
Presentation

Task 3.3

The screenshot illustrates the creation of a reverse TCP connection payload using the
msfvenom tool, which is a component of the Metasploit framework. The payload is
designed to establish a secure connection back to the attacker’s server, enabling the
attacker to execute commands remotely on the infected machine.

In the highlighted section, we see the command used to generate an executable file (.exe)
named "Group3.exe". This file is configured to connect back to the attacker's host on IP
"10.10.10.3" through port 443.

The output of the command ls -la shows various files in the directory, including the newly
created "Group3.exe". Its presence is confirmed along with details such as file size and
timestamp.

Task 3.4

This slide illustrates a more advanced technique used in cybersecurity, specifically within
penetration testing, to evade antivirus detection—this time focusing on the use of
encoders from the Metasploit framework.

1. *Command Overview*:
- The initial command msfvenom -l encoders displays a list of available encoders in
Metasploit. Encoders are used to transform payload data to make it unrecognizable by
antivirus systems like Windows Defender.

2. *Selecting an Encoder*:
encoder feedback, is chosen. This encoder is particularly effective because it generates a
unique version of the payload each time it is used, helping to bypass signature-based
detection systems.

3. *Generating the Encoded Payload*:


- The command in the third screenshot is used to generate an encoded version of the reverse
TCP payload. Here, the -i 200 option specifies that the encoding should be applied 200
times, enhancing evasion capabilities.

4. *Output*:
- The encoder successfully alters the payload multiple times, as shown by the different
sizes of the payload after each iteration. This process dramatically increases the
likelihood that the executable, now named "Group3-2.exe", will evade antivirus
detection.

5. *File Verification*:
- The ls -la command output confirms the presence of the newly created "Group3-2.exe"
in the directory, alongside other files.

Task 4.5

In this task we are looking at how to set up a listener for a reverse TCP payload using the
Metasploit Framework.

2. *Configuring the Listener*:


- *Command*: The user inputs use exploit/multi/handler, which tells Metasploit to use
a general-purpose handler for payloads.
- *Set Payload*: After that command, the payload setting configures the handler to listen
for a Windows Meterpreter session that will be created when the payload (malicious
software) on the target machine calls back to the attacker’s machine.
- *Set LHOST and LPORT*: The commands set LHOST 10.10.10.3 and set LPORT
443 specify the local host and port on which Metasploit will listen for incoming
connections from the compromised machine.

3. *Activating the Listener*:


- The command exploit initiates the listening service. Metasploit confirms that it has
started the reverse TCP handler on the specified IP and port, awaiting the incoming
connection from the target where the payload will execute.

Task 4.6

1. *Creating a Non-Admin User*:


The first picture shows the creation of a new standard (non-administrative) user account
named "Group3." Standard accounts are limited and cannot make significant changes that
affect other users or the security of the system, which is recommended for regular
activities.

2. *Downloading Malicious File*: The subsequent screenshots show an attempt to
download a file named "Group3.exe" from a Kali Linux machine (indicated by the IP
address in the browser's address bar).

3. The attempt to download the executable results in a virus detection alert by Windows
Defender, indicating that the file has been recognized as malicious. This illustrates the
antivirus system’s effectiveness in real-time threat detection and prevention, even when
actions are initiated by a standard user.

Task 4.7
In this task:
1. A non-admin user attempts to run an executable named "Group3.exe", which is
identified as a potentially harmful file. A Windows SmartScreen warning appears,
indicating that the file's safety cannot be verified due to an inability to reach the
SmartScreen service, presenting the user with options to either run or not run the file.

*Metasploit Configuration*: In the second screenshot, Metasploit's Multi Handler is
configured to listen for incoming connections from the reverse TCP payload. The payload
details shown (windows/meterpreter/reverse_tcp) specify that upon execution, the malware
will attempt to establish a connection back to the attacker’s specified IP (10.10.10.3)
and port (443).

4. *Successful Connection*: The final part of the image shows that despite the warning,
the executable was likely run, and a Meterpreter session was successfully opened. This
means the malware executed, bypassed the local defenses (partly because SmartScreen
could not be reached), and established a reverse TCP connection to the attacker's
machine, allowing remote control over the victim's computer.

Task 4.8
In this task:
1. The session begins with navigation commands (pwd and cd) to confirm the current
working directory on the victim's machine, which is located at the root of the C: drive.

3. *Result*: As a result of the execution, the command prompt window is successfully
launched on the target machine, allowing command line access directly from the
attacker’s Kali Linux system.

Task 4.9

1. In this task we navigate to the Desktop directory on the Windows VM.

- The systeminfo command is executed, redirecting its output to a file named
"systeminfo.txt" on the desktop. This command provides detailed information about the
system, including hardware and OS configurations.

After that, we verified the file creation by running the dir command, which lists the
contents of the Desktop directory, confirming the presence and size of the
"systeminfo.txt" file.
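
A defender's view of the chain in Tasks 4.7 to 4.9, as an added example that is not part of the original presentation: it correlates process-creation and network-connection events to flag a non-browser binary under a user profile that connects out and then spawns cmd.exe and systeminfo.exe. The event records, GUIDs, file paths and the browser allow-list are constructed assumptions; only the key names mirror Sysmon Event ID 1 and Event ID 3.

```python
from ntpath import basename  # parses Windows paths on any OS

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}  # assumed allow-list
FOLLOW_UP = {"cmd.exe", "systeminfo.exe"}  # tools the walkthrough runs next

# Constructed events; keys mirror Sysmon Event ID 1 (process creation) and
# Event ID 3 (network connection). Paths and GUIDs are made up for the example.
EVENTS = [
    {"id": 1, "guid": "A1", "parent": "P0",
     "image": r"C:\Users\Group3\Downloads\Group3.exe"},
    {"id": 3, "guid": "A1", "dst_ip": "10.10.10.3", "dst_port": 443},
    {"id": 1, "guid": "A2", "parent": "A1", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "guid": "A3", "parent": "A2",
     "image": r"C:\Windows\System32\systeminfo.exe"},
    {"id": 1, "guid": "B1", "parent": "P0",
     "image": r"C:\Users\Group3\AppData\Local\Google\Chrome\Application\chrome.exe"},
    {"id": 3, "guid": "B1", "dst_ip": "203.0.113.10", "dst_port": 443},
]


def find_suspect_chains(events):
    """Flag non-browser binaries under a user profile that open a network
    connection, and list follow-up tools found among their descendants."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    children = {}
    for p in procs.values():
        children.setdefault(p["parent"], []).append(p)
    findings = []
    for conn in (e for e in events if e["id"] == 3):
        proc = procs.get(conn["guid"])
        if proc is None:  # connection from a process we never saw start
            continue
        image = proc["image"]
        if "\\users\\" not in image.lower() or basename(image).lower() in BROWSERS:
            continue
        tools, stack = [], [proc["guid"]]
        while stack:  # walk the whole process tree below the suspect
            for child in children.get(stack.pop(), []):
                stack.append(child["guid"])
                if basename(child["image"]).lower() in FOLLOW_UP:
                    tools.append(basename(child["image"]).lower())
        findings.append({"image": image,
                         "dst": f'{conn["dst_ip"]}:{conn["dst_port"]}',
                         "follow_up": sorted(tools)})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_chains(EVENTS):
        print(finding)
```

Matching the allow-list on file name alone is a simplification; a production rule would key on the signer or hash of the image, since a file name is trivially chosen by whoever drops the binary.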

Task 4.11

The image showcases a process where files from the "Documents" folder of a Windows
10 system are being downloaded to a Kali Linux system using Meterpreter, a common
payload within the Metasploit framework for remote system access.

We navigate to the "Documents" directory using the command line (cd command), and then
list the contents using the dir command, revealing the files and folders present.

After that:
- The Meterpreter command download Documents is used to transfer the entire contents
of the "Documents" directory to the Kali Linux system.
- The output shows the progress of each file as it is downloaded. The specific files
mentioned are "Group3" and "Group3.txt".

Task 4.12

This task demonstrates the use of a keystroke logger implemented through Meterpreter.

1. *Keystroke Sniffer Activation*:


- The process begins in the Meterpreter shell with the command keyscan_start to
initiate keystroke logging on the Windows machine.
- After collecting enough data, the command keyscan_stop is issued to halt the
keystroke logging.

2. *Dumping Keystrokes*:
- The keyscan_dump command is then used to display the captured keystrokes. This
results in the output "HELLO THIS IS GROUP3", indicating the text that was typed
during the logging session.
After that:

4. *Downloading the Keystroke File*:
- "keystroke.txt" is downloaded to the Kali Linux system using the download command,
specifically targeting the file's location on the desktop of the Windows machine.

5. *Verification of Download*:
- The final part of the image shows the Kali Linux file system with the "keystroke.txt"
file successfully transferred.

Task 5.13

This task is basically about the use of Meterpreter to identify vulnerable services on a
Windows virtual machine (VM) using tools available on a Kali Linux system.

1. *Reverse TCP Handler*: establishes a connection with the target Windows VM.

After that:
- The command run post/multi/recon/local_exploit_suggester is executed. This Metasploit
module scans the compromised system to identify potential local vulnerabilities that
could be exploited further.
- The system collects data and checks for applicable vulnerabilities.

4. *Identified Vulnerable Service*:
- The output highlights that the system found a vulnerable service. The message
confirms that this particular exploit could be successfully used against the system.

Task 5.14
This Metasploit module is used to identify potential local exploits on a Windows machine.
This particular tool, known as the "local_exploit_suggester," checks the target system for
vulnerabilities that could potentially be exploited.

1. *List of Exploits*: The output shows a list of various exploits along with their status
regarding the target's vulnerability to each exploit.
There is
3. *Specific Exploits*: The top entry in the list is marked as "Yes" for potentially
vulnerable and "The target appears to be vulnerable".

Task 5.15

This task shows the execution of an exploit to elevate privileges on a compromised
Windows 10 system using the Metasploit framework.

1. *Exploit Selection and Configuration*:


- The highlighted command is designed to bypass User Account Control (UAC) to gain
elevated privileges without triggering a prompt.
- The necessary options are also set, including the payload, local host, port and the
session number to be elevated (SESSION 1).

2. *Exploit Execution*:
- The exploit is executed (run), and the process begins with the starting of a reverse
TCP handler on the specified local host and port.

- The exploit successfully bypasses UAC, as indicated by the text stating UAC is set to
Default and the confirmation of continuing under the assumption of being part of the
Administrators group.

3. *Result of Exploit*:
- After execution, the payload delivers a new Meterpreter session with elevated
privileges, evidenced by session 2 being opened.
- Commands like pwd (print working directory) show the session is operating from the
System32 directory, a location typically restricted to administrative users.
- The command sysinfo confirms the system details, including the architecture and
operating system version.
