4. Create a Nessus user to access the system.
5. Update the plug-ins.
One of the key components of Nessus is the plug-ins. A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability. Nessus has literally thousands of plug-ins. These will need to be downloaded the first time you start the program. The default installation will set up Nessus to automatically update the plug-ins for you.
Once you have installed the Nessus server, you can access it by opening a browser and entering https://127.0.0.1:8834 in the URL bar (assuming you are accessing Nessus on the same computer you installed the server on). Do not forget the "https" in the URL, as Nessus uses a secure connection when communicating with the server. You will be prompted with a log-in screen. You can use the username and password you created when installing the program. Once you log into the program, you will be presented with a screen similar to Figure 3.6.
Before we can use Nessus, we need to set up a scan policy. You can do this by clicking on the "Policies" tab at the top of the web page. To set up a scan policy, you need to provide a name. If you are going to set up multiple policies, you should also enter a description. Please take a minute to review Figure 3.6 and notice there is a check in the box next to "Safe Checks."
When setting up Nessus for the first time, it is common to create two policies: one with "Safe Checks" checked and the other with "Safe Checks" unchecked. The reason for this is simple. Some plug-ins and checks are considered dangerous because they check for the vulnerability by attempting to actually exploit the system. Be aware that removing the "Safe Checks" check has the potential to cause network and system disruptions or even take systems off-line. By setting up one policy with "Safe Checks" enabled and one with "Safe Checks" disabled, you can avoid unintentional network disruptions.
There are many options that you can use to customize your scan. For the purpose of this book, we will use the defaults. Take a moment to review the various options by clicking "Next" in the lower right. This will take you through each of the remaining pages where you can set additional options for your scan.
Once your scan policy is set, you can save it by clicking on the "Submit" button that will appear after you have reviewed each of the scan option pages. You only need to set up your scan policy one time. Once your policy has been submitted, you will be able to use it to perform vulnerability scans against your target.
Now that you have a scan policy set up, you can run a scan against your target. To set up a scan, you need to click on the "Scans" link located in the top menu. You can enter individual addresses to scan a single target or a list of IPs to scan multiple hosts. Figure 3.7 shows the "Scan" screen.
You need to enter a name for the scan, select a policy, and enter the IP address of your targets. You can enter your target IP addresses individually in the "Scan Targets" box, or, if you have your target IP addresses saved to a text file, you can use the "Browse…" button to locate and load it. Once your options are set, you can click on the "Launch Scan" button in the lower right. Nessus will provide you with information about the progress of your scan while it is running. When Nessus finishes the scan, you will be able to review the results by clicking on the "Reports" link in the menu bar. The report will provide you with a detailed listing of all the vulnerabilities that Nessus discovered. We are especially interested in vulnerabilities labeled as High. You should take time to closely review the report and make detailed notes about the system. We will use these results in the next step to gain access to the system.
Once we have completed port scanning and vulnerability scanning for each of our targets, we should have enough information to begin attacking the system.
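As an added example (not code from the book or from Nessus itself), here is a small Python triage script for the kind of report described above: it reads a .nessus v2 XML export, counts findings per severity, and lists the High findings first so they can be written up for the next step. The sample report, the host address and the plugin IDs and names are constructed placeholders, and the severity-number-to-label mapping is an assumption.

```python
"""Triage a Nessus v2 report: list the High (and above) findings the chapter says to note."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute values; assumed mapping 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in .nessus (NessusClientData_v2) layout, not real scanner output;
# the host, plugin IDs and plugin names are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="172.16.45.129">
      <ReportItem port="21" protocol="tcp" svc_name="ftp" severity="3"
                  pluginID="PLACEHOLDER-1" pluginName="Placeholder: FTP service flaw"/>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0"
                  pluginID="PLACEHOLDER-2" pluginName="Placeholder: SSH version banner"/>
      <ReportItem port="80" protocol="tcp" svc_name="www" severity="2"
                  pluginID="PLACEHOLDER-3" pluginName="Placeholder: outdated web server"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

def parse_findings(xml_text):
    """Return one dict per ReportItem, tagged with the host it was found on."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
            })
    return findings

def high_findings(findings, threshold=3):
    """Findings at or above the threshold (High by default), most severe first."""
    hits = [f for f in findings if f["severity"] >= threshold]
    return sorted(hits, key=lambda f: (-f["severity"], f["host"], f["port"]))

def severity_summary(findings):
    """Count findings per severity label, e.g. {'High': 1, 'Medium': 1, 'Info': 1}."""
    return dict(Counter(SEVERITY_NAMES.get(f["severity"], "Unknown") for f in findings))
```

Point parse_findings at the text of a real export (File > Export in the Nessus web interface) to get the same host/port/plugin breakdown for your own lab scan.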
HOW DO I PRACTICE THIS STEP?
The easiest way to practice port scanning is to set up two machines or use virtual machines. You should work your way through each of the options and scan types that we covered in this chapter. Pay special attention to the output from each scan. You should run scans against both Linux and Windows boxes.
You will probably want to add some services or programs to the target system so that you can be sure you will have open ports. Installing and starting FTP, a web server, Telnet, or SSH will work nicely.
When a person is first learning about port scanning, one of the best ways to practice is to pick a subnet and hide an IP address in the network. After hiding the target in the subnet, the goal is to locate the target. Once the target has been located, the next step is to conduct a full port scan of the system.
To assist with the scenario described above, a simple script has been created which can be used to "hide" your system in a given subnet. The code is meant to be run on a Linux machine. Feel free to modify it by changing the IP address so that it will work on your network. The script generates a random number between 1 and 254. This number is used as the final octet in the IP address. Once the random IP address is created, the script applies the address to the machine.
Running this script will allow you to become familiar with the tools and techniques we covered in this chapter. You can enter the script into a text editor and save the file as IP_Gen.sh.
#!/bin/bash
echo "Setting up the victim machine, this will take just a moment..."
ifconfig eth0 down
# pick a random final octet between 1 and 254 ($RANDOM % 254 gives 0-253, so add 1)
ifconfig eth0 172.16.45.$(( ( $RANDOM % 254 ) + 1 )) up
# uncomment the following lines by removing the #, to start up services on your victim
# please note, you may need to change the location / path depending on your distro
# note, you may have to generate your SSH key using sshd-generate
#/etc/init.d/apache2 start
echo "This victim machine is now setup."
echo "The IP address is somewhere in the 172.16.45.0/24 network."
echo "You may now close this window and begin your attack...Good luck!"
You will need to use a terminal to navigate to the directory where you created the file. You need to make the file executable before you can run it. You can do this by typing:
chmod 755 IP_Gen.sh
To run the script, you type the following command into a terminal:
./IP_Gen.sh
The script should run and provide you with a message saying the victim machine is all set up. Using the script above, you will be able to practice locating and scanning a target machine.
WHERE DO I GO FROM HERE?
Once you have mastered the basics of Nmap and Nessus, you should dig into the advanced options for both tools. This chapter only scratched the surface of both of these fine tools. Insecure.org is a great resource for learning more about Nmap. You should dedicate time to exploring and learning all of the various switches and options. Likewise, Nessus has a plethora of additional features. Take time to review the various scans and policy options.
After you are comfortable with the advanced features of these tools, you should look at other scanners as well. There are dozens of good port scanners available. Pick a few, install them, and learn their features. There are several commercial products that you should become familiar with; these products are not exclusively vulnerability scanners (they are much more), but Core Impact and SAINT both provide excellent vulnerability assessment components, although both of these tools will cost you actual cash.
This chapter focused on step 2, which consists mainly of scanning. The chapter started with a brief overview of pings and ping sweeps before moving into the specifics of scanning. The topic of scanning is further broken down into two distinct types: port scanning and vulnerability scanning. The port scanner Nmap was introduced and several different types of scans were discussed. Actual examples and outputs of the various scans were demonstrated, as well as the interpretation of the Nmap output. The concept of vulnerability scanning was introduced through the use of Nessus. Practical examples were presented and discussed throughout the chapter.
Exploitation is the process of gaining control over a system. This process can take many different forms, but for the purpose of this book the end goal always remains the same: administrative-level access to the computer. In many ways,
Information in This Chapter:
- Gaining Access to Remote Services with Medusa
- Metasploit: Hacking Hugh Jackman Style!
- John the Ripper: King of the Password Crackers
- Password Resetting: Kind of Like Driving a Bulldozer through the Side of a
- Sniffing Network Traffic
- Macof: Making Chicken Salad Out of Chicken Sh*t
- Fast-Track Autopwn: Breaking Out the M-60
Exploitation is the attempt to turn the target machine into a puppet that will execute your commands and do your bidding. Just to be clear, exploitation is the process of launching an exploit. An exploit is the realization of a vulnerability. Exploits are issues or bugs in the software code that allow a hacker or attacker to alter the original functionality of the software.
Of all the steps we cover, exploitation is probably the step aspiring hackers are most interested in. It certainly gets a lot of attention because this phase involves many of the traditional activities that people associate with "hacking" and penetration testing. There are volumes of books that are dedicated to the process of exploitation. Unfortunately, there are also volumes of misinformation regarding step 3. Stories from Hollywood and urban legends of famed hacker exploits have tainted the minds of many newcomers. However, this does not mean that exploitation is any less exciting or exhilarating. On the contrary, exploitation is still my favorite step, even if there is a little less "shock and awe" than portrayed in a typical hacker movie. But when completed successfully, exploitation remains simply breathtaking.
Of all the steps we discuss, exploitation is probably the least well defined and the most open to interpretation. When combined, these two qualities often bring chaos and confusion to people trying to learn penetration testing and hacking. The lack of order and structure in a penetration test often leads to frustration and failure. It is not uncommon for a novice to read about a new tool, or listen to a speaker talk about some advanced technique that can be used to gain access to a system, and want to jump directly to step 3 (exploitation). However, it is important to remember that penetration testing is more than just exploitation. Fortunately, by following the process identified in this book or any other solid penetration testing methodology, you can alleviate many of these issues.
Because this book focuses on the basics, and as a final warning, it is critical to stress the importance of completing steps 1 and 2 prior to conducting exploitation. It can be tempting to bypass reconnaissance and scanning and jump directly to Chapter 4. That is OK for now, but if you are ever going to advance your skills beyond the script kiddie level, you will need to master the other steps as well. The failure to do so will not only severely limit your ability to grow as a penetration tester but will also eventually stunt your growth as an exploitation expert. Reconnaissance and scanning will help to bring order and direction to exploitation.
OK. Now that the speech is over, let us put away the soapbox and get to the business at hand: exploitation. As mentioned earlier, exploitation is the most free-flowing phase we will cover. The reason for this is simple: each system is different and each target is unique. Depending on a multitude of factors, your attack vectors will vary from target to target. Different operating systems, different services, and different processes require different types of attacks. Skilled attackers have to understand the nuances of each system they are attempting to exploit. As your skills continue to progress from Padawan to Jedi, you will need to expand your knowledge of systems and their exploits. Eventually, you will learn how to create custom exploits.
You can use the previous step's output as a guide for where to begin your exploitation attempts. The output from scanning should be used to help shape, focus, and direct your attacks.