
StarDotStar 1

NTS330 Final Project


V 1.1
August 18, 2016

This Report was Prepared by:

StarDotStar
Robert Thompson, Penetration Tester
Vance Jones, Penetration Tester
Tyler Weiss, Penetration Tester

This report was created for educational purposes and is entirely fictional. The
systems herein have been created and maintained by this team in a virtual
environment. All information in this document is confidential and may not be
disclosed to unauthorized personnel.

Document Properties
Title NTS330 Final Project

Version 1.1

Authors Robert Thompson, Vance Jones, Tyler Weiss

Pen-Testers Robert Thompson, Vance Jones, Tyler Weiss

Reviewed By Robert Thompson, Vance Jones, Tyler Weiss

Approved By Robert Thompson, Vance Jones, Tyler Weiss

Classification Confidential

Version Control
Version | Date | Author | Description
1.1 | August 18, 2016 | Robert Thompson | Final
1.0 | August 17, 2016 | Robert Thompson | First Draft

Executive Summary
During our penetration test, we discovered several vulnerabilities that could
result in the loss of sensitive information or loss of system access. The entire
network was compromised through the misconfiguration of several different
services on every machine tested. Stricter and more complex password
policies need to be implemented, and the operating systems of all the
machines on the network should be patched to the latest security update or
upgraded to more secure releases of Windows.

Contents
Initial Recon & Scanning ........................................................................ 6

Spider 192.168.1.90 & 192.168.37.90 .................................................. 8

Services ............................................................................................ 8

Details .............................................................................................. 8

Loot ................................................................................................. 8

Recommendations .............................................................................. 9

Owl 192.168.37.30 .......................................................................... 10

Discovery ........................................................................................ 10

Services .......................................................................................... 10

Details ............................................................................................ 10

Loot ............................................................................................... 10

Recommendations ............................................................................ 11

Mongoose 192.168.37.50 ................................................................. 12

Services .......................................................................................... 12

Details ............................................................................................ 12

Loot ............................................................................................... 12

Recommendations ............................................................................ 13

Frog 192.168.37.250 ....................................................................... 14



Services .......................................................................................... 14

Details ............................................................................................ 14

Loot ............................................................................................... 14

Recommendations ............................................................................ 16

Lion (Domain Controller) 192.168.37.10 ............................................. 17

Services .......................................................................................... 17

Details ............................................................................................ 17

Loot ............................................................................................... 17

Recommendations ............................................................................ 18

Fox 192.168.37.20 .......................................................................... 19

Discovery ........................................................................................ 19

Services .......................................................................................... 19

Details ............................................................................................ 19

Loot ............................................................................................... 19

Recommendations ............................................................................ 20

References ........................................................................................ 21

Initial Recon & Scanning

We started off by checking our own network configuration on our attack
platform. A quick ifconfig in the terminal revealed our address was
192.168.1.10. We followed up with an Nmap scan of the 192.168.1.0/24
range, which resulted in our first target: 192.168.1.90.

Once we had our first target, we conducted a port scan on it to discover
any visible services and open ports.

It was hosting a website, so we visited the site to see what we had to work
with. There were several different web pages available, including a Contact
section with several names and an e-mail address at the bottom. We
collected all the names and, from the one visible e-mail address,
breynolds@hackme.com, identified the naming convention for the company's
e-mail accounts.

These names were thrown into a custom wordlist for later.



Spider 192.168.1.90 & 192.168.37.90

Services
80 HTTP
139 NetBios-SSN
445 SMB
These services turned up after an Nmap scan: nmap -sV -O -T5
192.168.1.90. The OS was revealed to be Windows XP.

Details
Knowing that port 445 was open and the OS was Windows XP, we knew this
target was vulnerable to MS08-067. We ran the exploit module
exploit/windows/smb/ms08_067_netapi in Metasploit to gain a remote
meterpreter session with NT AUTHORITY\SYSTEM level privileges. For good
measure, we also fired up DirBuster and ran a small wordlist against the
website, which revealed a lot of browsable directories that should not have
been accessible from a web browser.

Loot
Once inside the target, we traversed the file system looking for any
interesting documents that might help us along the way. In the C:\
directory, we discovered and downloaded the flag secretfile0.txt. Loading the
mimikatz extension, we ran the command wdigest which gave us cleartext
passwords of accounts in memory. Finally, we checked the network
configuration of the target and discovered that it had a second network
interface: 192.168.37.90. We did a scan of the 192.168.37.0/24 range
immediately after discovering this, which revealed our next targets.

Recommendations
Updating Windows XP to the most recent security update will patch the
MS08-067 vulnerability; it is highly recommended that the web services be
reconfigured to prevent traversal of directories that should not be accessible
to the public. Ultimately, this version of Windows is no longer supported,
therefore upgrading/migrating to a newer version such as Windows 7 or
Windows 10 is the best course of action.

Owl 192.168.37.30

Discovery
As explained in the Loot section of the Spider target, we discovered this
box as well as the Mongoose and Frog boxes after conducting an Nmap scan
of the 192.168.37.0/24 range.

Services
21 FTP
8080 HTTP Proxy
These services turned up after an Nmap scan: nmap -sV -O -T5
192.168.37.30. The OS was revealed to be Windows XP.

Details
First we visited the HTTP proxy via web browser and were greeted by an FTP
login. We tried a few different default credentials, including admin:admin
and admin:password, all of which returned nothing. We then tried logging in
as anonymous with a blank password, which did work. Once logged in, we
looked at what directories were available; there wasn't much. We used the
exploit/windows/ftp/easyftp_cwd_fixret Metasploit module to gain a
remote meterpreter session with NT AUTHORITY\SYSTEM level privileges.
However, after a few commands the session died. We exploited the target
again and migrated the session to a notepad.exe process we spawned with
SYSTEM level privileges to maintain the privileged state.

Loot
Once inside the target, we traversed the file system as we did in the
previous target to look for interesting documents; we located the flag
secretfile2.txt in the C:\ directory. Mimikatz dumped different Administrator
credentials than the first target had as well.

Recommendations
Reconfigure FTP to disallow anonymous login. This account was what allowed
the Metasploit module to function. Ultimately, this version of Windows is no
longer supported, therefore upgrading/migrating to a newer version such as
Windows 7 or Windows 10 is the best course of action.

Mongoose 192.168.37.50

Services
25 SMTP
80 HTTP
1433 MSSQL
These services turned up after an Nmap scan: nmap -sV -O -T5
192.168.37.50. The OS was revealed to be Windows XP.

Details
Initially, we visited the web page hosted on this target, which greeted us
with a login screen. We checked standard login vulnerabilities, such as
manual SQL injection strings in the Username and Password fields. The
SQLi produced a database error, and the default credentials did not work.
From here we went into Metasploit and used the auxiliary module
auxiliary/scanner/mssql/mssql_login with the default SQL login sa and
fasttrack.txt as the password wordlist. The password was revealed to be
password1; with the credentials for the SQL database, we ran the
exploit/windows/mssql/mssql_payload module to obtain a remote
meterpreter session with NT AUTHORITY\SYSTEM level privileges.

Loot
Once inside the target, we followed up with the usual process of exploring
the file system looking for anything interesting; we located the flag
secretfile3.txt in the C:\ directory. Mimikatz dumped different credentials
than the previous targets; at this point we realized all the targets would
result with different credentials. We ran another Metasploit module while
looking throughout the target as well:
post/windows/gather/enum_domain which revealed the Domain
Controller of the network:
Host name: Lion
IP Address: 192.168.37.10

Recommendations
The password for the target was extremely weak; the company should
implement a better password policy forcing users to create more complex
passwords. Ultimately, this version of Windows is no longer supported,
therefore upgrading/migrating to a newer version such as Windows 7 or
Windows 10 is the best course of action.

Frog 192.168.37.250

Services
22 SSH
This service turned up after an Nmap scan: nmap -sV -O -T5
192.168.37.250. The OS was revealed to be Windows XP.

Details
SSH being the only service available on this target, we attempted several
different password attack methods and modules against it. After several
failed attempts using custom password lists created with cewl, in tandem
with hydra's normal attack methods and the user list we created earlier from
the Contact page on the 192.168.1.90 target's website, we tried some of
hydra's advanced options; using the -u -e nsr options, we found valid SSH
credentials mmarlinspike:ekipsnilramm. We logged in to the target via SSH
and, since we knew the target was Windows XP, opened port 445 in order to
exploit it using the MS08-067 vulnerability and obtain a remote meterpreter
session with NT AUTHORITY\SYSTEM level privileges.

Loot
Once inside the target, we repeated the same process as the previous
targets by exploring its file system. Mimikatz revealed a lot of credentials on
this target, including the Domain Admins credentials. The C:\ directory
contained secretfile4.txt.

This file gave us a bunch of hints on how to find and communicate with the
Domain Controller; although we knew what the IP address was, we could not
communicate with it or scan it. It also explained that there was another
target on the network that was not visible and gave us suggestions on how
to find it and scan it.

Recommendations
Similar to the Mongoose box, the company should implement a better
password policy forcing users to create more complex passwords. This was
the key weakness in this network and resulted in the entire domain
becoming compromised in the end. Ultimately, this version of Windows is no
longer supported, therefore upgrading/migrating to a newer version such as
Windows 7 or Windows 10 is the best course of action.
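The Mongoose and Frog recommendations both come down to the same control: a password policy that rejects the guesses that succeeded here (a dictionary word plus digit, and the login name reversed, which is exactly what hydra's -e nsr option tries). The following checker is an added example written for this report, not part of the original engagement; the deny-list, the minimum length and the class count are assumed policy values, and the sample credentials are the ones the report itself records.

```python
import re
from typing import Dict, List, Tuple

# Constructed deny-list for this example. A real deployment would load a
# breached-password list of millions of entries; the report's SQL password
# appears here because it is exactly the kind of entry such lists contain.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein", "welcome1"}

MIN_LENGTH = 12      # assumed policy minimum for this example
MIN_CLASSES = 3      # lower, upper, digit, symbol: require three of the four

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(username: str, password: str) -> List[str]:
    """Return the list of policy violations for a proposed password (empty means it passes).

    The username-derived rules correspond to the three guesses hydra's -e nsr
    option tries against every account: null, same as login, login reversed.
    """
    if password == "":
        return ["empty password"]
    problems = []
    user = username.lower()
    pw = password.lower()
    if pw == user:
        problems.append("password equals username")
    if pw == user[::-1]:
        problems.append("password is the username reversed")
    if len(user) >= 3 and user in pw and pw != user:
        problems.append("password contains the username")
    if pw in COMMON_PASSWORDS:
        problems.append("password is in the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def audit_accounts(accounts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run check_password over (username, password) pairs; return only the failing ones."""
    failures = {}
    for user, pw in accounts:
        problems = check_password(user, pw)
        if problems:
            failures[user] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample: the two weak credentials from the report plus one that passes.
    sample = [
        ("sa", "password1"),
        ("mmarlinspike", "ekipsnilramm"),
        ("breynolds", "[!]King0fth3kingd0m!"),
    ]
    for user, problems in audit_accounts(sample).items():
        print(f"{user}: {'; '.join(problems)}")
```

Note that the Domain Admin password passes every rule above; the report obtained it from process memory with mimikatz, not by guessing. A complexity policy closes the hydra and mssql_login paths but does nothing for a cleartext credential already sitting in LSASS, so it has to be paired with the patching and upgrade recommendations.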

Lion (Domain Controller) 192.168.37.10

Services
53 DNS
88 Kerberos-sec
135 MSRPC
139 NetBios-ssn
389 LDAP
445 SMB
464 kpasswd5
The SMB service on port 445 was leveraged with a module that passes the
hash to the target in order to gain a remote session. The flag from Frog
explained how to use certain methods to perform the attack and gain access
to the Domain Controller.

Details
Using the dumped credentials from the Frog target, we routed our traffic
through Frog in order to communicate with Lion; we leveraged the
Metasploit module exploit/windows/smb/psexec with the credentials
breynolds:[!]King0fth3kingd0m! and were able to successfully pivot into
the Domain Controller and obtain a remote meterpreter session with NT
AUTHORITY\SYSTEM level privileges.

Loot
Once inside the target, we thoroughly searched through it and used
mimikatz to attempt to obtain any remaining credentials. The final flag
lastsecretfile.txt was located in the C:\ directory. We also wanted to confirm
the operating system of the machine; a quick systeminfo command in the
command prompt revealed that it was Windows Server 2008 R2.

Recommendations
Password policies need to be much stricter across the domain. Port 445
cannot be closed on the domain controller, but it could be protected by a
firewall ruleset that allows only very specific traffic. Beyond that, should
the decision be made to upgrade the other systems on the domain to
Windows 7 or Windows 10, it is highly recommended that the domain
controller be migrated to Windows Server 2012 in order to maintain software
and OS functionality across the domain, as Server 2012 is more secure.
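A firewall allow-list on port 445 is the preventive control; the detective counterpart is to watch the DC's own Security log for network logons that the allow-list would have blocked. The rule below is an added example written for this report, not something the team ran. It assumes a hypothetical management host 192.168.37.5 as the only expected source of administrative SMB logons, and the event records are constructed to resemble the logons the psexec pivot from Frog (192.168.37.250) would have produced: EventID 4624 with LogonType 3 and NTLM, since an SMB connection to the DC by IP address does not use Kerberos.

```python
from typing import Dict, Iterable, List, Set

# Sources from which administrative logons to the domain controller are expected.
# Hypothetical value for this example; the report names no management host.
ALLOWED_ADMIN_SOURCES: Set[str] = {"192.168.37.5"}

# Accounts whose network logons deserve extra scrutiny. breynolds is the
# Domain Admin credential named in the report; "administrator" is a constructed entry.
PRIVILEGED_ACCOUNTS: Set[str] = {"breynolds", "administrator"}

# Constructed Windows Security log records from the DC, reduced to the fields
# the rule needs. EventID 4624 is a successful logon; LogonType 3 is a network
# logon, which is what an SMB/psexec-style connection produces.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "Computer": "LION", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.37.5"},
    {"EventID": 4624, "Computer": "LION", "TargetUserName": "LION$",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "Computer": "LION", "TargetUserName": "breynolds",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.37.250"},
    {"EventID": 4672, "Computer": "LION", "TargetUserName": "breynolds"},
    {"EventID": 4624, "Computer": "LION", "TargetUserName": "breynolds",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.37.250"},
]


def flag_dc_network_logons(events: Iterable[Dict], allowed_sources: Set[str],
                           privileged: Set[str]) -> List[Dict]:
    """Return one finding per suspicious network logon to the DC."""
    findings = []
    for event in events:
        if event.get("EventID") != 4624 or event.get("LogonType") != 3:
            continue
        user = event["TargetUserName"]
        source = event["IpAddress"]
        if user.endswith("$") or source in ("127.0.0.1", "::1", "-"):
            continue  # machine accounts and loopback logons are routine noise
        reasons = []
        if source not in allowed_sources:
            reasons.append("source not in DC admin allow-list")
        if event.get("AuthenticationPackageName") == "NTLM" and user.lower() in privileged:
            reasons.append("NTLM network logon by privileged account")
        if reasons:
            findings.append({"user": user, "source": source, "reasons": reasons})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per source host; this is where a firewall allow-list review starts."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["source"]] = counts.get(finding["source"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_dc_network_logons(SAMPLE_EVENTS, ALLOWED_ADMIN_SOURCES, PRIVILEGED_ACCOUNTS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

The two alerts both point at Frog, an ordinary member workstation that has no business authenticating a Domain Admin to the DC over SMB. The same allow-list that drives the rule is the one to encode in the firewall ruleset the recommendation calls for, so that the detection and the prevention cannot drift apart.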

Fox 192.168.37.20

Discovery
After we compromised the Frog target, its flag suggested that there was
another target on the 192.168.37.x range that we could not see, and that we
should scan it a little more gently. We scanned the range once more at a
slower speed and discovered 192.168.37.20. We then scanned that host at the
slower speed, limited to ports 1-500, which revealed the target's services.
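The contrast between the -T5 sweeps used on the first targets and the slower scan that found Fox is also the core problem for anyone trying to detect scanning: a threshold on distinct ports per source within a short window catches the fast sweep and misses the slow one. The detector below is an added example written for this report, not a tool the team used; the firewall log format, the 30-second probe spacing of the slow scan and the alerting threshold are all constructed for the example, while the addresses are the report's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed firewall log format for this example (timestamp, verdict, partial 5-tuple).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

Event = Tuple[datetime, str, str, int]


def parse_log(lines: List[str]) -> List[Event]:
    """Parse log lines into (timestamp, src, dst, dport); unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events: List[Event], window: timedelta, min_ports: int) -> Dict[Tuple[str, str], int]:
    """Flag (src, dst) pairs that touched at least min_ports distinct ports inside one time window.

    Returns, for each flagged pair, the largest distinct-port count seen in a single window.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    flagged = {}
    for pair, items in by_pair.items():
        items.sort()
        best, lo = 0, 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:   # slide the left edge forward
                lo += 1
            best = max(best, len({port for _, port in items[lo:hi + 1]}))
        if best >= min_ports:
            flagged[pair] = best
    return flagged


def make_lines(src: str, dst: str, ports, start: datetime, spacing: timedelta) -> List[str]:
    """Build constructed DENY log lines, one probe per port, evenly spaced in time."""
    return [f"{(start + i * spacing).isoformat()} DENY src={src} dst={dst} dport={p} proto=TCP"
            for i, p in enumerate(ports)]


START = datetime(2016, 8, 17, 10, 0, 0)
# Aggressive scan: 40 ports in two seconds, the kind of burst a -T5 sweep produces.
FAST_SCAN = make_lines("192.168.37.90", "192.168.37.50", range(1, 41), START, timedelta(milliseconds=50))
# Slow scan: the same 40 ports, one probe every 30 seconds (spacing chosen for the example).
SLOW_SCAN = make_lines("192.168.37.90", "192.168.37.20", range(1, 41), START, timedelta(seconds=30))
# Ordinary traffic: repeated SMB/NetBIOS connections from the domain controller.
NORMAL = make_lines("192.168.37.10", "192.168.37.50", [445, 445, 139, 445], START, timedelta(seconds=5))
SAMPLE_LOG = FAST_SCAN + SLOW_SCAN + NORMAL


def scan_report(lines: List[str], window_seconds: int, min_ports: int = 15) -> Dict[Tuple[str, str], int]:
    """Convenience wrapper: parse, then detect with a window given in seconds."""
    return detect_scans(parse_log(lines), timedelta(seconds=window_seconds), min_ports)


if __name__ == "__main__":
    print("60 s window:", scan_report(SAMPLE_LOG, 60))
    print("1 h window: ", scan_report(SAMPLE_LOG, 3600))
```

With a 60-second window only the fast sweep is reported; the slow scan of 192.168.37.20 never shows more than three distinct ports in any window and goes unnoticed. Widening the window to an hour catches both, at the cost of more state per source/destination pair, which is the trade-off any scan-detection rule has to make.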

Services
80 HTTP
443 HTTPS
These services turned up after an Nmap scan: nmap -sV -O -T2
192.168.37.20. The OS was revealed to be Windows XP.

Details
We visited the web page hosted by the target using a web browser. The
web page was a chat server, Easy Chat Server. A quick search of Metasploit
modules revealed a single exploit for this service. When we initially used the
exploit module, it did not take; we got the same error repeatedly, so we
opened a fresh Metasploit console and tried again. The exploit worked on
the first try in the new console, and we were greeted by a remote
meterpreter session with NT AUTHORITY\SYSTEM level privileges.

Loot
Following the same methods as before, we explored the file system and
located the flag in the C:\ directory. Mimikatz dumped unique credentials
from the target as well.

Recommendations
If the Easy Chat Server service is crucial to business continuity of the
company, update the version as soon as possible; there are newer versions
available that are not vulnerable to the exploit utilized to compromise the
target. Ultimately, this version of Windows is no longer supported, therefore
upgrading/migrating to a newer version such as Windows 7 or Windows
10 is the best course of action.

References
Alharbi, M. A. (2010, April 6). Writing a Penetration Testing Report.
Retrieved from SANS:
https://www.sans.org/reading-room/whitepapers/testing/writing-penetration-testing-report-33343
