
CEH Lab Manual

Hacking Web Servers

Module 12


Module 12 - Hacking Webservers

Hacking Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

Lab Scenario

Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at the server side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives

The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more.

The objective of this lab is to:

■ Footprint web servers

■ Crack remote passwords

■ Detect unpatched security flaws


Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 731


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2012 as host machine

■ A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 40 Minutes

Overview of Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

Lab Tasks

Recommended labs to demonstrate web server hacking:

■ Footprinting a web server using the httprecon tool

■ Footprinting a web server using the ID Serve tool

■ Exploiting Java vulnerabilities using Metasploit Framework

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

TASK 1: Overview


Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab 1

Footprinting a Webserver Using the httprecon Tool

The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario

Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives

The objective of this lab is to help students learn to footprint web servers. It will teach you how to:

■ Use the httprecon tool

■ Get a webserver footprint

Lab Environment

To carry out the lab, you need:

■ httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon


■ You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Run this tool in Windows Server 2012

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of httprecon

httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

Lab Tasks

TASK 1: Footprinting a Webserver

1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.

2. Double-click httprecon.exe to launch httprecon.

3. The main window of httprecon appears, as shown in the following figure.

httprecon is an open-source application that can fingerprint an application of webservers.

[Screenshot: httprecon 7.3 main window. Menu: File, Configuration, Fingerprinting, Reporting, Help. Target field (http://, port 80); request tabs GET existing, GET long request, GET nonexisting, GET wrong protocol, HEAD existing, OPTIONS common; result tabs Full Matchlist, Fingerprint Details, Report Preview with columns Name, Hits, Match %.]

Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

FIGURE 1.1: httprecon main window


4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.

5. Click Analyze to start analyzing the entered website.

6. You should receive a footprint of the entered website.

[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0). The GET existing tab shows the response:]

HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Matchlist (352 implementations):

Name                  Hits   Match %
Microsoft IIS 6.0     88     100
Microsoft IIS 5.0     71     80.68
Microsoft IIS 7.0     63     71.59
Microsoft IIS 5.1     63     71.59
Sun ONE Web Server    63     71.59
Apache 1.3.26         62     70.45
Zeus 4.3              62     70.45
Apache 1.3.37         60     68.18

Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

FIGURE 1.2: The footprint result of the entered website

7. Click the GET long request tab, which will list the GET request. Then click Fingerprint Details.

The scan engine of httprecon uses nine different requests, which are sent to the target web server.

[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0). The GET long request tab shows the response:]

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

Fingerprint Details:

HTTP Protocol Version   1.1
Statuscode              400
Statustext
Banner
X-Powered-By
Header Spaces           1
Capital after Dash      1
Header-Order Full       Content-Type,Date,Connection,Content-Length
Header-Order Limit      Content-Type,Date,Connection,Content-Length

Httprecon does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website
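The fingerprint elements listed in the Fingerprint Details tab are what separate httprecon from reading the Server line alone. The following Python script is an added example, not code from the lab or from the httprecon project: it extracts those elements (protocol version, status code and text, banner, X-Powered-By, header spaces, capital after dash, header order) from constructed sample responses and scores them against a small constructed reference table, so that a server whose Server header has been removed is still matched by its remaining traits. The host name, ETag and content length in the samples are placeholders, and the "Header Spaces" rule is an approximation of what the tool measures.

```python
from __future__ import annotations
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Fingerprint:
    """The elements httprecon lists under 'Fingerprint Details'."""
    protocol_version: str     # "1.1" from "HTTP/1.1"
    status_code: str          # "400"
    status_text: str          # "Bad Request"
    banner: str               # Server header value, "" when absent
    x_powered_by: str         # X-Powered-By header value, "" when absent
    header_spaces: int        # spaces between ':' and the value (approximation)
    capital_after_dash: bool  # every word after '-' in a header name capitalised
    header_order: tuple       # header names in the order the server sent them


def parse_response(raw: str) -> Fingerprint:
    """Reduce a raw HTTP response (status line + headers) to its fingerprint."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ", 2)               # e.g. "HTTP/1.1 400 Bad Request"
    version = parts[0].partition("/")[2]
    code = parts[1] if len(parts) > 1 else ""
    text = parts[2] if len(parts) > 2 else ""
    names, values, spaces, capital = [], {}, 0, True
    for line in lines[1:]:
        name, _, rest = line.partition(":")
        names.append(name)
        values[name.lower()] = rest.strip()
        spaces = max(spaces, len(rest) - len(rest.lstrip(" ")))
        if any(p and not p[0].isupper() for p in name.split("-")[1:]):
            capital = False
    return Fingerprint(version, code, text, values.get("server", ""),
                       values.get("x-powered-by", ""), spaces, capital, tuple(names))


def banner_grab(raw: str) -> str:
    """What classic banner grabbing reports: the Server line and nothing else."""
    return parse_response(raw).banner


def score(observed: Fingerprint, reference: Fingerprint) -> int:
    """Count agreeing elements (httprecon shows this as 'Hits')."""
    return sum(getattr(observed, f.name) == getattr(reference, f.name)
               for f in fields(Fingerprint))


def best_matches(observed: Fingerprint,
                 database: dict[str, Fingerprint]) -> list[tuple[str, int, float]]:
    """Rank reference implementations by hits with a Match % like the Matchlist."""
    total = len(fields(Fingerprint))
    ranked = sorted(((name, score(observed, ref)) for name, ref in database.items()),
                    key=lambda item: -item[1])
    return [(name, hits, round(100.0 * hits / total, 2)) for name, hits in ranked]


# Constructed "GET existing" response shaped like the IIS 6.0 result in Figure 1.2:
# same header order and banner; host, ETag and length are placeholders.
RESPONSE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Content-Length: 8451\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://www.example.com/index.html\r\n"
    "Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    "Accept-Ranges: none\r\n"
    'ETag: "0123456789abcdef:0"\r\n'
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n<html>...</html>"
)

# Constructed response for a second, Apache-style implementation (different order).
RESPONSE_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1234\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

# The IIS-style server after an administrator removed only the Server header.
RESPONSE_IIS_NO_BANNER = RESPONSE_IIS.replace("Server: Microsoft-IIS/6.0\r\n", "")

# Tiny constructed reference table standing in for httprecon's fingerprint database.
REFERENCE_DB = {
    "Microsoft IIS 6.0 (constructed)": parse_response(RESPONSE_IIS),
    "Apache (constructed)": parse_response(RESPONSE_APACHE),
}

if __name__ == "__main__":
    print("banner grab sees:", repr(banner_grab(RESPONSE_IIS_NO_BANNER)))  # ''
    for name, hits, pct in best_matches(parse_response(RESPONSE_IIS_NO_BANNER), REFERENCE_DB):
        print(f"{name:32} {hits} hits  {pct}%")  # IIS entry still ranks first
```

Stripping the banner leaves six of eight elements matching the IIS-style reference (75%), so from a defender's view hiding the Server header is not the same as hiding the implementation.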


Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility        Information Collected / Objectives Achieved

httprecon Tool      Output: Footprint of the juggyboy website
                    ■ Content-type: text/html
                    ■ Content-location: http://juggyboy.com/index.html
                    ■ ETag: "a47ee9091a0cd1:7a49"
                    ■ Server: Microsoft-IIS/6.0
                    ■ X-Powered-By: ASP.NET

Questions

1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.

2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required

☑ Yes    ☐ No

Platform Supported

☑ Classroom    ☐ iLabs


Lab 2

Footprinting a Webserver Using ID Serve

ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario

In the previous lab you have learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint.

It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives

This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:

■ Use the ID Serve tool

■ Get a web server footprint

Lab Environment

To carry out the lab, you need:

■ ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve

■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm

■ If you decide to download the latest version, then screenshots shown in the lab might differ


■ Run this tool on Windows Server 2012 as host machine

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of ID Serve

ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.

Lab Tasks

1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.

2. Double-click idserve.exe to launch ID Serve.

3. The main window appears. Click the Server Query tab as shown in the following figure.

[Screenshot: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. Tabs: Background, Server Query, Q&A/Help. Field "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)", a Query The Server button, "Server query processing:" and "The server identified itself as:" panes, and Goto ID Serve web page / Copy buttons.]

FIGURE 2.1: Welcome screen of ID Serve

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the website (URL) you want to footprint.

5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.

TASK 1: Footprinting a Webserver

ID Serve can connect to any server port on any domain or IP address.


6. Click Query the Server to start querying the entered website.

7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.

[Screenshot: ID Serve, Server Query tab, with http://10.0.0.2/realhome entered. Server query processing shows:]

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"

ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

ID Serve can almost always identify the make, model, and version of any web site's server software.

FIGURE 2.2: ID Serve detecting the footprint

Lab Analysis

Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected / Objectives Achieved

ID Serve        Server Identified: Microsoft-IIS/8.0
                Server Query Processing:
                ■ HTTP/1.1 200 OK
                ■ Content-Type: text/html
                ■ Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
                ■ Accept-Ranges: bytes
                ■ ETag: "c95dc4af6274cd1:0"

Questions

1. Analyze how ID Serve determines a site's web server.

2. What happens if we enter an IP address instead of a URL?

Internet Connection Required

☐ Yes    ☑ No

Platform Supported

☑ Classroom    ☑ iLabs


Lab 3

Exploiting Java Vulnerability Using Metasploit Framework

Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Lab Scenario

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.

Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Lab Objectives

The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment

In this lab, you need:


■ Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

■ You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as host machine

■ Windows 8 running on a virtual machine as target machine

■ A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine

■ JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

■ You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Lab Duration

Time: 20 Minutes

Overview of the Lab

This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6). In order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

Lab Tasks

TASK 1: Installing Metasploit Framework

1. Install Metasploit on the host machine Windows Server 2012.

■ Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

2. After installation completes, it will automatically open in your default web browser as shown in the following figure.

3. Click I Understand the Risks to continue.


FIGURE 3.1: Metasploit untrusted connection in web browser

4. Click Add Exception.

5. In the Add Security Exception wizard, click Confirm Security Exception.

[Screenshot: Firefox "This Connection is Untrusted" page for https://localhost:3790, with "What Should I Do?", "Get me out of here!", "Technical Details", "I Understand the Risks" and "Add Exception" controls.]

FIGURE 3.2: Metasploit Adding Exceptions


*־1 IAdd Security ExceptionYou are about to override how Firefox identifies this site.

! Legitimate banks, stores, and other public sites will not ask you to do this.

Server

Location: I liRM M H BM M feM I

Certificate StatusThis site attempts to identify itself with invalid information.

Wrong Site

Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity

Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

@ Permanently store this exception

| Confirm Security Exception | Cancel

With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit - Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.


Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

FIGURE 3.4: Metasploit Creating an Account

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

Product Key Activation

8. Enter your valid email address in the Metasploit Community option and click GO.


FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email address and copy the license key as shown in the following figure.

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste the product key and click Next to continue.


FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.

FIGURE 3.9: Metasploit Activation

12. The Activation Successful window appears.


FIGURE 3.10: Metasploit Activation Successful

13. Go to Administration and click Software Updates.


FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after checking the updates, click Install.

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

TASK 3

Updating Metasploit

By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a VirtualBox Host Only network.)

FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.

TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.

FIGURE 3.14: Metasploit Restarts

17. After completion of restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.


FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.

Creating a New Metasploit Project

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
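As an added audit example (not code from the lab manual or from the Metasploitable documentation it quotes), the following Python script checks for the two misconfigurations described in the r-services and NFS notes above: a trust file containing "+ +", and an NFS server that exports "/" to every client. It parses constructed sample copies of an .rhosts file, `rpcinfo -p` output and `showmount -e` output; the host 10.0.0.5, the export paths and the file path in the samples are made up.

```python
# Added audit example, not from the lab manual: flags the ".rhosts + +" trust
# and the NFS "/" export described above. Inputs are constructed sample text;
# on a real host feed it /etc/hosts.equiv or ~/.rhosts and the output of
# `rpcinfo -p <host>` and `showmount -e <host>`.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    source: str    # file or command the finding came from
    severity: str  # "critical" or "high"
    detail: str


def parse_trust_file(text):
    """hosts.equiv / .rhosts lines -> (host, user) pairs. Each line is
    'host [user]'; '#' starts a comment; '+' is a wildcard; '-' denies."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_trust_file(source, text):
    """Report wildcard trust entries; '+ +' is the Metasploitable 2 case."""
    findings = []
    for host, user in parse_trust_file(text):
        if host.startswith("-") or (user or "").startswith("-"):
            continue  # deny entries do not widen access
        entry = " ".join(x for x in (host, user) if x)
        if host == "+" and user == "+":
            findings.append(Finding(source, "critical",
                            "'+ +': any user on any host may log in without a password"))
        elif "+" in (host, user):
            findings.append(Finding(source, "high", f"wildcard trust entry '{entry}'"))
    return findings


# rpcinfo -p columns: program, version, proto, port, service
RPC_LINE = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s+\S+")


def nfs_ports_from_rpcinfo(text):
    """{(proto, port)} where the portmapper registers program 100003 (nfs)."""
    ports = set()
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m and m.group(1) == "100003":
            ports.add((m.group(2), int(m.group(3))))
    return ports


def parse_showmount(text):
    """`showmount -e` output -> {export_path: [client, ...]}."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.lower().startswith("export list"):
            path, _, clients = line.partition(" ")
            exports[path] = [c for c in clients.strip().split(",") if c]
    return exports


def audit_exports(source, text):
    """Flag exports open to every client and any export of the root filesystem."""
    findings = []
    for path, clients in parse_showmount(text).items():
        everyone = any(c in ("*", "(everyone)") for c in clients)
        if path == "/":
            findings.append(Finding(source, "critical" if everyone else "high",
                            f"'/' (root filesystem) exported to {','.join(clients)}"))
        elif everyone:
            findings.append(Finding(source, "high", f"{path} exported to every client"))
    return findings


# Constructed sample inputs, not captured from a real system.
SAMPLE_RHOSTS = "# trust everything, the Metasploitable 2 default\n+ +\n"
SAMPLE_RPCINFO = """   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   tcp  43565  mountd
"""
SAMPLE_SHOWMOUNT = "Export list for 10.0.0.5:\n/ *\n/home 10.0.0.0/24\n"


def run_audit():
    """Audit the samples; exports are only checked if rpcinfo shows NFS."""
    findings = audit_trust_file("/root/.rhosts", SAMPLE_RHOSTS)
    if nfs_ports_from_rpcinfo(SAMPLE_RPCINFO):
        findings += audit_exports("showmount -e 10.0.0.5", SAMPLE_SHOWMOUNT)
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity.upper()}] {f.source}: {f.detail}")
```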

[Figure 3.16 screenshot: the Project Settings form with the Project name, Description, Network range and Restrict to network range fields. The module description visible in the screenshot reads: The exploit takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package).]

FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.


FIGURE 3.17: Metasploit Modules Tab

20. Enter CVE ID (2012-4681) in Search Modules and click Enter.

The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.

TASK 5

Running the Exploit

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.


FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:

a. In Payload Options set the Connection Type as Reverse and in Listener Host, enter the IP address where Metasploit is running.

b. In Module Options, enter the SRV Host IP address where Metasploit is running.

c. Enter the URI Path (in this lab we are using greetings) and click Run Module.

Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.

A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, custom reporting, combined with an advanced penetration testing workflow.

IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version, IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.


FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 Virtual Machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.

25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.

Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine — Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.


FIGURE 3.23: Metasploit Capturing the reverse connection of the targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.

Project Management

A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

User Management

Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of a target machine as shown in the following screenshot.


FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.

Global Settings

Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.

System Management

As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information

30. To access the files of the target system, click Access Filesystem.


Host Scan

A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files from the target machine.

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.

If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.

FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell of the target machine by clicking Command Shell from the captured sessions.

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.

Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.

Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

34. The following screenshot shows the IP address and other details of your target machine.


Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and email template.


FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click the Go back one page button in the Metasploit browser to exit the command shell.

WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.

FIGURE 3.32: Metasploit closing command shell

FIGURE 3.33: Metasploit Terminating Session

37. It will display Session Killed. Now from the Account drop-down list, select Logout.


A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain, and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

FIGURE 3.34: Metasploit Session Killed and Logging out


Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:

Output: Interface Information
■ Name: eth14 - Microsoft Hyper-V Network Adapter
■ Hardware MAC: 00:00:00:00:00:00
■ MTU: 1500
■ IPv4 Address: 10.0.0.12
■ IPv4 Netmask: 255.255.255.0
■ IPv6 Address: fe80::b9ea:d011:3e0e:1b7
■ IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::
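One way to turn the interface information collected with the Meterpreter ipconfig command into structured records for the lab write-up, as an added example (this is not code from the manual or from Metasploit; the block layout with an "Interface N" header, the separator row and the field names are assumptions modelled on the table above, and the sample text is constructed from the table's values):

```python
"""Parse Meterpreter-style ``ipconfig`` output into structured interface records.

Added example for documenting lab results; not code from the CEH manual or from
Metasploit. The block layout below is an assumption modelled on the Lab Analysis
table, and the sample output is constructed, not captured from a real target.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not captured output); values follow the Lab Analysis table.
SAMPLE_IPCONFIG = """\
Interface 14
============
Name         : eth14 - Microsoft Hyper-V Network Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1500
IPv4 Address : 10.0.0.12
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff::
"""

_HEADER = re.compile(r"^Interface\s+(\d+)$")          # assumed block header
_FIELD = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")  # "Key : value" rows


@dataclass
class Interface:
    index: int
    name: str = ""
    mac: str = ""
    mtu: Optional[int] = None
    ipv4: Optional[str] = None  # address/prefix, e.g. 10.0.0.12/24
    ipv6: Optional[str] = None  # address/prefix
    notes: List[str] = field(default_factory=list)


def prefix_len(mask: str) -> int:
    """Return the prefix length of a dotted (IPv4) or colon (IPv6) netmask.

    A non-contiguous mask raises ValueError; in collected evidence that usually
    means a transcription error worth checking before it goes into a report.
    """
    addr = ipaddress.ip_address(mask)
    bits = int(addr)
    ones = bin(bits).count("1")
    expected = ((1 << ones) - 1) << (addr.max_prefixlen - ones)
    if bits != expected:
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


def _build(index: int, fields: Dict[str, str]) -> Interface:
    """Turn the raw key/value pairs of one interface block into a record."""
    iface = Interface(index=index, name=fields.get("name", ""),
                      mac=fields.get("hardware mac", "").lower())
    if "mtu" in fields:
        iface.mtu = int(fields["mtu"])
    for ver in ("ipv4", "ipv6"):
        addr, mask = fields.get(f"{ver} address"), fields.get(f"{ver} netmask")
        if addr and mask:
            cidr = ipaddress.ip_interface(f"{addr}/{prefix_len(mask)}")
            setattr(iface, ver, cidr.with_prefixlen)
            if cidr.ip.is_link_local:
                iface.notes.append(f"{ver} address is link-local, not routable off-link")
    if iface.mac and set(iface.mac) <= {"0", ":"}:
        iface.notes.append("hardware MAC is all zeros (virtual or unreported adapter)")
    return iface


def parse_ipconfig(text: str) -> List[Interface]:
    """Parse the whole output; a block runs from one 'Interface N' header to the next."""
    result: List[Interface] = []
    index: Optional[int] = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            if index is not None:
                result.append(_build(index, fields))
            index, fields = int(header.group(1)), {}
            continue
        if index is None or not line or set(line) <= {"="}:
            continue  # skip separator rows and anything before the first block
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    if index is not None:
        result.append(_build(index, fields))
    return result


if __name__ == "__main__":
    for iface in parse_ipconfig(SAMPLE_IPCONFIG):
        print(iface)
```

The records carry the address in CIDR form so the lab report states the subnet the host sits on rather than a bare address and mask, and the notes call out two things the table alone hides: an all-zero hardware MAC (a virtual or unreported adapter, so it cannot be used to tie the host to a physical switch port) and a link-local IPv6 address that is not reachable from other segments.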

Questions

1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required: [ ] Yes [x] No

Platform Supported: [x] Classroom [x] iLabs
