Project 2: Taking Control of a Machine with Metasploit (15 points)

What You Need for This Project

A computer with VMware Player. You can use any host OS you like, and if you prefer to use some other virtual machine software like VirtualBox or Xen, that's fine too. You can download VMware Player here:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0
The instructions below assume you are using Windows 7. You can use VMware on the Mac and other operating systems, but the steps may be somewhat different.
You need the DVD that was handed out in class, which contains two Windows XP virtual machines: WinXPSP3 and WinXP_TARGET. (If you don't have it, all you really need is an old Windows XP machine with no service packs as the target.)

Installing Java on the Windows 7 Host

On the Windows 7 host machine, open a Web browser and go to http://java.com

Click the "Free Java Download" button. On the next screen, click the "Agree and Start Free Download" button.

When the installer has downloaded it, run it and install Java with the default options.

and follow the prompts on your screen to install Java.

Installing Metasploit on the Windows 7 Host

Disable or uninstall your antivirus scanner before installing Metasploit. This obviously places you at some risk, so you may want to use a machine you don't care about too much, such as the lab machines in S214.

If you have antivirus running, it will freak out when you install Metasploit. This hacking tool contains hundreds of attack tools, which contain virus signatures.

In your Windows 7 host machine, open a Web browser and go to http://www.metasploit.com

On the upper right, click DOWNLOAD.

In the "For Windows" section, click the "Free Download" button. It's a 222 MB download when I did it (Jan. 17, 2013), so it might take a while.

When the file downloads, run it and click through the installer, accepting all the default selections. It will take several minutes. When it reaches the end, "Setting Windows Permissions", it freezes for about 3 minutes. That's OK, just wait.

When the installation is done, a Web browser pops up with a warning about an untrusted security certificate, as shown below.

Just close the browser.

Updating Metasploit

On your Windows 7 host machine's desktop, click Start, "All Programs", Metasploit, "Framework Update".

Wait till the updates are complete. When I did it, no updates were available.

Running the Metasploit Console

To initialize the database, you must run the Metasploit console once.

On your Windows 7 host machine's desktop, click Start, "All Programs", Metasploit, "Metasploit Console".

Wait for a minute or two, as white text appears in the black "Metasploit Pro Console" window.

When you see the msf > prompt, as shown below, it's done.

Close the "Metasploit Pro Console" window.

Starting Armitage

Click Start, "All Programs", Metasploit, Framework, Armitage.

In the "Connect..." box, accept the default values and click the Connect button.

In the "Start Metasploit?" box, click the Yes button.

A box pops up asking "Where is Metasploit installed?".

Navigate to C:\metasploit\apps\pro, as shown below, and click the Open button.

Wait a minute or so while a progress bar moves.

Armitage opens, as shown below.

Starting Your Target Virtual Machine

Start the WinXP_TARGET virtual machine, as you did in the previous project.

In VMware Player, on the top left, click Player, Manage, "Virtual Machine Settings".

In the "Virtual Machine Settings" box, on the left side, click "Network Adapter".

On the right side, click "Bridged: Connect directly to the physical network", as shown below. Click OK.

Testing Your Target Virtual Machine's Internet Connection

On the Target virtual machine, open Internet Explorer and verify that you can reach the Internet. If you cannot, which happens very often, try the troubleshooting steps listed below.

Troubleshooting a VMware Network Connection

RESTART: Restart the virtual machine
USE DHCP: In the virtual machine, click Start, Control Panel, Network Connections. Right-click "Local Area Connection" and click Properties. Double-click "Internet Protocol (TCP/IP)" and make sure both the "Obtain an IP address automatically" and "Obtain DNS server address automatically" buttons are selected. Click OK. Click OK.
REPAIR THE CONNECTION: In the virtual machine, click Start, Control Panel, Network Connections. Right-click "Local Area Connection" and click Repair.
VMWARE BRIDGE PROTOCOL: In the Host machine, click Start and type "NETWORK CONNECTIONS" into the Search box. In the results, click "View network connections". Right-click "Local Area Connection" and click Properties. Make sure the "VMware Bridge Protocol" item is checked. Click OK.
MAKE A NEW VIRTUAL MACHINE: When all these actions fail, which is very common, you need to discard the virtual machine and extract a fresh one from the original .7z file.

Finding Your Target Virtual Machine's IP Address

Click Start, Run.

Type in CMD and press the Enter key.

In the Command Prompt screen, type in IPCONFIG and press the Enter key.

Write down your IP address.

Scanning for Targets

In Armitage, click Hosts, "Nmap Scan", "Intense Scan".

A box pops up saying "Enter scan range (e.g., 192.168.1.0/24):". Type in your target machine's IP address with a /32 added to the end of it, as shown below. Click the OK button.

When the scan is done, a box pops up saying "Scan Complete!", as shown below. Click OK.

Exploiting the Target with the MS04_011 Attack

In the upper left pane of Armitage, double-click exploit.

Scroll down and double-click windows.

Scroll down and double-click smb.

Find ms04_011_lsass, as shown below.

Click ms04_011_lsass, hold down the left mouse button, drag it onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack, as shown below. Click Launch.

When the attack succeeds, the bottom pane will show "Meterpreter session 1 opened", (or some other session number) as shown below. (Even though it says "Exploit failed", it worked!)

The target machine now shows electric arc graphics on it, indicating this box is owned!

Post-Exploitation

Now let's gather information from the target.

Right-click the target computer icon, and click Meterpreter, Explore, Screenshot, as shown below.

The Target machine's screen appears in the lower pane of Armitage, as shown below.

Saving a Screen Image

Make sure the electric arc around the target machine is visible in the upper pane of Armitage, demonstrating that you "owned" the Target machine.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 2a", replacing "YOUR NAME" with your real name.

Restarting the Target Machine

In the Target virtual machine, click Start, "Turn Off Computer". If possible, shut the machine down normally.

If it freezes, in the upper left portion of the VMware Player window, click Player, Power, "Power Off" to force it to shut down.

Start the target machine again.

Patching the Target Machine

To protect the Target from this attack, we will install a Microsoft security patch. To save time, I already downloaded the patch from microsoft.com/technet/security/bulletin/ms04-011.mspx and saved it in the Target Machine.

In the Target Machine, click Start, "My Documents".

Double-click the WindowsXP-KB835732-x86-ENU.EXE file. Some files are extracted, and the "Windows XP KB83572 Setup Wizard" opens. Click through the wizard to install the patch.

Restart your Target machine when prompted to.

Launching the MS04-011 Exploit Again

In Armitage, drag ms04_011_lsass onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack, as shown below. Click Launch.

In the lower pane of Armitage, you see the message "Server appears to have been patched", as shown below.

Saving a Screen Image

Make sure the "Server appears to have been patched" message is visible, as shown above.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start.

Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 2b", replacing "YOUR NAME" with your real name.

Turning in Your Project

Email the images to me as attachments to an e-mail message. Send it to: cnit.123@gmail.com with a subject line of "Proj 2 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Sources

http://www.fastandeasyhacking.com/manual

Last Modified: 12 pm 1-18-13