Changes

← Older edit

SEC520/labs/Lab 3

2,974 bytes removed, 15:59, 21 July 2023

m

Protected "SEC520/labs/Lab 3": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))

<h1> Scanning, Enumeration & Vulnerability Testing</h1>

~~<a name="Introduction" id="Introduction"></a>~~<h2> Introduction</h2>

This lab focuses on identifying and exploiteng a server's vulnerabilities in order to gain access to that system. Information assembled in the reconnaissance phase provides the data used in the scanning & enumeration phases.

</ol></dd></dl>

~~<a name="Objectives" id="Objectives"></a>~~<h2> Objectives</h2>

<ol>

<li>Use the nmap utility to verify that a targeted server is active (running).</li>

~~<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a>~~<h2> Required Materials (Bring to All Labs)</h2>

<ul>

<li> SATA Hard Disk (in removable disk tray).

~~<a name="Prerequisites" id="Prerequisites"></a>~~<h2> Prerequisites</h2> <ul><li> ~~<a href="~~[https://~~scs~~wiki.~~senecac~~cdot.onsenecacollege.ca/~~%7Efac~~wiki/~~sec520~~SEC520/labs/~~SEC520_Lab_2.html">~~Lab_2 SEC520 Lab 2~~</a>~~]

</li></ul>

~~<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a>~~<h2> Online Tools and References</h2>

~~<tbody>~~<tr valign="top">

<td>Scanning & Enumeration</td>

<td>Vulnerability Testing</td>

~~<td>Other</td>~~

</tr>

<td>

<ul>

<li>~~<a href="http://linuxmanpages.com/man1/nmap.1.php" target="_new">nmap</a></li>~~ ~~<li><a href="~~[http://www.howtoforge.com/useful-uses-of-netcat~~" target="_new">~~netcat~~</a>~~]</li>

</ul>

</td>

<td>

<ul>

<li>~~<a href="~~[http://www.symantec.com/connect/articles/introduction-nessus~~" target="_new">~~nessus~~</a>~~]</li> <li>~~<a href="~~[http://www.ehacking.net/2011/10/metasploit-tutorials-from-beginner-to.html~~" target="_new">~~Metasploit Framework~~</a></li>~~ ~~</ul>~~ ~~</td>~~ ~~<td>~~ ~~<ul>~~ ~~<li><a href="http://linuxmanpages.com/" target="_new">Online Linux Manpages</a>~~]</li>

</ul>

</td>

</tr>

~~</tbody>~~</table>

~~<a name="Resources_on_the_web" id="Resources_on_the_web"></a>~~<h2> Course Notes / Resources</h2>

<ul>

<li>~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l1.odp~~" target="_new">~~odp~~</a>~~ ] | ~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l1.pdf~~" target="_new">~~pdf~~</a>~~ ] | ~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l1.ppt~~" target="_new">~~ppt ~~</a>~~](Slides: Scanning & Enumeration)</li> <li>~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l2.odp~~" target="_new">~~odp~~</a>~~ ] | ~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l2.pdf~~" target="_new">~~pdf~~</a>~~ ] | ~~<a href="~~[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w2_l2.ppt~~" target="_new">~~ppt ~~</a>~~](Slides: Vulnerability Testing)</li> <li>~~<a href="~~[http://www.youtube.com/watch?v=_Ch0RJlHFBo~~" target="_new">~~ Scanning 1~~</a>~~ ] | ~~<a href="~~[http://www.youtube.com/watch?v=WKLNAAt57Wg~~" target="_new">~~Scanning 2~~</a>~~ ] | ~~<a href="~~[http://www.youtube.com/watch?v=_Ch0RJlHFBo~~" target="_new">~~Enumeration~~</a>~~ ] |~~<a href="~~[https://www.youtube.com/watch?v=FMgAIfcPsyw~~" target="_new">~~Vulnerability Testing - Overview~~</a>~~ ] (YouTube Videos)</li> <li>~~<a href="~~[http://www.youtube.com/watch?v=BDTLdCllfr4~~" target="_blank">~~Installing Nessus in Kali Linux~~</a>~~ ] (YouTube Video)</li> <li>~~<a href="~~[http://www.youtube.com/watch?v=QjuyasD1aBE~~" target="_blank">~~Using Nessus in Kali Linux~~</a>~~ ] (YouTube Video)</li> <li>~~<a href="~~[http://www.youtube.com/watch?v=WlZuq6Vj5AI~~" target="_blank">~~Using Metasploit Pro in Kali Linux~~</a>~~ ] (YouTube Video)</li> <li>~~<a href="~~[http://www.youtube.com/watch?v=xErWWX2jllU~~" target="_blank">~~Use Armitage to Exploit Multiple Machines in Kali Linux~~</a>~~ ] (YouTube Video)</li> <li><a href="http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&recCount=50&recPointer=0&bibId=315433" target="_new">Penetration Tester's Open Source Toolkit (E-book)</a> (Chapter 3)</li>

