Changes

Jump to: navigation, search

SEC520/labs/Lab 3

676 bytes removed, 15:55, 31 January 2018
no edit summary
<h2> <span class="mw-headline">Online Tools and References</span></h2>
<table cellpadding="12">
<tbody><tr valign="top">
<td><b>Scanning &amp; Enumeration</b></td>
<td><b>Vulnerability Testing</b></td>
<td><b>Other</b></td>
</tr>
<td>
<ul>
<li>[http://linuxmanpages.com/man1/nmap.1.php nmap]</li>
<li>[http://www.howtoforge.com/useful-uses-of-netcat netcat]</li>
</ul>
</ul>
</td>
<td> <ul> <li>[http://linuxmanpages.com/ Online Linux Manpages]</li> </ul> </td>
</tr>
</tbody></table>
<p><br>
</p>
<li>[http://www.youtube.com/watch?v=QjuyasD1aBE Using Nessus in Kali Linux] (YouTube Video)</li>
<li>[http://www.youtube.com/watch?v=WlZuq6Vj5AI Using Metasploit Pro in Kali Linux] (YouTube Video)</li>
<li>[http://www.youtube.com/watch?v=xErWWX2jllU Use Armitage to Exploit Multiple Machines in Kali Linux] (YouTube Video)</li> <li>[http://libcat.senecac.on.ca/vwebv/holdingsInfo?searchId=89542&amp;recCount=50&amp;recPointer=0&amp;bibId=315433 Penetration Tester's Open Source Toolkit (E-book)] (Chapter 3)</li>
</ul>
can be saved during the scanning and enumeration process by simply
confirming that your target exists. Wasting time while scanning invalid
targets can also increase the chance of detection from a server's IDS (Instrusion Detection System).<br /><br />
In investigations 1 - 3, you will be learning to perform manual scans of targeted servers using the nmap utility. It is useful to learn how to use nmap, since other penetration testing software such as Nessus and Metasploit (discussed in later investigations) use the nmap utility.
<br><br>
<li>Boot-up your <i>Kali Linux (host)</i>.</li>
<li>Prior to booting up your vulnerable Linux and Windows VMs, follow the steps in the message box below to changes the network settings for <u>each</u> VM.</li>
</ol>
<ol>
<li value="3">After making the network settings changes (above for each VM), boot your vulnerable Linux and Windows VMs.</li>
<li>Determine the IP Addresses for your Linux VM (<b>/sbin/ifconfig</b> for LINUX_IP_ADDRESS) and your Windows 2003 Server VM (<b>ipconfig</b> for WINDOWS_IP_ADDRESS). Write this information in your lab log-book.</li>
<li>Issue the following command to verify that the virtual server is active:<br><br><b>nmap -v -sn LINUX_IP_ADDRESS</b><br><br></li>
<li>Is this server active?</li>
</ol>
{{Admon/tip|Paranoid of Making a Mistake with nmap?|
If you are worried about making a mistake when using nmap (eg. scanning a wrong network), you can <b>disconnect from the Seneca wireless or lan connection prior to scanning and enumeration</b>. In this way, you are disconnected from Seneca's computer network prior to experimenting with your own host machine and virtual machines. Remember to establish the wireless or lan connection after you have performed your scan...</li></ol>|}}
<ol> <li value="89">Try to verify that the Windows 2003 Server is active (running nmap with your WINDOWS_IP_ADDRESS).</li> <li>Can you detect this server? Write the result in your lab log-book.</li> <li>Try performing a <b>UDP scan</b> for <b>both the Linux and Windows VMs</b> by issuing the following commands:<br /><br /><b>nmap -v -sU LINUX_IP_ADDRESS</b><br /><b>nmap -v -sU WINDOWS_IP_ADRESS</b><br /><br />This may take some time. Try to time how long this UDP scan takes, and compare it with the TCP ping scan you previously performed. Why do you think it is useful to perform a UDP scan in addition to a TCP scan?<br /><br /></li> <li> Record your findings in your lab log-book.</li> <li>Proceed to Task #2<br><br></li> </ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
can perform a scan to determine which services are running on those
servers. We can also record this information in a report format
(which can be inserted into a later Security Audit Report).<br /><br />
<p>
INSTRUCTIONS:
</p><ol>
<li>Use the <b>nmap</b> command to perform a <b>stealthy scan</b> in order to list the ports for the Linux VM by issuing the following command:<br /><br /><b>nmap -sS LINUX_IP_ADDRESS</b><br /><br /></li>
<li>Record any running services (with associated port numbers) in your lab log-book.</li>
<li>Repeat step 2, but view course notes and add an <b>option</b> to record findings in report file(s) called <b>/root/linux_vm_scan</b></li>
<li>Can you detect the type and version of the operating system? Record your findings in your log lab-book.</li>
<li>Perform the same scan, but for the Windows 2003 Server VM. Record your findings in your log lab-book.</li>
