
Tuesday, June 14, 2016

METASPLOIT - Double Pivoting


DOUBLE PIVOTING

- Layout for this exercise:




- First, the XP system must be exploited, because it is the closest to the attacker, being located in the same network 192.168.0.0/24.
It will be used as the first pivot for further attacks against the other inside networks.

- Scanning available ports and services at pivot 1 (XP):




- Let's try to attack XP on port 445, using the ms08_067_netapi exploit:




- Setting XP's IP as the RHOST:




- Launching the exploit, a successful meterpreter session is achieved:






















- Now, post exploitation shows that XP is connected to an inner network 20.0.0.0/24:




- Scanning for machines inside 20.0.0.0/24, a new host 20.0.0.2 is discovered.
This is pivot 2, to be used in the attack against the final victim:




- Backgrounding the session 1:




- So far, there is only one active meterpreter session 1:




- A route to the inner network 20.0.0.0/24 is added using session 1:




- Printing the route:




- Backing out of the exploit module:




- The next step is to exploit the intermediate machine, whose IP is 20.0.0.2. For that purpose, let's discover its open and available ports:




- Let's try to attack port 80 using a vulnerability in the BadBlue application, a web server usually running on that port:




- Setting the remote host to the newly discovered system:




- In this case, the meterpreter payload is set to bind_tcp, because with reverse_tcp the final victim would not know how to route back to the attacker:




- Launching the exploit, a second meterpreter session is opened. We learn that pivot 2 is a Windows 7 system:




- Also, it is interesting to notice that W7 has two interfaces, one with the address 20.0.0.2 and the other connected to the innermost network 10.0.0.0/24 with IP 10.0.0.1:








- Let's discover other machines inside the network 10.0.0.0/24. As a result, we learn that the final victim has the IP 10.0.0.2:




- Backgrounding the meterpreter session 2:




- Backing out to the original msfconsole prompt:




- Now, there are 2 active meterpreter sessions:



- A second route is needed to access the innermost network 10.0.0.0/24, using meterpreter session 2:








- Now, the last step would be to attack the final victim, with IP 20.0.0.2. To achieve this goal we need to know what ports are open and available to be attacked, running this auxiliary script:




- Let's try to attack port 21, usually devoted to the FTP service, for instance using the exploit vsftpd_234_backdoor:




- Launching the exploit, the attack is successful: a third session, a shell, is opened on the innermost victim:




- So finally there are 3 open and active sessions for the whole process:




- It is interesting to see how netstat shows all the connections on each computer. From the attacker's point of view:






- From the Linux innermost computer's point of view:




- From the XP's point of view:




- From W7's point of view:
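The netstat views above make a useful defensive point: a pivot is a host that carries live connections on two different subnets at once. The following is an added example, not code from the post, that parses constructed netstat excerpts (the Windows and Linux layouts differ, so the parser keys on the two addr:port tokens and the trailing state) and flags hosts that bridge networks. The /24 prefix, the attacker address 192.168.0.100 and the XP address 192.168.0.2 are assumed values; the post does not state them.

```python
import ipaddress

# Constructed netstat excerpts for the lab hosts (not the post's screenshots).
NETSTAT_W7 = """\
  TCP    20.0.0.2:4444          20.0.0.1:1041          ESTABLISHED
  TCP    10.0.0.1:49158         10.0.0.2:21            ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

NETSTAT_XP = """\
  TCP    192.168.0.2:1035       192.168.0.100:4444     ESTABLISHED
  TCP    20.0.0.1:1041          20.0.0.2:4444          ESTABLISHED
"""

NETSTAT_LINUX = """\
tcp        0      0 10.0.0.2:21             10.0.0.1:49158          ESTABLISHED
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
"""


def parse_established(text):
    """Yield (local_ip, remote_ip) for every ESTABLISHED TCP line,
    accepting both the Windows 'netstat -an' and Linux 'netstat -ant' layouts."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].upper() != "TCP":
            continue
        if tokens[-1] != "ESTABLISHED":
            continue
        endpoints = [t for t in tokens if ":" in t][:2]
        if len(endpoints) != 2:
            continue
        local, remote = (e.rsplit(":", 1)[0] for e in endpoints)
        yield local, remote


def bridged_networks(text, prefixlen=24):
    """Set of local subnets that carry established connections.
    The lab uses /24 everywhere, so the prefix length is assumed here;
    in production pass the host's real interface masks instead."""
    nets = set()
    for local, _remote in parse_established(text):
        net = ipaddress.ip_network("%s/%d" % (local, prefixlen), strict=False)
        nets.add(str(net))
    return nets


def is_pivot_candidate(text, prefixlen=24):
    """A host with live sessions on two different subnets is bridging them,
    which is what a meterpreter pivot looks like from the outside and is
    worth correlating with process and logon telemetry on that host."""
    return len(bridged_networks(text, prefixlen)) > 1


if __name__ == "__main__":
    for name, text in (("XP", NETSTAT_XP), ("W7", NETSTAT_W7), ("Linux", NETSTAT_LINUX)):
        print(name, sorted(bridged_networks(text)), "pivot?", is_pivot_candidate(text))
```

Run against the constructed data, XP and W7 are flagged (each bridges two networks) while the Linux victim, which only talks on 10.0.0.0/24, is not.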







Monday, June 13, 2016

METASPLOIT - Pivoting


METASPLOIT - PIVOTING

- Layout for this exercise:





- First, let's exploit the pivot XP taking advantage of the netapi vulnerability:




- Setting the remote host to the XP's IP address:




- Looking in the payload list for a meterpreter reverse_tcp payload:




- The local host is the attacker itself, because of the reverse shell:




- Once the exploit is launched, the attack is successful and a meterpreter session is achieved:




- The pivot has two interfaces, one on the outside network 192.168.1.0 and the other on the inside network 10.0.0.0:




- Let's discover hosts inside the internal network 10.0.0.0/24. Because 10.0.0.1 corresponds to the pivot XP, 10.0.0.2 must belong to the innermost machine, the victim:




- Backgrounding the meterpreter session 1:




- So far, there is only one active meterpreter session, number 1:




- A route is added to the inside network, using the active meterpreter session 1:




- Printing the route:
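Both this post and the double-pivoting one above rely on the same mechanism: each "route add" ties a subnet to a meterpreter session, and a target is reached by following those routes session by session. The following is an added example, not the post's own code or Metasploit's, that models that table in a few lines: longest-prefix lookup of the session for a target, the chain of sessions a double pivot produces, and the reverse_tcp versus bind_tcp reasoning from the double-pivot post. The route table is the double-pivot layout (the single-pivot case is simply one route and a chain of length one); the XP address 192.168.0.2 is an assumed value, since the posts do not state it.

```python
import ipaddress

# Constructed route table mirroring "route add" in the posts (not msf output):
# each entry is (subnet, meterpreter session that carries traffic to it).
ROUTES = [
    ("20.0.0.0/24", 1),   # inner network, reached through the XP session
    ("10.0.0.0/24", 2),   # innermost network, reached through the W7 session
]

# Address of the host behind each session, as seen from the hop before it.
# The XP address is an assumed value; the posts do not state it.
SESSION_HOSTS = {1: "192.168.0.2", 2: "20.0.0.2"}

ATTACKER_NET = "192.168.0.0/24"


def resolve_session(target, routes=ROUTES):
    """Session whose route covers `target` (longest prefix wins, like a real
    routing table); None means no pivot route applies and the traffic would
    leave the attacker's own interface."""
    addr = ipaddress.ip_address(target)
    best = None
    for cidr, session in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, session)
    return best[1] if best else None


def pivot_chain(target, routes=ROUTES, hosts=SESSION_HOSTS):
    """Ordered list of sessions a packet to `target` passes through, innermost
    first: [2, 1] is the double pivot, [1] a single pivot, [] a host the
    attacker reaches directly. A route whose session host is itself reached
    through the same session would loop forever, so it is rejected."""
    chain, hop = [], target
    while True:
        session = resolve_session(hop, routes)
        if session is None:
            return chain
        if session in chain:
            raise ValueError("route loop through session %d" % session)
        chain.append(session)
        hop = hosts[session]


def choose_payload(victim_networks, attacker_net=ATTACKER_NET):
    """reverse_tcp needs the victim to open a connection back to the attacker,
    which only works when the victim sits on the attacker's network. Otherwise
    a bind payload listens on the victim and the attacker connects inward
    through the pivot routes."""
    attacker = ipaddress.ip_network(attacker_net)
    on_attacker_net = any(ipaddress.ip_network(n) == attacker for n in victim_networks)
    return "reverse_tcp" if on_attacker_net else "bind_tcp"


if __name__ == "__main__":
    for ip in ("10.0.0.2", "20.0.0.2", "192.168.0.2"):
        print(ip, "-> sessions", pivot_chain(ip))
    print("XP:", choose_payload(["192.168.0.0/24", "20.0.0.0/24"]))
    print("innermost victim:", choose_payload(["10.0.0.0/24"]))
```

The chain for 10.0.0.2 comes out as [2, 1]: session 2 carries the traffic into 10.0.0.0/24, and session 2's own host (20.0.0.2) is only reachable through session 1. The loop guard matters in practice, because a mistyped route that points a session's own subnet back at that session would otherwise never resolve.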




- Backing out from the netapi exploit:




- Scanning open ports (only ports 1 to 500) at the victim 10.0.0.2:






- Several interesting ports are open, for instance TCP 21, usually dedicated to FTP service:




- Backing out from the auxiliary module:




- Now, let's try attacking the FTP service on the victim:




- Setting the victim's IP as the remote host:




- Let's use the payload cmd/unix/interact to get a remote shell:




- Required options:




- Once the exploit is run, the attack is successful because a remote shell is finally obtained from the victim's machine:











Saturday, June 11, 2016

METASPLOIT - Linux - Post Exploitation



LINUX - POST EXPLOITATION

- Layout for this exercise:




- First of all, let's exploit the Linux system:




- As a consequence of the attack, a remote shell session is opened. To handle the attack more comfortably, the session is backgrounded:





- Metasploit provides several post-exploitation modules; for instance, hashdump gathers the hashes of all the passwords available on the victim's machine:





- Also, checkvm determines whether the remote system is a real or virtual machine:





- enum_configs gathers information about the victim's configuration, related to installed applications and services:





- enum_network collects data about the network, such as iptables rules, interfaces, ports, connections, DNS, SSH, etc.





- The enum_protections module looks for applications used to prevent or detect attacks, like antivirus, IDS/IPS, firewalls, etc.





- The enum_system module gathers system information, like installed packages, services, mount information, user list, user bash history and cron jobs:





- The enum_users_history module gathers user information like user lists, bash history, mysql history, vim history, etc.
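What hashdump actually collects on Linux is the contents of /etc/shadow, and the value of that data to an attacker depends heavily on which hash scheme each account uses. The following is an added example, not code from the post or from Metasploit, that audits a constructed /etc/shadow excerpt the way a defender would after such a dump: it classifies each account's hash field by its crypt(3) prefix and lists the accounts that need attention (empty passwords, legacy DES or MD5 hashes). All user names and hash strings are constructed placeholders, not real hashes.

```python
import re

# Constructed /etc/shadow excerpt; the hash strings are placeholders.
SHADOW_SAMPLE = """\
root:$6$c0nstructed$NotARealHashJustForTheParser:18900:0:99999:7:::
legacy:$1$c0nstru$NotARealMd5CryptHash:17000:0:99999:7:::
oldftp:AbCdEfGhIjKlM:15000:0:99999:7:::
guest::18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
sshd:!:18900:0:99999:7:::
dev:$y$j9T$c0nstructedsalt$NotARealYescryptHash:19000:0:99999:7:::
"""

# Schemes that are cheap to brute-force or need no cracking at all.
WEAK = {"empty", "md5crypt", "descrypt", "unknown"}


def classify_hash(field):
    """Name the crypt(3) scheme from the hash field's prefix."""
    if field == "":
        return "empty"            # login with no password at all
    if field.startswith(("*", "!")):
        return "locked"           # password login disabled
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$y$"):
        return "yescrypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if field.startswith("$1$"):
        return "md5crypt"
    if re.fullmatch(r"[./A-Za-z0-9]{13}", field):
        return "descrypt"         # classic 13-character DES, 8-char password limit
    return "unknown"


def audit_shadow(text):
    """Map each account name to the scheme of its hash field, skipping
    comments and blank lines."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        findings[parts[0]] = classify_hash(parts[1])
    return findings


def weak_accounts(text):
    """Sorted list of accounts whose hash is empty or in a weak scheme."""
    return sorted(user for user, kind in audit_shadow(text).items() if kind in WEAK)


if __name__ == "__main__":
    for user, kind in audit_shadow(SHADOW_SAMPLE).items():
        print("%-8s %s" % (user, kind))
    print("weak:", weak_accounts(SHADOW_SAMPLE))
```

Locked accounts (daemon, sshd) are reported but not treated as weak, since they cannot be logged into with a password at all; the three flagged accounts are the ones a dump like this would really expose.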





METASPLOIT - Linux - RLogin




LINUX - RLOGIN


- Layout for this exercise:




- Rlogin (Remote Login) is an old service used for remote administration that allows users to connect to machines over a network. In some ways it can be considered a predecessor of SSH. Rlogin suffers from several security issues, like unencrypted transmission and an unreliable authentication protocol. For this reason it is nowadays rarely used across untrusted networks. However, some Linux systems have the service enabled by default, which can be taken advantage of by malicious attackers. Rlogin runs on TCP port 513.


- Scanning the victim with Nmap, the attacker sees that port 513 is open:




- The attacker simply tries to connect remotely to the victim as the root user (without being asked for a password) and obtains a shell without any problem. The example shows how weak the authentication protocol really is, because no password is requested:
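The passwordless root login shown here is not a bug in rlogin but the result of its host-based trust files: /etc/hosts.equiv and each user's ~/.rhosts list which remote hosts (and optionally users) may log in without a password, and a "+" entry means "anyone". The following is an added example, not the post's code, that audits constructed copies of those files and reports the wildcard entries a defender should remove; the host names in the samples are made up.

```python
# Constructed trust files (not taken from the post's victim).
HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv
+
admin-ws.example.internal
-untrusted.example.internal
"""

ROOT_RHOSTS = """\
# constructed /root/.rhosts
+ +
backup.example.internal root
"""


def parse_trust_file(text):
    """Return (host, user) tuples; user is None when the line names only a
    host. Comments and blank lines are ignored. A leading '-' on the host
    marks a deny entry, '@' a netgroup; both are kept verbatim."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def risky_entries(text):
    """Entries that let any host, or any user from a host, log in without a
    password. Deny entries ('-host') are never risky."""
    risky = []
    for host, user in parse_trust_file(text):
        if host.startswith("-"):
            continue
        if host == "+" or user == "+":
            risky.append((host, user))
    return risky


def root_trusts_any_host(root_rhosts_text):
    """rlogind does not apply /etc/hosts.equiv to root, so whether a remote
    'rlogin -l root' gets a shell with no password is decided by root's own
    ~/.rhosts; a wildcard there is the condition behind the attack above."""
    return bool(risky_entries(root_rhosts_text))


if __name__ == "__main__":
    print("hosts.equiv:", risky_entries(HOSTS_EQUIV))
    print("root .rhosts:", risky_entries(ROOT_RHOSTS))
    print("root reachable without password from anywhere:", root_trusts_any_host(ROOT_RHOSTS))
```

Note the two different wildcards: a bare "+" in hosts.equiv trusts every host for same-named users, while "+ +" in a .rhosts file trusts every host and every remote user name, which is the worst case for root.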




- Once there, the attacker can fully control the victim's system:






- The netstat command displays the connection between victim and attacker:

















METASPLOIT - Linux - NFS


LINUX - NFS

- Layout for this exercise:





- NFS (Network File System) is a service available on Linux systems whose function is to let users manage shared folders over a network. In case of misconfiguration, NFS might turn into a serious vulnerability, allowing attackers access to the whole system.


- The attacker discovers the NFS service running on port 2049:




- showmount displays the list of directories exported by a specific machine, in this case the vulnerable victim's IP.




- The result (/ *) shows that even the root directory of the victim is exported, which is actually a huge security breach, because the whole filesystem is made available to any client, including an attacker.

- As a consequence, the filesystem listed by showmount can be mounted into a temporary folder on the attacker's machine. The nolock option disables file locking:
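The "/ *" line that showmount prints comes straight from the server's /etc/exports, so the place to catch this misconfiguration is that file. The following is an added example, not code from the post, that parses both a showmount listing and a constructed /etc/exports and reports the dangerous combinations: the root directory exported, a "*" client, rw to everyone, and no_root_squash (which lets a remote root keep uid 0 on the share). The export paths, clients and the host name in the showmount header are made up.

```python
import re

# Constructed /etc/exports (not the post's victim's file).
EXPORTS = """\
# constructed /etc/exports
/          *(rw,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/home      10.0.0.5(rw,sync)
"""

# Constructed output of "showmount -e victim.example".
SHOWMOUNT_OUTPUT = """\
Export list for victim.example:
/ *
"""


def parse_showmount(text):
    """Return (path, [clients]) for each line after the header."""
    exports = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            exports.append((parts[0], parts[1].split(",")))
    return exports


def parse_exports(text):
    """Yield (path, client, options) per client. A client with no option
    list gets exportfs defaults, which are read-only with root_squash; a
    bare "(opts)" with no host applies to every client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for spec in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts


def audit_exports(text):
    """List (path, client, [issues]) for every export with a risky setting."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if path == "/":
            issues.append("root filesystem exported")
        if client == "*":
            issues.append("exported to any client")
        if "no_root_squash" in opts:
            issues.append("remote root keeps uid 0")
        if "rw" in opts and client == "*":
            issues.append("world-writable export")
        if "insecure" in opts:
            issues.append("accepts non-privileged source ports")
        if issues:
            findings.append((path, client, issues))
    return findings


if __name__ == "__main__":
    print("showmount:", parse_showmount(SHOWMOUNT_OUTPUT))
    for path, client, issues in audit_exports(EXPORTS):
        print(path, client, "->", "; ".join(issues))
```

The corrected form of the offending line would restrict the export to a specific path and client range with root_squash, as the /srv/share line does; the audit reports nothing for that entry or for the /home export to a single host.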






- As a result, the attacker can see locally the whole content of the remote system:




- For instance, /etc/passwd is obtained by the attacker: