In this lab we are going to set up your Kali and Metasploitable VMs for use in our weekly labs.
We'll run the virtual machines, gather their IPs, and confirm they are able to send/receive traffic between each other.
There are only a few questions but be sure to answer them so the work you perform may be captured for grading purposes.
Preamble.
You will need to download your chosen Virtual Machine Manager (VM) choose the VM that works for your operating system
For Windows
http://www.vmware.com/ - Downloads – VMWare Player
https://www.virtualbox.org/wiki/Downloads
For OSX (Mac)
http://www.vmware.com/ - Downloads – VMWare Fusion (NOTE – This software is not free you can only download a 30 day trial)
https://www.virtualbox.org/wiki/Downloads
Next Download Kali Linux
https://www.kali.org/downloads/
Select Kali Linux 32 Bit and click the direct link for ‘ISO’
Download Metasploitable Linux (This is our target operating system)
https://sourceforge.net/projects/metasploitable/
Click the green button marked ‘download’
Next is installation
https://www.youtube.com/watch?v=a0X9-lCOsEo This Video will guide you through installing Metasploitable using virtual box – the process is similar for VMWare
https://www.youtube.com/watch?v=FVmWMogGX4Q This Video will guide you through installing Kali Linux in Virtual Box – the process is similar for VMWare
During the installation make sure that the password you select for the ‘root’ account is toor
During the installation you will be asked to give your kali VM a ‘hostname’ please make sure that you put your name as the hostname for the machine.
Class: SEC6070
Name:
Date:
1. Open VMware Workstation.
2. Start your Kali and Metasploitable VMs.
Both your Kali VM and your Metasploitable VM should be running.
3. Select Kali linux
4. Type this username at the login prompt: root
5. Type this password: toor
We need to change the default password because it's not secure.
While the password we're changing it to isn't necessarily secure (for the sake of simplicity in this class) we still need to change it on principal.
6. Open a shell. (Look for a small black box at the top left of your screen.)
7. Type: passwd
a. Paste your screenshot here:-
8. Type: wilmuabc (it will ask you to repeat the password)
9. Type: ifconfig
a. Paste your screenshot here:-
10. Record your IP address here:
ANSWER:
NOTE IN ALL FURTHER WORKSHEETS UNLESS OTHERWISE TOLD THIS WILL BE YOUR ‘LHOST’ OR LOCAL HOST
11. Let's double-check no firewall is running.
a. Type: iptables -L (All policies should be set to "ACCEPT".)
b. Paste your screenshot here:-
12. Press ctrl+alt to escape your Kali VM.
Now let's switch our focus to the Metasploitable VM.
13. At the user logon prompt type: msfadmin
14. At the password prompt type: msfadmin
This is an intentionally vulnerable system so there's no point in changing the password from the default.
15. Type: ifconfig
b. Paste your screenshot here:-
16. Record the IP address here:
NOTE IN ALL FURTHER WORKSHEETS UNLESS OTHERWISE TOLD THIS WILL BE YOUR ‘RHOST’ OR REMOTE HOST
Now we know the IP addresses of our Kali and our Metasploitable VMs.
Let's test connectivity.
17. You should still be at the Metasploitable prompt.
a. Type: ping {insert the IP address of your Kali VM}
b. Press ctrl+c to stop the ping.
c. Paste your screenshot here:-
Now let's verify connectivity from the Kali VM.
18. Switch your focus to the Kali VM. (Reminder: Press ctrl+alt to escape the Metasploitable VM.)
19. Click on "Applications-Internet-Firefox Web Browser".
20. Once Firefox opens type the IP address of your Metasploitable VM in the address field and navigate to it.
You should navigate to a running web service.
a. Paste your screenshot here:-
Listed on your webpage should be a list of vulnerable web services that we will be testing against later in the class
Once you have completed this worksheet please submit it for grading via the link on blackboard
Linux Primer with Kali
Class: SEC6070
Name:
Date:
This lab is meant to familiarize you with the Linux operating system.
