Posts

Showing posts from February, 2022

Relaying Hashes from Responder

In this lab, I captured a hash using Responder, and then relayed it back to the same machine to open a shell. This shell was then upgraded, and via pivoting a new machine was exploited. To start with, I did a scan to find open ports on the target machine. Next, I did a more thorough scan of the discovered open ports. I found that the remote machine was using NetBIOS and running Windows 7. The remote machine was running x86 architecture (32-bit), so I had to remove the original x86-64 (64-bit) files from the relay tool before compiling 32-bit versions. I then turned the Responder HTTP and SMB servers off, as I wanted to relay the captured hashes. This was achieved by editing the file found at /etc/responder/Responder.conf. I then started the Responder and MultiRelay tools. An NTLMv2 hash was captured and relayed to open an interactive shell. From this shell, I was able to ascertain that the remote machine was connected to a second subnet (10.100.40.0/24). In order to upgrade this shell ...

ARP Poisoning and Sniffing Traffic

In this lab, I was connected directly to an internal network and had to use ARP requests to discover live hosts. I started by using arp-scan and then tried using an nmap scan. I got the same results from both scans. I then combined the IP addresses into a file which could be used to feed further nmap scans. My next job was to try to find the DNS server, so I scanned for port 53 being open to TCP and/or UDP connections. I also tried scanning port 53 from the source port of 53, as sometimes DNS servers will only accept requests from this port. Next, I did a more thorough scan of the DNS server and found it to be running Samba on ports 139 and 445, which suggested that it was a Linux box with connections to Windows machines using the SMB protocol. I then used dig to query the DNS server to find out more about the domain it was serving and the host names for the other two machines on the network. I did this using a reverse DNS request, as I was working from the IP addresses and tryin...