Lab Manual: Module 12 Hacking Web Servers
Lab Scenario

Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at server-side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on the web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets.
If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk. As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.
Lab Objectives

The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
- Footprint web servers
- Crack remote passwords
- Detect unpatched security flaws
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Environment

To carry out this, you need:
- Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
- A computer running Windows Server 2012 as host machine
- A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine
- A web browser with Internet access
- Administrative privileges to run tools
Lab Duration

Time: 40 Minutes
Overview of Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.
Lab Tasks

Recommended labs to demonstrate web server hacking:
- Footprinting a web server using the httprecon tool
- Footprinting a web server using the ID Serve tool
- Exploiting Java vulnerabilities using Metasploit Framework
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab 1: Footprinting a Webserver Using the httprecon Tool

The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.
Lab Scenario

Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of ... more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.
Lab Objectives

The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
- Use the httprecon tool
- Get a web server footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Environment

To carry out the lab, you need:
- httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
- If you decide to download the latest version, then screenshots shown in the lab might differ
Lab Duration

Time: 10 Minutes
Overview of httprecon

httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.
TASK 1: Footprinting a Webserver

Lab Tasks

1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.
[Figure: httprecon 7.3 main window. Menus: File, Configuration, Target, Fingerprinting, Reporting, Help. Target URL field (http://) and port field (80). Test-case tabs: GET existing, GET long request, GET nonexisting, GET wrong protocol, HEAD existing, OPTIONS common. Result columns: Name, Hits, Match %.]
4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
5.
6.

Note: httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

[Figure: httprecon result for the entered website. The GET existing tab shows the captured response:]

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

[Matchlist (352 Implementations), with tabs Fingerprint Details and Report Preview:]

Name                     Hits   Match %
Microsoft IIS 6.0         88    100
Microsoft IIS 5.0         71    80.68
Microsoft IIS 7.0         63    71.59
Microsoft IIS 5.1         63    71.59
Sun ONE Web Server 6.1    63    71.59
Zeus 4.3                  62    70.45
Apache 1.3.37             62    70.45
Apache 1.3.26             60    68.18

Note: The scan engine of httprecon uses nine different requests, which are sent to the target web server.
7.

Note: httprecon does not rely on simple banner announcements by the analyzed software.

[Figure: The GET long request tab shows the captured response:]

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

[Fingerprint Details panel, fields: Protocol, Version, Statuscode, Statustext, Banner, X-Powered-By, Header Spaces, Capital after Dash, Header-Order, Full Header-Order, Limit. Values legible in the figure: Protocol HTTP; Version 1.1; Statuscode 400; Header Spaces 1; Capital after Dash 1; Header-Order Content-Type,Date,Connection,Content-Length; Full Header-Order Content-Type,Date,Connection,Content-Length. Status bar: Ready.]

FIGURE 1.3: The fingerprint and GET long request result of the entered website
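The fingerprint elements listed in the figure above (protocol, version, status code and text, Server banner, X-Powered-By, header spacing, capitalisation after dashes, header order) can be extracted from any captured response, which is how a defender checks what a server gives away before an outside tool does. The following Python script is an added example, not httprecon's own code and not part of the original manual. It parses the two responses reproduced in the figure (embedded here as constructed sample input copied from the figure), reports the same elements, and lists the headers a hardening review would remove because they name the implementation. The DISCLOSURE_HEADERS list is this example's choice, not an httprecon setting.

```python
# Added example: extract httprecon-style fingerprint elements from captured
# HTTP responses and flag implementation-disclosing headers.  Not httprecon's
# own code; the sample responses are constructed from the lab figure.

# Headers that name the server implementation.  A hardening review removes or
# genericises them.  This list is the example's choice, not an httprecon setting.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Response from the "GET existing" test case shown in the figure (constructed).
GET_EXISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Content-Length: 8451\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://juggyboy.com/index.html\r\n"
    "Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    "Accept-Ranges: none\r\n"
    'ETag: "a47ee9091a0cd1:7a49"\r\n'
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)

# Response from the "GET long request" test case (HTTP 400), no banner at all (constructed).
GET_LONG_REQUEST = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
)


def _split_headers(raw):
    """Return (status_line, [(name, raw_value), ...]) for one raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.split("\r\n") if ln]
    headers = []
    for line in lines[1:]:
        # Split on the first colon only: values such as ETag or URLs contain colons.
        name, _, value = line.partition(":")
        headers.append((name, value))
    return lines[0], headers


def fingerprint(raw):
    """Extract the elements httprecon compares.  These differ between httpd
    implementations even when the Server banner has been removed or faked."""
    status_line, headers = _split_headers(raw)
    parts = status_line.split(" ", 2)
    protocol, _, version = parts[0].partition("/")
    names = [n for n, _ in headers]
    values = {n.lower(): v.strip() for n, v in headers}
    return {
        "protocol": protocol,
        "version": version,
        "statuscode": int(parts[1]),
        "statustext": parts[2] if len(parts) > 2 else "",
        "banner": values.get("server", ""),
        "x_powered_by": values.get("x-powered-by", ""),
        # Header Spaces: does the server put a space after every colon?
        "header_spaces": bool(headers) and all(v.startswith(" ") for _, v in headers),
        # Capital after Dash: "Content-Type" rather than "Content-type"?
        "capital_after_dash": bool(names) and all(
            seg[:1].isupper() for n in names for seg in n.split("-")),
        # Header order is the element that survives banner removal.
        "header_order": ",".join(names),
    }


def disclosures(raw):
    """Headers in the response that leak the implementation (a hardening finding)."""
    _, headers = _split_headers(raw)
    return [n for n, _ in headers if n.lower() in DISCLOSURE_HEADERS]


if __name__ == "__main__":
    for label, resp in (("GET existing", GET_EXISTING), ("GET long request", GET_LONG_REQUEST)):
        print(label)
        for key, val in fingerprint(resp).items():
            print(f"  {key:>20}: {val}")
        print(f"  disclosing headers: {disclosures(resp) or 'none'}")
```

Run it against responses captured from your own servers: the Server and X-Powered-By findings are the easy fixes, but the 400 response shows why the lab's note says httprecon does not rely on banners. Even with no banner, the header order, spacing and status text still match one implementation's database entry, so removing banners reduces casual disclosure without defeating fingerprinting.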
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon Tool

Questions

1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.
Lab 2: Footprinting a Webserver Using ID Serve

ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
Lab Scenario

In the previous lab you have learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint. It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.
Lab Objectives

This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
- Use the ID Serve tool
- Get a web server footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Environment

To carry out the lab, you need:
- ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
- You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
- If you decide to download the latest version, then screenshots shown in the lab might differ
Lab Duration

Time: 10 Minutes
Overview of ID Serve

ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.
TASK 1: Footprinting a Webserver

Lab Tasks

1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.
[Figure: ID Serve main window with tabs Background, Server Query, Q&A/Help. Field 1: "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)". Field 2: "When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server", with Query The Server and Copy buttons.]
4. In option 1 (or copy/paste an Internet server URL or IP address), enter the website (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (IP address is where the real home site is hosted) in step 1.
6. Click Query the Server to start querying the entered website.
7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.

Note: ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

[Figure: ID Serve Server Query tab showing the query results for the entered website.]
Lab Analysis

Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved: Server Identified: Microsoft-IIS/8.0; Server Query Processing:
Questions

1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?
Lab 3: Exploiting Java Vulnerability Using Metasploit Framework
Lab Scenario

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Objectives

The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.
Lab Environment

In this lab, you need:
- A computer running Windows Server 2012 as host machine
- Windows 8 running on virtual machine as target machine
- A web browser and Microsoft .NET Framework 2.0 or later in both host and target machine
- JRE 7u6 running on the target machine (remove any other version of JRE installed in the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
- Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration

Time: 20 Minutes
Overview of the Lab

This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.
TASK 1: Installing Metasploit Framework

1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure. Click I Understand the Risks to continue.
3.
[Figure: Firefox "This Connection is Untrusted" warning for the Metasploit web interface at https://localhost:3790 ("You have asked Firefox to connect securely to localhost:3790, but we can't confirm that your connection is secure"), with the options Get me out of here, Technical Details, and I Understand the Risks.]
Note: The exploit takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6.
4. Click Add Exception.

Note: It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package).

[Figure: The same Firefox warning page with the Add Exception button displayed under I Understand the Risks.]
5.

[Figure: Firefox "Add Security Exception" dialog: "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this." Certificate Status: "This site attempts to identify itself with invalid information. Wrong Site: Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature."]

Note: With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.
6.

Note: Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

[Figure: Metasploit initial account setup form: Username, Password, Password confirmation, Optional Info & Settings (Email address, Organization, Time zone (GMT 00:00) UTC), Create Account.]
7.

TASK 2: Product Key Activation
Note: This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

[Figure: Rapid7 license registration page (product key request form: First Name, Last Name, Email Address, Organization) and the Metasploit product selection page offering Metasploit Pro (trial) or the free Metasploit Community Edition.]
9.

Note: To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

[Figure: License email from Rapid7 showing the product key WNMW-J8KJ-X3TW-RN68: "Thank you for choosing Rapid7 Metasploit Community Edition. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose - for free. Your license is valid for one year and expires on 11/15/2013. When your license runs out, you can simply apply for a new license using the same registration mechanism."]
[Figure: Metasploit "4 More Steps To Get Started" page: 1. Copy the Product Key from the email we just sent you. 2. Paste the Product Key here (WNMW-J8KJ-X3TW-RN68). 3. Click Next on this page. 4. Then click Activate License on the next page.]

Note: The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.
[Figure: "Activate Your Metasploit License" page: 1. Get Your Product Key (choose the product that best meets your needs, Metasploit Pro or the free Metasploit Community Edition; if you already have a commercial license product key you can skip this step). 2. Enter the product key (WNMW-J8KJ-X3TW-RN68). Option to use an HTTP proxy to reach the Internet.]

FIGURE 3.9: Metasploit Activation

Note: The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.
TASK 3: Updating Metasploit
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a VirtualBox Host Only network.)
This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.
TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.
This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
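The two Metasploitable findings above, the r-services trusting every host through ".rhosts + +" and NFS exporting "/", are both cases of a service configured to trust anyone. As an added defender-side example, not part of the lab manual and not Metasploitable's own files, the Python script below parses rhosts/hosts.equiv-style and /etc/exports-style text and reports the entries that grant such access. The file contents it checks are constructed for the example.

```python
"""Audit for the two 'trust anyone' misconfigurations discussed above.

Added example: parses rhosts/hosts.equiv-style and /etc/exports-style files
and reports entries that grant access to any host. Sample contents are
constructed for this example; they are not the Metasploitable 2 files.
"""

# Constructed sample of a ~/.rhosts or /etc/hosts.equiv file.
SAMPLE_RHOSTS = """\
# trusted hosts for rlogin/rsh
+ +
admin-box.example.internal alice
"""

# Constructed sample /etc/exports file.
SAMPLE_EXPORTS = """\
/ *(rw,sync,no_root_squash)
/home 10.0.0.0/24(rw,sync)
/srv/pub *(ro,sync)
"""


def rhosts_findings(text):
    """Return (line number, issue) pairs for wildcard entries.

    In rhosts syntax the first field is a host and the optional second field
    a user; '+' in either position means 'any'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((lineno, "any-host-any-user"))
        elif host == "+":
            findings.append((lineno, "any-host"))
        elif user == "+":
            findings.append((lineno, "any-user"))
    return findings


def exports_findings(text):
    """Return one finding per risky client clause in an exports file.

    Each finding records the line, path, client and the set of issues found:
    'root-export' (the whole filesystem is shared), 'any-host' (client is '*'
    or missing) and 'no_root_squash' (remote root keeps root privileges).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = [""]  # an export with no client list is open to everyone
        for token in clients:
            if "(" in token:
                host, opts = token.split("(", 1)
                options = {o.strip() for o in opts.rstrip(")").split(",") if o.strip()}
            else:
                host, options = token, set()
            issues = set()
            if path == "/":
                issues.add("root-export")
            if host in ("", "*"):
                issues.add("any-host")
            if "no_root_squash" in options:
                issues.add("no_root_squash")
            if issues:
                findings.append(
                    {"line": lineno, "path": path, "host": host or "*", "issues": issues}
                )
    return findings


if __name__ == "__main__":
    for lineno, issue in rhosts_findings(SAMPLE_RHOSTS):
        print(f"rhosts line {lineno}: {issue}")
    for f in exports_findings(SAMPLE_EXPORTS):
        print(f"exports line {f['line']}: {f['path']} -> {f['host']}: {sorted(f['issues'])}")
```

Pointed at the real files (for example the contents of /etc/exports and /etc/hosts.equiv), the same two functions give a host-configuration check that catches exactly the conditions the walkthrough above depends on: a "+ +" trust line, or "/" exported to "*" with root squashing disabled.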
18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.
The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.
TASK: Running the Exploit
Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.
A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.
22. Configure the exploit settings:
a. In Payload Options, set the Connection Type to Reverse and, in Listener Host, enter the IP address where Metasploit is running.
b. In Module Options, enter the SRVHost IP address where Metasploit is running. Enter the URI Path (in this lab we are using greetings) and click Run Module.
c.
IPv6 is the latest version of the Internet Protocol, designed by the Internet Engineering Task Force to replace the current version, IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.
FIGURE 3.20: Metasploit Running Module
In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.
24. Now switch to the Windows 8 virtual machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.
25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.
Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.
26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.
Project Management
A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.
FIGURE 3.23: Metasploit Capturing the reverse connection of the targeted machine
User Management
Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.
Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
29. You can view the information of the target machine.
System Management
As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.
FIGURE 3.26: Metasploit Target Machine System Information
Host Scan
A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.
Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.
If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.
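Because a successful bruteforce ends in an ordinary-looking login, the telltale sign for a defender is the burst of failures that precedes it. The following added example, which is not from the lab manual or from Metasploit, scans constructed sshd auth log lines, flags a source that produces five or more failed passwords within a minute, and flags any later accepted login from that source. Hostname, PIDs, ports and user names in the sample are made up; 10.0.0.10 is the Metasploit host from the lab.

```python
"""Added example: flag password-guessing activity in sshd auth log lines.

The log lines below are constructed for this example (hostname, PIDs, ports
and users are made up); 10.0.0.10 plays the guessing host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Nov 15 13:58:01 target sshd[2101]: Failed password for admin from 10.0.0.10 port 50110 ssh2
Nov 15 13:58:02 target sshd[2103]: Failed password for invalid user guest from 10.0.0.10 port 50112 ssh2
Nov 15 13:58:02 target sshd[2105]: Failed password for root from 10.0.0.10 port 50114 ssh2
Nov 15 13:58:03 target sshd[2107]: Failed password for invalid user test from 10.0.0.10 port 50116 ssh2
Nov 15 13:58:03 target sshd[2109]: Failed password for admin from 10.0.0.10 port 50118 ssh2
Nov 15 13:58:04 target sshd[2111]: Accepted password for admin from 10.0.0.10 port 50120 ssh2
Nov 15 14:10:44 target sshd[2300]: Failed password for alice from 10.0.0.5 port 41002 ssh2
Nov 15 14:12:10 target sshd[2302]: Accepted password for alice from 10.0.0.5 port 41004 ssh2
"""

# Matches the two sshd password-auth outcomes; "invalid user" is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2012):
    """Parse sshd password-auth lines into (timestamp, source, user, accepted)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a password-auth line
        # syslog lines carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failures inside the window,
    and for any later successful login from such a source."""
    alerts = []
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    flagged = set()
    for ts, src, user, accepted in parse_events(text):
        if not accepted:
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "count": len(recent[src]), "at": ts})
        elif src in flagged:
            # the guessing worked: this is the session the attacker now holds
            alerts.append({"type": "success-after-bruteforce", "src": src,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted login from the same source is the log-side view of the open session described above, and the account named in it is the one to reset and investigate first.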
Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.
Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.
33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.
Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.
Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and e-mail template.
34. The following screenshot shows the IP address and other details of your target machine.
WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.
A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.
A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.
FIGURE 3.33: Metasploit Terminating Session
You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.
FIGURE 3.34: Metasploit Session Killed and Logging out
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Metasploit Framework
Information Collected/Objectives Achieved:
Output: Interface Information
Name: etl14-Microsoft Hyper-V Network Adapter
Hardware MAC: 00:00:00:00:00:00
MTU: 1500
IPv4 Address: 10.0.0.12
IPv4 Netmask: 255.255.255.0
IPv6 Address: fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::
Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.