Scanning, Enumeration & Vulnerability Testing
Introduction
This lab focuses on identifying and exploiteng a server's vulnerabilities in order to gain access to that system. Information assembled in the reconnaissance phase provides the data used in the scanning & enumeration phases.
Students will obtain information from reconnaissance of their vulnerable VMs (IP_ADDRESS) and use scanning & enumeration to better map and then exploit their vulnerable Linux and Windows servers. They will do this in the following manner:
- Students will first use the nmap utility to scan a server to determine that the server is active (running). Verifying active servers can reduce the amount of scanning time to help avoid detection.
- The nmap utility will then be used to list various services (ports) that are running on a server.
- The student will perform enumeration (via banner-grabbing) to identify running services, and will perform fingerprinting to determine the version and type of the operating system on that targetted server.
- Once students have completed the scanning & enumeration phase, they will use that information to perform vulnerability testing (using Nessus and Metasploit) to gain access to that targeted server.
- Finally, once students sign a waiver form and receive authorization to perform penetration testing on Seneca's Tank server, they can apply what they have learned in this lab on the Tank server. Students will also receive accounts to access this server for penetration testing...
- Once students have completed the scanning & enumeration phase, they will use that information to perform vulnerability testing (using Nessus and Metasploit) to gain access to that targeted server.
- Once students have completed the scanning & enumeration phase, they will use that information to perform vulnerability testing (using Nessus and Metasploit) to gain access to that targeted server.
Objectives
- Use the nmap utility to verify that a targeted server is active (running).
- Learn various options of the nmap utility to perform half-open scans, UDP scans, and list running ports.
- Use the nmap utility to generate reports.
- Use the nmap and netcat utilities to verify the type and version of the operating system (finger-printing), and verify the version running services (banner grabbing).
- Use the nessus and Metasploit frameworks to flag, exploit, and gain access to a vulnerable computer system.
- Practice scanning and enumeration on the Tank server at Seneca College (assuming permissions forms submitted, and permission granted by your instructor / ACS).
Required Materials (Bring to All Labs)
- SATA Hard Disk (in removable disk tray).
- Lab Logbook (Lab3 Reference Sheet) (to make notes and observations).
Prerequisites
Online Tools and References
Scanning & Enumeration | Vulnerability Testing | Other |
Course Notes / Resources
- odp | pdf | ppt (Slides: Scanning & Enumeration)
- odp | pdf | ppt (Slides: Vulnerability Testing)
- Scanning 1 | Scanning 2 | Enumeration |Vulnerability Testing - Overview (YouTube Videos)
- Installing Nessus in Kali Linux (YouTube Video)
- Using Nessus in Kali Linux (YouTube Video)
- Using Metasploit Pro in Kali Linux (YouTube Video)
- Use Armitage to Exploit Multiple Machines in Kali Linux (YouTube Video)
- Penetration Tester's Open Source Toolkit (E-book) (Chapter 3)
Performing Lab 3
Task #1: Verifying Server is Active
After the reconnaissance phase, it is important to verify that
the target IP Address(es) are active (running). A great amount of time
can be saved during the scanning and enumeration process by simply
confirming that your target exists. Wasting time while scanning invalid
targets can also increase the chance of detection from a server's IDS (Instrusion Detection System).
In investigations 1 - 3, you will be learning to perform manual scans of targeted servers using the nmap utility. It is useful to learn how to use nmap, since other penetration testing software such as Nessus and Metasploit (discussed in later investigations) use the nmap utility.
INSTRUCTIONS:
- Boot-up your Kali Linux (host).
- Prior to booting up your vulnerable Linux and Windows VMs, follow the steps in the message box below to changes the network settings for each VM.
- After making the network settings changes (above for each VM), boot your vulnerable Linux and Windows VMs.
- Determine the IP Addresses for your Linux VM (/sbin/ifconfig for LINUX_IP_ADDRESS) and your Windows 2003 Server VM (ipconfig for WINDOWS_IP_ADDRESS). Write this information in your lab log-book.
- Take several minutes to review class notes, YouTube vidoes, and the online man pages to learn how to use the nmap utility before proceeding.
- Switch to your Kali Linux (host) machine and open a shell terminal.
- Issue the following command to verify that the virtual server is active:
nmap -v -sn LINUX_IP_ADDRESS - Is this server active?
- Try to verify that the Windows 2003 Server is active (running nmap with your WINDOWS_IP_ADDRESS).
- Can you detect this server? Write the result in your lab log-book.
- Try performing a UDP scan for both the Linux and Windows VMs by issuing the following commands:
nmap -v -sU LINUX_IP_ADDRESS
nmap -v -sU WINDOWS_IP_ADRESS
This may take some time. Try to time how long this UDP scan takes, and compare it with the TCP ping scan you previously performed. Why do you think it is useful to perform a UDP scan in addition to a TCP scan? - Record your findings in your lab log-book.
