252
Chapter 17
Metasploitable virtual machine alongside the Windows XP system to simulate a small networked environment, with one virtual machine acting as an Internet-facing system and another acting as an internal network host.
NOTE
The simulated penetration test in this chapter is a small one. You would do something more in-depth if your target were a large corporation. We’ve kept this simple to make it easy for you to replicate.
Pre-engagement Interactions
Planning is the first step in pre-engagement. During a true planning phase, we would identify our target(s) and our primary method of planned attack, which might include social engineering, wireless, Internet, or internal attack vectors. Unlike an actual penetration test, here we will not be targeting a specific organization or a group of systems; we will perform a simulation using our known virtual machine.
For the purposes of this simulation, our target will be the protected Metasploitable virtual machine at IP address 172.16.32.162 (to configure Metasploitable, use the username and password of msfadmin). The Metasploitable target is a machine attached to an internal network, protected by a firewall, and not directly connected to the Internet. Our Windows XP machine is behind the firewall (turn on Windows Firewall) with only port 80 open at IP address 172.16.32.131.
Intelligence Gathering
The next step, intelligence gathering, is one of the most important phases in the process, because if you miss something here you might miss an entire avenue of attack. Our goal at this point is to understand what we are going to attack and determine how we might gain access to the system.
We begin with a basic nmap scan (as shown next) against our Windows XP virtual machine, and we find that port 80 is open. We use nmap’s stealth TCP scan, which is typically effective in detecting ports without triggering defenses. Most IPSs can detect port scans, but because port scans are so common, they are generally considered regular noise and are ignored as long as they’re not very aggressive.
root@bt:/# nmap -sT -P0 172.16.32.131
Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-22 23:29 EDT
Nmap scan report for 172.16.32.131
Host is up (0.00071s latency).
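The paragraph above says that an IPS can see a port scan but usually treats a low-rate one as background noise. To make that concrete from the defender's side, here is a small port-sweep detector written for this edition; it is an added example, not code from the book. It reads Windows Firewall style log lines (the field order follows the pfirewall.log "#Fields" header), groups connection attempts by source and destination host, and reports a source that reaches many distinct destination ports on one host inside a short window. The log lines, the 60-second window, and the threshold of 10 ports are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters (not from the book): a source that reaches this many
# distinct destination ports on one host inside one window is reported.
WINDOW = timedelta(seconds=60)
THRESHOLD = 10

# Constructed sample log in Windows Firewall (pfirewall.log) layout. The scanner at
# 172.16.32.162 sweeps eleven ports on the XP host within a few seconds; only port 80
# is allowed. 172.16.32.10 is an ordinary client fetching the web page. A single
# later probe falls outside the window and must not inflate the count.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-05-22 23:29:01 DROP TCP 172.16.32.162 172.16.32.131 40001 21 48 S 1001 0 65535 - - - RECEIVE
2011-05-22 23:29:01 DROP TCP 172.16.32.162 172.16.32.131 40002 22 48 S 1002 0 65535 - - - RECEIVE
2011-05-22 23:29:01 DROP TCP 172.16.32.162 172.16.32.131 40003 23 48 S 1003 0 65535 - - - RECEIVE
2011-05-22 23:29:02 DROP TCP 172.16.32.162 172.16.32.131 40004 25 48 S 1004 0 65535 - - - RECEIVE
2011-05-22 23:29:02 ALLOW TCP 172.16.32.162 172.16.32.131 40005 80 48 S 1005 0 65535 - - - RECEIVE
2011-05-22 23:29:02 DROP TCP 172.16.32.162 172.16.32.131 40006 110 48 S 1006 0 65535 - - - RECEIVE
2011-05-22 23:29:03 DROP TCP 172.16.32.162 172.16.32.131 40007 135 48 S 1007 0 65535 - - - RECEIVE
2011-05-22 23:29:03 DROP TCP 172.16.32.162 172.16.32.131 40008 139 48 S 1008 0 65535 - - - RECEIVE
2011-05-22 23:29:03 DROP TCP 172.16.32.162 172.16.32.131 40009 443 48 S 1009 0 65535 - - - RECEIVE
2011-05-22 23:29:04 DROP TCP 172.16.32.162 172.16.32.131 40010 445 48 S 1010 0 65535 - - - RECEIVE
2011-05-22 23:29:04 DROP TCP 172.16.32.162 172.16.32.131 40011 3389 48 S 1011 0 65535 - - - RECEIVE
2011-05-22 23:30:10 ALLOW TCP 172.16.32.10 172.16.32.131 51000 80 48 S 2001 0 65535 - - - RECEIVE
2011-05-22 23:30:12 ALLOW TCP 172.16.32.10 172.16.32.131 51001 80 48 S 2002 0 65535 - - - RECEIVE
2011-05-22 23:45:00 DROP TCP 172.16.32.162 172.16.32.131 40012 8080 48 S 1012 0 65535 - - - RECEIVE
"""


def parse_line(line):
    """Return (timestamp, action, protocol, src, dst, dst_port) for one log record.

    Header lines (starting with '#'), blank lines and malformed records yield None.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        dport = int(fields[7])
    except ValueError:
        return None
    return ts, fields[2], fields[3], fields[4], fields[5], dport


def detect_scans(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window port-sweep detector.

    Events are grouped by (src, dst). For each event the window of `window` length
    ending at that event is examined and the set of distinct destination ports in it
    is counted; the largest such set per pair is kept. One alert is returned for
    every pair whose best window reaches `threshold` distinct ports.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    by_pair = defaultdict(list)
    for ts, action, _proto, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport, action))

    alerts = []
    for (src, dst), evs in by_pair.items():
        best = None
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            # Advance the window start until it fits inside `window` of this event.
            while ts - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ports = {p for _, p, _ in span}
            if best is None or len(ports) > best["distinct_ports"]:
                best = {
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "ports": sorted(ports),
                    "dropped": sum(1 for _, _, a in span if a == "DROP"),
                    "window_start": span[0][0],
                    "window_end": ts,
                }
        if best is not None and best["distinct_ports"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{alert['src']} -> {alert['dst']}: {alert['distinct_ports']} ports "
              f"({alert['dropped']} dropped) between {alert['window_start']} "
              f"and {alert['window_end']}: {alert['ports']}")
```

Run it with python3 and the scanner is reported once, with eleven distinct ports and ten drops; the web client hitting only port 80 and the single probe a quarter of an hour later do not trigger. The threshold and window are exactly the knobs the paragraph is talking about: set them tight and a slow, spread-out sweep still blends into the noise; set them loose and ordinary clients start to show up, which is why such sweeps are usually logged rather than blocked outright.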