Prepared by Tariq Khan (G-N-V) CompTIA Securtiy+ Course Labs Contents 1 Lab 1. Credential Harvesting Using Site Cloning ....................................... 2 2 Lab 2. Nmap ............................................................................................. 9 3 Lab 3. Recon-ng ...................................................................................... 13 4 Lab 4. Conducting a Dictionary Attack to Crack Online Passwords Using Hydra ........................................................................................................... 21 Instructor: Tariq Khan 1 Prepared by Tariq Khan (G-N-V) 1 Lab 1. Credential Harvesting Using Site Cloning Lab Objective: Learn how to harvest credentials using a cloned website. Lab Purpose: Credential harvesting is the process of gathering sensitive information on a target—such as passwords or the answers to secret questions—without them knowing that this information is being captured. Lab Tool: Kali Linux Lab Topology: You can use Kali Linux in a virtual machine for the purpose of this lab. Lab Walkthrough: Task 1: The first step is to boot your virtual machine and get Kali Linux up and running. Once this is complete, open a terminal and start the “SET: Social Engineering Toolkit” by typing as “root” user: setoolkit When “Do you agree to the terms of service [y/n]” message appears, type “Y”. Instructor: Tariq Khan 2 Prepared by Tariq Khan (G-N-V) First, update SET utility to get latest features. Choose option 5. Task 2: From the main menu, choose option 1 for “Social-Engineering Attacks”, then choose option 2 to select “Website Attack Vectors”. You will then be presented with the following screen asking you which kind of website attack you want to conduct. Choose option 3, the “Credential Harvester Attack Method”. Instructor: Tariq Khan 3 Prepared by Tariq Khan (G-N-V) Instructor: Tariq Khan 4 Prepared by Tariq Khan (G-N-V) Task 3: The next menu will ask you which method you’d like to choose to harvest a victim’s credentials. We will be cloning a site in this lab, so choose option 2 “Site Cloner”. Task 4: SET will ask you for your IP address so that it can send the POST requests from the cloned website back to your machine. Normally, SET can detect Instructor: Tariq Khan 5 Prepared by Tariq Khan (G-N-V) your IP address automatically. If your Kali node has many IP addresses, you can find the desired one by opening a new terminal and typing “ifconfig”. Once you tell SET that you would like to clone a website, it will then ask you for the URL of the site you wish to clone. You can enter any site you like. For this lab, I will be using https://www.facebook.com. Task 5: Once the URL is entered, SET will clone the site and display all the POST requests of the site back to this terminal. It is now time to navigate to the cloned site. Task 6: To get to the cloned site, open Firefox in your Kali machine and enter your local IP address into the browser. You will then be able to view the cloned Instructor: Tariq Khan 6 Prepared by Tariq Khan (G-N-V) login page for Facebook. Enter a random username and password into the fields and press Log In. Task 7: Finally, go back to the terminal where SET is running. You will see lots of text from the numerous POST requests being sent from the cloned site. Scroll down until you see the values “username” and “password”. You should be able to see the username and password you entered into the cloned site in cleartext. Instructor: Tariq Khan 7 Prepared by Tariq Khan (G-N-V) Instructor: Tariq Khan 8 Prepared by Tariq Khan (G-N-V) 2 Lab 2. Nmap Lab Objective: Learn how to scan a host using Nmap and understand the results. Lab Purpose: Nmap (Network Mapper) is one of the most common tools used among hackers and system administrators. It is used to scan a host, which can be a server, pc, network, etc. When running an Nmap scan, the goal is usually to discover various pieces of information about a target system or network. Examples of such information include: the devices that are connected to a network, the ports that are open on a device, the services that are running on these ports, whether the device is up, and whether there is a firewall protecting the device, among others. Lab Tool: Kali Linux Lab Topology: You can use Kali Linux in a virtual machine for the purpose of this lab. Scan the following site: scanme.nmap.org Note: This site has been developed by Nmap for the purpose of scanning. Never scan any site, system, or network without prior permission from the owner. Lab Walkthrough: Task 1: Nmap comes pre-installed in Kali Linux. Just open a terminal, type “nmap scanme.nmap.org” without the inverted commas. This will initiate a scan of Instructor: Tariq Khan 9 Prepared by Tariq Khan (G-N-V) the target and will attempt to determine which ports are open and what services are open on these ports. As we can see from the scan results, there are 4 ports open, and there are different services running on each port. The scan we just performed, however, is a very basic scan and will only scan the top 1000 ports for basic information. In the next step, we will run a more advanced scan. Task 2: In this step, we will be scanning the same target, scanme.nmap.org, but with a more advanced scan. Let’s say we want to determine the versions for the services running on each port, so that we can determine if they are out of date and potentially vulnerable to exploitation. We also want to determine the operating