TCM PEH Scanning & Enumeration Notes


I have been plodding through this course each evening for the past week.
Raw notes below:

https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
it’s a vulnhub box, level 1

https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
oscp-like vulnhub boxes

https://www.vmware.com/uk/products/workstation-player/workstation-player-evaluation.html
to download vmware workstation free

https://www.linuxlookup.com/howto/install_vmware_workstation_or_vmware_player_bundle_file
instructions for installing a vmware .bundle file

  1. Download Kioptrix lvl 1
  2. Download and install vmware
  3. Unrar kioptrix lvl 1
  4. import into vmware, edit settings, boot

the target is currently 192.168.0.71
arp scan
sudo arp-scan -l

netdiscover
sudo netdiscover -r 192.168.0.0/24

scanning with nmap

losers call it “network mapper”
SYN (“stealth”) scanning (-sS) is the default when nmap runs as root
it used to be stealthy, but any IDS will pick it up
it starts a connection with a SYN ->, gets the SYN/ACK back, then loljk RST -> instead of finishing the handshake

sudo nmap -p- -A <ip>
scans all ports (-p-) with the aggressive scan (-A), but you already know this

let’s diff a few scan types against the same host

nmap 192.168.0.71

output:
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

nmap -p- 192.168.0.71

output:
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

nmap -sV 192.168.0.71

output:
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)

nmap -A 192.168.0.71

output:
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-02-03T04:56:14+00:00; +1h01m49s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: 1h01m48s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

nmap --script=vuln 192.168.0.71

output:
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /test.php: Test page
|   /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|   /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_  /usage/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
| ssl-dh-params: 
|   VULNERABLE:
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  BID:74733  CVE:CVE-2015-4000
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
1024/tcp open  kdm

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]

is it possible to create a script which only runs -A against open ports from the -p- scan?
our job is to scan for open ports, then try to exploit them.
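One way to do exactly that, as an added example (my script, not code from the course or from these notes): it parses the normal text output of the -p- scan, keeps only the ports reported as open, and assembles the targeted -A command so the slow scripts and version probes only touch ports that are actually listening. The sample output is constructed from the -p- scan above plus one filtered port to show that it gets skipped; the function names are my own.

```python
"""Build a targeted `nmap -A` command from the open ports of a `-p-` scan.

Added example, not part of the course notes. Parses nmap's normal text
output (what you see on screen or save with -oN), collects the open TCP
ports, and emits a -p list so the follow-up -A scan is limited to them.
"""
import re
import shlex

# Constructed sample: the -p- result from the notes, plus a filtered port
# (8080) that must NOT end up in the follow-up scan.
SAMPLE_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 192.168.0.71
Host is up (0.00042s latency).
Not shown: 65529 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
443/tcp  open     https
1024/tcp open     kdm
8080/tcp filtered http-proxy
"""

# One nmap port line: "<port>/<proto>  <state>  <service> [version ...]".
# States such as "open|filtered" are matched by \S+ but rejected below,
# because only a definite "open" is worth the cost of -A.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def open_ports(nmap_output, proto="tcp"):
    """Return the sorted list of ports reported as open for `proto`."""
    ports = set()
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("proto") == proto and m.group("state") == "open":
            ports.add(int(m.group("port")))
    return sorted(ports)


def port_spec(ports):
    """Collapse a port list into nmap -p syntax, e.g. [22, 23, 24, 80] -> "22-24,80"."""
    ports = sorted(set(ports))
    spec = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        spec.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(spec)


def followup_command(nmap_output, target):
    """Compose the -A follow-up as an argv list; None when nothing is open."""
    ports = open_ports(nmap_output)
    if not ports:
        return None
    return ["sudo", "nmap", "-A", "-p", port_spec(ports), target]


if __name__ == "__main__":
    cmd = followup_command(SAMPLE_OUTPUT, "192.168.0.71")
    # Printed rather than executed, so you can eyeball the port list first.
    print(shlex.join(cmd) if cmd else "no open ports found")
```

To use it on a real scan, save the first pass with `nmap -p- -oN scan.txt <ip>` and feed the file contents to `followup_command(open("scan.txt").read(), "<ip>")`; the argv list it returns can go straight into `subprocess.run` once you are happy with it.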

Enumerating HTTP and HTTPS

think about it from the POV of an attacker

develop this methodology over time
when you see a website, what are the basics you’re looking for?
service enumeration
back end directories
source code
vulnerability scanning
any sort of information that can be divulged

Go to the website (on all ports available (80, 8080, 443, etc))

If you see a default web page, this is an automatic FINDING
Always write this up in the report as an information disclosure
Tells you about the architecture and hygiene
A 404 page is an information disclosure as well if it lists the version, hostname or port

Click around in the web page a little

View source

Perform a vulnerability scan

Dig through the results for anything of value, enumerate and note

Nikto

Be careful not to get yourself blocked by a WAF, the same way an IPS would block nmap -sS scans
nikto -h http://<ip>
anything that lists as outdated is a finding to notate on report
any directories found are findings, but dirbust later for full lists
look for juicy stuff (remote buffer overflow to shell) for separate exploitation phase notes

Dirbuster

dirbuster &
enter http://ip:port
browse to /usr/share/wordlists/dirbuster/(pick one that makes sense)
alternately, use /usr/share/seclists/
add file extensions (php, asp, aspx) that make sense for whatever the server runs
add file extensions of txt, zip, rar, pdf, docx, etc as well
it will find stuff for you to investigate, of course

Burpsuite intro

start foxyproxy
start burp
intercept one request
send to Repeater
edit the sent requests directly through Repeater and see response in real time (GET/POST etc)
go to target
set scope to each target and port
check server headers for information disclosure of webserver

Dirb

also exists

Gobuster

my fav so far

Enumerating SMB

port 139
SMB = file share
Like those C:\Scans folders
nmap -A will run enumeration scripts against SMB by default
Try to connect to the machine to see what’s in it
spin up Metasploit with $msfconsole

search smb
The auxiliary/scanner and auxiliary/fuzzer modules are for enumeration
use auxiliary/scanner/smb/smb_version
show options
set <option> for each <option>
(Yes we all know this already, but I have to take notes)
there’s also “show advanced” for the advanced options
run
Paste the output into your notes

My enum4linux and/or smbclient are not working. I am receiving “Protocol negotiation failed: NT_STATUS_IO_TIMEOUT”. How do I resolve?
Resolution:
On Kali, edit /etc/samba/smb.conf
Add the following under the [global] section:
client min protocol = CORE
client max protocol = SMB3

smbclient

Smbclient to connect via anonymous shares if available
Because you never know what you’ll find until you actually look
#smbclient -L \\\\<ip>\\
-L lists shares (the backslashes are doubled so the shell passes them through)
press enter at password prompt
then look at the shares listed
#smbclient \\\\<ip>\\<share>   (pick one of the shares listed; names ending in $ are hidden shares)
So for SMB sometimes you get lucky, sometimes you don’t
But SMB is always important for AD stuff later

Enumerating SSH

Copy and paste your nmap scan ssh info into exploit-db
Basically as soon as you test a single ssh login, you’re actively in exploit phase

Problem:
Unable to negotiate… No matching key exchange method found. Their offer: <keyexchoffer>
Solution:
#ssh <ip> -oKexAlgorithms=+<keyexchoffer>
Unable to negotiate… No matching cipher found. Their offer: <cipher>
#ssh <ip> -oKexAlgorithms=+<keyexchoffer> -c <cipher>
Now you can connect
I’ve run into this on htb often.

That’s it for ssh.

Researching Vulnerabilities

Identifying and researching potential vulnerabilities

Take all the scan output results you’ve pasted into notes
Target the low hanging fruit:
port 80
port 443
port 139
other web ports
port 22

If you see potential RCE anything, that’s the juiciest fruit to start with.
But be thorough.
Look up vulnerabilities, take notes, move on.

Notes vuln syntax:
port# - “Potentially vulnerable to <vuln name>” (links)
port# - “Potentially vulnerable to <vuln name>” (links)
port# - “Potentially vulnerable to <vuln name>” (links)

Check this stuff against CVE listings and add listings as subnotes.

Searchsploit

#searchsploit <protocol or service>
You can be too specific with searchsploit
#searchsploit Samba 2.2.3
= No results
#searchsploit Samba 2
= Lots of results

Notes layout:
Site
    hostname
        enumeration
            nmap
                port/result
                port/result
            nikto
                page/result
        exploitation
            blah blah
        findings
                one page per finding plus screenshots

Scanning with Masscan

Masscan was built to scan the entire internet really fast
It’s a port scanner, built into Kali 2.0
This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
Its usage (parameters, output) is similar to nmap, the most famous port scanner. When in doubt, try one of those features – features that support widespread scanning of many machines are supported, while in-depth scanning of single machines aren’t.
NOTE: masscan uses its own ad hoc TCP/IP stack. Anything other than simple port scans may cause conflict with the local TCP/IP stack.

#masscan -p1-65535 192.168.1.50

By default it will force -sS -Pn options
--rate 1000 speeds it up considerably

Scanning with Metasploit

search portscan
You’re looking for the syn scanner
show options and fill in requirements
this is kinda slow, doesn’t give you that much detail
You can multi-thread it
it’s just another auxiliary module you should know you can use

Scanning with Nessus

Typically you will start a Nessus scan, then move to enumeration, then return to the Nessus scan once it’s complete

Download and Install Nessus

Download Nessus x64
Install it
Navigate to it (http://localhost:8834)
It will compile plugins, which will take some time
Install whichever license (Essentials)
Get activation code, copy/paste
You need a new activation code for each new installation if you use Essentials
Let it finish installing
Log in

Run a Scan with Nessus

Scan > Templates > Basic Scan
Name the scan job
Enter targets to scan against
Do port scan of all ports via options
Set scan type
Go ahead and look through the options
Start scan

Review Nessus Scan Results

View results
Click the Vulnerabilities tab
Click Settings cog, disable Grouping
View installed version, and recommended version to patch
Sift through the results and report on what’s important and potential for exploitation
Download the .nessus file
There are tools to turn a .nessus file into an excel file

Converting .nessus File

Into CSV
https://github.com/levyjm/NessusConverter
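The .nessus export is plain XML (the v2 format: ReportHost elements carrying ReportItem findings), so the CSV conversion is short enough to do with the standard library. Below is an added example of that, my own code and not the NessusConverter project linked above; the sample export is constructed by hand, its plugin names and IDs are illustrative only, and the column names are my own choice.

```python
"""Flatten a .nessus (v2 XML) report into CSV rows, highest severity first.

Added example, not code from the course notes or from any converter project.
Uses only the standard library; the sample document below is constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of a .nessus v2 export: one host, two findings.
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Report name="kioptrix">
    <ReportHost name="192.168.0.71">
      <HostProperties>
        <tag name="host-ip">192.168.0.71</tag>
        <tag name="operating-system">Linux Kernel 2.4</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="20007" pluginName="SSL Version 2 and 3 Protocol Detection">
        <risk_factor>High</risk_factor>
        <synopsis>The remote service encrypts traffic using a protocol with known weaknesses.</synopsis>
        <solution>Disable SSLv2 and SSLv3.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="11936" pluginName="OS Identification">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# CSV columns, in output order.
FIELDS = ["host", "os", "port", "protocol", "service", "severity",
          "plugin_id", "plugin_name", "risk_factor", "synopsis", "solution"]

# Nessus severity attribute: 0 = Info .. 4 = Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def nessus_rows(xml_text, min_severity=0):
    """Return one dict per ReportItem with severity >= min_severity, sorted
    by severity (descending), then host, then port."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("ReportHost"):
        # HostProperties/tag elements hold per-host metadata such as the OS guess.
        props = {tag.get("name"): (tag.text or "") for tag in host.iter("tag")}
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            row = {
                "host": host.get("name", ""),
                "os": props.get("operating-system", ""),
                "port": item.get("port", ""),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": SEVERITY_NAMES.get(sev, str(sev)),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "risk_factor": item.findtext("risk_factor", ""),
                "synopsis": item.findtext("synopsis", "").strip(),
                "solution": item.findtext("solution", "").strip(),
            }
            found.append((sev, row))
    found.sort(key=lambda pair: (-pair[0], pair[1]["host"], int(pair[1]["port"] or 0)))
    return [row for _, row in found]


def nessus_to_csv(xml_text, min_severity=0):
    """Render the rows as CSV text (header included)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for row in nessus_rows(xml_text, min_severity):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Optional argument: path to a real .nessus file; otherwise the sample runs.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    print(nessus_to_csv(source), end="")
```

Run it as `python nessus_csv.py report.nessus > report.csv` (file names are your own) and open the result in Excel or LibreOffice; raising `min_severity` to 2 or 3 gives you the shortlist of Medium-and-up findings to work through first.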

Into Excel 2003
https://seclists.org/pen-test/2006/Apr/82
You can use the XML version of the Nessus report and just directly import it
into Excel (at least in 2003).
In Excel:

  • Drop down the “Data” menu on the toolbar
  • Point to “XML” then click “Import”
  • Click “Ok” a couple times; all the results are imported nicely into Excel