- Proceed to Task #2
Answer the Task #1 observations / questions in your lab log book.
Task #2: Various Scanning Techniques
Now that we have verified that our targeted IP Addresses are active, we
can perform a scan to determine which services are running on those
servers. We can also record this information in a report format
(which can be inserted into a later Security Audit Report).
INSTRUCTIONS:
- Use the nmap command to perform a stealthy scan in order to list the ports for the Linux VM by issuing the following command:
nmap -sS LINUX_IP_ADDRESS - Record any running services (with associated port numbers) in your lab log-book.
- Repeat step 2, but view course notes and add an option to record findings in report file(s) called /root/linux_vm_scan
- The reports are created in 3 different formats. List those formats, and give a reason how these can be incorporated into a Security Audit Report.
- Repeat steps 2 and 3, generating similar reports for the Windows 2003 Server VM called /root/windows_vm_scan.
- Use what you have learned in task #2 to assemble a scanning report for your Linux and Windows VMs. These files must be available for your instructor to check when you have completed this lab.
- Proceed to Task #3.
Answer Task #2 observations / questions in your lab log book.
Task #3: Enumeration Techniques
The process of enumeration places more emphasis on scanning information of a server's operating system (finger-printing), and on software versions of a server's running services (banner-grabbing).
INSTRUCTIONS:
- Issue the following command for the Linux VM:
nmap -O LINUX_IP_ADDRESS - Can you detect the type and version of the operating system? Record your findings in your log lab-book.
- Perform the same scan, but for the Windows 2003 Server VM. Record your findings in your log lab-book.
- Issue the following command to perform a banner grab for your vulnerable Linux VM:
nmap -sV LINUX_IP_ADDRESS - Take several minutes to review class notes, YouTube vidoes, and the online man pages to learn how to use the netcat utility before proceeding.
- Use the netcat utility to verify the purpose of the running services on the Linux VM.
- Record your findings in your lab log-book.
- Repeat the 2 previous steps, but for the Windows 2003 Server.
- Use what you have learned in task #2 to perform enumeration for your Windows and Linux VMs. Incorporate this information into a file called: vm_security_audit_linux and vm_security_audit_windows respectively.
- Proceed to Task #4
Answer Task #3 observations / questions in your lab log book.
Task #4: Identifying Server Vulnerabilities Using Nessus
This section will reap the benefits from the previous phases of penetration testing you have performed in the previous labs. You
will be using the information assembled in your previous labs to gain access into your vulnerable Windows VM (possibly Linux VM) by exploiting weaknesses of their running services. You will be using two common utilties (or frameworks) in order to achieve access: Nessus and Metasploit.
INSTRUCTIONS:
- Make certain that your Kali Linux system is running, and that both of your Windows and Linux VMs are running.
- First you should register a free account on the Nessus Website in order to download plugins (and run the nessus server). To register, go to the following URL, and select home use: http://www.nessus.org/register/. Once you complete the registration form, an e-mail will be sent with a "one-time" ACTIVATION_CODE_# (you will need this in an up-coming step).
- Next, in your host machine, open a shell terminal and issue the following command to install the gdebi application to allow you to automatically download and install debian packages by clicking on a .deb file link:
sudo apt-get install gdebi
- Next go to the following website: http://www.tenable.com/products/nessus/nessus-download-agreement
(select to download a version for Debian for your appropriate OS: 32-bit or 64-bit). - A dialog box will appear to allow you to save the file. Note the directory where you have saved the deb file.
- In the Administration menu, selec the Gdebi Package Manager. Click the File menu, and open and then select the downloaded deb file. Allow the program to install the Nessus package.
- Allow the installation to complete (it may take a long time to download the newest plugins).
- You need to create a username and password in order to access the Nessus server (from web-browser). Run the following command to create a username and password:
sudo /opt/nessus/sbin/nessus-adduser - Prior to starting the Nessus server, you need to register this application. Use the registration/activiation code (provided from e-mail you received from above procedure) by issuing the command:
sudo /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx
(i.e. xxxx-xxxx-xxxx-xxxx represents activation-code contained in received e-mail message)</b> - Issue the following command to start the Nessus server: sudo service nessusd start
- You can run the Nessus client application in order to connect to the Nessus server (recommended) by web-browser. Simply launch a web-browser and type the following URL: https://127.0.0.1:8834/
- When the application launches in the web-browser resource, you may have to indicate that you trust the connection, and to add an exception. It may take serveral minutes for the application to initialize. Login to your default user account (with the corresponding password).
- Go to the Policies section, and create a new policy called Basic for a "Basic Scan". Select this policy for Windows, but you are NOT required to provide the Window's username and password.
