The Process Of Hacking Essay Example
Penetration testing this network seemed like a challenge to start, but as I gained access to more and more systems on the network it became easier to exploit the other machines. The goal was to gain access to the Domain Controller on the network and to exploit as many machines as I could. I gained access to 4 of the 6 machines through exploits alone, and once I was able to access the Domain Controller I made an account for myself with administrative-level permissions. I also found a list of passwords on the desktop of the domain controller. Mike's desktop had the same file of passwords with one additional password. There was also a Windows XP computer on the network that was not patched for EternalBlue, an exploit that affected almost all versions of Windows. The Windows 10 machine was susceptible to this exploit as well, but my version of Python was not working correctly with the exploit.
The Linux machines were also vulnerable. The FTP server was running outdated software, and the version it had contained a backdoor that allowed me to exploit it and get root, or full control, over the machine. The Apache server was also vulnerable to a PHP exploit affecting its version, which allowed me to open a Meterpreter session that I could use to inject different programs into it. The Meterpreter session also allowed me to get hashed and plaintext passwords. None of the passwords had been cracked before, and I left a program running to crack them, but after a day or two I still had nothing. I did get one plaintext password, though: BearsBeatsBattlestarGalactica1! for the account dwigt. With enough time and a powerful computer all the hashes would be cracked; it's not a matter of if, but when.
At the beginning of my attack I started by using recon tools, mostly Nmap. Nmap gave me information on what computers were on the network, including their operating systems and IP addresses, and it also told me some of the programs that were running at the network level on these computers. This included programs like Apache, OpenSSH, and Windows Active Directory. The first IP I decided to investigate was the Windows XP machine on the network, because it was the oldest operating system running, so I assumed it would be the easiest to infiltrate. One of the tools Nmap comes loaded with is the ability to run scripts that check whether target machines are susceptible to vulnerabilities, so I ran Nmap with a default vulnerability script against the Windows XP address. What I found on the Windows XP computer, and whether I was able to get into it, would determine whether I started trying to infiltrate the Windows computers or the Linux computers. I was able to access the Windows machine because the Nmap scan said it might be vulnerable to one of the EternalBlue exploits; I used Metasploit with the ms17_010_psexec module to exploit this machine [1].
After gaining access to the Windows machine I started looking at the versions of software running on the different computers. Seeing Apache running, and its version number from Nmap, allowed me to google whether there were any exploits for it. This version of Apache has a backdoor built into it that Metasploit has a module for, and with little more than a google search to find that out and the easy-to-use module, I was able to infiltrate this machine as well [2]. One of the other Linux machines had an FTP server running on one of its ports, and Nmap was able to tell me that this version of vsFTPd had a backdoor built into it [3], which I was also able to exploit with a module found in Metasploit [4].
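The version information Nmap reports is the same data a defender needs to find what must be patched or retired. The following is an added example, not code from the essay, that parses a constructed Nmap XML report (the shape `nmap -sV -oX` writes) and flags services on a constructed retire list; the hosts and addresses are invented, and the backdoored vsftpd release (2.3.4) stands in for the FTP finding above.

```python
"""Inventory service versions from an Nmap XML report and flag retired software."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX; hosts and versions
# are illustrative, not taken from the assessment described above.
SAMPLE_NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
</ports></host>
<host><address addr="10.0.0.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/></port>
  <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
</ports></host>
</nmaprun>"""

# Constructed "must not be running" baseline. Keys are (product, version);
# a version of None matches every version of that product.
RETIRE_LIST = {
    ("Microsoft Windows XP microsoft-ds", None): "unsupported OS, no more patches",
    ("vsftpd", "2.3.4"): "release contains a backdoor",
}

def parse_services(xml_text):
    """Return (addr, port, product, version) for every open port that has a service tag."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            found.append((addr, int(port.get("portid")), svc.get("product", ""), svc.get("version")))
    return found

def flag_retired(services, retire_list=RETIRE_LIST):
    """Match services against the retire list; returns [(addr, port, product, reason)]."""
    flagged = []
    for addr, port, product, version in services:
        reason = retire_list.get((product, version)) or retire_list.get((product, None))
        if reason:
            flagged.append((addr, port, product, reason))
    return flagged
```

Run `flag_retired(parse_services(SAMPLE_NMAP_XML))` to get the two hosts above that need patching or retirement; the OpenSSH service is not on the list and is left alone.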
The next machine was by far the hardest to find an exploit for: the domain controller, which had recently been patched. Nmap told me it was Windows Server 2016 Standard 6.3, which was not vulnerable to any of the EternalBlue exploits, and Nmap could not find anything it was vulnerable to. This meant I was going to have to look through recent exploits that would not yet be patched. I came across the Zerologon exploit, which affects domain controllers.
I used the nbname scanner in Metasploit to find the hostname of the server [5], and since I already knew the server's IP address, that was all the exploit required. I used the Zerologon module, which reported that it reset the password, and then ran a Python script that grabbed the hashed password the domain controller used for the administrator account [6]. The last part was to use another Python script that took the hash values, domain name, IP address, and username and used them to access the domain [7]. This exploit gave me full access to the administrative account on the domain and allowed me to make my own account on the domain with administrative privileges.
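The password reset the Zerologon module reports is visible on the domain controller itself: the DC's own computer account gets its password changed by a caller that never authenticated. The following is an added detection example, not from the essay, that scans Security log events exported as JSON lines; it assumes the standard event 4742 ("A computer account was changed") field names SubjectUserName and TargetUserName, and the sample events, host name and DC01$ account are constructed.

```python
"""Flag computer-account password changes made by an anonymous caller (Zerologon pattern)."""
import json

# Constructed sample: three Security events as JSON lines. DC01$ is a
# hypothetical domain controller machine account; nothing here is real data.
SAMPLE_EVENTS = r"""
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "PasswordLastSet": "1/1/2021 10:02:11 AM"}
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "DESKTOP7$", "SubjectDomainName": "EXAMPLE", "TargetUserName": "DESKTOP7$", "PasswordLastSet": "1/1/2021 09:00:00 AM"}
{"EventID": 4624, "Computer": "DC01.example.local", "SubjectUserName": "-", "TargetUserName": "mike", "LogonType": "3"}
"""

def is_zerologon_like(event):
    """True when an anonymous caller changed a computer account (name ends in '$').

    Machines routinely rotate their own password (subject == target, as in the
    DESKTOP7$ sample), so only the anonymous subject is treated as suspicious.
    """
    if event.get("EventID") != 4742:
        return False
    anonymous = event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
    machine_account = event.get("TargetUserName", "").endswith("$")
    return anonymous and machine_account

def scan(jsonl_text):
    """Return (computer, target account) for every suspicious event in the input."""
    hits = []
    for line in jsonl_text.strip().splitlines():
        event = json.loads(line)
        if is_zerologon_like(event):
            hits.append((event["Computer"], event["TargetUserName"]))
    return hits

if __name__ == "__main__":
    for computer, target in scan(SAMPLE_EVENTS):
        print("ALERT %s: password of %s changed by ANONYMOUS LOGON" % (computer, target))
```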
Infiltrating all these computers told me a lot not only about the network but about the users on it. Starting with the Windows XP machine, I was able to run a few commands in Meterpreter that gave me privilege escalation to the SYSTEM level, and I was able to run a program called mimikatz that dumped hashes and usernames not only from the local machine but from the domain accounts that had signed into it [8]. If there were any plain-text passwords on the computer, this program would also grab them; this got me the password for the dwigt username, "BearsBeatsBattlestarGalactica1!". On the Windows XP machine I was also able to use Meterpreter to get SYSTEM privileges with the getsystem command, which tries a few different methods of privilege escalation. I was also able to get the computer name, model, build, registered owner, and registered organization [9]. After using the exploit on the FTP server, the first thing I did was figure out which account I was logged on with, and it was the root account. This should be prevented wherever possible, because root can do almost anything on the computer, including downloading and executing files from the internet, which an attacker could use to plant a virus that opens a Meterpreter session; this would allow them to execute exploits from this computer against computers or servers on the network that they could not access or even see before (pivoting). The Windows Server 2016 was not as up to date as previously thought. I went to the desktop of each account and there were 3 files: on Mike's desktop there was a file with 4 passwords [10], and on the administrator desktop there was a passwords file with 3 passwords and a flag file [11].
It is my recommendation that your company hire a company that professionally does network and data protection for your network; at a minimum they should come in and update all the computers and all the software running on them. You should also have your employees and network managers attend a class about data protection. This would cover things like having unique passwords: long passwords of at least 21 characters, with uppercase, lowercase, numbers, and symbols, and unique to work only. Updating your computers and making sure your employees have good password practices will minimize the ways your company could be compromised. Look at the WannaCry virus in 2017 and after: it affected millions of computers, costing over 4 billion dollars [12]. "Microsoft released a security patch which protected user's systems against this exploit almost two months before the WannaCry ransomware attack began. Unfortunately, many individuals and organizations do not regularly update their operating systems and so were left exposed to the attack." (Kaspersky) [13] Not updating machines is very common and caused billions of dollars of damage in 2017 alone; this same ransomware attack cost companies hundreds of millions in 2018, after there had been a patch for months for all the systems affected by it, even including Windows XP, an operating system that had not been supported for years. The moral of the story is that keeping your machines up to date should be one of your biggest priorities.
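The password policy recommended above (at least 21 characters, all four character classes, unique to work) can be checked automatically, and the check should also reject any password already exposed, such as one recovered in plain text or found in a file on a desktop. The following is an added example, not from the essay; the exposed set is constructed from the one plaintext password quoted earlier, and the policy wording is an assumption about how the rules would be enforced.

```python
"""Check passwords against the recommended policy: 21+ chars, four classes, not reused."""
import string

MIN_LENGTH = 21

# Constructed: passwords an attacker already holds (dumped in plain text or
# found in a passwords file) must never be kept, however strong they look.
EXPOSED = {"BearsBeatsBattlestarGalactica1!"}

def policy_violations(password, exposed=EXPOSED):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append("no %s character" % name)
    if password in exposed:
        problems.append("already exposed, must be changed")
    return problems

def audit(passwords):
    """Audit a list (for example the contents of a found passwords file)."""
    return {p: policy_violations(p) for p in passwords}

if __name__ == "__main__":
    for pw, problems in audit(["short", "BearsBeatsBattlestarGalactica1!"]).items():
        print("%-32s %s" % (pw, "; ".join(problems) or "passes"))
```

The quoted password satisfies every composition rule and still fails, which is the point: a password the attacker already has is not protected by its length.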
After doing my first assessment of the network I found many security flaws and user mistakes that should be made your priority, to prevent any intrusions or unintended data leaks due to user error. Have a company independently come in and lock down the network, with the priority being teaching employees about password practices and showing network administrators the dangers of leaving computer operating systems and software out of date. I also want to say that, with all the ways I was able to infiltrate computers, I could not figure out how to access the Windows 10 machine; EternalBlue scans said it was susceptible, but I was unable to use it to gain access. Following the way I looked for exploits and understanding why they are possible will also help prevent further intrusions, because it will teach you to look at your network the way I did.