Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson revisits the main points of the module, reviewing:

  • Information Gathering
  • Persistence and backdooring
  • Covering tracks
  • Password cracking

Video Transcription

00:04
Hello and welcome to this, the last video in Post Exploitation, Persistence and Continued Access.
00:10
Uh, we've been together for
00:13
some time now, working our way through all of the material in this course. This will be the conclusion video. We're going to do a quick recap of everything covered, kind of
00:21
re-hit the high-level topics again.
00:26
So over the course of the last 50 hours, or 1,000 hours, or maybe it was eight hours, I forget, it's been a little while, we've covered a lot of material.
00:35
Obviously, a lot of that material was typing commands and
00:39
sort of analyzing, parsing, understanding their returns. So
00:44
it was very, very easy to get lost in the sauce and kind of dragged down. So we're gonna do this last recap of the material we examined to make sure that the high points and the important points are understood.
00:56
The first thing we did was information gathering on a Linux host. Host
01:00
commands were used to go through and highlight all the commands we used:
01:04
user, interfaces on the data link layer, as we discussed.
01:07
ifconfig, interfaces on the network layer.
01:11
That's that.
01:12
We used a lot of netstat,
01:15
interfaces on the transport layer
01:18
as well as some on the network layer. But we'll let that slide.
01:21
/etc/nsswitch.conf,
01:23
information on the NSS databases and servers.
01:27
/etc/resolv.conf, information on name resolution, DNS, that sort of thing.
01:34
Information on Linux networks was nmap and p0f. We're both for,
01:41
sort of, for scanning, although again p0f was actually passive, so that's sort of a weird
01:46
distinction.
01:49
tcpdump and tshark were both sniffers, the distinction being tshark is more fully fledged, and instead of being just a sniffer, it's sort of a packet analyzer,
01:59
which is very much the difference between p0f and nmap and tcpdump and tshark:
02:04
p0f and nmap attempt to identify information and learn things about the targets, whereas tcpdump and tshark just present that information. Although admittedly tshark
02:15
does a little bit of preprocessing before it does so.
02:19
Next we did information gathering on a Linux host, on a Windows host, pardon me.
02:24
In that one we just did ipconfig /all,
02:29
and as I say here, /all is all for a reason. It told us a lot of information. Most of the information we needed to know
02:36
to start working quickly on a Linux or a Windows target
02:39
comes from ipconfig, whereas on a Linux target ifconfig just kind of gave us a little bit.
02:46
netstat, really nothing new,
02:49
except that a lot of what we were using netstat for was covered by ipconfig, and a lot of the analysis that netstat helps us with were pretty well covered, and ipconfig could pick it up pretty quickly.
02:59
arp -a,
03:00
pretty much the same as the Linux version. Some slight formatting changes, but nothing else that was really noticeable.
03:07
And then our first excursion into the net stuff.
03:10
Um, in this one we just covered net localgroup, which is group users on a specific machine.
03:15
net config workstation,
03:19
ah, net share, which lists everything that we're sharing; net user, which obviously lists user accounts and tells us, and we can use that obviously in analysis, as I mentioned during that video, to
03:29
figure out how best to hide.
03:32
Windows networks: we covered nslookup, which is a quick reference DNS. It also has lots of other information on there, so it's worth examining.
03:42
More of the net stuff,
03:44
including net accounts, which was more than just account names. There were actually account rules for domain passwords and login, that sort of thing.
03:53
And net config server.
03:55
It was just the server service config, just all of the information for the server service, which is a Windows native thing.
04:02
It just gave us the config. net session let us know who was connecting and,
04:05
generally speaking, for what.
04:09
net session lists or eliminates connections with other computers. If we see someone connected to us that we don't want connected to us, we can tear them down with net session.
04:18
net statistics, just the connection stats for the workstation or server.
04:24
net view is the list of all the computers in the network,
04:27
as well as, if we name specific computers, we can find out what they're sharing.
