Security Book Give Away: Intermediate Security Testing with Kali Linux 2

UPDATE 4/3 – The Contest is now over, and winners have been notified. Thank you everyone for your interest and support!

Want a chance to win a signed copy of “Intermediate Security Testing with Kali Linux 2”?

This almost 500 page hands-on, step-by-step tutorial style book doesn’t dwell on the theory of security, but instead walks you through implementing and using the latest security tools and techniques using the most popular computer security testing platform, Kali Linux:

Book Cover proof

My third book, “Basic Security Testing with Kali Linux 2” a total update of my hugely popular “Basic Security Testing” book, has just been published! To celebrate I am giving away four signed copies of my second book, “Intermediate Security Testing with Kali Linux 2”.

Simply share a link to this article on your favorite social media site. Then place a copy of the link in the comments field below. Winners will be chosen at random in two weeks (April 1st) from links in the comments section.

Advertisements

Using Problem Steps Recorder (PSR) Remotely with Metasploit

Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.

Introduction

Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.

When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.

I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:

PSR Metasploit 1

Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).

To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.

A small user interface opens up:

PSR Metasploit 2

Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.

PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :

psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]

/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.

Using PSR remotely with Metasploit

Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:

  • psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
  • Start-Sleep -s 20;
  • psr.exe /stop;

The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.

The script waits 20 seconds and then stops recording.

I then encoded the command and ran it in a command shell:

PSR Metasploit 3
After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:

PSR Metasploit 4
This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:

PSR Metasploit 5
And at the bottom was the step by step text log:

PSR Metasploit 6
I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.

Defending against this attack

Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.

The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.

If you want to learn more about computer security testing using Metasploit and Kali Linux, check out my latest book, “Intermediate Computer Security Testing with Kali Linux 2”.

Don’t Trust your Router “Update” Feature

With all the news of router exploits and compromised units being used by hacker groups for attacks, make sure you include installing router firmware updates as part of your scheduled maintenance routine. Just don’t trust the built in “Update” feature…

One top name router I was working with yesterday needed updating. I went into the router admin screen and dutifully checked the “Check for Update” button. Good news – the router checked the manufacturer’s site and was using the latest firmware!

But it wasn’t…

I knew the manufacturer had just released a new critical firmware update. Doing a manual check on the support site verified my suspicion – the currently installed version was several months and several revisions old! If I believed that the router was using the current one, it would have remained vulnerable!

Sometimes router updates are not set as the latest version on the manufacturer’s update server. Check your firewall/routers/ Wi-Fi devices manually and make sure they are using the latest and greatest firmware. Also, never leave default credentials set on these devices, especially internet facing ones – use long complex passwords.

 

Installing Veil Framework on Kali Linux

I have been notified that they are problems installing Veil Framework (AV bypass) in Kali using the apt-get install command. From the creator’s website it looks like the recommended install is to now clone Veil from the Github repository and then run the included setup routine.

Instructions can be found at the Veil Framework updates page, but I will include a tutorial here.

For advanced users:

$ git clone https://github.com/Veil-Framework/Veil-Evasion.git
$ cd Veil-Evasion/setup/
$ ./setup.sh

Then just follow through the install, taking the defaults.

Step-by-Step Guide

From a Kali terminal prompt type, “git clone https://github.com/Veil-Framework/Veil-Evasion.git. This will clone Veil into the “Veil-Evasion” directory. When done change to the “Veil-Evasion/setup” directory and run “./setup.sh”:

Veil 1

Type, “Y” when prompted to continue with install, then sit back and relax, as the next part can take a while.

At the Python setup screen just click, “Next”:

Veil 2

At the Select Destination Directory screen, leave the default destination and click “Next”, then click “Yes” when prompted to overwrite existing Python files:

Veil 3

Continue through Python install leaving default settings, click “Finish” when done.

The install then begins the pywin32 setup.

At the main pywin32 setup screen, press “Next” to continue:

Veil 4

Leave default values on the Python directory location screen and click “next”, then “next” again, and “finish” to complete install.

The install then begins the pycrypto setup.

At the main pycrypto setup screen, press “Next” to continue:

Veil 5

Again leave the Python information that is populated by default and click “Next”, “next” again and then “Finish” when done.

Setup will then complete. And that is it; we are now ready to run Veil!

Running Veil Evasion

From the Veil-Evasion directory, run “./Veil-Evasion.py”, and you will see the main Veil Screen:

Veil 6

And there you go, you are now all set to use Veil Evasion on Kali Linux!

(** Note: My book, Basic Security Testing with Kali Linux which includes a tutorial on using Veil Evasion, is in the process of being updated to reflect the install tutorial changes.)