Metasploit Framework (Lab 6)
Week 3 Day 1
Last Update Unknown
LinuxZoo - Kali Lab 6
Question 3: Network scanning with nmap
Use nmap to sweep the target network, and identify the IP address of target 1. Use the appropriate flags to keep this scan efficient.
On the target machine, list the first 3 port numbers found in numerical order using a standard nmap portscan of the common ports open on the target.
Question 4: Operating System Fingerprinting
After discovering a target system, we want to identify which OS it might be running.
From Kali using nmap, perform an OS Fingerprint Scan on the TARGET XP machine, using a SYN scan of all default ports, with no name resolution and no host discovery.
Question 5: Port Scanning for Services
Port scan the target, first performing an nmap port scan on all default TCP ports, with no name resolution, no host discovery, and using the --reason flag to get details of the port responses.
Question 6: Enumeration/Fingerprinting of Services
Nmap can be used to manually check applications and versions for network services running on the open ports it finds. The -sV flag can be used to do this: nmap -sV -n target_IP.
Perform an Application Fingerprint Scan on the TARGET system(s), with no name resolution, no host discovery, and only on the range of ports you discovered previously, specifying ports such as:
nmap ... -sV -p100-140,445... -
Question 7: Vulnerability Scanning
We would typically now perform a vulnerability scan against our target using a full blown scanner such as OpenVAS.
As Windows SMB services are running, we could perform a quick assessment using the nmap NSE script smb-check-vulns, which checks for some of the most well known vulnerabilities.
To run the script:
Which SMB vulnerability was highlighted on target machine?
Question 8: Metasploit Exploit Framework
The various elements of the Metasploit Framework (MSF) are stored under the directory /usr/share/metasploit-framework, including the exploit and payload Ruby scripts themselves.
Change to this directory, and list the contents.
Change to the modules directory and list the contents.
Which directory holds the built in vulnerability scanners?
Change to the exploits directory and list the contents.
How are the exploits sorted?
Where might exploits which work on several different OSes be stored?
Change to the directory where the Windows exploits are, and list the contents.
How are the Windows exploits sorted?
Note: The exploits contained here are for the OS and applications which run on the OS.
Change to the directory where the Windows Server Message Block (SMB) exploits are, and list the contents.
Edit one of the Ruby exploit scripts (or use less to view), for the well known vulnerability MS08_067.
What is the associated CVE for this exploit script?
Google for the CVE and check the MITRE database (cve.mitre.org). What date was the vulnerability entry created?
Google the OSVDB entry (osvdb.org). What versions of Windows XP Professional are vulnerable?
In the Ruby script find the 'Targets' section, and within it find the Windows XP SP0/SP1 section.
What is the return address of the exploit’s shellcode for an XP target system?
Navigate back up to the modules/ directory and change into the payloads directory, and list the contents.
How are the payloads sorted?
Where might an atomic Bind Shell payload be stored?
Where might the staged Meterpreter payload be stored?
Change into the singles payload directory, and then into the windows payloads directory.
Which payload would be used to create a new user on the target machine?
Which payload would be used to create a TCP listener on a port on the target, and create and bind a command shell to it?
Edit the adduser.rb script.
Which Windows command is executed on the target machine to create the new user?
Edit the shell_bind_tcp.rb script and review the payload itself.
How many bytes of shellcode are in the payload?
Question 10: Metasploit MsfConsole Interface
From Kali, start the Metasploit msfconsole interface from a terminal window. You should get a strange and fairly unique ASCII graphic:
Which version of Metasploit is reported?
What is the initial msfconsole prompt?
The MSF command use allows us to select the exploit we want. Paste the exploit name onto the msfconsole command line:
use exploit/windows/smb/ms08_067_netapi
What has the msfconsole prompt changed to?
The show options command can now be used to check the options for the selected exploit and payload modules:
Which options are mandatory and currently not set?
Set any mandatory options needed to run the exploit:
Which port is the Bind Shell payload going to start the listener on?
To send the exploit and payload to the target, use the exploit command.
Did the exploit work, and has the reverse shell payload been launched? Check using the Windows ipconfig command.
Have you successfully got a Windows command shell on the target machine?
What is the IP Address of the target reported from the ipconfig command?
What is the current working directory, using the Windows cd command?
From the target machine shell, check the network services running, and especially any established connections, using netstat -an
Can you identify the bind shell MSF payload connection?
Check the associated processes for the payload connection using the netstat command and adding the -o flag
Review the running executables and the associated processes using the Windows command tasklist
Can you identify the process id (pid) for the bind shell MSF payload connection?
Can you identify the executable process the bind shell is attached to?
Question 11: Log onto the Target Windows XP System
Let's log on to our target and check these things.
From Kali, open a new terminal window and get a VNC remote desktop to the target, using the ssvnc tool. From the new terminal window type:
ssvnc
In the Host:Display enter “:52”, for Remote SSH Command select “None” and click Connect
On the target machine, again check the listening services and established connections using netstat -an
From Kali, check the listening services and connections using ss -ln and ss -an
Can you identify the bind shell MSF payload connection?
Which machine is the client and which is the server (handler) for this Bind Shell payload?
Which port is the server listening on?
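The questions above (Questions 10 and 11) ask you to read netstat and tasklist output by hand to find the payload's listener, its PID and its owning executable, and to decide which host is the server. The following Python script is an added example, not part of the lab material: it parses constructed sample `netstat -ano` and `tasklist` output (the addresses, ports and PIDs are made up, not captured from the lab hosts) and applies the same reasoning a defender uses when reviewing a host: an established connection whose local port is also bound as a listener means this host accepted the connection (bind-shell pattern); otherwise this host initiated it (reverse-shell pattern). The expected-port set is an assumption for the example.

```python
"""Correlate `netstat -ano` and `tasklist` output to find the process behind a
listener or connection, flag unexpected listeners, and decide whether this
host is the server or the client for each established connection."""
from collections import namedtuple
import re

Conn = namedtuple("Conn", "laddr lport faddr fport state pid")

# Constructed sample output resembling a Windows XP host; not captured from the lab.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1056
  TCP    10.0.0.20:4444         10.0.0.10:38422        ESTABLISHED     1056
  TCP    10.0.0.20:1041         10.0.0.10:777          ESTABLISHED     1056
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                   1056 Console                    0      4,212 K
winlogon.exe                   620 Console                    0      2,764 K
"""

# Assumed baseline: TCP ports this host is expected to expose. Anything else
# listening is worth investigating.
EXPECTED_PORTS = {135, 139, 445}


def parse_netstat_ano(text):
    """Parse Windows `netstat -ano` output; TCP rows only (UDP rows carry no state)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, foreign, state, pid = parts
        laddr, lport = local.rsplit(":", 1)
        faddr, fport = foreign.rsplit(":", 1)
        conns.append(Conn(laddr, int(lport), faddr, int(fport), state, int(pid)))
    return conns


# Image name (may contain spaces), PID, session name, session number, memory "N K".
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header and separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def unexpected_listeners(conns, procs, expected=EXPECTED_PORTS):
    """Listening TCP ports outside the baseline, each with its owning PID and image."""
    return [(c.lport, c.pid, procs.get(c.pid, "?"))
            for c in conns if c.state == "LISTENING" and c.lport not in expected]


def classify_established(conns, procs):
    """Label each ESTABLISHED connection with this host's role.
    Local port also bound as a listener -> this host accepted it (server, bind-shell
    pattern). Otherwise this host connected out (client, reverse-shell pattern)."""
    listening = {c.lport for c in conns if c.state == "LISTENING"}
    result = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        role = "server" if c.lport in listening else "client"
        result.append({"local": f"{c.laddr}:{c.lport}", "remote": f"{c.faddr}:{c.fport}",
                       "role": role, "pid": c.pid, "image": procs.get(c.pid, "?")})
    return result


if __name__ == "__main__":
    conns = parse_netstat_ano(SAMPLE_NETSTAT)
    procs = parse_tasklist(SAMPLE_TASKLIST)
    for port, pid, image in unexpected_listeners(conns, procs):
        print(f"unexpected listener tcp/{port} owned by pid {pid} ({image})")
    for r in classify_established(conns, procs):
        print(f"{r['local']} <-> {r['remote']}: this host is the {r['role']}, "
              f"pid {r['pid']} ({r['image']})")
```

Matching on the port number alone (rather than address and port) is deliberate: a listener bound to 0.0.0.0 accepts connections that netstat then reports with the interface address, so an exact address match would miss the bind-shell case. The same two-step check (is the local port also in LISTEN? who owns the PID?) is what you apply to the `ss -ln` / `ss -an` output on the Kali side to answer which machine is the handler.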
Reverse Shell Payload
From Kali, we can use the same exploit, but this time let's swap the payload for a TCP Reverse Bind Shell payload, and set the PORT for the listener to 777.
Which extra option is mandatory for the reverse shell payload? Why?
Set the options needed and run the exploit against the target XP machine.
Did the exploit work, and has the reverse shell payload been launched? (Check using the ipconfig command.)
From Kali, check the listening services and connections using ss -ln and ss -an
On the target server, check the listeners and connections using netstat -n
Which machine is the client and which is the server (handler) for this payload?
Meterpreter Shell Payload
Use a Reverse TCP Meterpreter Shell payload, and check the options needed.
Set the LOCALHOST option to the appropriate value, and the listening port to be 777.
Which machine will run the listener (the reverse handler) on the specified port?
From Kali, check the services running and established connections using ss -an.
On the target machine, check the listening services running and connections using netstat -an
Which machine is the client and which is the server (handler) for this payload?
Which port is the Meterpreter payload communicating to our Kali machine on?
In the Meterpreter shell, we have a range of Meterpreter commands for Windows target post-exploitation. The UP ARROW key and TAB key work. Check the Meterpreter shell help using the Meterpreter ? command.
Note: Use the lecture notes as reference; most commands have help via -h
Which Meterpreter command gets information about the target system?
Which Build of XP is reported by the command?
Check the network address of the target with the Meterpreter ipconfig command
What is the MAC address of the target system's Ethernet interface?
Check the username we are running as on the target using the Meterpreter command getuid
What is the user we have inherited on the target? Why is this?
From the Meterpreter shell, check the running processes on the target using ps
Find the process id of the exploited process which Meterpreter is running inside.
What is the process id which Meterpreter is running in?
What is the name of the process?
If we had exploited a process which may crash, or which the user might close, Meterpreter facilitates moving between processes. We would typically migrate to a process which will not terminate.
What is the process id of the winlogon.exe process?
From the Meterpreter shell use the migrate command to move processes to the winlogon.exe process.
What is the process id which Meterpreter is now running in?
Check the current working directory with the Meterpreter command pwd
What is the current working dir?
Use Meterpreter command lcd to change to the root user’s home directory on the Kali machine. Then change to the Windows directory on the target box.
Download the winnt.bmp file from the target using the command download
What size is the downloaded file?
The search command can be useful in finding files on the target. Locate all the ntuser.dat.log files.
Which directory are all these files under?
Kali provides us with many useful tools which we can upload to a target.
From Kali, change to the /usr/share/windows-binaries directory and list the contents.
In the Meterpreter shell, change to the c:\test dir on the target machine.
Use the upload command to upload the nc.exe Windows netcat executable to the target machine.
Is the nc.exe now listed in the c:\test dir on the target?
We can also spawn a cmd.exe shell on our target. This extra layer of shell can be useful: if the cmd.exe crashes or exits for some reason, we still have our Meterpreter shell and can create another shell.
Try the shell command
Now from the new shell, use the Windows tasklist command to display the running processes on the target.
What is the process id of this cmd.exe shell?
Check the user accounts on the target with: net user
As we have SYSTEM privileges, let's add a user to the target machine for future use.
This type of activity would have to be within your rules of engagement and perhaps discussed with the customer!
net user username userpasswd /add
Has the user account been successfully created?
We can use the Windows shell to review machines the target has been in contact with, which could be interesting to check if they are in the scope of the penetration test. For example, by dumping the target's ARP cache:
arp -a
Which IP Addresses are listed?