WEBVTT

1
00:00:00.210 --> 00:00:01.950
In this lesson, we will learn

2
00:00:01.950 --> 00:00:05.670
about Initial Access and Escalation Methods.

3
00:00:05.670 --> 00:00:09.840
Initial access and escalation methods are the techniques

4
00:00:09.840 --> 00:00:13.980
attackers use to first gain entry into a system,

5
00:00:13.980 --> 00:00:16.020
and then elevate their privileges

6
00:00:16.020 --> 00:00:18.630
to gain broader network control.

7
00:00:18.630 --> 00:00:22.170
Initial access and escalation methods include

8
00:00:22.170 --> 00:00:25.500
threat actor tactics, techniques, and procedures,

9
00:00:25.500 --> 00:00:28.350
such as injections, credential dumping,

10
00:00:28.350 --> 00:00:30.420
and privilege escalation.

11
00:00:30.420 --> 00:00:33.240
Injections such as SQL injection

12
00:00:33.240 --> 00:00:37.500
or command injection are common methods attackers use

13
00:00:37.500 --> 00:00:40.860
to insert malicious code into a system

14
00:00:40.860 --> 00:00:43.200
to gain initial access.

15
00:00:43.200 --> 00:00:46.470
Next, credential dumping involves extracting

16
00:00:46.470 --> 00:00:50.790
stored usernames and passwords from compromised systems.

17
00:00:50.790 --> 00:00:54.120
Finally, privilege escalation is the process

18
00:00:54.120 --> 00:00:57.960
by which an attacker, having gained initial access,

19
00:00:57.960 --> 00:01:01.440
exploits vulnerabilities or misconfigurations

20
00:01:01.440 --> 00:01:04.080
to increase their access rights.

21
00:01:04.080 --> 00:01:06.390
Let's learn more about injections,

22
00:01:06.390 --> 00:01:09.660
credential dumping, and privilege escalation,

23
00:01:09.660 --> 00:01:14.040
then we will conduct a demonstration of credential dumping.

24
00:01:14.040 --> 00:01:16.470
First, we have injections.

25
00:01:16.470 --> 00:01:18.120
Injections are techniques

26
00:01:18.120 --> 00:01:22.050
where attackers insert malicious code into a system

27
00:01:22.050 --> 00:01:26.400
to gain access or execute unauthorized actions.

28
00:01:26.400 --> 00:01:30.600
Common forms of injection include structured query language,

29
00:01:30.600 --> 00:01:34.830
or SQL injection, and command injection.

30
00:01:34.830 --> 00:01:38.310
SQL injection occurs when an attacker inserts

31
00:01:38.310 --> 00:01:42.900
harmful SQL code into a user input field,

32
00:01:42.900 --> 00:01:46.230
allowing them to interact with the backend database

33
00:01:46.230 --> 00:01:51.230
in unintended ways, such as viewing unauthorized data

34
00:01:51.570 --> 00:01:54.900
or even modifying database contents.

35
00:01:54.900 --> 00:01:57.147
Command injection is another technique

36
00:01:57.147 --> 00:02:00.540
where attackers insert harmful commands

37
00:02:00.540 --> 00:02:05.070
into a vulnerable application to execute arbitrary code

38
00:02:05.070 --> 00:02:09.300
on the server, leading to unauthorized access.

39
00:02:09.300 --> 00:02:13.380
In SQL, sometimes called SQL injection attacks,

40
00:02:13.380 --> 00:02:17.640
attackers use tools like sqlmap, which automate the process

41
00:02:17.640 --> 00:02:22.640
of injecting SQL or SQL code into vulnerable fields

42
00:02:23.010 --> 00:02:26.820
to explore and manipulate backend databases.

43
00:02:26.820 --> 00:02:30.540
sqlmap further enables attackers to identify

44
00:02:30.540 --> 00:02:33.810
and exploit SQL injection flaws,

45
00:02:33.810 --> 00:02:37.380
retrieving sensitive data, modifying records,

46
00:02:37.380 --> 00:02:39.540
or even deleting databases

47
00:02:39.540 --> 00:02:42.480
if proper permissions are available.

