Vulnerability Analysis
n00bpentesting.com
Lab Guide Two
Prerequisites  3
  Hardware  3
  Software  3
Topics Covered  4
A Note  4
Before You Begin  4
Lab 0ne – Vulnerability Research  5
  Finding A Vulnerable Application  5
  Using exploit-db  11
  Exploit-DB Challenge  12
  Using Metasploit  13
What's Next?  16
Twitter @shai_saint
2
Prerequisites

Thank you for downloading the n00bpentesting.com Lab Guide Two. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.

Hardware
• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard drive with at least 50GB

Software
• VirtualBox Virtualization Software: http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine: http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine: supply your own copy or use a NIST image (NIST - http://nvd.nist.gov/fdcc/download_fdcc.cfm)
• Metasploitable Virtual Machine: http://updates.metaspoit.com/data/Metasploitable.zip.torrent
Topics Covered
• Vulnerability Testing
• Vulnerability Validation
• Vulnerability Research
A Note
All n00bpentesting.com guides will follow the applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester, or anyone who wants to move into this field, read and regularly reference the standard. It can be found here: http://www.pentest-standard.org/
Before You Begin
It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages ensures the latest tool updates and fixes are applied, for better stability and exploit success.

To update BackTrack, at the command prompt type:
apt-get update && apt-get upgrade && apt-get dist-upgrade
then press ENTER.

To update SET, at the command prompt type:
cd /pentest/exploits/set && svn update
then press ENTER.

To update Metasploit, at the command prompt type:
cd /pentest/exploits/framework && svn update
then press ENTER.
Lab 0ne – Vulnerability Research

In this lab you will learn how to apply the knowledge we have of our target to determine whether there are vulnerabilities that can be exploited. We have already run the NMAP port scanner and done banner grabbing to get the exact versions of the software running on the open service ports. Let's look at a few sources of vulnerability information to see if our target is vulnerable.

We know the following applications are running on the target based on NMAP scanning. We only completed TCP scans, so no services that may be running over UDP will be listed.

PORT      STATE  SERVICE      VERSION
21/tcp    open   ftp          ProFTPD 1.3.
22/tcp    open   ssh          OpenSSH 4.7p1 (protocol 2)
23/tcp    open   telnet       Linux telnetd
25/tcp    open   smtp         Postfix smtpd
53/tcp    open   domain       ISC BIND 9.4.2
80/tcp    open   http         Apache httpd 2.2.8
139/tcp   open   netbios-ssn  Samba 3.x
445/tcp   open   netbios-ssn  Samba 3.x
3306/tcp  open   mysql        MySql 5.0.51a-3ubuntu5
5432/tcp  open   postgresql   PostgreSQL DB 8.3.0 – 8.3.7
8009/tcp  open   ajp13        Apache Jserv (protocol v1.3)
8180/tcp  open   http         Apache Tomcat/Coyote JSP engine 1.1
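The table above is the raw material for vulnerability research, and the first thing a practitioner does with it is decide which banners carry a usable version and which ports need more enumeration before any lookup makes sense. The following Python script is an added example, not part of the lab guide: it parses the nmap service table (embedded as constructed text), extracts the version or version range from each banner, and cross-references the result with a small vulnerability index. The index (KNOWN_ISSUES) is entirely made up for the demonstration, with placeholder references such as EXAMPLE-1; its ranges say nothing about the real products.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed input: the lab's nmap service table, pasted as text.
NMAP_TABLE = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.
22/tcp   open  ssh         OpenSSH 4.7p1 (protocol 2)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8
139/tcp  open  netbios-ssn Samba 3.x
445/tcp  open  netbios-ssn Samba 3.x
3306/tcp open  mysql       MySql 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
"""

# Constructed vulnerability index. The product names match the table, but the
# affected ranges and reference ids are invented for the demonstration and say
# nothing about the real software.
KNOWN_ISSUES = [
    {"product": "Apache httpd", "affected": ("2.2.0", "2.2.8"), "ref": "EXAMPLE-1"},
    {"product": "ISC BIND", "affected": ("9.4.0", "9.4.1"), "ref": "EXAMPLE-2"},
    {"product": "PostgreSQL", "affected": ("8.3.0", "8.3.3"), "ref": "EXAMPLE-3"},
    {"product": "Samba", "affected": ("3.0.0", "3.0.25"), "ref": "EXAMPLE-4"},
]

ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_nmap_table(text: str) -> List[Dict[str, object]]:
    """Turn nmap's PORT/STATE/SERVICE/VERSION rows into dicts; other lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, banner = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "banner": banner.strip()})
    return rows


def to_version(s: str) -> Version:
    return tuple(int(p) for p in s.split("."))


def banner_versions(banner: str) -> Optional[Tuple[Version, Version]]:
    """(low, high) bounds of the version a banner claims, or None when the banner
    carries no usable number ('Samba 3.x', 'Linux telnetd'). '8.3.0 - 8.3.7' is a
    range; a single version gives (v, v). The first number wins, so a banner like
    'Apache Jserv (protocol v1.3)' yields the protocol version, not the product's."""
    found = VERSION_RE.findall(banner)
    if not found:
        return None
    low = to_version(found[0])
    if len(found) > 1 and re.search(r"\d\s*[-\u2013]\s*\d", banner):
        return low, to_version(found[1])
    return low, low


def overlaps(a: Tuple[Version, Version], b: Tuple[Version, Version]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def triage(rows, issues):
    """Cross-reference banners with the index. 'matches': an exact version inside an
    affected range; 'possible': a banner range overlapping one; 'unknown': no version
    in the banner, so that port needs further enumeration before research can proceed."""
    result = {"matches": [], "possible": [], "unknown": []}
    for row in rows:
        bounds = banner_versions(row["banner"])
        if bounds is None:
            result["unknown"].append(row["port"])
            continue
        exact = bounds[0] == bounds[1]
        for issue in issues:
            if issue["product"].lower() not in row["banner"].lower():
                continue
            affected = (to_version(issue["affected"][0]), to_version(issue["affected"][1]))
            if overlaps(bounds, affected):
                result["matches" if exact else "possible"].append((row["port"], issue["ref"]))
    return result


if __name__ == "__main__":
    for bucket, items in triage(parse_nmap_table(NMAP_TABLE), KNOWN_ISSUES).items():
        print(bucket, items)
```

Run as-is, the script puts telnet, smtp and both Samba ports in the "unknown" bucket, which is the point: "Samba 3.x" and "Linux telnetd" cannot be matched against any version-ranged advisory until the real version is established by other means, and the PostgreSQL banner only ever gives a range, so a hit there is "possible" rather than confirmed.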
Finding A Vulnerable Application

We know what services are running on which ports, but what applications truly reside behind each service? We can assume that some type of web application is running, because the table above shows web servers on 80/tcp, 8009/tcp, and 8180/tcp. There must be a web app on this server, let's find it! In order to determine whether the web application on the web server is vulnerable we must identify it first.

1. Start the BackTrack VM
2. Start the Metasploitable VM
3. Verify IP connectivity by pinging Metasploitable from the BackTrack VM

We are going to use an application called DirBuster to find out what directories are available on the web server running on the Metasploitable VM. The directory names should give us a good indication of what web application is running. We can then look for vulnerabilities.
4. In the BackTrack VM at the command prompt type: cd /pentest/web/dirbuster, press ENTER
5. List the contents of the directory by typing: ls, press ENTER
6. To launch DirBuster, at the command prompt type: java -jar DirBuster-0.12.jar, press ENTER
The application will launch and needs to be set up before it can run.

7. In the application window enter the following values:
   a) Target URL: http://IP_Address_of_metasploitable
   b) Work Method: Auto Switch
   c) Select Scanning Type: List based brute force
   d) File with list of dirs/files: click Browse, select "directory-list-2.3-small.txt", click Select List
   e) Leave the remaining options at their default settings.
8. Click Start
Several directories and files will be found, revealing which web application is running. To make sure you correctly identify the web application, let's browse to a directory that has been found.
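A list-based scan like the one just run leaves a very recognisable trace on the server side: one source address producing a burst of 404 responses for paths that never existed. The Python script below is an added example, not part of the lab guide, showing how that trace is detected in an Apache combined-format access log. The log lines are constructed in the script (a normal visitor with one broken link, plus thirty misses two seconds apart from a second address); the tool name in the user-agent is a made-up string, and the rule deliberately ignores the user-agent because it is trivial to change. Window size and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Set

# Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines: List[str], window_seconds: int = 60,
                          threshold: int = 20) -> List[dict]:
    """Flag source IPs that produce at least `threshold` 404s within any
    `window_seconds` span. Lines must be in chronological order per IP, as a
    log file normally is. The user-agent is not consulted: it proves nothing."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    paths: Dict[str, Set[str]] = defaultdict(set)
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop 404s older than the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
        paths[rec["ip"]].add(rec["path"])
    return [{"ip": ip, "peak_404s": n, "distinct_paths": len(paths[ip])}
            for ip, n in sorted(peak.items()) if n >= threshold]


# --- constructed sample log ------------------------------------------------
def _line(ip: str, ts: datetime, path: str, status: int, ua: str) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 290 "-" "{ua}"'


BASE = datetime(2012, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
# An ordinary visitor: two page views and one broken link.
SAMPLE_LOG = [
    _line("10.0.0.5", BASE, "/tikiwiki/", 200, "Mozilla/5.0"),
    _line("10.0.0.5", BASE + timedelta(seconds=40), "/tikiwiki/old-link", 404, "Mozilla/5.0"),
    _line("10.0.0.5", BASE + timedelta(seconds=400), "/twiki/", 200, "Mozilla/5.0"),
]
# A list-based directory scan: 30 guesses two seconds apart, all missing.
# The user-agent string here is constructed; it can be set to anything.
SAMPLE_LOG += [
    _line("10.0.0.9", BASE + timedelta(seconds=60 + 2 * i), f"/guess{i}", 404, "DirBuster-0.12")
    for i in range(30)
]

if __name__ == "__main__":
    for hit in detect_dir_bruteforce(SAMPLE_LOG):
        print(hit)
```

The visitor's single broken link never reaches the threshold, while the scanner peaks at thirty 404s inside one window. Counting distinct paths alongside the peak separates a scan from a client repeatedly reloading one missing resource.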
9. Open Firefox and enter the following in the address bar: http://IP_address_metasploitable/tikiwiki
It looks like the tikiwiki web application is running. Let's search for vulnerabilities with exploit code.
Using exploit-db

Exploit-DB.com is a great resource for exploit code that has been validated, meaning it has been cleaned up and tested.

1. In the Firefox browser go to: http://www.exploit-db.com
2. Click Search on the far right side at the top of the screen
3. In the search form enter "tikiwiki" (without quotes), then click SEARCH
There are several results to choose from, but which will work?
In theory, you could try them all, but that would waste a lot of time. Let's go back to the main twiki page to get the version information and narrow down the potential exploits.
4. In the browser URL bar type: http://192.168.99.102/twiki
5. Click "readme.txt"; perhaps the version info is in this document. It looks like our version is 01 Feb 2003. We should look at earlier exploits.

BackTrack also has a local copy of exploit-db; you can search it for exploits by running "searchsploit" from the exploitdb directory.
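The "search, then narrow by version and date" workflow described above is easy to script over a local index. The Python script below is an added example, not part of the lab guide or of exploit-db's own tooling. It reads a CSV in the column layout of exploit-db's files.csv (id,file,description,date,author,platform,type,port), but every row embedded here is constructed: the ids, dates and titles are placeholders, and the target version "1.9.8" used in the usage line is an assumed value for the demonstration. The version-hint parsing handles the forms that commonly appear in titles ("<= 1.9.8", "2.x", "3.0.x") and keeps entries that carry no hint, since those cannot be ruled out.

```python
import csv
import io
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed index in the column layout of exploit-db's files.csv. Every row is
# invented: ids, dates and descriptions are placeholders, not real entries.
SAMPLE_INDEX = """\
id,file,description,date,author,platform,type,port
90001,platforms/php/webapps/90001.txt,TikiWiki 1.9.x - Example Disclosure Issue (constructed),2006-05-01,example,php,webapps,0
90002,platforms/php/webapps/90002.pl,TikiWiki <= 1.9.8 - Example Code Execution (constructed),2007-10-12,example,php,webapps,0
90003,platforms/php/webapps/90003.txt,TikiWiki 2.x - Example Issue (constructed),2009-03-03,example,php,webapps,0
90004,platforms/cgi/webapps/90004.txt,TWiki 01-Feb-2003 - Example Issue (constructed),2004-11-17,example,cgi,webapps,0
90005,platforms/cgi/webapps/90005.pl,TWiki 4.x - Example Issue (constructed),2008-06-30,example,cgi,webapps,0
90006,platforms/linux/remote/90006.c,Samba 3.0.x - Example Issue (constructed),2007-05-14,example,linux,remote,445
"""

# A version hint as it appears in titles: optional operator, then a dotted version
# whose last component may be the wildcard "x" (e.g. "<= 1.9.8", "2.x", "3.0.x").
# At least one dot is required, so a date like "01-Feb-2003" is not taken as a version.
VER_HINT = re.compile(r"(<=|<)?\s*(\d+(?:\.(?:\d+|x))+)")


def to_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def applies_to(description: str, target: str) -> bool:
    """Does the version hint in a title cover `target`? No hint means the entry
    cannot be ruled out, so it is kept."""
    m = VER_HINT.search(description)
    if not m:
        return True
    op, hint = m.groups()
    t = to_version(target)
    if hint.endswith(".x"):                      # wildcard: compare the prefix only
        prefix = to_version(hint[:-2])
        return t[:len(prefix)] == prefix
    v = to_version(hint)
    if op == "<=":
        return t <= v
    if op == "<":
        return t < v
    return t == v


def load_index(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def search(rows: List[Dict[str, str]], *keywords: str, before: Optional[date] = None,
           target_version: Optional[str] = None, platform: Optional[str] = None) -> List[Dict[str, str]]:
    """AND-match all keywords against the title (case-insensitive), then narrow by
    publication date, by version hint and by platform; results are sorted by date."""
    out = []
    for r in rows:
        title = r["description"].lower()
        if not all(k.lower() in title for k in keywords):
            continue
        if before is not None and date.fromisoformat(r["date"]) >= before:
            continue
        if target_version is not None and not applies_to(r["description"], target_version):
            continue
        if platform is not None and r["platform"] != platform:
            continue
        out.append(r)
    return sorted(out, key=lambda r: r["date"])


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX)
    for r in search(index, "tikiwiki", target_version="1.9.8"):   # assumed version
        print(r["id"], r["date"], r["description"])
```

Searching for "tikiwiki" alone returns every entry naming the product; adding target_version drops the 2.x entry, which is the narrowing step the text asks for. The same function with before=date(2005, 1, 1) reproduces the "look at earlier exploits" filter for the twiki readme date.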
Exploit-DB Challenge

Find the exploit listed that will dump the mysql user and password. Where can you go from here? If you are unsure, we will cover this exploit in Intro To Penetration Testing – Lab Guide Three. (Hint: You can get system root.)
Using Metasploit

Metasploit is a great exploitation framework that provides automation for many of the exploits we found on exploit-db. We will begin by searching for available exploits for tikiwiki.

1. In the BackTrack VM at the command prompt type: msfconsole, press ENTER
2. At the msfconsole prompt type: search tikiwiki, press ENTER
The search will list all modules available for tikiwiki, including exploits and their ranking. In general you want to choose an exploit with a ranking of excellent if possible. Let's use "exploit/unix/webapp/tikiwiki_graph_formula_exec"; it has a ranking of excellent.

3. At the msfconsole prompt type: use exploit/unix/webapp/tikiwiki_graph_formula_exec, press ENTER
4. To see what options we have for running the exploit, type: show options, press ENTER
We can see that there are some required options: RHOST, RPORT, and URI. RPORT and URI already have settings that are fine, but we need to tell the exploit who the remote host (RHOST) is.

5. At the msfconsole prompt type: set RHOST "ip_address_metasploitable", press ENTER
6. To check whether the selected exploit will work, at the prompt type: check, press ENTER
According to the check, the host is vulnerable, let’s exploit it!
What’s Next?
The next step is Exploitation. Please see "Intro To Penetration Testing – Lab Guide Three".