You can find the lab demo here:

Similar documents
1. On Kali, first start the PostgreSQL database management and metasploit services:

Lab 3: Introduction to Metasploit

Lab 4: Scanning, Enumeration and Hashcat

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Lab 1: Creating Secure Architectures (Revision)

Metasploit Unleashed. Class 1: Metasploit Fundamentals. Georgia Weidman Director of Cyberwarface, Reverse Space

GAUTAM SINGH STUDY MATERIAL SOFTWARE QUALITY Unit 17. Metasploit

Nmap & Metasploit. Chun-Jen (James) Chung. Arizona State University

Lab 2: Creating Secure Architectures

A Taste of SANS SEC 560: Adventures in High-Value Pen Testing

ETHICAL HACKING LAB SERIES. Lab 13: Exploitation with IPv6

Audience. Pre-Requisites

Penetration Testing with Kali Linux

Lab 5: Web Attacks using Burp Suite

Lab 4: Metasploit Framework

Contents in Detail. Foreword by Peter Van Eeckhoutte

Evaluating Website Security with Penetration Testing Methodology

ETHICAL HACKING LAB SERIES. Lab 3: Using the SYSTEM Account

Metasploit. Installation Guide Release 4.4

AUTHOR CONTACT DETAILS

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

SECURITY TESTING: WINDOWS OS

PENETRATION TESTING. A HattdA-Oti Introduction. to Hacking. by Georgia Weidman. <e> no starch. press. San Francisco

Hackveda Training - Ethical Hacking, Networking & Security

APPLICATION NOTE AN0004 CHANGING THE IP ADDRESS ON AN EWSi PORTAL PLUS CONTROLLER WITH WINDOWS 7

Lab 8: Introduction to Pen Testing (HPING)

Vulnerability Validation Tutorial

Advanced Penetration Testing

CyberP3i Hands-on Lab Series

Vulnerability Assessment using Nessus

1. Download the latest version of the Kali Linux 64 bit ISO image:

Evaluation Guide for SNMPc v7.0

Access Switch VLAN Y Y.1 /24

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

Network I Lab 02. What are the major external components of the PC including the peripherals? / Characteristics

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

TROUBLESHOOTING : 1. Set up your wireless router via wired connection. 2. Please make sure your adapter is set to obtain IP automatically

TexSaw Penetration Te st in g

Hands-On Ethical Hacking and Network Defense 3rd Edition

NETWORK EXPLOITATION USING METASPLOIT FRAMEWORK

Who Am I. Chris Gates

Lab 6: OWASP, Backdoors and Web Discovery

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

PIG: Finding Truffles Without Leaving A Trace. Ryan Linn DEFCON 19

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

CPTE: Certified Penetration Testing Engineer

HHC 2017 writeup, by RedTeam611

Penetration testing using Kali Linux - Network Discovery

ISDP 2018 Industry Skill Development Program In association with

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

Introduction to Raspberry Pi 3 Model B Updates: 9/18/17 6/2/2018

If you have a computer enabled with Intel Active Management Technology

Pearson: Certified Ethical Hacker Version 9. Course Outline. Pearson: Certified Ethical Hacker Version 9.

Advanced Network Troubleshooting Using Wireshark (Hands-on)

CISSP - Certified Information Systems Security Professional

Cisco Unified Serviceability

Technical Support Information

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

ETHICAL HACKING LAB SERIES. Lab 15: Abusing SYSTEMS

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

CEH Tools. Sniffers. - Wireshark: The most popular packet sniffer with cross platform support.

دوره تست نفوذ. Ver.1.2 شما میتوانید آنلاین در این دوره ثبت نام بلافاصله از آن استفاده کنید. Information Gathering. Bash scripting

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions

Quick Start Guide. Get started in 5 minutes! This document will give a brief introduction about the product and its installation procedure.