48
00:02:42.480 --> 00:02:45.750
So preventing injection attacks involves

49
00:02:45.750 --> 00:02:49.500
securing input fields through parameterized queries

50
00:02:49.500 --> 00:02:53.850
and validating user inputs through input validation,

51
00:02:53.850 --> 00:02:57.840
ensuring no executable code can pass through.

52
00:02:57.840 --> 00:03:00.690
These processes limit the possibility

53
00:03:00.690 --> 00:03:05.690
of malicious code being executed through injection paths.

54
00:03:05.700 --> 00:03:08.640
Additionally, web application firewalls,

55
00:03:08.640 --> 00:03:12.240
or WAFs, can also be used to identify

56
00:03:12.240 --> 00:03:14.850
and block injection attempts.

57
00:03:14.850 --> 00:03:19.590
Finally, regularly testing applications for vulnerabilities

58
00:03:19.590 --> 00:03:22.770
and ensuring that database systems are configured

59
00:03:22.770 --> 00:03:26.820
with the principle of least privilege can reduce the impact

60
00:03:26.820 --> 00:03:29.610
of injection-based exploits.

61
00:03:29.610 --> 00:03:32.100
Second, we have credential dumping.

62
00:03:32.100 --> 00:03:35.730
Credential dumping is the extraction of stored usernames

63
00:03:35.730 --> 00:03:38.880
and passwords from compromised systems.

64
00:03:38.880 --> 00:03:41.940
Attackers use credential dumping techniques

65
00:03:41.940 --> 00:03:44.910
to acquire legitimate user credentials,

66
00:03:44.910 --> 00:03:48.060
allowing them to bypass security measures

67
00:03:48.060 --> 00:03:51.000
by impersonating legitimate users.

68
00:03:51.000 --> 00:03:54.480
Once credentials are stolen, attackers can use them

69
00:03:54.480 --> 00:03:58.320
for further network penetration or lateral movement,

70
00:03:58.320 --> 00:04:02.250
making it a powerful tool for sustained access.

71
00:04:02.250 --> 00:04:03.510
A well-known tool

72
00:04:03.510 --> 00:04:06.870
that enables credential dumping is Mimikatz.

73
00:04:06.870 --> 00:04:11.312
Mimikatz allows attackers to extract plaintext passwords,

74
00:04:11.312 --> 00:04:15.270
hashes, and Kerberos tickets from memory,

75
00:04:15.270 --> 00:04:19.320
enabling them to gain access to high-value accounts

76
00:04:19.320 --> 00:04:22.200
within a Windows-based organization.

77
00:04:22.200 --> 00:04:25.860
Once the credentials are acquired, attackers can use them

78
00:04:25.860 --> 00:04:28.470
to move laterally within the network,

79
00:04:28.470 --> 00:04:32.700
access critical assets, and even escalate their privileges

80
00:04:32.700 --> 00:04:35.910
by finding administrator-level accounts.

81
00:04:35.910 --> 00:04:38.790
So to prevent credential dumping,

82
00:04:38.790 --> 00:04:43.050
organizations should consider disabling outdated protocols

83
00:04:43.050 --> 00:04:45.570
like LM, or the LAN Manager,

84
00:04:45.570 --> 00:04:49.170
and NTLM, or NT LAN Manager,

85
00:04:49.170 --> 00:04:52.350
in favor of stronger encryption methods.

86
00:04:52.350 --> 00:04:54.180
Additionally, implementing

87
00:04:54.180 --> 00:04:58.470
multi-factor authentication can also reduce risk,

88
00:04:58.470 --> 00:05:02.280
as attackers will need more than just the stolen credentials

89
00:05:02.280 --> 00:05:04.710
to gain full network access.

90
00:05:04.710 --> 00:05:08.233
Finally, limiting the ability to read from memory

91
00:05:08.233 --> 00:05:12.060
by disabling unnecessary administrator rights

92
00:05:12.060 --> 00:05:16.740
and using secure, updated password policies can also help

93
00:05:16.740 --> 00:05:19.590
mitigate credential dumping risks.

