Post Exploitation
n00bpentesting.com
Lab Guide Four

Contents
• Prerequisites (Hardware, Software) – page 3
• Topics Covered – page 4
• A Note – page 4
• Before You Begin – page 4
• Lab One – Post Exploitation – page 5
• What’s Next? – page 8
Twitter @shai_saint
Prerequisites

Thank you for downloading the n00bpentesting.com Lab Guide Four. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.

Hardware
• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard drive with at least 50GB

Software
• VirtualBox Virtualization Software: http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine: http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine: supply your own copy or use a NIST image, NIST: http://nvd.nist.gov/fdcc/download_fdcc.cfm
• Metasploitable Virtual Machine: http://updates.metaspoit.com/data/Metasploitable.zip.torrent
Topics Covered
• Post Exploitation
A Note
All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester, or anyone who wants to move into this field, should read and regularly reference the standard. It can be found here: http://www.pentest-standard.org/
Before You Begin

It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success.

To update BackTrack, at the command prompt type:
apt-get update && apt-get upgrade && apt-get dist-upgrade
and press ENTER.

To update SET, at the command prompt type:
cd /pentest/exploits/set && svn update
and press ENTER.

To update Metasploit, at the command prompt type:
cd /pentest/exploits/framework && svn update
and press ENTER.
Lab One – Post Exploitation

In this lab you will learn how to escalate privileges by using information gained from the initial exploitation of the target. Once the privileges have been escalated to “root”, it is game over: the target system is completely under the control of this user. We were able to show two ways to exploit the target system (hint: there are many), first using Metasploit, and second using a specially crafted URI. Once the exploit was successfully launched, access to the /etc/passwd file provided insight into the accounts available on the target system, which can be used in a brute force password attack.

1. In the running meterpreter session type: download /etc/passwd, press ENTER

Now that the /etc/passwd file has been downloaded to the BackTrack VM, a password brute force tool can be used to try to obtain a valid set of credentials. We will use a tool called medusa to brute force the password of the msfadmin account. We are telling medusa to try to log in to host 192.168.99.102 as user msfadmin using the password file darkc0de.lst, to try a password the same as the username, and to use SSH for the login attempts.
2. At the command prompt type: medusa -h 192.168.99.102 -u msfadmin -P /pentest/passwords/wordlists/darkc0de.lst -es -M ssh, press ENTER

Success! The user msfadmin has a password of msfadmin. Now this account can be used to log in to the target via SSH.

3. At the prompt type: ssh msfadmin@metasploitable_IP_address, when prompted for the password enter msfadmin
Though the login was successful, msfadmin is not root and is not currently running as root. This is indicated by a prompt ending in $. Hopefully, msfadmin is in the sudoers file and we can sudo to root. Let’s give it a try.

4. At the command prompt type: sudo -i, press ENTER

5. When prompted for the password enter “msfadmin”

The command prompt will change to end in a #, which indicates the user is now running as root. GAME OVER!!! The user privileges were successfully escalated to “root”, which now has access to /etc/shadow, where the hashed passwords for all accounts on the system are stored. This file can be fed to John the Ripper to be cracked offline. Files and services can be uploaded and started for persistence and further exploitation on the network where the target resides.
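As an added, defender-side example that is not part of the original guide: the activity in steps 2 through 5 (repeated SSH password failures from one source, a successful login from that same source, then sudo to root) leaves a distinctive trail in the target's auth.log. The Python below runs over constructed sample log lines (the 192.168.99.101 source address, process ids and timestamps are made up) and flags all three stages; the regular expressions assume the standard OpenSSH and sudo syslog message formats.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not captured from a real system) modelling
# a password-guessing run against msfadmin, the resulting login and a sudo to root.
SAMPLE_AUTH_LOG = """\
May  3 10:01:01 metasploitable sshd[2201]: Failed password for msfadmin from 192.168.99.101 port 40122 ssh2
May  3 10:01:02 metasploitable sshd[2203]: Failed password for msfadmin from 192.168.99.101 port 40124 ssh2
May  3 10:01:02 metasploitable sshd[2205]: Failed password for invalid user admin from 192.168.99.101 port 40126 ssh2
May  3 10:01:03 metasploitable sshd[2207]: Failed password for msfadmin from 192.168.99.101 port 40128 ssh2
May  3 10:01:03 metasploitable sshd[2209]: Failed password for msfadmin from 192.168.99.101 port 40130 ssh2
May  3 10:01:04 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.99.101 port 40132 ssh2
May  3 10:02:10 metasploitable sudo: msfadmin : TTY=pts/0 ; PWD=/home/msfadmin ; USER=root ; COMMAND=/bin/bash
May  3 10:05:00 metasploitable sshd[2300]: Accepted publickey for backup from 10.0.0.5 port 51000 ssh2
"""

# Standard OpenSSH and sudo syslog message shapes
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")


def analyze_auth_log(text, threshold=3):
    """Return alert strings for: a source reaching `threshold` failed SSH logins,
    a successful login from such a source, and a sudo-to-root by that user."""
    failures = defaultdict(int)   # source IP -> failed password attempts seen
    suspicious_users = set()      # users whose login followed a failure burst
    alerts = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            if failures[src] == threshold:   # alert once, when the threshold is hit
                alerts.append(f"brute-force: {threshold} failed SSH logins from {src} (last user tried: {user})")
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:
                suspicious_users.add(user)
                alerts.append(f"success-after-failures: {user} from {src} after {failures[src]} failures")
            continue
        m = SUDO_ROOT.search(line)
        if m and m.group(1) in suspicious_users:
            alerts.append(f"privilege-escalation: {m.group(1)} ran {m.group(2)} as root after a suspicious login")
    return alerts
```

The key-based login from 10.0.0.5 in the sample produces no alert, since no failures preceded it; on a real host the same logic would be fed from /var/log/auth.log and the threshold tuned to the environment.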
What’s Next?
Continue to explore and practice, over and over again. The Metasploitable image has several vulnerabilities; in fact, the same vulnerabilities we exploited in one manner can be exploited by other methods as well. More guides will become available on n00bpentesting.com.