Archive
Fall 2010
The homework for client-side exploitation was split into two parts:
1. Profile a department at Poly for a client-side attack
- What intelligence would you gather and why?
- Based on the information you gathered, develop a scenario to successfully execute a client-side attack
2. Plugin Detection
- Create a webpage to detect browser version, 3rd party apps, class IDs, etc...
- Consider cross-browser functionality
- Deliver a unique page based on browser/OS
Extra Credit: If you did Dino's ActiveX exploitation midterm question, convert your exploit to a Metasploit module. If you didn't do it, do it any way you can.
The xspy keylogger was discussed in the post-exploitation class. Students should compile xspy for their machine and run it locally, then try running "su -", running sudo, and locking and unlocking the screen. Did it capture your password?
Compilation instructions (the first line is the md5sum of the tarball):
7cc26e0ea6eea9452f5f5f87afcce595  xspy-1.0c.tgz
tar -zxvf xspy-1.0c.tgz
cd xspy; xmkmf; make
If you get an error about NULL being undeclared in usleep.c, add the following lines to it:
#ifndef NULL
#define NULL (void *)0
#endif //#ifndef NULL
The homework for the post-exploitation class was to write a persistence script for Windows or Linux that uses two forms of persistence: one user-level mechanism and one privilege-escalation mechanism. For Windows, the script must be written in VB or PowerShell. For Linux, the script can be written in Bash, Perl, Python or Ruby.
For example, on Windows you could:
- Change the password for Guest and re-enable the account for login
- Create a vulnerable service so that you can privilege escalate
- Create a new user
- Move sethc.exe to sethc.exe.bk and copy cmd.exe to sethc.exe
On Linux, you could:
- Install SSH keys into a user's home directory
- Install or make an existing binary setuid root
- Add a . to the user's path and put a trojan sudo in their home directory
- Install a version of netcat with the "-e gaping security hole" enabled and start it listening with "nc -l 666 -e /bin/bash"
Fall 2009
Students had three choices for their homework in the client-side exploitation section.
Option 1: Plugin Detection
- Create a webpage that detects browser version, 3rd party apps, class IDs, etc
- Consider cross-browser functionality
- Deliver an exploit or a unique page based on the collected information
Option 2: Create and obfuscate MDAC RDS code
- Try to bypass a network IDS, consider what the signatures are triggering on
- Code sample available (check presentation, milw0rm, or ask Dean)
Option 3: Malicious PDF
- Encode/obfuscate a malicious PDF to bypass AV on a host. Test the PDF against VirusTotal. The malicious PDF must remain functional (it must still open calc.exe)
- Code sample available (ask Dean)
The homework for the post-exploitation section was to write a meterpreter script providing functionality that did not already exist.
Fall 2008
- Clientside Exploitation videos (part 1 and part 2) and slides
- Post-exploitation videos (part 1 and part 2) and slides
Students had two choices for their homework in the client-side exploitation section.
Option 1: Run a Phishing Campaign
- 1a. Intelligence Gathering
- Find all e-mail addresses for poly.edu
- Find any other domains, URLs, or other info that can be used to improve a phish's success
- Describe methods, tools and scripts used for this step
- 1b. Target phishfood@###.com
- Develop an e-mail (create a scenario) and link it to malicious site that you create
- At your landing page, gather the following info: remote IP, plugins, browser, etc...
- If possible, drop and execute a file on the target
Option 2: Analyze web-based malware
- Decode the JS and describe its obfuscation techniques
- Describe what it does, what bug it exploits, how, etc...
- Modify the code [payload] to use your own payload.exe
The homework for the post-exploitation section was to write a meterpreter script providing functionality that did not already exist.