ISEC3700 ASSIGNMENT 2 LEARNING KALI LINUX LYNDA COURSE

Transcription

1 ISEC3700 ASSIGNMENT 2 LEARNING KALI LINUX LYNDA COURSE Joudrey, Mark NSCC TRURO CAMPUS November 18, 2018

2 Contents Getting Started An Overview of Metasploit, Maltego, and Wifite... 2 Setting up the VirtualLab with VMware Workstation... 3 Screenshots of Virtual Machines Installing Virtual Machines and Appliances... 5 Exploring Kali Linux applications... 5 Gathering information with DMitry and DNSenum... 5 Conducting a vulnerability assessment... 6 Topic Summaries and Analysis... 7 Information Gathering (Understanding the Target)... 7 Introducing DMitry... 7 Introducing DNSenum Introducing Maltego Vulnerability Analysis Identifying web vulnerabilities with Nikto Installing and Running OpenVAS Installing and using Vega Passwords and Hashes Windows Credential Editor John (CLI) John (CLI) Windows Johnny (John The Ripper) Pass the Hash Use Rainbow Tables Exploiting Targets Exploit Linux with Metasploit Introducing mfsvenom Exploiting with Armitage Pivot Through the Network Getting Stealth and Persistence Access Course Results Page 1

3 Getting Started An Overview of Metasploit, Maltego, and Wifite Kali Linux is a Debian-Linux based operating system created for the sole purpose of IT Security testing. Penetration Testing (pen-testing for short) is becoming an increasing role of IT sysadmins and devops for security company infrastructure compliance, as the need for data security becomes an increasing necessity in businesses small to large, and even personal computing. Emphasis on business security, even though networks can be secured by many forms of equipment hardware, and software mitigation techniques, vulnerabilities appear every day in all forms of software, and IT professionals cannot always rely on their primary security counter-measure systems. Kali Linux comes pre-bundled with Metasploit, among other tools. Metasploit is a security vulnerability knowledgebase that not only contains information on vulnerabilities within its framework. It also contains exploits for carrying out attack-tests on client devices within a network infrastructure to provide feedback and insight to the pen-tester of the current security state of his or her network environment. If an attack is successful, the user can choose to carry out further exploitation of the enddevice to see the potential magnitude of the present vulnerability. Impact on the devices affected can vary depending on how often they are patched, monitored, and maintained. Within the Lynda course, instructor Malcolm Shore walks you through the usage of Metasploit not only through shell, but through its GUI application Armitage. Armitage makes beginning the use of Metasploit easier for newbies to Metasploit as it provides interactivity of options that would normally have to be executed via terminal commands. Examples of the interactivity include but aren t limited to, the current state icon of the enduser device. When a host has a recognized operating system, its icon will change. Also, when a computer goes from secure to compromised, its icon will change to a red hue with lightning bolts encased around it. This provides more fluid understanding for new users, but it can be assumed sometimes false positives could occur if any part of the Armitage code becomes not current or obsolete. This is where having a thorough understanding of the code behind Metasploit could separate recreational users from seasoned/veteran Metasploit users. Metasploit is primarily focuses on software-based vulnerabilities within internet protocols such as SMB, HTTP(S), and <BLANK>, along with operating system vulnerabilities such as Windows UAC, user password module bypassing, as well as creating a Fully Undetectable (FUD) payload. These are all serious but well-established attack-vectors for malicious/rogue users also known as threat agents. These attack-vectors can traverse the network through a local and/or remote means - depending on the hacker. Security of information systems through vulnerabilities within your system can be important to look after, but what happens if your company is potentially sharing too much information? Maltego helps with maintaining control of your information security by performing public queries to the internet to provide reports back on queried entity or entities. Maltego is primarily a tool for security researchers and associates along with private investigators and IT administrators alike. IT provides data mining capabilities for not only people but web-based information of infrastructure alike: such as DNS, whois, -servers, different types of metadata, and even API information. Wifite is a wireless penetration tool wifi tool for handling attacks on wireless WEP, WPA, and WPS encrypted networks in a row. It is a GUI/CLI hybrid meaning it runs in the terminal of linux but it also displays in a human readable text-based menu making it easy to start running attacks for beginners. This is not to confused with being an easy tool to start using, but however it is in fact still a tool that requires understanding of how the attacks are carried out, as they do not crack all networks natively by Page 2

