C EH

Lab M a n u a l

H a c k in g

W

e b

S e r v e r s M o d u le 12

M odule 12 - H ackin g W e b servers

H a c k in g

W e b

S e r v e r s

A. w e bs e r v e r ,w h ic hc a nb er e fe r re dt oa st h eh a r d w a r e ,t h ec o m p / / t e r , ort h es o f t w a r e , is t h ec o m p u t e ra p p lic a tio nthath e lp st od eliverc o n t e n tthatc a nb ea c c e s s e dt h r o u g h t h eIn tern et.
i con
[£ Z 7 V a lu a b le in fo r m a tio n

key

~

L a b S c e n a r io
T o d a y , m o s t o f o n lin e se rv ic e s a re im p le m e n te d as w e b a p p lic a tio n s . O n lin e b a n k in g , w e b s e a rc h e n g in e s , e m a il a p p lic a tio n s , a n d so c ia l n e tw o rk s a re ju s t a fe w e x a m p le s o f s u c h w e b se rv ic e s. W e b c o n te n t is g e n e r a te d 111 re a l tim e b y a s o f tw a re a p p lic a tio n r u n n in g a t s e rv e r-sid e . S o h a c k e rs a tta c k 0 1 1 th e w e b s e r v e r to ste a l c re d e n tia l in f o r m a tio n , p a s s w o rd s , a n d b u s in e s s in f o r m a t io n b y D o S (D D o s ) a tta c k s , S Y N flo o d , p in g flo o d , p o r t sc a n , s n iffin g a tta c k s , a n d so c ia l e n g in e e rin g a tta c k s. 1 1 1 th e a re a o f w e b se c u rity , d e s p ite s tr o n g e n c r y p tio n 0 11 th e b ro w s e r - s e r v e r c h a n n e l, w e b u s e rs still h a v e 1 10 a s s u ra n c e a b o u t w h a t h a p p e n s a t th e o th e r e n d . W e p r e s e n t a s e c u rity a p p lic a tio n th a t a u g m e n ts w e b s e rv e rs w ith tr u s te d c o -s e rv e rs com posed of liig li-a s s u ra n c e s e c u re c o p r o c e s s o r s , c o n fig u re d w ith a p u b lic ly k n o w n g u a rd ia n p r o g r a m . W e b u s e rs c a n th e n e s ta b lis h th e ir a u th e n tic a te d , e n c ry p te d c h a n n e ls w ith a tr u s te d c o se rv e r, w h ic h th e n c a n a c t as a tm s t e d th ird p a rty 111 th e b ro w s e r - s e r v e r in te r a c tio n . S y ste m s are c o n s ta n tly b e in g a tta c k e d , a n d I T s e c u rity p ro f e s s io n a ls n e e d to b e a w a re o f c o m m o n a tta c k s 0 1 1 th e w e b s e r v e r a p p lic a tio n s . A tta c k e rs u s e s n iffe rs o r p r o t o c o l a n a ly z e rs to c a p tu r e a n d a n a ly z e p a c k e ts . I f d a ta is s e n t a c ro s s a n e tw o r k 111 c le a r te x t, a n a tta c k e r c a n c a p tu r e th e d a ta p a c k e ts a n d u se a s n iffe r to r e a d th e d a ta . 1 1 1 o th e r w o r d s , a s n iffe r c a n e a v e s d r o p 0 1 1 e le c tro n ic c o n v e rs a tio n s . A p o p u la r s n iffe r is W ir e s h a rk , I t ’s a lso u s e d b y a d m in is tra to rs f o r le g itim a te p u r p o s e s . O n e o f th e c h a lle n g e s f o r a n a tta c k e r is to g a m a c c e ss to th e n e tw o r k to c a p tu r e th e d a ta . I t a tta c k e rs h a v e p h y s ic a l a c c e ss to a r o u t e r
0 1 ‫ ־‬sw itc h , th e y c a n c o n n e c t th e s n iffe r a n d c a p m r e all tra ffic g o in g th r o u g h th e

S

Test your k n o w le d g e

=‫־‬

W e b e x e r c is e

m

W o r k b o o k r e v ie w

sy ste m . S tr o n g p h y s ic a l s e c u rity m e a s u re s h e lp m itig a te tin s risk. A s a p e n e tr a tio n te s te r a n d e th ic a l h a c k e r o f a n o rg a n iz a tio n , y o u m u s t p ro v id e s e c u rity to th e c o m p a n y ’s w e b se rv e r. Y o u m u s t p e r f o r m c h e c k s 0 1 1 th e w e b s e r v e r f o r v u ln e ra b ilitie s , m is c o n fig u ra tio n s , u n p a tc h e d im p r o p e r a u th e n tic a tio n w ith e x te r n a l sy ste m s. s e c u rity fla w s, a n d

L a b O b je c t iv e s
T h e o b je c tiv e o f tin s la b is to h e lp s tu d e n ts le a r n to d e te c t u n p a tc h e d s e c u rity flaw s, v e r b o s e e r r o r m e s s a g e s , a n d m u c h m o r e . T h e o b je c tiv e o f tin s la b is to : ■ ■ ■ F o o tp r in t w e b se rv e rs C ra c k r e m o te p a s s w o rd s D e te c t u n p a tc h e d se c u rity flaw s

C E H Lab Manual Page 731

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

L a b E n v ir o n m e n t
T o e a rn ‫ ־‬o u t tin s, y o u n eed : & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT oo ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs ■ ■ A c o m p u te r ru n n in g W in d o w S e r v e r 2 0 1 2 a s H o s t m a c h in e A c o m p u te r r u n n in g w in d o w serv er 20 0 8 , w in d o w s 8 a n d w in d o w s 7 as a V irtu al M a c h in e ■ ■ A w e b b ro w s e r w ith I n te rn e t access A d m in istra tiv e p rivileges to 11111 to o ls

L a b D u r a tio n
T u n e : 40 M in u te s

O v e r v ie w o f W e b S e r v e r s
A w e b serv er, w h ic h c a n b e re fe rre d to as d ie h a rd w a re , th e c o m p u te r, o r d ie so ftw are, is th e c o m p u te r a p p lic a tio n d ia t h e lp s to d eliv er c o n te n t th a t c a n b e a c ce sse d th r o u g h th e In te rn e t. M o s t p e o p le d u n k a w e b se rv e r is ju st th e h a rd w a re c o m p u te r, b u t a w e b se rv e r is also th e so ftw are c o m p u te r a p p lic a tio n th a t is in stalled
111 th e h a rd w a re c o m p u te r. T lie p rim a ry fu n c tio n o f a w e b se rv e r is to d eliv er w e b

p a g es o n th e re q u e s t to clien ts u sin g th e H y p e rte x t T ra n s fe r P ro to c o l (H T T P ). T in s m e a n s d eliv ery o f H T M L d o c u m e n ts a n d an y ad d itio n a l c o n te n t th a t m a y b e in c lu d e d b y a d o c u m e n t, su c h as im ag es, style sh e e ts, a n d scrip ts. M a n y g e n e ric w e b serv ers also s u p p o r t serv er-sid e s e n p tin g u sin g A c tiv e S erv e r P ag es (A SP), P H P , o r o d ie r sc rip tin g lang u ag es. T in s m e a n s th a t th e b e h a v io r o f th e w e b se rv e r c a n b e sc rip te d 111 sep ara te files, w lu le th e acm a l se rv e r so ftw a re re m a in s u n c h a n g e d . W e b serv ers are n o t alw ays u s e d fo r se rv in g th e W o rld W id e WT eb. T h e y c a n also b e f o u n d e m b e d d e d in dev ices su c h as p rin te rs , ro u te rs, w e b c a m s a n d serv in g o n ly a lo c a l n e tw o rk . T lie w e b se rv e r m a y d ie n b e u s e d as a p a r t o f a sy ste m fo r m o n ito r in g a n d / o r a d m in iste rin g th e d ev ice 111 q u e stio n . T in s u su a lly m e a n s d ia t n o a d d itio n a l so ftw a re h a s to b e in sta lle d o n th e c lien t c o m p u te r, since o n ly a w e b b ro w s e r is re q u ire d .

m TASK
O v e rv ie w

1

Lab T asks
R e c o m m e n d e d lab s to d e m o n s tra te w e b se rv e r hack in g : ■ ■ ■ F o o tp r in tin g a w e b serv e r u sin g th e h t t p r e c o n to o l F o o tp r in tin g a w e b serv e r u sin g th e ID S e r v e to o l E x p lo itin g Java v u ln erab ilities u s in g M e t a s p lo i t F r a m e w o r k

C E H Lab Manual Page 732

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

L a b A n a ly s is
A n a ly z e a n d d o c u m e n t th e resu lts re la te d to d ie lab exercise. G iv e y o u r o p in io n 0 11 y o u r ta rg e t’s secu rity p o s tu re a n d e x p o su re .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U

H A V E

Q U E S T I O N S

R E L A T E D

L A B .

