NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

Transcription

1 1 NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

2 2 Item I. (What were you asked to do?) Complete Metasploit: Quick Test on page of the Penetration Testing book. Complete Telnet: Banner Grabbing of multiple websites Complete NMap: Primer Item II. (What did you do?) Metasploit MSF Console Using MSF console I was able to gain remote access to the windows system using the console interface. The msfconsole used known vulnerabilities in the un- patched Windows XP system to gain access to the command line interface on the remote system. According to the textbook the patch that is missing is MS The vulnerability exists in the netapi32.dll file, the attacker is able to gain access using the vulnerability through the Server Message Block service. This is the same vulnerability that was used in the Conficker worm. Below are the steps in order that were taken to use this vulnerability.

3 3

4 4

5 5

6 6 MSFCLI I found the CLI to be much easier as you can set all the options and do the same thing as the console with one line of instruction. Below is the screenshot with how I did it.

7 7 msfvenom I found msfvenom to the most interesting of the exercises because it showed how many real world attacks are carried out. Many common attacks are carried out by creating a malicious file and convincing someone to intentionally or unintentionally execute therefore allowing access to the system. This is exactly what we did in the msfvenom portion of the lab. Below are the screenshots.

8 8

9 9 Auxiliary The auxiliary programs are the programs that are added as a part of metasploit and aid when carrying out attacks. Below is the execution and use of the pipe auditor. Below shows how it was carried out.

10 10 Additional Questions They way you are able to see the meterpreter session from the Kali VM on the Windows VM is through netstat. When the session is open or closed you will see it in the netstat window. See the below screenshot. Telnet As requested I completed a telnet banner grab on both the computer science network at SUNY IT and also other websites. These are the steps that I followed: 1. Log into fang via terminal.

11 11 2. Typed the following command: telnet <target web address> <port number> Below are the screenshots of the servers that I completed the telnet assignment on: As can be interpreted by the screenshots when I tried the Telnet banner grab on SUNY IT s servers I was able to find out that they are running HTTP 1.1, their server is running Oracle Apache 2.2.3, as well as more information, which can be seen below. On the SUNY IT server there is vulnerability in the version of Apache that they are running. (V2.2.3) One vulnerability is CVE , which relates to the ability to do cross- site scripting. This vulnerability would allow attackers to place web script or HTML into the server using a crafted string. I tried doing the banner grab at Apple s website and was not able to grab nearly as much information as the SUNY IT website. Interestingly when I looked up Apple s server information I was able to figure out they are running an Akamai server. I tried doing the banner grab at Yahoo s website and was not able to grab nearly as much information as the SUNY IT website. On the Yahoo server I was able to figure out that they are running an Apache server.

12 12

13 13 NMap Nmap is a very useful tool that is used to evaluate a network and discover useful information about the network and the hosts on the network. With Nmap you are able to scan a host to find out what ports are open on the host. You are also able to run it and have it check UDP as well as TCP. This can also be useful to see what hosts are up and powered on, because if the ports are open the NIC is active and therefore the system is up. Below shows a basic nmap scan on the Windows XP VM. Below shows a basic nmap scan on the Metasploitable VM.

14 14 Below is a scan of an IP range. Below is a UDP scan of a range of IPs using nmap su

15 15 Below is a scan to discover is a host is up using the nmap sp on an entire subnet Below shows the use of Zenmap using the GUI. The GUI appears to just take your input and create the command line instruction and then execute it. It also shows you what the command syntax should be as well.

16 16 Additional Questions After doing the nmap lab I would prefer to use cli due its simplicity. The book used for nmap does a very good job at explaining the commands and where they are used. I believe that when I was stuck on a command I might use Zenmap to aid in the command syntax if I got stuck and couldn t figure it out. ITEM III. (Difficulties) At the beginning of the lab I was having difficulties trying to get the msfconsole to work. Since the new virtual machines were rolled out I did not have many difficulties. The obstacle that was faced is that when running the msfvenom console and creating the exe file I was receiving information that was unexpected therefore I thought it was an error. It turned out it was just a warning not an error and it was working as expected. See below where I received the unexpected information. Item IV. (What did you learn?) This lab was very interesting and was also eye opening, many times we believe cyber attacks only happen to people that fall to social engineering. After doing this lab it became evident that this is not the case and it can be very easy to carry out an attack on an unsuspecting victim. Prior to this lab I did not have any experience with the metasploit framework at all. This lab was also very useful and helpful at learning how to use metasploit. Prior to this lab I also had very minimal experience with telnet and nmap. I gained a lot of very valuable information about how to use both of these tools.