CSC300 – Topics in Computer Science: Offensive Security (Labs)


CSC300 – Topics in Computer Science: Offensive Security

Lab Exercises

  1. Getting Familiar With The Lab Environment
  2. Warming Up
  3. Pre-Engagement Activities
  4. Intelligence Gathering
  5. First Hacking Challenge
  6. Vulnerability Analysis
  7. Exploitation
  8. Post Exploitation

Lab1: Getting Familiar With The Lab Environment

For the lab portion of this class you have been provided with four virtual machines which coincide with the virtual machine set that the Penetration Testing book suggests:

  • A default installation of Metasploitable 2 (Ubuntu 8.10)
  • A default installation of Kali Linux
  • A default installation of Windows XP with SP3 unpatched
  • A default installation of Windows 7 with SP1 unpatched

Since all machines are located on the “DarkNet” they will not be accessible from any outside networks, in order to ensure that none of the activities we will perform in our labs will interfere with production networks on campus. In order to access your virtual machines you must utilize the Utica College CS Virtual Laboratory Environment web portal located here.

After verifying that all the above requirements are met you should have a proper environment setup to begin working on the exercises outlined in the books. Please take some time to verify that you can access and log into your virtual machines, also ensure that there is network connectivity between the virtual machines themselves. You will have to assign network address information to each VM. Please see the instructor for your allocated IP address block and other network information required to build your virtual network.

You will then need to perform the following tasks on your VMs to prepare them for future use:

  • Kali Linux
    • Install software as described on pg. 17-22 in the Penetration Testing book
  • Windows XP SP3
    • Disable Windows firewall (pg. 37)
    • Setup the user account georgia as administrator with a password of password
    • Setup the user account secret with password Password123
    • Setup Windows XP so it acts like it is on a domain (pg. 39-40)
    • Install all vulnerable software (pg. 40-46)
  • Windows 7 SP1
    • Create user Georgia Weidman as an administrator with the password password
    • Prepare the VM in accordance to the guidelines laid out in pg. 48-54 of the Penetration Testing book

Lab 2: Warming Up

Metasploit: Quick Test

Make sure that your Kali and Windows XP virtual machines are powered on. Log into your Kali virtual machine as the root user and run through the exercises found on pages 88-108 in the Penetration Testing book. These exercises will provide you with a basic introduction to using Metasploit as well as ensure that Metasploit is working properly on your virtual machine.

How can you identify the Meterpreter session from your Kali box on your Windows XP box? Provide a screenshot of the Windows XP machine in your write-up that shows the connection from Metasploit to your Windows XP machine.

Telnet: Banner Grabbing

Banner grabbing over Telnet is quite easy and allows you to gather a wealth of information against a target. From a Kali LiveUSB or a Windows workstation SSH over to chewy and try to perform a telnet banner grab against the Utica College web server.

telnet utica.edu 80

Once connected type the following:
HEAD / HTTP/1.0
Then press enter twice

What kind of information did you find? What about if you banner grab against the CS web server at cs.utica.edu?

Pick a few other sites and try the same thing. What did you find? Now go out and try to find some vulnerabilities that are related to the services you discovered. Try to establish how you would use the vulnerability to your advantage in order to exploit the service. DO NOT EXPLOIT THE SERVICE!! At this point we are just trying to see if we can decipher how to exploit the vulnerability.
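The other side of the banner grab above: the headers a HEAD request returns are exactly what a server administrator should review. This is an added example, not part of the lab handout; the reply it parses is constructed, not captured from utica.edu or any other host.

```python
# Added example (not from the lab handout): parse the raw reply that a
# "HEAD / HTTP/1.0" banner grab returns, list the headers that disclose
# platform and version details, and show the same reply with those headers
# removed (what a tightened server configuration would send instead).
from typing import List, Tuple

# Header names that commonly reveal server software, frameworks or versions.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Constructed sample reply; values are illustrative only.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 12:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

Header = Tuple[str, str]  # (name as sent, value)

def parse_head_reply(raw: str) -> Tuple[str, List[Header]]:
    """Split a HEAD reply into its status line and an ordered header list."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the parse
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def disclosed_versions(headers: List[Header]) -> List[Header]:
    """Return the (name, value) pairs a banner grab would expose."""
    return [(n, v) for n, v in headers if n.lower() in DISCLOSURE_HEADERS]

def hardened_reply(raw: str) -> str:
    """Rebuild the reply with the disclosure headers dropped."""
    status, headers = parse_head_reply(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in DISCLOSURE_HEADERS]
    return "\r\n".join([status] + kept) + "\r\n\r\n"

if __name__ == "__main__":
    status, hdrs = parse_head_reply(SAMPLE_REPLY)
    print(status)
    for name, value in disclosed_versions(hdrs):
        print(f"leaks: {name} = {value}")
    print(hardened_reply(SAMPLE_REPLY))
```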

NMap: Primer

First things first, type man nmap and start reading!

When you're done with that, run a basic nmap scan against your Metasploitable and Windows XP virtual machines. Note the services that you find open, what ports they are running on, and what Nmap lists them as. Are they correct?

Start getting more granular with NMap. Use the Nmap man pages and your Nmap book to figure out how to scan using specific port ranges, IP ranges, and finding live hosts. Also figure out how to scan for UDP services.

Mess around with Zenmap after you have a handle on the basics of command line NMap. Notice how the GUI incorporates the command line functionality. Try the same types of scans as you did above. Which do you think you would prefer to work with every day? GUI or CLI?

Deliverables

Write up a report on your findings while working on this lab, as well as what steps you performed during the exercises. Did you find anything surprising or encounter any issues? If so how did you resolve them? Be sure to answer any questions asked above in your write up.

Lab 3: Pre-Engagement Activities

Mock Negotiations

Get into groups of 4. Two members of the group will be representing the client and the other two will be representing the pen-testing firm.

The Scenario

XYZ Corp is looking to hire a pen-testing team to assess the state of their organization’s security and identify areas of weakness that they need to improve upon in order to reduce their risk of losing corporate assets and proprietary information. XYZ Corp is a major manufacturer of aerospace technologies for the US Air Force and other private organizations. In turn this requires them to undertake regular security audits in order to remain in compliance with Air Force regulations. Today is the day of the scoping and rules of engagement meetings: members from XYZ Corp are meeting with the representatives of the information assurance contractor they have hired to discuss the details of the upcoming penetration test.

XYZ Corp Background

XYZ Corp is a fortune 500 company with multiple locations throughout the world. Much of their data exchange is done through third party cloud service providers that are located in key locations all across the globe. Their customers all have access to a company extranet in which they can communicate with representatives of XYZ Corp as well as view information regarding the history and status of their past and present contracts with the company. Employees of XYZ Corp also have access to a company intranet that provides them with access to documentation they require to work on their respective projects. It also allows them access to their payroll information, time sheets, corporate phone lists, and other HR documents.

Your Job – XYZ Corp Reps

As representatives of XYZ Corp it is your job to ensure that the pen-testing firm has all of the required information it needs in order to perform its testing. It is also your responsibility to define the bounds in which the testers are able to work within. Be creative with this, each group should have different scenarios. I am leaving it open to the XYZ Corp reps to mock up the organization (NDA agreements, locations, services, capabilities, etc…)

Your Job – Pen-Testing Firm Reps

Establish exactly what XYZ Corp is looking to have done. Scope out the engagement and provide a time-line for the representatives. Write up a contract spelling out the details of the engagement as well as how much it will cost and the billing terms. Be sure to also build your contact list and establish the lines of communication that will be required throughout the test.

Deliverables

Each team of 4 should turn in the following documents after completing the activity:

  • Scope of work document
  • Rules of engagement document
  • Non-Disclosure Agreement document
  • Billing terms and Pricing document
  • Final contract and statement of work

Note that all four members of the group are encouraged to participate in all parts of the final documentation process. The initial “mock up” meeting is an exercise that allows the students to assume the role of a certain individual within the context of the meeting. The final documentation is a group exercise that allows everyone to see the “birds eye view” of the entire process.

Each member of the group is to turn in a copy of the entire packet in PDF form to their Engage drop box for credit. Be sure to note who your group members were and what role they played in the process.

Again have fun with this and be creative! This is due next Thursday so start it today and work on it together over the next few days. This will require some investigation on your part especially when starting to draft up contracts and NDAs. There are plenty of examples out on the web to get you started.

Lab 4: Intelligence Gathering

WHOIS Lookups

WHOIS lookups can provide a tester with information pertaining to a domain registration. This can include, but is not limited to: IP address ranges, location addresses, and authorized contact information.

  • Locate 3 resources on the Internet that allow you to perform WHOIS lookups. Choose 5 domains that you are interested in and perform WHOIS lookups on them using the three resources you found.
    • Were the results the same for each domain on each resource?
    • Did any of the listings seem anonymous or falsified?
    • What interesting information did you gain that could be used in the future during exploitation or vulnerability analysis?

  • SSH over to chewy (our Kali VMs don’t have Internet access) and use the whois command to perform the same lookups again at the command line
    • Were the results any different?
    • Which would you rather use the CLI version or Web resources?

  • Use the Netcraft site as explained on page 114 of the Penetration Testing book on the same domains you have been passively footprinting. Once you have the IP addresses attempt to perform a whois lookup on them to verify that the same information you received previously is returned. Use either an Internet resource or the whois command on chewy to perform this task. Did you receive the expected information? If not what was different?

NSLookup

Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.

  • Use nslookup to find the DNS server information for your 5 domains used in the previous exercise
  • Use the nslookup command to find out MX record information for each of those domains
  • In all cases what was the DNS server that the output of the nslookup command identified as your DNS server?
  • Figure out how to use different DNS servers than reported in the previous step with nslookup (i.e. use Google’s name server 8.8.8.8). Do not just change the DNS server configuration on your machines; use nslookup to perform this task to proxy DNS queries through a different server.
  • Figure out how to perform all of the above tasks in both non-interactive and interactive modes
    • Non-interactive uses command line options appended to the nslookup command to return results
      • Example: nslookup -querytype=mx utica.edu
    • Interactive mode is used when nslookup is run with no options and the user types commands within the nslookup CLI
      • Example: > set type=mx
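Parsing the non-interactive output is a useful complement to the questions above: the Server: line tells you which resolver actually answered, and the "Non-authoritative answer:" marker tells you it came from that resolver's cache rather than the domain's own name servers. This is an added example, not part of the lab handout; the nslookup output it parses is constructed for example.com, not a real capture.

```python
# Added example (not from the lab handout): parse the output of
# "nslookup -querytype=mx <domain>" into the resolver that answered,
# whether the answer was authoritative, and the MX records sorted by
# preference. The sample output below is constructed, not a real capture.
import re
from typing import List, Optional, Tuple

SAMPLE_NSLOOKUP_MX = """\
Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
example.com\tmail exchanger = 20 backup.example.com.
example.com\tmail exchanger = 10 mail.example.com.

Authoritative answers can be found from:
"""

# "<name>  mail exchanger = <preference> <exchange>" with an optional trailing dot.
MX_LINE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+?)\.?$")

def answering_server(output: str) -> Optional[str]:
    """Resolver named on the 'Server:' line, or None if absent."""
    for line in output.splitlines():
        if line.startswith("Server:"):
            return line.split(":", 1)[1].strip()
    return None

def is_authoritative(output: str) -> bool:
    """False when nslookup marks the answer as served from a resolver cache."""
    return "Non-authoritative answer:" not in output

def mx_records(output: str) -> List[Tuple[int, str]]:
    """(preference, exchange) pairs, lowest preference (most preferred) first."""
    records = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3)))
    return sorted(records)

if __name__ == "__main__":
    print("answered by:", answering_server(SAMPLE_NSLOOKUP_MX))
    print("authoritative:", is_authoritative(SAMPLE_NSLOOKUP_MX))
    for pref, host in mx_records(SAMPLE_NSLOOKUP_MX):
        print(pref, host)
```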

Port Scanning with NMap

Perform the exercises detailed on pages 123-131 in the Penetration Testing book. These scans should be targeted against your Windows XP and Metasploitable virtual machines.

OSINT

During lecture we discussed many different types of OSINT. Attempt to use at least 10 different OSINT resources to gain information about yourself from publicly available sources. Do not reveal the information obtained in your write-up, instead detail the resources you used and provide a brief description of the results as well as if the information received from the resource was accurate or not. Also note if you found anything surprising such as the amount or type of information you were able to retrieve from each source.

Deliverables

Write up a report on your findings while working on this activity, as well as what steps you performed during the exercises. Did you find anything surprising or encounter any issues? If so how did you resolve them? Be sure to answer any questions asked above in your write up.

Lab5: First Hacking Challenge

A Linux server has been deployed on the DarkNet that is running a few misconfigured services. Your job is to gather as much information as possible about the vulnerable server and attempt to gain root access. Once you have gained root access, find the surprise in the root home directory and provide a screenshot of the output in your write-up. Your write-up should provide a detailed description of the methods and utilities that you used to progress through the challenge. You should also note any issues you encountered along the way and how you were able to overcome them. In the end the write-up should be able to be used by another student as a guide to breaking into the server. Full credit will be given to students who gain root access and provide the most detailed write-ups.

Note: Do not do anything malicious to the VM once you gain root access. This will result in a failing grade for the lab exercise! This challenge is intended to simulate a pen-test, and the rules of engagement specify that you can only attempt to gain root privileges and provide proof that you did.

You are allowed to work in teams of two on this challenge.

Hint: You will only require your Kali VMs, so it is suggested that you turn all other unnecessary VMs off. The fewer systems that are running on the DarkNet, the easier it will be to find the vulnerable machine!

Lab6: Vulnerability Analysis

Scanning with Nessus

  • Refer to pages 17-20 in your Penetration Testing book for instructions on how to obtain and install Nessus
  • Nessus is installed and run with the following commands
    • dpkg -i Nessus-*.deb
    • /etc/init.d/nessusd start
    • browse to: https://127.0.0.1:8834
    • Follow the on screen instructions to complete the installation and activate your copy of Nessus
    • Download and Install the Nessus plugins
  • This exercise will require Internet access to your Kali VM
  • Do the exercises on pages 134-142 in your Penetration Testing book

The NMap Scripting Engine

  • Do the exercises on pages 142-146 in your Penetration Testing book to gain familiarity with the NSE.

Scanning with Modules in Metasploit

  • Do the exercises on pages 146-148 in your Penetration Testing book to gain familiarity with using Metasploit as a vulnerability scanner.

Other Tricks

  • Do the exercises on pages 148-153 in your Penetration Testing book to gain familiarity with web application scanning and port analysis.

Deliverables

Write up a report on your findings while working on this activity, as well as what steps you performed during the exercises. Did you find anything surprising or encounter any issues? If so how did you resolve them?

Lab7: Exploitation

Metasploit – Server Side Exploits

  • Perform the exercises in chapter 8 of the Penetration Testing book
  • Provide a summary of the exploits you performed and their results in your lab write-up

Password Attacks

  • Perform the exercises in chapter 9 of the Penetration Testing book
  • Provide a summary of the exploits you performed and their results in your lab write-up

Metasploit – Client Side Exploits

  • Perform the exercises in Chapter 10 of the Penetration Testing book
  • Provide a summary of the exploits you performed and their results in your lab write-up

Lab8: Post Exploitation

Avoiding Detection

  • Perform at least 5 of the exercises in Chapter 12 of the Penetration Testing book
  • Provide a summary of the exercises you performed and their results in your lab write-up

Tunnelling

  • Figure out how to use SSH in order to create a tunnel between two hosts
  • Use the tunnel as a way to forward traffic to the remote machine
    • This can be done on the gentoo boxes or your Darknet VMs
    • Example Scenario: Trying to use instant messaging behind a firewalled network that allows SSH but not the protocol you want to use
  • Knowledge of how to perform this task can provide ways of exfiltrating data out of a network undetected

Proxying

  • Figure out how to use SSH in order to proxy internal web services to a remote host
  • Hint SOCKS
    • This can be done on the gentoo boxes or your Darknet VMs
    • Example Scenario: Trying to access a Nagios service accessible only from inside the network, or better yet from a single host within the internal network

Netstat

  • On your Kali LiveUSB, run man netstat
  • Explore the netstat command and see how much detail you can get out of it regarding the systems network connections
  • Can you tell exactly what application and process id owns a specific network connection?
  • Why would this information be important for an attacker, or a systems administrator?
  • Is it possible to hide connection information from netstat? Why would this be useful?
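To answer the ownership question above in bulk, it helps to turn the netstat listing into structured records. This is an added example, not part of the lab handout; it parses a constructed "netstat -tunap" style listing (tcp and udp, numeric, all sockets, with program names) and is not a real capture. Note that netstat prints "-" in the PID/Program column when the current user is not allowed to see the owning process, so an audit run as an unprivileged user will show unowned sockets that root can attribute.

```python
# Added example (not from the lab handout): parse a "netstat -tunap" style
# listing into records that map each socket to its owning PID and program,
# then pull out the listening sockets and the ones with no visible owner.
# The listing below is constructed for illustration, not a real capture.
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2231/sshd: georgia
tcp        0      0 10.0.0.5:4444           10.0.0.9:60001          ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str          # empty for UDP, which netstat prints without a State column
    pid: Optional[int]  # None when netstat shows "-" (owner not visible to this user)
    program: str

def parse_netstat(output: str) -> List[Socket]:
    """Turn netstat's text table into Socket records, skipping banner/header lines."""
    sockets: List[Socket] = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recvq, _sendq, local, remote = fields[:5]
        rest = fields[5:]
        # TCP rows carry a State field before the owner; UDP rows do not.
        state = rest[0] if proto.startswith("tcp") else ""
        owner = " ".join(rest[1:] if proto.startswith("tcp") else rest)  # program names may contain spaces
        if owner == "-":
            pid, program = None, ""
        else:
            pid_text, _, program = owner.partition("/")
            pid = int(pid_text)
        sockets.append(Socket(proto, local, remote, state, pid, program))
    return sockets

def listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets accepting traffic: TCP in LISTEN, or UDP bound with no peer."""
    return [s for s in sockets
            if s.state == "LISTEN" or (s.proto.startswith("udp") and s.remote.endswith(":*"))]

def unowned(sockets: List[Socket]) -> List[Socket]:
    """Sockets whose owning process netstat could not show (re-run as root to attribute)."""
    return [s for s in sockets if s.pid is None]

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in socks:
        print(f"{s.proto} {s.local} -> {s.remote} {s.state or '-':11} pid={s.pid} {s.program}")
    print("listening:", [s.local for s in listeners(socks)])
    print("no visible owner:", [s.local for s in unowned(socks)])
```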

NetCat

  • Figure out how to use netcat to setup a reverse tunnel (backdoor) from your Metasploitable VM to your Kali VM.

More Post-Exploitation Fun

  • Perform at least 5 of the exercises from Chapter 13 in the Penetration Testing book
  • Provide a summary of the post-exploitation exercises you chose to do as well as the results in your write-up.