<li>Issue the following command to perform a <b>banner grab</b> for your vulnerable Linux VM:<br /><br /><b>nmap -sV LINUX_IP_ADDRESS</b><br /><br /></li>
<li>Take several minutes to review <b>class notes</b>, <b>YouTube vidoes</b>, and the <b>online man pages</b> to learn how to use the <b>netcat</b> utility before proceeding.</li>
<li>Use the <b>netcat</b> utility to verify the purpose of the running services on the Linux VM.</li>
<ol>
<li>Make certain that your <b>Kali Linux system is running</b>, and that both of your <b>Windows and Linux VMs are running</b>.</li>
</ol>
<br>
{{Admon/tip|Exploiting Local Systems: Nessus Server-Client|This
to determine its vulnerabilities. This application has the <b>nmap</b> utility built into the application, and allows for plugins to be added to enhance vulnerability testing. The Nessus server
(<b>daemon</b>) must run first to allow the penetration test to graphically interface with the application (<b>client</b>).|}}
<ol> <br /> <li>First you should register a free account on the <b>Nessus Website</b> in order to download plugins (and run the nessus server). To register, go to the following URL, and select home use: [http://www.nessus.org/register/ http://www.nessus.org/register/]. Once you complete the registration form, an e-mail will be sent with a "one-time" ACTIVATION_CODE_# (you will need this in an up-coming step).<br /><br /></li> <li>Next, in your host machine, open a shell terminal and issue the following command to install the <b>gdebi</b> application to allow you to automatically download and install debian packages by clicking on a .deb file link:<br /><b>sudo apt-get install gdebi</b><br /><br /></li></ol>
{{Admon/tip|Is There a Previous Version of Nessus?|
If there is already an older version of <b>nessus</b> that exists on your host, remove it by issuing the command: <br /><b>sudo apt-get remove nessus</b><br />
|}}
<br>
<ol>
<li value="3">Next go to the following website: [http://www.tenable.com/products/nessus/nessus-download-agreement http://www.tenable.com/products/nessus/nessus-download-agreement]<br /> (select to download a version for <b>Debian</b> for your appropriate OS: 32-bit or 64-bit).</li>
<li>A dialog box will appear to allow you to save the file. Note the directory where you have saved the deb file.</li><li>In the <b>Administration</b> menu, selec the <b>Gdebi Package Manager</b>. Click the <b>File</b> menu, and <b>open</b> and then select the downloaded deb file. Allow the program to install the Nessus package.</li>
<li>Allow the installation to complete (it may take a long time to download the newest plugins).<br /><br /></li>
<li>You need to create a username and password in order to access the Nessus server (from web-browser). Run the following command to create a username and password:<br /><b>sudo /opt/nessus/sbin/nessus-adduser</b><br /><br /></li>
<li>Prior to starting the Nessus server, you need to register this application. <b>Use the registration/activiation code (provided from e-mail you received from above procedure)</b> by issuing the command:<br /><b>sudo /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx</b><br /> (i.e. xxxx-xxxx-xxxx-xxxx represents activation-code contained in received e-mail message)</b><br /><br /></li>
<li>Issue the following command to start the Nessus server: <b>sudo service nessusd start</b><br /><br /></li>
<li>You can run the Nessus client application in order to connect to the Nessus server (recommended) by web-browser. Simply launch a web-browser and type the following URL: <b>[https://127.0.0.1:8834/ https://127.0.0.1:8834/]</b></li>
</ol>
<li value="3">Next go to the following website: [http://www.tenable.com/products/nessus/nessus-download-agreement http://www.tenable.com/products/nessus/nessus-download-agreement]<br> (select to download a version for <b>Debian</b> for your appropriate OS: 32-bit or 64-bit).</li> <li>A dialog box will appear to allow you to save the file. Note the directory where you have saved the deb file.</li> <li>In the <b>Administration</b> menu, selec the <b>Gdebi Package Manager</b>. Click the <b>File</b> menu, and <b>open</b> and then select the downloaded deb file. Allow the program to install the Nessus package.</li> <li>Allow the installation to complete (it may take a long time to download the newest plugins).