</ul>

~~<a name="Performing_Lab_2" id="Performing_Lab_2"></a>~~<h1> Performing Lab 3</h1> ~~<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a>~~<h2> Task #1: Verifying Server is Active</h2>

After the reconnaissance phase, it is important to verify that

can be saved during the scanning and enumeration process by simply

confirming that your target exists. Wasting time while scanning invalid

targets can also increase the chance of detection from a server's IDS (Instrusion Detection System).

In investigations 1 - 3, you will be learning to perform manual scans of targeted servers using the nmap utility. It is useful to learn how to use nmap, since other penetration testing software such as Nessus and Metasploit (discussed in later investigations) use the nmap utility.

<li>Boot-up your Kali Linux (host).</li>

<li>Prior to booting up your vulnerable Linux and Windows VMs, follow the steps in the message box below to changes the network settings for each VM.</li>

~~</ol>~~

~~<ol>~~

<li value="3">After making the network settings changes (above for each VM), boot your vulnerable Linux and Windows VMs.</li>

<li>Determine the IP Addresses for your Linux VM (/sbin/ifconfig for LINUX_IP_ADDRESS) and your Windows 2003 Server VM (ipconfig for WINDOWS_IP_ADDRESS). Write this information in your lab log-book.</li>

<li>Issue the following command to verify that the virtual server is active: nmap -v -sn LINUX_IP_ADDRESS </li>

<li>Is this server active?</li>

~~</ol>~~

{{Admon/tip|Paranoid of Making a Mistake with nmap?|

If you are worried about making a mistake when using nmap (eg. scanning a wrong network), you can disconnect from the Seneca wireless or lan connection prior to scanning and enumeration. In this way, you are disconnected from Seneca's computer network prior to experimenting with your own host machine and virtual machines. Remember to establish the wireless or lan connection after you have performed your scan...~~</li></ol>~~|}}

~~<ol>~~ <li value="89">Try to verify that the Windows 2003 Server is active (running nmap with your WINDOWS_IP_ADDRESS).</li> <li>Can you detect this server? Write the result in your lab log-book.</li> <li>Try performing a UDP scan for both the Linux and Windows VMs by issuing the following commands: nmap -v -sU LINUX_IP_ADDRESS nmap -v -sU WINDOWS_IP_ADRESS This may take some time. Try to time how long this UDP scan takes, and compare it with the TCP ping scan you previously performed. Why do you think it is useful to perform a UDP scan in addition to a TCP scan? </li> <li> Record your findings in your lab log-book.</li> <li>Proceed to Task #2 </li> </ol>

Answer the Task #1 observations / questions in your lab log book.

~~<a name="Task2" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a>~~<h2> Task #2: Various Scanning Techniques</h2>

Now that we have verified that our targeted IP Addresses are active, we

can perform a scan to determine which services are running on those

servers. We can also record this information in a report format

(which can be inserted into a later Security Audit Report).

INSTRUCTIONS:

<ol>

<li>Use the nmap command to perform a stealthy scan in order to list the ports for the Linux VM by issuing the following command: nmap -sS LINUX_IP_ADDRESS </li>

<li>Record any running services (with associated port numbers) in your lab log-book.</li>

<li>Repeat step 2, but view course notes and add an option to record findings in report file(s) called /root/linux_vm_scan</li>

~~<a name="Task3" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a>~~<h2> Task #3: Enumeration Techniques</h2>

<li>Can you detect the type and version of the operating system? Record your findings in your log lab-book.</li>

<li>Perform the same scan, but for the Windows 2003 Server VM. Record your findings in your log lab-book.</li>

<li>Issue the following command to perform a banner grab for your vulnerable Linux VM: nmap -sV LINUX_IP_ADDRESS </li>

<li>Take several minutes to review class notes, YouTube vidoes, and the online man pages to learn how to use the netcat utility before proceeding.</li>