While it is not meant to make you a Linux power user, it is meant to make you comfortable with moving around the operating system.
We won't go over the file system hierarchy or delve into the more technical aspects of how Linux works but we will go over common commands so you have a working knowledge of Linux.
Linux commands will still be provided to you in future labs but it is important that, as an IT professional, you memorize these commands.
*Special Note: Unlike Windows, Linux shell commands and paths are case sensitive.
1.Open VMware Workstation/Virtual Box and launch the Kali VM.
We'll start by learning to move around Linux.
2. Launch a shell. (It's the black box icon to the right of Applications, Places, System.)
a. Paste your screenshot here:-
3. Type: whoami (This is the account you're logged in with.)
a. Paste your screenshot here:-
4. Type: pwd (pwd stands for "present working directory")
a. Paste your screenshot here:-
5. Type: ls –alF
a. Paste your screenshot here:-
b. What does this command do?
c. What does the ‘switch’ –alF achieve?
6. Type: cd /
a. Where does this command put you in the file system ‘tree’?
7. Hit the up arrow on your keyboard and then hit it again.
Observe that it shows you your previous commands.
This is a big time saver.
8. Type: ls /usr/share
a. Paste your screenshot here:-
Notice all of the tools.
These are your penetration testing tools.
9. Type: cd .. (This will take back to your parent directory.)
10. Type: pwd
a. Paste your screenshot here:-
Where are you now?
11. Type: clear
a. What does this command do?
12. Type: history
a. Paste your screenshot here:-
b.What does history show you?
13. Type: {press the spacebar} date
14. Hit the up arrow twice and hit enter.
a. Paste your screenshot here:-
b. What didn't the history command show you?
c. Why is this important?
15. Type: clear
All software, drivers, drives, etc, are considered files in Linux.
There are many useful commands to perform searches and queries on files in a Linux operating system.
16. Type: locate gunzip
a. Paste your screenshot here:-
17. Type: find /usr/share | more (Hit ctrl+c to stop the output.)
a. Paste your screenshot here:-
18. Type: whereis msfconsole
a. Paste your screenshot here:-
19. Type: whatis motd
a. Paste your screenshot here:-
Linux has many text editors available for use:
20. Type: cat /usr/share/doc/funkload/examples/demo/cmf/passwords.txt
a. Paste your screenshot here:-
b. What did "cat" do?
c. Are able to edit the file?
21. Type: nano /usr/share/doc/funkload/examples/demo/cmf/passwords.txt
a. Paste your screenshot here:-
Nano is considered to be easier to use for users new to Linux text editors.
When you type you immediately begin editing the file.
Press ctrl+x to exit.
Press "n" to not save any changes.
Sometimes you need to learn more about commands you are not familiar with.
22. Type: man top
a. Paste your screenshot here:-
b. What does the man page description indicate the "top" program does?
c. Type: q
23. Type: info man
a. Paste your screenshot here:-
To exit type: q
(Sometime people find it easier to read info pages as opposed to man pages.)
24. Type: top -help
a. Paste your screenshot here:-
b. What is printed to the screen?
Let's look at a few Linux networking related commands that are useful to know:
25. Type: ifconfig
a. Paste your screenshot here:-
b. What is the IP address?
26. Type: route
a. Paste your screenshot here:-
b. What is the gateway?
27. Type: cat /etc/hostname
a. Paste your screenshot here:-
b. What is the hostname?
If your hostname is not your name
Type nano /etc/hosts
Delete ‘Kali’
Replace it with your own name
Save and exit
a. Paste your screenshot here:-
28. Type: cat /etc/resolv.conf
a. Paste your screenshot here:-
b. What is the address of the nameserver (aka DNS server):
29.Find the "sudoers" file.
Read its contents.
a. Paste your screenshot here:-
b. What is the exact location of the sudoers file?
c. What commands may members of the sudo groups execute?
30. Edit the hostname of your machine, type :nano /etc/hostname
delete ‘kali’
add your name in its place
press ctrl x
yes to save changes
enter to quit
a. Paste your screenshot here:-
There are many more commands used in the Linux operating system.
