CEH v8 Labs Module 12 Hacking Webservers PDF

C EH
Lab M a n u a l
H a c k in g
e b
S e r v e r s M o d u le 12
M odule 12 - H ackin g W e b servers
H a c k in g
W e b
S e r v e r s
A. w e bs e r v e r ,w h ic hc a nb er e fe r re dt oa st h eh a r d w a r e ,t h ec o m p / / t e r , ort h es o f t w a r e , is t h ec o m p u t e ra p p lic a tio nthath e lp st od eliverc o n t e n tthatc a nb ea c c e s s e dt h r o u g h t h eIn tern et.

i con
[ Z 7 V a lu a b le in fo r m a tio n
key
L a b S c e n a r io
T o d a y , m o s t o f o n lin e se rv ic e s a re im p le m e n te d as w e b a p p lic a tio n s . O n lin e b a n k in g , w e b s e a rc h e n g in e s , e m a il a p p lic a tio n s , a n d so c ia l n e tw o rk s a re ju s t a fe w e x a m p le s o f s u c h w e b se rv ic e s. W e b c o n te n t is g e n e r a te d 111 re a l tim e b y a s o f tw a re a p p lic a tio n r u n n in g a t s e rv e r-sid e . S o h a c k e rs a tta c k 0 1 1 th e w e b s e r v e r to ste a l c re d e n tia l in f o r m a tio n , p a s s w o rd s , a n d b u s in e s s in f o r m a t io n b y D o S (D D o s ) a tta c k s , S Y N flo o d , p in g flo o d , p o r t sc a n , s n iffin g a tta c k s , a n d so c ia l e n g in e e rin g a tta c k s. 1 1 1 th e a re a o f w e b se c u rity , d e s p ite s tr o n g e n c r y p tio n 0 11 th e b ro w s e r - s e r v e r c h a n n e l, w e b u s e rs still h a v e 1 10 a s s u ra n c e a b o u t w h a t h a p p e n s a t th e o th e r e n d . W e p r e s e n t a s e c u rity a p p lic a tio n th a t a u g m e n ts w e b s e rv e rs w ith tr u s te d c o -s e rv e rs com posed of liig li-a s s u ra n c e s e c u re c o p r o c e s s o r s , c o n fig u re d w ith a p u b lic ly k n o w n g u a rd ia n p r o g r a m . W e b u s e rs c a n th e n e s ta b lis h th e ir a u th e n tic a te d , e n c ry p te d c h a n n e ls w ith a tr u s te d c o se rv e r, w h ic h th e n c a n a c t as a tm s t e d th ird p a rty 111 th e b ro w s e r - s e r v e r in te r a c tio n . S y ste m s are c o n s ta n tly b e in g a tta c k e d , a n d I T s e c u rity p ro f e s s io n a ls n e e d to b e a w a re o f c o m m o n a tta c k s 0 1 1 th e w e b s e r v e r a p p lic a tio n s . A tta c k e rs u s e s n iffe rs o r p r o t o c o l a n a ly z e rs to c a p tu r e a n d a n a ly z e p a c k e ts . I f d a ta is s e n t a c ro s s a n e tw o r k 111 c le a r te x t, a n a tta c k e r c a n c a p tu r e th e d a ta p a c k e ts a n d u se a s n iffe r to r e a d th e d a ta . 1 1 1 o th e r w o r d s , a s n iffe r c a n e a v e s d r o p 0 1 1 e le c tro n ic c o n v e rs a tio n s . A p o p u la r s n iffe r is W ir e s h a rk , I t s a lso u s e d b y a d m in is tra to rs f o r le g itim a te p u r p o s e s . O n e o f th e c h a lle n g e s f o r a n a tta c k e r is to g a m a c c e ss to th e n e tw o r k to c a p tu r e th e d a ta . I t a tta c k e rs h a v e p h y s ic a l a c c e ss to a r o u t e r
0 1 sw itc h , th e y c a n c o n n e c t th e s n iffe r a n d c a p m r e all tra ffic g o in g th r o u g h th e
Test your k n o w le d g e
W e b e x e r c is e
W o r k b o o k r e v ie w
sy ste m . S tr o n g p h y s ic a l s e c u rity m e a s u re s h e lp m itig a te tin s risk. A s a p e n e tr a tio n te s te r a n d e th ic a l h a c k e r o f a n o rg a n iz a tio n , y o u m u s t p ro v id e s e c u rity to th e c o m p a n y s w e b se rv e r. Y o u m u s t p e r f o r m c h e c k s 0 1 1 th e w e b s e r v e r f o r v u ln e ra b ilitie s , m is c o n fig u ra tio n s , u n p a tc h e d im p r o p e r a u th e n tic a tio n w ith e x te r n a l sy ste m s. s e c u rity fla w s, a n d
L a b O b je c t iv e s
T h e o b je c tiv e o f tin s la b is to h e lp s tu d e n ts le a r n to d e te c t u n p a tc h e d s e c u rity flaw s, v e r b o s e e r r o r m e s s a g e s , a n d m u c h m o r e . T h e o b je c tiv e o f tin s la b is to : F o o tp r in t w e b se rv e rs C ra c k r e m o te p a s s w o rd s D e te c t u n p a tc h e d se c u rity flaw s
C E H Lab Manual Page 731
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
L a b E n v ir o n m e n t
T o e a rn o u t tin s, y o u n eed : & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT oo ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs A c o m p u te r ru n n in g W in d o w S e r v e r 2 0 1 2 a s H o s t m a c h in e A c o m p u te r r u n n in g w in d o w serv er 20 0 8 , w in d o w s 8 a n d w in d o w s 7 as a V irtu al M a c h in e A w e b b ro w s e r w ith I n te rn e t access A d m in istra tiv e p rivileges to 11111 to o ls
L a b D u r a tio n
T u n e : 40 M in u te s
O v e r v ie w o f W e b S e r v e r s
A w e b serv er, w h ic h c a n b e re fe rre d to as d ie h a rd w a re , th e c o m p u te r, o r d ie so ftw are, is th e c o m p u te r a p p lic a tio n d ia t h e lp s to d eliv er c o n te n t th a t c a n b e a c ce sse d th r o u g h th e In te rn e t. M o s t p e o p le d u n k a w e b se rv e r is ju st th e h a rd w a re c o m p u te r, b u t a w e b se rv e r is also th e so ftw are c o m p u te r a p p lic a tio n th a t is in stalled
111 th e h a rd w a re c o m p u te r. T lie p rim a ry fu n c tio n o f a w e b se rv e r is to d eliv er w e b
p a g es o n th e re q u e s t to clien ts u sin g th e H y p e rte x t T ra n s fe r P ro to c o l (H T T P ). T in s m e a n s d eliv ery o f H T M L d o c u m e n ts a n d an y ad d itio n a l c o n te n t th a t m a y b e in c lu d e d b y a d o c u m e n t, su c h as im ag es, style sh e e ts, a n d scrip ts. M a n y g e n e ric w e b serv ers also s u p p o r t serv er-sid e s e n p tin g u sin g A c tiv e S erv e r P ag es (A SP), P H P , o r o d ie r sc rip tin g lang u ag es. T in s m e a n s th a t th e b e h a v io r o f th e w e b se rv e r c a n b e sc rip te d 111 sep ara te files, w lu le th e acm a l se rv e r so ftw a re re m a in s u n c h a n g e d . W e b serv ers are n o t alw ays u s e d fo r se rv in g th e W o rld W id e WT eb. T h e y c a n also b e f o u n d e m b e d d e d in dev ices su c h as p rin te rs , ro u te rs, w e b c a m s a n d serv in g o n ly a lo c a l n e tw o rk . T lie w e b se rv e r m a y d ie n b e u s e d as a p a r t o f a sy ste m fo r m o n ito r in g a n d / o r a d m in iste rin g th e d ev ice 111 q u e stio n . T in s u su a lly m e a n s d ia t n o a d d itio n a l so ftw a re h a s to b e in sta lle d o n th e c lien t c o m p u te r, since o n ly a w e b b ro w s e r is re q u ire d .
m TASK
O v e rv ie w
Lab T asks
R e c o m m e n d e d lab s to d e m o n s tra te w e b se rv e r hack in g : F o o tp r in tin g a w e b serv e r u sin g th e h t t p r e c o n to o l F o o tp r in tin g a w e b serv e r u sin g th e ID S e r v e to o l E x p lo itin g Java v u ln erab ilities u s in g M e t a s p lo i t F r a m e w o r k
Ethical Hacking and Countermeasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
L a b A n a ly s is
A n a ly z e a n d d o c u m e n t th e resu lts re la te d to d ie lab exercise. G iv e y o u r o p in io n 0 11 y o u r ta rg e ts secu rity p o s tu re a n d e x p o su re .
P L E A S E
T A L K
T O
Y O U R
I N S T R U C T O R T O T H I S
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
F o o t p r in t in g h ttp re c o n
e b s e r v e r U s in g
th e
T o o l
The httprecon project undertakes research in thefield o f web serverfingerprinting, also known as http fingerprinting ICON KEY
/ V a lu a b le m t o m ia t io n
W e b a p p lic a tio n s a re th e m o s t i m p o r t a n t w a y s t o r a n o r g a n iz a tio n to p u b lis h in f o r m a tio n , in te r a c t w ith I n t e r n e t u s e r s , a n d e s ta b lis h a n e - c o m m e r c e /e g o v e rn m e n t p re s e n c e . H o w e v e r, if an o rg a n iz a tio n is not r ig o ro u s in c o n fig u rin g a n d o p e r a tin g its p u b lic w e b s ite , it m a y b e v u ln e r a b le to a v a rie ty o f
Test yo u r
**
se c u rity th re a ts . A lth o u g h th e th r e a ts 111 c y b e rs p a c e re m a in la rg e ly th e sa m e as