4 any stretch of the imagination and may require further software intervention along with further human intervention. It advertises as an automated wireless auditor. Setting up the VirtualLab with VMware Workstation We were asked to use VirtualBox as our main type-ii hypervisor. With my laptop I was faced with performance issues using VirtualBox so I was unfortunately forced to use VMware Workstation as my main hypervisor since every troubleshooting technique I tried carried similar results across all virtual machines required as part of the assignment. Troubleshooting options I tried: Installing distribution-based versions of additional guest tools included with virtualbox and within googled recommendations of each distribution Hardware modifications of each VM including: CPU count (1-2 max), RAM adjustments (10GB RAM max), Video Memory (128MB max) Tried using older versions of VirtualBox as well as the newest version of VirtualBox. VMware Workstation seemed like the only feasible option that didn t make my machine run in an unstable manner carrying out the assignment. The setup included installing Kali Linux 64-Bit with updates, Debian 9, Metasploitable, and a Windows 7 VM. All these VMs run within a Host-Only internal environment ( x network), with Kali being a NAT d private environment with the Laptop so it and it alone can communicate with the outside world( xx NAT network x internal host-only network). Linux <hostname> kali2-amd64 #1 SMP Debian kali1 ( ) x86_64 GNU/Linux (uname -a) Page 3

5 Linux <hostname> amd64 #1 SMP Debian ( ) x86_64 GNU/Linux (uname -a) An example of metasploitable. In this photo is the /var/www folder on metasploitable. IE11.Win7.VMWare.zip IE11.Win7.VirtualBox.zip Page 4

6 Installing Virtual Machines and Appliances Installing the virtual machines and appliances was rather simple as it only required that we set the networks to NAT with each other and just perform installs through the means of typical.iso step-bystep and.ova imports. After that I would just simple perform apt-get update && apt-get upgrade on all machines to make sure everything was all as up to date as possible, so machines were current with each other. I performed necessary restarts I saw fit after updates and installing the VMware tools software just so updates would integrate as they were designed to. Exploring Kali Linux applications For a quick overview of Kali Linux s included tools, one could view the website Kali Linux Tools Listing for a listing of all tools currently loaded on a post-installation boot. Like many web-based documentation platforms, it gives a breakdown of each individual item, including a description, examples of use, and a raw copy of the readme file attached to the item page. This is especially handy for any learner looking to dive into the IT Security Kali Linux world and discover penetration testing tools within the open-source world. Many topics explained for each item is especially technical and may require deeper research than other items. An example of a tool would include sslstrip as it is a simple vulnerability for terminating https traffic and redirecting it to http. This tool could only work in some situations as most websites and browsers have counter-measures in place to stop this particular attack(exploit) from happening. Some patches may make attacks like this become available so as an IT administrator, it is always important to stay up to date with security knowledge-bases and news feed outlets to see when these events do happen. An example of a tool that require a larger scope of research include OVAS, Sqlninja, and RainbowCrack just as starters. The reason I say these tools is because unlike sslstrip it requires some background knowledge on the vulnerabilities you are testing for or in hacker s eye, taking advantage of. OVAS outputs information on vulnerabilities and solution types, but it does not give you the exact stepby-step walkthrough of the solution. Sqlninja requires knowledge of what SQL actually is, what the syntax is, and what the terminology means of the SQL vulnerabilities you are testing for. If you don t understand SQL schema structure, and the intricacies of a particular SQL database, you won t be able to efficiently work with testing at as further depth as potentially possible. RainbowCrack requires you to understand exactly what happens with rainbow tables and how to implement the attack and establish connections to an attack vector. Gathering information with DMitry and DNSenum Dmitry is a tool specific for the use of domain queries. It allows you to perform sub-domain lookups tied to a particular primary domain. Results can provide a great deal of overlay to security techs who want further verification to sub-domains they don t have administrative cpanel access to. Granted there are online tools such as pentest-tools.com that can provide similar information gathering to Dmitry, but Kali Linux as a pre-bundle adds extra value and options as opposed to other web-based pentesting utilities. DMitry also allows for whois lookups, and TCP port lookups which have been around for awhile but still are yet another reason to have the utility available as a security tech. Page 5