There are also multiple scripting languages available, the most common of which is BASH.
You are encouraged to continue learning more about the Linux operating system as it is responsible for running most of the machines we interact with on regular basis.
Once you have completed this worksheet please upload it via the link on blackboard for grading
Introduction to Metasploit - A Tour
Class: SEC6070
Name:
Date:
What is Metasploit?
Metasploit is an open source framework for exploitation that has transcended its humble beginnings and become a "penetration testing environment suite" - my interpretation. I say this because you are now able to use Metasploit to accomplish any task in the penetration testing phase and based on your findings you may choose a tool/methodology, modify an existing tool/methodology, or create a new tool/methodology to accomplish your goal.
While most penetration testing options like Canvas have additional options and features, none provide you with the freedom and flexibility that Metasploit does. So while Kali is a wonderful Linux-based operating system loaded with tools, a pentester has everything he or she needs in Metasploit. As you will soon learn in this course, Metasploit has reconnaissance tools (discovery and vulnerability scanners), malicious code generators, evasion apps so your exploit doesn't get caught by IPS or antivirus, password attack tools, and many, many more.
PLEASE DON’T CONFUSE METASPLOIT (THE FRAMEWORK) WITH METASPLOITABLE (THE VULNERABLE BY DESIGN OPERATING SYSTEM)
1.Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Launch a terminal (shell). (It's the black box icon to the right of Applications, Places.)
3. Type: msfconsole
Wait patiently for Metasploit to load.
a. Once loaded paste your screenshot here: -
4. Open another terminal and type: env
a. Paste your screenshot here: -
(View the PATH variable. When you attempt to execute a program Linux looks at all of the paths in the PATH environment variable to find and execute the program. That's why you may type "msfconsole" and the program executes.)
5. If you visit the Rapid7 website (https://www.rapid7.com/) you will find you have the option to register for notifications, support, and updates of Kali.
Rapid7 has moved away from using SVN for code management to Git.
For our purpose, here it doesn't matter but if you enjoy working on the bleeding edge of distros you may want to register and upgrade to the latest version.
a. Paste your screenshot here: -
6. Switch your focus back to the Metasploit shell. Look at the information under the banner and answer the questions below about the various modules available.
6a. How many exploits does Metasploit have:
6b. How many auxiliary exploits does Metasploit have:
6c. How many post modules does Metasploit have:
6d. How many payloads does Metasploit have:
6e. How many encoders does Metasploit have:
6f. How many nops does Metasploit have:
Metasploit Modules Breakdown
I've defined Metasploit's modules below.
Take the time to read them so you have a better understanding of their purpose and use.
Exploits - Pre-packaged malicious executables that takes advantage of a vulnerability to gain access to a system and deliver a payload.
Payloads - Can be a variety of applications/configurations used to establish foothold on system post-exploitation. Examples are reverse shells that call home or stagers for further exploitation and persistence. Meterpreter is a particularly useful and commonly used payload shell.
Encoders - Obfuscates exploits and payloads so they can't be fingerprinted by AV or IDS/IPS definitions.
Auxiliary - Attack components such as DoS tools, buffer overflows, SQL injection apps, fuzzers, and more.
Post - Automation modules for post-exploitation. Tools to further establish access on a system or network like keystroke loggers and privilege escalators.
NOPs - NOP sled tools such as buffer overflow reference material for custom NOP sleds. For simplicity's sake we'll say NOP sleds tell a processor to do nothing for a specified number of clock cycles, thereby increasing the chances of your code executing successfully.
With that brief introduction behind us let's learn by doing.
*You may want to maximize your terminal to full screen.
7. Type: help (Notice the list of commands available to you in Metasploit.)
a. Paste your screenshot here:-
8. Type: show exploits (Wait patiently for the Metasploit database to be queried and print the results to your terminal.)
a. Paste your screenshot here:-
b. Notice the format: Name, Date, Rank, Description
c. What is the date of the "windows/http/sonicwall_scrutinizer_sqli" exploit?
d. What is its rank?
e. What is its description?
