EC Council CEH 312-50 V11 Topic: Gaining Access – Server Side Attacks
December 19, 2022

3. Basic Information Gathering & Exploitation

Right. So the first step in a server-side attack is information gathering. Information gathering is very important because it will show us the operating system of the target, the installed programs or running services on the target, and the ports associated with these services. We can then attempt to enter the system using the installed services. We can do this by trying the default passwords. We saw this before in the network penetration testing part, where the iPad had SSH installed, which basically gave you full access to the device if the person still used the default password, which was “pine.” So we can do this with any other service.

And we’ll see another example here today. Another thing we can take advantage of is that many people install and misconfigure services, and we’ll have an example of this too. A lot of these services are designed to give access to that computer, but they obviously need to have some security implemented. People often misconfigure these services, so we can take advantage of these misconfigurations and gain access to these computers. Another problem with these services is that some of them might even have back doors, and we’ll see an example of that, and a lot of them have vulnerabilities such as remote buffer overflows or code execution vulnerabilities that, again, allow us to gain full access to that computer. Now, the simplest way to do this is something that we’ve seen before, which is using Zenmap. So we use Zenmap with the IP address to get a list of all of these services, and then we Google each of them to see if they have any vulnerabilities.

Now, we’ve seen how we used Zenmap before, but I just want to convey the idea that anything is a computer. We’ve seen before that the metasploitable device is actually a website: it has a web server running. So websites are nothing different from this. To obtain the IP address of a website, simply ping it. So, for example, if we’re targeting Facebook, all we have to do is run ping facebook.com, and we’ll get their IP right here. So we have Facebook’s IP, and we’d be able to run Zenmap against it and get a list of all the running services on Facebook. Now, obviously, I’m not going to do that, because I’m not allowed to do that. What I’m going to do is run Zenmap against this metasploitable device, which is basically a computer, and that’s what we’re interested in testing.

So again, I can’t really stress this enough: anything is a computer, whether it’s a website, a server, any online service, or a phone. So you can go about penetration testing it the same way. So I’ll launch Zenmap, the same way that we did before. I’m going to go to my activities, look for Zenmap, and here is Zenmap. I’m going to put in the IP of my target, which is the metasploitable device, 10.20.14.204. In the network penetration testing section, we used to put in the base IP followed by /24 to cover all the IPs in the network around us. In this case, you might be testing a remote IP. So, for example, in the Facebook case, all you have to do is put the Facebook IP in there and test it, granted that you have permission to do that.

Now, I don’t have permission, so I’m not going to do that. What I do have permission to do is test my own device, which is installed on the same network as me. So that’s why I’m putting that IP in there, but you can put any IP you want in there and test it. So I’m going to hit scan, and this will give me a list of all the installed applications. Okay, so the scan is finished now, and we have a lot of open ports and a lot of services. What I advise you to do in this case, if you want to do a simple test, is to literally go through the ports one by one, read what each one is, and Google the name of the program. So, for example, we have port 21 here. That’s an FTP port. FTP is a service that’s installed to allow people to upload or download files from the remote server. FTP services typically require a username and password. However, as you can see, this service was misconfigured and allows anonymous FTP login. So unlike SSH, which we used before in network penetration testing with the default password, here you’ll be able to log in without a password at all. All you have to do is download an FTP client such as FileZilla, and you’ll be able to connect using this IP address on port 21. Now, again, I’m not going to explain this because it’s very simple: you download the application and connect to it. Something else you can do is take the FTP server name that was reported and Google it to see if it has any known issues, misconfigurations, or known code execution exploits. If you Google this one, you’ll find that this particular application ships with a back door installed in it.

For the time being, I’d like to show you something simpler, just to keep things short. So, I’m going to take a look at port 512 now. Assume we went through the ports one by one, were unable to find anything, and arrived at the 512/TCP entry. So I’m going to copy the service that’s running on this port. I don’t know what it is, so I’m going to copy it and Google it. Okay, so we’re going to take a look at the first result that we got here, and we can see that this is a remote execution program. So that’s very nice; that’s very cool. If we manage to log in with this, we’ll be able to execute commands on the target computer, and it uses rsh / rlogin. This is a Linux program that allows you to execute remote commands on the target computer in a manner similar to SSH. So let’s go back and see how we can connect to this. So this is all cool. Let’s see what comes in with this package.

And you can see that this is Ubuntu. So the target computer was running Ubuntu. If we go back, it’s running on Ubuntu here. And you can see that it uses the rsh client to connect. So this is the package that you need to install to connect to the service. As you can see, it says “client programme for remote shell connection.” So let’s go back and install the rsh client.

So, as we did before, when we need to install something we run apt-get install followed by the name of the program that we want to install. So it’s rsh-client. Now apt-get is going to install and configure it for me. Once it’s installed, we’re going to use rlogin to log in, because remember, the first page told us that it uses the rlogin program to facilitate the login process. So I’m going to run rlogin, and again, I don’t know how to use this program, so I’m going to run its help to see how to use it. We can see that the format is rlogin followed by the options that you want.

So what’s important here is the username and the host, which is the target IP. So this is what we’re going to do. We’re going to run rlogin, set the username to root (again, root is the user with the most privileges on the system), and enter the target IP address, which is 10.20.14.204. Now, as you can see, we’re logged into the metasploitable machine. If I run id to get my ID, you can see that I am root. If I run pwd, I’ll be in the root directory, and I can run ls to list files. If I run uname -a, it will list the hostname and the kernel that’s running on the machine. As you can see, I am on the metasploitable machine with root access.

So this was a manual, basic way of gaining access to the target computer purely through a misconfiguration of an installed service: the rlogin service was not configured properly. All we had to do was Google what was running on that port, and we were able to log in and gain full access to the target computer. Now, again, the key point here is that you do a Zenmap scan, and then you go through each port that you find. If you Google that port’s service, you can look up misconfigurations and default passwords, or find that the service came with a backdoor or a code execution vulnerability, maybe because it wasn’t programmed properly or had a flaw that could be used to gain access to that computer. We’ll have examples of these things in future videos as well.
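The lecture does not say what the rlogin misconfiguration actually was; the usual cause of an rlogin server accepting root from anywhere without a password is a wildcard trust entry in /root/.rhosts (or, for other accounts, /etc/hosts.equiv). The following audit script is an added example, not code from the lecture, and it assumes the classic BSD r-services file format; the two file bodies it checks are constructed sample data.

```python
"""Audit rlogin/rsh trust files (/etc/hosts.equiv and ~/.rhosts) for wildcard trust.

Added example for this page, not part of the lecture.  It assumes the classic
BSD r-services file format: one entry per line, "host [user]".  A "+" in the
host field trusts every host, "+" in the user field trusts every user on that
host, a leading "-" denies, and "+@name" / "-@name" refer to NIS netgroups.
The file contents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"none": 0, "info": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class TrustFinding:
    path: str
    line_no: int
    entry: str
    severity: str
    reason: str


def classify_entry(host: str, user: Optional[str]) -> Tuple[str, str]:
    """Map one parsed "host [user]" entry to a severity and an explanation."""
    if host.startswith("-"):
        return "info", "deny entry; harmless on its own"
    if host == "+" and user == "+":
        return "critical", "any user on any host may log in with no password"
    if host == "+":
        return "critical", "every host is trusted for this account"
    if host.startswith("+@"):
        return "high", f"whole netgroup '{host[2:]}' is trusted; review its members"
    if user == "+":
        return "high", f"every user on {host} may log in as this account"
    return "medium", (f"{host} is trusted by source address only; "
                      "rlogin/rsh send everything in clear text")


def audit_trust_file(path: str, text: str) -> List[TrustFinding]:
    """Parse a hosts.equiv/.rhosts body and return one finding per entry."""
    findings: List[TrustFinding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        severity, reason = classify_entry(host, user)
        findings.append(TrustFinding(path, line_no, entry, severity, reason))
    return findings


def worst_severity(findings: List[TrustFinding]) -> str:
    """Highest severity across the findings, or 'none' if there are no entries."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample files.  The single "+ +" line in /root/.rhosts is the kind of
# entry that lets rlogin accept root from any address without a password.  Note
# that hosts.equiv is never consulted for root, so root trust can only come from
# /root/.rhosts; that is the first file to check on a host exposing port 512/513.
SAMPLE_ROOT_RHOSTS = "+ +\n"
SAMPLE_HOSTS_EQUIV = """\
# trusted build box
build01.example.internal
+@admins
-oldbox.example.internal
"""

if __name__ == "__main__":
    for path, body in (("/root/.rhosts", SAMPLE_ROOT_RHOSTS),
                       ("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV)):
        for f in audit_trust_file(path, body):
            print(f"{f.severity:8} {f.path}:{f.line_no}  '{f.entry}'  {f.reason}")
```

On a real host, read the two files with their actual contents in place of the constructed strings; any critical or high finding means the r-services should be disabled or the entry removed, since the fix the lecture implies is to stop trusting by source address entirely.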

4. Hacking a Remote Server Using a Basic Metasploit Exploit

So far in the server-side attacks, we’ve seen how we can gain access to the target computer by using a default password or a misconfigured service. Today we’re going to have an example of a very simple thing, which is a backdoor. Some programs or services were shipped with back doors embedded in them, and we’re going to exploit that today. I chose this very simple exploit because I want to introduce you to a framework called Metasploit. We’re going to be using that framework a lot, so I wanted something simple to start with, and then we’re going to go deeper into that framework. Now, let me show you how we discovered that exploit. Using the same method we’ve always used, I’ve got my Nmap scan, and as I mentioned, we’re going to go through each port and Google it for exploits. So I’m going to Google the service name here: I’m going to go to my browser, go to Google, and type in the service name followed by “exploit”.

As you can see, the first result comes from a website called Rapid7. Rapid7 is the company that makes the Metasploit framework, so that’s why I chose this particular exploit to show you today. Let me go back and talk about Metasploit for a second. We’re going to exploit this service using Metasploit. As you can see here, Rapid7 is telling us that this version of FTP has a backdoor for command execution. So it allows us to execute commands on the target computer if it has this program installed. And from Nmap, we know that this program is installed, which means that we can execute commands on the target machine. So I’m coming back here and going to the next slide, which talks about Metasploit. Now, Metasploit, as I said, is made by Rapid7. It is a huge framework that contains a large number of exploits.

So it allows you to exploit vulnerabilities or create your own exploits. If you are an expert and you know how to discover and make exploits, then Metasploit will help you do that. Now, for today, we’re making a very simple use of an existing vulnerability. The commands on Metasploit are very easy. They might seem a bit complicated now, but once you get used to them, they are very easy to use, and a lot of them are generic commands. So here I’m showing you the basic generic commands, and there are other commands that you get used to in time. The first command is msfconsole, which just launches the Metasploit program. You can always type in help at any stage, and you’ll get help with the commands and descriptions of how to use them. You can use the show command to show something: you can show the available exploits, show the available auxiliaries, show the available payloads, and we’ll talk about what each of these means in the future. You can use the use command to use something that you’ve shown.

So, for example, you showed the exploits and picked a certain exploit that you wanted to use. Then you use the use command followed by the exploit name to load it. Then you can use the set command to set specific options for the exploit. For example, if you wanted to set the IP address of your target, you would set the IP option to the value that you wanted. And then, at the end, once you’ve finished configuring your exploit, you type in exploit to execute it. Now, I know this might look a bit vague, but once I use it, it’s going to become very clear to you, and we’re going to be using these programs and these commands a lot, so they’re going to become very easy and simple to use. So we’re coming back here.

So we went to Nmap, we Googled the name of the service, and the first thing that came up was that this service has a backdoor command execution. Because this is from Rapid7, the vulnerability is exploitable using Metasploit, and the module name that we’re going to be using is given right there. This made our lives much easier. So I’m going to copy the name; this is the name that I want to use to exploit this vulnerability. I’ll go to my console, launch Metasploit using the command msfconsole, and run use followed by the name of the exploit that we just copied from Google or Rapid7. As you can see now, the prompt changed to “exploit” followed by the name of the exploit that we’re using. Then we’re going to use the show command to show the options that we need to set. As I said, show is a generic command that you can use in a number of cases; in this case, we’re running show options to see all the options that we can change for this particular exploit. As you can see, the second option is the port that the service is running on, and it’s already set to port 21, which is correct. If we go back to Nmap, you’ll see that our target FTP server is running on port 21. So this is good; we don’t need to change any of that.

The host needs to be changed. The host (RHOST) is the target IP address, as you can see here. To change the value of this, as I explained before, we’re going to use the set command. So our command is going to be set RHOST followed by the IP address of my target metasploitable machine. So we use set, and after set you put the option name. For example, if you wanted to change the port, you’d set RPORT. We are changing the host, so we set RHOST to 10.20.14.204 and hit enter. As you can see now, the host is set to this. Now I want to show the options again just to make sure that everything is configured correctly, and as you can see, RHOST has been changed to 10.20.14.204.

So everything is ready now. To execute the exploit, we just type in exploit. The exploit appears to have been successful, but nothing has happened; we didn’t gain anything. So I’m just going to run it again and see what happens, since sometimes that’s needed. As you can see now, the exploit was successful, and I have access to the target computer. If I run id, you’ll see that my ID is root. Basically, I’m running Linux commands here. So, if you run uname -a, you’ll notice that this is my metasploitable machine. If I run ls, it will list the files for me. If I run pwd, it’ll show me where I am, and I can use Linux commands to do anything I want on the target machine. Now, this was a very simple use of Metasploit; in the future, we’re going to be using it for more advanced stuff.

5. Exploiting a Code Execution Vulnerability to Hack into a Remote Server

So far, we’ve seen how we can use a service with a default password, a service that has not been configured correctly, or a service that came with a backdoor to gain full access to the target computer. We also saw how we used Metasploit’s basic functionality to connect to a backdoor installed on the FTP server. Today we’re going to have a more advanced look at Metasploit, and we’ll see how we use it to exploit a vulnerability that exists in a certain service. It’s a code execution vulnerability that will give us full access to the target computer as well. So back to our results here with Nmap, and we’re going to do the same thing that we’ve been doing for a while: copy the service name and see if it has any vulnerabilities.

So, for today, we’ll look at this specific port, 139, which has a Samba server, version 3.x (where x can be anything). We’re going to go to Google just like we did in the previous videos and look for the Samba 3.x exploit. As you can see, there are a number of results. The ones that we’re interested in are the ones that come from Rapid7, because, as I said, these are the people that make Metasploit, so the exploits that you see there can be used through Metasploit. We have two examples here. Now, I’ve actually tried both. The first one doesn’t work, so there is a bit of trial and error in this. The second one is the usermap_script exploit. As you can see, it’s a command execution vulnerability, the same kind of thing that we used before with the backdoor in the FTP service.

This is just a different module name that we’re going to use. So I’m going to go to Metasploit; I’ve already run msfconsole, so you can see that the console is running here for me. I’m going to run use like we did before, followed by the name of the exploit that I want to use. Then the next thing that we usually do is show options, like we did last time. So using these exploits is pretty much always the same; the only difference is the options available for each exploit. You always run use followed by the exploit name, and then show options to see what you can change to make it work with this exploit. You’ll probably be using different exploits than I do in the future.

So every time you want to run an exploit, you run use followed by the exploit name and then show options to see the options that you need to configure. Using the exploits, setting the options, and running them is always the same, so I’m showing you a few examples that should cover pretty much everything that you want to do in the future. So again, we need to set RHOST, which is the IP of the target computer, and we’re going to do it the same way that we did before. As I said, setting the options is always the same: we set RHOST to the IP of the target computer, which is 10.20.14.204. So exactly like we did before, we’re using set to set an option, which is the host.

So we’re going to run show options. As you can see now, RHOST has been set correctly. What we need to do now is identify where things differ from the previous lecture. In the previous lecture, we used a backdoor that was already installed on the target computer. All we had to do was connect to the back door, and then we could run any Linux commands on the target computer. In today’s video, the target computer does not have a backdoor. It has a normal program that has a buffer overflow or a code execution vulnerability.

So the program doesn’t have any code that allows us to run Linux commands. It has a certain flaw that will let us run a small piece of code. These small pieces of code are called payloads. So what we need to do is create a payload and then run it on the target computer using the vulnerability that we found. That piece of code will allow us to do different things, so the payload is what allows us to do things that are useful to us. The payload might let us run Linux commands, and there are other types of payloads we’ll look at in the future. To see the payloads that you can use with this particular exploit, all you have to do is run show payloads, and these are the different types of payloads that you can use. Now, I’m going to go over this again. Payloads are small pieces of code that will be executed on the target computer once the vulnerability has been exploited. So when we exploit the vulnerability, the code that we pick here will be executed, and depending on the type of payload we choose, that payload will do something that is useful to us.

Right now you can see that all the payloads are cmd, which is short for command. They let you run commands on the target computer, just like Linux commands, and all of them only run on Unix. That’s okay, because our target is Linux. There are two main types of payloads: bind payloads and reverse payloads. All the bind payloads do is open a port on the target computer, and then we connect to that port. The reverse payloads do the opposite: they open a port on my machine, and then the target computer connects back to my machine. This is useful because the reverse payload allows us to bypass firewalls.

The firewall will filter any connections going to the target machine. But if the target machine connects to my machine, where I don’t have a firewall, then I’ll be able to bypass the firewall. So I’m going to use the cmd/unix/reverse, or actually, I’ll use the cmd/unix/reverse_netcat payload. The last part of these payload names is the programming language or the tool that’s going to be used to facilitate the connection. There are payloads written in Perl, Ruby, Python, or PHP, for example, or you can use netcat, a tool that allows connections between computers. So this is the one that I’m going to use, and I’m going to use it the same way you use an exploit.

Actually, sorry, I’m going to use the set command. The same way you set an option, we’re going to set a payload: set PAYLOAD followed by the payload name that we just picked. Now I’m going to run show options to see if there are any other options that I need to set. And yes, because we picked a payload, there are now more options. There is an option called LHOST, and it’s the listening address, which is my own address. So I’m going to get my own IP address using ifconfig, and my own address is 10.20.14.203. I’m going to close this and set LHOST to 10.20.14.203, the same way that we set RHOST before. Before, we used set RHOST to set that option; now we’re using set LHOST to set this particular option. set is very simple: you enter the option name followed by the value you want to assign to it. Then I’ll run show options, and everything appears to be in order. So we’re using this exploit.

RHOST is set to this, which is what we want, and LHOST is set to this, which is what we want. You can also set the port that you’re going to be listening on, on your own computer. You can actually set it to 80 if you want to; that’s the port that is used by web browsers. If you set LPORT to 80, the target computer will try to connect to you on port 80, which is never filtered on firewalls because that’s the port that web browsers and web servers use. Whenever you access a website, you actually access port 80 on that website. So if you open port 80 on your machine and the target connects to you on 80, then the firewall will think that the target is only browsing the Internet. I’m not going to do that now because I have a web server running on port 80, and that would conflict.

So I’ll just set LPORT to 555 as an example, for you to see that you can change any option in the same way: by giving the option name first, followed by the value. I’m going to run show options again, and as you can see, this has been changed to 555. Now I’m going to run the exploit. As you can see, it’s telling me that session one has been opened, and the connection is between this device and this device, which are the target and my device. So I’m going to run pwd or id. If I run uname -a, you’ll see that I’m root and that I’m on the metasploitable machine. If I run ls, I’ll be able to list the files, and so on. I can use any Linux command, just like we did before in the other videos.
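The point made above about LPORT 80 is worth seeing from the defender’s side: a reverse payload only looks like browsing if the firewall judges traffic by destination port. The script below is an added example, not code from the lecture or from Metasploit; it runs two egress policies over constructed flow records that reuse the lecture’s lab addresses (10.20.14.204 as the target server, 10.20.14.203 as the attacking machine) and its two LPORT values, 555 and 80.

```python
"""Egress policy check for the reverse-payload callback described above.

Added example for this page, not code from the lecture or from Metasploit.
It compares two ways a defender might spot a reverse payload calling home:
judging by destination port only, versus an allowlist of approved
(destination, port) pairs for the server.  Flow records are constructed
sample data using the lecture's lab hosts (10.20.14.204 is the target
server, 10.20.14.203 the attacking machine) and the LPORT values 555 and 80.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

SERVER = "10.20.14.204"                # the host whose outbound traffic we watch
WEB_PORTS = {80, 443}                  # ports that "look like browsing"
# Approved outbound destinations for the server (constructed for the example).
APPROVED: Set[Tuple[str, int]] = {
    ("10.20.14.1", 53),                # internal DNS resolver
    ("203.0.113.10", 443),             # package update mirror
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src>:<sport> -> <dst>:<dport> <proto>'."""
    left, right = line.split("->")
    src = left.strip().rsplit(":", 1)[0]
    dst_port, proto = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(dport), proto)


Policy = Callable[[Flow], Optional[str]]


def port_only_policy(flow: Flow) -> Optional[str]:
    """Alert on outbound flows from the server unless the port looks like web traffic.

    This is the model that the lecture's 'set LPORT 80' defeats: the callback
    to 10.20.14.203:80 is indistinguishable from browsing under this rule.
    """
    if flow.src != SERVER:
        return None
    if flow.dport in WEB_PORTS:
        return None
    return f"server connected out to non-web port {flow.dport}"


def allowlist_policy(flow: Flow) -> Optional[str]:
    """Alert on any outbound flow from the server to an unapproved destination.

    A server rarely needs arbitrary outbound connections, so judging by
    (destination, port) catches the callback whatever LPORT was chosen.
    """
    if flow.src != SERVER:
        return None
    if (flow.dst, flow.dport) in APPROVED:
        return None
    return f"server connected out to unapproved {flow.dst}:{flow.dport}"


def evaluate(lines: List[str], policy: Policy) -> List[Tuple[str, str]]:
    """Run a policy over flow records; return (record, reason) for each alert."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        reason = policy(parse_flow(line))
        if reason is not None:
            alerts.append((line, reason))
    return alerts


# Constructed flow records, not real captures.
SAMPLE_FLOWS = [
    "10.20.14.204:41022 -> 10.20.14.203:555 tcp",   # reverse_netcat callback, LPORT 555
    "10.20.14.204:41023 -> 10.20.14.203:80 tcp",    # same callback with LPORT 80
    "10.20.14.204:41024 -> 10.20.14.1:53 udp",      # legitimate DNS lookup
    "10.20.14.204:41025 -> 203.0.113.10:443 tcp",   # legitimate update check
    "10.20.14.50:51000 -> 10.20.14.204:139 tcp",    # inbound to Samba; not egress
]

if __name__ == "__main__":
    for name, policy in (("port-only", port_only_policy), ("allowlist", allowlist_policy)):
        print(f"== {name} policy ==")
        for record, reason in evaluate(SAMPLE_FLOWS, policy):
            print(f"ALERT {record}: {reason}")
```

The port-only policy both misses the LPORT 80 callback and raises a false alarm on the DNS lookup, while the allowlist policy flags exactly the two callbacks; the inbound Samba connection on 139 is outside either policy’s scope and needs its own inbound monitoring.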

6. Nexpose – Installing Nexpose


7. Nexpose – Scanning a Target Server For Vulnerabilities

Okay, now that we’ve successfully installed Nexpose, let’s see how we can run the tool and see what it does. I know we spoke about it a lot and we went through the installation process, but you still haven’t seen what the tool does. So this is the home page of the tool. And as you can see, everything is empty right now.

So, before I start explaining everything, let’s go ahead and add a target, and then we’ll run a scan, because this page will be filled in after we do a scan. So the first thing I’m going to do is go to Sites, create a site, and add a target. I’m going to call this site metasploitable, then go to the assets and add the target. The target can be a range, the same way we added it when we were doing the network penetration testing with Zenmap, or a specific IP. In this case, we’re targeting the Metasploitable machine, so we’re going to add our target, which is 10.20.14.204. Let me confirm this here: yes, this is our Metasploitable machine, 10.20.14.204. And we’ll add this to a group and call it Metasploitable, or we’ll call it test.

So this is our group name. Now, the authentication part is for targets that use some sort of authentication, where you can’t access the target unless you authenticate with a particular service, for example an FTP service, web (HTTP) authentication, Telnet, or an SQL server. So you can pick the service here, put in the domain, username, and password, confirm the password, and that way the framework will be able to authenticate with that service and test the security of your server. Now, our server doesn’t use any type of authentication, so we don’t need this. Also, if you’re targeting a web application that uses a login page, say Facebook, you won’t be able to access most of Facebook’s features unless you log in with a specific username and password. So again, using this feature here, you can log in and then test the security of your target. The templates are where you select the scan type. It’s very similar to the scan profiles we saw in Zenmap.

There, quick scan, quick scan plus, and intense scan were all options. This is the same: each one of these profiles is different and scans different things. For example, we have the full audit here, which takes a lot of time but checks for pretty much everything. Then you have the full audit with enhanced logging without Web Spider. A web spider is a tool or a script that finds all the files and directories on your target, and the default is a full audit without a web spider. So that’s the one we’re going to be doing. You also have network-specific profiles, and you have web audits as well. So I really encourage you to try all or most of them and get familiar with them. Now we’re only going to try this one, because using them is the same, and it will be scanning for TCP and UDP ports. So I’m leaving that the same. I’m going to leave the engine the same as well, which means it’s going to use our local engine, which we installed, instead of the one that is provided by Rapid7.

And for the alerts, you can set up custom alerts so that when a vulnerability is found, you get a notification. The schedule is a really, really cool feature. Say you’re working for a company or an enterprise that keeps pushing code, new code every day for example, or maybe your own code. You did a test today, and everything you’re working on is good: your web servers, your programs, and your applications are all up to date, and there are no vulnerabilities in them. Let’s say tomorrow you push a new version of your code, or maybe tomorrow someone discovers a new vulnerability in a program that you’re using on your web server, so you’re not secure anymore. This feature allows you to schedule the test so that it runs every week, every hour, or every month, depending on how critical it is.

So all you have to do is go into “Create a Schedule” and create the schedule: you can put a start date and an end date, and you set the frequency from here, every day, every Thursday, every 26 days, or whatever you want. The scan will then run at the intervals you specify, and you can even get it to generate a report for you, so you can go over the report and see what’s changed or what has been discovered. So everything is good. Now the most important part of what we did here is that you put your target here, and the next thing is that you select the template. We have both of them set, so we’re going to do “save and scan,” which will save this configuration and start a scan for us. Now, as you can see, our asset discovery is in progress. I’m going to pause the video, and after that, we will talk about the results that we got.

8. Nexpose – Analysing Scan Results & Generating Reports

Okay, so my scan is over, and I’m here now at the Assets page. One asset, as you can see, has been scanned. We can see that the asset is running Ubuntu, and the skill level needed to hack into this asset is novice. Already from this, you can see that Nexpose will show us much more information than Metasploit Community, and it is a much more advanced vulnerability management framework. We can see that we scanned one target, it’s Metasploitable, and the site is global. Let me zoom in. It’s running Ubuntu Linux 8.04, and we discovered no malware, 177 exploits, and 308 vulnerabilities.

Remember, with Metasploit Community, I think we only discovered eight modules and only one exploitable vulnerability. Here we discovered 308 vulnerabilities. So we discovered many more vulnerabilities and exploits. You can see that there is a risk factor assessed for this and when this was last scanned. Now, if we go down, we can see the operating system that we discovered again, and we can see the software that is installed on the target computer. So we see not only the services that are running on ports, but also the software that is installed on the target computer.

This can be very useful once we have access to the computer. After we manage to hack into it, it’s very useful for finding local exploits that can be used to increase our privileges. For example, if you are a normal user and you want to become root, you can use a local buffer overflow to increase your privileges or to do other kinds of stuff. So these are very useful in terms of post-exploitation. If we go down, we’ll see the services that are installed on the target computer, just like Nmap gave them to us. We can see that HTTP is running, DNS, and so on. If you click on any of these services, you’ll see that it gives you more information about it. For example, for the HTTP service it gives a description of it and the ports that it’s running on.

So we can see that HTTP is running on port 80 and on port 8180. Now let’s go up. If we want to dig deeper into the vulnerabilities, we can visit the Vulnerabilities page. You can see we have a graph here of the vulnerabilities categorized by their risk factor, and here they’re categorized by the skill level needed in order to exploit them. You can see a list of all of them here, and we can switch between them using this right here. Again, if there is any malware, you’ll see it here, and if there is an exploit, you’ll see it here. Now, none of the top vulnerabilities listed here have an exploit module, but they are ordered by their risk, so these are very risky vulnerabilities, and as we proceed through them, the risk becomes a bit less. As you can see, the VNC password is “password”. So we can go in and try to connect using VNC. VNC is a service very similar to Remote Desktop: basically it shows you the desktop and allows you to gain full access to the target computer, just like Remote Desktop.

I’m not going to show you how to do that, which is very simple, but it’s telling you here that the password is “password”. It’s also telling you that there is a backdoor running, and we used that already. It’s also telling us that it’s running an old version of PHP that can be exploited; it’s just an old version, actually. Now let’s look at something that is exploitable. So I’m going to click on this to order them by exploit. You can see that all of these have an M logo, which means that they can be exploited using Metasploit. You can see here that we have the remote shell service that we used, and there is the rlogin service here that can be used as well, which we already had a look at. So let’s click on something that we haven’t seen before. You can read about this vulnerability here. Again, you can see the port that it’s running on, and you can see why it thinks that this particular target is vulnerable to this exploit. If you go down, it will show you how you can exploit it. So there are three different modules associated with it, but not all of them actually exploit it.

Sometimes you just see modules that can be used to verify the existence of this vulnerability, but basically, these are modules associated with it. If we click on this, it takes us to the Rapid7 page that we always used to see when we Googled things, where we see the module name that we can just copy and paste into Metasploit, show the options, and then use the exploit the same way that we’ve seen in previous videos. Again, when you go down, you’ll see references to this particular exploit, and at the bottom, it will show you the solution for how you can fix this vulnerability. For this one, all you need to do is change the administrator password and not use the default configuration. Another useful thing is the reports. This framework allows you to generate reports for each scan that you do, and there are different types of templates for the report. If you go and create a report, you can see that there is an audit report, which contains a lot of detailed information for the programmers or for the technical people.

Or you can use an executive summary, which has less information and is made for managers or top-level people who don’t have much experience with technical stuff. You can select any template you want and call it anything. I’m going to call this Metasploitable or Metasploit, and you select the format that you want; it’s set to PDF here. Then I’ll select the target scan for which I want to generate a report, and I’ll select my Metasploitable scan. Then you save and run the report to generate it. You can also get this to generate reports automatically every time, because as I showed you, you can schedule reports, you can schedule scans, and you can also schedule an automatic report each time a scan is done.

So, for example, if you’re scanning every week, you can also generate a report every week, every time that scan is done. Now, let me just download the report and show you what it looks like. As you can see, it has the date, it has the title, and it has all the exploits that have been found. But this is the executive report, so it has fewer details about the exploits and more graphics to show the executives the risks that have been found and how critical they are. So, as you can see, Nexpose shows you much more detail and is much more advanced. It’s directed towards bigger companies with bigger enterprise structures, where you need to always make sure everything is up to date, everything is installed, and there are no exploits.

9. Server-Side Attacks Conclusion

In the previous lectures, we learned the basic methodology of server-side attacks, that is, the basic methodology of how to test the security of servers. We learned how to do that manually, and then we learned how to do it with tools such as Nexpose. So before moving to the next section, which is client-side attacks, I want to spend one more lecture just reflecting on everything that we’ve done so far and going over the steps that we used in order to discover and exploit vulnerabilities in servers.

Testing the security of servers, or running server-side attacks, is more or less always the same. Let me show you what I mean. We’re always going to have to start by discovering information about our targets, and we’re going to do that by discovering the open ports and the running services using Nmap, as we showed earlier. Then, once we have a list of all of the open ports and the running services, as we saw in this section, for each one of these entries, for each port and for each service, we’re going to go ahead and search for vulnerabilities. We’re going to do that using Google and websites such as Exploit-DB, and so on. We’re going to look for vulnerabilities in these services. If we do find vulnerabilities, we’re going to see if they are exploitable, because sometimes the exploit might not be public. And if it is, we’re going to try to exploit it or verify this vulnerability.

And once done, we’re going to make a note of it in our report; we will talk about pentest reports at the end of the course. So, as you can see, the steps are always the same. You’re always going to use Nmap to discover the open ports and the running services. You’re always going to look for vulnerabilities in each one of these services using Google or other vulnerability websites like Exploit-DB. The only part that differs is finding and verifying these exploits, because using them can be slightly different, as we’ve seen previously. A lot of the time, when you find vulnerabilities that aren’t in Metasploit, the exploit itself will include documentation on how to use it, and if it doesn’t, you can again look for it on Google and learn how to exploit it. So although it looks very simple, this is really always going to be the methodology that we use when approaching server-side attacks. And these will always be the basic steps you’ll use in CTFs, such as Hack The Box and TryHackMe. You’ll always start with an Nmap scan, then try to discover vulnerabilities, search for them, try to exploit them, and verify your findings.
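The first two steps of the methodology above, turned into a checklist: the added example below (not part of the course) reads Nmap XML output and produces one entry per open port with what runs there and what to research next. The XML is a constructed sample in the shape of `nmap -sV -oX` output, and the product and version strings in it are invented for illustration.

```python
"""Added example: build the per-service research list from an Nmap XML scan.

The XML below is constructed in the shape of `nmap -sV -oX` output; the
products and versions are sample values, not real scan results.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
 <host>
  <address addr="10.20.14.204" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
     <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
     <service name="http" product="Apache httpd" version="2.2.8"/></port>
   <port protocol="tcp" portid="5900"><state state="open"/>
     <service name="vnc" product="VNC" version="protocol 3.3"/></port>
   <port protocol="tcp" portid="8180"><state state="open"/>
     <service name="http"/></port>
   <port protocol="tcp" portid="25"><state state="closed"/>
     <service name="smtp"/></port>
  </ports>
 </host>
</nmaprun>"""


def service_inventory(xml_text: str) -> list[dict]:
    """One entry per open port: what runs there and what to search for next."""
    entries = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not services to research
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            if product and version:
                query = f"{product} {version} vulnerability"
                todo = "search for public vulnerabilities and exploit modules"
            else:
                query = f"{name} service port {port.get('portid')}"
                todo = "no version fingerprint: grab the banner manually first"
            entries.append({"host": addr, "port": int(port.get("portid")),
                            "proto": port.get("protocol"), "service": name,
                            "product": product, "version": version,
                            "search": query, "next_step": todo})
    return entries


if __name__ == "__main__":
    for e in service_inventory(SAMPLE_NMAP_XML):
        print(f"{e['host']}:{e['port']}/{e['proto']} {e['service']:<6} -> "
              f"{e['search']}  [{e['next_step']}]")
```

The closed port is skipped, and the port 8180 entry, which has no version fingerprint, is marked for a manual banner check rather than given a version-specific search.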

So although it sounds very simple, I wanted to make one more lecture just so that it’s clear that it’s really as simple as this. The only things that could be different are the exploits themselves, for which you might have to do a bit of research to learn how to use them. However, it is impossible to cover all possible exploits; there are literally thousands of them. What I’m trying to do here is teach you how to actually search for exploits and exploit them yourself, or search for information and apply it yourself, and give you the proper basic methodology for how to approach server-side attacks. Now, if you go through the whole list of the ports and services that you discovered and you could not find any exploitable vulnerabilities, then the only hope for you is to try client-side attacks.