system of the webserver running the target site. We will run the following scan to determine this information: Instructor: Tariq Khan 10 Prepared by Tariq Khan (G-N-V) Oops! You must be root before doing this type of scan. Type “sudo” and reenter nmap command with desired parameters. The line in the terminal will be like the following: sudo nmap -v -sT -sV -O scanme.nmap.org When asked for the password, type “kali” without inverted commas. Instructor: Tariq Khan 11 Prepared by Tariq Khan (G-N-V) The results from our scan show us the exact versions of software running on each open port. Note, if there was a firewall protecting this webserver, we may be unable to see this information. We can also determine with relatively high accuracy the version of the operating system running on the web server. An easier way to perform a full scan on a target is to use the -A flag, which will scan a target using the -sS, -sV, and -O flags. Task 3: Try scanning the same target with a number of different flags. Visit the following site to see the different scans you can run against targets, as well as the different outputs different flags will provide. https://nmap.org/book/port-scanning-options.html Instructor: Tariq Khan 12 Prepared by Tariq Khan (G-N-V) 3 Lab 3. Recon-ng Lab Objective: Learn how to find WHOIS information on a target domain-name. Lab Purpose: WHOIS information can consist of location, registration and expire dates, contact information (email, phone numbers, etc.) and more about domainname. The purpose of this lab is to use recon-ng to automate the discovery of this information. Lab Tool: Kali Linux Lab Topology: You can use Kali Linux in a virtual machine for the purpose of this lab. Lab Walkthrough: Task 1: Begin this lab by opening Kali Linux within your virtual machine. Then, as root user, open a terminal and type: recon-ng Instructor: Tariq Khan 13 Prepared by Tariq Khan (G-N-V) Task 2: recon-ng offers the opportunity for users to create different workstations based on their project needs. For this lab, we will be gathering WHOIS information. So, create a new lab by typing the following: workspaces create whois_recon Task 3: We will begin by gathering WHOIS information about a target domainname. Since WHOIS information is available to anyone, it is ok to do this for any domain. The domain we will be targeting is, once again, “facebook.com”, but you can do this lab for any other domain you wish. Instructor: Tariq Khan 14 Prepared by Tariq Khan (G-N-V) We will need to install modules from the marketplace to search for WHOIS information. We will begin by searching WHOIS for all related information regarding a target site. To do this, we first need to install the WHOIS search module. To do this, type: marketplace search whois We want to install the fourth option, which is “recon/domainscontacts/whois_pocs”. To do this, type: marketplace install recon/domains-contacts/whois_pocs To begin searching, we first need to set the source by typing: options set SOURCE facebook.com To load the module for use, type: modules load recon/domains-contacts/whois_pocs Then, to see information about this module and how it is used, type “info” and hit enter. Instructor: Tariq Khan 15 Prepared by Tariq Khan (G-N-V) We are now ready to search WHOIS for information regarding “facebook.com”. Simply type “run” and hit enter to begin the search. As you will see, various contact and location information will show up for facebook.com. This information will be automatically saved in our workstation. Instructor: Tariq Khan 16 Prepared by Tariq Khan (G-N-V) Instructor: Tariq Khan 17 Prepared by Tariq Khan (G-N-V) Task 4: We will now attempt to discover as many subdomains as possible, with their IPv4 address for facebook.com, using HackerTarget.com API. We will need to import the “hackertarget” module, as we did previously for whois_pocs. Before we do this, you should first type “back” and press enter to quit out of the whois_pocs module. We will begin by searching the marketplace for “hackertarget” modules using: marketplace search hackertarget Only one option should show, which is “recon/domains-hosts/hackertarget”. You can highlight this option and press ctrl + shift + c to copy the path to the module. You can paste using ctrl + shift + v. To install the module use: marketplace install recon/domains-hosts/hackertarget We then want to load the module using: modules load recon/domains-hosts/hackertarget We are now ready to begin searching HackerTarget for subdomain information regarding Facebook. First, set the source by typing: options set SOURCE facebook.com Instructor: Tariq Khan 18 Prepared by Tariq Khan (G-N-V) If you want to see some information around what this module is used for and how, simply type “info” and hit enter. Task 5: Once this is done, type “run” and hit enter. You will notice a list of various subdomains associated with facebook.com appearing. Instructor: Tariq Khan 19 Prepared by Tariq Khan (G-N-V) This information can be useful for an attacker who may be targeting Facebook. They can use this information to attack the various subdomains and their IP addresses associated with Facebook, as they may not all be equally secure, to find a way through their security. Instructor: Tariq Khan 20 Prepared by Tariq Khan (G-N-V) 4 Lab 4. Conducting a Dictionary Attack to Crack Online Passwords Using Hydra Lab Objective: Learn how to conduct a dictionary attack to crack passwords online, using Hydra. Lab