Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more.
Footprint web servers
Crack remote passwords
Lab Environment
To carry out this, you need:
A computer running Windows Server 2012 as Host machine
A computer running Windows Server 2008, Windows 8 and Windows 7 as a Virtual Machine
A web browser with Internet access
Administrative privileges to run tools
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Duration
Time: 40 Minutes
Lab Tasks
Overview
Recommended labs to demonstrate web server hacking:
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
Use the httprecon tool
Get a webserver footprint
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
Lab Environment
To carry out the lab, you need:
httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
Lab Duration
Time: 10 Minutes
Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is highly accurate identification of given httpd implementations.
httprecon is distributed as a ZIP file containing the binary and fingerprint databases.
GET long request result:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34
FIGURE 1.3: The fingerprint and GET long request result of the entered website
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Questions
1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.
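As an added example (not code from the lab manual or from the httprecon project), the following Python contrasts classic banner grabbing with an httprecon-style fingerprint built from several response traits, run on a constructed copy of the Figure 1.3 response. The fingerprint profiles are made up for the example; the point for a defender is that rewriting the Server banner alone does not change which profile matches.

```python
# Added example, not code from the lab manual or the httprecon project.
# Constructed sample: the 400 reply from Figure 1.3 with a Server header
# added so that banner grabbing has something to read.
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Length: 34\r\n"
    "\r\n<html><body>Bad Request</body></html>"
)

# Constructed profiles for this example, not httprecon's real signature
# database; note that no trait is the Server banner text itself.
FINGERPRINTS = {
    "impl-A": {"status_phrase": "Bad Request", "closes_connection": True,
               "header_order": ["Content-Type", "Date", "Server",
                                "Connection", "Content-Length"]},
    "impl-B": {"status_phrase": "Bad request", "closes_connection": False,
               "header_order": ["Server", "Date", "Content-Type",
                                "Content-Length", "Connection"]},
}

def parse_response(raw):
    """Return the status line and the headers in the order the server sent them."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers

def banner_grab(raw):
    """Classic approach: trust whatever the Server header claims."""
    _, headers = parse_response(raw)
    return next((v for n, v in headers if n.lower() == "server"), "(none)")

def fingerprint(raw):
    """httprecon-style traits: reason-phrase wording, header order, behaviour."""
    status_line, headers = parse_response(raw)
    _version, _code, phrase = status_line.split(" ", 2)
    return {
        "status_phrase": phrase,
        "header_order": [n for n, _ in headers],
        "closes_connection": ("connection", "close") in [(n.lower(), v.lower()) for n, v in headers],
    }

def identify(raw):
    """Score each profile by matching traits; return (best name, score)."""
    fp = fingerprint(raw)
    scores = {n: sum(fp[k] == v for k, v in p.items()) for n, p in FINGERPRINTS.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]
```

Replacing the Server value with another product name changes what banner_grab returns but leaves identify at the same profile and score.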
Platform Supported
Classroom, iLabs
Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
Use the ID Serve tool
Get a web server footprint
Lab Environment
To carry out the lab, you need:
A web browser with Internet access
Lab Duration
Time: 10 Minutes
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.
Lab Tasks
TASK 1
Footprinting a Webserver
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
ID Serve: Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com):
Server query processing:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"
Lab Analysis
Document all the server information.
ID Serve - Server Query Processing:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"
Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?
Lab Environment
To carry out the lab, you need:
A web browser and Microsoft .NET Framework 2.0 or later in both host and target machine
JRE 7u6 running on the target machine (remove any other version of JRE installed in the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Lab Duration
Time: 20 Minutes
Lab Tasks
TASK 1
Installing Metasploit Framework
1. Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.
It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager.
5. In the Add Security Exception wizard, click Confirm Security Exception.
Certificate Status: This site attempts to identify itself with invalid information.
Wrong Site: Certificate belongs to a different site, which could indicate an identity theft.
Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
6. On the Metasploit Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.
Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
Enter your valid email address in the Metasploit Community option and click GO.
These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
Choose between two FREE Metasploit Offers
Metasploit Product Key: WNMW-J8KJ-X3TW-RN68
Thank you for choosing Rapid7 Metasploit Community Edition. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose - for free.
Your license is valid for one year and expires on 11/15/2013. When your license runs out, you can simply apply for a new license using the same registration mechanism.
The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.
Activate Your Metasploit License
1. Get Your Product Key
2. Enter Product Key You've Received by Email
vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.
TASK 3
Updating Metasploit
13. Go to Administration and click Software Updates.
14. Click Check for Updates, and after checking the updates, click Install.
By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a VirtualBox Host Only network.)
15. After completing the updates it will ask you to restart, so click Restart.
advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key,
17. After completion of restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.
TASK 4
Creating a New Metasploit Project
The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, ... of modules. The modules automate the functionality that the Metasploit ...
Project name: Exploit
Description: The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit we can actually invoke
Network range
Restrict to network range
TASK 5
Running the Exploit
20. Enter CVE ID (2012-4681) in Search Modules and click Enter.
Module authors: James Forshaw, sinn3r, juan vazquez
The module is designed to run in the background, exploiting clients as they connect. In the case of browser exploits, set the URIPATH option below if you want to control which URL is used to host the exploit. The SRVPORT option can be used to change the listening port. In the case of passive utility modules (auxiliary) the module output will be available from the task log after the module has been started.
IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services. In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.
Target Settings: Generic (Java Payload)
Payload Type: Meterpreter
Connection Type: Reverse
Listener Host: 10.0.0.10
24. Now switch to Windows 8 Virtual Machine, launch the Chrome browser and enter http://10.0.0.10:8080/greetings in the address bar and press Enter.
25. Click the Run this time for Java(TM) was blocked because it is out of date prompt in the Chrome browser.
26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.
Project Management
A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.
27. Click the Sessions tab to view the captured connection of the target machine.
User Management
Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.
28. Click the captured session to view the information of a target machine as shown in the following screenshot.
Active Sessions (Attack Module: JAVA_JRE17_EXEC)
Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
FIGURE 3.25: Metasploit Captured Session of a Target Machine
29. You can view the information of the target machine.
System Management
As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.
30. To access the files of the target system, click Access Filesystem.
Host Scan
A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.
Session 1 on 10.0.0.12
Available Actions:
Collect System Data - collect system evidence and sensitive data (screenshots, passwords, system information)
Access Filesystem - browse the remote file system and upload, download, and delete files
Command Shell - interact with a remote command shell on the target (advanced users)
Create Proxy Pivot - pivot attacks using the remote host as a gateway (TCP/UDP)
Terminate Session - closes this session; further interaction requires exploitation
Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.
34. The following screenshot shows the IP address and other details of your target machine.
Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and email template.
A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.
FIGURE 3.32: Metasploit closing command shell
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.