Ethical Hacking: Case Study on Virtual Machine with Flags and Techniques
Added on 2023/06/03
Ethical Hacking
Executive Summary
This report concentrates on five flags, using a case study based on a virtual machine. The
concept of ethical hacking is presented to help the reader. Apart from the flags, this project
contains an explanation of web server content, web shells, securing systems from hackers and
the basics of Linux privilege escalation. The first flag covers the evaluation of web server
content by finding the administrator's username and password. The remaining flags cover web
shells, password cracking, identification of incorrectly entered passwords on the system with
the help of a TCP port scanner tool, and the basics of Linux privilege escalation, respectively.
Table of Contents
1 Project Description
2 Defined methodology and Testing Log
   Flag 1) web server
   Flag 2) web shells
   Flag 3) Password cracker
   Flag 4) TCP port scanner
   Flag 5) Privilege
3 Results and Recommendations
References
1 Project Description
The idea of this project is to shed some light on a case study about ethical hacking. The
project requires that the given system be infiltrated by the user in order to attain root-level
privileges. Five flags based on the virtual machine are explained in the report. The
characteristics of each flag are presented, and the flags, methods, tools and techniques for
ethical hacking are discussed. The flags are expected to help with port scanning, with the
identification of wrongly entered passwords, with password cracking and so on.
2 Defined methodology and Testing Log
As shown in the figure below, the user must install the virtual machine at the beginning of
the project (Ali, 2014).
Flag 1) web server
Any web server needs space to store the files of the website. These files include all the
HTML documents and their related resources: images, audio, video, CSS stylesheets,
JavaScript files, fonts and recordings. Such information or files may be present on the user's
system (Buchanan, 2014).
The section below shows the content of the web server.
Apache httpd 2.4 default layout (apache.org source package): [table not reproduced]
Apache httpd 2.2 default layout (apache.org source package): [table not reproduced]
Apache httpd 2.0 default layout (apache.org source package): [table not reproduced]
Flag 2) web shells
A web shell is a malicious script used by an attacker with the purpose of escalating and
maintaining persistent access on an already compromised web application. A web shell cannot
attack or exploit a remote vulnerability by itself, so it is always the second step of an
attack. The attacker can exploit any common vulnerability, for example SQL injection, RFI,
FTP, or even use XSS as part of a social engineering attack, in order to upload the malicious
script. Typical functionality includes, but is not limited to, shell command execution, code
execution, database enumeration and file management (Halton and Weaver, n.d.).
Constant Remote Access
A web shell usually contains a backdoor which allows an attacker to remotely access and
possibly control the server whenever needed. This saves the attacker the trouble of exploiting
the vulnerability every time access to the compromised server is required. An attacker may
also fix the vulnerability themselves, in order to ensure that nobody else exploits it. In this
way the attacker can stay under the radar and avoid any interaction with the administrator,
while obtaining the same result. It is also worth mentioning that several well-known web
shells use password authentication and other techniques to ensure that only the attacker who
uploaded the web shell has access to it. Such techniques include restricting the script to a
specific custom HTTP header, specific cookie values, specific IP addresses, or a combination
of these. Most web shells also contain code to detect and block search engines from indexing
the shell and, as a result, blacklisting the domain or server where the web application is
hosted, since stealth is vital.
Privilege Escalation
Unless a server is misconfigured, the web shell runs under the web server user's permissions,
which are limited. Using a web shell, an attacker can attempt privilege escalation attacks by
exploiting local vulnerabilities on the system to gain root privileges, which in Linux and
other UNIX-based operating systems is the 'super-user'. With access to the root account, the
attacker can do essentially anything on the system, including installing software, changing
permissions, adding and removing users, stealing passwords, reading e-mail and much more.
Launching and Pivoting Attacks
A web shell can be used to pivot inside or outside the network. The attacker monitors the
network traffic on the system, then scans the internal network to identify live hosts, and
enumerates the firewalls and routers within the network. This process can take many days or
several months, as the attacker stays under the radar and retrieves as little as possible. Once
the attacker's access is established, they can easily take their next action. Hence, the
compromised system can also be used to attack or scan targets residing outside the network.
Zombie
Another use of web shells is as part of a botnet's servers. A botnet is a network of
compromised systems that the attacker can control, either for their own use or to rent out to
other criminals. The web shell is a backdoor that connects to the command-and-control (C&C)
server, from which it takes the directions or instructions it executes. Specifically, such a
setup is used in DDoS attacks, which require large amounts of bandwidth. Therefore, the
attackers have no interest in harming or stealing anything from the system where the web
shell was deployed. Instead, they use its resources whenever necessary, as represented in the
following image.
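As an added example, not part of the original report, the following Python script applies the placement pattern described above (a server-side script dropped under an upload directory, usually driven by POST requests, and absent from the application's own inventory) to Apache combined-format access-log lines. The host addresses, paths and the known-script inventory are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format: client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the server executes; one of these under an upload path is the classic web-shell drop location
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlparse(rec["target"]).path  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def find_web_shell_indicators(lines, known_scripts, upload_prefixes):
    """
    Group requests by script path and report paths that show web-shell indicators:
      - a server-side script living under a user-upload directory,
      - a script path that is not in the application's known inventory,
      - POST traffic to such a path (web shells usually take their commands via POST).
    Returns one finding per suspicious path, sorted by path.
    """
    by_path = defaultdict(lambda: {"clients": set(), "methods": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXTENSIONS):
            continue
        entry = by_path[rec["path"]]
        entry["clients"].add(rec["client"])
        entry["methods"].add(rec["method"])
        entry["hits"] += 1

    findings = []
    for path, entry in sorted(by_path.items()):
        reasons = []
        if any(path.startswith(p) for p in upload_prefixes):
            reasons.append("script under upload directory")
        if path not in known_scripts:
            reasons.append("not in known script inventory")
        if reasons and "POST" in entry["methods"]:
            reasons.append("receives POST requests")
        if reasons:
            findings.append({
                "path": path,
                "reasons": reasons,
                "clients": sorted(entry["clients"]),
                "hits": entry["hits"],
            })
    return findings


# Constructed sample log (hypothetical hosts and paths), not taken from any real server
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2023:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jun/2023:10:00:02 +0000] "GET /uploads/avatar123.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [03/Jun/2023:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Jun/2023:10:05:11 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Jun/2023:10:05:30 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 9981 "-" "Mozilla/5.0"',
    'not a log line',
]
# Hypothetical inventory of scripts the application legitimately serves
KNOWN_SCRIPTS = {"/index.php", "/login.php"}
UPLOAD_PREFIXES = ("/uploads/",)

if __name__ == "__main__":
    for f in find_web_shell_indicators(SAMPLE_LOG, KNOWN_SCRIPTS, UPLOAD_PREFIXES):
        print(f"{f['path']}: {', '.join(f['reasons'])} (hits={f['hits']}, clients={f['clients']})")
```

The inventory check is what makes this usable in practice: a static site rarely gains a new executable script, so a script path that is not in the deployment manifest is worth a look regardless of where it sits.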
Flag 3) Password cracker
Where a website has been hacked, the attacker is likely to leave a persistent backdoor or web
shell in order to be able to access the site easily later. Only the attacker can access it, as
these scripts are regularly obfuscated to avoid detection and verification.
Step 1 Open Hashcat
The instructions below are followed to open hashcat (Parasram, n.d.):
From the Kali Linux menu, the user selects the password option and then selects hashcat from
the menu. This displays the help screen. The basic hashcat syntax is shown below,
Step 2 Additional Extensive Options
hashcat supports rules, which allow us to apply specially designed rules to our system's
wordlist file.
The following hash types are the ones which work with hashcat.
Step 3 Wordlist selection
Type the following on the Kali system to identify the built-in wordlists,
Step 4 Grabbing the Hashes
The fourth step grabs the hashes, in general the hashes present on the Kali system. This is
easier if the user is logged in as the root user, since the hashes can then be viewed directly.
The hashes are stored on a Linux system in the /etc/shadow file (Sak and Ram, 2016).
On the Kali system, enter the following,
kali > more /etc/login.defs
Type the above command to open the file, as displayed below.
Step 5 Crack the Hashes
The fifth step cracks the hashes, so it needs a separate file that holds only the hashes. The
user is advised to name the file hash.lst so that it is easy to identify.
Then check whether the file was copied correctly by entering the command,
more hash.lst
This step then allows the hash cracking process to begin.
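Steps 4 and 5 take the hashes out of /etc/shadow and crack them. As an added example (not from the original report), the Python script below reads the same shadow format from the defender's side: it identifies the hashing algorithm from the `$id$` prefix and reports which accounts a cracker would recover first, namely those with empty password fields or legacy fast hashes (md5crypt, DES crypt). The shadow lines and hash values are constructed for the example, not taken from any real system.

```python
# Hash-field prefix -> (algorithm name, weak for an interactive account?)
# md5crypt and the 13-character DES format are fast to brute-force and should be migrated.
ALGORITHMS = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def classify_hash(field):
    """Return (algorithm, state, weak) for one /etc/shadow password field."""
    if field == "":
        return ("none", "no-password", True)        # empty field: login without a password
    if field.startswith(("!", "*")):
        return ("none", "locked", False)            # locked or system account, not crackable
    for prefix, (name, weak) in ALGORITHMS.items():
        if field.startswith(prefix):
            return (name, "active", weak)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "active", True)         # legacy DES crypt(3), no $id$ prefix
    return ("unknown", "active", True)              # unrecognised: treat as needing review


def parse_shadow_line(line):
    """Split one shadow line into (user, password_field); None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 2:
        return None
    return fields[0], fields[1]


def audit_shadow(lines):
    """One finding per account: user, algorithm, state and whether it needs attention."""
    findings = []
    for line in lines:
        parsed = parse_shadow_line(line)
        if parsed is None:
            continue
        user, field = parsed
        algorithm, state, weak = classify_hash(field)
        findings.append({"user": user, "algorithm": algorithm, "state": state, "weak": weak})
    return findings


def weak_accounts(lines):
    """Usernames whose password storage is weak or missing: the first ones a cracker recovers."""
    return [f["user"] for f in audit_shadow(lines) if f["weak"]]


# Constructed sample, not a real shadow file; hash bodies are placeholders
SAMPLE_SHADOW = [
    "# constructed sample shadow file",
    "root:$6$rounds=5000$saltsalt$CONSTRUCTEDHASH1:19511:0:99999:7:::",
    "alice:$1$abcdefgh$CONSTRUCTEDHASH2:19511:0:99999:7:::",
    "bob:$y$j9T$saltsaltsalt$CONSTRUCTEDHASH3:19511:0:99999:7:::",
    "daemon:*:19511:0:99999:7:::",
    "svc:!:19511:0:99999:7:::",
    "guest::19511:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        flag = "  <-- review" if f["weak"] else ""
        print(f"{f['user']:8} {f['algorithm']:12} {f['state']}{flag}")
```

Running the audit before an attacker does is the mitigation that follows from this flag: migrate md5crypt and DES entries to sha512crypt or yescrypt, and lock any account with an empty password field.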
Flag 4) TCP port scanner
Port scanning is a method used to identify whether a port on the target host is open or
closed; a port is open if there is a service that uses that particular port to communicate
with other systems. This is why, if a port is open, it is eventually possible to identify what
kind of service uses it by sending specially crafted packets to the target. Once we know the
target's IP address, we can launch the port scan.
Nmap is a popular network sniffing tool used by many cyber security professionals. Before
using this tool, you must learn how to install it. You also need to be able to check the
version and locate the user manual. It is recommended that you use Kali Linux as the operating
system when using Nmap. Kali Linux comes with many pre-installed tools such as Nmap and
Wireshark. If you are using a version of Linux without these pre-installed tools, you must
perform a fresh install.
TCP 3-Way Handshake
To understand such a scan, it helps to review the TCP 3-way handshake, which represents the
beginning of every TCP connection.
When system A needs to set up a connection with system B, system A sends a SYN (Synchronize)
packet to system B; when system B receives it, it replies to system A with a SYN-ACK
(Synchronize-Acknowledgment). Once system A has received this, it sends an ACK to system B.
System B receives the ACK and the TCP socket connection is established.
TCP Scan
The TCP SYN scan works as described below.
System A is our attacking machine; it sends a SYN to system B and waits until it receives a
SYN-ACK. If system B responds in this way, it indicates that the port is open, and system A
does not send the final ACK. If it does not respond in this way, the port is either closed or
filtered, which indicates the presence of a firewall. Thus the TCP port scan is carried out
without ever completing a full connection with the target.
In detail, the cases are as follows,
• Open port: system A sends a SYN to system B and system B responds with a SYN-ACK;
• Closed port: system A sends a SYN to system B and system B responds with an RST-ACK
(Reset-Acknowledgment);
• Filtered port: system A sends a SYN to system B but receives no response at all, or
receives an ICMP port unreachable error message.
When Nmap is run without further options, it scans the 1000 most commonly used ports and goes
through them in random order. It should be obvious from the results that nearly a thousand
ports are examined in just 0.20 seconds, with approximately 977 ports closed and the
remaining ports open.
Nmap also reports the service which runs on each open port. For port scanning, the tool
includes specific additional options. The following lists the switches which can be used to
enrich the information in the result.
2. TCP Connect Scan: the normal scan identifies the results for the TCP ports, but when -sT is
added to the command it adds the IP to the log file of the targeted system.
For instance: nmap -sT 192.168.1.10
3. TCP SYN Stealth: this scan sends a large number of requests without creating any session.
However, it needs privileged access.
For instance: nmap -sS 192.168.1.10
4. TCP FIN: the packets are normally sent as SYN, but when -sF is added to the command they
are sent as FIN packets.
For instance: nmap -sF 192.168.1.10
5. TCP Null: when -sN is added, the packets are sent to the system with no flags set.
For instance: nmap -sN 192.168.1.10
6. TCP Xmas: this scan sends packets with the URG, PUSH and FIN flags set to the system to
find out the status of the ports. The switch is -sX.
For instance: nmap -sX 192.168.1.10
7. TCP Ack: the -sA switch is added to the command to send ACK packets to the remote system,
to grab details of the port.
For instance: nmap -sA 192.168.1.10
Then type the following on the terminal,
This opens Nmap for the Kali Linux user.
The result of the above command is the help screen, as shown in the image below.
The figure above is the displayed result. It shows the open TCP ports on the targeted machine,
together with the default service of each port.
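The handshake cases and the scan-type switches above describe the same thing from both sides: each scan type is a fixed TCP flag combination, and a scanner touches many ports without completing handshakes. As an added example, not part of the original report, the following Python script turns that into detection logic a defender would run over inbound packet records at a monitored host. It classifies each probe by its flags (SYN, NULL, FIN, Xmas, ACK, matching the -sS/-sN/-sF/-sX/-sA switches), tracks which SYNs are followed by a completing ACK, and reports sources that touch many distinct ports. The packet records, addresses and the port threshold are constructed for the example.

```python
from collections import defaultdict

# TCP flag combination of a probe -> the Nmap scan type that sends it (flags as tcpdump letters)
PROBE_TYPES = {
    frozenset("S"):   "SYN (-sS / -sT)",
    frozenset():      "NULL (-sN)",
    frozenset("F"):   "FIN (-sF)",
    frozenset("FPU"): "Xmas (-sX)",
    frozenset("A"):   "ACK (-sA)",
}


def classify_probe(flags):
    """Name the scan type whose probe carries exactly these flags, or 'other'."""
    return PROBE_TYPES.get(frozenset(flags), "other")


def expected_reply(port_state, flags):
    """Reply a host gives to a SYN probe: open -> SYN-ACK ('SA'), closed -> RST-ACK ('RA'), filtered -> nothing."""
    if frozenset(flags) != frozenset("S"):
        return None
    return {"open": "SA", "closed": "RA"}.get(port_state)


def detect_scanners(packets, min_ports=10):
    """
    packets: (src, dst, dport, flags) tuples for inbound packets seen at the monitored host,
    in arrival order. An ACK-only packet that follows a SYN from the same source to the same
    port is the third step of a handshake and is not a probe; an ACK with no prior SYN is an
    ACK-scan probe. A source that touches at least `min_ports` distinct ports on one host is
    reported, with the scan types its probes matched and how many handshakes it completed.
    """
    syn_seen = set()                                   # (src, dst, dport) with a SYN-only packet
    completed = defaultdict(set)                       # (src, dst) -> ports with a completed handshake
    probes = defaultdict(lambda: defaultdict(set))     # (src, dst) -> scan type -> ports probed
    for src, dst, dport, flags in packets:
        fl = frozenset(flags)
        key = (src, dst, dport)
        if fl == frozenset("A") and key in syn_seen:
            completed[(src, dst)].add(dport)           # handshake finished: normal client behaviour
            continue
        kind = classify_probe(fl)
        if kind == "other":
            continue
        if fl == frozenset("S"):
            syn_seen.add(key)
        probes[(src, dst)][kind].add(dport)

    findings = []
    for (src, dst), by_type in sorted(probes.items()):
        ports = set().union(*by_type.values())
        if len(ports) >= min_ports:
            findings.append({
                "src": src,
                "dst": dst,
                "ports_probed": len(ports),
                "scan_types": sorted(by_type),
                "completed_handshakes": len(completed[(src, dst)]),
            })
    return findings


# Constructed packet records (hypothetical addresses), not a real capture
SAMPLE_PACKETS = (
    # legitimate client: full handshakes to 80 and 443
    [("10.0.0.5", "10.0.0.10", 80, "S"), ("10.0.0.5", "10.0.0.10", 80, "A"),
     ("10.0.0.5", "10.0.0.10", 443, "S"), ("10.0.0.5", "10.0.0.10", 443, "A")]
    # scanner: SYN to twelve common ports with nothing completed, then a NULL and an Xmas probe
    + [("203.0.113.9", "10.0.0.10", p, "S")
       for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080)]
    + [("203.0.113.9", "10.0.0.10", 22, ""), ("203.0.113.9", "10.0.0.10", 80, "FPU")]
    # a single ACK probe from a third host: below the threshold
    + [("10.0.0.8", "10.0.0.10", 22, "A")]
)

if __name__ == "__main__":
    for f in detect_scanners(SAMPLE_PACKETS):
        print(f"{f['src']} -> {f['dst']}: {f['ports_probed']} ports, "
              f"types={f['scan_types']}, completed={f['completed_handshakes']}")
```

The distinct-port count is the robust signal: a -sT connect scan does complete handshakes, so a rule that only looked for half-open connections would miss it, while one source touching a dozen ports on a host is unusual for any legitimate client.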
Flag 5) Privilege
The basic areas of Linux privilege escalation are listed below:
File System
OS
Applications & Services
Communications & Networking
Confidential Information & Users
Preparation & Finding Exploit Code
The above list is learnt from the fifth step.
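The first item on that list, the file system, is the one an administrator can audit directly: setuid or setgid executables and world-writable files or directories are the conditions a local privilege escalation checklist looks for. As an added example (not from the original report), the Python script below walks a directory tree and reports them, ignoring sticky-bit directories such as /tmp, whose entries are protected even though the directory is world-writable. The directory layout it builds for the demonstration is constructed in a temporary directory and is hypothetical.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """
    Walk `root` and return the file-system conditions a privilege escalation checklist
    looks for: setuid and setgid executables, and world-writable entries (directories are
    only reported when they lack the sticky bit). Paths are relative to root and sorted.
    """
    findings = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable entry: skip, do not abort
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                      # judge the target, not the link
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings["setgid"].append(rel)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    continue                  # /tmp-style sticky directory: entries stay protected
                findings["world_writable"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def setuid_bit_set(path):
    """True if the setuid bit is actually present on `path` (some filesystems clear it)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def build_demo_tree():
    """Create a constructed, hypothetical directory tree and return its path."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    os.makedirs(os.path.join(root, "opt", "app"))
    os.makedirs(os.path.join(root, "tmp"))
    files = {
        ("usr", "local", "bin", "helper"): 0o4755,   # setuid helper: reported
        ("opt", "app", "run.sh"): 0o777,             # world-writable script: reported
        ("opt", "app", "config.ini"): 0o644,         # normal file: not reported
    }
    for parts, mode in files.items():
        path = os.path.join(root, *parts)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)          # sticky: not reported
    os.chmod(os.path.join(root, "opt", "app"), 0o777)    # world-writable directory: reported
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for category, paths in audit_tree(demo).items():
        print(f"{category}: {paths}")
```

A world-writable script or directory matters because anything run from it by a more privileged account (a cron job, a service start-up script) can be replaced by any local user; the setuid list is the inventory to compare against the distribution's known set.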
3 Results and Recommendations
The five flags are explored in this report, using a case study based on a virtual machine.
The concept of ethical hacking is presented. Apart from the flags, this project contains an
explanation of web server content, web shells, securing systems from hackers and the basics of
Linux privilege escalation. The first flag covers the evaluation of web server content by
finding the administrator's username and password. The remaining flags cover web shells,
password cracking, identification of incorrectly entered passwords on the system with the help
of a TCP port scanner tool, and the basics of Linux privilege escalation, respectively.
References
Ali, S. (2014). Kali Linux. [Place of publication not identified]: Packt Publishing.
Buchanan, C. (2014). Kali Linux CTF Blueprints. Birmingham: Packt Publishing.
Halton, W., & Weaver, B. (n.d.). Kali Linux 2: Windows penetration testing.
Parasram, S. (n.d.). Digital Forensics with Kali Linux.
Sak, B., & Ram, J. (2016). Mastering Kali Linux wireless pentesting. Birmingham, UK: Packt Publishing.