<li>Use the netcat utility to verify the purpose of the running services on the Linux VM.</li>

~~<a name="Task4" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a>~~<h2> Task #4: Identifying Server Vulnerabilities Using Nessus</h2>

This section will reap the benefits from the previous phases of penetration testing you have performed in the previous labs. You

<ol>

<li>Make certain that your Kali Linux system is running, and that both of your Windows and Linux VMs are running.</li>

~~</ol>~~

{{Admon/tip|Exploiting Local Systems: Nessus Server-Client|This

to determine its vulnerabilities. This application has the nmap utility built into the application, and allows for plugins to be added to enhance vulnerability testing. The Nessus server

(daemon) must run first to allow the penetration test to graphically interface with the application (client).|}}

~~<ol>~~ <li>First you should register a free account on the Nessus Website in order to download plugins (and run the nessus server). To register, go to the following URL, and select home use: ~~<a href="~~[http://www.nessus.org/register/~~" target="_new">~~http://www.nessus.org/register/~~</a>~~]. Once you complete the registration form, an e-mail will be sent with a "one-time" ACTIVATION_CODE_# (you will need this in an up-coming step). </li> <li>Next, in your host machine, open a shell terminal and issue the following command to install the gdebi application to allow you to automatically download and install debian packages by clicking on a .deb file link: sudo apt-get install gdebi </li>~~</ol>~~

{{Admon/tip|Is There a Previous Version of Nessus?|

If there is already an older version of nessus that exists on your host, remove it by issuing the command: sudo apt-get remove nessus

|}}

~~<ol>~~

<li value="3">Next go to the following website: <a href="http://www.tenable.com/products/nessus/nessus-download-agreement" target="_new">http://www.tenable.com/products/nessus/nessus-download-agreement</a> (select to download a version for Debian for your appropriate OS: 32-bit or 64-bit).</li>

<li>A dialog box will appear to allow you to save the file. Note the directory where you have saved the deb file.</li><li>In the Administration menu, selec the Gdebi Package Manager. Click the File menu, and open and then select the downloaded deb file. Allow the program to install the Nessus package.</li>

~~<li>Allow the installation to complete (it may take a long time to download the newest plugins). </li>~~

<li>You need to create a username and password in order to access the Nessus server (from web-browser). Run the following command to create a username and password: sudo /opt/nessus/sbin/nessus-adduser </li>

<li>Prior to starting the Nessus server, you need to register this application. Use the registration/activiation code (provided from e-mail you received from above procedure) by issuing the command: sudo /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx (i.e. xxxx-xxxx-xxxx-xxxx represents activation-code contained in received e-mail message) </li>

~~<li>Issue the following command to start the Nessus server: sudo service nessusd start </li>~~

<li>You can run the Nessus client application in order to connect to the Nessus server (recommended) by web-browser. Simply launch a web-browser and type the following URL: <a href="https://127.0.0.1:8834/" target="_new">https://127.0.0.1:8834/</a></li>

~~</ol>~~

<li value="3">Next go to the following website: [http://www.tenable.com/products/nessus/nessus-download-agreement http://www.tenable.com/products/nessus/nessus-download-agreement] (select to download a version for Debian for your appropriate OS: 32-bit or 64-bit).</li> <li>A dialog box will appear to allow you to save the file. Note the directory where you have saved the deb file.</li> <li>In the Administration menu, selec the Gdebi Package Manager. Click the File menu, and open and then select the downloaded deb file. Allow the program to install the Nessus package.</li> <li>Allow the installation to complete (it may take a long time to download the newest plugins). </li> <li>You need to create a username and password in order to access the Nessus server (from web-browser). Run the following command to create a username and password: sudo /opt/nessus/sbin/nessus-adduser </li> <li>Prior to starting the Nessus server, you need to register this application. Use the registration/activiation code (provided from e-mail you received from above procedure) by issuing the command: sudo /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx (i.e. xxxx-xxxx-xxxx-xxxx represents activation-code contained in received e-mail message) </li> <li>Issue the following command to start the Nessus server: sudo service nessusd start </li> <li>You can run the Nessus client application in order to connect to the Nessus server (recommended) by web-browser. Simply launch a web-browser and type the following URL: [https://127.0.0.1:8834/ https://127.0.0.1:8834/]</li> {{Admon/tip|Problems connecting to Future Nessus Sessions| If you have installed and setup Nessus, yet cannot connect to the Nessus client, check to see if the Nessus server is running, and if no, start the service. It is recommended to make this service persistent. |}} ~~<ol>~~ <li value="11">When the application launches in the web-browser resource, you may have to indicate that you trust the connection, and to add an exception. It may take serveral minutes for the application to initialize. Login to your default user account (with the corresponding password). </li>

