Hello, if you have any need, please feel free to consult us, this is my wechat: wx91due
Assignment #4
CS GY 6573 – Penetration Testing and Vulnerability Analysis
● Directions:
o Submit answers by deadline posted on the assignment page.
o Keep your answers short, to the point, and explain all your commands.
o All questions are in the context of penetration testing.
o This assignment is based on all Lectures.
Part 1 – Short Answer
1. [2 pts] What are the two main types of password attacks? Explain each and provide a detailed example of when you would use it
2. [1 pt each] How many bits make up each hash?
a. MD5?
b. Unsalted SHA1?
c. SHA256?
d. NTLMv2?
e. Salted SHA1?
3. [2 pts] During a test, you launched a service exploit and just popped your first basic user shell in Linux, verified by using the `id` command. Nice work, but you’re still not root, which is your eventual goal. What’s the first thing you should do after successfully exploiting this vulnerability?
4. [1 pt each] Where can we find users and password hashes on
a. Windows?
b. Linux?
5. [2 pts each] During a pen test on a remote host, you got a limited shell and found some loot. You want to transfer it to your testing machine for further inspection. The file is
/secret/passwordsandstuff.bin, a 500B binary file. You can run and do whatever you want on
your testing machine. The remote host blocks all new incoming connection requests. Explain
how, with *specific commands on both hosts*, could you transfer the file from the remote host to your testing machine.
a. Using netcat on the remote host?
b. In Powershell using only Powershell classes?
c. In bash but without netcat, ncat, socat, and using only native bash tools?
6. [1 pts each] How can we check lockout setting before password guessing on
a. Windows?
b. Linux?
7. [1 pts each]
a. What Windows tooldid we review that can attack a network at the data link layer?
b. What could we use in Kali to accomplish the same thing?
c. What kind (not examples) of packets does it send? Be as specific as possible.
8. [2 pts] What OS would we most likely not use Rainbow Tables to attack password hashes? Why?
9. [2 pts] You’re trying to build a new rainbow table and you use the same reduction function every time. What’s going to happen?
Part 2 – Technical
10. [10 points] Sniff the SMB authentication from the hw3.pcap file, then crack Alice’s password. You can use Cain and the default wordlist, wireshark, or ophcrack. Hint: If using Cain, try Uppercase, lowercase, or substitute number permutations. Provide a screenshot or your command, showing how you got it.
11. [15 points] Write a powershell script or function to scan TCP ports 8075-8085 of the subnet 10.10.0.32/29.
Requirements:
● Your script should only scan for valid host IPs of the given CIDR.
● The scan should be successful even if not all hosts are online and not all ports are open.
● Output should contain at least the IP address, how many ports are open, and which ones they were.
● Provide your code in a plain-text file with your submission.
● Okay to pass in targets as arguments, but need to show commands too.
● Hint: You can use the Wumpus VM from the previous assignment to test your script against a live target.
Implement it in powershell, do not use powershell to call another program.
12. [10 points] Look at the following php snippet from a web app running PHP v5.3.3. What could you edit in the URL below if you wanted to see the contents of the passwd file? Briefly explain why that might work.
URL: http://nb n.corp/hello.php?name=Alice&lang=en
Hello, ';
Hola, ';
';
13. [16 pts] For this question, use the Wumpus VM. The target page is
http://10.10.0.35:8080/xss.php
A webpage that accepts user input, saves it to a file, and echoes is back is vulnerable to stored cross site scripting. There are some controls in place, such as dropping any input that contains the string “ script” . You want to inject something that will steal users’ cookies!
Making this easy: You may assume that the victim’s browser doesn’t block popups, block cookie requests, or disables JavaScript. Also assume the victim will also interact with anything they need to get exploited.
Write a line of text that will evade XSS filtering, get saved onto the page, and redirect any users that view it to your machine and steal their cookies for the vulnerable site. Explain your injection and anything else you will have to do to on the attacker’s end. Provide screenshots of it working.
14. Multipart Question
a. [6 pts] Provide the following commands (and explain) to generate and format a wordlist called hw3list.lst used for password attacks. We want to generate a list using words on a webpage and every page linked from
https://www.eff.org/wp/digital-privacy-us-border-2017. The wordlist should only contain words between 6 and 8 characters in length.
b. [11 pts] Using your created wordlist, crack at least 5 of the 6 passwords in the hash file. Look at different rules in John and try some
DIFFERENT
l33t m@ngl1ng rules1234
Note: You should be able to get at least two passwords without mangling if you did the previous question correct
c. [6 points] Edit John.conf to create your own rules to find the last password.
Write a rules file that turns these letters into numbers: [a=4][e=3]. It should try all
variations of each swap for each word with multiple letters. For example, if the seed is “searches”, it would try [s3arches, se4rches, search3s, s34rches, s3arch3s, se4rch3s, s34rch3s]