[Challenge 8:] SMB Psexec Vulnerability

IP ADDRESS: 172.19.19.3

OPERATING SYSTEM: Windows Server 2008 R2

Tools Used:

• NMAP
• HPING3
• HYDRA
• NESSUS
• CAIN AND ABEL
• METASPLOIT

Methodology:

NMAP

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY 172.19.19.3

HPING3

HYDRA

Nessus

CAIN AND ABEL ON WINDOWS

Extraction of Active Directory Users

Used the following command line to extract the active directory admin users to desktop

CSVDE -f aduser.csv

METASPLOIT

NAVIGATE THROUGH SHELL

DOWNLOAD

Download the aduser.csv from meterpreter

Vulnerabilities and Recommendations:

MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability - Arbitrary code may be executed on the remote host through the SMB port

• The remote host is running a version of Microsoft Windows Vista or Windows Server 2008 that contains a vulnerability in its SMBv2 implementation. An attacker can exploit this flaw to disable the remote host or to execute arbitrary code on it.

  • SOLUTION: Microsoft has released a patch for Windows Vista and Windows Server 2008.

Unsupported Microsoft DNS Server Detection - The remote host is running an unsupported version of Microsoft DNS server.

• Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

  • SOLUTION: Upgrade to a supported version of Microsoft Windows.

MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution - The remote Windows host could allow arbitrary code execution.

• An arbitrary remote code vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the remote Windows host. The vulnerability is due to the way that RDP accesses an object in memory that has been improperly initialized or has been deleted.

• If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to execute arbitrary code by sending a sequence of specially crafted RDP packets to it.

  • SOLUTION: Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.

SNMP Agent Default Community Name - The community name of the remote SNMP server can be guessed.

• It is possible to obtain the default community name of the remote SNMP server.

• An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).

  • SOLUTION: Disable the SNMP service on the remote host if you do not use it. Either filter incoming UDP packets going to this port, or change the default community string.