<li>Go to the Policies section, and create a new policy called Basic for a "Basic Scan". Select this policy for Windows, but you are NOT required to provide the Window's username and password.</li>

<li>Click the Scan section and add a new scan called Windows 2003 Server using the Basic policy, and adding the IP ADDRESS at the bottom target area. Click on the Launch button to begin the scan.</li>

<li>You will be able to view the status of the scan. When the scanning has been completed, view and note the vulnerabilities that are listed in the scanning report.</li>

<li>What vulnerabilities do you see? Which ones were the most severe? Record these observations in your lab log-book.</li>

<li>How do you think that you can use the above-mentioned information that you have collected? Note your observations in your lab log-book. </li>

<li>Try creating other policies for the different types, and repeat scanning for the Windows target. What other vulnerabilities did you discover? Record your findings in your lab Log-book.</li>

<li>Repeat steps 12 to 16, but for your Vulnerable Linux (Fedora) sever VM. Make certain to use your VULNERABLE_IP_ADDRESS (or range) and name the report Fedora 5 Linux. Note your observations in your lab log-book.</li>

</ol>

Answer Task #4 observations / questions in your lab log book. ~~ ~~

~~<a name="Task5" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a>~~<h2> Task #5: Accessing Vulnerable Servers Using Metasploit</h2>

Metasploit is a framework (collection of utilities) for penetration testing. This framework acts as

a server-client model that is run on an internal network (unlike Nessus which can be run from a remote server).

This framework is ideal when working on your host/VM setup for penetration testing. Depending on the targeted server's vulnerability, the penetration tester may be able to access that system.

~~ ~~

<ol>

<li>For both vulnerable machines, log-in as a regular-user.</li>

<li>To obtain the Proprietary version of Metasploit, you need to register first. Here is the link to Metasploit Pro website: ~~<a href="~~[https://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp~~" target="_blank">~~https://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp~~</a>~~]</li>

<li>You will presented with a form to fill-out your personal information, and then you are required to create account. Make certain to apply for the free (community edition). During that process, you will be required to fill out information (including e-mail) in order to get an activation code.</li>

<li>At some point, you will be redirected to another screen to download the file for Metaspoit Pro. Once downloaded, you need to add execution permissions for the downloaded file, and run the file from the shell.</li>

<li>Back in your e-mail message with the activiation code, there is a link to a "Getting Started Guide (pdf)". Take a few minutes to read the pdf to get a sense of how to setup and use Metasploit to exploit your Window and Linux servers.</li>

<li>In your screen, click New Project. For this new project, give it a name of Windows 2003 Sever. Set the scan range for your Windows IP ADDRESS, then click to perform a scan, and then click on Launch Scan. The scanning process can take a few minutes to complete.</li>

~~</ol>~~

{{Admon/tip|Scanning is Required Prior to Exploitation|

Other than configuration there are generally three steps in using Metasploit:<ul><li>Scan the targeted server(s) to detect vulnerabilities</li><li>If any vulnerabilities are discovered, load the attack(s) to exploit the server, thus hopefully gaining access to the targeted server</li><li>Collect evidence to show employer or client proof of vulnerable server being penetrated</li></ul> After proving server penetration, then steps can be taken to make it harder for the server to be penetrated (referred to as system "hardening").

|}}

~~<ol~~> <li value="10">Refer to the YouTube Video on how to use both Nessus and Metasploit to penetrate the target server(s): ~~<a href="~~[http://www.youtube.com/watch?v=WlZuq6Vj5AI~~" target="_blank">~~Kali Linux - Security by Penetration Testing Tutorial: Metasploit Pro~~</a>~~] </li>~~</ol~~>

{{Admon/tip|Upgrade to Pro Trial Version Required|

When you start an exploit or "brute force" attack, you will be shown a webpage that allows you to upgrade to the Pro version (trial version). Click on that link to download activation code to install and register the trial version, then continue with your exploit.

|}}

~~<ol>~~

<li value="10">Learn how to penetrate, and capture proof that you pentrated the Windows 2003 server. Make certain to record the procedures in your lab log-book.</li>

