Pentesting
We spent three lab sessions performing a pentest against the school.
First of all, we scanned the subnet that is available to the school:
% nmap "193.170.137.*" -sn !134
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-19 11:28 CEST
Nmap scan report for 193.170.137.0
Host is up (0.0070s latency).
Nmap scan report for 193.170.137.1
Host is up (0.0035s latency).
Nmap scan report for 193.170.137.2
Host is up (0.0035s latency).
Nmap scan report for 193.170.137.3
Host is up (0.0096s latency).
Nmap scan report for 193.170.137.4
Host is up (0.0096s latency).
Nmap scan report for 193.170.137.5
Host is up (0.0096s latency).
Nmap scan report for 193.170.137.6
Host is up (0.0096s latency).
Nmap scan report for 193.170.137.7
Host is up (0.0095s latency).
Nmap scan report for 193.170.137.8
Host is up (0.0095s latency).
Nmap scan report for 193.170.137.9
Host is up (0.0095s latency).
Nmap scan report for 193.170.137.10
Host is up (0.0095s latency).
Nmap scan report for 193.170.137.11
Host is up (0.0071s latency).
Nmap scan report for 193.170.137.12
Host is up (0.00095s latency).
Nmap scan report for 193.170.137.13
Host is up (0.0060s latency).
Nmap scan report for 193.170.137.14
Host is up (0.0074s latency).
Nmap scan report for 193.170.137.15
Host is up (0.0074s latency).
Nmap scan report for 193.170.137.16
Host is up (0.0074s latency).
Nmap scan report for 193.170.137.17
Host is up (0.0012s latency).
Nmap scan report for 193.170.137.18
Host is up (0.0070s latency).
Nmap scan report for 193.170.137.19
Host is up (0.012s latency).
Nmap scan report for 193.170.137.20
Host is up (0.015s latency).
Nmap scan report for 193.170.137.21
Host is up (0.015s latency).
Nmap scan report for 193.170.137.22
Host is up (0.015s latency).
Nmap scan report for 193.170.137.23
Host is up (0.017s latency).
Nmap scan report for 193.170.137.24
Host is up (0.017s latency).
Nmap scan report for 193.170.137.25
Host is up (0.017s latency).
Nmap scan report for 193.170.137.26
Host is up (0.017s latency).
Nmap scan report for 193.170.137.27
Host is up (0.017s latency).
Nmap scan report for 193.170.137.28
Host is up (0.018s latency).
Nmap scan report for 193.170.137.29
Host is up (0.018s latency).
Nmap scan report for 193.170.137.30
Host is up (0.018s latency).
Nmap scan report for 193.170.137.31
Host is up (0.019s latency).
Nmap scan report for 193.170.137.32
Host is up (0.019s latency).
Nmap scan report for 193.170.137.33
Host is up (0.019s latency).
Nmap scan report for 193.170.137.34
Host is up (0.019s latency).
Nmap scan report for 193.170.137.35
Host is up (0.019s latency).
Nmap scan report for 193.170.137.36
Host is up (0.020s latency).
Nmap scan report for 193.170.137.37
Host is up (0.0085s latency).
Nmap scan report for 193.170.137.38
Host is up (0.0020s latency).
Nmap scan report for 193.170.137.39
Host is up (0.020s latency).
Nmap scan report for 193.170.137.40
Host is up (0.021s latency).
Nmap scan report for 193.170.137.41
Host is up (0.022s latency).
Nmap scan report for 193.170.137.42
Host is up (0.023s latency).
Nmap scan report for 193.170.137.43
Host is up (0.024s latency).
Nmap scan report for 193.170.137.44
Host is up (0.025s latency).
Nmap scan report for 193.170.137.45
Host is up (0.0011s latency).
Nmap scan report for 193.170.137.46
Host is up (0.0069s latency).
Nmap scan report for 193.170.137.47
Host is up (0.016s latency).
Nmap scan report for 193.170.137.48
Host is up (0.018s latency).
Nmap scan report for 193.170.137.49
Host is up (0.0019s latency).
Nmap scan report for 193.170.137.50
Host is up (0.0019s latency).
Nmap scan report for 193.170.137.51
Host is up (0.016s latency).
Nmap scan report for 193.170.137.52
Host is up (0.017s latency).
Nmap scan report for 193.170.137.53
Host is up (0.017s latency).
Nmap scan report for 193.170.137.54
Host is up (0.017s latency).
Nmap scan report for 193.170.137.55
Host is up (0.017s latency).
Nmap scan report for 193.170.137.56
Host is up (0.017s latency).
Nmap scan report for 193.170.137.57
Host is up (0.0019s latency).
Nmap scan report for 193.170.137.58
Host is up (0.0019s latency).
Nmap scan report for 193.170.137.59
Host is up (0.016s latency).
Nmap scan report for 193.170.137.60
Host is up (0.017s latency).
Nmap scan report for 193.170.137.61
Host is up (0.0013s latency).
Nmap scan report for 193.170.137.62
Host is up (0.0025s latency).
Nmap scan report for 193.170.137.63
Host is up (0.018s latency).
Nmap scan report for hprouter.htl-kaindorf.ac.at (193.170.137.98)
Host is up (0.019s latency).
Nmap scan report for time.htl-kaindorf.ac.at (193.170.137.100)
Host is up (0.0015s latency).
Nmap scan report for 193.170.137.110
Host is up (0.016s latency).
Nmap scan report for vmaut2.htl-kaindorf.ac.at (193.170.137.131)
Host is up (0.0010s latency).
Nmap scan report for vmaut1.htl-kaindorf.ac.at (193.170.137.132)
Host is up (0.0079s latency).
Nmap scan report for nwadminmf.htl-kaindorf.ac.at (193.170.137.143)
Host is up (0.0013s latency).
Nmap scan report for wiki.htl-kaindorf.ac.at (193.170.137.146)
Host is up (0.0077s latency).
Nmap scan report for backup.htl-kaindorf.ac.at (193.170.137.148)
Host is up (0.022s latency).
Nmap scan report for 193.170.137.149
Host is up (0.0061s latency).
Nmap scan report for san1admin.htl-kaindorf.ac.at (193.170.137.162)
Host is up (0.0090s latency).
Nmap scan report for san2admin.htl-kaindorf.ac.at (193.170.137.163)
Host is up (0.017s latency).
Nmap scan report for direktion.htl-kaindorf.ac.at (193.170.137.168)
Host is up (0.013s latency).
Nmap scan report for db2.htl-kaindorf.ac.at (193.170.137.198)
Host is up (0.0015s latency).
Nmap scan report for vmware1.htl-kaindorf.ac.at (use )
Host is up (0.0027s latency).
Nmap scan report for vmware2.htl-kaindorf.ac.at (193.170.137.201)
Host is up (0.0020s latency).
Nmap scan report for pruefneu.htl-kaindorf.ac.at (193.170.137.205)
Host is up (0.016s latency).
Nmap scan report for 193.170.137.207
Host is up (0.0024s latency).
Nmap scan report for new.htl-kaindorf.ac.at (193.170.137.209)
Host is up (0.0023s latency).
Nmap scan report for konsole.htl-kaindorf.ac.at (193.170.137.210)
Host is up (0.016s latency).
Nmap scan report for stromServer.htl-kaindorf.ac.at (193.170.137.211)
Host is up (0.033s latency).
Nmap scan report for stromRaid.htl.kaindorf.ac.at (193.170.137.212)
Host is up (0.018s latency).
Nmap scan report for wbnb.htl-kaindorf.ac.at (193.170.137.220)
Host is up (0.0014s latency).
Nmap done: 256 IP addresses (86 hosts up) scanned in 1.76 seconds
We tried several things and investigated almost every machine; however, apart from not using HTTPS, there were no obvious vulnerabilities.
We then went on to inspect the physical security of a central network switch, which we successfully broke open.
Moreover, the server room is almost always not properly locked.
In the other lessons I tried to attack the servers that have SMB enabled with the EternalBlue exploits.
I used Metasploit modules, but it somehow did not work. I read that it is not an attack which is guaranteed to work and that it sometimes causes blue screens (hence the name EternalBlue) on the target machines, so I stopped further testing.
michael@michael-ThinkPad ~
% nmap "193.170.137.*" -p 445 --open !111
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-26 12:00 CEST
Nmap scan report for vmaut2.htl-kaindorf.ac.at (193.170.137.131)
Host is up (0.0030s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for vmaut1.htl-kaindorf.ac.at (193.170.137.132)
Host is up (0.013s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for direktion.htl-kaindorf.ac.at (193.170.137.168)
Host is up (0.0051s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap done: 256 IP addresses (87 hosts up) scanned in 10.16 seconds
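As an added example (not code from the original report), here is a small Python parser for the nmap normal-output format used by both scans above (the -sn host discovery and the -p 445 --open scan). It reads a constructed sample in that format (RFC 5737 documentation addresses and placeholder hostnames, not the school's hosts) and reports which hosts expose SMB, the inventory a network administrator would want to check against the firewall policy for a public range like the one scanned.

```python
import re

# Constructed sample in the normal-output format of nmap 7.70 shown above
# (RFC 5737 documentation addresses, placeholder hostnames).
SAMPLE = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-26 12:00 CEST
Nmap scan report for 192.0.2.10
Host is up (0.0030s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap scan report for fileserver.example.net (192.0.2.20)
Host is up (0.013s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
139/tcp open netbios-ssn
Nmap scan report for web.example.net (192.0.2.30)
Host is up (0.0051s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.16 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <hostname> (<ip>)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
# "<port>/<proto> <state> <service>" lines that follow the PORT STATE SERVICE header
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_nmap(text):
    """Return {ip: {"hostname": str or None, "ports": [(port, state, service)]}}.
    Works for -sn output too; those hosts simply end up with an empty port list."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hostname, ip = m.group(1), m.group(2)
            current = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts

SMB_PORTS = {139, 445}

def exposed_smb(hosts):
    """IPs with an open SMB port. On a publicly routed range these are the
    hosts to raise with the admins: SMB should not be reachable from outside."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p in SMB_PORTS and st == "open" for p, st, _ in h["ports"]))

if __name__ == "__main__":
    for ip in exposed_smb(parse_nmap(SAMPLE)):
        print("SMB exposed:", ip)
```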