In Part 1 of Pentesting 101: Surveying, we discussed the Metasploit framework and how to create a database of network and host information in addition to how you can route packets and connections through a host. In Part 2, we will cover other tools to use during a penetration test as well as troubleshooting techniques.
In some networks, it might not be feasible to use Metasploit for the penetration test engagement. There are other frameworks out there that work similar to Metasploit, like Covenant. Covenant picked up where PowerShell Empire left off. It is a PowerShell based framework like Metasploit and can run on Kali Linux. Covenant is heavily focused on Active Directory and Windows-based networks rather than being the “jack of all trades” like Metasploit. If the penetration testing target is exclusively Windows, using Covenant C2 might be worth it.
From the initial compromise, other actions can be taken such as man-in-the-middle attacks. Ettercap is an excellent tool for such an occasion. Ettercap uses ARP cache poisoning to attack other hosts on the network. From there, Ettercap can sniff and intercept traffic as well as potentially exploiting traffic flowing from the infected hosts through the hop point. Ettercap is extremely effective at credential harvesting in unencrypted traffic like telnet, FTP, SSHv1, and many others. More information can be found at the Ettercap website.
Another popular program to harvest credentials like Ettercap is called “responder.py”. Responder.py is a python based application that can poison Link-Local Multicast Name Resolution (LLMNR), Multicast DNS (mDNS), and NetBIOS Name Service. Like Ettercap, it can intercept and crack certain types of traffic but it is oriented to a more Windows-based network.
When getting several hops deep into a network, issues could arise where packets aren’t being routed properly or are not getting to and from their intended target. For Windows 10, Microsoft quietly slipped in a packet monitor into the operating system to aid system administrators. This tool can also aid penetration testers during a penetration test. Take the above network example into consideration. So far, we’ve established there is an SSH server on the 10.1.1.177 host. If we wanted to see whether the packets were making the proper TCP handshake, we could use the built-in Windows PktMon software.
In an elevated privilege command shell through Metasploit, we can set up the listener. For this example, we will listen on port 22 and call the filter “SSH”. That command is “pktmon filter add SSH -p 22”. This does not start the pktmon listener however, this just sets the filter. To start the packet monitor simply type “pktmon start --etw” to listen on all interfaces. Periodically you can check the status of the filter, if any packets have been passed or dropped by typing “pktmon counters”. At the time of running that command, an SSH login had not been tried. The “pktmon stop” command will show the stats as well as the location of the log file. One note about the log file is that it is saved in binary format. It is possible to convert that file to a Wireshark pcap format or text file. In this example, we will convert it to a simple text file with the command “pktmon format C:\Windows\Temp\PktMon.etl -o C:\Windows\Temp\PktMon.txt”. From here it can be read using the built-in Windows “type” command.
Learn more about the Windows 10 packet monitor.
On a Linux host, we can also accomplish this same task. This has to be carried out in an elevated command shell but the results are similar. Continuing with the previous example, say that the SSH packets were not reaching the intended target of 10.1.1.177. We could use tcpdump on the host computer to check if the packets were going through the proper SOCKS proxy. Since we are going through the local Metasploit SOCKS proxy, we must set up the listener on the loopback interface. Using the “-n” flag says not to resolve hostnames and ports. The “-A” flag says to show the packets in ASCII format. The “-s0” flag tells tcpdump to show the full packet and finally the expression “port 1080” specifies the port to listen on. In our case, it’s port 1080 due to the Metasploit SOCKS proxy listening on that port. The expression “port 1080” is in Berkeley Packet Filter (BPF) syntax.
Tcpdump’s uses and features go far beyond just listening on a simple port. It is worth exploring tcpdump’s features and functionality.
In an earlier article we talked about how to write your own port scanner. That port scanner and methodology can be used here to gain a further foothold into the network. The tools spoken about in this blog can also be used in concert with each other. A penetration tester could use Metasploit or Covenant to gain initial access into a network and from there lay down Ettercap or responder.py to sniff credentials over the local network. Metasploit can then be used to create a proxy to the next host and the process of scanning/fingerprinting and access starts all over again. If a connection to a remote host fails for whatever reason, using tools like tcpdump or PktMon can help figure out the issue.
In the next article we will discuss how to access the next hop in the network using Metasploit, SSH, tunneling, and other techniques.