- Click the Scan section and add a new scan called Windows 2003 Server using the Basic policy, and adding the IP ADDRESS at the bottom target area. Click on the Launch button to begin the scan.
- You will be able to view the status of the scan. When the scanning has been completed, view and note the vulnerabilities that are listed in the scanning report.
- What vulnerabilities do you see? Which ones were the most severe? Record these observations in your lab log-book.
- How do you think that you can use the above-mentioned information
that you have collected? Note your observations in your lab log-book.
- Try creating other policies for the different types, and repeat scanning for the Windows target. What other vulnerabilities did you discover? Record your findings in your lab Log-book.
- Repeat steps 12 to 16, but for your Vulnerable Linux (Fedora) sever VM. Make certain to use your VULNERABLE_IP_ADDRESS (or range) and name the report Fedora 5 Linux. Note your observations in your lab log-book.
- Proceed to Task #5
- For both vulnerable machines, log-in as a regular-user.
- To obtain the Proprietary version of Metasploit, you need to register first. Here is the link to Metasploit Pro website:
https://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp - You will presented with a form to fill-out your personal information, and then you are required to create account. Make certain to apply for the free (community edition). During that process, you will be required to fill out information (including e-mail) in order to get an activation code.
- At some point, you will be redirected to another screen to download the file for Metaspoit Pro. Once downloaded, you need to add execution permissions for the downloaded file, and run the file from the shell.
- After the file installs, you will be prompted to open a web interface (open it). Make certain to create a new user.
- Once you check your e-mail to obtain the activation code, enter the product key (activation code) in the required field to obtain your account.
- If all goes well, there will be an indication that the activation is successful.
- Back in your e-mail message with the activiation code, there is a link to a "Getting Started Guide (pdf)". Take a few minutes to read the pdf to get a sense of how to setup and use Metasploit to exploit your Window and Linux servers.
- In your screen, click New Project. For this new project, give it a name of Windows 2003 Sever. Set the scan range for your Windows IP ADDRESS, then click to perform a scan, and then click on Launch Scan. The scanning process can take a few minutes to complete.
- Refer to the YouTube Video on how to use both Nessus and Metasploit to penetrate the target server(s):
Kali Linux - Security by Penetration Testing Tutorial: Metasploit Pro - Learn how to penetrate, and capture proof that you pentrated the Windows 2003 server. Make certain to record the procedures in your lab log-book.
- Perform the same operations above, but for your vulnerable Linux server. Where you successful? If not, why do you think you were unsucessful? Perform a netsearch in Google to see if there are recommended approaches on how to penetrate the Fedora Core 5 system.
- Do you think performing a "Brute Force" or "Hail Mary" attack is advised? If not, provide the reasons why an alternative should be used.
- Open a shell terminal, and login as root.
- Issue the command: which armitage to confirm that this application exists on this server. If there is no pathname to that application, issue the command: apt-get install armitage (make certain application has been installed).
- While logged on as root, issue the command: armitage
- Refer to the following YouTube video to learn how to use armitage to scan and run exploitation attacks:
Use Armitage to Exploit Multiple Machines in Kali Linux - Note the differences between using armitage and the proprietory application Metasploit Pro in your lab log-book.
- After you have received authorization (i.e. "green light" from your instructor) try penetration testing on your Tank server accounts, login to confirm IP_ADDRESS, and start to perform penetration testing in this server. WORD TO THE WISE: Don't do anything relating to penetration testing with the Tank server without "thinking it through" first! (i.e. you have been warned)...
- Proceed to "Completing The Lab".
- File contents of your Linux and Windows system enumeration (both Nessus and Metasploit).
- Completed Lab 3 notes (indicating scanning and enumeration techniques).
- Explain the difference between scanning and enumeration.
- What is the purpose of a half-open scan when using the nmap utility?
- What is the purpose of a UDP scan when using the nmap utility?
- List 3 unique methods and permitted methods of performing penetration-testing at Seneca College?
- Explain how to issue the nmap command in order to save the results of the scan in a file. What is it useful to save results into a file?
- Define the term banner-grabbing. How does this term differ from fingerprinting?
- List and explain two types of utilities (frameworks) that can be used to exploit (gain access) to targetted servers?
- In your opinion, how can successfully exploiting a targetted server be useful?
- Try to instinctively guess 3 steps to take in order to help the targeted sever from being exploited.
</ol>
Answer Task #4 observations / questions in your lab log book.
Task #5: Accessing Vulnerable Servers Using Metasploit
Metasploit is a framework (collection of utilities) for penetration testing. This framework acts as
a server-client model that is run on an internal network (unlike Nessus which can be run from a remote server).
This framework is ideal when working on your host/VM setup for penetration testing. Depending on the targeted server's vulnerability, the penetration tester may be able to access that system.
Answer Task #5 observations / questions in your lab log book.
Completing the Lab
Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion: