Network penetration testing

In this tutorial we're going to identify the services running on the target server and try to exploit them.

Tools

We will use the following tools:

  1. https://nmap.org/
  2. https://www.openvas.org/
  3. https://www.tenable.com/products/nessus
  4. https://www.metasploit.com/

Metasploitable 2

Download the vulnerable machine from https://sourceforge.net/projects/metasploitable/ and import it into any VM software; I'll be using VirtualBox. In the VM settings set the network adapter to Bridged Adapter and start the machine. Run ifconfig to get the IP address of your vulnerable machine, in my case it is 192.168.0.106.

Identifying live hosts

Typically you are given a set of IP addresses and the first step is to identify which hosts are live. We are using a single machine, so we only have a single IP address.

Run nmap -sn 192.168.0.106:

We can see that our target machine is live. When you have a range of IP addresses you can scan the whole subnet with a CIDR mask, e.g. nmap -sn 192.168.0.106/24

Identifying open ports

Now we should identify open ports and services on those ports.

Run nmap -sS -sV --script=default --top-ports 1000 --version-all -O --osscan-guess -T4 --open -Pn -v 192.168.0.106 for a TCP scan:

Run nmap -sU --top-ports 100 -Pn -v 192.168.0.106 for a UDP scan:

Now we have extensive information about open ports, the services behind them and the operating system.

Vulnerability assessment

Now we're going to use several tools to automate the vulnerability search.

Nmap

Nmap ships with a number of NSE scripts for vulnerability assessment, and third-party scripts can be dropped into its scripts folder.

Vulscan

Clone the vulscan repository https://github.com/scipag/vulscan into your Nmap scripts folder at /usr/share/nmap/scripts. Run nmap -sV --script=vulscan/vulscan.nse 192.168.0.106. You will get a list of ports with related CVEs:

Nmap-vulners

Clone the nmap-vulners repository https://github.com/vulnersCom/nmap-vulners into your Nmap scripts folder at /usr/share/nmap/scripts. Run nmap -sV --script=nmap-vulners/vulners.nse 192.168.0.106. You will again get a list of ports with CVEs:

Vuln

Nmap also has a built-in vuln script category. Run nmap --script=vuln -sV 192.168.0.106 -p 8180 to scan a specific port:

OpenVAS

Run OpenVAS from the Docker image at https://github.com/immauss/openvas. Log in to your OpenVAS account on localhost, create a new task targeting the Metasploitable virtual machine and run the task. You should see the following report after the scan finishes:

Nessus

Nessus is a commercial vulnerability scanner, but its free tier allows scanning up to 16 hosts. Open Nessus on localhost, log in, set up a new Basic Network Scan and run it. After the scan is finished you should see the following report:

Port by port

At this stage we have all the information about services, ports, possible CVEs and possible attack vectors. Now we go port by port and try to perform the following tasks:

  1. Exploit the vulnerability on the port (if one exists)
  2. Privilege escalation
  3. Persistence

Exploiting

Take a look at port 8180, where we can see the Apache Tomcat server. Click on the Status link and Tomcat will ask for a username and password. We can try to brute-force the credentials using Metasploit. Open msfconsole, then run:

You can see the following output:

The default login and password (tomcat/tomcat) seem to work.

Now click Status => enter tomcat as both login and password => List Applications. You can see the Upload button, where we can upload a shell. Run:

You will get a meterpreter session:

Privilege escalation

To get root access we can search for binaries with the SUID bit set. Run:

You will see the following binaries:

Run:

You should see root in the output.

Persistence

There are a few ways to maintain persistence:

  1. Add an SSH key
  2. Server shell (php, etc…)
  3. CRON job
  4. User's .bashrc file
  5. Services
  6. sudoers
  7. SUID files

Report

When all ports have been covered, it is time to write the report. You can find an example report here: https://tcm-sec.com/wp-content/uploads/2021/04/TCMS-Demo-Corp-Security-Assessment-Findings-Report.pdf
