
CEH Lab Manual

Module 12 - Hacking Webservers

Hacking Web Servers


A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

~ Lab Scenario
Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at the server side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes.
One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk. As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.


Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
Footprint web servers
Crack remote passwords
Detect unpatched security flaws

CEH Lab Manual Page 731

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Lab Environment
To carry out this lab, you need:

A computer running Windows Server 2012 as host machine
A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine
A web browser with Internet access
Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Duration
Time: 40 Minutes

Overview of Web Servers


A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

Lab Tasks
Recommended labs to demonstrate web server hacking:
Footprinting a web server using the httprecon tool
Footprinting a web server using the ID Serve tool
Exploiting Java vulnerabilities using Metasploit Framework




Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.



Lab 1

Footprinting Webserver Using the httprecon Tool


The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario
Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.


Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
Use the httprecon tool
Get a web server footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon



You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon

If you decide to download the latest version, then screenshots shown in the lab might differ

httprecon is an open-source application that can fingerprint web server applications.

Run this tool in Windows Server 2012
A web browser with Internet access
Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

[Figure: httprecon 7.3 main window. Menu: File, Configuration, Fingerprinting, Reporting, Help. Target field (http://) with port 80; request tabs GET existing, GET long request, GET non existing, GET wrong protocol, HEAD existing, OPTIONS com...; lower tabs Full Matchlist (columns Name, Hits, Match %), Fingerprint Details, Report Preview]

httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

FIGURE 1.1: httprecon main window



4. Enter the web site (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered web site.
6. You should receive a footprint of the entered web site.
[Figure: httprecon 7.3 - http://juggyboy.com:80/, Target identified as Microsoft IIS 6.0. GET existing tab showing the response:
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Matchlist (352 Implementations), Name / Hits / Match %: Microsoft IIS 6.0 88 100; Microsoft IIS 5.0 71 80.68; Microsoft IIS 7.0 63 71.59; Microsoft IIS 5.1 63 71.59; Sun ONE Web Server 6.1 63 71.59; Apache 1.3.26 62 70.45; Zeus 4.3 62 70.45; Apache 1.3.37 60 68.18]

httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

The scan engine of httprecon uses nine different requests, which are sent to the target web server.

FIGURE 1.2: The footprint result of the entered website

7. Click the GET long request tab, which lists the GET request. Then click Fingerprint Details.
[Figure: httprecon 7.3 - http://juggyboy.com:80/, Target identified as Microsoft IIS 6.0. GET long request tab showing the response:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34
Fingerprint Details pane with the elements Protocol Version (1.1), Statuscode (400), Statustext, Banner, X-Powered-By, Header Spaces, Capital after Dash, Header-Order Full (Content-Type,Date,Connection,Content-Length) and Header-Order Limit (Content-Type,Date,Connection,Content-Length)]

httprecon does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website
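The Fingerprint Details pane above lists the elements httprecon compares: protocol version, status code and text, banner, X-Powered-By, header spacing, capitalization after dashes, and header order. The following Python is an added example written for this lab, not httprecon's own code. It extracts those elements from the two responses shown in Figures 1.2 and 1.3 (transcribed here as constructed samples), scores them against a small made-up fingerprint database the way the Matchlist reports hits and match percentage, and contrasts that with a banner-only check of the kind a plain banner grab (such as ID Serve in the next lab) performs. The functions `fingerprint`, `banner_only` and `matchlist`, the element encodings, the `HEADER_ORDER_LIMIT` of three headers, and the contents of `FINGERPRINT_DB` are all assumptions made for illustration.

```python
"""httprecon-style fingerprint extraction and scoring.

Added example for this lab, not httprecon's own code. Element names follow the
Fingerprint Details pane in Figure 1.3; how httprecon encodes and weights them is
not shown on the page, so the encodings, HEADER_ORDER_LIMIT and the database are
assumptions."""
import re

# Constructed samples, transcribed from the responses shown in Figures 1.2 and 1.3.
GET_EXISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Content-Length: 8451\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://juggyboy.com/index.html\r\n"
    "Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    "Accept-Ranges: none\r\n"
    'ETag: "a47ee9091a0cd1:7a49"\r\n'
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
)
GET_LONG_REQUEST = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 34\r\n\r\n"
)
# Constructed: the same IIS response with only the Server banner rewritten.
GET_EXISTING_SPOOFED = GET_EXISTING.replace("Microsoft-IIS/6.0", "Apache/1.3.37")

HEADER_ORDER_LIMIT = 3  # assumption: number of leading headers kept by "Header-Order Limit"

def fingerprint(raw):
    """Extract the fingerprint elements from one raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3}) ?(.*)$", status_line)
    if not m:
        raise ValueError("not an HTTP status line: %r" % status_line)
    names, spaces, values, capital_after_dash = [], set(), {}, True
    for line in header_lines:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        spaces.add(len(value) - len(value.lstrip(" ")))  # spaces after the colon
        # "Capital after Dash": does every word after a '-' start upper case?
        if any(part and not part[0].isupper() for part in name.split("-")[1:]):
            capital_after_dash = False
    return {
        "Protocol Version": m.group(1),
        "Statuscode": m.group(2),
        "Statustext": m.group(3),
        "Banner": values.get("server", ""),
        "X-Powered-By": values.get("x-powered-by", ""),
        "Header Spaces": ",".join(str(s) for s in sorted(spaces)),
        "Capital after Dash": "1" if capital_after_dash else "0",
        "Header-Order Full": ",".join(names),
        "Header-Order Limit": ",".join(names[:HEADER_ORDER_LIMIT]),
    }

def banner_only(raw):
    """What a plain banner grab reports: the Server header and nothing else."""
    return fingerprint(raw)["Banner"]

# Constructed fingerprint database: per implementation and test case, the expected
# element values. Illustrative only, not httprecon's real database.
FINGERPRINT_DB = {
    "Sample IIS 6.0": {
        "GET existing": {"Banner": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET",
                         "Header-Order Limit": "Date,Content-Length,Content-Type",
                         "Capital after Dash": "1", "Header Spaces": "1"},
        "GET long request": {"Statuscode": "400", "Statustext": "Bad Request",
                             "Header-Order Limit": "Content-Type,Date,Connection",
                             "Capital after Dash": "1"},
    },
    "Sample Apache 1.3": {
        "GET existing": {"Banner": "Apache/1.3.37", "X-Powered-By": "",
                         "Header-Order Limit": "Date,Server,Last-Modified",
                         "Capital after Dash": "1", "Header Spaces": "1"},
        "GET long request": {"Statuscode": "414", "Statustext": "Request-URI Too Large",
                             "Header-Order Limit": "Date,Server,Connection",
                             "Capital after Dash": "1"},
    },
}

def matchlist(responses):
    """Score each database entry against the observed responses.

    responses maps test case name -> raw response. Returns [(name, hits, match %)]
    best first; match % is relative to the top scorer, as in httprecon's Matchlist."""
    observed = {case: fingerprint(raw) for case, raw in responses.items()}
    scored = []
    for impl, cases in FINGERPRINT_DB.items():
        hits = sum(observed[case].get(elem) == val
                   for case, expected in cases.items() if case in observed
                   for elem, val in expected.items())
        scored.append((impl, hits))
    best = max(hits for _, hits in scored) or 1
    return sorted(((impl, hits, round(100.0 * hits / best, 2)) for impl, hits in scored),
                  key=lambda r: -r[1])

if __name__ == "__main__":
    for elem, val in fingerprint(GET_LONG_REQUEST).items():
        print("%-20s %s" % (elem, val))
    print(matchlist({"GET existing": GET_EXISTING, "GET long request": GET_LONG_REQUEST}))
    # A rewritten banner fools the banner grab but barely moves the structural score.
    print(banner_only(GET_EXISTING_SPOOFED))
    print(matchlist({"GET existing": GET_EXISTING_SPOOFED, "GET long request": GET_LONG_REQUEST}))
```

Running it illustrates the note that httprecon does not rely on banner announcements: in the spoofed sample the Server header has been rewritten to look like Apache, so `banner_only` reports Apache, yet header order, spacing and the 400 behaviour on a long request still score the IIS entry highest. A defender who only rewrites the banner should therefore not assume the server type is hidden; the structural elements are what a fingerprinting tool keys on.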



Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon Tool

Information Collected/Objectives Achieved:
Output: Footprint of the juggyboy web site
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Questions
1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs



Lab 2

Footprinting a Webserver Using ID Serve


ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario
In the previous lab you have learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint. It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.


Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
Use the ID Serve tool
Get a web server footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
If you decide to download the latest version, then screenshots shown in the lab might differ



Run this tool on Windows Server 2012 as host machine
A web browser with Internet access
Administrative privileges to run tools

Lab Duration
Time: 10 Minutes


Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.


Lab Tasks
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve. The main window appears.
3. Click the Server Query tab as shown in the following figure.

[Figure: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. Tabs: Background, Server Query, Q&A/Help. Server Query tab: field "Enter or copy/paste an Internet server URL or IP address here (example: www.microsoft.com)"; Query The Server button ("When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server"); Server query processing pane; "The server identified itself as:" field; Copy and Goto ID Serve web page buttons]

ID Serve can connect to any server port on any domain or IP address.

FIGURE 2.1: Welcome screen of ID Serve

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the web site (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.



6. Click Query The Server to start querying the entered web site.
7. After the completion of the query, ID Serve displays the results of the entered web site as shown in the following figure.
[Figure: ID Serve, Server Query tab, with http://10.0.0.2/realhome entered in field 1 and Query The Server pressed. Server query processing shows:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"
"The server identified itself as:" field, Copy and Goto ID Serve web page buttons]

ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

ID Serve can almost always identify the make, model, and version of any web site's server software.

FIGURE 2.2: ID Serve detecting the footprint

Lab Analysis
Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Tool/Utility: ID Serve

Information Collected/Objectives Achieved:
Server Identified: Microsoft-IIS/8.0
Server Query Processing:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"



Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs



Lab 3

Exploiting Java Vulnerability Using Metasploit Framework

Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:



Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/
If you decide to download the latest version, then screenshots shown in the lab might differ
A computer running Windows Server 2012 as host machine
Windows 8 running on a virtual machine as target machine
A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine
JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab


This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.

[Figure: Firefox at https://localhost:3790 showing "This Connection is Untrusted": You have asked Firefox to connect securely to localhost:3790, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. Buttons: Get me out of here!, Technical Details, I Understand the Risks]

FIGURE 3.1: Metasploit Untrusted connection in web browser

4. Click Add Exception.

[Figure: the same Firefox "This Connection is Untrusted" page with Technical Details expanded, showing the Add Exception button]

FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.



[Figure: Firefox Add Security Exception dialog: "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this." Server Location field; Certificate Status: "This site attempts to identify itself with invalid information. Wrong Site: Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature." Permanently store this exception (checked); Confirm Security Exception and Cancel buttons]

With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.

[Figure: Metasploit account creation page with Username, Password and Password confirmation fields, an Optional Info & Settings section (Email address and further fields) and a Create Account button]

Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

FIGURE 3.4: Metasploit Creating an Account

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

[Figure: Metasploit Product Key Activation window with GET PRODUCT KEY button]



This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

8. Enter your valid email address in the Metasploit Community option and click GO.

These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

[Figure: Rapid7 "Choose between two FREE Metasploit Offers" page. Metasploit Pro: trial offer for IT professionals (web application scanning, social engineering, team collaboration, reporting, enterprise-level support). OR Metasploit Community, FREE EDITION: network discovery, vulnerability scanner import, basic exploitation, module browser; "Enter email address:" field ending in @gmail.com with Go button]

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email address and copy the license key as shown in the following figure.



[Figure: email "Your Metasploit Community Edition Product Key" from Rapid7 (Bates, Ariana). Metasploit Product Key WNMW-J8KJ-X3TW-RN68. "Thank you for choosing Rapid7 Metasploit Community Edition. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose - for free. Your license is valid for one year and expires on 11/15/2013. When your license runs out, you can simply apply for a new license using the same registration mechanism."]

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste die product key and click Next to continue.


Due to die severity of these vulnerabilities, the public disclosure of teclinical details and the reported exploitation of CVE-20124681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.

FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.


FIGURE 3.9: Metasploit Activation

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.



FIGURE 3.10: Metasploit Activation Successful


TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.

FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after the updates have been checked, click Install.


By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)

FIGURE 3.12: Metasploit Checking for Updates

15. After the updates are installed, you will be asked to restart; click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.



TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.


FIGURE 3.14: Metasploit Restarts

17. After the restart completes, you will be redirected to Metasploit - Home. Now click Create New Project from the Project drop-down list.
Creating a New Metasploit Project

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.

FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.


The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.

FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.



FIGURE 3.17: Metasploit Modules Tab


TASK 5: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.



Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.


A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.



In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and custom reporting, combined with an advanced penetration testing workflow.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:

a. In Payload Options, set the Connection Type to Reverse and, in Listener Host, enter the IP address where Metasploit is running.

b. In Module Options, enter the SRV Host IP address where Metasploit is running.

c. Enter the URI Path (in this lab we are using greetings) and click Run Module.



IPv6 is the latest version of the Internet Protocol, designed by the Internet Engineering Task Force to replace the current version, IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.


In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.

FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 Virtual Machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.

25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.



Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

Project Management A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

FIGURE 3.23: Metasploit Capturing the reverse connection of targeted machine
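Steps 22 to 26 seen from the defender's side, as an added example that is not part of the lab manual or of Metasploit: it correlates a constructed proxy log with a constructed connection log to flag a host whose Java plug-in fetched content from a server and then opened a new TCP connection back to that same server on another port, which is the shape of the reverse connection captured in step 26. The two log formats, the applet path, the Java user-agent string and the callback port 4444 are assumptions made for the example; the only page facts used are the hosts 10.0.0.10 and 10.0.0.12, port 8080 and the greetings URI.

```python
"""Correlate a Java applet fetch with a callback to the serving host.

Added example, not part of the CEH lab manual or of Metasploit.
Constructed log formats:
  proxy log:      <ts> <client> <method> <url> <status> <user-agent ...>
  connection log: <ts> <src> <sport> <dst> <dport> <proto> <action>
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

FIXED_JAVA7_UPDATE = 7  # Oracle fixed CVE-2012-4681 in Java SE 7 Update 7

# Constructed proxy log: 10.0.0.12 opens the lab URL in Chrome, then the Java
# plug-in (its own User-Agent) pulls the applet from the same server. The
# applet path and the Java version string are made up for the example.
PROXY_LOG = """\
2012-11-15T14:04:40Z 10.0.0.12 GET http://10.0.0.10:8080/greetings 200 Mozilla/5.0 (Windows NT 6.2) Chrome/23.0
2012-11-15T14:04:42Z 10.0.0.12 GET http://10.0.0.10:8080/greetings/applet.jar 200 Mozilla/4.0 (Windows 8 6.2) Java/1.7.0_05
2012-11-15T14:05:10Z 10.0.0.15 GET http://10.0.0.20/index.html 200 Mozilla/5.0 (Windows NT 6.1) Firefox/16.0
"""

# Constructed connection log: the two fetches on 8080, then a new TCP session
# from the victim back to the serving host on an unrelated port (4444 is an
# assumed listener port; the lab UI picks its own from a range).
CONN_LOG = """\
2012-11-15T14:04:40Z 10.0.0.12 49210 10.0.0.10 8080 tcp allow
2012-11-15T14:04:42Z 10.0.0.12 49211 10.0.0.10 8080 tcp allow
2012-11-15T14:04:43Z 10.0.0.12 49212 10.0.0.10 4444 tcp allow
2012-11-15T14:05:12Z 10.0.0.15 49300 10.0.0.20 80 tcp allow
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def java_version(user_agent):
    """(major, update) from a 'Java/1.7.0_05' token; None for a browser UA."""
    for token in user_agent.split():
        if token.startswith("Java/"):
            base, _, update = token[5:].partition("_")
            parts = base.split(".")
            if len(parts) >= 2 and parts[0] == "1" and parts[1].isdigit():
                return int(parts[1]), (int(update) if update.isdigit() else 0)
    return None


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, _method, url, _status, ua = line.split(maxsplit=5)
            events.append({"ts": parse_ts(ts), "client": client, "url": url, "ua": ua})
    return events


def parse_conns(text):
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, _sport, dst, dport, proto, action = line.split()
            conns.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                          "dport": int(dport), "proto": proto, "action": action})
    return conns


def find_applet_callbacks(proxy_text, conn_text, window_s=60):
    """Flag a client whose Java plug-in fetched content from a server and then,
    within window_s seconds, opened a new TCP connection to that same server on
    a port other than the one it was served from. Ordinary browser requests and
    the applet fetches themselves (same port as the URL) are not flagged."""
    alerts = []
    conns = parse_conns(conn_text)
    for ev in parse_proxy(proxy_text):
        version = java_version(ev["ua"])
        if version is None:
            continue
        url = urlsplit(ev["url"])
        server, served_port = url.hostname, url.port or 80
        deadline = ev["ts"] + timedelta(seconds=window_s)
        for c in conns:
            if (c["src"] == ev["client"] and c["dst"] == server
                    and c["proto"] == "tcp" and c["action"] == "allow"
                    and c["dport"] != served_port
                    and ev["ts"] <= c["ts"] <= deadline):
                alerts.append({
                    "client": ev["client"], "server": server,
                    "applet_url": ev["url"], "callback_port": c["dport"],
                    "java_below_7u7": version[0] == 7 and version[1] < FIXED_JAVA7_UPDATE,
                })
    return alerts
```

Run against the constructed logs, the only alert is 10.0.0.12 calling back to 10.0.0.10 on port 4444 after a Java 7 Update 5 plug-in fetched the applet; the browser fetches and the second host's traffic are left alone.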

27. Click the Sessions tab to view the captured connection of the target machine.


User Management Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of the target machine as shown in the following screenshot.

Global Settings Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.


FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.


System Management As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information

Host Scan A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. To access the files of the target system, click Access Filesystem.



Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.

FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files on the target machine.



If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.


Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.

FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell on the target machine by clicking Command Shell from the captured session.

Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define the evasion options that Metasploit Pro uses.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.


Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target emails, and email template.

34. The following screenshot shows the IP address and other details of your target machine.

WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.

FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click the Go back one page button in the Metasploit browser to exit the command shell.


A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.32: Metasploit closing command shell

FIGURE 3.33: Metasploit Terminating Session

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session Killed. Now, from the Account drop-down list, select Logout.

FIGURE 3.34: Metasploit Session Killed and Logging out


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:
Output: Interface Information
Name: etl14-Microsoft Hyper-V Network Adapter
Hardware MAC: 00:00:00:00:00:00
MTU: 1500
IPv4 Address: 10.0.0.12
IPv4 Netmask: 255.255.255.0
IPv6 Address: fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask: ffff:ffff:ffff:ffff::

Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
