Module 06 - Network Penetration Testing Methodology-Internal

Uploaded by Getaneh Alehegn

Module 06: Network Penetration Testing Methodology-Internal (Expected Duration 6 Hr 48 Minutes) - PART A
Objective
The objective of this lab is to provide knowledge on the network, system and user enumeration
and other penetration testing methodologies that include:

Service enumeration
Password audits
Vulnerability Assessment
OS pentesting
Privilege Escalation
Scenario
Both internal and external network attacks are conducted in almost the same way, except that in
an internal pen test the attacker may possess authorized access or is starting from a point within
the internal network. Such insider attacks tend to be more disastrous, since the attackers already
know the essential assets within a network and their location.

As a penetration tester or a Security Auditor, you must know how to enumerate target networks,
users, services, perform vulnerability assessment, exploit vulnerabilities, extract as much
employee data as possible, and attain escalated privileges to the target.

Exercise 1: Scanning with Netdiscover


Scenario
To begin the lab, a proficient tester may use any tool depending on his or her personal
preference. The objective of this lab is to help students use the Netdiscover tool, which is easy
to use. In this lab, you will

Start the Netdiscover tool

Explore the different scan options

Scan and review the data from Netdiscover

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Open a terminal window and enter netdiscover -h. This will display the netdiscover
commands as shown in the screenshot:
4. This tool allows the user to discover live systems. In the terminal window, enter sudo
netdiscover -i eth0 -p. If you are asked to enter a password, enter toor.

5. In the passive option, targets are generated slowly. It takes a lot of time to display the
result. To save time, you can create your own traffic by doing a ping sweep using nmap
which is demonstrated in the next step.
6. In a new terminal window, enter an nmap ping sweep to generate traffic. To do a ping
sweep, type nmap -sn 192.168.0.0/24 and press Enter.
7. Switch back to the netdiscover window to view the output.

8. At times, some machines may not be discovered due to reasons such as the existence of a
firewall or some other filter. In such a situation, you may use a Transmission Control
Protocol (TCP) scan to confirm the existence of a machine. To perform a TCP
scan, enter the command nmap -sT 192.168.0.0/24.
9. Note that you have not scanned all 65,536 ports, which is preferable. Depending on the
target machines' settings, access to and data obtained from this machine may be limited.
Upon scan completion, switch back to netdiscover window to view the output. In this lab,
the netdiscover output remains the same, as no new machines were discovered during the
nmap scan.
10. If stealth is not part of the scope of the test and a passive scan is unnecessary, an active
scan is the best choice. To discover targets, use Netdiscover as a scanner. To search for
the network for targets, exit the current netdiscover scan, type sudo netdiscover -i eth0 -r
192.168.0.0/24 in the terminal window and press Enter. If you are asked to enter a
password, enter toor.
11. The targets will be displayed on the screen after some time, as shown in the screenshot.
(To speed up the process, you can run a nmap ping sweep scan.)
12. This new method validates your live and target machines. This concludes the lab
exercise.
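Netdiscover's active mode (step 10) works by sending an ARP request for every address in the range, which is also exactly the pattern a network monitor sees when a host is being swept. The following Python script is an added example, not part of the module, showing how that pattern can be detected from ARP request records. The log entries, MAC addresses and the threshold of 8 distinct targets within 10 seconds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed ARP request log for this example (time in seconds, sender MAC,
# sender IP, target IP). Not captured from the lab network. The last entries
# imitate an active sweep of 192.168.0.1-20 from one sender within one second,
# which is the traffic pattern netdiscover -r produces.
SAMPLE_ARP_REQUESTS = [
    (0.0, "aa:bb:cc:00:00:01", "192.168.0.5", "192.168.0.1"),   # normal gateway lookup
    (0.1, "aa:bb:cc:00:00:02", "192.168.0.9", "192.168.0.1"),
    (30.0, "aa:bb:cc:00:00:01", "192.168.0.5", "192.168.0.7"),  # normal peer lookup
] + [
    (1.0 + 0.05 * n, "de:ad:be:ef:00:01", "192.168.0.50", "192.168.0.%d" % n)
    for n in range(1, 21)
]


def detect_arp_sweeps(requests, window=10.0, threshold=8):
    """Return {sender_mac: max distinct targets} for every sender that asked
    "who-has" for at least `threshold` distinct IPs inside any `window` seconds.

    Hosts doing normal work resolve a handful of neighbours over a long time;
    a scanner asks for dozens of addresses in a burst.
    """
    by_sender = defaultdict(list)
    for ts, mac, _sender_ip, target_ip in requests:
        by_sender[mac].append((ts, target_ip))

    flagged = {}
    for mac, events in by_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[mac] = max(len(distinct), flagged.get(mac, 0))
    return flagged


if __name__ == "__main__":
    for mac, count in detect_arp_sweeps(SAMPLE_ARP_REQUESTS).items():
        print("ARP sweep from %s: %d distinct targets" % (mac, count))
```

The same function can be fed records parsed from a tcpdump or Zeek ARP log; the window and threshold should be tuned to the size of the segment, since a DHCP server or a monitoring host legitimately resolves many neighbours.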

Exercise 2: Scanning and Scripting with hping3


Scenario
To begin the lab, a proficient tester may use any tool depending on his or her personal
preference. The objective of this lab is to help students use the hping3 tool.

In this lab, you will:

 Start the hping3 tool


 Conduct a query with hping3
 Check hping3 capabilities
 Execute a simple script within the hping3 command environment
 Capture packets with hping3
 Conduct a hping3 scan
 Review the data from the scan
 Send files using ICMP

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. In a terminal window, type sudo hping3 and press Enter. This will show the tool options.
4. Hping3 is a powerful tool. It is a TCL scripting engine contained within a shell. For the
first attempt, practice with a few commands.
5. To begin the lab, launch hping3 by issuing the command sudo hping3 in a command line
terminal. If you are asked to enter a password, type toor and press Enter.

6. The first command will send a simple Internet Control Message Protocol (ICMP) echo
request to a target. Select one of the available targets you have discovered and enter the
following command, replacing the IP address with that of the machine you are targeting.
In this lab, we are targeting 192.168.0.7. So, type hping send
{ip(daddr=192.168.0.7)+icmp(type=8,code=0)}. Press Enter. This command will send an
ICMP type 8 code 0 echo request to a target, as shown in the screenshot.

$sudo hping3
hping3> hping send {ip(daddr=192.168.0.7)+icmp(type=8,code=0)}
7. If the ICMP echo request is not visible, verify it by opening a new terminal window; type
sudo tcpdump -i eth0 and press Enter. If you are asked to enter a password, type toor
and press Enter. This will capture the network traffic. Run the command again and watch
the output of the tcpdump command.
8. Start a query using the scripting capability of the TCL language. The basic syntax is easy
to use. In the hping3 terminal window, type the following command (all on one line) and
press Enter:
hping3> foreach i [list 5 6 7 8 9 10] {hping send
"ip(daddr=192.168.0.7,ttl=$i)+icmp(type=8,code=0)"}

This command will set the time-to-live (TTL) to 5 for the first ICMP echo request and increment
it by 1 for each further request, up to 10. The output will take time to appear; you may run tcpdump
and capture it by entering sudo tcpdump -i eth0 -x -vv | grep ICMP, as shown in the screenshot.

$sudo tcpdump -i eth0 -x -vv | grep ICMP


9. Next, identify the capability of hping3 to receive packets. Enter a simple loop to receive
packets. In the hping3 terminal window, enter the following command:

while 1 {
set p [lindex [hping recv eth0] 0]
puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}

10. The command shown above will help loop and receive packets until you press Ctrl+C to
stop the loop.

Enter the commands exactly as shown above to keep the codes valid. To scroll
through the packets view, open a new terminal window and ping a target by
typing ping 192.168.0.7, as shown in the screenshot.
11. Using your chosen text editor, type “You are under attack!” and save the file as
attack.sig in Home folder.
12. The hping3 tool allows users to send messages. Accordingly, send the message as a
string. Open a new terminal window, type sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E
attack.sig, and press Enter. Type toor in the password field and press Enter. This will
send the packet to port 139 from port 500.

$sudo hping3 -2 -p 500 192.168.0.7 -d 139 -E attack.sig

13. Use Wireshark to view the packet information. In a new terminal window, type sudo
wireshark press Enter. If you are asked to enter the password, enter toor.
14. Wireshark GUI appears, select eth0 interface.
15. The window shows the Internet Security Association and Key Management Protocol
(ISAKMP) traffic, as you are using User Datagram Protocol (UDP) port 500. The lower
window also shows that the message you specified is carried within the packet.
16. The message in the packet can also be displayed using tcpdump: Type sudo tcpdump –i
eth0 –nX in the terminal window. If you are asked to enter the password, enter toor.
17. Scan a target using hping3. Open a new terminal window and enter sudo hping3 --scan
known 192.168.0.7 -S. This command displays the list of open ports/services running on
the target.
$sudo hping3 --scan known 192.168.0.7 -S

18. Hping3 is a powerful scanning tool that, in the previous example, only showed the known
option for the ports listed in /etc/services. Next, specify a range to scan. In the terminal
window, enter sudo hping3 --scan '0-3000' 192.168.0.7 -S, as shown in the screenshot.

$sudo hping3 --scan '0-3000' 192.168.0.7 -S


19. Finally, send files using the ICMP. Open two terminal windows and position them side-
by-side.
20. In the first terminal window, enter sudo hping3 127.0.0.1 --listen signature --safe --icmp.
Enter toor as password if asked.

$sudo hping3 127.0.0.1 --listen signature --safe --icmp


Enter password: toor

21. Create an ICMP packet to send as a file to the listening hping3 window. This could be
accomplished across the machines by simply changing the IP addresses. For the purposes
of this exercise, a loopback address will be used instead.
22. In the second terminal window, type sudo hping3 127.0.0.1 --icmp -d 100 --sign
signature --file /etc/passwd. Enter toor as password if asked.

$sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd

23. The file contents begin to appear in the first terminal as shown in the following
screenshot:
24. The file has been transmitted successfully. Note that this could be any ASCII file and the
process can be used for a number of different actions. This concludes the lab exercise.
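Steps 19 to 24 move a file inside ICMP echo payloads, which is why the data portion of echo requests deserves inspection on a monitored network. The Python below is an added example written for this edit, not code from the module: it compares echo-request payloads with the default payloads of the Windows and Linux ping utilities and flags payloads that carry readable text. The capture records and the passwd-style text chunk are constructed; the signature-plus-file layout imitates what hping3 --sign/--file produces in step 22.

```python
import string

# Default echo payload of Windows ping.exe: 32 bytes of a repeating alphabet.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_linux_ping(payload):
    """iputils ping sends 56 data bytes where byte i holds the value i; the first
    16 bytes are then overwritten with a struct timeval timestamp (64-bit build)."""
    return len(payload) == 56 and payload[16:] == bytes(range(16, 56))


def classify_icmp_echo_payload(payload):
    """Return a verdict string for the data portion of an ICMP echo request."""
    if not payload:
        return "benign: empty payload"
    if payload == WINDOWS_PING_PAYLOAD:
        return "benign: Windows ping default pattern"
    if looks_like_linux_ping(payload):
        return "benign: Linux ping default pattern"
    # Default ping patterns are ruled out; readable text in the payload is the
    # hallmark of a file or message being carried in echo requests.
    printable = sum(1 for b in payload if chr(b) in string.printable)
    if printable / len(payload) > 0.9:
        return "suspicious: readable text in echo payload (%d bytes)" % len(payload)
    return "unusual: non-default payload (%d bytes)" % len(payload)


# Constructed capture records (src, dst, payload) for the example. The third one
# imitates hping3 --icmp --sign signature --file: the signature string followed by
# a chunk of a text file, here a made-up passwd-style fragment.
SAMPLE_ECHO_REQUESTS = [
    ("192.168.0.5", "192.168.0.7", WINDOWS_PING_PAYLOAD),
    ("192.168.0.9", "192.168.0.7", bytes(16) + bytes(range(16, 56))),
    ("192.168.0.50", "192.168.0.7",
     b"signature" + b"root:x:0:0:root:/root:/bin/bash\nuser1:x:1000:1000::/home/user1:/bin/sh\n"),
    ("192.168.0.50", "192.168.0.7", bytes(range(100))),
]


def triage(records):
    """Classify every echo request and return (src, dst, verdict) tuples."""
    return [(src, dst, classify_icmp_echo_payload(p)) for src, dst, p in records]


if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_ECHO_REQUESTS):
        print("%s -> %s  %s" % (src, dst, verdict))
```

In a real deployment the payload bytes would come from a packet capture library or an IDS hook; the point of the example is that known-good payloads are few and exact, so anything else can be surfaced for review rather than trying to enumerate bad payloads.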

Exercise 3: Scanning and Building a Target Database


Scenario
Once the tools are used, a target database must be created to prioritize targets. This is a critical
step in producing the final report. The objective of this lab is to help students analyze the output
of a tool and check if they can start to populate the target database used to produce the report.

In this lab, you will

 Scan for targets


 Conduct the scanning methodology
 Review the data from the scans
 Analyze the scan output
 Build an initial target database

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Launch a command-line terminal. In a terminal window, type nmap and press Enter. This
exercise requires good understanding of the scanning methodology. A quick review of
the commands is listed here, but not the graphic images.
4. Enter the following:

 Live Systems: -sP


 Ports: -sS
 Services: -sV
 Enumerate: -A

5. The output can be written in XML format by adding X to the output option (-oX). The XML
then has to be converted to HTML. Older browsers could render the XML format directly,
but this is not reliable, since most browsers no longer allow such rendering owing to
security settings.
6. Convert the file to HTML using the xsltproc command. Enter xsltproc -o
~/scanresults.html /usr/share/nmap/nmap.xsl scan.xml.
7. An example of the XML-formatted output is shown in the screenshot.

8. The XML format is a good choice for preparing and creating the database.
9. Next, populate the target database. For this, the following database information is
required:

 Host/IP
 OS
 Ports
 Services
 Vulnerabilities
 Exploit
 Notes
 Priority

10. The database table key is as follows:

 Host/IP: Include both items if available, or only the IP


 OS: Include all information available in order to provide specific service packs, so that
the target selection is easier
 Ports: If too many ports exist, only include those relevant
 Services: The service and the version to the best of knowledge
 Vulnerabilities: The vulnerabilities discovered either with a scanner, manually, or
through personal research
 Exploit: Any exploit that can be linked to a vulnerability for the targets; if successful,
write it in red
 Notes: Any additional information discovered about the target

11. An example of the above is shown in the screenshot

12. From this point forward, create a target database for every opportunity, range, or
environment.
13. This concludes the lab exercise.
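Step 5 writes the Nmap results as XML, and steps 9 and 10 list the columns of the target database. The following Python is an added example, not part of the module, that reads nmap -oX output and produces one row per host with the Host/IP, OS, Ports, Services and Notes columns pre-filled, leaving Vulnerabilities, Exploit and Priority for the tester's analysis. The XML document embedded in it is constructed in the shape Nmap writes; the hosts, hostname, MAC and versions are made up.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape that nmap -oX writes. Hosts, addresses and
# versions are made up for this example, not taken from the lab scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.0.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.0.7" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="fileserver.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.0.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Column order of the target database described in step 9.
COLUMNS = ["Host/IP", "OS", "Ports", "Services", "Vulnerabilities", "Exploit", "Notes", "Priority"]


def nmap_xml_to_rows(xml_text):
    """Build one target-database row (dict keyed by COLUMNS) per scanned host."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        ip = ipv4.get("addr")
        hostname = host.find("hostnames/hostname")
        mac = host.find("address[@addrtype='mac']")
        osmatch = host.find("os/osmatch")          # nmap lists its best match first

        ports, services = [], []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                            # closed/filtered ports stay out of the table
            ports.append("%s/%s" % (port.get("portid"), port.get("protocol")))
            svc = port.find("service")
            if svc is not None:
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                services.append(" ".join(f for f in fields if f))

        rows.append({
            "Host/IP": "%s (%s)" % (hostname.get("name"), ip) if hostname is not None else ip,
            "OS": "%s (%s%%)" % (osmatch.get("name"), osmatch.get("accuracy")) if osmatch is not None else "",
            "Ports": ", ".join(ports),
            "Services": ", ".join(services),
            "Vulnerabilities": "",                  # filled in by the tester after assessment
            "Exploit": "",
            "Notes": "MAC %s" % mac.get("addr") if mac is not None else "",
            "Priority": "",
        })
    return rows


def rows_to_csv(rows):
    """Render the rows as CSV text that can be pasted into the report spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(nmap_xml_to_rows(SAMPLE_NMAP_XML)), end="")
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of scan.xml from step 6; because the XML is parsed rather than screen-scraped, re-running the scan and regenerating the table keeps the database consistent with the evidence.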
Exercise 4: Using Workspaces and db_nmap
Scenario
In this lab, you will

 Conduct the task of creating workspaces


 Use db_nmap contained within the Metasploit Framework
 Store and retrieve the scan results from the tool
 Import the results into a Metasploit module

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Log in to the Parrot machine and open a terminal window. Set up and initialize the SQL
server. In the terminal window, type sudo service postgresql start and press Enter.
Enter the password toor if you are required to. This command starts the
PostgreSQL database service.

$sudo service postgresql start

4. After the database is launched, type sudo msfdb init and press Enter. Enter the password toor
if you are required to. The msfdb init command initializes and creates the PostgreSQL
database for Metasploit.

$sudo msfdb init

5. If a database appears to be already configured, a message to skip initialization appears;
ignore the message.
6. Once the databases are created and initialized, we can quickly fire up Metasploit using
the command sudo msfconsole. Enter the password toor if you are required to.

$sudo msfconsole

7. To find out the status of the database, type db_status in the terminal window, as shown in
the screenshot.

msf>db_status
8. The Metasploit tool has different workspaces; type workspace -h to see the different
commands available for the workspace. Once you have reviewed them, continue.

msf> workspace -h
9. Create a workspace for your data by typing workspace -a LPT. You now have a
workspace setup. You are ready to use the built-in Nmap database within Metasploit.

msf>workspace -a LPT

10. Next, use the tool to conduct the scanning methodology. Enter: db_nmap -sP
192.168.0.0/24, as shown in the screenshot.

msf>db_nmap -sP 192.168.0.0/24


11. Once the scan is complete, move to the next step; type db_nmap -sS 192.168.0.2-30.
12. Once the scan is complete, move to the next step; type db_nmap -sV 192.168.0.2-30.
13. Once the scan is complete, move to the next step; type db_nmap -A 192.168.0.2-30.
14. You have now conducted the bulk of the scanning methodology. Sufficient data have
been stored in the workspace. To examine the database information, type services and
press Enter, as shown in the screenshot.
15. The results show all services from the scans; this is the start of the target database, and
works well for penetration testing.
16. Next, examine the database list of hosts; type hosts, as shown in the screenshot.

msf> hosts
17. Because of the virtual environment, you may not receive the most accurate data.
Additional analysis is needed to better clarify the targets.
18. Enter hosts -h to see the different available options. Query the hosts command to
display only the IP address and OS type using the -c switch.
19. Type hosts -c address,os_flavor and press Enter, as shown in the screenshot.
20. Note that you can also search all entries for a specific target. If you wish to find only
Linux-based machines from the scan, use the “-S” option. This option can be combined
with our previous example to fine-tune the results. Type hosts -c address,os_flavor -S
Linux.

msf> hosts -c address,os_flavor -S Linux

21. Next, import the results of the scans into a Metasploit Module. Type use
auxiliary/scanner/portscan/tcp and press Enter.

msf> use auxiliary/scanner/portscan/tcp

22. Input the data into the scanner by using the R option; type hosts -c address,os_flavor -S
Linux -R and press Enter, as shown in the screenshot.

msf> hosts -c address,os_flavor -S Linux -R


23. The above command will import the results in the host table into RHOSTS; you can view
this by entering show options. Note that there might be extra hosts in the database.

msf> show options
24. Once you are ready, type run and press Enter. The scan will be conducted against the
target added to the database, as shown in the screenshot.
25. You have diverse search options; for this, type: services -c name,info -S http and press
Enter. This will search the hosts for services with HTTP in the name.

msf> services -c name,info -S http

26. There are many combinations for searching. You can use specific ports or port ranges, or
the full or partial service name when using the “-s” or “-S” switches, as well as for all
hosts or a select few. However, you may need to experiment with these features in order
to obtain the desired results.
27. As you have seen in this exercise, we have many options to work with when using the
database capability within Metasploit; therefore, you are encouraged to research on your
own.
28. This concludes the lab exercise.

Exercise 5: Performing Passive OS Fingerprinting to Obtain Remote Operating System Information
Scenario
Active OS fingerprinting involves sending a packet to the designated system in a network and
examining the response to identify the operating system. Passive OS fingerprinting, in contrast to
active OS fingerprinting, is the process of identifying the operating system by inspecting the
initial Time To Live (TTL) in the IP header and the TCP window size (the size of the receive
window) of the first packet sent from a host in TCP session, i.e. the SYN or SYN+ACK packet.
As a penetration tester, you need to have knowledge of how to perform passive OS fingerprinting
in a network.
In this lab, you will learn how to perform passive OS fingerprinting using p0f tool.

Lab Duration: 15 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. In this lab, we will try to retrieve operating system related information from a machine
hosting an FTP server, using a tool named p0f.
4. Now, launch a command line terminal, type sudo p0f -i any -p -o /tmp/sniff.log and press
Enter. Type toor and press Enter when prompted for password. p0f begins to listen on all
the interfaces of Parrot, and whenever it captures a packet, it decodes the header
information and guesses the operating system.
a. The -i switch selects the interface (any = all interfaces).
b. The -p switch runs the tool in promiscuous mode.
c. The -o switch stores the output in /tmp in a file named sniff.log.
5. Now, launch another command line terminal, type ftp 172.19.19.9 and press Enter. This
will ask you to enter login credentials. By doing so, the client i.e., Parrot machine will
send the request and the machine hosting the FTP server will respond to the query.
Note: 172.19.19.9 is the IP address of the machine hosting the FTP
server.
6. Switch to the command line terminal where p0f is running and scroll up the window. You
will observe that p0f has analyzed all the requests and responses and decoded them to
display information such as OS, raw signature and raw mtu. In this lab, p0f identified
the operating system as Windows 7 or 8 (or its equivalent). Scroll down the window to
view the header information of each packet decoded by the tool.
Thus, you have learned how to perform passive OS fingerprinting using p0f tool.
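The scenario describes passive fingerprinting from the initial TTL and the TCP window size of a SYN or SYN+ACK. The Python below is an added example, not part of the module or of p0f, that carries that reasoning out: it rounds an observed TTL up to a well-known initial value, derives the hop distance, and looks the pair up in a small illustrative signature table; a helper also splits a p0f -o log line into its fields. The signature table and the sample log line are constructed for the example (the Parrot machine's IP and port in the sample line are placeholders).

```python
# Initial TTL values that common IP stacks start from. The TTL seen in a captured
# SYN is the initial value minus the number of routers traversed, so rounding the
# observed value up to the next of these gives the likely initial TTL and the hop
# distance at the same time.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative (initial TTL, SYN window size) -> OS family table, in the spirit of
# p0f's signature database. Constructed for this example; p0f itself also keys on
# MSS, window scaling and TCP option order, so treat a match here as a hint only.
SIGNATURES = {
    (64, 5840): "Linux 2.6 (older)",
    (64, 29200): "Linux 3.x/4.x",
    (64, 64240): "Linux 5.x",
    (64, 65535): "macOS or FreeBSD",
    (128, 8192): "Windows 7/8 or Server 2008 R2+",
    (128, 65535): "Windows XP/2003",
    (255, 4128): "Cisco IOS",
}
FAMILY_BY_TTL = {
    32: "legacy stack (TTL 32 family)",
    64: "Unix-like (TTL 64 family)",
    128: "Windows (TTL 128 family)",
    255: "network device or Solaris (TTL 255 family)",
}


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest well-known initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint_syn(observed_ttl, window_size):
    """Passive guess from the IP TTL and TCP window of a SYN or SYN+ACK."""
    initial = infer_initial_ttl(observed_ttl)
    hops = initial - observed_ttl
    guess = SIGNATURES.get((initial, window_size))
    if guess is None:
        guess = "%s, window %d not in table" % (FAMILY_BY_TTL[initial], window_size)
    return {"initial_ttl": initial, "hops": hops, "os_guess": guess}


def parse_p0f_log_line(line):
    """Split one line of a p0f -o log ("[time] key=value|key=value|...") into a
    dict; the timestamp is kept under the key 'time'."""
    time_part, _, body = line.partition("] ")
    fields = {"time": time_part.lstrip("[")}
    for item in body.split("|"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


# Constructed p0f log line for the example (p0f v3 field layout, values made up;
# 172.19.19.100 stands in for the Parrot machine, 172.19.19.9 is the FTP server).
SAMPLE_P0F_LINE = ("[2024/01/15 10:22:31] mod=syn+ack|cli=172.19.19.100/49152|srv=172.19.19.9/21"
                   "|subj=srv|os=Windows 7 or 8|dist=0|params=none"
                   "|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0")

if __name__ == "__main__":
    print(fingerprint_syn(122, 8192))
    print(fingerprint_syn(61, 29200))
    print(parse_p0f_log_line(SAMPLE_P0F_LINE)["os"])
```

The hop count is the part worth trusting most: it comes straight from the TTL arithmetic, whereas the OS label depends on how complete the signature table is. This is also why the exercise's note about validating with a second tool applies to passive results.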

Exercise 6: OS Fingerprinting with Nmap


Scenario
A penetration tester must use a tool to fingerprint the OS. The choice of tool here is the most
popular tool on the market that is free and open source: Nmap. The objective of this lab is to help
students use the Nmap tool and focus on the tool’s OS capability. In this lab, you will

• Fingerprint the OS
• Compare different scan options
• Analyze the tool output

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. There is a specific option for attempting to enumerate the OS with Nmap: the -O option (the
"O" is the letter, not zero).
4. Using your target database, use the -O option to fingerprint the OS.
5. Start capturing on Wireshark.
6. In a terminal window, type sudo nmap -O 192.168.0.X, replacing the "X" with the
required IP address number from your target database, as shown in the screenshot.
Note: If you are asked to enter the password, type toor and press Enter.
7. Carefully review the results and transfer the required data to the target database.
8. As required, re-scan and enter the required IP addresses for the other machines to finish
populating your target database.
9. Note that Nmap is noisy and uses many packets to detect the OS; if stealth is a
requirement, this may not be the best tool.
10. It is imperative to use multiple tools, at least two, to validate and verify the information
that a tool discovers.
11. Once you fully understand the process, you may continue to review and evaluate the tools
that you need to be a professional security tester.
12. This concludes the lab exercise.

Exercise 7: Scanning with DMitry


Scenario
To begin the lab, a proficient tester may use any tool depending on his or her personal
preference. The objective of this lab is to help students use the DMitry tool. The following
activities are included in this lab:

• Start the DMitry tool


• Setup the network environment
• Scan and review the data from the DMitry tool

Lab Duration: 5 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Obtain the list of targets using the following scanning methodology:
a. Live Systems
b. Ports
c. Services
d. Enumeration
e. Identify vulnerabilities
f. Exploitation
4. Enter sudo nmap -sn 192.168.0.0/24. Type toor if you are asked to enter the password.
An example of a partial output from the command is shown in the screenshot.

$sudo nmap -sn 192.168.0.0/24


5. The scan reveals a selection of targets, records information about the targets, and
determines which ones to target. Since you have used the Nmap tool, switch to another
tool. Note that this module requires proficiency in at least two to three tools for each step
of the process.
6. Open a terminal window and enter dmitry -pf 192.168.0.22, as shown in the screenshot.

$dmitry -pf 192.168.0.22


7. The DMitry tool, a port scanner, provides all port information (for more information
about the tool, please see the man page).
8. In the terminal window, enter dmitry -pb 192.168.0.22, as shown in the screenshot
$dmitry -pb 192.168.0.22

9. You are now viewing a banner grab as well as port scan, as shown in the above
screenshot
10. If there is time, continue using the tool and explore more options.
11. This concludes the lab exercise.

Exercise 8: Create a Python Script to Grab the Banner of the ssh Service
Scenario
In this lab, you will create a python script to grab the banner of the secure shell (SSH) service.

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Open a terminal window on the Parrot machine and enter the following code

4. As you review the image, consider the following explanation:

 The import statement helps obtain the required socket library


 The bangrab is a variable that stores the content of the created socket
 The socket type is a TCP socket based on SOCK_STREAM
 Once the socket is created, you can access and manipulate the socket using the
appropriate function calls
 The connect function is used to identify the address and port for the connection
 The receive statement receives the data from the socket

5. This process is used to extract the banner of any port, provided you change the number of
the connecting port
6. For a more robust type of banner grabbing tool, you can refer to the following code:
#!/usr/bin/python3
import socket
import sys

# grab the banner from one ip:port, print it and return it (None on failure)
def grab_banner(ip_address, port):
    try:
        with socket.socket() as s:
            s.settimeout(2)                     # do not hang on hosts that drop the connection
            s.connect((ip_address, port))
            banner = s.recv(1024).decode(errors='replace').strip()
        print(ip_address + ':' + str(port) + ' ' + banner)
        return banner
    except OSError:                             # closed port, timeout or unreachable host
        return None

# compare a banner against a file of known-vulnerable banners, one per line,
# given as the first command-line argument
def checkVulns(banner):
    if len(sys.argv) >= 2:
        filename = sys.argv[1]
        with open(filename) as f:
            for line in f.readlines():
                line = line.strip('\n')
                if banner in line:
                    print("%s is vulnerable" % banner)
                else:
                    print("%s is not vulnerable" % banner)

def main():
    portList = [21, 22, 25, 80, 110]
    for x in range(0, 255):
        for port in portList:
            ip_address = '192.168.0.' + str(x)  # change the IP address to the one you want here
            grab_banner(ip_address, port)

if __name__ == '__main__':
    main()

7. Please see the appendix for select coding examples.

Exercise 9: Use Metasploit to Detect Version of HTTP


Scenario
In this lab, you will

• Take an exploit from the Metasploit and review it

Lab Duration: 10 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Open a terminal window on the Parrot machine
4. The module you investigate is the one that is used to detect the version of http. Review
the Metasploit core info; type cd /usr/share/metasploit-framework/lib/rex/proto/http
and press Enter in the terminal window

$cd /usr/share/metasploit-framework/lib/rex/proto/http

5. Enter ls -lx

$ls -lx

6. All these files contain a variety of HTTP methods, which include functions to set up a
connection, the GET and POST request, and response handling.
7. To open the module, navigate to Places, select File System, and navigate to
/usr/share/metasploit-framework/modules/auxiliary/scanner/http. In the HTTP
folder, scroll down and right-click on http_version.rb, and then click on Open With
Pluma from the context menu.
8. Carefully review the information. Next, explore mixin. Once the review is done, close the
text editor window.
9. Navigate to Places; select File System and navigate to /usr/share/metasploit-
framework/lib/rex/proto/http. In the http folder, right-click on client.rb, and then click
on Open With Pluma from the context menu.
10. This is the code for the mixin; there are the routines that you will need for handling the
sockets in order to conduct tasks to extract the data from the site.
11. An example of an excerpt of the code is shown in the screenshot:

12. The key to this routine is in the defined class:


 self.hostname = host
 self.port = port.to_i
 self.context = context
 self.ssl = ssl
 self.ssl_version = ssl_version
 self.proxies = proxies
 self.username = username
 self.password = password

13. Once you have reviewed the file, close all open windows. As the class shows, you have
covered most requirements when acting as a client for a web server.
14. This is the process you should follow when you are working as a practitioner and
professional security and penetration tester. Always investigate the code that is being
used BEFORE you ever deploy it on a site.
15. This concludes the lab exercise.

Exercise 10: Enumerating SMB


Scenario
A proficient tester should be aware of the different tools used to enumerate the Server Message
Block (SMB). The Parrot security OS has SMB tools that can be used to familiarize oneself with
data for enumeration. The objective of this lab is to help students use tools to enumerate the
SMB. In this lab, you will

• Identify SMB is running


• Scan for SMB information
• Enumerate information from the SMB protocol
• Add information, based on your analysis, to the target database

Lab Duration: 5 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Nmap has a scripting engine with a large number of scripts; so far, there are over 200.
This lab concerns the one for SMB.
4. Open a terminal window, type nmap --script smb-os-discovery 192.168.0.7, and press
Enter.

$nmap --script smb-os-discovery 192.168.0.7

5. In the terminal window, type nmap -sC 192.168.0.7 and press Enter.

$nmap -sC 192.168.0.7

6. The output of the command in step 5 reveals more details than that of the command in
step 4. The scan may take approximately 5 to 10 minutes complete.
7. Add the -d option to the command to show the debug trace, as shown in the screenshot
illustrating the output.
8. As the ERROR shows, the login attempts fail. This result is common when dealing with
newer Windows systems.
9. If you add the XML output capability, the information can be displayed on a graphic user
interface (GUI) in an easy-to-read format for documentation
Exercise 11: Pentesting Misconfigured RPC Service and NFS Shares
Scenario
Network File System (NFS) is a client/server application which allows you to view or share files
and folders between Linux/Unix systems. It is a way of mounting Linux discs/directories over a
network. RPC server is a program which accepts connections from an RPC client and provides
services to the client.

Poor configuration of NFS and RPC services might allow attackers to:

 First, find the NFS and mountd services running on a computer, using rpcinfo
 Second, mount the NFS shares and view the contents in the mounted directories
As a pentester, you need to know how to enumerate RPC services and mount poorly configured
servers.

Lab Duration: 20 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. In this lab, we will be scanning a subnet for live machines. Select one machine and
pentest the machine to gain access to it. For doing a quick scan, we will do a ping sweep
using Nmap. In this lab, we are choosing an internal network for pentesting. Launch a
command line terminal, type nmap -sP 172.19.19.1-255 and press Enter. This displays
all the hosts that are up in the network within a minute. In this lab, we are choosing
172.19.19.51 (RPC Server Ubuntu) as our target.

$nmap -sP 172.19.19.1-255


4. Type nmap -T4 -A 172.19.19.51 in the terminal and press Enter. This will launch an
Nmap scan on RPC Server Ubuntu machine.

$nmap -T4 -A 172.19.19.51


5. Nmap takes around 30 seconds to complete the scan. On completing the scan, you will
observe that the services rpc, ftp, nfs and mountd are running on the victim machine.
From the scan, it is observed that an NFS File system is mounted on the remote machine.
In this lab, we shall focus on the RPC, NFS and mountd services.
6. Now, we shall perform RPC enumeration to enumerate all the RPC services. Type
rpcinfo -p 172.19.19.51 in the command line terminal and press Enter.

$rpcinfo -p 172.19.19.51
7. We observe that nfs and mountd services are active on the remote machine.
8. Now, we shall issue the showmount command to discover NFS shares listed in
/etc/exports file of the remote machine. Type showmount -e 172.19.19.51 and press
Enter. This will display all the NFS shares on the remote machine as shown in the
screenshot below:

$showmount -e 172.19.19.51

9. As we saw in the previous task, the /home file system was shared on the remote machine.
We will be mounting this file system on the Parrot machine to the mnt directory. To
mount, type sudo mount -t nfs 172.19.19.51:/home /mnt -o nolock and press Enter.
Type toor and press Enter when prompted.
Note: -t specifies the type of the file system (nfs). Specifying nolock disables file locking.

$sudo mount -t nfs 172.19.19.51:/home /mnt -o nolock


10. Now, we have successfully mounted the file system to the /mnt directory. To view the
contents of the file system, we need to change the present directory to /mnt. Type cd /mnt
and press Enter.

$cd /mnt

11. Type ls and press Enter to view the files and directories contained in the /home folder i.e.,
/mnt.
12. As a proof of concept, we shall now view the contents of a secret.txt file located in the
administrator/Documents directory. Type cat administrator/Documents/secret.txt and
press Enter.
13. On entering the command in the previous task, the cat command displays the file contents
in the secret.txt file successfully, meaning we have successfully mounted the remote file
system and accessed the contents in it.

14. Now, we shall see if we are able to tamper/delete the files in the remote file system. Type
rm administrator/Documents/secret.txt and press Enter. Type y and press Enter to
confirm the deletion. To confirm that the file has been successfully deleted, type cat
administrator/Documents/secret.txt and press Enter. The terminal displays an error stating
no such file or directory has been found. This proves that we have unrestricted access to
the file system.
15. The reason we were able to access the remote shares is:
a. The entire subnet has been specified in the exports file, allowing everyone in that
particular network to access the file.
We were able to manipulate the files in the file system since:
b. no_root_squash option was enabled, allowing any user to perform read, write and
execute actions on the mounted file system.
This is just a proof of concept to show the reason for the vulnerability
and you are not required to log in to the machine to view the above-
mentioned file.
In this lab, you have learned how to enumerate RPC services and mount NFS shared directories.
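The two export settings named in step 15 (a whole subnet allowed to mount, and no_root_squash) can be checked on the server side before anyone mounts anything. The following auditor is an added example, not part of the course material; the exports content it reads is a constructed sample in /etc/exports syntax, not the lab machine's real file.

```python
"""Audit an NFS exports file for the two weaknesses this exercise exploits:
a share offered to a whole subnet (or to everyone) and the no_root_squash
option. Added example, not course material; the exports content below is
constructed and is not the lab machine's real /etc/exports."""
import ipaddress
import re

# Constructed sample in /etc/exports syntax: <path> <client>(<options>) ...
SAMPLE_EXPORTS = """
# constructed sample, not a real host's configuration
/home       172.19.19.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/backup *(ro,sync)
/srv/data   172.19.19.10(rw,sync,root_squash)
/srv/pub    172.19.19.0/255.255.255.0(rw,sync)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = _CLIENT_RE.match(spec)
            client = m.group(1) or "*"           # "(rw)" with no client = everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def client_scope(client):
    """Classify a client spec as 'world', 'subnet', 'host' or 'other' (names)."""
    if client == "*":
        return "world"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "other"                           # hostname or wildcard such as *.lab
    return "host" if net.num_addresses == 1 else "subnet"


def audit_exports(text):
    """Return findings as (path, client, issue) tuples."""
    findings = []
    for path, client, opts in parse_exports(text):
        scope = client_scope(client)
        if scope == "world":
            findings.append((path, client, "exported to everyone"))
        elif scope == "subnet":
            findings.append((path, client, "exported to an entire subnet"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps root"))
    return findings


def hardened_options(opts):
    """Drop no_root_squash and make root_squash explicit; other options are kept."""
    kept = [o for o in opts if o != "no_root_squash"]
    if "root_squash" not in kept:
        kept.append("root_squash")
    return kept


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:28} {issue}")
```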

Exercise 12: Enumerating Logged on Users Using Finger Protocol
Scenario
The Finger service displays information such as currently logged-on users (if any), email
address, full name etc.
During a penetration test, the initial task of a pentester is to enumerate user information such as
usernames, email addresses, etc.
In this lab, you are going to learn how to enumerate user information using finger client.

Lab Duration: 15 Minutes

1. Click the RedHatEnterpriseLinux-SubnetC (ECSAv10) machine link.
Type Admin in the Username field, password in the Password field and press Enter.
2. On successful login, Red Hat Enterprise Linux CentOS desktop appears as shown in the
screenshot. We are logging into the machine since Finger enumerates only the logged on
users.
3. Click Parrot. Parrot lock screen appears.
4. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
5. In this lab, we are going to target the IP address 192.168.0.50 (Red Hat Enterprise Linux
machine) that was discovered during the ping sweep scan in the earlier lab exercises.
Finger protocol uses port 79, so, choosing CentOS as our target machine, let us perform
an Nmap scan on port 79. Launch a command line terminal, type nmap -p 79
192.168.0.50 and press Enter.

$nmap -p 79 192.168.0.50

6. You will observe that port 79 is open in the Nmap result, meaning the finger service is
running on the target machine.
7. Now, we shall enumerate the logged on users on the remote machine using Finger client.
Assuming we don't know the logged on username, type finger @192.168.0.50, and press
Enter.

$finger @192.168.0.50
8. Finger client returns the logged in user information such as the login name, name of the
user and login time as shown in the screenshot below.

9. Since we found the username, we shall use this to extract additional information such as
the name of the user, home directory, login name, and shell. Type finger
Admin@192.168.0.50 and press Enter.
10. Alternatively, we can enumerate usernames using Telnet service by issuing the following
command in the command line terminal: telnet 192.168.0.50 79
11. Type Admin and press Enter. This displays the enumerated user information as shown in
the screenshot below.

12. To stop the machine from disclosing logged-in user information, it is
recommended to disable the finger service on the machine by editing the finger text file
located in /etc/xinetd.d.

This is just a proof of concept to show the reason for the vulnerability and
you are not required to log in to the machine to view the above-mentioned
file (the finger text file located in /etc/xinetd.d).

In this lab, you have learned how to enumerate user information using finger client.

Exercise 13: Performing Man-in-the-Middle Attack using Cain & Abel
Scenario
Unlike in a hub-based network, where every frame reaches every port, traffic in a switched
network is forwarded only to the port of the destination MAC address, so a third host cannot
simply capture it. Since most networks today are switch-based, traffic flowing between two
hosts cannot be captured passively.

At this point, attackers use techniques such as ARP poisoning (MITM) to capture clear-text
traffic flowing between two machines in a network. MITM is a form of active eavesdropping in
which the attacker makes independent connections with the victims and relays messages between
them, making them believe that they are talking directly to each other over a private connection,
when in fact the entire conversation is controlled by the attacker. MITM attacks come in many
variations and can be carried out on a switched LAN. As a penetration tester, you need to know
how to capture plain-text traffic in a switch-based network.

In this lab, you will learn how to:

1. Perform ARP Poisoning
2. Launch a Man-in-the-Middle attack
3. Sniff a network for passwords

Lab Duration: 25 Minutes

1. Click Windows Server 2019 link and then click Ctrl+Alt+Delete.
2. Click Pa$$w0rd and press Enter to login.
3. Launch Cain & Abel application by double-clicking the shortcut icon of Cain on the
desktop.
4. The main window of Cain & Abel appears as shown in the screenshot.
5. To configure the Ethernet card, click Configure from the menu bar.
6. The Configuration Dialog window appears. The window consists of several tabs. Click
Sniffer tab to select sniffing adapter. Select the Adapter associated with the IP address
172.19.19.20, click Apply and OK.
7. Click Start/Stop Sniffer (second icon from left) on the toolbar to begin sniffing.

If a Cain Warning pop-up appears, click OK.


8. Now click the Sniffer tab and then click the Plus (+) icon, or right-click in the window
and select Scan MAC Addresses, to scan the network for hosts.
9. The MAC Address Scanner window appears. Click on the Range radio button, enter the
range (172.19.19.2 - 172.19.19.20), check All Tests option and click OK. Cain & Abel
starts scanning for MAC addresses and lists all those found.
10. After scanning is completed, a list of detected MAC addresses is displayed as shown in
the screenshot.
11. Click the APR tab at the lower end of the window.
12. Click anywhere on the top most section in the right pane to activate the + icon.
13. Click the Plus (+) icon; the New ARP Poison Routing window opens, from which we can
add the IPs whose traffic we want to listen to.
14. To monitor the traffic between two computers, select 172.19.19.9 (FTP Server) and
172.19.19.15 (Advertisement Dept). Click OK. In this lab, we are going to log in to FTP
server from Advertisement Dept machine.
15. Select the added IP address in the Configuration/Routed packets, and click Start/Stop
APR (third icon from left) icon. Cain begins ARP poisoning in between these machines.
16. Log on to Advertisement Dept and Sign in as Administrator. For doing this, select
Advertisement Dept machine from the Resources pane. Go to Commands and click
Ctrl+Alt+Delete.
17. Select Administrator user in the login window.

18. In the logon box, enter the password Pa$$w0rd and press Enter.
19. Click on the Close button at the top right corner of the Server Manager window.
20. Now launch a command prompt in the machine, type ftp 172.19.19.9 (IP address of FTP
Server machine) and press Enter. When prompted for the Username, type "Martin" and
press Enter. When prompted for the password, type "mystery" and press Enter.
21. Switch to the Windows Server 2019 machine. You will observe that Cain & Abel has captured
some packets, which can be seen under the Packets field.
22. Click the Passwords tab in the Cain & Abel GUI. Select FTP from the left pane under the
Passwords section. You will observe the credentials being captured by Cain & Abel as
shown in the screenshot.
23. This way, you have successfully captured user credentials traversing in clear-text. In this
lab, you have learned how to capture user credentials in a switch based network.
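From the defender's side, the poisoning performed in steps 13 to 15 leaves a clear trace on the LAN: an IP address whose ARP replies start arriving from a different MAC, and one MAC claiming both victims' addresses. The detector below is an added example, not course material; the ARP reply records are constructed (as they would come from a capture on the segment) and the attacker MAC 00:0c:29:aa:aa:aa is hypothetical.

```python
"""Detect the ARP poisoning performed in this exercise from the defender's
side: an IP address whose ARP replies suddenly arrive from a different MAC,
and one MAC claiming several IP addresses at once. Added example, not course
material; the reply records are constructed (as from a capture on the LAN)
and the attacker MAC 00:0c:29:aa:aa:aa is hypothetical."""
from collections import defaultdict

# Constructed ARP replies: (seconds, sender IP, sender MAC). Legitimate owners
# answer first; from t=5.0 a third host claims both lab addresses.
SAMPLE_ARP_REPLIES = [
    (1.0, "172.19.19.9",  "00:0c:29:11:11:11"),   # FTP Server
    (1.2, "172.19.19.15", "00:0c:29:22:22:22"),   # Advertisement Dept
    (2.0, "172.19.19.9",  "00:0c:29:11:11:11"),
    (5.0, "172.19.19.9",  "00:0c:29:aa:aa:aa"),   # poisoning starts
    (5.1, "172.19.19.15", "00:0c:29:aa:aa:aa"),
    (6.0, "172.19.19.9",  "00:0c:29:aa:aa:aa"),
]


def detect_mac_changes(replies):
    """Return (alerts, multi_ip_macs).

    alerts: (time, ip, previous_mac, new_mac) whenever an already-seen IP is
    claimed by a different MAC.  multi_ip_macs: MAC -> sorted IPs for any MAC
    that has claimed more than one address, the signature of a host relaying
    traffic between two victims."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, multi


def check_against_baseline(replies, baseline):
    """Flag replies that contradict a trusted static IP->MAC table, the check
    a static ARP entry or DHCP snooping would enforce for critical hosts."""
    return [(ts, ip, mac) for ts, ip, mac in replies
            if ip in baseline and baseline[ip] != mac]


if __name__ == "__main__":
    alerts, multi = detect_mac_changes(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in alerts:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} claims {', '.join(ips)}")
```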

Exercise 14: Auditing a Machine for Weak Passwords Using L0phtCrack
Scenario
Security and compliance are high priorities for most organizations, yet attacks on a company
or organization's computer systems take many different forms, such as spoofing, smurfing, and
other types of denial-of-service (DoS) attacks. These attacks are designed to harm or interrupt
the use of your operational systems.

Password cracking is a term used to describe the penetration of a network, system, or resource,
with or without the use of tools, to unlock a resource that has been secured with a password. In
this lab, we will look at what password cracking is, why attackers do it, how they achieve their
goals, and what you can do to protect yourself. Through an examination of several scenarios, we
describe some of the techniques attackers deploy, the tools that aid them in their assaults, and
how password crackers work both internally and externally to violate a company's
infrastructure.

In order to be an Expert Penetration Tester or a Security Administrator, you must understand
how to crack administrator passwords. In this lab, we crack the system user accounts using
L0phtCrack.

In this lab, being a security auditor, you will be running the L0phtCrack tool by giving the
remote machine’s administrator user credentials. User accounts' passwords that are cracked in a
short amount of time are considered to be weak, and you need to take certain measures to make
them stronger. The objective of this lab is to help students learn how to:

- Extract the Administrator's password using L0phtCrack

Lab Duration: 20 Minutes

1. Click Windows Server 2019, click Ctrl+Alt+Delete.


2. In the password field click Pa$$w0rd and press Enter.

You can use the Type Password option from the Commands menu to enter the
password.
3. In this lab, we are going to audit user accounts on a machine to check for weak passwords
using L0phtCrack. To install L0phtCrack, navigate to E:\CPENT Module 06 Network
Penetration Testing Methodology-Internal\L0phtCrack and double-click
lc7setup_v7.1.16_Win64.exe. If an Open File -Security Warning pop-up appears; click
Run. Follow the wizard-driven installation steps to install L0phtCrack.

While installing the application, a Program Compatibility Assistant pop-up
appears; click Close.
4. On the Completing L0phtCrack 7 (Win64) Setup page, ensure to check Run L0phtCrack
7 (Win64) and click Finish to launch the L0phtCrack tool.
5. L0phtCrack 7 - Trial window appears. Click Proceed With Trial button.
6. A L0phtCrack 7 pop up appears; select Password Auditing Wizard option.
7. In the Introduction page of LC7 Password Auditing Wizard, click Next.
8. In the Choose Target System Type window select Windows: radio button and click Next.
9. In the Windows Import window, select A remote machine radio button and click Next.
10. In the Host field of Windows Import From Remote Machine (SMB) window, provide the
IP address of Advertisement Dept. machine and click Next. Here, the IP address of
Advertisement Dept. is 172.19.19.15.
11. In the Choose Audit Type window, select Quick Password Audit option and click Next.
12. In the Reporting Options window, leave the options set to default and click Next.
13. In the Job Scheduling window, select Run this job immediately and click Next.
14. In the Summary window, read the summary and click Finish.
15. A caution box appears regarding changed LC7Agent on the remote machine as shown in
the screenshot. Click Yes.
16. L0phtCrack will begin to decode the hashes. You can see the Progress bar in the lower
right-hand corner of the window. Once done with the password auditing, it displays the
weak passwords set for the respective user accounts present in Advertisement Dept
machine as shown in the screenshot.
17. Click Reports tab on the left-pane and click Export Accounts Table in the Report
Types box. Select HTML (Hypertext Markup Language) under Format: box and
provide a name for the file and click Run Report Immediately.

After clicking the Run Report Immediately button, a Warning pop-up window
appears. Click Yes.
18. To save this session, navigate to MENU icon at the top left corner of the window and
click Save Session option.
19. A Save Session As window appears on the screen. Select the destination location (here,
Desktop), specify the file name as Credentials and click Save. Now close the L0phtCrack
window.
20. To open the saved result, navigate to Desktop and double-click the Credentials.lcs file to
view result.
21. A L0phtCrack 7 - Trial reminder pop-up appears, click the Proceed With Trial button.
22. Now you can see the saved result in the L0phtCrack window.
23. Close all the open windows.

In this lab, you have learned how to extract the Administrator's password using L0phtCrack.

Exercise 15: Automating Penetration Testing Tasks Using Bash Scripting
Scenario
Bash is a command processor that typically runs in a text window, where the user types
commands that cause actions. Bash can also read commands from a file, called a script. Like all
Unix shells, it supports filename globbing (wildcard matching), piping, here documents,
command substitution, variables and control structures for condition-testing and iteration. The
keywords, syntax and other basic features of the language were all copied from sh.
Bash scripting aids pentesters during the penetration testing process, as they can perform
multiple tasks, such as running Nmap commands, running FTP commands, etc., all at once,
thereby avoiding the need to run each command individually.

Lab Duration: 30 Minutes

1. Click Parrot. Parrot lock screen appears.


2. By default pentester is selected as the user. Type toor in the Password field and press
Enter.
3. Navigate to Places and click Home Folder. The Home Folder directory window appears,
double-click on the pentest.sh file to open and view the bash script.
4. This bash script is used to perform:
a. Automated reconnaissance on a specified network range for live machines with FTP
port open
b. Dictionary attack on selected IP Address and reveal user credentials
c. Login to the FTP server using the attained credentials
5. The first line of the bash script is #!/bin/bash, meaning that the script should always be
run with bash, rather than another shell.
6. The tput clear command in the second line clears the screen and puts you at the top of the
terminal screen.
7. The echo command is used to display a line of text/string on standard output or a file. So,
whatever you type in between double quotes will be printed on the screen. In this lab, we
are performing an Nmap scan for live host and FTP open port identification. So, you can
observe the text written in the echo command as shown in the screenshot:
8. Minimize the pentest.sh file window. Now, let us run the bash script. Launch a command
line terminal, type bash pentest.sh and press Enter.

9. Minimize the command line terminal and maximize the Leafpad window. The read
command allows you to read a line from standard input. It accepts the input from the
keyboard and assigns it to a variable. In this lab, we are using the read command to enter
the IP Address range on which we will be performing Nmap scan for live host detection.
In this lab, the variable used for addressing the IP Address range is ip_range.
10. Minimize the Leafpad window and maximize the command line terminal. As described in
the earlier steps, the screen is cleared and the mouse cursor is pointed at the top of the
terminal screen, followed by echo command. Type 172.19.19.7-50 and press Enter. We
selected IP range from 7-50 to ease the process and save time.
11. Minimize the command line terminal and maximize the text editor window. nmap -sP
$ip_range -oG out.txt: -sP is used to identify live hosts in the entered IP Address range.
$ip_range grabs the value (IP Address range) you entered in the read command. -oG
represents greppable output. It is a simple format that lists each host on one line and can
be trivially searched and parsed with standard Unix tools such as grep. Once the Nmap
scan is completed, its output is stored in the out.txt file. So, by entering
nmap -sP $ip_range -oG out.txt, nmap is going to perform live host detection and send the
greppable output to the out.txt file. You can view the out.txt file created in the root folder
for a better understanding.
12. The cat (in short "concatenate") command allows you to view contents of a
single/multiple files, create files, concatenate files and redirect the output to the terminal
or files. The pipe | redirects the output of cat out.txt to the grep command. The grep
command is used to search the given file (out.txt) for lines containing a match to the
given string (Up). So, by entering the script cat out.txt | grep Up > out1.txt: A search is
performed in the out.txt file for all the lines containing the status of the IP addresses as
Up and these IP Addresses are saved to out1.txt. You can view the out1.txt file created in
the root folder for better understanding.
13. The cut command is used to select a portion of text from each line of a file. You can use
the cut command to select fields or columns from a line by specifying a delimiter. By
entering the script cat out1.txt | cut -d " " -f2 > open.txt: The content of out1.txt is
redirected to the cut command, where the delimiter is " " (space). So, the field 2 will be
selected from each line of the out1.txt in between the spaces; and the output will be saved
to the open.txt file. For a better understanding, you may view the open.txt file created in
the root folder.
14. By entering the script nmap -p 21 `cat open.txt` -oG final.txt (the backticks are command
substitution, which places the contents of open.txt on the nmap command line): Nmap
performs a scan on the IP addresses present in the open.txt file and saves the greppable
output to the final.txt file. You may view the final.txt file created in the root folder for a
better understanding.
15. So far, Nmap has performed live host and FTP open port identification. The script cat
final.txt | grep open > ftp.txt is used to view the output stored in final.txt, find the lines
containing the string "open" and save those lines to a file named ftp.txt. You may view
the ftp.txt file created in the root folder for a better understanding.
16. So far, we have obtained machines which are up and have the FTP port open. Now, we
shall echo the IP Addresses of these machines on the screen. The echo "" represents an
empty line. In the next line, we are writing something stating that the scan has been
performed. This will be returned on the screen as we are using the echo command.
17. Note that our aim is to view only the IP Addresses in the file ftp.txt. To view only the IP
Address, we shall be using the script cat ftp.txt | cut -d " " -f2. Here, the field 2 will be
selected from each line of the ftp.txt file in between the spaces; and the output (i.e., only
the IP Address) will be displayed on the screen.
18. Now, minimize the text editor window and maximize the command line terminal. Nmap
has performed live host identification on the given IP Address range. Once the live hosts
are identified, the script is written in such a way, that a new nmap scan is initiated to find
the machines (among the identified live hosts) that have the FTP port open. The live
machines with the FTP port open are displayed as shown in the screenshot.
Screenshots may differ while performing the lab.
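Steps 11 to 17 extract addresses from the greppable output with grep and cut, which depends on the IP always being the second space-separated word. A structured parser that reads the tab-separated Host, Status and Ports fields is more robust and lets you select on port state rather than on the word "open" appearing anywhere in the line. The parser below is an added example, not the course's pentest.sh; both input files are constructed samples of -oG output for the lab's address range.

```python
"""Parse Nmap greppable (-oG) output the way the lab script does with
grep and cut, but with a structured parser that reads the Host, Status and
Ports fields instead of relying on column positions. Added example, not the
course's pentest.sh; both files below are constructed samples of -oG output
for the lab's address range, with the header lines made up."""
import re

SAMPLE_OUT_TXT = (
    "# Nmap 7.91 scan initiated as: nmap -sP 172.19.19.7-50 -oG out.txt\n"
    "Host: 172.19.19.9 ()\tStatus: Up\n"
    "Host: 172.19.19.15 (advert.lab.local)\tStatus: Up\n"
    "Host: 172.19.19.20 ()\tStatus: Down\n"
    "# Nmap done -- 44 IP addresses (2 hosts up) scanned in 3.10 seconds\n"
)

SAMPLE_FINAL_TXT = (
    "# Nmap 7.91 scan initiated as: nmap -p 21 172.19.19.9 172.19.19.15 -oG final.txt\n"
    "Host: 172.19.19.9 ()\tStatus: Up\n"
    "Host: 172.19.19.9 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)\n"
    "Host: 172.19.19.15 (advert.lab.local)\tStatus: Up\n"
    "Host: 172.19.19.15 (advert.lab.local)\tPorts: 21/closed/tcp//ftp///\n"
)

_HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


def parse_greppable(text):
    """Yield one dict per 'Host:' line: ip, hostname, status, ports.

    Fields on a -oG line are tab-separated 'Key: value' pairs; each Ports
    entry is port/state/protocol/owner/service/rpcinfo/version/."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # header and footer lines start with '#'
        fields = line.split("\t")
        m = _HOST_RE.match(fields[0])
        rec = {"ip": m.group(1), "hostname": m.group(2), "status": None, "ports": []}
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value.strip()
            elif key == "Ports":
                for entry in value.split(", "):
                    p = entry.split("/")
                    rec["ports"].append({"port": int(p[0]), "state": p[1],
                                         "proto": p[2], "service": p[4]})
        yield rec


def live_hosts(text):
    """Structured equivalent of: cat out.txt | grep Up | cut -d " " -f2"""
    return [r["ip"] for r in parse_greppable(text) if r["status"] == "Up"]


def hosts_with_open_port(text, port):
    """Structured equivalent of: cat final.txt | grep open | cut -d " " -f2,
    restricted to one port and to the 'open' state field."""
    return sorted({r["ip"] for r in parse_greppable(text)
                   for p in r["ports"] if p["port"] == port and p["state"] == "open"})


if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_OUT_TXT))
    print("ftp open:", hosts_with_open_port(SAMPLE_FINAL_TXT, 21))
```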
19. Minimize the command line terminal and maximize the text editor window. So far, the
above explained scripts are used to perform live host and FTP port identification. Now,
we shall use a machine obtained from the Nmap scanning; and perform dictionary attack
to crack user credentials which have weakly implemented passwords. Before that, we
shall use echo command to write some content related to the dictionary attack, for better
understanding.
20. As discussed before, regarding the read command, we shall use this command to enter the
target machine's IP Address. In this lab, the variable used for addressing the IP Address
range is ip_addr.
21. Minimize the text editor window and maximize the command line terminal. Since we
have obtained the machines whose FTP ports are open, we shall enter the IP Address of a
machine on which you would like to perform a dictionary attack to obtain FTP
credentials. In this lab, we are going to attack the FTP server of FTP Server whose IP
Address is 172.19.19.9. So, type the IP Address 172.19.19.9 and press Enter.
This performs a Dictionary attack on the machine's user accounts using
Hydra.
22. Minimize the command line terminal and maximize the text editor window. hydra -L
/home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt
ftp://$ip_addr: We are going to use Hydra to perform a dictionary attack on the FTP server.
The -L switch in the script represents the username list. The list is provided in the location
/home/pentester/Wordlists/Usernames.txt.
The -P switch in the script represents the password list. The list is provided in the location
/home/pentester/Wordlists/Passwords.txt. ftp://$ip_addr: Here, $ip_addr grabs the value (IP
Address) you entered in the read command. So, a dictionary attack will be performed on the
IP address you entered in the previous step, using Hydra.
23. Minimize the text editor window and maximize the command line terminal. On issuing
the IP Address, Hydra begins to perform a dictionary attack on the machine and starts
displaying the user credentials as shown in the screenshot.
It takes around 3 minutes for Hydra to crack all the credentials.

24. Minimize the command line terminal and maximize the text editor window. By now, you
would have attained the user credentials to log in to the FTP server. So, your next task
will be to log in to the server. Before that, we shall use the echo command to write some
content related to the server to log in to the server as shown in the screenshot:
25. Now, we shall use the read command to enter the target machine's IP Address. In this lab,
the variable used for addressing the IP Address range is ftp_ip.
26. Minimize the text editor window and maximize the command line terminal. Once the
credentials are obtained, you will be asked to enter the IP Address of the machine to log
in to the FTP server. Type 172.19.19.9 and press Enter.

27. Minimize the command line terminal and maximize the text editor window. Upon
entering the IP Address, the command ftp $ftp_ip is given to login to the IP Address of
the target machine.
28. Minimize the Leafpad window and maximize the command line terminal. You will be
asked to enter a username. In this lab, we are logging in to a user named jason's account.
So type jason and press Enter.

You may issue any one of the account's username in the Name field.
29. You will be asked to enter the password for the user account. Since we are going to log in
to jason's user account, type green (password for jason's user account) and press Enter.
The Password field remains blank while you are typing the password.
30. On issuing the user credentials, you will be logged in to the FTP Server, as shown in the
screenshot.
31. In the same way, you may run this script to crack the user credentials and access the FTP
Server if hosted in the other networks. Close all the opened windows.
In this lab, you have successfully performed subnet scan, found machines having FTP ports
open, performed dictionary attack to attain credentials, and successfully logged in to the server
using the obtained credentials.
