A Penetration Tester's Toolkit
https://haxordoubt.blogspot.com/2012/09/a-penetration-testers-toolkit.html
Ever wonder exactly how vulnerable your network is? Using these tools can give you an idea and provide the means to protect yourself.
I don't know about you, but during the years of my IT career, I've become more and more concerned with security. I'm sure everyone has to a certain degree, but for me, it has become a daily part of my job (not that I'm complaining; on the contrary, it's quite exciting). As such, there are a multitude of tools I've used to get said job done. Some I like, and some I don't. But, I keep coming back to three in particular: Nmap, Nessus and Metasploit. In this article, I introduce these three tools at a high level to give you an idea of how to use them and what to use them for. I also provide some examples from my own experiences to better explain how I use these tools (and how you could possibly use them) in the real world.
Nmap is my go-to tool when beginning my investigations on systems. Nmap has enjoyed quite a long life, starting back in 1997. It's a scanning tool that allows you to perform various tasks, such as remote scanning, fingerprinting, monitoring, inventory and other such functions. It utilizes various techniques like packet manipulation to get the answers to questions like the types of operating systems in use or the version of Web serving software that's running on a target. It's great information if you are to protect your network successfully.
The next tool in my bag is Metasploit. Metasploit has come a long way since its creation in early 2003. Metasploit is a framework for developing and testing vulnerabilities (these are its core functions; its features seem almost limitless at times). It's a great tool for testing server security (just be sure to use test servers, because you never know when code could crash a box).
Finally, the last (but certainly not least) tool in my bag is Nessus. Nessus is a scanner similar to Nmap and has been around almost as long (since 1998). However, Nessus is capable of running vulnerability code against a machine like Metasploit (whereas Metasploit can be used both to develop and run exploitation code), but at a much simpler level. In fact, that's Nessus' strong point; it's easy to use, like Nmap, and it has some of the strengths of Metasploit. Depending on the situation, I may use one or all of these tools, which brings me to a good point—duplication.
Redundant features aren't bad. For example, each one of these tools are capable of doing basic scans. However, you will find that Nmap runs the fastest and offers the least intrusive scanning method. These are the things to consider when taking into account each of these tool's features and how to best use them.
Regardless of the duplicating features in these tools, take the time to learn each tool's individual features to find what works best for you. You might discover that although Nmap is fast, you like the idea of scanning and exploiting with Nessus (all in one step, if you will). You might like the simplicity of Nessus but need the strength of Metasploit (for scripting and grouping tests together). Even though they all get the job done, it depends on your situation as to how you use these tools.
The first thing to do is install these tools. Because this article is in Linux Journal, I assume you're running this on a Linux platform, but all of these tools work on Windows as well. You could install these tools from your repositories, but I recommend going to each tool's Web site and installing from its packages (this ensures that you get the latest version with all current fixes and gives you the best success for installation).
Installation is pretty straightforward; just follow the steps from each tool's respective site, and you'll be fine. As soon as the tools are installed, it's time to start playing with them. I highly recommend that you have either a virtual machine or a test machine of some sort as your first target, so as not to crash anything critical. Nothing's worse than running a scan against a box, only to find out that you crashed it by accident (very high possibility with Nessus and Metasploit, depending on what you are doing) and interrupted someone's work.
For the purpose of this article, I'm going to set up an example scenario. I am going to use a virtual machine with Windows XP (SP3) loaded on it to run these three tools against. This machine will be a fresh install with no patches and the firewall disabled. The reason for this, quite simply, is to be realistic when running these scans. More often than not, I have come across this very machine, sitting in a corner, collecting dust and running some sort of old-mission-critical app (I'm sure you've encountered something similar). Especially in large environments, these machines are very easy to forget about and can give you the biggest amount of trouble. I have configured the host machine to use an IP of 192.168.56.1, and the guest machine to use an IP of 192.168.56.101.
Figure 1. Windows XP Machine
Figure 2. Scanning Machine
Let's start with Nmap to begin the information-gathering stage (you have to know what you're working with) on your target. Because you know the IP of the machine in question, you don't have to but just as easily could run a scan against a subnet or some other subset of IP addresses. For this article, let's stick with 192.168.56.101. In your terminal, run the following (remember that you can run this command as a regular user on the machine, as long as said user has access to /usr/bin/):
nmap -sV -A -v 192.168.56.101 > /tmp/nmap-output
I always send the output to a file, as it's easier to read through afterward. Before delving into the output, however, let's look at those switches:
-sV
— this tells Nmap the type of scan. In this case, it's a version scan to see what programs are running on what ports (where available).-A
— this tells Nmap to run a fingerprint check. This means Nmap will attempt to identify the version of the OS and any related information correctly.-v
— verbosity—this is important, as you need this to get critical information from Nmap.
Note:
When it comes to tools like Nmap, man pages are your friend. Remember that these tools are extremely complex and have a lot of functions, and that means a lot of switches. When in doubt, always refer to the man pages, lest you use the wrong switch and accidentally crash a box (easily done with tools like Nessus).Listing 1. Nmap Output
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows
Host script results:
| nbstat:
| NetBIOS name: XPTESTVM, NetBIOS user: <unknown>,
| NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
| Names
| XPTESTVM<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| XPTESTVM<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: WORKGROUP\XPTESTVM
|_ System time: 2011-11-07 15:46:06 UTC-5
TRACEROUTE
HOP RTT ADDRESS
1 0.77 ms 192.168.56.101
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)
As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process. Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.
With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.
Figure 3. Nessus Landing Page
Figure 4. Nessus Scan Page
Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.
Figure 5. Nessus Scan Configuration Page
Once it's complete, click on Reports and double-click your report to open it.
Figure 6. Nessus Report on Test Box