Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne Course Web page: https://samsclass.info/124/124_F17.shtml Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

1. CNIT 124:
Advanced Ethical
Hacking
Ch 8: Exploitation

2. Topics
• Metasploit Payloads
• Exploiting WebDAV Default Credentials
• Exploiting Open phpMyAdmin
• Downloading Sensitive Files

3. Topics
• Exploiting a Buffer Overflow in Third-Party
Software
• Exploiting Third-Party Web Applications
• Exploiting a Compromised Service
• Exploiting Open NFS Shares

4. Metasploit Payloads

5. msf> show payloads
• Shows all payloads
• If after use it only shows payloads
compatible with that exploit

6. Payloads for ETERNALBLUE

7. Staged Payloads
• Loads small first stage downloader
• Downloads larger payload

8. Inline Payloads
• Whole payload delivered immediately

9. Meterpreter
• Custom payload for Metasploit
• Resides in memory
• Loaded by reflective dll injection
• Uses TLS encryption
• Useful commands like getsystem and
hashdump

10. Exploiting WebDAV Default
Credentials

11. Nmap Scan

12. WebDAV
• Web Distributed Authoring and Versioning
– An extension to HTTP
– Allows developers to easily upload files to
Web servers

13. XAMPP
• A convenient way to run a LAMP server on
Windows
– LAMP: Linux, Apache, MySQL, and PHP
• Includes WebDAV, turned on by default,
with default credentials
– In older versions

14. Cadaver
• A command-line tool to use WebDAV
servers
• Default credentials allow file uploads

15. Website Defacement
• Violates integrity, but not as powerful as
Remote Code Execution

16. Upload a PHP File
• PHP file
executes
on the
server!
• This is
Remote
Code
Execution

17. Msfvenom Creates Malicious PHP File
• msfvenom -l payloads to see all payloads
• msfvenom -p php/meterpreter/
reverse_tcp -o to see options

18. Msfvenom Creates Malicious PHP File

19. Upload and Run
• Using cadaver, put meterpreter.php
• Browse to it in a Web browser to execute
it

20. Meterpreter Reverse Shell

21. Exploiting Open phpMyAdmin

22. Purpose
• phpMyAdmin provides a convenient GUI
• Allows administration of SQL databases

23. phpMyAdmin

24. Should be Protected
• phpMyAdmin should be limited-access
– With a Basic Authentication login page, or a
more secure barrier

25. SQL Query
• Can write text to a file
• This allows defacement

26. PHP Shell
• Can execute one line of CMD at a time

27. Downloading a File with TFTP
• We need some way to download another
attack file to the target using the
command-line
• Windows lacks "wget" (although you can
use bitsadmin)
• Another solution: TFTP

29. Staged Attack
• Initial attack sends a very small bit of
code, such as a single line of CMD
• That attack connects to a server and
downloads more malicious code
• Very commonly used by malware

31. Using FTP (Not in Book)

32. FTP Server in Metasploit

33. FTP Scripts
• File contains text to be executed by
command-line FTP client

34. Making the Script File with SQL

35. Run the FTP –s:script Command
• More methods at link Ch 8w

36. Owned

37. Downloading Sensitive Files

38. Directory Traversal
• Zervit allows you to browse the file
system
• Restart
Win2008-124 VM
• Start Zervit
on port 3232

39. Zervit
• Shows folders in
C:Program Files

40. Download Filezilla XML File
• Contains MD5 password hashes

41. SAM and SYSTEM
• C:Windowssystem32configSAM
• System Accounts Manager
• Contains password hashes
• Encrypted
• C:Windowssystem32configSYSTEM
• Contains encryption key

42. Traverse to Them

43. Zervit Can't Access Them

44. C:WindowsRepair
• Contained backups of SAM and SYSTEM in
Windows XP
• But not in Server 2008
• We'll have to get password hashes another
way, later

45. Exploiting a Buffer Overflow in
Third-Party Software

46. SLMail
• Textbook uses an SLmail exploit from 2003
• But it seems not to run on Server 2008
• Just normal Metasploit procedure, same
as other exploits
• Nothing to see here

47. Exploiting Third-Party Web
Applications

48. TikiWiki
• Textbook exploits TikiWiki on a Linux
target we're not using
• Again, normal Metasploit process
• Only difference: php payloads, like
• php/meterpreter/reverse_tcp

49. Exploiting a Compromised
Service

50. Metasploitable Target
• Nmap shows vsftpd 2.3.4

51. Google "vsftpd 2.3.4"

52. Install FTP
• Kali doesn't have "ftp" by default
• apt install ftp

53. Smileyface in Username
• x

54. Exploiting Open NFS Shares

55. Nmap Shows nfs

56. Nmap Script nfs-ls

57. nmap --script=nfs-ls
• Error message appears below this, ignore it

58. Install nfs-common
• Required to mount nfs shares from Kali
• apt-get update
• apt-get install nfs-common

59. SSH Keys in .ssh Directory

60. Authorized Keys
• Public keys which allow login as msfadmin

61. Generate SSH Keys

62. Add to Authorized Keys

63. Connect with SSH

64. Move to /tmp/mount/root/.ssh
• Log in as root