A recap on what we’ve done and where we are

The 5 primary steps in a successful penetration test

What we’ve done

  1. Reconnaissance

  2. Port Scanning

Where we are

  1. Vulnerability Scanning/Analysis
    1. Automated Scanning and Analysis
    2. Manual Scanning and Analysis

What we have left

  1. Exploitation
  2. Traffic Analysis
  3. FW/IDS/IPS Evasion
  4. Post-Exploitation/Lateral Movement
  5. Report Writing

Introduction to Vulnerability Scanning with Kali & Metasploit

Read Chapter 6 (link in BB) for an overview on vulnerability scanning/analysis and different techniques and tools.

Read Chapter 8 (link in BB) for an overview on the vulnerability you’ll exploit against Windows XP.

Review of Metasploit Framework and MSFConsole

The Metasploit Framework (MSF) is a security project that is a wealth of information regarding security vulnerabilities and exploits. It is a collection of exploits, network reconnaissance tools, web vulnerability plugins, and much more that you can utilize during a penetration test.

One of the most popular Metasploit Framework interfaces is the MSFconsole. The MSFconsole provides an “all-in-one” centralized console which allows you to efficiently and effortlessly take advantage of the Metasploit Framework. One of the most powerful features of the MSFconsole is its ability to rapidly configure and exploit a vulnerability against a target machine by delivering a payload. After identifying a vulnerability on a system, MSFconsole can be used to find the exploit information through its vast database of vulnerabilities, and deliver a payload which will then exploit the vulnerability and allow access to a system. MSFconsole is renowned for its simplicity when it comes to configuring payload parameters such as the target system IP address.

When exploiting a target with MSFconsole, Metasploit offers several types of payloads that it can drop on a system including:

  • Command Shell: Enables users to run collection scripts or run arbitrary commands against the host.
  • Meterpreter: A flexible, feature-rich payload that runs in memory on the target.
  • Dynamic payloads: Enables users to evade anti-virus defenses by generating unique payloads.
  • Encoder: A program which encodes our payloads to avoid antivirus detection.

Term            Definition
Vulnerability   A weakness or flaw in a system or piece of software.
Exploit         The method of taking advantage of the vulnerability.
Payload         The actual code that exploits the vulnerability.

To bring it together: A penetration tester uses a particular **payload** that **exploits** a **vulnerability**.

Any other ways to say this?

Your ability to understand the difference and differentiate between the above terms will be extremely helpful moving forward.


Introduction to network vulnerability scanning tools

  • Though there are many vulnerability scanning tools, we will focus on a select few, chosen primarily for their cost (free, or at least a free trial), popularity, and robustness/features.

In this section, we will focus on network scanning tools, omitting web application scanners until we get to that section in the course. For a list of web scanning tools, check out OWASP’s list here - https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Nessus

A very popular vulnerability scanning tool.

From their site - “Nessus is the most trusted vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email. Nessus supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure.”

We will be using Nessus to scan target machines.

Link - https://www.tenable.com/downloads/nessus

OpenVAS

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

A high-level overview of the architecture.

Download the OpenVAS ISO and follow installation instructions here - http://www.openvas.org/vm.html

insightVM (previously Nexpose)

Simply fill out the info and get a free trial - https://www.rapid7.com/products/insightvm/download/


Exploiting Windows XP using Metasploit Framework

Using Metasploit to exploit a vulnerability and gain access.


Proposed Scenario:

We know from our reconnaissance that there are several different operating systems and services running on a target network. When first looking for a vulnerability to exploit, it is important to take note of the version a specific service or OS is running. A good starting point is looking for out-of-date software or systems. This is because out-of-date software usually lacks the vulnerability fixes (called patches) that software updates provide. If software is out-of-date, there is a good chance a vulnerability for it exists and your target is vulnerable.

Looking back at our trusty reconnaissance information, we can see a Windows XP system exists on the network. This is great for us because we know Microsoft ended support for its popular Windows XP operating system on April 8th, 2014. Even though Microsoft pleaded with the tech community to upgrade, many did not heed the warning. Using this information, we can reason the Windows XP system is vulnerable as it lacks the critical vulnerability patches Microsoft no longer provides.
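The reasoning above (out-of-date software is probably missing patches, and Windows XP has been unsupported since April 8th, 2014) can be turned into a triage check over the reconnaissance inventory. The Python script below is an added example, not part of the course notes or of Metasploit. It assumes a constructed inventory format of one `<ip>  <OS banner>` line per host; the only end-of-support date taken from the notes is Windows XP's, and the Windows Server 2003 and Windows 7 entries are Microsoft's published dates, included so the ranking has more than one hit.

```python
"""Flag end-of-support operating systems in a reconnaissance inventory.

Added example for these course notes (not part of the notes or of any tool).
Assumed input: one line per host, "<ip>  <OS banner>", as a fingerprinting
tool might report it. The inventory below is constructed for the example.
"""
import re
from datetime import date

# Vendor end-of-support dates. Windows XP's (April 8th, 2014) is the date
# cited in the notes; the other two are Microsoft's published dates.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
}

# Constructed recon output; the XP host is the lab target from the notes.
RECON_INVENTORY = """\
192.168.5.129  Microsoft Windows XP SP3
192.168.5.130  Microsoft Windows Server 2003 R2
192.168.5.140  Microsoft Windows 7 Professional
192.168.5.150  Linux 4.15 (Ubuntu 18.04)
"""


def parse_inventory(text):
    """Return [(ip, banner), ...], skipping blank and '#' comment lines."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, banner = line.partition(" ")
        hosts.append((ip, banner.strip()))
    return hosts


def support_status(banner):
    """Match the banner against the EOL table; None if no product matches.

    Word boundaries keep "windows 7" from matching "Windows 70"-style strings,
    and longer product names are tried first so "windows server 2003" wins.
    """
    lowered = banner.lower()
    for product in sorted(END_OF_SUPPORT, key=len, reverse=True):
        if re.search(r"\b" + re.escape(product) + r"\b", lowered):
            return product, END_OF_SUPPORT[product]
    return None


def flag_unsupported(text, today_iso):
    """List hosts whose OS is past vendor support on the given ISO date,
    worst (longest unsupported) first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for ip, banner in parse_inventory(text):
        status = support_status(banner)
        if status is None:
            continue
        product, eol = status
        if eol <= today:
            findings.append({
                "ip": ip,
                "product": product,
                "eol": eol.isoformat(),
                "days_past_eol": (today - eol).days,
            })
    findings.sort(key=lambda f: f["days_past_eol"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in flag_unsupported(RECON_INVENTORY, "2019-03-01"):
        print(f"{f['ip']:<16} {f['product']:<22} EOL {f['eol']} "
              f"({f['days_past_eol']} days ago)")
```

Run against a date in early 2019, the XP host and the Server 2003 host are reported (XP first, since it has been unsupported longest) while the Windows 7 host is not yet flagged; the same script re-run after January 2020 picks up Windows 7 as well, which is the point of keeping the table separate from the logic.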

Launch msfconsole and move to the next section

Once our MSFconsole is loaded, let’s search for exploits pertaining to Windows XP that we can use to gain access to our target system.

At first glance, the results returned can be overwhelming. We have tons of resources to help us find the most suitable exploit for the job.

In this case, one of our returned exploits is “MS08-067 Microsoft Server Service Relative Path Stack Corruption”. Windows XP is vulnerable to this exploit; it not only has a perfect score of 10/10 on CVE Details, but Metasploit also ranks it as “great”. Great for us, bad for our victim.

Now that we have identified a possible exploit to use, let’s load the exploit into our MSFconsole and configure it to target and exploit the vulnerability on our victim’s machine.

After loading our exploit, we can use the show options command to list the configurable parameters for this specific exploit:

  • RHOST: The remote target address (in our case, the Windows XP machine located at 192.168.5.129).
  • RPORT: The remote port that the SMB service runs on. In this case, Metasploit automatically configured it for us to use the default SMB port, port 445.
  • SMBPIPE: The named pipe to use. Again, Metasploit came in handy and pre-configured this for us.
  • Exploit target: This setting tells Metasploit specifically what OS version our target is running. In this case, Metasploit is able to automatically identify and exploit the correct target OS.
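The options above also tell a defender what this exploit needs: an SMB service reachable on TCP 445. One network-side check for the pattern in this lab (an inbound SMB session immediately followed by the SMB host opening a connection back to the same peer) can be written over flow logs. The Python below is an added example, not from the course notes or from Metasploit; the flow-log format, the 60-second window, the sample addresses (reusing the lab’s 192.168.5.129) and the callback port 4444 are all constructed assumptions.

```python
"""Spot an SMB session that is immediately followed by a connection back.

Added example for these course notes (not part of the notes or of Metasploit).
Assumed flow-log format (constructed for the example):
    <YYYY-MM-DD> <HH:MM:SS> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
Heuristic: a host accepts an inbound SMB (TCP 445) session and, within a short
window, opens a new connection to the same peer. A file-share server rarely
initiates connections back to its clients, so the pair is worth reviewing.
The 60-second window, the addresses and the callback port are assumptions.
"""
import re
from datetime import datetime

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)
SMB_PORT = 445
CALLBACK_WINDOW_SECONDS = 60

# Constructed flow log. 192.168.5.129 is the lab's Windows XP host; a peer
# talks to its SMB service, and two seconds later the XP host connects back.
# The later exchange with 192.168.5.20 is 25 minutes apart and stays quiet.
SAMPLE_FLOWS = """\
2019-03-01 10:14:55 src=192.168.5.10:50210 dst=192.168.5.129:445 proto=tcp
2019-03-01 10:15:02 src=192.168.5.10:50211 dst=192.168.5.129:445 proto=tcp
2019-03-01 10:15:04 src=192.168.5.129:1042 dst=192.168.5.10:4444 proto=tcp
2019-03-01 10:20:00 src=192.168.5.20:50300 dst=192.168.5.129:445 proto=tcp
2019-03-01 10:45:00 src=192.168.5.129:1050 dst=192.168.5.20:80 proto=tcp
"""


def parse_flows(text):
    """Parse flow lines into dicts (sorted by time), dropping non-matching lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_smb_callbacks(flows, window_seconds=CALLBACK_WINDOW_SECONDS):
    """Return one alert per outbound TCP connection from an SMB server to a
    peer that contacted its port 445 no more than window_seconds earlier."""
    last_smb = {}  # (smb_server, client) -> time of latest inbound SMB flow
    alerts = []
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dport"] == SMB_PORT:
            last_smb[(f["dst"], f["src"])] = f["ts"]
            continue
        seen = last_smb.get((f["src"], f["dst"]))
        if seen is None:
            continue
        delta = (f["ts"] - seen).total_seconds()
        if delta <= window_seconds:
            alerts.append({
                "host": f["src"],
                "peer": f["dst"],
                "callback_port": f["dport"],
                "seconds_after_smb": delta,
                "at": f["ts"].isoformat(sep=" "),
            })
    return alerts


if __name__ == "__main__":
    for a in find_smb_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['at']} {a['host']} -> {a['peer']}:{a['callback_port']} "
              f"{a['seconds_after_smb']:.0f}s after inbound SMB")
```

With the default window only the 10:15:04 connection is reported; widening the window to an hour also surfaces the 10:45 connection to port 80, which shows why the window (and an allow-list of ports a server legitimately opens) has to be tuned to the environment rather than copied.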

Let’s set the RHOST (remote host) option. We will type: set RHOST 192.168.5.129. We can then use the check command to have Metasploit test whether our target is vulnerable to this specific exploit. While not available for all exploits, this ability is very useful for seeing whether or not your chosen exploit will work against the target system.

At this point, we are ready to use our exploit and gain access to the system. The beauty of MSFconsole is its ability to make everything so simple for us. All we have to do is type exploit, and hit enter!


Success! Metasploit was able to exploit the vulnerability and deliver our payload. By default, Metasploit delivered a Meterpreter payload. As we learned above, Meterpreter is an advanced, dynamic payload that was designed to be stealthy, powerful, and extensible, allowing us to interact with our victim in many useful ways.

Armed with an exploited machine and a meterpreter session, we can begin to interact with our victim. The power we have now gained over our target is immense. Using Meterpreter, we can upload, download, read, delete, and edit remote files. Meterpreter can also run commands on the target, dump password hashes, and even view the webcam along with many other useful commands.


Before we have any fun, however, let’s see what user and process our Meterpreter shell is running as. Meterpreter is successful because it is able to inject itself into a running process (in memory) on the vulnerable system and seemingly make everything look normal.

We can type getuid and getpid to get the user ID and process ID of our running Meterpreter shell. Then, type ps to see the process list on the target system.

We see we are running inside svchost.exe as the SYSTEM user. The SYSTEM user is the highest level of rights and access you can have on a machine, higher than the Administrator! Before we can spy on our user and take a screenshot of what they are doing, we need to migrate our Meterpreter shell from the svchost.exe process to the explorer.exe process. We also must first load a built-in Meterpreter extension called **espia** by typing:

meterpreter > use espia

Then, migrate the Meterpreter shell over to the explorer.exe process. This will give us more control and options over our system. Use the migrate command with the PID of explorer.exe shown in the ps listing.

With espia loaded and our Meterpreter shell running inside explorer.exe, we can type:

meterpreter > screengrab

and Meterpreter will take a screenshot on the target machine and send it to us.

Conclusion

By exploiting a vulnerable operating system, we were able to deliver a Meterpreter payload that allowed us to interact with the target machine.