This is the report for the third series of exercises for my penetration testing course, taught by Tero Karvinen
The third assignment consists of five parts, as follows:
Muista scope eli pysy sallittujen harjoitusmaalien rajoissa.
1) Kokeile haavoittuvuusskanneria (vulnerability scanner). Käytä jotain muuta kuin tunnilla kokeiltua niktoa. Esim. openvas, w3af…
2) Haavoittuvuusskannaa 5 konetta HackTheBoxin verkosta. Käytä kahta skanneria, esimerkiksi niktoa ja edellisessä kohdassa valitsemaasi skanneria. Analysoi tulokset. Mitkä palvelut vaikuttavat helpoimmilta kohteilta aloittaa hyökkäys? Jos haluat, voit tuoda tulokset metasploit:iin db_import -komennolla.
3) Silmäile Mirai-haittaohjelman lähdekoodia. Etsi lista salasanoista, joita Mirai käyttää. (Tämän kohdan voi tehdä pelkästä lähdekoodista. Mitään ei tarvitse kääntää eikä ajaa. Binäärimuotoiset virukset ja madot voivat levitä, joten niiden käsittely vaatii erityisjärjestelyjä.)
4) Yritä korkata joku kone HackTheBoxin verkosta. Maaliin asti ei tarvitse päästä, mutta raportoi mitä kokeilit ja mitä johtolankoja jäi vielä tutkittavaksi.Voit apupyörinä katsoa listasta, mitkä koneet on arvioitu helpoiksi.
5) Vapaaehtoinen: Miten OWASP WebGoat:n Authentication Bypass -hyökkäys toimii? Voit lukea OWASP 10 mitä tämä hyökkäys tarkoittaa ja sitten ratkaista tehtävän WebGoatista. Lopuksi voit katsoa WebGoatin lähdekoodista “string fishing” -tekniikalla, miten koodi toimii.
Assignments 2 and 4 can be found in this link (password protected, in finnish)
These exercises are done on my home computer, the hardware consists of the following:
ASUS X99M-WS Motherboard
16Gb DDR4 Kingston RAM
Samsung 840 EVO 250Gb ssd
The operating system used is the Kali Linux version 2018.3.
1) For this assignment I decided to ty openvas as a new vulnerability scanner. The reason for this is that Nikto is an web application security scanner ,but openvas is an network vulnerability scanner. I started by isntalling openvas on my computer, this i done by using commands:
‘sudo apt-get install openvas’
After the program as been installed, I performed the setup. Note, that this has to be done with sudo.
The setup took about 10 minutes to complete. After it finished web browser popped up with a login page. Username and password where provided in the end of the installation. openvas uses ports 9390 and 9392, the browser address is http://127.0.0.1:9392
According to the kalilinux openvas intsructions, vulnerability scanners provide the most complete results, if you are able to provide the scanning engine with credentials to be used on the scanned system. So I starded by adding credentials, this can be done under the ‘configuration’ tab -> credentials.
After this assign a target. This can also be done under the ‘configuration’ tab. In this case i’m targeting a computer in my local subnet.
You can also use a .txt file, with a list of hosts to target.
You can also make a custom ascan configuration to use. I would guess that selecting all of them would result in a much longer scan. Since this is a test, I will just select a few.
Now I can setup a task, so I can perform my first scan.
The new task appears in the tasks list, you can start the scan from the actions tab.
After I started the custom scan, I realised that it was quite slow with the configurations I made. After 15 minutes, only 1% had been completed and this is only on one host. I configured a new task with the scan config ‘full and fast ultimate’. This took only 5 minutes to complete.
At first I thought that there was something wrong, since there was no pop up or info of the scan results.
I had to open up the specific scan on the dahsboard and click on results.
I also did a network discovery scan. The complete results of all scans can be found under the ‘Scans’ tab, submenu ‘results’.
The dashboard will also show you some useful info.
Mirai is a malware that turns network linux devices into bots, that can be used as apart of a larger botnet. Discovered in 2016, Mirai made headlines when it was used in a major DDoS attack against DNS provider Dyn. The source code for Mirai can be found in Github:
I started browsing the files by going through the folders in the repo, starting from dlr, loader, scripts and finally mirai. The reason why I started my search by folders other than the obvious name, was that when I do programming and the the program uses variables that have a possibility changing, in this case passwords and usernames. I like to put them in a different package than the actual program intended to run.
It seems that in this case I was wrong. Dlr, loader and scripts turned out duds regarding the passwords I searching. I finaly found the passwords and usernames in the scanner.c file, starting at line 124. the file is located in the mirai folder, file path for this is : Mirai-Source-Code/mirai/bot/scanner.c
The usernames seem to be pretty standard default usernames. The passwords range from stantard default, to something that wouldn’t ocme my mind straight up, like 666666. What I understand, these should be a collection of regularly used password and username combinations. I doubt that the last one is not one of those
The passowords and usernames are encoded, I doubt that the comments are a part of the original source code. I googled this and the only answer i found, was that this way the program can be a litlle less obvious.