Entrench

Whoami?

One of the first tasks of the attacker after penetrating a system is to figure out what account status is associated with the presence established and what permissions and privileges are available. In some cases, the attacker may be very familiar with the exploit technology being used and may know ahead of time exactly what […]

Escalate privileges

After penetration, if the established presence doesn’t have admin/root privileges, a top priority may become escalating privileges so that further action become possible. There are a variety of ways to escalate privileges through simple and allowed actions that are usually environment specific, depending on the OS, version and configuration of the target system and even […]

Add an admin user

Once admin/root privileges have been established, an attacker will often create a new account with high privilege levels in order to allow future access without needing to take extraordinary action. The advantage to this is that the password is known and the account controlled by the attacker. The disadvantage is the risk of attracting attention […]

Ensure future access

Once high privileges are established and an account for future use is established, the next need is to ensure there is a pathway for future access. Use a penetration agent/rootkit – both Core Impact and Canvas offer tools with rootkit like abilities to establish connections back out of the system. In some cases, they can […]

Exfiltrate data

There are several reasons why an attacker might want to get data back out of a system or network: Command and control communications Information collected about systems and network target data for future expansion Information that was the objective for penetration (identity theft, intellectual property) The process of getting the data out can be as […]

Password Cracking

Generally, password cracking takes place in the ENTRENCH phase of the attack, after an initial penetration has been successful and password hashes have been retrieved from the compromised system, but it can be done at any point if it will yield results and hashes are available. The attacker will probably need admin/root level access, but […]