111 th e p h y s ic a l w o r ld (e.g., fra u d , th e f t, v a n d a lis m , a n d te r r o r is m ) , th e y a re fa r
W o r k b o o k re \
m o r e d a n g e r o u s as a re s u lt. O r g a n iz a tio n s c a n fa c e m o n e ta r y lo s s e s , d a m a g e to r e p u ta tio n , 0 1 le g a l a c tio n i f a n in t r u d e r su c c e s sfu lly v io la te s th e c o n fid e n tia lity o f th e ir d a ta . D o S a tta c k s a re e a sy f o r a tta c k e rs to a tt e m p t b e c a u s e o f th e n u m b e r o t p o s s ib le a tta c k v e c to r s , th e v a rie ty o f a u to m a te d to o ls a v a ila b le , a n d th e lo w skill le v e l n e e d e d to u s e th e to o ls . D o S a tta c k s , as w e ll as th r e a ts o f in itia tin g D o S a tta c k s , a re a ls o in c re a s in g ly b e in g u s e d to b la c k m a il o rg a n iz a tio n s . 1 1 1 o r d e r to b e a n e x p e r t e th ic a l h a c k e r a n d p e n e tr a tio n te s te r, }o n m u s t u n d e r s ta n d h o w to p e r f o r m f o o tp r in tin g 0 1 1 w e b se rv e rs.
T h e o b je c tiv e o f th is la b is to h e lp s tu d e n ts le a r n to f o o t p r in t w e b s e rv e rs . I t w ill te a c h y o u h o w to : H T o o ls d e m o n s tr a t e d in th i s la b a r e a v a ila b le D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs U s e th e h tt p r e c o n to o l G e t W e b se rv e r f o o t p r in t
T o c a rry o u t th e la b , y o u n e e d : h t t p r e c o n to o l lo c a te d a t D :\C EH -T 0 0 ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o l s \ h t t p r e c o n
Ethical Hacking and Countemieasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
Y o u c a n a lso d o w n lo a d d ie la te s t v e r s io n o f h t t p r e c o n f r o m th e lin k h ttp ://w w w .c o m p u te c .c h /p r o je k te /h ttp r e c o n
m Httprecon is an open-source application that can fingerprint an application of webservers.
I f y o u d e c id e to d o w n lo a d th e l a t e s t v e r s io n , th e n s c r e e n s h o ts s h o w n
111 th e la b m ig h t d if fe r
R u n tin s to o l 111 W in d o w s S e r v e r 2 0 1 2 A w e b b r o w s e r w ith I n t e r n e t a c c e ss A d m in is tra tiv e p riv ile g e s to r u n to o ls
L a b D u r a tio n
T u n e : 10 M in u te s
O v e r v ie w o f h t t p r e c o n
h ttp r e c o n is a to o l fo r a d v a n c e d w e b s e r v e r fin g e rp rin tin g , sim ilar to h ttp rin t. T h e h ttp r e c o n p ro je c t d o e s r e s e a r c h 111 th e h e ld o f w e b serv er fin g e rp rin tin g , also k n o w n as h tt p fin g e rp rin tin g . T h e g o a l is h ig h ly a c c u r a t e id e n tific a tio n o f g iv en h ttp d im p le m e n ta tio n s.
TASK 1
F o o tp rin tin g a W eb serv er
Lab T asks
1. N a v ig a te to D :\C E H -T o o ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o l s \ h t t p r e c o n . 2. 3. D o u b le -c lic k h t t p r e c o n . e x e t o la u n c h h t t p r e c o n . T h e m a in w in d o w o f h t t p r e c o n a p p e a rs , as s h o w n 111 th e fo llo w in g fig u re .
11
File Configuration Target
|http;// |
httprecon 7.3
Fingergrinting Reporting Help
1
6 "* |
|80
T ]
GET existing | GET long request | GET nonexisbng | GET wrong protocol | HEAD existing | OPTIONS com * I *
G1 Httprecon is distributed as a Z IP file containing the binary and fingerprint databases.
Full Matchlist | Fingerprint Details | Report Preview |
| Name
j Hits
| Match
% 1
F IG U R E 1.1: httprecon main window
4.
E n t e r th e w e b s ite (U R L ) w w w .ju g g y b o y .c o m th a t y o u w a n t to f o o t p r in t a n d se le c t th e p o r t n u m b e r .
5. 6.
C lic k A n a ly z e to s ta r t a n a ly z in g th e e n te r e d w e b s ite . Y o u s h o u ld re c e iv e a f o o t p r in t o f th e e n te r e d w e b s ite .

h ttp re co n 7.3 - h ttp ://ju g g yb o y.co m :8 0 /
File Configuration Fingerprinting Reporting Help
tewl Httprecon uses a simple database per test case that contains all die fingerprint elements to determine die given implementation.
Target (Microsoft IIS 6.0) I http:// 1 | juggyboy com|
GET existing | GET long request | GET non existing | GET wrong protocol | HEAD existing | OPTIONS com * I * I
HTTP/1.1 200 O K bate: Thu, 1 8 Oct 2012 11:36:10 G M T bontent-Length: 84S1 Content-Type: text/html Content-Location: http: //uggyboy.com/index.html Laat-Modified: Tue, 0 2 Oct 2012 11:32:12 G M T Accept-Ranges: non ETag: "a47ee9091a0cdl:7a49" Server: Microsoft-IIS/6.0 K-Powered-By: ASP.NET
Matchlst (352 Implementations) | Fingerprint Details | Report Preview | | Name Microsoft IIS 6.0 ^ ^ Microsoft IIS 5.0 Microsoft IIS 7 0 Miciosofl IIS 5.1 Sun ONE W eb Server 61 Zeus 4.3 Apache 1.3.37 I Hits 88 71 S3 63 63 62 62 60 | Match 100 80 68. 71. 59 71 59 . 71.59 70.45. . 70.45... 6818 v
%|
22 O
V
V , Apache 1.3.26
m The scan engine of httprecon uses nine different requests, which are sent to the target web server.
F IG U R E 1.2: The footprint result of the entered website
7.
C lick d ie G E T lo n g r e q u e s t tab , w h ic h w ill list d o w n d ie G E T re q u est. T h e n click d ie F in g e r p r in t D e ta ils .

