Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on post exploitation, which occurs after exploitation, gaining access to the first machine on a network. This lesson discusses the rules of engagement:

  • 18 U.S.C. 1030: The Computer Fraud and Abuse Act: Violation of this act could cost millions of dollars in fines and jail time. Basically, if you don't have permission to be doing it, don't do it!
  • Expectations, permissions and ALL the paperwork: Speak with a client/customer at the beginning to find out exactly what they want and get it all on paper.

Participants also learn about protecting their client by documenting everything as well as protecting themselves by discussing everything with a client, making sure a statement of work is signed by themselves and the client and making sure they are in compliance and not breaking any laws.

Video Transcription

00:04
ladies and gentlemen, welcome to post exploitation, persistence and continued access.
00:10
This is part zero. The introduction and I will be your host slash me slash best friend for the next eight hours or so.
00:16
Joseph Perry,
00:18
I am
00:19
not this. This is not me. This is, in fact, a goat. This, however, is me. There's my address
00:26
on the cyber ery dot i t website
00:29
where you can get a hold of me. Tell me how awesome this class was. Something terrible. It was asked questions, Whatever.
00:36
This is why we're here.
00:38
You want to do this? You want to be the overly hacks or who's stealing passwords and data obviously, completely legitimately. Because someone paid you to do it.
00:46
Preferably, you know, the company who you're stealing the data from, paid you to do it. Not like the mob or something like that. But you know, none of my business. I'm staying out of it.
00:54
So we're gonna start out learning about post exploitation. For those of you uncertain as to where exactly that falls. Post exploitation comes after exploitation. Pretty straightforward name.
01:04
You make your way into a system, you gain some sort of access to a system. You use that access to
01:11
get higher credentials, preferably root access. We're going to most of the stuff that we do here on the assumption that you have root access.
01:19
Um,
01:19
and then you start doing the interesting stuff. You start doing data analysis, you start doing network analysis, you start seeing what's going on on the network, see what data you can get ahold of.
01:29
Then you start putting in back doors. You start excell trading data. You start
01:32
dropping your own stuff.
01:34
Um so is to get the things out that you want. After that, you're going to actually start creating a means by which to re access a network
01:44
you're going to put in the actual backdoors. You're going to create the persistence mechanisms, whatever you might need to do to continue access, persistence and continued access is the goal, and that's what we're gonna do.
01:53
All right, so
01:57
who is this class for? If you're here hoping to come a pen tester or if you want to learn about some interesting tools, this class is for you.
02:02
If you want to become a security professional, it's gonna give you a good idea of what the bad guys do or what the good guys who work for the bad guys do.
02:09
This is a very high level overview of the concept, and it's not for someone who's already a professional in the field.
02:15
You're going to be given a basic idea of how these practices work against a normal and user. You're not going to be learning how to assassinate an I. D. S or take down the CEO's machine or anything like that.
02:23
You're going to be learning how to actually
02:25
get data out, find out what data you're trying to get and then cover your tracks.
02:30
Uh,
02:31
and then again, of course, what is post exploitation? The answer. That is pretty simple. Whatever comes after gaining access to the first machine, everything after exploitation is post exploitation by definition.
02:46
All right, first thing we're gonna start out with are your rules of engagement.
02:50
Simply put, if you don't have permission to do this,
02:53
don't,
02:54
um,
02:55
U s code 18
02:58
10 30
02:59
Computer Fraud Abuse Act. It's ah, it's a hefty little piece of documentation, but it's worth the read.
03:05
Fines have reached several $1,000,000 for people who have broken the computer fraud and Abuse Act, and people have been awarded up to 50 60 years worth of jail time,
03:15
not dimensional. Besides all of that, it's kind of rude, you know, it's not your stuff. Don't touch it. Easy is that
03:22
expectations, permissions and all the paperwork.
03:24
You want to speak with your client, your customer Before you begin,
03:28
you're going to want, identify what they do and don't want you to do, and they're going to get it. On paper,
03:32
you're very often going to find yourself working in stir production network. And though the big red button that says self destruct is very shiny,
03:40
you're not going to want to press it.
03:43
Ah, a single hour of downtime for a company like Facebook can be millions or even billions of dollars when all things were said and done.
03:50
So they're going to be slightly miffed at you if you make that mistake. So I recommend against it
03:57
under the heading of protecting the client, we're gonna go through some quick things that you're gonna want to do before you actually start in on this. Unless you've previously agreed you're going to make no modification to anything they call critical.
04:06
The reason why you would want to do that would be to further escalate privileges on the network, to get access to specific data or to cause the dial of service.
