
Laboratory guide for student

Course name: Penetration testing

Level: master program
Developers:
- Alexander Dorofeev, Training center Echelon, Russia
- Andrian Piskozub, National University Lviv Polytechnic, Ukraine

Table of Contents
Chapter 1. Introduction to the penetration testing
Laboratory 1.1 Basic configuration of Kali Linux and Metasploitable 2

Chapter 2. Intelligence Gathering
Laboratory 2.1. Using Google for OSINT in penetration testing projects
Laboratory 2.2. Technical reconnaissance of IT-infrastructure
Laboratory 2.3. Using Maltego for reconnaissance

Chapter 3. Vulnerability Analysis
Laboratory 3.1. Ports scanning
Laboratory 3.2. Using Netcat
Laboratory 3.3. Manual vulnerability assessment
Laboratory 3.4 Using vulnerability scanners for vulnerability assessment
Laboratory 3.5 Configuration review
Laboratory 3.6 Specific scanning tools

Chapter 4. Exploitation
Laboratory 4.1 ARP-spoofing attack
Laboratory 4.2 Use of Metasploit command line for vulnerability exploitation
Laboratory 4.3 Use of Armitage for vulnerability exploitation
Laboratory 4.4 Database passwords attacks
Laboratory 4.5 Password attacks for different services
Laboratory 4.6 Modern 2014 attacks - heartbleed, shellshock

Chapter 5 Exploitation of Web-applications
Laboratory 5.1 Scanning of web-application
Laboratory 5.2 Password bruteforcing of web-application
Laboratory 5.3 OS command execution through web-server
Laboratory 5.4 SQL-injection and offline password cracking
Laboratory 5.5 Exploitation of XSS vulnerability

Chapter 6. Social engineering
Laboratory 6.1 Social engineering toolkit (SET) usage

Chapter 7 Exploitation using client-side attacks
Laboratory 7.1 Client exploitation with BeEF

Chapter 8. Maintaining access
Laboratory 8.1 Rootkit installation and usage

Chapter 1. Introduction to the penetration testing

Laboratory 1.1 Basic configuration of Kali Linux and Metasploitable 2


Purpose: get basic knowledge about the virtual environment which will be used during the
course.

After the work the student must

- know: how to run the VMs used in the course;
- be able to: configure the network connection between all hosts used in the course labs.

Task:
- run all three VMs used in the course;
- update Kali Linux;
- configure the network connection between all hosts;
- ping the other VMs from Kali Linux;
- find the file “hydra” with the commands “locate” and “find”.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Chapter 2. Intelligence Gathering

Laboratory 2.1. Using Google for OSINT in penetration testing projects


Purpose: understand how the Google search engine can be useful for OSINT in penetration
testing projects.

After the work the student must

- know: what Google search operators are;
- be able to: find the information required for penetration testing.

Tasks:
- find people who work in IBM using social networks like LinkedIn;
- determine how the email addresses of IBM employees are formed;
- discover the specifics of use of the following advanced search operators:
  - “” and “site:” – find all pages containing the phrase “top secret” on the site of the Pentagon;
  - “inurl:” – find login pages on the domain whitehouse.gov;
  - “filetype:” – find all docx files on .gov domains containing the phrase “top secret”;
  - find the Google documentation about advanced search operators and play with other operators.
- discover what URLs are hidden from search robots in the robots.txt files on the sites of the Pentagon
  and the Whitehouse;
- discover the contents of the Google Hacking Database;
- check where a user is registered with a specific user ID using services like https://namechk.com/
- find how the defense.gov site looked 5 years ago using the service waybackmachine.org

Material and technical equipping of the workplace

- Workstation with web browser and connection to the Internet.

Laboratory 2.2. Technical reconnaissance of IT-infrastructure


Purpose: understand what technical information about an IT infrastructure can be collected for
external penetration testing

After the work the student must

- know: what information can be collected;
- be able to: collect the required information.

Tasks:
- using online traceroute, determine the path to the domain given by the tutor;
- determine what DNS and mail servers are used by the domain given by the tutor;
- determine the IP address of the site given by the tutor;
- determine with the whois utility the range of IP addresses in which the site given by the tutor is registered;
- conduct DNS bruteforcing with the fierce utility for the domain given by the tutor;
- run the theHarvester utility for the domain given by the tutor.

Material and technical equipping of the workplace

- Kali 2 and connection to the Internet.

Laboratory 2.3. Using Maltego for reconnaissance

Purpose: understand how to use the Maltego tool for reconnaissance tasks

After the work the student must

- know: what information can be collected with Maltego;
- be able to: collect the required information with Maltego.

Tasks:
- using Maltego, collect information regarding a specific company given by the tutor;
- using Maltego, collect information regarding a specific domain given by the tutor.

Material and technical equipping of the workplace

- Workstation with web browser and connection to the Internet.

Chapter 3. Vulnerability Analysis

Laboratory 3.1. Ports scanning


Purpose: understand what port scanning is.

After the work the student must

- know: what port scanning is and its application in penetration testing;
- be able to: conduct port scanning by means of different utilities.

Tasks:
- Scan 192.168.12.6 with Zenmap – determine open ports;
- Scan 192.168.12.6 (Metasploitable 2) with Nmap – determine open ports, the versions of the running
  services and the version of the operating system;
- Scan 192.168.12.6 with db_nmap from Metasploit Framework;
- Export the scan results from the Metasploit database and open them in LibreOffice Calc.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 3.2. Using Netcat


Purpose: understand what netcat is.

After the work the student must

- know: what netcat is;
- be able to: conduct different tasks with netcat.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Lab Objectives

In this lab, you will perform the following six exercises:

- Exercise 1 – Use Netcat for port scanning
- Exercise 2 – Use Netcat for banner grabbing
- Exercise 3 – Use Netcat to transfer files between hosts
- Exercise 4 – Use Netcat to configure a remote backdoor
- Exercise 5 – Use Netcat for chatting between two users
- Exercise 6 – Use Netcat to perform remote backups

Laboratory 3.3. Manual vulnerability assessment


Purpose: understand the principle of identifying vulnerabilities based on the service version.

After the work the student must

- know: what a service banner is and how it can be used for identification of vulnerabilities;
- be able to: conduct manual vulnerability assessment.

Tasks:
1. Connect to the FTP server on 192.168.12.6 and determine its version;
2. Using the information about the version, find what vulnerabilities exist for the given FTP server;
3. Exploit the discovered backdoor in the FTP server;
4. Perform steps 1-2 for the web server on 192.168.12.6. For determining the version of the web server
use Nmap.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)
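Added example (not part of the original lab guide): the first two tasks rest on the fact that a service banner volunteers a product name and version, and that identification means parsing those out and comparing the version against a list of affected releases. The Python script below does exactly that for an FTP greeting and an HTTP Server header. The banners, the advisory table and all function names are constructed for this example; the only real-world row is the well-known backdoored vsftpd 2.3.4 release, which the guide itself does not name.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample banners in the format an FTP server and an HTTP
# server return on connect (not captured from the lab VMs).
SAMPLE_FTP_BANNER = "220 (vsFTPd 2.3.4)\r\n"
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# One regex per service type; each exposes 'product' and 'version' groups.
BANNER_PATTERNS = {
    # FTP greeting such as "220 (vsFTPd 2.3.4)" or "220 ProFTPD 1.3.1 Server ..."
    "ftp": re.compile(
        r"^220[ -]\(?(?P<product>[A-Za-z]+FTPd?)\s+(?P<version>\d+(?:\.\d+)+)",
        re.IGNORECASE),
    # HTTP: the Server response header, wherever it sits in the header block
    "http": re.compile(
        r"^Server:\s*(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)+)",
        re.MULTILINE | re.IGNORECASE),
}


def parse_banner(service: str, banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) found in the banner, or None if it leaks no version."""
    m = BANNER_PATTERNS[service].search(banner)
    if not m:
        return None
    return m.group("product"), m.group("version")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisory table: (product, first affected, last affected, note).
# The vsFTPd row records the well-known backdoored 2.3.4 release (a known fact,
# not something taken from the guide); the second row is a placeholder that
# shows non-matching products are ignored.
ADVISORIES = [
    ("vsFTPd", "2.3.4", "2.3.4", "backdoored release; replace the package from a trusted source"),
    ("ExampleFTPd", "1.0.0", "1.9.9", "PLACEHOLDER advisory for a product not present on the host"),
]


def matching_advisories(product: str, version: str, table=ADVISORIES) -> List[str]:
    """Advisory notes whose product matches and whose version range contains the banner version."""
    vk = version_key(version)
    return [note for prod, lo, hi, note in table
            if prod.lower() == product.lower()
            and version_key(lo) <= vk <= version_key(hi)]


def assess(service: str, banner: str) -> dict:
    """One-stop result for a banner: whether it leaks a version and which advisories apply."""
    parsed = parse_banner(service, banner)
    if parsed is None:
        return {"leaks_version": False, "product": None, "version": None, "advisories": []}
    product, version = parsed
    return {"leaks_version": True, "product": product, "version": version,
            "advisories": matching_advisories(product, version)}


if __name__ == "__main__":
    for svc, banner in (("ftp", SAMPLE_FTP_BANNER), ("http", SAMPLE_HTTP_RESPONSE)):
        print(svc, assess(svc, banner))
```

The defensive reading of this check: when parse_banner returns None the host is not handing out its version, which is what settings such as Apache's ServerTokens Prod or a custom ftpd_banner in vsftpd.conf achieve; hiding the banner does not remove the vulnerability, so the version still has to be tracked through the package manager.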

Laboratory 3.4 Using vulnerability scanners for vulnerability assessment
Purpose: understand the principles of using vulnerability scanners

After the work the student must

- know: how vulnerability scanners work;
- be able to: conduct vulnerability assessment using vulnerability scanners.

Tasks:
1. Configure and update the OpenVAS scanner in Kali Linux;
2. Scan 192.168.12.6 with OpenVAS;
3. Install and update Nessus;
4. Scan 192.168.12.6 with Nessus;
5. Import the results of the Nessus scan into the Metasploit database;
6. Compare the results of the scanners.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 3.5 Configuration review
Purpose: understand what configuration review is

After the work the student must

- know: what the configuration review approach is;
- be able to: conduct a configuration review.

Tasks:
1. Upload the «unix-privesc-check» utility to Metasploitable 2 and conduct a local security check;
2. Scan 192.168.12.6 with Nessus using the “Credentialed Patch Audit” policy. Provide SSH
credentials;
3. Compare the report generated by Nessus with the report obtained in the previous lab;
4. Find a checklist appropriate for Metasploitable 2 on https://www.cisecurity.org/ and
conduct at least 5 manual checks from it.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 3.6 Specific scanning tools

Purpose: practice with specific scanning tools

After the work the student must

- know: that there are plenty of specific scanning tools;
- be able to: use some specific scanning tools.

Tasks:
1. Find SMB shares on Metasploitable 2 with the corresponding scanning module in Metasploit
Framework;
2. Find NFS shares on Metasploitable 2 with the corresponding scanning module in Metasploit
Framework;
3. Check for the existence of the backdoor in vsftpd with the Nmap script.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Chapter 4. Exploitation

Laboratory 4.1 ARP-spoofing attack

Purpose: practice with conducting a MITM attack

After the work the student must

- know: what a MITM attack is;
- be able to: conduct a MITM attack for intercepting data.

Tasks:
1. Conduct an ARP-spoofing attack between Lubuntu and Metasploitable 2; review the ARP tables
on each host before and after the attack;
2. Intercept an FTP session with the Ettercap sniffer and intercept images with the driftnet utility.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)
- Ubuntu_LTS (192.168.12.10)
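Added example (not from the guide) for the "review the ARP tables before and after" part of task 1: a short Python checker that parses 'ip neigh' (or 'arp -n') output captured at two points in time and reports every entry whose MAC address changed, plus any MAC that now claims several IPs, which is the footprint a poisoned cache leaves on the victim. The two tables below are constructed from the lab's addresses with made-up MAC addresses, and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")

# Constructed 'ip neigh' output as the Ubuntu host (192.168.12.10) might show it
# before the exercise; the MAC addresses are made up for this example.
ARP_BEFORE = """\
192.168.12.5 dev eth0 lladdr 00:0c:29:aa:00:05 REACHABLE
192.168.12.6 dev eth0 lladdr 00:0c:29:aa:00:06 REACHABLE
192.168.12.1 dev eth0 lladdr 00:50:56:aa:00:01 STALE
"""
# Constructed table from the same host afterwards: the entry for Metasploitable 2
# now carries the MAC that the Kali VM had in the first table.
ARP_AFTER = """\
192.168.12.5 dev eth0 lladdr 00:0c:29:aa:00:05 REACHABLE
192.168.12.6 dev eth0 lladdr 00:0c:29:aa:00:05 REACHABLE
192.168.12.1 dev eth0 lladdr 00:50:56:aa:00:01 STALE
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from 'ip neigh' or 'arp -n' style output, one entry per line."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def changed_entries(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """IPs present in both snapshots whose MAC differs, as ip -> (old_mac, new_mac)."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that appear behind more than one IP; a legitimate host normally answers for one."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def arp_alerts(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings from comparing two ARP table captures."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    alerts = [f"{ip}: MAC changed {old} -> {new}"
              for ip, (old, new) in changed_entries(before, after).items()]
    alerts += [f"{mac} now answers for several IPs: {', '.join(ips)}"
               for mac, ips in shared_macs(after).items()]
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(ARP_BEFORE, ARP_AFTER):
        print(line)
```

On a real host the same comparison can be run periodically against saved snapshots; the lasting fix is static ARP entries for the gateway on critical hosts or dynamic ARP inspection on managed switches, since the cache itself accepts whatever reply arrives.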

Laboratory 4.2 Use of Metasploit command line for vulnerability exploitation

Purpose: practice with exploiting vulnerabilities using the Metasploit command line

After the work the student must

- know: how to exploit vulnerabilities of different types;
- be able to: use the command line of Metasploit Framework.

Tasks:
Using the Metasploit Framework console, exploit the following vulnerabilities:
- unreal_ircd_3281_backdoor
- java_rmi_server
- drb_remote_codeexec

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 4.3 Use of Armitage for vulnerability exploitation

Purpose: practice with exploiting vulnerabilities using the Metasploit command line

After the work the student must

- know: how to exploit vulnerabilities with Armitage, the GUI for Metasploit Framework;
- be able to: use Armitage.

Tasks:
Using Armitage, check the misc attacks and find one to which Metasploitable 2 is vulnerable.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)
- Windows XP SP2 VM (192.168.12.11)

Laboratory 4.4 Database passwords attacks


Task:

Using Metasploit Framework, determine what DBMS are running on the target server. Bruteforce
passwords and get the contents of the tables with user account data.

Purpose: Learn how to penetrate DBMS systems

After the work the student must

- know how to penetrate DBMS systems;
- know how to brute force passwords.

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 4.5 Password attacks for different services

Task:

- run Nmap and define the network services which support authentication;
- find wild command shells and connect to them;
- find the modules in Metasploit Framework which are used for logging in to ftp, tomcat, vnc, etc.
  and bruteforce passwords;
- enumerate users via the SMB protocol using the corresponding Metasploit Framework module.
  Check whether there exist users with passwords equal to the account names.

Purpose: Learn how to bruteforce different services

After the work the student must

Be able to conduct fingerprinting of a web server

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 (192.168.12.6)

Laboratory 4.6 Modern 2014 attacks - heartbleed, shellshock

Task:

Using Nmap and Metasploit Framework, determine if the remote systems are vulnerable to the mentioned
attacks. Detect the mentioned vulnerabilities and exploit the remote systems.

Purpose: Learn how to use the modern attacks heartbleed and shellshock

After the work the student must

- know how to penetrate a vulnerable system through the Web;
- know how to penetrate a vulnerable system through other bash-dependent services.

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.1.10)
- Metasploitable 2 VM (192.168.1.100)

Chapter 5 Exploitation of Web-applications

Laboratory 5.1 Scanning of web-application

Task:

- Define the version of the web server on Metasploitable 2 with netcat or a telnet client;
- Use Nikto for discovering vulnerabilities;
- Discover technical information leakage;
- Find and browse interesting directories on the server.

Purpose: Learn how to fingerprint a web server

After the work the student must

Be able to conduct fingerprinting of a web server

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 (192.168.12.6)

Laboratory 5.2 Password bruteforcing of web-application


Task:

Using Burp Suite, conduct a password bruteforcing task in DVWA

Purpose: Learn how to brute force form-based authentication

After the work the student must

- know how to use Burp Suite for bruteforcing of form-based authentication

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 5.3 OS command execution through web-server

Task:

- Using THC-Hydra, check default passwords for the Tomcat server on port 8180 on Metasploitable 2;
- Find cmd.war on the Internet and deploy it on the Tomcat server;
- List the users of Tomcat and of the OS.

Purpose: Learn how to brute force HTTP basic authentication and execute OS commands through
the web server.

After the work the student must

- know how to use THC-Hydra for brute-forcing web applications

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Laboratory 5.4 SQL-injection and offline password cracking

Task:

- Exploit the SQL-injection flaw in DVWA (Low level of security);
- Using the vulnerability, download the users of the OS and the users and hashes of the database;
- Crack the received hashes with the john-the-ripper utility.

Purpose: Learn how to exploit SQL-injection and how to conduct offline brute-forcing of user
passwords.

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)
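Added example (not from the guide and not DVWA's own code) that shows the two halves of this lab in one file: a lookup written in the DVWA "low" style, where the user_id parameter is pasted into the SQL string, next to the parameterized version that closes the hole; and, for the offline step, why a table of unsalted MD5 hashes falls to a wordlist in one pass while a salted, iterated PBKDF2 hash does not. The rows, names and passwords are constructed, SQLite stands in for MySQL, and all function names are this example's own.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed rows modelled on the shape of DVWA's users table; the names and
# passwords here are made up and are not DVWA's real records.
SAMPLE_USERS = [
    (1, "admin", "admin", "password"),
    (2, "Gordon", "Brown", "abc123"),
    (3, "Hack", "Me", "charley"),
]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the lab database: passwords stored as unsalted MD5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(uid, fn, ln, md5_hex(pw)) for uid, fn, ln, pw in SAMPLE_USERS])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """DVWA 'low' pattern: the request parameter is pasted straight into the SQL text,
    so a quote in the input changes the query instead of being compared as data."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver binds user_id as a value, so it never reaches the SQL grammar."""
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()


def dictionary_hits(conn: sqlite3.Connection, wordlist: List[str]) -> Dict[str, str]:
    """Why the offline step is cheap: with unsalted MD5 each candidate word is hashed once
    and the digest looked up against every account at the same time."""
    digests = {md5_hex(word): word for word in wordlist}
    return {first: digests[digest]
            for first, digest in conn.execute("SELECT first_name, password FROM users")
            if digest in digests}


PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Mitigation: a random per-user salt and a slow KDF; the stored string carries both."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = build_db()
    print("normal input    :", lookup_vulnerable(db, "1"))
    print("tautology input :", lookup_vulnerable(db, "' OR '1'='1"))  # every row comes back
    print("same input, safe:", lookup_safe(db, "' OR '1'='1"))        # nothing comes back
    print("wordlist hits   :", dictionary_hits(db, ["letmein", "password", "charley"]))
```

The salt defeats the shared lookup in dictionary_hits (each account needs its own pass) and the round count makes each pass slow; together they are what turns the lab's quick john run into a cost the attacker has to pay per user.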

Laboratory 5.5 Exploitation of XSS vulnerability

Task:

- Exploit the XSS vulnerability in DVWA

Purpose: Learn how to exploit a stored cross-site scripting vulnerability.

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)

Chapter 6. Social engineering

Laboratory 6.1 Social engineering toolkit (SET) usage

Purpose: practice with conducting a MITM attack

After the work the student must

- know: what a social engineering attack is;
- be able to: use the Social Engineering Toolkit.

Tasks:
1. SET – clone a website to gain the victim's passwords;
2. Create a malicious weblink to sniff the victim's keystrokes;
3. Create a malicious weblink, install a virus, capture forensic images.

Material and technical equipping of the workplace

- Kali Linux VM (192.168.12.5)
- Metasploitable 2 VM (192.168.12.6)
- Windows XP SP2 (192.168.12.11)

Chapter 7 Exploitation using client-side attacks

Laboratory 7.1 Client exploitation with BeEF

Task:

Using the BeEF framework, hook the user's browser.

Purpose: Learn how to hook a user's browser

After the work the student must

- know how to use the BeEF framework

Material and technical equipping of the workplace

- Kali Linux 2 VM (192.168.12.5)
- Lubuntu VM (192.168.1.55)

Chapter 8. Maintaining access

Laboratory 8.1 Rootkit installation and usage

Purpose: Learn how to create and install a basic Trojan horse.

After the work the student must

- know when backdoors are used in penetration testing;
- be able to use Metasploit Framework for the creation of backdoors for penetration testing
  purposes.

Task:
Use Metasploit Framework to create a backdoor with a Meterpreter payload. Put it in the
existing Debian installation package of any small game. Install it and get a Meterpreter shell.
Take the /etc/shadow file from the remote host.

Material and technical equipping of the workplace
- Kali Linux 2 VM (192.168.12.5)
- Lubuntu 12.04 VM (192.168.1.55)
