Ethical Hacking and Penetration Testing Guide


Case Study of a Morto Worm
In August 2010, F-Secure published an interesting story about a worm named “Morto,” which was spreading rapidly across networks around the world. The worm took advantage of people using weak or default passwords for their RDP logins, such as administrator, password, and 123456. When Morto found an RDP service, it tried a list of default passwords. Once it had logged in over RDP, it started scanning the local area network for hosts with ms-term-service (RDP) listening on port 3389, and it used the same password list to connect to those as well. In this way, it spread very fast.
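The propagation pattern just described (a burst of failed RDP logons from one source, then a success with the same account) is what a defender would look for in Windows logon events. The following is an added example, not from the book: a small detector run over constructed log records in a simplified, hypothetical "timestamp event_id source_ip user logon_type" format (not real Windows Security log syntax), where 4625 is a failed logon, 4624 a successful one, and logon type 10 means Remote Desktop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format, not real Windows log syntax).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2023-08-07T10:00:01 4625 192.168.75.140 administrator 10
2023-08-07T10:00:02 4625 192.168.75.140 administrator 10
2023-08-07T10:00:03 4625 192.168.75.140 administrator 10
2023-08-07T10:00:04 4625 192.168.75.140 administrator 10
2023-08-07T10:00:05 4625 192.168.75.140 administrator 10
2023-08-07T10:00:06 4624 192.168.75.140 administrator 10
2023-08-07T10:05:00 4625 192.168.75.20 alice 10
2023-08-07T10:06:00 4624 192.168.75.20 alice 10
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Parse the constructed records into (timestamp, event_id, source, user, logon_type)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, src, user, ltype = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), src, user, int(ltype)))
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: verdict} for sources with >= threshold RDP logon failures
    inside `window`; verdict is 'guess_succeeded' when a success follows the burst,
    which is the Morto-style pattern of a default-password list hitting a valid one."""
    by_src = defaultdict(list)
    for ts, eid, src, user, ltype in sorted(events):
        if ltype == 10:  # only Remote Desktop logons are of interest here
            by_src[src].append((ts, eid))
    verdicts = {}
    for src, evs in by_src.items():
        fails = [ts for ts, eid in evs if eid == 4625]
        burst_end = None
        # sliding window: find the first run of `threshold` failures within `window`
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        succeeded = any(eid == 4624 and ts >= burst_end for ts, eid in evs)
        verdicts[src] = "guess_succeeded" if succeeded else "guessing"
    return verdicts
```

A single failed logon followed by a success (the alice records) is ordinary user behaviour and is not flagged; the threshold and window are tuning knobs for your own environment.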
Now that you have been made aware of how leaving an RDP with default passwords can be 
dangerous for an organization, let us try cracking it with Ncrack.
Command:
ncrack -v -u administrator -P /pentest/passwords/wordlists/darkc0de.lst rdp://192.168.75.140
The -v is an additional parameter I specified here, which turns on verbose output, followed by the -u parameter for the username, -P for the password list file, and finally rdp:// followed by the IP address of the target. Once our credentials are cracked, we can use rdesktop to log in to the RDP service.
Command:
rdesktop -u administrator -p aedis 192.168.75.140
Combining Nmap and Ncrack for Optimal Results
As mentioned before, ncrack can be combined with nmap for more effective results. We have already learned to output the results to an XML file using the -oX option of nmap in the scanning chapter. If you are not familiar with it, go back and review the scanning chapter.
In this particular example, we will scan our local network 192.168.75.1/24 for all live hosts with open ports and then feed the results to ncrack, which will automatically attempt to crack all the services requiring authentication.
Now, from ncrack, we will execute the following command to brute-force all the network services requiring authentication.
Note: This will not work for ms-term-service due to a bug in the tool. Therefore, for RDP, you need to try it separately by using the method I explained earlier.
Command:
ncrack -vv -u administrator -P /pentest/passwords/wordlists/darkc0de.lst -iX /root/Desktop/output.xml -f
ncrack will now start cracking the services that have authentication, leaving out the others. So 
now you’ve seen how easy it is to combine nmap and ncrack to automate our process.
Attacking SMTP
The SMTP protocol is mostly used for sending e-mails. It was created a long time ago, and at that time the focus was on adding features, not on security. In the “Information Gathering Techniques” chapter (Chapter 3), we discussed some enumeration techniques for SMTP. We talked about the VRFY command, which can be used to check whether a particular user exists; the user names found this way can later be used to brute-force SMTP accounts with any of our favorite tools, Hydra or Medusa. Since we have already discussed approaches to cracking the authentication of various protocols, we won’t discuss it here.
Instead, we will look at another interesting attack, where we can use the target mail server to send spoofed e-mails to any e-mail address. This can be used in social engineering attacks such as spear phishing.