- \n
- Used command nmap 192.168.10.0\/24 -p- -sV to find open ports and services in the 192.168.10.0\/24 subnet<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-42.png\")
<\/a><\/figure>\n\n\n\n- \n
- Launch Metasploit Framework and search for the exploit module: ms08_067_netapi<\/u><\/em><\/strong><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-43.png\")
<\/a><\/figure>\n\n\n\n- \n
- Use ms08_067_netapi as the exploit module and set meterpreter reverse_tcp as the payload.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-44.png\")
<\/a><\/figure>\n\n\n\n- \n
- Use 4498<\/u> <\/em><\/strong>as the listening port number. Configure the rest of the parameters. Display your configurations and exploit the target.\n
- \n
- Set the rhosts, lhost, and lport with set commands<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-45.png\")
<\/a><\/figure>\n\n\n\n- \n
- Successfully exploited and established a session<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-46.png\")
<\/a><\/figure>\n\n\n\n- \n
- [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.\n
- \n
- Used screenshot to take a screenshot<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-47.png\")
<\/a><\/figure>\n\n\n\n- \n
- Image taken<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-48.png\")
<\/a><\/figure>\n\n\n\n- \n
- [Post-exploitation] In meterpreter shell, display the target system\u2019s local date and time.\n
- \n
- Used localtime command\n
- \n
- Time was 2023-10-19 16:08:33 EST<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get the SID of the user.\n
- \n
- Used getsid command\n
- \n
- SID : S-1-5-18<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get the current process identifier.\n
- \n
- Used getpid command\n
- \n
- Pid: 1168<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get system information about the target.\n
- \n
- Used sysinfo command<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-49.png\")
<\/a><\/figure>\n\n\n\nTask B.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0
Exploit EternalBlue on Windows Server 2008 with Metasploit<\/h1>\n\n\n\nIn this task, you need to use similar steps to exploit the EternalBlue <\/strong>vulnerability on Windows Server 2008. Make sure to search and replace the exploit module against Windows Server 2008 accordingly.<\/p>\n\n\n\n
- \n
- Ran nmap scan for open ports and services using command namp 192.168.10.0\/24 -p- -sV<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-50.png\")
<\/a><\/figure>\n\n\n\n- \n
- Started Metasploit and searched from eternalblue<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-51.png\")
<\/a><\/figure>\n\n\n\n- \n
- Used exploit option 2<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-52.png\")
<\/a><\/figure>\n\n\n\n- \n
- Configure your Metasploit accordingly and set DDMMYY as the listening port number. Display the configuration and exploit the target.\n
- \n
- set payload and other configurations\n
- \n
- attempted to use date but unfortunately it was out of range and used 4498 for lport instead<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-53.png\")
<\/a><\/figure>\n\n\n\n- \n
- exploited machine successfully<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-54.png\")
<\/a><\/figure>\n\n\n\n- \n
- [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.
