LAB 1 Network Mapping
Evaluation on Network Mapping
LAB 2 RPC and NFS Exercise
UDP NFS Versions: 2-4 (RPC # 100003)
Analysis and Evaluation
LAB 3 RSH and Rlogin
Evaluation of Rlogin
LAB 4 X Window System Exercise
Evaluation on X Windows
LAB 5 Common Solaris RPC Programs
Evaluation and Analysis
6. Windows Password Hashes Question
LAB 7 Windows Enumeration
LAB 8 Finger
Evaluation on Finger
LAB 9 SMTP
LAB 10 DNS
DNS EVALUATION
LAB 11 Web Application
LESSON LEARNT AND EVALUATION
LAB 1 Network Mapping
Network mapping is a way of rapidly scanning a large network. Network mapping uses IP packets to determine which hosts are alive on the network and what services those hosts are offering.
1. A ping sweep is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers). A ping sweep consists of ICMP Echo requests sent to multiple hosts. If a given address is alive, it returns an ICMP Echo reply.
In this lab, a ping sweep against the range 10.0.57.1-10.0.57.39 was conducted using the tool Angry IP Scanner; figure 1.1 below shows the results.
Figure 1.1 showing the ip range 10.0.57.1-39
The table 1.1 shows the IP address and ICMP TTL
IP Address | ICMP TTL
2. Ping sweeps were sent on the network and most hosts responded. One host that was alive on the network but did not respond to ping was 10.0.57.9; after running the scan again, figure 1.2 below shows the results.
Host IP Address: 10.0.57.9
MAC Address: 00:24:81:6c:6c:3A
Figure 1.2 showing a live machine not responding to ping
3. A TCP port scan allows one to discover which TCP ports are open on a target host. These are the entry points to a host that is connected to a network or the internet. A TCP port scan was done on host 10.0.57.20 using the tool Zenmap and the command nmap -T4 -v -PE 10.0.57.20; figure 1.3 below shows the results of the scan, and 7 ports were open.
Figure 1.3 TCP port scan
4. A UDP port scan was also done on host 10.0.57.20 using the tool BackTrack, and only one port was open. Figure 1.4 shows the result; the command that was run to get the results was nmap -sU 10.0.57.20.
Fig 1.4 UDP port scan
Evaluation on Network Mapping
From the lab exercise, pings are useful in determining whether a host is alive, and ping tools can be used for host discovery. After obtaining a list of targets, the next task was to scan the ports on the network. The main goal was to identify which ports were open on a host. The scan was done for both TCP and UDP, and the information obtained can be used to attack network devices as vulnerabilities related to these ports are discovered.
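The same scan results are what a defender turns into an asset inventory. This added example (not part of the lab report) parses nmap's grepable output format (the -oG option) for a constructed sample of the lab's host range and lists every open port that is not on an allow-list, so unexpected services can be reviewed before an attacker finds them. The sample output and the allow-list are invented for the example.

```python
import re

# Constructed sample of nmap "grepable" (-oG) output; invented for this example,
# not captured from the lab network.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated as: nmap -sS -sU -oG - 10.0.57.9 10.0.57.20-21
Host: 10.0.57.9 ()\tStatus: Up
Host: 10.0.57.9 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///\tIgnored State: closed (1998)
Host: 10.0.57.20 ()\tStatus: Up
Host: 10.0.57.20 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 161/open/udp//snmp///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.57.21 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

# port/state/protocol//service/// as written in the Ports: field
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)/")

def parse_gnmap(text):
    """Return {ip: {"up": bool, "ports": [(port, proto, service), ...]}} keeping open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        # remaining tab-separated fields look like "Status: Up" or "Ports: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        if fields.get("Status") == "Up":
            entry["up"] = True
        for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                entry["up"] = True
                entry["ports"].append((int(port), proto, service))
    return hosts

def unexpected_services(hosts, allowed):
    """List (ip, port, proto, service) tuples whose (port, proto) is not on the allow-list."""
    return [(ip, p, pr, s) for ip, h in hosts.items()
            for p, pr, s in h["ports"] if (p, pr) not in allowed]

if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for finding in unexpected_services(inventory, {(22, "tcp"), (80, "tcp")}):
        print("review:", finding)
```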
LAB 2 RPC and NFS Exercise
RPC enables a system to make calls to programs such as NFS across the network transparently.
1. To list the RPC services listening on host pine, we use nmap with the following command. Procedure: nmap -sV 10.0.57.1
The TCP NFS version is 2-4 (RPC # 100003).
Below figure shows the results of the scan.
Fig 2.1 showing RPC services on pine
UDP NFS Versions: 2-4 (RPC # 100003)
Procedure: nmap -sU -sV 10.0.57.1
Fig 2.2 showing UDP port scan
2. The results below show which NFS file systems are exported by pine, using the command showmount -e.
Fig 2.3 showmount -e
Filesystem | Allowed Hosts
Filesystem | Not Allowed Hosts
3. Trophy Filename: pen_Test_Trophy_file
Fig 2.4 trophy file
Trophy File UID: 0
Trophy File GID: 0
The figure below shows the Trophy file UID and GID
Fig 2.5 showing UID and GID
4. To display the contents of the trophy file, run the cat command as shown below.
Fig 2.6 contents of the trophy file
Analysis and Evaluation
From the lab analysis of RPC, I have learnt that you can point Nmap at a remote machine and see what ports are open. After running TCP and UDP port scans, ports are discovered to be open. Version detection interrogates those ports to determine more about what is actually running.
showmount displays a list of exported directories on a host. Using the showmount -e command, attackers can send a maliciously crafted RPC request to obtain a list of exported directories, and the attacker may exploit them. File access is determined by the servers in most cases. NFS uses UID and GID. From the lab experiment, both had a value of 0. Any user who has access to this will have root access, and if a malicious user has access, they can create any account or modify the UID and GID.
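The UID/GID 0 issue above is controlled on the server side by the export options. This added example (not from the lab) audits a constructed /etc/exports file in the Linux NFS server format and flags the settings that hand out the access described: exports to any host, writable exports, and no_root_squash, which lets a remote UID 0 act as root on the exported tree. The paths and hosts in the sample are invented.

```python
import re
import shlex

# Constructed /etc/exports content (Linux nfs-utils syntax), invented for this example.
SAMPLE_EXPORTS = """\
# NFS exports
/export/home   *(rw,no_root_squash)
/export/data   10.0.57.0/24(rw,sync,root_squash)
/export/pub    10.0.57.20(ro,sync) 10.0.57.21(ro,sync)
"""

# host(options) or bare host; options are comma separated inside the parentheses
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Yield (path, client, set-of-options) for every client entry of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = shlex.split(line)
        for client in clients or ["*"]:      # a path with no client list is exported to everyone
            host, opts = CLIENT_RE.match(client).groups()
            yield path, host or "*", set((opts or "").split(",")) - {""}

def audit_exports(text):
    """Return (path, client, finding) tuples for settings that give out world or root access."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to any host"))
        if "no_root_squash" in opts:
            # remote uid 0 is not mapped to nobody: root on the client is root on this export
            findings.append((path, client, "no_root_squash: remote uid 0 is root on the server"))
        if "rw" in opts and "ro" not in opts:
            findings.append((path, client, "writable export"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```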
LAB 3 RSH and Rlogin
RSH (remote shell) is a command that executes a command on a remote machine, and rlogin allows remote login, like telnet.
1. To remotely log in to Rodney's account, we run the command rlogin 10.0.57.1 -l Rodney, and the figure below shows the results.
rlogin 10.0.57.1 -l Rodney
Fig 3.1 login into Rodney's account
To gain interactive access to Rodney's account and run runme, we use the command sudo ./runme, which allows us to execute runme. The result shows the trophy file.
The trophy file is the lab 3 trophy file, as shown in the figure below.
Fig 3.2 lab 3 trophy file
Evaluation of Rlogin
Rlogin is a service that runs on port 513 and allows users to log in to the host remotely. What was successfully achieved was that I was able to log in to pine using the command rlogin -l. I successfully logged in to the remote host using Rodney's account on pine, as shown in figure 3.1.
My other observation: the reason I was able to connect remotely without any authentication problems was that the rlogin service is insecure and can potentially allow anyone to log in without providing a password, or using the same password the remote user uses.
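The password-less login observed above comes from rlogin's host-based trust: entries in /etc/hosts.equiv and each user's ~/.rhosts name the hosts and users allowed in without a password, and a "+" wildcard trusts everyone. This added example (not from the lab) audits a constructed file of that format and reports the wildcard and host-only entries an administrator should remove; the hostnames are invented.

```python
# Constructed .rhosts / hosts.equiv content, invented for this example.
SAMPLE_RHOSTS = """\
# host [user] entries trusted for rlogin/rsh without a password
+ +
trusted.example rodney
192.0.2.20 +
-denied.example
buildhost.example
"""

def parse_rhosts(text):
    """Yield (host, user, negated) per entry; user is None when only a host is given."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        negated = host.startswith("-")          # a leading '-' denies instead of trusting
        yield host.lstrip("-"), user, negated

def audit_rhosts(text):
    """Return (entry, finding) tuples for entries that trust arbitrary hosts or users."""
    findings = []
    for host, user, negated in parse_rhosts(text):
        if negated:
            continue                            # deny entries are not a trust grant
        if host == "+" and user == "+":
            findings.append(("+ +", "any user on any host may log in without a password"))
        elif host == "+":
            findings.append((f"+ {user}", f"user {user} is trusted from any host"))
        elif user == "+":
            findings.append((f"{host} +", f"every user on {host} is trusted"))
        elif user is None:
            findings.append((host, "all accounts on this host are trusted for same-username login"))
    return findings

if __name__ == "__main__":
    for entry, finding in audit_rhosts(SAMPLE_RHOSTS):
        print(f"{entry!r}: {finding}")
```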
Lab 4 X Window System Exercise
The X Window System (X11) is a windowing system for bitmap displays, and the standard UNIX windowing system.
1. Use a TCP port scan to find a system in the range 10.0.57.1 - 10.0.57.39 that is running the X Window System and accepting network connections. Enter the host's IP address and the listening TCP port below.
Fig 4.1 X11
2. Given this IP address and port, what value would you need to use for the DISPLAY environment variable or the -display option to cause an X client program to use the X server on this system?
Fig 4.2 display string
Display String: 10.0.57.12 43042 10.0.571.22
3. To determine the information from the server, the figure below shows the results
Fig 4.3 X.org version
X.org version number: 7.1.1
Screen dimensions (pixels): width 800, height 600, depth 600, visual class: TrueColor
Fig 4.4 screen dimensions
Evaluation on X Windows
The X Windows lab was a challenge but interesting, as it gave me an in-depth understanding of how a client is an application and the server controls the display. The X server runs multiple displays, and each display has multiple screens attached to it.
X Windows is implemented from the start as a client/server model, and from my observation running on Rodney's account on pine, it is also suited to remote application deployment.
LAB 5 Common Solaris RPC Programs
Program     | Solaris Versions | Vulnerability / Notes
bootparam   | 8, 9             | Attacker can obtain the domain name from bootparam; the attacker can guess which system is the client or server and use the domain name to make NIS provide the password file
cachefsd    | 2.5.1            | Allows a remote attacker to execute arbitrary commands with root privileges
cmsd        | 4                | Owned by bin, run by root
dmispd      | 7                | Allows local users to fill up restricted disk space by adding files to the /var/dmi/db database
kcms_server | 2.6, 7, 8, 9     | Read any file as root
mountd      | 0.4              | Allows a remote attacker to cause a buffer overflow
nfs         | Any              | Often allows access via UID/GID manipulation
nlockmgr    | Any              | Remote denial of service attack; causes the lock daemon to fail
rpcbind     | Any              | Always present if RPC is enabled
rquotad     | Any              | Returns quotas for a user of a local file system which is mounted by a remote machine over NFS
rstatd      | 2, 3, 4          | Server which returns performance statistics obtained from the kernel
rusersd     | Any              | Returns users currently on the network
sadmind     | 7, 8, 9          | Root command execution
snmpXdmid   | 2.6, 7, 8        | Root command execution
sprayd      | Version 1        | Used to send a stream of packets to a host you specify
ttdbserverd | 2.6, 8           | Attacker can cause a buffer overflow and execute arbitrary code
walld       | 2.6              | Allows local users to send messages to logged-on users that appear to come from arbitrary user IDs
Evaluation and Analysis
6. Windows Password Hashes Question
Analysis and evaluation
LAB 7 Windows Enumeration
1. Retrieve the NetBIOS name table for each of the systems below and complete the table. The first row has been filled in for you.
Fig 7.1 NetBIOS name
IP         | System Name | Domain / WG | DC (Yes/No) | Master Browser (Yes/No)
10.0.57.10 | AZURE       | LONDON      | No          | No
10.0.57.12 | Mumbika-hp  | workgroup   | No          | No
10.0.57.13 | chelani     | workgroup   | No          | No
10.0.57.15 | Nduba       | cathias     | No          | No
10.0.57.16 | cholwe      | workgroup   | No          | No
10.0.57.17 | Edward-pc   | workgroup   | No          | No
2. To obtain the results, I used nmap -T4 -A -v 10.0.57.10-17
System Name | Version              | Service Pack | SQL Server | PDC
AZURE       | Windows 2003         | SP1          | No         | No
mumbika     | Windows 7            | SP1          | No         |
cathias     | Windows 7 Ultimate   | SP1          | No         | No
cholwe      | Windows 7 Ultimate   | SP1          | No         | No
edward      | Windows 7 Enterprise | SP1          | No         | No
3. The Windows 2000 system has RestrictAnonymous set to zero. Obtain a list of users on this system and find the trophy user with a username of six random lowercase characters. Write the trophy username below:
Note: you should not use RID cycling for this question.
Trophy username: YENDOR
4. Find the trophy share name on the Windows 2000 system, and write the share name below:
Trophy share name: yendor@pine
5. Obtain a list of users from the PDC for the LONDON domain. Find the name of the built-in administrator account and the name of the trophy user. The trophy user name consists of six lowercase letters and is not a Windows built-in account. Write the names below:
Administrator username: admin
Windows enumeration was done using a tool called Advanced IP Scanner to scan the network. The main goal was to enumerate users on the Windows systems to retrieve the NetBIOS name and the workgroup they belong to. A pen tester who is examining the network may wish to determine the purpose of each result, be it computer name, workgroup or operating system. From the lab that was carried out with Nmap, the computer name and domain were returned in the SMB OS discovery.
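The DC and Master Browser columns in the question 1 table come from the suffix byte of each NetBIOS name: a <1C> group name is registered by domain controllers, a <1B> unique name by the domain master browser (the PDC), and a <1D> unique name by the local master browser. This added example (not from the lab) parses constructed name-table output in the nmblookup -A layout and fills in those columns; the IPs and names are invented and do not describe the lab's hosts.

```python
import re

# Constructed nmblookup -A style output for two hosts; invented for this example.
SAMPLE_NBT = """\
Looking up status of 192.0.2.10
\tHOSTA           <00> -         B <ACTIVE>
\tHOSTA           <20> -         B <ACTIVE>
\tEXAMPLEDOM      <00> - <GROUP> B <ACTIVE>
\tEXAMPLEDOM      <1C> - <GROUP> B <ACTIVE>
\tEXAMPLEDOM      <1B> -         B <ACTIVE>
\tEXAMPLEDOM      <1D> -         B <ACTIVE>

Looking up status of 192.0.2.12
\tHOSTB           <00> -         B <ACTIVE>
\tHOSTB           <20> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKGROUP       <1E> - <GROUP> B <ACTIVE>
"""

# "<name> <xx> - [<GROUP>] ..." where xx is the NetBIOS suffix byte in hex
ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+-\s+(<GROUP>)?")

def parse_name_tables(text):
    """Return {ip: [(name, suffix, is_group), ...]} from nmblookup/nbtstat style output."""
    tables, ip = {}, None
    for line in text.splitlines():
        m = re.match(r"Looking up status of (\S+)", line)
        if m:
            ip = m.group(1)
            tables[ip] = []
            continue
        m = ENTRY_RE.match(line)
        if m and ip:
            name, suffix, group = m.groups()
            tables[ip].append((name, suffix.upper(), group is not None))
    return tables

def summarise(entries):
    """Fill the lab's columns from one host's name table."""
    unique = {s: n for n, s, g in entries if not g}   # unique names: machine roles
    groups = {s: n for n, s, g in entries if g}       # group names: domain / workgroup
    return {
        "system": unique.get("00"),
        "domain_wg": groups.get("00"),
        "dc": "1C" in groups,              # <1C> group: domain controllers
        "master_browser": "1D" in unique,  # <1D> unique: local master browser
        "pdc": "1B" in unique,             # <1B> unique: domain master browser (PDC)
    }

if __name__ == "__main__":
    for ip, entries in parse_name_tables(SAMPLE_NBT).items():
        print(ip, summarise(entries))
```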
LAB 8 Finger
1. Use the finger service on pine to get a list of users. One of the users has some sensitive information that can be obtained through finger. Write the name of that user below:
Fig 8.1 list of user on pine
2. Using the information obtained, log in as the user and display the trophy file.
Fig 8.2 list trophy file
Trophy: lab 4 trophy and lab 8 trophy
Finger successfully completed
Evaluation on Finger
One of the first activities in conducting penetration testing using BackTrack is to perform user enumeration in order to discover valid user names. In this lab, I examined how to manually discover user names using finger on the host pine and obtained some sensitive information on a user. Once logged in remotely, I was able to run the runme file. Obtaining the user information of a specific user can lead to loss of data.
Lab 9 SMTP
Use the SMTP service on oak to determine which of the following users exist:
User | Exists (Yes/No)
Fig 9.1 users on oak
To enumerate users on an SMTP server using nmap, you enter the command nmap --script smtp-enum-users 10.0.57.7. Once users are found, they are included in the script output.
SMTP is a service that can help a pen tester to perform user enumeration. The SMTP lab was performed using Nmap and the smtp-user-enum command. The only thing that was required was to enter the IP address of the remote host and execute the command.
SMTP is a common service that can be found on every network, as learnt from this lab. It is best practice to properly configure mail servers by disallowing the execution of commands.
LAB 10 DNS
DNS resolves names to IP addresses, allowing us to type a website name into the address bar without having to remember the IP address.
1. Using the name server 10.0.57.1, determine the following information. You can obtain all this information with regular DNS queries.
IP address of host yew.training.nta-monitor.com                 | 10.0.57.103
IP address of name server for london.training.nta-monitor.com  | 10.0.57.102
IP address of primary mail server for training.nta-monitor.com | 10.0.57.104
Serial number for training.nta-monitor.com zone                | 13
Operating system for yew.training.nta-monitor.com              | Windows 98
Hostname associated with ntp0.training.nta-monitor.com         |
Fig 10.1 determine name servers
2. Using the name server 10.0.57.1, determine the following information:
FQDN of host with address 10.0.57.99 | Training.nta-monitor.com
3. Using the name server 10.0.57.1, obtain all the DNS records for the zone demo.nta-monitor.com, and determine the name of the text record with the value "DNS zone transfer trophy".
Text Record Name:
Determine the version of the BIND name server at 10.0.57.1 using a DNS query:
BIND Version 9.3.6-P1-redhat-9.3.6
This lab was based on a security reconnaissance point of view, after carrying out the DNS labs on host yew.training.nta-monitor.com. DNS can be exploited and offers a means of discovering an organisation's public and possibly private servers' services and the corresponding IP address locations. One observation noticed: a domain's authoritative DNS server will give information regarding the domain's mail servers. To successfully complete the lab, I used nslookup to obtain all the results.
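Both results from this lab, the full zone listing in question 3 and the version string in question 4, are controlled by two settings in the BIND configuration: allow-transfer (BIND 9.3-era servers allow transfers from any host unless it is set) and the version option, which replaces the string returned for version.bind queries. This added example (not from the lab) audits a constructed named.conf for those two settings; the zone names and addresses are invented.

```python
import re

# Constructed named.conf with one weak and one corrected zone; invented for this example.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };          // weak: any host can pull every zone
};
zone "demo.example" {
    type master;
    file "demo.example.zone";         // inherits the weak default above
};
zone "training.example" {
    type master;
    file "training.example.zone";
    allow-transfer { 192.0.2.53; };   // corrected: secondary server only
};
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def blocks(text, header_re):
    """Yield (header match, body) for each '<header> { ... }' block, matching nested braces."""
    for m in re.finditer(header_re + r"\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def audit_named_conf(text):
    """Return (scope, finding) tuples for missing version hiding and open zone transfers."""
    text = strip_comments(text)
    findings = []
    opts = next((body for _, body in blocks(text, r"\boptions")), "")
    if not re.search(r'\bversion\s+"[^"]*"', opts):
        findings.append(("options", "version not set: real BIND version answers version.bind queries"))
    default_xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", opts)
    for m, body in blocks(text, r'\bzone\s+"([^"]+)"'):
        xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", body) or default_xfer
        # no allow-transfer anywhere falls back to BIND 9.3's permissive default
        if xfer is None or re.search(r"\bany\b", xfer.group(1)):
            findings.append((m.group(1), "zone transfer allowed from any host"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_named_conf(SAMPLE_NAMED_CONF):
        print(f"{scope}: {finding}")
```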
LAB 11 Web Application
Valid User Message: thank you for banking with hacme bank
Invalid User Message: invalid login
2. The SQL injection used was ' OR 1=1 ' in Hacme Bank.
LESSON LEARNT AND EVALUATION
The web application penetration test lab was focused on evaluating the security of a website. The process involved activities and analysis of the application's weaknesses, flaws and vulnerabilities. From the lab exercise, a very important observation is that an attacker can gain access to unauthorised data or perform unauthorised activities. An attacker is able to force user session IDs to an explicit value and thus steal or manipulate user sessions and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter certain records and perform transactions.
The website had stored administrative content such as directories. An attacker can manipulate these directories and may be able to access them. In other words, the attacker is able to reconfigure the web server and access sensitive information.
An attacker can launch cross-site scripting attacks or several other tricks to obtain the session ID of a remotely logged-in user, gain access to that user's account from different IP addresses and cause loss of information. Cross-site scripting attacks have proven to be an injection problem. From my evaluation, malicious scripts were injected into the websites, and they mostly occur on web applications.
The SQL injection technique exploited a security vulnerability in the database layer of the web application. The vulnerabilities were presented by inserting strings in the login boxes.
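The login flaw exploited above exists because the submitted string is pasted into the SQL text, so its quote closes the literal and OR 1=1 makes the WHERE clause true for every row. This added example (not Hacme Bank's code, and with a constructed SQLite users table) shows that vulnerable pattern next to the parameterised form that fixes it; the two response strings are the lab's valid and invalid user messages, and the -- at the end of the payload comments out the password check so the query stays syntactically valid.

```python
import sqlite3

VALID = "thank you for banking with hacme bank"
INVALID = "invalid login"

def make_db():
    """In-memory users table with one constructed account (not Hacme Bank's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return VALID if row else INVALID

def login_fixed(conn, username, password):
    """Parameterised query: the input is bound as data and can never change the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return VALID if row else INVALID

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(conn, payload, "wrong"))   # logs in without a password
    print("fixed:     ", login_fixed(conn, payload, "wrong"))        # rejected
```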