What is the vulnerable program

Reference no: EM133633007

Network Security

Project: Introduction to Penetration Testing

The goal of this project:
Penetration testing is an important part of ensuring the security of a system. This project introduces some of the common tools used in penetration testing, while also exploring common vulnerabilities (such as Shellshock and setUID bit exploits).

On September 24, 2014, a severe vulnerability in Bash, nicknamed Shellshock, was identified. This vulnerability affects many systems and can be exploited either remotely or from a local machine. In this project, you will gain a better understanding of the Shellshock vulnerability by exploiting it to attack a machine. The learning objective of this project is to get first-hand experience with this interesting attack, understand how it works, and think about the lessons that we can take away from it.

Installing VirtualBox

1. Install VirtualBox if it is not already installed. This project requires the latest version of VirtualBox. Using an earlier version of VirtualBox has been known to cause errors where the project VM freezes, so if you run into this, ensure you are running VirtualBox 6.1.0 or later.

2. Download the Oracle VirtualBox Extension Pack (available at the same location as VirtualBox).

3. Import the Extension Pack under File -> Tools -> Extension Pack Manager.

4. In VirtualBox, go to File -> Tools -> Network Manager.

5. Select the NAT network tab and click on Create. Right-click on the newly created NAT network, click on Properties and rename it to something related to the project. Then save it and close the preferences.

Installing the Kali Linux VM (feel free to use any other OS, but we recommend using Kali):

6. Download the 64-bit VirtualBox version of the Kali VM from the link: kali download

7. Extract the above zip and double-click on the vbox file. Once you have imported the VM, you'll need to go into the VM Settings and increase the number of CPUs if possible, as well as the RAM. Also enable 3D acceleration and set the zoom level to 300 (it makes it easier to read).

8. Go to the new Kali VM's settings. In the Network tab, change "Attached to:" from NAT to "NAT Network" in the Adapter 1 tab. The name of the network should autofill to your newly created network if you only have one, but if you have multiple NAT networks, you'll need to select the correct one.

9. Start the Kali VM. The default username/password is kali/kali.

10. Repeat the process with the other VM (shellshock_server.ova), which you will download in a later step, so that these two VMs can communicate with each other.

Vulnerable machine

11. Download the project appliance using the link below:
    1. shellshock_server.ova
       sha256sum: b8729307ad6849d17c6b88e8a5893d5f7a7ccf3167d9279e4067039379be1703

12. Double-click the downloaded ova file to start its import process.

13. Once imported, adjust the CPU and RAM for this VM like you did for the Kali VM. Ensure Adapter 1 is set to NAT Network and the name of the NAT Network is the name you specified when creating it in step 5.

14. Boot up the shellshock_server and you're good to go.

NOTE: You do not need to log into the shellshock VM. Once you see the login screen, you're good to go.
Leave the shellshock VM running and switch to the Kali VM for the rest of the project.

15. Now try to connect to the shellshock VM server from Kali. Once you find the IP of the VM in Task 1 below, navigate to the following URL: https://<IP address of the shellshock_server VM>:<http port found in part 1>/cgi-bin/shellshock.cgi
Then you should be able to see the content:

16. Notice that you do not need the password to access the web content hosted on the VM server. Instead of using a real server, it is safer to perform the attack on an emulated Apache HTTP Server VM. To be clear, you will not be logging into the shellshock VM during this project. Once you configure the shellshock VM by following steps 17-20 above, you will be exploiting it externally, from the Kali VM, by exploiting the Shellshock vulnerability.

Project Tasks

Task 1: Network Scanning
The first step in any penetration test is to gather information about the network and servers you'll be exploiting. In this task, you will perform network scanning and answer a few questions based on your findings. On startup, the shellshock VM listens on several ports for incoming messages.

1. Find the IP address of the vulnerable VM on the NAT network using nmap.

2. Use nmap to identify all the open ports on the shellshock server and submit the port number which handles the http traffic to the Apache web server on the VM.
Note: If possible, please use VirtualBox for this part, since in previous semesters VMware has been known to cause some issues with the network setup and Task 1.

Task 2: Attack CGI Program
In this task, you will launch the Shellshock attack on a remote web server. Many web servers enable CGI, which is a standard method used to generate dynamic content on Web pages and Web applications. Many CGI programs are written using a shell script. Therefore, before a CGI program is executed, the shell program will be invoked first, and such an invocation can be triggered by a user from a remote computer.
To access this CGI program from the Web, you need to first check that the server VM is running. Then, you can either use a browser by typing the following URL:
https://<IP address found in part 1>:<http port found in part 1>/cgi-bin/shellshock.cgi
or use the following command line program curl to do the same thing:
$ curl https://<IP address found in part 1>:<http port found in part 1>/cgi-bin/shellshock.cgi
For this task, your goal is to launch the attack through this URL, such that you can achieve something that you cannot do as a remote user. For example, you can execute some file on the server, or look up some file located on the server. When you successfully launch an attack, please execute the /bin/task2 program (which needs your GT username as the input) inside the VM. It will generate the submission hash for you.
For students that want to verify their work, here's an example correct input/output for /bin/task2:
$ /bin/task2 gburdell3
Here is your task2 hash:
5fb2eef938755ab61f49c41a7085b0957253ab7fea06728a4b3b80d863c31b31
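The paragraph above describes the mechanism that makes this attack possible: Apache hands request headers to a CGI script as environment variables, and an unpatched bash executes whatever follows an exported function definition. From the defender's side, that same mechanism gives a reliable log signature. The following is an added example, not part of the course project or its VM: it parses Apache combined-format access log lines and flags any request whose User-Agent, Referer or request line carries the "() {" function-definition prefix. The log lines are constructed for illustration, and the probe shown in the last one runs only a harmless echo.

```python
"""Flag HTTP requests whose header values carry a Shellshock-style bash
function definition (added example; not part of the course project).

Apache exposes request headers such as User-Agent and Referer to CGI scripts
as environment variables. An unpatched bash executes code appended to an
exported function definition, so a header value beginning with "() {" is
the signature IDS rules and log reviews look for.
"""
import re
from dataclasses import dataclass

# Apache "combined" log format. The sample lines further down are constructed.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash exports a function as an environment variable whose value starts with
# "() {". Whitespace between the tokens varies between probes, so tolerate it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


@dataclass
class Finding:
    ip: str
    request: str
    field: str      # which part of the request carried the signature
    value: str


def parse_combined(line):
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines):
    """Return one Finding per request that carries the Shellshock signature
    in its User-Agent, Referer or request line."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format; a real deployment would count these
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append(Finding(rec["ip"], rec["request"], field, rec[field]))
                break  # one alert per request is enough
    return findings


# Constructed sample log (not captured from the project VM). Only the last
# line is a probe; its payload is an inert echo.
SAMPLE_LOG = [
    '10.0.2.15 - - [10/Oct/2023:13:55:36 -0400] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.2.15 - - [10/Oct/2023:13:55:40 -0400] "GET /cgi-bin/profile.cgi HTTP/1.1" 200 1034 "http://10.0.2.4/cgi-bin/shellshock.cgi" "Mozilla/5.0"',
    '10.0.2.15 - - [10/Oct/2023:13:56:01 -0400] "GET /index.html HTTP/1.1" 404 209 "-" "curl/7.88.1"',
    '10.0.2.15 - - [10/Oct/2023:13:56:12 -0400] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
]


def main():
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f.ip} {f.request} [{f.field}] {f.value!r}")


if __name__ == "__main__":
    main()
```

Detection is the second line of defence here; the first is an updated bash (the 2014 fixes stop bash from executing anything after the function body) and not exposing shell-based CGI scripts to the network at all.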

Task 3: Reverse Shell with Metasploit
Now you have successfully launched the Shellshock attack, and you can execute commands on the server VM. However, during a penetration test, you likely won't have time to craft a payload for every exploit you use. And what if the server was not in fact vulnerable to Shellshock? How would you know if your exploit failed because it was wrong, or because there was no vulnerability?

That is where Metasploit comes in. Metasploit is a standard in the penetration testing community. It allows pen testers to run precompiled exploits against a host, using predefined payloads. For this project, we're going to use Metasploit to establish a reverse shell between your machine and the host machine.

Let us first see how Metasploit works by using it to scan the open TCP ports of the shellshock_server VM. While this is a task better suited to tools like nmap, as seen in Task 1, it serves as a good demonstration of how to use a Metasploit module. If you have used Metasploit before, you can skip this introduction and go directly to the Task 3 Assignments section at the end.

1. Begin by opening a new terminal on your Kali VM. In the new terminal, type: msfconsole. After a moment, the Metasploit Framework console (msfconsole) will load. For this project, the msfconsole is the main way of accessing Metasploit. While there are other tools and command prompts associated with Metasploit, the msfconsole is suitable for the entirety of this project.

2. For this example, we're going to scan the ports of a host. You can use the results from Task 1 to ensure Metasploit is behaving properly. In practice, using a Metasploit module solely for the purpose of scanning ports on a host is a little overcomplicated, since nmap can do much more and takes less setup, but this does offer a good introduction to using a Metasploit module.

3. A Metasploit module is the base of any task performed in Metasploit. It consists of Ruby code that is written to perform a certain task (like exploiting a certain vulnerability or scanning a certain kind of system). There are multiple different varieties of modules, but for our purposes we'll focus on three of them:
a. Exploit modules: These are modules written to exploit a certain vulnerability.
b. Auxiliary modules: These are modules written to perform some tasks related to exploiting a system (like scanning). Within the auxiliary modules there are many kinds of modules. We'll be using the "scanner" modules for this example.
c. Payloads: Calling these modules is a little misleading. They are the payloads (for example, the shellcode) that are sent within the exploit.

4. First, we must find the correct module. We know it's scanning the system, so let's start by searching for "scanner" using the command (in the msfconsole) search scanner. Hmm... that's quite a few results (582 at the time of writing this).

The reason there are so many results is that "scanner" is a class of auxiliary modules (as seen by there being so many modules beginning with "auxiliary/scanner"). So, searching for "scanner" (or "scan") will give everything at all related to network or vulnerability scanning.

5. So, we need to narrow our search. One way of doing this is with the "grep" command, which filters the output. Since we're looking to scan the ports, let's try grep portscan search scanner to search for "portscan" within the search results from "scanner". We get:
That seems a little better. Only 7 results. Since we're scanning for open TCP ports, let's use "auxiliary/scanner/portscan/tcp". To use a Metasploit module, you should run the command use <module name>:
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) >
You should now see "auxiliary(scanner/portscan/tcp)" after "msf5", indicating you are using the auxiliary(scanner/portscan/tcp) module.

6. Now that we're using the correct module, we must set the correct options. Try running the command options. You should see something like:

While each of the options is marked as required, most of the pre-filled values work for our purposes. The only one we need to change is RHOSTS, which should be the IP address of the host we want to scan. In this case, set it to the IP address of the shellshock_server VM that you found in part 1, using the command: set rhosts IP_of_host. Now try running options again and ensure the RHOSTS option is set to the right IP address.

7. Now type run and you should see the same list of open ports that nmap showed. While "run" is usually used to run auxiliary modules, the commands "check" and "exploit" are often used to check and run exploit modules.

Now you've seen an example of how to use Metasploit. You'll follow a similar process when exploiting the shellshock vulnerability.

Task 3 Assignments:

1. Find an exploit module that exploits the shellshock vulnerability on an Apache web server. Once you've found the module, place the module name in assignment_questionnaire.txt.

2. Use show payloads to show the possible payloads for the module. Find a payload that spawns a reverse TCP shell. Place the full name of the payload in assignment_questionnaire.txt.

3. Run the exploit and spawn a reverse shell on the VM.

4. Run /bin/task3 in the resulting shell, then type cs6262 then your user ID. Report the hash value for your user ID in assignment_questionnaire.txt.

You'll submit all your answers for this section in assignment_questionnaire.txt. You should keep the reverse shell running after finishing Task 3, as you will need it in Task 4.

Task 4: Privilege Escalation

Your goal:
You aim to upgrade the privilege of your command shell by exploiting the setUID vulnerability. You will run /bin/task4 as the higher privileged user "shellshock_server", not the default user "www-data".

Background:

In Unix-based systems, setUID is an access-rights flag that lets a program run with the privileges of its owner rather than those of the user who invokes it. For instance, when users want to change their password, they run passwd, which requires root privilege. The setUID bit lets the user run passwd with temporarily elevated privileges. However, if setUID is misused or setUID flags are misconfigured, it can cause a variety of vulnerabilities such as information leakage, unwanted privilege escalation, etc.
Assignments:

As a first step, type whoami in your shell. You should see "www-data", which is your user ID. Now, run /bin/task4 gt_username. You will see a permission denied error. That is because /bin/task4 is configured to allow only the "shellshock_server" user to run it. So, you need to find a way to run task4 as the "shellshock_server" user. A feasible approach is to spawn a shell running as the "shellshock_server" user and run task4 through it.
Your goal is to find a program which:
1. Has a higher privilege than the default user.
2. Can spawn a shell.

You may want to ransack /usr/bin for a program which has a higher privilege than the default user and run /bin/task4 gt_username in the shell spawned.
What is the vulnerable program? What command do you use to search for it? What command do you use to spawn a shell with the vulnerable program? And what is the hash value from /bin/task4 gt_username (like /bin/task2)? Please leave your answers in assignment_questionnaire.txt.
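The Background section above explains why a misconfigured setUID bit is dangerous; the corresponding hardening step is to enumerate every setuid/setgid executable on a host and justify each one, stripping the bit (chmod u-s) from anything that does not need it. The following is an added example, not part of the course project: an audit that walks a directory tree, reports files carrying the setuid or setgid bit, and compares them against an allowlist. The allowlist entries are illustrative defaults for a Debian-based system, not an authoritative list, and the demo tree it builds in a temporary directory is a constructed fixture.

```python
"""Audit a directory tree for setuid/setgid executables and report ones that
are not on an explicit allowlist (added example; not part of the course project).

A setuid binary runs with its owner's privileges regardless of who invokes
it. A few are legitimate (passwd has to write the shadow file), but every
extra one is a privilege-escalation candidate, so hardening guides have the
administrator enumerate and justify them.
"""
import os
import stat
import tempfile
from pathlib import Path

# Paths one would normally expect to carry the setuid bit on a Debian-based
# system. Illustrative only; tune it per host and per distribution.
DEFAULT_ALLOWLIST = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def find_setuid_files(root):
    """Return (path, owner_uid, permission_bits) for every regular file under
    root that has the setuid or setgid bit set. Symlinks are not followed, so
    a link pointing at a privileged binary is not double-counted."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                results.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return results


def audit(root, allowlist=DEFAULT_ALLOWLIST):
    """Return the setuid/setgid files under root that are not allowlisted:
    the ones an administrator should justify or strip with chmod u-s / g-s."""
    return [entry for entry in find_setuid_files(root) if entry[0] not in allowlist]


def build_demo_tree():
    """Constructed fixture: a temp dir holding one setuid file, one setgid
    file and one ordinary executable. Setting these bits on a file you own
    needs no privilege, so this runs as an ordinary user."""
    base = Path(tempfile.mkdtemp(prefix="suid-audit-"))
    (base / "bin").mkdir()
    suid = base / "bin" / "suid_helper"
    sgid = base / "bin" / "sgid_helper"
    plain = base / "bin" / "plain_tool"
    for p in (suid, sgid, plain):
        p.write_text("#!/bin/sh\necho placeholder\n")
    # chmod after the write: a write by a non-root user would clear the bits.
    suid.chmod(0o4755)
    sgid.chmod(0o2755)
    plain.chmod(0o755)
    return base


def main():
    base = build_demo_tree()
    for path, uid, mode in audit(base):
        print(f"UNEXPECTED setuid/setgid: {path} owner={uid} mode={mode:04o}")


if __name__ == "__main__":
    main()
```

Run against a real root such as /usr/bin (or / with a longer wait) the same audit() call produces the list a hardening review works from; a periodic run that diffs against the previous result also catches a setuid bit that appears after a compromise.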

Task 5: Password Cracking
An invaluable part of any penetration test is password cracking. While there may be no known vulnerabilities in a system, a weak password could be just as damaging in allowing an attacker to gain access to a system (or view sensitive information once they gain access). We're going to look at two kinds of weak passwords in this task: passwords that are too short, and passwords that can easily be guessed via password scraping.

To begin, start a Meterpreter shell using a meterpreter shell payload through the Metasploit shellshock module from Task 3. A Meterpreter shell is different from the reverse TCP shell in Task 3, as it allows you to run Metasploit-specific commands on the vulnerable machine (like download). Navigate to /home/shellshock_server/secret_files/. There are two encrypted .pyc files here: task51.zip is encrypted with zip, while task52.pyc.gpg is encrypted with gpg (a common file encryption tool in Linux). Download these two files (task51.zip and task52.pyc.gpg) to your Kali VM using the meterpreter.

We already know the developers of this web server are not very security savvy, since they let a shellshock vulnerability plus a setUID exploit give a high privilege shell on their machine. So, chances are they did not pick very secure passwords for these secret files. Your goal in this task is to crack the passwords of these two files using John the Ripper (a popular password cracker) and cewl (a password scraper).
The command line tools used in Task 5 are in /usr/sbin on the Kali VM. To run them, you can either add /usr/sbin to the $PATH variable or write /usr/sbin/ before each command.

You should use zip2john and gpg2john to extract the password hashes from the encrypted files. For task51.zip, try running John the Ripper incrementally. Report your John the Ripper command in assignment_questionnaire.txt (whether you also report your zip2john and gpg2john commands is up to you, but they will not be graded).

For task52.pyc.gpg, try running John the Ripper incrementally again. Hmm... it seems to run forever.

That is because John the Ripper is trying every combination of characters. If the password is too long (among other things), John the Ripper could run for years before it finds it.

Just because the password is too long to be found incrementally does not mean it cannot be cracked. Take a look at the shellshock.cgi page in the browser. It looks like it gives a link to a profile of the authors. If the authors are not great at picking secure passwords, maybe the password is something about them that we can guess from their profile page. But even if the password is on the profile page, it can still take a while to guess by hand. What if the password was kItt3n$ or deVEL0p3r? It would be hard to guess that, even if the word it was based on (like "kittens" or "developer") was on the profile page. Instead, let us use a password scraper to create a custom wordlist for John the Ripper. For this project, we suggest using cewl. cewl is a simple command line program that comes preinstalled on Kali and creates password word lists from web pages. Since we want to get every possible password (including if the authors based the password on something on shellshock.cgi, or one of the landing pages), you should run cewl on shellshock.cgi, with the proper settings to ensure it follows the links all the way to profile.cgi (you may need to tune the cewl parameters). Report your cewl command in assignment_questionnaire.txt. Then try running John the Ripper on task52.pyc.gpg with the wordlist (and the default wordlist rules for testing different permutations of the words). Report your John the Ripper command in assignment_questionnaire.txt.
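The two paragraphs above make a quantitative argument: an exhaustive search over every character grows exponentially with password length, while a wordlist expanded by mangling rules stays small, which is why a scraped wordlist recovers kItt3n$-style passwords that incremental mode never reaches. The following is an added example, not part of the course project, that puts numbers on that argument the way a password-policy review would. The guess rate, wordlist size and rules-per-word figures in main() are assumed, illustrative values, not benchmarks of John the Ripper's gpg or zip formats.

```python
"""Keyspace arithmetic behind Task 5: exhaustive (incremental) search versus
wordlist-plus-rules search (added example; not part of the course project).
All rates and list sizes used here are assumed, illustrative figures.
"""
import string

# Character classes an incremental search must include once the target uses
# one of their members. Sizes are the printable ASCII classes.
CLASSES = (
    set(string.ascii_lowercase),   # 26
    set(string.ascii_uppercase),   # 26
    set(string.digits),            # 10
    set(string.punctuation),       # 32
)

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet an exhaustive search needs to reach this password:
    the union of every character class the password touches."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def incremental_keyspace(password):
    """Candidates an exhaustive search covers before it is guaranteed to reach
    the password: every string of length 1..len(password) over the alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def wordlist_keyspace(words, rules_per_word):
    """Candidates a wordlist attack generates: each scraped word expanded by
    each mangling rule (case changes, character substitutions, suffixes)."""
    return words * rules_per_word


def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case wall-clock time in years at a steady guess rate; the
    expected time to hit the password is about half of this."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(password, words, rules_per_word, rate):
    """Worst-case years for both strategies against one password."""
    return {
        "alphabet": alphabet_size(password),
        "incremental_years": years_to_exhaust(incremental_keyspace(password), rate),
        "wordlist_years": years_to_exhaust(wordlist_keyspace(words, rules_per_word), rate),
    }


def main():
    # Assumed figures: a 300-word scrape, ~50 rules per word, and 10,000
    # guesses per second for a deliberately slow format such as gpg's S2K.
    for pw in ("kittens", "kItt3n$", "deVEL0p3r"):
        r = compare(pw, words=300, rules_per_word=50, rate=10_000)
        print(f"{pw:10} alphabet={r['alphabet']:3} "
              f"incremental={r['incremental_years']:>12.3g} yr "
              f"wordlist={r['wordlist_years']:.2e} yr")


if __name__ == "__main__":
    main()
```

The lesson for the defender is the mirror image of the attacker's: length and unpredictability, not character substitutions applied to a word that appears on your own web page, are what move a password out of the reachable space.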

*Note: Need Task 4 and Task 5 only

Attachment:- Project writeup.rar