- used command screenshot -p \/root\/windows08.jpg
- screenshot is on next page with the rest of the post-exploitation tasks<\/li><\/ul><\/li><\/ul>\n
- \n
- image<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-55.png\")
<\/a><\/figure>\n\n\n\n- \n
- [Post-exploitation] In meterpreter shell, display the target system\u2019s local date and time.\n
- \n
- Used command localtime<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get the SID of the user.\n
- \n
- Used command getsid<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get the current process identifier.\n
- \n
- Used command getpid<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- [Post-exploitation] In meterpreter shell, get system information about the target.\n
- \n
- Used command getsysinfo<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-56.png\")
<\/a><\/figure>\n\n\n\nTask C.\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0
Exploit Windows 7 with a deliverable payload.<\/h1>\n\n\n\nIn this task, you need to create an executable payload with the required configurations below. Once your payload is ready, you should upload it to the web server running on Kali Linux and download the payload from Windows 7, then execute it on the target to make a reverse shell. Of course, don’t forget to configure your Metasploit on Kali Linux before the payload is triggered on the target VM.<\/p>\n\n\n\n
The requirements for your payload are:<\/p>\n\n\n\n
- \n
- Payload Name: Use your MIDAS ID\n
- \n
- Used msfvenom to create deliverable payload<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-57.png\")
<\/a><\/figure>\n\n\n\n- \n
- Listening port: 4498<\/u><\/em><\/strong>
- set lport and lhost in meterpreter<\/li><\/ul>\n
- \n
- started exploit (waiting for connection)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-58.png\")
<\/a><\/figure>\n\n\n\n- \n
- Started apache 2<\/u><\/strong><\/li>\n\n\n\n
- Copied ewell007.exe payload to apache2<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-59.png\")
<\/a><\/figure>\n\n\n\n- \n
- Ran ewell007.exe on windows 7<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-60.png\")
<\/a><\/figure>\n\n\n\n- \n
- Session was successfully opened on internal kali meterpreter<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-61.png\")
<\/a><\/figure>\n\n\n\n
<\/strong><\/p>\n\n\n\n[Post-exploitation] <\/strong>Once you have established the reverse shell connection to the target Windows 7, complete the following tasks in your meterpreter shell:<\/p>\n\n\n\n
- \n
- Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.\n
- \n
- Used command screenshot -p \/root\/windows07.jpeg<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-62.png\")
<\/a><\/figure>\n\n\n\n- \n
- image<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-63.png\")
<\/a><\/figure>\n\n\n\n- \n
- Create a text file on the attacker Kali named “IMadeIT-YourMIDAS.txt” (replace YourMIDAS with your university MIDAS ID) and put the current timestamp in the file. Upload this file to the target’s desktop. Then log in to Windows 7 VM and check if the file exists. You need to show me the command that uploads the file.\n
- \n
- Created file on internal kali<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-64.png\")
<\/a><\/figure>\n\n\n\n- \n
- Used command upload [filename] to window 7 desktop<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-65.png\")
<\/a><\/figure>\n\n\n\n- \n
- Verified<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-66.png\")
<\/a><\/figure>\n\n\n\n
<\/strong><\/p>\n\n\n\n[Privilege escalation, extra credit] <\/strong>Background your current session, then gain administrator-level privileges on the remote system. After you escalate the privilege, complete the following tasks:<\/p>\n\n\n\n
- \n
- Create a malicious account with your name and add this account to the administrator group. You need to complete this step on the Attacker Side.
- Used a UAC bypass to increase the privileges of our connection to create user EdwinW with password iamhere<\/li><\/ul>\n
- \n
- Then elevated the shadow account to the administrator group for future access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-67.png\")
<\/a><\/figure>\n\n\n\n- \n
- Remote access to the malicious account created in the previous step and browse the files belonging to the user, “Windows 7”, in RDP.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-68.png\")
<\/a><\/figure>\n\n\n\nTask D. Extra Credit<\/h1>\n\n\n\n
- \n
- Find another exploit that targets on either Windows XP or Windows Server 2008.<\/li>\n<\/ul>\n\n\n\n
- \n
- Used nmap 192.168.10.0\/24 -p- -sV to scan open ports and services<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-69.png\")
<\/a><\/figure>\n\n\n\n- \n
- Ran nessuss to scan for vulnerabilities of 192.168.10.11<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-70.png\")
<\/a><\/figure>\n\n\n\n- \n
- Started, searched and gained information on ms12-020<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-71.png\")
<\/a><\/figure>\n\n\n\n- \n
- Configured settings and exploited 192.168.10.11<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-72.png\")
<\/a><\/figure>\n\n\n\n- \n
- Windows 2008 side blue screen of death<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/sites.wp.odu.edu\/edwin-wells-4\/wp-content\/uploads\/sites\/30994\/2024\/11\/image-73.png\")
<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"Old Dominion University CYSE 301 Cybersecurity Techniques and Operations Assignment 4: Ethical Hacking (v3) Edwin C Wells IV Task A.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exploit SMB on Windows XP with Metasploit In this task, you need to complete the following steps to exploit SMB vulnerability on Windows XP. Task B.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exploit EternalBlue on Windows Server 2008 with Metasploit… <\/p>\n
- Windows 2008 side blue screen of death<\/li>\n<\/ul>\n\n\n\n
- Configured settings and exploited 192.168.10.11<\/li>\n<\/ul>\n\n\n\n
- Started, searched and gained information on ms12-020<\/li>\n<\/ul>\n\n\n\n
- Ran nessuss to scan for vulnerabilities of 192.168.10.11<\/li>\n<\/ul>\n\n\n\n
- Used nmap 192.168.10.0\/24 -p- -sV to scan open ports and services<\/li>\n<\/ul>\n\n\n\n
- Find another exploit that targets on either Windows XP or Windows Server 2008.<\/li>\n<\/ul>\n\n\n\n
- Remote access to the malicious account created in the previous step and browse the files belonging to the user, “Windows 7”, in RDP.<\/li>\n<\/ul>\n\n\n\n
- Then elevated the shadow account to the administrator group for future access<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Used a UAC bypass to increase the privileges of our connection to create user EdwinW with password iamhere<\/li><\/ul>\n
- Create a malicious account with your name and add this account to the administrator group. You need to complete this step on the Attacker Side.
