Running head: PENETRATION REPORT 1
Penetration Report
Jeff Conrad
Rasmussen College
Author Note
This paper is being submitted on March 18, 2016, for Jeff Conrad’s N230/CIS2315C
Fundamentals of Ethical Hacking course.
Table of Contents
Executive Summary ...........................................................................................................................3
Summary of Results............................................................................................................................4
Module 3 Lab (Scanning) .................................................................................................................4
Module 4 Lab (Metasploitable2)........................................................................................................4
Module 8 Lab (Hydra Password Cracking) ........................................................................................4
Module 9 Lab (Wireless Networking).................................................................................................4
Module 10 Lab (Maltego) .................................................................................................................4
Attack Narrative ..................................................................................................................................5
Nessus Metasploitable2 Vulnerabilities .............................................................................................5
OpenVAS Metasploitable2 Vulnerabilities..........................................................................................6
Metasploit Metasploitable2 Vulnerabilities .........................................................................................7
Metasploit/Armitage Exploits ............................................................................................................8
Ingreslock Vulnerability.................................................................................................................8
NFS/RLogin Vulnerability..............................................................................................................9
Hydra Password Cracking ..............................................................................................................11
Wireless Hacking...........................................................................................................................14
Maltego.........................................................................................................................................20
Conclusion .......................................................................................................................................25
Recommendations............................................................................................................................26
Risk Rating.......................................................................................................................................27
Appendix A: Vulnerability Detail and Mitigation ...................................................................................28
Risk Rating Scale ..........................................................................................................................28
Default or Weak Credentials .......................................................................................................28
Password Reuse........................................................................................................................28
Open Ports ................................................................................................................................29
Patch Management ....................................................................................................................29
Executive Summary
This report shows the results of sample penetration testing for N230/CIS2315C Fundamentals of Ethical
Hacking - 2016 Winter Quarter at Rasmussen College. The tests were performed to demonstrate how
Ethical Hacking works and what steps should be used to access a remote system to determine its
vulnerabilities.
All activities were conducted in a classroom environment which simulated malicious intent. The goal of
these exercises was to simulate how a remote attacker could access a network, obtain confidential data,
or determine the internal infrastructure and availability of the remote systems.
During these exercises, the emphasis was placed on identification of exploits using Open Web
Application Security Project (OWASP) Top 10 for 2013. This document provides information on some of
the common vulnerabilities. NIST SP 800-115 was reviewed for information related to testing and actions.
All tests were performed in a controlled environment and did not affect any outside systems.
Summary of Results
For this course, the Metasploitable2 virtual machine was used as the target, and Kali Linux was used to
attack it. Several assignments involved scanning and exploiting the virtual machine; these assignments
occurred in Modules 3 and 4.
Module 3 Lab (Scanning)
During this lab, three scanning tools were used to find vulnerabilities within the Metasploitable2 virtual
machine: OpenVAS, Nessus, and Metasploit using Armitage. Nexpose was going to be used instead of
Metasploit/Armitage, but it could not be configured because of system hardware limitations.
Module 4 Lab (Metasploitable2)
During this lab, the Metasploitable2 virtual machine was attacked using the Metasploit/Armitage software.
Three exploits were detected and were able to make a connection to the virtual machine. The exploits
that were used for the test are listed below:
- NFS
- Ingreslock
- login
Module 8 Lab (Hydra Password Cracking)
During this lab, the original intent was to use an Alfa wireless adapter to test penetration against another
router. At the time of the lab, the adapter was not working properly. As an alternative, the Hydra password
cracking tool was used against the Metasploitable2 virtual machine.
Module 9 Lab (Wireless Networking)
During this lab, an Alfa wireless adapter card was used to access and obtain the router admin password
for a Linksys router set up with WPA2 Personal encryption.
Module 10 Lab (Maltego)
During this lab, Maltego scanning software was used to obtain information regarding email addresses for
the rasmussen.edu web domain.
Attack Narrative
To find the exploits present on the Metasploitable2 virtual machine, the first step was to scan the
system. The programs used to scan Metasploitable2 were OpenVAS, Nessus, and Metasploit. Nexpose
was going to be used instead of Metasploit, but the software could not be configured due to system
limitations.
Many of the issues found by OpenVAS were related to database vulnerabilities; OpenVAS found 126
vulnerabilities in total. The Nessus scan found 158 vulnerabilities, many of them related to web and
system services, and some backdoor detections were found as well. When the scan was run from
Metasploit, it appeared to find only one result, Java RMI Server Insecure Default Configuration Java Code
Execution.
Additional scans that might have found more vulnerabilities could not be run because of the Metasploit
version in use. OpenVAS and Nessus scan for similar information, but the reports differ: the CVEs in the
two reports did not appear to match at all. Listed on the next several pages are the results of the scans,
showing the top vulnerabilities from each.
Nessus Metasploitable2 Vulnerabilities
| CVE | CVSS | Risk | Protocol | Port | Name | Synopsis |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-1999-0618 | 10 | Critical | TCP | 512 | rexecd Service Detection | The rexecd service is running on the remote host. |
| CVE-2008-0166 | 10 | Critical | TCP | 25 | Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check) | The remote SSL certificate uses a weak key. |
| | 10 | Critical | TCP | 0 | Unsupported Unix Operating System | The remote host is running an obsolete operating system. |
| CVE-2010-2075 | 10 | Critical | TCP | 6667 | UnrealIRCd Backdoor Detection | The remote IRC server contains a backdoor. |
| | 10 | Critical | TCP | 1524 | Rogue Shell Backdoor Detection | The remote host may have been compromised. |
| | 10 | Critical | TCP | 5900 | VNC Server 'password' Password | A VNC server running on the remote host is secured with a weak password. |
| CVE-1999-0651 | 7.5 | High | TCP | 513 | rlogin Service Detection | The rlogin service is running on the remote host. |
| CVE-1999-0651 | 7.5 | High | TCP | 514 | rsh Service Detection | The rsh service is running on the remote host. |
| | 7.5 | High | TCP | 8180 | Unsupported Web Server Detection | The remote web server is obsolete/unsupported. |
OpenVAS Metasploitable2 Vulnerabilities
| Port | CVSS | NVT Name | Summary | CVEs |
| --- | --- | --- | --- | --- |
| 21 | 10 | ProFTPD Multiple Remote Vulnerabilities | The host is running ProFTPD and is prone to multiple vulnerabilities. | CVE-2010-3867, CVE-2010-4221 |
| 1524 | 10 | Possible Backdoor: Ingreslock | A backdoor is installed on the remote host. | NOCVE |
| 2121 | 10 | ProFTPD Multiple Remote Vulnerabilities | The host is running ProFTPD and is prone to multiple vulnerabilities. | CVE-2010-3867, CVE-2010-4221 |
| 6000 | 10 | X Server | An improperly configured X server will accept connections from clients from anywhere. | CVE-1999-0526 |
| 3632 | 9.3 | distcc Remote Code Execution Vulnerability | Allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. | CVE-2004-2687 |
| 3306 | 9 | MySQL weak password | It was possible to log in to the remote MySQL as root using weak credentials. | NOCVE |
| 5432 | 9 | PostgreSQL weak password | It was possible to log in to the remote PostgreSQL as user postgres using weak credentials. | NOCVE |
| 5432 | 8.5 | PostgreSQL Multiple Security Vulnerabilities | PostgreSQL is prone to multiple security vulnerabilities. | CVE-2010-1169, CVE-2010-1170, CVE-2010-1447 |
| 21 | 7.5 | vsftpd Compromised Source Packages Backdoor Vulnerability | Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected application. | NOCVE |
| 21 | 7.5 | ProFTPD Server SQL Injection Vulnerability | Prone to a remote SQL injection vulnerability. | CVE-2009-0542, CVE-2009-0543 |
| 80 | 7.5 | phpMyAdmin Code Injection and XSS Vulnerability | phpMyAdmin is prone to a remote PHP code-injection vulnerability and to a cross-site scripting vulnerability. | CVE-2009-1151 |
| 80 | 7.5 | phpMyAdmin BLOB Streaming Multiple Input Validation Vulnerabilities | phpMyAdmin is prone to multiple input-validation vulnerabilities, including an HTTP response-splitting vulnerability and a local file-include vulnerability. | NOCVE |
| 80 | 7.5 | phpMyAdmin Configuration File PHP Code Injection Vulnerability | According to its version number, the remote version of phpMyAdmin is prone to a remote PHP code-injection vulnerability. | CVE-2009-1285 |
| 80 | 7.5 | TikiWiki Versions before 4.2 Multiple Unspecified Vulnerabilities | TikiWiki is prone to multiple unspecified vulnerabilities, including SQL-injection and authentication-bypass vulnerabilities. | CVE-2010-1135, CVE-2010-1134, CVE-2010-1133, CVE-2010-1136 |
| 80 | 7.5 | PHP-CGI-based setups vulnerability when parsing query string parameters from PHP files | PHP is prone to an information-disclosure vulnerability. | CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335 |
Metasploit Metasploitable2 Vulnerabilities
Metasploit was used to capture information from Metasploitable2 in a virtual machine environment. The
only vulnerability that was detected was related to Java RMI Server Insecure Default Configuration Java
Code Execution. This is shown below.
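The report notes that the Nessus and OpenVAS CVE lists do not overlap, which is the usual reason to run more than one scanner. The script below, an added example that is not part of the original report or of either scanner's tooling, re-types the two tables above (names shortened) and reconciles them: shared CVEs, ports both tools flagged under different names, ports only one tool saw, and a worst-first remediation order. The merge rules, the 7.0 threshold and the function names are the editor's assumptions.

```python
"""Reconcile the Nessus and OpenVAS findings tabulated in this report.

Added example (not part of the original report or either scanner's tooling):
the rows are re-typed from the two tables above, and the merge rules,
thresholds and function names are the editor's assumptions.
"""

# (port, CVSS, finding name, CVE ids) transcribed from the Nessus table.
# Port 0 is Nessus's convention for a host-level finding.
NESSUS = [
    (512, 10.0, "rexecd Service Detection", ["CVE-1999-0618"]),
    (25, 10.0, "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness", ["CVE-2008-0166"]),
    (0, 10.0, "Unsupported Unix Operating System", []),
    (6667, 10.0, "UnrealIRCd Backdoor Detection", ["CVE-2010-2075"]),
    (1524, 10.0, "Rogue Shell Backdoor Detection", []),
    (5900, 10.0, "VNC Server 'password' Password", []),
    (513, 7.5, "rlogin Service Detection", ["CVE-1999-0651"]),
    (514, 7.5, "rsh Service Detection", ["CVE-1999-0651"]),
    (8180, 7.5, "Unsupported Web Server Detection", []),
]

# Same shape, transcribed from the OpenVAS table ("NOCVE" rows get an empty list).
OPENVAS = [
    (21, 10.0, "ProFTPD Multiple Remote Vulnerabilities", ["CVE-2010-3867", "CVE-2010-4221"]),
    (1524, 10.0, "Possible Backdoor: Ingreslock", []),
    (2121, 10.0, "ProFTPD Multiple Remote Vulnerabilities", ["CVE-2010-3867", "CVE-2010-4221"]),
    (6000, 10.0, "X Server", ["CVE-1999-0526"]),
    (3632, 9.3, "distcc Remote Code Execution Vulnerability", ["CVE-2004-2687"]),
    (3306, 9.0, "MySQL weak password", []),
    (5432, 9.0, "PostgreSQL weak password", []),
    (5432, 8.5, "PostgreSQL Multiple Security Vulnerabilities",
     ["CVE-2010-1169", "CVE-2010-1170", "CVE-2010-1447"]),
    (21, 7.5, "vsftpd Compromised Source Packages Backdoor Vulnerability", []),
    (21, 7.5, "ProFTPD Server SQL Injection Vulnerability", ["CVE-2009-0542", "CVE-2009-0543"]),
    (80, 7.5, "phpMyAdmin Code Injection and XSS Vulnerability", ["CVE-2009-1151"]),
    (80, 7.5, "phpMyAdmin BLOB Streaming Multiple Input Validation Vulnerabilities", []),
    (80, 7.5, "phpMyAdmin Configuration File PHP Code Injection Vulnerability", ["CVE-2009-1285"]),
    (80, 7.5, "TikiWiki Versions before 4.2 Multiple Unspecified Vulnerabilities",
     ["CVE-2010-1135", "CVE-2010-1134", "CVE-2010-1133", "CVE-2010-1136"]),
    (80, 7.5, "PHP-CGI-based setups vulnerability when parsing query string parameters",
     ["CVE-2012-1823", "CVE-2012-2311", "CVE-2012-2336", "CVE-2012-2335"]),
]


def cve_set(findings):
    """Every CVE id a scan's findings reference."""
    return {cve for _, _, _, cves in findings for cve in cves}


def shared_cves(a, b):
    """CVE ids reported by both scanners; the report observes this is empty."""
    return cve_set(a) & cve_set(b)


def port_set(findings):
    """Ports carrying at least one finding; host-level port 0 is excluded."""
    return {port for port, _, _, _ in findings if port != 0}


def shared_ports(a, b):
    """Ports both scanners flagged, even when they named the finding differently."""
    return port_set(a) & port_set(b)


def single_scanner_ports(a, b):
    """Ports only one tool reported: the coverage a second scanner adds."""
    pa, pb = port_set(a), port_set(b)
    return {"a_only": pa - pb, "b_only": pb - pa}


def worst_per_port(*scans):
    """Highest CVSS seen on each port across all scans, with that finding's name."""
    worst = {}
    for findings in scans:
        for port, cvss, name, _ in findings:
            if port not in worst or cvss > worst[port][0]:
                worst[port] = (cvss, name)
    return worst


def remediation_order(*scans, threshold=7.0):
    """Ports ordered worst-first, keeping only CVSS >= threshold (7.0 is the
    bottom of the High band both scanners use)."""
    ranked = sorted(worst_per_port(*scans).items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(port, cvss, name) for port, (cvss, name) in ranked if cvss >= threshold]


if __name__ == "__main__":
    print("CVEs in both reports:", shared_cves(NESSUS, OPENVAS) or "none")
    print("Ports both scanners flagged:", sorted(shared_ports(NESSUS, OPENVAS)))
    for port, cvss, name in remediation_order(NESSUS, OPENVAS):
        print(f"{port:>5}  {cvss:>4}  {name}")
```

Port 1524 is the one finding both tools agree on: Nessus calls it "Rogue Shell Backdoor Detection" and OpenVAS "Possible Backdoor: Ingreslock", so matching on CVE alone would have missed that they are the same backdoor.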
Metasploit/Armitage Exploits
Once the targets were identified, the next step was to try to find several vulnerabilities within the
Metasploitable2 virtual machine. The IP address of the virtual machine was 192.168.75.129.
Ingreslock Vulnerability
The first exploit that was used was Ingreslock, which has a backdoor into the Metasploitable system. The
exploit was performed using the Armitage software in Kali Linux.
NFS/RLogin Vulnerability
The second exploit used was accessing the Metasploitable system through NFS and the rlogin
command. A port scan was run on the virtual machine, and the system was cracked with root access.
The attack was then set up using ssh to obtain the encryption keys for the ssh service, as shown in the
next two images.
Here, we can see the login screen of the Metasploitable virtual machine from the Kali Linux machine.
As a continuation of the above, the root account of the Metasploitable2 virtual machine was accessed. For
the exploit to work properly, an RSH client had to be installed on Kali Linux. Below is the result of the
exploit, showing the IP address of the virtual machine, 192.168.75.129.
Hydra Password Cracking
The first step was to decide which VM to attack, Windows XP or Metasploitable. Metasploitable was
chosen as the first VM to attack. To do this, a wordlist needed to be created. I used the lists available in
Kali Linux, using the command cd /usr/share/wordlists. This returned the result below.
Seeing a Metasploit folder, I accessed the directory, which showed some other wordlists that are
available.
From the list, the sensitive_files.txt file was chosen. The command hydra -l root -P
/usr/share/wordlists/metasploit/sensitive_files.txt -t 6 ssh://192.168.75.129 was used to start the
process, as shown below. Once the command was run, no passwords were found for the
Metasploitable VM.
As the selected password list did not work, the next step was to run an nmap scan against the
Metasploitable VM to see which services were available.
The postgres service was tried with the following command: hydra -l msfadmin -P
/usr/share/wordlists/metasploit/postgres_default_pass.txt -t 6 postgres://192.168.75.129. The result was
that no passwords were found.
Several variations of the postgres wordlists were tried but did not return any passwords. The next step
was to try a different service. This time, the rlogin service was used with the following command:
hydra -l msfadmin -P /usr/share/wordlists/metasploit/root_userpass.txt rlogin://192.168.75.129.
The result, shown below, found 15 login and password combinations.
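From the defender's side, the hydra runs above leave a distinctive trace: many failed logins for one account from one source address in a few seconds, spread across several source ports because -t 6 opens six connections at once. The script below is an added example, not part of the original report; it parses constructed sshd lines in the /var/log/auth.log format and raises an alert on such a burst, and a second alert if the same source then logs in successfully. The attacker address 192.168.75.128, the year, the regex and the thresholds are assumptions.

```python
"""Spot Hydra-style password guessing in sshd logs.

Added example, not part of the original report: the log lines are constructed
to resemble what Metasploitable2's sshd writes to /var/log/auth.log while the
hydra command above runs with six parallel tasks (-t 6). The attacker address
192.168.75.128, the year, the regex and the alert thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one burst from the Kali host, one stray typo from another
# client, then a successful login from the guessing host.
SAMPLE_AUTH_LOG = """\
Mar 18 10:02:01 metasploitable sshd[4411]: Failed password for root from 192.168.75.128 port 51002 ssh2
Mar 18 10:02:01 metasploitable sshd[4413]: Failed password for root from 192.168.75.128 port 51003 ssh2
Mar 18 10:02:01 metasploitable sshd[4415]: Failed password for root from 192.168.75.128 port 51004 ssh2
Mar 18 10:02:02 metasploitable sshd[4417]: Failed password for root from 192.168.75.128 port 51005 ssh2
Mar 18 10:02:02 metasploitable sshd[4420]: Failed password for msfadmin from 10.0.0.5 port 40022 ssh2
Mar 18 10:02:02 metasploitable sshd[4419]: Failed password for root from 192.168.75.128 port 51006 ssh2
Mar 18 10:02:03 metasploitable sshd[4421]: Failed password for root from 192.168.75.128 port 51007 ssh2
Mar 18 10:02:03 metasploitable sshd[4423]: Failed password for root from 192.168.75.128 port 51008 ssh2
Mar 18 10:02:05 metasploitable sshd[4430]: Failed password for invalid user admin from 192.168.75.128 port 51009 ssh2
Mar 18 10:02:05 metasploitable sshd[4431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.75.128
Mar 18 10:02:09 metasploitable sshd[4440]: Accepted password for msfadmin from 192.168.75.128 port 51010 ssh2
Mar 18 10:05:40 metasploitable sshd[4490]: Accepted password for msfadmin from 192.168.75.1 port 50231 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+) ssh2$"
)


def parse_auth_log(text, year=2016):
    """Turn sshd auth lines into events; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PAM and other sshd lines are not login outcomes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"],
                       "src": m["src"], "port": int(m["port"])})
    return events


def detect_guessing(events, threshold=6, window_s=60):
    """Alert when one source IP accumulates >= threshold failures inside window_s
    seconds, and again if that source then logs in successfully.

    Counting per source IP rather than per connection matters: hydra -t 6 opens
    six connections at once, so a burst spreads over many source ports."""
    alerts = []
    recent = defaultdict(list)   # src -> failure timestamps inside the window
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["result"] == "Failed":
            q = recent[src]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_s:
                q.pop(0)        # expire failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "password_guessing", "src": src,
                               "failures": len(q), "first": q[0], "last": e["ts"]})
        elif src in flagged:
            alerts.append({"type": "success_after_guessing", "src": src,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The postgres and rlogin attempts in this section would land in PostgreSQL's own log and in the rlogind/PAM entries respectively, so the same per-source counting has to be applied to each service's log, not only sshd.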
Wireless Hacking
In this scenario, a Linksys E4200 router was used with WPA2 Personal encryption. An Alfa wireless
adapter was used with Kali Linux to attempt to crack the router admin password and display it.
I had some issues connecting to the router, so it had to be reset to factory settings. Once it was set up, the
airodump-ng wlan0monmon command was used to scan for the wireless networks that were available.
Below is the finding for the Linksys router used in this test.
The router is labeled Cisco07667.
The next step was to select a password from one of the wordlists on the Kali Linux system. The
dictionary files were located at /usr/share/wordlists. The password that I chose to use is superman
21241036.
A couple of days after the router was set up, I realized the WPA was set up on the 5 GHz band instead of
the 2.4 GHz band. This is why the router showed up as having open security. I went back into the router
and verified this was the issue. I changed the WPA on the 2.4 GHz band to the correct setting as described
above. The result is shown below.
The command airodump-ng wlan0 --channel 11 was used, which provided the result below.
The command airodump-ng wlan0 --channel 11 --write Cisco07667-psk was then used. I then disconnected
my laptop from the router by removing the LAN cable that was used for configuration.
The wireless card was set up to connect to the Cisco SSID using the password given above. As shown in
the result below, the Windows 8 computer connected, producing the WPA handshake.
Once the handshake was captured, the command aircrack-ng Cisco07667-psk-01.cap was run, which
displayed the result below. Option 3 was selected to start the dictionary attack. As no dictionary
file had been specified, the command aborted.
The cowpatty utility was used to verify that the dictionary file could be accessed. The following command
was used to start the process:
cowpatty -f /usr/share/wordlists/metasploit/routers_userpass.txt -r Cisco07667-psk-01.cap -s
Cisco07667
As you can see, the password from the dictionary file is displayed.
For the WPA2 part of the assignment, the router was configured to use WPA2 Personal. The
password was left the same. The same command was used for WPA2 as for WPA. The result is below.
The laptop was disconnected from the wireless network and then reconnected to obtain a WPA
handshake.
The next step was to crack the WPA2 key. I used the command aircrack-ng Cisco07667-psk-01.cap -w
/usr/share/wordlists/metasploit/routers_userpass.txt to start the cracking process.
The screen below appeared, asking for the SSID to crack. Option 3 was selected.
The cracked key is shown below.
Maltego
During this lab, Maltego was used to scan the Rasmussen.edu website to obtain information related to
infrastructure and email addresses. Maltego is an open-source intelligence and forensics application.
I started Maltego and ran through the first-time setup wizard. I was initially unable to get the program to
function, but determined
I canceled out of the setup screen to set up a new session.
I selected the URL option to scan a website and chose the Company Stalker option.
The next screen brought me to the domain name screen. I selected the rasmussen.edu website to scan
against.
I received the following message and selected the Run button to continue.
Once the scan was completed, the list of email addresses below appeared.
Once the results were processed, the map below appeared.
Taking one of the email addresses that appeared, the extrapolation below can be found. In the
screenshot, the Rasmussen user was found to be linked to additional email addresses of other people at
other locations.
Conclusion
If this were a real company, there would have been many vulnerabilities and compromises of critical
company assets. There were many instances of weak passwords and systems that were not properly
patched. Patching the Metasploitable2 virtual machine would have fixed some of the issues found in this report.
Recommendations
Due to the impact on the overall organization uncovered by this penetration test, appropriate resources
should be allocated to ensure that remediation efforts are completed in a timely manner. While a
comprehensive list of items that should be implemented is beyond the scope of this engagement, some
high-level items are important to mention.
It is important to note that the recommendations listed below relate to the Metasploitable2 virtual machine
and do not reflect attacks against any Rasmussen networks, which were used only for learning purposes.
1. Strong credentials should be used for all systems, file systems, and directories. Several weak
passwords were found in multiple applications and services. NIST SP 800-118 is recommended
as a guideline for setting up and operating an enterprise password policy.
2. Change control for access to all systems should be implemented in a company to ensure proper
security and so that insecure deployments are discovered and quickly addressed.
3. Patch management should be implemented in all companies to maintain good security through
frequent updates. Many of the issues found in the virtual machine could have been avoided by
having the system patched regularly.
4. Regular vulnerability assessments and disaster recovery exercises should be part of the
company plan and should be conducted on a regular basis. NIST 800-37 has guidelines that can
be used as a basis for security controls and monitoring.
Risk Rating
While Rasmussen systems were accessed for the learning exercises in these labs, it should be noted that
none of the Rasmussen systems were compromised in any way. Analyzing the Metasploitable2 virtual
machine revealed many risks and vulnerabilities, such as backdoors and a lack of security controls. As a
result of these tests, the risk associated with the virtual machine is rated High. If the virtual machine were
a company computer system, an attacker with malicious intent would be able to gain access to vital systems.
Appendix A: Vulnerability Detail and Mitigation
Risk Rating Scale
In accordance with NIST SP 800-30, exploited vulnerabilities are ranked based on likelihood and impact
to determine overall risk. The impacts and remediations listed are general in nature.
Default or Weak Credentials
Rating: High
Description: An external interface presents risk when it is set up with weak passwords that can be taken
from a dictionary.
Impact: For Windows systems, Group Policy should set a local administrator password on all
hosts within the scope of the GPO. Using the same local administrator password on
corporate systems allows an attacker with appropriate access to utilize the well-known
“pass-the-hash” attack vector. It allows an attacker to successfully authenticate on all
hosts that share the same password, using only the retrieved password hash.
Remediation: Ensure all administrative interfaces are secured with complex passwords. Ensure user
accounts are also set up under complex password guidelines. User passwords should be
changed at least every 60 days. Administrative passwords should be changed as
needed or secured with limited access and auditing.
Password Reuse
Rating: High
Description: While the same password was not shown in many systems in the virtual machine, this is
a common practice and should be avoided when possible.
Impact: Password reuse in general is a practice which should be highly discouraged and
prevented as much as possible. Reusing the same password can allow a greater attack
surface.
Remediation: Password management policies should be updated for all systems. Windows systems
should use domain level Group Policy to enforce password complexity and history. Linux
and Mac systems should use similar techniques for user and system accounts. Local
administrator accounts should be disabled wherever possible.
Open Ports
Rating: High
Description: A number of service and default ports were shown to be open and not secured on the
Metasploitable2 virtual machine.
Impact: Allowing ports to remain open allows potential attacks which increases risks to a
company.
Remediation: Close any ports that are not in use by applications or system processes. This would
reduce the attack surface.
Patch Management
Rating: High
Description: Metasploitable2 contained a number of applications and services which were not
patched.
Impact: Combinations of weak passwords and unpatched services, systems, and applications,
can allow an attacker to compromise a system. Once the system is compromised, the
attacker has the ability to access other networked systems.
Remediation: All corporate assets should be kept current with latest vendor supplied security patches.
This can be achieved with vendor tools or third-party applications, which can provide an
overview of all missing patches. In many instances, third-party tools can also be used for
patch deployment throughout a heterogeneous environment.

ENPM808 Independent Study Final Report - amaster 2019
Alexander Master
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
ShainaBoling829
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri
 

Similar to JConrad_Mod11_FinalProject_031816 (20)

Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
Virtual Machines Security Internals: Detection and Exploitation
 Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
Metasploit Computer security testing tool
Metasploit  Computer security testing toolMetasploit  Computer security testing tool
Metasploit Computer security testing tool
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
CSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment EssayCSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment Essay
 
Metasploit
MetasploitMetasploit
Metasploit
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
business
businessbusiness
business
 
Penetration Testing is the Art of the Manipulation
Penetration Testing is the Art of the ManipulationPenetration Testing is the Art of the Manipulation
Penetration Testing is the Art of the Manipulation
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdf
 
Point of-sale-malware-backoff
Point of-sale-malware-backoffPoint of-sale-malware-backoff
Point of-sale-malware-backoff
 
Point of-sale-malware-backoff
Point of-sale-malware-backoffPoint of-sale-malware-backoff
Point of-sale-malware-backoff
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1
 
ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019ENPM808 Independent Study Final Report - amaster 2019
ENPM808 Independent Study Final Report - amaster 2019
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
 

JConrad_Mod11_FinalProject_031816

  • 1. Running head: PENETRATION REPORT 1

Penetration Report
Jeff Conrad
Rasmussen College

Author Note: This paper is being submitted on March 18, 2016, for Jeff Conrad’s N230/CIS2315C Fundamentals of Ethical Hacking course.

  • 2. Table of Contents

Executive Summary ..... 3
Summary of Results ..... 4
    Module 3 Lab (Scanning) ..... 4
    Module 4 Lab (Metasploitable2) ..... 4
    Module 8 Lab (Hydra Password Cracking) ..... 4
    Module 9 Lab (Wireless Networking) ..... 4
    Module 10 Lab (Maltego) ..... 4
Attack Narrative ..... 5
    Nessus Metasploitable2 Vulnerabilities ..... 5
    OpenVAS Metasploitable2 Vulnerabilities ..... 6
    Metasploit Metasploitable2 Vulnerabilities ..... 7
    Metasploit/Armitage Exploits ..... 8
        Ingreslock Vulnerability ..... 8
        NFS/RLogin Vulnerability ..... 9
    Hydra Password Cracking ..... 11
    Wireless Hacking ..... 14
    Maltego ..... 20
Conclusion ..... 25
Recommendations ..... 26
Risk Rating ..... 27
Appendix A: Vulnerability Detail and Mitigation ..... 28
    Risk Rating Scale ..... 28
    Default or Weak Credentials ..... 28
    Password Reuse ..... 28
    Open Ports ..... 29
    Patch Management ..... 29
  • 3. Executive Summary

This report shows the results of sample penetration testing for N230/CIS2315C Fundamentals of Ethical Hacking, 2016 Winter Quarter, at Rasmussen College. The tests were performed to demonstrate how ethical hacking works and what steps should be used to access a remote system in order to determine its vulnerabilities. All activities were conducted in a classroom environment that simulated malicious intent.

The goal of these exercises was to simulate how a remote attacker could access a network, obtain confidential data, or determine the internal infrastructure and availability of the remote systems. During these exercises, the emphasis was placed on identification of exploits using the Open Web Application Security Project (OWASP) Top 10 for 2013. This document provides information on some of the common vulnerabilities. NIST SP 800-115 was reviewed for information related to testing and actions. All tests were performed in a controlled environment and did not affect any outside systems.
  • 4. Summary of Results

For this course, the Metasploitable2 virtual machine was used as the target. Kali Linux was used to attack the Metasploitable2 virtual machine. Several assignments involved scanning and exploiting the virtual machine; these occurred in Modules 3 and 4.

Module 3 Lab (Scanning)

During this lab, three scanning tools were used to find vulnerabilities within the Metasploitable2 virtual machine: OpenVAS, Nessus, and Metasploit using Armitage. Nexpose was going to be used instead of Metasploit/Armitage, but the application could not be configured due to a system hardware limitation.

Module 4 Lab (Metasploitable2)

During this lab, the Metasploitable2 virtual machine was attacked using the Metasploit/Armitage software. Three exploits were detected and were able to make a connection to the virtual machine. The exploits used for the test are listed below:

  - NFS
  - Ingreslock
  - rlogin

Module 8 Lab (Hydra Password Cracking)

During this lab, the original intent was to use an Alfa wireless adapter to test penetration against another router. At the time of the lab, the adapter was not working properly. As an alternative, the Hydra password cracking tool was used against the Metasploitable2 virtual machine.

Module 9 Lab (Wireless Networking)

During this lab, an Alfa wireless adapter card was used to access and obtain the router admin password for a Linksys router set up with WPA2 Personal encryption.

Module 10 Lab (Maltego)

During this lab, the Maltego scanning software was used to obtain information regarding email addresses for the rasmussen.edu web domain.
  • 5. Attack Narrative

To find the exploits present on the Metasploitable2 virtual machine, the first step was to scan the system. The programs used to scan Metasploitable2 were OpenVAS, Nessus, and Metasploit. Nexpose was going to be used instead of Metasploit, but the software could not be configured due to system limitations.

Many of the issues found by OpenVAS were related to database vulnerabilities; 126 vulnerabilities in total were found with OpenVAS. The Nessus scan found 158 vulnerabilities, many of them related to web and system services, and some backdoor detections as well. When the scan was run from Metasploit, it appeared to find only one result: Java RMI Server Insecure Default Configuration Java Code Execution. Additional scans that might have found more vulnerabilities could not be run because of the Metasploit software version in use.

OpenVAS and Nessus scan for similar information, but the reports are different. The CVEs in the two reports did not appear to overlap at all. Listed on the next several pages are the results of the scans, showing the top vulnerabilities from each.

Nessus Metasploitable2 Vulnerabilities

| CVE | CVSS | Risk | Protocol | Port | Name | Synopsis |
|---|---|---|---|---|---|---|
| CVE-1999-0618 | 10 | Critical | TCP | 512 | rexecd Service Detection | The rexecd service is running on the remote host. |
| CVE-2008-0166 | 10 | Critical | TCP | 25 | Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check) | The remote SSL certificate uses a weak key. |
| | 10 | Critical | TCP | 0 | Unsupported Unix Operating System | The remote host is running an obsolete operating system. |
| CVE-2010-2075 | 10 | Critical | TCP | 6667 | UnrealIRCd Backdoor Detection | The remote IRC server contains a backdoor. |
| | 10 | Critical | TCP | 1524 | Rogue Shell Backdoor Detection | The remote host may have been compromised. |
| | 10 | Critical | TCP | 5900 | VNC Server 'password' Password | A VNC server running on the remote host is secured with a weak password. |
| CVE-1999-0651 | 7.5 | High | TCP | 513 | rlogin Service Detection | The rlogin service is running on the remote host. |
| CVE-1999-0651 | 7.5 | High | TCP | 514 | rsh Service Detection | The rsh service is running on the remote host. |
| | 7.5 | High | TCP | 8180 | Unsupported Web Server Detection | The remote web server is obsolete / unsupported. |
  • 6. OpenVAS Metasploitable2 Vulnerabilities

| Port | CVSS | NVT Name | Summary | CVEs |
|---|---|---|---|---|
| 21 | 10 | ProFTPD Multiple Remote Vulnerabilities | The host is running ProFTPD and is prone to multiple vulnerabilities. | CVE-2010-3867, CVE-2010-4221 |
| 1524 | 10 | Possible Backdoor: Ingreslock | A backdoor is installed on the remote host. | NOCVE |
| 2121 | 10 | ProFTPD Multiple Remote Vulnerabilities | The host is running ProFTPD and is prone to multiple vulnerabilities. | CVE-2010-3867, CVE-2010-4221 |
| 6000 | 10 | X Server | An improperly configured X server will accept connections from clients from anywhere. | CVE-1999-0526 |
| 3632 | 9.3 | distcc Remote Code Execution Vulnerability | Allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. | CVE-2004-2687 |
| 3306 | 9 | MySQL weak password | It was possible to log in to the remote MySQL as root using weak credentials. | NOCVE |
| 5432 | 9 | PostgreSQL weak password | It was possible to log in to the remote PostgreSQL as user postgres using weak credentials. | NOCVE |
| 5432 | 8.5 | PostgreSQL Multiple Security Vulnerabilities | PostgreSQL is prone to multiple security vulnerabilities. | CVE-2010-1169, CVE-2010-1170, CVE-2010-1447 |
| 21 | 7.5 | vsftpd Compromised Source Packages Backdoor Vulnerability | Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected application. | NOCVE |
| 21 | 7.5 | ProFTPD Server SQL Injection Vulnerability | Prone to a remote SQL injection vulnerability. | CVE-2009-0542, CVE-2009-0543 |
| 80 | 7.5 | phpMyAdmin Code Injection and XSS Vulnerability | phpMyAdmin is prone to a remote PHP code-injection vulnerability and to a cross-site scripting vulnerability. | CVE-2009-1151 |
| 80 | 7.5 | phpMyAdmin BLOB Streaming Multiple Input Validation Vulnerabilities | phpMyAdmin is prone to multiple input-validation vulnerabilities, including an HTTP response-splitting vulnerability and a local file-include vulnerability. | NOCVE |
| 80 | 7.5 | phpMyAdmin Configuration File PHP Code Injection Vulnerability | According to its version number, the remote version of phpMyAdmin is prone to a remote PHP code-injection vulnerability. | CVE-2009-1285 |
| 80 | 7.5 | TikiWiki Versions before 4.2 Multiple Unspecified Vulnerabilities | TikiWiki is prone to multiple unspecified vulnerabilities, including SQL-injection and authentication-bypass vulnerabilities. | CVE-2010-1135, CVE-2010-1134, CVE-2010-1133, CVE-2010-1136 |
| 80 | 7.5 | PHP-CGI-based setups vulnerability when parsing query string parameters from PHP files | PHP is prone to an information-disclosure vulnerability. | CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335 |

  • 7. Metasploit Metasploitable2 Vulnerabilities

Metasploit was used to capture information from Metasploitable2 in a virtual machine environment. The only vulnerability detected was Java RMI Server Insecure Default Configuration Java Code Execution. This is shown below.
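The narrative above says the two scanners' CVE lists do not match, yet both flag the same host. As an added example (not code from the report or from either scanner), the Python below loads the two tables as transcribed rows, confirms the CVE sets are disjoint, finds the ports both scanners flagged regardless of CVE, and orders everything at CVSS 9 or higher into a remediation queue; a real run would read the scanners' CSV/XML exports instead of the inline rows.

```python
"""Reconcile the Nessus and OpenVAS findings tabulated above.

Added example, not code from the report or from either scanner. The row
tuples below are transcribed from the two tables on this page; a real run
would read the scanners' CSV/XML exports instead.
"""
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "scanner port cvss name cves")


def parse_cves(cell):
    """'CVE-2010-3867, CVE-2010-4221', 'NOCVE' or '' -> set of CVE ids."""
    return frozenset(t.strip().upper() for t in cell.split(",")
                     if t.strip().upper().startswith("CVE-"))

# (port, cvss, name, cve_cell) as printed in the Nessus table above
NESSUS_ROWS = [
    (512, 10, "rexecd Service Detection", "CVE-1999-0618"),
    (25, 10, "Debian OpenSSH/OpenSSL RNG Weakness (SSL check)", "CVE-2008-0166"),
    (0, 10, "Unsupported Unix Operating System", ""),
    (6667, 10, "UnrealIRCd Backdoor Detection", "CVE-2010-2075"),
    (1524, 10, "Rogue Shell Backdoor Detection", ""),
    (5900, 10, "VNC Server 'password' Password", ""),
    (513, 7.5, "rlogin Service Detection", "CVE-1999-0651"),
    (514, 7.5, "rsh Service Detection", "CVE-1999-0651"),
    (8180, 7.5, "Unsupported Web Server Detection", ""),
]
# (port, cvss, name, cve_cell) as printed in the OpenVAS table above
OPENVAS_ROWS = [
    (21, 10, "ProFTPD Multiple Remote Vulnerabilities", "CVE-2010-3867, CVE-2010-4221"),
    (1524, 10, "Possible Backdoor: Ingreslock", "NOCVE"),
    (2121, 10, "ProFTPD Multiple Remote Vulnerabilities", "CVE-2010-3867, CVE-2010-4221"),
    (6000, 10, "X Server", "CVE-1999-0526"),
    (3632, 9.3, "distcc Remote Code Execution Vulnerability", "CVE-2004-2687"),
    (3306, 9, "MySQL weak password", "NOCVE"),
    (5432, 9, "PostgreSQL weak password", "NOCVE"),
    (5432, 8.5, "PostgreSQL Multiple Security Vulnerabilities",
     "CVE-2010-1169, CVE-2010-1170, CVE-2010-1447"),
    (21, 7.5, "vsftpd Compromised Source Packages Backdoor", "NOCVE"),
    (21, 7.5, "ProFTPD Server SQL Injection Vulnerability", "CVE-2009-0542, CVE-2009-0543"),
    (80, 7.5, "phpMyAdmin Code Injection and XSS Vulnerability", "CVE-2009-1151"),
    (80, 7.5, "phpMyAdmin BLOB Streaming Input Validation", "NOCVE"),
    (80, 7.5, "phpMyAdmin Configuration File PHP Code Injection", "CVE-2009-1285"),
    (80, 7.5, "TikiWiki before 4.2 Multiple Unspecified Vulnerabilities",
     "CVE-2010-1135, CVE-2010-1134, CVE-2010-1133, CVE-2010-1136"),
    (80, 7.5, "PHP-CGI query string parameter vulnerability",
     "CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335"),
]


def load(scanner, rows):
    return [Finding(scanner, p, float(c), n, parse_cves(v)) for p, c, n, v in rows]


def cve_overlap(a, b):
    """CVE ids reported by both scanners (empty here, as the narrative notes)."""
    return set().union(*(f.cves for f in a)) & set().union(*(f.cves for f in b))


def ports_by_scanner(findings):
    """port -> set of scanners that flagged it. A port flagged by both is
    corroborated even when the CVE ids differ (1524, the Ingreslock backdoor)."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.port].add(f.scanner)
    return dict(seen)


def remediation_queue(findings, min_cvss=9.0):
    """(port, cvss, name) for every finding at or above min_cvss, highest
    CVSS first, ties broken by port then name so the order is stable."""
    top = sorted((f for f in findings if f.cvss >= min_cvss),
                 key=lambda f: (-f.cvss, f.port, f.name))
    return [(f.port, f.cvss, f.name) for f in top]


def reconcile():
    """Run all three checks over both tables and return the results."""
    nessus, openvas = load("nessus", NESSUS_ROWS), load("openvas", OPENVAS_ROWS)
    both = nessus + openvas
    return {
        "shared_cves": sorted(cve_overlap(nessus, openvas)),
        "shared_ports": sorted(p for p, s in ports_by_scanner(both).items() if len(s) == 2),
        "queue": remediation_queue(both),
    }


if __name__ == "__main__":
    result = reconcile()
    print("CVEs reported by both scanners:", result["shared_cves"] or "none")
    print("ports flagged by both scanners:", result["shared_ports"])
    for port, cvss, name in result["queue"]:
        print(f"{cvss:>4}  tcp/{port:<5} {name}")
```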
  • 8. Metasploit/Armitage Exploits

Once the targets were identified, the next step was to try to find several vulnerabilities within the Metasploitable2 virtual machine. The IP address of the virtual machine was 192.168.75.129.

Ingreslock Vulnerability

The first exploit used was Ingreslock, a backdoor into the Metasploitable system. The exploit was performed using the Armitage software in Kali Linux.
  • 9. NFS/RLogin Vulnerability

The second exploit used was accessing the Metasploitable system using NFS and the rlogin command. A port scan was run on the virtual machine as the system was cracked with root access. The attack was then set up using ssh to obtain the encryption keys for the ssh service, as shown in the next two images.
  • 10. NFS/RLogin Vulnerability (continued)

Here, we can see the login screen of the Metasploitable virtual machine from the Kali Linux machine. Continuing from the above, the root account of the Metasploitable2 virtual machine was accessed. For the exploit to work properly, an RSH client had to be installed on Kali Linux. Below is the result of the vulnerability, where the IP address of the virtual machine, 192.168.75.129, can be seen.
  • 11. Hydra Password Cracking

The first step was to decide which VM to attack: Windows XP or Metasploitable. Metasploitable would be attacked first. To do this, a wordlist would be needed. I used the lists available in Kali Linux, found with the command cd /usr/share/wordlists, which returned the result below. Seeing a metasploit folder, I opened that directory, which listed some other available wordlists.
  • 12. Hydra Password Cracking (continued)

From the list, the sensitive_files.txt file was chosen. The command hydra -l root -P /usr/share/wordlists/metasploit/sensitive_files.txt -t 6 ssh://192.168.75.129 was used to start the process, as shown below. Once the command was run, no passwords were found against the Metasploitable VM. As the selected password list did not work, the next step was to run an nmap command against the Metasploitable VM to see which services were available.
  • 13. Hydra Password Cracking (continued)

The postgres service was tried with the following command: hydra -l msfadmin -P /usr/share/wordlists/metasploit/postgres_default_pass.txt -t 6 postgres://192.168.75.129. The result was that no passwords were found.
  • 14. Hydra Password Cracking (continued)

Several variations of the postgres service lists were tried but did not return any passwords. The next step was to try a different service. This time, the rlogin service was used with the following command: hydra -l msfadmin -P /usr/share/wordlists/metasploit/root_userpass.txt rlogin://192.168.75.129. The result, shown below, found 15 passwords and logins.

Wireless Hacking

In this scenario, a Linksys E4200 router was used with WPA2 Personal encryption. An Alfa wireless adapter was used with Kali Linux to attempt to crack the router admin password and display it. I had some issues connecting to the router, so it had to be reset to factory settings. Once it was set up, the airodump-ng wlan0monmon command was used to scan the available wireless networks. Below is the finding for the Linksys router used for this test; the router is labeled as Cisco07667.
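Each of the Hydra runs described above leaves a dense burst of failed logins in the target's auth log, which is the artifact a defender monitors for. The following is an added example, not part of the report: a Python detector over constructed sshd log lines (the guessing host 192.168.75.128, the hostname and the process ids are assumed) that flags a source producing six failed passwords within a minute, roughly what hydra -t 6 looks like on the wire, and records whether a later successful login came from the same address.

```python
"""Flag password-guessing bursts in sshd auth logs.

Added example, not part of the report. SAMPLE_LOG is constructed to look like
what Metasploitable2's sshd would write to /var/log/auth.log during the hydra
run above (-t 6 opens six connections at once); the guessing host
192.168.75.128, the hostname and the process ids are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password|Invalid user)"
    r"(?: for)?(?: invalid user)? (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line, year=2016):
    """Return (timestamp, result, user, ip) or None for lines we do not track."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["result"], m["user"], m["ip"]


def detect_bursts(lines, threshold=6, window_s=60):
    """Return {ip: {...}} for every source that produced `threshold` failed
    passwords within `window_s` seconds; also record the account of any later
    successful login from that source, the sign that a guess worked."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    failures = defaultdict(int)   # ip -> total failures seen
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed password":
            # 'Invalid user' lines are always paired with a 'Failed password'
            # line for the same attempt, so only the latter is counted.
            failures[ip] += 1
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {"burst_at": ts, "success_after_burst": None}
        elif result == "Accepted password" and ip in alerts:
            alerts[ip]["success_after_burst"] = user
    for ip, alert in alerts.items():
        alert["failures"] = failures[ip]
    return alerts


# Constructed sample: eight guesses for root in three seconds from .128, one
# unrelated typo from .1, then a successful login from the guessing host.
SAMPLE_LOG = [
    "Mar 18 10:02:00 metasploitable sshd[4912]: Failed password for root from 192.168.75.128 port 41022 ssh2",
    "Mar 18 10:02:00 metasploitable sshd[4913]: Failed password for root from 192.168.75.128 port 41023 ssh2",
    "Mar 18 10:02:01 metasploitable sshd[4914]: Failed password for root from 192.168.75.128 port 41024 ssh2",
    "Mar 18 10:02:01 metasploitable sshd[4915]: Invalid user admin from 192.168.75.128",
    "Mar 18 10:02:01 metasploitable sshd[4915]: Failed password for invalid user admin from 192.168.75.128 port 41025 ssh2",
    "Mar 18 10:02:01 metasploitable sshd[4916]: Failed password for root from 192.168.75.128 port 41026 ssh2",
    "Mar 18 10:02:02 metasploitable sshd[4917]: Failed password for root from 192.168.75.128 port 41027 ssh2",
    "Mar 18 10:02:02 metasploitable sshd[4918]: Failed password for root from 192.168.75.128 port 41028 ssh2",
    "Mar 18 10:02:02 metasploitable sshd[4919]: Failed password for msfadmin from 192.168.75.1 port 50211 ssh2",
    "Mar 18 10:02:03 metasploitable sshd[4920]: Failed password for root from 192.168.75.128 port 41029 ssh2",
    "Mar 18 10:02:03 metasploitable sshd[4920]: Connection closed by 192.168.75.128 [preauth]",
    "Mar 18 10:02:05 metasploitable sshd[4921]: Accepted password for msfadmin from 192.168.75.128 port 41030 ssh2",
]


if __name__ == "__main__":
    for ip, alert in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {alert['failures']} failed logins, burst at "
              f"{alert['burst_at']:%H:%M:%S}, later success as "
              f"{alert['success_after_burst'] or 'none'}")
```

The same sliding-window count applied to the PostgreSQL or rlogin service logs would catch the other two Hydra runs; only the line pattern changes.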
  • 15. Wireless Hacking (continued)

The next step was to select a password from one of the password wordlists in the Kali Linux system. The dictionary files were located at /usr/share/wordlists. The password I chose to use is superman 21241036. A couple of days after the router was set up, I realized the WPA was set up on the 5 GHz band instead of the 2.4 GHz band. This is why the router showed up as having open security. I went back into the router and verified this was the issue. I changed the WPA on the 2.4 GHz band to the correct setting as described above. The result is shown below.
  • 16. Wireless Hacking (continued)

The command airodump-ng wlan0 --channel 11 was used, which provided the result below. Then the command airodump-ng wlan0 --channel 11 --write Cisco07667-psk was used. I then disconnected my laptop from the router by removing the LAN cable that was used for configuration. The wireless card was set up to connect to the Cisco SSID using the password given above. As shown in the result below, the Windows 8 computer connected and the WPA handshake was captured.
  • 17. Wireless Hacking (continued)

Once the handshake was captured, the command aircrack-ng Cisco07667-psk-01.cap was run, which displayed the result below. Option 3 was selected to start the dictionary attack. As no dictionary file had been specified, the command aborted. The cowpatty utility was used to verify that the dictionary file could be accessed. The following command was used to start the process: cowpatty -f /usr/share/wordlists/metasploit/routers_userpass.txt -r Cisco07667-psk-01.cap -s Cisco07667. As shown, the password from the dictionary file is displayed.
  • 18. Wireless Hacking (continued)

For the WPA2 part of the assignment, the router was configured to use WPA2 Personal. The password was left the same. The same command was used for WPA2 as for WPA. The result is below. The laptop was disconnected from the wireless network and then reconnected to obtain a WPA handshake.
  • 19. Wireless Hacking (continued)

The next step was to crack the WPA2 key. I used the command aircrack-ng Cisco07667-psk-01.cap -w /usr/share/wordlists/metasploit/routers_userpass.txt to start the cracking process. The screen below appeared, asking for the SSID to crack. Option 3 was selected. The result of the cracked key is shown below.
  • 20. Maltego

During this lab, Maltego was used to scan the Rasmussen.edu website to obtain information related to infrastructure and email addresses. Maltego is an open-source intelligence and forensics application. I started Maltego and ran through the first-time setup wizard. I was initially unable to get the program to function but determined
  • 21. Maltego (continued)

I canceled out of the setup screen to set up a new session. I selected the URL option to scan a website and chose the Company Stalker option. The next screen brought me to the domain name screen. I selected the rasmussen.edu website to scan against.
  • 22. Maltego (continued)

I received the following message and selected the Run button to continue.
  • 23. Maltego (continued)

Once the scan was completed, the list of email addresses below appeared. Once the results were processed, the map below appeared. Taking one of the email addresses that appeared, the extrapolation below can be found. In the screenshot, the Rasmussen user was found with additional email addresses for other people at other locations.
  • 25. Conclusion

If this were a real company, there would have been many vulnerabilities and compromises of critical company assets. There were many instances of weak passwords and systems that were not properly patched. Patching the Metasploitable2 virtual machine would have fixed some of the issues found in this report.
  • 26. Recommendations

Due to the impact on the overall organization uncovered by this penetration test, appropriate resources should be allocated to ensure that remediation efforts are accomplished in a timely manner. While a comprehensive list of items that should be implemented is beyond the scope of this engagement, some high-level items are important to mention. It is important to note that the recommendations listed below relate to the Metasploitable2 virtual machine, used for learning purposes, and do not reflect attacks against any Rasmussen networks.

1. Strong credentials should be used for all systems, file systems, and directories. Several weak passwords were found in multiple applications and services. NIST SP 800-118 is recommended for guidelines on setting up and operating an enterprise password policy.

2. Change control over access to all systems should be implemented in a company to ensure proper security and so that insecure deployments are discovered and quickly addressed.

3. Patch management should be implemented in all companies to maintain good security and frequent updates. Many of the issues found in the virtual machine could have been avoided by having the system patched regularly.

4. Performing regular vulnerability assessments and disaster recovery exercises should be part of a company plan and should be conducted on a regular basis. NIST SP 800-37 has guidelines that can be used as a basis for security controls and monitoring.
  • 27. Risk Rating

While Rasmussen systems were accessed for these learning exercises, it should be noted that none of the Rasmussen systems were compromised in any way. Analyzing the Metasploitable2 virtual machine showed many risks and vulnerabilities, such as backdoors and a lack of security controls. As a result of these tests, the risk associated with the virtual machine is rated High. If the virtual machine were a company computer system, it can be assumed that an attacker with malicious intent would gain access to vital systems.
  • 28. Appendix A: Vulnerability Detail and Mitigation

Risk Rating Scale

In accordance with NIST SP 800-30, exploited vulnerabilities are ranked based on likelihood and impact to determine overall risk. The impacts and remediations listed are general in nature.

Default or Weak Credentials

Rating: High

Description: An external interface can present risk when set up with weak passwords taken from a dictionary.

Impact: For Windows systems, Group Policy should set a local administrator password on all hosts within the scope of the GPO. Using the same local administrator password on corporate systems allows an attacker with appropriate access to use the well-known "pass-the-hash" attack vector, which lets the attacker authenticate to every host that shares the same password using only the retrieved password hash.

Remediation: Ensure all administrative interfaces are secured with complex passwords. Ensure user accounts are also set up with complex password guidelines. User passwords should be changed at least every 60 days. Administrative passwords should be changed as needed or secured with limited access and auditing.

Password Reuse

Rating: High

Description: While the same password was not shown on many systems in the virtual machine, password reuse is a common practice and should be avoided where possible.

Impact: Password reuse in general is a practice that should be strongly discouraged and prevented as much as possible. Reusing the same password enlarges the attack surface.

Remediation: Password management policies should be updated for all systems. Windows systems should use domain-level Group Policy to enforce password complexity and history. Linux and Mac systems should use similar techniques for user and system accounts. Local administrator accounts should be disabled wherever possible.
  • 29. Appendix A: Vulnerability Detail and Mitigation (continued)

Open Ports

Rating: High

Description: A number of service and default ports were shown to be open and not secured on the Metasploitable2 virtual machine.

Impact: Allowing ports to remain open allows potential attacks, which increases the risk to a company.

Remediation: It is recommended to close available ports that are not in use by applications or system processes. This would reduce the attack surface.

Patch Management

Rating: High

Description: Metasploitable2 contained a number of applications and services that were not patched.

Impact: Combinations of weak passwords and unpatched services, systems, and applications can allow an attacker to compromise a system. Once the system is compromised, the attacker has the ability to access other networked systems.

Remediation: All corporate assets should be kept current with the latest vendor-supplied security patches. This can be achieved with vendor tools or third-party applications, which can provide an overview of all missing patches. In many instances, third-party tools can also be used for patch deployment throughout a heterogeneous environment.