---
tags: Penetration testing, CPENT
---

# CPENT iLab Notes - Module 06: Network Penetration Testing Methodology-Internal (Expected Duration 6 Hr 48 Minutes) - PART A

## Objective

The objective of this lab is to provide knowledge on network, system and user enumeration and other penetration testing methodologies that include:

- Service enumeration
- Password audits
- Vulnerability Assessment
- OS pentesting
- Privilege Escalation

Scenario

Both internal and external network attacks are conducted in almost the same way, except that in an internal pen test the attacker may possess authorized access or may start from a point within the internal network. Such insider attacks tend to be more disastrous, since the attackers already know which assets within the network are essential and where they are located.

As a penetration tester or a Security Auditor, you must know how to enumerate target networks, users and services, perform vulnerability assessment, exploit vulnerabilities, extract as much employee data as possible, and attain escalated privileges on the target.

## Exercise 1: Scanning with Netdiscover

Scenario

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the Netdiscover tool, which is easy to use.

In this lab, you will

- Start the Netdiscover tool
- Explore the different scan options
- Scan and review the data from Netdiscover

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 16_38_06-Image](https://hackmd.io/_uploads/BywFu-X66.png)

2. By default **pentester** is selected as the **user**. Type **toor** in the Password field and press Enter.

![2024-03-04 16_38_49-設定](https://hackmd.io/_uploads/ryInO-Qaa.gif)

3. Open a terminal window and enter netdiscover -h. This will display the netdiscover commands as shown in the screenshot:

![2024-03-04 16_39_38-Image](https://hackmd.io/_uploads/Byf1tbQpa.jpg)

4. This tool allows the user to discover live systems. In the terminal window, enter sudo netdiscover -i eth0 -p. If you are asked to enter a password, enter toor.

![2024-03-04 16_40_01-Image](https://hackmd.io/_uploads/rk1ZF-7Ta.jpg)

5. In the passive option, targets are discovered slowly, because netdiscover only listens for ARP traffic and it takes a long time for results to appear. To save time, you can create your own traffic by doing a ping sweep using nmap, which is demonstrated in the next step.

![2024-03-04 16_40_27-Image](https://hackmd.io/_uploads/ry0Gt-Xa6.jpg)

6. In a new terminal window, run an nmap ping sweep to generate traffic. To do a ping sweep, type nmap -sn 192.168.0.0/24 and press Enter.

![2024-03-04 16_41_04-Image](https://hackmd.io/_uploads/B1OHYZXTp.jpg)

7. Switch back to the netdiscover window to view the output.

![2024-03-04 16_41_45-Image](https://hackmd.io/_uploads/SyCPYZ7T6.jpg)

8. At times, some machines may not be discovered due to reasons such as the existence of a firewall or some other filter. In such situations, you may use a Transmission Control Protocol (TCP) scan to confirm the existence of the new machine. To perform a TCP scan, enter the command nmap -sT 192.168.0.0/24.

![2024-03-04 16_45_51-Image](https://hackmd.io/_uploads/HJ1P5-7pa.jpg)

9. Note that you have not scanned all 65,536 ports, which is preferable. Depending on the target machines' settings, access to and data obtained from a machine may be limited. Upon scan completion, switch back to the netdiscover window to view the output. In this lab, the netdiscover output remains the same, as no new machines were discovered during the nmap scan.

![2024-03-04 16_46_34-Image](https://hackmd.io/_uploads/BJxqqZmTT.jpg)

10. If stealth is not part of the scope of the test and a passive scan is unnecessary, an active scan is the best choice. To discover targets, use Netdiscover as a scanner.
To search the network for targets, exit the current netdiscover scan, type sudo netdiscover -i eth0 -r 192.168.0.0/24 in the terminal window and press Enter. If you are asked to enter a password, enter toor.

![2024-03-04 16_49_03-Image](https://hackmd.io/_uploads/S1qGsbm6a.jpg)

11. The targets will be displayed on the screen after some time, as shown in the screenshot. (To speed up the process, you can run an nmap ping sweep scan.)

![2024-03-04 16_49_33-Image](https://hackmd.io/_uploads/S1sVoWQa6.jpg)

12. This new method validates your live and target machines. This concludes the lab exercise.

## Exercise 2: Scanning and Scripting with hping3

Scenario

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the hping3 tool.

In this lab, you will:

- Start the hping3 tool
- Conduct a query with hping3
- Check hping3 capabilities
- Execute a simple script within the hping3 command environment
- Capture packets with hping3
- Conduct an hping3 scan
- Review the data from the scan
- Send files using ICMP

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 16_52_43-Image](https://hackmd.io/_uploads/SJiehWX6p.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 16_53_12-Image](https://hackmd.io/_uploads/Sk_fhWQ6a.jpg)

3. In a terminal window, type sudo hping3 and press Enter. This will show the tool options.

4. Hping3 is a powerful tool. It is a TCL scripting engine contained within a shell. For the first attempt, practice with a few commands.

5. To begin the lab, launch hping3 by issuing the command sudo hping3 in a command line terminal. If you are asked to enter a password, type toor and press Enter.

![2024-03-04 16_53_41-Image](https://hackmd.io/_uploads/HkvNhZ7Tp.jpg)

6. The first command will send a simple Internet Control Message Protocol (ICMP) echo request to a target.
Select one of the available targets you have discovered and enter the following command, replacing the IP address with that of the machine you are targeting. In this lab, we are targeting 192.168.0.7. So, type hping send {ip(daddr=192.168.0.7)+icmp(type=8,code=0)} and press Enter. This command will send an ICMP type 8 code 0 echo request to a target, as shown in the screenshot.

```bash=
$sudo hping3
hping3> hping send {ip(daddr=192.168.0.7)+icmp(type=8,code=0)}
```

![2024-03-04 16_54_11-Image](https://hackmd.io/_uploads/H1JL2WmTp.jpg)

7. If the ICMP echo request is not visible, verify it by opening a new terminal window; type sudo tcpdump -i eth0 and press Enter. If you are asked to enter a password, type toor and press Enter. This will capture the network traffic. Run the command again and watch the output of the tcpdump command.

![2024-03-04 16_55_51-Image](https://hackmd.io/_uploads/Bk7hhbXTT.jpg)

![2024-03-04 16_56_20-Image](https://hackmd.io/_uploads/Hy66nW7a6.jpg)

8. Start a query using the scripting capability of the TCL language. The basic syntax is easy to use. In the hping3 terminal window, type the following command (all on one line) and press Enter:

```bash=
hping3> foreach i [list 5 6 7 8 9 10] {hping send "ip(daddr=192.168.0.7,ttl=$i)+icmp(type=8,code=0)"}
```

This command will set the time-to-live (TTL) to 5 for the first ICMP echo request and increment it by 1 for each request sent after that. The output will take time to appear; you may run tcpdump and capture it by entering **sudo tcpdump -i eth0 -x -vv | grep ICMP**, as shown in the screenshot.

```bash=
$sudo tcpdump -i eth0 -x -vv | grep ICMP
```

![2024-03-04 16_57_52-Image](https://hackmd.io/_uploads/r1jmab7aT.jpg)

9. Next, identify the capability of hping3 to receive packets. Enter a simple loop to receive packets. In the hping3 terminal window, enter the following command:

```
while 1 {
    set p [lindex [hping recv eth0] 0]
    puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}
```

10. The command shown above will loop and receive packets until you press Ctrl+C to stop the loop. Enter the commands exactly as shown above to keep the code valid. To scroll through the packet view, open a new terminal window and ping a target by typing ping 192.168.0.7, as shown in the screenshot.

![2024-03-04 16_59_29-Image](https://hackmd.io/_uploads/S1KK6-7pa.jpg)

![2024-03-04 16_59_52-Image](https://hackmd.io/_uploads/B1Is6ZX6T.jpg)

11. Using your chosen text editor, type "**You are under attack!**" and save the file as **attack.sig** in the Home folder.

![2024-03-04 17_00_26-Image](https://hackmd.io/_uploads/ryLTabXTp.jpg)

12. The hping3 tool allows users to send messages. Accordingly, send the message as a string. Open a new terminal window, type **sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E attack.sig**, and press Enter. Type toor in the password field and press Enter. This will send the packet to port 139 from port 500.

```bash=
$sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E attack.sig
```

![2024-03-04 17_01_39-Image](https://hackmd.io/_uploads/Syi-C-X6a.jpg)

13. Use Wireshark to view the packet information. In a new terminal window, type sudo wireshark and press Enter. If you are asked to enter the password, enter toor.

![2024-03-04 17_02_00-Image](https://hackmd.io/_uploads/SJ7XRb7p6.jpg)

14. The Wireshark GUI appears; select the **eth0** interface.

![2024-03-04 17_02_28-Image](https://hackmd.io/_uploads/BkTVC-X6a.jpg)

15. The window shows the Internet Security Association and Key Management Protocol (ISAKMP) traffic, as you are using User Datagram Protocol (UDP) port 500. The lower window also shows that the message you specified is carried within the packet.

![2024-03-04 17_03_06-Image](https://hackmd.io/_uploads/S18vAZXpT.jpg)

16. The message in the packet can also be displayed using tcpdump: type sudo tcpdump -i eth0 -nX in the terminal window. If you are asked to enter the password, enter toor.
![2024-03-04 17_03_29-Image](https://hackmd.io/_uploads/B15uRb7pT.jpg)

17. Scan a target using hping3. Open a new terminal window and enter **sudo hping3 --scan known 192.168.0.7 -S**. This command displays the list of open ports/services running on the target.

```bash=
$sudo hping3 --scan known 192.168.0.7 -S
```

![2024-03-04 17_03_50-Image](https://hackmd.io/_uploads/BJB9AbXTa.jpg)

18. Hping3 is a powerful scanning tool; in the previous example, the known option only scanned the ports listed in /etc/services. Next, specify a range to scan. In the terminal window, enter **sudo hping3 --scan '0-3000' 192.168.0.7 -S**, as shown in the screenshot.

```bash=
$sudo hping3 --scan '0-3000' 192.168.0.7 -S
```

![2024-03-04 17_04_56-Image](https://hackmd.io/_uploads/Bkx00W7p6.jpg)

19. Finally, send files using ICMP. Open two terminal windows and position them side-by-side.

20. In the first terminal window, enter **sudo hping3 127.0.0.1 --listen signature --safe --icmp**. Enter toor as the password if asked.

```bash=
$sudo hping3 127.0.0.1 --listen signature --safe --icmp
Enter password: toor
```

21. Create an ICMP packet to send as a file to the listening hping3 window. This could be accomplished across machines by simply changing the IP addresses. For the purposes of this exercise, the loopback address will be used instead.

22. In the second terminal window, type **sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd**. Enter toor as the password if asked.

```bash=
$sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd
```

23. The file contents begin to appear in the first terminal as shown in the following screenshot:

![2024-03-04 17_05_56-Image](https://hackmd.io/_uploads/SJ0-1M7pa.jpg)

24. The file has been transmitted successfully. Note that this could be any ASCII file and the process can be used for a number of different actions. This concludes the lab exercise.
## Exercise 3: Scanning and Building a Target Database

Scenario

Once the tools have been used, a target database must be created to prioritize targets. This is a critical step in producing the final report. The objective of this lab is to help students analyze the output of a tool and check whether they can start to populate the target database used to produce the report.

In this lab, you will

- Scan for targets
- Conduct the scanning methodology
- Review the data from the scans
- Analyze the scan output
- Build an initial target database

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/B1C7JzXap.jpg)

2. By default **pentester** is selected as the user. Type **toor** in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/S1rHyf7ap.jpg)

3. Launch a command-line terminal. In a terminal window, type nmap and press Enter. This exercise requires a good understanding of the scanning methodology. A quick review of the commands is listed here, but not the graphic images.

4. Enter the following:

- Live Systems: **-sP**
- Ports: **-sS**
- Services: **-sV**
- Enumerate: **-A**

5. The output can be made into XML format by adding "X" to the output option. This requires converting the output to HTML. Older browsers could render the XML format, but this is not reliable, since most browsers no longer allow such rendering owing to security settings.

6. Convert the file to HTML using the xsltproc command. Enter **xsltproc -o ~/scanresults.html /usr/share/nmap/nmap.xsl scan.xml**.

7. An example of the XML-formatted output is shown in the screenshot.

![2024-03-04 17_07_55-Image](https://hackmd.io/_uploads/HyQYkfQap.jpg)

8. The XML format is a good choice for preparing and creating the database.

9. Next, populate the target database. For this, the following database information is required:

- Host/IP
- OS
- Ports
- Services
- Vulnerabilities
- Exploit
- Notes
- Priority

10. The database table key is as follows:

- Host/IP: Include both items if available, or only the IP
- OS: Include all information available in order to provide specific service packs, so that the target selection is easier
- Ports: If too many ports exist, only include those relevant
- Services: The service and the version to the best of knowledge
- Vulnerabilities: The vulnerabilities discovered either with a scanner, manually, or through personal research
- Exploit: Any exploit that can be linked to a vulnerability for the targets; if successful, write it in red
- Notes: Any additional information discovered about the target

11. An example of the above is shown in the screenshot.

![2024-03-04 17_08_25-Image](https://hackmd.io/_uploads/r1ZoJMQTp.jpg)

12. From this point forward, create a target database for every opportunity, range, or environment.

13. This concludes the lab exercise.

## Exercise 4: Using Workspaces and db_nmap

Scenario

In this lab, you will

- Conduct the task of creating workspaces
- Use db_nmap contained within the Metasploit Framework
- Store and retrieve the scan results from the tool
- Import the results into a Metasploit module

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/Sklz61fma6.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/rkCzgGmTT.jpg)

3. Log in to the Parrot machine and open a terminal window. Set up and initialize the **SQL server**. In the terminal window, type **sudo service postgresql start** and press Enter. Enter the password toor if you are required to. This command starts the **PostgreSQL database** service.

```bash=
$sudo service postgresql start
```

4. After the database is launched, type **sudo msfdb init** and press Enter. Enter the password toor if you are required to.
The **msfdb init** command initializes and creates the PostgreSQL database for Metasploit.

```bash=
$sudo msfdb init
```

5. If a database appears to be already configured, a message to skip initialization appears; ignore the message.

6. Once the databases are created and initialized, we can quickly fire up Metasploit using the command **sudo msfconsole**. Enter the password toor if you are required to.

```bash=
$sudo msfconsole
```

7. To find out the status of the database, type db_status in the terminal window, as shown in the screenshot.

```bash=
msf> db_status
```

![2024-03-04 17_13_01-Image](https://hackmd.io/_uploads/B183gz7Tp.jpg)

8. The Metasploit tool has different workspaces; type **workspace -h** to see the different commands available for the workspace. Once you have reviewed them, continue.

```bash=
msf> workspace -h
```

![2024-03-04 17_13_54-Image](https://hackmd.io/_uploads/HJ91bGmaT.png)

9. Create a workspace for your data by typing **workspace -a LPT**. You now have a workspace set up. You are ready to use the built-in Nmap database within Metasploit.

```bash=
msf> workspace -a LPT
```

![2024-03-04 17_14_53-Image](https://hackmd.io/_uploads/B1PXbzQaa.png)

10. Next, use the tool to conduct the scanning methodology. Enter db_nmap -sP 192.168.0.0/24, as shown in the screenshot.

```bash=
msf> db_nmap -sP 192.168.0.0/24
```

![2024-03-04 17_15_23-Image](https://hackmd.io/_uploads/HktB-f7pp.png)

11. Once the scan is complete, move to the next step; type **db_nmap -sS 192.168.0.2-30**.

12. Once the scan is complete, move to the next step; type **db_nmap -sV 192.168.0.2-30**.

13. Once the scan is complete, move to the next step; type **db_nmap -A 192.168.0.2-30**.

14. You have now conducted the bulk of the scanning methodology. Sufficient data have been stored in the workspace. To examine the database information, type services and press Enter, as shown in the screenshot.

![2024-03-04 17_26_21-Image](https://hackmd.io/_uploads/HknA7G7Tp.jpg)

15. The results show all services from the scans; this is the start of the target database, and works well for penetration testing.

16. Next, examine the database list of hosts; type **hosts**, as shown in the screenshot.

```bash=
msf> hosts
```

![2024-03-04 17_26_50-Image](https://hackmd.io/_uploads/BkqlVGQa6.jpg)

17. Because of the virtual environment, you may not receive the most accurate data. Additional analysis is needed to better clarify the targets.

18. Enter **hosts -h** to see the different available options. Query the hosts command to display only the IP address and OS type using the "-c" switch.

19. Type **hosts -c address,os_flavor** and press Enter, as shown in the screenshot.

![2024-03-04 17_27_58-Image](https://hackmd.io/_uploads/Hk_NVfQ6p.jpg)

20. Note that you can also search all entries for a specific target. If you wish to find only Linux-based machines from the scan, use the "-S" option. This option can be combined with our previous example to fine-tune the results. Type **hosts -c address,os_flavor -S Linux**.

```bash=
msf> hosts -c address,os_flavor -S Linux
```

![2024-03-04 17_28_20-Image](https://hackmd.io/_uploads/rkaHVMX6p.jpg)

21. Next, import the results of the scans into a Metasploit module. Type **use auxiliary/scanner/portscan/tcp** and press Enter.

```bash=
msf> use auxiliary/scanner/portscan/tcp
```

22. Input the data into the scanner by using the -R option; type **hosts -c address,os_flavor -S Linux -R** and press Enter, as shown in the screenshot.

```bash=
msf> hosts -c address,os_flavor -S Linux -R
```

![2024-03-04 17_29_34-Image](https://hackmd.io/_uploads/r1YcNM76T.jpg)

23. The above command will import the matching hosts from the hosts table into RHOSTS; you can view this by entering **show options**. Note that there might be extra hosts in the database.

```bash=
msf> show options
```

![2024-03-04 17_36_24-Image](https://hackmd.io/_uploads/rJzNLM7pp.jpg)

24. Once you are ready, type **run** and press Enter.
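Exercise 3 lists the columns of the target database and recommends Nmap's XML output as the source, and the `hosts -c address,os_flavor -S Linux` query in this exercise shows the same data being filtered inside Metasploit. The script below is an added example, not part of the CPENT lab: it parses an Nmap `-oX` document with the standard library and produces one target-database row per live host, then selects columns and filters by OS family the way the `hosts` command does. The XML document embedded in it is constructed for the example and is not lab output.

```python
"""Build target-database rows from Nmap XML (-oX) output.

Added example, not part of the CPENT lab. The row fields mirror the
Exercise 3 target database (Host/IP, OS, Ports, Services, ...); the
select_hosts() helper mimics `hosts -c <columns> -S <os>` from Exercise 4.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Nmap XML document with two hosts.
# The addresses, names and versions are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.0.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.0.7" addrtype="ipv4"/>
    <hostnames><hostname name="win-host.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="96"><osclass osfamily="Windows" osgen="7"/></osmatch></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.0.22" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18"/></port>
    </ports>
    <os><osmatch name="Linux 4.4" accuracy="93"><osclass osfamily="Linux" osgen="4.X"/></osmatch></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one target-database row (dict) per host whose status is up.
    Only open ports are kept, following the 'include those relevant' key."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")            # Nmap lists the best match first
        osclass = host.find("os/osmatch/osclass")
        ports, services = [], []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            ports.append(int(port.get("portid")))
            services.append(f"{port.get('portid')}/{port.get('protocol')} {name} {product}".strip())
        rows.append({
            "host": hostname.get("name") if hostname is not None else "",
            "ip": addr.get("addr") if addr is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "os_family": osclass.get("osfamily") if osclass is not None else "unknown",
            "ports": ports,
            "services": services,
            "vulnerabilities": [],   # filled in later from a scanner or manual research
            "exploit": "",
            "notes": "",
            "priority": "",
        })
    return rows


def select_hosts(rows, columns, os_family=None):
    """Like `hosts -c col1,col2 -S <os>`: keep only the chosen columns and,
    if os_family is given, only hosts whose OS text contains it (case-insensitive)."""
    out = []
    for r in rows:
        if os_family and os_family.lower() not in (r["os_family"] + " " + r["os"]).lower():
            continue
        out.append({c: r[c] for c in columns})
    return out


if __name__ == "__main__":
    for row in select_hosts(parse_nmap_xml(SAMPLE_NMAP_XML), ["ip", "os", "services"], os_family="Linux"):
        print(row)
```

To use it on a real scan, read `scan.xml` into a string and pass it to `parse_nmap_xml`; the closed port 3389 in the sample shows why the state check matters, since Nmap records closed and filtered ports in the XML as well.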
The scan will be conducted against the targets added to the database, as shown in the screenshot.

![2024-03-04 17_36_54-Image](https://hackmd.io/_uploads/S1e8LzmTa.png)

25. You have diverse search options; for this, type services -c name,info -S http and press Enter. This will search the hosts for services with HTTP in the name.

```bash=
msf> services -c name,info -S http
```

26. There are many combinations for searching. You can use specific ports or port ranges, or the full or partial service name when using the "-s" or "-S" switches, for all hosts or a select few. However, you may need to experiment with these features in order to obtain the desired results.

27. As you have seen in this exercise, there are many options to work with when using the database capability within Metasploit; therefore, you are encouraged to research on your own.

28. This concludes the lab exercise.

## Exercise 5: Performing Passive OS Fingerprinting to Obtain Remote Operating System Information

Scenario

Active OS fingerprinting involves sending a packet to the designated system in a network and examining the response to identify the operating system. Passive OS fingerprinting, in contrast, is the process of identifying the operating system by inspecting the initial Time To Live (TTL) in the IP header and the TCP window size (the size of the receive window) of the first packet sent from a host in a TCP session, i.e. the SYN or SYN+ACK packet.

As a penetration tester, you need to know how to perform passive OS fingerprinting in a network. In this lab, you will learn how to perform passive OS fingerprinting using the p0f tool.

Lab Duration: 15 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/Sy-PIMQpp.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/H1qDIGXp6.jpg)

3. In this lab, we will try to retrieve operating system related information from a machine hosting an FTP server, using a tool named **p0f**.

4. Now, launch a command line terminal, type sudo p0f -i any -p -o /tmp/sniff.log and press Enter. Type toor and press Enter when prompted for the password. p0f begins to listen on all the interfaces of Parrot, and whenever it captures a packet, it decodes the header information and guesses the operating system.

    a. The -i switch selects the interface.
    b. The -p switch sets the tool to run in promiscuous mode.
    c. The -o switch stores the output in the /tmp location inside a file named sniff.log.

![2024-03-04 17_37_58-Image](https://hackmd.io/_uploads/Bke0tLzmTp.jpg)

5. Now, launch another command line terminal, type ftp 172.19.19.9 and press Enter. This will ask you to enter login credentials. By doing so, the client, i.e., the Parrot machine, sends the request and the machine hosting the FTP server responds to the query.

    Note: 172.19.19.9 is the IP address of the machine hosting the FTP server.

![2024-03-04 17_38_19-Image](https://hackmd.io/_uploads/H1mjLfm6a.png)

6. Switch to the command line terminal where p0f is running and scroll up the window. You will observe that p0f has analyzed all the requests and responses and decoded them to display information such as **OS**, **raw signature** and **raw mtu**. In this lab, p0f identified the operating system as **Windows 7 or 8** (or its equivalent). Scroll down the window to view the header information of each packet decoded by the tool.

![2024-03-04 17_38_41-Image](https://hackmd.io/_uploads/SJK3Lf7p6.jpg)

Thus, you have learned how to perform passive OS fingerprinting using the p0f tool.

## Exercise 6: OS Fingerprinting with Nmap

Scenario

A penetration tester must use a tool to fingerprint the OS. The choice of tool here is the most popular tool on the market that is free and open source: Nmap.
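The Exercise 5 scenario above explains passive fingerprinting as reading the initial TTL and the TCP window size from the first packet of a session. The script below is an added example of that reasoning and is not part of the lab, nor is it p0f's own logic or signature database: it rounds an observed TTL up to the nearest common initial value (64, 128 or 255) to recover both the stack's default and the hop count, then looks the (initial TTL, window) pair up in a small signature table that is constructed for illustration. The sample observations are constructed, not a real capture, and only the SYN and SYN+ACK packets are classified, as the scenario describes.

```python
"""Passive OS guess from the initial TTL and TCP window size of a SYN / SYN+ACK.

Added example, not part of the CPENT lab and not p0f's code. The SIGNATURES
table is constructed for illustration; real tools keep much larger tables
with more fields (TCP options, MSS, DF flag, and so on).
"""
from dataclasses import dataclass

# Initial TTLs that common TCP/IP stacks write into outgoing packets. The value
# seen on the wire is the initial TTL minus the number of routers crossed.
INITIAL_TTLS = (64, 128, 255)

# Constructed, illustrative table: (initial_ttl, window_size) -> label.
SIGNATURES = {
    (64, 29200): "Linux 3.x/4.x (default window)",
    (64, 5840): "Linux 2.6 (default window)",
    (64, 65535): "FreeBSD / macOS (typical window)",
    (128, 8192): "Windows 7 or 8 (typical window)",
    (128, 65535): "Windows (large window)",
    (255, 4128): "Cisco IOS (typical window)",
}


@dataclass
class Observation:
    """The few header fields the classifier needs from one captured packet."""
    src: str
    ttl: int
    window: int
    syn: bool
    ack: bool


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the smallest common initial TTL >= it.
    Returns (initial_ttl, estimated_hops), or (None, None) if out of range."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def fingerprint(obs):
    """Classify one packet. Only the first packet of a session (SYN or
    SYN+ACK) carries the stack's defaults, so anything else is skipped."""
    if not obs.syn:
        return None
    initial, hops = infer_initial_ttl(obs.ttl)
    if initial is None:
        return None
    label = SIGNATURES.get((initial, obs.window), f"unknown stack (initial TTL {initial})")
    return {"src": obs.src, "initial_ttl": initial, "hops": hops,
            "window": obs.window, "os_guess": label,
            "direction": "SYN+ACK (server)" if obs.ack else "SYN (client)"}


# Constructed sample (not a real capture): the client SYN, the FTP server's
# SYN+ACK, and a later data packet from the server that must be ignored.
SAMPLE = [
    Observation("172.19.19.20", ttl=61, window=29200, syn=True, ack=False),
    Observation("172.19.19.9", ttl=126, window=8192, syn=True, ack=True),
    Observation("172.19.19.9", ttl=126, window=8192, syn=False, ack=True),
]


def run(observations=SAMPLE):
    """Return the fingerprint records for every classifiable packet."""
    return [r for r in (fingerprint(o) for o in observations) if r]


if __name__ == "__main__":
    for record in run():
        print(record)
```

The hop estimate is what makes the TTL usable at all: a TTL of 126 is two hops from 128, not 62 hops from 64, which is why the rounding goes upward to the next common initial value. The window size alone is weak evidence, since applications and virtualized stacks change it, which is one reason p0f reports a whole raw signature rather than these two fields.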
The objective of this lab is to help students use the Nmap tool and focus on the tool's OS capability.

In this lab, you will

- Fingerprint the OS
- Compare different scan options
- Analyze the tool output

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/S1GJwfXpT.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/BJ5yDGQp6.jpg)

3. There is a specific option for attempting to enumerate the OS with Nmap: the -O option (the "O" is the letter, not zero).

4. Using your target database, use the -O option to fingerprint the OS.

5. Start capturing on Wireshark.

6. In a terminal window, type sudo nmap -O 192.168.0.X, replacing the "X" with the required IP address number from your target database, as shown in the screenshot.

    Note: If you are asked to enter the password, type toor and press Enter.

![2024-03-04 17_39_59-Image](https://hackmd.io/_uploads/HJuZDM76p.jpg)

7. Carefully review the results and transfer the required data to the target database.

8. As required, re-scan and enter the required IP addresses for the other machines to finish populating your target database.

9. Note that Nmap is noisy and uses many packets to detect the OS; if stealth is a requirement, this may not be the best tool.

10. It is imperative to use multiple tools, at least two, to validate and verify the information that a tool discovers.

11. Once you fully understand the process, you may continue to review and evaluate the tools that you need to be a professional security tester.

12. This concludes the lab exercise.

## Exercise 7: Scanning with DMitry

Scenario

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the DMitry tool.
The following activities are included in this lab:

- Start the DMitry tool
- Set up the network environment
- Scan and review the data from the DMitry tool

Lab Duration: 5 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/Sk9MvzmTa.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/Hy-7wfXpa.jpg)

3. Obtain the list of targets using the following scanning methodology:

    a. Live Systems
    b. Ports
    c. Services
    d. Enumeration
    e. Identify vulnerabilities
    f. Exploitation

4. Enter **sudo nmap -sn 192.168.0.0/24**. Type toor if you are asked to enter the password. An example of a partial output from the command is shown in the screenshot.

```bash=
$sudo nmap -sn 192.168.0.0/24
```

![2024-03-04 17_40_54-Image](https://hackmd.io/_uploads/ryeBwfXpT.jpg)

5. The scan reveals a selection of targets, records information about them, and helps determine which ones to target. Since you have used the Nmap tool, switch to another tool. Note that this module requires proficiency in at least two to three tools for each step of the process.

6. Open a terminal window and enter dmitry -pf 192.168.0.22, as shown in the screenshot.

```bash=
$dmitry -pf 192.168.0.22
```

![2024-03-04 17_41_59-Image](https://hackmd.io/_uploads/rJQoPGma6.jpg)

![2024-03-04 17_42_15-Image](https://hackmd.io/_uploads/HkXoDzXap.jpg)

![2024-03-04 17_42_32-Image](https://hackmd.io/_uploads/rkQswMXT6.jpg)

7. The DMitry tool, a port scanner, provides all port information (for more information about the tool, please see the man page).

8. In the terminal window, enter **dmitry -pb 192.168.0.22**, as shown in the screenshot.

```bash=
$dmitry -pb 192.168.0.22
```

![2024-03-04 17_43_23-Image](https://hackmd.io/_uploads/SyZ0DMXa6.png)

9. You are now viewing a banner grab as well as a port scan, as shown in the above screenshot.

10. If there is time, continue using the tool and explore more options.

11. This concludes the lab exercise.

## Exercise 8: Create a Python Script to Grab the Banner of the ssh Service

Scenario

In this lab, you will create a Python script to grab the banner of the secure shell (SSH) service.

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/SJTRvzQp6.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/S141OzQpp.jpg)

3. Open a terminal window on the Parrot machine and enter the following code.

![2024-03-04 17_44_02-Image](https://hackmd.io/_uploads/rk1ZuGm6a.png)

4. As you review the image, consider the following explanation:

- The import statement loads the required socket library
- bangrab is a variable that stores the created socket
- The socket type is a TCP socket, based on SOCK_STREAM
- Once the socket is created, you can access and manipulate the socket using the appropriate function calls
- The connect function is used to specify the address and port for the connection
- The receive statement receives the data from the socket

5. This process is used to extract the banner of any port, provided you change the number of the connecting port.
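Step 4 above describes a banner grab as connect-then-recv, and the rest of this exercise matches the returned string against a file of known-vulnerable versions. The script below is an added example, not code from the lab: it applies the same idea to SSH specifically, reading until the identification line that RFC 4253 section 4.2 defines (servers may send other lines before it, so a single `recv(1024)` can miss or mix it up), parsing the line into protocol version, software name and version, and comparing the version numerically instead of by substring. The `MIN_OK` threshold table is a constructed placeholder for the example, not an advisory, and `read_ssh_banner` is only exercised against a live host, so the parsing functions are the part to test offline.

```python
"""Grab and parse an SSH server identification string.

Added example, not part of the CPENT lab. The server's first line has the form
"SSH-protoversion-softwareversion SP comments CRLF" (RFC 4253, section 4.2),
optionally preceded by other lines that clients must ignore.
"""
import socket


def read_ssh_banner(host, port=22, timeout=3.0):
    """Connect and return the first line starting with 'SSH-' (CRLF stripped),
    or '' if the peer sends none before the timeout or the connection fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            buf = b""
            while len(buf) < 4096:           # bound the pre-banner noise we accept
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:          # consume complete lines as they arrive
                    line, buf = buf.split(b"\n", 1)
                    if line.startswith(b"SSH-"):
                        return line.rstrip(b"\r").decode("utf-8", "replace")
            return ""
    except OSError:
        return ""


def parse_ssh_banner(line):
    """Split 'SSH-2.0-OpenSSH_8.4p1 Debian-5' into its fields; None if not SSH."""
    if not line.startswith("SSH-"):
        return None
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)              # 'SSH', protoversion, softwareversion
    if len(parts) != 3:
        return None
    software = parts[2]
    name, _, version = software.partition("_")   # OpenSSH uses name_version
    return {"protocol": parts[1], "software": software,
            "name": name, "version": version, "comments": comments}


def version_tuple(v):
    """'7.2p2' -> (7, 2, 2): numeric components only, so versions compare
    in order rather than by string containment."""
    out = []
    for piece in v.replace("p", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            out.append(int(digits))
    return tuple(out)


# Constructed threshold table for the example (hypothetical, not an advisory):
# software name -> lowest version considered acceptable.
MIN_OK = {"OpenSSH": (7, 4)}


def flag_outdated(line):
    """Classify a banner line as 'ok', 'outdated' or 'unknown software'."""
    info = parse_ssh_banner(line)
    if info is None:
        return None
    floor = MIN_OK.get(info["name"])
    if floor is None or not info["version"]:
        return {"banner": line, "status": "unknown software"}
    old = version_tuple(info["version"]) < floor
    return {"banner": line, "status": "outdated" if old else "ok"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    banner = read_ssh_banner(target)
    print(target, flag_outdated(banner) if banner else "no SSH banner")
```

Run it as `python3 sshbanner.py 192.168.0.22` against a host from your target database; the numeric comparison is what prevents a banner such as `OpenSSH_7.2p2` from being judged by whether the digits happen to appear inside some line of a text file.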
6. For a more robust type of banner grabbing tool, you can refer to the following code (rewritten here for Python 3; the lab's original was Python 2 syntax, and checkVulns is now called from main so the banner check actually runs):

```python=
#!/usr/bin/env python3
import socket
import sys

# grab the banner from one ip:port; returns the banner text, or '' on failure
def grab_banner(ip_address, port):
    try:
        with socket.socket() as s:
            s.settimeout(2)                    # do not hang on filtered ports
            s.connect((ip_address, port))
            banner = s.recv(1024).decode('utf-8', errors='replace').strip()
        print(ip_address + ':' + str(port) + ' ' + banner)
        return banner
    except OSError:
        return ''

# compare a banner against a file of known-vulnerable banner strings, one per
# line; the file name is passed as the first command-line argument
def checkVulns(banner):
    if len(sys.argv) >= 2:
        filename = sys.argv[1]
        with open(filename) as f:
            for line in f:
                line = line.strip('\n')
                if banner in line:
                    print("%s is vulnerable" % banner)
                else:
                    print("%s is not vulnerable" % banner)

def main():
    portList = [21, 22, 25, 80, 110]
    for x in range(0, 255):
        for port in portList:
            ip_address = '192.168.0.' + str(x)   # change the IP range to the one you want here
            banner = grab_banner(ip_address, port)
            if banner:
                checkVulns(banner)

if __name__ == '__main__':
    main()
```

![2024-03-04 14_13_42-Network Penetration Testing Methodology-Internal](https://hackmd.io/_uploads/Hy43IJ7pp.png)

7. Please see the appendix for select coding examples.

## Exercise 9: Use Metasploit to Detect Version of HTTP

Scenario

In this lab, you will

- Take an exploit from Metasploit and review it

Lab Duration: 10 Minutes

1. Click Parrot. The Parrot lock screen appears.

![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/HJaSufmTp.jpg)

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/H17LdzQTT.jpg)

3. Open a terminal window on the Parrot machine.

4. The module you investigate is the one that is used to detect the version of HTTP. Review the Metasploit core info; type **cd /usr/share/metasploit-framework/lib/rex/proto/http** and press Enter in the terminal window.

```bash=
$cd /usr/share/metasploit-framework/lib/rex/proto/http
```

5. Enter ls -lx

```bash=
$ls -lx
```

![2024-03-04 17_46_27-Image](https://hackmd.io/_uploads/ryoFdGQTp.png)

6. All these files contain a variety of **HTTP** methods, which include functions to set up a connection, the **GET** and **POST** requests, and response handling.

7. To open the module, navigate to **Places**, select **File System**, and navigate to **/usr/share/metasploit-framework/modules/auxiliary/scanner/http**. In the **HTTP** folder, scroll down and right-click on **http_version.rb**, and then click on **Open With Pluma** from the context menu.

8. Carefully review the information. Next, explore the mixin. Once the review is done, close the text editor window.

9. Navigate to **Places**; select **File System** and navigate to **/usr/share/metasploit-framework/lib/rex/proto/http**. In the **http** folder, right-click on client.rb, and then click on **Open With Pluma** from the context menu.

10. This is the code for the mixin; these are the routines that you will need for handling the sockets in order to extract the data from the site.

11. An example of an excerpt of the code is shown in the screenshot:

![2024-03-04 17_48_14-Image](https://hackmd.io/_uploads/SyCltGma6.jpg)

12. The key to this routine is in the defined class:

- self.hostname = host
- self.port = port.to_i
- self.context = context
- self.ssl = ssl
- self.ssl_version = ssl_version
- self.proxies = proxies
- self.username = username
- self.password = password

13. Once you have reviewed the file, close all open windows. As the class shows, you have covered most requirements when acting as a client for a web server.

14. This is the process you should follow when you are working as a practitioner and professional security and penetration tester. Always investigate the code that is being used BEFORE you ever deploy it on a site.

15. This concludes the lab exercise.

## Exercise 10: Enumerating SMB

Scenario

A proficient tester should be aware of the different tools used to enumerate the Server Message Block (SMB).
The Parrot security OS has SMB tools that can be used to familiarise oneself with the data available for enumeration. The objective of this lab is to help students use tools to enumerate SMB.
In this lab, you will
• Identify that SMB is running
• Scan for SMB information
• Enumerate information from the SMB protocol
• Add information, based on your analysis, to the target database
Lab Duration: 5 Minutes
1. Click Parrot. Parrot lock screen appears.
![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/rkT7KzXTa.jpg)
2. By default pentester is selected as the user. Type toor in the Password field and press Enter.
![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/HJNNYGmaa.jpg)
3. Nmap has one scripting engine (NSE) that ships with hundreds of scripts; this lab concerns the SMB ones.
4. Open a terminal window, type **nmap --script smb-os-discovery 192.168.0.7**, and press Enter.
```bash=
$nmap --script smb-os-discovery 192.168.0.7
```
5. In the terminal window, type **nmap -sC 192.168.0.7** and press Enter. -sC runs the whole "default" script category, not only the SMB scripts.
```bash=
$nmap -sC 192.168.0.7
```
6. The output of the command in step 5 reveals more details than that of the command in step 4. The scan may take approximately 5 to 10 minutes to complete.
![2024-03-04 17_50_20-Image](https://hackmd.io/_uploads/rk8_tz7TT.jpg)
7. Add the **-d** option to the command to show the debug trace, as shown in the screenshots illustrating the output.
![2024-03-04 17_50_46-Image](https://hackmd.io/_uploads/Skh9tfXTa.jpg)
![2024-03-04 17_50_57-Image](https://hackmd.io/_uploads/ByfitGQTp.jpg)
8. As the ERROR shows, the login attempts fail. The SMB scripts read this information over a null (anonymous) or guest session, and newer Windows versions disable guest access and anonymous enumeration by default, so this result is common with them. 9. 
If you add XML output (**-oX**), the same information can be loaded into a graphical user interface (GUI) and displayed in an easy-to-read format for documentation.
## Exercise 11: Pentesting Misconfigured RPC Service and NFS Shares
Scenario
Network File System (NFS) is a client/server application which allows you to view or share files and folders between Linux/Unix systems. It is a way of mounting Linux discs/directories over a network. An RPC server is a program which accepts connections from an RPC client and provides services to the client; the portmapper (rpcbind) tells clients which port each RPC service, such as mountd or nfs, is listening on.
Poor configuration of NFS and RPC services might allow attackers to:
First, find the NFS and mountd services running on a computer, using RPC
Second, mount the NFS shares and view the contents of the mounted directories
As a pentester, you need to know how to enumerate RPC services and mount poorly configured servers.
Lab Duration: 20 Minutes
1. Click Parrot. Parrot lock screen appears.
![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/HJi2FMQpp.jpg)
2. By default pentester is selected as the user. Type toor in the Password field and press Enter.
![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/BkN2tfXap.jpg)
3. In this lab, we will scan a subnet for live machines, select one machine and pentest it to gain access. For a quick scan, we will do a ping sweep using Nmap (**-sP** is the legacy spelling of **-sn**; both do host discovery only, with no port scan). In this lab, we are choosing an internal network for pentesting. Launch a command line terminal, type **nmap -sP 172.19.19.1-255** and press Enter. This displays all the hosts that are up in the network within a minute. In this lab, we are choosing **172.19.19.51 (RPC Server Ubuntu)** as our target.
```bash=
$nmap -sP 172.19.19.1-255
```
![2024-03-04 17_51_54-Image](https://hackmd.io/_uploads/BJm0KzX66.jpg)
4. Type **nmap -T4 -A 172.19.19.51** in the terminal and press Enter. This launches an aggressive Nmap scan (OS detection, version detection, default scripts and traceroute) against the **RPC Server Ubuntu machine**.
```bash=
$nmap -T4 -A 172.19.19.51
```
5. Nmap takes around 30 seconds to complete the scan. 
On completing the scan, you will observe that the rpcbind (RPC portmapper), ftp, nfs and mountd services are running on the victim machine. From the scan, it is observed that an NFS file system is exported by the remote machine. In this lab, we shall focus on the **RPC**, **NFS** and **mountd** services.
![2024-03-04 17_53_01-Image](https://hackmd.io/_uploads/S1Vf9MQpa.jpg)
![2024-03-04 17_53_18-Image](https://hackmd.io/_uploads/S1N7cM7pT.jpg)
6. Now, we shall perform RPC enumeration to list all the registered RPC services. Type **rpcinfo -p 172.19.19.51** in the command line terminal and press Enter.
```bash=
$rpcinfo -p 172.19.19.51
```
![2024-03-04 17_53_56-Image](https://hackmd.io/_uploads/BytB9MXaT.png)
7. We observe that the nfs and mountd services are registered on the remote machine.
![2024-03-04 17_54_28-Image](https://hackmd.io/_uploads/H10Dqz7pa.jpg)
8. Now, we shall issue the showmount command to list the NFS exports defined in the /etc/exports file of the remote machine. Type **showmount -e 172.19.19.51** and press Enter. This displays all the NFS shares on the remote machine, together with the client specification each one is exported to, as shown in the screenshot below:
```bash=
$showmount -e 172.19.19.51
```
![2024-03-04 17_55_19-Image](https://hackmd.io/_uploads/Sy1icGXaT.jpg)
9. As we saw in the previous task, the /home file system is shared by the remote machine. We will mount this file system on the Parrot machine at the /mnt directory. To mount, type **sudo mount -t nfs 172.19.19.51:/home /mnt -o nolock** and press Enter. Type **toor** and press Enter when prompted.
`` note: -t specifies the type of the file system (nfs). Specifying **nolock** disables NFS file locking, so no lock daemon is needed on the client. ``
```bash=
$sudo mount -t nfs 172.19.19.51:/home /mnt -o nolock
```
![2024-03-04 14_20_42-Image](https://hackmd.io/_uploads/HyUU_ymaa.png)
10. Now, we have successfully mounted the file system to the /mnt directory. To view the contents of the file system, we need to change the present directory to /mnt. Type cd /mnt and press Enter. 
```bash=
$cd /mnt
```
![2024-03-04 17_56_52-Image](https://hackmd.io/_uploads/SkcxsfXpp.png)
11. Type **ls** and press Enter to view the files and directories contained in the /home folder, i.e., /mnt.
![2024-03-04 17_57_28-Image](https://hackmd.io/_uploads/BJAzszQ66.png)
12. As a proof of concept, we shall now view the contents of a secret.txt file located in the administrator/Documents directory. Type cat administrator/Documents/secret.txt and press Enter.
![2024-03-04 17_57_55-Image](https://hackmd.io/_uploads/S1YVjGQ66.png)
13. The cat command displays the contents of secret.txt successfully, meaning we have mounted the remote file system and can read its contents.
![2024-03-04 17_58_11-Image](https://hackmd.io/_uploads/ByYroz76T.png)
14. Now, we shall see whether we are able to tamper with or delete files in the remote file system. Type rm administrator/Documents/secret.txt and press Enter. Type y and press Enter to confirm the deletion. To confirm that the file has been deleted, type cat administrator/Documents/secret.txt and press Enter. The terminal displays an error stating that no such file or directory exists. This proves that we have write access to the export, not just read access.
![2024-03-04 17_58_27-Image](https://hackmd.io/_uploads/ByY8sGQpa.png)
15. The reason we were able to access the remote share is:
a. The entire subnet has been specified as the client in the exports file, so every host in that network may mount the export. No credentials are involved: with the default AUTH_SYS security flavour, NFS trusts whatever uid and gid the client presents.
We were able to manipulate files in the file system because:
b. the export is writable (rw) and the no_root_squash option was enabled, so root on a client is not mapped to the unprivileged nobody user and keeps root rights on the export; any client in the subnet can therefore read, write and delete files as root. When you have finished, unmount /mnt so that later commands do not write into the target's /home by accident. 
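The two conditions listed in step 15 can be checked without mounting anything: the export line itself tells you who may mount a share and with what privileges. The following Python script is an added example, not part of the lab or of any Parrot tool. It parses /etc/exports syntax and flags the same weaknesses (whole-subnet or wildcard client, rw, no_root_squash, insecure). The exports content it carries is constructed for the example: the first line reproduces the lab's /home export as described in step 15, the other two are invented for contrast. Note also that root_squash alone is a weak control, because AUTH_SYS lets a client root switch to any non-root uid that owns files on the share; only uid 0 itself is mapped away.

```python
import ipaddress
import re

# Constructed /etc/exports content, not copied from the lab machine. The first line has the two
# weaknesses described in step 15 (whole-subnet client + no_root_squash); the others are for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/home        172.19.19.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/backup  172.19.19.9(ro,sync,root_squash)
/export/pub  *(rw,insecure)
"""

# One client spec: "client(opt,opt,...)" where either part may be absent.
_SPEC_RE = re.compile(r'^(?P<client>[^(]*)(?:\((?P<opts>[^)]*)\))?$')


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in /etc/exports content."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        if not specs:                           # a path with no client list is exported to everyone
            specs = ['*']
        for spec in specs:
            m = _SPEC_RE.match(spec)
            if not m:
                continue
            client = m.group('client') or '*'   # "(opts)" with no client also means everyone
            opts = [o.strip() for o in (m.group('opts') or '').split(',') if o.strip()]
            entries.append((path, client, opts))
    return entries


def client_scope(client):
    """Classify who may mount: 'world' (wildcard), 'subnet' (CIDR or netmask) or 'host'."""
    if client == '*' or '*' in client or '?' in client:
        return 'world'
    if '/' in client:
        try:
            return 'host' if ipaddress.ip_network(client, strict=False).num_addresses == 1 else 'subnet'
        except ValueError:
            return 'subnet'
    return 'host'


def assess_export(path, client, opts):
    """Findings for one export, as a pentester would report them (empty list = nothing to flag)."""
    findings = []
    scope = client_scope(client)
    if scope == 'world':
        findings.append('exported to every host')
    elif scope == 'subnet':
        findings.append('exported to the whole %s network' % client)
    if 'rw' in opts:
        findings.append('writable (rw)')
    if 'no_root_squash' in opts:
        findings.append('no_root_squash: root on a client keeps uid 0 on the share')
    if 'insecure' in opts:
        findings.append('insecure: mounts accepted from unprivileged source ports')
    if scope != 'host' and 'rw' in opts and 'no_root_squash' in opts:
        findings.append('any host in scope can mount %s and modify or delete files as root' % path)
    return findings


def audit_exports(text):
    """Map 'path client' to its findings; exports with nothing to flag are left out."""
    report = {}
    for path, client, opts in parse_exports(text):
        findings = assess_export(path, client, opts)
        if findings:
            report['%s %s' % (path, client)] = findings
    return report


if __name__ == '__main__':
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(export)
        for finding in findings:
            print('  -', finding)
```

To use it on a real engagement, paste the target's /etc/exports (or the showmount -e output rewritten in exports syntax) into SAMPLE_EXPORTS or pass the file contents to audit_exports(); the /srv/backup line shows what a tightly scoped, read-only export looks like and produces no finding.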
``This is just a proof of concept to show the reason for the vulnerability; you are not required to log in to the machine to view the above-mentioned file.``
![2024-03-04 17_58_50-Image](https://hackmd.io/_uploads/BJkYiM76a.jpg)
In this lab, you have learned how to enumerate RPC services and mount NFS shared directories.
## Exercise 12: Enumerating Logged on Users Using Finger Protocol
Scenario
The Finger service displays information such as currently logged-on users (if any), email address, full name etc. During a penetration test, an early task of a pentester is to enumerate user information such as usernames, email addresses, etc. In this lab, you are going to learn how to enumerate user information using the finger client.
Lab Duration: 15 Minutes
1. Click the Red Hat Enterprise Linux (Subnet C) machine link. Type Admin in the Username field, password in the Password field and press Enter.
![2024-03-04 17_59_26-Image](https://hackmd.io/_uploads/ByH9jfQ6a.png)
2. On successful login, the Red Hat Enterprise Linux desktop appears as shown in the screenshot. We log into the machine first because finger without a username lists only the users who are currently logged on.
![2024-03-04 17_59_46-Image](https://hackmd.io/_uploads/rJDjjGmTp.png)
3. Click Parrot. Parrot lock screen appears.
![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/ByPnjMmTT.jpg)
4. By default **pentester** is selected as the user. Type **toor** in the Password field and press Enter.
![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/B1RhiMXTa.jpg)
5. In this lab, we are going to target the IP address 192.168.0.50 (Red Hat Enterprise Linux machine) that was discovered during the ping sweep in the earlier lab exercises. The finger protocol uses TCP port 79, so let us first check that port on the target with an Nmap scan. Launch a command line terminal, type **nmap -p 79 192.168.0.50** and press Enter. 
```bash=
$nmap -p 79 192.168.0.50
```
![2024-03-04 18_00_24-Image](https://hackmd.io/_uploads/B1a6ofma6.png)
6. You will observe that **port 79** is open in the Nmap result, meaning the finger service is running on the target machine.
![2024-03-04 18_01_06-Image](https://hackmd.io/_uploads/r1Fe3fX6a.png)
7. Now, we shall enumerate the logged-on users on the remote machine using the finger client. Assuming we don't know any username yet, type **finger @192.168.0.50** and press Enter (an empty query before the @ asks the server for the list of logged-on users).
```bash=
$finger @192.168.0.50
```
![2024-03-04 18_01_39-Image](https://hackmd.io/_uploads/r1vf3fQpT.png)
8. The finger client returns the logged-in user information such as the login name, name of the user and login time, as shown in the screenshot below.
![2024-03-04 18_02_13-Image](https://hackmd.io/_uploads/rko43GQT6.png)
9. Since we found the username, we shall use it to extract additional information such as the name of the user, home directory, login name, and shell. Type finger Admin@192.168.0.50 and press Enter.
![2024-03-04 18_02_31-Image](https://hackmd.io/_uploads/rysBnfQ6T.png)
10. Alternatively, we can talk to the finger service directly with a telnet client (this uses no Telnet service on the target, only a raw TCP connection to port 79) by issuing the following command in the command line terminal: telnet 192.168.0.50 79
![2024-03-04 18_02_45-Image](https://hackmd.io/_uploads/SJ5IhGmaa.png)
11. Type **Admin** and press **Enter**. The username followed by the line break is the whole finger request, so this displays the same enumerated user information, as shown in the screenshot below.
![2024-03-04 18_03_01-Image](https://hackmd.io/_uploads/SJ5vnzQa6.png)
12. To stop your machine from returning logged-in user information, disable the finger service: edit the finger file located in /etc/xinetd.d (set disable = yes) and restart xinetd, or remove the finger server package altogether. 
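What the finger client and the telnet session in steps 7 to 11 actually put on the wire is tiny: the query (empty, or a username) followed by CRLF, after which the server writes its answer and closes the connection (RFC 1288). The script below is an added example, not part of the lab: it implements that exchange in Python, with a throw-away fingerd bound to 127.0.0.1 so it runs offline. The user table and the response layout are constructed to resemble the lab output, not copied from the target; a real fingerd formats its answer slightly differently, which is why the client returns the raw text instead of parsing it.

```python
import socket
import socketserver
import threading

# Constructed user table standing in for the target's accounts (not the lab's real data).
FAKE_USERS = {
    'Admin': {'name': 'Lab Administrator', 'dir': '/home/Admin', 'shell': '/bin/bash',
              'tty': 'pts/0', 'since': 'Mon Mar  4 17:59'},
    'jason': {'name': 'Jason Green', 'dir': '/home/jason', 'shell': '/bin/bash',
              'tty': None, 'since': None},
}


def finger_query(user=''):
    """The finger request (RFC 1288): the query, then CRLF. '' is what `finger @host` sends;
    'Admin' is what `finger Admin@host` (or typing Admin into `telnet host 79`) sends."""
    return (user + '\r\n').encode('ascii')


def finger_response(query, users=FAKE_USERS):
    """What a typical fingerd answers: no query lists logged-on users only; a username returns
    that user's details whether or not they are logged on. Layout modelled on the lab output."""
    if query == '':
        lines = ['Login     Name                 Tty      Login Time']
        for login, u in users.items():
            if u['tty']:                       # only currently logged-on users appear here
                lines.append('%-9s %-20s %-8s %s' % (login, u['name'], u['tty'], u['since']))
        return '\n'.join(lines) + '\n'
    u = users.get(query)
    if u is None:
        return 'finger: %s: no such user.\n' % query
    status = 'On since %s on %s' % (u['since'], u['tty']) if u['tty'] else 'Never logged in.'
    return 'Login: %s\t\t\t\tName: %s\nDirectory: %s\t\t\tShell: %s\n%s\n' % (
        query, u['name'], u['dir'], u['shell'], status)


class FingerHandler(socketserver.StreamRequestHandler):
    """Throw-away fingerd so the client can be exercised offline."""
    def handle(self):
        raw = self.rfile.readline(512)         # one request line; then answer and hang up
        query = raw.decode('ascii', errors='replace').rstrip('\r\n')
        if query.startswith('/W '):            # RFC 1288 verbose switch (finger -l); same answer here
            query = query[3:]
        self.wfile.write(finger_response(query).encode())


def start_fake_fingerd():
    """Bind the fake fingerd to 127.0.0.1 on an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer(('127.0.0.1', 0), FingerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def finger(host, port=79, user='', timeout=3.0):
    """Client side of the protocol: connect, send the query, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(finger_query(user))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b''.join(chunks).decode(errors='replace')


if __name__ == '__main__':
    srv, port = start_fake_fingerd()
    try:
        print(finger('127.0.0.1', port))                 # like: finger @192.168.0.50
        print(finger('127.0.0.1', port, user='Admin'))   # like: finger Admin@192.168.0.50
    finally:
        srv.shutdown()
        srv.server_close()
```

Point finger() at a real host on port 79 to reproduce steps 7 and 9 without the finger package installed; the listing call returns only users with a tty, which is why the lab has you log in to the target first.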
``This is just a proof of concept to show the reason for the vulnerability; you are not required to log in to the machine to view the above-mentioned file.``
``The finger text file is located in /etc/xinetd.d.``
![2024-03-04 18_03_26-Image](https://hackmd.io/_uploads/ByFY3fmp6.jpg)
In this lab, you have learned how to enumerate user information using the finger client.
## Exercise 13: Performing Man-in-the-Middle Attack using Cain & Abel
Scenario
In a hub-based network every frame is repeated to every port, so a sniffer sees all traffic. A switch forwards each frame only to the port that owns the destination MAC address, so on the switched networks that most organisations run today, passively sniffing does not show the traffic flowing between two other hosts. To get at it, attackers use techniques such as ARP poisoning/MITM to pull the clear-text traffic between two machines through their own host.
MITM is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. MITM attacks come in many variations and can be carried out on a switched LAN.
As a penetration tester, you need to know how to capture plain-text traffic in a switch-based network.
In this lab, you will learn how to:
1. Perform ARP poisoning
2. Launch a Man-in-the-Middle attack
3. Sniff a network for passwords
Lab Duration: 25 Minutes
1. Click the Windows Server 2019 link and then click Ctrl+Alt+Delete.
![2024-03-04 18_03_52-Image](https://hackmd.io/_uploads/rkWshGmT6.jpg)
2. Click Pa$$w0rd and press Enter to log in.
![2024-03-04 18_04_11-Image](https://hackmd.io/_uploads/HkB2hzmap.jpg)
3. Launch the Cain & Abel application by double-clicking the Cain shortcut icon on the desktop.
![2024-03-04 18_04_31-Image](https://hackmd.io/_uploads/H1na2fmTT.jpg)
4. The main window of Cain & Abel appears as shown in the screenshot. 
![2024-03-04 18_04_55-Image](https://hackmd.io/_uploads/ByJypz7T6.jpg)
5. To configure the Ethernet card, click Configure from the menu bar.
![2024-03-04 18_05_16-Image](https://hackmd.io/_uploads/S1mgaz76a.jpg)
6. The Configuration Dialog window appears. The window consists of several tabs. Click the Sniffer tab to select the sniffing adapter. Select the adapter associated with the IP address 172.19.19.20, click Apply and then OK.
![2024-03-04 18_05_34-Image](https://hackmd.io/_uploads/rJHbpGQT6.jpg)
7. Click Start/Stop Sniffer (second icon from left) on the toolbar to begin sniffing.
``If a Cain Warning pop-up appears, click OK.``
![2024-03-04 18_05_51-Image](https://hackmd.io/_uploads/S1vfpGmT6.jpg)
8. Now click the Sniffer tab and then click the Plus (+) icon (or right-click in the window) and select Scan MAC Addresses to scan the network for hosts.
![2024-03-04 18_06_10-Image](https://hackmd.io/_uploads/ry9mTMmpa.jpg)
9. The MAC Address Scanner window appears. Click the Range radio button, enter the range (172.19.19.2 - 172.19.19.20), check the All Tests option and click OK. Cain & Abel starts scanning for MAC addresses and lists all those found.
![2024-03-04 18_06_29-Image](https://hackmd.io/_uploads/BkpNTGQTp.jpg)
10. After scanning is completed, a list of detected MAC addresses is displayed as shown in the screenshot.
![2024-03-04 18_06_48-Image](https://hackmd.io/_uploads/BkRHazmaT.png)
11. Click the APR tab at the lower end of the window.
![2024-03-04 18_07_06-Image](https://hackmd.io/_uploads/ryxP6M7Tp.jpg)
12. Click anywhere in the top section of the right pane to activate the + icon.
![2024-03-04 18_07_23-Image](https://hackmd.io/_uploads/rymK6GQ66.jpg)
13. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which we can add the IP addresses whose traffic we want to intercept.
![2024-03-04 18_07_59-Image](https://hackmd.io/_uploads/H1_cazXpa.jpg)
14. To monitor the traffic between two computers, select 172.19.19.9 (FTP Server) and 172.19.19.15 (Advertisement Dept). 
Click OK. In this lab, we are going to log in to the FTP server from the Advertisement Dept machine.
![2024-03-04 18_08_58-Image](https://hackmd.io/_uploads/Bygg0fQaT.jpg)
![2024-03-04 18_08_20-Image](https://hackmd.io/_uploads/Bkl3aM7pT.jpg)
15. Select the added IP address pair in the Configuration/Routed packets list and click the Start/Stop APR icon (third from left). Cain begins ARP poisoning both machines, so the traffic between them is now routed through 172.19.19.20.
![2024-03-04 18_09_51-Image](https://hackmd.io/_uploads/SkJM0MQTa.png)
16. Log on to Advertisement Dept and sign in as Administrator. To do this, select the Advertisement Dept machine from the Resources pane. Go to Commands and click Ctrl+Alt+Delete.
![2024-03-04 18_10_20-Image](https://hackmd.io/_uploads/SJGQRMXaa.png)
17. Select the Administrator user in the login window.
![2024-03-04 18_10_37-Image](https://hackmd.io/_uploads/SkR40fQ6T.png)
18. In the logon box enter the password Pa$$w0rd and press Enter:
![2024-03-04 18_11_05-Image](https://hackmd.io/_uploads/rk-LRfQpT.jpg)
19. Click the Close button at the top right corner of the Server Manager window.
![2024-03-04 18_11_26-Image](https://hackmd.io/_uploads/r1swAzXpp.gif)
20. Now launch a command prompt on the machine, type ftp 172.19.19.9 (IP address of the FTP Server machine) and press Enter. When prompted for the username, type "Martin" and press Enter. When prompted for the password, type "mystery" and press Enter. FTP sends both values in clear text.
![2024-03-04 18_11_49-Image](https://hackmd.io/_uploads/rJpuRfQ66.png)
21. Switch to the Windows Server 2019 machine. You will observe that Cain & Abel has captured some packets, shown under the Packets field.
![2024-03-04 18_12_12-Image](https://hackmd.io/_uploads/HyOqRf7aa.jpg)
22. Click the Passwords tab in the Cain & Abel GUI. Select FTP from the left pane under the Passwords section. You will observe the credentials captured by Cain & Abel as shown in the screenshot.
![2024-03-04 18_12_37-Image](https://hackmd.io/_uploads/S1yh0MQT6.jpg)
23. 
This way, you have successfully captured user credentials traversing the network in clear text. In this lab, you have learned how to capture user credentials in a switch-based network.
## Exercise 14: Auditing a Machine for Weak Passwords Using L0phtCrack
Scenario
Security and compliance are high priorities for most organizations, and attacks on an organization's computer systems take many forms, such as spoofing, smurfing and other denial-of-service (DoS) attacks designed to harm or interrupt the operational systems. Password cracking is the term for recovering the password that secures a network, system or resource, with or without tools. In this lab, we look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. Through several scenarios we describe some of the techniques attackers deploy, the tools that aid them, and how password crackers work both internally and externally to violate a company's infrastructure.
In order to be an **Expert Penetration Tester** or a **Security Administrator**, you must understand how administrator passwords are cracked. In this lab, we crack the system user accounts using **L0phtCrack**. As a security auditor, you will run the L0phtCrack tool with the remote machine's administrator credentials, which it uses to pull the account hashes from the remote machine over SMB. User account passwords that are cracked in a short amount of time are weak, and you need to take measures to make them stronger.
The objective of this lab is to help students learn how to:
- Extract the Administrator's password using L0phtCrack
Lab Duration: 20 Minutes
1. Click Windows Server 2019, click Ctrl+Alt+Delete.
![2024-03-04 18_03_52-Image](https://hackmd.io/_uploads/HyRkjx4T6.jpg)
2. In the password field click Pa$$w0rd and press Enter. 
``You can use the Type Password option from the Commands menu to enter the password.``
![2024-03-04 18_04_11-Image](https://hackmd.io/_uploads/Sy_ejl46p.jpg)
3. In this lab, we are going to audit the user accounts on a machine for weak passwords using L0phtCrack. To install L0phtCrack, navigate to E:\CPENT Module 06 Network Penetration Testing Methodology-Internal\L0phtCrack and double-click lc7setup_v7.1.16_Win64.exe. If an Open File - Security Warning pop-up appears, click Run. Follow the wizard-driven installation steps to install L0phtCrack.
``While installing the application, a Program Compatibility Assistant pop-up appears; click Close.``
![2024-03-05 09_52_57-Image](https://hackmd.io/_uploads/S1wGoe4Ta.jpg)
4. On the Completing L0phtCrack 7 (Win64) Setup page, make sure Run L0phtCrack 7 (Win64) is checked and click Finish to launch the L0phtCrack tool.
![2024-03-05 09_53_22-Image](https://hackmd.io/_uploads/r1ZNjlNap.jpg)
5. The L0phtCrack 7 - Trial window appears. Click the Proceed With Trial button.
![2024-03-05 09_53_54-Image](https://hackmd.io/_uploads/r1eUig466.png)
6. A L0phtCrack 7 pop-up appears; select the **Password Auditing Wizard** option.
![2024-03-05 09_54_19-Image](https://hackmd.io/_uploads/HJHwjeNap.png)
7. In the Introduction page of the LC7 Password Auditing Wizard, click Next.
![2024-03-05 09_54_42-Image](https://hackmd.io/_uploads/rJUKjeNa6.png)
8. In the Choose Target System Type window, select the Windows radio button and click Next.
![2024-03-05 09_55_16-Image](https://hackmd.io/_uploads/Bk0qol4aa.png)
9. In the Windows Import window, select the A remote machine radio button and click Next.
![2024-03-05 10_01_58-Image](https://hackmd.io/_uploads/Hk9ETlN6a.jpg)
10. In the Host field of the Windows Import From Remote Machine (SMB) window, provide the IP address of the Advertisement Dept. machine and click Next. Here, the IP address of Advertisement Dept. is 172.19.19.15.
![2024-03-05 10_02_36-Image](https://hackmd.io/_uploads/HktIalETa.png)
11. 
In the Choose Audit Type window, select the Quick Password Audit option and click Next.
![2024-03-05 10_07_59-Image](https://hackmd.io/_uploads/BJki0lE6p.png)
12. In the Reporting Options window, leave the options at their defaults and click Next.
![2024-03-05 10_08_33-Image](https://hackmd.io/_uploads/H1shAe4a6.png)
13. In the Job Scheduling window, select Run this job immediately and click Next.
![2024-03-05 10_08_55-Image](https://hackmd.io/_uploads/HygCRgV66.png)
14. In the Summary window, read the summary and click Finish.
![2024-03-05 10_09_15-Image](https://hackmd.io/_uploads/SJu11WNaT.png)
15. A caution box appears about the changed LC7Agent on the remote machine, as shown in the screenshot. Click Yes.
![2024-03-05 10_09_40-Image](https://hackmd.io/_uploads/BkWZJ-4Tp.png)
16. L0phtCrack begins cracking the hashes. You can see the progress bar in the lower right-hand corner of the window. Once the audit is done, it displays the weak passwords set for the respective user accounts on the Advertisement Dept machine, as shown in the screenshot. A quick audit is a short run, so a password that survives it is not necessarily strong.
![2024-03-05 10_10_04-Image](https://hackmd.io/_uploads/r1KM1bEp6.png)
17. Click the **Reports** tab in the left pane and click **Export Accounts Table** in the **Report Types** box. Select **HTML (Hypertext Markup Language)** under the Format: box, provide a name for the file and click **Run Report Immediately**.
``After clicking the Run Report Immediately button, a Warning pop-up window appears. Click Yes.``
![2024-03-05 10_10_27-Image](https://hackmd.io/_uploads/BkmEyZN6a.png)
18. To save this session, navigate to the MENU icon at the top left corner of the window and click the Save Session option.
![2024-03-05 10_10_54-Image](https://hackmd.io/_uploads/r1orJ-N6T.png)
19. A Save Session As window appears on the screen. Select the destination location (here, Desktop), specify the file name as Credentials and click Save. Now close the L0phtCrack window. 
![2024-03-05 10_11_18-Image](https://hackmd.io/_uploads/BJyOkbNap.png)
20. To open the saved result, navigate to the Desktop and double-click the Credentials.lcs file.
![2024-03-05 10_11_55-Image](https://hackmd.io/_uploads/rynYy-466.png)
21. A L0phtCrack 7 - Trial reminder pop-up appears; click the Proceed With Trial button.
![2024-03-05 10_12_22-Image](https://hackmd.io/_uploads/HyesJW4aT.png)
22. Now you can see the saved result in the L0phtCrack window.
![2024-03-05 10_12_44-Image](https://hackmd.io/_uploads/Hkc3JWNp6.png)
23. Close all the open windows. In this lab you have learnt how to extract the **Administrator's** password using **L0phtCrack**.
## Exercise 15: Automating Penetration Testing Tasks Using Bash Scripting
Scenario
Bash is a command processor that typically runs in a text window, where the user types commands that cause actions. Bash can also read commands from a file, called a script. Like all Unix shells, it supports filename globbing (wildcard matching), piping, here documents, command substitution, variables and control structures for condition testing and iteration. The keywords, syntax and other basic features of the language were all taken from sh.
Bash scripting aids pentesters during the penetration testing process: several tasks, such as Nmap scans and FTP logins, can be chained in one script and run in sequence, avoiding the need to type each command individually.
Lab Duration: 30 Minutes
1. Click Parrot. Parrot lock screen appears.
![2024-03-04 17_06_28-設定](https://hackmd.io/_uploads/HJh0JWEpp.jpg)
2. By default pentester is selected as the user. Type toor in the Password field and press Enter.
![2024-03-04 17_06_48-Image](https://hackmd.io/_uploads/Sypll-ET6.jpg)
3. Navigate to Places and click Home Folder. The Home Folder directory window appears; double-click the pentest.sh file to open and view the bash script. 
![2024-03-05 10_16_10-Image](https://hackmd.io/_uploads/HJhtg-VaT.png)
![2024-03-05 10_16_40-Image](https://hackmd.io/_uploads/SJmjxZ46p.png)
4. This bash script performs:
a. Automated reconnaiss​ance of a specified network range for live machines with the FTP port open
b. A dictionary attack on a selected IP address to reveal user credentials
c. A login to the FTP server using the obtained credentials
![2024-03-05 10_17_10-Image](https://hackmd.io/_uploads/Bye6eZE6p.png)
5. The first line of the bash script is #!/bin/bash, the shebang: when the file is executed directly, the kernel runs it with bash rather than with whatever shell the user happens to be using.
![2024-03-05 10_17_33-Image](https://hackmd.io/_uploads/SkJy--4TT.png)
6. The tput clear command on the second line clears the screen and puts the cursor at the top of the terminal.
![2024-03-05 10_18_06-Image](https://hackmd.io/_uploads/S1FeW-VaT.png)
7. The echo command displays a line of text on standard output (or into a file), so whatever you type between the double quotes is printed on the screen. In this lab, we are performing an Nmap scan for live hosts and open FTP ports, and the text in the echo command says so, as shown in the screenshot:
![2024-03-05 10_18_30-Image](https://hackmd.io/_uploads/H1rG-b4aa.png)
8. Minimize the pentest.sh window. Now, let us run the bash script. Launch a command line terminal, type bash pentest.sh and press Enter. (Run this way, the shebang is not consulted, because you named the interpreter yourself.)
![2024-03-05 10_18_57-Image](https://hackmd.io/_uploads/Hk57bZE6p.png)
9. Minimize the command line terminal and maximize the Leafpad window. The read command reads one line from standard input, i.e. from the keyboard, and assigns it to a variable. In this lab, we use read to enter the IP address range that Nmap will sweep for live hosts. The variable holding the IP address range is ip_range.
![2024-03-05 10_19_22-Image](https://hackmd.io/_uploads/S1rH-WN6T.png)
10. 
Minimize the Leafpad window and maximize the command line terminal. As described in the earlier steps, the screen is cleared, the cursor is placed at the top of the terminal, and the echo text is printed. Type 172.19.19.7-50 and press Enter. We selected the range 7-50 to keep the scan short and save time.
![2024-03-05 10_20_05-Image](https://hackmd.io/_uploads/ryeuZ-Eaa.png)
11. Minimize the command line terminal and maximize the text editor window. nmap -sP $ip_range -oG out.txt: -sP (the legacy name for -sn) tells Nmap to do host discovery only, with no port scan, on the entered IP address range. $ip_range expands to the value (the IP address range) you entered at the read prompt. -oG selects greppable output, a simple format that puts each host on one line and can be searched and parsed trivially with standard Unix tools such as grep and cut. So nmap -sP $ip_range -oG out.txt performs live host detection and writes the greppable output to out.txt. The file is created in the directory the script was run from (the home folder here, because the script uses a relative path); open it for a better understanding.
![2024-03-05 10_20_30-Image](https://hackmd.io/_uploads/HkCK--46p.png)
12. The cat (short for "concatenate") command prints the contents of one or more files, and can also create files, join them and redirect the output to the terminal or to files. The pipe | feeds the output of cat out.txt to grep. The grep command searches its input for lines containing the given string (Up). So cat out.txt | grep Up > out1.txt keeps only the lines from out.txt whose status is Up and saves them to out1.txt. (grep is case-sensitive, so the "hosts up" summary line that Nmap appends is not matched.) You can view the out1.txt file for a better understanding.
![2024-03-05 10_20_59-Image](https://hackmd.io/_uploads/SkDs-WVpT.png)
13. The cut command is used to select a portion of text from each line of a file. 
You can use the cut command to select fields or columns from a line by specifying a delimiter. cat out1.txt | cut -d " " -f2 > open.txt: the content of out1.txt is fed to cut with the delimiter set to " " (a space). Each greppable host line starts with Host: followed by the address, so field 2 is the IP address; the IP addresses are saved to the open.txt file. For a better understanding, you may view the open.txt file.
![2024-03-05 10_21_40-Image](https://hackmd.io/_uploads/BkX0Z-NTp.png)
14. nmap -p 21 $(cat open.txt) -oG final.txt: the command substitution (the script may write it with backticks, which means the same thing) inserts the IP addresses from open.txt as Nmap's target list, so Nmap scans port 21 on those hosts and saves the greppable output to final.txt. You may view the final.txt file for a better understanding.
![2024-03-05 10_22_34-Image](https://hackmd.io/_uploads/HyN-f-Va6.png)
15. So far, Nmap has performed live host identification and checked the FTP port on the live hosts. The line cat final.txt | grep open > ftp.txt reads the output stored in final.txt, keeps the lines containing the string "open" and saves them to a file named ftp.txt. You may view the ftp.txt file for a better understanding.
![2024-03-05 10_23_01-Image](https://hackmd.io/_uploads/HJl7MbEpp.png)
16. So far, we have obtained the machines which are up and have the FTP port open. Now, we shall echo their IP addresses on the screen. echo "" prints an empty line. The next line echoes a message stating that the scan has been performed.
![2024-03-05 10_23_24-Image](https://hackmd.io/_uploads/ryONMWVTT.png)
17. Our aim is to view only the IP addresses from the file ftp.txt. To do so, the script uses cat ftp.txt | cut -d " " -f2. 
Here, field 2 is selected from each line of the ftp.txt file, using the space as delimiter, and the output (only the IP address) is displayed on the screen.
![2024-03-05 10_23_57-Image](https://hackmd.io/_uploads/HJ9UfZ4Tp.png)
18. Now, minimize the text editor window and maximize the command line terminal. Nmap has performed live host identification on the given IP address range. Once the live hosts are identified, the script starts a second Nmap scan to find the machines (among the identified live hosts) that have the FTP port open. The live machines with the FTP port open are displayed as shown in the screenshot.
``Screenshots may differ while performing the lab.``
![2024-03-05 10_24_26-Image](https://hackmd.io/_uploads/SJXdGb4aa.png)
19. Minimize the command line terminal and maximize the text editor window. So far, the lines explained above perform live host and FTP port identification. Now, we shall take one machine obtained from the Nmap scan and perform a dictionary attack to crack user accounts that have weak passwords. Before that, the script uses echo to print a short description of the dictionary attack, for better understanding.
![2024-03-05 10_24_51-Image](https://hackmd.io/_uploads/rkatM-Eaa.png)
20. As with the earlier read command, this read is used to enter the target machine's IP address. In this lab, the variable holding the target IP address is ip_addr.
![2024-03-05 10_25_17-Image](https://hackmd.io/_uploads/SkPsz-4TT.png)
21. Minimize the text editor window and maximize the command line terminal. Since we have obtained the machines whose FTP ports are open, enter the IP address of the machine on which you would like to perform the dictionary attack to obtain FTP credentials. In this lab, we are going to attack the FTP Server machine, whose IP address is 172.19.19.9. So, type the IP address 172.19.19.9 and press Enter. 
``This performs a Dictionary attack on the machine's user accounts using Hydra.`` ![2024-03-05 10_25_38-Image](https://hackmd.io/_uploads/S1p2MWEpT.png) 22. Minimize the command line terminal and maximize the text editor window. hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt ftp://$ip_addr: We are going to use hydra to perform a dictionary attack on the FTP server. -L switch in the script represents the username list. The list is provided in the location /home/pentester/Wordlists/Usernames.txt. -P switch in the script represents the password list. The list is provided in the location /home/pentester/Wordlists/Passwords.txt. ftp://$ip_addr: Here, $ip_addr grabs the value (IP Address range) you entered in read command. So, a dictionary attack will be performed on the IP address you entered in the previous step, using Hydra. ![2024-03-05 10_26_03-Image](https://hackmd.io/_uploads/SyB0MZVTa.png) 23. Minimize the text editor window and maximize the command line terminal. On issuing the IP Address, Hydra begins to a perform Dictionary attack on the machine and starts displaying the user credentials as shown in the screenshot. ``It takes around 3 minutes for Hydra to crack all the credentials.`` ![2024-03-05 10_26_23-Image](https://hackmd.io/_uploads/ryiy7-46T.png) 24. Minimize the command line terminal and maximize the text editor window. By now, you would have attained the user credentials to log in to the FTP server. So, your next task will be to log in to the server. Before that, we shall use the echo command to write some content related to the server to log in to the server as shown in the screenshot: ![2024-03-05 10_26_45-Image](https://hackmd.io/_uploads/SJlZmZ4Tp.png) 25. Now, we shall use the read command to enter the target machine's IP Address. In this lab, the variable used for addressing the IP Address range is ftp_ip. ![2024-03-05 10_27_09-Image](https://hackmd.io/_uploads/ryuMQWEp6.png) 26. 
Minimize the text editor window and maximize the command line terminal. Once the credentials are obtained, you will be asked to enter the IP Address of the machine to log in to the FTP server. Type 172.19.19.9 and press Enter. ![2024-03-05 10_27_43-Image](https://hackmd.io/_uploads/r1UEmZETp.png) 27. Minimize the command line terminal and maximize the text editor window. Upon entering the IP Address, the command ftp $ftp_ip is given to login to the IP Address of the target machine. ![2024-03-05 10_28_06-Image](https://hackmd.io/_uploads/Sk0HQZVa6.png) 28. Minimize the Leafpad window and maximize the command line terminal. You will be asked to enter a username. In this lab, we are logging in to a user named jason's account. So type jason and press Enter. ``You may issue any one of the account's username in the Name field.`` ![2024-03-05 10_28_25-Image](https://hackmd.io/_uploads/B1XDmWV6p.png) 29. You will be asked to enter the password for the user account. Since we are going to log in to john's user account, type green (password for jason's user account) and press Enter. ``The Password field remains blank while you are typing the password.`` ![2024-03-05 10_28_48-Image](https://hackmd.io/_uploads/rJP_mWVTp.png) 30. On issuing the user credentials, you will be logged in to the FTP Server, as shown in the screenshot. ![2024-03-05 10_29_06-Image](https://hackmd.io/_uploads/rytYXZN6p.png) 31. In the same way, you may run this script to crack the user credentials and access the FTP Server if hosted in the other networks. Close all the opened windows. In this lab, you have successfully performed subnet scan, found machines having FTP ports open, performed dictionary attack to attain credentials, and successfully logged in to the server using the obtained credentials.
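From the defender's side, the Hydra run in steps 22 and 23 leaves a distinctive trace in the FTP server log: a burst of failed logins from one client across several usernames (the `-L` list), often followed by a successful login as one of them. The following added example, which is not part of the lab material, parses constructed vsftpd-style log lines and flags that pattern; the log format, the client addresses and the usernames in the sample are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of a vsftpd log (assumption: this format; the
# client addresses are made up, 172.19.19.9 is the lab FTP server being hit).
SAMPLE_LOG = """\
Tue Mar  5 10:26:00 2024 [pid 2101] [alice] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:00 2024 [pid 2102] [bob] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:01 2024 [pid 2103] [carol] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:01 2024 [pid 2104] [jason] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:02 2024 [pid 2105] [jason] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:02 2024 [pid 2106] [jason] FAIL LOGIN: Client "172.19.19.5"
Tue Mar  5 10:26:03 2024 [pid 2107] [jason] OK LOGIN: Client "172.19.19.5"
Tue Mar  5 10:30:00 2024 [pid 2150] [jason] FAIL LOGIN: Client "172.19.19.20"
Tue Mar  5 10:30:09 2024 [pid 2151] [jason] OK LOGIN: Client "172.19.19.20"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$')
TS_FMT = "%a %b %d %H:%M:%S %Y"


def detect_ftp_bruteforce(log_text, window_seconds=60, fail_threshold=5):
    """Flag clients with >= fail_threshold FAIL LOGINs inside a sliding window
    (many distinct users is the signature of a -L username list); record whether
    the same client later logged in successfully, and as which user."""
    window, fails, tried, alerts = defaultdict(deque), defaultdict(int), defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login results
        t = datetime.strptime(" ".join(m["ts"].split()), TS_FMT)
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            fails[ip] += 1
            tried[ip].add(user)
            q = window[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_seconds:  # drop stale failures
                q.popleft()
            if len(q) >= fail_threshold or ip in alerts:
                a = alerts.setdefault(ip, {"users": tried[ip], "success_as": None})
                a["failures"] = fails[ip]
        elif ip in alerts and alerts[ip]["success_as"] is None:
            alerts[ip]["success_as"] = user  # cracked credentials were then used
    return alerts
```

The single typo-style failure from 172.19.19.20 stays below the threshold, while the burst from 172.19.19.5 is reported together with the account it eventually logged in as.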
