Project 2: Taking Control of a Server with Metasploit and Armitage (15 points)

What You Need for This Project

Starting the Virtual Machines

As you did in the previous project, start both the Kali Linux and Windows Server 2008 virtual machines. Make sure they are both using Bridged networking.

If you have problems with the virtual machines, refer to the previous project.

Finding Your Target Virtual Machine's IP Address

Click Start, Run.

Type in CMD and press the Enter key.

In the Command Prompt screen, type in IPCONFIG and press the Enter key.

Write down your IP address.

Make sure both machines are in Bridged networking mode!

The most common problem students have is incorrect networking modes. Unless otherwise specified, make sure all virtual machines you use in this class are in Bridged networking mode.

Turning off "Blank Screen" in Kali

By default, Kali 2.0 will keep locking the screen after a few seconds of inactivity, which is irritating. To fix this, on the left side of the Kali 2.0 desktop, click the bottom button to "Show Applications", as shown below.

On the right side of the Kali 2.0 desktop, click the lowest circle to show the bottom screen.

Then click Settings, as shown below.

In the "All Settings" window, click Power.

Set "Blank screen" to Never, as shown below.

Updating Kali

In a Terminal window, execute these commands:
apt-get update

apt-get upgrade

apt-get dist-upgrade

Starting Armitage on Kali Linux

To start Armitage, in a Terminal window, execute these commands:
msfdb init

armitage

In the "Connect..." box, accept the default values and click the Connect button.

In the "Start Metasploit?" box, click the Yes button.

Armitage opens, as shown below.

Troubleshooting

If the "Progress" box times out and cannot connect, try this:
curl http://www.fastandeasyhacking.com/download/armitage150813.tgz > armitage150813.tgz

tar xzf armitage150813.tgz

cd armitage

msfdb init

./armitage

Scanning for Targets

In Armitage, click Hosts, "Nmap Scan", "Intense Scan".

A box pops up saying "Enter scan range (e.g., 192.168.1.0/24):". Type in your target machine's IP address with a /32 added to the end of it, as shown below. Click the OK button.

The scan will take a few minutes. When the scan is done, a box pops up saying "Scan Complete!", as shown below. Click OK.

The target machine appears in the upper center part of the Armitage window, with a Windows logo on it:

Exploiting the Target with the easyftp_cwd_fixret Attack

In the upper left pane of Armitage, at the bottom, type in easyftp

Several exploits appear, as shown below.

Click easyftp_cwd_fixret, hold down the left mouse button, drag it onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack.

At the bottom of this box, in the "Targets:" drop-down list box, select "9 => Windows Universal - v1.7.0.11", as shown below.

Click Launch.

When the attack succeeds, the bottom pane will show "Meterpreter session 1 opened", (or some other session number) as shown below.

The target machine now shows electric arc graphics on it, indicating this box is owned!

Troubleshooting

If you see an error message saying "connection refused", that usually means the EasyFTP service crashed. It does that a lot. To fix it, on the Windows server, click Start, type in SERVICES, open the Services console, and restart the EasyFTP service. Then try the exploit again.

Saving a Screen Image

Make sure the electric arc around the target machine is visible in the upper pane of Armitage, demonstrating that you "own" the Target machine.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 2a", replacing "YOUR NAME" with your real name.

Post-Exploitation

Now let's gather information from the target.

Right-click the target computer icon, and click Meterpreter, Explore, Screenshot, as shown below.

The Target machine's desktop appears in the lower pane of Armitage, as shown below.

Hardening the Target Machine

To protect the Target from this attack, we will turn Data Execution Protection (DEP) back on. DEP prevents buffer overflow attacks like this, even if someone is foolish enough to install old, buggy software.

In the Target Machine, click Start, right-click Computer, and click Properties.

In the System window, in the left portion, click "Advanced system settings".

In the "System Properties" sheet, click the Advanced tab, as shown below:

In the "Performance" section, click the Settings button.

In the "Performance Options" box, click the "Data Execution Prevention" tab.

Click the "Turn on DEP for all programs and services except those I select:" radio button, as shown below:

Troubleshooting

If you see a message at the bottom of this box saying "Your hardware does not support DEP", this indicates either that your computer is very old, or, far more likely, DEP is disabled in the BIOS.

Close all windows and restart the machine. Press the function key to get into the BIOS and enable DEP before proceeding.

Click OK. Click OK. Click OK.

Restart your Target machine.

Log in as Administrator with a password of P@ssw0rd

Launching the easyftp_cwd_fixret Exploit Again

In Armitage, drag easyftp_cwd_fixret onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack.

At the bottom of this box, in the "Targets:" drop-down list box, select "9 => Windows Universal - v1.7.0.11".

Click Launch.

On the Windows target's desktop, a "Microsoft Windows" button starts blinking at the bottom of the screen.

Click the "Microsoft Windows" button

A "Microsoft Windows" box appears, with the message "ftpbasicsvr.exe has stopped working", as shown below.

DEP has saved your server by stopping the attack!

Saving a Screen Image

Make sure the "Sftpbasicsvr.exe has stopped working" message is visible, as shown above.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 2b", replacing "YOUR NAME" with your real name.

Turning in Your Project

Email the images to me as attachments to an e-mail message. Send it to: cnit.123@gmail.com with a subject line of "Proj 2 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

http://www.fastandeasyhacking.com/manual

Last Modified: 2-4-16