h ttp re co n 7.3 - h ttp ://ju g g yb o y.co m :8 0 /
File Configuration Fingerprinting Reporting Help
1 - l L J |
Target (Microsoft IIS 6.0) I Nip:// j J ^ juggyboy com| [*
GET existing | GET long request ] GET non existing | GET wrong protocol | HEAD existing | OPTIONS com * I * I
HTTP/1.1 400 Bad Request Content-Type: text/html Date: Thu, 1 8 Oct 2012 11:35:20 G H T Connection: close Content-Length: 3 4
Matchlst (352 Implementations)
Fingerprint Details | Report Fêview |
i~ ~ Httprecon does not rely on simple banner announcements by the analyzed software.
Protocol Version Statuscode Statustext Banner K-Povered-By Header Spaces Capital after Dash Header-Order Full Header-Order Limit
Ready
H TTP
1 .1
4 0 0
Content-Type,Date,Connection,Content-Length Content-Type,Date,Connection,Content-Length
1 1
F IG U R E 1.3: The fingerprint and G ET long request result of the entered website
Ethical Hacking and Countenneasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
L a b A n a ly s is
A n aly ze a n d d o c u m e n t d ie resu lts re la te d to th e lab exercise. G iv e y o u r o p in io n 0 11 y o u r ta rg e ts sec im tv p o s tu re a n d e x p o su re .
P L E A S E
T A L K
T O
Y O U R
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
T o o l/U tility
I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d O u t p u t : F o o tp r in t o f th e ju g g y b o y w e b s ite C o n te n t- ty p e : t e x t / h t m l c o n te n t- lo c a tio n : h t t p : / / ju g g v b o v .c o m / 1 n d e x .h tm l E T a g : " a 4 7 e e 9 0 9 1eO cd 1:7 a49 " se rv e r: M i c r o s o f t- I I S /6 .0 X -P o w e re d -B v : A S P .N E T
h ttp re c o n T o o l
Q u e s t io n s
1. A n a ly z e th e m a jo r d if fe re n c e s b e tw e e n classic b a n n e r - g r a b b in g o f th e s e r v e r lin e a n d h tt p r e c o n . 2. E v a lu a te th e ty p e o f te s t r e q u e s ts s e n t b y h t t p r e c o n to w e b se rv e rs.
I n te r n e t C o n n e c tio n R e q u ire d 0 Y es P la tfo rm S u p p o rte d 0 C la s s ro o m !L ab s No
Lab
F o o t p r in t in g S e r v e
e b s e r v e r U s in g
ID
ID Serve is a simple,free, sm all (26 Kbytes), andfastgenera/purpose Internet server identification utility. ICON KEY
/ V a lu a b le in fo r m a tio n
1 1 1 th e p re v io u s la b y o u h a v e le a r n e d to u s e th e h tt p r e c o n to o l, h t t p r e c o n is a
to o l fo r a d v a n c e d w e b s e rv e r fin g e rp rin tin g , s im ila r to h ttp r in t. I t is v e ry im p o r t a n t f o r p e n e tr a tio n te s te rs to b e fa m ilia r w ith b a n n e r - g r a b b in g te c h n iq u e s to m o n i to r s e rv e rs to e n s u r e c o m p lia n c e a n d a p p r o p r ia te se c u rity u p d a te s . U s in g th is te c h n iq u e y o u c a n a lso lo c a te r o g u e s e rv e rs 0 1 d e te r m in e th e ro le o f s e rv e rs w ith in a n e tw o rk . 1 1 1 tin s la b y o u w ill le a r n th e b a n n e r g ra b b in g te c h n iq u e to d e te r m in e a r e m o te ta r g e t s y s te m u s in g I D S e rv e . 111 o r d e r to b e a n e x p e r t e th ic a l h a c k e r a n d p e n e tr a ti o n te s te r, y o u m u s t u n d e r s ta n d h o w to f o o t p r in t a w e b se rv e r.
Test yo u r
**
W o r k b o o k re \
T h is la b w ill s h o w y o u h o w to f o o t p r in t w e b s e rv e rs a n d h o w to u s e I D S erv e . I t w ill te a c h y o u h o w to: H T o o ls d e m o n s tr a t e d in th i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs U s e th e I D S e rv e to o l G e t a w e b s e rv e r f o o t p r in t
T o c a rry o u t th e la b , y o u n e e d : ID S e r v e lo c a te d a t D :\C EH -T 0 0 ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o ls\ID S e r v e Y o u c a n also d o w n lo a d th e la te s t v e r s io n o f ID S e r v e f r o m th e lin k h ttp : / / w w w .g r c .c o m / i d / 1 d s e r v e .h tm I f y o u d e c id e to d o w n lo a d th e l a t e s t v e r s io n , th e n s c r e e n s h o ts s h o w n
111 th e la b m ig h t d if fe r
Ethical Hacking and Countenneasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
R u n tliis to o l o n W in d o w s S e r v e r 2 0 1 2 as h o s t m a c h in e A w e b b r o w s e r w ith I n t e r n e t a c c e s s A d m n iis tra tiv e p riv ile g e s to r u n to o ls
L a b D u r a tio n
T im e : 10 M in u te s
m ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
O v e r v ie w o f ID S e r v e
I D S erv e a tte m p ts to d e te rm in e d ie d o m a in n a m e a sso c ia te d w id i a n IP. T in s p ro c e s s is k n o w n as a r e v e r s e DNS lo o k u p a n d is h a n d y w h e n c h e c k in g fire w a ll lo g s o r r e c e iv in g a n IP a d d r e s s fr o m s o m e o n e . N o t all IP s th a t h a v e a fo rw a rd d ire c tio n lo o k u p (D o m a in -to -IP ) h a v e a r e v e r s e (IP -to -D o m a in ) lo o k u p , b u t m a n y do.
TASK 1
F o o tp rin tin g a W eb serv er
Lab T asks
1. 111 W in d o w s S e rv e r 2 0 1 2 , n a v ig a te to D :\C E H -T o o ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o ls\ID S e r v e . 2. 3. D o u b le -c lic k i d s e r v e . e x e to la u n c h ID S e r v e . T h e m a in w in d o w a p p e a rs . C lic k th e S e r v e r Q u e ry ta b as s h o w n in th e fo llo w in g fig u re.
0 ID S e rv e
ID Serve
In te r n e tS e rv e rId e n tific a tio nU tility ,vl. 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n

Copyright (c) 2003 by Gibson Research Corp.
B a c k g r o u n d | Se iverQ u e r y
Q & A / H e lp
Enter or copy I paste an Internet server URL or IP address here (example: www microsoft.com):
Query The Server
When an Internet U R L or IP has been provided above. press this button to initiate a query of the specified seiver
ID Serve can connect to any server port on any domain or IP address.
Server query processing:
The server identified itself a s :
Copy |
Goto ID Serve web page
F IG U R E 2.1: Welcome screen of ID Serve
4.
111 o p ti o n
1 , e n te r
(0 1 c o p y / p a s t e a n I n t e r n e t s e rv e r U R L o r I P a d d re s s)
th e w e b s i t e (U R L ) y o u w a n t to f o o t p r in t . 5. E n t e r h t t p : / / 1 0 .0 .0 .2 /r e a lh o m e (IP a d d re s s is w h e r e th e re a l h o m e site is h o s te d ) in s te p 1.
Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
6. 7.
C lic k Q u e ry t h e S e r v e r to s ta r t q u e ry in g th e e n te r e d w e b s ite . A f te r th e c o m p le tio n o f th e q u e r y . I D S e rv e d isp la y s th e re s u lts o f th e e n te r e d w e b s ite as s h o w n 111 th e fo llo w in g fig u re.
, _ _ ID Serve uses tlie standard Windows TCP protocol when attempting to connect to a remote server and port.
IDServe
ID
S e rv e
B a c k g r o u n d
In te r n e tS e rv e rId e n tific a tio nU tility .v 1 . 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n C o p y r ig h t(c )2 0 0 3 b yG ib s o n R e s e a r c hC o r p . e tv e rQ u e ry | Q & A / H e lp
Enter or copy / paste an Internet server URL or IP address here (example: www miciosoft.com):
C 1 Ihttp //I 0.0 0.2/realhome|
r2 [
Query The Server
When an Internet URL a IP has been provided above, press this button to initiate a query of the specified server
Server query processing:
H T T P / 112 0 0O K C o n te n tT y p e :t e x t / h t m l L a s tM o d ifie d :T u e ,0 7 A u g2 0 1 20 6 :0 5 :4 6G M T A c c e p tR a n g e s :b y te s E T a q :" c 9 5 d c 4 a f6 2 7 4 c d 1 :0 "__________

1 y= H ID Serve can almost always identify the make, model, and version of any web site's server software.
| Copy The server identified itself a s :
Goto ID Serve web page
F IG U R E 2.2: ID Serve detecting the footprint
L a b A n a ly s is
D o c u m e n t all d ie se rv e r in fo rm a tio n .
P L E A S E
T A L K
T O
Y O U R
I F
Y O U L A B .
H A V E
Q U E S T I O N S
R E L A T E D
T o o l/U tility
I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d S e r v e r I d e n t i f i e d : M ic r o s o f t- I I S /8 .0 S e rv e r Q u e ry P ro c e s s in g :
I D S e rv e
H T T P / 1.1 2 0 0 o k c o n te n t- T y p e : t e x t / h t m l L a s t- M o d if ic a tio n : T u e , 0 7 A u g 2 0 1 2 0 6 :0 5 :4 6 GMT A c c e p t-R a n g e s : b y te s E T a g : " c 9 5 d c 4 a f 6 2 7 4 c d l:0 "
Q u e s t io n s
1. 2. A n a ly z e h o w I D S e rv e d e te r m in e s a s ite s w e b se rv e r. W h a t h a p p e n s i f w e e n te r a n I P a d d re s s in s te a d o f a U R L
I n te r n e t C o n n e c tio n R e q u ire d Y es P la tfo rm S u p p o rte d 0 C la s s ro o m 0 !L a b s 0 No
Ethical Hacking and Countermeasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
3
E x p lo it in g M Ja v a V u ln e r a b ilit y e w o rk U s in g e t a s p lo it F r a m
Metasploitsofin ar eh e lp ss e c u r itya n dITprofessionalsid e n tifys e c u r ityi s s u e s ,v e rify vulnerabilitym it ig a t io n s ,a n dm a n a g ee x p e r t d r iv e ns e c u r itya s s e s s m e n t s .