9. Encoders allow you to encode your payload so it doesn't trigger antivirus or IDS tools like McAfee's HBSS.
This is very important to know and understand because most AV and IDS tools aren't going to catch your payload if you encode it.
a. Type: show encoders
b. Paste your screenshot here:-
c. Find and document an encoder of your choice here:
10. Payloads are the deliveries we will make to the system we are exploiting.
a. Type: show payloads
b. Paste your screenshot here:-
c. Find and document a payload for the Mac OS here:
a. Paste your screenshot here:-
11. We will use auxiliary modules quite a bit. There are a variety of community provided penetration testing tools located here.
a. Type: show auxiliary
b. Paste your screenshot here:-
c. Does the auxiliary module contain scanners?
d. If so list them here :-
Now let's get down to business and pretend we are professional penetration testers researching a strategy to gain access to an industrial control system network such as a water treatment plant.
12. We need to find a Windows SCADA exploit.
a. Type every word after this colon: search windows/scada
b. Paste your screenshot here:-
13. Let's learn more about a particular module we found in our search results to confirm it will be useful to us.
a. Type: info windows/scada/moxa_mdmtool
b. Who provided this exploit?
c. What are the options available for this exploit?
d. What references are available?
e. What does the description tell us this module does?
14. This may be the exploit we need to compromise the system.
a. Type: use windows/scada/moxa_mdmtool
b. Paste your screenshot here:-
c. Type: show payloads
d. Document two payloads you would might use that are available for this exploit:
e. Paste your screenshot here:-
15. Type: show advanced
a. These advanced options, for the most part, won't normally be changed by you. You will want to change them in some cases though. Scroll down to the SSL option. It's currently set to false. If you were running a reverse shell out of a network you may want to enable SSL not only to potentially hide your activity but to also protect your client. The last thing you want to do expose the client's data to a third party because you transferred it in clear text over the internet.
16. Type: show options
a. Paste your screenshot here:-
b. These are the setting the exploit currently has.
17. Type: info
a. Paste your screenshot here:-
17. Type: help
a. Paste your screenshot here:-
b. What command would you type to verify a system is vulnerable to this exploit?
c. What command would use to execute the exploit?
19. Type: exit
Now let's take a look at how Metasploit's file system is organized.
20. Type: cd /usr/share/metasploit-framework/modules
a. Type: ls (You should recognize the high level organization.)
b. Paste your screenshot here:-
21. Type: cd exploits
a. Type: ls
b. Paste your screenshot here:-
(As you can see, you may drill down in each folder to view available tools Metasploit offers. Although this isn't necessary, it is good to understand how the Metasploit is organized for troubleshooting modules.)
You've gained a basic understanding of Metasploit's organization and how to explore this popular open source penetration testing tool suite. We'll gain a higher level of understanding and take part in a more advanced use of Metasploit in subsequent labs.
Please upload this worksheet via the link provided in Blackboard
Database Attack Lab
Class: SEC6070
Name:
Date:
This lab will follow a database penetration test from beginning to end in order to illustrate, in a hands-on way, the steps necessary to fully compromise a database. You will use a Metasploit module to identify an account you may use to login. Once logged in you will use SQL commands to explore the database.
1. If Metasploitable isn't already running launch the Metasploitable VM.
2. At the user logon prompt type: msfadmin
3. At the password prompt type: msfadmin
4. Type: ifconfig
a. Paste your screenshot here:-
5. Record the IP address here: This is your RHOST or ‘remote host’
Now switch to Kali.
6. Open a shell by clicking on the black box next to the word “Places”.
7. Type: service postgresql start
a. Paste your screenshot here:-
8. Type: msfconsole
a. Paste your screenshot here:-
9. Scan your target for database technologies. Try to identify running database services on your target’s ports.
a. Type: nmap x.x.x.x (substitute x.x.x.x for the ip address of your REMOTE host)
b. Paste your screenshot here:-
Success! We’re identified multiple instances of database technologies running on our target. Let’s choose a service to target. For this example we’ll select MySQL.
