CprE231_Lab3_Jacob_Boicken

School: Iowa State University
Course: 231
Subject: Computer Science
Date: Apr 3, 2024
Type: pdf
Pages: 9


Jacob Boicken

NSE

1. Screenshot of banners and discussion

If we didn’t have the previous lab’s information, we can learn the OSes from the 3 servers that returned banners. We see a FreeBSD, an Ubuntu, and a Windows machine. We also learn that the SSH servers are using SSH-2.0 and their OpenSSH versions. And we find out that the mail server running on the Windows machine is version 5 of Microsoft’s Extended SMTP. (Others are seemingly random sets of hex or unicode; otherwise we have a beautiful quote.)
2. Screenshot of nmap --script smb-vuln-ms08* results and list of found vulnerabilities

3. Find an additional vulnerability using NSE. Support your finding with a screenshot and/or other supporting information.

Heartbleed was a bug in OpenSSL’s heartbeat extension, which sends and receives occasional messages to confirm normal operation between server and client. The extension lets a client ask the server to echo back a message of a specified length. However, it lacked any bounds checking, so a user could send a message that is 1 byte long but claim it was 1000 bytes. The server would then reply with the message plus 999 bytes from RAM. (Heartbleed OverSimplified)
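Added example (not from the lab report) of the missing length check described above: a toy heartbeat handler with and without the bounds check, run on a constructed 1-byte record that claims 1000 bytes. The record format, the function names and the simulated memory buffer are assumptions made for this demonstration; nothing here is OpenSSL’s own code.

```c
/* Added example, not part of the lab report: a toy heartbeat handler in the
 * style of the TLS heartbeat extension, first without the bounds check that
 * Heartbleed lacked, then with it. The record layout, function names and the
 * "adjacent RAM" buffer are assumptions made for this demonstration:
 * [type:1][claimed payload length:2, big-endian][payload]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HEADER 3
#define MEM_SIZE 2048

/* Vulnerable: trusts the claimed length and never consults how many bytes
 * actually arrived, so a 1-byte payload claiming 1000 bytes echoes that byte
 * plus 999 bytes of whatever follows it in memory. Returns bytes echoed. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER, claimed);      /* over-read when claimed > actual */
    return claimed;
}

/* Hardened: the claimed length must fit inside the record that actually
 * arrived; otherwise the request is dropped and nothing is echoed. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Constructed scenario: payload 'A' (1 byte) claiming 1000 bytes, placed in a
 * buffer whose remaining bytes ('S') stand in for other data in RAM. After
 * demo(0), reply[1..999] holds 'S' bytes the client never sent. */
static uint8_t mem[MEM_SIZE], reply[MEM_SIZE];

size_t demo(int use_fix)                        /* returns bytes echoed back */
{
    memset(mem, 'S', sizeof mem);
    mem[0] = 1;                                 /* heartbeat request */
    mem[1] = 1000 >> 8;  mem[2] = 1000 & 0xff;  /* claimed payload length */
    mem[3] = 'A';                               /* the only real payload byte */
    size_t rec_len = HB_HEADER + 1;             /* what actually arrived */
    return use_fix ? heartbeat_reply_fixed(mem, rec_len, reply)
                   : heartbeat_reply_vulnerable(mem, rec_len, reply);
}
```

demo(0) echoes 1000 bytes of which only the first was sent by the client; demo(1) refuses the request because the claimed length exceeds the 4 bytes that arrived.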
Nessus

4. Brief list of protocols identified in Wireshark capture:

I added two pictures to show what I think is happening with Nessus. It seems to test for machines that are up with ping requests and then for open ports on the machines using SYN scans (1st picture). Then, it probably attempts to get banners and get the versions of the software on open ports. Then, it attempts known vulnerabilities against the version of software running; the 2nd picture shows numerous SMB connections to X.X.X.102 to get info or detect if it is vulnerable. It attempts to connect on all the assumed services, so SSH, chargen, SMB, http/s … all establish connections with “nessus”.
5. Comment on a vulnerability that is common between NSE and Nessus (include screenshot to verify this common vulnerability)

I said that NSE showed the Heartbleed vulnerability earlier, and Nessus shows it too on the same machine.

6. List two or three additional vulnerabilities of interest

CVE-2005-1206 - X.X.X.102
CVE-2009-2412 - X.X.X.102, 106
CVE-2006-3439 - X.X.X.102
Metasploit

7. Screenshot of command sysinfo on exploited system

8. List five Metasploit commands (to view a full list, type help in a Metasploit meterpreter session) and explain how they may be useful to an attacker

migrate: I am unsure exactly what this does, but it seems to merge our meterpreter session with another process running on the server. These are then running under the same PID, which seems to hide the existence of the process running.
edit: This opens up a vim-like editor to modify files.
download: This allows us to exfiltrate files back to the computer connected to the meterpreter.
clearev: Clears Windows’ event log, hiding the actions you did on the remote server.
hashdump: Dumps the contents of the SAM database, giving us access to the users’ hashes.
Honorable mentions: getuid, execute, lcd & lpwd
Armitage

9. Screenshot of exploited host (red icon)

Gaining a Foothold

10. Screenshot of meterpreter shell after persistence
Assignment

11. How did you find the vulnerability? (NSE, Nessus, etc.)

12. How did you find the exploit? (which CVE database)

https://www.cvedetails.com/ It shows that there is a Metasploit module associated with the vulnerability.
13. Steps that were taken to exploit this vulnerability (using Metasploit, Armitage, etc.)

I decided to use this vulnerability, which has the ms06_040 exploit in Metasploit for SMB. Then, I set it to establish a shell over meterpreter, since meterpreter’s commands won’t work with this exploit. (I tried.) Then, I targeted the vulnerable machine at the X.X.X.102 IP. Then, I executed the exploit and looked up the users and info on them. (I forgot to take a picture.)
14. How did you establish persistence? (Again, include screenshots for credit)

I created a new user account named john and added it to the group Administrators.