
Page 1: Network Reconnaissance Lab - Home | George Mason ...astavrou/courses/ISA_564_F15/Network... · Network Reconnaissance Lab Software Requirements: 1. A secure shell (SSH) client

 

ISA 564, Angelos Stavrou

Laboratory 2

Network Reconnaissance Lab

Software Requirements:

1. A secure shell (SSH) client. For Windows you can download a free version from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.63-installer.exe

Mac/Linux distributions come with ssh; you just have to open a console to invoke the program.

2. The KALI Linux – Penetration Testing Distribution http://www.kali.org (PROVIDED, no need to download unless you want to run it locally).

3. Metasploitable 2 vulnerable platform (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) (PROVIDED, no need to download unless you want to run it locally)

4. Windows Users please install Xming X Server for X-windows support (Free): http://sourceforge.net/projects/xming/files/latest/download

5. Mac Users install X11 XQUARTZ http://xquartz.macosforge.org/landing/

6. Linux Users just need to start X-Windows

Lab Exercise Steps:

A. Connect to KALI Linux on DSLSRV.GMU.EDU and port 10022 (or 11022) as root using ssh and password Msec2015. (with the dot and capital M):


For Mac/Linux, open an XQuartz (X11) console and type: ssh -YC root@dslsrv.gmu.edu -p 11022

Or: ssh root@dslsrv.gmu.edu -p 11022

You should get:

root@dslsrv.gmu.edu's password:

[… ] root@kali:~#


For Windows

Enter dslsrv.gmu.edu for Host name and 10022 or 11022 (second server) for Port and click Open. You can also use servers on ports 12022 and 13022.

login as: root

password: Msec2015. (with the dot and capital M).

Now we are all logged in to an ssh terminal and we can continue with the Lab.

Your Metasploitable machines are directly connected to your Backtrack host on IP addresses 10.1.1.2 and 10.1.1.3.


Simple Target Reconnaissance

The first step for any penetration testing approach is the reconnaissance part.

In this lab, we will be using NESSUS to scan the vulnerable machines and identify exploits that can be used to attack those machines. NESSUS is yet another tool in our penetration testing arsenal and a complement to Metasploit that we used in the last Lab.

Reconnaissance with Nessus

B. Start your X-windows client

a. Mac Users start XQuartz

b. Windows users start Xming X Server

C. Start SSH connection to the Backtrack server as per step A but with a modification:

a. Mac/Linux: use ssh. Connect to the Backtrack servers as per step (A) but with a slight change: ssh -YC root@dslsrv.gmu.edu -p 10022

OR (SECOND SERVER, IDENTICAL):

ssh -YC root@dslsrv.gmu.edu -p 11022

The “C” option adds compression, whereas the “Y” option allows graphic windows to be forwarded locally.

b. For Windows

Start putty and enable the X11 forwarding on the Putty program before you try to connect (see Figure in next page)


The X11 Forwarding option allows for Graphics to be FORWARDED to your local machine even when the program is running on the remote server.


Enabling compression increases the speed of the graphics because the network traffic is smaller.

You should be in a prompt like this:

root@kali:~#

To test if you have the GUI activated, type “xterm” at the prompt; you should get the window shown below (it might be flashing on your taskbar and you have to click it to bring it up):


D. Now we are ready to start with NESSUS, which is browser driven. For your convenience, I have already installed NESSUS on the Kali Linux, so you do not have to perform any steps other than executing the program. In general, though, you will need to install NESSUS on a Backtrack installation using the following steps: http://www.fuzzysecurity.com/tutorials/8.html

You need to connect to the vncserver by typing:

vncviewer kali:15 (any number from 1-32 will work).

Your password is again Msec2015. (with capital M and the dot).


Then you should see something similar to:

Click on the top left icon with the screen prompt.


Start FIREFOX using the -profilemanager flag:

firefox -profilemanager


(Create your own profile and then click Start Iceweasel.) Sometimes, if Firefox crashes, you might need to create a secondary profile to avoid being locked out.


E. Start Nessus

Type https://localhost:8834 in firefox’s Browser Address and press return:

In the NESSUS Login Window Type “msec” for Username and “Msec2015.” for password

Click “Sign In” to login.


Click on New Scan in the left panel and then select BASIC NETWORK SCAN.


Select the basic scan on the left top.

To identify which networks to scan, return to your terminal, press ctrl-z to suspend the firefox process and then type “bg” to put it in the background (see below).


In order to identify the network to scan, we use the command “ifconfig” (ipconfig is the Windows equivalent). This command lists all the connected networks and network cards:

The network subnet to scan is the eth0 one: 10.192.113.1/24 (/24 signifies a class C sized network, i.e. addresses in the range 10.192.113.1 – 255)
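As an added example (not part of the lab handout), the following Python script derives the Nessus Target value from ifconfig output the way the step above does by hand, and goes one step further by checking that the intended lab hosts actually fall inside that scope before a scan is launched. The ifconfig text is a constructed sample in the classic net-tools layout, and the function names are my own; note that the tool reports the block in its canonical form 10.192.113.0/24, the same /24 the text names by its first host.

```python
import ipaddress
import re

# Constructed sample in the classic (net-tools) ifconfig layout, as on the lab's Kali host.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.192.113.1  Bcast:10.192.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

_INET_RE = re.compile(r"inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)")


def parse_ifconfig(text):
    """Return {interface_name: IPv4Interface} for every IPv4 address in ifconfig output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]   # a non-indented line names a new interface
            continue
        m = _INET_RE.search(line)
        if m and current:
            # "addr/dotted-mask" is accepted by ipaddress and normalised to CIDR
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def scan_scope(interfaces, name="eth0"):
    """Return the CIDR network of the named interface, i.e. the value for the Nessus Target field."""
    return str(interfaces[name].network)   # "10.192.113.0/24"


def in_scope(cidr, hosts):
    """Map each intended host to whether it lies inside the scan scope (catches out-of-scope targets)."""
    net = ipaddress.ip_network(cidr)
    return {h: ipaddress.ip_address(h) in net for h in hosts}


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    scope = scan_scope(ifaces)
    net = ipaddress.ip_network(scope)
    print("scan target:", scope)
    # .0 is the network address and .255 the broadcast, so usable hosts are .1 - .254
    print("usable hosts:", net[1], "-", net[-2], f"({net.num_addresses - 2} addresses)")
    print(in_scope(scope, ["10.192.113.60", "10.192.113.65", "10.1.1.2"]))
```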

Now return back to NESSUS.


You need to fill in the Name and Target fields (the name is your choice; the target should be 10.192.113.1/24, from the ifconfig findings).

Note that the form might extend below the bottom of your screen, so you need to scroll to be able to press the “Save” button.


Using this information and Metasploit (either msfconsole or Armitage, which we will cover in class), you can attack the two machines.


Further Questions:

Select 2 High and 2 Medium threats and test to see if you can break into the machines. Note that not all exploits are exploitable! Describe what you did even if it was not successful. Include screenshots of your efforts.
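To pull the High and Medium findings out of the Nessus results, here is an added example (not the lab's or Nessus's own code) that parses a .nessus v2 export, the XML that Nessus produces when a scan is exported, and groups findings per host by severity. The report fragment is constructed, with placeholder plugin names, and the hosts are the two lab targets; the layout assumed is ReportHost/ReportItem elements carrying a numeric severity attribute (0 info up to 4 critical).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed .nessus (v2 export) fragment standing in for a real Basic Network Scan export.
# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="lab2-basic-scan">
    <ReportHost name="10.192.113.60">
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="3" pluginName="constructed finding A"><risk_factor>High</risk_factor></ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginName="constructed finding B"><risk_factor>Medium</risk_factor></ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginName="constructed info C"><risk_factor>None</risk_factor></ReportItem>
    </ReportHost>
    <ReportHost name="10.192.113.65">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginName="constructed finding D"><risk_factor>Critical</risk_factor></ReportItem>
      <ReportItem port="8180" svc_name="www" protocol="tcp" severity="2" pluginName="constructed finding E"><risk_factor>Medium</risk_factor></ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_findings(nessus_xml):
    """Yield (host, port/proto, severity int, plugin name) for every ReportItem in the export."""
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            yield (host.get("name"),
                   f'{item.get("port")}/{item.get("protocol")}',
                   int(item.get("severity")),
                   item.get("pluginName"))


def shortlist(nessus_xml, min_severity=2):
    """Per host, the findings at Medium or above, highest severity first: the lab's pick list."""
    per_host = defaultdict(list)
    for host, service, sev, name in parse_findings(nessus_xml):
        if sev >= min_severity:
            per_host[host].append((sev, service, name))
    for host in per_host:
        per_host[host].sort(reverse=True)   # Critical/High before Medium
    return dict(per_host)


def count_by_severity(nessus_xml):
    """Overall finding counts keyed by severity name, for a quick sanity check of the scan."""
    counts = defaultdict(int)
    for _, _, sev, _ in parse_findings(nessus_xml):
        counts[SEVERITY_NAMES[sev]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, items in shortlist(SAMPLE_NESSUS).items():
        print(host)
        for sev, service, name in items:
            print(f"  [{SEVERITY_NAMES[sev]:8}] {service:9} {name}")
    print(count_by_severity(SAMPLE_NESSUS))
```

Findings the scanner flags are only candidates: a plugin match says the service looks affected, not that the condition is confirmed, which is why the question asks you to test and report either way.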

Extra Credit

- Install your own Backtrack 5 R2 (you can get it from here: http://www.backtrack-linux.org/downloads/)

- Install NESSUS using the home feed (free)

http://www.fuzzysecurity.com/tutorials/8.html

- Provide scans for dslsrv.gmu.edu and the GMU mail server mh-x.gmu.edu

- Provide scans for www.gmu.edu and another server of your choice

- If you cannot install your own NESSUS use the one provided to perform the same scans

Interesting video with some instructions but more advanced:

http://www.youtube.com/watch?v=gw5xioiteLw&feature=player_embedded

We will discuss and dive into the tools more in class!

Advanced Target Reconnaissance

You need to connect to the vncserver by typing:

vncviewer kali:15 (any number from 1-32 will work).


Your password is again Msec2015. (with capital M and the dot).

Then you should see something similar to:


Click on the top left icon with the screen prompt.

A new window will pop up; type armitage and press Enter.


Sometimes you get pop-up windows; press “Connect” and “Yes”:


If everything went well, you should get the following screen:

or the one below by selecting Armitage -> Set Target View -> Table View

Now we can start the exploitation!


Which Host?

For the purpose of this lab, hosts 10.192.113.60 and 10.192.113.65 are vulnerable metasploitable virtual machines (hosts that are provisioned to be vulnerable on purpose). We can start with those so we can focus on the attacks.

Remote Exploits

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host.

To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

The Attack menu limits itself to exploits that meet a minimum exploit rank of great. Some useful exploits are ranked good and they won't show in the attack menu. You can launch these using the module browser.

Use Armitage -> Set Exploit Rank to change the minimum exploit rank.

Optionally, if you'd like to see hosts that are vulnerable to a certain exploit, browse to the exploit in the module browser. Right-click the module. Select Relevant Targets. Armitage will create a dynamic workspace that shows hosts that match the highlighted exploit. Highlight all of the hosts and double-click the exploit module to attack all of them at once.


What is next?

Select the host with a right mouse click, then go to Attacks in the top menu and press “Find Attacks”. If all goes well you will get the Attack Analysis Complete window; press “OK”.

Next, you click with the left mouse button on the host you want to attack (for mac you can press command-mouse for left click). You should see the following menu


Select Attack -> misc -> check exploits

This will allow you to check the exploits for that category (misc) to see if you can find any vulnerabilities you can exploit.

At the bottom of the console you should see each of the individual attacks being tested.

Click on the Console and press Ctrl-F to search for the word “vulnerable” (see below):


Notice that the following attack IS VIABLE (host VULNERABLE):

To take advantage of the above vulnerability, you again press left-click on the target host and select the attack from the menu (see below):

You should be able to see the following menu:


Press Launch


A new tab with the shell will open in the area below. I have typed the commands whoami and hostname to show you that I have indeed successfully exploited the host.

Which exploit?

Learning which exploits to use and when comes with experience. Some exploits in Metasploit implement a check function. These check functions connect to a host and check if the exploit applies. Armitage can use these check functions to help you choose the right exploit when there are many options. For example, targets listening on port 80 will show several web application exploits after you use Find Attacks. Click the Check exploits... menu to run the check command against each of these. Once all the checks are complete, press Ctrl+F and search for vulnerable. This will lead you to the right exploit.


Clicking a host and selecting Services is another way to find an exploit. If you have Nmap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host.

A list of ALL the vulnerabilities for Metasploitable 2 can be found here:

https://community.rapid7.com/docs/DOC-1875

and

http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/

Further readings:

https://www.ethicalhacker.net/features/special-events/free-armitage-and-metasploit-video-training

Assignment for Lab 2:

Exploit a vulnerability and show me that you have placed a file in the exploited remote machine via screenshots and by creating the file with the command “touch <yourname>” where <yourname> should be replaced with your full name.

Happy exploiting!