CompTIA Pentest+ (PT0-002) – Lesson 16: Performing Post-Exploitation Pivoting and System Penetration

August 6, 2024

Guide on Performing Post-Exploitation Pivoting and System Penetration

Objectives:

  • When given a scenario, research attack vectors and perform network attacks.
  • When given a scenario, perform post-exploitation techniques.
  • Explain the use cases of the following tools in the phases of a penetration test.

Topic 16A: Testing Login Credentials

After gaining initial access to the target system, obtaining user login credentials is a top priority for CertMaster’s Pentest Team. These credentials can be exploited to gain deeper access to the network and escalate privileges. There are various techniques to obtain credentials, from brute-force password guessing to dictionary attacks and password spraying. The team can also use social engineering techniques like phishing and keylogging. Testing and exploiting login credentials is a crucial step in the penetration testing process.

An offline password attack is one in which the attacker obtains a copy of the stored usernames and passwords (or password hashes) and then attacks that copy on their own system, away from the target.

  • Sources include /etc/shadow on Linux or the SAM database on Windows.
  • Once the attacker has the login information, they run the attack on their own machine; this is called “password cracking”.
  • When the login information is obtained in hash format, the process is also called “hash cracking”.

Example: After successfully infiltrating a Windows server at comptia.edu.vn, CertMaster’s Pentest Team extracts the SAM file containing user password hashes. They use a tool like John the Ripper to perform an offline dictionary attack on these hashes, eventually recovering cleartext passwords for several admin accounts.

A dictionary attack is the simplest type of automated password attack.

  • The password cracking tool runs through a list of words until it finds the password or runs out of words.
  • There are practical limitations to using dictionary attacks.
  • You must know the username in advance.
  • The password list can become too unwieldy and difficult for the password cracker (or its system) to load or manage.
  • Most systems have policies to lock out users after exceeding a certain limit.

Example: When testing a web service on comptia.edu.vn, CertMaster’s Pentest Team notes that it allows multiple failed login attempts without locking out accounts. They exploit this by using the Hydra tool to run a dictionary attack on the login page, eventually guessing the password for an admin account.

There are some techniques used to overcome lockout limits when attempting online attacks. These include:

  • Stealing a copy of the file or database containing user login information and attempting to crack passwords offline
  • Causing the system to “dump” its hashed passwords so you can crack them offline
  • Running the password cracker against a network service that has no account lockout policy
  • Running the password cracker against user accounts like administrator or root that are exempt from account lockout policies

Example: CertMaster’s Pentest Team discovers a vulnerability in comptia.edu.vn’s web application that allows them to trigger an SQL injection attack. They use this to dump user password hashes from the database. They then crack these hashes offline, allowing them to obtain cleartext passwords without worrying about account lockout policies.

A brute force attack is an attack where the attacker tries many passwords with the hope of eventually guessing the correct password.

  • Brute force attacks are limited by processing power and other resources (such as memory and storage space).
  • Password spraying limits brute forcing by trying a small number of common or targeted passwords against many accounts, staying below each account’s lockout threshold.

Example: CertMaster’s Pentest Team notices that many users in the comptia.edu.vn environment have weak passwords. Instead of trying to guess each password individually, they create a short list of common passwords based on the organization’s password policy. They then “spray” these passwords across multiple accounts, eventually gaining access to several without triggering account lockouts.
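The distinction above is what a defender looks for in authentication logs: brute force piles failures onto one account, while a spray spreads a few attempts across many accounts. The following added example (not part of the lesson) classifies failed-login sources on that basis; the sshd lines are constructed and both thresholds are assumptions.

```python
"""Added example (not from the lesson): tell password spraying apart from
per-account brute force in failed-login records. Brute force hits one account
many times and trips the lockout threshold; a spray tries one or two common
passwords against many accounts and stays below it, so the signal is the
number of distinct accounts per source rather than failures per account.
The sshd lines below are constructed; both thresholds are assumptions."""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
LOCKOUT_THRESHOLD = 5    # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 5   # assumed: one source failing against this many accounts


def _line(minute, user, src):
    """Build one constructed sshd log line in the OpenSSH failure format."""
    return (f"Jan  5 10:{minute:02d}:00 host sshd[4242]: Failed password for "
            f"{user} from {src} port 5{minute:04d} ssh2")


SAMPLE_LOG = (
    [_line(i, "alice", "10.0.0.5") for i in range(6)]              # 6 tries, 1 account
    + [_line(10 + i, u, "10.0.0.9")                                # 2 tries x 6 accounts
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"] * 2)]
    + [_line(30, "bob", "10.0.0.20"),                              # a single typo
       "Jan  5 10:31:00 host sshd[4243]: Accepted publickey for bob "
       "from 10.0.0.20 port 50001 ssh2"]
)


def parse_failures(lines):
    """Return (source, username) for every failed-password line; skip the rest."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user")))
    return events


def classify_sources(lines):
    """Classify each source as 'brute-force', 'spray' or 'normal'."""
    per_pair = defaultdict(int)       # (source, account) -> failures
    accounts = defaultdict(set)       # source -> accounts it failed against
    for src, user in parse_failures(lines):
        per_pair[(src, user)] += 1
        accounts[src].add(user)
    verdict = {}
    for src, users in accounts.items():
        worst = max(per_pair[(src, u)] for u in users)
        if worst >= LOCKOUT_THRESHOLD:
            verdict[src] = "brute-force"      # would also trip the lockout policy
        elif len(users) >= SPRAY_MIN_ACCOUNTS:
            verdict[src] = "spray"            # many accounts, each under threshold
        else:
            verdict[src] = "normal"
    return verdict


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

A per-account lockout rule alone never fires on the spraying source, which is exactly why the account-count view is needed alongside it.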

Linux passwords are stored as hash values in /etc/shadow.

  • Identify the hashing algorithm being used, then attempt to crack the hash.

Windows stores local usernames and passwords in the Security Account Manager (SAM).

  • Passwords are stored as two types of hashes: LanMan (LM) and NT hash

The Windows Local Security Authority Subsystem Service (LSASS) uses LSA secrets to store various types of user, service, and application passwords.

  • In some cases, they can be found in memory after a user logs in or a computer boots and can be dumped using tools like Mimikatz.

Example: After infiltrating a Linux server at Comptia.edu.vn, CertMaster’s Pentest Team extracts the /etc/shadow file. They identify that the hashes use the SHA-512 algorithm. Using hashcat with a large password dictionary, they are able to crack several user passwords, including the root user.
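Identifying the algorithm is the first step for the cracker, and the same check tells an administrator which accounts are protected by weak or no hashing. The following added example (not part of the lesson) reads the crypt(3) "$id$" prefix of each /etc/shadow entry; the shadow lines are constructed with placeholder hash strings.

```python
"""Added example (not from the lesson): identify the hashing algorithm of each
/etc/shadow entry from its crypt(3) "$id$" prefix, which the lesson names as
the first step of an offline attack, and flag entries an auditor should fix
before a cracker ever sees the file: md5crypt and traditional DES hashes,
empty password fields, and prefixes the table does not know.
The shadow lines below are constructed with placeholder hash strings."""

# crypt(3) prefix id -> algorithm; bcrypt variants share one name
ALGORITHMS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
    "y": "yescrypt", "gy": "gost-yescrypt",
}
WEAK = {"md5crypt", "descrypt"}   # fast hashes: cheap to crack offline

SAMPLE_SHADOW = [
    "root:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "bob:$1$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "legacy:abCDefGHijKLm:19700:0:99999:7:::",   # 13-char traditional DES form
    "svc:!:19700:0:99999:7:::",                   # locked, no hash
    "guest::19700:0:99999:7:::",                  # empty password field
    "daemon:*:19700:0:99999:7:::",
    "# not a shadow entry",
]


def identify_hash(field):
    """Return (algorithm, status) for one shadow password field."""
    if field == "":
        return "none", "empty-password"          # login without any password
    if field[0] in "!*":
        return "none", "locked"                  # no password login possible
    if field.startswith("$"):
        prefix = field.split("$")[1]             # "$6$salt$hash" -> "6"
        algo = ALGORITHMS.get(prefix, "unknown")
    elif len(field) == 13:
        algo = "descrypt"                        # 2-char salt + 11-char hash
    else:
        algo = "unknown"
    if algo in WEAK:
        return algo, "weak"
    return algo, ("review" if algo == "unknown" else "ok")


def audit_shadow(lines):
    """Map username -> (algorithm, status) for every well-formed entry."""
    results = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        results[fields[0]] = identify_hash(fields[1])
    return results


def findings(lines):
    """Usernames whose password storage needs attention, in file order."""
    return [u for u, (_, status) in audit_shadow(lines).items()
            if status in ("weak", "empty-password", "review")]


if __name__ == "__main__":
    for user, (algo, status) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8s} {algo:14s} {status}")
```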

There are many password cracking tools, many of which are multi-featured.

  • hashcat – can accelerate the process by using different attack methods (dictionary, mask, hybrid) to add complexity and variation.
  • medusa – Parallel brute-forcer for network logins. Its focus is on supporting numerous network services that allow remote authentication.
  • brutespray – Tool that allows for the interpretation of results from Nmap scans to automatically start medusa against identified open ports.

Example: CertMaster’s Pentest Team uses the hashcat toolkit to crack comptia.edu.vn’s password hashes they’ve extracted. They use a combination of GPU-accelerated attacks, hybrid dictionary/mask attacks, and custom rules to optimize the cracking process. This allows them to recover cleartext passwords quickly, even for complex hashes.

Social engineering can also be used to obtain user login credentials, as can installing a hardware or software keylogger to capture login information:

  • Hardware USB keylogger (requires physical access)
  • Meterpreter keyscan_start and keyscan_dump

Example: As part of the penetration test at comptia.edu.vn, CertMaster’s Pentest Team conducts a phishing attack targeting employees. They send emails with links to a fake login page, asking users to enter their credentials. Some users fall for it and the team collects their authentication information. They also physically install a USB keylogger on a compromised computer to record passwords as they’re typed in.

Review Activities:

  1. Describe what occurs in an offline password attack
  2. Outline how a Dictionary attack works
  3. List ways the team can overcome account lockout limits
  4. Discuss what’s involved when using a brute force attack
  5. Compare Linux and Windows password attack methods
  6. List some password cracking tools
  7. Review alternative methods for obtaining credentials

Topic 16B: Moving Through the System

After obtaining credentials, CertMaster’s Pentest Team needs to expand their presence on the target network. This involves moving to other systems, escalating privileges, and gaining access to additional resources. Techniques like lateral movement, pivoting, and pass-the-hash are crucial at this stage. By exploiting trust relationships and leveraging compromised credentials, the team can simulate how an attacker would spread through the target environment.

There are instances where the shell obtained is a restricted shell.

  • A restricted shell imposes important technical limitations on the penetration tester.
  • For instance, SSH doesn’t work properly from a restricted shell, which hampers efforts to create a tunnel through it to continue the attack.
  • To continue manipulating the environment, the team will need to upgrade the shell.

Example: After successfully infiltrating a Linux server at comptia.edu.vn, CertMaster’s Pentest Team notices that they only have restricted shell access. They can’t change directories, view certain files, or use SSH. To overcome these limitations, they use shell upgrade techniques to obtain a fully interactive shell, providing them with the control necessary to move to other systems.

Lateral movement is the process of moving from one part of the computer environment to another.

  • You may discover additional or new vulnerabilities in the environment that you would miss if you stayed in one place.
  • When you compromise the initial server, you can scan the network for other servers and enumerate network protocols, ports, and logical mappings, which helps discover where additional servers are and which ones you can move to.

Example: After taking control of a Windows workstation in the comptia.edu.vn network, CertMaster’s Pentest Team uses BloodHound to map trust relationships across the entire domain. They identify that the compromised machine has admin access to several critical servers. They use Pass-the-Hash logins to access these machines, then perform further reconnaissance to identify attractive targets for further attacks.

Shells give you remote command-line access; remote access and remote management services can be used in the same way to move laterally:

  • Remote Desktop Protocol (RDP) comes with Windows systems.
  • Virtual Network Computing (VNC) is cross-platform and allows for full remote control.
  • Remote management services such as WinRM, PowerShell remoting, and PsExec allow you to issue commands to remote systems.
  • Using RPC/DCOM can help you avoid detection.

Example: CertMaster’s Pentest Team discovers a critical server with RDP enabled in the comptia.edu.vn environment. Using compromised credentials, they establish an RDP session to access the server’s GUI. From here, they can install additional tools, gather data, and even pivot to additional network segments that were previously inaccessible.

Pivoting is when you compromise a server that allows you to spread to other servers that were otherwise inaccessible.

  • This is necessary when you want to move to a different network segment than the one you’re currently on.
  • Techniques that can allow for pivoting include port forwarding, VPN pivoting, SSH pivoting, and modifying routing tables.

Example: During the penetration test, CertMaster’s Pentest Team compromises a web server in comptia.edu.vn’s DMZ network. They note that this server also has a network interface connected to the internal network. By setting up dynamic port forwarding over SSH, they’re able to use the compromised web server as a jump point to scan and attack systems in the internal network, significantly expanding the scope of their attack.

A pass the hash attack is when you log in using a username and the hash of the password, instead of the password itself.

  • You obtain the hashes by forcing the operating system or application to dump them from RAM, the Windows Registry, or credential files.
  • You can use Mimikatz and other tools like Responder.py to obtain hashes from various services on the network.
  • Once you have the hashes, tools like Hydra and Medusa can be used to test whether they are usable, pass them, or crack them.

Example: After extracting NTLM hashes from the memory of a compromised server at comptia.edu.vn, CertMaster’s Pentest Team uses Mimikatz to pass these hashes to other systems in the same domain. This allows them to impersonate compromised users, leveraging their credentials without knowing the actual passwords. They can then access additional resources and move to new machines.

Privilege escalation is one of the primary goals in any penetration test.

  • It allows the attacker to control, access, or change sensitive files and to leave permanent backdoors.
  • Privilege escalation (PrivEsc) is used to gain access to restricted resources:
  • Vertical Privilege Escalation – Gaining access to an account with higher privileges than the account you currently have.
  • Horizontal Privilege Escalation – Gaining access to a normal user account with different privileges than the account currently in use.

Example: After initial access to a workstation, CertMaster’s Pentest Team notes a service running with system privileges. They discover a vulnerability in the service that allows them to execute arbitrary code. Exploiting this, they obtain a system shell and escalate privileges vertically. They then use this access to extract credentials for other users, allowing for horizontal privilege escalation.

Apart from specific kernel exploits, there are other types of exploits that can elevate privileges.

  • They take advantage of services, drivers, and applications running with SYSTEM or administrator privileges.
  • Like kernel exploits, most are run locally after gaining access to the target.
  • Some examples include:
  • Credential attacks and local UAC bypass
  • Searching for sensitive information in shared folders
  • Looking for missing patches or common misconfigurations that can lead to privilege escalation

Example: During the test, CertMaster’s Pentest Team uses Metasploit to launch several common privilege escalation modules against the compromised Windows server. One of these modules exploits a file permission misconfiguration to write a custom service to the system directory. When run, this service provides them with a shell with full system privileges.

Once you have compromised a Linux server, you will need to escalate privileges to achieve your goals. Here are some examples of how to escalate privileges in Linux:

  • Compromising user applications
  • Locating services owned by (running as) root and checking whether you can compromise them
  • Exploiting loosely configured cron jobs to gain root access

Example: After gaining access to a Linux server as a regular user, CertMaster’s Pentest Team runs LinEnum to identify potential privilege escalation vectors. The tool discovers that they have write permissions to a shell script that’s run by a root cron job. By adding malicious code to this script, they eventually obtain a root shell.

Review Activities:

  1. Explain why the team would need to upgrade a restrictive shell
  2. Outline what the team can accomplish when moving laterally
  3. Describe how the team can achieve lateral movement with remote access services
  4. Discuss what can be accomplished when pivoting to other areas
  5. Review ways to escalate privileges
  6. Compare ways to gain control in Windows and Linux environments

Topic 16C: Maintaining Persistence in the System

Even after CertMaster’s Pentest Team has successfully infiltrated a system, their work is not done. To maximize the impact of the penetration test, they often need to maintain access to the target environment for an extended period. At this stage, they will deploy persistent techniques to ensure their continued presence in the system. This may involve installing backdoors, creating compromised accounts, scheduling malicious tasks, or disabling security controls. By doing so, they demonstrate the real risk of a successful attack, where hackers can persist in the environment undetected for long periods.

Persistence is the quality of a threat continuing to exploit a target while remaining undetected for a significant amount of time.

  • Some goals related to persistence include:
  • Moving a portion of sensitive data over a period of time instead of all at once.
  • Moving sensitive data that changes over time.
  • Compromising systems, networks, applications, and other assets over many days, weeks, months, or even years.
  • Monitoring user behavior over time.

Example: After gaining initial access to comptia.edu.vn’s network, CertMaster’s Pentest Team installs several different persistence mechanisms. On one server, they configure a scheduled task to periodically call back to their C2 server, providing access even if passwords are changed. On another machine, they install a kernel rootkit that hides their presence from standard administration tools. These techniques allow them to maintain a foothold in the environment for an extended period.

An Advanced Persistent Threat (APT) is a continuous attack aimed at establishing a long-term and undetected presence in an organization’s network to steal sensitive data.

  • APTs are an implementation of persistence.
  • They rely on complex, highly customized exploits.
  • APTs tend to target organizations that hold a large amount of power over others.
  • They can take years to detect, during which a large amount of sensitive data is moved from the target.
  • They represent some of the most dangerous and harmful threats to target organizations.

Example: Throughout the test, CertMaster’s Pentest Team pretends to be a state-sponsored APT. They spend weeks developing custom tools and building a presence in comptia.edu.vn’s network, slowly exfiltrating confidential data in a careful manner to avoid detection. They route their traffic through a series of proxies to obscure their true origin. This simulated attack highlights the difficulty in defending against persistent and sophisticated adversaries.

Different techniques can help you maintain access to the target.

  • For example, some user accounts are monitored more closely or have tighter access controls than others.
  • Creating a new account can help you bypass these restrictions when you need to authenticate.
  • Remote access services can also be used to maintain connections. Other common persistence techniques include:
  • Backdoors and Trojans, Bind and Reverse Shells
  • Services and Daemons, Registry Startup and Scheduled Tasks

Example: To maintain persistence in comptia.edu.vn’s network, CertMaster’s Pentest Team creates a new admin account with a legitimate-looking name. They also enable RDP on several critical servers and configure the firewall to allow access to them from their IP address. Additionally, they configure some machines to periodically connect back to their C2 server through an encrypted communication channel.

A backdoor is a hidden mechanism that provides you access to a system through some alternative means.

  • The goal is to avoid the attention of typical users of the system while allowing unauthorized users to access that system.

An example of a backdoor is a Remote Access Tool (RAT), also known as a remote access trojan.

  • RATs are primarily downloaded onto a victim’s computer through trojan malware.
  • Their functionality ranges from providing just an interactive shell to full GUI control, and they are designed to be hidden from view.

Example: In the simulated attack, CertMaster’s Pentest Team infects several comptia.edu.vn computers with a custom RAT. The RAT appears as a legitimate program, but it opens a backdoor that the team can use to access the machine remotely at any time. It also has functionality allowing them to upload and execute additional code, creating a pathway for deeper infiltration into the network.

Remote access services such as Telnet, SSH, RDP, VNC, etc., can also allow for persistence.

  • You can even leverage backdoor accounts with these services to remotely control the target.
  • However, maintaining anonymity while using these services is particularly challenging.

Example: After gaining root access on a critical server, CertMaster’s Pentest Team configures OpenSSH to allow key-based logins. They create a key pair and install the public key on the server. This allows them to securely log in at any time without a password, while avoiding leaving traces in system logs like they would if using RDP or VNC.

A shell is any program that can be used to execute commands. Essentially, there are two types of shell attacks: bind and reverse.

  • A bind shell is established when the target system “binds” its shell to a local network port.
  • A reverse shell is established when the target machine communicates with the attacking machine that is listening on a specific port.

Example: After successfully exploiting a vulnerability in comptia.edu.vn’s web server, CertMaster’s Pentest Team creates a reverse shell. They set up a listener on their attack machine and configure the exploit to connect back to it, establishing a covert communication channel. If the organization’s firewall blocks incoming connections, they might switch to using a bind shell to listen on the web server’s port.

In the Windows world, a service is any program that runs in the background and is a type of non-interactive process.

In the Unix-like world, a daemon is like a service.

  • They run in the background but are not attached to any terminal; therefore, they can continue to run on the system even when the terminal is closed.
  • If you install a remote access daemon on the target, you can access the target at any time and even regain that access right after the system is rebooted.

Example: To maintain access in comptia.edu.vn’s Windows environment, CertMaster’s Pentest Team compiles their own custom C++ RAT into a Windows service. They install the RAT as a system service on several machines, creating a hidden remote access channel that runs continuously, even after reboots. The RAT connects back to their C2 server, allowing them to execute commands and download additional tools as they wish.

In Windows, to run a specific program or command at startup, you can add the program to the system’s startup items or modify the appropriate Registry key.

In Linux, (depending on the distribution) /etc/init.d/ and /etc/systemd/ can provide similar run-at-startup functionality.

  • Some distributions maintain backward compatibility with RC scripts: /etc/rc.local and entries in the rc.common file.

Example: On a Linux system they’ve compromised in comptia.edu.vn, CertMaster’s Pentest Team modifies the /etc/rc.local file to execute a reverse shell at boot. In a Windows environment, they modify the Run Registry key to automatically run a malicious script every time a user logs in. These changes help ensure they’ll maintain access even if the machines are rebooted.

A scheduled task or job will initiate a process or run a script according to a predetermined schedule.

  • Scheduled tasks can be helpful throughout the PenTest campaign:
  • You can create a scheduled task that quietly runs a command transferring extracted data in the background to automate persistence while remaining undetected.
  • Using Task Scheduler you can do quite a bit, including setting the actual action of the task (e.g., running a program), which account to run the task under, and the special conditions under which the task will run.

Example: To maintain access to comptia.edu.vn’s financial data, CertMaster’s Pentest Team creates a scheduled task on the database server. This task executes every night at 2 AM, exporting the latest copy of the database, compressing it, and transferring it to the team’s C2 server via an encrypted connection, allowing for continuous monitoring and data exfiltration.

In Linux, cron jobs are the primary method for scheduling tasks.

  • The cron daemon runs the specified shell command at the specified day and/or time in the user’s crontab file.
  • You can edit this file by typing crontab -e at the shell.
  • Note that jobs you create with crontab -e will run as the current user.

Example: On a Linux web server in the comptia.edu.vn environment, CertMaster’s Pentest Team modifies the root user’s crontab file to create a job that runs every 5 minutes. This job executes a malicious PHP script, providing them with a stealthy web-based shell allowing remote command execution. The cron job ensures the shell is reloaded if it’s terminated or deleted.
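Both cron weaknesses in this lesson, the root job whose script another user can edit (Topic 16B) and the high-frequency job that keeps relaunching a shell (Topic 16C), show up in a crontab audit. The following added example (not part of the lesson) parses system-crontab lines and tags such entries; the crontab, the ownership table standing in for os.stat(), and the thresholds are constructed assumptions.

```python
"""Added example (not from the lesson): audit system-crontab entries for the
cron weaknesses the lesson describes from the attacker's side. Topic 16B: a
root job whose script another user can modify is a privilege-escalation path.
Topic 16C: a high-frequency job that relaunches a shell or interpreter,
especially from /tmp or /dev/shm, is a persistence indicator.
Crontab lines, ownership table and thresholds are constructed assumptions."""
import os
import re
import shlex

INTERPRETERS = {"sh", "bash", "python", "python3", "perl", "php"}
SHELL_HINTS = {"sh", "bash", "nc", "ncat", "curl", "wget", "python3", "perl", "php"}
FREQUENT_MINUTES = 5          # assumed: */N with N <= 5, or every minute
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed stand-in for os.stat(): path -> (owner uid, permission bits).
FILE_INFO = {
    "/opt/backup/rotate.sh": (0, 0o755),         # root-owned, not writable by others
    "/usr/local/bin/cleanup.sh": (1001, 0o755),  # owned by uid 1001 but run by root
    "/var/www/html/sync.sh": (0, 0o777),         # root-owned, world-writable
}

SAMPLE_CRONTAB = """\
# constructed /etc/crontab for the example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * root /opt/backup/rotate.sh
30 4 * * 1 root /usr/local/bin/cleanup.sh --quiet
*/5 * * * * root /bin/bash /var/www/html/sync.sh
* * * * * www-data /bin/bash /dev/shm/.s
@reboot root /tmp/.x/run.sh
"""


def parse_entry(line):
    """Return (minute_spec, user, argv) for a system crontab line, else None."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None  # blank, comment, or environment assignment
    if line.startswith("@"):                       # @reboot, @daily, ...
        parts = line.split(None, 2)
        return (parts[0], parts[1], shlex.split(parts[2])) if len(parts) == 3 else None
    parts = line.split(None, 6)                    # 5 time fields, user, command
    return (parts[0], parts[5], shlex.split(parts[6])) if len(parts) == 7 else None


def script_of(argv):
    """Path actually executed: skip a leading interpreter and its options."""
    if os.path.basename(argv[0]) in INTERPRETERS:
        for tok in argv[1:]:
            if not tok.startswith("-"):
                return tok
    return argv[0]


def is_frequent(minute_spec):
    m = re.fullmatch(r"\*/(\d+)", minute_spec)
    return minute_spec == "*" or (m is not None and int(m.group(1)) <= FREQUENT_MINUTES)


def audit_crontab(text, file_info):
    """Map script path -> list of issue tags for every entry that raises one."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        minute_spec, user, argv = entry
        script, issues = script_of(argv), []
        if user == "root" and script in file_info:
            uid, mode = file_info[script]
            if uid != 0:
                issues.append(f"owned-by-uid-{uid}")
            if mode & 0o022:
                issues.append("group-or-world-writable")
        if script.startswith(TEMP_DIRS):
            issues.append("runs-from-temp-dir")
        if is_frequent(minute_spec) and any(os.path.basename(t) in SHELL_HINTS for t in argv):
            issues.append("frequent-shell-job")
        if issues:
            findings[script] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit_crontab(SAMPLE_CRONTAB, FILE_INFO).items():
        print(f"{path}: {', '.join(issues)}")
```

On a live host, replace FILE_INFO with a lookup built from os.stat(path).st_uid and stat.S_IMODE(os.stat(path).st_mode), and feed it the contents of /etc/crontab and /etc/cron.d/*.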

When using persistence techniques, some guidelines include:

  • Try to maintain a foothold in the organization to continue your attack after the primary phase has ended.
  • Demonstrate persistence to the client without necessarily keeping compromised assets for an extended period.
  • Create a shell using Netcat to open a backdoor for command execution.
  • Use Task Scheduler in Windows to run a compromising command or program on a consistent schedule.
  • Use cron jobs in Linux to do the same.

Example: To illustrate persistence in their report, CertMaster’s Pentest Team describes a series of techniques they used in Comptia.edu.vn’s environment. These techniques include creating compromised accounts, setting up persistent callbacks using scheduled tasks and cron jobs, installing backdoor services, and even modifying firewall configurations. They also note that they cleaned up after themselves when finished, removing persistent payloads to avoid leaving the client’s environment in a compromised state.

Review Activities:

  1. Describe the concept of reverse and bind shells
  2. Discuss the benefits of using remote access daemons
  3. Compare ways to schedule tasks and jobs in Windows or Linux environments
  4. List some guidelines when using persistence techniques

Lesson Summary: In this lesson, we’ve explored crucial aspects of a successful penetration test: accessing login credentials, moving through the network, and maintaining persistence in the system. These techniques allow CertMaster’s Pentest Team to maximize the impact of an initial compromise, expand their presence in the target environment, and gather valuable intelligence.

We started by looking at methods to test user credentials. From offline password attacks using dictionaries and brute force to gathering password hashes for use in pass-the-hash attacks, there are many ways to bypass authentication. We also discussed using social engineering techniques like phishing and keylogging to obtain credentials, as well as common tools used for password cracking.

Next, we moved on to the topic of moving through the network. Skills like lateral movement, pivoting, and privilege escalation are crucial here. By exploiting trust relationships, using compromised credentials, and leveraging misconfigurations or vulnerabilities, pentesters can expand their presence in the target network. We looked at specific examples of how this works in both Windows and Linux environments.

Finally, we explored the topic of maintaining persistence. This is the stage where attackers install backdoors and leverage mechanisms to ensure long-term access to the target environment, even if initial vulnerabilities are patched. Techniques include installing rootkits, creating hidden accounts, scheduling malicious tasks, and manipulating configurations, all of which were discussed. We also looked at more advanced concepts like APTs and how to simulate them in a penetration test.

Throughout these topics, we emphasized the importance of goal-oriented thinking. Like real adversaries, pentesters must always be looking for opportunities to gain and maintain access to critical assets, whether that’s customer lists, intellectual property documents, or even control systems in production environments. The aim is to gather detailed insights into how an attack could unfold and provide clients with actionable information on how to improve their defensive deployments.

If you’re looking to solidify your pentesting skills related to these techniques, I recommend practicing the CompTIA Pentest+ Learning Path on TryHackMe and earning the completion certificate. Hands-on experience with real lab systems will help you master the tools and processes, from password cracking to lateral movement and persistence creation. The certificate will be tangible proof of your competence for potential employers.

For those seeking a more comprehensive training path for the CompTIA PenTest+ certification, consider the live courses at Comptia Vietnam (website comptia.edu.vn). With experienced instructors and modern facilities, they provide an ideal environment to develop practical pentesting skills. If you prefer more flexibility, the online courses through CertMaster Academy’s Learning Management System (website security365.vn) are a suitable option.

With the ever-increasing landscape of cyber threats, the demand for skilled pentesters has never been greater. By mastering the techniques presented in this lesson, you’ll be well-equipped to contribute to the ongoing battle to secure cyberspace. Whether conducting external penetration tests or hardening defenses from the inside, your knowledge will be invaluable in keeping organizations safe and secure in this digital age.

Article posted by: https://certmaster.me/comptia-pentest-pt0-002-lesson-16-performing-post-exploitation-pivoting-and-system-penetration/
——————————————————————————————————————–
Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – https://www.infocerts.com