I CON KEY
_ _ V a lu a b le in fo r m a tio n
P e n e tra tio n te stin g is a m e th o d o f ev alu a tin g th e secu rity o l a c o m p u te r sy stem 0 1 n e tw o rk b y sim u latin g a n a tta c k fro m m alicio u s o u tsid e rs (w h o d o n o t h a v e a n a u th o riz e d m e a n s o f a c cessin g th e o rg a n iz a tio n 's system s) a n d m alicio u s in sid ers (w h o h a v e so m e level o f a u th o riz e d access). T h e p ro c e s s in v o lv e s a n activ e analysis o f th e sy ste m fo r a n y p o te n tia l v u ln erab ilities th a t c o u ld re su lt fro m p o o r o r im p ro p e r sy ste m c o n fig u ra tio n , e ith e r k n o w n a n d u n k n o w n h a rd w a re 0 1 so ftw are flaw s, 01 o p e ra tio n a l w e a k n e sse s 111 p ro c e s s o r te c h n ic a l c o u n te rm e a s u re s. T in s analysis is e a rn e d o u t fro m th e p o s itio n o f a p o te n tia l a tta c k e r a n d c a n in v o lv e active e x p lo ita tio n o f secu rity vuln erab ilities. T h e M e ta sp lo it P ro je c t is a c o m p u te r se c u n tv p ro je c t th a t p ro v id e s in fo rm a tio n about secu rity v u ln erab ilities and aids in p e n e tra tio n te stin g a n d ID S signaU ire d e v e lo p m e n t. Its m o s t w e ll-k n o w n su b p ro je c t is th e o p e n -s o u rc e M e ta sp lo it F ra m e w o rk , a to o l fo r d e v e lo p in g an d e x e c u tin g ex p lo it c o d e ag ain st a re m o te ta rg e t m a c h in e . O th e r im p o rta n t su b p ro je c ts in c lu d e d ie O p c o d e D a ta b a se , sh ellco d e arcluv e, a n d secu rity research . M e ta sp lo it F ra m e w o rk is o n e o f th e m a in to o ls fo r e v ery p e n e tra tio n te st
s
ca
Test yo u r k n o w le d g e
W o r k b o o k r e v ie w
e n g a g e m e n t. T o b e a n e x p e rt etliical h a c k e r a n d p e n e tra tio n te ste r, y o u m u s t h a v e s o u n d u n d e rs ta n d in g o f ]M etasploit F ra m e w o rk , its v a rio u s m o d u le s, ex p lo its, J T T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs p ay lo ad s, a n d c o m m a n d s 111 o rd e r to p e rf o rm a p e n te st o f a target.
T h e o b je ctiv e o f tin s lab is to d e m o n s tra te ex p lo ita tio n o t JD K ta k e c o n tro l o t a ta rg e t m ac h in e . v u ln erab ilities to
1 1 1 d iis lab , y o u n eed :
M e ta s p lo it lo c a te d a t D :\C E H -Tools\C E H v8 M o d u le 1 2 H a c k in g W e b se rv e rsY W e b se rv e r A tta c k T o o ls \M e ta s p lo it
Y o u c a n also d o w n lo a d th e la te st v e rs io n o t M e ta s p lo it F ra m e w o r k fro m d ie lin k h t t p : / A v w w .m eta sp lo 1 t . c o m / d o w n lo a d /
I t y o u d e c id e to d o w n lo a d th e l a t e s t v e rs io n , th e n sc re e n sh o ts s h o w n 111 th e lab m ig h t d itte r
A c o m p u te r ru n n in g W in d o w s S e r v e r 2 0 1 2 as h o s t m a c h in e W in d o w s 8 ru n n in g o n v irtu a l m a c h in e as ta rg e t m a c h in e A w e b b ro w se r a n d M ic ro so ft .N E T F ra m e w o rk 2.0 o r la te r in b o th h o s t a n d ta rg e t m a c h in e
j R E 7116 ru n n in g o n th e ta rg e t m a c h in e (re m o v e a n y o th e r v e rs io n o f jR E in stalled 111 d ie ta rg e t m a c h in e ).T h e |R E 7116 se tu p file (jre-7u6-w111dows1586.exe) is available a t D :\C E H -Tools\C E H v8 M o d u le 1 2 H a c k in g W e b s e r v e r s \W e b s e r v e r A tta c k T o o ls \M e ta s p lo it
Y o u c a n also d o w n lo a d th e T h e I R E 7116 s e tu p tile at h t t p : / A v w w .o ra c le .c o m /te c h n e tw o r k /ia v a /ja v a s e /d o w n lo a d s /ir e 7 d o w n lo a d s^ 163~ 5S S .htm l
D o u b le -c lic k m e ta s p lo it- la te s t- w in d o w s - in s ta lle r .e x e a n d fo llo w th e w iz a rd -d riv e n in sta lla tio n ste p s to install M e ta s p lo it F ra m e w o r k
T im e : 2 0 M in u te s
O v e r v ie w o f t h e L a b
T in s lab d e m o n s tra te s th e e x p lo it th a t tak es a d v a n ta g e o f tw o issu es 111 J D K 7: th e C la ssF in d e r a n d M e d io d F in d e r.fm d M e d io d (). B o th w e re n e w ly in tro d u c e d 111 J D K 7. C la ssF in d e r is a re p la c e m e n t to r c la s sF o rN a m e b a c k 111 J D K 6. I t allow s u n tr u s te d c o d e to o b ta in a re fe re n c e a n d h a v e access to a re s tric te d p ac k a g e in J D K 7, w h ic h can be u se d to a b u se s u n .a w t.S u n T o o lk it (a re s tric te d p ack ag e). W ith su n .a w t.S u n T o o lk it, w e ca n actually in v o k e getF ieldQ b y a b u sin g fin d M e th o d Q m S ta te m e n t.in v o k e ln te rn a lO (b u t getF ieldQ m u s t b e p u b lic , a n d th a t's n o t alw ays d ie case
111
JD K
6.
111 o rd e r
to
access
S ta te m e n ta c c 's
p riv a te
field,
m o d ify
t a s k
1. 2.
In stall M e ta s p lo it o n th e h o s t m a c h in e W in d o w s S e r v e r 2 0 1 2 . A fte r in stallatio n c o m p le te s , it w ill au to m atically o p e n in y o u r d e fa u lt w e b b ro w se r as s h o w n 111 th e fo llo w in g figure. C lick I U n d e r s ta n d t h e R is k s to c o n tin u e .
In s ta llin g M e ta s p lo it F ra m e w o r k
3.
J ! U *rudJC o n n e r l i o n rt t p s : l o i a i t o s t .9 0
1 C *I - G o o g l e
1-
-I* *
5 w
This Connection is Untrusted You h a v ea s k e dF i r e f o xt oc o n n e c ts e c u r e * ) t ol o c a BrosU7 9 0 .t j twe cantc o n f i r mt h a ty o u ! N o r m a l l y ,when yout i y t oc o n n e c ts e c u r e l y ,: i t r . wi p r e s e n tt r e s s e di d e n t i f i c a t i o nt cp r o v et h a ty cu a r eg o i n gt ot h en g h tp l a c e .H o > e v e r .t h i ss i t e ' s d e r & t yc a ntbev e r r f s e d . What Should 1 Do? I f you u s u a l l yc o n n e c tt ot h i ss i t ew i t h o u tp roblem^f l v s 0 *ec>d mu n t i v j tsomeone i s t r y i n gt o i m p e r s o n a t et h es i t eandyous h o u l d n ' tc o n t i n u e . [ Gel me o u l o f h e t e l Technical Details | 1Understand the Risks |
H ie exploit takes advantage of two issues in JD K 7: The ClassFinder and MethodFinder. findMethod( ). Both were newly introduced in JD K 7. ClassFinder is a replacement for classForName back in JD K
6.
FIG U RE 3.1: Metasploit Untrusted connection in web browser
4.
C lick A dd E x c e p tio n .
|+ 1
& h t t p s : 1k > c * K x t .V . ' * f ? C ( JJ* G o o g l e
This Connection is Untrusted
It allows untrusted code to obtain a reference and have access to a restricted package in JD K 7, which can be used to abuse sun.awt.SunToolkit (a restricted package).
You h a v e t k t d / t oc o n n o c t1 1 u l >10 c o n n e c t i o ni >s * c 01 .
1 9 0 . tj t
* 1
c ntc o n f i r m t h a ty o u t
N o rm a lly ,w ih rnyoutrytoe o n n e rtik u rrty t*ew MpnwKtruftrd* Menrep ro v eth a ty o u art g o in gtoth eu g h (p la 1.Ilwrt, tlmt!t1 itfrMj U l
What Should I Do?
Ifyo uu su a llyco n n edtoth isS itew rth o i/ tp o b k n v . th r,moi toJi mun tK tso m e o n entryin gto im p e rso n a teth ea te , an dyo ush o u ld n 'te o n tm u e .
| Gelmeoulolhetel Technical Details IUnderstand the Risks
I Add Excepaoi
FIG U R E 3.2: Metasploit Adding Exceptions
5.
111 th e A dd S e c u r ity E x c e p tio n w iz ard , click C o n firm S e c u r ity E x c e p tio n .
Add S e c u r i t yE x c e p t i o n
You are about to override how Firefox identifies this site. ! Server Location: I liR M M H B M M fe M I
1 *I
Legitimate banks, stores, and other public sites will not ask you to do this.
With sun.awt.SunToolkit, we can actually invoke getFieldQ by abusing findMethod() in StatementiavokeIntemal0 (but getFieldO must be public, and that's not always die case in JD K 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.
Certificate Status This site attempts to identify itself with invalid information. Wrong Site Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
@ Permanently store this exception | Confirm Security Exception | Cancel
FIG U R E 3.3: Metasploit Add Security Exception
6.
O n d ie M e ta sp lo it S e tu p a n d C o n fig u ra tio n L o g in scree n , e n te r te x t 111 d ie U s e rn a m e . P a s s w o r d , a n d P a s s w o r d c o n firm a tio n fields a n d click C r e a te A c c o u n t.
k- M Vti .
Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE , Firefox, Safari, Chrome; Windows, Ubuntu, OS X , Solaris, etc.
(Jlmetasploit
Password coafinrrtc
Optional I n f o& S e t t i n g s
Em ail address orgaattillon I (QMT00:00) UTC
|Q C 10a t Auwni
FIG U RE 3.4: Metasploit Creating an Account
7.
C lick G ET PROD UCT KEY 111 d ie M e ta s p lo it - A c tiv a te M e ta s p lo it w in d o w .
P r o d u c t K ey A c tiv a tio n
This Security Alert addresses security issues CYE-2012-4681 '(USC ERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.
E n te r y o u r v a lid em ail a d d re ss 111 th e M e ta s p lo it C o m m u n ity o p tio n a n d click GO.
F !
mv r e g a i e t * s ? o t p p ^ p ^ x J u c t _ k * y I k f > j t N r n e BtLutName i S t L r n s i l A d d i e i ic 0 1 g
These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle serverbased software.
Choose between two FREE Metasploit Offers
( J ) metasploit
M etatplotl Prohetpt \+ am *! * IT p r0fe1 10 nal m*:*> c* *u t breatftet b yemaer*, corvoxanq broad tcope p enefcatio ntests pnottong yin*jD111t*1 .*no *nfyns C 0 0*0*1 tnc m itigat&r! M etasploit ComTunv plus Snan ejpK M U bsn Password ijd*r; W e0appiisa!: scam .-a Social engeerw3 Tear*coH ab oa*on R po rting S Enterpnse-lew t su pp o rt / f J ' '
G Dmetasploit
~ com m unity
M ct.1r.p 10HCom m unityEd M io ntim plifiot nACfK < c/*r anovu lnerab ility vm ifkaaon far specific eiplolta Increasing Ihe effectiveness o fvulnerabilityscanners ucnasNeo*erortree
FREE EDITION
OR
J S S /
N etw orkdlscoveiy v u l n e r a b i l i t yscann9 rI m p o r t Ba s i ce x p l o i t a t i o n M od ule firovw ef
Lnterem ail address: ___________ < ggm ail.com ||| Go 1
1us Vas pass0 Piease em ail infoQ rapid7 c <
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.
FIG U R E 3.6: Metasploit Community version for License Key
9.
N o w lo g in to y o u r em ail a d d re ss a n d c o p y d ie licen se key as s h o w n 111 d ie fo llo w in g figure.
Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Your Metasploit Community Edition Product Key