04:30
Much in the way that net user was good for hiding in that capacity, in the capacity of a local machine,
04:36
net view can be good if we're trying to get ourselves included on a network on which we shouldn't be.
04:43
It lets us identify names and figure out how this server or this system is set up.
04:48
It also allows us to identify high-profile targets fairly easily if the naming schemes are indicative.
04:55
And the very last net command we used was net start, which just lists installed services,
05:00
which, of course, are always good to know. Then we moved to WMIC, which was the, uh, the Windows sort of more technical control mechanism.
05:11
Um,
05:12
the two that we discussed in this course were startup get caption,command, which is just the list of every startup,
05:19
and then useraccount, which obviously was technical data, the best use of which is to find the SID for all the users and use that to identify the admin and the guests and that sort of thing.
05:34
After we finished our information gathering, we moved over to persistence and backdooring, during which we discussed how you can go about enabling RDP,
05:42
turning on, you know, GUI connections so that you can actually pop in and point and click and cheat.
05:47
Within that we had to get through the firewall and the registry. The exterior and the interior rules had to be set,
05:55
so we kind of touched on the registry but didn't really dig into what the registry is or how it works. We got a vague idea and a vague understanding of it. So that's, that's something.
06:03
Then we created a netcat backdoor, hopefully changing the exe name so that it's not quite so noticeable, but created a backdoor which can listen persistently and started mad props who reconnected.
06:15
After that, we created a new user using net user /add for Windows, the corollary to which is useradd for Linux.
06:25
And then we obviously, commands that aren't listed here, we added them to the admin group. We gave them every bit of power and permission that we could get our hands on.
06:33
Then we
06:34
went ahead and showed you how you can actually schedule tasks, schedule arrival
06:41
for your netcat or for whatever your listener is. So rather than having it running all the time and risk getting caught, it's only available when you need it.
06:48
The two options for that, of course, were schtasks, which is the fully fledged, very capable, very smart version,
06:56
or at, which is dumb. But because it's dumb, it's one of those "so crazy it just might work" things that people kind of forget to check.
07:04
Then, after we actually created our backdoors, we covered our tracks, noticing, of course, how much shorter covering tracks is than really anything else.
07:13
Partially, that's because
07:15
when you're covering your tracks, you're pretty much just getting rid of a few records. And the other part of it is because
07:20
these are the simple means of covering your tracks rather than the extremely in-depth, complex, difficult ones. So it's bound to take a little bit less time to get through.
07:30
But we did the Linux bash history, which is the file stored in each user's home directory. We discussed the shell within a shell. There's also the option of using, rather than the bash shell, using the sh shell.
07:42
Um,
07:45
I hate sh, and frankly you probably will too, but it's also extremely effective because sh doesn't keep a history.
07:53
There's also the Linux touch, which is touch -t,
07:57
and then you can set a timestamp.
07:59
As I put it here,
08:01
It's very confusing when you log on to your computer and you find out it's been storing files since, you know, before the advent of flight,
08:09
it raises some questions.
08:11
Um, not the creation of flight, the advent of light. So before any
08:16
science nerds start attacking me,
08:18
yes,
08:20
before people started flying everywhere. Anyway, Windows log clearing, it's noticeable. Obviously you're going to draw some attention
08:31
when you nuke an entire Windows log, an entire
08:35
record of everything that's supposed to be happening on the machine.
08:39
But it's better that they know something happened than that they
08:41
look at the log and know exactly what happened. Cleared logs have happened in the past by accident,
08:48
and again, IT guys, speaking from personal experience because I am in IT, we're a lazy bunch and we do lazy things. So if we can find an explanation,
09:00
we're probably gonna use that explanation. So
09:03
your odds of getting away with it when you nuke a log are generally better than leaving all the evidence of your terrible, terrible deeds.
09:11
Once we learned how to cover our tracks, there were a few other topics that got discussed, and these were actually kind of interspersed through the whole thing. These were subjects which were not actually part of the direct course material, but subjects which I think are necessary
09:24
not just for this video of this course of this class, but just for people who are
09:30
becoming introduced to our field and learning about it.
