OS and Network Penetration Testing


  • 8/10/2019 OS and Network Penetration Testing

    Information Security: Exploiting OS Vulnerabilities and Network Penetration Testing

    1. Describe the steps done to get administrator/root access to a modern operating system, other than the ones presented in the lab. Present briefly the vulnerability that helped you in the process. (min 1 page max 2 pages).

    The following steps describe a method for cracking a Windows 7 password when you have direct access to the targeted machine. This method does not require another program such as a Reset Disk, a password cracking program or anything else specially designed to retrieve passwords. This is very convenient, and the only drawbacks to consider are that the attacker needs to access the computer on which the targeted Windows 7 system is installed and that, once the password has been cracked, the attacker cannot cover his tracks.

    These are the necessary steps in order to hack the administrator password and get root privileges:

    1. The first thing that needs to be done is to make Windows 7 give a "Windows Error Recovery" screen when booting up the operating system. In order to do this, start the computer by pressing the On/Off button. While the "Starting Windows" screen is active on the monitor, press the On/Off button again on the computer. This will trigger Windows to perform a hard shutdown. After this, start the computer again and wait until a screen like the one in Figure 1 appears.

    Figure 1: Windows Error Recovery Screen

    2. If Step 1 has been completed correctly, the screen will give the options on how to start the computer, as seen in Figure 1. Select the "Launch Startup Repair" option and then, when prompted with a window that asks you: "Do you want to restore your computer using System Restore?" select Cancel.

    3. The Startup Repair will now check your computer for problems. Wait until it finishes repairing your computer. This process will not harm any of the user's personal files. After waiting, a new window will appear that says "Startup Repair cannot repair this computer automatically". There will be an arrow pointing downwards in the bottom left corner that says "View Problem Details", shown in Figure 2.

    Figure 2: View Problem Details

    4. Click on the arrow shown in Figure 2. The window will grow, displaying the Problem Details. Scroll down until you find links in the details. Ignore the first one and click on the second one, which will say something like "If the online privacy statement is not available, please read our privacy statement X:\windows\system32\en-US\errofflps.txt".

    5. After clicking the link, Notepad will open up and display the "errofflps.txt" file. Click on the "File" button from the top menu of Notepad, click "Open" and go to the System32 folder, usually found here: C:\Windows\System32. After entering the folder, switch from Text Documents (.txt) to All Files by clicking the drop-down menu at the bottom of the window ("Files of type" option).

    6. Find the application named sethc and rename it to sethc.bak. This is the application for the Sticky Keys program. Next, in the same folder (System32), find the application named cmd (Command Prompt), create a copy of it and rename the copy to sethc.
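Added example, not part of the original report: a defender's check for the file changes described in step 6. It flags a System32 directory in which sethc.exe is byte-identical to cmd.exe or in which a renamed original (sethc.bak*) has been left behind. The function names are hypothetical, the .exe extensions are assumed (the report names the files without extensions), and the sample directory is constructed so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_sticky_keys(system32: Path) -> list[str]:
    """Return findings that indicate sethc.exe was swapped for cmd.exe."""
    findings = []
    sethc = system32 / "sethc.exe"
    cmd = system32 / "cmd.exe"
    if not sethc.is_file():
        findings.append("sethc.exe is missing")
    elif cmd.is_file() and sha256_of(sethc) == sha256_of(cmd):
        findings.append("sethc.exe is byte-identical to cmd.exe")
    # A renamed original left beside the replacement (sethc.bak, sethc.bak.exe, ...).
    for leftover in sorted(system32.glob("sethc.bak*")):
        findings.append(f"renamed original present: {leftover.name}")
    return findings


def build_sample(tampered: bool) -> Path:
    """Constructed stand-in for System32; file contents are placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp())
    (root / "cmd.exe").write_bytes(b"constructed cmd.exe contents")
    if tampered:
        (root / "sethc.bak.exe").write_bytes(b"constructed sethc.exe contents")
        (root / "sethc.exe").write_bytes((root / "cmd.exe").read_bytes())
    else:
        (root / "sethc.exe").write_bytes(b"constructed sethc.exe contents")
    return root


if __name__ == "__main__":
    for state in (False, True):
        label = "tampered" if state else "clean"
        print(label, audit_sticky_keys(build_sample(state)))
```

On a live host, pass `Path(r"C:\Windows\System32")` to `audit_sticky_keys` from an account that can read the directory.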

    targeted machine. In this example, the main goal will be to compromise and gain root access on a web server which uses Windows as an Operating System. This will be done by exploiting the SSL PCT handshake vulnerability (known as THCIISLAME). This is how it works: if any SSL-enabled services are present, and both the PCT and SSL protocols are enabled, remote attackers may exploit the buffer overflow condition to execute arbitrary code on vulnerable Windows server installations and gain SYSTEM privileges. The severity of this vulnerability is compounded by the fact that SSL is most often used to secure communications involving confidential or valuable information, and it is therefore believed that hackers will aggressively target this vulnerability. An available exploit sends a malformed SSL/PCT CLIENT_HELLO message, along with sufficient code that allows it to open a remote shell on the victim's server. Once exploited, a remote shell is created on the target system on TCP port 31337. These are the steps needed to complete in order to hack and gain admin privileges:

    1. Launch the Core Impact GUI. In the left hand pane of the GUI, click on the icon to open a "New Workspace." In the window that opens, fill in the information that is required in order to create the workspace then click "Next". This should open the license dialog box. Just click on "next" as the license should already be set up. This should open the passphrase dialog box. Set the passphrase for your system to password. Once you have set the passphrase, move your mouse around in the box on the right hand side until the blue bar underneath the box is filled, then click "Next". This will open the completion dialog box. On this screen, click "Finish." This should launch the Core Security console, as shown in Figure 3:

    Figure 3: Core Security Console

    2. Go to Entity View pane, right click on the 'localhost' icon and select "New Host" from the dropdown menu. After this, a dialog box for the new host will appear. Here, change the fields to match the IP address of the targeted system and then press Ok. In the Core Impact console should be a new icon with a Microsoft Windows® logo and the IP address that has been entered in the previous step next to it. Click on View and the Entity Properties from the Menu

    Pane, which will prompt a dialog box "Module Parameters". Leave all the options set to default and click Ok.

    4. If the attack has been successful, a new item named level0(0) should be seen under the targeted system icon, in the Agents Pane of the console, which means a return connection has been made from the target to the attack system. This exploit only creates the connection, but it does not load any files on the hard drive of the targeted system. Clicking on the Log/Debug tab of the Execution Module Status pane should also let you know that the attack was successful.

    Figure: Step 2

    5. At this point, the targeted system is now exploited. In the Modules Pane in the console, find the icon for Shells and select the Mini Shell. Drag and drop the shell on the level0(0) agent in Agents Pane. A pop-up DOS like window will appear, like a Command Prompt which uses primarily Linux commands. This shell will run on the vulnerable system with System Level permissions which means the attacker will be able to start and stop processes, delete and insert files and create backdoors.
