In today's blog post I am going to show how easy it is to exfiltrate sensitive data from a vulnerable web server that has a misconfigured FTP port.
We will begin by booting our Kali virtual machine and the Windows server. For the purposes of this exercise we are going to have both virtual machines, Kali and a Windows Server 2016, on the same network. This essentially means the attacker has already gained access to the network, perhaps through a Wi-Fi attack, a bad USB device, plugging into the Ethernet network or via malware.
We begin by scanning the network for other devices:
sudo netdiscover -r 10.10.0.0/16
We discover 1 machine on the network. In a real environment you might discover many, many devices on the network.
The results show us the IP address and we can see it's a Microsoft OS machine. Let's scan the machine for any open ports:
sudo nmap -vv -sV -O -p- -A 10.10.10.2
The results of the Nmap scan show a few ports are open. Interestingly, port 21, used for FTP, is open and Nmap reports that anonymous login is allowed!
Let's see if we can take advantage of that misconfiguration:
ftp 10.10.10.2
Login: anonymous
Password: <leave blank>
And we are in!
Ok let's see what files and folders we can see:
ls (or dir)
We can see there are two folders accessible on the FTP server and a txt file. Browsing the 'personal' folder we can see a file that possibly contains sensitive information. Let's steal that file, named 'myinformation.txt', and transfer it to our machine:
get myinformation.txt
This transfers the file to our machine over FTP.
OK, so we have stolen some sensitive data. Now let's leave a malicious update file for the unsuspecting victim to hopefully click on. It executes a PowerShell script in the background (no visible command prompt window) and creates a backdoor to our command and control server (not covered in this article).
Uploading the malware file to the victim:
put update.exe
This uploads our malicious file to the same 'personal' directory. Now of course this is a super-simple example of exploiting an open FTP port, stealing some sensitive information and uploading some malware. In a real-world scenario, whilst we may get 'lucky' with an open FTP port, the reality is we may need to do some leg work to find an exploit to gain access to the system, and in reality *most* people know not to execute an unknown EXE file. This could have been made more tricky by using the Social Engineering Toolkit to create a malicious PDF file that, when opened, creates a backdoor for us. We'll look at that in my next post :)
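As an added example that is not part of the original post, here is the defender's view of the same session: a small Python detector run over constructed FTP server log lines (a W3C-style field layout I am assuming for illustration, not real server output) that flags an anonymous login followed by a file download or, worse, an upload such as the 'update.exe' drop above. The attacker IP 10.10.10.5 is made up.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed W3C-style fields:
# date time c-ip cs-username cs-method cs-uri-stem sc-status).
# Not real IIS/FTP output; the IPs, paths and timestamps are invented.
SAMPLE_LOG = """\
2024-01-10 09:12:01 10.10.10.5 - USER anonymous 331
2024-01-10 09:12:02 10.10.10.5 anonymous PASS *** 230
2024-01-10 09:12:10 10.10.10.5 anonymous CWD /personal 250
2024-01-10 09:12:15 10.10.10.5 anonymous RETR /personal/myinformation.txt 226
2024-01-10 09:12:40 10.10.10.5 anonymous STOR /personal/update.exe 226
2024-01-10 09:30:00 10.10.10.7 alice PASS *** 230
2024-01-10 09:30:05 10.10.10.7 alice RETR /reports/q1.pdf 226
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
ANON_USERS = {"anonymous", "ftp"}      # usernames an anonymous FTP login accepts
DOWNLOAD_CMDS = {"RETR"}               # data leaving the server
UPLOAD_CMDS = {"STOR", "STOU", "APPE"} # data written onto the server

def parse_line(line):
    """Split one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, user, method, uri, status = m.groups()
    return {"ts": f"{date} {time}", "ip": ip, "user": user.lower(),
            "method": method.upper(), "uri": uri, "status": int(status)}

def detect_anonymous_abuse(log_text):
    """One alert per client IP that logged in anonymously and then read or wrote files.
    Uploads are rated 'high' because they can plant files for other users to run."""
    per_ip = defaultdict(lambda: {"login": False, "reads": [], "writes": []})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["user"] not in ANON_USERS:
            continue
        s = per_ip[ev["ip"]]
        if ev["method"] == "PASS" and ev["status"] == 230:      # 230 = login OK
            s["login"] = True
        elif ev["method"] in DOWNLOAD_CMDS and ev["status"] == 226:  # 226 = transfer done
            s["reads"].append(ev["uri"])
        elif ev["method"] in UPLOAD_CMDS and ev["status"] == 226:
            s["writes"].append(ev["uri"])
    alerts = []
    for ip, s in per_ip.items():
        if s["login"] and (s["reads"] or s["writes"]):
            alerts.append({"ip": ip, "severity": "high" if s["writes"] else "medium",
                           "downloaded": s["reads"], "uploaded": s["writes"]})
    return alerts

if __name__ == "__main__":
    for a in detect_anonymous_abuse(SAMPLE_LOG):
        print(a)
```

The fix on the server side is to disable anonymous authentication on the FTP site (or remove the write permission at the very least); this detector only tells you it happened.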