HW4: Recon, Exploits, and Snort in Virtual Machines

CS 493/693 Homework, Dr. Lawlor, 2006/04/11.  Due at 5pm on Monday, May 1.

This assignment asks you to try out the whole security lifecycle on the virtual machines distributed on the 493 DVD.  You can download the pieces of the 493 DVD here from on-campus, or drop by my office to get a disc.

Turn in the resulting screenshots and text files via BlackBoard.

Wednesday Afternoon Update!  For Problem 2, I highly recommend using kqemu, the QEMU accellerator.  This cuts the time for a Nessus scan from half an hour to under a minute.  For Problem 3, you'll have to copy the disk image to your hard drive *and* make sure it's writeable--if the disk image isn't writeable, the Apache installer just flashes up a DOS window and exits.

Friday Evening Update!  For Problem 3, a bug in QEMU *without* kqemu seems to prevent any metasploit bind shell from functioning.  So you must use kqemu.

If you still need a working exploit for problem 3, you can download and unzip this floppy disk image, do a fresh start of backtrack (without -loadvm) with "-fda ipuke.144 -boot d", and do:
    ifconfig eth0 10.0.2.10
    cd /pentest/exploits/framework-2.5/
    mkdir tmp
    mount /dev/fd0 tmp
    cp tmp/ipuke.pm exploits
    msfconsole
and use the new "ipuke" exploit.  This has been tested to work against the "ipuke.exe" program running on the NT virtual machine, which you can load up by starting NT with "-fda ipuke.144".

Tuesday Afternoon Update!

For Windows, I screwed up the kqemu instructions before. You need to:

  1. Unpack the DVD's qemu\qemu-0.8.0-win.zip file to C:\Program Files\QEMU. Be sure to use QEMU from the DVD, or you won't get -net support.
  2. Download kqemu-0.7.2.tar.gz from the QEMU download page
  3. Unpack the kqemu archive anywhere, and open it.
  4. Right-click on "kqemu.inf", and hit "Install". This installs the kqemu Windows kernel module, which hides as a network driver. You can uninstall it with "net stop kqemu".
  5. Double-click on any QEMU image's "run.bat" file on the DVD and run normally. To verify you've got kqemu working, you can hit ctrl-alt-2 and type "info kqemu". You should see "kqemu is enabled".
To reiterate, you MUST HAVE KQEMU OR METASPLOIT WON'T SPLOIT!
1.) Network setup.
Start a small virtual network--use win98/run_server (or pass the command-line argument "-net socket,listen=:1234" to any other QEMU image).  Now start another QEMU instance, like winNT/run, and start a command shell to verify you can ping the first machine.

Submit a screenshot called "problem1" of a successful virtual network ping.  You can take a screenshot in windows with the "Print Scrn" button on your keyboard, which copies the screenshot to the clipboard, where you can paste it into Microsoft Paint or another image editor.  In Linux, use The GIMP (File->Aquire->Screen Grab) or xv.  You can also use the QEMU shell (ctrl-alt-2) and say "screendump problem1.ppm".


2.) Reconnaissance.
Use nmap, wget --server-response, and nessus to perform reconnaissance on any of the virtual machines.  I recommend the "backtrack" virtual machine for this.  Come up with a list of the top five remotely exploitable security holes.

Submit a text file "problem2.txt" containing five sentences, one for each security hole you found.  List the vulnerable virtual machine, the TCP port number and service affected, and give a short but specific summary of the problem.  Note that Nessus often reports "Multiple known vulnerabilties".  This isn't specific enough--find the actual holes using the SecurityFocus vulnerability list or Google. 

For example, you might turn in a sentence like this:
"h2k port 80 is running apache 1.3.6, which is vulnerable to the 
 chunked_encoding attack, http://www.securityfocus.com/bid/5033/info."

3.) Exploit.
Download an old version of Apache from the apache archive.  I used 1.3.22.  Use mkisofs or "-net user" to smuggle Apache into the winNT virtual machine, and install Apache on the virtual machine.

Use the backtrack virtual machine to fire up Metasploit, in /pentest/exploits/framework-2.5/msfconsole.  Remember to press the ctrl and alt keys one at a time after you've started backtrack, or else the keyboard acts all weird (because backtrack still thinks ctrl and alt are down).  SecurityFocus has a good overview of metasploit.

Exploit the installed apache using the exploit "apache_chunked_win32".  Be aware that after you are successful once, the Apache heap has changed, and the same exploit will not work again until you reboot winNT.  The QEMU "savevm" and "loadvm" commands might be useful here, to save a VM image with NT already booted and ready to be attacked.

Submit a screenshot "problem3" of a successful metasploit run, with a win32_bind shell opened at the bottom.  You're welcome to use any attack you can get to work against any virtual machine.


4.) Detection.
Inside backtrack, start snort in IDS mode with:

snort -c /etc/rules/snort.conf -A console

Re-run any attack (nessus, the apache exploit above, etc.), and submit a screenshot "problem4" showing snort alerting on the attack.


5.) More Exploits (693 students ONLY)
Get any other exploit working against any virtual machine.  For example, several of the exploits in /pentest/exploits/secfocus will work against the virtual machines I've given you--but figuring out which ones work may be tricky!

Submit a screenshot "problem5" showing a successful run of the exploit.  Again, you can use any exploit against any virtual machine, but it's got to actually work.