
CEH Lab Manual

Module 12
Hacking Web Servers


A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

Lab Scenario


Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at server-side. So hackers attack the web server to steal credential information, passwords, and business information by DoS (DDoS) attacks, SYN flood, ping flood, port scan, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. We present a security application that augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which then can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on the web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark. It's also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more.

The objective of this lab is to:

Footprint web servers

Crack remote passwords

Detect unpatched security flaws

CEH Lab Manual Page 731 Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment
To carry out this, you need:

A computer running Windows Server 2012 as host machine

A computer running Windows Server 2008, Windows 8 and Windows 7 as a virtual machine

A web browser with Internet access

Administrative privileges to run tools

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Duration
Time: 40 Minutes

Overview of Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on the request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, webcams and serving only a local network. The web server may then be used as a part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.

TASK 1: Overview

Lab Tasks
Recommended labs to demonstrate web server hacking:

Footprinting a web server using the httprecon tool

Footprinting a web server using the ID Serve tool

Exploiting Java vulnerabilities using Metasploit Framework


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Footprinting Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.

Lab Scenario
Web applications are the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:

Use the httprecon tool

Get webserver footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon


You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon

If you decide to download the latest version, then screenshots shown in the lab might differ

Run this tool in Windows Server 2012

A web browser with Internet access

Administrative privileges to run tools

httprecon is an open-source application that can fingerprint an application of webservers.

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.

TASK 1: Footprinting a Webserver

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

FIGURE 1.1: httprecon main window (httprecon 7.3; menus File, Configuration, Fingerprinting, Reporting, Help; Target field with scheme http:// and port 80; request tabs GET existing | GET long request | GET nonexisting | GET wrong protocol | HEAD existing | OPTIONS common ...; result panes Full Matchlist | Fingerprint Details | Report Preview with columns Name, Hits, Match %)

Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.


4. Enter the web site (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered web site.

6. You should receive a footprint of the entered web site.


Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

FIGURE 1.2: The footprint result of the entered website (httprecon 7.3 - http://juggyboy.com:80/, Target: Microsoft IIS 6.0). The GET existing tab shows the response:
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Matchlist (352 Implementations):
Name                      Hits   Match %
Microsoft IIS 6.0          88    100
Microsoft IIS 5.0          71    80.68
Microsoft IIS 7.0          63    71.59
Microsoft IIS 5.1          63    71.59
Sun ONE Web Server 6.1     63    71.59
Apache 1.3.26              62    70.45
Zeus 4.3                   62    70.45
Apache 1.3.37              60    68.18

The scan engine of httprecon uses nine different requests, which are sent to the target web server.

7. Click the GET long request tab, which will list down the GET request. Then click the Fingerprint Details.
Httprecon does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website. The GET long request tab shows the response:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

Fingerprint Details (HTTP):
Protocol Version: 1.1
Statuscode: 400
Statustext:
Banner:
X-Powered-By:
Header Spaces: 1
Capital after Dash: 1
Header-Order Full: Content-Type,Date,Connection,Content-Length
Header-Order Limit: Content-Type,Date,Connection,Content-Length


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon
Information Collected/Objectives Achieved:
Output: Footprint of the juggyboy web site
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Questions
1. Analyze the major differences between classic banner-grabbing of the server line and httprecon.

2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Lab 2
Footprinting a Webserver Using ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.

Lab Scenario
In the previous lab you have learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint.

It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:

Use the ID Serve tool

Get a web server footprint

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Environment
To carry out the lab, you need:

ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve

You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm

If you decide to download the latest version, then screenshots shown in the lab might differ


Run this tool on Windows Server 2012 as host machine

A web browser with Internet access

Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.

TASK 1: Footprinting a Webserver

Lab Tasks
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.

FIGURE 2.1: Welcome screen of ID Serve (Internet Server Identification Utility, v1.02; ID Serve Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; tabs Background | Server Query | Q&A/Help; Server Query tab with the fields "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)", the "Query The Server" button, "Server query processing" and "The server identified itself as", plus Copy and Goto ID Serve web page buttons)

ID Serve can connect to any server port on any domain or IP address.

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the web site (URL) you want to footprint.

5. Enter http://10.0.0.2/realhome (IP address is where the real home site is hosted) in step 1.


6. Click Query the Server to start querying the entered web site.

7. After the completion of the query, ID Serve displays the results of the entered web site as shown in the following figure.

ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port.

FIGURE 2.2: ID Serve detecting the footprint. The query of http://10.0.0.2/realhome shows under "Server query processing":
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"

ID Serve can almost always identify the make, model, and version of any web site's server software.

Lab Analysis
Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
Server Identified: Microsoft-IIS/8.0
Server Query Processing:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"


Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?
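Question 1 here and Question 1 of the httprecon lab both ask what separates a plain banner grab from httprecon's approach. The following Python script is an added example, not code from the lab manual or from either tool: it computes the ID Serve view (the Server line) and the httprecon-style fingerprint elements (status code and text, header spaces, capital after dash, header order) from two constructed responses modelled on Figures 1.2 and 1.3, scores them against a toy hand-written fingerprint table (an assumption, not httprecon's database), and shows that removing the Server banner does not change the match ranking.

```python
"""Banner grabbing (the ID Serve view) versus httprecon-style fingerprinting.
Constructed example: the responses are modelled on the IIS 6.0 answers in
Figures 1.2 and 1.3, and FINGERPRINT_DB is a toy table, not httprecon's own."""

# Constructed responses, keyed by the httprecon test case they imitate.
PROBES = {
    "GET existing": (b"HTTP/1.1 200 OK\r\n"
                     b"Date: Thu, 18 Oct 2012 11:36:10 GMT\r\n"
                     b"Content-Type: text/html\r\n"
                     b"Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT\r\n"
                     b"Accept-Ranges: none\r\n"
                     b'ETag: "a47ee9091a0cd1:7a49"\r\n'
                     b"Server: Microsoft-IIS/6.0\r\n"
                     b"X-Powered-By: ASP.NET\r\n\r\n"),
    "GET long request": (b"HTTP/1.1 400 Bad Request\r\n"
                         b"Content-Type: text/html\r\n"
                         b"Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
                         b"Connection: close\r\n"
                         b"Content-Length: 34\r\n\r\n"),
}

# Toy database: expected element values per test case; each match is one hit.
# "banner" is deliberately not scored: httprecon does not rely on the Server line.
FINGERPRINT_DB = {
    "Microsoft IIS 6.0 (toy)": {
        "GET existing": {"statuscode": "200", "header_spaces": 1, "capital_after_dash": 1,
                         "x_powered_by": "ASP.NET", "header_order_full":
                         "Date,Content-Type,Last-Modified,Accept-Ranges,ETag,Server,X-Powered-By"},
        "GET long request": {"statuscode": "400", "statustext": "Bad Request",
                             "header_order_full": "Content-Type,Date,Connection,Content-Length"},
    },
    "Apache 1.3.x (toy)": {
        "GET existing": {"statuscode": "200", "header_spaces": 1, "capital_after_dash": 1,
                         "x_powered_by": "", "header_order_full":
                         "Date,Server,Last-Modified,ETag,Accept-Ranges,Content-Length,Content-Type"},
        "GET long request": {"statuscode": "414", "statustext": "Request-URI Too Large",
                             "header_order_full": "Date,Server,Connection,Content-Type"},
    },
}


def parse_response(raw):
    """Return (status line, [(name, raw value), ...]) in wire order, unnormalised."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = [(n, v) for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers


def banner_grab(raw):
    """What ID Serve reports: the Server header alone, or None if suppressed."""
    for name, value in parse_response(raw)[1]:
        if name.lower() == "server":
            return value.strip()
    return None


def fingerprint_elements(raw):
    """The per-response elements listed under httprecon's Fingerprint Details."""
    status, headers = parse_response(raw)
    parts = status.split(" ", 2)
    names = [n for n, _ in headers]
    lookup = {n.lower(): v.strip() for n, v in headers}
    first = headers[0][1] if headers else ""
    return {
        "protocol_version": parts[0].split("/", 1)[1],
        "statuscode": parts[1],
        "statustext": parts[2] if len(parts) > 2 else "",
        "banner": lookup.get("server", ""),
        "x_powered_by": lookup.get("x-powered-by", ""),
        # spaces between ':' and the value of the first header ("Date: ..." -> 1)
        "header_spaces": len(first) - len(first.lstrip(" ")),
        # 1 when every letter that follows a dash in a header name is upper case
        "capital_after_dash": int(all(n[i + 1].isupper() for n in names
                                      for i in range(len(n) - 1) if n[i] == "-")),
        "header_order_full": ",".join(names),
    }


def match_list(responses):
    """Score like the lab's Matchlist: hits, and hits as a % of the best score
    (Figure 1.2 shows 71 hits against a best of 88 as 80.68%)."""
    hits = {}
    for impl, per_probe in FINGERPRINT_DB.items():
        count = 0
        for probe, expected in per_probe.items():
            if probe in responses:
                observed = fingerprint_elements(responses[probe])
                count += sum(observed.get(k) == v for k, v in expected.items())
        hits[impl] = count
    best = max(hits.values()) or 1
    return sorted(((impl, n, round(100.0 * n / best, 2)) for impl, n in hits.items()),
                  key=lambda row: -row[1])


def strip_header(raw, name):
    """Drop one header from a raw response; models a suppressed Server banner,
    which blinds banner_grab() but leaves the match_list() ranking intact."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    prefix = name.lower().encode() + b":"
    kept = [line for line in head.split(b"\r\n") if not line.lower().startswith(prefix)]
    return b"\r\n".join(kept) + sep + body
```

Running it over responses captured from your own server shows how much a suppressed Server header actually hides.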

Internet Connection Required

☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Lab 3
Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.
Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:


Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/

If you decide to download the latest version, then screenshots shown in the lab might differ

A computer running Windows Server 2012 as host machine

Windows 8 running on virtual machine as target machine

A web browser and Microsoft .NET Framework 2.0 or later in both host and target machine

JRE 7u6 running on the target machine (remove any other version of JRE installed in the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit

You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab

This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

TASK 1: Installing Metasploit Framework

1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.


FIGURE 3.1: Metasploit Untrusted connection in web browser (Firefox "This Connection is Untrusted" page for https://localhost:3790 with the buttons Get me out of here!, Technical Details and I Understand the Risks)

4. Click Add Exception.


FIGURE 3.2: Metasploit Adding Exceptions (the same untrusted-connection page with the Add Exception button expanded)

5. In the Add Security Exception wizard, click Confirm Security Exception.


FIGURE 3.3: Metasploit Add Security Exception (Firefox dialog "You are about to override how Firefox identifies this site"; Certificate Status: Wrong Site, Unknown Identity; option "Permanently store this exception"; buttons Confirm Security Exception and Cancel)

6. On the Metasploit Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.

FIGURE 3.4: Metasploit Creating an Account (Username, Password and Password confirmation fields; Optional Info & Settings with Email address and time zone; Create Account button)

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.


This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

8. Enter your valid email address in the Metasploit Community option and click GO.

FIGURE 3.6: Metasploit Community version for License Key ("Choose between two FREE Metasploit Offers": Metasploit Pro trial or Metasploit Community Edition; "Enter email address" field with Go button)

9. Now log in to your email address and copy the license key as shown in the following figure.


To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

FIGURE 3.7: Metasploit License Key in your email ID provided (Rapid7 e-mail "Your Metasploit Community Edition Product Key", stating that the license is valid for one year and can be renewed through the same registration mechanism)

10. Paste the product key and click Next to continue.


Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

FIGURE 3.8: Metasploit Activating using License Key ("4 More Steps To Get Started": 1. Copy the Product Key from the email we just sent you; 2. Paste the Product Key here; 3. Click Next on this page; 4. Then click Activate License on the next page)

11. Click Activate License to activate the Metasploit license.

The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.


FIGURE 3.9: Metasploit Activation


The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.

FIGURE 3.10: Metasploit Activation Successful

TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.

FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after checking the updates, click Install.


By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network)

FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.


TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.

FIGURE 3.14: Metasploit Restarts

17. After completion of the restart it will redirect to Metasploit - Home. Now click Create New Project from the Project drop-down list.

Creating a New Metasploit Project

This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.

FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.
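The two Metasploitable misconfigurations described in the margin notes, the ".rhosts + +" trust that opens the "r" services to every host and the NFS export of "/", can be audited on a host from its own configuration files. The following is an added example for this manual, not the lab's own code and not a Rapid7 or Metasploitable tool; the function names are ours, and the hosts.equiv and exports contents, hostnames and network ranges in it are constructed. It goes slightly beyond the notes by also flagging no_root_squash on an open export, which is what lets a remote root keep its privileges on the share.

```python
"""Audit checks for the two Metasploitable 2 misconfigurations described in the
notes above: "r" services (rsh/rlogin/rexec on TCP 512-514) trusting every host
through a "+ +" entry, and NFS exporting the root filesystem to every client.
Added example, not part of the lab; the sample file contents are constructed."""
import os
import re
from typing import List


def rhosts_trusts_everyone(text: str) -> bool:
    """Return True if a hosts.equiv or .rhosts file grants access from any host.

    Each non-comment line is "<host> [<user>]"; a host field of "+" matches every
    host, and "+ +" additionally matches every user.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] == "+":
            return True
    return False


def risky_exports(text: str) -> List[str]:
    """Return findings for /etc/exports lines that expose "/" to every client or
    let remote root keep its privileges (no_root_squash) on an open export."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # no client list means everyone
        for spec in clients:
            # A client spec is "<host>" or "<host>(opt,opt)"; an empty host means everyone.
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            if not m:
                continue
            host = m.group(1) or "*"
            opts = (m.group(2) or "").split(",")
            if host == "*" and path == "/":
                findings.append("/ exported to all hosts")
            if host == "*" and "no_root_squash" in opts:
                findings.append(f"{path} allows remote root (no_root_squash) for all hosts")
    return findings


def audit_host(hosts_equiv="/etc/hosts.equiv", exports="/etc/exports") -> List[str]:
    """Run both checks against real files on the current host, skipping absent ones."""
    findings = []
    if os.path.exists(hosts_equiv):
        with open(hosts_equiv) as fh:
            if rhosts_trusts_everyone(fh.read()):
                findings.append(f"{hosts_equiv} trusts every host")
    if os.path.exists(exports):
        with open(exports) as fh:
            findings.extend(risky_exports(fh.read()))
    return findings


# Constructed samples: the weak setting beside its hardened equivalent.
WEAK_HOSTS_EQUIV = "# constructed sample\n+ +\n"
HARDENED_HOSTS_EQUIV = "# constructed sample\nbastion.example.com alice\n"
WEAK_EXPORTS = "# constructed sample\n/ *(rw,sync,no_root_squash,no_subtree_check)\n"
HARDENED_EXPORTS = "# constructed sample\n/srv/export 10.0.0.0/24(ro,sync,root_squash,no_subtree_check)\n"

if __name__ == "__main__":
    print("weak hosts.equiv trusts everyone:", rhosts_trusts_everyone(WEAK_HOSTS_EQUIV))
    print("weak exports findings:", risky_exports(WEAK_EXPORTS))
    print("hardened exports findings:", risky_exports(HARDENED_EXPORTS))
    print("this host:", audit_host())
```

Run it on a Metasploitable 2 guest to see both findings; on a hardened host, audit_host() returns an empty list. The exports parser deliberately treats a line with no client list as exported to everyone, which is how the NFS server itself reads it.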


The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.

FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.

FIGURE 3.17: Metasploit Modules Tab

TASK 5: Running the Exploit

20. Enter CVE ID (2012-4681) in Search Modules and click Enter.


Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.

FIGURE 3.18: Metasploit Searching for Java Exploit

A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

21. Click the Java 7 Applet Remote Code Execution link.

FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and custom reporting, combined with an advanced penetration testing workflow.

22. Configure the exploit settings:
a. In Payload Options set the Connection Type as Reverse and in Listener Host, enter the IP address where Metasploit is running.
b. In Module Options, enter the SRV Host IP address where Metasploit is running.
c. Enter the URI Path (in this lab we are using greetings) and click Run Module.


IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.

FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.

In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.

FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 virtual machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.
25. Click Run this time on the "Java(TM) was blocked because it is out of date" prompt in the Chrome browser.


Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.
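From the defender's side, the flow in steps 22 to 26 leaves two traces that can be correlated: a client fetching Java applet content from a host on an unusual port, and the same client shortly afterwards opening a new TCP connection to that same host on a different port (the reverse payload calling back to the listener). The following is an added example of detection logic over such records, not part of the lab and not a Metasploit feature; both log formats and every log line are constructed, the JAR file name is invented, and the callback port 4444 is a placeholder since the lab does not state its listener port.

```python
"""Correlate a web-proxy log with a connection log to spot the drive-by pattern from
steps 22-26: Java content served from a host, then a fresh TCP connection from the
same client back to that host on another port. Added example; the log formats and
lines are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

JAVA_TYPES = {"application/java-archive", "application/x-java-applet", "application/java-vm"}
WEB_PORTS = {80, 443}  # ordinary HTTP(S) back to the same server is not suspicious by itself


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def java_loads(proxy_lines: List[str]) -> List[Dict]:
    """Pick out successful fetches of JAR/class/applet content.
    Constructed proxy format: <ts> <client> <server:port> <method> <path> <status> <content-type>"""
    loads = []
    for line in proxy_lines:
        ts, client, dest, _method, path, status, ctype = line.split()
        server, port = dest.rsplit(":", 1)
        if status == "200" and (ctype in JAVA_TYPES or path.lower().endswith((".jar", ".class"))):
            loads.append({"ts": _ts(ts), "client": client, "server": server,
                          "port": int(port), "path": path})
    return loads


def new_connections(conn_lines: List[str]) -> List[Dict]:
    """Constructed connection-log format: <ts> <src> <dst:port> <proto> <state>"""
    conns = []
    for line in conn_lines:
        ts, src, dest, proto, state = line.split()
        dst, port = dest.rsplit(":", 1)
        if proto == "tcp" and state == "new":
            conns.append({"ts": _ts(ts), "src": src, "dst": dst, "port": int(port)})
    return conns


def correlate(proxy_lines: List[str], conn_lines: List[str],
              window: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Alert when a client that just loaded Java content from a server opens a fresh TCP
    connection to that same server on a port other than the serving port or 80/443
    within the window. Excluding the serving port keeps the applet download itself
    and follow-up page loads from triggering."""
    alerts = []
    conns = new_connections(conn_lines)
    for load in java_loads(proxy_lines):
        for c in conns:
            if (c["src"] == load["client"] and c["dst"] == load["server"]
                    and c["port"] not in WEB_PORTS and c["port"] != load["port"]
                    and load["ts"] <= c["ts"] <= load["ts"] + window):
                alerts.append({
                    "client": load["client"],
                    "server": load["server"],
                    "applet": f"{load['server']}:{load['port']}{load['path']}",
                    "callback_port": c["port"],
                    "delay_s": int((c["ts"] - load["ts"]).total_seconds()),
                })
    return alerts


# Constructed sample logs. 10.0.0.10, 10.0.0.12 and "greetings" are the lab's own
# addresses and URI path; the JAR name, the intranet host and port 4444 are placeholders.
PROXY_LOG = [
    "2012-11-15T14:04:50Z 10.0.0.12 10.0.0.10:8080 GET /greetings/ 200 text/html",
    "2012-11-15T14:04:51Z 10.0.0.12 10.0.0.10:8080 GET /greetings/app.jar 200 application/java-archive",
    "2012-11-15T14:06:10Z 10.0.0.25 10.0.0.40:443 GET /timesheet/applet.jar 200 application/java-archive",
]
CONN_LOG = [
    "2012-11-15T14:04:52Z 10.0.0.12 10.0.0.10:8080 tcp new",  # the JAR download itself: excluded
    "2012-11-15T14:04:55Z 10.0.0.12 10.0.0.10:4444 tcp new",  # reverse connection to the listener
    "2012-11-15T14:06:11Z 10.0.0.25 10.0.0.40:443 tcp new",   # benign intranet applet over HTTPS
]

if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, CONN_LOG):
        print(alert)
```

Only the 10.0.0.12 client produces an alert: the benign intranet applet is fetched and reached over 443, so it falls under the web-port exclusion. The window of two minutes is generous for a Java applet that calls back within seconds, as in this lab; tune it down if the connection log carries far more traffic than the sample.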

Project Management
A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

FIGURE 3.23: Metasploit Capturing the reverse connection of targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.


User Management
Administrators can assign user roles to manage the level of access that the user has to projects and administrative tasks. You can manage user accounts from the Administration menu.

FIGURE 3.24: Metasploit Session tab

28. Click the captured session to view the information of a target machine as shown in the following screenshot.

Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.

FIGURE 3.25: Metasploit Captured Session of a Target Machine

29. You can view the information of the target machine.


System Management
As an administrator, you can update the license key and perform software updates. You can access the system management tools from the Administration menu.

FIGURE 3.26: Metasploit Target Machine System information

Host Scan
A host scan identifies vulnerable systems within the target network range that you define. When you perform a scan, Metasploit Pro provides information about the services, vulnerabilities, and captured evidence for hosts that the scan discovers. Additionally, you can add vulnerabilities, notes, tags, and tokens to identified hosts.

30. To access the files of the target system, click Access Filesystem.

FIGURE 3.27: Metasploit Accessing Filesystem of a Target Machine

Bruteforce uses a large number of user name and password combinations to attempt to gain access to a host. Metasploit Pro provides preset bruteforce profiles that you can use to customize attacks for a specific environment. If you have a list of credentials that you want to use, you can import the credentials into the system.

31. You can view and modify the files from the target machine.


If a bruteforce is successful, Metasploit Pro opens a session on the target system. You can take control of the session through a command shell or Meterpreter session. If there is an open session, you can collect system data, access the remote file system, pivot attacks and traffic, and run post-exploitation modules.

FIGURE 3.28: Metasploit Modifying Filesystem of a Target Machine

Modules expose and exploit vulnerabilities and security flaws in target systems. Metasploit Pro offers access to a comprehensive library of exploit modules, auxiliary modules, and post-exploitation modules. You can run automated exploits or manual exploits.

32. You can also launch a command shell of the target machine by clicking Command Shell from the sessions captured.

FIGURE 3.29: Metasploit Launching Command Shell of Target Machine

Automated exploitation uses the minimum reliability option to determine the set of exploits to run against the target systems. You cannot select the modules or define evasion options that Metasploit Pro uses.

33. To view the system IP address and other information through the command shell in Metasploit, type ipconfig /all and press Enter.


Manual exploitation provides granular control over the exploits that you run against the target systems. You run one exploit at a time, and you can choose the modules and evasion options that you want to use.

FIGURE 3.30: Metasploit IPCONFIG command for Target Machine

34. The following screenshot shows the IP address and other details of your target machine.

Social engineering exploits client-side vulnerabilities. You perform social engineering through a campaign. A campaign uses e-mail to perform phishing attacks against target systems. To create a campaign, you must set up a web server, e-mail account, list of target e-mails, and email template.

FIGURE 3.31: Metasploit Target Machine IP Address in Metasploit Command Shell

WebScan spiders web pages and applications for active content and forms. If the WebScan identifies active content, you can audit the content for vulnerabilities, and then exploit the vulnerabilities after Metasploit Pro discovers them.

35. Click the Go back one page button in the Metasploit browser to exit the command shell.


A task chain is a series of tasks that you can automate to follow a specific schedule. The Metasploit Web UI provides an interface that you can use to set up a task chain and an interactive clock and calendar that you can use to define the schedule.

FIGURE 3.32: Metasploit closing command shell

A report provides comprehensive results from a penetration test. Metasploit Pro provides several types of standard reports that range from high level, general overviews to detailed report findings. You can generate a report in PDF, Word, XML, and HTML.

FIGURE 3.33: Metasploit Terminating Session

37. It will display Session Killed. Now from the Account drop-down list, select Logout.

You can use reports to compare findings between different tests or different systems. Reports provide details on compromised hosts, executed modules, cracked passwords, cracked SMB hashes, discovered SSH keys, discovered services, collected evidence, and web campaigns.

FIGURE 3.34: Metasploit Session Killed and Logging out


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Metasploit Framework

Information Collected/Objectives Achieved:
Output: Interface Information
Name: eth14 - Microsoft Hyper-V Network Adapter
Hardware MAC: 00:00:00:00:00:00
MTU: 1500
IPv4 Address: 10.0.0.12
IPv4 Netmask: 255.255.255.0
IPv6 Address: fe80::b9ea:d011:3e0e:1b7
IPv6 Netmask: ffff:ffff:ffff:ffff:ffff::

Questions
1. How would you create an initial user account from a remote system?
2. Describe one or more vulnerabilities that Metasploit can exploit.

Internet Connection Required
Yes / No

Platform Supported
Classroom / iLabs
