
• Plugins/Extensions

IM Clients

• Enumerate Account Configuration (User, Password, Server, Proxy)
• Chat Logs

System Configuration

Password Policy

By enumerating the systems password policy the ability to brute force and crack passwords becomes much more efficient, for example knowing that the minimum password length is 8 characters you can remove any word less than 8 characters from a dictionary.

Security Policies

Configured Wireless Networks and Keys

By finding the targets wireless information it becomes possible to launch physical attacks through the companies wifi when on site. It can also allow a fake AP to be set up to lure targets to connect when away from site.

High Value/Profile Targets

Need someone to fill this in.

Business Impact Attacks

Need someone to fill this in.

Data Exfiltration

Mapping of all possible exfiltration paths

from each of the areas where access has been achieved, a full exfiltration paths should be created. This includes secondary and tertiary means of getting to the outside world (through different accessible subnetc, etc). Once the mapping is provided, the actual exfiltration testing should be commenced.

Testing exfiltration paths

Per exfiltration paths mapping, data should be exfiltarted from the organization being tested. This should already be covered in the Pre-engagement scoping and adequate infrastructure should have been setup which adheres to the customer's acceptable engagement policy (i.e. data being exfiltrated is usually exfiltrated to a server in the full control of the tester, and will access and ownership right to the tested organization). The exfiltration itself should simulate real-world exfiltration strategies used by the threat actors that correspond to the Threat Modeling Standard relevant for the organization (i.e. if criminal mostly then "standard" exfiltration using a staging area inside the network where data is archived inside zip/7z encrypted files and then sent to FTP/HTTP servers on the Internet, if a more sophisticated threat actor then using means that simulate such strategies and tactics used for exfiltration).

Measuring control strengths

When performing exfiltration testing, the main goal of the test is to see whether the current controls for detecting and blocking sensitive information from leaving the organization actually work, as well as exercise the response teams if anything has been detected in terms of how they react to such alerts and how are the events being investigated and mitigated.

Persistance

• Installation of backdoor that requires authentication.
• Installation and/or modification of services to connect back to system. User and complex password should be used as a minimum; use of certificates or cryptographic keys is preferred where possible. (SSH, ncat, RDP). Reverse connections limited to a single IP may be used.
• Creation of alternate accounts with complex passwords.
• When possible backdoor must survive reboots.

Further Penetration Into Infrastructure

Pivoting is the action in which the tester will use his presence of on the compromised system to further enumerate and gain access to other systems on the client’s infrastructure. This action can be executed from the compromised host it self using local resourced or tools uploaded to the compromised system.

From Compromised System

• Upload tools
• Use local system tools
• ARP Scan
• Ping Sweep
• DNS Enumeration of internal network
• Directory Services Enumeration
• Brute force attacks
• Enumeration and Management thru Management Protocols and compromised credentials (WinRM, WMI, SMB, SNMP..etc)
• Abuse of compromised credentials and keys (Webpages, Databases..etc)
• Execute Remote Exploits

Thru Compromised System

• Port Forwarding
• Proxy to internal network (SSH)
• VPN to internal network
• Execute Remote Exploit
• Abuse of compromised credentials and keys (Webpages, Databases..etc)

Cleanup

The cleanup process covers the requirements for cleaning up systems once the penetration test has been completed. This will include all user accounts and binaries used during the test.

• Remove all executable, scripts and temporary file from a compromised system. If possible use secure delete method for removing the files and folders.
• Return to original values system settings and application configuration parameters if they where modified during the assessment.
• Remove all backdoors and/or rootkits installed.
• Remove any user accounts created for connecting back to compromise systems.