Offensive Security Penetration Testing with BackTrack PWB Online Lab Guide v.3.2 2 Table of Contents Before We Begin 16 i. Legal Stuff 16 ii. Important Notes 16 iii. Labs and IP Address Spaces 16 iv. Control Panel 17 Network Keys / Secrets 17 v. PWB VPN Labs 18 vi. How to Approach This Course 19 vii. Reporting 19 Reporting for PWB 21 Interim Documentation 22 viii. Penetration Testing Methodology 23 1. Module 1: BackTrack Basics 25 1.1 Finding Your Way around BackTrack 26 1.1.1 Exercises 28 1.2 BackTrack Services 29 1.2.1 DHCP 29 1.2.2 Static IP Assignment 30 1.2.3 SSHD 30 1.2.4 Apache 32 1.2.5 FTP 33 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 3 1.2.6 TFTPD 34 1.2.7 VNC Server 35 1.2.8 Additional Resources 35 1.2.9 Exercises 36 1.3 The Bash Environment 37 1.3.1 Simple Bash Scripting 37 1.3.2 Sample Exercise 37 1.3.3 Sample Solution 39 1.3.4 Additional Resources 43 1.3.5 Exercises 44 1.4 Netcat the Almighty 45 1.4.1 Connecting to a TCP/UDP Port with Netcat 45 1.4.2 Listening on a TCP/UDP Port with Netcat 48 1.4.3 Transferring Files with Netcat 49 1.4.4 Remote Administration with Netcat 50 1.4.5 Exercises 55 1.5 Using Wireshark 56 1.5.1 Peeking at a Sniffer 56 1.5.2 Capture and Display Filters 59 1.5.3 Following TCP Streams 60 1.5.4 Additional Resources 60 1.5.5 Exercises 61 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 4 2. Module 2: Information Gathering Techniques 62 2.1 Open Web Information Gathering 64 2.1.1 Google Hacking 64 2.2. Miscellaneous Web Resources 79 2.2.1 Other Search Engines 79 2.2.2 Netcraft 79 2.2.3 Whois Reconnaissance 81 2.3 Exercises 86 3. Module 3: Open Services Information Gathering 87 3.1 DNS Reconnaissance 87 3.1.1 Interacting with a DNS Server 88 3.1.2 Automating Lookups 90 3.1.3 Forward Lookup Brute Force 91 3.1.4 Reverse Lookup Brute Force 95 3.1.5 DNS Zone Transfers 97 3.1.6 Exercises 103 3.2 SNMP Reconnaissance 104 3.2.1 Enumerating Windows Users 105 3.2.2 Enumerating Running Services 105 3.2.3 Enumerating Open TCP Ports 106 3.2.4 Enumerating Installed Software 107 3.2.5 Exercises 110 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 5 3.3 SMTP Reconnaissance 111 3.3.1 Exercises 112 3.4 Microsoft NetBIOS Information Gathering 113 3.4.1 Null Sessions 113 3.4.2 Scanning for the NetBIOS Service 114 3.4.3 Enumerating Username/Password Policies 115 3.4.4 Exercises 119 3.5 Maltego 120 3.5.1 Network Infrastructure 120 3.5.2 Social Infrastructure 121 4. Module 4: Port Scanning 122 4.1 TCP Port Scanning Basics 123 4.2 UDP Port Scanning Basics 125 4.3 Port Scanning Pitfalls 125 4.4 Nmap 125 4.4.1 Network Sweeping 128 4.4.2 OS Fingerprinting 130 4.4.3 Banner Grabbing/Service Enumeration 131 4.4.4 Nmap Scripting Engine 132 4.5 PBNJ 136 4.6 Unicornscan 142 4.7 Exercises 144 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 6 5. Module 5: ARP Spoofing 145 5.1 The Theory behind ARP Spoofing 146 5.2 Doing It the Hard Way 146 5.2.1 Victim Packet 148 5.2.2 Gateway Packet 149 5.3 Ettercap 152 5.3.1 DNS Spoofing 153 5.3.2 Fiddling with Traffic 155 5.3.3 SSL Man in the Middle 158 5.3.4 Exercises 159 6. Module 6: Buffer Overflow Exploitation 160 6.1 Looking for Bugs 161 6.2 Fuzzing 161 6.3 Exploiting Windows Buffer Overflows 164 6.3.1 Replicating the Crash 164 6.3.2 Controlling EIP 167 6.3.3 Locating Space for Your Shellcode 171 6.3.4 Redirecting the Execution Flow 173 6.3.5 Finding a Return Address 174 6.3.6 Basic Shellcode Creation 178 6.3.7 Getting the Shell 182 6.3.8 Exercises 186 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 7 6.4 Exploiting Linux Buffer Overflows 188 6.4.1 Setting Things Up 188 6.4.2 Controlling EIP 193 6.4.3 Landing the Shell 196 6.4.4 Avoiding ASLR 199 7. Module 7: Working with Exploits 201 7.1 Looking for an Exploit on BackTrack 205 7.2 Looking for Exploits on the Web 