Bates, Ariana anana_bates@raptd7 com vis bounces netsuite com
6:27 P M (0 minutes ago)
To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages tins vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
to me
r Rap1d7
Metasploit Product Key
WNMW-J8KJ-X3TW-RN68
Thank you for choosing Rapid7 Metasploit Community Edition Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose -for free Your license is valid for one year and expires on 11/15/2013 When your license runs out, you can simply apply for a new license using the same registration mechanism.____________________________
FIG U RE 3.7: Metasploit License Key in you! email ID provided
10. P a ste d ie p r o d u c t k ey a n d click N e x t to c o n tin u e .

Due to die severity of these vulnerabilities, die public disclosure of teclinical details and die reported exploitation of CVE-20124681 "in die wild," Oracle strongly recommends diat customers apply die updates provided by this Security Alert as soon as possible.
M e t a s p f o i tP r o d u c tK e r
t_ _ l x
.1 ,1
fc
a!>0 1ttria li< e y ,i^ ?p r0d u rt= a1m u rn P !th U R l=h rtp !% 3 A % 2 F% 2 fIo calh o T L 3 A T ?9 (W L 2 F s e t1 jp 3 L i> rtv a l< :A \ *e *w t;
p*
c-
(J)metasploit
4 More Steps To Get Started 1 .Copy t h e ProductKey from theemail we j u s tsent yo u .
2 Paste the Product Key here: [WM.nv jskj x3tw r n 68T 3 .Click Next on this page 4 .Then dick Activate License on the next page
The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing dieir own penetration testing tools. It's a promise.
FIG U R E 3.8: Metasploit Activating using License Key
11. C lick A c tiv a te L ic e n s e to a ctiv ate d ie M e ta sp lo it license.
I. , n r ,
f A . (.. to ceh o afc- SC!*.. , A .* . .,'p.oc..:>cy W NM W-.0 < lX 3T W -RN 68& Sib m H' C I (?I.
(J)m etasploit'
H ie Metasploit Framework will always be free and open source. Tlie Metasploit Project and Rapid7 are fully committed to supporting and growing die Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.
Activate Your Metasploit License
1 . Get Your Product Key Chooseme p r o f l u c lt h a t b e s tntedsj < w rr e e d sM e t a s p i o i lP r oo rt h ef r e eM e t a s p l o i tCommunityE d i t i o n y ou3 i r e a 0 >r a * ta commgn^ tfalorMil i c e n s ep r o d u c tk e /oucansupt h i ss l e p
2 . Enter ProductKey You've Received by Email
P a s te n th ep ro d u c tf c e j t* a lw a ss e n tto fte < J < ss/ ure g is te r e d v a n dd ic kth eA C TW T EL IC E N S EO u H o
13 9 0
| w 1 W W J 6 t U X 3 T W R N 6 8
DU s a nH T T PP ra t*tore a c t!r
FIG U RE 3.9: Metasploit Activation Tlie Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linus designed for testing security tools and demonstrating common vulnerabilities. Version 2 of diis virtual machine is available for download from Soiuceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and odier common virtualization platforms.
12. T lie A c tiv a tio n S u c c e s s f u l w in d o w ap p ears.

1^
A hips/ lot*t> ost. 90
' ' 7 C )
Google
E ~I
I
1
, m i 1 1 i^ ic - io p iw i 1 community H om e Protect* & He H fw * Panel
II
1 1
| ^
Activation Successful
J
âetoôfen
0
0
%rsr^t
Q ut* *ojrct
Starch
1 / Product Mr**
Abating Window* Kemot Management (WinUM) with Metasploit
thow y ,1 ml 0 I (to lau r S T vo w m g1 to1of 1 tn n 0 0 y 1 6 m 0 ?0m jhM 90 Fm h I Pi.vkj 1
*!
laM
I cnem gnt.il D erb,con Mu&lianill *leredlacuaaingvariouiledvvquMof mass crw nage W hen M u b ci to ldm e about theW inRMservice 1w ondered W h ji d o n'twe nav an yM ateap toitm odui* ro rthia Fxploit Trends: Top to Searches for MotAsploit Module* in October T 1re to rrow m cnthl/dose 01 M etasploitep lo !t (renas* Each m o n thw e jarfh erns 11st err* m ost searched eaioit ana a u x ilia ry m odules fro mtns M etaspor. e aa*e T op ro tect usersprivacyt.. Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit. and More! W inRMEx p lo itLibrary Form e lastcoupleweeks M etasplolt coreoanV i& iJto iD a .*d iTieugWCosin8M alone/has & en living in toM icrosoffsWinRMservices w fln $m u:x and@ _sm n3r. UnO lttiese.. Weekly Metasploit Update: Microsoft Windows and SQL. TurboFTP. end M ore? *ccSecUSA20l2Lastweekwas AppSecUSA2012here m A ustin. ivtiid m at exstairscunous aosenceofaweeKtrMetaspioitupoateDioapost Tn*ngrfis o f A ppjec fo rm e, !w e re p nno p articular
IU-... ...
FIG U R E 3.10: Metasploit Activation Successful
as T A S K
3
e
13. G o to A d m in is tra tio n a n d click S o f tw a r e U p d a te s .

X *| - G oogle A dm inhtinlio nT^ | softw are upaates Softw are ucense 1 a a3- P it D
U p d a tin g M e ta s p lo it
()m etasploit
community1 Project* H om e
1 & H id ebw* Pan1 1
FIG U R E 3.11: Metasploit Updating Software
14. C lick C h e c k f o r U p d a te s , a n d a fte r c h e c k in g d ie u p d a te s , click In s ta ll.
By default, Metasploitable's network interfaces are bound to die N A T and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at die link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network)
FIG U R E 3.12: Metasploit Checking for Updates
15. A fte r c o m p le tin g th e u p d a te s it w ill a sk y o u to re sta rt, so click R e s ta r t.
This document outlines many of the security flaws in die Metasploitable 2 image. Currendy missing is documentation on the web server and web application flaws as well as vulnerabilities diat allow a local user to escalate to root privileges. This document will continue to expand over time as many of die less obvious flaws widi diis platform are detailed.
16. W a it u n til M e ta sp lo it restarts.
1^ A I'tlpiJ'locaVrat. w x I- G e o g l ,
c-
fi\ ft
TCP ports 512, 513, arid 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of diis, make sure the "rsh-client" client is installed (on Ubuntu), and run die following command as your local root user. If you are prompted for an SSH key, this means die rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.
I fyou've just finished i n s t a l l i n g Metasploit. the application w i l l now take up to 5 minutes to i n i t i a l i z e . ir* normal please b patient and have a c o f f e e . . . you nave already been usingtne p r o d u c t , *is message may p o i n tt o a bog i nthe a p p l i c a t i o n and r e q u i r ethe M e t a s p l o i t s e r v ices tobe r e s t a r t e dto resume lunctocaity I fthe problem p e r s i s t s you may want toconsul the Mowing r esources. Metasploit Community Edition users: Pease v t o lt r i e R*pid7 Security street forum toseaxnf o ra n s w e r sor po s t a question Metasploit t r i a l users: Please contactyour Rapf7 sales rep r e s e n t a t i v eore t n a i 1fnqrjwd7.com Metasploit users with a support contract: Ptcasc v i s i t t he Rapld7 Customer Canter t of B ca supportease o r *man suPD0rtgraD1d7.c0m
Retrying your request I n 5 seconds . .
FIG U R E 3.14: Metasploit Restarts
17. A fte r c o m p le tio n o f re s ta rt it w ill re d ire c t to M e ta s p lo it - H o m e. N o w click C r e a te N e w P r o je c t fro m d ie P r o je c t d ro p - d o w n list. C re a tin g a N e w M e ta s p lo it P r o je c t