<br><br></li> <li>You need to create a username and password in order to access the Nessus server (from web-browser). Run the following command to create a username and password:<br><b>sudo /opt/nessus/sbin/nessus-adduser</b><br><br></li> <li>Prior to starting the Nessus server, you need to register this application. <b>Use the registration/activiation code (provided from e-mail you received from above procedure)</b> by issuing the command:<br><b>sudo /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx</b><br><b> (i.e. xxxx-xxxx-xxxx-xxxx represents activation-code contained in received e-mail message)</b><br><br></li> <li>Issue the following command to start the Nessus server: <b>sudo service nessusd start</b><br><br></li> <li>You can run the Nessus client application in order to connect to the Nessus server (recommended) by web-browser. Simply launch a web-browser and type the following URL: <b>[https://127.0.0.1:8834/ https://127.0.0.1:8834/]</b></li>   {{Admon/tip|Problems connecting to Future Nessus Sessions| If you have installed and setup Nessus, yet cannot connect to the Nessus client, check to see if the Nessus server is running, and if no, start the service. It is recommended to make this service persistent. |}}<br /><ol> <li value="11">When the application launches in the web-browser resource, you may have to indicate that you trust the connection, and to add an exception. It may take serveral minutes for the application to initialize. Login to your default user account (with the corresponding password).<br /><br /></li>
<li>Go to the <b>Policies</b> section, and create a new policy called <b>Basic</b> for a "Basic Scan". Select this policy for Windows, but you are NOT required to provide the Window's username and password.</li>
<li>Click the <b>Scan</b> section and add a new scan called <b>Windows 2003 Server</b> using the <b>Basic</b> policy, and adding the IP ADDRESS at the bottom target area. Click on the <b>Launch</b> button to begin the scan.</li>
<li>You will be able to view the status of the scan. When the scanning has been completed, view and note the vulnerabilities that are listed in the scanning report.</li>
<li>What vulnerabilities do you see? Which ones were the most severe? Record these observations in your lab log-book.</li>
<li>How do you think that you can use the above-mentioned information that you have collected? Note your observations in your lab log-book.<br /><br /></li>
<li>Try creating other policies for the different types, and repeat scanning for the Windows target. What other vulnerabilities did you discover? Record your findings in your lab Log-book.</li>
<li>Repeat <b>steps 12 to 16</b>, but for your <b>Vulnerable Linux (Fedora) sever VM</b>. Make certain to use your <b>VULNERABLE_IP_ADDRESS (or range)</b> and name the report <b>Fedora 5 Linux</b>. Note your observations in your lab log-book.</li>
</ol>
<p><b>Answer Task #4 observations / questions in your lab log book.</b> </p><p><br></p> 
<h2> <span class="mw-headline">Task #5: Accessing Vulnerable Servers Using Metasploit</span></h2>
a server-client model that is run on an <b>internal network</b> (unlike <b>Nessus</b> which can be run from a remote server).
This framework is ideal when working on your host/VM setup for penetration testing. Depending on the targeted server's vulnerability, the penetration tester may be able to access that system.
<br /><br /><br />
<ol>
<li>For <u>both</u> vulnerable machines, log-in as a regular-user.</li>
<li>Back in your e-mail message with the <b>activiation code</b>, there is a link to a <b>"Getting Started Guide (pdf)"</b>. Take a few minutes to read the pdf to get a sense of how to setup and use Metasploit to exploit your Window and Linux servers.</li>
<li>In your screen, click <b>New Project</b>. For this new project, give it a name of <b>Windows 2003 Sever</b>. Set the scan range for your Windows IP ADDRESS, then click to perform a scan, and then click on <b>Launch Scan</b>. The scanning process can take a few minutes to complete.</li>
</ol><br />
{{Admon/tip|Scanning is Required Prior to Exploitation|
<br /><br />Other than configuration there are generally three steps in using Metasploit:<ul><li><b>Scan the targeted server(s)</b> to detect vulnerabilities</li><li>If any vulnerabilities are discovered, <b>load the attack(s) to exploit the server</b>, thus hopefully gaining access to the targeted server</li><li><b>Collect evidence</b> to show employer or client proof of vulnerable server being penetrated</li></ul><br /><br />After proving server penetration, then steps can be taken to make it harder for the server to be penetrated (referred to as system "hardening").