C E H Lab Manual Page 733

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

F o o t p r in t in g h ttp re c o n

W

e b s e r v e r U s in g

th e

T o o l

The httprecon project undertakes research in thefield o f web serverfingerprinting, also known as http fingerprinting ICON KEY
/ V a lu a b le m t o m ia t io n

L a b S c e n a r io
W e b a p p lic a tio n s a re th e m o s t i m p o r t a n t w a y s t o r a n o r g a n iz a tio n to p u b lis h in f o r m a tio n , in te r a c t w ith I n t e r n e t u s e r s , a n d e s ta b lis h a n e - c o m m e r c e /e g o v e rn m e n t p re s e n c e . H o w e v e r, if an o rg a n iz a tio n is not r ig o ro u s in c o n fig u rin g a n d o p e r a tin g its p u b lic w e b s ite , it m a y b e v u ln e r a b le to a v a rie ty o f

Test yo u r

**

W e b e x e r c is e

se c u rity th re a ts . A lth o u g h th e th r e a ts 111 c y b e rs p a c e re m a in la rg e ly th e sa m e as
111 th e p h y s ic a l w o r ld (e.g., fra u d , th e f t, v a n d a lis m , a n d te r r o r is m ) , th e y a re fa r

m

W o r k b o o k re \

m o r e d a n g e r o u s as a re s u lt. O r g a n iz a tio n s c a n fa c e m o n e ta r y lo s s e s , d a m a g e to r e p u ta tio n , 0 1 ‫ ־‬le g a l a c tio n i f a n in t r u d e r su c c e s sfu lly v io la te s th e c o n fid e n tia lity o f th e ir d a ta . D o S a tta c k s a re e a sy f o r a tta c k e rs to a tt e m p t b e c a u s e o f th e n u m b e r o t p o s s ib le a tta c k v e c to r s , th e v a rie ty o f a u to m a te d to o ls a v a ila b le , a n d th e lo w skill le v e l n e e d e d to u s e th e to o ls . D o S a tta c k s , as w e ll as th r e a ts o f in itia tin g D o S a tta c k s , a re a ls o in c re a s in g ly b e in g u s e d to b la c k m a il o rg a n iz a tio n s . 1 1 1 o r d e r to b e a n e x p e r t e th ic a l h a c k e r a n d p e n e tr a tio n te s te r, }‫׳‬o n m u s t u n d e r s ta n d h o w to p e r f o r m f o o tp r in tin g 0 1 1 w e b se rv e rs.

L a b O b je c t iv e s
T h e o b je c tiv e o f th is la b is to h e lp s tu d e n ts le a r n to f o o t p r in t w e b s e rv e rs . I t w ill te a c h y o u h o w to : H T o o ls d e m o n s tr a t e d in th i s la b a r e a v a ila b le D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs ■ ■ U s e th e h tt p r e c o n to o l G e t W e b se rv e r f o o t p r in t

L a b E n v ir o n m e n t
T o c a rry o u t th e la b , y o u n e e d : ■ h t t p r e c o n to o l lo c a te d a t D :\C EH -T 0 0 ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o l s \ h t t p r e c o n

C E H Lab Manual Page 734

Ethical Hacking and Countemieasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

Y o u c a n a lso d o w n lo a d d ie la te s t v e r s io n o f h t t p r e c o n f r o m th e lin k h ttp ://w w w .c o m p u te c .c h /p r o je k te /h ttp r e c o n


m Httprecon is an open-source application that can fingerprint an application of webservers.

I f y o u d e c id e to d o w n lo a d th e l a t e s t v e r s io n , th e n s c r e e n s h o ts s h o w n
111 th e la b m ig h t d if fe r

■ ■ ■

R u n tin s to o l 111 W in d o w s S e r v e r 2 0 1 2 A w e b b r o w s e r w ith I n t e r n e t a c c e ss A d m in is tra tiv e p riv ile g e s to r u n to o ls

L a b D u r a tio n
T u n e : 10 M in u te s

O v e r v ie w o f h t t p r e c o n
h ttp r e c o n is a to o l fo r a d v a n c e d w e b s e r v e r fin g e rp rin tin g , sim ilar to h ttp rin t. T h e h ttp r e c o n p ro je c t d o e s r e s e a r c h 111 th e h e ld o f w e b serv er fin g e rp rin tin g , also k n o w n as h tt p fin g e rp rin tin g . T h e g o a l is h ig h ly a c c u r a t e id e n tific a tio n o f g iv en h ttp d im p le m e n ta tio n s.

TASK 1
F o o tp rin tin g a W eb serv er

Lab T asks
1. N a v ig a te to D :\C E H -T o o ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o l s \ h t t p r e c o n . 2. 3. D o u b le -c lic k h t t p r e c o n . e x e t o la u n c h h t t p r e c o n . T h e m a in w in d o w o f h t t p r e c o n a p p e a rs , as s h o w n 111 th e fo llo w in g fig u re .

11
File Configuration Target
|http;// |

httprecon 7.3
Fingergrinting Reporting Help

I

— 1
6 "* ” |

|80

T ]

GET existing | GET long request | GET nonexisbng | GET wrong protocol | HEAD existing | OPTIONS com * I *

£G1 Httprecon is distributed as a Z IP file containing the binary and fingerprint databases.

Full Matchlist | Fingerprint Details | Report Preview |

| Name

j Hits

| Match

% 1

F IG U R E 1.1: httprecon main window

C E H Lab Manual Page 735

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

4.

E n t e r th e w e b s ite (U R L ) w w w .ju g g y b o y .c o m th a t y o u w a n t to f o o t p r in t a n d se le c t th e p o r t n u m b e r .

5. 6.

C lic k A n a ly z e to s ta r t a n a ly z in g th e e n te r e d w e b s ite . Y o u s h o u ld re c e iv e a f o o t p r in t o f th e e n te r e d w e b s ite .
h ttp re co n 7.3 - h ttp ://ju g g yb o y.co m :8 0 /
File Configuration Fingerprinting Reporting Help

tewl Httprecon uses a simple database per test case that contains all die fingerprint elements to determine die given implementation.

Target (Microsoft IIS 6.0) I http:// ▼1 | juggyboy com|

GET existing | GET long request | GET non existing | GET wrong protocol | HEAD existing | OPTIONS com * I * I

HTTP/1.1 200 O K bate: Thu, 1 8 Oct 2012 11:36:10 G M T bontent-Length: 84S1 Content-Type: text/html Content-Location: http: //‫כ‬uggyboy.com/index.html Laat-Modified: Tue, 0 2 Oct 2012 11:32:12 G M T Accept-Ranges: non® ETag: "a47ee9091a0cdl:7a49" Server: Microsoft-IIS/6.0 K-Powered-By: ASP.NET

Matchlst (352 Implementations) | Fingerprint Details | Report Preview | | Name Microsoft IIS 6.0 ^ ^ Microsoft IIS 5.0 Microsoft IIS 7 0 Miciosofl IIS 5.1 Sun ONE W eb Server 61 Zeus 4.3 Apache 1.3.37 I Hits 88 71 S3 63 63 62 62 60 | Match 100 80 68. 71. 59 71 59 . 71.59 70.45. . 70.45... 6818 v

%|

•22 O
V

V , Apache 1.3.26

m The scan engine of httprecon uses nine different requests, which are sent to the target web server.

£
F IG U R E 1.2: The footprint result of the entered website

7.

C lick d ie G E T lo n g r e q u e s t tab , w h ic h w ill list d o w n d ie G E T re q u est. T h e n click d ie F in g e r p r in t D e ta ils .
h ttp re co n 7.3 - h ttp ://ju g g yb o y.co m :8 0 /
File Configuration Fingerprinting Reporting Help

1 - l‫״‬ L» J |

Target (Microsoft IIS 6.0) I Nip:// j ‫׳‬J ^ juggyboy com| [* ‫פ‬

GET existing | GET long request ] GET non existing | GET wrong protocol | HEAD existing | OPTIONS com * I * I

HTTP/1.1 400 Bad Request Content-Type: text/html Date: Thu, 1 8 Oct 2012 11:35:20 G H T Connection: close Content-Length: 3 4

Matchlst (352 Implementations)

Fingerprint Details | Report F^eview |

i~ ~ Httprecon does not rely on simple banner announcements by the analyzed software.

Protocol Version Statuscode Statustext Banner K-Povered-By Header Spaces Capital after Dash Header-Order Full Header-Order Limit
Ready

H TTP

1 .1
4 0 0

Content-Type,Date,Connection,Content-Length Content-Type,Date,Connection,Content-Length

1 1

F IG U R E 1.3: The fingerprint and G ET long request result of the entered website

C E H Lab Manual Page 736

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

L a b A n a ly s is
A n aly ze a n d d o c u m e n t d ie resu lts re la te d to th e lab exercise. G iv e y o u r o p in io n 0 11 y o u r ta rg e t’s sec im tv p o s tu re a n d e x p o su re .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U

H A V E

Q U E S T I O N S

R E L A T E D

L A B .

T o o l/U tility

I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d O u t p u t : F o o tp r in t o f th e ju g g y b o y w e b s ite ‫י‬ C o n te n t- ty p e : t e x t / h t m l c o n te n t- lo c a tio n : h t t p : / / ju g g v b o v .c o m / 1 n d e x .h tm l E T a g : " a 4 7 e e 9 0 9 1eO cd 1:7 a49 " se rv e r: M i c r o s o f t- I I S /6 .0 X -P o w e re d -B v : A S P .N E T

h ttp re c o n T o o l

‫י‬ ‫י‬ ‫י‬ ‫י‬

Q u e s t io n s
1. A n a ly z e th e m a jo r d if fe re n c e s b e tw e e n classic b a n n e r - g r a b b in g o f th e s e r v e r lin e a n d h tt p r e c o n . 2. E v a lu a te th e ty p e o f te s t r e q u e s ts s e n t b y h t t p r e c o n to w e b se rv e rs.