94
00:05:19.590 --> 00:05:23.435
Third and last, we have privilege escalation.

95
00:05:23.435 --> 00:05:26.340
Privilege escalation is the process

96
00:05:26.340 --> 00:05:28.590
of exploiting vulnerabilities

97
00:05:28.590 --> 00:05:32.460
to increase access rights on a compromised system.

98
00:05:32.460 --> 00:05:35.520
This is a critical step for attackers,

99
00:05:35.520 --> 00:05:39.630
as it allows them to perform unauthorized actions

100
00:05:39.630 --> 00:05:41.287
that require higher privileges

101
00:05:41.287 --> 00:05:45.090
than their initial access level permitted.

102
00:05:45.090 --> 00:05:48.090
Privilege escalation can be vertical,

103
00:05:48.090 --> 00:05:52.050
where attackers gain administrator or root level access,

104
00:05:52.050 --> 00:05:56.010
or horizontal, where they gain access to accounts

105
00:05:56.010 --> 00:05:59.820
with different resources and similar levels of access

106
00:05:59.820 --> 00:06:02.970
to further their control over the network.

107
00:06:02.970 --> 00:06:07.470
One example of privilege escalation utilizes Metasploit,

108
00:06:07.470 --> 00:06:10.260
an open-source platform that attackers use

109
00:06:10.260 --> 00:06:12.810
to exploit known vulnerabilities.

110
00:06:12.810 --> 00:06:15.930
With Metasploit, attackers can search for

111
00:06:15.930 --> 00:06:18.930
and exploit privilege escalation flaws

112
00:06:18.930 --> 00:06:22.560
in the operating system, such as outdated software

113
00:06:22.560 --> 00:06:24.900
or misconfigured permissions.

114
00:06:24.900 --> 00:06:28.975
This often leads to attackers obtaining full control

115
00:06:28.975 --> 00:06:32.820
over the compromised system, enabling actions

116
00:06:32.820 --> 00:06:36.630
like data exfiltration, system reconfiguration,

117
00:06:36.630 --> 00:06:38.370
or malware deployment.

118
00:06:38.370 --> 00:06:42.750
So preventing privilege escalation attacks involves keeping

119
00:06:42.750 --> 00:06:47.370
systems and applications up-to-date with the latest patches

120
00:06:47.370 --> 00:06:50.550
and to address known vulnerabilities.

121
00:06:50.550 --> 00:06:54.060
Next, organizations should employ the principle

122
00:06:54.060 --> 00:06:57.480
of least privilege, granting users and services

123
00:06:57.480 --> 00:07:01.950
only the minimum access rights needed for their roles.

124
00:07:01.950 --> 00:07:05.925
And finally, monitoring systems for unusual behavior

125
00:07:05.925 --> 00:07:09.540
such as attempts to access sensitive files

126
00:07:09.540 --> 00:07:13.206
or execute commands with elevated privileges can help

127
00:07:13.206 --> 00:07:18.090
in detecting privilege escalation attempts early on.

128
00:07:18.090 --> 00:07:21.930
Now let's conduct a demonstration of credential dumping

129
00:07:21.930 --> 00:07:23.760
and password cracking.

130
00:07:23.760 --> 00:07:27.750
In this demonstration, I have a Kali Linux machine running

131
00:07:27.750 --> 00:07:29.368
on the same virtual network

132
00:07:29.368 --> 00:07:33.990
as an intentionally vulnerable Metasploitable 2 machine.

133
00:07:33.990 --> 00:07:36.300
In order to start my exploration,

134
00:07:36.300 --> 00:07:39.185
I'll first run an Nmap service version scan

135
00:07:39.185 --> 00:07:42.060
to determine which ports are open

136
00:07:42.060 --> 00:07:44.463
on the Metasploitable 2 machine.

137
00:07:46.890 --> 00:07:48.030
There we go.