7 DNSenum is a further look into DNS enumerations of A records, MX records, nameservers, etc. It is a query tool that puts a lot of its attention in data mining of web server data and the contents stored on web servers. Conducting a vulnerability assessment For conducting vulnerability assessments of a particular host or network, Kali Linux comes preloaded with a few tools to perform such tasks. For the initial vulnerability test I ran on a metasploitable VM, I used Nikto. Nikto is a CLI-based vulnerability scanner that provides live feedback of vulnerabilities found within the entity being scanned. The output of Nikto scan on host > nikto -h Page 6

8 Photos Topic Summaries and Analysis Information Gathering (Understanding the Target) Introducing DMitry Description This is a Dmitry query of a command where it returns information on the domain lookup, subdomains attached to the domain. Below is a full output of a simple dmitry google.com query. ARIN listings - Regional Internet Registries (RIRs) are nonprofit corporations that administer and register Internet Protocol (IP) address space and Autonomous System (AS) numbers within a defined region. RIRs also work together on joint projects. wledge/rirs.html AFRINIC Africa, portions of the Indian Ocean APNIC Portions of Asia, portions of Oceania ARIN Canada, many Caribbean and North Atlantic islands, and the United States LACNIC Latin America, portions of the Caribbean RIPE NCC Europe, the Middle East, Central Asia Page 7

9 Page 8

10 Page 9

11 Photos Introducing DNSenum Description Results of > dnsenum scanme.org Multithreaded perl script to enumerate DNS information of a domain and to discover noncontiguous ip blocks. OPERATIONS: Get the host s addresse (A record). Get the namservers (threaded). Get the MX record (threaded). Perform axfr queries on nameservers and get BIND VERSION (threaded). Get extra names and subdomains via google Page 10

12 scraping (google query = allinurl: -www site:domain ). Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded). Calculate C class domain network ranges and perform whois queries on them (threaded). Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded). Write to domain_ips.txt file ip-blocks. Photos Introducing Maltego Description When Maltego first opens, you want to click Create a new graph or simply hit ctrl+t. To demonstrate a maltego DNS query, you want to search through the entity palette listing and select the Domain An internet domain and drag it into the new graph tab you just created. Page 11

13 The domain it defaults to is paterva.com, the main website for Maltego. To change the domain to query, simply edit the domain name field in the property view tab. When you right click the domain icon in the graph-view, it will show you Run Transform(s) These are the query types available. There are configure and run all buttons next to most of the transforms. Under configure you will see a list of all the types of transforms. This can be especially useful for newbies to Maltego to explore the scope and complexity of the scans being performed. Page 12

14 Run all on DNS from Domain is what I run for the first scan. This will display sub-domains attached to scanme.org For the transform scan with scanme.org these were the following results. To add to the previous scan, you can select any of the sub domains and perform additional queries. I selected Resolve to IP to make a graphic appear with the sub-domain IP Maltego nmap.scanme.org showcase of the IP address tied to the domain. In this case the IP of the sub-domain is Page 13

15 Vulnerability Analysis Identifying web vulnerabilities with Nikto Photos Description Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/cgis, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. - Wikipedia Installing and Running OpenVAS Photos Description Installation instructions for installing OpenVAS from scratch on Kali Linux After installation prompt for opening OpenVAS in its Web UI interface. Usr: admin Pw: 2461ffca c4a- 843b-731a2457bf68 Page 14

16 OpenVAS Web-GUI based on port 9392 Task Wizard for scanning a host. Ongoing scan page of a host. This particular host is Kali Linux. Page 15

