CNIT 124: Ch 8: Exploitation
2 likes903 views
The document discusses various advanced ethical hacking techniques, including exploitation methods using Metasploit payloads, exploiting vulnerable services like WebDAV and phpMyAdmin, and downloading sensitive files through directory traversal. It also describes methods for creating and deploying malicious PHP scripts, managing SQL databases with phpMyAdmin, and using tools like Nmap and TFTP for attacks. Finally, it covers exploiting third-party software and compromised services within a penetration testing context.
CNIT 124: Ch 8: Exploitation
- 1. CNIT 124: Advanced Ethical Hacking Ch 8: Exploitation
- 2. Topics • Metasploit Payloads • Exploiting WebDAV Default Credentials • Exploiting Open phpMyAdmin • Downloading Sensitive Files
- 3. Topics • Exploiting a Buffer Overflow in Third-Party Software • Exploiting Third-Party Web Applications • Exploiting a Compromised Service • Exploiting Open NFS Shares
- 5. msf> show payloads • Shows all payloads • If after use it only shows payloads compatible with that exploit
- 7. Staged Payloads • Loads small first stage downloader • Downloads larger payload
- 8. Inline Payloads • Whole payload delivered immediately
- 9. Meterpreter • Custom payload for Metasploit • Resides in memory • Loaded by reflective dll injection • Uses TLS encryption • Useful commands like getsystem and hashdump
- 11. Nmap Scan
- 12. WebDAV • Web Distributed Authoring and Versioning – An extension to HTTP – Allows developers to easily upload files to Web servers
- 13. XAMPP • A convenient way to run a LAMP server on Windows – LAMP: Linux, Apache, MySQL, and PHP • Includes WebDAV, turned on by default, with default credentials – In older versions
- 14. Cadaver • A command-line tool to use WebDAV servers • Default credentials allow file uploads
- 15. Website Defacement • Violates integrity, but not as powerful as Remote Code Execution
- 16. Upload a PHP File • PHP file executes on the server! • This is Remote Code Execution
- 17. Msfvenom Creates Malicious PHP File • msfvenom -l payloads to see all payloads • msfvenom -p php/meterpreter/ reverse_tcp -o to see options
- 18. Msfvenom Creates Malicious PHP File
- 19. Upload and Run • Using cadaver, put meterpreter.php • Browse to it in a Web browser to execute it
- 22. Purpose • phpMyAdmin provides a convenient GUI • Allows administration of SQL databases
- 23. phpMyAdmin
- 24. Should be Protected • phpMyAdmin should be limited-access – With a Basic Authentication login page, or a more secure barrier
- 25. SQL Query • Can write text to a file • This allows defacement
- 26. PHP Shell • Can execute one line of CMD at a time
- 27. Downloading a File with TFTP • We need some way to download another attack file to the target using the command-line • Windows lacks "wget" (although you can use bitsadmin) • Another solution: TFTP
- 29. Staged Attack • Initial attack sends a very small bit of code, such as a single line of CMD • That attack connects to a server and downloads more malicious code • Very commonly used by malware
- 31. Using FTP (Not in Book)
- 32. FTP Server in Metasploit
- 33. FTP Scripts • File contains text to be executed by command-line FTP client
- 34. Making the Script File with SQL
- 35. Run the FTP –s:script Command • More methods at link Ch 8w
- 36. Owned
- 38. Directory Traversal • Zervit allows you to browse the file system • Restart Win2008-124 VM • Start Zervit on port 3232
- 39. Zervit • Shows folders in C:Program Files
- 40. Download Filezilla XML File • Contains MD5 password hashes
- 41. SAM and SYSTEM • C:Windowssystem32configSAM • System Accounts Manager • Contains password hashes • Encrypted • C:Windowssystem32configSYSTEM • Contains encryption key
- 42. Traverse to Them
- 43. Zervit Can't Access Them
- 44. C:WindowsRepair • Contained backups of SAM and SYSTEM in Windows XP • But not in Server 2008 • We'll have to get password hashes another way, later
- 45. Exploiting a Buffer Overflow in Third-Party Software
- 46. SLMail • Textbook uses an SLmail exploit from 2003 • But it seems not to run on Server 2008 • Just normal Metasploit procedure, same as other exploits • Nothing to see here
- 48. TikiWiki • Textbook exploits TikiWiki on a Linux target we're not using • Again, normal Metasploit process • Only difference: php payloads, like • php/meterpreter/reverse_tcp
- 50. Metasploitable Target • Nmap shows vsftpd 2.3.4
- 52. Install FTP • Kali doesn't have "ftp" by default • apt install ftp
- 53. Smileyface in Username • x
- 54. Exploiting Open NFS Shares
- 55. Nmap Shows nfs
- 57. nmap --script=nfs-ls • Error message appears below this, ignore it
- 58. Install nfs-common • Required to mount nfs shares from Kali • apt-get update • apt-get install nfs-common
- 59. SSH Keys in .ssh Directory
- 60. Authorized Keys • Public keys which allow login as msfadmin
- 62. Add to Authorized Keys
- 63. Connect with SSH
- 64. Move to /tmp/mount/root/.ssh • Log in as root