10. Metasploit has multiple MySQL exploits.
a.Type: search mysql
b. Paste your screenshot here:-
11. Type: use auxiliary/scanner/mysql/mysql_login
12. Type: info
13. Type: set rhosts x.x.x.x (substitute x.x.x.x for the ip address of your REMOTE host)
14. Type: set username root
15. Type: set stop_on_success true
16. Let’s confirm the changes you made took. Type: info
17. a. Paste your screenshot here:-
18. Type: exploit
a. Paste your screenshot here:-
You determined the username root has no password. Congratulations. Let’s test our access to the MySQL database.
19. Open a new shell by clicking on the black box to the right of the word “Places”.
20. Type: mysql –h x.x.x.x –u root (substitute x.x.x.x for the ip address of your REMOTE host)
a. Paste your screenshot here:-
21. Type: show databases;
a. Paste your screenshot here:-
22. Let’s pick a database and explore it. Type: use dvwa;
a. Paste your screenshot here:-
23. Now that we’ve picked a database let’s view the tables. Type: show tables;
a. Paste your screenshot here:-
24. Let’s see what data is being held in this table. Type: show columns from users;
a. Paste your screenshot here:-
25. Columns of interest are “user” and “password”. Type: select user, password from users;
a. Paste your screenshot here:-
26. You’ve successfully scanned for a database technology, found a vulnerable database service running on a target’s port, located the appropriate exploit for use and ran it. Now try exploiting a different database vulnerability, such as Postgresql.
Congratulations, you’ve used a Metasploit module to attack a database. You’ve accessed a database, enumerated the tables, identified fields of interest, and inspected their contents.
Metasploit Reconnaissance Lab
Class: SEC6070
Name:
Date:
In this lab we will be doing information gathering with regards to email addresses within the Wilmu.edu domain
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop.
3. Type: msfconsole
We'll start by performing reconnaissance of a potential target.
We'll run an email reconnaissance module against wilmu.edu for demonstration purposes.
4. Type: use auxiliary/gather/search_email_collector
5. Type: set DOMAIN wilmu.edu
6. Type: set OUTFILE /tmp/results.txt
7 Type: info
a. Paste your screenshot here:-
8. What search engines is search_email_collector using?
a. Paste your screenshot here:-
9. Type: show advanced
a. Paste your screenshot here:-
10. Why might you use a proxy when running search_email_collector?
ANSWER:
10. Type: run
a. Paste your screenshot here:-
11. Your results were already printed to the screen but what if you move on to another pen testing activity?
a. Type: cat /tmp/results.txt
b. Paste your screenshot here:-
As you can see, your results have been recorded to a text file for later referencing.
12. Type: ls /usr/share/metasploit-framework/modules/auxiliary/gather
a. Paste your screenshot here:-
13. What other interesting information gather tools are there?
a. List one of the tools you are interested in and why.
ANSWER:
Now that we know a little bit more about wilmu.edu we'll run a DNS reconnaissance module against wilmu.edu.
14. Type: back
15. Type: use auxiliary/gather/enum_dns
16. Type: info
a. Paste your screenshot here:-
17. Look at the options that are set to true by default. enum_dns will try a zone transfer using ENUM_AXFR. enum_dns will also search for common srv records such as such as ftp, http, smtp, ldap, etc, using ENUM_SRV. ENUM_STD is also set to be used by default. It will search for standard DNS records such as start of authorities (SOAs), name server records (NSs), and A records (aka hosts). As you can see, enum_dns is more powerful and aggressive than dns_info.
18. Type: show options
a. Paste your screenshot here:-
19. Type: show advanced
a. Paste your screenshot here:-
b . What options would you use if you had a strategy, such as a low and slow attack that won't get you noticed?
ANSWER:
20. Type: set DOMAIN wilmu.edu
21. Type: run
a. Paste your screenshot here:-
22. What information was retrieved?
ANSWER:
23. Let's explore more enum_dns options.
a. Type: set ENUM_TLD true
24. Type: run (This could take quite awhile to complete.)
a. Paste your screenshot here:-
b. How many TLDs does enum_dns search?