17 Scan base results of host on without report. Scan results page of 17 vulnerabilities found on a Kali Linux host. Photos/Instructions Installing and using Vega Description (extract into home directory in vega folder) > sudo update-alternatives -- config java and choose java 8 if available Add the following to sources.list Page 16

18 deb stretch main deb-src stretch main deb stretch main deb-src stretch main > sudo apt-get install libwebkitgtk-1.0 > sudo./vega Main screen of Vega when you open the software. Vega scan ongoing on which is a metasploitable machine. Live results will appear, and you can scroll down to see them. These results are pretty much in plain English which makes troubleshooting the problems easier to fix. Page 17

19 An example of this is the Cleartext Password over HTTP which requires the installation of a HTTPs certificate of some sort This scan continued for about 3hours and still only made it to a climbing 30% completion. Vega proxy is rather simple to integrate with web browsers as it is just a matter of going to the Proxy tab and clicking the toolbar at the top-left of Vega. Here is what was prompted in the Request tab when loading a virtual machine IP running metasploitable. Page 18

20 Passwords and Hashes Windows Credential Editor Photos Description Running wce is considered a hacking tool by most anti-viruses and will get flagged. WCE is a tool that can not only show the hash of usernames passwords, but if you attach the -w option, it will show the passwords in plain-text. Using the -g option will convert an input of your choice to NTLM hash format. If you add a new user, they should appear on the list in wce. If you do the command > wce -l -o name.txt It will output the dump of the wce listings to the.txt document. Page 19

21 Photos John (CLI) Description Before I began, I made a copy of the shadow file which stores hashes of usernames on the Linux machine. After that I output the file just to see the template of the original shadow file. I shortened down the list in the screenshots quite a bit just to show a few of the many linux users. Notice root and mork user names. Root being root user, and mork being a user I created for samba purposes. Here is the input of the shadow file to john application which looks after the offline password cracking mechanism. John was not able to crack the mork user password, but it was able to crack the root user password, which is toor. Here is an attempt at using the hash file from my windows machine. None of the password hashes were able to be cracked by john using the default dictionary file John included. These passwords were: Passw0rd! & P@$$w0rd123 It is important to not forget that john has a GUI interface, John the Ripper. It makes navigating the features of John much quicker at a glance, allowing you to change what type of attacks to carry out. Changes include dictionary attacks brute force attacks vs. algorithm-based brute force attacks. Page 20

22 Photos Johnny (John The Ripper) Description Here is the opening UI of Johnny (John The Ripper) Mask Mode Here are the different modes you have as selection for password cracking. The modes include: Single crack, Wordlist, Incremental, External, Mask, Markov, and Prince. Single crack Uses fuzzing modes to use relatable information from the username Wordlist As the name suggests, it relies on a dictionary file along with filters. Incremental Uses an algorithm based on exhaustive incremental character experimentation until it finds the password. External Allows for a user to make a coded method using a language similar to C and linked to John the Ripper to try custom generations of passwords. Mask Uses custom supplied syntax from John to Page 21

23 Markov Uses a special algorithm to generate word-like strings. It can be use with nonhybrid or hybrid mode for added masking rules. Markov Mode Prince Uses a word list file to create a combination of words to build up word chains. Prince stands for Probability Infinite Chained Elements and is intended for hard-hash recovery, where the real alternative is brute force incremental. This requires a vast understanding of the algorithm. Prince Mode Page 22

24 Photos Pass the Hash Description Activating the built-in Administrator user on Windows 7. We are using this to execute full admin privileged commands to a remote windows machine using kali s built in tool pthwinexe Gather the hash information for built-in Administrator Execute the following command to initiate the remote session. The following text prompts will occur ending with a familiar input field sysadmins will recognize from windows OS. You can tell this works by attempting a command that normally works from physical access of the machine. Here I run ipconfig where you can see which I used in the original pth-winexe initiation command to start the session with the remote Windows 7 machine. Here shows another example of a remote command on the directory listing of the remote Windows 7 machine. Page 23

