
CNIT 124: Ch 8: Exploitation


Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education

  1. CNIT 124: Advanced Ethical Hacking Ch 8: Exploitation
  2. Topics • Metasploit Payloads • Exploiting WebDAV Default Credentials • Exploiting Open phpMyAdmin • Downloading Sensitive Files
  3. Topics • Exploiting a Buffer Overflow in Third-Party Software • Exploiting Third-Party Web Applications • Exploiting a Compromised Service • Exploiting Open NFS Shares
  4. Metasploit Payloads
  5. msf> show payloads • Shows all payloads • After an exploit has been selected with "use", it shows only the payloads compatible with that exploit
  6. Payloads for ETERNALBLUE
  7. Staged Payloads • Loads a small first-stage downloader • Downloads the larger payload
  8. Inline Payloads • Whole payload delivered immediately
  9. Meterpreter • Custom payload for Metasploit • Resides in memory • Loaded by reflective DLL injection • Uses TLS encryption • Useful commands like getsystem and hashdump
  10. Exploiting WebDAV Default Credentials
  11. Nmap Scan
  12. WebDAV • Web Distributed Authoring and Versioning – An extension to HTTP – Allows developers to easily upload files to Web servers
  13. XAMPP • A convenient way to run a LAMP server on Windows – LAMP: Linux, Apache, MySQL, and PHP • Includes WebDAV, turned on by default, with default credentials – In older versions
  14. Cadaver • A command-line tool to use WebDAV servers • Default credentials allow file uploads
  15. Website Defacement • Violates integrity, but not as powerful as Remote Code Execution
  16. Upload a PHP File • PHP file executes on the server! • This is Remote Code Execution
  17. Msfvenom Creates Malicious PHP File • msfvenom -l payloads to see all payloads • msfvenom -p php/meterpreter/reverse_tcp -o to see options
  18. Msfvenom Creates Malicious PHP File
  19. Upload and Run • Using cadaver, put meterpreter.php • Browse to it in a Web browser to execute it
  20. Meterpreter Reverse Shell
  21. Exploiting Open phpMyAdmin
  22. Purpose • phpMyAdmin provides a convenient GUI • Allows administration of SQL databases
  23. phpMyAdmin
  24. Should be Protected • phpMyAdmin should be limited-access – With a Basic Authentication login page, or a more secure barrier
  25. SQL Query • Can write text to a file • This allows defacement
  26. PHP Shell • Can execute one line of CMD at a time
  27. Downloading a File with TFTP • We need some way to download another attack file to the target using the command line • Windows lacks "wget" (although you can use bitsadmin) • Another solution: TFTP
  28. Staged Attack • Initial attack sends a very small bit of code, such as a single line of CMD • That code connects to a server and downloads more malicious code • Very commonly used by malware
  29. Using FTP (Not in Book)
  30. FTP Server in Metasploit
  31. FTP Scripts • File contains text to be executed by the command-line FTP client
  32. Making the Script File with SQL
  33. Run the ftp -s:script Command • More methods at link Ch 8w
  34. Owned
  35. Downloading Sensitive Files
  36. Directory Traversal • Zervit allows you to browse the file system • Restart the Win2008-124 VM • Start Zervit on port 3232
  37. Zervit • Shows folders in C:\Program Files
  38. Download FileZilla XML File • Contains MD5 password hashes
  39. SAM and SYSTEM • C:\Windows\system32\config\SAM • System Accounts Manager • Contains password hashes • Encrypted • C:\Windows\system32\config\SYSTEM • Contains encryption key
  40. Traverse to Them
  41. Zervit Can't Access Them
  42. C:\Windows\Repair • Contained backups of SAM and SYSTEM in Windows XP • But not in Server 2008 • We'll have to get password hashes another way, later
  43. Exploiting a Buffer Overflow in Third-Party Software
  44. SLMail • Textbook uses an SLMail exploit from 2003 • But it seems not to run on Server 2008 • Just the normal Metasploit procedure, same as other exploits • Nothing to see here
  45. Exploiting Third-Party Web Applications
  46. TikiWiki • Textbook exploits TikiWiki on a Linux target we're not using • Again, the normal Metasploit process • Only difference: PHP payloads, like php/meterpreter/reverse_tcp
  47. Exploiting a Compromised Service
  48. Metasploitable Target • Nmap shows vsftpd 2.3.4
  49. Google "vsftpd 2.3.4"
  50. Install FTP • Kali doesn't have "ftp" by default • apt install ftp
  51. Smileyface in Username
  52. Exploiting Open NFS Shares
  53. Nmap Shows nfs
  54. Nmap Script nfs-ls
  55. nmap --script=nfs-ls • An error message appears below this; ignore it
  56. Install nfs-common • Required to mount NFS shares from Kali • apt-get update • apt-get install nfs-common
  57. SSH Keys in .ssh Directory
  58. Authorized Keys • Public keys which allow login as msfadmin
  59. Generate SSH Keys
  60. Add to Authorized Keys
  61. Connect with SSH
  62. Move to /tmp/mount/root/.ssh • Log in as root
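The slides on WebDAV upload (slides 16 to 19), directory traversal through Zervit (slide 36) and the SAM, SYSTEM and FileZilla files (slides 38, 39 and 42) each leave a distinct trace in the web server's access log. The script below is an added example, not from the slides or from Weidman's book: a small Python detector that runs over constructed Apache-style access-log lines and tags the defender-visible side of those attacks: a WebDAV PUT of a script file, a later GET of that same file, traversal sequences in the request path (after percent-decoding), and requests naming the SAM, SYSTEM or FileZilla config files. The log lines, IP addresses, timestamps, tag names and the marker lists are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined-log style.
# IPs, timestamps and paths are invented for this example; they are not from the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2017:10:01:22 -0700] "PUT /webdav/meterpreter.php HTTP/1.1" 201 0
10.0.0.5 - - [12/Oct/2017:10:01:30 -0700] "GET /webdav/meterpreter.php HTTP/1.1" 200 12
10.0.0.7 - - [12/Oct/2017:10:02:01 -0700] "GET /../../Windows/system32/config/SAM HTTP/1.1" 404 0
10.0.0.9 - - [12/Oct/2017:10:03:15 -0700] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [12/Oct/2017:10:04:00 -0700] "PUT /webdav/notes.txt HTTP/1.1" 201 0
10.0.0.7 - - [12/Oct/2017:10:05:10 -0700] "GET /..%2f..%2fWindows/Repair/SAM HTTP/1.1" 404 0
"""

# Fields of one combined-log line: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# WebDAV methods that create or rename content on the server.
WEBDAV_WRITE = {"PUT", "MOVE", "COPY", "MKCOL"}
# Extensions the server would execute rather than serve as static content (assumed list).
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi")
# Lower-cased markers for the files the slides name as worth protecting (assumed list).
SENSITIVE_MARKERS = (
    "/windows/system32/config/sam",
    "/windows/system32/config/system",
    "/windows/repair/sam",
    "/windows/repair/system",
    "filezilla server.xml",
)


def normalize_path(path):
    """Decode percent-encoding (twice, to catch double encoding), unify slashes, lower-case."""
    return unquote(unquote(path)).replace("\\", "/").lower()


def analyze(log_text):
    """Return one alert dict per suspicious line; benign lines produce nothing."""
    alerts = []
    uploaded_scripts = set()  # normalized paths of script files written via WebDAV
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        method, path = m["method"], m["path"]
        norm = normalize_path(path)
        tags = []
        if method in WEBDAV_WRITE and norm.endswith(SCRIPT_EXTENSIONS):
            tags.append("webdav_script_upload")
            uploaded_scripts.add(norm)
        if method == "GET" and norm in uploaded_scripts:
            tags.append("uploaded_script_executed")  # upload followed by a fetch of the same file
        if "/../" in norm or norm.startswith("../"):
            tags.append("path_traversal")
        if any(marker in norm for marker in SENSITIVE_MARKERS):
            tags.append("sensitive_file_request")
        if tags:
            alerts.append({
                "ip": m["ip"], "method": method, "path": path,
                "status": int(m["status"]), "tags": tags,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ip"], alert["method"], alert["path"], ",".join(alert["tags"]))
```

Run against SAMPLE_LOG, the detector raises four alerts and stays silent on the ordinary GET of index.html and on the PUT of notes.txt, so a WebDAV server used for plain document uploads does not drown the script-upload rule in noise. Decoding the path before matching is what makes the %2f-encoded traversal on the last line match the same rule as the literal one; a server that rejects "../" only in the raw request would miss it, which is the class of bug the Zervit slides exercise.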
