Cybersecurity for Beginners - Part 5: Command & Control

Welcome to Part five of my series on cybersecurity for beginners! In the first article in this series, I gave an overview on the different phases of attack. This article focuses on command and control.

Command & Control

The Command & Control phase describes itself very well. As we mentioned in the previous stage, now we have full control and access to the victim's machine. This usually means a shell with administrative permissions. Obviously we can now consider our attack phase complete, now we are ready to proceed on to the next phase. If a shell is available without admin rights, think of that like a first step has been taken, but the way to the final attack is still long. In fact, its like we are again at the starting point and the whole process should be done again from the reconnaissance phase, but this time from another point of view.

All the activity, this time, will take in place directly inside the machine, with a specific goal: privileges elevation (of course, if the user's permissions in the system were enough to meet your goals and achieve your objectives, then you can consider your attack concluded and you can take the next step). The privileges elevation is the exploitation of a flaw, an error or misconfiguration of a software or an operating system to gain control of resources normally off-limits to a normal user. You understand well that with more permissions than are allowed by the administrator you can perform unexpected and unauthorized actions (hypothetically).

The core of the command & control, however, is that thing which we can identify with the word "shell", it means the ability to run OS commands on the target machine. We start by splitting into two categories the various "shell" that can be achieved between two systems, which are defined by the connection type:

• Bind Shell: Software runs on the victim's computer starts listening on a specific port known by the hacker; at this point, we connect on that port from the attacking computer. The commands are requested by the attacker to the software that runs the command on the victim's machine and returns the result of the command.
• Reverse Shell: In this case, listening starts on a specific port, but on the attacking machine and then the victim machine is forced to connect to the attacker machine (literally reverse).

To summarize, in a reverse shell communication starts from the target machine vs the attacker machine that is in a state of listening to collect the shell. In a "blind shell", the target host waits for an incoming connection on a specific port that will start from the attacking machine.

You can find tools and scripts that generate this type of shell in big quantities, there are so many resources that it becomes almost impossible to know them all (consider that many developers/hackers write it by themselves and they don't share them, not for intellectual property reasons, but because they are only appropriate to specific scenarios).

Especially for the Linux world, the myriad of exploits to take control of a machine, extend from simple scripts written in different languages, to platforms or frameworks. Different the situation for Windows machine, also in this case the tools are many, but the general approach tends to use the more stable and reliable. Anyway, in this kind of scenarios, we can say that the most complete and the used tool to obtain a shell on a remote Windows system is Evil-WinRM.

Evil-WinRM

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol, a standard SOAP-based protocol that allows interaction between hardware and different suppliers' operating systems.

Evil-WinRM is a shell based on this protocol which lets you connect to any Windows machine that has this feature enabled, the only condition is that you provide a valid user of the machine that can use this service.

This tool provides huge features, I refer you to the official page on github for a detailed description. There are currently four ways to use Evil-WinRM, the one I like, which normally prefer not to install too many tools in my machine, is the use of a docker container (of course, you need to have installed docker).

Here the command to activate the docker container that will allow you to use the shell towards a specific machine:

docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i <IP Address of the victim> -u <username> -p '<password>' -s '/ps1_scripts/' -e '/exe_files/'

After starting the tool and if you can connect a shell will be available. The shell is enriched with two commands that allow you to download and upload files to and from the victim.

upload <local_filename>
upload <local_filename> <destination_filename>

download <remote_filename>
download <remote_filename> <destination_filename>

If you do not specify the path of your local machine, will be considered the path specified in the docker command as default path; in the example above the local /home/foo/data that correspond to the folder /date of the docker machine.