25 Photos Use Rainbow Tables Descriptions Rainbow Tables have been around for a while but have made a stance in the password-cracking/brute forcing password realm. They are known for coming in large file sizes containing templates for cracking specific password layouts. For example: Small Alphabetic NTLM passwords 600MB Small Alphanumeric NTLM passwords 3GB Tables can obviously become much larger depending on the scope of the password(s) being cracked. With the most recent version of Kali, you should see included Rainbow Crack 1.7. This is one of the main Rainbow Table tools included with Kali Linux. Here is a directory listing of the rainbowcrack folder in Kali. Included in the directory is not only rcrack, but rtgen which is a rainbow table generator. rt2rtc and rtc2rt are converters between the rt and rtc rainbow table formats. Rtsort is used to sort rt rainbow tables before use. Page 24

26 rtc files are a compressed version of rt files which save about 50% of disk space. Generating a simple rainbow table for a Windows (NTLM) six lowercase alphabetic characters long. This format being created is using 335,540 chains of length at 3800bytes. This might not always be an optimized approach for every 6-lowercase alphabetic character long passwords. As you can see, it takes a little while to perform the generation of this rainbow table file. It creates a non-compressed rainbow table file (.rt) which is now located in the rainbowcrack folder. vs. We need to sort this table using rtsort before we use it. That is what at least the guided learning said should be done. Here you can see my results compared to the Lynda tutorial results. Mine did not have any verbose output. Regardless, the rt file should now be ready to be used. Unfortunately, I was unable to use the rainbow table I created. This area will require more troubleshooting to fix. Page 25

27 Exploiting Targets Exploit Linux with Metasploit Photos Description Metasploit is a framework that has curated exploits in its knowledge database. Don t be alarmed if it looks different from the last time you used it. Splashscreens are randomized on each bootup of Metasploit. Notice it has 1825 exploits and 541 payloads in its database. There are also other modules too including encoders, auxiliary, post, and nops. Metasploit includes a wealth of commands in its backend. Be aware that introducing other exploits will change the help menu to represent the active exploits being used. As an example, you will see this shortly in the msfvenom section, where we are able to run exploits on a Windows 7 machine. These exploits include keylogging, webcam monitoring, and many others. Page 26

28 Page 27

29 If you type show exploits, you will be a presented with a list of exploit commands available in the Metasploit database. The format of the output is: Exploit Name, Disclosure date, the exploit effectiveness, and the description of what the exploit achieves. Unfortunately, I could not find what the check field(yes/no) indicated. Here are available options for zeroing-in on your Metasploit search filters. If I wanted to find exploits for windows 8, I could simply type: > search win8 Same goes with win7 and windows 10 Now if I want to exploit a Linux system, here is a way how I could go about that. Here I initiate the use of unreal_ircd_3281_backdoor exploit. I type show targets. With this particular exploit, it can automatically determine what type of target it has, so we leave it set as automatic. Page 28

30 Typing show payloads will show a list of payloads that can be used with this exploit. If there was a payload I wanted more information on, such as reverse, I could simply type > info cmd/unix/reverse I set the payload by typing > set payload cmd/unix/reverse After setting the payload, I can see what options the payload has by typing > show options Before we run the exploit, we set the remote and local host IP addresses. Page 29

31 When we type > exploit We can see the processing output messages displayed. Once A is input is shown, I typed ifconfig, which confirms we are in the shell of which is the metasploitable virtual machine IP. If I type whoami it will show I am the root user on the metasploitable VM. If I type pwd it will show I m located in the /etc/unreal directory. If I type cd../.. and type > ls -l It will show me the contents of the metasploitable VM root directory. You can type CTRL+C at any point to terminate the remote shell session. Other exploits are possible against metasploitable. Here we try multi/samba/usermap_script Page 30