ANSWER:
Be careful when using this option. You might find spoofed sites that have been set up to look like the original and then get hit with exploits suites like the Black Hole Exploit Kit.
25. Type: show options
a. Paste your screenshot here:-
b. What does ENUM_RVL do?
ANSWER:
26. What does ENUM_BRT do?
ANSWER:
a. Type: ls /usr/share/wordlists
b. Paste your screenshot here:-
These are not files you would want to cat or gedit. They are enormous wordlists used by Metasploit for various brute forcing purposes.
We've done some basic but effective reconnaissance using Metasploit. We've discovered email addresses and servers belonging to Wilmington University. There are many reconnaissance tools available to you such as Maltego. Maltego is a highly effective reconnaissance tool that also searches social network sites.
Once completed please upload this worksheet to Blackboard by the link provided for grading
Metasploit Scanning Lab
Class: SEC6070
Name:
Date:
1. If your VMs aren't already running then open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the word "Places".
3. Type: msfconsole
4. Open another instance of VMware Player and launch the Metasploitable VM.
5. At the user logon prompt type: msfadmin
6. At the password prompt type: msfadmin
7. Type: ifconfig
a. Paste your screenshot here:-
b. This IP address becomes your RHOST (Remote Host)
8. Record the Metasploitable VM IP address here:
Metasploit has numerous scanners located in various places. Let's become familiar with how to find and identify the scanners we need. Not all scanners are built alike. Some are very limited but very good at what they do while others are broader in functionality and applicable in many instances.
Switch to you Kali VM and type "back" if you currently have a module loaded from a previous lab.
9. Repeat step 2 and open an additional shell and type:
ls /usr/share/metasploitframework/modules/auxiliary/scanner/portscan
10. These are just a few of the built in port scanners Metasploit has to offer.
a. What port scanners are available?
b. Paste your screenshot here:-
11. Lets pick one and list the options and advanced options.
a. Switch to your Kali VM and type: use auxiliary/scanner/portscan/xmas
b. Type: show options
c. Paste your screenshot here:-
d. Type: show advanced
a. Paste your screenshot here:-
12. Type: back
13. Switch to the other shell (Not Metasploit.) and type:
ls /usr/share/metasploit-framework/modules/auxiliary/scanner/discovery
a. Paste your screenshot here:-
14. Notice we have more discovery tools.
a. List a tool and what it does.
b. Paste your screenshot here:-
15. Switch back to your other shell and type: use auxiliary/scanner/discovery/arp_sweep
a. Type: show options
b. Paste your screenshot here:-
c. Type: show advanced
d. Paste your screenshot here:-
16. Let's search for more scanners.
a. Type: search type:auxiliary scanner
If you have trouble reading the output make sure your shell is maximized as well as your instance of VMware.
b. Paste your screenshot here:-
17. What scanner may I use to brute force Outlook Web Access logins?
a. Type: search type:auxiliary outlook
b. Who wrote the module? Type: info
c. Paste your screenshot here:-
d. Type: info auxiliary/scanner/http/owa_login
e. Paste your screenshot here:-
18. What is the pcanywhere_login module good for?
a. Type: search type:auxiliary pcanywhere_login
b. Paste your screenshot here:-
c. Type: info auxiliary/scanner/pcanywhere/pcanywhere_login
d. Paste your screenshot here:-
Now let's learn how to use the "info" command to gather information about modules.
19. Type: info auxiliary/scanner/mssql/mssql_ping
a. What does this module do?
b. Paste your screenshot here:-
Now let's look at everyone's favorite scanner Nmap. Nmap is a tool every pen tester, system administrator, network administrator, etc, should be familiar with.
*If you currently have a module loaded type: back
20. Type "nmap". Notice the exhaustive output. The switch syntax is given along with a description of the command.
21. Type: nmap -sT x.x.x.x (x.x.x.x. is the IP address of the Metasploitable VM.)