
252

Chapter 17

Metasploitable virtual machine alongside the Windows XP system to simulate a small networked environment, with one virtual machine acting as an Internet-facing system and another acting as an internal network host.

NOTE

The simulated penetration test in this chapter is a small one. You would do something 
more in-depth if your target were a large corporation. We’ve kept this simple to make it 
easy for you to replicate.

Pre-engagement Interactions

Planning is the first step in pre-engagement. During a true planning phase, we would identify our target(s) and our primary method of planned attack, which might include social engineering, wireless, Internet, or internal attack vectors. Unlike an actual penetration test, here we will not be targeting a specific organization or a group of systems; we will perform a simulation using our known virtual machine.

For the purposes of this simulation, our target will be the protected Metasploitable virtual machine at IP address 172.16.32.162 (to configure Metasploitable, use the username and password of msfadmin). The Metasploitable target is a machine attached to an internal network, protected by a firewall, and not directly connected to the Internet. Our Windows XP machine is behind the firewall (turn on Windows Firewall) with only port 80 open at IP address 172.16.32.131.

Intelligence Gathering

The next step, intelligence gathering, is one of the most important phases 
in the process, because if you miss something here you might miss an entire 
avenue of attack. Our goal at this point is to understand what we are going to 
attack and determine how we might gain access to the system.

We begin with a basic nmap scan (as shown next) against our Windows XP virtual machine, and we find that port 80 is open. We use nmap’s stealth TCP scan, which is typically effective in detecting ports without triggering defenses. Most IPSs can detect port scans, but because port scans are so common, they are generally considered regular noise and are ignored as long as they’re not very aggressive.

root@bt:/# nmap -sT -P0 172.16.32.131

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-22 23:29 EDT
Nmap scan report for 172.16.32.131
Host is up (0.00071s latency).