32 Here we see that the command went through similar to the last exploit and can be confirmed by typing ifconfig to confirm the remote hosts IP address does in fact show up. Photos Introducing mfsvenom Description msfvenom is a CLIbased software that can be use to make trojans (RATs) for x- platform devices. ` This is an example of a trojan being created. LHOST being the attacker machine, not the victim machine. To have a listener for the trojan, we use Metasploit for msfvenom to be its callback handler. Page 31

33 Now we need a way to get the file over to the Windows victim. The client is running Windows7 in this test. The instructions I followed are as outlined on the left in the photos column. On the Kali Client - I substituted the username with something more appropriate, and changed WinXP_User_Name to the username I selected. After all changes needed were made to the kali samba, I ran the service start commands. This in turn made the share appear on the Win7 VM. I now execute the winjan trojan, on the Kali machine you will notice Sending stage ( bytes to Page 32

34 If you now type help in the meterpreter session, you will find options for all the different options of exploits on the victim that can be carried out. Not all the different types of attacks are displayed on the left. Right now you are free to run as many commands available as you want on the victim machine as it is compromised. getuid will display the current user logged in. It appears we successfully got administrative overhead. If the getsystem method didn t work, you could run the following which would give the desired results. Notice the green UAC bypassing sections. Page 33

35 sysinfo for gathering all system information on the compromised windows system. There can be some issues with trying to get a hashdump due to privileges, or the current process being used. The following link helped me troubleshoot the issue for obtaining dumps. / dumping-hasheson-win2k8-r2-x64-withmetasploit/ An example of keyscan tool being used for logging keystrokes on the victim machine. Photos Exploiting with Armitage Description When I first open Armitage, it still detects the computer that was just exploited using msfvenom. You can click Attacks/Find Attacks as soon as have host machines available to attack. This results in the displayed information in the attack drop-down menu in each host menu. As shown in the picture, the particular host has exploits available in dcerpc, oracle, samba, smb, and ssh. Page 34

36 This is how you add a host. Here I added the Metaspolitable machine. Here is an example of what attacks can be found on a Metasploitable machine natively as of November 17 th Page 35

37 For testing purposes, we ll try the usermap_script for now. This prompts after usermap_script selection. Right now the settings are fine as they are. This module exploits a command execution vulnerability in Samba versions through rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication! An exploit tab opens as it shows the commands and actions being traversed between the attack vector. The metasploitable machine now compromised and you can see that as the linux machine is now enveloped with lightning bolts and has turned red. Page 36

38 When you right click the metasploitable machine now, you will see a new menu lableled Shell 1 appears and I will now select Interact. This will open a new tab labeled Shell 1. You can see I typed whoami and it displays root as the user. I also typed ls which displays a directory listing of the root linux directory that has been compromised. If you run a Hail Mary attack scan, you will find even more attacks available to you. Photos Pivot Through the Network Description Covert penetration testing within a red team exercise framework is sometimes required of a business s company network. Sometimes it s hard to scope out targets, but the process of pivoting can help with capturing targets, gaining faster access to a whole network. To initiate the pivot, use meterpreter - reverse_tcp on the compromised Windows 7 machine. Page 37

39 One the reverse_tcp fully loads, it shows the windows 7 machine as compromised. I later ran into issues with making the pivot due to the network adaptor setup in the virtual machines in VMware. VirtualBox defaults to NAT Network for this course, where I had to try out NAT and Host-only pairs but could still not achieve the wanted results. Photos Getting Stealth and Persistence Access Description Picking up where we left off with the windows7 exploited machine through reverse_tcp, we enter the meterpreter shell and we list the running processes. Note that winjan2 is running on Administrator with processid For stealth purposes, it would be in our best interest to hide the process from the user. With meterpreter shell, we can inject a process into another process. User Administrator explorer.exe is running on PID So we will migrate PID 3652 into Page 38

40 This eliminates process 3652 and now the trojan is located in Administrator explorer.exe. Now for ongoing access, we want persistence of course. This will help with picking things up where we left off with a vulnerability testing, and the like. As you can see, I had issues with this part. I wish I had a solution! Page 39

41 Course Results Final Quiz Results (2 nd Try) Certificate of Completion Page 40