Info3002 Ethical Hacking Principles and Practice
Pentesting Project
Due: 9pm, Friday, 10 June 2022

In this project, you will mainly pentest the Metasploitable2 VM by accomplishing the tasks described below. The tasks in this document will be a little harder than what you have seen in our lectures and labs. However, the basic skills involved are similar. Since pentesting is exploratory in nature, you should try to complete the tasks without seeking help from tutors. There are hints and notes provided within this document to help you. Besides these, you should do your own research first if you encounter difficulty in completing a task. For instance, if you do not know the usage of the 'xxx' command and its options, use 'man xxx' to find out. After you have tried almost everything and still cannot figure it out, limited help can be obtained from tutors.

Write your answers for all tasks into a project report. When asked to grab a screenshot in a task, the screenshot must include the VM name, which includes your Student ID. If you are using VMs created on your own laptop, then the screenshot must show the IP address of the target somewhere. For instance, the target IP can appear in your command line, or, if the command line does not include the target IP, you can run the 'ip a' command to display the IP address intentionally. An exemplar screenshot is included as follows. Failing to do so will cause you to lose marks for the relevant tasks.

We suggest that you read the entire specification first, and then start with the tasks that are already covered by our lectures, and especially Task 6.

This project is individual work. By working on this project, you promise that you will never ask for or offer inappropriate help from/to others.

1 General Hacking Capability [2 marks]

1.1 Give your answer to the following cryptogram, and attach at least two screenshots of your own handwriting (one during the solving process and the other of the final result) to prove that it was solved by yourself. If you have forgotten what a cryptogram is, please refer to the last task of Lab 1. Since you cannot play it using the website (you have to use paper and pencil), we offer you a hint: 'Q' is 'T'. [1 mark]

1.2 Give your answer to the following matchstick puzzle. You are only allowed to move one matchstick to make the equation hold. All matchsticks have to be used, and you should not make it an inequality. We emphasize again that you should not ask for or share your answers with others. [1 mark]

2 Service and Vulnerability Detection [3 marks]

2.1 If you use nmap to scan all TCP ports of Metasploitable2 instead of the default 1000 ports, it will show that port 8787 is open. Suppose you are interested in knowing which service is running on this TCP port. Use nmap to scan only this port to find out. [1 mark]
a) Include a screenshot showing your command line and its output.
b) Then, based on the output, describe the detected service and software version in your own words in your report.

2.2 In GVM, explore its interface to create a port list with all TCP ports 1-65535 included (let's ignore port 0, which is a port number not supported by all OS kernels). Name this port list 'All TCP Ports'. Then, create a target for scanning the Metasploitable2 VM with this port list. Finally, create a task to scan this target with 'Full and Fast' as the Scan Config.
a) Detail your steps for achieving the above in your project report and include a screenshot for port list creation, target creation and task creation respectively. [1 mark]
b) Complete the scan task created above, and obtain the PDF report from this scan. Compare this report (denoted Report 1) with the report you obtained from Lab 4 Task 4.8 (denoted Report 2). Detail how you made the comparison, and give at least one TCP port that is shown to have severity 'High' results in Report 1 but is not listed in Report 2.
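One way to carry out the comparison in Task 2.2 (b) systematically, as an added example that is not part of the assignment: if both scans are also exported with GVM's 'CSV Results' report format (alongside the PDF), the script below lists every TCP port that has severity 'High' results in Report 1 but does not appear in Report 2 at all, together with those results. The column names follow that export; the rows, the IP address and the finding names are constructed placeholders, not real results from the VM.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the column layout of GVM's "CSV Results" export
# (only the columns used here are kept). These are NOT real scan results.
# Report 1: full TCP port list (1-65535). Report 2: default port list.
REPORT1_CSV = """\
IP,Hostname,Port,Port Protocol,CVSS,Severity,NVT Name
10.0.0.5,,general,tcp,0.0,Log,Example host-level log entry
10.0.0.5,,21,tcp,10.0,High,Example backdoor finding A
10.0.0.5,,21,tcp,5.0,Medium,Example cleartext login finding
10.0.0.5,,8787,tcp,9.3,High,Example finding on a non-default port
10.0.0.5,,8787,tcp,7.5,High,Second example finding on the same port
10.0.0.5,,80,tcp,4.3,Medium,Example web finding
"""
REPORT2_CSV = """\
IP,Hostname,Port,Port Protocol,CVSS,Severity,NVT Name
10.0.0.5,,general,tcp,0.0,Log,Example host-level log entry
10.0.0.5,,21,tcp,10.0,High,Example backdoor finding A
10.0.0.5,,21,tcp,5.0,Medium,Example cleartext login finding
10.0.0.5,,80,tcp,4.3,Medium,Example web finding
"""

def port_key(row):
    """(port, protocol) for a result row, or None for host-level rows
    such as 'general/tcp', which carry no port number."""
    port = row["Port"].strip()
    if not port.isdigit():
        return None
    return (int(port), row["Port Protocol"].strip().lower())

def high_findings_by_port(csv_text):
    """Map (port, protocol) -> sorted NVT names whose severity is 'High'."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = port_key(row)
        if key is None or row["Severity"].strip().lower() != "high":
            continue
        findings[key].add(row["NVT Name"].strip())
    return {k: sorted(v) for k, v in findings.items()}

def ports_only_in_first(report1_csv, report2_csv):
    """Ports with High results in report 1 that report 2 never lists
    (at any severity), each with its High findings from report 1."""
    high_r1 = high_findings_by_port(report1_csv)
    listed_in_r2 = {port_key(row) for row in csv.DictReader(io.StringIO(report2_csv))}
    return {k: v for k, v in high_r1.items() if k not in listed_in_r2}

if __name__ == "__main__":
    for (port, proto), names in sorted(ports_only_in_first(REPORT1_CSV, REPORT2_CSV).items()):
        print(f"{port}/{proto}: High results only in Report 1")
        for name in names:
            print(f"  - {name}")
```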
Also, list the severity 'High' results from that port. [1 mark]

3 Exploitation [3 marks]

3.1 The "Metasploitable 2 Exploitability Guide" (https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide) gives a great tutorial on how to exploit the Metasploitable2 VM. Please read through this guide, and especially focus on the 'Services: Backdoors' section. Then, accomplish the following tasks.
a) The 'Services: Backdoors' section first describes how to manually exploit the backdoor in the tampered FTP server VSFTPD v2.3.4. Follow it to complete the exploitation on your Metasploitable2 using 'nc' instead of 'telnet'. Detail your steps and include a screenshot of your success. This screenshot should include the 'nc' command line, and the results of executing the following commands after gaining access: 'id', 'ip addr show dev eth0', and 'hostname'. [1 mark]
Note: The 'telnet' command has been deprecated in Linux today. This is why you are asked to use the 'nc' command instead. The 'nc' command runs the 'netcat' tool, which is very flexible and is dubbed 'the Swiss army knife for networking'. The 'netcat' tool will be covered in Week 7's lecture.
b) The 'Services: Backdoors' section also describes how to exploit the old standby "ingreslock" backdoor that is listening on port 1524. Use the 'netcat' tool instead of 'telnet' to accomplish this exploitation. Detail your steps and include a screenshot of your success. This screenshot should include the 'netcat' command line, and the results of executing the following commands after gaining access: 'whoami', 'ip a show dev eth0', and 'pwd'. [1 mark]

3.2 Your GVM report for Metasploitable2 obtained in Task 2.2 should show the 'distcc Remote Code Execution Vulnerability' on TCP port 3632. Follow Section 6 Steps 1-5 from the following tutorial to exploit this vulnerability: https://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson2/index.html. Detail your steps and include a screenshot of your success. This screenshot should include the results of executing the following commands after gaining access: 'whoami' and 'ip a show dev eth0'. [1 mark]
Note: The 'BackTrack' mentioned in this tutorial is the previous name of Kali Linux. Moreover, since Kali 2020, you need to add 'sudo' before 'msfconsole' when starting msfconsole.

4 Post Exploitation [3 marks]

After completing Task 3.2, you will notice that the user account you get is 'daemon', not 'root'. Follow Section 6 Steps 6-10 from the tutorial mentioned in Task 3.2 to escalate the privilege to 'root'. Detail your steps and include a screenshot of your success. This screenshot should include the results of executing the following commands in the obtained 'netcat' session: 'whoami' and 'ip a show dev eth0'. The things you should do differently from this tutorial are mentioned in the hints below. [3 marks]

Hints:
• Since the VMs in our school cloud might not be allowed to visit exploit-db.com, you should obtain 'exploit-8572.c' through another method. We recommend that you use 'searchsploit' to find it in the local installation of exploit-db in your Kali. You will see that it is named '8572.c' in the local installation of exploit-db. Refer to our Lecture 5 about 'searchsploit'.
• To upload '8572.c' to Metasploitable2, there are several possible methods. Here we suggest that you use netcat, which is available in both Metasploitable2 and Kali. Basically, in your Kali, start a new terminal, run 'netcat' in server mode to transfer this file, and finally press Ctrl+C to end the transmission when you estimate the transmission is over. In the remote shell you obtained in Task 3.2, run 'netcat' in client mode to receive this file; after the transmission is over, use 'ls -l' to double-check that it was received.
• In Linux, sometimes you don't see responses to your commands, but you should still proceed. Check whether a command succeeded by issuing a verifying command.
• Since Kali 2020, 'sudo' is needed when running 'netcat' in server mode.

This task is very challenging. Be very careful and make sure you understand every step. You can also watch the following video on YouTube to get a clearer idea of this privilege escalation: https://www.youtube.com/watch?v=DoUZFHwZntY

5 Web Pentesting [4 marks]

In our lectures and labs, we used DVWA as our web pentesting target. In this project, you will be asked to pentest another intentionally vulnerable web application called 'Mutillidae', which is also installed in Metasploitable2. The use of Mutillidae is straightforward. Simply enter the following URL into Firefox: http:// /mutillidae/ and you will see the Mutillidae interface. If you see warning messages from the database, you should click the 'Reset DB' link in the Mutillidae interface to restore the database to its initial state. Then, those warning messages should disappear. Note that, unlike DVWA, you do not need to log into Mutillidae to access its pages. Also note that the default security level of Mutillidae is '0' (the lowest security level) when you start browsing this application (see the screenshot below). This is the security level you should use during your pentest, and you should leave it as it is, i.e., never toggle it. Mutillidae contains pages corresponding to the OWASP Top 10 Security Risks. These pages can be accessed via the 'OWASP Top 10' menu on the left. In this project, you are only required to