Assessment go!
- Log into the Kali VM
- Open a terminal window and let's verify that we cannot connect to the internet
- In Terminal, type in "ping www.msn.com" and press the Enter key
- That should be good enough to verify we can't get out. Let's see our IP configuration.
- In Terminal, type in "ifconfig" and press the Enter key
- When we set up the host-only network configuration in VirtualBox, we could see that the IP addresses would automatically start at .3. It appears that our Kali box has the first IP address from the DHCP pool for the "eth0" adapter.
- Let's use netdiscover to see if that can pick up any hosts in our network. Note: Your results may vary depending on what else you've configured to run in the host-only network.
- In Terminal, type in "netdiscover" and press the Enter key
- The command will enumerate IP ranges and eventually we should find the Kioptrix Level 1 VM!
- We can correlate the Kioptrix VM with the IP address based on the MAC address. This is why we needed to note that MAC address from the previous post!
- Let's use another tool to further investigate Kioptrix. We're going to use Zenmap.
- In terminal, type in "zenmap" and press the Enter key
- This will launch the GUI front-end for the nmap tool.
- We can see default options are already set for us. Let's configure Zenmap to scan Kioptrix.
- In Zenmap, enter in "192.168.56.5" for the Target, and change the Profile to "Intense scan, all TCP"
- Click the "Scan" button
- Depending on a few factors, your entire scan of the host could take 1 or up to a few minutes. The scan I performed took about 5 minutes for the entire scan to finish. However, you'll quickly see preliminary results based on the different phases of the scan.
- Once the scan finishes, you'll see various points of interest from the scan results. In the first part of the scan results we can see open ports on the Kioptrix VM.
- Here's a quick breakdown of the results and why we care:
- Port 22 - Could identify a vulnerable SSH implementation
- Port 80 - Could identify a vulnerable web server and OS
- Port 111 - Could identify a vulnerable RPC implementation
- Port 139 - Could identify a vulnerable file sharing/SMB implementation
- Port 443 - Could identify a vulnerable web server and OS
- Port 32768 - Could identify some kind of vulnerable network thing
- Let's keep scrolling
- This scan helped further identify services behind the ports and interesting tidbits of information
- On the left, click "Services"
- This view provides a quick interface to each service and further information
- Click on "http" to see more information about the version of Apache and identification of Red Hat
- Scrolling to the right reveals more info
- Click on "netbios-ssn" to reveal Samba is being used for SMB
- Click on "ssh" to show information about OpenSSH
- Let's save our scan results for future reference
- Click "Scan" at the top and click "Save Scan"
- Let's name the results "Kioptrix Level 1" and save it in the Documents folder. But, you can save it wherever you want!
- Let's take a quick peek at what's running!
- Open Firefox
- In Firefox, open a new tab/window, type in 192.168.56.5, and press Enter
- You should see the default page for an Apache install (albeit pretty old) on port 80
- If we type in https://192.168.56.5 in Firefox, we'll get a warning about insecure SSL settings (e.g. an expired self-signed certificate).
- Click "Advanced"
- Add in the exception by clicking on "Add Exception"
- Click on "Confirm Security Exception"
- We see the same default install page for Apache, but on port 443
Now that we have a basic enumeration of the system done, the next post will use more tools to identify more information about each service and we will exploit it.
Many thanks, you save my day
ReplyDelete