* M e t a s p K x t-P r o j e c t s
..-TP
: m tN e w P r o je c t
yM k l eN t t v v aPmw( 1 S t ' o v *U l P10j c t s
m etasploit
community I act o* o j r n Mo , Q m niict j Search s
4 Pro d u c tMews Abusing Window* Remote Management (WlnRM) with M e t a s p l o i t
Show 1 0 V M i l l M l Q lame u < '-1 Showing1K>1 o f
Horn :
A c t r v cs e s s i o n s
t a s k s owner Memoera o y s t a m 0
Upared w oescnpoo b e u t1how a g o Pnmam I wt li
lato onenight 3 1O artiyco n .M u b txandl w oto dtsaisslngvarious techniques o r mass wm aoe WhenMutmtoldmea&outtheWinRMseivice.iwonoeiea W h a ortwe hM a nyM e t aseon m odulestorm is... E x p l o i tT r e n d s : Top 10 Searches l o r Me t a s p l o i t Modules i nOctober Tim teryo ur m onthsdose o fM etasploit e x p lo ittrends! Each m ow nwe 0a V > ertn 1s tstortne m ost searches e x p lo itand aux iliarym odules iromtneM etasploit dataoase Toprotedusers' prtacy, 1 . . Weekly M e t a s ploit Update: WinRM PartOne, E x p l o i t i n g Metasploit and More! V inR UEploit LibraryFor theI3sl couplew eeks. M etasploit core co n trib u to rD avid gTheLicficCcsm eM aloneyh3s D eend rin oin to M icro so ft'sW m RMserw:es w ith grm icor and @ _s1nn3r U n til these... Weekly Me t a s p l o i t Update: Miaosoft Windows and SQL, TurboFTP, and Mote! *ppSecOSA2012 Last w eekwas AppSecUSA2012here InA ustin , *filch ro a* ex p lainre curious absence o f aweeklyM etasploit U pdate bloe poslThe tal j H so f *wsecfcrme. were (mnop articu la r... Weekly Me t a s p l o i t Update: Reasonnble d i s c l o s u r e . PHP FXF wrappers, and moie!
This is about as easy as it gets. The nest service we should look at is die Network File System (NFS). N FS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below using rpcinfo to identify N FS and showmount -e to determine diat die "/" share (the root of die file system) is being exported.
FIG U RE 3.15: Metasploit Creating a New Project
18. 111 P r o je c t S e ttin g s , p ro v id e th e P r o je c t N a m e a n d e n te r a D e s c rip tio n , leave th e N e tw o rk R a n g e set to its d efau lt, a n d click C r e a te P ro je c t.
n
^ A , .Ip. lo calho it. V. a.
I. , n r ,
(]m etasploit
community1
SB
3 & ar
H ie Metasploit Framework is a penetration testing system and development platform diat you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. Tire basic function of die Metasploit Framework is a module launcher diat allows die user to configure an exploit module and launch the exploit against a target svstem.
I ^
Protect nam e* D escription
aExploit | The e x p l o i ttakes advantage oft i r oiss u e si nJDK 7 The ClassFinder and MethodFinder nndMemod() Botn were newly introduced i nJOK 7 dassFinder i sa replacement f o rc i a s s F . i x N f l r n gback i nJQg 6 R alows untnisted code t ooOtam a reference ana nave access t oa r e s t r i c t e d oa:o?e rJ O K7. a m e ncan oe used to aDuse suna^-SuoJoolKit (a r esrcled package) / / ! sun ^SunTwiwt we can a c t u a l l yinvoke
Networ*r a n g e
Q RvttiKt tonetworkrange
*? R A P I D 7
FIG U R E 3.16: Metasploit Project Settings
19. C lick d ie M o d u le s ta b a fte r d ie p ro je c t is created .

W fl5f40T Ah f c l p s / lott> ost. SC . |+ ? C | ? G oogle P r o t e c t Javatx_ * Account Jason e f iA d m i n i s t r a t i o nr rt community fi # C ' 1 ^ I *1 *
1 (Um etasploit
I community |4kOvervlev 4 * Analysis 1 H o rn Java Lx p to it 0itwnr Sessions Campaigns * Wt*b Apps |& Modules |
j> H e l p
lags
Q) Reports
JZ 1 1
J Overvtew.ProperJavaT ipto Discovery 01 1 0 4 1 3dt*C O M fC 4 0 services dctaclod 0vum eraDM M t *utm ed Penetration MMlOHCpNtd 0 pHtimilt cracked 0 SMB Msr s ttotee 0 SSHk*r* stu k a Q fiplat
"
^ Scan-
aw p nrt j * a^mm ,
0 j t r t o > c c
Evidence Collection I 0 data friesacqaned
Cleanup OctoHdMssoas
iai C oeect... 1 Recent Event*
Cleanep-
----------------------------------------------------------
FIG U R E 3.17: Metasploit Modules Tab
TASK
20. E n te r CVE ID (2012-4681) in S e a r c h M o d u le s a n d click E n te r.
R u n n in g t h e E x p lo it
,'MrtMf** M odu ^ A h t t p s t o o l b o i t .V - a .ii ? c c v _ ' o d u * e 5
F I
C *!I C009l
' H V
* Web Apps i> Modules Tags r, Reports ~ Tasks
Metasploit P 1 o contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality diat die Metasploit Framework provides and enables you to perform multiple tasks simultaneously.
(]m etasploit
community1 ft Overview Analysis Sessions ,} Campaigns
Search Modules
2012-4681
M o d u le Sta tisticsshow Se a rchK eyw o rd s sh o w

Found 10 m atchingm odules M oduleType A uw iery 1 AiMlffy Srvr Expbi 1 1 UOt serverIKPW Srv*fnpW S* Use* 1 S*v L> 1W I Ctnt Up** Ser^rfKpM O S ra ra * A *M i A A * w m tm Ckafipaae?0 localm em clisonvunerawty W M W fee*flnS4cuty4lfln 69er 550r# cto y T rave rsa l wn1C gmSwty UanaerPlu s5 .5b u iM "05 SQ LIn je c tio n iVndew s Lssalal* ServePrm *sjns Lo ca l PnvitgeEtcalato n < * ( ei ncr **rary > * u p n adVurem boy >c1ta p H .-RvM M iar ;!IC CBam X C o d > 4 clto n TirtoHP $ 0 2 3 3 0. PO R TO vrltow cro*yA<)n T 31 Z2 M r_ync p 1e D a cW o o r *SI2O C 3lftcrg o nMrnet U w oc! **ecC o n tn aiH JU w A lto r-fr V g tn w ab M y Ah l*M Q a taiK cr(tttxf C o m m n Sfee u h o n D Hdooiie O u t Z-***rZS. Z 3 \ 2 zrmr-9.zv12 :: M r .2012 2.*tor ,i. 2012 0e *^.01 OcMar t. 2 0 1 2 C;*3 .2 0 1 2 Swfc 2 5 .2 0 1 2 * * '* '.2012 1 4 .2012 2012 *m < < <* KMT mm MfiU ?IMS M odule Ran klo o 5 6 1 3 6 0SVD6 0 6 7 2 8 6 5 6 3 ED S zztei 220 2 2 9 0 4
. ? . *RAPID7
A project is die logical component diat provides die intelligent defaults, penetration testing workflow, and modulespecific guidance dating the penetration test.
FIG U R E 3.18: Metasploit Searching forJava Exploit
21. C lick d ie J a v a 7 A p p le t R e m o te C o d e E x e c u tio n 1111k.

* M e ta sp lo it-McdM
^ A httpi. Iotat> ost. S C .v.-tepscev-'r-odule
c >1
( 1
(]m etasploit
Y community ft Overview n Analysis Sessions ,/ Campaigns # Web Apps *y Modules Tags ^ Hcpoiu
^ Tasks
S t id
Search Modules
201? 4081 M odule Statutes show Searrh trywrrds s i
WirJuk Typv C lint AodKR a rro lC o l r!* C u tb O7
B ID
O SVD B
C 0 6
B 4 B 6 T
'.'RAPID7
111 addition to the

capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, custom reporting, combined widi an advanced penetration testing workflow.
FIG U R E 3.19: MetasploitJava 7 Applet Remote Code Execution Exploit found
22. C o n fig u re d ie ex p lo it settings: a. 111 P a y lo a d O p tio n s set d ie C o n n e c tio n T y p e as R e v e r s e a n d 111 L is te n e r H o s t ,e n te r d ie IP a d d re ss w h e re M e ta sp lo it is ru n n in g . b. 111 M o d u le O p tio n s , e n te r d ie SR V H o s t I P ad d re ss w h e re M e ta sp lo it is ru n n in g . E n te r d ie URI P a th (in d iis la b w e are u sin g greetin g s) a n d click R un M od u le.
c.
^ T I j
A It , !onlhoit -V -a j iipo.c, 2A*i~ k James forsnaw |duck< Jduckgrnetasp*ocim slnnV 'enn3/^m et3sp*0* 0 & *n > iuan .aiquei <)uanva:que:@m Masp:s!::cr o/e SoJa rjetll
( ?I.
m m r n m
3
IPv6 is die latest version of die Internet Protocol designed by die Internet Engineering Task Force to replace die current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.
The m o dule is (*signedtoruninthob acK gro und . ox p lo ib n gdiemsjsterns 3sinycomod. h wc3s0 1Cbrow ser e x p lo its, :?as setne U R 1 PA T HocoonD elowityouwantio co ntrol w hichURL is usecio nost> 6eg** T s srvport coor can & eused cf!a n < ;em e I3tenng per inm e case o t passve u8M ym odules(auxaary) m e moaae caput se *31ae iromne T asiclog alter vw m o iSu tehas tn started Target Sefltogs I Generic (Java Payload) v|
s*yb a1 V p
Interpreter
v|
C o n n o c flo oT yp |Reverse vj
LttonwPwH |1aW -6S3S UllOMrHMl 11Q001Q
T h bcil p o rtto! to no n . Ip o't) N gM w5 5 11 0 rneiynrj eonnectan*(M et) P a '.hto* cu clo mSSL c o rtlfcirtolO o fo al I* tnO e 5 o c V th ovo rw o n0< SSL th e ) h o o k ) toM od T h oU RItou o oto rttu o x p to t1 3 0'ajt * im M AdvancedO p t i o n sshow ivaMoa opooas snow a SS.2 SSO USIX
1 o
FIG U R E 3.20: Metasploit Running Module
23. T h e ta sk is s ta rte d as s h o w n 111 th e fo llo w in g sc re e n sh o t.

