EXERCISES
- The tool ss is a Linux tool comparable to netstat. Test out the tool and the effect of the options -l (listening sockets), -a (all sockets), -p (the process owning each socket), -e (extended information), -i (internal TCP information), -t (TCP) and -u (UDP).
- Run one or more of the Sysinternals tools directly from the network share \\live.sysinternals.com\tools.
- Use the Sysinternals tool pslist from the command line to list the running processes, and use pskill to kill a process.
- Compare and contrast TCPLogView http://www.nirsoft.net/utils/tcp_log_view.html with Sysinternals TCPView.
- Wireshark itself can be the target of an attack. Install Wireshark 1.4.4 on a Windows system, and use the Metasploit module exploit/windows/misc/wireshark_packet_dect to gain a shell on the target.
- Install the Microsoft Network Monitor, available from http://www.microsoft.com/en-us/download/details.aspx?id=4865. Use it to capture packets during a Metasploit attack against a browser using the reverse HTTPS Meterpreter payload. Can you identify the Meterpreter traffic in the packet capture?
- (Advanced) The command
msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -t dll -o test.dll
creates raw (R) shellcode for a Windows shell that binds to port 4444 on the system where it runs. The shellcode is piped to an encoder that wraps it in a .dll and stores the result in the output file test.dll. Copy test.dll to a Windows system and run it with rundll32.exe:
C:\> rundll32.exe test.dll,1
Connect to the listening shell by configuring exploit/multi/handler with the payload windows/shell_bind_tcp, the target's address, and port 4444. Although test.dll is nothing but shellcode, notice that Process Explorer reports the running process as signed (the host process is Microsoft's own rundll32.exe; the unsigned DLL is only a module loaded inside it), and VirusTotal does not flag it as suspicious.
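The following PowerShell script is an added example for this exercise, not code from the book: it shows the check a defender would run on the target to see past the signed host process. Process Explorer's verified-signer column describes the process image (rundll32.exe), so the script instead walks every module loaded into each rundll32.exe process, reports those without a valid Authenticode signature, and lists any listening TCP sockets the process owns. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) whose bitness matches the rundll32.exe being inspected; the DLL name test.dll and port 4444 come from the exercise above.

```powershell
# Added example (not from the book). Inspect every rundll32.exe process on this host:
#  - the signature status of the process image (what Process Explorer verifies),
#  - every loaded module whose Authenticode signature is not Valid,
#  - any listening TCP sockets owned by the process (rundll32.exe normally has none).
# Assumes an elevated session whose bitness matches the inspected process.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $cmd = $_.CommandLine
    $p = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return }          # process exited between the two calls
    Write-Host "PID $($p.Id)  $cmd"

    # The image itself is Microsoft-signed; this is the status Process Explorer shows.
    $image = Get-AuthenticodeSignature -FilePath $p.Path
    Write-Host "  image: $($p.Path) -> $($image.Status)"

    # Reading Modules fails on a bitness mismatch or without sufficient rights.
    try { $mods = $p.Modules }
    catch { Write-Warning "  cannot read modules of PID $($p.Id): $_"; return }

    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($null -eq $sig -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                PID    = $p.Id
                Module = $m.FileName
                Status = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }

    # A bind shell shows up here as a LISTEN socket (port 4444 in the exercise).
    Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  listening: $($_.LocalAddress):$($_.LocalPort)" }
}
```

With the exercise's test.dll loaded, the rundll32.exe process whose command line names test.dll appears with the image reported as Valid, a module entry for test.dll with Status NotSigned, and a LISTEN socket on port 4444. Unsigned third-party modules are common on real hosts, so treat the module list as a triage list to cross-check against TCPView and Process Explorer rather than as a verdict on its own.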
From Cyber Operations: Building, Defending, and Attacking Modern Computer Networks