stealth post-exploitation with phpsploit
TRANSCRIPT
STEALTH POST-EXPLOITATION WITH PHPSPLOIT
Security Conference - 3rd edition
Hello!
I am nil0x42
French security enthusiast
Freelance penetration tester
Free software developer & contributor
SUMMARY
Answering your questions (or trying to)
Challenges of PHP post-exploitation in the real world
Stealthy hacking with PhpSploit
POST-EXPLOITATION: From a real-world attacker's point of view
1. What is Post-Exploitation?
POST EXPLOITATION: Don't be spotted just before the PoC!
DISCOVERY
- Analysis
- Footprint
- Identify
SERVICE ENUMERATION
- Ping
- Map
- Collect
APPLICATION LAYER TESTING
- Manual
- Depth
- Blind
EXPLOIT
- Penetrate
- Compromise
POST EXPLOITATION
- Persistence
- PrivEsc
- Search
- Exfiltrate
REMOTE CODE EXECUTION
"PHP is used by 82.3% of all websites whose technology is known." ("Usage of server-side programming languages for websites", W3Techs.com, 2016)
"86% of websites contain at least one 'serious' vulnerability." ("2015 Website Security Statistics Report", WhiteHat Security)
2. How and why was PhpSploit born?
THE SIMPLE
Very basic backdoor, commonly used on CTFs
- Hideable single line
- Depends on shell exec
- Suspicious URLs
THE CLASSIC
More sophisticated: a PHP backdoor file used for privesc
- Perform actions via PHP
- Suspicious File
- Suspicious URLs
VIDEO 1: Demo
STEALTHY HACKING WITH PHPSPLOIT
1. Think like a defender
COMMON WAYS TO DETECT INTRUSIONS
Running processes
◦ Unexpected running process
◦ Commands being executed
◦ Prevent command execution
# man top
# man ps
VIDEO 2: Running invisible commands
COMMON WAYS TO DETECT INTRUSIONS
Network analysis
◦ Listening daemon
◦ Connected process
◦ Data being exfiltrated
# man netstat
# man lsof
VIDEO 3: Data exfiltration
COMMON WAYS TO DETECT INTRUSIONS
User activity
◦ User connected when they shouldn't be
◦ Shell commands analysis
(~/.bash_history)
# man who
# man lastlog
VIDEO 4: No user activity
COMMON WAYS TO DETECT INTRUSIONS
Suspicious web traffic
◦ Suspicious method and URI
◦ Uncommon User-Agent
◦ Multiple requests from same IP
# tail -n 2 /var/log/apache2/access.log
10.0.0.4 - - [23/Nov/2016:16:09:20 -0500] "POST /zxclkj.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 792 "-" "curl/7.51.0"
10.0.0.4 - - [23/Nov/2016:16:09:22 -0500] "GET / HTTP/1.1" 200 891 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
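The three indicators on this slide (suspicious method and URI, uncommon User-Agent, many requests from one IP) can be checked mechanically over the access log. The script below is an added example for this transcript, not part of the talk or of the PhpSploit project; it parses Apache combined-format lines and applies assumed heuristics (the command-like parameter names, the tool User-Agent prefixes and the per-IP threshold are the author's own choices) to a constructed sample modelled on the two entries above.

```python
import re
from collections import Counter

# Apache "combined" log format, which is what the slide's two lines use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: the slide's two entries plus one ordinary browser request.
SAMPLE_LOG = """\
10.0.0.4 - - [23/Nov/2016:16:09:20 -0500] "POST /zxclkj.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 792 "-" "curl/7.51.0"
10.0.0.4 - - [23/Nov/2016:16:09:22 -0500] "GET / HTTP/1.1" 200 891 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 - - [23/Nov/2016:16:10:01 -0500] "GET /index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
"""

# Assumed heuristics for the slide's three indicators; tune them to your own site.
CMD_PARAM = re.compile(r'[?&](cmd|exec|command|system)=', re.I)
TOOL_UA_PREFIXES = ('curl/', 'wget/', 'python-requests', 'libwww-perl')

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, max_requests_per_ip=1):
    """Return (lineno, ip, reason) findings; per-IP volume findings carry lineno=None."""
    findings, per_ip = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        if e is None:
            findings.append((lineno, None, 'unparseable line'))
            continue
        per_ip[e['ip']] += 1
        # Indicator 1: suspicious method + URI (a request carrying a command-like parameter).
        if CMD_PARAM.search(e['uri']):
            findings.append((lineno, e['ip'], e['method'] + ' with command-like query parameter'))
        # Indicator 2: User-Agent of a scripting tool rather than a browser.
        if e['ua'].startswith(TOOL_UA_PREFIXES):
            findings.append((lineno, e['ip'], 'tool User-Agent: ' + e['ua']))
    # Indicator 3: request volume from a single IP above the allowed threshold.
    for ip, n in per_ip.items():
        if n > max_requests_per_ip:
            findings.append((None, ip, f'{n} requests from one IP (limit {max_requests_per_ip})'))
    return findings

if __name__ == '__main__':
    for lineno, ip, reason in analyse(SAMPLE_LOG):
        print(f'line {lineno}: {ip}: {reason}')
```

The next video shows how PhpSploit avoids exactly these heuristics, which is why a defender should not rely on any one of them alone.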
VIDEO 5: Defeating suspicious web traffic
COMMON WAYS TO DETECT INTRUSIONS
Malicious file detection
◦ Search for suspicious functions
◦ Files altered during a given period of time
# man grep
# man stat
VIDEO 6: Preventing malicious file detection
2. Useful tips
1 line of PHP on the target server
23 awesome plugins to pwn the world
7,047 lines of Python on the attacker machine
SOME AWESOME COMMANDS
session: Save and restore exploitation sessions
backlog: Open the last command's output in your favorite text editor
upload: Transfer files between attacker and victim server
mysql: Reimplementation of the standard mysql client
suidroot: Maintain an obtained root access
portscan: Internal TCP port scanner
Reliable channel
The web server might be the only available communication channel (firewall)
PHPSPLOIT AS A PERSISTENT BACKDOOR ?
FallBack Access
Don’t put all your eggs in one basket. Don’t depend on a single backdoor ...
Web-based
Keep control over a website, even after it migrates to another server.
HONEYPOT THE FORENSIC TEAM: For fun and profit
CONCLUSION
Be paranoid: as an attacker as well as a defender
Try PhpSploit! And hack them all
Thanks!
ANY QUESTIONS?
PHPSPLOIT PROJECT:
● http://github.com/nil0x42/phpsploit
CONTACT ME:
● https://www.exdemia.com/