I n te r n e t C o n n e c tio n R e q u ire d 0 Y es P la tfo rm S u p p o rte d 0 C la s s ro o m □ !L ab s □ No

C E H Lab Manual Page 737

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

Lab

F o o t p r in t in g S e r v e

a

W

e b s e r v e r U s in g

ID

ID Serve is a simple,free, sm all (26 Kbytes), andfastgenera/purpose Internet server identification utility. ICON KEY
/ V a lu a b le in fo r m a tio n

L a b S c e n a r io
1 1 1 th e p re v io u s la b y o u h a v e le a r n e d to u s e th e h tt p r e c o n to o l, h t t p r e c o n is a

to o l fo r a d v a n c e d w e b s e rv e r fin g e rp rin tin g , s im ila r to h ttp r in t. I t is v e ry im p o r t a n t f o r p e n e tr a tio n te s te rs to b e fa m ilia r w ith b a n n e r - g r a b b in g te c h n iq u e s to m o n i to r s e rv e rs to e n s u r e c o m p lia n c e a n d a p p r o p r ia te se c u rity u p d a te s . U s in g th is te c h n iq u e y o u c a n a lso lo c a te r o g u e s e rv e rs 0 1 ‫ ־‬d e te r m in e th e ro le o f s e rv e rs w ith in a n e tw o rk . 1 1 1 tin s la b y o u w ill le a r n th e b a n n e r g ra b b in g te c h n iq u e to d e te r m in e a r e m o te ta r g e t s y s te m u s in g I D S e rv e . 111 o r d e r to b e a n e x p e r t e th ic a l h a c k e r a n d p e n e tr a ti o n te s te r, y o u m u s t u n d e r s ta n d h o w to f o o t p r in t a w e b se rv e r.

Test yo u r

**

W e b e x e r c is e

m

W o r k b o o k re \

L a b O b je c t iv e s
T h is la b w ill s h o w y o u h o w to f o o t p r in t w e b s e rv e rs a n d h o w to u s e I D S erv e . I t w ill te a c h y o u h o w to: ■ ■ H T o o ls d e m o n s tr a t e d in th i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs U s e th e I D S e rv e to o l G e t a w e b s e rv e r f o o t p r in t

L a b E n v ir o n m e n t
T o c a rry o u t th e la b , y o u n e e d : ■ ID S e r v e lo c a te d a t D :\C EH -T 0 0 ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o ls\ID S e r v e ■ Y o u c a n also d o w n lo a d th e la te s t v e r s io n o f ID S e r v e f r o m th e lin k h ttp : / / w w w .g r c .c o m / i d / 1 d s e r v e .h tm ■ I f y o u d e c id e to d o w n lo a d th e l a t e s t v e r s io n , th e n s c r e e n s h o ts s h o w n
111 th e la b m ig h t d if fe r

C E H Lab Manual Page 738

Ethical Hacking and Countenneasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

■ ■ ■

R u n tliis to o l o n W in d o w s S e r v e r 2 0 1 2 as h o s t m a c h in e A w e b b r o w s e r w ith I n t e r n e t a c c e s s A d m n iis tra tiv e p riv ile g e s to r u n to o ls

L a b D u r a tio n
T im e : 10 M in u te s
m ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

O v e r v ie w o f ID S e r v e
I D S erv e a tte m p ts to d e te rm in e d ie d o m a in n a m e a sso c ia te d w id i a n IP. T in s p ro c e s s is k n o w n as a r e v e r s e DNS lo o k u p a n d is h a n d y w h e n c h e c k in g fire w a ll lo g s o r r e c e iv in g a n IP a d d r e s s fr o m s o m e o n e . N o t all IP s th a t h a v e a fo rw a rd d ire c tio n lo o k u p (D o m a in -to -IP ) h a v e a r e v e r s e (IP -to -D o m a in ) lo o k u p , b u t m a n y do.

TASK 1
F o o tp rin tin g a W eb serv er

Lab T asks
1. 111 W in d o w s S e rv e r 2 0 1 2 , n a v ig a te to D :\C E H -T o o ls\C E H v 8 M o d u le 1 2 H a c k in g W e b s e r v e r s \ W e b s e r v e r F o o tp r in tin g T o o ls\ID S e r v e . 2. 3. D o u b le -c lic k i d s e r v e . e x e to la u n c h ID S e r v e . T h e m a in w in d o w a p p e a rs . C lic k th e S e r v e r Q u e ry ta b as s h o w n in th e fo llo w in g fig u re.

0 ID S e rv e

ID Serve

In te r n e tS e rv e rId e n tific a tio nU tility ,vl. 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n
Copyright (c) 2003 by Gibson Research Corp.

B a c k g r o u n d | Se iverQ u e r y

Q & A / H e lp

Enter or copy I paste an Internet server URL or IP address here (example: www microsoft.com):

Query The Server

. ™

When an Internet U R L or IP has been provided above. press this button to initiate a query of the specified seiver

ID Serve can connect to any server port on any domain or IP address.

m

Server query processing:

The server identified itself a s :

Copy |

Goto ID Serve web page

F IG U R E 2.1: Welcome screen of ID Serve

4.

111 o p ti o n

1 , e n te r

(0 1 ‫ ־‬c o p y / p a s t e a n I n t e r n e t s e rv e r U R L o r I P a d d re s s)

th e w e b s i t e (U R L ) y o u w a n t to f o o t p r in t . 5. E n t e r h t t p : / / 1 0 .0 .0 .2 /r e a lh o m e (IP a d d re s s is w h e r e th e re a l h o m e site is h o s te d ) in s te p 1.

C E H Lab Manual Page 739

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

6. 7.

C lic k Q u e ry t h e S e r v e r to s ta r t q u e ry in g th e e n te r e d w e b s ite . A f te r th e c o m p le tio n o f th e q u e r y . I D S e rv e d isp la y s th e re s u lts o f th e e n te r e d w e b s ite as s h o w n 111 th e fo llo w in g fig u re.

, _ _ ID Serve uses tlie standard Windows TCP protocol when attempting to connect to a remote server and port.

IDServe

ID

S e rv e

B a c k g r o u n d

In te r n e tS e rv e rId e n tific a tio nU tility .v 1 . 0 2 P e rs o n a lS e c u rityF re e w a reb yS te v eG ib s o n C o p y r ig h t(c )2 0 0 3 b yG ib s o n R e s e a r c hC o r p . £ e tv e rQ u e ry | Q & A / H e lp

Enter or copy / paste an Internet server URL or IP address here (example: www miciosoft.com):

C 1 Ihttp //I 0.0 0.2/realhome|

r2 [

Query The Server

When an Internet URL a IP has been provided above, press this button to initiate a query of the specified server

Server query processing:

H T T P / 112 0 0O K C o n te n tT y p e :t e x t / h t m l L a s tM o d ifie d :T u e ,0 7 A u g2 0 1 20 6 :0 5 :4 6G M T A c c e p tR a n g e s :b y te s E T a q :" c 9 5 d c 4 a f6 2 7 4 c d 1 :0 "__________
1 y= H ID Serve can almost always identify the make, model, and version of any web site's server software.
| Copy The server identified itself a s :

|

Goto ID Serve web page

F IG U R E 2.2: ID Serve detecting the footprint

L a b A n a ly s is
D o c u m e n t all d ie se rv e r in fo rm a tio n .

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R T O T H I S

I F

Y O U L A B .

H A V E

Q U E S T I O N S

R E L A T E D

T o o l/U tility

I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d S e r v e r I d e n t i f i e d : M ic r o s o f t- I I S /8 .0 S e rv e r Q u e ry P ro c e s s in g :

I D S e rv e

‫י‬ ■ ■ ■ ■

H T T P / 1.1 2 0 0 o k c o n te n t- T y p e : t e x t / h t m l L a s t- M o d if ic a tio n : T u e , 0 7 A u g 2 0 1 2 0 6 :0 5 :4 6 GMT A c c e p t-R a n g e s : b y te s E T a g : " c 9 5 d c 4 a f 6 2 7 4 c d l:0 "

C E H Lab Manual Page 740

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

Q u e s t io n s
1. 2. A n a ly z e h o w I D S e rv e d e te r m in e s a s ite ’s w e b se rv e r. W h a t h a p p e n s i f w e e n te r a n I P a d d re s s in s te a d o f a U R L ‫׳׳‬

I n te r n e t C o n n e c tio n R e q u ire d □ Y es P la tfo rm S u p p o rte d 0 C la s s ro o m 0 !L a b s 0 No

C E H Lab Manual Page 741

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

3
E x p lo it in g M Ja v a V u ln e r a b ilit y e w o rk U s in g e t a s p lo it F r a m

Metasploitsofin ar eh e lp ss e c u r itya n dITprofessionalsid e n tifys e c u r ityi s s u e s ,v e rify vulnerabilitym it ig a t io n s ,a n dm a n a g ee x p e r t d r iv e ns e c u r itya s s e s s m e n t s .
I CON KEY
£_ _ V a lu a b le in fo r m a tio n

