Exploits and Metasploit
Objective
Lab 4 is designed to provide you with hands-on, practical experience with exploiting vulnerabilities that we identify during the scanning and enumeration phase. Upon completion of lab 4, you will have an understanding of the following:
1. Nessus Refresher - we will revisit using Nessus to identify specific vulnerabilities
2. Metasploit - exploit the vulnerability that was identified with Nessus and use Meterpreter commands to gather information
Procedures
1. Nessus Refresher
1. Power on the XP Security/Win7 VM along with the Win 2000 Server VM
2. Re-run a Nessus scan looking for ONLY MS03-026. You will need to modify the scan policy and selected plug-ins to achieve this
3. Screenshot your scan results and include the screenshot in your submission
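As an added example (not part of the lab or of Nessus itself), the script below filters a Nessus v2 export for MS03-026 findings so the Part 1 scan doubles as a remediation list; it assumes the standard .nessus XML layout, and the hosts, plugin IDs and plugin names in its sample are constructed.

```python
# Added example for this lab (not part of the assignment or of Nessus): parse
# a Nessus v2 export (.nessus, NessusClientData_v2 schema) and list every
# host/port where an MS03-026 plugin fired. The XML is a constructed sample
# with made-up plugin IDs, plugin names and addresses.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="lab4">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="operating-system">Microsoft Windows 2000 Server</tag>
   </HostProperties>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="4"
     pluginID="90001" pluginName="MS03-026: RPC DCOM overflow (constructed)"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <HostProperties>
    <tag name="operating-system">Microsoft Windows 7</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
     pluginID="90002" pluginName="SMB Service Detection (constructed)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def ms03_026_findings(nessus_xml, pattern="MS03-026"):
    """Return one dict per ReportItem whose pluginName contains pattern."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        # Nessus stores the OS fingerprint as a <tag> under HostProperties.
        os_name = next((t.text for t in host.iter("tag")
                        if t.get("name") == "operating-system"), "unknown")
        for item in host.iter("ReportItem"):
            name = item.get("pluginName", "")
            if pattern.lower() not in name.lower():
                continue
            findings.append({"host": host.get("name"), "os": os_name,
                             "port": int(item.get("port")),
                             "proto": item.get("protocol"),
                             "severity": int(item.get("severity")),
                             "plugin": name})
    return findings

if __name__ == "__main__":
    for f in ms03_026_findings(SAMPLE_NESSUS):
        print(f["host"], f["os"], f"{f['proto']}/{f['port']}", f["plugin"])
```

Point it at a real export by reading the .nessus file into a string and passing that instead of SAMPLE_NESSUS.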
2. Exploiting MS03-026 - Manual
1. Power on the BackTrack 5/Kali VM. Power off the XP Security VM for better performance.
2. (In-class Students ONLY) Since the CDM lab does not allow internet connectivity to the VMs, you will need to download and transfer (via a USB drive) the exploit (oc192-dcom.c) from the COL site to the BackTrack 5 VM system. Or download the exploit from https://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
3. (DL Students ONLY) The oc192-dcom.c file is on the desktop of the BT5R3-GNOME-VM-32 virtual machines in the new Gold snapshot
4. To see the contents of the file, type cat oc192-dcom.c from the directory where the file resides (where did you put it?) and press enter
5. Compile and run to view the options for the exploit. Include a screenshot of the compiled exploit and the output from running the exploit without any options
6. Run the exploit against the Windows 2000 system. Gather the following information about the server and include in your submission:
1. The full version information
2. The current network card/IP address settings on the server
3. A list of the user accounts on the system
4. The ARP table showing if any other systems have connected recently
3. Exploiting MS03-026 and Meterpreter Use - Metasploit
1. Let's exploit the same vulnerability using Metasploit. On the BackTrack 5/Kali VM open a new terminal and type msfconsole and press enter
2. Type search ms03-026 and press enter
3. Figure out how to use this exploit and run it against the Windows 2000 Server, using Meterpreter as your payload (should be the default payload)
4. Once connected via Meterpreter examine the options you have (i.e. stdapi, core, priv, etc.). Collect the same information as above in Part 2 Step 6 and include in your submission
5. Figure out how to dump the password hashes off of the Windows 2000 Server, include a screenshot of the hashes in your submission. Q1. What accounts in this password hash dump would be of interest? Which ones would you likely skip/not crack?
6. Q2. What process ID is Meterpreter running in? Gather the PID and then the service name. What account was running the exploited process? What is this process and what does it do in Windows? Run the command to identify the user context that Meterpreter is running in and include a screenshot in your submission. Q3. Given our current context, is token stealing possible - why or why not?
7. Q4. If token stealing works from our current context, see if you can steal the token for the local admin account (hint: you'll need to look at the running processes and then steal the token of a process running in the user's context)
8. Try to dump the hashes again. Q5. Why does it not work?
9. Q6. Try to steal the token of the System account again by going back to the initial process by re-stealing the associated token. Why does it not work (i.e. what accounts have access to the tokens, specifically the impersonate delegate tokens)?
10. Figure out how to get System level access again - there is a Meterpreter command that you can run that will put your Meterpreter session back in the context of the System account from a standard user account. Verify this by running the command that shows your current user context - include this work as a screenshot in your submission
11. Q7. Which process ID did it migrate you to? Verify this by running the command that shows your current process ID after migration to the System account
12. Now, steal the token associated with the winmgmt.exe process, then attempt to dump the hashes again. It should work; include this as a screenshot in your submission file.
Note - the above questions and the usage of Meterpreter are very important. You need to understand both how to exploit a system and what level of access you then have
What you need to submit
To get credit for this lab you need to submit the following:
- A screenshot of the Nessus output, highlighting the MS03-026 vulnerability and all mentioned screenshot requirements listed in the lab instructions and answers to all questions in this lab assignment in a single file
- Note - it is helpful to the grader (me) if you put some level of explanation prior to each screenshot. Random screenshots that do not fulfill the requirement will receive zero credit. If you put "some" explanation at least the grader will know what you were trying to show and is more likely to issue partial credit.
Additional Exercises
The following items are additional exercises related to the lab. Feel free to explore these topics on your own.
- Spend time learning the ins and outs of Metasploit. Take a look at all the different payloads and meterpreter options and scripting. We will examine some of the more advanced features in Metasploit in a later module. In addition, this may come in handy for the capture the flag exercise at the conclusion of the course!
- We examined some of Meterpreter's options; look at the others as well. In addition, examine the other /post exploitation options...not all are available from Meterpreter.