STEALTHPOST-EXPLOITATIONWITH PHPSPLOIT

Security Conference - 3rd edition

Hello!

I am nil0x42

French security enthusiast

Freelance penetration tester

Free software developer & contributor

SUMMARY

Answering your questions(or trying to)

Challenges of php post-exploitationin the real-world

Stealthy hacking with PhpSploit

POST-EXPLOITATIONFrom a real-world attacker point of view

What is Post-Exploitation ?1

POST EXPLOITATION: Don’t be spotted just before the POC !

DISCOVERY

- Analysis- Footprint- Identify

SERVICE ENUMERATION

- Ping- Map- Collect

APPLICATION LAYER TESTING

- Manual- Depth- Blind

EXPLOIT

- Penetrate - Compromise

POST EXPLOITATION

- Persistence- PrivEsc- Search- Exfiltrate

REMOTE CODE EXECUTION

PHP is used by 82.3% of all websites whose technology is known.”Usage of server-side programming languages for websites”

(W3Techs.com 2016)

86% of websites contain at least one 'serious' vulnerability“2015 Website Security Statistics Report”

(WhiteHat Security)

How, and Why PhpSploit is born ?2

THE SIMPLE

Very basic backdoor, commonly used on CTFs

- Hideable single line

- Depends on shell exec

- Suspicious URLs

THE CLASSIC

More sofisticated, php backdoor file for privesc

- Perform actions via PHP

- Suspicious File

- Suspicious URLs

VIDEO 1Demo

STEALTHY HACKING WITH PHPSPLOIT

Think like a defender1

COMMON WAYS TO DETECT INTRUSIONS

Running processes

◦ Unexpected running process

◦ Commands being executed

◦ Prevent command execution

# man top

# man ps

VIDEO 2Running invisible commands

COMMON WAYS TO DETECT INTRUSIONS

Network analysis

◦ Listening daemon

◦ Connected process

◦ Data being exflitrated

# man netstat

# man lsof

VIDEO 3Data exfiltration

COMMON WAYS TO DETECT INTRUSIONS

User activity

◦ User connected when it souldn’t

◦ Shell commands analysis

(~/.bash_history)

# man who

# man lastlog

VIDEO 4No user activity

COMMON WAYS TO DETECT INTRUSIONS

Suspicious web traffic

◦ Suspicious method and URI

◦ Uncommon User-Agent

◦ Multiple requests from same IP

# tail -n 2 /var/log/apache2/access.log

10.0.0.4 - - [23/Nov/2016:16:09:20 -0500] " POST

/zxclkj.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 792 "-" " curl/7.51.0"`

10.0.0.4 - - [23/Nov/2016:16:09:22 -0500] " GET / HTTP/1.1" 200 891 "-"

"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"`

VIDEO 5Defeating suspicious web traffic

COMMON WAYS TO DETECT INTRUSIONS

Malicious file detection

◦ Search for suspicious functions

◦ Files altered during a given

period of time

# man grep

# man stat

VIDEO 6Prevent malicious file detection

Useful tips2

1 line of PHPOn target server

23 awesome pluginsTo pwn the world

7,047 lines of PythonOn attacker machine

SOME AWESOME COMMANDS

sessionSave and restore exploitation sessions

backlogOpen the last command’s output through your favorite text editor

uploadTransfer files between attacker and victim server

mysqlReimplementation of mysql standard client

suidrootMaintain an obtained root access

portscanInternal TCP port scanner

Reliable channel

Webserver might be the only availble communication channel (firewall)

PHPSPLOIT AS A PERSISTENT BACKDOOR ?

FallBack Access

Don’t put all your eggs in one basket. Don’t depend on a single backdoor ...

Web-based

Keep control over a website, even after it migrates on another server.

HONNEYPOT THE FORENSIC TEAMFor fun and profit

CONCLUSION

Be paranoidAs an attacker as well as a defensor

Try PhpSploit !And hack them all

Thanks!

ANY QUESTIONS?PHPSPLOIT PROJECT:

● http://github.com/nil0x42/phpsploit

CONTACT ME:

● https://www.exdemia.com/