209 8. Module 8: Transferring Files 211 8.1 The Non-interactive Shell 212 8.2 Uploading Files 213 8.2.1 Using TFTP 213 8.2.2 Using FTP 215 8.2.3 Inline Transfers 216 8.3 Exercises 218 9. Module 9: Exploit Frameworks 219 9.1 Metasploit 220 9.1.2 Metasploit 3 Command Line Interface (msfcli) 223 9.1.5 Exercises 233 9.2 Interesting Payloads 234 9.2.1 Meterpreter Payload 234 9.2.3 Binary Payloads 240 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 8 9.2.3.1 Exercises 241 9.2.4 Additional Framework v3.x Features 242 10. Module 10: Client Side Attacks 244 10.1 Network Implications 245 10.2 CVE-2009-0927 245 10.3 MS07-017: From PoC to Shell 248 10.4 MS06-001: An Example from MSF 254 10.5 Client Side Exploits in Action 256 10.6 Exercises 257 11. Module 11: Port Fun 258 11.1 Port Redirection 259 11.2 SSL Encapsulation: Stunnel 262 11.2.1 Exercises 264 11.3 HTTP CONNECT Tunneling 265 11.4 ProxyTunnel 267 11.5 SSH Tunneling 268 11.6 What about Content Inspection? 271 11.7 Exercise 271 12. Module 12: Password Attacks 272 12.1 Online Password Attacks 273 12.2 Hydra 277 12.2.1 FTP Brute Force 278 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 9 12.2.2 POP3 Brute Force 278 12.2.3 SNMP Brute Force 279 12.2.4 Microsoft VPN Brute Force 279 12.2.5 Hydra GTK 280 12.3 Password Profiling 280 12.3.1 CeWL 281 12.4 Offline Password Attacks 282 12.4.1 Windows SAM 282 12.4.2 Windows Hash Dumping: PWDump and FGDump 283 12.4.3 John the Ripper 285 12.4.4 Rainbow Tables 286 12.4.5 “Windows Does WHAT????” 289 12.4.6 Exercises 292 12.5 Physical Access Attacks 293 12.5.1. Resetting Microsoft Windows 293 12.5.2 Resetting a Password on a Domain Controller 296 12.5.3 Resetting Linux Systems 296 12.5.4 Resetting a Cisco Device 297 13. Module 13: Web Application Attack Vectors 298 13.1 Cross Site Scripting 299 13.1.2 Information Gathering 301 13.1.3 Browser Redirection and iframe Injection 303 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 10 13.1.4 Stealing Cookies and Abusing Sessions 304 13.2 Local and Remote File Inclusion 306 13.3 SQL Injection in PHP/MySQL 308 13.3.1 Authentication Bypass 309 13.3.2 Enumerating the Database 310 13.3.3 Code Execution 313 13.4 SQL Injection in ASP/MSSQL 315 13.4.1 Identifying SQL Injection Vulnerabilities 318 13.4.2 Enumerating Table Names 319 13.4.3 Enumerating the Column Types 320 13.4.4 Fiddling with the Database 321 13.4.5 Microsoft SQL Stored Procedures 321 13.4.6 Code Execution 323 13.5 Web Proxies 324 13.6 Exercises 326 14. Module 14: Trojan Horses 328 14.1 Binary Trojan Horses 329 14.2 Open Source Trojan Horses 329 14.3 World Domination Trojan Horses 330 15. Module 15: Windows Oddities 331 15.1 Alternate NTFS Data Streams 331 15.2 Registry Backdoors 333 [...]... Listening on LPF/eth0/00:0c :29 :f6:08:7a Sending on LPF/eth0/00:0c :29 :f6:08:7a Sending on Socket/fallback DHCPDISCOVER on eth0 to 25 5 .25 5 .25 5 .25 5 port 67 interval 8 DHCPOFFER of 1 92. 168.1.155 from 1 92. 168.1 .25 4 DHCPREQUEST of 1 92. 168.1.155 on eth0 to 25 5 .25 5 .25 5 .25 5 port 67 DHCPACK of 1 92. 168.1.155 from 1 92. 168.1 .25 4 bound to 1 92. 168.1.155 renewal in 99903 seconds 29 1 .2. 2 Static IP Assignment The... following example shows how to set a static IP address assuming: • Host IP: 1 92. 168.0.4 • Subnet mask: 25 5 .25 5 .25 5.0 • Default gateway: 1 92. 168.0.1 • DNS Server: 1 92. 168.0 .20 0 WB P - 61 5 root@bt:~# ifconfig eth0 1 92. 168.0.4 /24 7 SO root@bt:~# route add default gw 1 92. 168.0.1 root@bt:~# echo nameserver 1 92. 168.0 .20 0 > /etc/resolv.conf 1 .2. 