May 2016 Version 1.2.7

A+ Guide to Managing & Maintaining Your PC, 8th Edition. Chapter 17 Windows Resources on a Network

Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration

Freshservice Discovery Probe User Guide

Emulex OneConnect NIC Teaming and Multiple VLAN Driver and Application Release Notes

Emulex OneConnect NIC Teaming and Multiple VLAN Driver and Application Release Notes

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1

Frequently Asked Questions. Scan to an SMB Share

FireAMP Connector for Mac Diagnostic Data Collection

Preview from Notesale.co.uk Page 11 of 332

Supporting Networked Computers

Computer Security 2017

eggplant v11.0 Mac OS X EggPlant: Getting Started

Cross Platform Penetration Testing Suite

Basics of executing a penetration test

Computer Security 2017

1. OnDemand ClientPack Download Instructions

Project 4: Penetration Test

Setting up. Discovering the Network. Planning Discovery Runs CHAPTER

Wireshark Lab: HTTP SOLUTION

Becoming the Adversary

QRM+ Tutorials. QNAP s Remote Server Management Solution. rev

POS. EPSON TM-U220 IP CONFIGURATION Windows Version (Firmware V. 4.00) a project guide to rezku POS

Introduction to TCP/IP

ISEC3700 ASSIGNMENT 2 LEARNING KALI LINUX LYNDA COURSE

It is possible to use OpenDLP in an agentless mode, but the agent shifts the processing to the host instead of the server.

Cisco 1: Networking Fundamentals

Radio over IP. Network Troubleshooting. IWCE 2019 Las Vegas Convention Center Las Vegas, Nevada

Chapter 3 LAN Configuration

Mobile Zero Client Management Console User Guide

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

MOC 6420A: Fundamentals of Windows Server 2008 Network and Applications Infrastructure

5.5.3 Lab: Managing Administrative Settings and Snap-ins in Windows XP

n Describe sniffing concepts, including active and passive sniffing n Describe sniffing countermeasures n Describe signature analysis within Snort

Transcription:

Lab 8: Armitage Aim The aim of this lab is to introduce you to Armitage. Armitage developed by Raphael Mudge provides an open source Graphical User Interface (GUI) front end to Metasploit and supports the security testing against a range of vulnerabilities. We will mainly be using a Kali instance a Windows XP instance, and a Windows 2003 server target. We will use Windows 2003 vulnerabilities to build exploits. Fir this, we will take the basic steps of: Scan, Exploit and Gathering. Further information about Armitage can be obtained at Armitage s Official Website. Activities: Complete Lab 8: Time to Complete: Armitage 2-3 hours Learning activities: At the end of this lab, you should understand: How to use Metasploit modules via Armitage GUI How to do host discovery using Armitage How to run an exploit using Armitage How to gather information about a compromised source using Armitage Lab Overview In this lab, our challenge is to use Windows 2003 and Windows XP vulnerabilities in order to build exploits. For this lab, you will be using Kali instance, Windows XP, and Windows 2003 instance. Your Kali DMZ, you Windows XP, and your Windows 2003 DMZ should be sitting in the same domain, having an IP address and being able to ping each other. You can find the lab demo here: http://asecuritysite.com/subjects/chapter52 We will be using ALLOCATION A [Link] http://asecuritysite.com/csn10107/prep 1 Bill, Naghmeh

A Setting up 1. On Kali, first start two services: PostgreSQL database management and Metasploit services by typing: service postgresql start service metasploit start Intro: PostgreSQL is an open source relational database management system (DBMS) developed by a worldwide team of volunteers and Metasploit framework is a tool for developing and executing exploit code against a remote target machine. 2. Next run Armitage on Kali: armitage Accept the default values, click on Connect, and then press Yes to start Metasploit. Check if you can see auxiliary, exploit, payload and post in Armitage window. Look back at previous labs, can you find the following: Double-click on exploit android browser webview_addjavascriptinterface Read about the exploit and answer the following questions: What is the version of Android that is affected by this vulnerability (hint: this could be found on the top window)? What the parameters used with the exploit (hint: they are the ones with + )? B Host discovery 3. Next we will try and discover some of the hosts on the network with an ARP sweep using Armitage by browsing to: auxillary scanner discovery arp_sweep (double click) Then click on RHOSTS+ and enter an IP range that includes your Windows 2003 machine (e.g. 172.16.174.0-172.16.174.20) in Value. Then click on Launch. Intro: The ARP Scan Tool (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment). 2 Bill, Naghmeh

