Hacking_and_Penetration_Testing_with_Low_Power_Devices
Penetration testing with a single beagle 117

remote access. Many users put important or frequently used files on their desktops, which can make screenshots of the desktop particularly insightful.

The screenshot from the Windows XP machine at 192.168.10.103 revealed an OpenOffice spreadsheet called payroll.ods. This file is easily transferred to the Beagle using the download command in Meterpreter. If the file is password-protected, it will need to be cracked with a password cracker or custom script. Post-exploitation, files and password hashes should be extracted from the machine. Since this isn't a book on Metasploit, I will leave any additional things that could be done to this box as an exercise.

The host at 192.168.10.101 is running an SSH server and a Web server. Based on the OpenVAS scan of the SSH server, the machine appears to be running OpenSSH on some version of Ubuntu. The scan revealed that the Web server is Apache 2.2 and that phpMyAdmin, a common tool for administering MySQL databases, was present on the Web site. OpenVAS also produced multiple warnings regarding FrontAccounting, which is the process running on port 8888. Apparently, FrontAccounting is vulnerable to SQL injection attacks. OpenVAS also warned of a possible DoS attack involving flooding the machine with ICMP type 9 packets. While all of this is good information, nothing is immediately exploitable.

No gaping security holes were found in the Ubuntu machine at 192.168.10.101 or on the two tablets connected to the network. This is not terribly surprising, and it is also not the end of the line for these machines. Even a fully patched and hardened Linux server is subject to misconfiguration and user stupidity. All of the technology in the world cannot save you from bad passwords.

ATTACKING PASSWORDS

Passwords are a common weak spot for many organizations. Now that we have cracked the WPA2-PSK password, we might want to have a shot at cracking the administrator password for the access point. This could allow us to change the default DNS server in order to redirect users to a cloned Web site, among many other malicious things.

We have already determined that the router is administered via a Web interface. Hydra can be used to perform online password cracking against the router configuration site. Hydra is a command line tool. A graphical wrapper known as xHydra is also available if you do not wish to learn all the command line flags. A nice feature of xHydra is that it displays the Hydra command line it used and thus teaches you how to use Hydra directly.

Before searching through millions of passwords, it may be worthwhile to guess a couple first. The first guess is that the "moremoney" password is also used to administer the access point. Figure 5.20 shows the output from xHydra that verifies that this was in fact the case.
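Online guessing of the kind Hydra performs against a Web administration page is noisy from the server's side: one source address produces a burst of failed logins in a short window. The following is an added example, not code from the book, showing how a defender would spot that burst in the Web server's access log. It assumes the administration interface logs in Apache combined log format and answers a failed login with HTTP 401 or 403; the admin paths, threshold, window and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format (assumed log format for the admin interface)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one address hammering /admin, one legitimate user
# who mistyped once and then logged in.
SAMPLE_LOG = """\
192.168.10.50 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.50 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.50 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.50 - - [10/Oct/2023:13:55:43 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.50 - - [10/Oct/2023:13:55:46 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.50 - - [10/Oct/2023:13:55:49 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.60 - - [10/Oct/2023:13:57:02 +0000] "GET /admin HTTP/1.1" 401 381
192.168.10.60 - - [10/Oct/2023:13:57:15 +0000] "GET /admin HTTP/1.1" 200 2048
192.168.10.60 - - [10/Oct/2023:14:10:00 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, admin_paths=("/admin", "/login.cgi"),
                      threshold=5, window_seconds=60):
    """Map each source IP to its largest count of failed admin logins inside any
    sliding window of window_seconds, keeping only IPs at or above threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        # 401 = rejected credentials on a basic-auth page, 403 = rejected form login
        if path in admin_paths and status in (401, 403):
            failures[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible online password guessing from {ip}: "
              f"{count} failed admin logins within 60 s")
```

The sliding window matters more than a raw count: a user who fat-fingers a password once an hour never trips the rule, while a tool cycling through a wordlist does within seconds. On a consumer access point that keeps no access log, the same signal is available from a span port or from the wireless controller's authentication log, and the mitigation is the same either way: rate-limit or lock the admin login after a handful of failures and, as the text above shows, never reuse the WPA2 passphrase as the administrator password.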
The password hashes from the Windows machine are obtained via the meterpreter hashdump command. These passwords are easily cracked with an off-line