HW4: Recon, Exploits, and Snort in Virtual Machines
CS 493/693 Homework,
Dr. Lawlor, 2006/04/11. Due at 5pm on Monday, May 1.
This assignment asks you to try out the whole security lifecycle on the
virtual machines distributed on the 493 DVD. You can download the pieces of the 493 DVD here from on-campus, or drop by my office to get a disc.
Turn in the resulting screenshots and text files via BlackBoard.
Wednesday Afternoon Update! For Problem 2, I highly recommend using kqemu,
the QEMU accelerator. This cuts the time for a Nessus scan from
half an hour to under a minute. For Problem 3, you'll have to
copy the disk image to your hard drive *and* make sure it's
writeable--if the disk image isn't writeable, the Apache installer just
flashes up a DOS window and exits.
Friday Evening Update! For Problem 3, a bug in QEMU *without* kqemu seems to prevent any metasploit bind shell from functioning. So you must use kqemu.
If you still need a working exploit for problem 3, you can download and
unzip this floppy disk image, do a fresh start of backtrack (without
-loadvm) with "-fda ipuke.144 -boot d", and do:
ifconfig eth0 10.0.2.10
cd /pentest/exploits/framework-2.5/
mkdir tmp
mount /dev/fd0 tmp
cp tmp/ipuke.pm exploits
msfconsole
and use the new "ipuke" exploit. This has been tested to work against
the "ipuke.exe" program running on the NT virtual machine, which you
can load up by starting NT with "-fda ipuke.144".
Tuesday Afternoon Update!
For Windows, I screwed up the kqemu instructions before. You need to:
- Unpack the DVD's qemu\qemu-0.8.0-win.zip file to C:\Program Files\QEMU. Be sure to use QEMU from the DVD, or you won't get -net support.
- Download kqemu-0.7.2.tar.gz from the QEMU download page
- Unpack the kqemu archive anywhere, and open it.
- Right-click on "kqemu.inf", and hit "Install". This installs the
kqemu Windows kernel module, which hides as a network driver. You can
uninstall it with "net stop kqemu".
- Double-click on any QEMU image's "run.bat" file on the DVD and run
normally. To verify you've got kqemu working, you can hit ctrl-alt-2 and
type "info kqemu". You should see "kqemu is enabled".
To reiterate, you MUST HAVE KQEMU OR METASPLOIT WON'T SPLOIT!
1.) Network setup.
Start a small virtual network--use win98/run_server (or pass the
command-line argument "-net socket,listen=:1234" to any other QEMU
image). Now start another QEMU instance, like winNT/run, and
start a command shell to verify you can ping the first machine.
Submit a screenshot called "problem1" of a successful virtual network
ping. You can take a screenshot in windows with the "Print Scrn"
button on your keyboard, which copies the screenshot to the clipboard,
where you can paste it into Microsoft Paint or another image
editor. In Linux, use The GIMP (File->Acquire->Screen Grab)
or xv. You can also use the QEMU
shell (ctrl-alt-2) and say "screendump problem1.ppm".
2.) Reconnaissance.
Use nmap, wget --server-response, and nessus to perform reconnaissance
on any of the virtual machines. I recommend the "backtrack"
virtual machine for this. Come up with a list of the top five
remotely exploitable security holes.
Submit a text file "problem2.txt" containing five sentences, one for
each security hole you found. List the vulnerable virtual
machine, the TCP port number and service affected, and give a short but
specific summary of the problem. Note that Nessus often reports
"Multiple known vulnerabilities". This isn't specific enough--find
the actual holes using the SecurityFocus vulnerability list or Google.
For example, you might turn in a sentence like this:
"h2k port 80 is running apache 1.3.6, which is vulnerable to the
chunked_encoding attack, http://www.securityfocus.com/bid/5033/info."
3.) Exploit.
Download an old version of Apache from the apache archive.
I used 1.3.22. Use mkisofs or "-net user" to smuggle Apache into
the winNT virtual machine, and install Apache on the virtual machine.
Use the backtrack virtual machine to fire up Metasploit,
in /pentest/exploits/framework-2.5/msfconsole. Remember to press
the ctrl and alt keys one at a time after you've started backtrack, or
else the keyboard acts all weird (because backtrack still thinks ctrl
and alt are down). SecurityFocus has a good overview of metasploit.
Exploit the installed apache using the exploit
"apache_chunked_win32". Be aware that after you are successful
once, the Apache heap has changed, and the same exploit will not work
again until you reboot winNT. The QEMU "savevm" and "loadvm"
commands might be useful here, to save a VM image with NT already
booted and ready to be attacked.
Submit a screenshot "problem3" of a successful metasploit run, with a
win32_bind shell opened at the bottom. You're welcome to use any
attack you can get to work against any virtual machine.
4.) Detection.
Inside backtrack, start snort in IDS mode with:
snort -c /etc/rules/snort.conf -A console
Re-run any attack (nessus, the apache exploit above, etc.), and submit
a screenshot "problem4" showing snort alerting on the attack.
5.) More Exploits (693 students ONLY)
Get any other exploit working against any virtual machine. For
example, several of the exploits in /pentest/exploits/secfocus will
work against the virtual machines I've given you--but figuring out
which ones work may be tricky!
Submit a screenshot "problem5" showing a successful run of the
exploit. Again, you can use any exploit against any virtual
machine, but it's got to actually work.