
Friday, June 10, 2016

METASPLOIT - Linux - Samba


LINUX - SAMBA

- Layout for this exercise:




- The attacker scans for open ports and services on the victim's machine using NMAP:





- On port 139 the victim is running Samba, a file-sharing service that in this case suffers from a vulnerability. Metasploit provides the usermap_script exploit to take advantage of it:




- Let's set the payload to cmd/unix/reverse:




- Required options include remote host (victim) and local host (attacker):




- Setting remote host's IP:




- Setting attacker's IP:




- Launching the exploit, the result is a remote shell that allows post-exploitation of the victim:



- For instance, from the remote shell the contents of both /etc/passwd and /etc/shadow can be read:









METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection



WINDOWS 7 - BYPASSING DNS BY HOSTS FILE INJECTION


- Layout for this exercise:




The hosts file is a plain text file used by operating systems to map hostnames to IP addresses.


- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that the well-known URL www.google.com is redirected to the attacker's website.

- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake one.


- One of the keys for this attack to succeed is the name resolution order used by Windows systems. First, Windows 7 looks up the entries in the hosts file. Second, Domain Name System (DNS) servers are queried.

- For this reason, if a crafted hosts file is injected into the victim's machine, the victim will not notice that the web destination is actually a fake one.

- Let's start the attack by backgrounding the active meterpreter session:






- Now, the post-exploitation inject_host module is used:





- Options for this exploit:



The domain to be faked:




The attacker's IP:



- The active meterpreter session:



- Now, all required options are set:



- The exploit is launched and successfully completed:






- As a result, back on the victim, the hosts file now has a new entry pointing www.google.com to the attacker's IP:



- On the attacker's side, to take advantage of the attack, a web server is set up on port 80 serving a welcome message:







- From the victim's machine, when trying to connect to www.google.com, the connection is redirected to the attacker's website:






- Let's notice that this redirection or phishing could target, on the victim's side, any type of trustworthy website (banks, email services, businesses, ...), and on the attacker's side a fake website where the victim could enter valid credentials, which would then be stolen by the attacker.

- It is interesting to check the different ways the commands ping and nslookup handle this situation.

- When pinging www.google.com, the name resolves to 192.168.1.12:




- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain the mapping between a domain name and an IP address.



- In this way, nslookup only checks DNS resolution, ignoring the hosts file, and resolves www.google.com to the real IP 216.58.216.228:





As said before, the hosts file is consulted before DNS resolution on Windows systems.
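Added example (not code from the original post): a small Python check, run on a constructed hosts file that contains the injected entry shown above, which flags hosts entries overriding non-local names and contrasts the ping-style (hosts file first) and nslookup-style (DNS only) resolution the text describes. The sample file contents, the DNS answer table and the function names are assumptions.

```python
import ipaddress

# Constructed sample hosts file after the injection above (last line is the injected entry).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
192.168.1.12 www.google.com
"""
# Constructed stand-in for the answers the real DNS server gives.
SAMPLE_DNS = {"www.google.com": "216.58.216.228"}
# Names that legitimately live in a hosts file and are not flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries

def suspicious_entries(text):
    """Flag hosts entries that override a non-local name; a public domain
    mapped to a private address is exactly the pattern used above."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in LOCAL_NAMES or addr.is_loopback:
            continue
        reason = "private address" if addr.is_private else "override"
        flagged.append((name, ip, reason))
    return flagged

def resolve(name, hosts_text, dns_table, use_hosts=True):
    """use_hosts=True mimics ping (hosts file first, then DNS);
    use_hosts=False mimics nslookup, which asks the DNS server directly."""
    if use_hosts:
        for ip, host in parse_hosts(hosts_text):
            if host == name.lower():
                return ip
    return dns_table.get(name.lower())
```

A periodic comparison of the live hosts file against a known-good copy, using the same parser, is enough to detect this kind of injection on a monitored host.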






METASPLOIT - Windows 7 - Keylogger




WINDOWS 7 - KEYLOGGER


- Layout for this exercise:





- The keyscan_start command starts capturing keystrokes at the victim's machine:




- Now, let's suppose that a user at the victim's machine types a set of characters, for instance:




The attacker can retrieve all those characters just by using the command keyscan_dump:







- Once the attack has been successfully performed, the keyscan process can be stopped:







METASPLOIT - Windows 7 - Desktop screen grabbing


WINDOWS 7 - DESKTOP SCREEN GRABBING

- Layout for this exercise:



- Windows systems automatically create an interactive window station. When an interactive user logs on, the system associates the interactive window station with the user logon session. The system also creates the default input desktop for the interactive window station (WinSta0\Default). Processes started by the logged-on user are associated with the WinSta0\Default desktop. In other words, the WinSta0 station is the one used to interact with users:

- The command enumdesktops enumerates all accessible desktops:






- Checking that the active desktop is interactive:




- Loading the espia extension from meterpreter:




Then, the screengrab command grabs a screenshot of the active desktop at the victim's machine. The picture is saved under the path /root with a .jpeg extension:










METASPLOIT - Windows 7 - Sniffing



WINDOWS 7 - SNIFFING


- Layout for this exercise:




- Metasploit provides the sniffer module, which can be loaded from a meterpreter session:




- Checking how many interfaces are available for sniffing, let's take one with the parameter "usable:true":



The sniffing process starts on interface 2, allocating a buffer of 10000 packets:




Some traffic is generated, for instance by pinging from the attacker's Kali to the victim's Windows 7:




Statistics of the sniffing process:




- Captured packets can be dumped to a file in pcap format; for instance, let's name it readable_with_wireshark.pcap:




Stopping the sniffing process:




- From another console, the captured packets can be read with the Wireshark application:




- Wireshark shows all the traffic generated by the pings between the attacker and the victim:








METASPLOIT - Windows 7 - Mimikatz



WINDOWS 7 - MIMIKATZ


- Layout for this exercise:




Once Windows 7 has been exploited and control has been taken over, the mimikatz extension can be loaded and used to dump credentials.



For instance, cached Digest Authentication passwords can be retrieved with the command wdigest: