Powered by Blogger.
Home » » Module 07: Network Penetration Testing Methodology-Perimeter Devices 2

Module 07: Network Penetration Testing Methodology-Perimeter Devices 2

Written By AKADEMY on Wednesday, July 3, 2019 | 11:22 AM

Exercise 2: HTTP Tunneling to Bypass Firewalls Using HTTPort

Scenario

Attackers are constantly searching for vulnerable clients to penetrate their network through IP spoofing to damage or steal data. The attacker can access packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as explained in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can be disastrous for an organization’s network.
Therefore, as a network administrator, you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc. and compare these details with modeled attack signatures to determine if an attack has occurred.
Also, familiarity with the HTTP tunneling technique is important as it helps in identifying additional security risks that may not be detected by conducting simple network and vulnerability scanning and determines to what extent a network IDS can identify malicious traffic within a communication channel.
Lab Duration30 Minutes
  1. Click Advertisement Dept. Subnet D.
    Click Admin account to log in.
    In the logon box password field click Pa$$w0rd
    After logging in to the machine, User Account Control pop-up for Java Auto Updater may appear any time. Click No.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  2. Server Manager window appears, click close button.
    Screenshot
  3. Click Start and navigate to Administrative Tools --> Services.
    Screenshot
  4. Services window appears. Scroll down and right-click on World Wide Web Publishing Serviceand click Stop option.
    Screenshot
  5. In the same way, Right-click on IIS Admin Service and click Stop option.
    Screenshot
  6. ECSA-Tools folder is located in Windows Server 2012 (Internal Network) machine. To access the folder, type \\192.168.168.8 in the address bar of the Computer window and press EnterECSA-Tools shared folder will appear as shown in the screenshot below. Double-click on the shared folder to view the list of Tools for each module.
    If Windows Security pop-up appears to access \\192.168.168.8, provide Windows Server 2012 (Internal Network) credentials i.e.,
    Username: Administrator
    Password: Pa$$w0rd
    and click OK.
    Screenshot
  7. The ECSA-Tools, shared drive window appears, as shown in the screenshot.
    Screenshot
  8. Navigate to \\192.168.168.8\ECSA-Tools\ECSAv10 Module 07 Network Penetration Testing Methodology-Perimeter Devices\HTTHost and double-click htthost.exe.
    Screenshot
  9. The Open File – Security Warning pop-up appears on the screen, click Run.
    Screenshot
  10. The HTTHost 1.8.5 window appears, as shown in the screenshot.
    Screenshot
  11. Select Options tab.
    In the Options tab, set all its settings to default except Personal Password field, which should be filled in with any password. In this lab, the personal password is set to magic.
    Check the Revalidate DNS names and Log Connections options, and click Apply.
    Screenshot
  12. Check if the last line is Listener: listening at 0.0.0.0:80 in Application Log, which ensures that HTTHost is running properly and has started listening to port 80.
    Screenshot
  13. Close the Services console.
    Leave HTTHost running, and do not turn off the Advertisement Dept. Subnet D machine.
  14. Click Windows Server 2012 (Internal Network)click Ctrl+Alt+Delete.
    Screenshot
  15. In the log on box click Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  16. Right-click the Windows icon and click Control Panel.
    Screenshot
  17. The Control Panel window appears and displays all control panel items. Select Windows Firewall.
    Screenshot
  18. The Windows Firewall control panel appears; click Turn Windows Firewall on or off link in the left pane.
    Screenshot
  19. The Customize settings window appears.
    Select the Turn on Windows Firewall (under Private network settings and Public network settings).
    Click OK.
    Screenshot
  20. Firewall is successfully turned on. Now, click Advanced settings in the left pane.
    Screenshot
  21. The Windows Firewall with Advanced Securityappears.
    Select Outbound Rules in the left pane.
    A list of outbound rules is displayed. Click New Rule… in the right pane (under Outbound Rules).
    Screenshot
  22. In the New Outbound Rule Wizard, select Portas the Rule Type, and click Next.
    Screenshot
  23. Select All remote ports, under Protocol and Ports, and click Next.
    Screenshot
  24. Under ActionBlock the connection is selected by default. Click Next.
    Screenshot
  25. In the Profile section, ensure that all the options (Domain, Private and Public) are checked, and click Next.
    Screenshot
  26. Under Name, type Port 21 Blocked in the Namefield, and click Finish.
    Screenshot
  27. The new rule Port 21 Blocked is created, right-click the newly created rule (Port 21 Blocked), and click Properties.
    Screenshot
  28. The Properties window for Port 21 Blocked rule appears.
