Understanding Privilege Escalation and Backdoor Installation in Cybersecurity

 
 
Cybersecurity (Security+) and P4 Programmable Switches
 
Escalating Privileges and Installing a Backdoor
 
Ali AlSabeh, Jorge Crichigno
University of South Carolina
http://ce.sc.edu/cyberinfra
 
Western Academy Support and Training Center (WASTC)
University of South Carolina (USC)
Energy Sciences Network (ESnet)
 
June 19th, 2023
 
Lab 3: Escalating Privileges and Installing a Backdoor
 
 
Privilege Escalation
 
Modern operating systems (OSs) give each user a specific set of access rights (privileges) to files, directories and other resources
Malware executed by a regular user cannot perform operations that require elevated privileges
Privilege escalation is the act of exploiting a vulnerability or misconfiguration in the OS or an application, or tricking the user (as in this lab), to gain access beyond what the current account allows (e.g., malware can then disable antivirus, delete system files, etc.)
Horizontal privilege escalation: a regular user gains access to another regular user's account or data
Vertical privilege escalation: a regular user gains the access of a higher-privileged user (e.g., Administrator)
 
[Figure: Alice obtaining Administrator access is vertical privilege escalation; Alice obtaining Bob's access is horizontal privilege escalation]
 
Backdoor
 
A backdoor gives the attacker persistent access to the victim's machine [1]
Backdoors allow the attacker to return to the victim's machine later and bypass its security settings (logins, access controls)
Installing a backdoor that starts with the OS, as a system service in this lab, requires modifying system files or settings, and thus requires elevated privileges
 
[1] M. Ciampa, "CompTIA Security+ Guide to Network Security Fundamentals," Cengage Learning, 2021.

[Figure: (1) the attacker sends the backdoor to the victim; (2) the backdoor connects back from the victim to the attacker's C2 server over an available (outbound) port]
 
Attack Scenario
 
The attacker compromises a website visited by a victim user and gains control over it
The victim visits the compromised website and downloads the malicious file
The downloaded file is a Remote Access Trojan (RAT) that is crafted by the attacker using the msfvenom tool [1]
The crafted payload is a "reverse TCP Meterpreter": once executed, it connects out from the victim's device to the attacker, giving the attacker a reverse shell (the victim initiates the connection, so a firewall that only restricts inbound traffic does not block it)
The attacker keeps listening for incoming connections from the RAT using the msfconsole tool [2]; the listening process (Metasploit's multi/handler) is the C2 server
Once the victim executes the malicious file (RAT), a connection is initiated to the C2 server and a session is opened with the victim's regular (non-administrator) privileges
The attacker gains elevated privileges by tricking the victim into confirming a pop-up dialog (a Windows User Account Control prompt) using the Metasploit module windows/local/ask
The attacker installs a backdoor that provides permanent access to the victim's machine using the Metasploit module windows/local/persistence_service, which registers the payload as a Windows service so that it runs again after a reboot
 
[1] Metasploit Documentation, "How to use msfvenom," [Online]. Available: https://tinyurl.com/3mskkvax
[2] Rapid7, "Metasploit Framework," [Online]. Available: https://tinyurl.com/5c8drz3b
 
Attack Scenario (figure sequence; the steps above drawn on the topology)

[Figure: the attacker / C2 server compromises the web server]
[Figure: the victim connects to the compromised web server, which sends the RAT]
[Figure: the victim executes the RAT, which connects to the C2 server]
[Figure: over the C2 connection the attacker gains elevated privileges, sends commands, etc.]
 
Lab Topology
 
The topology consists of:
Internal network containing the victim's machine
DMZ network with three servers
External network containing the attacker's machine
Border router / firewall (BR/FW) that interconnects the three networks
 
Weaponization using msfvenom

Attacker creates the malicious payload (a reverse TCP Meterpreter packaged as an executable file)
Attacker starts the C2 server (a Metasploit handler) to listen for multiple victims
Attacker sets the C2 session configuration (payload type, listening address and port)
 
Weaponization using msfvenom (continued)

Victim downloads and runs the file from the compromised website
A session is established between the C2 server and the victim. The session runs with the victim's regular user rights; no administrator privileges are obtained yet
 
Privilege Escalation

Attacker uses a Metasploit module (windows/local/ask) to ask the user for privilege escalation: the module starts a new process that triggers a User Account Control (UAC) elevation prompt on the victim's screen
Victim accepts the pop-up, thinking it is a legitimate application
Attacker obtains a new session with administrator-level privileges on the victim's machine (the Windows equivalent of root)
 
Installing a Backdoor

Attacker uses a Metasploit module (windows/local/persistence_service) from the elevated session to install the payload as a Windows service, gaining a permanent session with the victim
Victim reboots the machine, trying to kill the established session with the C2 server
Attacker regains access after the victim's machine is rebooted: the service starts the payload again and it reconnects to the C2 handler, which must still be listening. A defender can spot this step in the Windows System event log, where installing a new service records event ID 7045