04:15
All modifications, including configuration changes executed against the system, have to be documented.
04:20
Anything you do, write it down.
04:23
If you don't write it down, you didn't do it
04:26
or you didn't claim to have done it, and they're going to get mad.
04:29
That's a very detailed list of actions that you take should be kept.
04:32
It's not only done to protect you and say this is what I did It was all in line with what you said I should do. It's also so that when you're done, they can reverse what you've actually done.
04:45
Private and user data needs to be
04:48
in some way obfuscated or covered.
04:53
You're going on. Lee actually collect that
04:56
if you actually have permission from the client. The client Acceptable use policy states that this can be done,
05:01
and the client has confirmation that all of the employees understand that that's the case.
05:06
It's very, very dangerous to dig into someone's computer history. You can get bank information, you can get lots and lots of stuff they really aren't supposed to have, sir. Going to want to be sure, if not doing that
05:17
of not getting into personal data. You're not so slow. Getting into
05:19
passwords should never be in your final report or in any documentation.
05:24
If they are, they need to be masked so that you can ensure that no one's going to recreate or guess the password.
05:30
MP five hashing used to be the go to, but it has lots of collisions, so shallow one is usually good. Way to go or just don't include it. Just put in, ah, blanket password that wasn't actually used. Bacon substitute in for a password.
05:43
You do this to safeguard confidentiality and to maintain integrity. If any one person knows all the passwords, that's a danger.
05:49
And, of course, any method or device you used to maintain access,
05:54
Um, or whose removal
05:58
could cause downtime you should not implement unless you have written consent to implement it again. That's for the simple fact of an hour of downtime Can destroy a company's bottom line, and they will destroy your bottom line intern.
06:11
Any method or device you used to maintain access should have some sort of log in.
06:15
That's simply done so that if you're using it against a production server,
06:19
you're going to be able to ensure that no one else is going to get in. That's not part of your test.
06:25
Um, any data you gather should be encrypted and on your system.
06:30
Any information that could contain sensitive data needs to be sanitized,
06:34
and then all gathered data should be destroyed after your client is accepted. The final report
06:40
your method used in perfect destruction will be provided to the client.
06:46
A few more things. If it's regulated by law,
06:47
then you need to make sure you're following the law. Simple is that
06:51
never break the law. When you're doing this, it gets you in lots of trouble. Remember the Computer Fraud and Abuse Act I mentioned earlier?
06:58
Third party service is for pastor. Dragging should not be used.
07:01
There should not be any sharing or any data
07:04
that is exchanged with third parties that client consent.
07:09
If evidence of a prior compromises found, then you need to save. You need to stop all actions
07:15
you need to save everything you've done,
07:16
and you need to show your client what happened
07:20
Then again, no log should be removed, cleared, modified unless specifically authorized to do so.
07:27
Protecting yourself due to the nature again, you have to cover all of your bases and make sure you know what you're doing.
07:32
Insure your contract and statement of work to sign by. Both declined, and the provider
07:35
and everything is represented inside of that contract
07:40
obtained a company of security policies as well as the acceptable use policies.
07:45
Confirm you're not breaking any laws. Use full drive encryption. Discuss an established with the client. The procedures to follow in case of compromise.
07:53
Check for laws again, just over and over again. Make sure you're not breaking the law.
07:58
That's very, very important.
07:59
Now for most of what I just went over the paperwork, the documentation, all the legalities. They aren't really going to be something that I'm going to cover directly in this class. It's not going to be something you need to know because you're going to be targeting
08:11
your own VM your own system. I'm going to show you how these practices are done
08:16
so that you can more easily learn them again. This is a very high level course, very high level overview and the intent of it is to give you a sense of how these things work.
08:26
So you're not going to go into it actually, navigating through a corporate network, you don't need any major things. All you really need are an open source. V. M. I personally tend to use VM where, which isn't open source. But they do have of'em or player, which is free for use virtual boxes, of course, free for use as well.
08:45
And then you're going to want a couple of the EMS. My case I'm using Lennox and that I'm using Windows seven machine,
08:50
um, with possibly some touching on Windows eight elements as we go. But
08:56
primarily you're just going to want to have access to both operating system so that you can learn all of the things that you're about to go through. Other than that,
09:03
just a willingness to learn and an excitement about the subject. So
09:07
with no further ado, we're going to go ahead and dive in,
09:11
enjoy

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor