IDS and Penetration Testing Lab II

Software Requirements:

1. A secure shell (SSH) client. For Windows you can download a free version from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.62-installer.exe
   Mac/Linux distributions come with ssh; you just have to open a console to invoke the program.
2. The BackTrack Linux Penetration Testing Distribution, http://www.backtrack-linux.org/downloads/ (PROVIDED, no need to download unless you want to run it locally).
3. Metasploitable 2 vulnerable platform (http://sourceforge.net/projects/metasploitable/files/metasploitable2/) (PROVIDED, no need to download unless you want to run it locally).
4. Windows users: please install Xming X Server for X-Windows support (free).
5. Mac users: install X11 XQuartz.
6. Linux users just need to start X-Windows.

Lab Exercise Steps:

A. Connect to BackTrack Linux on DSLSRV.GMU.EDU, port 10022 (or 11022), as root using ssh and the password isa674. (with the dot):
   - For Mac/Linux, type:
     ssh root@dslsrv.gmu.edu -p 11022
     or
     ssh root@dslsrv.gmu.edu -p 10022
     You should get:
     root@dslsrv.gmu.edu's password:
     Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
     root@bt:~#
   - For Windows, enter dslsrv.gmu.edu for Host Name and 10022 or 11022 (second server) for Port, and click Open. You should get:
     login as: root
     password: isa674. (with the dot)

Now we are all logged in to an ssh terminal and we can continue with the Lab. Your Metasploitable machines are directly connected to your BackTrack on IP addresses 10.1.1.2 and 10.1.1.3.

Target Reconnaissance

The first step of any penetration testing approach is the reconnaissance part. All of you used nmap in the past to:
- Detect the machines with open ports available in a subnet
- Identify the open ports and potentially more information about the services and the machine running the services

Questions:
1. How do we identify which subnets are available to us on a host? Which command will provide that to us? Can we find that command using the man -k keyword search?
2. What is the NMAP syntax that we will use to scan a subnet?
3. What is the NMAP syntax to find the operating system of the machines in the subnet?
4. Can NMAP identify vulnerable services and point us to the exploits?

Although nmap is a very useful tool, it is limited in what it can do for us. An alternative tool, with a graphical user interface and a more detailed analysis of the potential vulnerabilities of each service on a target host, is NESSUS (http://www.tenable.com/products/nessus). In this lab, we will be using NESSUS to scan the vulnerable machines and identify exploits that can be used to attack those machines. NESSUS is yet another tool in our penetration testing arsenal and a complement to Metasploit, which we used in the last Lab.

Reconnaissance with NMAP

B. Start your X-Windows client
   a. Mac users: start XQuartz
   b. Windows users: start Xming X Server
C. Start the SSH connection to the BackTrack server as per step A, but with a modification:
   a. Mac: use ssh. Connect to the BackTrack servers as per step (A) but with a slight change for Mac and Linux:
      ssh -Y root@dslsrv.gmu.edu -p 11022
   b. Windows: start PuTTY and enable X11 forwarding in the PuTTY program before you try to connect (see Figure on next page).
The -Y flag instructs the remote server to forward any graphical windows to your local X-Windows so you can view GUIs. You should be at a prompt like this:
root@bt:~#
To test whether you have the GUI activated, type xterm at the prompt; you should get an xterm window (the window might be flashing in your command bar and you have to click it to bring it up).
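Questions 1 to 3 in the reconnaissance section above are about finding which subnets the BackTrack host sits on and reading what nmap reports for the hosts on them. The following Python script is an added example for this handout; it is not part of the lab, of nmap or of BackTrack. It derives the local networks from the output of "ip -o -4 addr show" and turns nmap's grepable output (the format written by -oG) into a per-host inventory of open services and OS guesses, which is the form you will later want to compare against what NESSUS reports. Both inputs are constructed samples embedded in the script (made-up interfaces, hosts and banners), so it runs without scanning anything.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output (one interface per line);
# the interfaces and addresses are made up for this example.
IP_ADDR_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1    inet 192.168.56.10/24 brd 192.168.56.255 scope global eth1
"""

# Constructed sample in nmap's grepable format (what `nmap -oG` writes):
# tab-separated "Key: value" fields, each port written as
# port/state/proto/owner/service/rpcinfo/version/.
# Hosts, banners and OS guesses are made up, not results from the lab machines.
NMAP_GREPABLE_SAMPLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.1.1.2 ()\tStatus: Up
Host: 10.1.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.8/, 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu7/, 3306/open/tcp//mysql//MySQL 5.1.41/\tIgnored State: closed (997)\tOS: Linux 2.6.9 - 2.6.33
Host: 10.1.1.3 ()\tStatus: Up
Host: 10.1.1.3 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.14/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)\tOS: Linux 2.6.X
Host: 10.1.1.4 ()\tStatus: Down
# Nmap done (constructed sample)
"""


def subnets_from_ip_addr(output):
    """Map each non-loopback interface to the network (CIDR) its address belongs to."""
    nets = {}
    for line in output.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)", line)
        if not m:
            continue
        iface, cidr = m.groups()
        # ip_interface keeps the host address; .network gives the subnet to scan
        net = ipaddress.ip_interface(cidr).network
        if net.is_loopback:
            continue
        nets[iface] = str(net)
    return nets


def parse_nmap_grepable(text):
    """Return {address: {"status", "os", "ports": [(port, state, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        addr = fields["Host"].split()[0]  # drop the "(hostname)" part
        entry = hosts.setdefault(addr, {"status": None, "os": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            parts = item.split("/")
            entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_service_inventory(hosts):
    """Flatten to (address, port, service, version) rows for open TCP ports on hosts that are up."""
    rows = []
    for addr, entry in hosts.items():
        if entry["status"] != "Up":
            continue
        for port, state, proto, service, version in entry["ports"]:
            if state == "open" and proto == "tcp":
                rows.append((addr, port, service, version))
    # sort by numeric address, then port, so the inventory is stable between scans
    return sorted(rows, key=lambda r: (ipaddress.ip_address(r[0]), r[1]))


if __name__ == "__main__":
    for iface, net in subnets_from_ip_addr(IP_ADDR_SAMPLE).items():
        print(f"{iface}: {net}")
    for addr, port, service, version in open_service_inventory(parse_nmap_grepable(NMAP_GREPABLE_SAMPLE)):
        print(f"{addr}:{port} {service} {version}")
```

Keeping the inventory as data rather than reading the nmap screen output is what lets you diff two scans of the same subnet and spot a service that appeared or disappeared.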
D. Now we are ready to start with NESSUS, which is browser driven.
For your convenience, I have already installed NESSUS on the BackTrack, so you do not have to perform any steps other than executing the program. In general, though, you will need to install NESSUS on a BackTrack installation using the following steps: http://www.fuzzysecurity.com/tutorials/8.html
At the command prompt root@bt:~#, type:
firefox -ProfileManager
This should bring up the Firefox browser window. Depending on your Internet or network connection this might take a few seconds. In the end, you should see the profile manager window. Create your own profile by clicking Next, fill out your name, click Next, and then Start Firefox with your profile (see Figure on next page).
Next time you can use your profile instead of creating one.

E. Start Nessus
Type https://localhost:8834 in the browser address bar and press Return. In the NESSUS Login window, type root for Username and msec641.
Click Login to enter and OK on the next screen. Click on Scans and then Add. You need to fill in the form with a name (your own); the type is Run Now, the policy is Internal Network Scan, and for Scan Targets you enter the IP addresses of the hosts to scan (like in nmap). After you complete the form, press Launch Scan at the bottom right of the screen. The next step is to browse the report (it takes 4-5 minutes to complete the scan). To browse the existing reports, click on Reports -> Browse (on top). You should get a screen similar to the one on the next page.
By selecting one of the two and clicking on Browse (or double-clicking), you get the report view (see Figure). By clicking further you get the detailed view (see Figure).
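Browsing the report in the browser is fine for two hosts, but NESSUS can also export a scan as a .nessus file (XML, the NessusClientData_v2 layout), and the "4 High and 4 Medium threats" selection later in this lab is easier to do, and to document, from that file. The following Python script is an added example for this handout; it is not part of the lab or of NESSUS. It parses the report, counts findings per host by severity, and orders each severity level so that findings with a CVE reference come first, which is how a defender would prioritise remediation too. The report it parses is a constructed fragment: the plugin names, plugin IDs and CVE numbers are placeholders, not real findings from the lab machines. The severity numbering (0 Info up to 4 Critical) is the one NESSUS uses in the severity attribute.

```python
import xml.etree.ElementTree as ET

# Numbering used in the ReportItem severity attribute of .nessus (v2) files.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed .nessus (v2) report fragment. Plugin names, plugin IDs and CVE
# numbers are PLACEHOLDER values, not real findings from the lab machines.
NESSUS_SAMPLE = """\
<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="lab-scan">
<ReportHost name="10.1.1.2">
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="3" pluginID="100001" pluginName="PLACEHOLDER high finding (ftp)">
<risk_factor>High</risk_factor>
<cve>CVE-0000-0001</cve>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="100002" pluginName="PLACEHOLDER medium finding (ssh)">
<risk_factor>Medium</risk_factor>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="100003" pluginName="PLACEHOLDER info finding (ssh)">
<risk_factor>None</risk_factor>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100004" pluginName="PLACEHOLDER critical finding (smb)">
<risk_factor>Critical</risk_factor>
<cve>CVE-0000-0002</cve>
<cve>CVE-0000-0003</cve>
</ReportItem>
</ReportHost>
<ReportHost name="10.1.1.3">
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="100005" pluginName="PLACEHOLDER high finding (http)">
<risk_factor>High</risk_factor>
</ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="1" pluginID="100006" pluginName="PLACEHOLDER low finding (http)">
<risk_factor>Low</risk_factor>
</ReportItem>
<ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="2" pluginID="100007" pluginName="PLACEHOLDER medium finding (mysql)">
<risk_factor>Medium</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus_report(xml_text):
    """Flatten every ReportItem of every ReportHost into a list of finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin": item.get("pluginName"),
                # a finding may carry zero, one or several <cve> children
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings


def summarize_by_host(findings):
    """Count findings per host and severity label, e.g. {"10.1.1.2": {"High": 1, ...}}."""
    summary = {}
    for f in findings:
        counts = summary.setdefault(f["host"], {label: 0 for label in SEVERITY_LABELS.values()})
        counts[SEVERITY_LABELS[f["severity"]]] += 1
    return summary


def triage(findings, severity, limit):
    """Pick up to `limit` findings of one severity, CVE-referenced ones first, then by host and port."""
    chosen = [f for f in findings if f["severity"] == severity]
    chosen.sort(key=lambda f: (not f["cves"], f["host"], f["port"]))
    return chosen[:limit]


if __name__ == "__main__":
    findings = parse_nessus_report(NESSUS_SAMPLE)
    for host, counts in summarize_by_host(findings).items():
        print(host, counts)
    for label, level in (("High", 3), ("Medium", 2)):
        print(f"--- {label} ---")
        for f in triage(findings, level, 4):
            print(f'{f["host"]}:{f["port"]}/{f["protocol"]} {f["plugin"]} {",".join(f["cves"]) or "no CVE"}')
```

The CVE list is what you would carry over to an exploit database search or, on the defending side, to the vendor's advisory; a finding without any CVE is usually a configuration issue rather than a known software flaw, which is why the ordering above puts it last.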
Using this information and either Metasploit (msfconsole or Armitage, which we will cover in class), you can attack the two machines. Another option is to use http://www.exploit-db.com/ (see next page).
Use the SEARCH option and enter the CVE or OSVDB identifier to get the matching entries (see Figure). By double-clicking on the link, you get the exploit (see Figure).
The above is the exploit, in Python. Follow their recommended steps to exploit the vulnerability. Were you successful?

Further Questions:
Select 4 High and 4 Medium threats and test to see if you can break into the machines. Note that not all exploits are exploitable! Describe what you did even if it was not successful. Include screenshots of your efforts.

Extra Credit
- Install your own BackTrack 5 R2 (you can get it from here: http://www.backtrack-linux.org/downloads/)
- Install NESSUS using the Home Feed (free): http://www.fuzzysecurity.com/tutorials/8.html
- Provide scans for dslsrv.gmu.edu and the GMU mail server mh-x.gmu.edu
- Provide scans for www.gmu.edu and another server of your choice
- If you cannot install your own NESSUS, use the one provided to perform the same scans

Interesting video with some instructions, but more advanced: http://www.youtube.com/watch?v=gw5xioitelw&feature=player_embedded

We will discuss and dive into the tools more in class!