ET XXX Introduction to Penetration Testing


2014 Fall Semester
Monday, Wednesday, Friday 1:30-2:20 PM
Engineering Complex III, Room XXX
Instructor: Alejandro Baca

Course Description

The purpose of this course is to give the student an understanding of how to conduct a penetration test on a network. As cyber-attacks increase, so does the demand for information security professionals who possess true network penetration testing and ethical hacking skills. At the end of the course the student should be able to:

- Understand the legal obligations of penetration testing and ethical hacking.
- Plan the specifics of a test, carefully scoping the project and defining the rules of engagement with target environment personnel.
- Plan, scope, and perform reconnaissance on the network.
- Scan a target environment, creating a comprehensive inventory of machines and then evaluating those systems to find potential vulnerabilities.
- Exploitation and post-exploitation: understand the many kinds of exploits that a penetration tester or ethical hacker can use to compromise a target machine.
- Reporting, conclusion, and follow-up of a penetration test.

Text and required supplies

- The Basics of Hacking and Penetration Testing, Second Edition, by Dr. Patrick Engebretson
- Laptop
  - x86 or x64 compatible multicore CPU, 1.5 GHz or higher
  - DVD drive
  - 2 GB RAM minimum, with 4 GB or higher recommended
  - Ethernet adapter
  - 20 GB available hard drive space
  - Any service pack level is acceptable for Windows 8, 7, Vista or Windows XP Pro
- Note-taking materials
- Access to Canvas for schedule updates, lab instructions, quizzes, and tests
- Ability and motivation to learn

Schedule (Topic/Activity)

- Introduction to the course: What is Penetration Testing?
- Code of Ethics: Legal obligations of ethical hacking and penetration testing. The dos and don'ts and computer crime laws.
- Equipment and Basic Procedures: Use of equipment, fundamentals, etc.
- Setting up a virtualized hacking environment: Installing Kali Linux and Metasploitable in VMware Player.
- Types of Penetration Test: Network services, client-side, web application, wireless security, and social engineering tests.
- Permission Memo: Receiving permission from a leader of an organization to test their environment.
- Rules of Engagement: Define a set of practices for the penetration test. Define who will conduct the test, when the test will begin and end, what the targets are, whether the team will be observed, what type of test it will be, etc.
- Setting the project scope of a penetration test: Create a succinct statement of what is to be tested. List explicitly the domain names, network address ranges, individual hosts, and applications that will be tested. List explicitly what will NOT be tested, such as mission-critical elements.
- Phases of Penetration Testing: Chapter one page
- Reporting: Report format: Executive summary, Introduction, Methodology, Findings, Conclusion, and Appendix.
- Reconnaissance: Lecture, Google, and HTTrack activity
- Reconnaissance: Whois, host, and NSLOOKUP activity
- Reconnaissance: Fierce and theharvester activity
- Reconnaissance: MetaGooFil and lecture on Social Engineering
- Exam One: Chapter one and two
- Scanning: Lecture on pings and ping sweeps with fping and the Nmap ping scan
- Scanning: Lecture on the three-way handshake and its impact on the scanning phase
- Scanning: Lecture on port scanning basics. Port scanning with Nmap: TCP, SYN, UDP, and Xmas scans
- Scanning: OS fingerprinting and version scanning with Nmap
- Scanning: Timing of scans, combination scan, and other features of Nmap
- Vulnerability Scanning: Nessus
- Vulnerability Scanning: Nmap Scripting Engine scripts
- Web Vulnerability Scanning: Nikto (page 13 of LampSecurity CTF Exercise 7), W3af (page 17 of LampSecurity CTF Exercise 7)
- Web Vulnerability Scanning: ZAP (page 23 of LampSecurity CTF Exercise 7), Nessus
- Exam Two: Chapter two and lecture material
- Exploitation: Weak passwords: Hydra and Ncrack
- Exploitation: Unix basics: rlogin, rpcinfo, showmount, and ssh
- Exploitation: Backdoors: telnet, UnrealIRCd IRC, distccd, smbclient, samba_symlink_traversal
- Web Exploitation: SQL Injection and SQLMap (page 27 of LampSecurity CTF Exercise 7)
- Web Exploitation: Cross Site Scripting (page 121 of The Basics of Hacking and Penetration Testing)
- Looting: Dumping SQL databases, cracking passwords, and retrieving flags (page 32 of LampSecurity CTF Exercise 7)
- Maintaining Access and Post-exploitation: Netcat (page 128 of The Basics of Hacking and Penetration Testing)
- Exam Three: Chapter four, five, and six
- Final Practical Exam: Groups of 4-5 students perform a simulated penetration test

Table of Contents

- ET XXX Introduction to Penetration Testing
- Codes of Ethics
- Permission Memo
- Rules of Engagement Worksheet
- Setting up a virtualized hacking environment
  - Installing VMware Player
  - Installing Metasploitable
- Penetration Testing Methodology
- Reconnaissance
  - HTTrack: Website Copier
  - Whois
  - host and NSLOOKUP
  - Fierce
  - The Harvester
  - MetaGooFil
- Scanning
  - Pings and Ping Sweeps
  - fping
  - Nmap
  - Ping scan
  - TCP port scan
  - SYN port scan
  - UDP port scan
  - Xmas tree scan
  - Null scan
  - Operating System Fingerprinting
  - Version scanning
  - Timing for Nmap scans
  - OS detection, version detection, script scanning, and traceroute
- Vulnerability Scanning
  - Nmap Scripting Engine (NSE)
  - Nessus
  - Installation
  - Scanning
- Web Vulnerability Scanning
  - Nessus
  - Setting up Web Vulnerability Scan Policy
  - Scanning
- Password Attacks
  - Ncrack
  - Hydra
- Exploitation and Web Exploitation
- Works Cited

New Mexico State University

Codes of Ethics

I certify that by having access to tools and programs that can be used to break or hack into systems, I will only use them in an ethical, professional and legal manner. This means that I will only use them to test the current strength of a security network so that improvements can be made. I will always receive permission before performing a penetration test. If for some reason I do not use these tools in a proper manner, I do not hold New Mexico State University or the instructor liable. I accept full responsibility for my actions.

Full Name:
Banner ID:
Signature:
Date:

[Insert Your Organization Logo]

Permission Memo

Subject: Vulnerability Assessment and Penetration Testing Authorization
Date: MMDDYY

To properly secure this organization's information technology assets, the information security team is required to assess our security stance periodically by conducting vulnerability assessments and penetration testing. These activities involve scanning our desktops, laptops, servers, network elements, and other computer systems owned by this organization on a regular, periodic basis to discover vulnerabilities present on these systems. Only with knowledge of these vulnerabilities can our organization apply security fixes or other compensating controls to improve the security of our environment.

The purpose of this memo is to grant authorization to specific members of our information security team to conduct vulnerability assessments and penetration tests against this organization's assets. To that end, the undersigned attests to the following:

1) [Insert name of tester], [Insert name of tester], and [Insert name of tester] have permission to scan the organization's computer equipment to find vulnerabilities. This permission is granted from [insert start date] until [insert end date].
2) [Insert name of approver] has the authority to grant this permission for testing the organization's Information Technology assets.

[Insert additional permissions and/or restrictions if appropriate.]

Signature:
[Name of Approver]
[Title of Approver]
Date:

Signature:
[Name of Test Team Lead]
[Title of Test Team Lead]
Date:

Rules of Engagement Worksheet

Penetration Testing Team Contact Information:
- Primary Contact:
  - Mobile Phone:
  - Pager:
- Secondary Contact:
  - Mobile Phone:
  - Pager:

Target Organization Contact Information:
- Primary Contact:
  - Mobile Phone:
  - Pager:
- Secondary Contact:
  - Mobile Phone:
  - Pager:

"Daily Debriefing" Frequency:
"Daily Debriefing" Time/Location:
Start Date of Penetration Test:
End Date of Penetration Test:
Testing Occurs at Following Times:

Will test be announced to target personnel:
Will target organization shun IP addresses of attack systems:
Does target organization's network have automatic shunning capabilities that might disrupt access in unforeseen ways (i.e. create a denial-of-service condition), and if so, what steps will be taken to mitigate the risk:
Would the shunning of attack systems conclude the test:
If not, what steps will be taken to continue if systems get shunned and what approval (if any) will be required:
IP addresses of penetration testing team's attack systems:

Is this a "black box" test:
What is the policy regarding viewing data (including potentially sensitive/confidential data) on compromised hosts:
Will target personnel observe the testing team:

Signature of Primary Contact representing Target Organization:          Date:
Signature of Head of Penetration Testing Team:          Date:

If necessary, signatures of individual testers:
Signature:          Date:
Signature:          Date:
Signature:          Date:
Signature:          Date:

Setting up a virtualized hacking environment

There are a lot of tutorials available on the internet related to hacking, but the main problem lies in testing your theoretical skills and actually penetrating a system. This paper will teach you how to create a virtualized hacking environment so that you may apply your skills to gain practical exposure to hacking. Ideally you would want a separate computer so that your attacker machine isn't limited on hardware resources, but this paper will cover setting up an environment on one machine. Here's what you'll need:

- Multiple processors/cores (e.g. Intel Core 2 Quad or AMD Quad Something)
- Plenty of RAM (8 GB is ideal but 4 GB is minimal)
- Plenty of hard drive storage (500 GB)
- Virtualization software (e.g. VMware, VirtualBox, Windows Virtual PC)
- Pre-built virtual machines or installer ISOs

Once we have satisfied the hardware requirements, we need to identify which virtual machine host program we will use. The reason a security consultant or IT administrator would utilize virtualization is to minimize the risk of destruction. VMs can be easily backed up, snapshotted, and transferred to other host computers. The two main products are VirtualBox and VMware Player. Both are excellent products; however, VMware Player has more prebuilt virtual machines, which include .vmx files. The prebuilt VMs allow easy and rapid deployment. Some of the VMs are configured with non-persistent disks, so any potential damage you do to the system will be reverted on reboot.

Installing VMware Player

First download the latest version of VMware Player from their website:

If you're an avid Windows user, the installation wizard should perform the entire task of installing the software. Once it is installed, launch it and you should see this screen:

Installing Metasploitable 2

As I said before, a problem you encounter when learning how to use an exploit or hacking tool is configuring targets to scan and attack. Luckily, Rapid7 (the Metasploit team) is aware of that issue and has released a vulnerable VMware virtual machine called Metasploitable. They have just released Metasploitable 2, which includes new vulnerabilities and vulnerable web services! The virtual machine will run on any recent VMware or VirtualBox product. The virtual machines are configured with non-persistent disks, so any potential damage you do to the system will be reverted on reboot. You can find Metasploitable at:

Extract the Metasploitable download. Once it is extracted you will find a directory with various virtual machine files. If you are using VMware Player, all you have to do is double-click the .vmx file and VMware Player will automatically create the virtual machine for you. If you are using VirtualBox, there are some additional steps you will have to take:

1. Click New to open the New Virtual Machine Wizard.
2. Give the VM a name such as Metasploitable. For the operating system select Linux and for the version select Ubuntu.
3. Select the amount of RAM in megabytes. The machine will work fine on 512 MB.
4. For the virtual hard disk we will select the vmdk that we extracted. Click Use existing hard disk and, on the right of the drop-down menu, click on the folder icon to browse your directories. From there locate the Metasploitable.vmdk file.
5. The next window will be a Summary of your new VM. Click Create to finalize.
6. To start the machine, select it in the VM field and click the big green arrow that says Start.

At this point you will see a new window pop up with a black screen displaying start-up data for Metasploitable. Now we have a punching bag that we can test hacking tools against. So what's our next step? Getting these tools! The most commonly used penetration testing OS was BackTrack, but now it is Kali Linux.

Kali Linux is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. Kali Linux is a complete re-build of BackTrack from the ground up, adhering completely to Debian development standards (What is Kali Linux?, 2013). Kali Linux provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Kali includes many well-known security tools, including: Metasploit, RFMON, Aircrack-ng, Kismet, Nmap, Ophcrack, Ettercap, Wireshark, Hydra, OWASP, W3af, and many more!

Kali Linux download link:

The current version of Kali may be downloaded in ISO form or as a VMware image. I highly recommend downloading the VMware image, which is specifically tailored to being run as a VM, because we are setting up a virtualized network. From there simply install Kali with the ISO or with the vmdk. At this point install the guest OS of BackTrack in VMware Player or VirtualBox just as you did with Metasploitable.

Excellent, at this point we should have both Kali and Metasploitable installed as guest OSes in either VMware Player or VirtualBox. Now we need to create the Virtualized LAN (VLAN). Again, the steps may vary between VMware and VirtualBox. Generally, the steps include changing the Network Connection of the virtual machine to NAT or Host-only. What this does is create a private VLAN with the host.

1. Make sure that both of the VMs are shut down.
2. From the Home screen of VMware Player where all of the VMs are listed, select Kali and on the bottom right of the screen select Edit virtual machine settings.
3. At this point a window will pop up. Select Network Adapter and change it to either NAT or Host-only. I suggest setting it to NAT so that Kali has internet access and can be updated in the future.
4. Select OK and the window will close.
5. Repeat steps 1-4 for the Metasploitable 2 VM.
6. Start both VMs.
   a. In the VMware Player home screen start Kali by selecting it and clicking Play virtual machine.
   b. At this point you will only be able to view the Kali VM running. On the taskbar, right-click the VMware Player icon and select the Metasploitable.vmx file underneath Recent. This will play the Metasploitable VM.
7. Check if both machines have the same IP address.
   a. Log into Kali; the credentials are: root/root
   b. Check the network configuration with ifconfig.
   c. Log into Metasploitable; the credentials are: msfadmin/msfadmin
   d. Check the network configuration with ifconfig.

You should now have a virtualized hacking environment to hone your ethical hacking skills! For good measure, go ahead and ping the Metasploitable server from Kali.

SANS SIFT Kit/Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed forensic examination. Though Kali is designed for penetration testing, it can be used in the same manner as SIFT, as an easily deployable workstation for conducting tests. A tester could make a copy of the Kali VM for each penetration test that they conduct and save all of the activity and content in it. This would allow penetration tests to be easily stored and accessed.

For easier reporting it is highly recommended to create folders in the VM for each phase of the penetration test. Log on to Kali and create a recon, scanning, and exploitation folder:

    root@kali:~# mkdir -p /root/desktop/recon
    root@kali:~# mkdir -p /root/desktop/scanning
    root@kali:~# mkdir -p /root/desktop/exploitation


Penetration Testing Methodology

The Penetration Testing Methodology (PTM) derives from the Zero Entry Hacking Methodology from The Basics of Hacking and Penetration Testing. The PTM provides a pathway for a penetration test, moving from the broad to the specific. As we journey through the semester we will cover each step. From the top, we begin with the ethics, legalities, and rules of engagement for the pen test. While the test is being conducted, the team continuously reports to a centralized repository. Once the penetration test is complete, a report is generated which includes detailed information about the pen test. The report also includes remediation information and the raw output from the tools used.

Reconnaissance

Definition: Military observations of a region to locate an enemy or ascertain strategic features.

Reconnaissance, also known as information gathering, is the most important of the four phases. The more time spent on collecting information on a target, the more likely you are to be successful in a penetration test. There are two types of reconnaissance:

- Active reconnaissance includes interacting directly with the target. However, during this process the target may record our IP address and log our activity. This would jeopardize our opportunity to conceal our identity, which would impact the performance of a penetration test.
- Passive reconnaissance makes use of the vast amount of information available on the web. When we are conducting passive reconnaissance, we are not interacting directly with the target and as such, the target has no way of knowing, recording, or logging our activity.

Recon begins by conducting a thorough search of public information. There are two main goals in this phase: first, gather as much information as possible about the target; second, sort through all of the information gathered and create a list of attackable IP addresses.

While you are gathering information, it is important to keep your data in a central location such as a spreadsheet. Each discovered target system gets one line in the inventory spreadsheet, with the details populated as they are discovered throughout the test. The spreadsheet includes fields such as target IP, name, OS, etc. An example can be found in the class directory, titled target_inventory.csv.

In most cases for a penetration test, the first activity is to locate the target's website. For this class we will use a search engine to search for NMSU.

HTTrack: Website Copier

Typically, we begin by closely reviewing the target's website. In some cases, we may actually use a tool called HTTrack to make a page-by-page copy of the website. HTTrack is a free utility that creates an identical, off-line copy of the target website. The copied website will include all the pages, links, pictures, and code from the original website; however, it will reside on your local computer. Utilizing a website tool like HTTrack allows us to explore and thoroughly mine the website off-line without having to spend additional time traipsing around on the company's web server.

For this activity we will be copying a web page from the Metasploitable 2 server.

1. First download both the CLI and GUI versions of HTTrack.

    root@kali:~# apt-get install httrack && apt-get install webhttrack

2. Restart the Kali VM.
3. Launch the GUI by navigating to Applications > Internet > WebHTTrack Website Copier.
4. The HTTrack Website Copier webpage should appear and we are presented with 4 web pages that allow us to set up and customize the copy process. Each page allows us to change various aspects of the program including language, project name, the location where we will store the website, and the web address of the site that we would like to copy. Work through each of these pages by making the desired changes to each option and clicking the Next button. The final page will include a Start button; click it when you are ready to begin making a copy of your target's website.

Here is an example of what the web page will look like during the copying process.

The amount of time it takes for this process to complete will depend on the size of your target's website. Once HTTrack has finished copying the target website, it will present you with a webpage allowing you to Browse the Mirrored Website in a browser or navigate to the path where the site was stored.

Whois

A very simple but effective means for collecting additional information about our target is Whois. The Whois service allows us to access specific information about our target, including the IP addresses or host names of the company's Domain Name System (DNS) servers and contact information, usually containing an address and phone number. Whois is built into the Linux operating system. The simplest way to use this service is to open a terminal and enter the following command:

    root@kali:~# whois target_domain

For this example we will use NMSU.

host and NSLOOKUP

Oftentimes during the reconnaissance phase, some of our results will contain hostnames rather than IP addresses. When this occurs, we can use the host or nslookup tool to perform a name translation. host and nslookup can be run from a terminal by typing:

    root@kali:~# host dns1.nmsu.edu
    root@kali:~# nslookup dns1.nmsu.edu

Fierce

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, Nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. Fierce does not perform exploitation and does not scan the whole Internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Fierce is a reconnaissance tool.

Fierce is a Perl script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics. First it queries your DNS for the DNS server of the target. It then switches to using the target's DNS server. You can use a different DNS server if you want by using the -dnsserver switch, but this can cause problems if the server you use won't tell you information about other people's sites, and you won't be able to find much relevant internal address space. Fierce then attempts to dump the Start of Authority (SOA) record for the domain, in case the DNS server is misconfigured. An SOA record is a resource record that is used by the DNS. Every domain name has an SOA record in its database that indicates basic properties of the domain and the zone that the domain is in. The dump of the SOA record will probably fail; next Fierce will attempt to guess names that are common amongst a lot of different companies. The list of names was compiled by the creators of Fierce from hostnames they have seen in the majority of other domains.

Next, if Fierce finds anything on any IP address, it will scan up and down a set amount (default 5), using reverse lookups to look for anything else with the same domain name. If it finds anything on any of those lookups, it will recursively scan until it doesn't find any more hosts. This forms a looping process, and the bigger the domain is, the more results the Fierce scan will have!

For this example we will be scanning the NMSU network. To launch Fierce against an enterprise network, open a terminal window and run the following command:

    root@kali:~# fierce -dns nmsu.edu

Fierce will then traverse a domain and identify hostnames. After scanning the NMSU network, the Fierce scan resulted in finding 3458 entries. We would then add these hostnames to our target list and begin the reconnaissance process again.

Fierce should not be limited to the command that was previously used. Fierce is a very powerful tool and could possibly be used for the majority of the reconnaissance if the team's focus is simply to find targets for the exploitation phase. To build experience with Fierce, complete the following commands on a domain and explain what they do:

    root@kali:~# fierce -dns example.com -connect headers.txt
    root@kali:~# fierce -range [IP range] -dnsserver ns1.example.com
    root@kali:~# fierce -dns examplecompany.com -search corp,main,branch
    root@kali:~# fierce -dns example.com -wordlist dictionary.txt

The Harvester

An excellent tool to use in reconnaissance is The Harvester. The Harvester is a simple but highly effective Python script written by Christian Martorella at Edge Security. This tool allows us to quickly and accurately catalog both e-mail addresses and subdomains that are directly related to our target. The Harvester can be used to search Google, Bing, and PGP servers for e-mails, hosts, and subdomains. It can also search LinkedIn for usernames. During the reconnaissance you will recover e-mail addresses of employees of the target company. By mutating and manipulating the information before the @ symbol you can extract potential network usernames.

Open a terminal window and run the following command:

    root@kali:~# theharvester -d nmsu.edu -l 10 -b google -f nmsu_harvest_report.html

The switches used in the command:

- -d: Domain to search or company name
- -l: Limit the number of results to 10
- -b: Data source, e.g. google, bing, bingapi, pgp, all
- -f: Save the results into an HTML and XML file at /root/desktop/nmsu_harvest_report.html

Once the harvest is complete, theharvester will generate an HTML report that can be easily viewed in a web browser. As you can see, theharvester was effective in locating at least 34 e-mails and 52 hosts for the nmsu.edu domain name. During a penetration test we would then add these new domains to our target list and begin the reconnaissance process again.

MetaGooFil

Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil will perform a search in Google to identify and download the documents to local disk, and then will extract the metadata with different libraries like Hachoir, pdfminer and others. With the results it will generate a report with usernames, software versions and server or machine names that will help penetration testers in the information gathering phase.

It is a good idea to create a files folder to hold all of the target files that will be downloaded; this keeps the original directory clean. Open a terminal and create a folder on the desktop:

    root@kali:~# mkdir -p /root/desktop/files/

With the files directory in place we can run MetaGooFil by executing the following command:

    root@kali:~# metagoofil -d nmsu.edu -l 100 -n 10 -t all -o /root/desktop/files -f /root/desktop/files/mgf_results.html

MetaGooFil will run, collecting docx files from the Internet that are related to nmsu.edu. With the -l switch our search will be limited to 100 results, and the number of downloaded files is limited to 10 with the -n switch. MetaGooFil will then parse through the metadata of the files and extract usernames, software used, e-mail addresses, and the paths/servers that the files originally existed on. All of the files will be downloaded to the /root/desktop/files directory; the actual report will be saved to the desktop. Viewing the .html results file is very similar to viewing theharvester result file because the same programmer made them!

From the results we can report that MetaGooFil discovered 13 usernames, 2 types of software used, 13 e-mail addresses, and 0 paths/servers with the parameters that we defined. Naturally, the results would grow if we were to increase the parameters to allow more files to be searched and downloaded.

Scanning

This phase of the PTM focuses on scanning a target environment, creating a comprehensive inventory of machines, and then evaluating those systems to find potential vulnerabilities. The breakdown of the scanning phase is: one, determine if a system is alive; two, port scan the system; three, scan the system for vulnerabilities. This module requires you to have both a Kali VM and a Metasploitable VM running, with the network connection set to NAT or Host-only.

Pings and Ping Sweeps

A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP echo request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back to the originating machine with an echo reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information, including the total time it took for the packet to travel to the target and return. Pings also report traffic loss that can be used to gauge the reliability of a network connection (Engebretson, 2011).

fping

The simplest way to run a ping sweep is with fping. fping is a program like ping, which uses the Internet Control Message Protocol (ICMP) to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the list of targets to ping. Instead of sending to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion. One could visualize this as radar sweeping a radius.

1. The first step is to identify what IP address your Kali VM has and take note of it:

    root@kali:~# ifconfig

2. With both the Kali and Metasploitable VMs running, let's sweep the LAN with fping by issuing the following command:

    root@kali:~# fping -a -g [IP range] > fping-hosts.txt

fping will now ping sweep the LAN and save the entire standard output from the program to the file fping-hosts.txt in the working directory. Once the command has been run you can open the .txt file to view which hosts are up; in my case there were four hosts up.
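The step from sweep output to the inventory spreadsheet described in the Reconnaissance section can be scripted so that only hosts covered by the signed scope statement ever reach the scanning tools. The following is an added example, not part of the course material: the addresses, the scope and exclusion lists, the extra status and note columns, and all function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample values (assumptions, not from the course): ranges as they
# would appear in the scope statement and rules of engagement.
IN_SCOPE = ["192.168.56.0/24"]
EXCLUDED = ["192.168.56.1", "192.168.56.254"]  # listed as NOT to be tested

# Constructed sample of a fping-hosts.txt file: `fping -a` prints one live
# address per line. A stray line and a duplicate are included on purpose.
FPING_OUTPUT = """\
192.168.56.1
192.168.56.101
192.168.56.102
10.0.2.15
not-an-ip
192.168.56.101
"""

# target_ip, name and os follow the fields named in the text; status and note
# are added columns for this example.
FIELDS = ["target_ip", "name", "os", "status", "note"]


def classify(ip_text, scope_nets, excluded_nets):
    """Return (status, note) for one discovered address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid", "not an IP address"
    # Exclusions win over scope: a mission-critical host inside an
    # authorized range must still never be scanned.
    if any(ip in net for net in excluded_nets):
        return "excluded", "explicitly listed as not to be tested"
    if any(ip in net for net in scope_nets):
        return "in-scope", ""
    return "out-of-scope", "not in any authorized range"


def build_inventory(fping_text, in_scope, excluded):
    """Turn sweep output into inventory rows, one row per unique address."""
    scope_nets = [ipaddress.ip_network(n, strict=True) for n in in_scope]
    excluded_nets = [ipaddress.ip_network(n) for n in excluded]
    rows, seen = [], set()
    for line in fping_text.splitlines():
        ip_text = line.strip()
        if not ip_text or ip_text in seen:
            continue
        seen.add(ip_text)
        status, note = classify(ip_text, scope_nets, excluded_nets)
        # name and os stay empty until later phases fill them in.
        rows.append({"target_ip": ip_text, "name": "", "os": "",
                     "status": status, "note": note})
    return rows


def to_csv(rows):
    """Render the inventory in the layout of a target_inventory.csv file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def scan_targets(rows):
    """Only these addresses may be handed to the scanning phase."""
    return [r["target_ip"] for r in rows if r["status"] == "in-scope"]


if __name__ == "__main__":
    inventory = build_inventory(FPING_OUTPUT, IN_SCOPE, EXCLUDED)
    print(to_csv(inventory))
    print("Authorized targets:", scan_targets(inventory))
```

Keeping the rejected rows in the CSV, with the reason, gives the report a record of what was seen but deliberately not tested.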

Nmap

Network Mapper (Nmap) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what OS versions they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts (Lyon, 2008).

Nmap also provides a number of other features, including ping sweeps. With the Nmap Scripting Engine (NSE), Nmap can be extended to become a general-purpose vulnerability scanner as well. This topic will be covered later on in the vulnerability-scanning phase.

Ping scan

Let us now ping sweep our LAN with the -sn switch. This switch disables the port scan feature of Nmap so that a penetration tester can rapidly identify which hosts are alive, similar to fping. Nmap has multiple ways to output a scan, but for this demonstration we will use normal output.

1. The first step is to identify what IP address your Kali VM has and take note of it:

    root@kali:~# ifconfig

2. Execute a ping scan with a normal output file named sn_scan_norm:

    root@kali:~# nmap -sn -oN sn_scan_norm [network address]/24

Nmap offers the ability to scan in CIDR notation as well as single and block addresses. All output forms for Nmap can be used with other security tools and with Nmap itself. With the same scan, change the output parameter and identify what each option does! All of the options can be found by issuing the command nmap -h.

TCP port scan

The first scan we will look at is the TCP connect scan. This scan is often considered the most basic and stable of all the port scans because Nmap attempts to complete a three-way handshake on each port specified in the Nmap command. If you do not specify a port range, Nmap will scan the 1,000 most common ports. It is always recommended to specify all the ports in order to identify any ports that have been changed in an attempt to achieve security through obscurity. You can scan all the ports by specifying the -p switch (-p- selects every port). Using the -PN switch will cause Nmap to disable host discovery and force the tool to scan every system and port that might otherwise be missed (Engebretson, 2011). With that being said, a ping sweep isn't vital when conducting a test on a LAN. By default, the host discovery feature will first identify whether a host is alive and then continue to scan the ports of the host.

To run a TCP connect scan, issue the following command:
root@kali:~# nmap -sT

SYN port scan

The SYN scan is arguably the most popular Nmap port scan, and it is the default scan. It is faster than the TCP connect scan and yet remains safe, with little chance of DoS'ing or crashing a system. SYN scans are faster because they only complete the first two steps of a three-way handshake. Rather than using the -sT switch we use the -sS switch. This instructs Nmap to run a SYN scan rather than a TCP connect scan (Engebretson, 2011).

To run a SYN scan, issue the following command:
root@kali:~# nmap -sS

UDP port scan

The UDP scan is often overlooked. SYN scans are the most typical, yet UDP will allow a penetration tester to achieve a solid understanding of all the services running on the machine. Both the TCP connect scan and the SYN scan use TCP as the basis for their scanning techniques. If we want to discover services utilizing UDP we need to instruct Nmap to do so. Rather than using the -sT or -sS switch we will use the -sU switch.

To run a UDP scan, issue the following command:
root@kali:~# nmap -sU

Xmas tree scan

Xmas tree scans get their name from the fact that the FIN, PSH, and URG packet flags are set to "on"; as a result, the packet has so many flags turned on that it is often described as being "lit up like a Christmas tree" (Engebretson, 2011). The Xmas tree and Null scans work against Unix and Linux machines but not Windows. As a result, these scans are rather ineffective against Microsoft targets.

To run an Xmas tree scan, issue the following command:
root@kali:~# nmap -sX

Null scan

Null scans, like Xmas tree scans, are probes made with packets that violate traditional TCP communication. In many ways, the Null scan is the exact opposite of an Xmas tree scan because the Null scan utilizes packets that are devoid of any flags (completely empty). Target systems will respond to Null scans in the exact same way they respond to Xmas tree scans. Specifically, an open port on the target system will send no response back to Nmap, whereas a closed port will respond with an RST packet. One of the main advantages of running Xmas tree and Null scans is that in some cases you are able to bypass simple filters and Access Control Lists (ACLs). It is important to understand that neither Xmas tree nor Null scans seek to establish any type of communication channel. The whole goal of these scans is to determine whether a port is open or closed.

To run a Null scan, issue the following command:
root@kali:~# nmap -sN

Operating System Fingerprinting

The -O switch can be useful for fingerprinting the operating system. This switch is handy for determining whether the target you are attacking is a Windows, Linux, or other type of machine. Knowing the operating system of your target will save time by allowing a penetration tester to focus the selection of attacks on known weaknesses of that system. For example, there is no use in exploring exploits for a Linux machine if your target is running Windows (Engebretson, 2011).

To fingerprint an OS with Nmap, issue the following command:
root@kali:~# nmap -O
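The TCP connect, SYN, Xmas tree and Null scans described above differ mainly in the TCP flags of the probe, which is also how a monitoring sensor tells them apart. The following is an added example, not part of the course material: the function names, the 10-port threshold and the sample packets (documentation addresses 192.0.2.x) are constructed assumptions.

```python
import struct

# Classic TCP flag bits (low 6 bits of the 16-bit offset/flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed test data only)."""
    # sport, dport, seq, ack, offset(5 words)|flags, window, checksum, urgent
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (5 << 12) | flags, 1024, 0, 0)


def tcp_flags(header):
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    (off_flags,) = struct.unpack_from("!H", header, 12)
    return off_flags & 0x3F


def classify_probe(flags):
    """Map a flag combination to the scan type that produces it."""
    if flags == 0:
        return "null"              # no flags at all: never legitimate
    if flags == FIN | PSH | URG:
        return "xmas"              # FIN+PSH+URG: never legitimate
    if flags == SYN:
        return "syn"               # also the start of a normal connection
    return "other"


def summarize(packets, syn_port_threshold=10):
    """packets: iterable of (src_ip, raw_tcp_header).

    Xmas and Null probes are reported on sight. A bare SYN is normal, so
    it is reported only when one source touches many distinct ports.
    """
    odd = {}        # src -> {kind: count}
    syn_ports = {}  # src -> set of destination ports
    for src, hdr in packets:
        kind = classify_probe(tcp_flags(hdr))
        if kind in ("null", "xmas"):
            counts = odd.setdefault(src, {})
            counts[kind] = counts.get(kind, 0) + 1
        elif kind == "syn":
            (dport,) = struct.unpack_from("!H", hdr, 2)
            syn_ports.setdefault(src, set()).add(dport)
    alerts = []
    for src in sorted(set(odd) | set(syn_ports)):
        for kind, n in sorted(odd.get(src, {}).items()):
            alerts.append((src, kind + "-scan", n))
        ports = syn_ports.get(src, set())
        if len(ports) >= syn_port_threshold:
            alerts.append((src, "syn-sweep", len(ports)))
    return alerts


# Constructed traffic: one SYN sweep, one Xmas scan, one Null scan,
# and one ordinary client opening a single HTTPS connection.
SAMPLE = (
    [("192.0.2.10", make_header(40000, p, SYN)) for p in range(1, 21)]
    + [("192.0.2.11", make_header(40001, p, FIN | PSH | URG))
       for p in (22, 80, 443)]
    + [("192.0.2.12", make_header(40002, p, 0)) for p in (21, 25)]
    + [("192.0.2.20", make_header(50000, 443, SYN)),
       ("192.0.2.20", make_header(50000, 443, ACK)),
       ("192.0.2.20", make_header(50000, 443, PSH | ACK))]
)

if __name__ == "__main__":
    for alert in summarize(SAMPLE):
        print(alert)
```

A connect scan and a SYN scan both open with a bare SYN, so the sweep rule catches either; telling them apart requires following whether the handshake is completed, which this sketch does not track.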

Version scanning

The -sV switch is used for version scanning. When conducting version scanning, Nmap sends probes to the open port in an attempt to determine specific information about the service that is listening. When possible, Nmap will provide details about the service including version numbers and other banner information. This information should be recorded in your notes and inventory! This information will help identify whether any services are susceptible to an exploit. It is recommended that you use the -sV switch whenever possible, especially on unusual ports, because a wily administrator may have moved a web server to port in an attempt to obscure the service.

To retrieve the version information with Nmap, issue the following command:
root@kali:~# nmap -sV

Timing for Nmap scans

Nmap includes the option to change the speed of a port scan. This is done with the -T switch. The timing switch ranges on a numeric scale. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default, and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed (Lyon, 2008).

To issue an Nmap scan with an aggressive timing template, issue the following command:
root@kali:~# nmap -T4

OS detection, version detection, script scanning, and traceroute

Nmap includes the option to perform OS and version detection alongside script scanning and a traceroute to a machine. The -A switch is a collection of various other switches in Nmap and allows for easier execution. This option is the de facto scan to perform on any host.

To issue this delicious 4 layer burrito of an Nmap scan, issue the following command:
root@kali:~# nmap -A

Vulnerability Scanning

Now that we have a list of IPs, open ports, and services on each machine, it is time to scan the targets for vulnerabilities. A vulnerability is a weakness in the software or system configuration that can be exploited. Vulnerabilities can come in many forms, but most often they are associated with missing patches. Vendors often release patches to fix a known problem or vulnerability. Unpatched software and systems often lead to quick penetration tests because some vulnerabilities allow remote code execution. Remote code execution is definitely one of the holy grails of hacking.

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of network tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs (Lyon, 2008).

NSE has numerous goals:

- Utilize Nmap's efficient multi-threaded architecture to send arbitrary messages and receive responses in parallel to and from multiple targets.
- Create an environment so that Nmap's development community can write and release free scripts that can easily be incorporated into scans by all Nmap users.
- Support network discovery options that augment Nmap's port scanning and OS fingerprinting features, including whois lookups, DNS interrogation, etc.
- Enhance version detection functionality beyond probe and match to look more deeply into interaction with a target.
- Perform vulnerability scanning of target systems to find configuration flaws and other issues.
- Detect systems that have been infected with malware or backdoors based on their network behavior.
- Support exploitation of given flaws to gain access to a target machine or its information, not supplanting the Metasploit exploitation framework, but offering some subset of exploit functionality integrated with Nmap.

The NSE supports several different categories of tests, with each script fitting into one or more categories:

- The Safe scripts are designed to have minimal impact on a target, neither crashing it nor leaving any entries in its logs. Furthermore, these scripts should not utilize excessive bandwidth, nor should they exploit vulnerabilities.
- The Intrusive scripts may leave logs, guess passwords (which could lock out accounts), and have other impacts on the target machines.
- The Auth category contains tests associated with authentication, including some password guessing and authentication bypass tests.
- The Malware category tests for the presence of an infection or backdoor on the target. Examples in this category include checks to see whether a port used by a given malware specimen is open on the target and whether it responds as that malware would.
- The Version category of scripts attempts to determine which versions of services are present on the target. These scripts can be more complex than the normal version checking of Nmap.
- The Discovery category of scripts determines more information about the network environment associated with the target, and includes some whois and DNS lookups, among other functions.
- The Vuln category includes scripts that determine whether a given target has a given security flaw, such as a misconfiguration or an unpatched service.
- The External category includes scripts that may send information to a third-party database or other system on the Internet to pull additional data.
- The Default category includes scripts that are run when Nmap is invoked with just the -sC or -A switch and no specific script category or individual script specified.

The scripts associated with NSE are found in their own directory called scripts, which is located by default in the Nmap data directory. Inside this directory there is a file called script.db, which inventories the several dozen scripts in the directory.

We can easily search for Safe scripts by issuing the following command:
root@kali:~# grep safe /usr/share/nmap/scripts/script.db

Vulnerability scripts can be found with:
root@kali:~# grep vuln /usr/share/nmap/scripts/script.db

Each category contains a lot of scripts and it is very daunting to search for a particular one. Therefore we will utilize the NSEDoc, which is a web page containing a description for each script. The webpage may be found here:

For this demonstration let's look through the vuln library and find an arbitrary script to scan the Metasploitable2 server. Navigate to the ftp-vsftpd-backdoor script and read through the summary to get an idea of what the script does. Let's launch the script by issuing the following command:
root@kali:~# nmap --script=ftp-vsftpd-backdoor -p

PORT STATE SERVICE
21/tcp open ftp
ftp-vsftpd-backdoor:
VULNERABLE:
vsftpd version backdoor
State: VULNERABLE (Exploitable)
IDs: CVE:CVE OSVDB:73573
Description: vsftpd version backdoor, this was reported on
Disclosure date:
Exploit results:
The backdoor was already triggered
Shell command: id
Results: uid=0(root) gid=0(root) groups=0(root)
References:
_

Now, using the version detection scan, scan the host and note which services are running on Metasploitable2. Then, using the NSE vuln scripts, try to identify whether each service is vulnerable.

For rapid vulnerability scanning we can use the -sC switch. This sets the script selection to the NSE default, thus launching an automated scan.
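The grep commands above match any line of script.db containing the word, including file names, and cannot combine categories. The following added example (not part of the course material) parses the entries instead, so that scripts can be selected as "Vuln and Safe, but not Intrusive" before anything touches a target. The helper names and the sample entries, written in the script.db entry format, are constructed assumptions.

```python
import re
from pathlib import Path

# One script.db entry looks like:
# Entry { filename = "name.nse", categories = { "safe", "vuln", } }
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,'
    r'\s*categories\s*=\s*\{([^}]*)\}'
)

# Constructed sample; the demo-* scripts are hypothetical.
SAMPLE_DB = '''\
Entry { filename = "demo-banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "demo-unsafe-write.nse", categories = { "intrusive", } }
Entry { filename = "demo-vuln-check.nse", categories = { "safe", "vuln", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
'''


def parse_script_db(text):
    """Return {script filename: set of category names}."""
    scripts = {}
    for match in ENTRY_RE.finditer(text):
        scripts[match.group(1)] = set(re.findall(r'"([^"]+)"', match.group(2)))
    return scripts


def select(scripts, require=(), exclude=()):
    """Scripts that carry every required category and no excluded one."""
    require, exclude = set(require), set(exclude)
    return sorted(
        name for name, cats in scripts.items()
        if require <= cats and not (cats & exclude)
    )


def grep_like(text, word):
    """What a plain `grep word script.db` would return (file names only)."""
    hits = []
    for line in text.splitlines():
        if word in line:
            found = re.search(r'filename\s*=\s*"([^"]+)"', line)
            if found:
                hits.append(found.group(1))
    return hits


if __name__ == "__main__":
    db_path = Path("/usr/share/nmap/scripts/script.db")
    text = db_path.read_text() if db_path.exists() else SAMPLE_DB
    scripts = parse_script_db(text)
    low_impact = select(scripts, require={"vuln", "safe"},
                        exclude={"intrusive", "exploit", "dos"})
    print("vuln + safe, not intrusive:", low_impact)
```

On the constructed sample, `grep safe` also returns demo-unsafe-write.nse because the word appears in its file name, while the category match does not.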

Nessus

Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment. Nessus allows scans for the following types of vulnerabilities:

- Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.)
- Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (online password brute forcer) to launch a dictionary attack.
- Denial of Service against the TCP/IP stack by using mangled packets.
- Preparation for PCI DSS audits.

Installation

1. Download the installer from:
   a. Debian 6.0 (32 bits); our VM of Kali is 32 bit
   b. Save it to any directory
   c. Register for a key on the Nessus website by submitting your e-mail address. The Nessus crew will e-mail you a unique product key that can be used to register the product. Tenable Nessus Home allows you to scan your personal home network (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy. Please note that Nessus Home does not provide access to support, allow you to perform compliance checks or content audits, or allow you to use the Nessus virtual appliance.
   d. Register here:
2. With dpkg, install Nessus. dpkg is a tool to install, build, remove and manage Debian packages.
3. Start nessusd by typing /etc/init.d/nessusd start.
4. Navigate to
5. Nessus will guide you through a series of web pages where you will create an administrator user, enter the activation key, and update the plugins. This process will take a while, so go ahead and make yourself a pot of coffee or get something to eat!
6. Once Nessus has been initialized, log in with the credentials that you set.
7. Because Nessus is running on a VM that is connected to a network located in your host OS, you can access it from your host's web browser! Just identify the IP address of your VM and navigate to it:
8. In order to scan a host a policy must be created. Without a policy a scan cannot be saved.
   a. Click on the New Scan button, which is located in the upper left corner.
   b. A window will appear asking about the policies; click on the Continue button.
   c. The Policies page will now appear. Click on the New Policy button, which is located in the upper left corner.
   d. The Policy Wizard will now appear. There are many options available, each with a description. The options are:
      i. Host Discovery
      ii. Basic Network Scan
      iii. Credentialed Patch Audit
      iv. Web Application Tests
      v. Windows Malware Scan
      vi. Mobile Device Scan
      vii. Prepare for PCI DSS Audits
      viii. Advanced Policy
   e. Select Basic Network Scan. Set the following values:
      i. Step One
         1. Policy Name: Basic Network Scan
         2. Visibility: private
         3. Description: A full system scan suitable for any host
      ii. Step Two
         1. Scan type: Internal
      iii. Step Three is optional, so skip this one by clicking Save. However, if credentials are provided for a system, submit them here. This will help detect missing patches and client-side vulnerabilities. For the Authentication method you can choose either Windows or SSH.
      iv. Our Basic Network Scan policy is now available for use!

Scanning

1. Navigate to the Scans page and click on the New Scan button.
2. You will be presented with a page that has parameters for a scan. Enter the following:
   a. Name: Metasploitable2 Host Scan
   b. Policy: Basic Network Scan
   c. Folder: my scans
   d. Target: The IP address of Metasploitable (e.g )
   e. Click Launch!
3. Nessus will now scan the host.
4. Once the scan is finished, click on the scan, which should now say Completed. A page will appear with a bar that has color-coded sections. Each color represents the severity of a vulnerability.
   Red = Critical
   Orange = High
   Yellow = Medium
   Green = Low
   Blue = Information
5. Nessus will report that Metasploitable2 has 106 vulnerabilities! The report will provide a detailed listing of all the vulnerabilities that Nessus discovered. We are interested in the vulnerabilities that are labeled as Critical and High. You should take some time to closely review the report and make detailed notes about the system. We will use these results in the next phase to gain access to the system.
6. Because reporting is essential to the penetration testing process, Nessus allows a scan to be exported in Nessus, PDF, HTML, CSV, and Nessus DB format. For final reporting it is recommended to use PDF so that it can be easily printed. For the remainder of the penetration process it is recommended to use the CSV format so that host information and vulnerabilities may be easily parsed.
   a. Click the Export drop down button and select PDF.
   b. In the Available Content field, drag all three to the Report Content field and click Export.
   c. Nessus will now prepare the content. Keep the content and open it for viewing.

For each finding, the Nessus report provides a description, a solution, and the plugin output. All of this information is critical to a penetration test, especially the solution, because it will be the bulk of the debriefing when the test concludes.
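To show why the CSV export is the format to parse, here is an added example (not part of the course material) that reduces an export to the Critical and High findings per host and keeps each Solution for the debriefing. It assumes the export has the columns Plugin ID, CVE, Risk, Host, Protocol, Port, Name and Solution, and that a plugin with several CVEs appears on several rows. The sample rows, plugin IDs and CVE placeholders are constructed.

```python
import csv
import io

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

# Constructed export. The third finding has a line break and a comma inside
# a quoted field, which is why a real CSV parser is used, not split(",").
SAMPLE_CSV = '''"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name","Synopsis","Description","Solution"
"900001","CVE-0000-0001","10.0","Critical","192.0.2.50","tcp","21","Constructed FTP finding","Synopsis A","Description A","Upgrade the FTP service"
"900001","CVE-0000-0002","10.0","Critical","192.0.2.50","tcp","21","Constructed FTP finding","Synopsis A","Description A","Upgrade the FTP service"
"900002","","7.5","High","192.0.2.50","tcp","22","Constructed SSH finding","Synopsis B","Line one
line two, with a comma","Regenerate the host keys"
"900003","","5.0","Medium","192.0.2.50","tcp","80","Constructed web finding","Synopsis C","Description C","Disable the method"
"900004","","","None","192.0.2.50","tcp","0","Constructed info item","Synopsis D","Description D","n/a"
"900005","","9.3","High","192.0.2.51","tcp","445","Constructed SMB finding","Synopsis E","Description E","Apply the vendor patch"
'''


def triage(csv_text, keep=("Critical", "High")):
    """Return {host: [finding, ...]} for the kept severities.

    Rows that repeat the same plugin on the same host and port are merged
    into one finding whose 'cves' list collects every CVE seen.
    """
    merged = {}  # (host, plugin, protocol, port) -> finding
    for row in csv.DictReader(io.StringIO(csv_text)):
        risk = (row.get("Risk") or "").strip()
        if risk not in keep:
            continue
        key = (row["Host"], row["Plugin ID"], row["Protocol"], row["Port"])
        finding = merged.setdefault(key, {
            "plugin_id": row["Plugin ID"],
            "risk": risk,
            "port": row["Port"],
            "protocol": row["Protocol"],
            "name": row["Name"],
            "solution": row["Solution"],
            "cves": [],
        })
        cve = (row.get("CVE") or "").strip()
        if cve and cve not in finding["cves"]:
            finding["cves"].append(cve)

    by_host = {}
    for (host, _plugin, _proto, _port), finding in merged.items():
        by_host.setdefault(host, []).append(finding)
    for findings in by_host.values():
        # Most severe first, then by port number for a stable report order.
        findings.sort(key=lambda f: (
            SEVERITY_ORDER[f["risk"]],
            int(f["port"]) if f["port"].isdigit() else 0,
        ))
    return by_host


if __name__ == "__main__":
    for host, findings in sorted(triage(SAMPLE_CSV).items()):
        print(host)
        for f in findings:
            print("  [%s] %s/%s %s -> %s" % (
                f["risk"], f["port"], f["protocol"], f["name"], f["solution"]))
```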

Web Vulnerability Scanning

Nessus

When we originally set up Nessus we had to create a new policy to scan a host. One of the options was Web Application Tests; this type of policy scans for published and unknown web vulnerabilities. With that in mind, it is safe to say that Nessus could possibly be used for the entire scanning phase of a penetration test; however, do not use Nessus as a crutch. Rely on the basics that this course has covered so that you have a solid knowledge foundation when it comes to penetration testing. Let us now create a web application policy and scan a target.

Setting up Web Vulnerability Scan Policy

1. Navigate to the Policies page. Click on the New Policy button, which is located in the upper left corner.
2. The Policy Wizard will now appear. Select Web Application Tests.
3. Enter the following values:
   a. Policy Name: Metasploitable2 Mutillidae
   b. Visibility: private
   c. Description: Scans for published and unknown web vulnerabilities
   d. Click Next
4. For this demonstration set the scan type to Less complex. In an actual penetration test it is recommended to set the scan type to More in depth.
5. For the Web mirroring start page(s), enter the location of the web application that you wish to test. Nessus will detect several different web applications and enumerate common directories on the web server. However, it cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of applications that will be tested (Asadoorian, 2009). For this demonstration set Web mirroring start page(s) to /mutillidae/
6. Step 3 is optional; click Save. We will expand more on these options during the web exploitation phase.


More information

Penetration Testing. Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014

Penetration Testing. Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014 Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014 Part one: the concept of penetration testing 2 What is a penetration test?(informal) Port scanning Vulnerability Scanning

More information

Nipper Studio Beginner s Guide

Nipper Studio Beginner s Guide Nipper Studio Beginner s Guide Multiple Award Winning Security Software Version 2.1 Published March 2015 Titania Limited 2014. All Rights Reserved This document is intended to provide advice and assistance

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

Using Nessus In Web Application Vulnerability Assessments

Using Nessus In Web Application Vulnerability Assessments Using Nessus In Web Application Vulnerability Assessments Paul Asadoorian Product Evangelist Tenable Network Security pasadoorian@tenablesecurity.com About Tenable Nessus vulnerability scanner, ProfessionalFeed

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

with the ArchiveSync Add-On Evaluator s Guide 2015 Software Pursuits, Inc.

with the ArchiveSync Add-On Evaluator s Guide 2015 Software Pursuits, Inc. with the ArchiveSync Add-On Evaluator s Guide 2015 Table of Contents Introduction... 2 System Requirements... 2 Contact Information... 3 Required Add-Ons for ArchiveSync in Real-Time... 3 Communications

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

Penetration Testing LAB Setup Guide

Penetration Testing LAB Setup Guide Penetration Testing LAB Setup Guide (External Attacker - Intermediate) By: magikh0e - magikh0e@ihtb.org Last Edit: July 06 2012 This guide assumes a few things... 1. You have read the basic guide of this

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may

More information

040020305-Penetration Testing 2014

040020305-Penetration Testing 2014 Comprehensive Questions/Practical Based :- 040020305-Penetration Testing 2014 1. Demonstrate the installation of BackTrack using Live DVD. Also list all the steps. 2. Demonstrate the installation of BackTrack

More information

Course Duration: 80Hrs. Course Fee: INR 7000 + 1999 (Certification Lab Exam Cost 2 Attempts)

Course Duration: 80Hrs. Course Fee: INR 7000 + 1999 (Certification Lab Exam Cost 2 Attempts) Course Duration: 80Hrs. Course Fee: INR 7000 + 1999 (Certification Lab Exam Cost 2 Attempts) Course Module: 1. Introduction to Ethical Hacking 2. Footprinting a. SAM Spade b. Nslookup c. Nmap d. Traceroute

More information

Pro Bundle Evaluator s Guide. 2015 Software Pursuits, Inc.

Pro Bundle Evaluator s Guide. 2015 Software Pursuits, Inc. Pro Bundle Evaluator s Guide 2015 Table of Contents Introduction... 2 System Requirements... 2 Contact Information... 3 About the Communications Agent Add-On... 3 Other SureSync Add-Ons... 4 File Locking

More information

Freshservice Discovery Probe User Guide

Freshservice Discovery Probe User Guide Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements

More information

IDS and Penetration Testing Lab ISA 674

IDS and Penetration Testing Lab ISA 674 IDS and Penetration Testing Lab ISA 674 Ethics Statement Network Security Student Certification and Agreement I,, hereby certify that I read the following: University Policy Number 1301: Responsible Use

More information

The Nexpose Expert System

The Nexpose Expert System Technical Paper The Nexpose Expert System Using an Expert System for Deeper Vulnerability Scanning Executive Summary This paper explains how Rapid7 Nexpose uses an expert system to achieve better results

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Quick Start Guide for Parallels Virtuozzo

Quick Start Guide for Parallels Virtuozzo PROPALMS VDI Version 2.1 Quick Start Guide for Parallels Virtuozzo Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current

More information

D-Link Central WiFiManager Configuration Guide

D-Link Central WiFiManager Configuration Guide Table of Contents D-Link Central WiFiManager Configuration Guide Introduction... 3 System Requirements... 3 Access Point Requirement... 3 Latest CWM Modules... 3 Scenario 1 - Basic Setup... 4 1.1. Install

More information

How To Set Up Egnyte For Netapp Sync For Netapp

How To Set Up Egnyte For Netapp Sync For Netapp Egnyte Storage Sync For NetApp Installation Guide Introduction... 2 Architecture... 2 Key Features... 3 Access Files From Anywhere With Any Device... 3 Easily Share Files Between Offices and Business Partners...

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

7.x Upgrade Instructions. 2015 Software Pursuits, Inc.

7.x Upgrade Instructions. 2015 Software Pursuits, Inc. 7.x Upgrade Instructions 2015 Table of Contents INTRODUCTION...2 SYSTEM REQUIREMENTS FOR SURESYNC 7...2 CONSIDERATIONS BEFORE UPGRADING...3 TERMINOLOGY CHANGES... 4 Relation Renamed to Job... 4 SPIAgent

More information

Client logo placeholder XXX REPORT. Page 1 of 37

Client logo placeholder XXX REPORT. Page 1 of 37 Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company

More information

Charter Business Desktop Security Administrator's Guide

Charter Business Desktop Security Administrator's Guide Charter Business Desktop Security Administrator's Guide Table of Contents Chapter 1: Introduction... 4 Chapter 2: Getting Started... 5 Creating a new user... 6 Recovering and changing your password...

More information

Blended Security Assessments

Blended Security Assessments Blended Security Assessments Combining Active, Passive and Host Assessment Techniques October 12, 2009 (Revision 9) Renaud Deraison Director of Research Ron Gula Chief Technology Officer Table of Contents

More information

Lab 10: Security Testing Linux Server

Lab 10: Security Testing Linux Server Lab 10: Security Testing Linux Server 10.1 Details Aim: Security Assessment and Penetration of a Linux Web Server, using the BackTrack5 Linux Security distribution and some of its security assessment tools.

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Penetration Testing Workshop

Penetration Testing Workshop Penetration Testing Workshop Who are we? Carter Poe Nathan Ritchey Mahdi Shapouri Fred Araujo Outline Ethical hacking What is penetration testing? Planning Reconnaissance Footprinting Network Endpoint

More information

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort License Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons

More information

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic

More information

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide USM 5.2 Vulnerability Assessment Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

Rally Installation Guide

Rally Installation Guide Rally Installation Guide Rally On-Premises release 2015.1 rallysupport@rallydev.com www.rallydev.com Version 2015.1 Table of Contents Overview... 3 Server requirements... 3 Browser requirements... 3 Access

More information

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:

More information

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Network Detective 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Contents Overview... 3 Components of the Inspector... 3 Inspector Appliance... 3 Inspector Diagnostic Tool... 3 Network

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

Network Probe User Guide

Network Probe User Guide Network Probe User Guide Network Probe User Guide Table of Contents 1. Introduction...1 2. Installation...2 Windows installation...2 Linux installation...3 Mac installation...4 License key...5 Deployment...5

More information

How-to: DNS Enumeration

How-to: DNS Enumeration 25-04-2010 Author: Mohd Izhar Ali Email: johncrackernet@yahoo.com Website: http://johncrackernet.blogspot.com Table of Contents How-to: DNS Enumeration 1: Introduction... 3 2: DNS Enumeration... 4 3: How-to-DNS

More information

An Introduction to Network Vulnerability Testing

An Introduction to Network Vulnerability Testing CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Part I - Gathering WHOIS Information

Part I - Gathering WHOIS Information Part I - Gathering WHOIS Information Exercise 1: command-line WHOIS queries: in the following exercise you will use a Linux system to perform WHOIS lookups from a command-line. This requires outbound TCP

More information

Ethical Hacking Course Layout

Ethical Hacking Course Layout Ethical Hacking Course Layout Introduction to Ethical Hacking o What is Information Security? o Problems faced by the Corporate World o Why Corporate needs Information Security? Who is a Hacker? o Type

More information

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure Introduction Tenable Network Security is the first and only solution to offer security visibility, Azure cloud environment auditing, system

More information

Cyber Essentials. Test Specification

Cyber Essentials. Test Specification Cyber Essentials Test Specification Contents Scope of the Audit...2 Assumptions...3 Success Criteria...3 External systems...4 Required tests...4 Test Details...4 Internal systems...7 Tester pre-requisites...8

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

Imaging Computing Server User Guide

Imaging Computing Server User Guide Imaging Computing Server User Guide PerkinElmer, Viscount Centre II, University of Warwick Science Park, Millburn Hill Road, Coventry, CV4 7HS T +44 (0) 24 7669 2229 F +44 (0) 24 7669 0091 E cellularimaging@perkinelmer.com

More information

SysPatrol - Server Security Monitor

SysPatrol - Server Security Monitor SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or

More information

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip Load testing with WAPT: Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. A brief insight is provided

More information

enicq 5 System Administrator s Guide

enicq 5 System Administrator s Guide Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide

More information

Malicious Network Traffic Analysis

Malicious Network Traffic Analysis Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the

More information

1. LAB SNIFFING LAB ID: 10

1. LAB SNIFFING LAB ID: 10 H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB

More information

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS 1 LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS Te-Shun Chou and Tijjani Mohammed Department of Technology Systems East Carolina University chout@ecu.edu Abstract

More information

Discovery Guide. Secret Server. Table of Contents

Discovery Guide. Secret Server. Table of Contents Secret Server Discovery Guide Table of Contents Introduction... 3 How Discovery Works... 3 Active Directory / Local Windows Accounts... 3 Unix accounts... 3 VMware ESX accounts... 3 Why use Discovery?...

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information