Purpose: Hydra is an advanced password cracker which can be used to crack passwords for online pages, such as the login page of a website. This is useful as we don’t need to capture a hash and attempt to crack it offline; we can simply target the login page itself, with any username and password combination we like. A dictionary attack is a type of password attack which uses a combination of words from a wordlist and attempts all of them in association with a username to login as a user. It typically takes a long time to perform, and the results are dependent on the accuracy and quality of your wordlist. A dictionary attack is a form of brute forcing. Lab Tool: Kali Linux Lab Topology: You can use Kali Linux in a virtual machine for this lab. Instructor: Tariq Khan 21 Prepared by Tariq Khan (G-N-V) Note: This site has been developed for the purpose of specific types of hacking. Never use hydra on any site, system, or network without prior permission from the owner. Lab Walkthrough: Task 1: The first step is to power up Kali Linux in a virtual machine. Then, open the Hydra help menu with the following command as “root” user: sudo hydra For this lab, I will be focusing on the command line interface version of Hydra, but you can also access the GUI version of hydra using the following command as “root” user: sudo xhydra Type “hydra -h” to get the help menu and see what kind of attacks we can run using Hydra. Note the examples at the bottom of the help menu, which will provide you with a better idea of the syntax Hydra supports. Instructor: Tariq Khan 22 Prepared by Tariq Khan (G-N-V) Task 2: The site we will be targeting is the following: http://testasp.vulnweb.com/Login.asp?RetURL=/Default.asp? Note that this site has been developed for the purpose of hacking, and you should not use Hydra on any other site without permission from the owner. To use Hydra against an online target such as this one, we need to capture the post-form parameters. Hydra will use these parameters to send its various requests to the correct target. To capture this information, open target site with web browser in Kali. Then, press ctrl + shift + I to open the browser developer tools panel. Navigate to the tab called “Network”. When you are there, reload the page by pressing ctrl + F5. You should see several GET requests. This is our machine requesting data from the server so that we can see the login form. Instructor: Tariq Khan 23 Prepared by Tariq Khan (G-N-V) Now enter a random username and password into the login page and click login. You should see a new POST request pop up in the Network tab. This is our machine sending the data to the server. This request contains the parameters we need. Task 3: Right click on the POST request and select “Edit and Resend”. A page will open to the right of the Network header, with information regarding the POST request. Scroll down to the Request Body section and copy the tfUName and tfUPass Parameters. Hydra will need this information. Instructor: Tariq Khan 24 Prepared by Tariq Khan (G-N-V) Task 4: For this attack, we will be attempting to login as admin. We will need to choose a wordlist to guess passwords to login as this account. Open the terminal and type: “locate wordlists” to see all the different wordlists Kali has installed. We will use the rockyou.txt wordlist for this attack. Type “locate rockyou.txt” to see the path to this wordlist. Instructor: Tariq Khan 25 Prepared by Tariq Khan (G-N-V) If the rockyou.txt wordlist file has a .gz extension on it, we will first need to extract the file. To do this, change directory to the wordlist directory using the following command: cd /usr/share/wordlists Then use the following command to extract the file: gunzip rockyou.txt.gz Type ls into the terminal after this and you will see that the rockyou.txt file is now available. Great! We now have all the information we need and are ready to open Hydra and begin the attack. Task 5: Let’s begin the attack by submitting the following command to hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form “/Login.asp?RetURL=/Default.asp?:tfUName=^USER^&tfUPass=^PASS^:S=logout” -vV -f Once you press enter, the attack will begin and Hydra will start guessing a lot of passwords for the username admin in an attempt to login. Instructor: Tariq Khan 26 Prepared by Tariq Khan (G-N-V) Ok, this may be a lot to take in; let’s break it down with ctrl + C. -l is the username we will be logging in as -P is the wordlist we will be using to guess the password for this user http-post-form is the type of request hydra will be sending to the server in order for us to login “/Login.asp? RetURL=/Default.asp?:tfUName=^USER^&tfUPass=^PASS^:S= – This is the actual request hydra is sending to the server, it will replace USER and PASS with the -l and -P values we specified earlier -vV will show us each of the username and password login attempts -f will finish that attack when the correct username and password combination is entered Task 6: Note that hydra will probably not be able to guess the password, so you can end the attack at any point by pressing ctrl + c. This is an example of Hydra attempting a dictionary attack for a POST request. Hydra can also be used to attack usernames and passwords of different services—such as SSH, FTP, Instructor: Tariq Khan 27 Prepared by Tariq Khan (G-N-V) telnet, proxy, etc.—making it an extremely powerful and useful tool to have in your arsenal. Instructor: Tariq Khan 28