    Select the Protocols and Ports tab. In the Remote Port field, select Specific Ports option from the drop-down list and enter 21 as Port Number.
    Leave the other default settings, click Apply, and click OK.
    Screenshot
  29. Disable the rule, and check if you are able to connect to the FTP site.
    Right-click the newly added rule, and click Disable Rule.
    Screenshot
  30. Launch the command prompt, and issue ftp 172.20.20.11. You will be asked to enter the username.
    This means you are able to establish an FTP connection.
    Screenshot
  31. Now, enable the rule, and check whether you can establish a connection.
    Right-click the newly added rule, and click Enable Rule.
    Screenshot
  32. Launch the Command Prompt and check whether you are able to connect to the FTP site by issuing the command ftp 172.20.20.11. The added outbound rule should block the connection shown in the screenshot.
    If you are not asked to enter credentials, it means that the connection is blocked.
    Screenshot
  33. Close all the windows.
    Now, perform tunneling using HTTPort to establish a connection with the FTP site located on Sales Department Subnet D.
  34. Navigate to E:\ECSAv10 Module 07 Network Penetration Testing Methodology-Perimeter Devices\HTTPort and double-click httport3snfm.exe.
    Follow the wizard-driven installation steps to install HTTPort.
    If an Open File Security - Warning pop-up appears, click Run.
    Screenshot
  35. Click on Start and type HTTPort 3.SNFM. You will get the tool as a search result. Click on the first option.
    Screenshot
  36. An Introduction wizard appears, click Next (5 times) till the end of the wizard and then click Close.
    Screenshot
  37. The HTTPort main window (HTTPort 3.SNFM) appears, as shown in the screenshot.
    Screenshot
  38. Select the Proxy tab and enter the IP address of Advertisement Dept. Subnet D machine i.e., 172.20.20.9 (since HTTHost is running in that machine), and enter 80 as Port number.
    In the Misc. options section, under the Bypass mode: field, select Remote host option from the drop-down list.
    In the Use personal remote host at (blank = use public) section, re-enter the IP address Advertisement Dept. Subnet D i.e., 172.20.20.9and 80 as the port number.
    Enter magic in the Password: field.
    Screenshot
  39. Select the Port mapping tab and click Add to create New Mapping.
    Screenshot
  40. Right-click New Mapping node, and click Edit.
    Screenshot
  41. Rename this to ftp old home (you can enter a name of your choice). Right-click the node below Local port, then click Edit and enter 21 as the port value.
    Right-click the node below Remote host, click Edit and rename it as 172.20.20.11.
    Right-click the node below Remote port, then click Edit and enter 21 as the port value.
    172.20.20.11 specified in Remote hostnode is the IP address of the FTP site hosted on Sales Department Subnet D.
    Screenshot
  42. Switch back to Proxy tab and click Start to begin the HTTP tunneling.
    Screenshot
  43. 1. HTTPort intercepts the FTP request to localhost and tunnels through it. HTTHost installed on the remote machine connects you to 172.20.20.11.
    1. This means you may not access FTP site directly by issuing ftp 172.20.20.11 in the command prompt, but you will be able to access it through the local host by issuing the command ftp 127.0.0.1.
  44. Launch Command Prompt and type ftp 172.20.20.11, and press Enter. The ftp connection will be blocked by the outbound firewall rule.
    Screenshot
  45. Now launch a new Command Prompt, type ftp 127.0.0.1 and Press Enter. You should be able to connect to the site.
    Screenshot
  46. Enter the credentials of any user account of Sales Department Subnet D. In this lab, we are using the credentials of the Admin account. Type the username (Admin) and password (test@123), and press Enter.
    The password you enter won't be visible.
    Screenshot
  47. You have successfully logged in, even after adding a firewall outbound rule inferring that a tunnel has been established by HTTPort and HTTHost, bypassing the firewall.
    Now you have access to add files in the ftp directory located in Sales Department Subnet Dmachine.
    Type mkdir Test and press Enter.
    Screenshot
  48. Click Advertisement Dept. Subnet D. Login to the machine with Username Admin and password as test@123.
  49. Navigate to C:\inetpub\ftproot. A directory named Test will be created in the ftproot folder as shown in the screenshot.
    Screenshot
  50. Thus, you have successfully bypassed windows firewall using HTTP Tunneling.
    On completion of the exercise, delete the created outbound rule, stop HttHost and HTTPort and disable the firewall (which was enabled in the beginning of the lab) in the host machine i.e., Windows Server 2012 (Internal Network). Also, start the World Wide Web Publishing Service in Advertisement Dept. Subnet D machine.
    Close all the applications, files, and folders that were opened while performing this exercise.
In this lab you have learned how to analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT