Ceh v8 labs module 12 hacking webservers
  1. CEH Lab Manual: Hacking Web Servers, Module 12
  2. Module 12 - Hacking Webservers
Hacking Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

Icon key: Valuable information / Test your knowledge / Web exercise / Workbook review

Lab Scenario
Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at the server side. So attackers target the web server to steal credentials, passwords, and business information by means of DoS (DDoS) attacks, SYN floods, ping floods, port scans, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction.

Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
■ Footprint web servers
■ Crack remote passwords
■ Detect unpatched security flaws

CEH Lab Manual Page 731
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Lab Environment
To carry out this lab, you need:
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows Server 2008, Windows 8, and Windows 7 as virtual machines
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 40 Minutes

Overview of Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software application that is installed on the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged.

Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

Lab Tasks
TASK 1: Overview
Recommended labs to demonstrate web server hacking:
■ Footprinting a web server using the httprecon tool
■ Footprinting a web server using the ID Serve tool
■ Exploiting Java vulnerabilities using Metasploit Framework
  4. Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  5. Lab 1: Footprinting a Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario
Web applications are the most important way for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
■ Use the httprecon tool
■ Get a web server footprint
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:
■ httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
  6. ■ You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run tools
Httprecon is an open-source application that can fingerprint web server applications.

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

Lab Tasks
TASK 1: Footprinting a Webserver
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

FIGURE 1.1: httprecon main window (httprecon 7.3; menus File, Configuration, Fingerprinting, Reporting, Help; Target http:// with port 80; request tabs GET existing, GET long request, GET nonexisting, GET wrong protocol, HEAD existing, OPTIONS common; result tabs Full Matchlist, Fingerprint Details, Report Preview with columns Name, Hits, Match %)
Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.
  7. 4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered website.
6. You should receive a footprint of the entered website.

FIGURE 1.2: The footprint result of the entered website (httprecon 7.3 analyzing http://juggyboy.com:80/; target identified as Microsoft IIS 6.0). The GET existing tab shows the response:

    HTTP/1.1 200 OK
    Date: Thu, 18 Oct 2012 11:36:10 GMT
    Content-Length: 8451
    Content-Type: text/html
    Content-Location: http://juggyboy.com/index.html
    Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
    Accept-Ranges: none
    ETag: "a47ee9091a0cd1:7a49"
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET

Matchlist (352 implementations), columns Name / Hits / Match %:
    Microsoft IIS 6.0      88   100
    Microsoft IIS 5.0      71   80.68
    Microsoft IIS 5.1      63   71.59
    Sun ONE Web Server     63   71.59
    Apache 1.3.26          62   70.45
    Zeus 4.3               62   70.45
    Apache 1.3.37          60   68.18
    Microsoft IIS 7.0      (values cut off in the screenshot)

Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation. The scan engine of httprecon uses nine different requests, which are sent to the target web server.

7. Click the GET long request tab, which lists the GET request. Then click Fingerprint Details.

FIGURE 1.3: The fingerprint and GET long request result of the entered website. The GET long request tab shows the response:

    HTTP/1.1 400 Bad Request
    Content-Type: text/html
    Date: Thu, 18 Oct 2012 11:35:20 GMT
    Connection: close
    Content-Length: 34

Fingerprint Details for this request:
    Protocol: HTTP
    Version: 1.1
    Statuscode: 400
    Statustext, Banner, X-Powered-By: (empty in the screenshot)
    Header Spaces: 1
    Capital after Dash: 1
    Header-Order: Content-Type,Date,Connection,Content-Length
    Full Header-Order: Content-Type,Date,Connection,Content-Length
    Header-Order Limit: (empty in the screenshot)

Httprecon does not rely on simple banner announcements by the analyzed software.
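As an added example (not httprecon's code and not part of the lab manual), the following Python extracts the same header-level elements the Fingerprint Details tab lists from a raw HTTP response, scores them against a small fingerprint database the way the Matchlist does, and reports which product-naming headers a server administrator would want to remove. The two sample responses and the fingerprint database are constructed, modelled on the responses captured above.

```python
"""Header-level HTTP fingerprint extraction and scoring, in the style of
httprecon's Fingerprint Details and Matchlist tabs.

Added example: this is not httprecon's code and not part of the lab manual.
The sample responses and the fingerprint database below are constructed.
"""
import re

# Constructed responses modelled on the two captured in the lab against an
# IIS 6.0 host: "GET existing" (200) and "GET long request" (400).
GET_EXISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Content-Length: 8451\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html>...</html>"
)
GET_LONG_REQUEST = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
)

# Constructed fingerprint database: one entry per implementation, holding the
# element values expected for the "GET existing" test case.
FINGERPRINT_DB = {
    "Microsoft IIS 6.0": {
        "Version": "1.1", "Banner": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET",
        "Header Spaces": 1, "Capital after Dash": 1,
        "Header-Order": "Date,Content-Length,Content-Type,Server,X-Powered-By",
    },
    "Apache 1.3.37 (constructed)": {
        "Version": "1.1", "Banner": "Apache/1.3.37", "X-Powered-By": "",
        "Header Spaces": 1, "Capital after Dash": 1,
        "Header-Order": "Date,Server,Last-Modified,ETag,Accept-Ranges,Content-Length,Content-Type",
    },
}

STATUS_LINE = re.compile(r"^([A-Z]+)/(\d\.\d) (\d{3}) ?(.*)$")


def fingerprint(raw):
    """Extract httprecon-style fingerprint elements from one raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    proto, version, code, text = m.groups()
    names, values, spaces = [], {}, None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        if spaces is None:                    # "Name: v" (1) versus "Name:v" (0)
            spaces = 1 if value.startswith(" ") else 0
    # "Capital after Dash": 1 when every word after a dash in a header name is
    # capitalised (Content-Type); 0 when any is not (Content-type).
    dashed = [n for n in names if "-" in n]
    capital = None
    if dashed:
        capital = int(all(p[:1].isupper() for n in dashed for p in n.split("-")[1:]))
    return {
        "Protocol": proto,
        "Version": version,
        "Statuscode": code,
        "Statustext": text,
        "Banner": values.get("server", ""),
        "X-Powered-By": values.get("x-powered-by", ""),
        "Header Spaces": spaces,
        "Capital after Dash": capital,
        "Header-Order": ",".join(names),
    }


def match(fp, db=FINGERPRINT_DB):
    """Score a fingerprint against every entry, like the Matchlist: (name, hits, match %)."""
    results = []
    for name, ref in db.items():
        hits = sum(1 for k, v in ref.items() if fp.get(k) == v)
        results.append((name, hits, round(100.0 * hits / len(ref), 2)))
    return sorted(results, key=lambda r: r[1], reverse=True)


def leaked_identifiers(fp):
    """Elements that name the product outright; a defender strips or neutralises these
    (the order and spacing elements still carry information even after that)."""
    return {k: fp[k] for k in ("Banner", "X-Powered-By") if fp[k]}


if __name__ == "__main__":
    for label, raw in (("GET existing", GET_EXISTING), ("GET long request", GET_LONG_REQUEST)):
        fp = fingerprint(raw)
        print(label, fp)
        print("  matchlist:", match(fp))
        print("  leaked:", leaked_identifiers(fp))
```

Run against your own server's responses to see what survives banner suppression: the 400 response above carries no Server line, yet its header order and spacing still match a family of implementations.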
  8. Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon Tool
Information Collected / Objectives Achieved
Output: Footprint of the juggyboy website
■ Content-Location: http://juggyboy.com/index.html
■ Content-Type: text/html
■ ETag: "a47ee9091a0cd1:7a49"
■ Server: Microsoft-IIS/6.0
■ X-Powered-By: ASP.NET

Questions
1. Analyze the major differences between classic banner-grabbing of the Server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required: [x] Yes  [ ] No
Platform Supported: [x] Classroom  [ ] iLabs
  9. Lab 2: Footprinting a Webserver Using ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario
In the previous lab you learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint. It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to identify a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
■ Use the ID Serve tool
■ Get a web server footprint
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:
■ ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
  10. ■ Run this tool on Windows Server 2012 as host machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility. ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.

Lab Tasks
TASK 1: Footprinting a Webserver
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.

FIGURE 2.1: Welcome screen of ID Serve (ID Serve, Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; tabs Background, Server Query, Q&A/Help; field "Enter or copy/paste an Internet server URL or IP address here (example: www.microsoft.com)"; button "Query The Server": "When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server"; panels "Server query processing:" and "The server identified itself as:"; buttons Copy and Goto ID Serve web page)
ID Serve can connect to any server port on any domain or IP address.

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the website (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.
  11. 6. Click Query the Server to start querying the entered website.
7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.
ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

FIGURE 2.2: ID Serve detecting the footprint (query of http://10.0.0.2/realhome). Server query processing shows:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
    Accept-Ranges: bytes
    ETag: "c95dc4af6274cd1:0"

ID Serve can almost always identify the make, model, and version of any web site's server software.

Lab Analysis
Document all the server information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ID Serve
Information Collected / Objectives Achieved
Server Identified: Microsoft-IIS/8.0
Server Query Processing:
■ HTTP/1.1 200 OK
■ Content-Type: text/html
■ Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
■ Accept-Ranges: bytes
■ ETag: "c95dc4af6274cd1:0"
  12. Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs
  13. Lab 3: Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:
  14. ■ Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine
■ JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
■ Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

Lab Tasks
TASK 1: Installing Metasploit Framework
1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.
  15. 15. M odule 12 - H ackin g W e b servers J U‫׳‬ ! *rud«JC n e l o onrin 1- 1♦ rt -p:’l i i o t 9 ts• o a t s . 0 C 5 w -I‫* * ־‬ ‫־‬I - G o l * oge This Connection is Untrusted You h v a k dF rfxt c n e tscr * ‫ ׳‬ol c BrosU7 0 tj we cantc n i mt a y u a e s e ieo o o n c eu e ) t o a 9 . -t o f r ht o! H ie exploit takes advantage of two issues in JD K 7: The ClassFinder and MethodFinder. findMethod( ). Both were newly introduced in JD K 7. ClassFinder is a replacement for classForName back in JD K N r a l ,when yout y oc n e tscrl,:t. p e e tt e s dietfcto t p o et a y omly i t o n c euey ir wi r s n r s e dniiain c r v h t cu a eg i gt t en h pa e H » e e .ti st' ■ e & yc ntbevrfe. r o n o h g t lc . o > v r hs ies d r t a ersd What Should 1 Do? Iyou u u l yc n e tt ti st w t o tp f s a l o n c o hs ie i h u roblem^fv « ‫*״‬ec>d mun tvtsomeone i ty n t ls 0 ij s ri g o i p r o a et est andyous o l n tc n i u . m e s n t h ie h u d ' otne [ Gel me o l f e e uohtl Technical Details | 1Understand the Risks | 6. FIG U RE 3.1: Metasploit Untrusted connection in web browser 4. C lick A dd E x c e p tio n . |+ 1 £ * ? ▼ C ‫(ן‬ f JJ* G o l oge & hts• k c K » . V' tp:1 > * x t . This Connection is Untrusted It allows untrusted code to obtain a reference and have access to a restricted package in JD K 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). You h v • k d‫ג/ז ז‬t c n o t1«1u‫׳‬l 10 a e t t ‫ סיי‬o o n c «> c n e t o i sc . o n c i n ‫«10 * ׳‬ > * 1 1 0 tj 9. t c ntc n i m h ty u • ofrta ot N rmlly w rnyoutrytoe n e ik u t*e»w pnwKtru ‫* י‬Menrep v th ty u o a , ih o n rt rrty M ftrd ro e a o art g in toth u h p 1« Ilwrt, tlmt!t«1 itfrMj « ‫ י‬U o g e g ( la . «l What Should I Do? Ifyo u a co n toth S w o tp b - v th moi to•Ji mun tK tso e n ntryin to u su lly n ed is ite rth i/ ‫׳‬o k ‫׳‬n . r, « mo e g ime n teth a , an yo sh u n e n u . 
FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.
FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit - Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.

FIGURE 3.4: Metasploit Creating an Account

TASK 2: Product Key Activation

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
8. Enter your valid email address in the Metasploit Community option and click GO.

FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email address and copy the license key as shown in the following figure.

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.
FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste the product key and click Next to continue.

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

The Metasploit Framework will always be free and open source.
The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.

FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.
FIGURE 3.9: Metasploit Activation

12. The Activation Successful window appears.

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.
FIGURE 3.10: Metasploit Activation Successful

TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.

FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after checking the updates, click Install.
FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

16. Wait until Metasploit restarts.

By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.
FIGURE 3.14: Metasploit Restarts

17. After completion of the restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.

TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.
TASK 4: Creating a New Metasploit Project

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
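As an added example (not code from the lab manual or from the Metasploitable documentation it quotes), the Python script below audits a host's own configuration for the two misconfigurations described in the two preceding notes: the ".rhosts + +" trust that opens the r-services to any host, and an NFS export of "/" as showmount -e would reveal it. The .rhosts, /etc/exports and showmount -e contents are constructed samples.

```python
"""Audit for the two Metasploitable 2 misconfigurations described above:
wide-open "+ +" trust in .rhosts / hosts.equiv, and NFS exporting "/" to any host.
Added example; the sample inputs below are constructed, not taken from a real host."""

# Constructed sample ~/.rhosts (same format as /etc/hosts.equiv): "+ +" trusts any user from any host.
SAMPLE_RHOSTS = "+ +\n"

# Constructed sample /etc/exports exporting the filesystem root to the world without root squashing.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS export list (constructed sample)
/          *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync)
"""

# Constructed sample of `showmount -e <host>` output for the same exports.
SAMPLE_SHOWMOUNT = """\
Export list for metasploitable:
/          *
/srv/share 10.0.0.0/24
"""


def rhosts_findings(text):
    """Return (line_number, message) for each trust line that uses the '+' wildcard.
    Each line is '<host> [user]'; '+' in either field means 'any'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+" and user == "+":
            findings.append((lineno, "any user from any host trusted ('+ +')"))
        elif host == "+":
            findings.append((lineno, "any host trusted for %s" % (user or "the same user")))
        elif user == "+":
            findings.append((lineno, "any user trusted from host %s" % host))
    return findings


def parse_exports(text):
    """Parse /etc/exports lines '<path> <client>(opts) ...' into {path: [(client, set_of_opts)]}.
    A path with no client list is exported to every host, which exportfs treats as '*'."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], []
        for tok in tokens[1:]:
            client, _, opts = tok.partition("(")
            clients.append((client or "*", set(opts.rstrip(")").split(",")) if opts else set()))
        exports.setdefault(path, []).extend(clients or [("*", set())])
    return exports


def parse_showmount(text):
    """Parse `showmount -e` output (header line, then '<path> <client>[,<client>...]') into the
    same {path: [(client, opts)]} shape as parse_exports(); showmount does not report options."""
    exports = {}
    for raw in text.splitlines()[1:]:          # first line is 'Export list for <host>:'
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        exports[tokens[0]] = [(c, set()) for c in tokens[1].split(",")]
    return exports


def exports_findings(exports):
    """Flag exports of the filesystem root, exports open to any host ('*'), and no_root_squash."""
    findings = []
    for path, clients in sorted(exports.items()):
        for client, opts in clients:
            world = client == "*"        # only the bare wildcard; '*.example.com' is not treated as world
            if path == "/" and world:
                findings.append("root filesystem '/' exported to any host")
            elif path == "/":
                findings.append("root filesystem '/' exported to %s" % client)
            elif world:
                findings.append("%s exported to any host" % path)
            if "no_root_squash" in opts:
                findings.append("%s exported with no_root_squash to %s" % (path, client))
    return findings


if __name__ == "__main__":
    for lineno, msg in rhosts_findings(SAMPLE_RHOSTS):
        print("rhosts line %d: %s" % (lineno, msg))
    for msg in exports_findings(parse_exports(SAMPLE_EXPORTS)):
        print("exports: " + msg)
    for msg in exports_findings(parse_showmount(SAMPLE_SHOWMOUNT)):
        print("showmount: " + msg)
```

On a real host the same functions can be fed the contents of /etc/hosts.equiv, each user's ~/.rhosts, /etc/exports and the output of showmount -e against the host itself.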
FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.
FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.

The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.
FIGURE 3.17: Metasploit Modules Tab

TASK 5: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.
FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:
   a. In Payload Options set the Connection Type as Reverse and in Listener Host, enter the IP address where Metasploit is running.
   b. In Module Options, enter the SRVHost IP address where Metasploit is running.
   c. Enter the URI Path (in this lab we are using greetings) and click Run Module.

Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.

A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and custom reporting, combined with an advanced penetration testing workflow.
FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.

IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.
FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 Virtual Machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.

25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.
FIGURE 3.22: Windows 8 Virtual Machine - Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

FIGURE 3.23: Metasploit Capturing the reverse connection of targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.

Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

Project Management: A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.
FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of a target machine as shown in the following screenshot.

FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.

User Management: Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

Global Settings: Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
FIGURE 3.26: Metasploit Target Machine System information

30. To access the files of the target system, click Access Filesystem.

FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files from the target machine.

System Management: As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

Host Scan: A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.
If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits. Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.

FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell of the target machine by clicking Command Shell from the sessions captured.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.
Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG Command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, an e-mail account, a list of target e-mail addresses, and an e-mail template.

34. The following screenshot shows the IP address and other details of your target machine.

[Screenshot omitted] FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

WebScan spiders web pages and applications for active content and forms. If WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.

35. Click the Go back one page button in the Metasploit browser to exit the command shell.
A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain, and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.32: Metasploit Closing Command Shell

FIGURE 3.33: Metasploit Terminating Session

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session Killed. Now, from the Account drop-down list, select Logout.

[Screenshot omitted] FIGURE 3.34: Metasploit Session Killed and Logging Out
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:
Output: Interface Information
■ Name: eth14-Microsoft Hyper-V Network Adapter
■ Hardware MAC: 00:00:00:00:00:00
■ MTU: 1500
■ IPv4 Address: 10.0.0.12
■ IPv4 Netmask: 255.255.255.0
■ IPv6 Address: fe80::b9ea:d011:3e0e:1b7
■ IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::

Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs
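The interface information recorded above is the raw Meterpreter ipconfig output the lab asks you to capture. As an added example (not from the lab manual or from Metasploit itself), the following Python turns such output into structured evidence for the lab report: it parses the interface blocks, converts each netmask to a prefix length (rejecting non-contiguous masks), and flags the all-zero MAC and the link-local IPv6 address. The sample text is constructed from the table's values, and the "Field : value" layout is assumed to match Meterpreter's.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the interface information in the Lab Analysis
# table above; it is not output captured from a real session.
SAMPLE_IPCONFIG = """\
Interface 13
============
Name         : Microsoft Hyper-V Network Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1500
IPv4 Address : 10.0.0.12
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask : ffff:ffff:ffff:ffff::
"""

IFACE_RE = re.compile(r"^Interface\s+(\d+)\s*$")
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Split Meterpreter 'ipconfig' output into one dict of fields per interface."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"index": int(m.group(1))}
            interfaces.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()  # '====' lines never match

    return interfaces

def prefix_length(mask):
    """Prefix length of a dotted (IPv4) or colon (IPv6) netmask; rejects non-contiguous masks."""
    addr = ip_address(mask)
    bits, width = int(addr), addr.max_prefixlen
    ones = bin(bits).count("1")
    if bits != (1 << width) - (1 << (width - ones)):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones

def summarize(iface):
    """Reduce one parsed interface to report evidence plus sanity-check notes."""
    v4 = ip_network(f"{iface['IPv4 Address']}/{prefix_length(iface['IPv4 Netmask'])}", strict=False)
    v6 = ip_network(f"{iface['IPv6 Address']}/{prefix_length(iface['IPv6 Netmask'])}", strict=False)
    notes = []
    if iface.get("Hardware MAC") == "00:00:00:00:00:00":
        notes.append("all-zero MAC: virtual/pseudo adapter, not a physical NIC")
    if ip_address(iface["IPv6 Address"]).is_link_local:
        notes.append("IPv6 address is link-local only (no global IPv6 reachability)")
    return {"name": iface["Name"], "ipv4_net": str(v4), "ipv6_net": str(v6), "notes": notes}

if __name__ == "__main__":
    for iface in parse_ipconfig(SAMPLE_IPCONFIG):
        print(summarize(iface))
```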