|}}
<br /><ol> <li value="10">Refer to the <b>YouTube Video</b> on how to use both <b>Nessus</b> and <b>Metasploit</b> to penetrate the target server(s):<br /><br />[http://www.youtube.com/watch?v=WlZuq6Vj5AI Kali Linux - Security by Penetration Testing Tutorial: Metasploit Pro]<br /><br /></li></ol><br />
{{Admon/tip|Upgrade to Pro Trial Version Required|
<br /><br />When you start an exploit or "brute force" attack, you will be shown a webpage that allows you to upgrade to the Pro version (trial version). Click on that link to download activation code to install and register the trial version, then continue with your exploit.
|}}
<br /><ol>
<li value="10">Learn how to penetrate, and capture proof that you pentrated the Windows 2003 server. Make certain to record the procedures in your lab log-book.</li>
<li>Perform the same operations above, but for your vulnerable Linux server. Where you successful? If not, why do you think you were unsucessful? Perform a netsearch in Google to see if there are recommended approaches on how to penetrate the Fedora Core 5 system.</li>
<li>Do you think performing a <b>"Brute Force"</b> or <b>"Hail Mary"</b> attack is advised? If not, provide the reasons why an alternative should be used.<br /><br /></li></ol>
<br />
{{Admon/tip|Armitage is Open Source (free) GUI Alternative|
<br /><br />The company <b>rapid7</b> has taken over ownership of Metasploit, and the the full version of this application costs approximately $1800! On the positive side, there is an open source (free) GUI for Metasploit client called <b>armitage</b>. If armitage does not appear to be present on your Kali Linux system, it has been added to the default repository for install.<br /><br />You will be following instructions below to install and run armitage and compare the common scanning and exploit attacks to gain access.
|}}
<br /><ol>
<li value="13">Open a shell terminal, and login as root.</li>
<li>Issue the command: <b>which armitage</b> to confirm that this application exists on this server. If there is no pathname to that application, issue the command: <b>apt-get install armitage</b> (make certain application has been installed).</li>
<li>While logged on as root, issue the command: <b>armitage</b></li>
<li>Refer to the following YouTube video to learn how to use armitage to scan and run exploitation attacks:<br /><br />[https://www.youtube.com/watch?v=j7uLBzULOE0&feature=youtu.be Use Armitage to Exploit Multiple Machines in Kali Linux]<br /><br /></li>
<li>Note the differences between using armitage and the proprietory application Metasploit Pro in your lab log-book.</li>
</ol>
<br>
{{Admon/important|Additional Practice with Metasploit (Optional)|
If you were not able to access the Fedora Core 5 machine, you can always perform a Google search to find out techniques to help to access the machine. You ca
n also create another VM using a more vulnerable Linux Distribution (like Metasploitable: [http://www.rapid7.com/resources/videos/test-metasploit-wit hwith-metasploitable.jsp Download Metasploitable OS]<br /><br />Another thing to consider is to learn how to use the Metasploit command conso
le to learn how to load and launch singluar attacks (resource: [http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands MSF Console Commands]
|}}
<br>
<ol>
<li value="18">After you have received authorization (i.e. "green light" from your instructor) try penetration testing on your <b>Tank</b> server accounts, login to confirm IP_ADDRESS, and start to perform penetration testing in this server. <b>WORD TO THE WISE: Don't do anything relating to penetration testing with the Tank server without "thinking it through" first!</b> (i.e. you have been warned)...</li>
</ol><br />
{{Admon/tip|Preparing for Lab #4|
Now that you have learned to pentrate a network server, you will learn now to protect (<i>harden</i>) the server. We will learn how to harden the Linux server first, and then learn how to harden the Windows 2003 server (in a later lab).
<br /><br />
You will be creating a new virtual machine called <b>"Hardened Linux"</b> with the most recent version of Fedora. The reason why we do this is that <b>Fedora 5 is no longer supported</b>, and we want to learn the proper way to harden a Linux system (which involves constant upgrading).
<br /><br /> In Virtualbox, you can install a downloaded Fedora image as a <b>virtual file</b>. You will learn how to perform this in lab4. In the meantime, you can download the most recent version of the Fedora install DVD image from (32-bit or 64-bit):<br />
[http://mirrors.fedoraproject.org/publiclist/Fedora/17/ https://getfedora.org/en/workstation/]
<br /><br />
|}}
<br /><ol> <li value="1719">Proceed to "Completing The Lab".</li>
</ol>

Navigation menu