09:33
First one, obviously, was the basics: networking, addressing, headers.
09:37
This is a big deal.
09:39
Knowing how all of this works and knowing how the headers look and how they're put together
09:43
can give you a huge edge in the field, can give you a really, really solid head start against people who just kind of think of networks as magic.
09:52
If you really get what a packet analyzer is looking at, if you really understand what's going on,
09:56
you're going to be able to ignore a lot of the defeats and a lot of the tricks that get put into place
10:03
to defeat things like Wireshark, tcpdump, or to defeat things like firewalls. If you're actually looking at the packets themselves, you're able to do a lot more with them because you can understand them.
10:13
TFTP: can't always get what you want, but if you try sometime, you just might find... I think that's all we can sing of that song before copyright kicks in, so
10:22
I guess you can try and figure out how that one ends. TFTP is Trivial File Transfer Protocol. It's the easiest, most quiet way to get your tools on a target network. However, if it's a target network that doesn't see UDP traffic, for whatever reason,
10:37
it is sometimes better to drop that for just a normal FTP server.
10:43
It's all about you know, what you actually have access to and what's actually normal in the network.
10:48
We also discussed creating batch files, which is essentially just automating your job.
10:52
Um, sort of a quick story. A quick aside about that one is a good friend of mine. When he first got into programming, he was working for a company where he had to do lots of very tedious data entry on very simple files,
11:05
and he hated the job. It was a summer internship that he was doing basically disrespect for cash,
11:09
so he finally decided, okay, I'm bored with this. I really don't want to do this. I just want to, you know, play video games or surf the Internet rather than just typing in these basic fields all day, every day.
11:20
So he wrote a script, automated his job completely,
11:24
and then told no one.
11:26
So by the end of the week, he was capable of doing his entire summer job in two or three hours.
11:33
So they kept giving him more work. And, of course, his script kept up with it. No problems. By the end of it,
11:39
he was the star data entry clerk and he was being showered with happiness and everyone was friends with him. And to
11:46
this day no one at that company ever did figure out that
11:50
he hadn't actually entered a single field in nearly two months.
11:54
So batch scripts and generally automating your job can make you look like a rock star, even when you're not even trying.
12:01
I always recommend using them.
12:03
Then we discussed the last big thing we really discussed was password cracking.
12:07
Um, you saw if you watch the practical videos you saw
12:11
a simple Python script that demonstrates how it looks and how it works.
12:15
Brute force: we hit it. We just hit it and hit it and hit it until finally it says, okay, that's a password I could accept.
12:22
Dictionary: we hit it, but we hit it in specific ways with specific terms in hopes that we can get through a little bit faster.
12:30
That was pretty much it. That was all we really discussed. And, you know,
12:33
it's taken up the last eight hours. I hope you've learned something. I hope you're, ah, a little bit more comfortable with this material than you were when you first started.
12:41
A big focus of this class of one of my big goals was to make it clear that
12:45
you know,
12:46
hacking and post-exploit hacking, and all of these crazy movie-star-style things, aren't actually that complicated or hard. It's just a matter of familiarity, practice and understanding.
12:56
So by all means, if there's anything with which you're uncertain or any subject material that you'd really like to cover again,
13:03
you can go to my page on the site.
13:07
Remember, Joe Perry,
13:09
and you can go over there and you can check it out. You can ask me questions. I'm happy to answer them.
13:13
Well,
13:13
I'll answer them. I can't promise to be happy to answer, but I'll probably be happy.
13:18
Um,
13:20
and, you know, keep looking through the class materials, all the courses on the site, and keep practicing. Keep learning.
13:26
And ah,
13:28
before you know it, you will be the uber-elitest of all possible hackers.
13:31
So with that, we're gonna go ahead and end this course, and ah, I have been, excuse me, Joseph Perry, and you've been watching this on Cybrary.it.

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc.
Instructor