How many hosts did it discover, and what are their details? 3. For one of the hosts found (select the one that is in your folder on vsoc), now do a TCP port scan. For this, select the host and then go to: auxillary scanner portscan tcp (double click) Then drop the number of the ports to 1-1000 Then click on Launch What are the set parameters? Which ports did it discover: 4. Next we will try and discover some Windows instances. For this run the nbname scanner: auxillary scanner netbios nbname Then check the RHOSTS+ value with the IP address of your Windows 2003 machine and then press Launch. (Hint: This sends NetBIOS requests to the host(s)) Intro: A NetBIOS Name is a unique identifier, up to 15 characters long with a 16th character type identifier, that NetBIOS services use to identify resources on a network running NetBIOS over TCP/IP (NetBT). Due to security issues with NetBIOS, mainly information leaks, it is often disabled on corporate networks. What are the set parameters? Which hosts did it discover, and what are their details: 3 Bill, Naghmeh

5. Next we will try and discover some Windows instances which are sharing with SMB. For this run the nbname scanner: auxillary scanner smb smb_version Launch Intro: In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an applicationlayer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. What are the set parameters? Define the SMB hosts on the network, and their operating system? Can you see that the logo is changed? Which port does SMB use? C Running an Exploit 7. The SMB service on Windows XP can be susceptible to MS08-067. Select the following and run it against your Windows XP instance: Exploit windows smb ms08_067_netapi Outline the MS08-067 vulnerability. Which parameter used in the exploit? Press Launch. How the icon on the main window changed? If so what does it look like? 4 Bill, Naghmeh

8. Next run the Meterpreter Shell Right click on the new red icon that appears on your Armitage window and select Meterpreter1 > Interact> Meterpreter Shell In the console window, type the following commands and look at the information each command gives you: help: getsystem: getuid: getsid: getpid: 9. Next we will grab the username database and use John the Ripper to crack them: Type: Hashdump Then copy and paste the hashdump by creat a file name hashtocrack and paste the hash sudo nano hashtocrack and then call John the Ripper: john hashtocrack 10. Log into your Windows XP target. Now using the Administrator details for Windows XP, connect to the server with psexec, perform the following: Now right-click on the compromised Windows XP in Armitage, and capture a screen shot by right click on compromised Windows XP on Armitage > select: Metepreter 1> select: Explore > select: Screenshot. Was it successful? Now: right click on compromised Windows XP on Armitage> select: Metepreter 1> select: Explore > select: show processes. What are some of the processes running? 5 Bill, Naghmeh

Now return to Windows XP and run a program, e.g. nopepad.exe and follow the command above and check if you can see notepad.exe in the list of processes. Now: right click on compromised Windows XP on Armitage> select: Metepreter 1> select: Explore > select: Brows Files. What are the folders in the top level of C? Now: right click on compromised Windows XP on Armitage> select: Metepreter 1> select: Explore > select: Log Keystrokes > Launch Which file was used to store the key strokes? Return to Windows XP and type some worlds. On Armitage, check if you can see the keystrokes sent from compromised Windows XP. Check if you see see the keystrokes on the specified path. Now: right click on compromised Windows XP on Armitage> select: Metepreter 1> select: Interact > select: Desktop (VNC) Armitage will tell you the IP address and port to connect to on the screen. Next open a terminal any enter the command: vncviewer [IP]:port Can you connect to the remote instance? 6 Bill, Naghmeh

D Gathering information 11. Next we want to gather some information from a host. First run the following: Post Windows Gather CheckVM Launch (hint: to check if the machine is a virtual machine or a real server) Is the instance a virtual machine? Run an ARP scan by click on: Post Windows Gatherer Arp_scanner Launch Which nodes and MAC addresses did it find: Now run a netstat on the compromised node: Post Windows Gatherer tcpnetstat Launch Outline some of the ports that are open: Next run the following and gather information: Module Post/Windows/Gatherer/enum_ie Information gained post/windows/gather/credential_collector post/windows/manage/migrate post/windows/gather/dumplinks post/windows/gather/enum_applications 7 Bill, Naghmeh

post/windows/gather/enum_logged_on_users post/windows/gather/enum_shares post/windows/gather/usb_history post/windows/capture/keylog_recorder 8 Bill, Naghmeh

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback