a practical example that I shared in the previous lecture. An example where we have two VMs, where both of them are running inside a virtual environment, and the virtual machine, or the software that we use for the virtual machine, is VMware. So, essentially, VMware creates an isolated network for us on top of our regular operating system, which is usually a Windows or a Linux machine, or it could be a Mac. In my case, it is actually a Windows machine. And this machine is, in turn, connected to the network. Right? And then you have the rest of the internet, right? Starting from your phone. So, the way in which VMware actually works is that it provides a few networking modes of operation. The idea is that you can have as many operating systems as your system can support inside this virtual environment. In this case, let's assume that we have 3 virtual machines, and usually the VMware environment will have something like a switch, or a router. So this is a virtual router or a virtual switch that it uses to connect to the underlying operating system, right? So, there are a few networking modes here. The first one is NAT. This is the most popular one. That stands for Network Address Translation, as you might know from the networking course. So the idea here is that it's a network address translator, right? Which means that your regular network, which is basically the internet, right? If you guys are connected to the NUS network, this would be the NUS network. So, the NUS network, or your regular internet, does not realize that there's actually a VMware network existing here, and the VMware network also does not know much about the internet. So the idea here is that all the packets that go from here all the way through the switch to the external world will not have the source address as the VM. So if the packet is generated from the VM, the source address is usually the VM, right?
But when you use network address translation, this address will be erased, and your underlying operating system's address will be put into the network packets. So, that is the key difference between NAT and the other modes, right? So, NAT is one mode. So, by default in VMware, this is the mode that we will be using. So this mode is suitable for us, mainly because your systems can still talk to the internet, right? But the internet does not know that your system actually exists. Okay? And another salient feature of NAT is that these VMs, which is like VM1 and VM2, or VM3, all three can talk to each other, which is basically what we want. Right? So, in essence, we want one of these VMs to run as a victim machine, and we are assuming that the hacker or the attacker has access to another VM. So, this is the setup that we are working with. So, just to give you... my VM is still starting, so in the meantime, you can see here that the victim VM is one of the VMs, and the initial foothold is another VM. And if you go to Home, it'll be... So, when you go to the VM, you can actually right-click on this and try to go to Settings. And under Settings, you can see that the network adapter, by default, is NAT, which is what we want. And you can also see here that you can change it, in some cases, to bridged. So, bridged basically means that the existence of your VM is known to the rest of the world, right? So, which means that if you are connected to the NUS network, your VMs will actually get NUS IP addresses, right? So, it is sort of a problem, mainly because you don't want to expose your Kali Linux and your victim VM to the rest of the internet, or to the rest of NUS. So, sometimes our network policy or NUS policy may prevent you from running Kali Linux, so you might get an email saying that you're not supposed to run this operating system anyway. Okay, so coming back to this, this is the mode, and you can change it to bridged or host-only.
Host-only is a case where your VMs do not connect to the internet, but rather, it creates a private network where your VMs can talk to each other. This is also good enough for our purposes, but one reason why we chose NAT was that we still needed our VMs to connect to the internet, because we might want to install some tools and things like that. Alright, so let's get back to this. So, in this practice that I've given you, the only thing that you know, as someone who's hacking, is that you have access to a machine called the attacker VM. Right? And this is the only thing that is visible to you, right? And most often, this is also what the regular real-world attackers would have access to. This one is known as the initial foothold, as we have mentioned in the class earlier. So, we know that we have to map out the entire network and try to identify the other devices which are there, but we don't have anything to go by. For example, we can find the IP address of this; we know that the IP address is of the form x.y.z.w. And each of these is actually 8 bits, so you can have 256 numbers here. So that is basically 256 into 256 into 256 into 256. Right, so this is the total number of IP addresses possible. So, obviously, we cannot scan all of them. So scanning all of them is not possible. So, we need something to start with. So, you might ask me, what is the thing that we can use as attackers to do an efficient attack? So, what we are going to rely on is actually how network designers create networks. So, network designers have this habit of creating a network with some X.Y.Z.W, right, as I mentioned here. They just don't create one machine having an IP address, and then something like X.A.m.n. So, you will most likely not find two IP addresses which are totally unrelated to each other in the same network, right?
So what network designers do is they try to allocate the address X.y.z.w to one machine, and the next machine would most likely be X.y.z.(w+1), right? So, it most likely changes in the last octet. So, we are going to rely on something like that, and try to discover the machines that are close by. So, let's go back to our experiment here. So, let's open the terminal and first find what the IP address of this machine is. So ifconfig is the old command that we use for finding the IP addresses. Right? The new one is actually `ip address show`, right? So when I do this, you can actually see that there are two interfaces. So, most of these machines will have this lo interface, called the localhost, or the local interface. So, this is a loopback. lo stands for loopback, actually. And every machine will have this. So, this is not something that is interesting to us, but what is interesting is the actual interface, which is eth0. Right? And this eth0, you can see that it has IP address 192.168.76.130. Right? So, that is X.y.z.w, in this case. As I mentioned earlier, the other VM which is present in the same network, which we already know is the victim VM, but in real life, the attacker may not know if it's a victim or not, but in any case, they will try to discover all the machines in this network. So you can see /24 here. This basically gives a clue as to how the network designers have designed this network. So, /24 basically means that the last 8 bits, right? The last 8 bits of this... This is known as the subnet, and all the other machines in this network can be discovered by changing the last 8 bits one by one. So, the last 8 bits are nothing but the bits that form this 130, so you can actually iterate from 192.168.76.0, 76.1, 76.2, all the way up to 76.255, and that will help you discover all the machines in the network. So let's try to do that.
We can run nmap, which we have taught in the class, and we also looked at some examples of stealth attacks. So, -T5, -T4, these are the options that you can use. So, we are going to use -T4. And along with that, we don't want to do a port scan at the start itself, right? So, one of the reasons why we shouldn't do port scanning at the start is because it takes a lot of time to do it, right? And there are faster ways to discover whether there's a machine first or not. And once you discover that there's a machine, then you can do a port scan, or you can do more specific attacks. Alright, so the command that we'll be using is, we can use -T4 or -T5, but just note that there shouldn't be a space between them. So, we are going to use -T4, and we are also going to use a host-only scan, which is not going to look at the ports which are open in the network; it'll only check if the host is alive or not. So let's try running this. Okay, so this is very quick, and you can see that there are actually 3 VMs in this network, right? So this is our own machine, obviously. So 76.130 is also a part of the result. And you can see that there's .128. This, I suspect, is the victim VM that we are interested in, but there is some other VM also present, which is 192.168.76.2. So this is a bit of a problem. So you can see in my VMware, I have only two VMs running, and there's one more that is present here. So, you can try to fingerprint this and try to find what machine this is, but if you dig a little deeper into this, you will realize that this is actually the host computer, or the Windows operating system, that is hosting your VMware, right? So, going back to the whiteboard, you can see that there was a virtual switch that was created, or a virtual router that was created, and that router has an IP address, and that IP address is 192.168.76.2.
Okay, now that we know that this is possibly the one, you can actually try to do a little bit of investigation to rule out that 76.2 is not interesting to us, and it's actually 76.128. Alright, so now that we have discovered this, our next job is to compromise this machine. And for that, we need to know what tools we can use for this. So, one of the basic tools, or one of the basic things that we need to check, is if there are any backdoors that are already listening on this device. So this is a bit of something that is not very straightforward. Okay, sorry about that. Okay, so we were talking about the fact that we have to check a few things before even bringing in the big guns like Metasploit. So, one of the basic things that you can do is write some NSE script, right? We saw this in the previous lecture, how to write these Nmap scripts, and you can write these scripts to check if these machines actually have a backdoor or not. Right? And the backdoors can, again, be of a few types, but we'll come to that shortly. But checking for backdoors is the first thing that we should do. So, you might ask me, why should I do this, instead of bringing in Metasploit? So the reason why we need to check for backdoors beforehand is that there might be some other attacker in the network who has already exploited these machines. And they might have left a few backdoors open for access in the future. So, if you are an attacker, the first thing that you want to check is to see if there are any existing backdoors which will give easy access into the network without even, you know, tripping the security infrastructure of the network, right? So, backdoors can be of two types. The first one is actually, I mean, these are basically shells which are active on the victim, right? So these are shells. So you can use a few tools like nc, right, for connecting to these. You can say nc, and then give the victim IP. We already know the victim IP. Right?
And then give the port number that you're interested in. Right? Some 123 or something. So that reminds me, we still do not know what all the services running on this machine are, right? So for that, I think we've learned this in the class, you can just say nmap, and then you can say -s, meaning you are doing a scan. And you can do a TCP scan, or you can do a TCP SYN scan, right, and then try to find these things. You can also run the version scan, -sV, and that will print all the versions of the software on these machines. .128. Alright, so let's run this thoroughly, and then we'll wait for the output. Okay, so coming back to this, the first thing that we need to do is to write an NSE script to find if there are any backdoors there which you can take advantage of. Obviously, your script can iterate over the port numbers, or all the ports that you discover, right? There could be some 100 ports that you discover, so you need to give a list of ports that the NSE script can iterate through and try to connect to these backdoors. So this is the first thing for today. And once you do that, and you discover that there aren't any open backdoors on this machine, the second thing that you want to do is to bring in a software like Metasploit that can actually automate the attack for you. So, Metasploit is a framework for launching these attacks, and it can be considered to be an assembly line for the attacks. So what I mean by assembly line is, you can pick and choose what you want to be a part of the attack, and the code for this is already written by someone. So, there are two major things that Metasploit provides. The first one is actually the exploit code. This is very important because we know that programs may have vulnerabilities, right?
Programs may have several vulnerabilities; however, only some vulnerabilities have exploit code attached to them, or rather, someone has actually written an exploit which can take advantage of the vulnerability. So, you might ask me, where can I find these exploit codes? One obvious answer for all of this is actually GitHub. Right? But the problem with GitHub is that many of these exploit codes do not work in the real world, right? So that's a problem. And another place where you can find exploit code is Exploit-DB. So this also contains a lot of exploits, and Metasploit actually plugs into a lot of these data sources, and Metasploit curates some of these that are actually working in the real world, right? So, Metasploit can be used to get the exploit code. So, an exploit is mostly like, you have a 50-storey building, and there is a window that is open on the 50th floor, right? So, you know that there is some vulnerability in this. But you still need to do something to get into the window. If you think of these buildings in the 1970s, 1980s, there was no way by which thieves could enter the 50th floor, right? But today, people may have some drones which actually can fly up to the 50th floor and get into the window. So that's basically what exploit code does. It tries to exploit the vulnerability and get into the house on the 50th floor through the window. Now, once you get in through the window, there are a bunch of things that you can do. You can steal the jewelry, or you just want to, you know, create chaos, and you can just throw things all around. So all these things can be done by the drone. So that is the second part of the attack, which is basically the payload. Right, so the payload basically says what you want to do after you do the exploit. So, payloads can be of multiple kinds. Some of the most popular payloads are obviously to open a shell, right?
You want to open a Linux shell, and then you want to execute your own commands. And likewise, you can also have other things like, you can directly do privilege escalation, right? That can also be done. There are a bunch of things that you can do, so these are all the payloads that are available. So, shell is the one that we will be looking at today. And, I think this is the one that I wanted to mention, one important kind of payload is actually known as Meterpreter. Right? So this is a special tool which Metasploit provides you with, and the objective of this tool is something slightly different. So, to understand the importance of Meterpreter, we have to look at the shell first. So, the key idea is that you start Metasploit; obviously, you don't have access to the victim machine, right? You only have access to the attacker machine. This is the attacker VM, and this is the victim VM. Right? Okay, so the attacker VM is trying to open some terminal, run Metasploit, and it gets shell access on this machine, right? So, essentially, the victim VM can be accessed in the shell right here. But what you can observe after doing that is that once the shell opens in the victim VM, there are only certain commands that you can run. If the shell is a Linux shell, this only supports Linux commands, right? So, Linux commands are very powerful, no doubt about that, but the problem is that Linux commands are not tuned for attacker behavior. Ultimately, you want to launch some attacks on the machine, right? So what the Meterpreter shell provides you with is, it again provides you with a shell, but this shell can understand some specific commands which are tailored for attacks, right? So that is why Meterpreter is very important. Alright, so coming to the shell, there are a couple of shells that are possible today, and the first shell is known as the bind shell. This is the most common way in which you can use, or you can write, a payload.
And the second one is actually a reverse shell. Right? So the difference between these two is basically how the attacker wants to access the machine. Does he or she want it to be stealthy, and so on, right? And it also depends on the network. I will tell you in a moment what I mean by that. So, before going into the details of it, first, let's look at what a bind shell actually is. So here is the attacker VM, and here is the victim VM. Right? So the attacker VM launches this attack. And we said that the payload is delivered, right? So now, let's say what this payload is. If this payload happens to be a bind shell, what that means is that this victim VM will now have a shell. Right? Where it lives. Right? So a shell obviously runs on a port, so this port could be something like... you can decide what port you want, maybe something like 90... or rather 9281 or something like that, right? So you choose the port. And you start the shell, so that is your payload. Once you start the bind shell, the shell is bound to this VM, and it is listening there. Now, what the attacker can do is, he or she can later connect to this shell using the nc program, as I said earlier, and obviously you need to give the IP address of the victim VM, and then say the port number is 9281, and then they can connect to the shell and start executing Linux commands. So this is one way to do this. And the second way to do this is slightly, not so straight. I mean, it is possibly straightforward, but yeah, let's go ahead and see what this does. So again, the attacker VM tries to launch an attack on the victim VM, and first, the payload is delivered. But this time, the payload is actually a reverse shell. Right?
So this reverse shell, again, this is a shell, but what this tries to do is it tries to establish a remote connection back to the attacker VM. This is a remote shell, so again, the shell is available at the victim VM immediately, right? So, in the first case, you first need to do the attack, and then you need to connect. So there are two steps to this, right? This is step A, this is step B. But in the case of a reverse shell, the moment you launch the attack, which is step A, the shell is visible in the attacker machine, right? Now, there are a couple of things here that we need to understand. In both cases, you get the same shell, which has the same privileges, and you have the same Linux commands to execute. But why do we have two ways of doing this? The main reason is because of network security. So the target network may have some firewalls that block connections. So this is also relevant to assignment 2, that we will be doing later. So, firewalls are capable of blocking connections. As it turns out, in the real world, whenever some connection comes from outside the network to inside, the rules are tougher. Tougher rules, right? Which means that if you open a bind shell, and later the attacker VM tries to connect to it, it is likely that there's a firewall here that will try to block this connection. Which means that this bind shell is useless, right? So, in such cases, attackers prefer to have a reverse shell. So, a reverse shell can actually go through the firewall. The reason is because in a reverse shell, you can see here that the victim VM is starting the connection to the attacker VM. So the origin of the connection is the victim VM, which is inside your network. So the firewall will not block this. So the firewall, if it was somewhere in between, will say this connection can pass. So that is one reason why people typically prefer reverse shells.
Now, coming to the next part of it, this is a subtle point, but still something that is very important. So, the question here is, the attacker VM may not always want to use their attack machine again for connecting later, right? What I mean by that is, let's say there's an attacker VM, right? The attacker VM has launched the attack on the victim VM. But the attacker, for some reason, for stealth reasons or things like that, doesn't want to connect to the victim VM using the same machine, but now they want to use another machine, right? Let's say, a new attack VM, right? So, from here, they somehow want to connect to this victim VM. So, let me change the color of my pen, just to show that there's a difference. Now, you have the new attack VM. In the first case, which is the bind shell, there's already a port that is open here. So, in this case, when the attacker wants to launch the attack from a new VM, they can just, again, use the nc command, give the IP address of the victim VM, and give the port 9281, and the new attack VM will be able to connect to the bind shell, right? So this is perfectly fine. It's very simple to do this. But if you want to do the same thing with a reverse shell, this is not so straightforward, because, as you can see, in the case of a reverse shell, the connection is initiated by the victim VM. You can see that the victim VM is starting this remote shell with the attacker VM, right? So, somehow the victim VM should know, instead of starting the remote shell on the attack VM, it somehow needs to start this remote shell on this new address, right? So this is a problem. So for this reason, when you originally launch the attack, right, there are some attack parameters that you can set. So, in the attack parameters, you can set that the IP address of the eventual machine on which you have to open the reverse shell is actually the new VM, right? So that is configurable.
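The two shell shapes just described leave different traces on the victim: a bind shell is a shell or netcat process listening on a port, a reverse shell is a shell process holding an outbound connection to the attacker. The following is an added example, not code from the lecture, showing a defender-side check over `ss -tnpa` style output that flags both. The socket listing, process names and PIDs are constructed for the example; the ports 9281 and 444 are the ones used in the lecture.

```python
"""Added example (not from the lecture): flag sockets owned by a shell or
netcat process in `ss -tnpa` style output. A LISTEN socket owned by such a
process looks like a bind shell; an ESTAB socket owned by such a process
looks like a reverse shell calling out. The listing below is constructed."""
import re

# Process names that normally have no business owning a network socket.
SHELL_PROCS = {"sh", "bash", "dash", "nc", "ncat", "netcat", "socat"}

# Extracts the process name and pid from ss's users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

# Constructed sample in the layout of `ss -tnpa` as run on the victim VM.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*            users:(("sshd",pid=700,fd=3))
LISTEN 0      1      0.0.0.0:9281          0.0.0.0:*            users:(("nc",pid=1311,fd=3))
ESTAB  0      0      192.168.76.128:22     192.168.76.130:51822 users:(("sshd",pid=900,fd=4))
ESTAB  0      0      192.168.76.128:43122  192.168.76.130:444   users:(("sh",pid=1402,fd=1))
"""


def parse_ss(text):
    """Return one dict per socket line of `ss -tnpa` output; the header is skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        proc_col = parts[5] if len(parts) > 5 else ""
        m = _PROC_RE.search(proc_col)
        lhost, lport = local.rsplit(":", 1)
        phost, pport = peer.rsplit(":", 1)
        sockets.append({
            "state": state,
            "local": (lhost, int(lport)),
            "peer": (phost, pport),          # peer port is "*" for listeners
            "proc": m.group(1) if m else "",
            "pid": int(m.group(2)) if m else None,
        })
    return sockets


def suspicious_sockets(sockets):
    """Classify shell-owned sockets by direction: listener (bind) or outbound (reverse)."""
    findings = []
    for s in sockets:
        if s["proc"] not in SHELL_PROCS:
            continue
        if s["state"] == "LISTEN":
            findings.append(("bind-shell-like listener", s["local"][1], s["proc"], s["pid"]))
        elif s["state"] == "ESTAB":
            peer = f"{s['peer'][0]}:{s['peer'][1]}"
            findings.append(("reverse-shell-like connection", peer, s["proc"], s["pid"]))
    return findings


if __name__ == "__main__":
    for kind, where, proc, pid in suspicious_sockets(parse_ss(SAMPLE_SS)):
        print(f"{kind}: {where} owned by {proc} (pid {pid})")
```

On the constructed listing this reports the netcat listener on 9281 and the `sh` process connected out to 192.168.76.130:444, while the two sshd sockets are left alone. Note the firewall point from the lecture shows up here as well: the reverse shell entry is an ordinary outbound TCP connection, which is exactly why a perimeter rule that only filters inbound connections will not see it; host-side checks like this one, or egress filtering, are what catch it.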
You can either give the attacker VM's IP here, or if the attacker wants a new machine to have the reverse shell, then they can give the IP address of the new attack VM. Okay, that's pretty much what I had in terms of theory. We are going to now practice some of these things that I just mentioned. Okay, as a next step, what we are going to do is run nmap with this additional option, -p-. The main reason why we want to run this is because normally, when you run Nmap, even with the -sV option, it will only run on the top 1000 ports which are used in the world. So, when I say top 1000 ports, it doesn't mean port number 0 to port number 1000, but rather, they have some heuristics through which they find what all the common ports are that are used around the world by services, and they will only scan for those ports. So, if these machines have some services, critical services, running at some other port, then Nmap will skip that. So if you don't want Nmap to skip some ports, you can use this option, -p-. And now we are going to run this. Of course, this will take some time, but I have gotten the output of both of them beforehand for you. So, this was the one without the -p- option, and you can see that this is the one with the -p- option, and I am comparing the two texts, and you can see here that in the case of -p-, it does say that at port number 513, there is actually a question mark, which seems to imply that there is some service running here, but it is not sure of it. And another thing to notice is, you can now see that there are some other ports which could be of interest to us, right? So these are the different ports. Alright, so usually what I do is, when you have a lot of services running here, even before you go to the attack phase, you try to use some legitimate programs to connect to these ports and see if you actually get a shell, right?
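Two things in the scanning part of the lecture lend themselves to a small script: turning the interface address (192.168.76.130/24) into the /24 range to sweep, and comparing the default top-1000 scan against the `-p-` scan to see which ports and which unidentified ("?") services only the full scan revealed. The following is an added example, not code from the lecture, that does both over Nmap's grepable output (`-oG`). The scan lines below are constructed to mirror the lecture's findings (three live hosts, port 513 showing `login?`); the service versions and the extra port 8787 are made up for the example and are not the lecture's real output.

```python
"""Added example (not from the lecture): derive the /24 host range from an
interface address, then parse Nmap grepable (-oG) output to list live hosts
and to diff a default (top-1000) service scan against a -p- scan.
All scan text below is constructed for the example."""
import ipaddress
import re

# Matches "Host: <ip> (<hostname>)<tab>field: value<tab>field: value..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+(.*)$")

# Constructed output of: nmap -T4 -sn -oG - 192.168.76.0/24
SWEEP = """\
# Nmap scan initiated (constructed) as: nmap -T4 -sn -oG - 192.168.76.0/24
Host: 192.168.76.2 ()\tStatus: Up
Host: 192.168.76.128 ()\tStatus: Up
Host: 192.168.76.130 ()\tStatus: Up
# Nmap done (constructed) -- 256 IP addresses (3 hosts up) scanned
"""

# Constructed output of: nmap -T4 -sV -oG - 192.168.76.128   (top-1000 ports)
DEFAULT_SCAN = """\
Host: 192.168.76.128 ()\tPorts: 21/open/tcp//ftp//example-ftpd 1.0/, 22/open/tcp//ssh//example-sshd 2.0/, 139/open/tcp//netbios-ssn//Samba smbd 3.0.20/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20/\tIgnored State: closed (996)
"""

# Constructed output of: nmap -T4 -sV -p- -oG - 192.168.76.128   (all 65535 ports)
FULL_SCAN = """\
Host: 192.168.76.128 ()\tPorts: 21/open/tcp//ftp//example-ftpd 1.0/, 22/open/tcp//ssh//example-sshd 2.0/, 139/open/tcp//netbios-ssn//Samba smbd 3.0.20/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20/, 513/open/tcp//login?///, 8787/open/tcp//unknown///\tIgnored State: closed (65529)
"""


def hosts_in_subnet(cidr):
    """All host addresses of the subnet an interface address sits in.
    ip_interface keeps the host bits, so '192.168.76.130/24' yields .1 to .254."""
    network = ipaddress.ip_interface(cidr).network
    return [str(h) for h in network.hosts()]


def parse_grepable(text):
    """Parse -oG lines into {ip: {"up": bool, "ports": {port: (proto, service, version)}}}."""
    result = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line.strip())
        if not m:                      # comment lines and blank lines
            continue
        ip, rest = m.groups()
        entry = result.setdefault(ip, {"up": False, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for item in value.split(", "):
                    # Each item is port/state/proto/owner/service/rpc/version/
                    cols = item.strip().split("/")
                    if len(cols) >= 5 and cols[1] == "open":
                        version = cols[6] if len(cols) > 6 else ""
                        entry["ports"][int(cols[0])] = (cols[2], cols[4], version)
    return result


def live_hosts(scan, self_ip):
    """Hosts that answered the sweep, excluding our own address, in address order."""
    return sorted((ip for ip, e in scan.items() if e["up"] and ip != self_ip),
                  key=ipaddress.ip_address)


def ports_only_in_full_scan(default_scan, full_scan, ip):
    """Open ports the -p- scan found that the top-1000 scan did not."""
    default_ports = set(default_scan.get(ip, {}).get("ports", {}))
    full_ports = set(full_scan.get(ip, {}).get("ports", {}))
    return sorted(full_ports - default_ports)


def unidentified_services(scan, ip):
    """Ports where Nmap's service guess carries a trailing '?' (not confirmed)."""
    return sorted(port for port, (_, service, _) in scan[ip]["ports"].items()
                  if service.endswith("?"))


if __name__ == "__main__":
    me = "192.168.76.130"
    print("subnet hosts to sweep:", len(hosts_in_subnet(me + "/24")))
    print("live hosts besides me:", live_hosts(parse_grepable(SWEEP), me))
    full = parse_grepable(FULL_SCAN)
    extra = ports_only_in_full_scan(parse_grepable(DEFAULT_SCAN), full, "192.168.76.128")
    print("ports only -p- found:", extra)
    print("unconfirmed services:", unidentified_services(full, "192.168.76.128"))
```

The `?` is Nmap's own convention for a service it guessed from the port number but could not confirm by probing, which is the signal the lecture uses to go and look at port 513 by hand; the same comparison is useful on the defending side, because a port that only a full scan shows is exactly the kind of listener an inventory built from default scans will miss.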
So, for instance, if there's something like an NFS program, right? You can actually try to connect through the network file system and see if anything is being mounted from that, right? So that's one way to do it. But of course, if you have a lot of services, it's a bit tedious, I can understand, but this is usually how you should proceed. Okay, so I will be starting now with a service that seems very suspicious to me, which is the question mark. Usually, you get a question mark if Nmap is not able to identify for sure what the service is. And it's usually a very nice trick in CTFs, because we don't use the regular services in the CTFs, right? So, if it comes with a question mark, it means that Nmap is not aware of this service. So, that's the reason why I'm going to try this out, port number 513. Alright, so this is still executing, but yeah, at the end of it, you will get the same result. So, let's try the nc command, right? So this is our nc command. You give nc, and then you give the IP address, followed by the port number. Alright, so it doesn't say anything, so, if nc were to connect, then I should be able to run some commands, like whoami or something like that, but it exits right away, which implies that it could still be a backdoor, but this is not the right program for it. Usually, I just cross-verify by trying telnet also, right? And when I try something like whoami, it says connection closed by foreign host. So this is probably not the right thing. So, what I did next was, I tried searching online to see about this program called rlogin, right? It says OpenBSD or Solaris rlogind, right? So rlogind is a daemon program for rlogin.
And I just looked at it a little bit, and I was searching for information on this, and I stumbled on something which is very interesting, which is that instead of using telnet or nc, you can use this custom program called rlogin, which is a native program for running rlogin, and you can give the IP address of the target, 76.128, and then you give the username for this, right? Of course, you don't know the username, so I looked at a few popular usernames. One of the usernames that is typically found in these machines is root. So you just say -l root. And it seems to be connecting, but of course, we don't know the password, right? Obviously, we don't know the password for the VM. So, we cannot do this, but the good news is it is a legitimate rlogin service, right? So, I tried using some tricks on rlogin, like the other user accounts. And apparently, there's a user account called daemon that you can try, and when I tried this, it actually went into the... so this appears to be a program that is probably left behind by some other attacker, or maybe the administrator of the system has this program and they did not secure it properly. And of course, once you're here, you can use ifconfig or `ip address show`, and find, or verify, that the IP address is actually correct. Right, so this is fun. And you can try to go online to see what the username is. That's, of course, given. We don't have root access on this machine, but we still have access on this machine. Okay, this is a simple attack that I wanted to show you. But this is not the only vulnerability in this machine. Right, so let's go back to the output of this, and you can actually see here that there are a few services that are known to be vulnerable, and one of them is actually the Samba service, right here. So, this is what we are going to do next. Alright, so you can start Metasploit by using this command called msfconsole.
It takes quite a bit of time to open this, and that's the reason why I started earlier. And once it finishes, you should be able to see the Metasploit console, the MSF console, here like this. So the console supports a lot of commands, and some of them we will learn along the way. So, the first thing, once we decide that we want to target the Samba vulnerability, is to identify the exact version of Samba. The reason for this is because there are lots of exploits for Samba, depending on what version is running on the system. Just to give you an example, let me try searching for the Samba vulnerability. And you can see that there are about 77 vulnerabilities related to Samba, right here. So unless you specify the version, it's very difficult to do a search. And you can also see the success rate of these things, which I thought was quite interesting. So, if it's manual or normal, it's typically not preferred by hackers, but if it is excellent, that means that you have a very high success rate. Okay, so coming back to this, we need to find the version of the Samba server for us to be more focused in our attack. So for that, we can use a Metasploit module for SMB version detection. Obviously, you can't remember everything, but you can use the search, or you can use Google search, to basically find the right commands for this. So here you can see that we are asking it to use this module called smb_version, and it switches to this particular module. And in case you want to go back, you can just say back, and then you'll be back to the original console, right? Okay, now we want to find the version, so we are using this module for our execution, and we have to set the parameters. Obviously, we need to say what the target machine is, to find the Samba version running inside it. So, let's try to set the RHOST.
RHOST is the remote host which we are trying to target, and here I'm setting the IP address to .128, as before. And now, I can run the module by just saying run. But there are some modules which require some additional options, like port number and stuff like that. If it requires that, then you can give it, otherwise you can just... Okay, it says that it detected Samba running at port number 445 and port number 125. This is consistent with what we saw here. You can see here, there's Samba, Samba here, right? 139, and 445. So these are the two ports, but we don't know the actual version. So that's the problem there. Right? Okay, so port 44... There's another key point here, which is that port number 139 is not detected by this, which means that it could be a modified version, or it could be a version that is not supported by Metasploit, or not detected by Metasploit. Okay, 445 is our port number, so we are sure now. And this is the version, 3.0.20. So now, let's select this, and then we'll run a search for a more specific exploit on Samba with this particular version number. Okay, so that worked. You can see that this is the exploit. So, if you have multiple exploits, you'll get the numbers 0, 1, 2, 3, right? So, in this case, there's only one exploit, so I will just say use 0. So this is the exploit that we are going to use. And you can see here that it says no payload is configured, which means after you execute this exploit, it doesn't know what to do, so you need to tell it what it has to do. But before saying, or rather the way to say what it has to do is by setting the options, but let's start by setting the simpler options, which is setting the RHOST, or the remote host, to the right IP address, and you can also set the payload. Alright, so for the payload, you can decide what you want to do. In this case, I want to keep it simple, and I want to get a shell as soon as possible, so I'm just going to use a reverse shell.
This is a normal Unix reverse shell, right? So I'm just going to set this, and then I'm going to set… for a reverse shell, I need to say the target machine, or rather, the machine where the shell should open, which is my own machine, which is the same machine in which I'm working. So, I set the IP address to .130, and that's the IP address of the current attacker machine, the Kali Linux. And I'm going to set the port number to some random number, something like 444. Okay, so I've set all the options, and now one thing that is remaining for me to do is just say run. So, obviously, something is happening here. You need to wait, you need to be a bit patient. And you can see here that the command shell has actually opened. Right, so the shell has opened, but you don't actually see the shell, the terminal, something like this arrow mark and stuff like that. That is because this shell is a reverse shell, and it's opening remotely. So you can directly start running your commands, like whoami. And you can see here that we already have root access to this machine. Just to confirm, let's try running an ifconfig to see what is the IP address of the machine. You can see here that the IP address is 192.168.76.128, which is the correct one, right? Okay, so now we are in the session. Obviously, there is a chance that you might want to go back, and then log in back to this session later, right? So you can just press Ctrl-Z. Ctrl-Z will put this, the shell, in the background. So it says Background Session 1, I'll just say yes. Alright, so that's… that session is running in the background. Later, I can go back to it. So, in order to list all the sessions, I can just say session -l… -l stands for listing. Sorry, I think it's sessions. Amazing. And you can see here that with ID 1, there is a shell that is waiting for me to arrive. And I can just say -i, and then give the name of the… or the number of the session. Right, so now I'm back to the shell.
Now, when I again do whoami, I should get root. So I'll again put this shell into the background. Alright, so this is how attackers can keep persistence on this. Alright, so just to give you some additional details, I'll just go back from this module and try something different. So, there is a more advanced shell known as Meterpreter, which I mentioned slightly earlier. In order to start that, you need to use a different payload, because the regular reverse shell will not open the Meterpreter shell, so you need to set a different, a different payload called x86, and then meterpreter/reverse_tcp. So this is also a reverse shell, but this is from Meterpreter. When I tried running this, I did not have these modules on my machine, so that's the reason why it did not work, so I'm not going to show you, but in case you're interested, this is how you can set, or you can use a different payload. Alright, so that is pretty much what I had to show. We saw, in summary, how to do network scanning using some stealth options and discovering the machine, and most importantly, we wanted to find all the services that are running. So, we used two options for nmap. The first option gave us some answers, but this is not all the ports that are there on the machine. These are only the popularly used ports which are open. And if you want to run on all the ports, we used an option for that called -p-, and then it showed us these additional ports that were open. And, another point of interest was this question mark. So, we went ahead and tried to see if we can use Netcat, and we can use telnet, and also rlogin to log in. And finally, rlogin succeeded, and we were able to log in to this port. That was a simple attack. Now, we also had looked at a few Samba-related attacks, so we used Metasploit for this. We first searched for the correct Samba version to target, and once we found the correct target version, then we searched for vulnerabilities.
Which you can see here, somewhere above. And once you got the vulnerability, for example, this one, we use the vulnerability and set all the options that are required. There are two options which are important to us. One is a reverse shell, another one is a bind shell. So, in this case, we used a reverse shell to connect, and set the appropriate options. And finally, we got a shell. Okay, that completes this lecture. Thank you for listening.