Module 7 – Gaining Access & Privilege Escalation Phase II Controls Assessment Scheduling ○...

Date post: 17-Jan-2016
Upload: rosemary-phillips
Transcript
Page 1:

Module 7 – Gaining Access & Privilege Escalation

Phase II Controls Assessment Scheduling

○ Information Gathering
○ Network Mapping
○ Vulnerability Identification
○ Penetration
○ Gaining Access & Privilege Escalation
○ Enumerating Further
○ Compromise Remote Users/Sites
○ Maintaining Access
○ Cover the Tracks

Heorot.net

Page 2:

Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise

Problem: We don't have access

Page 3:

Enumerating Further

Phase II Controls Assessment Scheduling

○ Information Gathering
○ Network Mapping
○ Vulnerability Identification
○ Penetration
○ Gaining Access & Privilege Escalation
○ Enumerating Further
○ Compromise Remote Users/Sites
○ Maintaining Access
○ Cover the Tracks

Page 4:

*Enumerating Further

○ E-mail address gathering
○ Perform Password attacks
○ **Sniff traffic and analyze it
○ **Gather cookies
○ **Identifying routes and networks
○ **Mapping internal networks

*ISSAF does not cover this topic in great detail
**Advanced topics not covered in this class

Page 5:

E-mail Address Gathering

May already have some
○ WHOIS information
○ Forums
○ archive.org

Blind e-mails
○ Admin@...
○ Webmaster@...
○ abuse@...
○ Asdfasdf@...

Web site

Page 6:

E-mail Address Gathering

Web page Demonstration

Page 7:

Perform Password Attacks

Remote Attack
○ Hydra
○ Unicorn

Local Attack
○ John the Ripper (JTR)

Additional resources required:
○ Wordlists
○ Patience

Page 8:

Remote Attack

Hydra Demonstration

Page 9:

Enumerating Further

Perform Password attacks
○ Hydra results: Access Gained

What to do next?
○ Continue on with Enumeration
○ Return to “Gain Access & Privilege Escalation”

Page 10:

Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise

We now have access

Page 11:

Gaining Access & Privilege Escalation

Gain Least Privilege through:
○ Exploitable vulnerability
○ Mis-configured system
○ Poor security practices

“In general when someone has physical access to the local host the game is over, because there is usually one or more ways to get all information from the system.” - ISSAF

Page 12:

Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise

“How to do this” is not covered in any methodology

Page 13:

Gain Intermediate Privilege

Exploitable vulnerability
○ Application exploit

Mis-configured system
○ Application running at higher-than-needed privileges
○ Access to applications they shouldn't have
○ Improper maintenance (core dumps)

Poor security practices
○ Users given elevated privileges
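
The mis-configured system and poor security practices items on this slide, seen from the reviewer's side: an added example (not part of the original slides) that audits a sudoers-style policy for grants broader than needed. It handles only a simplified subset of sudoers syntax (no alias expansion, a single Runas user); the sample policy, `audit_sudoers` and the finding names are constructed for illustration.

```python
import re

# Constructed sample policy for illustration; not taken from the slides.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias WEB = /usr/bin/systemctl restart nginx
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL) NOPASSWD: ALL
bob    web01=(root) /usr/bin/systemctl restart nginx
carol  ALL=(root) NOPASSWD: /usr/bin/python3, \\
       /usr/bin/tail /var/log/*
dave   ALL=(www-data) /usr/bin/id
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
INTERPRETERS = {"sh", "bash", "python3", "perl"}  # illustrative, not exhaustive
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def audit_sudoers(text):
    """Return {principal: sorted findings} for root-capable user specs."""
    report = {}
    joined = re.sub(r"\\\n\s*", " ", text)  # fold backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        who = left.split()[0]
        m = re.match(r"\s*\(([^)]*)\)\s*", right)
        runas = m.group(1).split(":")[0].strip() if m else "root"
        if runas not in ("root", "ALL", ""):
            continue  # runs as an unprivileged account: out of scope here
        cmds = right[m.end():] if m else right
        findings = set()
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            while (t := TAG.match(cmd)):  # tags may precede any command
                if t.group(1) == "NOPASSWD":
                    findings.add("no-password")
                cmd = cmd[t.end():]
            if cmd == "ALL":
                findings.add("all-commands")
            elif cmd and cmd.split()[0].rsplit("/", 1)[-1] in INTERPRETERS:
                findings.add("shell-or-interpreter")
            elif "*" in cmd:
                findings.add("wildcard-args")
        if findings:
            report.setdefault(who, set()).update(findings)
    return {who: sorted(f) for who, f in report.items()}
```

Entries with no findings (here `bob`, scoped to one host and one fixed command) are the shape a least-privilege grant should take.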

Page 14:

Gain Intermediate Privilege

sudo Demonstration

Page 15:

Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise

Page 16:

Compromise

“A system is fully compromised anywhere in the target network and further attack from this system can be performed. This system can be used as a step stone for other attacks to the final goal.”

Best example of this is “Got Root?”

Page 17:

Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise

Page 18:

Final Compromise

“In this step, the “real” victim like the company master DB or a specific system/file is compromised.” - ISSAF

○ Database
○ Web Pages
○ Mail Servers
○ etc.

Page 19:

Module 7 – Gaining Access & Privilege Escalation

Phase II Controls Assessment Scheduling

○ ...
○ Vulnerability Identification
○ Penetration
○ Gaining Access & Privilege Escalation

○ Gain Least Privilege
○ Gain Intermediate Privilege
○ Compromise
○ Final Compromise