eJPT - 3.2 Network Based Attacks

Hmad

Network Attacks

View the fundamentals of networking here - Footprinting & Scanning Page.

SMB & NetBIOS Enumeration

While NetBIOS and SMB were once closely linked, modern networks rely primarily on SMB for file and printer sharing, often using DNS and other mechanisms for name resolution instead of NetBIOS. Modern implementations of Windows primarily use SMB and can work without NetBIOS; however, NetBIOS over TCP port 139 is still required for backward compatibility, and the two are often enabled together.

View some of the notes for this section here - Enumeration Page.

SMB

SMB provides features for file and printer sharing, named pipes and inter-process communication (IPC). It allows users to access files on remote computers as if they were local. SMB has several versions:

  • SMB 1.0 - the original version, which had security vulnerabilities. Was used with Windows XP.

  • SMB 2.0/2.1 - introduced with Windows Vista, Server 2008. Had improved performance and security.

  • SMB 3.0+ - introduced with Windows 9, Server 2012. Added features like encryption, multi-channel support and improvements for virtualization.

SMB normally uses 445 for direct SMB traffic (bypassing NetBIOS) and port 139 when operating with NetBIOS.

NetBIOS

NetBIOS is an API and a set of network protocols for providing communication services over a local network. It's used primarily to allow applications on different computers to find and interact with each other on a network. It offers 3 primary services:

  1. Name Service (NetBIOS-NS) - allows computers to register, unregister and resolve names in a local network

  2. Datagram Service (NetBIOS-DGM) - supports connectionless communication and broadcasting

  3. Session Service (NetBIOS-SSN) - supports connection-oriented communication for more reliable data transfers

NetBIOS typically uses ports 137 (NS), 138 (DGM) and 139 (SSN) over UDP and TCP.

Lab Notes

In this case, we have two Windows systems to attack. We will be able to access the second system by pivoting from the first machine.

We can use a tool called nbtscan to scan networks for NetBIOS name information. You could also use nmblookup and specify an IP using the -A flag. In this case neither of these tools will work.

Once we have run our Nmap service version detection scan, we can use an Nmap script called smb-protocols to enumerate which versions of SMB the target accepts. We can also check the security level of SMB on a target with the smb-security-mode Nmap script. To search for Nmap scripts:

ls -al /usr/share/nmap/scripts/ | grep -e "smb"

Once we've identified what versions of SMB are accepted on the target and the security level, we can test whether anonymous (null session) login is allowed using smbclient. This works, and we can see all the share names.

Since we can log in anonymously and the system is running SMBv1, we can enumerate the users with the Nmap script smb-enum-users. With the usernames gathered, we can brute-force passwords for those accounts. First, create a file called users.txt containing those usernames, then use Hydra to brute-force passwords against the SMB service.

Once we have obtained credentials, we can use PsExec or the Metasploit module to get a meterpreter session on the target system. Now that we have a meterpreter session, we can ping the second target system. We can then configure the network route:

run autoroute -s (subnet of ip of target2)

We will now use the Metasploit module socks_proxy. We will also use proxychains on our Kali machine to run an Nmap scan on the second target through the pivot.

proxychains nmap demo1.ine.local -sT -Pn -sV -p445

Now using our original meterpreter session, we can use net view to see what resources are shared. Now that we can see what shares are available, we can map those disks to our system by running the following:

net use D: \\target_ip\diskname

Now that they are on our system, we can navigate to them and view the contents.
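The smb-protocols and smb-security-mode output described above is also what a defender checks when hardening a host. As an added example that is not part of the original post, this script parses a constructed sample of that Nmap output (the format those two NSE scripts print) and turns it into hardening findings: SMBv1 still offered, signing not required, guest sessions accepted.

```python
import re

# Constructed Nmap output in the format printed by the smb-protocols and
# smb-security-mode NSE scripts; not captured from the lab in this post.
NMAP_SAMPLE = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|_    3.00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

def parse_nse(output):
    """Group NSE script output by script name: {'smb-protocols': [lines], ...}."""
    scripts, current = {}, None
    for line in output.splitlines():
        head = re.match(r"^\|_?\s([\w-]+):\s*$", line)   # "| smb-protocols: " opens a block
        if head:
            current = head.group(1)
            scripts[current] = []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return scripts

def smb_findings(output):
    """Return (dialects offered, hardening findings) from the two scripts' output."""
    s = parse_nse(output)
    findings = []
    dialects = [d for d in s.get("smb-protocols", []) if d != "dialects:"]
    if any("SMBv1" in d or d.startswith("NT LM") for d in dialects):
        findings.append("SMBv1 dialect offered: disable it (the anonymous user enumeration above relied on it)")
    for item in s.get("smb-security-mode", []):
        key, _, val = item.partition(": ")
        if key == "account_used" and val in ("guest", "anonymous"):
            findings.append(f"{val} session accepted: anonymous share and user enumeration possible")
        if key == "message_signing" and not val.startswith("required"):
            findings.append(f"SMB signing {val.split(' ')[0]}: set it to required to defeat relay attacks")
    return dialects, findings
```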

SNMP Enumeration

SNMP stands for Simple Network Management Protocol. It's a widely used protocol for monitoring and managing several networked devices, such as routers, switches, etc. It allows network administrators to query devices for status information, configure certain settings and receive alerts or traps when specific events occur.

It's an application layer protocol that typically uses UDP for transport. It involves 3 primary components:

  • SNMP manager - the system responsible for querying and interacting with SNMP agents on networked devices

  • SNMP agent - software running on networked devices that responds to SNMP queries and sends traps

  • MIB (Management Information Base) - a hierarchical database that defines the structure of data available through SNMP and each piece of data has a unique OID (Object Identifier)

It also has several versions:

  • v1 - earliest version, relies on community strings (passwords) for authentication

  • v2 - improved version with support for bulk transfers, relies on passwords for authentication

  • v3 - introduced security features, encryption, message integrity and user-based authentication

It mainly runs on:

  • Port 161 - which is used for SNMP queries

  • Port 162 - which is used for SNMP traps (notifications)

In penetration testing, we need to query SNMP-enabled devices to gather information useful for identifying potential vulnerabilities, misconfigurations or attack vectors. Key objectives:

  • Identify SNMP enabled devices

  • Extract system information

  • Identify SNMP community strings (i.e. passwords)

  • Retrieve network configurations

  • Collect user and group information

  • Identify services and applications
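Because v1 and v2c put the community string in the clear, a defender can see the same thing on the wire that the enumeration above relies on. As an added example that is not part of the original post, this script decodes the BER header of an SNMP message (version, community string, PDU type) and flags the weak configuration it reveals; the two packets are constructed by hand, with a request-id chosen for the example.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER tag-length-value at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return (version name, community or None for v3, PDU tag byte or None)."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = VERSION_NAMES.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                    # v3 carries security parameters, not a community string
        return version, None, None
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return version, community.decode("latin-1"), body[pos]

def snmp_findings(packet):
    """Triage one captured UDP/161 payload: what it reveals about the agent's configuration."""
    version, community, pdu_tag = parse_snmp_header(packet)
    findings = []
    if version in ("v1", "v2c"):
        findings.append(f"{version}: community string sent in cleartext, no integrity or encryption")
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{community}' in use")
        if pdu_tag == 0xA3:                # SetRequest-PDU: write access guarded only by the community
            findings.append("SetRequest over community auth: read-write community exposed")
    return version, community, findings

# Constructed SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0), community "public"
GET_V1_PUBLIC = bytes.fromhex(
    "3029" "020100" "04067075626c6963"              # SEQUENCE, version 0, "public"
    "a01c" "02041a2b3c4d" "020100" "020100"          # GetRequest, request-id, error-status, error-index
    "300e" "300c" "06082b06010201010100" "0500"     # VarBindList, VarBind, OID, NULL value
)
# The same request as SNMPv2c with community "private"
GET_V2C_PRIVATE = bytes.fromhex(
    "302a" "020101" "040770726976617465"
    "a01c" "02041a2b3c4d" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500"
)
```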

After our Nmap scan, we can see that port 161 is open and that it's running v1. We can use the Nmap script snmp-brute like the following:

nmap -sU -p161 --script=snmp-brute target_ip

We can use the tool snmpwalk to extract more information from SNMP that we previously couldn't without the community string. It's an SNMP application that uses SNMP GETNEXT requests to walk a subtree of the MIB.

snmpwalk -v (version of SNMP) -c (the community string) target_ip

The raw data it outputs is hard to read. So, instead, we can run all the SNMP Nmap scripts against the target and save the result to a file.

nmap -sU -p161 --script snmp-* target_ip > snmp_info

After running this, we can see what users are on the system and then leverage this to perform a brute-force attack and gain credentials. We can then log in to the system via PsExec or the Metasploit module psexec to access the system via SMB.

SMB Relay Attack

This is a type of network attack where an attacker intercepts SMB traffic, manipulates it and relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions. This is common in Windows environments.

The attacker sets up a man-in-the-middle position between the client and the server. This can be done using various techniques, such as ARP spoofing, DNS poisoning or setting up a rogue SMB server. When a client connects to a legitimate server via SMB, it sends authentication data. The attacker captures this data, which might include NTLM hashes.

Instead of cracking the captured NTLM hash, the attacker relays it to another server that trusts the source. This allows the attacker to impersonate the user whose hash was captured. Alternatively, we can use this NTLM hash to log in to the SMB server. If the relay is successful, the attacker can gain access to the resources on the server, which might include sensitive files, databases or administrative privileges. This access can lead to further lateral movement within the network, compromising additional systems.

We will set up the SMB relay via a Metasploit module called smb_relay. Now that we have the relay pointed at our target system, we can move on to the next step. We create a new file containing DNS records, with a wildcard entry so that every hostname under the target's domain resolves to our IP:

echo "172.16.5.101 *.sportsfoo.com" > dns

We can now use dnsspoof on our interface eth1 with the file containing the DNS record we just created. This will answer every request for the target domain with our system's address.

dnsspoof -i eth1 -f dns

We can now set up the man-in-the-middle attack by utilizing ARP spoofing. Our goal is to poison the traffic between our victim (Windows 7 system) and the default gateway. This will allow us to manipulate the traffic via dnsspoof. Firstly, we need to enable IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Now, in 2 separate terminals, we will set up our ARP spoof against both the Windows 7 system and the gateway.

Terminal 1
arpspoof -i eth1 -t 172.16.5.5 (Windows 7) 172.16.5.1 (Gateway)

Terminal 2
arpspoof -i eth1 -t 172.16.5.1 (Gateway) 172.16.5.5 (Windows 7)

Every time the Windows 7 system sends an SMB request or connection to the gateway, it's intercepted by dnsspoof, which forges replies telling it that the hostname it is looking for resolves to our system. Now, the Metasploit module will grab those NTLM hashes and use them to get a shell or a meterpreter session.
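The two arpspoof terminals above leave a very recognisable trace on the segment: the gateway's IP and the victim's IP both suddenly map to one new MAC, and that mapping is re-announced every couple of seconds. As an added example that is not part of the original post, this detector replays a constructed list of ARP replies (made-up MACs, the lab's 172.16.5.x addresses) and raises the alerts a tool such as arpwatch or a switch's dynamic ARP inspection would.

```python
from collections import defaultdict

# Constructed ARP reply records as a sniffer on the segment would see them:
# (seconds, sender IP, sender MAC). The MACs are made up for this example.
ARP_REPLIES = [
    (0.0, "172.16.5.1", "00:11:22:33:44:01"),    # gateway answers a normal request
    (0.5, "172.16.5.5", "00:11:22:33:44:05"),    # Windows 7 host answers a normal request
    (10.0, "172.16.5.1", "00:11:22:33:44:AA"),   # gateway IP now claimed by a different MAC
    (10.0, "172.16.5.5", "00:11:22:33:44:AA"),   # and the victim IP by that same MAC
    (12.0, "172.16.5.1", "00:11:22:33:44:AA"),   # unsolicited re-announcements keep the cache poisoned
    (14.0, "172.16.5.1", "00:11:22:33:44:AA"),
]

def detect_arp_spoof(replies, gateway_ip, repeat_threshold=3):
    """Return alert strings for IP-to-MAC flips, one MAC claiming several IPs, and repeated replies."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    repeats = defaultdict(int)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev and prev != mac:              # a known binding changed: classic cache-poisoning sign
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"[{sev}] t={ts:.1f}s {ip} changed {prev} -> {mac}")
        ip_to_mac[ip] = mac
        claimed = mac_to_ips[mac]
        if claimed and ip not in claimed:     # one MAC answering for two hosts = man-in-the-middle
            alerts.append(f"[HIGH] t={ts:.1f}s {mac} now claims {sorted(claimed | {ip})}")
        claimed.add(ip)
        repeats[(ip, mac)] += 1
        if repeats[(ip, mac)] == repeat_threshold:
            alerts.append(f"[LOW] {ip} via {mac} announced {repeat_threshold} times (gratuitous ARP flood?)")
    return alerts
```

Static ARP entries for the gateway and, for the relay itself, SMB signing set to required are the mitigations that make these packets harmless even when they are not detected.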


That’s it for this section. Next one up is the CTF or skill check that iNE has put up.

— Hmad
