Project 3: Taking Control of a Server with Armitage (15 pts)

What You Need for This Project

Starting the Virtual Machines

As you did in the previous projects, start both the Kali Linux and Windows Server 2016 virtual machines.

Log in to Kali with:

Log in to Windows with:

Testing Windows Networking

On your Windows Server 2016 desktop, at the lower left, click the magnifying glass icon. In the Search box, type CMD.

"Command Prompt" is found, as shown below.

Click "Command Prompt".

In the Command Prompt window, execute this command, as shown below. 

ping google.com
You should see replies, as shown below. If you do not, perform the "Troubleshooting" steps in the box below.

Troubleshooting VM Networking

In VMware Workstation Player, at the top left, click Player, Manage, "Virtual Machine Settings", as shown below.

In the "Virtual Machine Settings" window, on the left side, click "Network Adapter", as shown below.

On the right side, check that these settings are correct:

  • Connected box checked
  • "Connect at power on" box checked
  • NAT selected

Turning Off Windows Firewall

At the lower left of the Windows desktop, click the magnifying glass icon.

Type FIREWALL.

In the Search results, click "Windows Firewall", the second result in the image below.

In the Windows Firewall box, on the left side, click "Turn Windows Firewall on or off".

Check both of the boxes labelled "Turn off Windows Firewall (not recommended)", as shown below.

Click OK.

Testing Kali Linux Networking

On your Kali Linux desktop, at the top left, click the second icon, as shown below, to open a Terminal window.

In the Terminal window, execute this command, as shown below. 

ping google.com
After a few seconds, press Ctrl+C to stop the pings.

You should see replies, as shown below. If you do not, perform the "Troubleshooting" steps in the box above.

Testing Networking Between the VMs

On your Windows Server 2016 desktop, in the Command Prompt window, execute this command, as shown below. 
ipconfig
Find your IP address, as shown below.

On your Kali Linux machine, in the Terminal window, execute this command, as shown below, replacing the IP address with the IP address of your Windows Server 2016 machine. 

ping 172.16.1.247
After a few seconds, press Ctrl+C to stop the pings.

You should see replies, as shown below. If you do not, perform the "Troubleshooting" steps in the box above. You should also make sure the Windows firewall is off, as explained in an earlier project.

Installing EasyFTP

This is an old server product with known vulnerabilities. We'll run it, and see how using old software can endanger a modern operating system.

On your host system, click the link below to download EasyFtp Server 1.7.0.11

easyftp-server-1.7.0.11-en.zip
Drag the downloaded file onto your Windows Server 2016 desktop and drop it there.

On your Windows Server 2016 desktop, right-click easyftp-server-1.7.0.11-en.zip. Click "Extract All...". Click Extract.

In the "easyftp-server-1.7.0.11-en" window, double-click the folder.

There are two items in the folder, as shown below.

Double-click ftpconsole.

A blue window opens, as shown below.

At the top left of this window, click the gear icon.

A box pops up. At the top, check the "Bind IP" box and select your IP address, as shown below.

At the bottom, click Ok.

A "Restart Service" box pops up, as shown below. Click Yes.

Troubleshooting

If the service won't start, a broken version may be already installed. Execute this command to delete the broken service:
sc delete easyftpbasicsvr

Testing the FTP Service

On your Kali Linux machine, in the Terminal window, execute this command, as shown below, replacing the IP address with the IP address of your Windows Server 2016 machine. 
nc 172.16.1.247 21
You should see a "Welcome to my ftp server" banner, as shown below. If you don't, perform the Troubleshooting steps in the box below.

Troubleshooting

In the ftpconsole window, click Service, Stop, as shown below. Then click the green arrow to restart the service.

If you still cannot connect, make sure the Windows firewall is off and both machines are in NAT networking mode. Then use PING as explained above to see if the machines are nwtworked together.

If problems persist, try restarting both virtual machines.

Starting Armitage on Kali Linux

On your Kali Linux desktop, on the top left side, click the head icon, as shown below, to open Armitage.

In the "Connect..." box, accept the default values and click the Connect button.

In the "Start Metasploit?" box, click the Yes button.

Armitage opens, as shown below.

