laboratory exercise - network security - penetration testing


Post on 02-Dec-2014


DESCRIPTION

This is training material for a laboratory exercise that I've practiced with the students of the Master Program - Network Security course.

TRANSCRIPT

1. Computer Network Security - Laboratory exercise. Adrian Furtun, M.Sc., C|EH, [email_address]

2. Purpose of the exercise

  • Demonstrate a computer attack using open-source tools:
    • Download the file secrets.txt from the desktop of the victim machine by exploiting one of its vulnerabilities.
  • Walk through the phases of an attack*:
    • Reconnaissance -
    • Scanning and Enumeration - Nmap, Nessus
    • Gaining Access - Metasploit
    • Escalating Privileges -
    • Maintaining Access -
    • Covering Tracks and Installing Backdoors -

* according to the documentation for the Certified Ethical Hacker certification (EC-Council)

3. Lab preparation (30 min)

  • Download and install the following tools:
    • nmap-5.00-setup.exe ( http://nmap.org )
    • Nessus-4.0.2-i386.msi ( http://www.nessus.org )
    • framework-3.3.3.exe ( http://www.metasploit.org )
  • Update the Nessus plugins:
    • Obtain an activation code (HomeFeed)
    • Register (the plugin update starts automatically after registration)
  • Prepare the victim:
    • Download and unpack the archive: winxp_SP2_strip.zip
    • Start the virtual machine: Windows XP Professional.vmx
    • Log in (user: user, pass: user)
  • Verify connectivity (private network, Host <-> Guest):
    • ping Host <-> Guest (in both directions)

4. Disclaimer: Ethical Hacking / Penetration Testing

  • Actions similar to those of an attacker/hacker
  • Ethical purpose:
    • Discovering vulnerabilities
    • Proposing corrective measures
    • No destructive or unapproved actions
    • Proactive, preventive activity

5. What we will practice

  • Scanning with Nmap
    • Open ports
    • Versions of the exposed services
    • Operating system version
  • Scanning with Nessus
    • Automated vulnerability search for the services found in the previous step
  • Exploiting a vulnerability with Metasploit
    • Gaining access to the target system

6. Attack target (victim)

  • Operating system: ?????
  • Exposed services: ?????
  • Vulnerabilities: ?????
  • Virtual machine (VMware)
  • Firewall ON/OFF
  • No antivirus

7. Scanning with Nmap (1) http://insecure.org

  • nmap -h [excerpts]
  • HOST DISCOVERY:
    • -sP: Ping Scan - go no further than determining if host is online
    • -PN: Treat all hosts as online -- skip host discovery
    • -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
    • -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  • SCAN TECHNIQUES:
    • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    • -sU: UDP Scan
    • -sN/sF/sX: TCP Null, FIN, and Xmas scans
  • PORT SPECIFICATION AND SCAN ORDER:
    • -p <port ranges>: Only scan specified ports
    • -F: Fast mode - Scan fewer ports than the default scan
  • SERVICE/VERSION DETECTION:
    • -sV: Probe open ports to determine service/version info
  • SCRIPT SCAN:
    • -sC: equivalent to --script=default
    • --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
  • OS DETECTION:
    • -O: Enable OS detection
  • OUTPUT:
    • -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

8. Scanning with Nmap (2)

  • nmap -sS -sV -O -F -n 10.0.40.69

9. Scanning with Nmap (3)

  • nmap -sS -sV -O -F -n 10.0.40.69
  • Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
  • Nmap scan report for 10.254.40.69
  • Host is up (0.00011s latency).
  • Not shown: 98 filtered ports
  • PORT STATE SERVICE VERSION
  • 139/tcp open netbios-ssn
  • 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
  • MAC Address: 00:0C:29:86:DF:91 (VMware)
  • Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  • Device type: general purpose
  • Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
  • Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows XP (93%), Microsoft Windows XP SP2 or SP3 (93%), Microsoft Windows 2003 Small Business Server (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2000 SP4 (91%)
  • No exact OS matches for host (test conditions non-ideal).
  • Network Distance: 1 hop
  • Service Info: OS: Windows
  • OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  • Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds

10. Scanning with Nessus (1) http://www.nessus.org

  • Nessus Server Manager -> Start Nessus Server
  • Nessus Client
    • Connect - the client connects to the server
    • + Networks to scan - enter the IP address of the target machine
    • + Select a scan policy - create a new scan policy
      • Plugin Selection -> Disable All
      • Plugin Selection -> Windows (enable only the Windows plugins)
    • Scan Now - start the scan
    • Export - save the resulting report

11. Scanning with Nessus (2) http://www.nessus.org

12. Gaining access: Metasploit (1) Metasploit architecture

  • Metasploit Console, Metasploit Web
  • Modules
      • Exploits - exploit a vulnerability and deliver a payload
      • Auxiliaries - port scanning, DoS, fuzzing, etc.
      • Payloads - encapsulate arbitrary code (shellcode) that is executed as a result of an exploit
      • Nops - generate NOP instructions of arbitrary length
  • Tutorial: http://www.offensive-security.com/metasploit-unleashed/

13. Gaining access: Metasploit (2) http://www.metasploit.org

  • We exploit the ms08-067 vulnerability (the one used by Conficker/Kido/Downadup): http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  • Start Metasploit Web
  • Exploits -> Search [ms08-067]
  • Set TARGET - Windows XP SP2 English
  • Set PAYLOAD - windows/meterpreter/bind_tcp (or reverse_tcp)
  • Set OPTIONS - RHOST (the victim's IP address)
  • Exploit

14. Gaining access: Metasploit (3) http://www.metasploit.org

15. Gaining access: Metasploit (4) http://www.metasploit.org

  • meterpreter > help [excerpts]
  • Stdapi: File system Commands
    • cat - Read the contents of a file to the screen
    • cd - Change directory
    • del - Delete the specified file
    • download - Download a file or directory
    • edit - Edit a file
    • getlwd - Print local working directory
    • getwd - Print working directory
    • lcd - Change local working directory
    • lpwd - Print local working directory
    • ls - List files
    • mkdir - Make directory
    • pwd - Print working directory
    • rm - Delete the specified file
    • rmdir - Remove directory
    • upload - Upload a file or directory
  • Stdapi: System Commands
    • clearev - Clear the event log
    • execute - Execute a command
    • kill - Terminate a process
    • ps - List running processes
    • reboot - Reboots the remote computer
    • shell - Drop into a system command shell
    • sysinfo - Gets information about the remote system, such as OS
  • Stdapi: User interface Commands
    • keyscan_dump - Dump the keystroke buffer
    • keyscan_start - Start capturing keystrokes
    • keyscan_stop - Stop capturing keystrokes

16. Achieving the objective