PEH Capstone - Google Drive
drive.google.com
Walkthrough
Gaining a Foothold
Nmap
┌──(root㉿kali)-[~]
└─# nmap -T4 -p- -A 192.168.88.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 02:44 EDT
Nmap scan report for 192.168.88.130
Host is up (0.00055s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:67:E0:8C (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -1d03h07m44s, deviation: 2h18m33s, median: -1d04h27m44s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:67:e0:8c (VMware)
| smb2-time:
| date: 2023-10-31T02:18:37
|_ start_date: 2023-10-31T02:13:56
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-30T22:18:37-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.88.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.09 seconds
┌──(root㉿kali)-[~]
└─# nmap --script smb-vuln* -p 445 192.168.88.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 02:57 EDT
Nmap scan report for 192.168.88.130
Host is up (0.00052s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:67:E0:8C (VMware)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 5.35 secondsRemote Code Execution vulnerability
192.168.88.130 vulnerable to remote code execution in Microsoft SMBv1 servers (ms17-010)
EternalBlue SMB Remote Windows Kernel Pool Corruption
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/
This can lead to WannaCrypt attacks
https://msrc.microsoft.com/blog/2017/05/customer-guidance-for-wannacrypt-attacks/
Undetected Malicious Activity
Scanning, SMB Brute Force
Exploitation
SMB - eternalblue
192.168.88.130
Manual - AutoBlue MS17-010
192.168.88.132 is not patched
Autoblue launched but it blue-screened 192.168.88.132
A perfect example of why you don’t run this in a real environment
If it was a hospital system, this could be have a life-threatening impact
Video
When you click the link below, it will start from the Blue Walkthrough.
Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
0:00 - Introduction 0:17 - Hunting Subdomains Part 1 5:54 - Hunting Subdomains Part 2 10:46 - Identifying Website Technologies 17:57 - Gathering Information w/ Burp Suite 26:49 - Google Fu 32:24 - Utilizing Social Media 38:05 - Installing Kioptrix 44:28 - Scanning w/ Nmap 1:04:16 - Enumerating HTTP/HTTPS Part 1 1:19:22 - Enumerating HTTP/HTTPS Part 2 1:34:35 - Enumerating SMB 1:48:59 - Enumerating SSH 1:53:11 - Researching Potential Vulnerabilities 2:08:05 - Our Notes So Far 2:11:15 - Scanning w/ Nessus Part 1 2:21:54 - Scanning w/ Nessus Part 2 2:28:07 - Reverse Shells vs Bind Shells 2:35:12 - Staged vs Non-Staged Payloads 2:38:37 - Gaining Root w/ Metasploit 2:46:21 - Manual Exploitation 2:59:06 - Brute Force Attacks 3:07:00 - Credential Stuffing & Password Spraying 3:21:07 - Our Notes, Revisited 3:24:56 - Downloading Our Materials 3:30:17 - Buffer Overflows Explained 3:34:29 - Spiking 3:44:46 - Fuzzing 3:50:59 - Finding the Offset 3:56:22 - Overwriting the EIP 3:59:51 - Finding Bad Characters 4:07:46 - Finding the Right Module 4:16:16 - Generating Shellcode and Gaining Root 4:22:16 - Python3 and More 4:36:01 - Capstone Introduction 4:41:47 - Setting up Blue 4:45:48 - Blue Walkthrough 5:02:53 - Academy Setup 5:05:22 - Academy Walkthrough 5:49:46 - Dev Walkthrough 6:15:10 - Butler Walkthrough 6:51:33 - Blackpearl Walkthrough 7:15:08 - Conclusion Full Course: https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course All Course Resources/Links: https://github.com/Gr1mmie/Practical-Ethical-Hacking-Resources A shout out to all those involved with helping out on this course: Alek - Creating "Academy", "Dev", and "Black Pearl" Capstone machines and a Discord Admin. Dewalt, Yaseen, Likith, and Tuk - The five star support team. Dwight - Discord Admin and awesome hacker. Grimmie - Creation of SumRecon, lover of cookies, and a Discord Admin. Joe Helle - Creating the "Blue" Capstone machine and the PNPT foothold. The OG support staff and a Discord Admin. Lian - The OG Discord Admin with French Bulldogs I'd like to steal. Rumham - Discord Admin, lover of rum and hams, and overall great guy. ❓Info❓ ___________________________________________ Pentests & Security Consulting: https://tcm-sec.com Get Trained: https://academy.tcm-sec.com Get Certified: https://certifications.tcm-sec.com Merch: https://merch.tcm-sec.com Sponsorship Inquiries: info@thecybermentor.com 📱Social Media📱 ___________________________________________ Twitter: https://twitter.com/thecybermentor Twitch: https://www.twitch.tv/thecybermentor Instagram: https://instagram.com/thecybermentor LinkedIn: https://www.linkedin.com/in/heathadams Discord: https://discord.gg/tcm 💸Donate💸 ___________________________________________ Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor Support the stream (one-time): https://streamlabs.com/thecybermentor My Build: lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1 EVGA 2080TI: https://amzn.to/30d2lj7 MSI Z390 MotherBoard: https://amzn.to/30eu5TL Intel 9700K: https://amzn.to/2M7hM2p G.SKILL 32GB DDR4 RAM: https://amzn.to/2M638Zb My Recording Equipment: Panasonic G85 4K Camera: https://amzn.to/2Mk9vsf Logitech C922x Pro Webcam: https://amzn.to/2LIRxAp Aston Origin Microphone: https://amzn.to/2LFtNNE Rode VideoMicro: https://amzn.to/309yLKH Mackie PROFX8V2 Mixer: https://amzn.to/31HKOMB Elgato Cam Link 4K: https://amzn.to/2QlicYx Elgate Stream Deck: https://amzn.to/2OlchA5 *We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.
youtu.be
