Steps to hack a network

Viewing 11 reply threads
    • #5248
      caissyd
      Participant

      Ok, here’s the deal. I am having a hard time getting into many servers in the OSCP lab and I feel like a “chicken with no head”! Let me abstract the problem a bit. I have 2 questions:

      1) Once you have enumerated a network, let’s say there are 10 different servers, how do you proceed to exploit them? Time is precious and I feel like I go everywhere: try one service on server A, then try another service on server B, and so on. For example, do you try all FTP servers, then all HTTP servers, etc., or do you try all services on one machine and then go to the next one?

      2) If you have a single host to root, how do you proceed? Would you go, in order (if applicable!):
      a) Reconnaissance
      b) Scanning (nmap, nessus, nikto)
      c) Attack SMB, use metasploit, hydra
      d) If c) didn’t work out, Look for SQL injection vulnerabilities
      e) If d) didn’t work out, try fuzzing
      f) …

      I’m stuck after c)… I know it really depends on which services are available on a server, but generally, how do you proceed?

      I am tired…  :-

    • #33299
      sil
      Participant

      @H1t M0nk3y wrote:

      a) Reconnaissance
      b) Scanning (nmap, nessus, nikto)
      c) Attack SMB, use metasploit, hydra
      d) If c) didn’t work out, Look for SQL injection vulnerabilities
      e) If d) didn’t work out, try fuzzing
      f) …

      Without giving away keys to the kingdom, here is how I would proceed…

      1) Recon + Scanning
      Don’t always believe what you see during the recon phase, and don’t rely solely on the output of one scan. Check your parameters and fiddle with them. For example, nmap reports back the most common ports, usually between 1000 and 2000 services; however, that is a huge gap. Think big and tell nmap what services/ports YOU WANT to look for, on both protocols, UDP and TCP.

      2) Attack
      Don’t aim blindly at the servers with useless exploits. Create a targeted attack focused specifically on the machine and what it’s running. For example, why would you shoot off Windows-based attacks at a Linux machine? Every machine will have an exploitable service/program/script. Your goal is to find out *WHAT* is exploitable. Be creative:


      # nmap -sX 10.20.30.40 -v

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:24 EDT

      The XMAS Scan took 34.76s to scan 1680 total ports.
      Host misos (10.20.30.40) appears to be up ... good.
      All 1680 scanned ports on misos (10.20.30.40) are open|filtered

      Nmap finished: 1 IP address (1 host up) scanned in 35.105 seconds
                    Raw packets sent: 3361 (134.442KB) | Rcvd: 1 (42B)

      # nmap -sS 10.20.30.40 -v

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:26 EDT
      The SYN Stealth Scan took 65.32s to scan 1680 total ports.
      Host misos (10.20.30.40) appears to be up ... good.

      PORT     STATE SERVICE
      80/tcp   open  http
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      902/tcp  open  iss-realsecure-sensor
      912/tcp  open  unknown
      1026/tcp open  LSA-or-nterm

      Nmap finished: 1 IP address (1 host up) scanned in 65.668 seconds
                    Raw packets sent: 5039 (221.714KB) | Rcvd: 20 (956B)

      # nmap -sS 10.20.30.40 -p 1-60000 -v

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 08:27 EDT
      The SYN Stealth Scan took 261.60s to scan 60000 total ports.
      Host misos (10.20.30.40) appears to be up ... good.

      PORT      STATE SERVICE
      80/tcp    open  http
      135/tcp   open  msrpc
      139/tcp   open  netbios-ssn
      445/tcp   open  microsoft-ds
      902/tcp   open  iss-realsecure-sensor
      912/tcp   open  unknown
      1026/tcp  open  LSA-or-nterm
      1028/tcp  open  unknown
      3865/tcp  open  unknown
      5357/tcp  open  unknown
      8222/tcp  open  unknown
      8333/tcp  open  unknown
      9127/tcp  open  unknown
      9704/tcp  open  unknown
      21112/tcp open  unknown
      23791/tcp open  unknown
      23943/tcp open  unknown

      Nmap finished: 1 IP address (1 host up) scanned in 262.092 seconds
                    Raw packets sent: 120028 (5.281MB) | Rcvd: 65 (3106B)

      Same machine, three different outputs. As you can see, if I relied on a typical nmap scan, all I would yield would be 7 services, when there are 17 TCP-based services running on this machine. So what are these other “unknown” services?

      telnet 10.20.30.40 5357
      Trying 10.20.30.40...
      Connected to 10.20.30.40.
      Escape character is '^]'.
      POST
      HTTP/1.1 400 Bad Request
      Content-Type: text/html; charset=us-ascii
      Server: Microsoft-HTTPAPI/2.0
      Date: Wed, 23 Jun 2010 12:41:33 GMT
      Connection: close
      Content-Length: 326


      Bad Request

      Bad Request - Invalid Verb

      HTTP Error 400. The request verb is invalid.

      Connection closed by foreign host.

      Since I own the machine, I know exactly what’s running on it; however, let’s assume I didn’t. Let me Google it (http://seclists.org/pen-test/2008/Jul/130). Now I have more information to go on. From here, what do you do? You dig down for potentially exploitable code (dis)affecting that program. Fuzz that port, and so on and so forth.

      Enumeration 101 … Again, be creative with your enumeration, whether it’s scanning, lists, etc. Create your own user list, your own password lists. Are you solely relying on, say, three usernames? I’d use the top 50 common names as UIDs. Try not to focus on the tools and their generic methods of working. The tools only do what you tell them to do. Your brain is the key.

      Another post follows (the message exceeds the maximum allowed length of 30000 characters).
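The “so what are these other unknown services?” step above, done as a small script rather than by hand with telnet. This is an added example and not part of sil’s post: a Python banner grabber that connects to each port, sends a harmless HTTP request and reports the status line plus the Server header, or the first line of whatever non-HTTP banner comes back, or silence. The localhost listener it starts is a constructed stand-in for the Microsoft-HTTPAPI/2.0 reply the post saw on port 5357; the host, ports and reply bytes are assumptions for the demo, not captured from a lab machine.

```python
"""Banner-grab the ports nmap left as 'unknown' and say what answered.

Added example (not from the thread). Real targets are whatever a full
port scan turned up; the local listener below is a constructed stand-in
for the Microsoft-HTTPAPI/2.0 reply the post saw on port 5357.
"""
import re
import socket
import threading

# A minimal, valid HTTP request: enough to make an HTTP listener identify
# itself, harmless to anything else (non-HTTP services usually reply with
# an error or their own banner, which is exactly what we want to see).
PROBE = b"GET / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, timeout=3.0, probe=PROBE, limit=4096):
    """Connect, send the probe, return up to `limit` bytes the service sends back."""
    chunks, got = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(probe)
        try:
            while got < limit:
                data = s.recv(limit - got)
                if not data:            # peer closed the connection
                    break
                chunks.append(data)
                got += len(data)
        except socket.timeout:          # service kept the socket open; keep what we have
            pass
    return b"".join(chunks)


def classify(banner):
    """Label raw bytes: HTTP status + Server header, some other banner, or silence."""
    if not banner:
        return {"proto": "silent", "status": None, "server": None}
    text = banner.decode("latin-1")
    first = text.splitlines()[0][:120]
    if text.startswith("HTTP/"):
        m = re.search(r"^Server:[ \t]*(.+?)\r?$", text, re.M | re.I)
        return {"proto": "http", "status": first,
                "server": m.group(1).strip() if m else None}
    return {"proto": "banner", "status": first, "server": None}


def sweep(host, ports):
    """Banner-grab every port in `ports`; connection errors are recorded, not raised."""
    results = {}
    for port in ports:
        try:
            results[port] = classify(grab_banner(host, port))
        except OSError as exc:
            results[port] = {"proto": "error", "status": str(exc), "server": None}
    return results


# --- constructed fixture: a throwaway localhost listener (assumption, not a real host)
FAKE_HTTPAPI = (b"HTTP/1.1 400 Bad Request\r\n"
                b"Content-Type: text/html; charset=us-ascii\r\n"
                b"Server: Microsoft-HTTPAPI/2.0\r\n"
                b"Connection: close\r\nContent-Length: 0\r\n\r\n")


def start_fake_listener(response=FAKE_HTTPAPI):
    """Bind an ephemeral 127.0.0.1 port that answers any client with `response`; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(1024)          # read the probe, then answer and hang up
                    conn.sendall(response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_listener()
    for p, info in sweep("127.0.0.1", [port]).items():
        print(f"{p}/tcp  {info['proto']:7s} {info['status']}  server={info['server']}")
```

Point it at the real unknown ports with `sweep("10.20.30.40", [912, 1028, 3865, 5357, ...])`; anything that comes back as `http` with a Server header is a second web stack worth its own enumeration, anything `silent` probably wants a protocol-specific probe instead of an HTTP one.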

    • #33300
      sil
      Participant

      Again, think a little outside the box:


      nmap -sSV -sR -PP -O 10.4.64.105 -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 > Output

      LONG OUTPUT OMITTED ...


      ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
      SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
      SF:equest,4E8D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x2020
      SF:10\x2013:07:45\x20GMT\r\nServer:\x20Oracle\x20Containers\x20for\x20J2EE
      SF:\r\nLast-Modified:\x20Tue,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nA
      SF:ccept-Ranges:\x20bytes\r\nContent-Length:\x2019882\r\nConnection:\x20cl
      SF:ose\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x2
      SF:0\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\">\n<html\x20lang=
      SF:\"en,us\">\n\n\n\n\x20\x20\x20\x20Welcome\x20to\x20Oracle\x
      SF:20Containers\x20for\x20J2EE\x2010g\x20\(10\.1\.3\.1\.0\)\n\n\x2
      SF:0\x20\x20\x20<META\x20content=\"text/html;\x20charset=windows-1252\"\x2
      SF:0http-equiv=Content-Type>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"
      SF:\x20href=\"ohs_images/portals\.css\">\n\n<body\x20bgcolor=\"#FFFF
      SF:FF\"\x20link=\"#663300\"\x20vlink=\"#996633\"\x20alink=\"#FF6600\"\x20t
      SF:ext=\"#000000\">\n<a\x20href=\"#p
      SF:ortlets\"\x20title=\"List\x20topics\x20on\x20this\x20page\"><img\x20src
      SF:=\"ohs_images/space\.gif\"\x20alt=\"Skip\x20tabs\"\x20height=1\x20width
      SF:=1\x20align=\"right\"\x20border=0>\n\n\n<
      SF:a\x20name=\"tabs\">\n<table\x20summary=\"\"\x20width=\"100%\"\x20bo
      SF:rder=\"0\"\x20cellspacing=\"0\"")%r(HTTPOptions,2A0A,"HTTP/1\.1\x20200
      SF:\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\nServe
      SF:r:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue,\x20
      SF:20\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r\nCont
      SF:ent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20text/h
      SF:tml\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\nHTTP/1\.1\x2
      SF:0200\x20OK\r\nDate:\x20Wed,\x2023\x20Jun\x202010\x2013:07:46\x20GMT\r\n
      SF:Server:\x20Oracle\x20Containers\x20for\x20J2EE\r\nLast-Modified:\x20Tue
      SF:,\x2020\x20Apr\x202010\x2018:23:20\x20GMT\r\nAccept-Ranges:\x20bytes\r
      SF:\nContent-Length:\x2019882\r\nConnection:\x20close\r\nContent-Type:\x20t
      SF:ext/html\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\n
      SF:0
      SF:
      SF:0
      SF:
      SF:0
      SF:
      SF:0
      SF:
      SF:0
      SF:
      SF:0");

      Kind of noisy, no? Clean it up:


      perl -0777 -pe 's/\nSF://g; s/\\x([0-9A-Fa-f]{2})/chr(hex($1))/ge; s/\\r\\n|\\n/\n/g; s/\\(.)/$1/g' /tmp/Output

      ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
      SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetRequest,4E8D,"HTTP/1 .1  200  OK
      Date:  Wed,  23  Jun  20 10  13:07:45  GMT
      Server:  Oracle  Containers  for  J2EE
      Last-Modified:  Tue,  20  Apr  2010  18:23:20  GMT
      Accept-Ranges:  bytes
      Content-Length:  19882
      Connection:  close
      Content-Type:  text/html

      <!DOCTYPE  HTML  PUBLIC x2
      0 "-//W3C//DTD  HTML  4 .01  Transitional//EN ">




      Welcome  to  Oracle Containers  for  J2EE  10g  (10 .1 .3 .1 .0 )


             

      (HTTPOptions,2A0A,"HTTP/1 .1  200  OK
      Date:  Wed,  23  Jun  2010  13:07:46  GMT
      Server:  Oracle  Containers  for  J2EE
      Last-Modified:  Tue, 20 Apr 2010 18:23:20  GMT
      Accept-Ranges:  bytes
      Content-Length:  19882
      Connection:  close
      Content-Type:  text/html
      Allow:  GET,  HEAD,  OPTIONS,  TRACE

      HTTP/1 .1
      200  OK
      Date:  Wed,  23  Jun  2010  13:07:46  GMT

      Server:  Oracle  Containers  for  J2EE
      Last-Modified:  Tue, 20 Apr 2010  18:23:20 GMT
      Accept-Ranges:  bytes
      Content-Length:  19882
      Connection:  close
      Content-Type: text/html
      Allow:  GET,  HEAD,  OPTIONS,  TRACE

      I now have better information to work with. Stay focused on your goal. Find what’s running, then focus on what might potentially break it instead of trying to throw the toolshed at it.
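The same clean-up as a parser rather than a one-liner, so the decoded bytes can be handed to other tooling. This is an added example, not from sil’s post: a Python parser for nmap’s `SF-Port…` / `SF:` service-fingerprint blocks that joins the continuation lines, splits out the `%r(Probe,HexLength,"…")` records, decodes the `\x20`, `\r\n`, `\.` and `\"` escapes back into the bytes the service actually sent, and checks that the hex length nmap recorded matches what was decoded. The fingerprint embedded below is a constructed, shortened imitation of the Oracle Containers for J2EE one above, not the real capture; the Python function names are mine.

```python
"""Decode an nmap service fingerprint (SF-Port... block) into raw responses.

Added example, not from the thread. SAMPLE_FINGERPRINT is constructed
(shortened and with recomputed lengths); it is not the real capture above.
"""
import re

# %r(ProbeName,HexLength,"escaped response") records, as nmap writes them
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# nmap's escapes: \xHH for non-printables, \r \n \t \0, and a backslash in
# front of anything regex-special (\. \( \" \\ ...) meaning "this char literally"
_ESC = re.compile(rb'\\x([0-9A-Fa-f]{2})|\\(.)', re.S)
_SIMPLE = {b"r": b"\r", b"n": b"\n", b"t": b"\t", b"0": b"\0"}

SAMPLE_FINGERPRINT = r"""
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9704-TCP:V=4.11%I=7%D=6/23%Time=4C220721%P=i686-pc-linux-gnu%r(GetR
SF:equest,6C,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Oracle\x20Containers\x20f
SF:or\x20J2EE\r\nContent-Type:\x20text/html\r\n\r\n<html\x20lang=\"en,us\">\n
SF:</html>\n")%r(HTTPOptions,35,"HTTP/1\.1\x20200\x20OK\r\nAllow:\x20GET,\x
SF:20HEAD,\x20OPTIONS,\x20TRACE\r\n\r\n");
"""


def unescape(text):
    """Turn one escaped fingerprint body back into the raw bytes the service sent."""
    def rep(m):
        if m.group(1):
            return bytes([int(m.group(1).decode(), 16)])
        return _SIMPLE.get(m.group(2), m.group(2))
    return _ESC.sub(rep, text.encode("latin-1"))


def parse_fingerprint(block):
    """Parse one SF-Port... block (with its SF: continuation lines) into a dict."""
    header, parts = None, []
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("SF-Port"):
            header, rest = line.split(":", 1)   # e.g. SF-Port9704-TCP
            parts.append(rest)
        elif line.startswith("SF:"):
            parts.append(line[3:])               # continuation line, prefix dropped
    if header is None:
        raise ValueError("no SF-Port line in input")
    joined = "".join(parts)
    # V=nmap version, I=intensity, D=date, Time=epoch hex, P=platform
    meta = dict(kv.split("=", 1)
                for kv in joined.split("%r(", 1)[0].split("%") if "=" in kv)
    probes = {}
    for name, hexlen, body in _PROBE.findall(joined):
        raw = unescape(body)
        declared = int(hexlen, 16)
        probes[name] = {"declared": declared, "response": raw,
                        "length_ok": declared == len(raw)}
    return {"port": header, "meta": meta, "probes": probes}


def http_server_header(raw):
    """Server: header from a decoded HTTP response, or None."""
    m = re.search(rb"^Server:[ \t]*([^\r\n]+)", raw, re.M)
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(fp["port"], fp["meta"])
    for name, p in fp["probes"].items():
        print(f"--- {name}: {len(p['response'])} bytes "
              f"(declared {p['declared']}, ok={p['length_ok']})")
        print(p["response"].decode("latin-1"))
```

A `length_ok` of False on a real block usually means the block was damaged in transit (a forum or mail client eating backslashes or tags, exactly what happened to the copy above), so treat the decoded bytes as suspect and re-run the scan rather than pasting them into a submission.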

    • #33301
      caissyd
      Participant

      Sil, I am so humble right now!

      Thanks a lot, I wasn’t doing the right thing. Your examples are priceless!!!
      I will keep you posted.

    • #33302
      caissyd
      Participant

      Another related question: If you find 10 services listening on a machine, I guess you try the easy stuff first, then make your way up to the more “difficult” ones?!?

      In Sil’s example:

      PORT     STATE SERVICE
      80/tcp   open  http
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      902/tcp  open  iss-realsecure-sensor
      912/tcp  open  unknown
      1026/tcp open  LSA-or-nterm

      Wouldn’t you try these ones first and if you don’t find anything, you continue scanning all the other ports (TCP and UDP)?

      Or would you scan everything in depth (which I believe makes a lot of sense!), then try to attack the most common ones and finally go for the most difficult services?

    • #33303
      sil
      Participant

      Low hanging fruit is often the easiest to pick 😉 So for the sample scan you posted:


      PORT    STATE SERVICE
      80/tcp  open  http
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      902/tcp  open  iss-realsecure-sensor
      912/tcp  open  unknown
      1026/tcp open  LSA-or-nterm

      Thorough solution: (version_trace + -O)


      # nmap -sSV -sR -PP -O 10.20.30.40 -p 80 --version_trace

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-06-23 11:06 EDT
      Timing report
        hostgroups: min 1, max 100000
        rtt-timeouts: init 1000, min 100, max 10000
        scan-delay: TCP 1000, UDP 1000
        parallelism: min 0, max 0
        max-retries: 10, host-timeout: 0

      Interesting ports on misos (10.20.30.40):
      PORT  STATE SERVICE VERSION
      80/tcp open  http    Microsoft IIS webserver 7.0

      Personally… It would depend on the OS fingerprint 😉 Is it Win2k, 2k3, XP, Vista? … On 2K and 2K3, you’re more likely to find SMB “exploitable” than you would on XP, Vista, 2008. So it all depends on whether you obtained a nice fingerprint.

      Now, there are two things going on… There is the OSCP exam, and there is compromising a machine, recon, analysis…


      # Build a small candidate user list (here pulled from the old labs.google.com Sets service,
      # seeded with "window" and "unix"; that service has since been discontinued, so substitute
      # any wordlist), then try each name as user:password against the RPC/SMB endpoints with
      # impacket's rpcdump.py.
      for i in `lynx --dump "http://labs.google.com/sets?hl=en&q1=window&q2=unix&q3=&q4=&q5=&btn=Small+Set+%2815+items+or+fewer%29" | grep "\[" | sed -n '3,10p' | awk -F ] '{print $2}'`
      do
        /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 139/SMB
        /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 135/TCP
        /pentest/python/impacket-examples/rpcdump.py $i:$i@10.20.30.40 445/SMB
      done

      Will yield you a lot of information on SMB processes; try it. What you do with that information is up to you. You need to think like an attacker, not solely based on the content of the exam. The goal is to compromise the machines by any means necessary. This does not stop you from using your own tools here.

      In the case of low hanging fruit… Take note of the nmap syntax I re-use:


      root@axios:/pentest/exploits/framework3# ./msfconsole

      #    # ###### #####  ##    ####  #####  #      ####  # #####
      ##  ## #        #    #  #  #      #    # #      #    # #  #
      # ## # #####    #  #    #  ####  #    # #      #    # #  #
      #    # #        #  ######      # #####  #      #    # #  #
      #    # #        #  #    # #    # #      #      #    # #  #
      #    # ######  #  #    #  ####  #      ######  ####  #  #


            =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
      + -- --=[ 567 exploits - 271 auxiliary
      + -- --=[ 272 payloads - 26 encoders - 8 nops
            =[ svn r9532 updated 8 days ago (2010.06.15)

      msf > db_driver sqlite3
      [*] Using database driver sqlite3
      msf > db_connect hitmonkeytest
      [-] Note that sqlite is not supported due to numerous issues.
      [-] It may work, but don't count on it
      [*] Creating a new database file...
      [*] Successfully connected to the database
      [*] File: hitmonkeytest

      msf > db_nmap -p 80,135,139,445,902,912,1026,1028,3865,5357,8222,8333,9127,9704,21112,23791,23943 10.20.30.40

      Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-23 10:28 EDT
      Interesting ports on misos (10.20.30.40):
      PORT      STATE    SERVICE
      80/tcp    open     http
      135/tcp   open     msrpc
      139/tcp   open     netbios-ssn
      445/tcp   open     microsoft-ds
      902/tcp   open     iss-realsecure
      912/tcp   open     unknown
      1026/tcp  open     LSA-or-nterm
      1028/tcp  open     unknown
      3865/tcp  open     unknown
      5357/tcp  open     unknown
      8222/tcp  open     unknown
      8333/tcp  open     unknown
      9127/tcp  filtered unknown
      9704/tcp  filtered unknown
      21112/tcp open     unknown
      23791/tcp filtered unknown
      23943/tcp filtered unknown
      MAC Address: 00:14:C1:4C:53:DC (U.S. Robotics)

      Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
      msf >

      The low hanging fruit would be to try autopwn, but that would be the easy way out. Not only the easy way out, but you’ve accomplished nothing (besides, I don’t believe you’re allowed to use Metasploit or autopwn during the exam… I don’t recall). You’ve done your --version_trace, so you already know that there is no need to run ALL http-based exploits against this machine anyway. Think about autopwn and how it will work. It’s pointless, as an Apache exploit won’t work on IIS7; secondly, it’s noisy, so autopwn is useless. You DID get specifics on your scan, so you should perform a search on those specifics:

      msf > search oracle
      [*] Searching loaded modules for pattern 'oracle'...

      Remember, my recon told me Oracle was running here. So now I have a choice, I could tamper with Oracle, check exploit-db, CVSS lists, milw0rm, etc.


      # find /pentest/exploits/framework3/modules/exploits/windows|xargs grep 9127

      No luck with finding an exploit that targets Oracle on that port (9127) or any other exploit that uses that port. It all depends on various factors when I perform a pentest. Usually I try not to rely too deeply on specific tools and when I do, I use them in lesser known methods. I’ve yet to see many people use tools like Scapy and even nmap at their finest usage. I suggest understanding the relationship between tools, ports, etc., before wandering aimlessly (and I don’t mean that in a derogatory way).

      When I did my recon for the exam,  I literally had Open Office open posting the output to ALL services I found on the servers. Then I began focusing on what I saw and ONLY what I saw in regards to versions, the operating system running those versions, etc. Same applies to my real world work. When I do recon now, I try to get EVERY little morsel of information I can from every possible source before I even think of an exploitable method for those processes.

      http://www.google.com/search?q=oracle+9704+%2Bexploit+%2Bbi&btnG=Search&hl=en&client=firefox-a&hs=uvm&rls=org.mozilla%3Aen-US%3Aofficial&sa=2

      Why lookie here: http://netifera.com/research/ (POET). You won’t get that information from the content on the OSCP, but I don’t believe there is anything telling you that you CAN’T use other tools. I do believe though that you can’t use metasploit, autopwn and/or Core Impact and/or Canvas. (That is of course if you have Core or Canvas.) Things may have changed though; I took the exam in 07 or 08 (don’t remember).

    • #33304
      caissyd
      Participant

      Sil, I have to pay you a beer!!!  😀

      I will spend as much time as I can in the next few days applying these words of wisdom in the lab!!!

      I can’t try anything at work today, but I can’t wait to be home!!!

      I really appreciate your comments…

    • #33305
      Ignatius
      Participant

      Hey sil, I’ve been watching this thread with great interest.  Thank you for your thorough and logical presentation of what you’d do and why.  I see comments on other sites about simply following recipe 1), 2) then 3) to penetrate a system but that is far too simplistic.  I’d rather understand what’s happening “under the hood”, exactly what I’m doing and why, so I can apply the principles to another system.

      I’ll keep an eye on further fascinating developments …

    • #33306
      Dengar13
      Participant

      Agreed.  Sil, you truly are an asset to this site.  Thank you.

    • #33307
      sil
      Participant

      @Dengar13 wrote:

      Agreed.  Sil, you truly are an asset to this site.  Thank you.

      Thanks to both you and Ignatius. I just try to offer a different perspective on things. Tools are cool; no one can get by without them. Understanding their place and value should come first. I come from a system/network administration background, almost exclusively on *nix-based systems (Solaris, BSD, Linux… Google + Archive.org would attest to this), so I take an administrative + security approach. I’ve always tried to do – without… Meaning, replicating tools without using them, because after all, most tools are prettified command line scripts anyway; you just have to be familiar with what commands to use.

      I argued slash debated at one point about using specific tools because they were noisy. Most IPS/IDS, even home-based firewalls, will smell nmap coming a mile away, let alone any scanner. That doesn’t mean I couldn’t run, say, netcat in a sleep script. With netcat I’m less likely to trigger an alarm, for one; secondly, if I’m already on a machine, there is no need to introduce programs that may trigger a HIPS. Sort of “tai chi” the machine’s own self.

      I also threw this same concept out before as an “all inclusive” backdoor retainer: http://www.infiltrated.net/scripts/plague the concept was based off of simple files already on a system (no need to download and trigger any alarms). Would be completely undetectable by AV. I did this in response to a few things at the time… To prove a point to an engineer at Symantec during Joanna Rutkowska’s Red Pill Blue Pill dare. It was said that an undetectable backdoor couldn’t be made… I made one then the contest was “re-described” to state an “undetectable backdoor hook for ring0” couldn’t be made. 🙁 How sad… I could have won 10k for a 4 liner.

      The point I’m trying to make sometimes is, understand as best as possible what you are doing (stay focused and be extremely versatile). Things fall into place after some practice. Heck on a daily basis I almost always say: “Aha!!!!” and learn something new. This to me is the beauty of security – so vast… Networking, forensics, reverse engineering, scripting… There is always something to do and something new to learn. I’ve been fortunate enough to know a lot of people through the years and have always despised those who thought they were “too leet/good” to share.

      Heck I learn from anyone I can. You never know what you might miss being shortsighted/arrogant/elitist. On the flip side, my descriptions at times tend to seem arrogant. I don’t mean to post that way, just the way I am 😉

    • #33308
      caissyd
      Participant

      Sil, you don’t sound arrogant at all!

      There was an earthquake this afternoon in Ottawa, Canada and the government sent us home (even if NOTHING happened!!!). Anyway I got home early and have been applying what you said for the last hour. I am sooooooo new to this world!

      My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.

      But as you mentioned, that’s why I love it so much: you never stop learning!

      All that to say, a server in the lab I thought had 9 ports open really has… 24 listening services! Oh well, back to work now! ;D

    • #33309
      sil
      Participant

      @H1t M0nk3y wrote:

      My background is developing web applications, so I understand the code very well, but there is a steep learning curve to many, many things in this field.

      When it comes to programming… I only program what I need to run (specifics), so I’m very sharp at creating something I specifically need; however, this is usually because a) I’ve either done it so many times I felt a need to program something so I don’t have to keep doing it, or b) I can re-hash/re-use existing code (why reinvent wheels). I have little patience to go out and be a programmer. I try to gain enough of an understanding to get a job done. It’s only now that I’m literally poring over ASM from scratch, not to program in ASM, but to understand reversing a bit more. At the same time it’s a bit difficult for me because I can’t devote as much time as I’d like to it.

Copyright ©2020 Caendra, Inc.