^ A hd p i. Io t*t> o s t - X v.i390con-le-
( 1
(]m etasploit
community
In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for die target hosts. For modules, Metasploit Pro provides several payloads diat provide IPv6 support for Windows x86, Linux x86, BSD x86, PH P, and cmd.
f tOverview
ga A n a l y s i s in ti
[_ SmioM Imk
. /Campaigns
* Web Apps
V Module*
lags
3 Reports
~ Tasks Q
m Upton
5Uto < J2 3 1 2 IMS 1 40 1S 3LT C
FIG U R E 3.21: Metasploit Task Started
24. N o w sw itch to W in d o w s 8 V irtu a l M acliu ie, la u n c h d ie C h ro m e b ro w se r a n d e n te r h t t p : / / 10.0.0 .1 0 :8 0 8 0 /g re e tin g s in d ie a d d re ss b a r a n d p re ss E n te r. 25. C lick d ie R un t h i s ti m e fo r Ja v a (T M ) w a s b lo c k e d b e c a u s e it is o u t o f d a t e p r o m p t 111 d ie C h ro m e b ro w se r.
F i l e A c t i o n Medi Clpboard View Hdp
"
Window*; 8 on WIN?N9ST0SG!FN * Virtual Machine Connprtion
O (. O
II I >3 i>
-* C 1 0 Q 0 .1 0 t8 0 8 0 /g reetin g s/
i f JavafTM) was blockec because it is out of date Update plug-in... Run this time
Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.
FIG U R E 3.22: Windows 8 Virtual Machine Running die Exploit
26. N o w sw itch to y o u r W in d o w s S e rv e r 2 0 1 2 h o s t m ac liin e a n d c h e c k d ie M e ta sp lo it ta sk p a n e . M e ta sp lo it w ill sta rt c a p tu rin g d ie re v e rse c o n n e c tio n fro m d ie ta rg e t m acliin e.
^ Ah ti|> K / / 'lo C * i c ti7 9 Q p '1 * o i3 p c c v t W
^7
C1
G o o g le
G D m etasploit' community1
b Overview Analysis . Sessions Campaigns * Web Apps Modules lags _j Reports i _ Tasks 0
Project Management A Metasploit Pro project contains die penetration test diat you want to nm. A project defines die target systems, network boundaries, modules, and web campaigns diat you want to include in die penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems. FIG U R E 3.23: Metasploit Capturing die reverse connection of targeted macliine
27. C lick d ie S e s s i o n s ta b to v ie w d ie c a p tu re d c o n n e c tio n o f d ie ta rg e t m acliin e.
User Management Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from tire Administration menu.
FIG U R E 3.24: Metasploit Session tab
28. C lick d ie c a p tu re d se ssio n to v ie w d ie in f o rm a tio n o f a ta rg e t m a c h in e as s h o w n 111 d ie fo llo w in g sc re e n sh o t.

- a x A .Ip i; loiaNmt. '!C 1 r, e oogle 1 G ____ p { -
G D m etasploit
community Overview M o rn * M Aiiolyv) I ~ Sessions Q ttiinni ^ Cufiipulgns V f>Web Ap|n V Modules lags , Reports 1 Tasks Q Java Ixptvt
ttCoM
(J C M a fw p
Active Sessions
O S M o a t -W ndew ad
| *SCMM 1 Closed Sessions
J #012 100
Type M e tw p re te r
Age
4 mm
0vet1(kj1 1 * * Q .v v * m s e
A ttack M o d u lo + JAW_JRE17JLXEC
Global Settings Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to die diagnostic console through a web browser. Additionally, from global settings, you can create A P I keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
1 Ueissploit C om m une? 4 .4 .0-U & dato2 0 1 2 103 10 1
20 1 0 -2 0 1 2R 8 p itf7 Inc.B 0 3 K *U *
RAPID7
FIG U R E 3.25: Metasploit Captured Session of a Target Machine
29. Y o u c a n v ie w d ie in f o rm a tio n o f th e ta rg e t m a ch in e .
System Management As ail administrator, you can update die license key and perform software updates. You can access die system management tools from the Administration menu.
FIG U R E 3.26: Metasploit Target Machine System information Host Scan A host scan identifies vulnerable systems within die target network range diat you define. When you perform a scan, Metasploit Pro provides information about die services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.
30. T o access d ie tiles o f d ie ta rg e t sy stem , click A c c e s s F ile s y s te m .

I S e s a c 1
c >1 ( 1
(]m etasploit
^ Y r community \ Overview Ânilyib I ~ StwtoM Q ',/Campaigns * Web Apps V I
Session 1 on 10.0.0.12
& 4 1 a k > n T y in i n a t a ip i < p e j 3 > 1 * * * 'O '*

I n f o im a l l o n *1 O
A tta c kM o d u lo
Available Actions
( C o lle ct System
. Cooa JrstKr evidence ana sensitivedaii iscreenshois, passw ords. s> temirtform M on) o a r s eV i erem o t e i e 3 y 3 t e mandu p l o a d ,d o w n l o a d ,and O e l e t eH i e s . u*efct1u*\ a rem cte com m and snll onm e tarcet !advanced users)
C1M Piory Po t
. Ptolatacts usirtgV ie rem otehost as a gatew ay(TCPAJDP) i Close V bs session. Furm srm teracaonieijuires ex p lo itatio n
e2 0 1 0 2 0 1 2R 3 p i d 7I n cB e
VRAPID7
Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles diat you can use to customize attacks for a specific environment. If you have a list of credentials diat you want to use, you can import the credentials into the system.
FIG U R E 3.27: Metasploit Accessing Filesystem of a Target Machine
31. Y o u c a n v iew a n d m o d ify d ie files fro m d ie ta rg e t m acliin e.
If a bruteforce is successful, Metasploit Pro opens a session on die target system. You can take control of die session dirough a command shell or Meterpreter session. If there is an open session, you can collect system data, access die remote file system, pivot attacks and traffic, and run postexploitation modules.
PA , 't t p it o c d h o i t .%m . '1, t io 'p t f h i V i r i d a v n S a l S p M C t i S y W 0 W 6 4 U S y s t e m L S y 8 t e m 3 2 L * X 4 P 1 L & l s t *T e n o a s C a l a L iV L _ G m W m S l o t * A t a S * S { * I n s Ia s s s a t c h > [ M T S L i , C h M N M _ c u ty L * * V W 9 _f r a o n g Q b l w a x . f i 9 0 C 7 D 9 1 2 B E 2 3 I 4 ly t O K M a t a l b * M M p f W e x e 'L U W H P f R O b * P r e f M v r n a l* 1 c a r t e r
M rtK ffc it fik
1M01?
1 7 2 0 1 4 a 6 7 1 8 1 2 9 j i s e b
2 0 1 2 4 5 1 9 0 9 3 3 4 0 U T C 2 0 1 2 1 1 1 5 1 3 5 8 5 2 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 1 1 1 5 1 3 5 6 5 2 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 0 9 1 8 0 9 2 7 2 1 U T C 2 0 1 2 1 1 1 5 1 4 . 1 3 . 5 0 U T C 2 0 1 2 0 5 1 9 0 9 3 3 . 5 7 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 0 U T C 2 0 1 2 0 5 1 9 O f t 3 3 . < 1 U T C 2 0 1 2 0 9 1 2 1 1 3 5 2 9 U T C 2 0 1 2 1 1 1 5 1 4 f t S 1 7 U T C 2 0 1 2 0 5 1 9 0 9 3 3 * 5 U T C 2 0 1 2 0 5 1 9 0 9 3 0 S 1 U T C 2 0 1 2 1 0 0 9 0 7 0 3 5 1 B T C 2 0 1 2 0 9 1 0 0 9 5 6 5 0 U T C 2 0 1 2 0 5 1 9 O f t 3 3 4 0 U T C 2 0 1 2 0 5 1 9 0 9 0 9 2 'U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 0 5 1 9 0 9 1 1 5 4 U T C 2 0 1 2 0 5 1 9 0 9 0 9 2 0 U T C 2 0 1 2 4 5 . 1 9 0 9 3 3 4 1 U T C 2 0 1 2 4 1 5 . 1 9 0 3 3 5 1 U T C 2 0 1 2 . 1 0 4 4 1 1 1 4 U T C 2 0 1 2 0 9 . 1 2 H f i l 2 U T C 2 0 1 2 4 5 . 1 9 U 1 7 3 1 B T C ? 0 0 4 4 . 0 a s u t c 2 O 1 2 1 0 1 S 0 S M M U T C I* 0 1 2 4 I S 1 8 2 1 4 6 V U T C
C f*G 0 0 9 I.
p ft
'
a (iS T O R E i1 | l 0 l T I.1 | (.S T O R E 1 > | (> O f L t T f.) < .S T O R E ;> | { D E L E T E .) (.S T O R E I ) |(. O E L E T E .) (.S T O R E 1 ) 1 ( D E L E T E ) (.S T O R E i) 1 (. D E L E T E .)
Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and postexploitation modules. You can run automated exploits or manual exploits.
FIG U RE 3.28: Metasploit Modifying Filesystem of a Target Macliine
32. Y o u c a n also la u n c h a c o m m a n d shell o f d ie ta rg e t m a c h in e b y clicking C o m m a n d S h e ll fro m se ssio n s capU ired.
Automated exploitation uses die minimum reliability option to determine the set of exploits to run against die target systems. You cannot select die modules or define evasion options diat Metasploit Pro uses.
FIG U RE 3.29: Metasploit Launching Command Shell of Target Macliine
33. T o v iew d ie sy stem IP a d d re ss a n d o d ie r in f o rm a tio n d iro u g h d ie c o m m a n d shell 111 M e ta sp lo it, ty p e ip c o n fig Iall a n d p ress E n te r.
Manual exploitation provides granular control over die exploits diat you ran against die target systems. You run one exploit at a time, and you can choose die modules and evasion options diat you want to use.
F IG U R E 3.30: Metasploit IP C O N F IG command for Target Machine
Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target emails, and email template.
34. The following screenshot shows die IP address and other details of your target machine.
F !
!< a Ip * . U**
l - n
U12 - KM M iniport (Vwtwork. Monitor)
km : U 1 3 H iero so rc K a rrw ti H a rd w a re K M 0 0 :0 0 :0 0 :0 0 :0 4 :0 0: M T U : 2 4 ?2
n e tw o rk A rt.ip to r
In terface 13
N a w >
Meterpretcr >|
!n et -Hteroiort IS A T A PA d a p te r
WebScan spiders web pages and applications for active content and forms. I f the WebScan identifies active content, you can audit die content for vulnerabilities, and dien exploit die vulnerabilities after Metasploit Pro discovers diem.
F IG U R E 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell
35. Click die Go b a c k command shell.
o n e p age
button in Metasploit browser to exit die
A task chain is a series o f tasks that you can automate to follow a specific schedule. The Metasploit W eb U I provides an interface that you can use to set up a task chain and an interactive clock and calendar diat you can use to define die schedule.
A report provides comprehensive results from a penetration test. Metasploit Pro provides several types o f standard reports diat range from high level, general overviews to detailed report findings. You can generate a report in PD F, W ord, X M L , and H T M L.
F IG U R E 3.32: Metasploit closing command shell
F IG U R E 3.33: Metasploit Terminating Session You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SM B hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.
37. It will display Session