138
00:07:48.030 --> 00:07:50.550
Now, looking at this, I happen to know

139
00:07:50.550 --> 00:07:55.550
that VSFTPD version 2.3.4 is vulnerable to attack,

140
00:07:57.300 --> 00:08:01.260
and that there is a Metasploit exploit already written

141
00:08:01.260 --> 00:08:03.390
to attack this vulnerability,

142
00:08:03.390 --> 00:08:05.460
so that's what we're going to use.

143
00:08:05.460 --> 00:08:09.540
I'll open up Metasploit on this Kali Linux machine

144
00:08:09.540 --> 00:08:11.763
and load up the correct module.

145
00:08:15.030 --> 00:08:18.843
We'll open up Metasploit with the msfconsole command.

146
00:08:25.620 --> 00:08:29.553
Next, I'm going to search for ftpd 2.3.4,

147
00:08:33.990 --> 00:08:34.830
and there it is.

148
00:08:34.830 --> 00:08:37.050
That's the exploit that I'd like to use,

149
00:08:37.050 --> 00:08:42.050
exploit/unix/ftp/vsftpd_234_backdoor.

150
00:08:47.700 --> 00:08:51.660
I could write out use and then that entire string,

151
00:08:51.660 --> 00:08:56.660
exploit/unix/ftp/vsftpd_234_backdoor,

152
00:08:57.180 --> 00:08:59.760
or I can look just to the left of that line

153
00:08:59.760 --> 00:09:02.640
and see that it's been given a number, zero,

154
00:09:02.640 --> 00:09:05.373
so I'm just going to say use zero.

155
00:09:06.300 --> 00:09:07.653
Now it's loaded up.

156
00:09:08.490 --> 00:09:11.400
Next, I will configure the IP address

157
00:09:11.400 --> 00:09:16.400
of the vulnerable machine as my RHOST, or my remote host.

158
00:09:17.160 --> 00:09:22.160
I'll do this by setting RHOSTS to 192.168.56.105.

159
00:09:28.050 --> 00:09:29.790
Our host is set.

160
00:09:29.790 --> 00:09:33.393
Now all I need to do is run the exploit.

161
00:09:38.100 --> 00:09:39.690
I've got a shell.

162
00:09:39.690 --> 00:09:42.093
It looks like it'll be a root level shell,

163
00:09:44.040 --> 00:09:46.980
and I've got a shell opened in session one.

164
00:09:46.980 --> 00:09:50.160
So this exploit has gotten me a root shell,

165
00:09:50.160 --> 00:09:53.760
but to make things a little easier, I'm going to upgrade

166
00:09:53.760 --> 00:09:56.880
to a Meterpreter shell, which is an attacker shell

167
00:09:56.880 --> 00:09:59.490
with prebuilt malicious functions.

168
00:09:59.490 --> 00:10:02.250
To do this, I need to put my current shell

169
00:10:02.250 --> 00:10:03.540
in the background.

170
00:10:03.540 --> 00:10:05.913
I'll do that with Control Z,

171
00:10:06.780 --> 00:10:09.390
and then answer yes to the question.

172
00:10:09.390 --> 00:10:11.310
Now I'm back at a command line,

173
00:10:11.310 --> 00:10:14.850
and my shell is running in the background.

174
00:10:14.850 --> 00:10:19.830
Now I just need to upgrade my session, which is session one.

175
00:10:19.830 --> 00:10:24.830
I'll do this with the sessions upgrade session one command.

176
00:10:28.530 --> 00:10:31.203
It is attempting to upgrade my session,

177
00:10:36.450 --> 00:10:40.470
and a Meterpreter under session two is open.

178
00:10:40.470 --> 00:10:42.900
I can take a look at my sessions

179
00:10:42.900 --> 00:10:47.550
with the sessions list command, or sessions -l,

180
00:10:47.550 --> 00:10:50.970
and I can see that I do have a Meterpreter shell

181
00:10:50.970 --> 00:10:53.130
under session ID two.

182
00:10:53.130 --> 00:10:55.530
Now I need to interact with it,

183
00:10:55.530 --> 00:11:00.530
so I'll say sessions -i for interact with session two.

184
00:11:01.500 --> 00:11:04.950
There you go, now I have a Meterpreter shell.