L a b S c e n a r io
P e n e tra tio n te stin g is a m e th o d o f ev alu a tin g th e secu rity o l a c o m p u te r sy stem 0 1 ‫־‬ n e tw o rk b y sim u latin g a n a tta c k fro m m alicio u s o u tsid e rs (w h o d o n o t h a v e a n a u th o riz e d m e a n s o f a c cessin g th e o rg a n iz a tio n 's system s) a n d m alicio u s in sid ers (w h o h a v e so m e level o f a u th o riz e d access). T h e p ro c e s s in v o lv e s a n activ e analysis o f th e sy ste m fo r a n y p o te n tia l v u ln erab ilities th a t c o u ld re su lt fro m p o o r o r im p ro p e r sy ste m c o n fig u ra tio n , e ith e r k n o w n a n d u n k n o w n h a rd w a re 0 1 ‫ ־‬so ftw are flaw s, 01 ‫ ־‬o p e ra tio n a l w e a k n e sse s 111 p ro c e s s o r te c h n ic a l c o u n te rm e a s u re s. T in s analysis is e a rn e d o u t fro m th e p o s itio n o f a p o te n tia l a tta c k e r a n d c a n in v o lv e active e x p lo ita tio n o f secu rity vuln erab ilities. T h e M e ta sp lo it P ro je c t is a c o m p u te r se c u n tv p ro je c t th a t p ro v id e s in fo rm a tio n about secu rity v u ln erab ilities and aids in p e n e tra tio n te stin g a n d ID S signaU ire d e v e lo p m e n t. Its m o s t w e ll-k n o w n su b p ro je c t is th e o p e n -s o u rc e M e ta sp lo it F ra m e w o rk , a to o l fo r d e v e lo p in g an d e x e c u tin g ex p lo it c o d e ag ain st a re m o te ta rg e t m a c h in e . O th e r im p o rta n t su b p ro je c ts in c lu d e d ie O p c o d e D a ta b a se , sh ellco d e arcluv e, a n d secu rity research . M e ta sp lo it F ra m e w o rk is o n e o f th e m a in to o ls fo r e v ery p e n e tra tio n te st

s
‫ב‬ ‫ב‬ ca

Test yo u r k n o w le d g e

W e b e x e r c is e

W o r k b o o k r e v ie w

e n g a g e m e n t. T o b e a n e x p e rt etliical h a c k e r a n d p e n e tra tio n te ste r, y o u m u s t h a v e s o u n d u n d e rs ta n d in g o f ]M etasploit F ra m e w o rk , its v a rio u s m o d u le s, ex p lo its, J T T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 12 H a c k in g W e b se rv e rs p ay lo ad s, a n d c o m m a n d s 111 o rd e r to p e rf o rm a p e n te st o f a target.

L a b O b je c t iv e s
T h e o b je ctiv e o f tin s lab is to d e m o n s tra te ex p lo ita tio n o t JD K ta k e c o n tro l o t a ta rg e t m ac h in e . v u ln erab ilities to

L a b E n v ir o n m e n t
1 1 1 d iis lab , y o u n eed :

C E H Lab Manual Page 742

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

M e ta s p lo it lo c a te d a t D :\C E H -Tools\C E H v8 M o d u le 1 2 H a c k in g W e b se rv e rsY W e b se rv e r A tta c k T o o ls \M e ta s p lo it

Y o u c a n also d o w n lo a d th e la te st v e rs io n o t M e ta s p lo it F ra m e w o r k fro m d ie lin k h t t p : / A v w w .m eta sp lo 1 t . c o m / d o w n lo a d /

I t y o u d e c id e to d o w n lo a d th e l a t e s t v e rs io n , th e n sc re e n sh o ts s h o w n 111 th e lab m ig h t d itte r

■ ■ ■

A c o m p u te r ru n n in g W in d o w s S e r v e r 2 0 1 2 as h o s t m a c h in e W in d o w s 8 ru n n in g o n v irtu a l m a c h in e as ta rg e t m a c h in e A w e b b ro w se r a n d M ic ro so ft .N E T F ra m e w o rk 2.0 o r la te r in b o th h o s t a n d ta rg e t m a c h in e

j R E 7116 ru n n in g o n th e ta rg e t m a c h in e (re m o v e a n y o th e r v e rs io n o f jR E in stalled 111 d ie ta rg e t m a c h in e ).T h e |R E 7116 se tu p file (jre-7u6-w111dows1586.exe) is available a t D :\C E H -Tools\C E H v8 M o d u le 1 2 H a c k in g W e b s e r v e r s \W e b s e r v e r A tta c k T o o ls \M e ta s p lo it

Y o u c a n also d o w n lo a d th e T h e I R E 7116 s e tu p tile at h t t p : / A v w w .o ra c le .c o m /te c h n e tw o r k /ia v a /ja v a s e /d o w n lo a d s /ir e 7 d o w n lo a d s^ 163~ 5S S .htm l

D o u b le -c lic k m e ta s p lo it- la te s t- w in d o w s - in s ta lle r .e x e a n d fo llo w th e w iz a rd -d riv e n in sta lla tio n ste p s to install M e ta s p lo it F ra m e w o r k

T im e : 2 0 M in u te s

O v e r v ie w o f t h e L a b
T in s lab d e m o n s tra te s th e e x p lo it th a t tak es a d v a n ta g e o f tw o issu es 111 J D K 7: th e C la ssF in d e r a n d M e d io d F in d e r.fm d M e d io d (). B o th w e re n e w ly in tro d u c e d 111 J D K 7. C la ssF in d e r is a re p la c e m e n t to r c la s sF o rN a m e b a c k 111 J D K 6. I t allow s u n tr u s te d c o d e to o b ta in a re fe re n c e a n d h a v e access to a re s tric te d p ac k a g e in J D K 7, w h ic h can be u se d to a b u se s u n .a w t.S u n T o o lk it (a re s tric te d p ack ag e). W ith su n .a w t.S u n T o o lk it, w e ca n actually in v o k e getF ieldQ b y a b u sin g fin d M e th o d Q m S ta te m e n t.in v o k e ln te rn a lO (b u t getF ieldQ m u s t b e p u b lic , a n d th a t's n o t alw ays d ie case
111

JD K

6.

111 o rd e r

to

access

S ta te m e n ta c c 's

p riv a te

field,

m o d ify

*

t a s k

1

1. 2.

In stall M e ta s p lo it o n th e h o s t m a c h in e W in d o w s S e r v e r 2 0 1 2 . A fte r in stallatio n c o m p le te s , it w ill au to m atically o p e n in y o u r d e fa u lt w e b b ro w se r as s h o w n 111 th e fo llo w in g figure. C lick I U n d e r s ta n d t h e R is k s to c o n tin u e .

In s ta llin g M e ta s p lo it F ra m e w o r k

3.

C E H Lab Manual Page 743

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

J ! U‫׳‬ *rud«JC o n n e r l i o n rt t p s : • ’l o i a i t o s t .9 0

1♦ C ‫־‬ *I - G o o g l e

1-

-I‫* * ־‬

5 w

This Connection is Untrusted You h a v ea s k e dF i r e f o xt oc o n n e c ts e c u r e * ) ‫׳‬ t ol o c a BrosU7 9 0 .t j twe cantc o n f i r mt h a ty o u ! N o r m a l l y ,when yout i y t oc o n n e c ts e c u r e l y ,: i t r . wi p r e s e n tt r e s s e di d e n t i f i c a t i o nt cp r o v et h a ty cu a r eg o i n gt ot h en g h tp l a c e .H o » > e v e r .t h i ss i t e ' s■ d e r & t yc a ntbev e r r f s e d . What Should 1 Do? I f you u s u a l l yc o n n e c tt ot h i ss i t ew i t h o u tp roblem^f l v s« 0 ‫*״‬ec>d mu n t i v j tsomeone i s t r y i n gt o i m p e r s o n a t et h es i t eandyous h o u l d n ' tc o n t i n u e . [ Gel me o u l o f h e t e l Technical Details | 1Understand the Risks |

H ie exploit takes advantage of two issues in JD K 7: The ClassFinder and MethodFinder. findMethod( ). Both were newly introduced in JD K 7. ClassFinder is a replacement for classForName back in JD K

6.

FIG U RE 3.1: Metasploit Untrusted connection in web browser

4.
£

C lick A dd E x c e p tio n .

|+ 1
& h t t p s : • 1k > c * K x » t .V . ' * f ? ▼ C ‫(ן‬ JJ* G o o g l e

This Connection is Untrusted

It allows untrusted code to obtain a reference and have access to a restricted package in JD K 7, which can be used to abuse sun.awt.SunToolkit (a restricted package).

You h a v e• t k t d‫ז‬ ‫י‬ ‫ז‬ ‫י‬ / ‫ס‬ ‫ג‬t oc o n n o c t1 «1 u‫׳‬ « l >10 c o n n e c t i o ni ‫׳‬ >s * c 01« .

1 9 0 . tj t

* 1

c • ntc o n f i r m t h a ty o u t

N o rm a lly ,w ih rnyoutrytoe o n n e rtik u rrty t*e»w MpnwKtruftrd‫* י‬Menrep ro v eth a ty o u art g o in gtoth eu g h (p la 1«.Ilwrt, tlmt!t«1 itfrMj « ‫ י‬U «l
What Should I Do?

Ifyo uu su a llyco n n edtoth isS itew rth o i/ tp ‫׳‬o b k ‫׳‬n v . th r,moi to•Ji mun tK « tso m e o n entryin gto im p e rso n a teth ea te , an dyo ush o u ld n 'te o n tm u e .
| Gelmeoulolhetel Technical Details IUnderstand the Risks

I Add Excepaoi

FIG U R E 3.2: Metasploit Adding Exceptions

5.

111 th e A dd S e c u r ity E x c e p tio n w iz ard , click C o n firm S e c u r ity E x c e p tio n .

C E H Lab Manual Page 744

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

Add S e c u r i t yE x c e p t i o n
You are about to override how Firefox identifies this site. ! Server Location: I liR M M H B M M fe M I

1‫ *־‬I

Legitimate banks, stores, and other public sites will not ask you to do this.

With sun.awt.SunToolkit, we can actually invoke getFieldQ by abusing findMethod() in StatementiavokeIntemal0 (but getFieldO must be public, and that's not always die case in JD K 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.

Certificate Status This site attempts to identify itself with invalid information. Wrong Site Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

@ Permanently store this exception | Confirm Security Exception | Cancel

FIG U R E 3.3: Metasploit Add Security Exception

6.

O n d ie M e ta sp lo it — S e tu p a n d C o n fig u ra tio n L o g in scree n , e n te r te x t 111 d ie U s e rn a m e . P a s s w o r d , a n d P a s s w o r d c o n firm a tio n fields a n d click C r e a te A c c o u n t.

k- M Vti .

Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE , Firefox, Safari, Chrome; Windows, Ubuntu, OS X , Solaris, etc.

(Jlmetasploit

Password coafinrrtc••

Optional I n f o& S e t t i n g s
Em ail address orgaattillon I (QMT«00:00) UTC‫־‬

|Q C 10a t« Auwni

FIG U RE 3.4: Metasploit Creating an Account

7.

C lick G ET PROD UCT KEY 111 d ie M e ta s p lo it - A c tiv a te M e ta s p lo it w in d o w .

P r o d u c t K ey A c tiv a tio n

C E H Lab Manual Page 745

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

This Security Alert addresses security issues CYE-2012-4681 '(USC ERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

E n te r y o u r v a lid em ail a d d re ss 111 th e M e ta s p lo it C o m m u n ity o p tio n a n d click GO.

‫־‬F !
mv r e g a i e « t * s ? o t p p ^ p « ^ x J u c t _ k * y ‫־‬I k f > ‫׳‬ j t N » r n e BtLutName i S t L r n s i l A d d i e i ic « 0 1 g » ■ ‫׳‬

These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle serverbased software.

Choose between two FREE Metasploit Offers

( J ) metasploit
M etatplotl Prohetpt \+ am *! * ‫ גי‬IT p r0fe1 »10 nal• m*‫׳‬:«•»*> c‫♦*־‬ ‫ *־‬u t breatftet b yemaer*, corvoxanq broad tcope p enefcatio ntests pnottong «yin*‫־‬jD111t*1 .*no *nfyns C 0 0*0*1 tnc m itigat&r! M etasploit ComTun‫״‬v plus Snan ejpK M U bsn Password ijd*r; W e0appiisa!:‫ ר׳‬scam .-a Social eng»eerw»3 Tear*coH ab o»a*on R• po rting S Enterpnse-lew t su pp o rt • / • f J ‫'׳י‬ ‫'׳י‬

G Dmetasploit
~ com m unity
M ct.1r.p 10HCom m unityEd M io ntim plifiot n«ACfK «»< c‫׳‬/*r‫ ׳‬anovu lnerab ility vm ifkaaon far specific eiplolta Increasing Ihe effectiveness o fvulnerabilityscanners »ucnasNe®o*e‫־‬rortree

✓ FREE EDITION

OR

S

J S ■S ■ /

N etw orkdlscoveiy v u l n e r a b i l i t yscann9 rI m p o r t Ba s i ce x p l o i t a t i o n M od ule firovw ef

Lnterem ail address: ___________ < ggm ail.com ||| Go 1

1»u«s «‫ י«י‬Vas pass0 Piease em ail infoQ rapid7 c <

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

FIG U R E 3.6: Metasploit Community version for License Key

9.

N o w lo g in to y o u r em ail a d d re ss a n d c o p y d ie licen se key as s h o w n 111 d ie fo llo w in g figure.

C E H Lab Manual Page 746

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

Your Metasploit Community Edition Product Key
Bates, Ariana anana_bates@raptd7 com vis bounces netsuite com
6:27 P M (0 minutes ago)

‫ם! ק‬

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages tins vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

to me ■ ‫׳‬

■ r Rap1d7

Metasploit Product Key

WNMW-J8KJ-X3TW-RN68

Thank you for choosing Rapid7® Metasploit® Community Edition Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose -for free Your license is valid for one year and expires on 11/15/2013 When your license runs out, you can simply apply for a new license using the same registration mechanism.____________________________

FIG U RE 3.7: Metasploit License Key in you! email ID provided

10. P a ste d ie p r o d u c t k ey a n d click N e x t to c o n tin u e .
Due to die severity of these vulnerabilities, die public disclosure of teclinical details and die reported exploitation of CVE-20124681 "in die wild," Oracle strongly recommends diat customers apply die updates provided by this Security Alert as soon as possible.
M e t a s p f o i tP r o d u c tK e r

t_ _ « l x ‫ד‬
.‫־‬1• ‫־־־־‬,1 ‫־‬

‫־‬ ‫־‬ fc

«a!>0 1ttria li< e y ,i^ » ?p r0d u rt= a1m u rn P !»th U R l=h rtp !% 3 A % 2 F% 2 fIo calh o «T ‫׳‬L 3 A T ?9 (W L 2 F s e t1 jp 3 L i> » rtv a l< :A ‫׳‬ \ «*»e *w t;

p*

c-

(J)metasploit
4 More Steps To Get Started 1 .Copy t h e ProductKey from theemail we j u s tsent yo u .
2 Paste the Product Key here: [WM.nv jskj x3tw r n 68T 3 .Click Next on this page 4 .Then dick Activate License on the next page

The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing dieir own penetration testing tools. It's a promise.

FIG U R E 3.8: Metasploit Activating using License Key

11. C lick A c tiv a te L ic e n s e to a ctiv ate d ie M e ta sp lo it license.

C E H Lab Manual Page 747

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

I. , n r ,
f A ■ • .» (.. to ceh o afc- SC!*.. ,■ A ■ .* . .,'p.oc..:>cy W NM W-.0 < lX 3T W -RN 68& S«ib m H' C • ‘I (‫?־־״‬I.

(J)m etasploit'
H ie Metasploit Framework will always be free and open source. Tlie Metasploit Project and Rapid7 are fully committed to supporting and growing die Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.
Activate Your Metasploit License
1 . Get Your Product Key Chooseme p r o f l u c lt h a t b e s tntedsj < w rr » e e d sM e t a s p i o i lP r oo rt h ef r e eM e t a s p l o i tCommunityE d i t i o n‫ז‬ ‫ז‬ y ou3 i r e a 0 >r a * ta commgn^ tfalorMil i c e n s ep r o d u c tk e /»oucansupt h i ss l e p

2 . Enter ProductKey You've Received by Email

P a s te■ n th ep ro d u c tf c e j‫־‬ t* a lw a ss e n tto fte« ‫<יז־‬ J ‫<׳‬ ‫־‬ ss/ ure g is te r e d « v ‫ו‬a n dd ic kth eA C TW T EL IC E N S EO u H o ‫״‬

13 9 0

1

| w 1 W W J 6 t U X 3 T W R N 6 8
DU s •a nH T T PP ra t*tore a c t!r»

FIG U RE 3.9: Metasploit Activation Tlie Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linus designed for testing security tools and demonstrating common vulnerabilities. Version 2 of diis virtual machine is available for download from Soiuceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and odier common virtualization platforms.

12. T lie A c tiv a tio n S u c c e s s f u l w in d o w ap p ears.
1^
A hips/ lot*t> ost. 90

' ' 7‫ י‬C ‫)ן‬

‫ ־‬Google

P

#

E ~I

I
1

, m i 1 1 i^ ic - io p iw i 1 community H om e Protect* & H«e H fw * Panel

II

1 1

| ^

Activation Successful
J

^aeto^ofen

0
0

%rsr^t

Q ut* *ojrct

Starch

1 / Product Mr*‫*׳‬
Abating Window* Kemot• Management (WinUM) with Metasploit

thow ‫— י‬ y ,1 ml 0 I □ (to lau r S T vo w m g1 to1of 1 t«n n 0 0 » y » 1 6 m 0 ?0m ‫׳‬ ■ jhM• 90 Fm h I Pi«.vk«j» 1

*•«!

laM

I cnem gnt.il D erb,con Mu&lianill *leredlacuaaingvariouiledvvquMof mass crw nage W hen M u b ci to ldm e about theW inRMservice 1w ondered ■ W h ji d o n'twe nav• an yM ateap toitm odui•* ro rthia Fxploit Trends: Top to Searches for MotAsploit Module* in October T 1r»e to rrow m cnthl/dose 01 M etasploite»p lo !t (renas* Each m o n thw e jarfh erns 11st err* m ost searched eaioit ana a u x ilia ry m odules fro mtns M etaspor. e‫ ידי‬aa*e T op ro tect usersprivacyt.. Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit. and More! W inRMEx p lo itLibrary Form e lastcoupleweeks M etasplolt coreoanV i& iJto iD a‫־‬ .*d © iTieugWCosin8M alone/has & «en living in toM icrosoffsWinRMservices w fln $m u:«x and@ _sm n3r. UnO lttiese.. Weekly Metasploit Update: Microsoft Windows and SQL. TurboFTP. end M ore? *ccSecUSA20l2Lastweekwas AppSecUSA2012here m A ustin. ivtiid‫ ־‬m at‫׳‬ exstair‫וזז‬scunous aosenceofaweeKtrMetaspioitupoateDioapost Tn*n«grfis o f A ppjec fo rm e, !w e re p nno p articular

‫ן‬

IU-... ...

FIG U R E 3.10: Metasploit Activation Successful

as T A S K

3
e

13. G o to A d m in is tra tio n a n d click S o f tw a r e U p d a te s .
• • • X •*| - G oogle A dm inhtinlio nT^ | softw are upaates Softw are ucense 1 a ” a3- » P it D•

U p d a tin g M e ta s p lo it

(‫)״‬m etasploit
community1 Project* H om e

‫ו‬
1 & H id eb«w* Pan«1 1

FIG U R E 3.11: Metasploit Updating Software

14. C lick C h e c k f o r U p d a te s , a n d a fte r c h e c k in g d ie u p d a te s , click In s ta ll.

C E H Lab Manual Page 748

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

M odule 12 - H ackin g W e b servers

By default, Metasploitable's network interfaces are bound to die N A T and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at die link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network)

FIG U R E 3.12: Metasploit Checking for Updates

15. A fte r c o m p le tin g th e u p d a te s it w ill a sk y o u to re sta rt, so click R e s ta r t.

This document outlines many of the security flaws in die Metasploitable 2 image. Currendy missing is documentation on the web server and web application flaws as well as vulnerabilities diat allow a local user to escalate to root privileges. This document will continue to expand over time as many of die less obvious flaws widi diis platform are detailed.