Logout.
K illed.
Now from die A c c o u n t drop-down list, select

7'8, JJj AA c c o u n tJ a s o n
j U s e rS e ttin g s T -J L o g o u t
I* metasploit r community1
f cO v e rv ie w
r tAnalysis
~S e s s io n s
C a m p a ig n s
W e bA p p s
t yM o d u le s
la g s
IR e p o r ts
Session killed
Active Sessions Closed Sessions A t t a c kM o d u le JA V A _ ^ N V _ E X IC
E 5 C M W 1 1
&
#*0 t Z -.V r x w w 8
w c t e r p r e t e f
l1 2 tM S 1 40 e U T C
A t f n e0 1 V n < lo w p
u M ta m ia iH
F IG U R E 3.34: Metasploit Session Killed and Logging out
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion 011 your targets secuntv posture and exposure.
PLE A SE
TA LK
TO
Y O U R IN S T R U C T O R IF YO U R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Tool/U tility
Information Collected/Objectives Achieved Output: Interface Infomation Name: etl14-M1crosoft Hyepr-v Network Adapter Hardware MAC: 00:00:00:00:00:00 MTU: 1500 IPv4 Address: 10.0.0.12 IPv6 Netmask: 255.255.255.0 IPv6 Address: fe80::b9ea:d011:3e0e:lb7 IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::
Metasploit Framework
Question
1 . How would you create an initial user account from a remote system? 2. Describe one 01more vulnerabilities that Metasploit can exploit.
Internet Connection Required Yes Platform Supported 0 Classroom 0 !Labs 0 No

CEH v8 Labs Module 12 Hacking Webservers PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

CEH v8 Labs Module 12 Hacking Webservers PDF

Enviado por

Direitos autorais:

Formatos disponíveis

C EH

M odule 12 - H ackin g W e b servers

A. w e bs e r v e r ,w h ic hc a nb er e fe r re dt oa st h eh a r d w a r e ,t h ec o m p / / t e r , ort h es o f t w a r e , is t h ec o m p u t e ra p p lic a tio nthath e lp st od eliverc o n t e n tthatc a nb ea c c e s s e dt h r o u g h t h eIn tern et.

C E H Lab Manual Page 731

M odule 12 - H ackin g W e b servers

C E H Lab Manual Page 732

M odule 12 - H ackin g W e b servers

C E H Lab Manual Page 733

M odule 12 - H ackin g W e b servers

se c u rity th re a ts . A lth o u g h th e th r e a ts 111 c y b e rs p a c e re m a in la rg e ly th e sa m e as

C E H Lab Manual Page 734

M odule 12 - H ackin g W e b servers

Y o u c a n a lso d o w n lo a d d ie la te s t v e r s io n o f h t t p r e c o n f r o m th e lin k h ttp ://w w w .c o m p u te c .c h /p r o je k te /h ttp r e c o n

m Httprecon is an open-source application that can fingerprint an application of webservers.

R u n tin s to o l 111 W in d o w s S e r v e r 2 0 1 2 A w e b b r o w s e r w ith I n t e r n e t a c c e ss A d m in is tra tiv e p riv ile g e s to r u n to o ls

G1 Httprecon is distributed as a Z IP file containing the binary and fingerprint databases.

Full Matchlist | Fingerprint Details | Report Preview |

F IG U R E 1.1: httprecon main window

C E H Lab Manual Page 735

M odule 12 - H ackin g W e b servers

C lic k A n a ly z e to s ta r t a n a ly z in g th e e n te r e d w e b s ite . Y o u s h o u ld re c e iv e a f o o t p r in t o f th e e n te r e d w e b s ite .

Target (Microsoft IIS 6.0) I http:// 1 | juggyboy com|

F IG U R E 1.2: The footprint result of the entered website

C lick d ie G E T lo n g r e q u e s t tab , w h ic h w ill list d o w n d ie G E T re q u est. T h e n click d ie F in g e r p r in t D e ta ils .

Target (Microsoft IIS 6.0) I Nip:// j J ^ juggyboy com| [*

Matchlst (352 Implementations)

Fingerprint Details | Report F^eview |

C E H Lab Manual Page 736

M odule 12 - H ackin g W e b servers

I n te r n e t C o n n e c tio n R e q u ire d 0 Y es P la tfo rm S u p p o rte d 0 C la s s ro o m !L ab s No

C E H Lab Manual Page 737

M odule 12 - H ackin g W e b servers

C E H Lab Manual Page 738

M odule 12 - H ackin g W e b servers

R u n tliis to o l o n W in d o w s S e r v e r 2 0 1 2 as h o s t m a c h in e A w e b b r o w s e r w ith I n t e r n e t a c c e s s A d m n iis tra tiv e p riv ile g e s to r u n to o ls

In te r n e tS e rv e rId e n tific a tio nU tility ,vl. 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n

Query The Server

ID Serve can connect to any server port on any domain or IP address.

Server query processing:

The server identified itself a s :

Goto ID Serve web page

F IG U R E 2.1: Welcome screen of ID Serve

C E H Lab Manual Page 739

M odule 12 - H ackin g W e b servers

In te r n e tS e rv e rId e n tific a tio nU tility .v 1 . 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n C o p y r ig h t(c )2 0 0 3 b yG ib s o n R e s e a r c hC o r p . e tv e rQ u e ry | Q & A / H e lp

C 1 Ihttp //I 0.0 0.2/realhome|

Query The Server

Server query processing:

H T T P / 112 0 0O K C o n te n tT y p e :t e x t / h t m l L a s tM o d ifie d :T u e ,0 7 A u g2 0 1 20 6 :0 5 :4 6G M T A c c e p tR a n g e s :b y te s E T a q :" c 9 5 d c 4 a f6 2 7 4 c d 1 :0 "__________

Goto ID Serve web page

F IG U R E 2.2: ID Serve detecting the footprint

H T T P / 1.1 2 0 0 o k c o n te n t- T y p e : t e x t / h t m l L a s t- M o d if ic a tio n : T u e , 0 7 A u g 2 0 1 2 0 6 :0 5 :4 6 GMT A c c e p t-R a n g e s : b y te s E T a g : " c 9 5 d c 4 a f 6 2 7 4 c d l:0 "

C E H Lab Manual Page 740

M odule 12 - H ackin g W e b servers

I n te r n e t C o n n e c tio n R e q u ire d Y es P la tfo rm S u p p o rte d 0 C la s s ro o m 0 !L a b s 0 No

C E H Lab Manual Page 741

M odule 12 - H ackin g W e b servers

Metasploitsofin ar eh e lp ss e c u r itya n dITprofessionalsid e n tifys e c u r ityi s s u e s ,v e rify vulnerabilitym it ig a t io n s ,a n dm a n a g ee x p e r t d r iv e ns e c u r itya s s e s s m e n t s .

C E H Lab Manual Page 742

M odule 12 - H ackin g W e b servers

M e ta s p lo it lo c a te d a t D :\C E H -Tools\C E H v8 M o d u le 1 2 H a c k in g W e b se rv e rsY W e b se rv e r A tta c k T o o ls \M e ta s p lo it

Y o u c a n also d o w n lo a d th e la te st v e rs io n o t M e ta s p lo it F ra m e w o r k fro m d ie lin k h t t p : / A v w w .m eta sp lo 1 t . c o m / d o w n lo a d /

I t y o u d e c id e to d o w n lo a d th e l a t e s t v e rs io n , th e n sc re e n sh o ts s h o w n 111 th e lab m ig h t d itte r