n00bpentesting.com - Análisis de Vulnerabilidades

Vulnerability Analysis

n00bpentesting.com

n00bpentesting.com Lab Guide Two

Twitter @shai_saint 2

Prerequisites 3 Hardware 3 Software 3

Topics Covered 4 A Note 4 Before You Begin 4 Lab 0ne – Vulnerability Research 5

Finding A Vulnerable Application 5 Using exploit-‐db 11

Exploit-‐DB Challenge 12 Using Metasploit 13

What’s Next? 16



Prerequisites Thank you for downloading the n00bpentesting.com Lab Guide Two. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.

Hardware

• Computer with Linux, Windows, or Mac OSX • 4GB RAM • Hard-‐drive with at least 50GB

Software VirtualBox Virtualization Software http://www.virtualbox.org/wiki/Downloads BackTrack 5 R1 Virtual Machine http://www.backtrack-‐linux.org/downloads Windows XP SP2 Virtual Machine Supply your own copy or use a NIST Image NIST -‐ http://nvd.nist.gov/fdcc/download_fdcc.cfm Metasploitable Virtual Machine http://updates.metaspoit.com/data/Metasploitable.zip.torrent



Topics Covered

• Vulnerability Testing • Vulnerability Validation • Vulnerability Research

A Note All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester or one who wants to move into this field should read and regularly reference the standard. It can be found here: http://www.pentest-‐standard.org/

Before You Begin It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success. To Update BackTrack At the command prompt type: apt-‐get update && apt-‐get upgrade && apt-‐get dist-‐upgrade, press ENTER To Update Set At the command prompt type: cd /pentest/exploits/set && svn update, press ENTER To Update Metasploit At the command prompt type: cd /pentest/exploits/framework && svn update, press ENTER



Lab 0ne – Vulnerability Research In this lab you will learn how to apply the knowledge we have of our target to determine if there are vulnerabilities that can be exploited. We have already run NMAP port scanner and did banner grabbing to get exact versions of software running on the open service ports. Let’s look at a few sources of vulnerability information to see if our target is vulnerable. We know the following applications are running on the target based on NMAP scanning. We only completed TCP scans, there will be any services listed that may be running using UDP. PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3. 22/tcp open ssh OpenSSH 4.7p1 (protocol 2) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open domain ISC BIND 9.4.2 80/tcp open http Apache httpd 2.2.8 139/tcp open netbios-‐ssn Samba 3.x 445/tcp open netbios-‐ssn Samba 3.x 3306/tcp open mysql MySql 5.0.51a-‐3ubuntu5 5432/tcp open postgresql PostgreSQL DB 8.3.0 – 8.3.7 8009/tcp open ajp13 Apache Jserv (protocol v1.3) 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

Finding A Vulnerable Application We know what services are running on what ports, but applications truly reside on each service? We can make the assumption that there is some type of web application running because we see in the table above that 80/tcp, 8009/tcp, and 8180/tcp are running web servers. There must be a web app on this server, let’s find it! In order to determine if the web application on the web server is vulnerable we must identify it first.

1. Start the BackTrack VM 2. Start the metasploitable VM 3. Verify IP connectivity by pinging metasploitable from the BackTrack VM

We are going to use an application called DirBuster to find out what directories are available on the web server running on the metasploitable VM. The directory names should give us a good indication what web application is running. We can then look for vulnerabilities.



4. In the Back Track VM at the command prompt type: cd /pentest/web/dirbuster, press ENTER

5. List the contents of the directory by typing: ls, press ENTER



6. To launch DirBuster, at the command prompt type: java –jar Dirbuster-‐0.12.jar, press ENTER



The application will launch and needs setup to run. 7. In the application window enter the following values:

a) Target URL: http://IP_Address_of_metasploitable b) Work Method: Auto Switch c) Select Scanning Type: List based brute force d) File with list of dirs/files: click browse, select “direcroty-‐list-‐2.3-‐

small.txt”, click Select List e) Leave the remaining options at default settings.

8. Click Start



Several directories and files will be found exposing to you what web application is running. To make sure you correctly identify the web application, let’s browse to a directory that has been found.



9. Open Firefox and enter the following in the address bar: http://IP_address_metasploitable/tikiwiki

It looks like the tikiwiki web application is running. Let’s search vulnerabilities with exploit code.



Using exploit-‐db Exploit-‐DB.com is a great resource for exploit code that has been validated, meaning it has been cleaned up and tested.

1. In the Firefox browser go to: http://www.exploit-‐db.com 2. Click search on the far right side at the top of the screen 3. In the search form enter “tikiwiki” (without quotes), then click SEARCH

There are several results to choose from, but which will work?



In theory, you can attempt to use all, but that could waste a lot of time. Let’s go back to the main twiki page to get the version information to narrow our potential exploits.

4. In the browser URL bar type: http://192.168.99.102/twiki

5. Click “readme.txt”, perhaps the version info is in this document. Looks like our version is 01 Feb 2003. We should look at earlier exploits.

BackTrack also has a local copy of the exploit-‐db you can search for exploits by running “searchexploit” from the exploitdb directory.

Exploit-‐DB Challenge Find the exploit listed that will dump the mysql user and password. Where can you get from here? If you are unsure, we will cover this exploit in Intro To Penetration Testing – Lab Guide Three. (Hint: You can get system root.)



Using Metasploit Metasploit is a great exploitation framework that can provide automation for many of the exploits we found on exploit-‐db. We will begin by searching for available exploits for tikiwiki.

1. In the BackTrack VM at the command prompt type: msfconsole, press ENTER



2. At the msfconsole prompt type: search tikiwiki, press ENTER

The search will provide all modules available for tikiwiki, including exploits and their ranking. In general you want to choose an exploit with a ranking of excellent if possible. Let’s use “exploit/unix/webapp/tikiwiki_graph_formula_exec”; it has a ranking of excellent.

3. At the msfconsole prompt type: use exploit/unix/webapp/tikiwiki_graph_formula_exec, press ENTER



4. To see what options we have for running the exploit, type: show options, press ENTER

We can see that there are some required options, RHOST, RPORT, and URI. RPORT and URI have current settings and are fine, but we need to tell the exploit who the remote host (RHOST) is.

5. At the msfconsole prompt type: set RHOST “ip_address_metasploitable”, press ENTER

6. To check if the selected exploit will work at the prompt type: check, press

ENTER

According to the check, the host is vulnerable, let’s exploit it!



What’s Next? The next step is Exploitation. Please see “Intro To Penetration Testing – Lab Guide Three.

n00bpentesting.com - Análisis de Vulnerabilidades

Documents

Transcript of n00bpentesting.com - Análisis de Vulnerabilidades