- Verified<\/li>\n<\/ul>\n\n\n\n
- Used command upload [filename] to window 7 desktop<\/li>\n<\/ul>\n\n\n\n
- Created file on internal kali<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Create a text file on the attacker Kali named “IMadeIT-YourMIDAS.txt” (replace YourMIDAS with your university MIDAS ID) and put the current timestamp in the file. Upload this file to the target’s desktop. Then log in to Windows 7 VM and check if the file exists. You need to show me the command that uploads the file.\n
- image<\/li>\n<\/ul>\n\n\n\n
- Used command screenshot -p \/root\/windows07.jpeg<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
- Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.\n
- Session was successfully opened on internal kali meterpreter<\/li>\n<\/ul>\n\n\n\n
- Copied ewell007.exe payload to apache2<\/li>\n<\/ul>\n\n\n\n
- Started apache 2<\/u><\/strong><\/li>\n\n\n\n
- started exploit (waiting for connection)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- set lport and lhost in meterpreter<\/li><\/ul>\n
- Listening port: 4498<\/u><\/em><\/strong>
- Used msfvenom to create deliverable payload<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Payload Name: Use your MIDAS ID\n
- Used command getsysinfo<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- [Post-exploitation] In meterpreter shell, display the target system\u2019s local date and time.\n
- image<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- screenshot is on next page with the rest of the post-exploitation tasks<\/li><\/ul><\/li><\/ul>\n
- used command screenshot -p \/root\/windows08.jpg
- [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.
- exploited machine successfully<\/li>\n<\/ul>\n\n\n\n
- attempted to use date but unfortunately it was out of range and used 4498 for lport instead<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
- set payload and other configurations\n
- Configure your Metasploit accordingly and set DDMMYY as the listening port number. Display the configuration and exploit the target.\n
- Used exploit option 2<\/li>\n<\/ul>\n\n\n\n
- Started Metasploit and searched from eternalblue<\/li>\n<\/ul>\n\n\n\n
- Ran nmap scan for open ports and services using command namp 192.168.10.0\/24 -p- -sV<\/li>\n<\/ul>\n\n\n\n
- Used sysinfo command<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Used getpid command\n
- Used getsid command\n
- Used localtime command\n
- [Post-exploitation] In meterpreter shell, display the target system\u2019s local date and time.\n
- Image taken<\/li>\n<\/ul>\n\n\n\n
- Used screenshot to take a screenshot<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- [Post-exploitation] Execute the screenshot command to take a screenshot of the target machine if the exploit is successful.\n
- Successfully exploited and established a session<\/li>\n<\/ul>\n\n\n\n
- Set the rhosts, lhost, and lport with set commands<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Use 4498<\/u> <\/em><\/strong>as the listening port number. Configure the rest of the parameters. Display your configurations and exploit the target.\n
- Use ms08_067_netapi as the exploit module and set meterpreter reverse_tcp as the payload.<\/li>\n<\/ul>\n\n\n\n
- Launch Metasploit Framework and search for the exploit module: ms08_067_netapi<\/u><\/em><\/strong><\/li>\n<\/ul>\n\n\n\n