<li>Perform the same operations above, but for your vulnerable Linux server. Where you successful? If not, why do you think you were unsucessful? Perform a netsearch in Google to see if there are recommended approaches on how to penetrate the Fedora Core 5 system.</li>

<li>Do you think performing a "Brute Force" or "Hail Mary" attack is advised? If not, provide the reasons why an alternative should be used. </li>~~</ol~~>

{{Admon/tip|Armitage is Open Source (free) GUI Alternative|

The company rapid7 has taken over ownership of Metasploit, and the the full version of this application costs approximately $1800! On the positive side, there is an open source (free) GUI for Metasploit client called armitage. If armitage does not appear to be present on your Kali Linux system, it has been added to the default repository for install. You will be following instructions below to install and run armitage and compare the common scanning and exploit attacks to gain access.

|}}

~~<ol>~~

<li value="13">Open a shell terminal, and login as root.</li>

<li>Issue the command: which armitage to confirm that this application exists on this server. If there is no pathname to that application, issue the command: apt-get install armitage (make certain application has been installed).</li>

<li>While logged on as root, issue the command: armitage</li>

<li>Refer to the following YouTube video to learn how to use armitage to scan and run exploitation attacks: ~~<a href="~~[https://www.youtube.com/watch?v=j7uLBzULOE0&feature=youtu.be~~" target="_blank">~~Use Armitage to Exploit Multiple Machines in Kali Linux~~</a>~~] </li>

<li>Note the differences between using armitage and the proprietory application Metasploit Pro in your lab log-book.</li>

~~</ol>~~

{{Admon/important|Additional Practice with Metasploit (Optional)|

If you were not able to access the Fedora Core 5 machine, you can always perform a Google search to find out techniques to help to access the machine. You ca

n also create another VM using a more vulnerable Linux Distribution (like Metasploitable: ~~<a href="~~[http://www.rapid7.com/resources/videos/test-metasploit-~~wit~~ hwith-metasploitable.jsp~~" target="_blank">~~Download Metasploitable OS~~</a>~~] Another thing to consider is to learn how to use the Metasploit command conso le to learn how to load and launch singluar attacks (resource: ~~<a href="~~[http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands~~" target="_~~ ~~blank">~~MSF Console Commands~~</a>~~]

|}}

~~<ol>~~

<li value="18">After you have received authorization (i.e. "green light" from your instructor) try penetration testing on your Tank server accounts, login to confirm IP_ADDRESS, and start to perform penetration testing in this server. WORD TO THE WISE: Don't do anything relating to penetration testing with the Tank server without "thinking it through" first! (i.e. you have been warned)...</li>

~~</ol>~~ ~~<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;"~~> ~~<div style="float: left; margin-left: -40px;"><a href="https:/~~{{Admon/~~scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/Idea.png" height="35" border="0" width="35"></a></div>~~ ~~<div>~~tip|Preparing for Lab #4~~ ~~|

Now that you have learned to pentrate a network server, you will learn now to protect (harden) the server. We will learn how to harden the Linux server first, and then learn how to harden the Windows 2003 server (in a later lab).

You will be creating a new virtual machine called "Hardened Linux" with the most recent version of Fedora. The reason why we do this is that Fedora 5 is no longer supported, and we want to learn the proper way to harden a Linux system (which involves constant upgrading).

In Virtualbox, you can install a downloaded Fedora image as a virtual file. You will learn how to perform this in lab4. In the meantime, you can download the most recent version of the Fedora install DVD image from (32-bit or 64-bit): ~~<a href="~~[http://mirrors.fedoraproject.org/publiclist/Fedora/17/~~" target="_new">~~https://getfedora.org/en/workstation/~~</a>~~] ~~</div></div>~~|}} ~~<ol>~~ <li value="1719">Proceed to "Completing The Lab".</li>

</ol>

~~<a name="Completing_the_Lab" id="Completing_the_Lab"></a>~~<h1> Completing the Lab </h1>

Arrange evidence for each of these items on your screen, then ask

your instructor to review them and sign off on the lab's completion:

~~<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a>~~<h1> Preparing for Quizzes </h1>

<ol>

Chris.johnson

Bureaucrats, Administrators

1,576

edits

CDOT Wiki β

Changes

SEC520/labs/Lab 3

CDOT Wiki ^β