
CEH Lab Manual

Module 12 - Hacking Webservers

Hacking Web Servers


A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.
Lab Scenario

Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running on the server side. Hackers therefore attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more.
The objective of this lab is to:

Footprint web servers
Crack remote passwords
Detect unpatched security flaws

CEH Lab Manual Page 731

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment
To carry out this lab, you need:

A computer running Windows Server 2012 as host machine
A computer running Windows Server 2008, Windows 8, and Windows 7 as virtual machines
A web browser with Internet access
Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 12 Hacking Webservers

Lab Duration
Time: 40 Minutes

Overview of Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

Lab Tasks
Recommended labs to demonstrate web server hacking:

Footprinting a web server using the httprecon tool
Footprinting a web server using the ID Serve tool
Exploiting Java vulnerabilities using Metasploit Framework


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Footprinting Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario
Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:

Use the httprecon tool
Get a webserver footprint

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon


You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon

If you decide to download the latest version, then screenshots shown in the lab might differ.

Run this tool on Windows Server 2012

A web browser with Internet access

Administrative privileges to run tools

httprecon is an open-source application that can fingerprint web server implementations.

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

[Screenshot: httprecon 7.3 main window. Menus: File, Configuration, Fingerprinting, Reporting, Help. Fields: Target (http://), port 80. Test-case tabs: GET existing | GET long request | GET non existing | GET wrong protocol | HEAD existing | OPTIONS com... Result tabs: Full Matchlist | Fingerprint Details | Report Preview, with columns Name, Hits, Match %.]

Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

FIGURE 1.1: httprecon main window


4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered website.
6. You should receive a footprint of the entered website.


[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0), GET existing tab]
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Matchlist (352 Implementations):
Name                     Hits   Match %
Microsoft IIS 6.0        88     100
Microsoft IIS 5.0        71     80.68
Microsoft IIS 7.0        63     71.59
Microsoft IIS 5.1        63     71.59
Sun ONE Web Server 6.1   63     71.59
Apache 1.3.26            62     70.45
Zeus 4.3                 62     70.45
Apache 1.3.37            60     68.18

Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

The scan engine of httprecon uses nine different requests, which are sent to the target web server.

FIGURE 1.2: The footprint result of the entered website

7. Click the GET long request tab, which will list the GET request. Then click Fingerprint Details.
[Screenshot: httprecon 7.3 - http://juggyboy.com:80/, Target (Microsoft IIS 6.0), GET long request tab]
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

Matchlist (352 Implementations) | Fingerprint Details | Report Preview
Fingerprint Details:
Protocol Version     HTTP/1.1
Statuscode           400
Statustext
Banner
X-Powered-By
Header Spaces        1
Capital after Dash   1
Header-Order Full    Content-Type,Date,Connection,Content-Length
Header-Order Limit   Content-Type,Date,Connection,Content-Length

Httprecon does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website
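As an added example (not httprecon's code and not part of this manual), the following Python derives the nine Fingerprint Details shown above from the two responses in Figures 1.2 and 1.3 and ranks them against a small constructed reference database, showing why the bannerless 400 response still identifies the server. LIMIT_COUNT, REFERENCE_DB and its Apache entry are assumptions of the example.

```python
"""httprecon-style fingerprint elements from raw HTTP responses.
Added example for this lab, not httprecon's own code; LIMIT_COUNT and
REFERENCE_DB are this example's own assumptions."""
import re

# Assumption: the "limited" header order keeps only the first four headers.
LIMIT_COUNT = 4

# Responses copied from the lab's Figure 1.2 and Figure 1.3 (juggyboy.com).
GET_EXISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
    "Content-Length: 8451\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://juggyboy.com/index.html\r\n"
    "Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
    "Accept-Ranges: none\r\n"
    'ETag: "a47ee9091a0cd1:7a49"\r\n'
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
GET_LONG_REQUEST = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
)

# Constructed reference entries for the GET long request test case; real
# httprecon ships one database per test case covering hundreds of servers.
REFERENCE_DB = {
    "Microsoft IIS 6.0": {
        "Protocol Version": "HTTP/1.1", "Statuscode": "400",
        "Statustext": "Bad Request", "Banner": "", "X-Powered-By": "",
        "Header Spaces": 1, "Capital after Dash": 1,
        "Header-Order Full": "Content-Type,Date,Connection,Content-Length",
        "Header-Order Limit": "Content-Type,Date,Connection,Content-Length",
    },
    "Apache 1.3.37 (constructed)": {
        "Protocol Version": "HTTP/1.1", "Statuscode": "400",
        "Statustext": "Bad Request", "Banner": "Apache/1.3.37",
        "X-Powered-By": "", "Header Spaces": 1, "Capital after Dash": 1,
        "Header-Order Full": "Date,Server,Connection,Content-Type",
        "Header-Order Limit": "Date,Server,Connection,Content-Type",
    },
}


def fingerprint(raw: str) -> dict:
    """Split a raw response head into the nine fingerprint elements."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"(HTTP/\d\.\d) (\d{3})(?: (.*))?$", status_line)
    if not m:
        raise ValueError(f"malformed status line: {status_line!r}")
    version, code, text = m.group(1), m.group(2), m.group(3) or ""
    names, values, spaces, capital_after_dash = [], {}, 0, 1
    for line in header_lines:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
        # "Header Spaces": widest gap between ':' and the value.
        spaces = max(spaces, len(value) - len(value.lstrip(" ")))
        # "Capital after Dash": Content-Type (1) versus Content-type (0).
        if any(p and not p[0].isupper() for p in name.split("-")[1:]):
            capital_after_dash = 0
    return {
        "Protocol Version": version,
        "Statuscode": code,
        "Statustext": text,
        "Banner": values.get("server", ""),
        "X-Powered-By": values.get("x-powered-by", ""),
        "Header Spaces": spaces,
        "Capital after Dash": capital_after_dash,
        "Header-Order Full": ",".join(names),
        "Header-Order Limit": ",".join(names[:LIMIT_COUNT]),
    }


def match(fp: dict, db: dict) -> list:
    """Rank reference entries by hits (equal elements) and match %."""
    ranked = []
    for impl, ref in db.items():
        hits = sum(1 for key, val in fp.items() if ref.get(key) == val)
        ranked.append((impl, hits, round(100.0 * hits / len(fp), 2)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # No Server banner in the 400 response, yet header order and casing
    # still rank IIS 6.0 first: suppressing the banner alone hides little.
    fp = fingerprint(GET_LONG_REQUEST)
    for key, val in fp.items():
        print(f"{key:20} {val!r}")
    for impl, hits, pct in match(fp, REFERENCE_DB):
        print(f"{impl:30} hits={hits} match={pct}%")
```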


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon Tool
Information Collected/Objectives Achieved:
Output: Footprint of the juggyboy website
  Content-Type: text/html
  Content-Location: http://juggyboy.com/index.html
  ETag: "a47ee9091a0cd1:7a49"
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET

Questions
1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required
[x] Yes  [ ] No

Platform Supported
[x] Classroom  [ ] iLabs


Lab
Footprinting a Webserver Using ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario
In the previous lab you learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint.

It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:

Use the ID Serve tool
Get a web server footprint

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve

You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm

If you decide to download the latest version, then screenshots shown in the lab might differ.


Run this tool on Windows Server 2012 as host machine

A web browser with Internet access

Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.

Lab Tasks
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.

[Screenshot: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. Tabs: Background | Server Query | Q&A/Help. Field 1: "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)". Button 2: "Query The Server" ("When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server"). Panes: "Server query processing:" and "The server identified itself as:". Buttons: Copy, Goto ID Serve web page.]

ID Serve can connect to any server port on any domain or IP address.

FIGURE 2.1: Welcome screen of ID Serve

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the website (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.


6. Click Query the Server to start querying the entered website.
7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.

[Screenshot: ID Serve, Server Query tab, with http://10.0.0.2/realhome entered. Server query processing:]
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"

ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

ID Serve can almost always identify the make, model, and version of any web site's server software.

FIGURE 2.2: ID Serve detecting the footprint

Lab Analysis
Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
Server Identified: Microsoft-IIS/8.0
Server Query Processing:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
  Accept-Ranges: bytes
  ETag: "c95dc4af6274cd1:0"


Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required
[ ] Yes  [x] No

Platform Supported
[x] Classroom  [x] iLabs


Lab 3
Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 12 Hacking Webservers

Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:


Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/

If you decide to download the latest version, then screenshots shown in the lab might differ.

A computer running Windows Server 2012 as host machine

Windows 8 running on a virtual machine as target machine

A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine

JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploit that takes advantage of two issues in JDK 7: ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference to and access a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.

[Screenshot: Firefox at https://localhost showing "This Connection is Untrusted". Text: "You have asked Firefox to connect securely to localhost, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified." What Should I Do? "If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue." Buttons: Get me out of here!, Technical Details, I Understand the Risks.]

FIGURE 3.1: Metasploit Untrusted connection in web browser

4. Click Add Exception.

[Screenshot: the same Firefox "This Connection is Untrusted" page with "I Understand the Risks" expanded, showing the Add Exception button.]

FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.


[Screenshot: Firefox "Add Security Exception" dialog. "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this." Server Location: (obscured). Certificate Status: "This site attempts to identify itself with invalid information." Wrong Site: "Certificate belongs to a different site, which could indicate an identity theft." Unknown Identity: "Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature." Checkbox: Permanently store this exception. Buttons: Confirm Security Exception, Cancel.]

FIGURE 3.3: Metasploit Add Security Exception

6. On the Metasploit Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.

Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

[Screenshot: Metasploit account creation form with Username, Password, Password confirmation and Optional Info & Settings (Email address, time zone) fields and a Create Account button.]

FIGURE 3.4: Metasploit Creating an Account

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

[Screenshot: Metasploit Product Key Activation window]


This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

8. Enter your valid email address in the Metasploit Community option and click GO.

These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

[Screenshot: Metasploit "Choose between two FREE Metasploit Offers" page. Left: Metasploit Pro trial (smart exploitation, password auditing, web application scanning, social engineering, team collaboration, reporting, enterprise-level support). Right: Metasploit Community FREE EDITION (network discovery, vulnerability scanner import, basic exploitation, module browser). Field: Enter email address, button Go.]

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

FIGURE 3.6: Metasploit Community version for License Key

9. Now log in to your email address and copy the license key as shown in the following figure.


[Screenshot: email "Your Metasploit Community Edition Product Key" from Rapid7, containing the Metasploit Product Key WNMW-J8KJ-X3TW-RN68 and the text: "Thank you for choosing Rapid7 Metasploit Community Edition. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose - for free. Your license is valid for one year and expires on 11/15/2013. When your license runs out, you can simply apply for a new license using the same registration mechanism."]

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste the product key and click Next to continue.


Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.


The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.


FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.




FIGURE 3.9: Metasploit Activation


The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.



FIGURE 3.10: Metasploit Activation Successful

TASK: Updating Metasploit

13. Go to Administration and click Software Updates.


FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after the update check completes, click Install.


By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)

FIGURE 3.12: Metasploit Checking for Updates

15. After the updates are installed, you are asked to restart, so click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.



TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.


FIGURE 3.14: Metasploit Restarts

TASK: Creating a New Metasploit Project

17. After the restart completes, Metasploit redirects to Metasploit - Home. Now click Create New Project from the Project drop-down list.


This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.
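As an added example (not from the lab manual or from Metasploitable's own documentation), the following Python audits, from the defender's side, the two weak settings these notes describe: an exports file that hands out "/" to any host, and rhosts-style trust files containing the "+" wildcard. The file contents are constructed samples rather than captures from Metasploitable, and the option defaults follow exports(5) (read-only and root_squash unless overridden).

```python
"""Audit NFS exports and rhosts-style trust files for the weak settings
the notes describe: a "/" export open to any host and a ".rhosts + +" trust.

Added example, not from the lab manual. SAMPLE_EXPORTS and SAMPLE_RHOSTS are
constructed file contents, not captures from Metasploitable.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed /etc/exports: one root export open to the world, one tight export.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/             *(rw,sync,no_root_squash,no_subtree_check)
/srv/data     10.0.0.0/24(ro,sync,root_squash)
/home/shared  *(rw,sync)
"""

# Constructed ~/.rhosts or /etc/hosts.equiv lines: "+" means any host / any user.
SAMPLE_RHOSTS = """\
+ +
trusted.example.internal alice
+ bob
"""


@dataclass
class ExportFinding:
    path: str
    client: str
    reasons: list[str] = field(default_factory=list)


def parse_exports(text: str) -> list[tuple[str, str, set[str]]]:
    """Return (path, client, options) triples from exports(5)-style text.

    A path with no client spec, or a bare "(opts)" spec, exports to any host.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        path, specs = parts[0], parts[1:] or ["*"]
        for spec in specs:
            if "(" in spec and spec.endswith(")"):
                client, opts = spec[:-1].split("(", 1)
                options = {o.strip() for o in opts.split(",") if o.strip()}
            else:
                client, options = spec, set()
            entries.append((path, client or "*", options))
    return entries


def find_risky_exports(text: str) -> list[ExportFinding]:
    """Flag exports that hand out the root file system, trust any client,
    skip root squashing, or are writable by anyone."""
    findings = []
    for path, client, options in parse_exports(text):
        reasons = []
        if path == "/":
            reasons.append("exports the root of the file system")
        if client == "*":
            reasons.append("exported to any host")
        if "no_root_squash" in options:
            reasons.append("remote root is not squashed")
        if "rw" in options and client == "*":
            reasons.append("world-writable export")
        if reasons:
            findings.append(ExportFinding(path, client, reasons))
    return findings


def find_rhosts_wildcards(text: str) -> list[str]:
    """Return trust-file lines whose host or user field is the "+" wildcard."""
    risky = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host, user = fields[0], fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            risky.append(line)
    return risky


if __name__ == "__main__":
    for f in find_risky_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client}: " + "; ".join(f.reasons))
    for line in find_rhosts_wildcards(SAMPLE_RHOSTS):
        print(f"wildcard trust: {line!r}")
```

Run against the real files (/etc/exports, /etc/hosts.equiv, each user's ~/.rhosts) the audit reports the "/" export with four reasons and the "/home/shared" export with two, while the /srv/data line, restricted to one subnet and read-only with root squashing, passes; the hardened form of the first line would name a specific client and drop no_root_squash.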


FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.

The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.


FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.



FIGURE 3.17: Metasploit Modules Tab

TASK: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.


Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.


A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.



In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and custom reporting, combined with an advanced penetration testing workflow.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:

a. In Payload Options, set the Connection Type to Reverse and, in Listener Host, enter the IP address where Metasploit is running.

b. In Module Options, enter the SRV Host IP address where Metasploit is running.

c. Enter the URI Path (in this lab we are using greetings) and click Run Module.


IPv6 is the latest version of the Internet Protocol, designed by the Internet Engineering Task Force to replace the current version, IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.


FIGURE 3.20: Metasploit Running Module

23. The task is started, as shown in the following screenshot.


In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.


FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 Virtual Machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar, and press Enter.

25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.


Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

Project Management
A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.
FIGURE 3.23: Metasploit Capturing the reverse connection of the targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.
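What steps 22 to 26 leave on the wire is a pair of events a defender can correlate: the victim's JVM fetches the applet from the attacker's web server (10.0.0.10:8080 in this lab), and shortly afterwards the same client opens a connection back to that server on a different port, the reverse listener. The Python below, an added detection example that is not part of the lab manual, runs that correlation over constructed proxy and firewall log lines in a simplified format (timestamp, client, method, URL, quoted user agent, status; and timestamp, action, protocol, src -> dst). The listener port 4444 and the JAR path are constructed values, not taken from the lab.

```python
"""Correlate a Java-client fetch from a web server with a follow-on connection
from the same client back to that server on a different port: the pattern a
browser-delivered applet leaves when its payload connects back to a reverse
listener, as in steps 22-26 of the lab.

Added detection example, not from the lab manual. PROXY_LOG and FIREWALL_LOG
are constructed samples in a simplified format; the listener port 4444 and
the JAR path are invented.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

PROXY_LOG = """\
2012-11-15T14:04:51Z 10.0.0.12 GET http://10.0.0.10:8080/greetings/ "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
2012-11-15T14:04:53Z 10.0.0.12 GET http://10.0.0.10:8080/greetings/Exploit.jar "Java/1.7.0_06" 200
2012-11-15T14:05:10Z 10.0.0.15 GET http://updates.example.internal/patch.jar "Java/1.7.0_09" 200
"""

FIREWALL_LOG = """\
2012-11-15T14:04:55Z ALLOW TCP 10.0.0.12:49211 -> 10.0.0.10:4444
2012-11-15T14:05:12Z ALLOW TCP 10.0.0.15:49300 -> 10.0.0.20:443
2012-11-15T14:06:00Z ALLOW TCP 10.0.0.12:49220 -> 10.0.0.10:8080
"""


@dataclass(frozen=True)
class ProxyEntry:
    ts: datetime
    client: str
    url: str
    user_agent: str


@dataclass(frozen=True)
class ConnEntry:
    ts: datetime
    src: str
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    fetch_port: int
    callback_port: int
    seconds_after_fetch: float


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(text: str) -> list[ProxyEntry]:
    """Parse 'ts client method url "user agent" status' lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, client, _method, url, ua, _status = shlex.split(line)
            entries.append(ProxyEntry(_ts(ts), client, url, ua))
    return entries


def parse_firewall(text: str) -> list[ConnEntry]:
    """Parse 'ts action proto src:port -> dst:port' lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, _action, _proto, src, _arrow, dst = line.split()
            host, port = dst.rsplit(":", 1)
            entries.append(ConnEntry(_ts(ts), src.rsplit(":", 1)[0], host, int(port)))
    return entries


def _server_of(url: str) -> tuple[str, int]:
    """Host and port the URL was served from (default port by scheme)."""
    parsed = urlsplit(url)
    return parsed.hostname, parsed.port or (443 if parsed.scheme == "https" else 80)


def find_applet_callbacks(proxy: list[ProxyEntry], conns: list[ConnEntry],
                          window: timedelta = timedelta(seconds=120)) -> list[Alert]:
    """Pair each JVM fetch (Java/ user agent) with a later connection from the
    same client to the same server on a port other than the one it fetched from."""
    alerts = []
    for fetch in proxy:
        if not fetch.user_agent.startswith("Java/"):
            continue
        host, fetch_port = _server_of(fetch.url)
        for c in conns:
            if c.src != fetch.client or c.dst_host != host or c.dst_port == fetch_port:
                continue
            delay = c.ts - fetch.ts
            if timedelta(0) <= delay <= window:
                alerts.append(Alert(fetch.client, host, fetch_port, c.dst_port,
                                    delay.total_seconds()))
    return alerts


if __name__ == "__main__":
    for a in find_applet_callbacks(parse_proxy(PROXY_LOG), parse_firewall(FIREWALL_LOG)):
        print(f"{a.client} fetched Java content from {a.host}:{a.fetch_port} and "
              f"connected back on port {a.callback_port} after {a.seconds_after_fetch:.0f}s")
```

On the sample data only 10.0.0.12 is flagged: its JVM fetch from 10.0.0.10:8080 is followed two seconds later by a connection to 10.0.0.10:4444, while 10.0.0.15's Java download is followed by traffic to a different host and is ignored. A legitimate Java application that calls its own server on a second port produces the same pair, so in production the rule needs an allow-list of known servers and a window tuned to the environment; the Chrome prompt in step 25 shows the complementary host-side control, an out-of-date plug-in blocked by default.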


User Management
Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of the target machine, as shown in the following screenshot.
Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.


FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.


System Management
As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information


Host Scan
A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. To access the files of the target system, click Access Filesystem.



Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.


FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

31. You can view and modify the files from the target machine.


If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.

Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.


FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

32. You can also launch a command shell on the target machine by clicking Command Shell from the captured sessions.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.


Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and e-mail template.

34. The following screenshot shows the IP address and other details of your target machine.

WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.


FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click the Go back one page button in the Metasploit browser to exit the command shell.


A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high-level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.32: Metasploit closing command shell

FIGURE 3.33: Metasploit Terminating Session


You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session Killed. Now, from the Account drop-down list, select Logout.

FIGURE 3.34: Metasploit Session Killed and Logging out


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:
Output: Interface Information
  Name: eth14 - Microsoft Hyper-V Network Adapter
  Hardware MAC: 00:00:00:00:00:00
  MTU: 1500
  IPv4 Address: 10.0.0.12
  IPv4 Netmask: 255.255.255.0
  IPv6 Address: fe80::b9ea:d011:3e0e:1b7
  IPv6 Netmask: ffff:ffff:ffff:ffff::
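The interface listing above is what step 33 collects for the lab write-up. The Python below, an added example that is not part of the lab manual, turns that "Interface N" / "Key : Value" layout into structured records (with netmasks converted to prefix lengths) so results can be documented without retyping. SAMPLE_IPCONFIG is constructed to follow the layout of the lab's output table; its MAC and addresses are invented, not taken from a capture.

```python
"""Turn the interface listing that the Meterpreter ipconfig command prints
into structured records, so lab results can be documented without retyping.

Added example, not from the lab manual. SAMPLE_IPCONFIG is constructed to
follow the "Interface N" / "Key : Value" layout the lab's output table shows;
the MAC and addresses are invented, not taken from a capture.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_IPCONFIG = """\
Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 13
============
Name         : Microsoft Hyper-V Network Adapter
Hardware MAC : 00:15:5d:aa:bb:cc
MTU          : 1500
IPv4 Address : 10.0.0.12
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask : ffff:ffff:ffff:ffff::
"""

_HEADER = re.compile(r"^Interface\s+(\d+)\s*$")


@dataclass(frozen=True)
class Interface:
    index: int
    name: str
    mac: str
    mtu: int
    ipv4: str | None   # "address/prefixlen", None when the block has none
    ipv6: str | None


def prefix_length(mask: str) -> int:
    """Convert a dotted or colon netmask to a prefix length, rejecting
    non-contiguous masks (which would mean a mis-parsed line)."""
    addr = ipaddress.ip_address(mask)
    bits, value = addr.max_prefixlen, int(addr)
    ones = bin(value).count("1")
    if value != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def _cidr(fields: dict[str, str], family: str) -> str | None:
    addr, mask = fields.get(f"{family} Address"), fields.get(f"{family} Netmask")
    if not addr or not mask:
        return None
    return f"{addr}/{prefix_length(mask)}"


def parse_ipconfig(text: str) -> list[Interface]:
    """Split the listing on 'Interface N' headers and read 'Key : Value' lines."""
    blocks: list[tuple[int, dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            blocks.append((int(header.group(1)), {}))
        elif blocks and ":" in line:
            # Split on the first colon only so IPv6 values keep theirs.
            key, _, value = line.partition(":")
            blocks[-1][1][key.strip()] = value.strip()
    return [
        Interface(idx, kv.get("Name", ""), kv.get("Hardware MAC", ""),
                  int(kv.get("MTU", "0")), _cidr(kv, "IPv4"), _cidr(kv, "IPv6"))
        for idx, kv in blocks
    ]


def routable_ipv4(interfaces: list[Interface]) -> list[str]:
    """The addresses worth recording in the lab table: IPv4 and not loopback."""
    return [i.ipv4 for i in interfaces
            if i.ipv4 and not ipaddress.ip_interface(i.ipv4).ip.is_loopback]


if __name__ == "__main__":
    for iface in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{iface.index:>3} {iface.name:<40} {iface.mac} {iface.ipv4} {iface.ipv6}")
    print("record:", routable_ipv4(parse_ipconfig(SAMPLE_IPCONFIG)))
```

Paste the real session output in place of SAMPLE_IPCONFIG and routable_ipv4() returns the address to record (10.0.0.12/24 for the sample); the contiguity check in prefix_length() catches a netmask line that was mangled in copying, which is the usual failure when results are transcribed by hand.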

Question
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required
Yes / No

Platform Supported
Classroom / iLabs