Troubleshooting

If Armitage won't start from the GUI, or the "Progress" box times out and cannot connect, execute these commands in a Terminal window to reinstall Armitage. 
curl http://www.fastandeasyhacking.com/download/armitage150813.tgz > armitage150813.tgz

tar xzf armitage150813.tgz

cd armitage

msfdb init

./armitage
If you get this error: The Parallel GC can not be combined with -XX:ParallelGCThreads=0, edit the armitage file with nano and change this line: 
Java -XX:+AggressiveHeap -XX:+UseParallelGC -jar armitage.jar $@
to this: 
Java -XX:+UseParallelGC -jar armitage.jar $@

Scanning for Targets

In Armitage, click Hosts, "Nmap Scan", "Intense Scan".

A box pops up saying "Enter scan range (e.g., 192.168.1.0/24):". Type in your Windows Server 2016 target machine's IP address with a /32 added to the end of it, as shown below. Click the OK button.

The scan will take a few minutes. When the scan is done, a box pops up saying "Scan Complete!", as shown below. Click OK.

The target machine appears in the upper center part of the Armitage window, with a Windows logo on it:

Troubleshooting

If your Windows machine is not detected, test your network with these steps:
  • On your Windows machine, in a Command Prompt, execute the IPCONFIG command to find its IP address.
  • On your Kali machine, in a Terminal window, ping the Windows machine. If you don't get replies, that indicates a problem with networking.
  • On the Windows machine, turn off the firewall.
  • In VMware Player Settings, verify your network modes. The Windows and Kali machines must be on the same network: either both Bridged, or both NAT.

Exploiting the Target with the easyftp_cwd_fixret Attack

In the upper left pane of Armitage, at the bottom, type in easyftp

Several exploits appear, as shown below.

Click easyftp_cwd_fixret, hold down the left mouse button, drag it onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack.

At the bottom of this box, in the "Targets:" drop-down list box, select "9 => Windows Universal - v1.7.0.11", as shown below.

Click Launch.

When the attack succeeds, the target machine shows electric arc graphics on it, as shown below, indicating this box is owned!

Troubleshooting

If you see an error message saying "connection refused", that usually means the EasyFTP service crashed. It does that a lot. To fix it, restart the EasyFTP service, as shown in an earlier Troubleshooting box on this page, or just restart the Windows target machine entirely.

Post-Exploitation: Looting

Now let's gather information from the target.

In Armitage, right-click the target computer icon, and click Meterpreter, Explore, Screenshot, as shown below.

The Target machine's desktop appears in the lower pane of Armitage, as shown below.

Recording Your Success

In Armitage, right-click the target computer icon, and click Meterpreter, Interact, "Meterpreter Shell", as shown below.

In Armitage, in the bottom pane, execute this command:

sysinfo
You should see information about your Windows version, as shown below. Find the text that is covered by a gray box in the image below.

EH1.3: Recording Your Success (15 pts)

Use the form below to record your success.
Name:
Text:

Hardening the Target Machine

To protect the Target from this attack, we will turn Data Execution Protection (DEP) back on. DEP prevents buffer overflow attacks like this, even if someone is foolish enough to install old, buggy software.

On your Windows Server 2016 desktop, at the lower left, right-click the Start button and click System, as shown below.

In the "System" box, on the left side, click "Advanced System Settings".

In the "System Properties" box, click the Advanced tab. In the Performance section, click the Settings... button, as shown below.

In the "Performance Options" box, click the "Data Execution Prevention" tab. Click the "Turn on DEP for all programs and services except those I select:" button, as shown below.

Click OK.

A "System Properties" box pops up. Click OK.

In the "System Properties" box, click OK.

Close all windows. At the lower left, right-click the Start button. Point to "Shut down or sign out" and click Restart, as shown below.

A box pops up asking you to "Choose a reason". Click Continue.

If a screen appears saying there are background tasks running, click "Restart Anyway".

Log in as normal when the server restarts, with the password P@ssw0rd

Restarting the EasyFTP Service

Open ftpconsole again, as you did before, and make sure the service is running, as shown below.

Launching the easyftp_cwd_fixret Exploit Again

In Armitage, drag easyftp_cwd_fixret onto the computer icon showing your target's IP address, and drop it there.

An Attack box pops up with details about the attack.

At the bottom of this box, in the "Targets:" drop-down list box, select "9 => Windows Universal - v1.7.0.11".

Click Launch.

On the Windows Server 2016 machine, a box pops up saying "ftpbasicsvr.exe has stopped working", as shown below.

DEP has saved your server by stopping the attack!

Sources

http://www.fastandeasyhacking.com/manual

Moved to local server 3-21-19