
Friday, June 10, 2016

METASPLOIT - Windows 7 - Sniffing



WINDOWS 7 - SNIFFING


- Layout for this exercise:




- Metasploit provides the sniffer extension, which can be loaded from a meterpreter session:




- Checking which interfaces are available for sniffing, let's pick one whose usable parameter is true:



- The sniffing process starts on interface 2, allocating a buffer of 10000 packets:




- Some traffic is generated, for instance by pinging the victim Windows 7 from the attacker Kali:




- Statistics of the sniffing process:




- Captured packets can be dumped to a file in pcap format, for instance named readable_with_wireshark.pcap:




- Stopping the sniffing process:




- From another console, the captured packets can be read with the Wireshark application:




- Wireshark shows all the traffic generated by the pings between the attacker and the victim:








METASPLOIT - Windows 7 - Mimikatz



WINDOWS 7 - MIMIKATZ


- Layout for this exercise:




- Once Windows 7 has been exploited and control has been taken over, the mimikatz extension can be loaded and used to dump credentials.



- For instance, cached Digest Authentication passwords can be retrieved with the wdigest command:
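- As an added defensive check (not part of the original post), the following PowerShell audits and turns off the WDigest plaintext credential caching that the wdigest command relies on. It assumes an elevated prompt and, on Windows 7, that update KB2871997 is installed.

```powershell
# Added example, not from the original post: audit and disable WDigest
# plaintext credential caching, the LSASS data the mimikatz wdigest
# command reads. On Windows 7 / 2008 R2 the value is only honoured once
# KB2871997 is installed; Windows 8.1 and later support it out of the box.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    $item = Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: a patched Windows 7 still caches plaintext credentials
        return 'Absent (plaintext caching still enabled on Windows 7)'
    }
    if ($item.UseLogonCredential -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-WDigestCaching {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD 0 tells the WDigest provider not to keep the cleartext password in memory
    Set-ItemProperty -Path $key -Name UseLogonCredential -Value 0 -Type DWord
}

"Before: $(Get-WDigestState)"
Disable-WDigestCaching
"After:  $(Get-WDigestState)"
# Credentials LSASS already holds are not purged by the change; it applies to
# logons performed afterwards, so log the users off (or reboot) to finish the job.
```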






METASPLOIT - Windows 7 - Remote Desktop Protocol - Weak passwords



WINDOWS 7 - REMOTE DESKTOP PROTOCOL - WEAK PASSWORDS


- Layout for this exercise:





- Under circumstances similar to the previous example, the victim Windows 7 allows remote connections on the RDP port TCP 3389, with the less secure option:







- The attacker scans the victim and detects that RDP port 3389 is open:





- For the sake of simplicity, let's create a couple of small wordlists: UserList and PasswordList.




- With the help of both wordlists, ncrack discovers the credentials by attacking the RDP port open on the victim 192.168.1.14:
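- On the victim side, a wordlist attack like this one leaves a burst of failed logons in the Security log. The following PowerShell is an added detection example (not from the original post) that groups Security event 4625 by source address and reports sources over a threshold; the threshold and window are assumptions to tune locally, and PowerShell 3.0 or later with an elevated prompt is assumed.

```powershell
# Added example, not from the original post: flag sources that generate many
# failed logons (Security event 4625) on the Windows 7 host within a short
# window, the footprint a wordlist attack against RDP leaves behind.
function Find-LogonBruteForce {
    param([int]$Threshold = 10, [int]$WindowMinutes = 5)   # assumptions: tune locally
    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # The fields live in EventData as <Data Name="...">value</Data> elements
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $field['IpAddress']
            User      = $field['TargetUserName']
            # 10 = RemoteInteractive (classic RDP logon); with NLA enabled a failed
            # attempt is usually recorded as type 3 (Network) instead
            LogonType = $field['LogonType']
        }
    }
    $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $times = $_.Group | ForEach-Object { $_.Time } | Sort-Object
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    }
}

Find-LogonBruteForce | Format-Table -AutoSize
# Pair this with an account lockout threshold (net accounts /lockoutthreshold:N)
# so a wordlist cannot be run to completion in the first place.
```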






METASPLOIT - Windows 7 - Remote Desktop Protocol: Denial Of Service / Blue Screen



WINDOWS 7 - RDP - DoS - BLUE SCREEN



- Layout for this exercise:





- Remote Desktop Protocol (RDP) is a Microsoft protocol which provides a graphical interface for connecting to a computer through a network connection. RDP accepts connections on port TCP 3389.

- Operating systems like Windows 7 offer three RDP options regarding security, under Control Panel -> System and Security -> System -> Remote settings -> System Properties -> Remote:






- An attacker can detect that the RDP port 3389/tcp is open on the victim's computer:




- The less secure option allows any type of RDP connection, a vulnerability that can be taken advantage of by exploiting it with the appropriate Metasploit module:




- The required options for this module are simple: just the victim's IP and the RDP port (3389):







- When the module runs, crafted packets are sent to the victim:





- As a consequence, the Denial of Service attack results in a Blue Screen on the target machine:





- To avoid this DoS attack, the RDP service should be disabled by default:



- Also, the secure option with Network Level Authentication could be considered:
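- Both mitigations above can be audited and applied from the registry. The following PowerShell is an added example (not from the original post) that reports the current RDP posture and moves it to the hardened setting; it assumes an elevated prompt and the registry values Windows 7 uses for the Remote settings dialog.

```powershell
# Added example, not from the original post: audit the RDP settings the post
# discusses and move them to the hardened position. Run from an elevated prompt.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $deny = (Get-ItemProperty $ts).fDenyTSConnections    # 1 = remote connections disabled
    $nla  = (Get-ItemProperty $tcp).UserAuthentication    # 1 = Network Level Authentication required
    $sec  = (Get-ItemProperty $tcp).SecurityLayer         # 0 = RDP security layer, 1 = negotiate, 2 = TLS
    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        SecurityLayer = $sec
        Listening     = [bool](netstat -ano | Select-String ':3389\s+.*LISTENING')
    }
}

function Set-RdpHardened {
    param([switch]$DisableRdp)
    if ($DisableRdp) {
        # "Don't allow connections to this computer": no listener on 3389 at all
        Set-ItemProperty $ts -Name fDenyTSConnections -Value 1 -Type DWord
        return
    }
    # "Allow connections only from computers running Remote Desktop with NLA":
    # the client must authenticate before a session is created, so an
    # unauthenticated sender of crafted packets sees far less of the service
    Set-ItemProperty $ts  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty $tcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty $tcp -Name SecurityLayer      -Value 2 -Type DWord
}

'Before:'; Get-RdpPosture | Format-List
Set-RdpHardened            # or: Set-RdpHardened -DisableRdp
'After:';  Get-RdpPosture | Format-List
# Restart the Remote Desktop Services service (TermService) or reboot so the
# listener picks up the new settings for every new connection.
```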








METASPLOIT - Windows 7 - Reverse Shell TCP Allports


WINDOWS 7 - REVERSE SHELL TCP ALLPORTS

- Layout for this process:


- So far we have considered blocking only some specific ports. In this case, however, the OUTBOUND rule blocks a range of ports, for instance from 3000 to 6000:






- Now, the reverse_tcp_allports payload is converted into an executable file. This payload tries to connect back to the attacker on every possible TCP port, from 1 to 65535, working systematically port by port until it finds one that is open or allowed by the firewall.

- Later we'll see why LPORT is still 4444, although it is inside the range of ports blocked by the firewall.





- Checking that it is an executable file:



- Because all connections on ports 3000 to 6000 are going to be blocked by the firewall, the first allowed connection will be on port 6001. However, since the attacker does not know this in advance, he redirects the incoming connections to a well-known port like 4444. Iptables can be used for that purpose.



- First, all Iptables rules are cleared:




- Then, connections on the range 3000:6000 plus 6001 are redirected to local port 4444 (that is the reason LPORT = 4444):



- The attacker sets up a handler exploit, waiting for the connection from the victim:




- Also, a web server is running on the attacker side:



- The client or victim connects, downloads and runs the executable reverse_tcp_allports.exe:


- A meterpreter session is successfully achieved on the attacker side:














- It is interesting to compare the netstat output from both sides. From the attacker's perspective the connection is on local port 4444:







- On the other hand, from the victim's point of view, the connection goes to remote port 6001, as expected: ports 3000 to 6000 are blocked by the firewall, and port 6001, the first one allowed through, was redirected towards port 4444 by Iptables:
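- From the defender's side, a payload walking port by port through a blocked range leaves one DROP entry per port in the Windows Firewall log, all to the same destination. The following PowerShell is an added detection example (not from the original post) that parses that log format and flags such consecutive-port sequences; the sample log lines are constructed, and the minimum sweep length is an assumption to tune to the size of the blocked range.

```powershell
# Added example, not from the original post: detect an outbound sequential port
# sweep in the Windows Firewall log. Enable logging of dropped packets first:
#   netsh advfirewall set allprofiles logging droppedconnections enable
# (default file: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)
function Find-OutboundPortSweep {
    param(
        [string[]]$Lines,
        [int]$MinPorts = 20      # assumption: tune to the blocked range size
    )
    $drops = foreach ($l in $Lines) {
        if ($l -match '^#' -or $l.Trim() -eq '') { continue }
        # Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        $f = $l -split '\s+'
        if ($f.Count -lt 17) { continue }
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[16] -eq 'SEND') {
            [pscustomobject]@{ Src = $f[4]; Dst = $f[5]; DstPort = [int]$f[7]; Time = "$($f[0]) $($f[1])" }
        }
    }
    $drops | Group-Object Src, Dst | ForEach-Object {
        $ports = $_.Group | ForEach-Object { $_.DstPort } | Sort-Object -Unique
        if ($ports.Count -lt $MinPorts) { return }
        # Consecutive port numbers are the signature of a sequential sweep
        $seq = 0
        for ($i = 1; $i -lt $ports.Count; $i++) { if ($ports[$i] - $ports[$i - 1] -eq 1) { $seq++ } }
        if ($seq -ge ($MinPorts - 1)) {
            [pscustomobject]@{
                Source = $_.Group[0].Src; Destination = $_.Group[0].Dst
                Ports = "$($ports[0])-$($ports[-1])"; Attempts = $ports.Count
                FirstSeen = $_.Group[0].Time; LastSeen = $_.Group[-1].Time
            }
        }
    }
}

# Constructed sample: the victim (192.168.1.14) trying ports 3000..3040 on the
# attacker (192.168.1.10), every attempt dropped by the outbound range rule.
$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$sample += @(3000..3040 | ForEach-Object {
    "2016-06-10 10:15:$('{0:d2}' -f ($_ % 60)) DROP TCP 192.168.1.14 192.168.1.10 $(49152 + $_) $_ 52 S 1 0 8192 - - - SEND"
})
Find-OutboundPortSweep -Lines $sample | Format-Table -AutoSize
# Real use: Find-OutboundPortSweep -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```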







METASPLOIT - Windows 7 - Reverse Shell HTTPS / HTTP



WINDOWS 7 - REVERSE SHELL HTTPS / HTTP

- Layout for this exercise:




- In the previous exercise an OUTBOUND rule was created with Windows Firewall with Advanced Security to block reverse shell connections to remote port TCP 4444, used by default by Metasploit:



   





- However, this rule would not block OUTBOUND connections to any other remote port, for instance port 443 (HTTPS) or port 80 (HTTP).

- In the next two exercises, let's see how it is possible to install backdoors on the victim machine, bypassing firewalls, using Social Engineering so that the victim downloads executable files from the attacker's web page.



REVERSE_HTTPS.exe

- Let's create the executable reverse_https.exe, using msfvenom and meterpreter reverse_https payload:




- Checking that it is an executable file for Windows:




- The attacker opens a web server on port 8000:




- Also, the attacker Kali sets up a handler exploit with local port 443 (HTTPS) and its local IP, waiting for the victim:




- Then, the victim Windows 7 connects to the web server, downloads and runs the executable reverse_https.exe:




- Automatically, a meterpreter session is opened on the attacker's console, and the post-exploitation process can be started:






REVERSE_HTTP.exe

- The same goal can be achieved with the HTTP protocol. The attacker creates the binary reverse_http.exe with msfvenom. In this case LPORT corresponds to 80 (HTTP), and the local IP corresponds to the attacker's machine:




- The file is an executable for Microsoft systems:






- A web server is set up by the attacker:




- Also, a handler exploit waits until the client connects and runs the binary:





- The victim Windows 7 downloads and runs reverse_http.exe:




- Automatically, a meterpreter session is achieved on the attacker's machine:
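- The lesson of both HTTPS and HTTP exercises is that a rule blocking one remote port does nothing against a payload that calls home on 443 or 80. The following PowerShell is an added example (not from the original post) of the defensive counterpart on the Windows 7 host: the outbound policy is switched to default-deny and only named programs are allowed to reach the web ports. The program paths are assumptions, an elevated prompt is assumed, and every legitimate service needs its own allow rule, so test before deploying.

```powershell
# Added example, not from the original post: default-deny outbound policy with
# a per-program allowlist for ports 80/443, using the netsh syntax available
# on Windows 7 (the NetSecurity cmdlets only exist on Windows 8 and later).
function Set-OutboundAllowlist {
    param([string[]]$AllowedPrograms)
    # Everything not explicitly allowed is dropped, including an unknown
    # reverse_https.exe or reverse_http.exe trying to reach a handler on 443/80
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    foreach ($p in $AllowedPrograms) {
        $name = "AllowWeb_$(Split-Path $p -Leaf)"
        netsh advfirewall firewall delete rule name="$name" | Out-Null     # idempotent re-run
        netsh advfirewall firewall add rule name="$name" dir=out action=allow program="$p" protocol=TCP remoteport=80,443
    }
    # Keep name resolution and DHCP working for the system services that need them
    netsh advfirewall firewall add rule name="AllowDNS_svchost"  dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=Dnscache protocol=UDP remoteport=53
    netsh advfirewall firewall add rule name="AllowDHCP_svchost" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=Dhcp protocol=UDP remoteport=67
}

function Get-OutboundPolicy {
    # Shows "BlockOutbound" or "AllowOutbound" under each profile
    (netsh advfirewall show allprofiles) | Select-String 'Profile Settings|Firewall Policy'
}

Set-OutboundAllowlist -AllowedPrograms @(
    'C:\Program Files\Internet Explorer\iexplore.exe'    # assumption: the host's browser
)
Get-OutboundPolicy
```

With this policy in place the executables from both exercises are blocked at the socket level regardless of the port they choose, while the allowed browser keeps working.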