16. W a it u n til M e ta sp lo it restarts.

C E H Lab Manual Page 749

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

1^ A I'tlpiJ'locaVrat. ■w x • I- G e o g l ,

■‫יי־׳וי‬ c-

fi\ ft

TCP ports 512, 513, arid 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of diis, make sure the "rsh-client" client is installed (on Ubuntu), and run die following command as your local root user. If you are prompted for an SSH key, this means die rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.

I fyou've just finished i n s t a l l i n g Metasploit. the application w i l l now take up to 5 minutes to i n i t i a l i z e . ir* normal please b« patient and have a c o f f e e . . . ‫ו‬ ‫ז‬you nave already been usingtne p r o d u c t , *is message may p o i n tt o a bog i nthe a p p l i c a t i o n and r e q u i r ethe M e t a s p l o i t s e r v ices tobe r e s t a r t e dto resume lunctocaity I fthe problem p e r s i s t s you may want toconsul the Mowing r esources. • Metasploit Community Edition users: Pease v t o lt r i e R*pid7 Security street forum• toseaxnf o ra n s w e r sor po s t a question • Metasploit t r i a l users: Please contactyour Rap«f7 sales rep r e s e n t a t i v eore t n a i ■1fnqrjwd7.com • Metasploit users with a support contract: Ptcasc v i s i t t he Rapld7 Customer Canter t of B ca supportease o r *man suPD0rtgraD1d7.c0m

Retrying your request I n 5 seconds . .

FIG U R E 3.14: Metasploit Restarts

17. A fte r c o m p le tio n o f re s ta rt it w ill re d ire c t to M e ta s p lo it - H o m e. N o w click C r e a te N e w P r o je c t fro m d ie P r o je c t d ro p - d o w n list. C re a tin g a N e w M e ta s p lo it P r o je c t
• * ‫־‬ M e t a s p K x t-P r o j e c t s

‫זזד‬
..‫״‬-■TP
:• m tN e w P r o je c t
yM k l eN t t v v aPmw( 1 S t ' o v *U l P10j » c t s

© m etasploit
community I act o* ■ o j r n Mo , Q m niict j Search s

4 Pro d u c tMews Abusing Window* Remote Management (WlnRM) with M e t a s p l o i t

1

■ Show 1 0 V • M i l l M l «Q lame u < '‫״‬-1 Showing1K>1 o f

Horn : ‫נ‬

A c t r v cs e s s i o n s

t a s k s owner Memoera o • y s t a m 0

Upared w oescnpoo • b e u t1how a g o Pnmam I ■wt l»i

lato onenight 3 1O artiyco n .M u b txandl w oto dtsaisslngvarious techniques o r mass wm aoe WhenMutmtoldmea&outtheWinRMseivice.iwonoeiea ■ W h » a ortwe hM a nyM e t aseon m odulestorm is... E x p l o i tT r e n d s : Top 10 Searches l o r Me t a s p l o i t Modules i nOctober Tim •teryo ur m onthsdose o fM etasploit e x p lo ittrends! Each m ow nwe 0a V > ertn 1s tstortne m ost searches e x p lo itand aux iliarym odules iromtneM etasploit dataoase Toprotedusers' prtacy, 1 . . Weekly M e t a s ploit Update: WinRM PartOne, E x p l o i t i n g Metasploit and More! •V inR UE«ploit LibraryFor theI3sl couplew eeks. M etasploit core co n trib u to rD avid gTheLicficCcsm eM aloneyh3s D eend r«in oin to M icro so ft'sW m RMserw:es w ith grm icor and @ _s1nn3r U n til these... Weekly Me t a s p l o i t Update: Miaosoft Windows and SQL, TurboFTP, and Mote! *ppSecOSA2012 Last w eekwas AppSecUSA2012here InA ustin , *filch ro a* ex p lain•re curious absence o f aweeklyM etasploit U pdate bloe poslThe tal j H so f *wsecfcrme. were (mnop articu la r... Weekly Me t a s p l o i t Update: Reasonnble d i s c l o s u r e . PHP FXF wrappers, and moie!

This is about as easy as it gets. The nest service we should look at is die Network File System (NFS). N FS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below using rpcinfo to identify N FS and showmount -e to determine diat die "/" share (the root of die file system) is being exported.

FIG U RE 3.15: Metasploit Creating a New Project

18. 111 P r o je c t S e ttin g s , p ro v id e th e P r o je c t N a m e a n d e n te r a D e s c rip tio n , leave th e N e tw o rk R a n g e set to its d efau lt, a n d click C r e a te P ro je c t.

C E H Lab Manual Page 750

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

‫־‬ n
^ A ‫־‬, .Ip. lo calho it. V. a.

I. , n r ,

(‫]״‬m etasploit
▼ community1

SB

3 & ar

H ie Metasploit Framework is a penetration testing system and development platform diat you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. Tire basic function of die Metasploit Framework is a module launcher diat allows die user to configure an exploit module and launch the exploit against a target svstem.
I ^

Protect nam e* D escription

‫׳‬ aExploit | The e x p l o i ttakes advantage oft i r oiss u e si nJDK 7 The ClassFinder and MethodFinder nndMemod() Botn were newly introduced i nJOK 7 dassFinder i sa replacement f o rc i a s s F . i x N f l r n gback i nJQg 6 R alows untnisted code t ooOtam a reference ana nave access t oa r e s t r i c t e d oa:o?e rJ O K7.‫׳‬ a m e ncan oe used to aDuse suna^-SuoJoolKit (a r esrcled package) / / ! ® ‫ו‬sun ^SunTwiwt we can a c t u a l l yinvoke

Networ*r a n g e

Q RvttiKt tonetworkrange

•*? R A P I D 7

FIG U R E 3.16: Metasploit Project Settings

19. C lick d ie M o d u le s ta b a fte r d ie p ro je c t is created .
W fl»5f40T Ah f c l p s / lot»t> ost. SC . ■ |+™ £? ▼ C | ?§ ‫ ־‬G oogle £ P r o t e c t Javatx_ * ‫ ־‬Account Jason e f iA d m i n i s t r a t i o nr rt community fi # C ' 1 ^ I *1 * ‫י‬

1 (Um etasploit
I community |4kOvervle«v 4 * ‫י‬Analysis 1 H o rn • Java Lx p to it 0itwnr Sessions Campaigns * • Wt*b Apps |«& » Modules |

j> H e l p

lags

Q) Reports

JZ 1 ■1

J ” Overvtew.ProperJavaT ipto■ Discovery 01 1 0 4 1 3dt*C O M fC 4 0 services dctaclod 0vum eraDM M t *•utm ed Penetration • MMlOHCpNtd 0 pHtimilt cracked 0 SMB Msr »s ttotee 0 SSHk*r* stu k a Q fiplat

1

"

^ Scan-

aw p nrt— j * ■a^mm— ,

0 « j t r t o > c c

Evidence Collection I 0 data friesacqaned

Cleanup OctoHdMssoas

iai C oeect... 1 Recent Event*

Cleanep-

----------------------------------------------------------

FIG U R E 3.17: Metasploit Modules Tab

«

TASK

5

20. E n te r CVE ID (2012-4681) in S e a r c h M o d u le s a n d click E n te r.

R u n n in g t h e E x p lo it

C E H Lab Manual Page 751

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

,'MrtMf** M odu»« ^ A h t t p s t o o l b o i t .V - a .ii ? » c c v _ ' ‫׳‬o d u * e 5

‫־‬F I
C *!I C009l«

'‫־‬ H V
* ‫ י‬Web Apps « i> ‫ ׳‬Modules Tags r, Reports ~ Tasks

Metasploit P 1‫־‬ o contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality diat die Metasploit Framework provides and enables you to perform multiple tasks simultaneously.

(‫]״‬m etasploit
▼ community1 ft Overview Analysis Sessions ■ ,} Campaigns

Search Modules

2012-4681

M o d u le Sta tisticsshow Se a rchK eyw o rd s sh o w
Found 10 m atchingm odules M oduleType A uw iery 1 AiMlffy Srv»r Expbi 1 1 U»Ot serverIKPW S»rv*‫׳‬fnpW S*‫ ׳•«׳‬Use* 1 S*‫׳‬v•‫ ׳‬L> 1W I Ctnt Up** Ser^rfKpM O S ra ra * A ‫י״‬ *M i A “ ‫ ייי‬A *• w ‫—ן‬ ♦ m tm Ckafipaae?0‫ ג זו‬localm em clisonvunerawty W M W fee*fln«S4cuty4lfln 69er 550r# cto ‫׳‬y T rave rsa l »wn1C ‫־‬gmS«wty Uanaer‫־‬Plu s5 .5b u iM "05 SQ LIn je c tio n iVndew s Lssalal* Serve•Prm *s«jns Lo ca l PnvitgeEtcalato n < * ■ • (» ei ncr **•rary > * •u p n adVurem boy >c1ta p H • .-RvM M iar ;!IC CBam X •C o d •> 4• clto n TirtoHP $ « 0 2 3 3 0‫־׳‬.«‫ד ׳‬PO R TO vrltow cro*yA<)n T 31 Z2 M ‫« ״‬r_»ync p 1‫׳‬e D a cW o o r «*SI2O C 3lftcrg »o nMrnet U w oc•! **ecC o n tn aiH JU w A lto r-fr• •V g tn w ab M y Ah l*M Q a taiK cr(tttxf C o m m n Sf»ee u h o n D Hdooiie O u t• Z-***rZS. Z 3 \ 2 zrm»r-9.zv12 :: M r ‫•־‬.2012 2.*tor ,i. 2012 0e «*^».‫־‬01‫־‬ OcMar t. 2 0 1 2 C;•*•‫׳‬3 .2 0 1 2 Swfc• 2 5 .2 0 1 2 ‫■־‬ ‫״‬ • * * • '‫*־‬ ‫»'•י‬.2012 1 4 .2012 2012 *m <« < <* ★ ★★★★ KMT mm MfiU » ‫יי‬ ?IMS M odule Ran klo o ★★ 5 6 1 3 6 0SVD6 0 6 7 2 • 8 6 5 6 3 ED S zztei 220» 2 2 9 0 4

• . ? . *RAPID7

A project is die logical component diat provides die intelligent defaults, penetration testing workflow, and modulespecific guidance dating the penetration test.

