Intro to Internal Exploitation




Say for instance you were doing an audit and you're using an SNMP scanner. By chance let's say SolarWinds, maybe snmpwalk, snmpget, snmpset, ADMsnmp, Net::SNMP etc.; whatever you use is up to you. Personally I believe that layer 2 is very much overlooked, and I've read as much, so I know it to be an issue. Books are published on this but I'm gonna dumb it down so everyone can learn from this. The scenario is an attack on a fictional network; I'm going to introduce you to a couple of sick tools that a lot of others don't use or overlook during a pentest. The first thing I do when I'm testing is to map the network I have in mind: first I do a whois, get the info, look at it and see if it has a NOC. If you know what that is you know what I mean. The reason I'm saying this is because if you are advanced you can own the NOC; I've done it over 10 times on various appliances, and if anyone knows a Juniper router you know the fun in owning one of those lol.


First you must have installed the Vidalia bundle for Linux. If you have done so, run it like this before reading on: ./vidalia or vidalia

After it runs and connects you can issue commands through it with proxychains like this:


sudo proxychains ./programtorun victim




Ok so here is the target network info 
_________________________________________


Domain Name: test.com

Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Status: clientTransferProhibited

Expiration Date: 2013-06-17
Creation Date: 1997-06-18
Last Update Date: 2011-04-18

Name Servers:
ns1.victim.com
ns2.victim2.com


-----------------------------------------------------------

Now I move to do a zone transfer on the target domain to see if I can find out what other targets exist on the network. But mind you, I have already done an audit and know the network info; the zone transfer is just to verify the connectivity of open ports on the remote hosts behind the firewall and to map the ACL of the firewall.

I use

solarwinds, firewalk, snmpwalk, snmpget, ADMSnmp, Nmap, proxychains, tor, vidalia


I'm not going to show what this looks like. If you don't know how to do a zone transfer without using a web-based interface, and you cannot trace an IP packet to its destination, map the intermediate hosts that may be firewalls and determine the network structure, don't bother trying this, because it's going to get deep very quickly. Otherwise it's simple and very easy to follow, just watch:

ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| victim
|S-chain|-<>-127.0.0.1:9050-<><>-tor-router:53-<><>-OK
|DNS-response| victim is 10.30.2.43
traceroute to victim (10.30.2.43), 30 hops max, 60 byte packets
1 192.168.1.22 (192.168.1.22) 0.313 ms 0.324 ms 0.384 ms
2 192.168.1.1 (192.168.1.1) 2.615 ms 7.191 ms 21.306 ms
3 10.1.224.1 (10.1.224.1) 33.639 ms 34.932 ms 38.245 ms
4 10.30.2.43 (10.30.2.43) 35.456 ms 15.232 ms 46.256 ms
5 *FIREWALL*
6 *


So as you can see there is a firewall behind the target. You ask how did I find the victim? A random SNMP scan. So now I have the info from the SNMP scan plus the info I just gathered, and now I can map their entire network. Like I said, I'm not getting into this type of stuff, to ward off skiddies.

Notice that the tor-router is routing our traffic for us and making us anonymous. All you have to do is run vidalia and issue proxychains a command, which is a program to run, that program's options and a target.


Basically I took the IP, did a whois on it, got the nameservers, did a zone transfer and verified the firewall exists and that it is a Cisco device. Luckily for me I already bruteforced the SNMP daemon on the Cisco device and have the read community string and the write one. I then move to copy the config, crack the Cisco hash and log in to the device over telnet. Because it is a Cisco 2600 running the 11.3 IOS and it hasn't been rebooted in a year, we are safe to say the idiots didn't update.
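From the defender's side, the community-string brute force described above is loud on the device itself: IOS logs every failed SNMP request as a %SNMP-3-AUTHFAIL message. The script below is an added example, not part of the original post, that counts those failures per source address inside a sliding window and flags guessing. The log lines are constructed, the device name and addresses are made up, and the year is assumed (syslog timestamps don't carry one).

```python
"""Flag SNMP community-string guessing in Cisco-style syslog.

Added example (not from the post). Log lines are constructed and modelled on
the IOS %SNMP-3-AUTHFAIL message; device names and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog: six failures from one host in nine seconds,
# one unrelated config message, and a single stray failure from another host.
SAMPLE_LOG = """\
Apr 18 10:00:01 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:02 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:02 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:03 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:05 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:09 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.224.50
Apr 18 10:00:10 core-rtr %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.22)
Apr 18 10:30:00 core-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.1.22
"""

AUTHFAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) .*"
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_authfail(line, year=2011):
    """Return (timestamp, device, source_ip) for an SNMP auth-failure line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2011,
    matching the whois data in the post).
    """
    m = AUTHFAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["device"], m["src"]


def find_snmp_bruteforce(lines, threshold=5, window_seconds=60):
    """Map (device, source_ip) -> peak number of failures seen inside any
    window_seconds-long window, for pairs that reach the threshold.

    A sliding window over the sorted timestamps keeps this linear per source.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_authfail(line)
        if parsed:
            ts, device, src = parsed
            events[(device, src)].append(ts)

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            # advance the left edge until the window fits
            while (ts - stamps[left]).total_seconds() > window_seconds:
                left += 1
            count = right - left + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (device, src), peak in find_snmp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{device}: {peak} SNMP auth failures from {src} within 60s, likely community guessing")
```

The threshold and window are tuning knobs: a poller with a mistyped community produces a steady trickle, whereas a dictionary run produces a burst, and the per-(device, source) key keeps one noisy poller from masking a second source.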


So our next step is to use telnet to log in to the device and get enable privileges. Once this is achieved you can create an IPSEC tunnel to yourself, so you would basically be sitting behind their entire network, which would put you in direct access to their VLANs and corporate file shares etc.
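The whole chain (default or read-write community, config pulled over SNMP, telnet login, stale IOS) rests on a handful of config lines that a defender can check for mechanically. The following is an added example, not the post's or Cisco's code, that audits an IOS-style config text for exactly those settings and shows the weak fragment beside a hardened one. Both config fragments are constructed; the hostname, ACL number and group name are made up.

```python
"""Audit an IOS-style config for the weaknesses a telnet/SNMP takeover relies on.

Added example (not from the post). Both config fragments are constructed;
the hostname, ACL number and SNMPv3 group name are made up.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>[Rr][Oo]|[Rr][Ww]))?(?: (?P<acl>\S+))?$"
)

# Constructed: the kind of config that makes the scenario in the post possible.
WEAK_CONFIG = """\
hostname edge-2600
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
"""

# Constructed: same box with SNMPv3 behind an ACL, per-user logins and SSH only.
HARDENED_CONFIG = """\
hostname edge-2600
!
access-list 10 permit 10.1.224.10
snmp-server group NOC v3 priv access 10
!
line vty 0 4
 login local
 transport input ssh
!
"""


def audit_ios_config(text):
    """Return a list of (severity, message) findings, in config order."""
    findings = []
    in_vty = False
    transport_seen = False

    def close_vty_block():
        nonlocal in_vty, transport_seen
        if in_vty and not transport_seen:
            # IOS with no 'transport input' on the vty lines accepts every protocol
            findings.append(("high", "vty lines lack 'transport input'; telnet is accepted by default"))
        in_vty, transport_seen = False, False

    for raw in text.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):          # an unindented line ends any 'line' block
            close_vty_block()
        m = COMMUNITY_RE.match(stripped)
        if m:
            name = m["name"]
            mode = (m["mode"] or "RO").upper()   # IOS defaults a community to read-only
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default community string '{name}'"))
            if mode == "RW":
                findings.append(("high", f"community '{name}' grants write access (config can be pulled or pushed)"))
            if not m["acl"]:
                findings.append(("medium", f"community '{name}' has no access-list; any host may query it"))
            continue
        if stripped.startswith("line vty"):
            in_vty = True
            continue
        if in_vty:
            if stripped.startswith("transport input"):
                transport_seen = True
                protocols = stripped.split()[2:]
                if "telnet" in protocols or "all" in protocols:
                    findings.append(("high", "vty accepts telnet; credentials cross the wire in clear"))
            elif stripped.startswith("password "):
                findings.append(("medium", "vty uses a shared line password; prefer 'login local' with per-user secrets"))
    close_vty_block()
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ios_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for severity, msg in results:
            print(f"  [{severity}] {msg}")
```

Run it against a `show running-config` dump saved to a file; a clean result on the SNMP and vty checks removes the two footholds the scenario above depends on, and the stale-IOS point is the remaining item to close with a patch cycle.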


|You would use this command |
---------------------------- 


"sudo proxychains telnet victim.cisco.router" without quotes





|You can scan the host with NMAP like this|
-----------------------------------------

"sudo proxychains nmap -vv -sT -PN -n victim" without quotes





sudo socat --help
-----------------
Use this as well if you like.
