PEH Capstone - Google Drive
Walkthrough
Gaining a Foothold
Nmap
┌──(root㉿kali)-[~]
└─# nmap -T4 -p- -A 192.168.88.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 02:44 EDT
Nmap scan report for 192.168.88.130
Host is up (0.00055s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:67:E0:8C (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -1d03h07m44s, deviation: 2h18m33s, median: -1d04h27m44s
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:67:e0:8c (VMware)
| smb2-time:
| date: 2023-10-31T02:18:37
|_ start_date: 2023-10-31T02:13:56
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: WIN-845Q99OO4PP
| NetBIOS computer name: WIN-845Q99OO4PP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-10-30T22:18:37-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.88.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.09 seconds
┌──(root㉿kali)-[~]
└─# nmap --script smb-vuln* -p 445 192.168.88.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 02:57 EDT
Nmap scan report for 192.168.88.130
Host is up (0.00052s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:67:E0:8C (VMware)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 5.35 seconds
Remote Code Execution vulnerability
192.168.88.130 is vulnerable to remote code execution in Microsoft SMBv1 servers (MS17-010, CVE-2017-0143)
EternalBlue SMB Remote Windows Kernel Pool Corruption
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/
This is the same bug the WannaCry (WannaCrypt) worm used to spread in May 2017
https://msrc.microsoft.com/blog/2017/05/customer-guidance-for-wannacrypt-attacks/
Also worth noting from the first scan: smb2-security-mode reports message signing enabled but not required, so the host will accept relayed NTLM sessions, and Windows 7 SP1 has been out of support since January 2020, so none of this will ever be patched
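To turn a scan like the two above into a prioritised list instead of eyeballing it, the following script triages nmap's plain text report (not -oX XML) for the SMB findings that matter: open ports, signing posture, any smb-vuln-* script that reports State: VULNERABLE, and an operating system that is past end of support. This is an added example and not code from the walkthrough notes or from nmap; the sample report is constructed from the scan lines shown above, the parser relies on nmap's convention that the last line of each NSE script's output begins with "|_", and the Windows 7 end-of-support date (14 January 2020) is the one external fact it assumes.

```python
"""Triage nmap -A / --script smb-vuln* text output for the SMB findings that matter.

Added example; not part of the original notes. Parses the normal nmap report format
using the "|_" marker nmap puts on the last line of every NSE script's output.
"""
import re
from dataclasses import dataclass, field

# Constructed from the scan output shown in the notes (whitespace collapsed as on the page).
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| Computer name: WIN-845Q99OO4PP
|_ System time: 2023-10-30T22:18:37-04:00
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
VULN_STATE_RE = re.compile(r"^State:\s+(LIKELY\s+)?VULNERABLE")  # excludes "NOT VULNERABLE"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumption: these product families are past Microsoft's extended-support end date
# (Windows 7 / Server 2008 R2: 2020-01-14).
EOL_OS = ("Windows 7", "Windows Server 2008", "Windows XP", "Windows Server 2003")


@dataclass
class Finding:
    severity: str
    title: str
    evidence: str


@dataclass
class Triage:
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)
    findings: list = field(default_factory=list)


def parse_ports(lines):
    """Collect open ports from the PORT/STATE/SERVICE/VERSION table."""
    ports = {}
    for ln in lines:
        m = PORT_RE.match(ln.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), (m.group(5) or "").strip())
    return ports


def parse_scripts(lines):
    """Group NSE output into {script_name: [body lines]} using the |_ end marker."""
    scripts, block = {}, []
    for ln in lines:
        s = ln.rstrip()
        if not s.startswith("|"):
            continue
        block.append(s.lstrip("|_ ").strip())
        if s.startswith("|_"):  # last line of this script's output
            name, _, rest = block[0].partition(":")
            scripts[name.strip()] = [b for b in [rest.strip()] + block[1:] if b]
            block = []
    return scripts


def triage(report):
    """Return open ports plus findings ordered critical > high > medium."""
    lines = report.splitlines()
    t = Triage(open_ports=parse_ports(lines))
    scripts = parse_scripts(lines)

    # Signing "enabled but not required" (or disabled) makes the host an NTLM relay target.
    signing = " ".join(scripts.get("smb2-security-mode", []) + scripts.get("smb-security-mode", []))
    if "not required" in signing or "disabled" in signing:
        t.findings.append(Finding("medium", "SMB signing not enforced (NTLM relay target)", signing))

    # Any smb-vuln-* script whose output contains State: VULNERABLE / LIKELY VULNERABLE.
    for name, body in scripts.items():
        if name.startswith("smb-vuln-") and any(VULN_STATE_RE.match(b) for b in body):
            cves = sorted(set(CVE_RE.findall(" ".join(body))))
            desc = body[1] if len(body) > 1 else body[0]
            t.findings.append(Finding("critical", f"{name} ({', '.join(cves) or 'no CVE listed'})", desc))

    # An unsupported OS means the findings above will never be fixed by patching.
    os_line = next((b for b in scripts.get("smb-os-discovery", []) if b.startswith("OS:")), "")
    if any(os_line.startswith(f"OS: {eol}") for eol in EOL_OS):
        t.findings.append(Finding("high", "Operating system past end of support", os_line))

    order = {"critical": 0, "high": 1, "medium": 2}
    t.findings.sort(key=lambda f: order[f.severity])
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for port, (svc, ver) in sorted(result.open_ports.items()):
        print(f"{port:>5}/tcp {svc:<12} {ver}")
    for f in result.findings:
        print(f"[{f.severity.upper()}] {f.title}\n    {f.evidence}")
```

Pipe a saved scan in with `python3 triage.py < scan.txt` after swapping SAMPLE_REPORT for `sys.stdin.read()`; for anything beyond a lab, run nmap with `-oX` and parse the XML instead, since the text format is meant for humans and its indentation is what this parser deliberately ignores.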
Undetected Malicious Activity
Scanning, SMB Brute Force
Exploitation
SMB - eternalblue
192.168.88.130
Manual - AutoBlue MS17-010
192.168.88.132 is not patched
AutoBlue launched but it blue-screened 192.168.88.132
A perfect example of why you don't run this in a real environment: the exploit corrupts kernel pool memory, and when it misses the target crashes instead of handing over a shell. In the lab, snapshot the VM first so a crash is a revert rather than a rebuild
If it was a hospital system, this could have a life-threatening impact
Video
When you click the link below, it will start from the Blue Walkthrough.
Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
Chapters:
0:00 - Introduction
0:17 - Hunting Subdomains Part 1
5:54 - Hunting Subdomains Part 2
10:46 - Identifying Website Technologies
17:57 - Gathering Information w/ Burp Suite
26:49 - Google Fu
32:24 - Utilizing Social Media
38:05 - Installing Kioptrix
44:28 - Scanning w/ Nmap
1:04:16 - Enumerating HTTP/HTTPS Part 1
1:19:22 - Enumerating HTTP/HTTPS Part 2
1:34:35 - Enumerating SMB
1:48:59 - Enumerating SSH
1:53:11 - Researching Potential Vulnerabilities
2:08:05 - Our Notes So Far
2:11:15 - Scanning w/ Nessus Part 1
2:21:54 - Scanning w/ Nessus Part 2
2:28:07 - Reverse Shells vs Bind Shells
2:35:12 - Staged vs Non-Staged Payloads
2:38:37 - Gaining Root w/ Metasploit
2:46:21 - Manual Exploitation
2:59:06 - Brute Force Attacks
3:07:00 - Credential Stuffing & Password Spraying
3:21:07 - Our Notes, Revisited
3:24:56 - Downloading Our Materials
3:30:17 - Buffer Overflows Explained
3:34:29 - Spiking
3:44:46 - Fuzzing
3:50:59 - Finding the Offset
3:56:22 - Overwriting the EIP
3:59:51 - Finding Bad Characters
4:07:46 - Finding the Right Module
4:16:16 - Generating Shellcode and Gaining Root
4:22:16 - Python3 and More
4:36:01 - Capstone Introduction
4:41:47 - Setting up Blue
4:45:48 - Blue Walkthrough
5:02:53 - Academy Setup
5:05:22 - Academy Walkthrough
5:49:46 - Dev Walkthrough
6:15:10 - Butler Walkthrough
6:51:33 - Blackpearl Walkthrough
7:15:08 - Conclusion
Full Course: https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
All Course Resources/Links: https://github.com/Gr1mmie/Practical-Ethical-Hacking-Resources
Credits: the "Blue" capstone machine was created by Joe Helle; "Academy", "Dev" and "Black Pearl" by Alek.