Uncategorized

WARNING : This knowledge is only for ethical purposes. Misuse this info at your own risk.

Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They are fit for meeting rooms and conference halls of various sizes as they support 1 to 3 displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.

So when all the conventional methods to get access to a network, this can work as an entry point of course if they are using this product. Let us see how this can be used in our pen test. Start Metasploit and load the exploit as shown below.

psh_auth_bypass1

Set the target and check if it’s vulnerable as shown below using “check” command.

psh_auth_bypass2a

 

You can use the default payload or choose the required payload. I am using the below payload. After setting payload, type command “run” to run the exploit.  The exploit works as shown below.

psh_auth_bypass3

 

NOTE: This howto is part of a series “Metasploitable tutorials”.

Good morning friends. In the previous part of the tutorial, we performed a vulnerability scan on our target Metasploitable and got some high ranking vulnerabilities. Before we take the plunge and exploit those vulnerabilities, let’s do some enumeration first.

Enumeration is the process of collecting information about user names, network resources, other machine names,  shares and services running on the network. Although little bit boring, it can be very helpful for the success of the hack in real time. In our previous parts, we have performed scanning and banner grabbing. So we already know what services are running on the target machine. They include FTP,telnet, SMTP and SMB etc. We can perform enumeration on all these services.

SMB stands for Server Message Block. Its mainly used for providing shared access to files, printers and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is a predecessor of  Common Internet File system (CIFS). To know more about SMB please go here.

SMB enumeration can provide a treasure trove of information about our target. So for today’s tutorial let’s see how to perform SMB enumeration with Kali Linux. I will use three tools inbuilt in Kali Linux : enum4linux, acccheck and SMBMap.

The first tool we will use is enum4linux. As the name suggests, it is a tool used for enumeration of Linux. To see all the options of this tool, just type “enum4linux -h“. Using this tool, first let us see the users of the SMB service. Open terminal and type command “enum4linux -U 192.168.25.129” as shown below.

enum4linux1

As we can see above, this system is part of a workgroup. Know the difference between domain and workgroup. We can see below that it has listed all the SMB users present on the target.

enum4linux2

Of all the usernames the tool got us, I am assuming only three usernames are useful to us: user,root and msfadmin since others seem more like processes but we will keep our fingers crossed.

enum4linux3

Before we check for validity of these credentials, let us perform a full enumeration with enum4linux. In the terminal type command “enum4linux 192.178.25.129” i.e without any options.  As you can see below, it lists us Nbtstat information of what services are active on the target.

enum4linux5

It also provides us with the OS information.

enum4linux6

And crucial info about Shares, i.e which user has what rights on the target.

enum4linux7

enum4linux8

It provides us password policy info, in case we don’t get the credentials and want to crack them.

enum4linux9

Groups present on the system.

enum4linux10

It will also display users based on RID cycling.

enum4linux11

It seems there are no printers connected to the target.

enum4linux12

Ok, now we know the users. Let’s try to find out the passwords for the usernames we seem to have got. We will use a tool called acccheck for this purpose. It is a password dictionary attack tool that targets windows authentication via the SMB protocol.  We will see more about password cracking later. First I will try it with the user “user”. In Kali Linux, most of the password dictionaries are present in “usr/share/dirb” directory. So I specify a dictionary which consists of most common passwords used.

Here, I am just guessing that the user may be using a common password. After specifying all the options, Hit Enter. The cracking process starts as shown below.

acccheck1

Once the tool gets the correct password, it stops the scan and displays a success message as shown below. Voila … the password of the user “user” is “user” only.

acccheck2

Seeing this result, I get a new idea. There might be a possibility that all the users may be using their username as password. To find out this, I create a new file called user.txt with all the usernames we got with enum4linux and specify the file for both username and password as shown below.

acccheck4

We got succces with three users; user, msfadmin and a blank user with password “games”. Since we successfully got some credentials, it’s time to see the share drives on our target system. For this, we will use another tool called SMBMap.

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

First let us check the rights of each user we got as shown below.

smbmap1

smbmap2

smbmap3

We can see that users user and msfadmin have READ,WRITE permissions on tmp directory only and the Blank user doesn’t have much. Next let us try to list all the drives on the target system with user “msfadmin”. We can see we don’t have enough privileges to execute a command.

smbmap5

Since we have READ privileges, let us read the drive on the target system as shown below. Well that’s all for SMB enumeration guys.

smbmap6

 

RESULT: We got some usernames which may be useful to us while exploiting the system in future.

NOTE: This howto is a part of a series of Metasploitable Tutorials but can also be read separately.

Good morning friends. In one of our previous howto’s, we saw how to install OpenVAS in Kali Linux. Today we will see how to perform a vulnerability assessment with OpenVAS. The target on which I have performed this vulnerability assessment is Metasploitable. Start Kali Linux ( The system on which we have installed OpenVAS,,, obviously). Open a terminal and type the following commands as underlined below.

openvass1

Then  open a browser and direct the browser to port no 9392 as shown below. You should get the following interface.

openvass2

We will perform a quick scan. In the blank given, enter the IP address of our target as shown below and click on “Start Scan” as shown below.

openvass3

 

The scan will run as shown below. It will take quite a bit of a long time. So I would suggest you go and eat some pani puri and come back.

openvass4

Once you are back, the scan should be finished and will look as shown below. Click on the link shown below.

openvass5

You should get a general summary of the scan.

openvass6

Now let us see the scan report. Go to “Scan Management” tab and click on Reports as shown below. It will show you a list of scans we performed. In our case, there is only one scan.

openvass7

Now click on the scan as shown below.

openvass8

This is our entire scan report with all the vulnerabilities existing in our target classified from high to low.

openvass9

openvass10

openvass11

openvass12

In our next howtos, we will see how to exploit all these ( which means most of them ) vulnerabilities. Until then, Good bye.