3 SSHD The SSH server can be very useful in various situations, such... distance 61 prior written permission from the author system, without -75 OS learning, in any form or by any means such as any information storage, transmission, or retrieval 12 Penetration Testing with BackTrack A Note from the Authors Thank you for opting to take the Offensive Security PWB” extended lab training PWB is not your usual IT security course We hope to challenge you, give you a hard time,... not necessarily reflect the IP addresses in the Offensive Security labs Do not try to copy the examples in the lab guide verbatim; you need to adapt the example to your specific lab configuration Depending on your lab assignment, your VPN connection will connect you to the Student Network, either on the 1 92. 168.10 /23 , 1 92. 168. 12/ 23 or the 1 92. 168.14 /23 ranges Students are NOT able to communicate between... /root/.vnc/bt5:1.log root@bt:~# netstat -antp |grep vnc tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 928 7/Xtightvnc tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 928 7/Xtightvnc root@bt:~# 1 .2. 8 Additional Resources • http://www .offensive- security. com/blog /backtrack/ • http://www .backtrack- linux.org/wiki/index.php/Main_Page 35 1 .2. 9 Exercises 1 Log on to BackTrack, and check what network interfaces you have: root@bt:~# dmesg |grep... fingerprint is: 2f:8c:e8:be:b5 :23 :6c:85:c3:71:e3:aa:c6:6c :28 :d1 root@bt The key's randomart image is: root@bt:~# /etc/init.d/ssh start Starting OpenBSD Secure Shell server: sshd root@bt:~# 31 You can verify that the server is up and listening using the netstat command: root@bt:~# netstat -antp |grep sshd tcp 0 0 0.0.0.0 :22 0.0.0.0:* LISTEN 8654/sshd tcp6 0 0 :: :22 :::* LISTEN 8654/sshd root@bt:~# 1 .2. 4 Apache... http://forums .offensive- security. com/forumsdisplay.php?f=69 http://forums .offensive- security. com/forumsdisplay.php?f=84 16 iv Control Panel Once logged into the VPN labs, you can access your PWB Labs control panel Through this control panel you can manage, revert, and reset lab machines and passwords The panel can be accessed at https://1 92. 168.10.7, https://1 92. 168. 12. 7 or https://1 92. 168.14.7 depending... name, using 127 .0.0.1 for ServerName root@bt:~# Using the init.d scripts: root@bt:~# /etc/init.d/apache2 start Starting web server: apache2: Could not reliably determine the server's fully qualified domain name, using 127 .0.1.1 for ServerName root@bt:~# /etc/init.d/apache2 stop Stopping web server: apache2: Could not reliably determine the server's fully qualified domain name, using 127 .0.1.1 for ServerName... to check pages such as http://en.wikipedia.org/wiki /Penetration_ test for additional 23 methodologies, such as the Open Source Security Testing Methodology (OSSTM) in order to broaden your point of view WB P - 61 5 7 SO 24 1 Module 1: BackTrack Basics Overview This module prepares the student for the modules to come, which heavily rely on proficiency with the basic usage of Linux and tools such as the... mental note of the tools and their names Please remember that the /pentest directory holds only a few of the pen testing tools Other tools are usually in the path 2 Use the Linux locate command to locate the sbd Linux binary and the sbd.exe Windows binary WB P - 61 5 7 SO 28 1 .2 BackTrack Services BackTrack includes several useful network services such as HTTPD, SSHD, TFTPD, VNC Server, and more These services . Hydra 27 7 12. 2.1 FTP Brute Force 27 8 OS-7561-PWB OS-7561-PWB OS-7561-PWB OS-7561-PWB 9 12. 2 .2 POP3 Brute Force 27 8 12. 2.3 SNMP Brute Force 27 9 12. 2.4 Microsoft VPN Brute Force 27 9 12. 2.5. GTK 28 0 12. 3 Password Profiling 28 0 12. 3.1 CeWL 28 1 12. 4 Offline Password Attacks 28 2 12. 4.1 Windows SAM 28 2 12. 4 .2 Windows Hash Dumping: PWDump and FGDump 28 3 12. 4.3 John the Ripper 28 5. 8 .2 Uploading Files 21 3 8 .2. 1 Using TFTP 21 3 8 .2. 2 Using FTP 21 5 8 .2. 3 Inline Transfers 21 6 8.3 Exercises 21 8 9. Module 9: Exploit Frameworks 21 9 9.1 Metasploit 22 0 9.1 .2 Metasploit 3 Command