5.3.3 Exercise 13............................................................................................................144
Offensive Security
Lab Exercises
Mati Aharoni
MCT, MCSE + Security, CCNA, CCSA, HPOV, CISSP
1
© All rights reserved to Author Mati Aharoni, 2007
Table of Contents
A note from the author...................................................................................................................10
Legal Stuff......................................................................................................................................14
REALLY REALLY IMPORTANT NOTE:...............................................................................................14
Before we begin.........................................................................................................................15
1. Module 1 - BackTrack Basics.....................................................................................................18
1.1 Finding your way around the tools......................................................................................19
1.1.1 Exercise 1.................................................................................................................21
1.2 Basic Services.....................................................................................................................22
1.2.1 DHCP.......................................................................................................................22
1.2.2 Static IP assignment................................................................................................22
1.2.3 Apache.....................................................................................................................23
1.2.4 SSHD.......................................................................................................................23
1.2.5 Tftpd........................................................................................................................25
1.2.6 VNC Server.............................................................................................................25
1.2.7 Exercise 2................................................................................................................26
1.3 Basic Bash Environment.....................................................................................................28
Overview................................................................................................................................28
1.3.1 Simple Bash Scripting.............................................................................................28
1.3.2 Exercise 3 ...............................................................................................................29
1.3.3 Possible Solution for ICQ Exercise..........................................................................30
1.3.4 Exercise 4................................................................................................................36
1.4 Netcat The Almighty...........................................................................................................37
Overview................................................................................................................................37
1.4.1 Connecting to a TCP/UDP port with Netcat............................................................37
1.4.2 Listening on a TCP/UDP port with Netcat...............................................................39
1.4.3 Transferring files with Netcat.................................................................................40
1.4.4 Remote Administration with Netcat........................................................................42
1.4.4.1 Scenario 1 – Bind Shell.................................................................................43
1.4.4.2 Scenario 2 – Reverse Shell...........................................................................45
1.4.5 Exercise 5................................................................................................................47
1.5 Using WireShark (Ethereal)................................................................................................49
Overview................................................................................................................................49
1.5.1 Peeking at a Sniffer.................................................................................................50
1.5.2 Capture filters.........................................................................................................53
1.5.3 Following TCP Streams...........................................................................................54
1.5.4 Exercise 6 ...............................................................................................................55
2. Module 2 - Information Gathering Techniques...........................................................................56
A note from the authors.............................................................................................................57
2.1 Open Web Information Gathering.......................................................................................59
Overview................................................................................................................................59
2.1.1 Google Hacking.......................................................................................................59
2.1.1.1 Advanced Google Operators.........................................................................59
2.1.1.2 Searching within a Domain..........................................................................60
2.1.1.3 Nasty Example #1........................................................................................61
2.1.1.4 Nasty Example #2........................................................................................64
2.1.1.5 Email Harvesting..........................................................................................66
2.1.1.6 Finding Vulnerable Servers using Google....................................................70
2.1.1.7 Google API....................................................................................................71
2.2 Miscellaneous Web Resources...........................................................................................72
2.2.1 Other search engines ..............................................................................................72
2.2.2 Netcraft....................................................................................................................73
2.2.3 Whois Reconnaissance............................................................................................75
2.3 Exercise 7 ............................................................................................................................80
3. Module 3 - Open Services Information Gathering......................................................................82
A note from the authors.............................................................................................................82
3.1 DNS Reconnaissance...........................................................................................................83
3.1.1 Interacting with a DNS server..................................................................................83
3.1.1.1 MX Queries...................................................................................................84
3.1.1.2 NS Queries...................................................................................................85
3.1.2 Automating lookups.................................................................................................85
3.1.3 Forward lookup bruteforce.....................................................................................86
3.1.4 Reverse lookup bruteforce......................................................................................90
3.1.5 DNS Zone Transfers................................................................................................92
3.1.6 Exercise 8 ................................................................................................................99
3.2 SNMP reconnaissance.......................................................................................................101
3.2.1 Enumerating Windows Users...............................................................................102
3.2.2 Enumerating Running Services.............................................................................102
3.2.3 Enumerating open TCP ports................................................................................103
3.2.4 Enumerating installed software............................................................................104
3.2.5 Exercise 9 ..............................................................................................................108
3.3 SMTP reconnaissance.......................................................................................................109
3.3.1 Exercise 10.............................................................................................................111
3.4 Microsoft Netbios Information Gathering.........................................................................112
3.4.1 Null sessions...........................................................................................................112
3.4.2 Scanning for the Netbios Service...........................................................................114
3.4.3 Enumerating Usernames........................................................................................115
3.4.4 Exercise 11.............................................................................................................116
4. Module 4 - Port Scanning.........................................................................................................117
A note from the authors...........................................................................................................117
4.1 TCP Port Scanning Basics.................................................................................................118
4.2 UDP Port Scanning Basics................................................................................................120
4.3 Port Scanning Pitfalls........................................................................................................120
4.4 Nmap.................................................................................................................................120
4.5 Scanning across the network............................................................................................123
4.5.1 Exercise 11 ............................................................................................................127
4.6 Unicornscan......................................................................................................................128
5. Module 5 - ARP Spoofing..........................................................................................................133
A note from the authors...........................................................................................................133
5.1 The Theory........................................................................................................................133
5.2 Doing it the hard way........................................................................................................134
5.2.1 Victim Packet.........................................................................................................136
5.2.2 Gateway Packet.....................................................................................................137
5.3 Ettercap.............................................................................................................................140
5.3.1 DNS Spoofing........................................................................................................142
5.3.2 Fiddling with traffic...............................................................................................144
5.3.3 Exercise 12............................................................................................................147
6. Module 6 - Buffer Overflow Exploitation (Win32).....................................................................148
A note from the authors...........................................................................................................148
Overview..............................................................................................................................149
6.1 Looking for the Bugs.........................................................................................................149
6.2 Fuzzing..............................................................................................................................150
6.3 Replicating the Crash........................................................................................................152
6.4 Controlling EIP..................................................................................................................154
6.4.1 Binary Tree analysis..............................................................................................154
6.4.2 Sending a unique string........................................................................................155
6.5 Locating Space for our Shellcode.....................................................................................158
6.6 Redirecting the execution flow..........................................................................................160
6.7 Finding a return address...................................................................................................161
6.7.1 Using OllyDbg.......................................................................................................161
6.8 Getting our shell................................................................................................................165
6.9 Improving exploit stability................................................................................................169
6.9.1 Exercise 13.............................................................................................................170
7. Module 7 - Working With Exploits............................................................................................172
7.1 Looking for an exploit on BackTrack..................................................................................177
7.1.1 RPC DCOM Example..............................................................................................177
7.1.2 Wingate Example....................................................................................................180
7.1.3 Exercise 14.............................................................................................................190
7.2 Looking for exploits on the web.........................................................................................191
7.2.1 Security Focus .......................................................................................................191
7.2.2 Milw0rm.com..........................................................................................................194
8. Module 8 - Transferring Files...................................................................................................195
Exercise....................................................................................................................................195
8.1 The non interactive shell....................................................................................................196
8.2 Uploading Files..................................................................................................................197
8.2.1 Using TFTP.............................................................................................................197
8.2.1.1 TFTP Pros ..................................................................................................199
8.2.1.2 TFTP Cons .................................................................................................199
8.2.2 Using FTP...............................................................................................................199
8.2.3 Inline Transfer - Using echo and DEBUG.exe.........................................................200
8.3 Exercise 15........................................................................................................................201
9. Module 9 - Exploit Frameworks...............................................................................................202