ISA 674, Angelos Stavrou
Laboratory 2
IDS and Penetration Testing Lab II
Software Requirements:
1. A secure shell (SSH) client. For Windows you can download a free one (PuTTY) from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.62-installer.exe
Mac/Linux distributions come with ssh, you just have to open a console to invoke the program.
2. The BackTrack Linux – Penetration Testing Distribution http://www.backtrack-linux.org/downloads/ (PROVIDED, no need to download unless you want to run it locally).
3. Metasploitable 2 vulnerable platform (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) (PROVIDED, no need to download unless you want to run it locally).
4. Windows users: please install Xming X Server for X-Windows support (free).
5. Mac users: install X11 (XQuartz).
6. Linux users: just need to start X-Windows.
Lab Exercise Steps:
A. Connect to BackTrack Linux on dslsrv.gmu.edu, port 10022 (or 11022), as root using ssh and the password "isa674." (with the dot):
- For Mac/Linux, type: ssh root@dslsrv.gmu.edu -p 11022
or: ssh root@dslsrv.gmu.edu -p 10022
You should get:
root@dslsrv.gmu.edu's password:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
[… ] root@bt:~#
For Windows
Enter dslsrv.gmu.edu for Host Name and 10022 (or 11022 for the second server) for Port, and click Open.
login as: root
password: isa674. (with the dot).
Now we are all logged in to an SSH terminal and we can continue with the Lab.
Your Metasploitable machines are directly connected to your BackTrack host at IP addresses 10.1.1.2 and 10.1.1.3.
Target Reconnaissance
The first step of any penetration testing approach is the reconnaissance phase. All of you have used nmap in the past to:
- Detect the machines with open ports available in a subnet
- Identify the open ports and potentially more information about the services and machine running the services
Questions:
1. How do we identify which subnets are available to us on a host? Which command will provide that to us? Can we find that command using the "man -k keyword" search?
2. What is the NMAP syntax that we will use to scan a subnet?
3. What is the NMAP syntax to find the operating system of the machines in the subnet?
4. Can NMAP identify vulnerable services and point us to the exploits?
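The questions above, answered in code. This is an added example and not part of the lab handout: it parses the output of `ip -o -4 addr show` (iproute2; `ifconfig` gives the same information on BackTrack) to find the directly connected subnets, derives the network from each address and prefix, and builds the nmap invocations for host discovery, service/version probing, OS fingerprinting and the NSE vuln scripts. The sample listing, the 10.1.1.1 address on eth0 and the 192.168.56.0/24 interface are constructed for the example; real runs need nmap on PATH and root for -O.

```python
# Added example for the reconnaissance questions above; not part of the lab
# handout. Assumes iproute2 (`ip`) and nmap on PATH when run for real; the
# sample listing below is constructed so the parsing can be exercised offline.
import ipaddress
import re
import shutil
import subprocess

# Constructed sample of `ip -o -4 addr show`: loopback plus two interfaces,
# shaped like the BackTrack host that fronts 10.1.1.2 and 10.1.1.3 (the
# 10.1.1.1 and 192.168.56.101 addresses are assumptions for the example).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

# One address per line: "<idx>: <dev>    inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<cidr>\S+)")


def local_subnets(ip_addr_output):
    """Q1: which subnets can we reach directly? Parse `ip -o -4 addr show`
    output and return [(interface, network)], skipping loopback. The network
    is derived from address and prefix, so 10.1.1.1/24 -> 10.1.1.0/24."""
    subnets = []
    for line in ip_addr_output.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group("cidr"))
        if iface.ip.is_loopback:
            continue
        subnets.append((m.group("dev"), str(iface.network)))
    return subnets


def nmap_commands(network):
    """Q2-Q4: the nmap invocations for one subnet, as argv lists.
    -sn            host discovery only (which machines are up)
    -sV -p-        probe every open port for a service/version banner
    -O             TCP/IP stack fingerprinting for the OS (needs root)
    --script vuln  NSE checks for known-vulnerable services; nmap can flag
                   some issues but does not point to exploits as Nessus does."""
    return {
        "discover": ["nmap", "-sn", network],
        "services": ["nmap", "-sV", "-p-", network],
        "os": ["nmap", "-O", network],
        "vuln": ["nmap", "-sV", "--script", "vuln", network],
    }


def run_recon(ip_addr_output=None):
    """Run the whole sequence against every non-loopback subnet of this host.
    Pass a saved `ip -o -4 addr show` listing to avoid calling `ip` directly.
    Returns {(interface, network, step): nmap stdout}."""
    if ip_addr_output is None:
        ip_addr_output = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                                        capture_output=True, text=True,
                                        check=True).stdout
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    results = {}
    for dev, net in local_subnets(ip_addr_output):
        for step, argv in nmap_commands(net).items():
            proc = subprocess.run(argv, capture_output=True, text=True)
            results[(dev, net, step)] = proc.stdout
    return results


if __name__ == "__main__":
    # Offline dry run on the constructed listing: show what would be executed.
    for dev, net in local_subnets(SAMPLE_IP_ADDR):
        print(dev, net)
        for step, argv in nmap_commands(net).items():
            print("  %-8s %s" % (step, " ".join(argv)))
```

Scanning all 65535 ports (-p-) on a /24 is slow; for the two lab hosts pass 10.1.1.2 and 10.1.1.3 instead of the whole subnet once discovery has shown which addresses are up.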
Although nmap is a very useful tool, it is limited in what it can do for us. An alternative tool with a graphical user interface and a more detailed analysis of the potential vulnerabilities of each service on a target host is NESSUS (http://www.tenable.com/products/nessus).
In this lab, we will be using NESSUS to scan the vulnerable machines and identify exploits that can be used to attack those machines. NESSUS is yet another tool in our penetration testing arsenal and a complement to Metasploit that we used in the last Lab.
Reconnaissance with NMAP
B. Start your X-windows client
a. Mac Users start XQuartz
b. Windows users start Xming X Server
C. Start the SSH connection to the BackTrack server as in step A, but with a modification:
a. Mac/Linux: connect to the BackTrack servers as in step (A) but add the -Y flag: ssh -Y root@dslsrv.gmu.edu -p 11022
b. For Windows
Start putty and enable the X11 forwarding on the Putty program before you try to connect (see Figure in next page)
The "-Y" flag enables trusted X11 forwarding: windows opened by programs on the remote host are sent over the SSH connection and displayed by your local X server, so you can use GUIs. (Trusted forwarding gives the remote host full access to your local display; -X is the untrusted, more restrictive variant, but some applications do not work under it.) You should be at a prompt like this:
root@bt:~#
To test whether the GUI is working, type "xterm" at the prompt; you should get a new terminal window (it might be flashing in your taskbar, and you may have to click it to bring it up):
D. Now we are ready to start NESSUS, which is browser driven. For your convenience, I have already installed NESSUS on the BackTrack host, so you do not have to perform any steps other than run the program. In general, though, you would need to install NESSUS on a BackTrack installation using the following steps: http://www.fuzzysecurity.com/tutorials/8.html
In the command prompt root@bt:~#, type:
“firefox -ProfileManager”
This should bring up the Firefox profile manager window. Depending on your Internet or network connection this might take a few seconds. In the end, you should see:
Create your own profile by clicking "Next", fill out your name, click "Next", and then "Start Firefox" with your profile (see Figure on next page).
Next time you can use your profile instead of creating one.
E. Start Nessus
Type "https://localhost:8834" in the browser address bar and press return. Nessus serves its web interface over HTTPS with a self-signed certificate, so the browser will warn you about it; accept the exception for localhost to continue.
In the NESSUS Login Window type "root" for Username and "msec641." (with the dot) for Password.
Click Login to enter and “OK” in the next screen.
Click on "Scans" and then "Add". Fill in the form with a name (your own), the type "Run Now" and the policy "Internal Network Scan"; for Scan Targets enter the IP addresses of the hosts to scan (10.1.1.2 and 10.1.1.3, given like nmap targets).
After you complete the form press "Launch Scan" at the bottom right of the screen.
The next step is to browse the report (it takes 4-5 minutes for the scan to complete). To browse the existing reports, click on Reports -> Browse (at the top). You should get a screen similar to the one on the next page.
By selecting one of the two reports and clicking on Browse (or double-clicking), you get:
By clicking further you get:
Using this information and Metasploit (either msfconsole or Armitage, which we will cover in class), you can attack the two machines.
Another option is to use http://www.exploit-db.com/ (see next page)
Use the SEARCH option and paste the CVE or OSVDB identifier from the Nessus finding to get:
By double clicking on the link, you get:
The above is the exploit, written in Python. Follow its recommended steps to exploit the vulnerability. Were you successful?
Further Questions:
Select 4 High and 4 Medium threats and test whether you can break into the machines. Note that not every reported vulnerability is actually exploitable! Describe what you did even if it was not successful. Include screenshots of your efforts.
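Picking the High and Medium findings out of a Nessus report and turning them into exploit-db search terms is mechanical, so here it is as code. This is an added example, not part of the lab handout or of Nessus: it parses a report exported in the .nessus (v2 XML) format (Reports -> Download in the Nessus GUI), keeps the Critical/High/Medium items sorted by severity, and for each returns the CVE identifiers, else the OSVDB identifiers, else the plugin name, in the order you would try them in the exploit-db search box. The report below is a constructed sample in that layout; its plugin names and identifiers are placeholders, not real findings.

```python
# Added example, not from the lab handout: triage a .nessus (v2 XML) report
# into the High/Medium findings with the CVE/OSVDB values to search on
# exploit-db. SAMPLE_NESSUS is a constructed report; the plugin names and
# identifiers in it are placeholders, not real vulnerabilities.
import xml.etree.ElementTree as ET

# .nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

SAMPLE_NESSUS = """\
<NessusClientData_v2>
 <Report name="lab2">
  <ReportHost name="10.1.1.2">
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4"
               pluginID="1" pluginName="Placeholder critical finding">
    <cve>CVE-0000-0001</cve><osvdb>1</osvdb><risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="2" pluginName="Placeholder info finding">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.1.1.3">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
               pluginID="3" pluginName="Placeholder high finding without identifiers">
    <risk_factor>High</risk_factor>
   </ReportItem>
   <ReportItem port="5432" svc_name="postgresql" protocol="tcp" severity="2"
               pluginID="4" pluginName="Placeholder medium finding">
    <osvdb>2</osvdb><risk_factor>Medium</risk_factor>
   </ReportItem>
   <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="1"
               pluginID="5" pluginName="Placeholder low finding">
    <risk_factor>Low</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """One dict per ReportItem: host, port, service, severity label, plugin
    name and the CVE/OSVDB identifiers Nessus attached to the finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": "%s/%s" % (item.get("port"), item.get("protocol")),
                "service": item.get("svc_name"),
                "severity": SEVERITY.get(item.get("severity"), "Info"),
                "plugin": item.get("pluginName"),
                "cves": [e.text for e in item.findall("cve")],
                "osvdbs": [e.text for e in item.findall("osvdb")],
            })
    return findings


def triage(findings, levels=("Critical", "High", "Medium")):
    """Keep only the findings at the given levels, most severe first."""
    keep = [f for f in findings if f["severity"] in levels]
    return sorted(keep, key=lambda f: (RANK[f["severity"]], f["host"], f["port"]))


def search_terms(finding):
    """What to paste into exploit-db's search box, in order of preference:
    CVE identifiers, then OSVDB identifiers, then only the plugin name."""
    if finding["cves"]:
        return finding["cves"]
    if finding["osvdbs"]:
        return ["OSVDB-" + n for n in finding["osvdbs"]]
    return [finding["plugin"]]


if __name__ == "__main__":
    # Replace SAMPLE_NESSUS with open("lab2.nessus").read() for a real report.
    for f in triage(parse_nessus(SAMPLE_NESSUS)):
        print("%-8s %-9s %-9s %-10s %s" % (f["severity"], f["host"], f["port"],
                                          f["service"], ", ".join(search_terms(f))))
```

A finding with no CVE or OSVDB identifier is not necessarily less real; Nessus reports configuration weaknesses (default credentials, anonymous FTP) that have no exploit-db entry but are still a way in, so keep them on the list and test them by hand.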
Extra Credit
- Install your own Backtrack 5 R2 (you can get it from here: (http://www.backtrack-linux.org/downloads/)
- Install NESSUS using the home feed (free)
http://www.fuzzysecurity.com/tutorials/8.html
- Provide scans for dslsrv.gmu.edu and the GMU mail server mh-x.gmu.edu
- Provide scans for www.gmu.edu and another server of your choice
- If you cannot install your own NESSUS use the one provided to perform the same scans
Interesting video with some instructions but more advanced:
http://www.youtube.com/watch?v=gw5xioiteLw&feature=player_embedded
We will discuss and dive into the tools more in class!