<h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Access a server by creating a webpage using the <b>&lt;iframe&gt;</b> tag to redirect a user to a <b>Metasploit exploit</b> in order to gain access to the computer system.
</li><li>Understand how <b>phishing</b> can be used to have the user inadvertently activate (trigger) HTML code to access a vulnerable server via a web-browser. </li><li>Perform <b>IP Spoofing</b> (Man in the Middle) attacks in order to obtain useful information from a connection between computers. </li><li>Access and manipulate a database server to gain access into the targeted server. </li><li>Use a <b>password cracking program</b> to discover and access user accounts, and possibly root access.
</li></ol>
<p><br>
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray). </li><li> <b>Lab Logbook (Lab6 Reference Sheet)</b> (to make notes and observations). </li></ul>
<p><br> </p>
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> [https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_3 SEC520 Lab 3] </li></ul>
<p><br> </p>
<h2> <span class="mw-headline">Online Tools and References</span></h2>
<ul>
<li>[http://www.ehacking.net/2011/10/metasploit-tutorials-from-beginner-to.html Metasploit Framework]</li>
<li>[http://linuxmanpages.com/man1/nmap.1.php nmap]</li>
<li>[http://www.irongeek.com/i.php?page=security/arpspoof arpspoof]</li>
<li>[http://arhodes505.awardspace.us/minituts/xhydra.htm xhydra]</li>
</ul>
<p><br> </p>
<h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.odp odp] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.pdf pdf] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.ppt ppt] (Slides: Types of Attacks)</li>
<li>[http://www.youtube.com/watch?v=ZUygX8TBBw0 Phishing] | [http://www.youtube.com/watch?v=PqfZM3Lxrmg Malicious Payload] | [http://www.youtube.com/watch?v=-hd7XG-b6uk IP Spoofing] | [http://www.youtube.com/watch?v=AhTfo6pWBIM Database Injection] | [http://www.youtube.com/watch?v=Iyh_w0Ix2bc Cracking Weak Passwords] (YouTube Videos)</li>
<li>[http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&recCount=50&recPointer=0&bibId=315433 Penetration Tester's Open Source Toolkit (E-book)] (Chapters 4, 5, 6)</li>
</ul>
<p><br> </p>
<h1> <span class="mw-headline">Performing Lab 4</span></h1>
<br>
{{Admon/caution|CAUTION!|Scanning ports and exploiting servers require the permission of the server owner (preferably in writing).
Students must either use their VMs, use the IFS lab (if available), or sign an agreement to use the <b>Tank</b> server when practising these computer system intrusion methods.|}}
<br>
<h2> <span class="mw-headline">Task #1: Web-browser Redirect (Phishing) Attacks</span></h2>
<br>
This section will demonstrate the vulnerability of a computer system with one of its weakest links: <i>Humans</i>. You will be using the <b>Metasploit</b> framework to create an attack on your server that will <i>exploit</i> and <i>gain access</i> to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
<br>
INSTRUCTIONS:
<br /><br />
Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the <b>Armitage</b> frontend, other strategies such as <i>lurking</i> to gain access (via reverse shell) by redirecting web-browser traffic are also available.
<br /><br />
In this section, we will be using the msfconsole to issue commands to exploit via the web-browser. Before we start, we should update our Metasploit Framework. In order to achieve this, we will update the older version of Metasploit that came with our Kali Linux edition with a new version:
<br /><br />
{{Admon/tip|Using The MSF Console| <b>msfconsole</b> is a shell that allows penetration testers to issue commands when working with Metasploit. For example, IFS students in the degree program are expected to perform penetration testing more in the msfconsole than using Metasploit GUIs like Armitage!<br /><br /> We will be running the <b>msfconsole</b> command to access the command shell, and set up a typical phishing attack. |}}
<br />
<ol>
<li>Log in as <b>root</b> user, and issue the command: <b>msfconsole</b> (ignore error, console should eventually load).
If problems persist, check to see if the Metasploit server is running.<br> Next, we will be generating an attack payload (code) that can be executed from an HTML file (via a form button) to gain access to the computer system. Perform the following steps to create this payload (HTML) file: <br /></li>
<li>In the <b>msfconsole</b>, issue the following commands: <br /></li>
</ol>
<pre>
use auxiliary/server/capture/http_basic
show options
set REALM Facebook Gateway
set URIPATH /
run
</pre>
<ol>
<li value="3">Note the <b>LOCAL IP ADDRESS</b>. You will be entering that address in a web-browser on your targeted Windows server.</li>
<li>Your attack server (running Metasploit) is now "lurking" until the user enters data in a windows dialog box.</li>
</ol>
{{Admon/important|Disable Internet Explorer Enhanced Security|
<ol>
</ol>
<br /><br />
Here is how simple (subtle) it can be:<br /><br />
<ol>
</ol>
|}}
<ol>
<br /> <li value="14">Proceed to Task #2</li> </ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<p><br>
This section will demonstrate an <b>IP Spoofing</b> attack (sometimes referred to as <i>"arp poisoning"</i>) where the target server is "tricked" into communicating with a server that it assumes has the correct MAC address. The attacker can then <b>"feed packets"</b> to the destination, allowing for an uninterrupted session to obtain information such as usernames and passwords. <br><br> INSTRUCTIONS: </p><ol>
<li>We will be using your <b>Kali Linux</b> host machine, <b>Vulnerable Windows VM</b>, and <b>Vulnerable Linux VM</b> for this section.</li>
<li>Note the IP Address of your Windows server. </li><li>Make certain that your Windows machine is running an FTP server. Set up the FTP server to only allow users to access the FTP server by username and password (possibly not required from default installation and startup).</li>
<li>For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: <b>ping LINUX_IP_ADDR -t</b><br /><br />You should now see proof of a connection between your vulnerable Windows and Linux servers.</li>
<li>Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.</li>
<li>Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: <b>ping WINDOWS_IP_ADDR</b></li>
<li>We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.</li>
<li>Switch to your Kali Linux (host) server, and open a shell terminal.</li>
<li>While in the host (attack) machine, issue the following Linux command:<br /><br /> <b>sudo arpspoof -t WINDOWS_IP_ADDR LINUX_IP_ADDR</b><br><br> </li>
<li>We need to continue the "man in the middle" attack by now performing the same maneuver for the Linux VM.
While still in the host (attack) machine, open another shell terminal and issue the following Linux command: <br><br><b>sudo arpspoof -t LINUX_IP_ADDR WINDOWS_IP_ADDR</b><br><br></li>
<li>Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.<br /><br /></li>
</ol>
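The poisoning performed in the steps above is visible in each victim's neighbour (ARP) cache, so it can be detected from the VMs themselves. The following is an added example, not part of the original lab: it compares two <b>ip neigh show</b> snapshots taken on the vulnerable Linux VM and reports the two usual signs of ARP cache poisoning. The addresses, MACs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` output from the Linux VM (all values are made up).
# 192.168.56.10 stands for the Windows VM, 192.168.56.1 for the Kali host.
BEFORE = """\
192.168.56.10 dev eth0 lladdr 08:00:27:aa:aa:aa REACHABLE
192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:01 STALE
192.168.56.77 dev eth0 FAILED
"""
DURING = """\
192.168.56.10 dev eth0 lladdr 0a:00:27:00:00:01 REACHABLE
192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:01 REACHABLE
"""

NEIGH_RE = re.compile(
    r"^(\S+)[ \t]+dev[ \t]+(\S+)[ \t]+lladdr[ \t]+([0-9a-fA-F:]{17})\b", re.M)

def parse_neigh(text):
    """Return {ip: mac}; entries with no lladdr (FAILED/INCOMPLETE) are skipped."""
    return {ip: mac.lower() for ip, _dev, mac in NEIGH_RE.findall(text)}

def arp_anomalies(before, during):
    """Report IPs whose MAC changed and MACs that now answer for several IPs."""
    findings = []
    for ip, mac in sorted(during.items()):
        old = before.get(ip)
        if old and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    by_mac = defaultdict(list)
    for ip, mac in during.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        # A shared MAC can be legitimate (multi-homed host, proxy ARP),
        # so treat it as a signal to investigate, not as proof.
        if len(ips) > 1:
            findings.append(("shared_mac", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in arp_anomalies(parse_neigh(BEFORE), parse_neigh(DURING)):
        print(finding)
```

On a network where this matters, static ARP entries for critical hosts or switch-level dynamic ARP inspection prevent the cache from being overwritten in the first place.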
<br>
<ol>
</ol>
{{Admon/important|Obtaining Username / Password Information|One of the main reasons for a <b>"man in the middle" attack</b> is to obtain sensitive information such as a username and password for further exploitation. A <b>Packet Sniffer</b> is a useful tool when using a "man in the middle attack". Throughout your journey in the area of Internet Security, you will soon learn there
<br>
<ol>
</ol>
{{Admon/important|FTP Doesn't Work / Alternative Arp Poisoning Method|
<ol>
<p><b>Answer Task #2 observations / questions in your lab log book.</b>
</p><p><br>
</p>
INSTRUCTIONS:
<ol>
</ol>
<pre> <?php
</pre>
<br>
<ol>
</ol>
<pre> <?php
</pre>
<ol>
</ol>
<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>
INSTRUCTIONS:
<ol>
{{Admon/important|xhydra|xhydra is a graphical frontend of a program
that scans open ports, and attempts to crack account passwords that are
weak using a dictionary file of potential passwords. Of course, you
could have performed this task manually by using <b>nmap</b> to scan open ports, and use other password cracking tools (such as <b>Cain and Abel</b>), but <b>xhydra</b> performs these operations automatically.|}}
<br>
{{Admon/important|Gaining Root Access|Once a penetration tester has access to a system as an unprivileged user, there are methods to try to identify and gain access to an administrative account.<br /><br />
For example, with Linux systems, this can mean gaining access to the <b>/etc/passwd</b> file to list users with administrative privileges and gaining access to the <b>/etc/shadow</b> file to attempt to crack the root password hash (via the <b>John the Ripper</b> utility).
|}}
<br>
<br />
{{Admon/important|Sharpening Your Skills (hackthissite.org)|
|}}
<br />
</ol>
<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
</p>
</p>
<ol>
</ol>
<p><br>
<ol>
</ol>