SEC520/labs/Lab 4
Types of Attacks
Introduction
In the previous lab, you learned how to perform penetration testing on a vulnerable (target) server. You learned how to perform scanning and enumeration, and then ran vulnerability testing software (e.g. Metasploit) to gain access to your Windows server.
In this lab, students will learn other methods of vulnerability testing to gain access to vulnerable servers:
- This lab will allow students to identify and practice common types of attacks that occur on targeted computer systems.
- First, students will be exposed to client-side attacks (usually initiated by the server's users), including malicious web-page payloads and IP Spoofing (Man in the Middle) attacks.
- Then, students will focus on Server-side attacks such as Server-side Injection, and Password attacks.
Objectives
- Access a server by creating a webpage using the <iframe> tag to redirect a user to a Metasploit exploit in order to gain access to the computer system.
- Understand how phishing can be used to have the user inadvertently activate (trigger) HTML code that gives access to a vulnerable server via a web browser.
- Perform IP Spoofing (Man in the Middle) attacks in order to intercept useful information from a connection between two computers.
- Access and manipulate a database server to gain access into the targeted server.
- Use a password cracking program to discover and access user accounts, and possibly root access.
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab6 Reference Sheet) (to make notes and observations).
Prerequisites
Online Tools and References
Course Notes
- odp | pdf | ppt (Slides: Types of Attacks)
- Phishing | Malicious Payload | IP Spoofing | Database Injection | Cracking Weak Passwords (YouTube Videos)
- Penetration Tester's Open Source Toolkit (E-book) (Chapters 4, 5, 6)
Performing Lab 4
Task #1: Web-browser Redirect (Phishing) Attacks
This section will demonstrate the vulnerability of a computer system through one of its weakest links: humans. You will use the Metasploit framework to create an attack server that exploits your target machine and gains access to it. You will also learn how users can be redirected to that attack site so that the malicious payload is delivered to the targeted computer.
INSTRUCTIONS:
Metasploit is a very versatile tool for penetration testing. Besides gaining access to "targeted" computer systems through the Armitage front-end, it offers other strategies, such as lying in wait ("lurking") for a reverse shell by redirecting web-browser traffic.
In this section, we will use msfconsole to issue commands that exploit through the web browser. Before we start, the Metasploit Framework that came with our Kali Linux edition should be updated to a newer version:
- Log in as the root user and issue the command: msfconsole (ignore any error; the console should eventually load). If problems persist, check whether the Metasploit server is running.
Next, we will generate an attack payload that is delivered through the user's web browser (an HTTP Basic authentication dialog) in order to capture credentials for the computer system. Perform the following steps to create this payload:
- In the msfconsole, issue the following commands:
use auxiliary/server/capture/http_basic
show options
set REALM Facebook Gateway
set URIPATH /
run
- Note the LOCAL IP ADDRESS. You will be entering that address in a web-browser on your targeted Windows server.
- Your attack server (running Metasploit) is now "lurking" until the user enters data in the browser's login dialog box on the Windows machine.
- Switch to your vulnerable Windows server, make certain that you are logged in as Administrator.
- Open the Control Panel, select Add or Remove Programs, select Add/Remove Windows Components. Click to select Internet Explorer Enhanced Security Configuration and click Details. Unclick the checkboxes for admin and all other users and then click Next.
- Login into a regular user account and open a web-browser.
- Enter the IP ADDRESS of the attack web-site. Enter a username and password when prompted by the dialog box.
- Now, switch to your attack machine (i.e. host), and you should see a notification of the exploit. Were you able to determine the username and password?
- Did you think it would be harder to exploit a machine in this way?
- How popular do you think this type of human-based attack is?
- How can you prevent this type of attack from occurring on a "hardened system"?
- Record your findings in your lab log-book.
- Proceed to Task #2
Answer the Task #1 observations / questions in your lab log book.
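Why the capture in Task #1 yields the password in the clear, as an added example that is not part of the lab: a browser answering a Basic-authentication prompt sends "user:password" base64-encoded (encoding, not encryption) in every request. The same parsing lets a network monitor flag credentials leaving over plain HTTP. The request text, host address and credentials below are constructed for this example.

```python
import base64

# Constructed capture: what a browser sends after the user fills in the dialog.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic dXNlcjE6UGFzc3dvcmQxMjM=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (request line, {lower-case header name: value}) of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_plaintext_basic_auth(raw, tls=False):
    """Return a finding dict when the request carries Basic credentials over an
    unencrypted connection, otherwise None."""
    if tls:
        return None                      # credentials protected in transit
    _, headers = parse_headers(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None                      # no Basic credentials in this request
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Header present but not decodable: still worth a look, so report it.
        return {"host": headers.get("host"), "user": None, "malformed": True}
    user, _, _password = creds.partition(":")
    # Report only the user name; the finding is that the secret was sent at all.
    return {"host": headers.get("host"), "user": user, "malformed": False}
```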
Task #2: IP Spoofing (Man in the Middle) Attacks / Packet Sniffing
This section will demonstrate an IP Spoofing attack (in this form usually referred to as "ARP poisoning"), where the target server is "tricked" into sending its traffic to the attacker's machine because it has been told that the attacker's MAC address belongs to the destination's IP address. The attacker can then "feed" the packets on to the real destination, keeping the session uninterrupted while reading information such as usernames and passwords from it.
INSTRUCTIONS:
- We will be using your Kali Linux host machine, Vulnerable Windows VM, and Vulnerable Linux VM for this section.
- Note the IP Address of your Windows server.
- Make certain that your Windows machine is running an FTP server. Set up the FTP server so that users can only access it with a username and password (this may already be the case with the default installation and start-up).
- For demonstration purposes of this "man in the middle" attack, open a command prompt and issue the following MS-Windows command: ping LINUX_IP_ADDR -t
You should now see proof of a connection between your vulnerable Windows and Linux servers.
- Switch to your vulnerable Linux server, open a shell terminal, and note the IP address of your vulnerable Linux server.
- Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: ping WINDOWS_IP_ADDR
- We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.
- Switch to your Kali Linux (host) server, and open a shell terminal.
- While in the host (attack) machine, issue the following Linux command:
sudo arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR
- We need to continue the "man in the middle" attack by performing the same manoeuvre for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following Linux command:
sudo arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR
- Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.
- To complete the "man in the middle" attack, you are required to enable IP FORWARDING on the attack host (otherwise the intercepted packets are dropped there and the victims lose their connection). Open another shell window in your host (attack) machine, and issue the following Linux commands:
sudo su   # log in with the admin password
echo 1 > /proc/sys/net/ipv4/ip_forward
(This sets IP FORWARDING to "True" or "On".)
- Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.
- In an available shell terminal on your host (attack) server, issue the following Linux command: dsniff
(Tip: use the command find -P . | grep dsniff to locate the dsniff superuser executable.)
- This packet sniffer program will lurk until a user on the Linux VM establishes a connection with the Windows VM FTP server.
- Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.
- Then switch back to your host (attack) server.
- What do you notice? Is this information sufficient to log on as a Windows system user? Record your findings in your lab log-book.
- Return to your vulnerable Linux server, and close the FTP connection with the Windows server.
- Switch back to your attack server. What information does dsniff provide?
- What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?
- Record your findings/answers in your lab log-book.
- Proceed to Task #3
Answer Task #2 observations / questions in your lab log book.
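The detection side of Task #2, as an added example that is not part of the lab: a minimal ARP monitor in the spirit of arpwatch. It is fed ARP replies as (sender IP, sender MAC) pairs (a real deployment would take them from a packet capture) and flags the two conditions the pair of arpspoof commands produces: an IP address whose MAC suddenly changes, and one MAC answering for several IP addresses. The addresses and the trace below are constructed for this example.

```python
from collections import defaultdict

# Constructed trace: the first two replies are the real hosts; the rest are the
# gratuitous replies the two arpspoof commands send (attacker MAC is a placeholder).
WINDOWS_IP, LINUX_IP = "192.0.2.20", "192.0.2.30"
TRACE = [
    (WINDOWS_IP, "00:11:22:aa:aa:aa"),
    (LINUX_IP,   "00:11:22:bb:bb:bb"),
    (LINUX_IP,   "00:11:22:cc:cc:cc"),   # attacker now answers for the Linux VM
    (WINDOWS_IP, "00:11:22:cc:cc:cc"),   # ... and for the Windows VM
    (LINUX_IP,   "00:11:22:cc:cc:cc"),   # poisoning is repeated to keep caches fresh
]


def analyse_arp(replies, max_ips_per_mac=1):
    """Return a list of alert strings for suspicious ARP replies."""
    ip_to_mac = {}                      # the binding a victim's cache would hold
    mac_to_ips = defaultdict(set)       # every IP each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac                     # first time we see this IP
        elif known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
            ip_to_mac[ip] = mac                     # follow the latest claim, as victims do
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert once each time a MAC grows past the allowed number of addresses.
        if len(mac_to_ips[mac]) > max_ips_per_mac and len(mac_to_ips[mac]) != before:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{mac} now answers for {claimed}")
    return alerts


if __name__ == "__main__":
    for line in analyse_arp(TRACE):
        print("ALERT:", line)
```

The same condition is visible by hand on a victim during the lab: arp -a on Windows or ip neigh on Linux shows both peer addresses with the attacker's MAC.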
Task #3: Database Injection Attack
SQL injection attacks work by introducing or "injecting" malicious SQL via an input (form) whose contents are passed to the SQL/MySQL database, in order to gain access to the back-end database. There are many different methods of injection attack. We will demonstrate a fairly common one, which exploits web applications (in front of a MySQL server) that fail to sanitize user input: the user enters illegal characters (a single quote) in an established web-based database form.
In this section, we will only expose the student to the concept of an injection attack. You are NOT required to setup the MYSQL server, or run a SQL injection attack on your vulnerable machines...
INSTRUCTIONS:
- Study the following PHP code (the value assigned to $user stands for what an attacker types into the form):
<?php
// Attacker-controlled value taken straight from the form, with no escaping
$user = $_POST['usr'];
// Suppose the attacker typed:  anything' OR 'x'='x
$user = "anything' OR 'x'='x";
// The quote closes the string literal, so the query that reaches MySQL is
//   SELECT user,password FROM users WHERE user='anything' OR 'x'='x'
// and the OR condition is true for every row
mysql_query("SELECT user,password FROM users WHERE user='$user'");
?>
- How could this code be incorporated with an HTML document (using a form) to perform a database injection attack? Record your answer in your lab log-book.
- View the associated YouTube video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.
- Now make the following editing change to the code: wrap $_POST['usr'] in mysql_real_escape_string(), so that the first line reads as shown here:
<?php
// Escape quote characters before the value reaches the query
$user = mysql_real_escape_string($_POST['usr']);
// The same attacker input now arrives as:  anything\' OR \'x\'=\'x
// and the query compares the user column against that literal string
// instead of having its structure altered
mysql_query("SELECT user,password FROM users WHERE user='$user'");
?>
(Note: the mysql_* functions were removed in PHP 7; current code uses prepared statements through mysqli or PDO, which is the preferred fix because the input is never spliced into the SQL text at all.)
- Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.
- Proceed to Task #4.
Answer Task #3 observations / questions in your lab log book.
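The Task #3 query rebuilt so both behaviours can be run side by side, as an added example that is not part of the lab: an in-memory SQLite table (constructed sample users) stands in for the MySQL database, build_query_unsafe() mirrors the PHP string concatenation, and lookup_safe() uses a parameterised query, the same idea as the mysqli/PDO prepared statements that replace mysql_real_escape_string in PHP.

```python
import sqlite3


def make_db():
    """Constructed users table; the rows are sample data for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def build_query_unsafe(user):
    # Same construction as the lab's PHP: attacker text is spliced into the SQL.
    return f"SELECT user,password FROM users WHERE user='{user}'"


def lookup_unsafe(con, user):
    """Run the concatenated query exactly as the vulnerable PHP would."""
    return con.execute(build_query_unsafe(user)).fetchall()


def lookup_safe(con, user):
    """Parameterised form: the driver sends the value separately from the SQL
    text, so quotes in the input can never change the statement's structure."""
    return con.execute(
        "SELECT user,password FROM users WHERE user=?", (user,)).fetchall()


# The lab's tautology payload (written 'x'='x' so the comparison is valid SQL).
PAYLOAD = "anything' OR 'x'='x"

if __name__ == "__main__":
    con = make_db()
    print(build_query_unsafe(PAYLOAD))
    print(lookup_unsafe(con, PAYLOAD))   # every row: the OR is always true
    print(lookup_safe(con, PAYLOAD))     # []: no user is literally named that
```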
Task #4: Password Cracking Attack
In this section, you will learn another technique for cracking passwords: obtaining usernames from e-mail addresses and then running a password-cracking program in the hope of gaining access to an account with a weak password on a vulnerable Windows server. After gaining access to that account, a series of techniques can then be used to gain access to the administrator's account.
INSTRUCTIONS:
- Go to your vulnerable Windows server, create a username called weak that contains a very weak password (no special characters, just words that could be contained in a dictionary).
- How could you obtain usernames (e.g. e-mail usernames) for a targeted computer system? (Review your labs and notes from the Reconnaissance Phase.) Record your answer in your lab log-book.
- Assume that you have obtained a username (i.e. weak) from the reconnaissance phase. We will now use a tool to gain access to that account on the targeted Windows server.
- We need to download a dictionary file containing many weak password combinations to help crack the user's weak password. You can perform a web search in order to save such a dictionary as a text file.
Here is a link to various password cracking dictionaries: http://www.skullsecurity.org/wiki/index.php/Passwords
As root, download the compressed file (cain.txt.bz2) to your /root directory.
- Decompress the file by issuing the following Linux command: bunzip2 cain.txt.bz2
- To launch the xhydra application as root (unless you are already root), issue the following Linux command: sudo xhydra
- In the initial application window (i.e. the Target tab), enter the WINDOWS_IP_ADDR in the Target textbox.
- Under the Protocol list-box, select ftp.
- In the Output Options section, check Be verbose, and check Show Attempts.
- Move to the next screen by clicking on the Passwords tab.
- In the Username section, type the username called weak.
- In the Password section, click on the passwords list radio button, and then click on the passwords list text-box in order to browse to the /root/cain.txt dictionary (on your Kali Linux system) that contains common passwords that you downloaded and decompressed.
- At the bottom of the screen, check Try login as password and check Try empty password.
- Click on the Start tab, and click on the Start button (at the bottom of the screen) to begin the attack.
- This attack may take several minutes to complete.
- Check the output from the Password Cracking Attempt. Did it list any usernames and passwords? If so, record the information in your lab log-book.
- What sort of harm can be done to this organization if the root account has been hacked?
- What sort of password rules should be used to make it harder to penetrate this system?
- Record your findings in your lab log-book.
- Proceed to the "Completing the Lab".
Answer Task #4 observations / questions in your lab log book.
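One answer to the password-rules question above, as an added example that is not part of the lab: an acceptance check that rejects exactly the guesses xhydra is configured to make in Task #4 (the empty password, the login name as password, and words from a cracking dictionary such as cain.txt, including the usual "capitalise, add digits, swap letters for symbols" variants). WORDLIST is a constructed stand-in for the real dictionary file, and the 12-character minimum is an assumption of this example.

```python
WORDLIST = {"password", "letmein", "welcome", "seneca", "dragon"}  # constructed


def normalise(candidate):
    """Reduce common mutations to the base dictionary word: lower-case, drop
    trailing digits/punctuation, undo simple leetspeak substitutions."""
    base = candidate.lower().rstrip("0123456789!@#$%^&*.?")
    return base.translate(str.maketrans("@01$357", "aolsest"))


def check_password(username, candidate, wordlist=WORDLIST, min_len=12):
    """Return a list of policy violations; an empty list means the password
    is accepted. Each check corresponds to one guessing strategy in the lab."""
    problems = []
    if not candidate:
        problems.append("empty password")          # "Try empty password"
        return problems
    if candidate.lower() == username.lower():
        problems.append("password equals login name")  # "Try login as password"
    elif username.lower() in candidate.lower():
        problems.append("contains the login name")
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalise(candidate) in wordlist:
        problems.append("dictionary word (or a trivial variant of one)")
    return problems


if __name__ == "__main__":
    for pw in ["", "weak", "Dr@gon123!", "P@55w0rd", "correct horse battery staple"]:
        print(repr(pw), "->", check_password("weak", pw) or "accepted")
```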
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:
- Proof of Windows VM hack from Phishing / Malicious Code.
- Packet Sniffing information from Linux to Windows FTP connection.
- Demonstration of prevention of a Data Injection Attack.
- Completed Lab 4 notes.
Preparing for Quizzes
- Briefly explain the purpose of a Phishing Attack. How can phishing relate to using malicious code?
- Define the term Man in the Middle attack.
- Briefly list the steps in a Database Injection attack.
- How can a dictionary file be used to crack passwords on a targeted server?
- What is a password hash? How can a password hash be cracked?
- What can an organization do to prevent passwords on their computer system from being cracked?