FIG U R E 3.18: Metasploit Searching forJava Exploit

21. C lick d ie J a v a 7 A p p le t R e m o te C o d e E x e c u tio n 1111k.
■ * ‫־‬M e ta sp lo it-McdM
^ A httpi. Iotat> ost. S C .v.-tepscev-'r-odule

c >1

( 1 ‫־‬

(‫]״‬m etasploit
Y community ft Overview n Analysis Sessions ‫־‬ ,/ Campaigns #‫ י‬Web Apps *y Modules Tags ^ Hcpoiu


^ Tasks

S t id ‫־‬

Search Modules

201? 4081 M odule Statutes show Searrh trywrrds s i

WirJuk Typv C lint ‫ «׳‬AodKR a rro l•C o « l« r!*• C u tb O7

B ID

O SVD B

C 0 6

B 4 B 6 T

•'.'RAPID7

111 addition to the
capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, custom reporting, combined widi an advanced penetration testing workflow.

FIG U R E 3.19: MetasploitJava 7 Applet Remote Code Execution Exploit found

22. C o n fig u re d ie ex p lo it settings: a. 111 P a y lo a d O p tio n s set d ie C o n n e c tio n T y p e as R e v e r s e a n d 111 L is te n e r H o s t ,e n te r d ie IP a d d re ss w h e re M e ta sp lo it is ru n n in g . b. 111 M o d u le O p tio n s , e n te r d ie SR V H o s t I P ad d re ss w h e re M e ta sp lo it is ru n n in g . E n te r d ie URI P a th (in d iis la b w e are u sin g greetin g s) a n d click R un M od u le.

c.

C E H Lab Manual Page 752

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

^ T I j

A ‫•׳‬ It ‫״‬ , !onlhoit -V -a j iipo.c, 2A*i‘~ k James forsnaw |duck< Jduckgrnetasp*o«c£im » slnnV 'enn3/^m et3sp*0* 0 & *n > iuan .aiquei <)uanva:que:@m Masp:s!::c‫״‬r‫־‬ o/e SoJa‫״‬ rjetll

C

(‫״‬ ‫־‬ ‫־‬ ?I.

m m r n m
3

IPv6 is die latest version of die Internet Protocol designed by die Internet Engineering Task Force to replace die current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

The m o dule is (*signedtoruninthob acK gro und . ox p lo ib n gdiemsj‫׳‬sterns 3sin•ycomod. h ■ wc3s«0 1«‫«׳‬Cbrow ser e x p lo its, :•?as‫ ־‬setne U R 1 PA T HocoonD elowityouwantio co ntrol w hichURL is usecio nos»t> 6eg** T ‫־‬s srvport co«or can & eused » cf!a n < ;em e I3tenng per inm e case o t passve u8M ym odules(auxaary) m e moaae caput‫ ואו‬se *31ae iromne T asiclog alter vw m o iSu tehas t»«n started Target Sefltogs I Generic (Java Payload) v|

s*yb »a1 V p•

Interpreter

v|

C o n n o c flo oT yp • |Reverse vj

LttonwPwH |1aW -€6S3S UllOMrHMl 11Q001Q

j

T h •bcil p o rtto!• to no n . Ip o't) N «gM «w5 5 11 0 rneiynrj eonnectan*(M et) P a '.hto* cu clo mSSL c o rtlfcirtolO o fo al I* tnO e 5 © o c ‫׳‬V th ovo rw o n0< SSL th e )• h o o k ) toM od T h oU RItou o oto rttu »o x p to t1 3 0'ajt * im M AdvancedO p t i o n sshow ivaMoa opooas snow a SS.2 SSO USIX

1 o
FIG U R E 3.20: Metasploit Running Module

23. T h e ta sk is s ta rte d as s h o w n 111 th e fo llo w in g sc re e n sh o t.
^ A hd p i. Io t*t> o s t - X v.i390con-le•-

c ■ ’ §

( 1 ‫־‬

(‫]״‬m etasploit
community

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for die target hosts. For modules, Metasploit Pro provides several payloads diat provide IPv6 support for Windows x86, Linux x86, BSD x86, PH P, and cmd.

f tOverview

ga A n a l y s i s in ti

[_ SmioM Imk

. /Campaigns

* ■ Web Apps

V Module*

lags

3 Reports

~ Tasks Q

m Upton

5U‫׳‬to < J2 3 1 2 IMS 1 40 1S 3LT C

FIG U R E 3.21: Metasploit Task Started

24. N o w sw itch to W in d o w s 8 V irtu a l M acliu ie, la u n c h d ie C h ro m e b ro w se r a n d e n te r h t t p : / / 10.0.0 .1 0 :8 0 8 0 /g re e tin g s in d ie a d d re ss b a r a n d p re ss E n te r. 25. C lick d ie R un t h i s ti m e fo r Ja v a (T M ) w a s b lo c k e d b e c a u s e it is o u t o f d a t e p r o m p t 111 d ie C h ro m e b ro w se r.

C E H Lab Manual Page 753

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

F i l e A c t i o n Medi« Clpboard View Hdp

‫י‬

"

Window*; 8 on WIN‫?־‬N9ST0SG!FN * Virtual Machine Connprtion

‫׳‬j

O (. ® O

II I► >3 i>

«‫ ־‬-* C □ 1 0 Q 0 .1 0 t8 0 8 0 /g reetin g s/
i f JavafTM) was blockec because it is out of date Update plug-in... Run this time

Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIG U R E 3.22: Windows 8 Virtual Machine — Running die Exploit

26. N o w sw itch to y o u r W in d o w s S e rv e r 2 0 1 2 h o s t m ac liin e a n d c h e c k d ie M e ta sp lo it ta sk p a n e . M e ta sp lo it w ill sta rt c a p tu rin g d ie re v e rse c o n n e c tio n fro m d ie ta rg e t m acliin e.
^ Ah ti|> K / / 'lo C * i» c « ti7 9 Q p '1 * o » i3 p « c c v £ t» W
^7

▼C1

1

G o o g le

G D m etasploit' community1
b Overview Analysis .‫ ־‬Sessions Campaigns *‫ ־‬Web Apps Modules lags _j Reports i _ Tasks 0

Project Management A Metasploit Pro project contains die penetration test diat you want to nm. A project defines die target systems, network boundaries, modules, and web campaigns diat you want to include in die penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems. FIG U R E 3.23: Metasploit Capturing die reverse connection of targeted macliine

27. C lick d ie S e s s i o n s ta b to v ie w d ie c a p tu re d c o n n e c tio n o f d ie ta rg e t m acliin e.

C E H Lab Manual Page 754

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

User Management Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from tire Administration menu.

FIG U R E 3.24: Metasploit Session tab

28. C lick d ie c a p tu re d se ssio n to v ie w d ie in f o rm a tio n o f a ta rg e t m a c h in e as s h o w n 111 d ie fo llo w in g sc re e n sh o t.
‫ ן‬- ‫י‬a ‫ ״‬x ‫י‬ A .Ip i;• loiaNmt. '!C 1‫ ׳‬r, e oogle •1 ‫ ־‬G ____ p { • ‫ם‬-

G D m etasploit
community Overview M o rn * M Aiiolyv) I ~ Sessions Q ttiinni ^ Cufiipulgns V f>Web Ap|n V Modules lags £, Reports £1 Tasks Q Java Ixptvt

ttCoM

(J C M a fw p

Active Sessions
O S M o a t ‫׳‬-W ndew ad

| *SCMM 1 Closed Sessions

J #012 100

Type M e tw p re te r

Age

4 mm

0vet1«(kj1 1 *• *■ ‫ר‬Q .v‫׳‬ v * m s e

A ttack M o d u lo + JAW_JRE17JLXEC

Global Settings Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to die diagnostic console through a web browser. Additionally, from global settings, you can create A P I keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.

1 Ueissploit C om m une? 4 .4 .0-U & dato2 0 1 2 103 10 1

© 20 1 0 -2 0 1 2R 8 p itf7 Inc.B 0 3 K *U *

RAPID7

FIG U R E 3.25: Metasploit Captured Session of a Target Machine

29. Y o u c a n v ie w d ie in f o rm a tio n o f th e ta rg e t m a ch in e .

C E H Lab Manual Page 755

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

System Management As ail administrator, you can update die license key and perform software updates. You can access die system management tools from the Administration menu.

