Stealth post-exploitation with phpsploit
Uploaded by: nullbyte-security-conference
Category: Technology
Transcript of Stealth post-exploitation with phpsploit
Page 1
STEALTH POST-EXPLOITATION WITH PHPSPLOIT
Security Conference - 3rd edition
Page 2
Hello!
I am nil0x42
French security enthusiast
Freelance penetration tester
Free software developer & contributor
Page 3
SUMMARY
Answering your questions (or trying to)
Challenges of PHP post-exploitation in the real world
Stealthy hacking with PhpSploit
Page 4
POST-EXPLOITATION
From a real-world attacker’s point of view
Page 5
1. What is Post-Exploitation?
Page 6
POST EXPLOITATION: Don’t be spotted just before the POC!
DISCOVERY
- Analysis
- Footprint
- Identify
SERVICE ENUMERATION
- Ping
- Map
- Collect
APPLICATION LAYER TESTING
- Manual
- Depth
- Blind
EXPLOIT
- Penetrate
- Compromise
POST EXPLOITATION
- Persistence
- PrivEsc
- Search
- Exfiltrate
REMOTE CODE EXECUTION
Page 7
“PHP is used by 82.3% of all websites whose technology is known.”
“Usage of server-side programming languages for websites” (W3Techs.com, 2016)
“86% of websites contain at least one 'serious' vulnerability”
“2015 Website Security Statistics Report” (WhiteHat Security)
Page 8
2. How and why PhpSploit was born
Page 9
THE SIMPLE
Very basic backdoor, commonly used in CTFs
- Hideable single line
- Depends on shell exec
- Suspicious URLs
Page 10
THE CLASSIC
More sophisticated PHP backdoor file for privesc
- Performs actions via PHP
- Suspicious file
- Suspicious URLs
Page 12
VIDEO 1: Demo
Page 13
STEALTHY HACKING WITH PHPSPLOIT
Page 14
1. Think like a defender
Page 15
COMMON WAYS TO DETECT INTRUSIONS
Running processes
◦ Unexpected running process
◦ Commands being executed
◦ Prevent command execution
# man top
# man ps
Page 16
VIDEO 2: Running invisible commands
Page 17
COMMON WAYS TO DETECT INTRUSIONS
Network analysis
◦ Listening daemon
◦ Connected process
◦ Data being exfiltrated
# man netstat
# man lsof
Page 18
VIDEO 3: Data exfiltration
Page 19
COMMON WAYS TO DETECT INTRUSIONS
User activity
◦ User connected when it shouldn’t be
◦ Shell command analysis (~/.bash_history)
# man who
# man lastlog
Page 20
VIDEO 4: No user activity
Page 21
COMMON WAYS TO DETECT INTRUSIONS
Suspicious web traffic
◦ Suspicious method and URI
◦ Uncommon User-Agent
◦ Multiple requests from same IP
# tail -n 2 /var/log/apache2/access.log
10.0.0.4 - - [23/Nov/2016:16:09:20 -0500] "POST /zxclkj.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 792 "-" "curl/7.51.0"
10.0.0.4 - - [23/Nov/2016:16:09:22 -0500] "GET / HTTP/1.1" 200 891 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
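As an added example (not part of the talk or of the PhpSploit project), a small Python checker that applies the three criteria on this slide to Apache combined-format access log lines: suspicious method/URI, uncommon User-Agent, and several requests from one IP. The sample log is constructed (the slide's two lines, cleaned, plus one benign visitor); the parameter names, User-Agent prefixes and the burst threshold are illustrative assumptions, not a fixed rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Apache "combined" format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CMD_PARAMS = {"cmd", "c", "exec", "command", "run"}  # assumed web-shell parameter names
SHELL_HINTS = ("/etc/passwd", "/bin/sh", "wget ", "curl ", ";", "|", "`")
TOOL_UA = ("curl/", "wget/", "python-requests", "go-http-client", "libwww-perl")
# Constructed sample: the slide's two lines (cleaned) plus one benign visitor.
SAMPLE_LOG = """\
10.0.0.4 - - [23/Nov/2016:16:09:20 -0500] "POST /zxclkj.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 792 "-" "curl/7.51.0"
10.0.0.4 - - [23/Nov/2016:16:09:22 -0500] "GET / HTTP/1.1" 200 891 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 - - [23/Nov/2016:16:10:01 -0500] "GET /index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
"""
def uri_reasons(uri):
    """Why a request URI looks like a web shell being driven (empty if it does not)."""
    reasons = []
    _, _, query = uri.partition("?")
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        if key.lower() in CMD_PARAMS:
            reasons.append(f"command-like parameter '{key}'")
        if any(h in unquote(value) for h in SHELL_HINTS):
            reasons.append(f"shell-like value in '{key}'")
    return reasons

def analyse(log_text, burst_threshold=2):
    """Return {ip: [reasons]} for every client that trips at least one rule."""
    findings, per_ip = {}, Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real tool would report it
        rec = m.groupdict()
        per_ip[rec["ip"]] += 1
        reasons = uri_reasons(rec["uri"])
        if rec["method"] == "POST" and "?" in rec["uri"]:
            reasons.append("POST with query string")  # forms rarely do this
        if rec["ua"].lower().startswith(TOOL_UA):
            reasons.append(f"tool User-Agent '{rec['ua']}'")
        if reasons:
            findings.setdefault(rec["ip"], []).extend(reasons)
    for ip, n in per_ip.items():  # "multiple requests from same IP"; threshold is illustrative
        if n >= burst_threshold:
            findings.setdefault(ip, []).append(f"{n} requests from same IP")
    return findings
```

Run `analyse(SAMPLE_LOG)` to see only 10.0.0.4 flagged, with every rule it tripped listed; tune the thresholds and lists to the site before using it on real logs.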
Page 22
VIDEO 5: Defeating suspicious web traffic
Page 23
COMMON WAYS TO DETECT INTRUSIONS
Malicious file detection
◦ Search for suspicious functions
◦ Files altered during a given period of time
# man grep
# man stat
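As an added example (not from the talk), the grep-and-stat check on this slide written as one Python script: it walks a web root, flags PHP files that call functions a web shell typically relies on or that call a request variable as a function, and flags files modified inside a review window. The function list, the file extensions, the seven-day window and the constructed sample files written to a temporary directory are assumptions for illustration.

```python
import os
import re
import tempfile
import time
# Functions a PHP web shell usually relies on; a hit is a lead, not a verdict.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|base64_decode)\s*\("
)
# A request variable used directly as a function name, e.g. $_GET['f']($_GET['a'])
VARIABLE_CALL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")
def suspicious_lines(text):
    """Return (lineno, reason) pairs for shell-like constructs in PHP source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SUSPICIOUS_CALLS.finditer(line):
            hits.append((lineno, f"{m.group(1)}()"))
        if VARIABLE_CALL.search(line):
            hits.append((lineno, "request variable called as a function"))
    return hits

def scan_tree(root, since):
    """Map each PHP file under root to its reasons: suspicious code and/or recent mtime."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as f:  # the "grep" half of the check
                reasons = [f"line {n}: {why}" for n, why in suspicious_lines(f.read())]
            if os.stat(path).st_mtime >= since:  # the "stat" half of the check
                reasons.append("modified within the review window")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Scan a constructed web root: fresh clean file, fresh planted shell, old clean file."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files; zxclkj.php mirrors the slide's one-line backdoor
        "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n",
        "zxclkj.php": "<?php system($_GET['cmd']); ?>\n",
        "old.php": "<?php echo 'unchanged'; ?>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    # Backdate old.php by 30 days so it falls outside the 7-day review window
    os.utime(os.path.join(root, "old.php"), (time.time() - 30 * 86400,) * 2)
    return scan_tree(root, since=time.time() - 7 * 86400)
```

`demo()` reports index.php for its fresh mtime only and zxclkj.php for both the `system()` call and its mtime, while old.php stays silent; on a real web root, compare the mtime hits against the deployment log before treating them as findings.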
Page 24
VIDEO 6: Prevent malicious file detection
Page 25
2. Useful tips
Page 26
1 line of PHP - On target server
23 awesome plugins - To pwn the world
7,047 lines of Python - On attacker machine
Page 27
SOME AWESOME COMMANDS
session - Save and restore exploitation sessions
backlog - Open the last command’s output through your favorite text editor
upload - Transfer files between attacker and victim server
mysql - Reimplementation of the mysql standard client
suidroot - Maintain an obtained root access
portscan - Internal TCP port scanner
Page 28
PHPSPLOIT AS A PERSISTENT BACKDOOR?
Reliable channel
The webserver might be the only available communication channel (firewall)
Fallback access
Don’t put all your eggs in one basket. Don’t depend on a single backdoor ...
Web-based
Keep control over a website, even after it migrates to another server.
Page 29
HONEYPOT THE FORENSIC TEAM - For fun and profit
Page 30
CONCLUSION
Be paranoid - As an attacker as well as a defender
Try PhpSploit! - And hack them all
Page 31
Thanks!
ANY QUESTIONS?
PHPSPLOIT PROJECT:
● http://github.com/nil0x42/phpsploit
CONTACT ME:
● https://www.exdemia.com/