Exercise 5

This is the report for the fifth series of exercises for my penetration testing course, taught by Tero Karvinen.
The fifth assignment consists of four parts, as follows:

1) Make Trojan horses, at least two different ones. You can, for example, make an infected installer, documents containing hostile macros, or a smartphone app. Name the programs so that the malicious purpose is obvious, e.g. MALWARE-installer.exe. The hostile payload can be, for example, Meterpreter. Do not make self-propagating programs. You can use e.g. setoolkit or msfvenom to make the Trojan horse.

2) What new inventions were introduced in Conficker? Read an article about Conficker. 'conficker analysis' is a good search term. Pay attention to the C2.

3) Blogs. Look for pentesting ideas in Krebs's or Schneier's blogs. These blogs cover many security-related topics; make notes especially about penetration testing.

4) Safarionline. Learn and test a new pentesting technique from a book or video that you find on Safarionline.

Trojan .exe

The first Trojan I will make is a .exe file that is infected with a Windows Meterpreter reverse TCP payload. For this I will be using setoolkit, which is included in Kali Linux.

I start by launching setoolkit. This is done with the command:

sudo setoolkit

I select option 1 (social-engineering attacks).

From the next menu, option 4 is our choice. For this payload we will need a Windows reverse_tcp Meterpreter, so I choose option 2.
Insert the IP address and port for the listener (your host).

Once this is done you can start Metasploit by selecting "yes", or return to the root menu. Since this is the first time I'm doing this, I will select "no" and start the Metasploit listener manually later.

The newly created payload can be found in the /root/.set/ folder, with the name payload.exe. Since I have to move this to a USB stick for testing, I'll copy it to my Documents folder.

Let’s rename the file, so we know what it is.

For the test victim I will be using a Windows 7 computer, with the antivirus (F-Secure) turned off. When I first tried this, the antivirus blocked the program.

Before I run the .exe file, we need to start a listener on the host side. I'll start up msfconsole, select the appropriate exploit and run it.

Once we run the program on the target computer, a Meterpreter connection is established. You just need to double-click the .exe file to run it; no admin rights are needed.

Trojan QR code

The second Trojan I made was a QR code to harvest credentials through a fake website. The idea is that the victim scans the QR code and is directed to the phishing website. I'll do this using setoolkit again. I'll select the social engineering attacks option. For this attack we will need the website attack vectors option (2) and from there the credential harvester attack method (3).

I'll select a webpage template to be used as the snare. The IP address will in this case be the address of the Kali host, since this is only a test in a controlled environment. As the web template I will choose Google's login page. Once I finish, the console will wait for the incoming credentials, which are sent in a POST request.

Now we will need to make the QR code to be sent to the victim. I'll start a new session with setoolkit to create this. The creation is quite straightforward: select the QRcode generator attack vector and input a URL for it to redirect to, in this case the Kali host.

I will just copy the .png file containing the QR code.

I will use my Android phone to scan the QR code. The Google template ended up being an empty page, so I reran the process and chose Twitter as the template, and this one worked as intended. OK, the address may not be legit, since it's the Kali host's IP.

Once the username and password combination is entered, they pop up on the setoolkit console.

Conficker

Conficker was a computer worm that first appeared in November 2008; it infected only computers running Windows. To date, it has at least five generations. Each generation is differentiated by a letter, in alphabetical order (Conficker A, Conficker B and so forth). At its peak, Conficker had reportedly infected anywhere from 9 to 15 million computers, making it the largest computer worm infection to date.

It exploited the MS08-067 vulnerability and used dictionary attacks on admin accounts.

Conficker introduced a number of new features, never seen before.

The biggest one of them is its ability to generate a large number of unique, random domain names (in Conficker.C it was 50,000 a day). This means that the Conficker source code does not contain fixed IP addresses or domain names for contacting the command and control server (C2). The creators of Conficker could precalculate which domain names would come up and register them. This would allow them to take control of the infected machine, or allow the worm to update itself.

This is a so-called "call home" function. Conficker selects only a predetermined number of domain names from the randomly generated list; in Conficker.C this number was 500. It queries these addresses looking for one that it can contact. In Conficker.C the DNS query interval was random, so it would be harder to detect. Once contact has been established, Conficker verifies the digital signature of the encrypted payload it has received; if it verifies, Conficker writes the content to a file and executes it. Once this has been done, the Conficker-infected host sleeps for three days before resuming the call-home function.
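From the defender's side, the visible trace of a call-home function like this is a burst of DNS queries for names that look nothing like human-chosen domains. The following is an added example, not part of the original report and not the worm's actual algorithm (the articles summarised above do not give it): a small heuristic scorer that flags DGA-looking second-level labels in DNS query logs by entropy, vowel ratio and consonant runs. The log lines, the log format and the thresholds are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS log lines (timestamp, client, "query", name).
# They are made up for this example and are not real Conficker traffic.
SAMPLE_DNS_LOG = """\
2008-11-21T10:00:01 10.0.0.12 query www.microsoft.com
2008-11-21T10:00:03 10.0.0.12 query update.f-secure.com
2008-11-21T10:00:09 10.0.0.12 query qwpzhvkrtm.org
2008-11-21T10:00:14 10.0.0.12 query xjrbvqgkz.info
2008-11-21T10:00:22 10.0.0.12 query mail.google.com
2008-11-21T10:00:31 10.0.0.12 query tkvqxjmbwplr.net
2008-11-21T10:00:31 10.0.0.12 query en.wikipedia.org
"""

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(fqdn: str) -> str:
    """Return the registrable label, e.g. 'google' for 'mail.google.com'.
    Assumes a one-label public suffix (no co.uk handling)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn: str) -> float:
    """Heuristic score in [0, 1]: higher means more DGA-like.
    Combines entropy, vowel ratio and the longest consonant run of the
    second-level label. The thresholds are assumptions for this example."""
    label = second_level_label(fqdn)
    letters = re.sub(r"[^a-z]", "", label)
    if len(letters) < 6:
        return 0.0  # short labels are too ambiguous to score
    entropy = shannon_entropy(letters)
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    longest_consonants = max(len(run) for run in re.findall(r"[^aeiou]+", letters) or [""])
    score = 0.0
    if entropy > 3.0:
        score += 0.4
    if vowel_ratio < 0.25:
        score += 0.3
    if longest_consonants >= 5:
        score += 0.3
    return round(score, 2)

def flag_dga_queries(log_text: str, threshold: float = 0.6) -> list[str]:
    """Return the queried names whose score meets the threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        name = fields[3]
        if dga_score(name) >= threshold:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{name:20s} score={dga_score(name)}")
```

On the constructed log the three random-looking names score 1.0 and the legitimate ones score 0.0. A scorer like this is a triage aid, not proof: legitimate CDN and short-link hostnames can look random too, so in practice the flagged names are correlated with NXDOMAIN rates and the number of distinct names per client before anyone acts on them.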

Conficker also contained preventive measures against its removal.

It was able to lock its DLL (dynamic-link library) file, so other applications could not read or write that specific file.
By manipulating the Windows ACL (access control list), Conficker was able to prevent any system user (including the administrator) from accessing, reading, writing or deleting the Conficker DLL file.
Conficker was able to disable Windows Update and security functions; this prevented the infected machine from patching itself or starting any security measures against Conficker. This was also done by preventing security diagnostic tools and Conficker removal tools from functioning. Security-related websites were also blocked. These actions make removing Conficker from the system extremely hard without formatting the system.

Conficker was also able to spread via infected USB media, even if USB autorun was disabled. Another attack vector was the ability to spread inside a local area network by using Windows domain rights to infect machines.

KrebsOnSecurity

The first article I read was from KrebsOnSecurity.

It discussed the dangers that web browser extensions might pose to a user, and also the possibility that a legitimate browser extension might be hacked. In the article's example, it was MEGA's Chrome extension.

This got me thinking about the possible dangers and exploits that this kind of approach might offer. Browser extensions are meant to be helpful and make the browsing experience easier, but in some cases the permission levels they need are concerning.

Using these in your personal browsing, one might see the benefits they offer, but are people really aware of the risks they pose?

In the corporate world, use of these should be banned or discouraged, but what if the company's own browser extension gets compromised? How much damage can happen before the system admins notice? There is also a real possibility that this could go unnoticed for quite some time, or even indefinitely.

The question might be: do companies or people actually need browser extensions?

From a penetration testing standpoint, web extensions can offer an angle for a social engineering attempt, or an opportunity if the pentester can hack and alter the extension's code. One use of this could be keylogging for usernames and passwords.

The social engineering angle is to make an innocent-looking browser extension (this could mean obfuscating the code a bit) and try to add it to the browser's extension "store"; Firefox has its add-ons and Chrome its Web Store. There is a possibility that this might get banned, but the attacker can always give it a try or alter the code so it could get accepted. Then the attacker just waits.

If the attacker could alter the extension's code, this could be easier, since in most cases the extension is already installed somewhere.

The final argument is that a user should question the need for a browser extension. If it is deemed necessary, the user should be very careful about the permissions they grant to the extension.
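To make the permissions point checkable rather than a feeling, here is an added example (not from the Krebs article or the report): a small audit of a Chrome extension manifest.json that flags the permissions giving an extension reach over every site or every request, which is exactly what a keylogging or credential-stealing extension would need. The two manifests and the risk tiers are constructed for the example; the permission names themselves are real Chrome extension permissions.

```python
import json

# Chrome extension permissions that grant broad reach over browsing data.
# The risk tiers are this example's own judgement, not a Chrome policy.
HIGH_RISK = {
    "<all_urls>": "inject scripts into / read every site",
    "webRequest": "observe all HTTP(S) requests",
    "webRequestBlocking": "modify or redirect all HTTP(S) requests",
    "cookies": "read session cookies for any permitted host",
    "debugger": "attach to tabs and read page contents and inputs",
    "nativeMessaging": "talk to a native helper process outside the sandbox",
    "proxy": "route all browser traffic through a chosen proxy",
}
MEDIUM_RISK = {
    "tabs": "URLs and titles of all open tabs",
    "history": "full browsing history",
    "clipboardRead": "read the clipboard",
    "downloads": "start and inspect downloads",
    "management": "enable/disable other extensions",
}

# Constructed manifests: a minimal popup extension and a "helper" that asks
# for everything a credential stealer would want (MV2 style, hosts in permissions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Example dictionary popup", "version": "1.0",
    "permissions": ["storage", "activeTab"],
})
RISKY_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example helper (constructed)", "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "cookies", "<all_urls>"],
})

def _hosts_are_broad(host_permissions) -> bool:
    """True if any host pattern covers all sites ('<all_urls>', '*://*/*', 'https://*/*')."""
    return any(p == "<all_urls>" or p.split("://", 1)[-1].startswith("*/")
               for p in host_permissions)

def audit_manifest(manifest_text: str) -> dict:
    """Parse a manifest.json and report the risky permissions it requests.
    Handles both MV2 (host patterns inside 'permissions') and MV3
    (separate 'host_permissions')."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    for p in list(perms):                      # MV2: split host patterns out
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
            perms.discard(p)
    return {
        "name": m.get("name", "<unnamed>"),
        "manifest_version": m.get("manifest_version"),
        "high": sorted(p for p in perms | hosts if p in HIGH_RISK),
        "medium": sorted(p for p in perms if p in MEDIUM_RISK),
        "broad_hosts": _hosts_are_broad(hosts),
    }

def risk_level(findings: dict) -> str:
    """Broad host access alone is 'high': a content script on every page can read
    every form field the user types into, which is the keylogging case above."""
    if findings["high"] or findings["broad_hosts"]:
        return "high"
    if findings["medium"]:
        return "medium"
    return "low"

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, RISKY_MANIFEST):
        f = audit_manifest(text)
        print(f"{f['name']}: {risk_level(f)}  high={f['high']} medium={f['medium']}")
        for p in f["high"]:
            print(f"    {p}: {HIGH_RISK[p]}")
```

In a managed environment the same check can be run against the extension inventory a browser policy exports, and the "high" tier is the allow-list review queue: an extension does not need `<all_urls>` plus `webRequest` to look up words in a dictionary.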

Schneier on Security

The second article was from Schneier on Security.

It's actually a short commentary on another article describing how the NSA cracked the VPNs (Virtual Private Networks) of some of their targets.

This is from Edward Snowden's leaked archives. Maybe the alarming thing is that they are from 2006. If this was possible over a decade ago, what are their capabilities today? The article does not mention which VPN technologies have been compromised, and the technical details of the VPN cracking are a closely guarded secret. It still offers some interesting information.

One is a tool called Vividdream, which can test whether the NSA is capable of exploiting a targeted VPN.

There is also a mention of malware called Hammerstein, installed on routers that VPN traffic traverses. This would allow it to forward the VPN traffic back to the NSA to be decrypted. The details of this are still unknown. Sadly, the NSA declined to comment on the story.

The article ends with a brief story from 2015. A team of cryptographers described a new attack called Logjam that is able to compromise the Diffie–Hellman key exchange, used to securely exchange cryptographic keys over a public channel. The report concluded that this attack was able to compromise 66% of IPsec VPNs, and hinted that the NSA is able to orchestrate such an attack.
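The reason one attack could reach so many VPNs is worth seeing in code. The following is an added example (not from the Schneier post or the Logjam paper) of the idea behind it on a toy group small enough to run instantly: in a baby-step giant-step discrete logarithm the expensive part is a table that depends only on the group (p, g), so once that table exists, every key exchange that reuses the group costs only a few extra steps. The prime, generator and session secrets are constructed; real groups are 1024 bits and up, where the precomputation is a nation-state budget rather than a dictionary in memory.

```python
import math

# Toy Diffie-Hellman group, constructed for this example: a 14-bit safe prime
# (10007 = 2 * 5003 + 1) with generator 5. Nothing here is a real VPN parameter.
P = 10007
G = 5

def precompute_baby_steps(g: int, p: int) -> dict[int, int]:
    """One-time, per-group work: table of g^j mod p for 0 <= j < m.
    This is the step Logjam amortises across every connection using the group."""
    m = math.isqrt(p - 1) + 1
    table = {}
    value = 1
    for j in range(m):
        table.setdefault(value, j)
        value = value * g % p
    return table

def solve_dlog(h: int, g: int, p: int, table: dict[int, int]) -> int:
    """Per-connection work: find x with g^x = h (mod p) using the precomputed
    baby steps and at most m+1 giant steps."""
    m = math.isqrt(p - 1) + 1
    giant = pow(g, -m, p)          # g^(-m) mod p (modular inverse via pow, Python 3.8+)
    gamma = h % p
    for i in range(m + 1):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * giant % p
    raise ValueError("no discrete log found (h not in the subgroup generated by g)")

def dh_public(secret: int, g: int = G, p: int = P) -> int:
    """The value each party sends in the clear."""
    return pow(g, secret, p)

def passive_observer_recovers_secret(pub_a: int, pub_b: int, table: dict[int, int],
                                     g: int = G, p: int = P) -> int:
    """Given only the two public values seen on the wire and the group table,
    recover the shared secret g^(ab) by solving one discrete log."""
    a = solve_dlog(pub_a, g, p, table)
    return pow(pub_b, a, p)

if __name__ == "__main__":
    table = precompute_baby_steps(G, P)            # done once for the group
    for a, b in [(1234, 4321), (777, 9001)]:        # two sessions, same group
        A, B = dh_public(a), dh_public(b)
        real = pow(B, a, P)
        recovered = passive_observer_recovers_secret(A, B, table)
        print(f"session shared secret {real}, recovered {recovered}, match={real == recovered}")
```

The defensive reading is the one the Logjam authors gave: the cost of the table grows with the size of p, and it is wasted if each deployment uses its own group, so the fix was 2048-bit (or larger) or freshly generated Diffie-Hellman parameters instead of the handful of shared 1024-bit groups most VPNs and TLS servers were using.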

VPNs are considered secure to use and have a reputation of being impossible, or extremely hard, to crack. This article raises concerns that they may not be as secure as believed.

Safari Online

The book I chose from Safari Online was Mastering Kali Linux Wireless Pentesting by Jilumudi Raghu Ram and Brian Sak. The fourth chapter deals with wireless cracking, specifically WPA, WPA2 and WPS. Since most wireless networks use the WPA2 security protocol, I decided to try and crack a WPA2 network using the instructions the book gives.

Now, WPA2 is strong encryption, so we will not focus on cracking the encryption but on the wireless password, using a dictionary attack.

For this exercise I have added a new wireless network to my network, called BI66ER. The password is robotboy1234, which I have also added to the best1050.txt wordlist, somewhere in the middle of the file.
The wordlist can be found under /usr/share/wordlists/dirb/.
To keep things safe, I chose a channel that is not used by other wireless networks. This is not mandatory, since you can separate the target by using its MAC address.

The procedure has three steps. First you set up a monitor interface and scan the network, second you try to capture a WPA handshake with the target network, and last comes the actual dictionary attack.

The four-way handshake is the method by which the access point and the client independently prove to each other that they know the PSK/PMK (pre-shared key / Pairwise Master Key), without ever disclosing the key.
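To show what the handshake actually protects, and why a captured one is enough for a dictionary attack, here is an added example of the standard WPA2-Personal key derivation (IEEE 802.11i PBKDF2 and PRF), written for this report and not taken from the book. The SSID, passphrase and access point MAC are the ones used in this exercise; the client MAC and the two nonces are constructed. The proof of knowledge itself is a MIC over the handshake messages keyed with the KCK derived below; that step is not shown, only the derivation each side performs.

```python
import hashlib
import hmac

# Values from this exercise: the test network's SSID and passphrase, and the
# access point MAC used in the airodump-ng command.
SSID = "BI66ER"
PASSPHRASE = "robotboy1234"
AP_MAC = bytes.fromhex("A040A07CD277")
# Constructed for this example: a client MAC and the two handshake nonces.
STA_MAC = bytes.fromhex("0A1B2C3D4E5F")
ANONCE = bytes(range(32))            # sent in the clear by the AP in message 1
SNONCE = bytes(range(32, 64))        # sent in the clear by the client in message 2

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase with the SSID
    as salt, 4096 iterations, 256 bits. This is the slow, per-guess step that a
    dictionary attack repeats for every candidate word."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_80211(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to n_bytes."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes). Only the PMK is secret; the MACs
    and nonces are visible on the air, so both sides, and only parties holding
    the PMK, arrive at the same PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_80211(pmk, b"Pairwise key expansion", data, 48)

def split_ptk(ptk: bytes) -> dict:
    """KCK keys the handshake MIC, KEK wraps the group key, TK encrypts data frames."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def demo_handshake(ap_passphrase: str, sta_passphrase: str) -> dict:
    """Each end derives the PTK from its own passphrase plus the exchanged public
    values; 'agree' is True only when both hold the same passphrase."""
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ap_ptk": ap_ptk, "sta_ptk": sta_ptk, "agree": hmac.compare_digest(ap_ptk, sta_ptk)}

if __name__ == "__main__":
    ok = demo_handshake(PASSPHRASE, PASSPHRASE)
    bad = demo_handshake(PASSPHRASE, "robotboy1235")
    print("matching passphrases agree:", ok["agree"])        # True
    print("off-by-one passphrase agrees:", bad["agree"])     # False
    print("KCK:", split_ptk(ok["ap_ptk"])["KCK"].hex())
```

Everything in `derive_ptk` except the PMK is captured with the handshake, which is why the dictionary attack below needs nothing more than the .cap file: each guess costs one PBKDF2 run, and a passphrase that sits in a wordlist falls in seconds. The only parameter the network owner controls here is passphrase entropy, since the SSID salt merely prevents precomputed tables from being shared between networks.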

I start by configuring a monitor mode interface on my wireless card.

Once the monitor interface is up, I'll start scanning the network for a target. This is done with the command:

sudo airodump-ng <monitor-interface> (in this case wlan0mon)

The target network is the first one on the list and I'm glad to see that it's the only one on channel 12.

Next, I will try to capture the four-way handshake. Without it, I can't use the dictionary attack.
The command for this is:

sudo airodump-ng -c <channel> --bssid <network MAC address> -w <output file name>

-c states the channel to listen on

--bssid specifies the target MAC address, so you can target only a specific network.

-w specifies the name for the output file of the scan, like wpa2/target.

In my case the command is:

sudo airodump-ng -c 12 --bssid A0:40:A0:7C:D2:77 -w BI66ER_2.4

Once I hit enter, the packet capture starts.

This can take a looong time to give results. You need a client to connect to the network to capture the handshake. In this exercise I sped things up and connected to the network from another machine. Once this was done, the four-way handshake was captured.

Now I can try to carry out the dictionary attack. The capture resulted in an <output file>.cap file, in my case BI66ER_2.4.cap. To make this attack work, I'll need to use that file in the attack; it also specifies the network or networks that can be attacked.

The command for the attack is as follows:

sudo aircrack-ng <output file>.cap -w <wordlist>

In my case the command is:

sudo aircrack-ng BI66ER_2.4-01.cap -w best1050.txt

The results came quite quickly; it took only about 10 seconds to find the password.