FIG U R E 3.26: Metasploit Target Machine System information Host Scan A host scan identifies vulnerable systems within die target network range diat you define. When you perform a scan, Metasploit Pro provides information about die services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. T o access d ie tiles o f d ie ta rg e t sy stem , click A c c e s s F ile s y s te m .
I S e s a c 1‫״‬
c >1 ( 1 ‫־‬

(‫]״‬m etasploit
^ Y r community \ Overview ^Anilyib I ~ StwtoM Q ',/Campaigns ■ * ‫־‬Web Apps V I

Session 1 on 10.0.0.12

& 4 1 « a k > n T y in i ‫׳‬ n a t a ip i < p e j— 3 > 1 — * * ‫*י‬ 'O '*
I n f o im a l l o n *1‫י‬ ‫י‬ »O

A tta c kM o d u lo
Available Actions

(■ ‫ג‬C o lle ct System

. Cooa JrstKr evidence ana sensitivedaii iscreenshois, passw ords. s> »temirtform M on) o a r s eV i erem o t e« i e 3 y 3 t e mandu p l o a d ,d o w n l o a d ,and O e l e t eH i e s . u*ef»ct1u*\ a rem cte com m and sn«ll onm e tarcet !advanced users)

‫ ״‬C1«M Piory P‫»׳‬o t

. Ptolatacts usirtgV ie rem otehost as a gatew ay(TCPAJDP) i Close V bs session. Furm srm teracaonieijuires ex p lo itatio n

e2 0 1 0 2 0 1 2R 3 p i d 7I n cB e ‫׳‬

•VRAPID7

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles diat you can use to customize attacks for a specific environment. If you have a list of credentials diat you want to use, you can import the credentials into the system.

FIG U R E 3.27: Metasploit Accessing Filesystem of a Target Machine

31. Y o u c a n v iew a n d m o d ify d ie files fro m d ie ta rg e t m acliin e.

C E H Lab Manual Page 756

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

If a bruteforce is successful, Metasploit Pro opens a session on die target system. You can take control of die session dirough a command shell or Meterpreter session. If there is an open session, you can collect system data, access die remote file system, pivot attacks and traffic, and run postexploitation modules.

PA , 't t p it o c d h o i t .%m » • . '1, t io 'p t f h i V i r i d a v n S a l S p M C t i S y » W 0 W 6 4 U S y s t e m L » S y 8 t e m 3 2 L * X 4 P 1 L‫־‬ & « l s t *T e n © o a s C a l a L iV « L _ G m W m S l o t * A t a S * S {• * I n s Ia s s s a t c h > ■ ■ « ■ » [■ • M T S L i ,• C h M N M _• • c u ty L * * • ‫׳‬ V W 9 _f r a o n g Q b l w a x . f i 9 0 C 7 D 9 1 2 B E 2 3 I 4 ly t ‫־‬O K M a t a l b * □ M M p f W e x e 'L U W H P f R O b * P r e f M v r n a l* 1 ‫י‬ c a r t e r

M rtK ffc it fik

1M01?

» 1 7 2 0 1 4 a 6 7 1 8 ‫נ‬ 1 ‫ג‬ 2 9 j i s e b

2 0 1 2 4 5 1 9 0 9 3 3 4 0 U T C 2 0 1 2 1 1 1 5 1 3 5 8 5 2 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 1 1 1 5 1 3 5 6 5 2 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 0 9 1 8 0 9 2 7 2 1 U T C 2 0 1 2 1 1 1 5 1 4 . 1 3 . 5 0 U T C 2 0 1 2 0 5 1 9 0 9 3 3 . 5 7 U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 0 U T C 2 0 1 2 0 5 1 9 O f t 3 3 . < 1 U T C 2 0 1 2 0 9 1 2 1 1 3 5 2 9 U T C 2 0 1 2 1 1 1 5 1 4 f t S 1 7 U T C 2 0 1 2 0 5 1 9 0 9 3 3 * 5 U T C 2 0 1 2 0 5 1 9 0 9 3 0 S 1 U T C 2 0 1 2 1 0 0 9 0 7 0 3 5 1 B T C 2 0 1 2 0 9 1 0 0 9 5 6 5 0 U T C 2 0 1 2 0 5 1 9 O f t 3 3 4 0 U T C 2 0 1 2 0 5 1 9 0 9 0 9 2 'U T C 2 0 1 2 0 5 1 9 0 9 3 3 4 1 U T C 2 0 1 2 0 5 1 9 0 9 1 1 5 4 U T C 2 0 1 2 0 5 1 9 0 9 0 9 2 0 U T C 2 0 1 2 4 5 . 1 9 0 9 3 3 4 1 U T C 2 0 1 2 4 1 5 . 1 9 0 • 3 3 5 1 U T C 2 0 1 2 . 1 0 4 4 1 1 1 4 ® U T C 2 0 1 2 0 9 . 1 2 H f i l 2 U T C 2 0 1 2 4 5 . 1 9 U 1 7 3 1 B T C ? 0 0 « 4 4 ‫ו‬ ‫ז‬ . ‫נ‬ 0 ‫מ‬ a s u t c 2 O 1 2 1 0 1 S 0 S M M U T C I* 0 1 2 4 I S 1 8 2 1 4 6 V U T C

C‫־‬ • f*G 0 0 9 I.

p ft

'‫־‬

i

a (iS T O R E i1 | l• 0 £ l £ T I.1 | (.S T O R E 1 > | (> O f L t T f.) < .S T O R E ;> | { ■ D E L E T E .) (.S T O R E I ) |(. O E L E T E .) (.S T O R E 1 ) 1 (• D E L E T E • ) (.S T O R E i) 1 (. D E L E T E .)

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and postexploitation modules. You can run automated exploits or manual exploits.

J

FIG U RE 3.28: Metasploit Modifying Filesystem of a Target Macliine

32. Y o u c a n also la u n c h a c o m m a n d shell o f d ie ta rg e t m a c h in e b y clicking C o m m a n d S h e ll fro m se ssio n s capU ired.

Automated exploitation uses die minimum reliability option to determine the set of exploits to run against die target systems. You cannot select die modules or define evasion options diat Metasploit Pro uses.

FIG U RE 3.29: Metasploit Launching Command Shell of Target Macliine

33. T o v iew d ie sy stem IP a d d re ss a n d o d ie r in f o rm a tio n d iro u g h d ie c o m m a n d shell 111 M e ta sp lo it, ty p e ip c o n fig Iall a n d p ress E n te r.

C E H Lab Manual Page 757

Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

Manual exploitation provides granular control over die exploits diat you ran against die target systems. You run one exploit at a time, and you can choose die modules and evasion options diat you want to use.

F IG U R E 3.30: Metasploit IP C O N F IG command for Target Machine

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target emails, and email template.

34. The following screenshot shows die IP address and other details of your target machine.
‫־‬F !
!<■ a • • Ip * . U**

l -‫ ־־‬n

«U12 - KM M iniport (Vwtwork. Monitor)

k»m : « U 1 3 H iero so rc K a rrw ti H a rd w a re K M 0 0 :0 0 :0 0 :0 0 :0 4 :0 0:‫־‬ M T U :« 2 » 4 » « ?2 » ‫צ‬

n e tw o rk A rt.ip to r

In terface 13

N a w >
Meterpretcr >|

!n et« -Hteroiort IS A T A PA d a p te r

WebScan spiders web pages and applications for active content and forms. I f the WebScan identifies active content, you can audit die content for vulnerabilities, and dien exploit die vulnerabilities after Metasploit Pro discovers diem.

F IG U R E 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

35. Click die Go b a c k command shell.

o n e p age

button in Metasploit browser to exit die

C E H Lab Manual Page 758

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

A task chain is a series o f tasks that you can automate to follow a specific schedule. The Metasploit W eb U I provides an interface that you can use to set up a task chain and an interactive clock and calendar diat you can use to define die schedule.

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types o f standard reports diat range from high level, general overviews to detailed report findings. You can generate a report in PD F, W ord, X M L , and H T M L.

F IG U R E 3.32: Metasploit closing command shell

F IG U R E 3.33: Metasploit Terminating Session You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SM B hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

37. It will display Session
Logout.

K illed.

Now from die A c c o u n t drop-down list, select
’7'8‫ח‬, ‫י‬ JJj AA c c o u n tJ a s o n▼
j U s e rS e ttin g s T -J L o g o u t

I* ©metasploit r community1
f cO v e rv ie w

r tAnalysis

~S e s s io n s

C a m p a ig n s

W e bA p p s

t yM o d u le s

la g s

□ IR e p o r ts

Session killed

Active Sessions Closed Sessions A t t a c kM o d u le ♦JA V A _ ^ N £ V _ E X IC

E 5 C M W 1 1

&

•#*0 t Z -.V r x w w » 8

w c t e r p r e t e f

« l1 2 tM S 1 40 e » U T C

A t f n e0 1 V n < lo w » p

u M ta m ia iH
F IG U R E 3.34: Metasploit Session Killed and Logging out

C E H Lab Manual Page 759

Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.

M odule 12 - H ackin g W e b servers

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion 011 your target’s secuntv posture and exposure.

PLE A SE

TA LK

TO

Y O U R IN S T R U C T O R IF YO U R E L A T E D TO T H IS LAB.

H A V E

Q U E ST IO N S

Tool/U tility

Information Collected/Objectives Achieved Output: Interface Infomation ■ Name: etl14-M1crosoft Hyepr-v Network Adapter ‫ י‬Hardware MAC: 00:00:00:00:00:00 ■ MTU: 1500 ■ IPv4 Address: 10.0.0.12 ■ IPv6 Netmask: 255.255.255.0 ■ IPv6 Address: fe80::b9ea:d011:3e0e:lb7 ■ IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::

Metasploit Framework

Question
1 . How would you create an initial user account from a remote system? 2. Describe one 01‫־‬more vulnerabilities that Metasploit can exploit.

Internet Connection Required □ Yes Platform Supported 0 Classroom 0 !Labs 0 No

C E H Lab Manual Page 760

Ethical Hacking and Countermeasures Copyright © by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.