Intelligence Gap
Fourth Step to Become a Hacker - Haaga-Helia Assignment
Assignment 4
The questions for the assignment are here
The fun seems to start in this assignment. Finally, we get to hack something for real 😝
Task X
Reconnaissance is the crucial first step where we map out the entire network to find out as much as we can about the target before attacking. The purpose of this phase is finding out the scope of the attack.
The Art of Hacking - Passive Reconnaissance
Source
- Researching the target's environment without sending any information to the target network
- This means no port scanning, vulnerability scanning or phishing.
- Methodologies:
  - Search engine:
    site:wordpress.com -site:www.wordpress.com
  - Certificate Transparency: find issued certificates
  - Guess hostnames:
    nslookup test.example.com
    whois <ip-address>
  - Regional Internet Registries
  - Censys.io searches
  - Web searches for files:
    site:example.com pdf
    site:example.com filetype:xlsx
    site:example.com inurl:etc -intext:etc ext:password
  - Checking a file's metadata using exiftool
  - Public breaches: Adobe, LinkedIn, Dropbox etc.
The Art of Hacking - Active Reconnaissance
Source
- Next step after passive reconnaissance
- Sending traffic to the target network, using port scanning etc.
- Will definitely set off alerts for the target's administrator
- Methodologies:
  - Performing port scanning: Nmap, Masscan
  - Web service review: EyeWitness
  - Vulnerability scanning
Nmap Network Scanning - Port Scanning Basics
Source
- Nmap is one of the most popular port scanning tools out there
- There are 6 port states recognized by Nmap:
  - open
    - Actively accepting TCP connections, UDP datagrams or SCTP associations
    - Finding these is the primary goal of port scanning
  - closed
    - Accessible, but no application is listening on it
    - Shows that a host is up on that IP address
    - Can be scanned again later in case some open up
  - filtered
    - Can't determine whether the port is open because packet filtering prevents the probes from reaching it
    - Could be caused by a firewall device
    - Provides very little information
  - unfiltered
    - Port is accessible
    - Unable to determine whether it's open or closed
    - Using another scan type such as a Window, SYN or FIN scan can help
  - open|filtered
    - Unable to determine whether the port is open or filtered
    - Happens when open ports give no response
  - closed|filtered
    - Unable to determine whether the port is closed or filtered
Chapter 15 - Port Scanning Basics
Task A - Add vboxnet to VirtualBox
Click on Tools on the left panel above all of your machines –> Preferences –> Network –> click on the first icon.
Then click on the last icon to edit.
You can configure it like I do in the image, or you could keep the old Network CIDR. I changed it because this value is easier for me to remember –> click OK.
We now have a new NAT Network.
Task B - Install Metasploitable 2
To install Metasploitable 2, first we should download it from here.
To get started, we open VirtualBox and click New. Then I configure it as in the image below.
I chose 1024MB of memory just in case; you can go with 512MB, it's fine. After that choose Use an existing virtual hard disk file –> choose the Metasploitable.vmdk from the ZIP file that you downloaded –> Create.
After that you will see your new virtual machine on the left panel.
Before running the virtual machine, of course, we have to turn off our Wi-Fi, otherwise it's very dangerous. Now we can run the virtual machine by double-clicking on it. To log in, just type msfadmin twice (username and password) and we're in.
To find out the IP address, simply type
|
|
I can see that the Metasploitable machine's IP address is 192.168.100.4
Task C - Connect Linux Computer
Right-click on the virtual machine that you are planning to use to exploit the Metasploitable machine –> Network, and choose the values as in the image.
Do the same for your Metasploitable machine after installing it in Task B.
To check that we can communicate with the Metasploitable virtual machine, first log into the other virtual machine, in my case a Debian 11 machine. After that I open the terminal in this Debian machine and type
|
|
And I see that the Metasploitable machine replies.
Task D - Open The Website On Metasploitable Machine
Now switch to the Debian machine. We already know the target machine's IP address, so we have enough information to take control of it. Open the browser and type in 192.168.100.4
You will see the Metasploitable website open.
Task E - Scanalyses
For ease of hacking, I decided to use Kali Linux instead of Debian. You can find nmap among Kali Linux's tools.
I started with port scanning using nmap with the command
|
|
I got the following result
Let’s analyze the results. We have a bunch of ports that are open to some services.
- Port 21/tcp (FTP):
  - This is one of the oldest protocols created for the internet.
  - It is used to control File Transfer Protocol sessions and data transmission
- Port 22/tcp (SSH):
  - Used for Secure Shell (SSH) communication; allows remote administrative access to the VM
- Port 23/tcp (telnet):
  - Used by the Telnet protocol, which provides remote access to a variety of communications systems
- Port 25/tcp (smtp):
  - Used as the (mail) transmission channel
- Port 53/tcp (domain):
  - Takes care of resolving human-readable host names into numeric IP addresses
- Port 80/tcp (HTTP):
  - Internet communication protocol used to send and receive unencrypted web pages
- Port 111/tcp (rpcbind):
  - Provides a well-defined means for determining the ports on which other services in the system are running
- Port 139/tcp (netbios-ssn):
  - Enables NetBIOS services that provide access to shared resources like files and printers, not only to computers on your network but also to anyone across the internet
- Port 445/tcp (microsoft-ds):
  - Allows SMB to communicate over the Internet
- Port 512/tcp (exec):
  - Makes possible the transmission of a datagram message from one computer to an application running on another computer
- Port 513/tcp (login):
  - Allows remote attackers to exploit other vulnerabilities such as CVE-2005-3716, or execute arbitrary shell commands via rlogin, which does not require authentication
- Port 514/tcp (shell):
  - Listens for incoming syslog event notifications (carried in UDP packets) generated by remote syslog clients
- Port 1099/tcp (rmiregistry):
  - May use a defined protocol to communicate, depending on the application
- Port 1524/tcp (ingreslock):
  - Same as port 1099
- Port 2049/tcp (nfs):
  - Used by UNIX clients for file access
- Port 2121/tcp (ccproxy-ftp):
  - A communications protocol for the Internet network layer, transport layer and session layer
  - Makes possible the transmission of a datagram message from one computer to an application running on another computer
- Port 3306/tcp (mysql):
  - Used by the mysql client, MySQL Connectors, and utilities such as mysqldump and mysqlpump
- Port 5432/tcp (postgresql):
  - Opened for the Postgres database
- Port 5900/tcp (vnc):
  - Used by VNC, a platform-independent desktop sharing and remote control application
- Port 6000/tcp (X11):
  - Guarantees delivery of data and also guarantees that packets will be delivered on port 6000 in the same order in which they were sent
- Port 6667/tcp (irc):
  - Same as port 2121
- Port 8180/tcp (unknown):
  - Unassigned port
Firstly, we can see that these ports are all open and accept connections. They all have different services running on them, except port 8180.
Apparently, ports such as 21, 22, 80, 3306 and 5432 are usually open for legitimate use. However, ports 513, 2121 and 8180 seem to be problematic, since they are ports used for malicious activity and are flagged as virus ports.
The most vulnerable ports that are usually used for exploitation in this case are 21 (FTP), 22 (SSH), 139 (SMB), 80 (HTTP), 23 (telnet), 3306 (mysql) and 5432 (postgresql). Don't get me wrong here: these are vulnerable ports, but usually any open port is vulnerable; these are just more unsafe. A computer is rather safe when there are 0-2 open ports, and if more than 9 ports are open, the machine is very vulnerable. This machine has 22 open ports, so obviously this machine is meant to be attacked 😜.
Moreover, HTTPS is well known to be much more secure than HTTP, and HTTPS usually uses port 443. This machine doesn't have that port open and uses HTTP instead, so clearly this is very unsafe.
With this information, I think services like SSH, FTP, MySQL and PostgreSQL could be the vulnerable ones here that we can start to exploit.
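The port-state table from the Nmap chapter and the service-by-service analysis in Task E are the kind of thing worth automating when you have to review scans of your own hosts. Here is an added example, not part of this post and not nmap's code, that parses nmap's normal output, counts ports per state (all six states, including the ones that did not appear), and flags open services an administrator should look at first: cleartext protocols, the legacy r-services (exec/login/shell), services that should only be reachable from trusted networks, and ports nmap could not identify. The scan text is constructed to resemble the Metasploitable scan in the post, and the service categories are this example's own assumption, not an nmap feature.

```python
"""Triage an nmap scan the way an analyst would: parse the port table,
count ports per state, and flag open services that are cleartext, legacy,
admin-only or unidentified.

Added example for this write-up; not the course's or nmap's code. The scan
text below is constructed to resemble a Metasploitable 2 scan and is not a
real capture. The service categories are this example's assumption."""
import re
from collections import Counter

# Constructed sample of nmap's normal output (not a real capture).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.100.4
Host is up (0.00041s latency).
Not shown: 976 closed tcp ports (conn-refused)
PORT     STATE         SERVICE
21/tcp   open          ftp
22/tcp   open          ssh
23/tcp   open          telnet
25/tcp   open          smtp
53/tcp   open          domain
80/tcp   open          http
139/tcp  open          netbios-ssn
443/tcp  closed        https
512/tcp  open          exec
513/tcp  open          login
514/tcp  open          shell
3306/tcp open          mysql
5900/tcp open          vnc
6000/tcp open          X11
8180/tcp open          unknown
9000/tcp filtered      cslistener
9001/tcp open|filtered tor-orport
"""

# nmap's six port states, in the order we report them.
STATES = ("open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered")

# Why a service deserves a second look. Assumption of this example, not of nmap.
CLEARTEXT = {"ftp", "telnet", "http", "smtp", "pop3", "imap"}
LEGACY_REMOTE = {"exec", "login", "shell"}   # rexec/rlogin/rsh: no encryption, host-based trust
ADMIN_ONLY = {"ssh", "mysql", "postgresql", "vnc", "X11", "netbios-ssn",
              "microsoft-ds", "nfs", "rpcbind"}

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")


def parse_ports(scan_text):
    """Return a list of (port, proto, state, service) tuples from nmap normal output."""
    ports = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def state_counts(ports):
    """Count ports per nmap state; states that did not occur are reported as 0."""
    counts = Counter(state for _, _, state, _ in ports)
    return {state: counts.get(state, 0) for state in STATES}


def classify(port, service):
    """Return the reason an open port needs attention, or None if nothing stands out."""
    if service in LEGACY_REMOTE:
        return "legacy r-service: cleartext and host-based trust, should not be listening"
    if service in CLEARTEXT:
        return "cleartext protocol: credentials and data visible on the wire"
    if service in ADMIN_ONLY:
        return "administrative service: restrict to trusted networks and strong auth"
    if service == "unknown":
        return "unidentified service on %d: identify it (-sV) before deciding" % port
    return None


def triage(scan_text):
    """Return {"states": per-state counts, "findings": [(port, service, reason), ...]}.

    Only open ports produce findings; the other states are just counted."""
    ports = parse_ports(scan_text)
    findings = []
    for port, _proto, state, service in ports:
        if state != "open":
            continue
        reason = classify(port, service)
        if reason:
            findings.append((port, service, reason))
    return {"states": state_counts(ports), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_SCAN)
    for state, n in report["states"].items():
        print("%-16s %d" % (state, n))
    for port, service, reason in report["findings"]:
        print("%5d %-12s %s" % (port, service, reason))
```

Run it on a real scan by passing the saved normal output (nmap -oN) instead of SAMPLE_SCAN. Port 53 shows what an unflagged open port looks like; everything else on the sample host is flagged, which is consistent with the post's conclusion that the machine is built to be attacked.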
Task F - Break Into Metasploitable 2
I think I'm going to go wild with this voluntary task 😝
Using Port 21 (FTP) - Backdoor Exploitation
In order to exploit this port, first we need to re-scan the open ports with another command, run with sudo privileges, to get the versions of the services
|
|
We get a list like this
Now that we know the version of this FTP service, if you use Kali Linux, search for Metasploit Framework and start it. If not, type in the terminal
|
|
Then we need to check whether there's any backdoor to exploit this version of the FTP service by typing in the msfconsole
|
|
And we get this result
We see there is a command to interact with this module; copy, paste and execute the following commands
|
|
There is an issue here: I don't have any target host.
This happens because I'm using a custom network and the IP address of the Metasploitable machine is not the default one. To fix this, I use this command
|
|
Then execute
|
|
Now it looks good.
Can't wait to exploit; simply use this command
|
|
But then I have another problem.
I could exploit the other machine, but no session was created. This can happen for many reasons, but one of them is that the srvhost and lhost are not the same. To make sure that they are the same I use these commands
|
|
This 192.168.100.7 IP address is my current Kali Linux IP address. After this, I got in.
I was able to execute the whoami command, and I'm the root user, so I've succeeded in exploiting this machine via port 21.
Using Port 22 (SSH) - Brute Force
For this method, since we already know that the username and password of Metasploitable are msfadmin and msfadmin, we can simply use this command
|
|
And we get in. But this is not fun. I'm going to assume that I don't know the credentials or the IP address in this exploitation attempt. So first things first, I'm going to discover the other machine's IP address using the command below
|
|
The netdiscover command is an active/passive address reconnaissance tool developed for wireless networks without a DHCP server.
I got this result
So we know that the vulnerable host we want to target is 192.168.100.4.
I've checked the documentation and I've created 2 lists of usernames and passwords following the doc's recommendations
usernames.txt
test
admin
msfadmin
root
guest
sys
klog
service
passwords.txt
admin
root
test
msfadmin
service
postgres
123456789
sys
Now we should open the Metasploit Framework console, or type msfconsole into the current console. Then execute the following commands
|
|
We get this result
Next, we execute the commands below
|
|
Sit back and watch the magic happen in front of your eyes. Here we are, the combination of credentials shows up
We can get into the session using this command
|
|
The number at the end of the sessions command depends on the number of sessions you have open and which session you want to open. In my case, it's the 1st session. I can start checking who I am and whether I am a sudo user or not. We can see
Now we know for sure that the credentials we got belong to a sudoer. We open another terminal and use the following command to really get inside the machine
|
|
And we got in
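The brute-force run above leaves a very visible trail in the target's sshd log, which is the other side of this exercise: the administrator's view. As an added example, not from this post and not from any tool it uses, here is a small detector that reads sshd authentication lines, raises an alert when one source reaches a threshold of failed passwords inside a sliding window, and separately marks the case where that same source then logs in successfully, the signal that a password was guessed rather than merely tried. The log lines are constructed in the syslog format Debian's sshd writes to auth.log (not taken from a real machine); the addresses and usernames reuse the lab values from this post, and the threshold, window and year are assumptions to tune.

```python
"""Detect SSH password guessing in sshd log lines: many failures from one
source inside a short window, and the more serious case where a success
from that source follows the failures.

Added example for this write-up, not the course's or any tool's code. The
log lines are constructed in the syslog format sshd uses on Debian and are
not from a real machine; 192.168.100.7 and the usernames follow the post's
own lab values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real log): a burst of guesses, then a success.
SAMPLE_LOG = """\
Mar  3 10:00:01 metasploitable sshd[2011]: Failed password for invalid user test from 192.168.100.7 port 40010 ssh2
Mar  3 10:00:02 metasploitable sshd[2012]: Failed password for invalid user admin from 192.168.100.7 port 40011 ssh2
Mar  3 10:00:02 metasploitable sshd[2013]: Failed password for root from 192.168.100.7 port 40012 ssh2
Mar  3 10:00:03 metasploitable sshd[2014]: Failed password for invalid user guest from 192.168.100.7 port 40013 ssh2
Mar  3 10:00:03 metasploitable sshd[2015]: Failed password for invalid user sys from 192.168.100.7 port 40014 ssh2
Mar  3 10:00:04 metasploitable sshd[2016]: Failed password for msfadmin from 192.168.100.7 port 40015 ssh2
Mar  3 10:00:05 metasploitable sshd[2017]: Accepted password for msfadmin from 192.168.100.7 port 40016 ssh2
Mar  3 10:00:09 metasploitable sshd[2018]: Failed password for msfadmin from 192.168.100.9 port 51000 ssh2
Mar  3 10:30:00 metasploitable sshd[2019]: Accepted publickey for msfadmin from 192.168.100.9 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

YEAR = 2023  # syslog timestamps carry no year; assumed here


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each sshd auth line, skipping other lines."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse the day-padding double space
        ts = datetime.strptime("%d %s" % (YEAR, stamp), "%Y %b %d %H:%M:%S")
        yield ts, m.group("result"), m.group("user"), m.group("ip")


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "users": [...], "success_after_failures": bool, ...}}
    for every source that reached `threshold` failed logins inside a sliding `window`."""
    failures = defaultdict(list)   # ip -> [(ts, user), ...] kept only inside the window
    alerts = {}
    for ts, result, user, ip in parse(log_text):
        # Drop failures older than the window so a slow trickle never accumulates.
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if result == "Failed":
            failures[ip].append((ts, user))
            if len(failures[ip]) >= threshold:
                entry = alerts.setdefault(
                    ip, {"failures": 0, "users": [], "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
                entry["users"] = sorted({u for _, u in failures[ip]})
        elif ip in alerts and failures[ip]:
            # A success from a source that was guessing moments ago: likely compromise.
            alerts[ip]["success_after_failures"] = True
            alerts[ip]["compromised_user"] = user
    return dict(alerts)


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

The single failure from 192.168.100.9 followed by a public-key login never reaches the threshold, so it produces no alert; the burst from 192.168.100.7 does, and the later Accepted line upgrades that alert to a compromise. On a real host, feed it the lines from /var/log/auth.log and adjust the threshold to your baseline of legitimate typos.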
Using Port 80 (HTTP)
First things first, let's check the version of the HTTP service running on port 80 using the same command I used in the previous step
|
|
And we can see that the version is Apache httpd 2.2.8
Then we open the Metasploit Framework console from Kali Linux's tools, or type msfconsole in the terminal.
We start the hacking process using these commands
|
|
Here's the result
Then we set the rhosts and exploit
|
|
The exploitation succeeds
So according to the results, we know that the HTTP service is powered by PHP 5.2.4 and Apache 2.2.8. Open Kali's terminal and use this command to check for exploits matching this information
|
|
Basically, this command searches for exploits that work with Apache 2.2.8 and PHP. And we see the result here
Let's switch back to the Metasploit console and search for exploits that have PHP version 5.4.2 in them
|
|
We can see the following list
I've tried the first option, exploit/multi/http/op5_license, but it seems that this option is for exploiting HTTPS since it uses port 443, and this is not what we need. Therefore, I try the 2nd option
|
|
Then we can start exploiting
|
|
Here we are, we get everything we have on the web server
Then I destroyed the website by removing the index page using rm index.php. No warning or anything anymore for this page.
But don't do the same as me, because the damage is permanent: my index page is gone forever and it doesn't come back even if I restart the machine 🤣. If you want to do the same and you want the old index page to come back, I think you have to re-download Metasploitable 2.
Using Port 3306 (MySQL)
This next hacking attempt is going to be fun. This time no more superficial hacking; we go straight to the database.
Since I've hacked too much already, I want to skip steps this time. I cut to the chase by searching for the available scanning/exploitation methods there are for the MySQL service
|
|
And I got this
We need to know the database credentials first, so I went for the mysql_login one. So just as before, I use these commands
|
|
I used the same usernames and passwords files as before. I got the credentials and I can log into mysql like this
I explored the mysql database.
Then I want to check the credentials of all of the users in the mysql db. Here we are
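Looking at the user table is also exactly what a DBA should do after a login like this, to see why the brute force worked and what else is exposed. This added example, not from the post and not MySQL's own code, takes rows shaped like the result of SELECT User, Host, Password FROM mysql.user on an old MySQL 5.x server and reports empty passwords, anonymous accounts, pre-4.1 password hashes, and accounts (root in particular) reachable from any host. The rows, including the hash values, are constructed for the example.

```python
"""Audit mysql.user rows for the weaknesses a brute-force login exploits:
empty or legacy password hashes, anonymous accounts, and accounts that
accept connections from any host.

Added example for this write-up, not the course's or MySQL's code. The rows
are constructed to look like SELECT User, Host, Password FROM mysql.user on
an old MySQL 5.x server; the hash values are made up."""
import re

# Constructed sample rows: (User, Host, Password). Not from the lab machine.
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("debian-sys-maint", "localhost", "*2F2AAF44A3B6B6F7E7B0C6E1B2A3C4D5E6F7A8B9"),
    ("", "localhost", ""),
    ("app", "%", "5d2e19393cc5ef67"),
    ("backup", "10.0.0.5", "*A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"),
]

NEW_HASH = re.compile(r"^\*[0-9A-F]{40}$")  # MySQL 4.1+ format: '*' + SHA1(SHA1(pw)) hex
OLD_HASH = re.compile(r"^[0-9a-f]{16}$")    # pre-4.1 format, trivially crackable
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_account(user, host, password):
    """Return the list of findings for one account, empty if it looks fine."""
    findings = []
    if user == "":
        findings.append("anonymous account")
    if password == "":
        findings.append("empty password")
    elif OLD_HASH.match(password):
        findings.append("pre-4.1 password hash")
    elif not NEW_HASH.match(password):
        findings.append("unrecognised password hash format")
    if "%" in host:
        findings.append("reachable from any host")
    if user == "root" and host not in LOCAL_HOSTS:
        findings.append("root login from remote host")
    return findings


def audit(rows):
    """Return [(user, host, findings), ...] for every row with at least one finding."""
    out = []
    for user, host, password in rows:
        f = audit_account(user, host, password)
        if f:
            out.append((user, host, f))
    return out


if __name__ == "__main__":
    for user, host, findings in audit(SAMPLE_USERS):
        print("%-18s %-10s %s" % (user or "<anonymous>", host, "; ".join(findings)))
```

Any row this reports is a credential that a wordlist of the kind used above will find immediately (empty password) or shortly after (old hash, default account name), so fixing these rows removes the foothold before the scanner ever runs.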