Case Study of the Morto Worm
In August 2010, F-Secure published an interesting story about a worm named “Morto,” which
spread rapidly across networks around the world. The worm took advantage of people using weak or
default passwords for their RDP log-ins, such as administrator, password, and 123456. When
Morto found an RDP service, it tried a list of default passwords. Once it logged in over RDP, it
scanned the local area network for other hosts with MS-Term-Service listening on port 3389 and
used the same password list to connect to them in turn. In this way, it spread very fast.
Now that you have seen how dangerous leaving an RDP service with default passwords can be
for an organization, let us try cracking it with Ncrack.
Command:
ncrack -v -u administrator -P /pentest/passwords/wordlists/darkc0de.lst rdp://192.168.75.140
The -v is an additional parameter I specified here, which is used for verbosity, followed by
the -u parameter for the username, -P for the password list, and finally rdp:// followed by the IP
address of the target. Once our credentials are cracked, we can use rdesktop to log in to the RDP
service.
Command:
rdesktop -u administrator -p aedis 192.168.75.140
Combining Nmap and Ncrack for Optimal Results
As mentioned before, ncrack can be combined with nmap for more effective results. We have
already learnt to output nmap results to an XML file using the -oX option in the scanning
chapter. If you are not familiar with it, go back and review the scanning chapter.
Remote Exploitation ◾ 173
In this particular example, we will scan our local network 192.168.75.1/24 for all live hosts
with open ports and then feed the results to ncrack, which will automatically attempt to crack
all the services requiring authentication.
From ncrack, we will then execute the following command to brute-force all the network
services requiring authentication.
Note: This will not work for ms-term-service due to a bug in the tool. Therefore, for rdp, you
need to try it separately by using the method I explained earlier.
Command:
ncrack -vv -u administrator -P /pentest/passwords/wordlists/darkc0de.lst -iX /root/Desktop/output.xml -f
ncrack will now start cracking the services that require authentication, leaving out the others.
You have now seen how easy it is to combine nmap and ncrack to automate the process.
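Both the Morto worm and the ncrack runs above leave the same trace on the target: a burst of failed RDP logons from one source address, often followed by a successful logon with the guessed password, and in the worm's case the same pattern repeated from the newly infected host against its neighbours. The following detector, added here as an example and not part of the original book, scans Windows Security events for that pattern. It assumes a simplified, constructed log format (timestamp, event ID, logon type, account, source IP) rather than real EVTX export; the event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, while the IP addresses and accounts in the sample are made up.

```python
"""Detect RDP password guessing and a subsequent successful logon in
Windows Security events (constructed sample data, simplified format).

Windows values used:
  4625 = An account failed to log on
  4624 = An account was successfully logged on
  logon type 10 = RemoteInteractive (RDP / Terminal Services)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format per line (an assumption for this example):
#   <ISO timestamp> <event id> <logon type> <target account> <source IP>
# 10.0.0.99 guesses "administrator" six times and then gets in (Morto/ncrack pattern);
# 10.0.0.21 is a user mistyping a password once; 10.0.0.30 fails six times over
# logon type 3 (network), which is not RDP and is excluded by default.
SAMPLE_LOG = """\
2024-05-01T10:00:01 4625 10 administrator 10.0.0.99
2024-05-01T10:00:02 4625 10 administrator 10.0.0.99
2024-05-01T10:00:03 4625 10 administrator 10.0.0.99
2024-05-01T10:00:04 4625 10 administrator 10.0.0.99
2024-05-01T10:00:05 4625 10 administrator 10.0.0.99
2024-05-01T10:00:06 4625 10 administrator 10.0.0.99
2024-05-01T10:00:07 4624 10 administrator 10.0.0.99
2024-05-01T10:30:00 4625 10 alice 10.0.0.21
2024-05-01T10:30:05 4624 10 alice 10.0.0.21
2024-05-01T11:00:00 4625 3 svc_backup 10.0.0.30
2024-05-01T11:00:01 4625 3 svc_backup 10.0.0.30
2024-05-01T11:00:02 4625 3 svc_backup 10.0.0.30
2024-05-01T11:00:03 4625 3 svc_backup 10.0.0.30
2024-05-01T11:00:04 4625 3 svc_backup 10.0.0.30
2024-05-01T11:00:05 4625 3 svc_backup 10.0.0.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event_id>\d{4})\s+(?P<logon_type>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def rdp_failures_by_source(events, logon_types=(10,)):
    """Map source IP -> sorted timestamps of failed logons of the given types.
    With Network Level Authentication enabled, failed RDP attempts can be
    recorded as logon type 3; widen logon_types if your telemetry shows that."""
    fails = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in logon_types:
            fails[e["src"]].append(e["ts"])
    return fails


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5),
                             logon_types=(10,)):
    """Return {src: peak failures} for sources with >= threshold failed RDP
    logons inside any sliding window of the given length."""
    alerts = {}
    for src, times in rdp_failures_by_source(events, logon_types).items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_success_after_failures(events, min_failures=3,
                                  window=timedelta(minutes=5)):
    """Return (src, user, ts) for successful RDP logons preceded by at least
    min_failures failed RDP logons from the same source within the window.
    This is the 'guess, then get in' signature of Morto and of ncrack."""
    hits = []
    fails = rdp_failures_by_source(events)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            recent = [t for t in fails.get(e["src"], [])
                      if e["ts"] - window <= t < e["ts"]]
            if len(recent) >= min_failures:
                hits.append((e["src"], e["user"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("guessing sources:", detect_password_guessing(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

The single-failure logon from 10.0.0.21 is below both thresholds and produces no alert, which is the behaviour you want so that ordinary typos do not page anyone. Tune `threshold` and `window` against your own baseline; six guesses in six seconds is far faster than a human, and a hit from an internal address is the lateral-movement case the Morto story describes.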
Attacking SMTP
The SMTP protocol is mostly used for sending e-mails. It was created a long time ago, and at that
time the focus was on adding features, not on security. In the “Information Gathering Techniques”
chapter (Chapter 3), we discussed some enumeration techniques for SMTP. We talked about the
VRFY command, which can be used to check whether a particular user exists; the confirmed accounts
can later be brute-forced with any of our favorite tools, such as Hydra or Medusa. Since we have already
discussed approaches to cracking the authentication of various protocols, we won’t repeat them here.
174 ◾ Ethical Hacking and Penetration Testing Guide
Instead, we will look at another interesting attack, where we can use the target mail server to
send spoofed e-mails to any e-mail address. This can be used in social engineering attacks such as
spear phishing.