IDS and Penetration Testing Lab 2 - George Mason University

ISA 674, Angelos Stavrou

Laboratory 2

IDS and Penetration Testing Lab II

Software Requirements:

1. A secure shell (SSH) client. For Windows you can download a free version from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.62-installer.exe

Mac/Linux distributions come with ssh, you just have to open a console to invoke the program.

2. The BackTrack Linux – Penetration Testing Distribution: http://www.backtrack-linux.org/downloads/ (PROVIDED, no need to download unless you want to run it locally).

3. The Metasploitable 2 vulnerable platform: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ (PROVIDED, no need to download unless you want to run it locally).

4. Windows users: please install the Xming X Server for X-Windows support (free).

5. Mac users: install X11 (XQuartz).

6. Linux users just need to start X-Windows.

Lab Exercise Steps:

A. Connect to BackTrack Linux on dslsrv.gmu.edu, port 10022 (or 11022), as root using ssh and the password “isa674.” (with the dot):

- For Mac/Linux, type: ssh root@dslsrv.gmu.edu -p 11022

or: ssh root@dslsrv.gmu.edu -p 10022

You should get:

root@dslsrv.gmu.edu's password:

Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux


[...] root@bt:~#

For Windows

Enter dslsrv.gmu.edu for Host Name and 10022 (or 11022 for the second server) for Port, then click Open.


login as: root

password: isa674. (with the dot).

Now we are all logged in to an ssh terminal and can continue with the lab.

Your Metasploitable machines are directly connected to your BackTrack machine at the IP addresses 10.1.1.2 and 10.1.1.3.

Target Reconnaissance

The first step of any penetration testing approach is reconnaissance. All of you have used nmap in the past to:

- Detect the machines with open ports available in a subnet

- Identify the open ports and potentially more information about the services and machine running the services

Questions:

1. How do we identify which subnets are available to us on a host? Which command provides that information? Can we find that command using the “man -k keyword” search?

2. What is the NMAP syntax that we will use to scan a subnet?


3. What is the NMAP syntax to find the operating system of the machines in the subnet?

4. Can NMAP identify vulnerable services and point us to the exploits?
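As an added example (not part of the original lab handout), the following Python script shows the pieces behind questions 1 to 3: deriving the subnet to scan from one of your interface addresses, building the nmap command lines for host discovery, service detection and OS detection, and parsing nmap's greppable (-oG) output into a per-host inventory that you can compare against the Nessus report later. The sample nmap output and the interface address 10.1.1.1/24 are constructed for this example; only the target addresses 10.1.1.2 and 10.1.1.3 come from the handout.

```python
import ipaddress

# Constructed sample of nmap greppable (-oG) output for the two lab targets.
# Each port entry has the layout: port/state/protocol/owner/service/rpc info/version/
GNMAP_SAMPLE = """\
# Nmap 6.01 scan initiated as: nmap -sS -sV -O -oG - 10.1.1.0/24
Host: 10.1.1.2 ()\tStatus: Up
Host: 10.1.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, 23/filtered/tcp//telnet///\tIgnored State: closed (997)\tOS: Linux 2.6.9 - 2.6.33
Host: 10.1.1.3 ()\tStatus: Up
Host: 10.1.1.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, 80/open/tcp//http//Apache httpd 2.2.8/\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


def subnet_of(interface_cidr: str) -> str:
    """Network an interface address belongs to: '10.1.1.1/24' -> '10.1.1.0/24'.

    The address/prefix pair is what `ip addr show` (or `ifconfig`) reports per
    interface; the resulting network is the range nmap should be pointed at.
    """
    return str(ipaddress.ip_interface(interface_cidr).network)


def nmap_commands(network: str) -> dict:
    """nmap command lines answering the three reconnaissance questions above."""
    return {
        "host_discovery": f"nmap -sn {network}",                   # which hosts are up
        "service_scan": f"nmap -sS -sV -oG scan.gnmap {network}",  # open ports + service versions
        "os_detection": f"nmap -O {network}",                      # operating system fingerprinting
    }


def parse_gnmap(text: str) -> dict:
    """Parse greppable nmap output into {ip: {"ports": [...], "os": str | None}}.

    Only open ports are kept. nmap escapes any '/' inside a version string as '|',
    so splitting each port entry on '/' is safe.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip the '# Nmap ...' banner and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for item in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    if state == "open":
                        entry["ports"].append(
                            {"port": int(port), "proto": proto, "service": service, "version": version}
                        )
            elif key == "OS":
                entry["os"] = value
    return hosts


def hosts_running(hosts: dict, service: str) -> list:
    """IPs exposing a given service name (e.g. 'ssh'), sorted for stable reporting."""
    return sorted(ip for ip, h in hosts.items() if any(p["service"] == service for p in h["ports"]))


if __name__ == "__main__":
    net = subnet_of("10.1.1.1/24")  # constructed: the BackTrack-side address of the lab link
    for name, cmd in nmap_commands(net).items():
        print(f"{name:15s} {cmd}")
    inventory = parse_gnmap(GNMAP_SAMPLE)
    for ip, h in sorted(inventory.items()):
        ports = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip() for p in h["ports"])
        print(f"{ip}: os={h['os'] or 'unknown'}; open: {ports}")
    print("hosts running ssh:", hosts_running(inventory, "ssh"))
```

Running the script with the constructed sample prints the three command lines for 10.1.1.0/24 and an inventory of the two targets; on the real BackTrack host you would feed it the scan.gnmap file written by the service scan instead. Keeping the inventory in this structured form makes it straightforward to check later which Nessus findings correspond to which open port.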

Although nmap is a very useful tool, it is limited in what it can do for us. An alternative tool, with a graphical user interface and a more detailed analysis of the potential vulnerabilities of each service on a target host, is NESSUS (http://www.tenable.com/products/nessus).

In this lab, we will be using NESSUS to scan the vulnerable machines and identify exploits that can be used to attack those machines. NESSUS is yet another tool in our penetration testing arsenal and a complement to Metasploit that we used in the last Lab.

Reconnaissance with NMAP

B. Start your X-windows client

a. Mac Users start XQuartz

b. Windows users start Xming X Server

C. Start an SSH connection to the BackTrack server as in step A, but with a modification:

a. Mac/Linux: use ssh to connect to the BackTrack servers as in step (A), adding the -Y flag: ssh -Y root@dslsrv.gmu.edu -p 11022

b. Windows: start PuTTY and enable X11 forwarding in the PuTTY configuration before you connect (see the figure on the next page).


The “-Y” flag instructs ssh to forward any graphical windows from the remote server to your local X-Windows display, so you can view GUIs. You should be at a prompt like this:

root@bt:~#

To test whether the GUI is activated, type “xterm” at the prompt; you should get a terminal window (it might be flashing in your taskbar and you may have to click it to bring it up):


D. Now we are ready to start with NESSUS, which is browser driven. For your convenience, I have already installed NESSUS on the BackTrack server, so you do not have to perform any steps other than executing the program. In general, though, you will need to install NESSUS on a BackTrack installation using the following steps: http://www.fuzzysecurity.com/tutorials/8.html

In the command prompt root@bt:~#, type:

“firefox -ProfileManager”

This should bring up the Firefox browser window. Depending on your Internet or network connection this might take a few seconds. In the end, you should see:

Create your own profile by clicking “Next”, then fill out your name, click “Next”, and then “Start Firefox” with your profile (see the figure on the next page).


Next time you can use your profile instead of creating one.

E. Start Nessus

Type “https://localhost:8834” in the browser address bar and press Return:

In the NESSUS login window, type “root” for Username and “msec641.” for Password.


Click Login to enter and “OK” in the next screen.

Click on “Scans” and then “Add”. Fill in the form with a name (your own); the type is “Run Now”, the policy is “Internal Network Scan”, and for Scan Targets enter the IP addresses of the hosts to scan (as in nmap).

After you complete the form, press “Launch Scan” at the bottom right of the screen.

The next step is to browse the report (the scan takes 4-5 minutes to complete). To browse the existing reports, click on Reports -> Browse (at the top). You should get a screen similar to the one on the next page.


By selecting one of the two reports and clicking on Browse (or double-clicking), you get:

By clicking further you get:


Using this information and either Metasploit (msfconsole) or Armitage (which we will cover in class), you can attack the two machines.

Another option is to use http://www.exploit-db.com/ (see next page)


Use the SEARCH option and enter the CVE or OSVDB identifier to get:

By double-clicking on the link, you get:


The above is the exploit in Python. Follow their recommended steps to exploit the vulnerability. Were you successful?

Further Questions:

Select 4 High and 4 Medium threats and test whether you can break into the machines. Note that not all exploits are exploitable! Describe what you did even if it was not successful. Include screenshots of your efforts.

Extra Credit

- Install your own BackTrack 5 R2 (you can get it from here: http://www.backtrack-linux.org/downloads/)

- Install NESSUS using the Home Feed (free): http://www.fuzzysecurity.com/tutorials/8.html


- Provide scans for dslsrv.gmu.edu and the GMU mail server mh-x.gmu.edu

- Provide scans for www.gmu.edu and another server of your choice

- If you cannot install your own NESSUS use the one provided to perform the same scans

An interesting video with some instructions, though more advanced:

http://www.youtube.com/watch?v=gw5xioiteLw&feature=player_embedded

We will discuss and dive into the tools more in class!