ISA 564, Angelos Stavrou
Laboratory 2
Network Reconnaissance Lab

Software Requirements:
1. A secure shell (SSH) client. For Windows you can download a free version from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.63-installer.exe Mac/Linux distributions come with ssh; you just have to open a console to invoke the program.
2. The Kali Linux Penetration Testing Distribution, http://www.kali.org (PROVIDED, no need to download unless you want to run it locally).
3. Metasploitable 2 vulnerable platform (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) (PROVIDED, no need to download unless you want to run it locally).
4. Windows users: please install Xming X Server for X-windows support (free): http://sourceforge.net/projects/xming/files/latest/download
5. Mac users: install X11 XQuartz, http://xquartz.macosforge.org/landing/
6. Linux users just need to start X-Windows.
Lab Exercise Steps:

A. Connect to the Kali Linux box on dslsrv.gmu.edu, port 10022 (or 11022), as root using ssh; the password is Msec2015. (with the dot and capital M).

For Mac/Linux, open an XQuartz (X11) console and type:

    ssh -YC root@dslsrv.gmu.edu -p 11022

or, without X forwarding:

    ssh root@dslsrv.gmu.edu -p 11022

You should get:

    root@dslsrv.gmu.edu's password:
    [… ]
    root@kali:~#
For Windows
Start PuTTY, enter dslsrv.gmu.edu for Host Name and 10022 or 11022 (second server) for Port, and click Open. Servers on ports 12022 and 13022 are also available.
login as: root
password: Msec2015. (with the dot and capital M).
Now we are all logged in to an ssh terminal and we can continue with the lab. Your Metasploitable machines are directly connected to your Kali (Backtrack) box on IP addresses 10.1.1.2 and 10.1.1.3.
Simple Target Reconnaissance The first step for any penetration testing approach is the reconnaissance part. In this lab, we will be using NESSUS to scan the vulnerable machines and identify exploits that can be used to attack those machines. NESSUS is yet another tool in our penetration testing arsenal and a complement to Metasploit that we used in the last Lab.
Reconnaissance with Nessus

B. Start your X-windows client:
   a. Mac users: start XQuartz
   b. Windows users: start Xming X Server
C. Start the SSH connection to the Backtrack (Kali) server as in step A, with one modification: request X11 forwarding.
   a. Mac/Linux: use ssh as in step A but add the -YC options:

       ssh -YC root@dslsrv.gmu.edu -p 10022

   or (second server, identical):

       ssh -YC root@dslsrv.gmu.edu -p 11022

   The C option enables compression; the Y option enables trusted X11 forwarding, so windows opened by programs running on the remote host are drawn on your local display. Trusted forwarding gives those remote X clients full access to your local X server, which is acceptable for a lab box you control; the untrusted variant, -X, restricts them through the X security extension, but some applications misbehave under it.
   b. Windows: start PuTTY and enable X11 forwarding in the PuTTY configuration before you connect (see figure on next page).
The X11 Forwarding option allows for Graphics to be FORWARDED to your local machine even when the program is running on the remote server.
Enabling compression increases the speed of the graphics because the network traffic is smaller.
You should be at a prompt like this: root@kali:~# To test that X forwarding works, type "xterm" at the prompt; an xterm window should appear on your local desktop (it may only flash in your taskbar, in which case click it to bring it up):
D. Now we are ready to start with Nessus, which is browser driven. For your convenience, Nessus is already installed on the Kali Linux box, so you do not have to perform any steps other than run the program. In general, though, you would install Nessus on a Backtrack installation using the steps described here: http://www.fuzzysecurity.com/tutorials/8.html

Connect to the VNC server by typing:

    vncviewer kali:15

(any display number from 1 to 32 will work). Your password is again Msec2015. (with capital M and the dot).
Then you should see something similar to:
Click on the top left icon with the screen prompt.
Start Firefox with the profile manager flag:

    firefox -ProfileManager
Create your own profile and then click Start Iceweasel. If Firefox crashes and leaves its profile locked, create a second profile to avoid being locked out.
E. Start Nessus: type https://localhost:8834 in Firefox's address bar and press return. A fresh Nessus install serves a self-signed certificate, so the browser will warn; accept it for this lab host.
In the Nessus login window type "msec" for Username and "Msec2015." for Password, then click "Sign In".
Click on New Scan on the left panel and then select Basic Network Scan.
Select Basic Network Scan at the top left. To identify which network to scan you need to return to your terminal: press Ctrl-Z to suspend the Firefox process and then type "bg" to resume it in the background (or start Firefox with a trailing & in the first place) (see below).
To identify the network to scan, use the command "ifconfig" (ipconfig is the Windows equivalent). It lists every network card and the address configured on it:

The network to scan is the one on eth0: 10.192.113.1/24, i.e. address 10.192.113.1 with netmask 255.255.255.0. The /24 is the prefix length: the first 24 bits identify the network, so the block is 10.192.113.0/24 and spans 10.192.113.0 through 10.192.113.255 (256 addresses, of which .0 is the network address and .255 the broadcast, leaving 254 usable hosts). "Class C" is the pre-CIDR name for a block of this size. Now return to Nessus.
Fill in the Name and Target fields (the name is your choice; the target is the eth0 network from the ifconfig output, 10.192.113.0/24). Note that the form may extend below the bottom of your screen, so scroll down to reach the "Save" button.
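The step above turns an interface address into a scan target by hand. The following is an added example written for this lab (not part of the original handout): it parses net-tools style ifconfig output, converts the dotted netmask into a prefix length, and produces the CIDR block to paste into the Nessus Target field along with the host range it covers. The ifconfig text is constructed to resemble the lab's eth0 entry (10.192.113.1 on a /24); it is not real output from the lab server.

```python
"""Derive the Nessus target from the eth0 address and netmask shown by ifconfig.

Added example for this lab (not part of the original handout). The ifconfig
text below is constructed to resemble the net-tools format Kali used at the
time, with the lab's eth0 address 10.192.113.1 and a /24 mask; it is not real
output from the lab server.
"""
import ipaddress
import re
from typing import Dict, Optional

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:10.192.113.1  Bcast:10.192.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

_INET_RE = re.compile(r"inet addr:([\d.]+).*?Mask:([\d.]+)")


def parse_ifconfig(text: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each interface name to its IPv4 address plus mask.

    net-tools ifconfig starts a new interface block with the name in column 0
    and indents the rest, so an unindented line begins a new interface.
    """
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        match = _INET_RE.search(line)
        if match and current:
            addr, mask = match.groups()
            # ipaddress accepts a dotted netmask and converts it to a prefix length.
            interfaces[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def scan_plan(iface: ipaddress.IPv4Interface, exclude_self: bool = True) -> dict:
    """Describe what a scan of this interface's network covers.

    The Nessus target is the *network* address in CIDR form (10.192.113.0/24),
    not the host address. hosts() already drops the network and broadcast
    addresses; the scanner's own address is dropped too unless asked otherwise.
    """
    net = iface.network
    hosts = [h for h in net.hosts() if not (exclude_self and h == iface.ip)]
    return {
        "nessus_target": str(net),
        "block_first": str(net.network_address),
        "block_last": str(net.broadcast_address),
        "block_size": net.num_addresses,
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "host_count": len(hosts),
    }


def nessus_target(text: str, name: str = "eth0") -> str:
    """The single string to paste into the Nessus Target field for interface `name`."""
    return scan_plan(parse_ifconfig(text)[name])["nessus_target"]


if __name__ == "__main__":
    for name, iface in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(name, iface, scan_plan(iface))
```

On the lab box you would feed the real output in with `ifconfig | python3 this_script.py`-style plumbing or paste it into SAMPLE_IFCONFIG; the point is that the Target field wants the network (10.192.113.0/24), and that 256 addresses in the block leave at most 254 hosts, 253 once the scanner itself is excluded.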
Using this information and either Metasploit (msfconsole) or Armitage, which we will cover in class, you can attack the two machines.
Further Questions: Select 2 High and 2 Medium threats and test to see if you can break into the machines. Note that not every reported vulnerability is exploitable! Describe what you did even if it was not successful. Include screenshots of your efforts.

Extra Credit:
- Install your own Backtrack 5 R2 (you can get it from here: http://www.backtrack-linux.org/downloads/)
- Install NESSUS using the home feed (free): http://www.fuzzysecurity.com/tutorials/8.html
- Provide scans for dslsrv.gmu.edu and the GMU mail server mh-x.gmu.edu
- Provide scans for www.gmu.edu and another server of your choice that you are authorized to scan
- If you cannot install your own NESSUS, use the one provided to perform the same scans
Interesting video with some instructions but more advanced: http://www.youtube.com/watch?v=gw5xioiteLw&feature=player_embedded
We will discuss and dive into the tools more in class!
Advanced Target Reconnaissance

Connect to the VNC server by typing:

    vncviewer kali:15

(any display number from 1 to 32 will work).
Your password is again Msec2015. (with capital M and the dot). Then you should see something similar to:
Click on the top left icon with the screen prompt.
A new window will pop-up and you type armitage and press enter.
Sometimes you get pop-up windows, press “Connect” and “Yes”:
If everything went well, you should get the following screen:
or the one below, by selecting Armitage -> Set Target View -> Table View
Now we can start the exploitation!
Which Host? For the purpose of this lab, hosts 10.192.113.60 and 10.192.113.65 are vulnerable metasploitable virtual machines (hosts that are provisioned to be vulnerable on purpose). We can start with those so we can focus on the attacks.
Remote Exploits

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host. To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

The Attack menu limits itself to exploits that meet a minimum exploit rank of great. Some useful exploits are ranked good and they won't show in the Attack menu. You can launch these using the module browser. Use Armitage -> Set Exploit Rank to change the minimum exploit rank.

Optionally, if you'd like to see hosts that are vulnerable to a certain exploit, browse to the exploit in the module browser. Right-click the module. Select Relevant Targets. Armitage will create a dynamic workspace that shows hosts that match the highlighted exploit. Highlight all of the hosts and double-click the exploit module to attack all of them at once.
What is next? Select the host by clicking it, then open Attacks in the top menu and press "Find Attacks". If all goes well you will get the "Attack Analysis Complete" window; press "OK".
Next, right-click the host you want to attack (on a Mac with a single-button mouse, control-click gives a right-click). You should see the following menu:
Select Attack -> misc -> check exploits. This runs the check function of every exploit in that category (misc) against the host and reports which ones find the host vulnerable. At the bottom of the console you should see each individual check being run. Click on the Console and press Ctrl-F to search for the word "vulnerable" (see below):
Notice that the following attack IS VIABLE (host VULNERABLE):
To take advantage of the above vulnerability, right-click the target host again and select the attack from the menu (see below):
You should be able to see the following menu:
Press Launch.
A new tab with the shell will open in the area below. I have typed commands whoami and hostname to show you that I have indeed successfully exploited the host.
Which exploit? Learning which exploits to use and when comes with experience. Some exploits in Metasploit implement a check function. These check functions connect to a host and check if the exploit applies. Armitage can use these check functions to help you choose the right exploit when there are many options. For example, targets listening on port 80 will show several web application exploits after you use Find Attacks. Click the Check exploits... menu to run the check command against each of these. Once all the checks are complete, press Ctrl+F and search for vulnerable. This will lead you to the right exploit.
Clicking a host and selecting Services is another way to find an exploit. If you have Nmap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host.
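The Tomcat example above is a two-stage workflow: an auxiliary module (tomcat_mgr_login) recovers manager credentials, and an exploit (tomcat_mgr_deploy) uses them. The following is an added example written for this lab, not Metasploit code: it stands up a small mock of the Tomcat manager's HTTP Basic login on localhost (constructed for the example; it is not a real Tomcat, and the pair it accepts, tomcat/tomcat, is an assumption), then tries a short default-credential list the way tomcat_mgr_login does and returns the first pair the server accepts, which is exactly the input the deploy step needs. The credential list is also constructed for the demonstration.

```python
"""Credential discovery feeding a later exploit step, mirroring the lab's
tomcat_mgr_login -> tomcat_mgr_deploy example.

Added example for this lab; not Metasploit code. The HTTP server below is a
mock of the Tomcat manager login (constructed; not a real Tomcat) whose
accepted pair, tomcat/tomcat, and the credential list are assumptions made
for the demonstration.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple

MANAGER_PATH = "/manager/html"
# Constructed default-credential list; the real module ships a much longer one.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
    ("manager", "manager"),
]


class MockManagerHandler(BaseHTTPRequestHandler):
    """Mock manager endpoint: 401 unless the expected Basic credentials are sent."""
    accepted = base64.b64encode(b"tomcat:tomcat").decode()  # assumed "real" password

    def do_GET(self):
        if self.path != MANAGER_PATH:
            self.send_error(404)
            return
        if self.headers.get("Authorization", "") == f"Basic {self.accepted}":
            body = b"<html>Tomcat Web Application Manager</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_manager() -> Tuple[HTTPServer, str]:
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockManagerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def try_login(base_url: str, user: str, password: str, timeout: float = 2.0) -> bool:
    """One manager login attempt with HTTP Basic auth; True if the manager page is served."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + MANAGER_PATH,
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False  # wrong or insufficient credentials: keep guessing
        raise             # 404/500 etc.: the target is not the endpoint we assumed, stop


def find_manager_credentials(base_url: str,
                             creds: List[Tuple[str, str]] = DEFAULT_CREDS
                             ) -> Optional[Tuple[str, str]]:
    """Return the first (user, password) the manager accepts, or None.

    This is the information the deploy step needs: with a working manager
    login, tomcat_mgr_deploy can upload a WAR and get a shell.
    """
    for user, password in creds:
        if try_login(base_url, user, password):
            return user, password
    return None


if __name__ == "__main__":
    server, url = start_mock_manager()
    try:
        print("accepted credentials:", find_manager_credentials(url))
    finally:
        server.shutdown()
```

Run it directly to see the accepted pair printed. The distinction in try_login matters in practice: a 401 means "wrong password, try the next one", while a 404 or 500 means the path is not a manager endpoint at all and further guessing would only generate noise in the target's logs.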
A list of ALL the vulnerabilities for metasploitable 2 can be found here: https://community.rapid7.com/docs/DOC-1875 and http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/ Further readings: https://www.ethicalhacker.net/features/special-events/free-armitage-and-metasploitvideo-training
Assignment for Lab 2: Exploit a vulnerability and show me, via screenshots, that you have placed a file on the exploited remote machine by creating it with the command "touch <name>", where <name> is replaced with your full name.
Happy exploiting!