185
00:11:04.950 --> 00:11:07.080
Now that I have a Meterpreter shell,

186
00:11:07.080 --> 00:11:12.080
I'm going to download the passwd and shadow files

187
00:11:12.150 --> 00:11:16.979
from the Metasploitable 2 machine to my local machine.

188
00:11:16.979 --> 00:11:20.343
This is done with two commands,

189
00:11:22.200 --> 00:11:27.200
download /etc/passwd,

190
00:11:33.000 --> 00:11:36.723
and download /etc/shadow.

191
00:11:39.600 --> 00:11:41.370
Both files are now downloaded

192
00:11:41.370 --> 00:11:45.150
and they're in my home Kali folder,

193
00:11:45.150 --> 00:11:47.740
so now I'm going to go to another shell

194
00:11:51.240 --> 00:11:53.340
and look for those files.

195
00:11:53.340 --> 00:11:55.080
There they are, they've been downloaded,

196
00:11:55.080 --> 00:11:58.443
the passwd and the shadow file.

197
00:11:59.580 --> 00:12:01.620
In order to do password cracking,

198
00:12:01.620 --> 00:12:05.280
I need to combine these two files into one,

199
00:12:05.280 --> 00:12:08.193
so I'll use a command called unshadow,

200
00:12:09.177 --> 00:12:13.830
unshadow the passwd and the shadow file

201
00:12:13.830 --> 00:12:16.743
into a new file called unshadowed.

202
00:12:18.420 --> 00:12:21.990
That created a directory, which is /home/kali,

203
00:12:21.990 --> 00:12:24.630
and then a hidden directory, .john.

204
00:12:24.630 --> 00:12:27.810
That's because the unshadow command is associated

205
00:12:27.810 --> 00:12:30.120
with John the Ripper, which is the tool

206
00:12:30.120 --> 00:12:33.570
that I will next use to crack these hashes.

207
00:12:33.570 --> 00:12:37.550
Now all I need to write is john and unshadowed.

208
00:12:39.600 --> 00:12:43.020
There you go, John has cracked some usernames

209
00:12:43.020 --> 00:12:47.520
and passwords from the Metasploitable 2 machine.

210
00:12:47.520 --> 00:12:49.800
Specifically, it looks like there were

211
00:12:49.800 --> 00:12:51.720
six different passwords

212
00:12:51.720 --> 00:12:53.970
that were cracked by John the Ripper.

213
00:12:53.970 --> 00:12:58.320
So remember, attackers use initial access

214
00:12:58.320 --> 00:13:02.160
and escalation methods to first enter a system,

215
00:13:02.160 --> 00:13:03.959
and then increase their control

216
00:13:03.959 --> 00:13:06.660
by gaining higher privileges.

217
00:13:06.660 --> 00:13:10.770
They often achieve entry by injecting harmful code

218
00:13:10.770 --> 00:13:12.600
or stealing credentials,

219
00:13:12.600 --> 00:13:16.770
both of which grant them access without raising alarms.

220
00:13:16.770 --> 00:13:20.580
Techniques like SQL injection allow attackers

221
00:13:20.580 --> 00:13:22.770
to manipulate databases,

222
00:13:22.770 --> 00:13:26.490
where credential dumping lets them extract stored usernames

223
00:13:26.490 --> 00:13:30.330
and passwords to bypass security measures.

224
00:13:30.330 --> 00:13:32.340
Once inside the network,

225
00:13:32.340 --> 00:13:34.513
attackers may use privilege escalation

226
00:13:34.513 --> 00:13:39.180
to exploit vulnerabilities and gain broader access,

227
00:13:39.180 --> 00:13:41.310
even administrative rights,

228
00:13:41.310 --> 00:13:45.330
enhancing their ability and control of the network.

229
00:13:45.330 --> 00:13:48.960
In the end, organizations can mitigate these risks

230
00:13:48.960 --> 00:13:53.580
by securing inputs, using multi-factor authentication,

231
00:13:53.580 --> 00:13:58.113
and keeping systems up-to-date to reduce vulnerabilities.

