CEH Lab Manual
Module 12 - Hacking Web Servers

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.
Lab Scenario
Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running on the server side, so attackers target the web server to steal credentials, passwords, and business information, and to disrupt it with DoS (DDoS) attacks, SYN floods, ping floods, port scans, sniffing attacks, and social engineering attacks. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. One approach presented in the literature augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which can then act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives
The objective of this lab is to help students learn to detect unpatched security flaws, verbose error messages, and much more. The objective of this lab is to:
• Footprint web servers
• Crack remote passwords
• Detect unpatched security flaws

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment
To carry out this lab, you need:
• Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers
• A computer running Windows Server 2012 as host machine
• A computer running Windows Server 2008, Windows 8, and Windows 7 as virtual machines
• A web browser with Internet access
• Administrative privileges to run tools

Lab Duration
Time: 40 Minutes

Overview of Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software application that is installed on the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.
Lab Tasks
Recommended labs to demonstrate web server hacking:
• Footprinting a web server using the httprecon tool
• Footprinting a web server using the ID Serve tool
• Exploiting Java vulnerabilities using Metasploit Framework


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Lab 1: Footprinting a Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.
Lab Scenario
Web applications are the most important way for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous in this setting. Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data. DoS attacks are easy for attackers to attempt because of the number of possible attack vectors, the variety of automated tools available, and the low skill level needed to use the tools. DoS attacks, as well as threats of initiating DoS attacks, are also increasingly being used to blackmail organizations. In order to be an expert ethical hacker and penetration tester, you must understand how to perform footprinting on web servers.

Lab Objectives
The objective of this lab is to help students learn to footprint web servers. It will teach you how to:
• Use the httprecon tool
• Get a web server footprint

Lab Environment
To carry out the lab, you need:
• httprecon tool located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon
• You can also download the latest version of httprecon from the link http://www.computec.ch/projekte/httprecon
• If you decide to download the latest version, then screenshots shown in the lab might differ
• Run this tool in Windows Server 2012
• A web browser with Internet access
• Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of httprecon
httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations. httprecon is an open-source application that fingerprints the server implementation behind an HTTP service rather than trusting what the service announces about itself.
Task 1: Footprinting a Webserver

Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.
[Figure: httprecon 7.3 main window. Menu: File, Configuration, Fingerprinting, Reporting, Help. Target field: http:// <host> :80. Test-case tabs: GET existing | GET long request | GET non-existing | GET wrong protocol | HEAD existing | OPTIONS common | ... Result tabs: Full Matchlist (Name, Hits, Match %) | Fingerprint Details | Report Preview.]
FIGURE 1.1: httprecon main window

Note: httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

4. Enter the web site (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered web site.
6. You should receive a footprint of the entered web site.
[Figure: httprecon 7.3 with target juggyboy.com on port 80, identified as Microsoft IIS 6.0. The GET existing tab shows the raw response:]
HTTP/1.1 200 OK
Date: Thu, 18 Oct 2012 11:36:10 GMT
Content-Length: 8451
Content-Type: text/html
Content-Location: http://juggyboy.com/index.html
Last-Modified: Tue, 02 Oct 2012 11:32:12 GMT
Accept-Ranges: none
ETag: "a47ee9091a0cd1:7a49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Matchlist (352 implementations), by Name / Hits / Match %:
Microsoft IIS 6.0         88   100
Microsoft IIS 5.0         71   80.68
Microsoft IIS 7.0         63   71.59
Microsoft IIS 5.1         63   71.59
Sun ONE Web Server 6.1    63   71.59
Apache 1.3.26             62   70.45
Zeus 4.3                  62   70.45
Apache 1.3.37             60   68.18

FIGURE 1.2: The footprint result of the entered website

Note: httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation. The scan engine of httprecon uses nine different requests, which are sent to the target web server.

7. Click the GET long request tab, which lists the GET request and its response. Then click Fingerprint Details.

[Figure: httprecon 7.3, target juggyboy.com, GET long request tab. Raw response:]
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 18 Oct 2012 11:35:20 GMT
Connection: close
Content-Length: 34

Fingerprint Details for this test case:
Protocol Version      HTTP/1.1
Statuscode            400
Statustext            Bad Request
Banner                (empty: this response carries no Server header)
X-Powered-By          (empty)
Header Spaces         1
Capital after Dash    1
Header-Order Full     Content-Type,Date,Connection,Content-Length
Header-Order Limit    Content-Type,Date,Connection,Content-Length

FIGURE 1.3: The fingerprint and GET long request result of the entered website

Note: httprecon does not rely on simple banner announcements by the analyzed software. The empty Banner row above is itself a fingerprint element: IIS 6.0 omits the Server header on its 400 page, and that absence is matched like any other value.


Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: httprecon
Information Collected/Objectives Achieved: Footprint of the juggyboy web site
• Content-Type: text/html
• Content-Location: http://juggyboy.com/index.html
• ETag: "a47ee9091a0cd1:7a49"
• Server: Microsoft-IIS/6.0
• X-Powered-By: ASP.NET
Questions
1. Analyze the major differences between classic banner grabbing of the Server line and httprecon.
2. Evaluate the type of test requests sent by httprecon to web servers.

Internet Connection Required: Yes
Platform Supported: Classroom

Lab 2: Footprinting a Webserver Using ID Serve
ID Serve is a simple, free, small (26 Kbytes), and fast general-purpose Internet server identification utility.
Lab Scenario
In the previous lab you learned to use the httprecon tool. httprecon is a tool for advanced web server fingerprinting, similar to httprint. It is very important for penetration testers to be familiar with banner-grabbing techniques, both to monitor servers for compliance and appropriate security updates and to locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner-grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to footprint a web server.

Lab Objectives
This lab will show you how to footprint web servers and how to use ID Serve. It will teach you how to:
• Use the ID Serve tool
• Get a web server footprint

Lab Environment
To carry out the lab, you need:
• ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
• You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm
• If you decide to download the latest version, then screenshots shown in the lab might differ
• Run this tool on Windows Server 2012 as host machine
• A web browser with Internet access
• Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of ID Serve
ID Serve attempts to determine the domain name associated with an IP. This process is known as a reverse DNS lookup and is handy when checking firewall logs or receiving an IP address from someone. Not all IPs that have a forward direction lookup (domain-to-IP) have a reverse (IP-to-domain) lookup, but many do. The part of ID Serve used for footprinting in this lab is its server query: it opens a TCP connection to the given host and port, sends a request, and shows the raw response headers it gets back, including the Server line if the target sends one.
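Everything ID Serve does in a server query can be seen in a short socket program. The following is an added example written for this edition, not ID Serve's or GRC's code: it opens a TCP connection, sends one HEAD request, and reads back the status line and the Server header. To run offline it starts two constructed stand-in servers on a loopback port (hypothetical, not the lab's 10.0.0.2 host): one that announces Microsoft-IIS/8.0 as in the Lab Analysis table below, and one whose Server header has been removed.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host, port, path="/", timeout=5.0):
    """Connect over plain TCP, send one HEAD request, and return
    (status_line, server_header). server_header is None when the target
    sends no Server line, which is exactly what leaves ID Serve's
    "The server identified itself as:" box empty."""
    request = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:          # read until the end of the headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace").split("\r\n")
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return lines[0], server


# Constructed stand-ins for the lab's 10.0.0.2 target, served on a loopback port.
class TalkativeIIS(BaseHTTPRequestHandler):
    """Announces itself the way the lab's IIS 8.0 host does."""
    def version_string(self):
        return "Microsoft-IIS/8.0"          # value placed in the Server header

    def do_HEAD(self):
        self.send_response(200)             # adds Server and Date headers
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):           # keep the demo quiet
        pass


class QuietServer(TalkativeIIS):
    """Same service after the Server header has been removed (a common hardening step)."""
    def do_HEAD(self):
        self.send_response_only(200)        # status line only: no Server, no Date
        self.send_header("Content-Type", "text/html")
        self.end_headers()


def grab_from_local(handler_cls):
    """Start handler_cls on 127.0.0.1:<random port>, grab its banner, tear it down."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return grab_banner("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (TalkativeIIS, QuietServer):
        status, server = grab_from_local(cls)
        print(f"{cls.__name__}: {status}; server identified itself as: {server!r}")
```

The second server shows why the "The server identified itself as:" box in Figure 2.2 can be empty while the query still succeeds: a banner grab reports only what the target chooses to say, and an administrator can remove or falsify the Server header. Treat the banner as a hint to confirm with behavioural fingerprinting (as in Lab 1) or version-specific requests, never as proof of the version.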

Task 1: Footprinting a Webserver

Lab Tasks
1. In Windows Server 2012, navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve.
2. Double-click idserve.exe to launch ID Serve.
3. The main window appears. Click the Server Query tab as shown in the following figure.


[Figure: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. Tabs: Background | Server Query | Q&A/Help. Server Query tab: field 1 "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)"; button 2 "Query The Server" ("When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server"); box 3 "Server query processing:"; box 4 "The server identified itself as:"; buttons Copy and Goto ID Serve web page.]
FIGURE 2.1: Welcome screen of ID Serve

Note: ID Serve can connect to any server port on any domain or IP address.

4. In option 1, enter (or copy/paste an Internet server URL or IP address) the web site (URL) you want to footprint.
5. Enter http://10.0.0.2/realhome (the IP address is where the real home site is hosted) in step 1.



6. Click Query The Server to start querying the entered web site.
7. After the query completes, ID Serve displays the results for the entered web site as shown in the following figure.
[Figure: ID Serve, Server Query tab, with http://10.0.0.2/realhome entered in field 1. Server query processing shows:]
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
Accept-Ranges: bytes
ETag: "c95dc4af6274cd1:0"

[The "The server identified itself as:" box appears empty in the figure.]
FIGURE 2.2: ID Serve detecting the footprint

Note: ID Serve uses the standard Windows TCP protocol when attempting to connect to a remote server and port. ID Serve can almost always identify the make, model, and version of any web site's server software.

Lab Analysis
Document all the server information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: ID Serve
Information Collected/Objectives Achieved:
• Server Identified: Microsoft-IIS/8.0
• Server Query Processing:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT
  Accept-Ranges: bytes
  ETag: "c95dc4af6274cd1:0"


Questions
1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required: No
Platform Supported: Classroom, iLabs


Lab 3: Exploiting Java Vulnerability Using Metasploit Framework
Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Lab Scenario
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known subproject is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important subprojects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

Lab Objectives
The objective of this lab is to demonstrate exploitation of JDK vulnerabilities to take control of a target machine.

Lab Environment
In this lab, you need:
• Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
• You can also download the latest version of Metasploit Framework from the link
• If you decide to download the latest version, then screenshots shown in the lab might differ
• A computer running Windows Server 2012 as host machine
• Windows 8 running on a virtual machine as target machine
• A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine
• JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
• You can also download the JRE 7u6 setup file from the link
• Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploit that takes advantage of two issues in JDK 7: ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference to, and gain access to, a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, the exploit can invoke getField() by abusing findMethod() in Statement.invokeInternal() (getField() must be public, and that is not always the case in JDK 6) in order to access Statement.acc's private field, modify the AccessControlContext, and then disable the Security Manager. Once the Security Manager is disabled, arbitrary Java code can be executed. This is the chain behind CVE-2012-4681. The vulnerable code runs in the victim's browser when it loads a malicious page carrying the applet, so the target in this lab is the JRE 7u6 on the Windows 8 virtual machine, not a web server; Metasploit plays the role of the malicious web server.

Task 1: Installing Metasploit Framework
1. Install Metasploit on the host machine Windows Server 2012.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.

[Figure: Firefox "This Connection is Untrusted" page for https://localhost:3790. "You have asked Firefox to connect securely to localhost:3790, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue." Buttons: Get me out of here!, Technical Details, I Understand the Risks.]
FIGURE 3.1: Metasploit Untrusted connection in web browser

4. Click Add Exception.
[Figure: the same Firefox "This Connection is Untrusted" page for https://localhost:3790 with "I Understand the Risks" expanded, showing the Add Exception button.]
FIGURE 3.2: Metasploit Adding Exceptions

5. In the Add Security Exception wizard, click Confirm Security Exception.


[Figure: Firefox Add Security Exception dialog. "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this." Certificate Status: "This site attempts to identify itself with invalid information. Wrong Site: Certificate belongs to a different site, which could indicate an identity theft. Unknown Identity: Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature." Permanently store this exception (checked); buttons Confirm Security Exception and Cancel.]
FIGURE 3.3: Metasploit Add Security Exception

Note: the warning is expected here because the Metasploit web interface on localhost uses a self-signed certificate it generated at install time; the same dialog is what a real man-in-the-middle attack would produce, so only add exceptions for services you control.

6. On the Metasploit - Setup and Configuration Login screen, enter text in the Username, Password, and Password confirmation fields and click Create Account.
[Figure: Metasploit Setup and Configuration account creation page: Username, Password, Password confirmation; Optional Info & Settings: Email address, Organization, Time zone ((GMT+00:00) UTC); button Create Account.]
FIGURE 3.4: Metasploit Creating an Account

Note: Once the Security Manager is disabled, the exploit can execute arbitrary Java code. The module's description states that it has been tested successfully against multiple platforms, including IE, Firefox, Safari and Chrome on Windows, Ubuntu, OS X, Solaris, etc.

7. Click GET PRODUCT KEY in the Metasploit - Activate Metasploit window.

Note: Oracle's Security Alert for this issue addresses CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops.

8. Enter your valid email address in the Metasploit Community option and click GO.

Note: These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

[Figure: Rapid7 "Choose between two FREE Metasploit Offers" page. Left: Metasploit Pro trial (smart exploitation, password auditing, web application scanning, social engineering, team collaboration, reporting, enterprise-level support). Right: Metasploit Community FREE EDITION (network discovery, vulnerability scanner import, basic exploitation, module browser), with an "Enter email address" field and GO button.]
FIGURE 3.6: Metasploit Community version for License Key

Note: These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password.

9. Now log in to your email account and copy the license key as shown in the following figure.
Your Metasploit Community Edition Product Key
Bates, Ariana anana_bates@raptd7 com vis bounces netsuite com
to me ■‫׳‬

To be successfully
exploited, an unsuspecting
user running an affected
release in a browser will
need to visit a malicious
web page that leverages tins
vulnerability. Successful
exploits can impact the

availability, integrity, and
confidentiality of the user's
system.


FIGURE 3.7: Metasploit License Key in your email ID provided

10. Paste the product key and click Next to continue.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.



The Metasploit Framework will always be free and open source. The Metasploit Project and Rapid7 are fully committed to supporting and growing the Metasploit Framework as well as providing advanced solutions for users who need an alternative to developing their own penetration testing tools. It's a promise.


FIGURE 3.8: Metasploit Activating using License Key

11. Click Activate License to activate the Metasploit license.



FIGURE 3.9: Metasploit Activation
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMware, VirtualBox, and other common virtualization platforms.

12. The Activation Successful window appears.

FIGURE 3.10: Metasploit Activation Successful
TASK 3: Updating Metasploit

13. Go to Administration and click Software Updates.


FIGURE 3.11: Metasploit Updating Software

14. Click Check for Updates, and after checking the updates, click Install.



By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network. (Note: A video tutorial on installing Metasploitable 2 is available at the link Tutorial on installing Metasploitable 2.0 on a Virtual Box Host Only network.)

FIGURE 3.12: Metasploit Checking for Updates

15. After completing the updates it will ask you to restart, so click Restart.

This document outlines many of the security flaws in the Metasploitable 2 image. Currently missing is documentation on the web server and web application flaws as well as vulnerabilities that allow a local user to escalate to root privileges. This document will continue to expand over time as many of the less obvious flaws with this platform are detailed.

16. Wait until Metasploit restarts.



TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and run the following command as your local root user. If you are prompted for an SSH key, this means the rsh-client tools have not been installed and Ubuntu is defaulting to using SSH.


FIGURE 3.14: Metasploit Restarts

Creating a New Metasploit Project

17. After the restart completes, you are redirected to Metasploit - Home. Now click Create New Project from the Project drop-down list.


This is about as easy as it gets. The next service we should look at is the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported.



FIGURE 3.15: Metasploit Creating a New Project

18. In Project Settings, provide the Project Name and enter a Description, leave the Network Range set to its default, and click Create Project.

The Metasploit Framework is a penetration testing system and development platform that you can use to create security tools and exploits. The Metasploit Framework is written in Ruby and includes components in C and assembler. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the Metasploit Framework is a module launcher that allows the user to configure an exploit module and launch the exploit against a target system.


FIGURE 3.16: Metasploit Project Settings

19. Click the Modules tab after the project is created.

FIGURE 3.17: Metasploit Modules Tab
TASK 5: Running the Exploit

20. Enter the CVE ID (2012-4681) in Search Modules and press Enter.

Metasploit Pro contains tasks, such as bruteforce and discovery, in the form of modules. The modules automate the functionality that the Metasploit Framework provides and enable you to perform multiple tasks simultaneously.


A project is the logical component that provides the intelligent defaults, penetration testing workflow, and module-specific guidance during the penetration test.

FIGURE 3.18: Metasploit Searching for Java Exploit

21. Click the Java 7 Applet Remote Code Execution link.

In addition to the capabilities offered by the open source framework, Metasploit Pro delivers a full graphical user interface, automated exploitation capabilities, complete user action audit logs, custom reporting, combined with an advanced penetration testing workflow.


FIGURE 3.19: Metasploit Java 7 Applet Remote Code Execution Exploit found

22. Configure the exploit settings:

a. In Payload Options, set the Connection Type to Reverse and in Listener Host, enter the IP address where Metasploit is running.
b. In Module Options, enter the SRV Host IP address where Metasploit is running.
c. Enter the URI Path (in this lab we are using greetings) and click Run Module.


IPv6 is the latest version of the Internet Protocol designed by the Internet Engineering Task Force to replace the current version of IPv4. The implementation of IPv6 predominantly impacts addressing, routing, security, and services.


FIGURE 3.20: Metasploit Running Module

23. The task is started as shown in the following screenshot.
In Metasploit Pro, you can define IPv6 addresses for target hosts. For example, when you perform a discovery scan, scan a web application, execute a bruteforce attack, or run a module, you can define an IPv6 address for the target hosts. For modules, Metasploit Pro provides several payloads that provide IPv6 support for Windows x86, Linux x86, BSD x86, PHP, and cmd.


FIGURE 3.21: Metasploit Task Started

24. Now switch to the Windows 8 virtual machine, launch the Chrome browser, enter http://10.0.0.10:8080/greetings in the address bar and press Enter.

25. Click Run this time on the Java(TM) was blocked because it is out of date prompt in the Chrome browser.



Note: Metasploit Pro does not support IPv6 for link local broadcast discovery, social engineering, or pivoting. However, you can import IPv6 addresses from a text file or you can manually add them to your project. If you import IPv6 addresses from a text file, you must separate each address with a new line.

FIGURE 3.22: Windows 8 Virtual Machine - Running the Exploit

26. Now switch to your Windows Server 2012 host machine and check the Metasploit task pane. Metasploit will start capturing the reverse connection from the target machine.

Project Management

A Metasploit Pro project contains the penetration test that you want to run. A project defines the target systems, network boundaries, modules, and web campaigns that you want to include in the penetration test. Additionally, within a project, you can use discovery scan to identify target systems and bruteforce to gain access to systems.

FIGURE 3.23: Metasploit Capturing the reverse connection of the targeted machine

27. Click the Sessions tab to view the captured connection of the target machine.
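The sequence in steps 22 to 27, a browser fetching a lure page from a server on a non-standard web port and the same client then opening a fresh outbound connection back to that server, is the pattern a defender can correlate in proxy or firewall logs. The following Python is an added example, not part of the CEH manual or of Metasploit; its log format, the client address 10.0.0.20 and the callback port 4444 are constructed, while 10.0.0.10 and /greetings are the values this lab uses.

```python
"""Correlate a lure fetch with a follow-on callback from the same client.

Log format (constructed for this example): one event per line,
"<unix_ts> <src_ip> <dst_ip> <dst_port> <url_or_->", where "-" marks a
plain TCP connection with no HTTP request attached.
"""
from collections import defaultdict

WEB_PORTS = {80, 443}   # ports where a web fetch is unremarkable
WINDOW = 60             # seconds between lure fetch and callback to correlate

# Constructed sample log: 10.0.0.20 fetches the lab's lure URL on port 8080
# and three seconds later opens a new connection back to the same server on
# a high port (4444 is a constructed placeholder for the listener port).
# 10.0.0.30 shows ordinary HTTPS traffic that must not be flagged.
SAMPLE_LOG = """\
1352800100 10.0.0.20 10.0.0.10 8080 http://10.0.0.10:8080/greetings
1352800103 10.0.0.20 10.0.0.10 4444 -
1352800200 10.0.0.30 93.184.216.34 443 https://example.org/
1352800260 10.0.0.30 93.184.216.34 443 -
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, url = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "url": url})
    return events


def find_lure_callbacks(events, window=WINDOW):
    """Return (src, dst, lure_url, callback_port) for each client that fetched
    a URL from a non-standard web port and, within `window` seconds, opened a
    non-HTTP connection to the same server on a different port."""
    lures = defaultdict(list)   # (src, dst) -> [(ts, url, port), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["url"] != "-":
            if ev["port"] not in WEB_PORTS:
                lures[key].append((ev["ts"], ev["url"], ev["port"]))
            continue
        # Plain connection: look for a recent lure fetch from the same pair.
        for ts, url, lure_port in lures[key]:
            if 0 <= ev["ts"] - ts <= window and ev["port"] != lure_port:
                alerts.append((ev["src"], ev["dst"], url, ev["port"]))
                break
    return alerts


if __name__ == "__main__":
    for src, dst, url, port in find_lure_callbacks(parse_log(SAMPLE_LOG)):
        print(f"possible lure-and-callback: {src} fetched {url} from {dst}, "
              f"then connected to {dst}:{port}")
```

WEB_PORTS and the 60-second window are tuning assumptions; a legitimate development server on 8080 matches the first half of the pattern on its own, which is why the check only alerts when the follow-on connection to a second port also appears.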
