Metasploitation part-1 (murtuja)
Description: Slightly NSFW, be careful
Transcript
![Page 1: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/1.jpg)
Metasploitation 4 Adults: it’s not a family affair…
Murtuja Bharmal
![Page 2: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/2.jpg)
Disclaimer
Courtesy http://entertainment.desktopnexus.com_get_46421
![Page 3: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/3.jpg)
About Me
• Now a busy working man….
• Unemployed….
• Interests…. /dev/random….
• Co-founder of null…. :-D
• Ex-IBMer…..
• Making a living (dal-roti ka jugad): Security Consulting/Training
![Page 4: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/4.jpg)
Agenda
Courtesy http://asonchua.com
![Page 5: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/5.jpg)
Agenda
• Basics
• Metasploit Auxiliary
• Database Integration & Exploit Automation
• Client Side Exploit & Extended Usage
• Post Exploitation Fun
• Metasploit Add-ons
![Page 6: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/6.jpg)
Basics
• What is vulnerability?
• What is Exploit?
• What is Payload?
• What is encoder?
![Page 7: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/7.jpg)
Vulnerability
Courtesy http://harryjerry.com
![Page 8: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/8.jpg)
Exploit
Courtesy http://entertainment.in.msn.com
![Page 9: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/9.jpg)
Payload
• Use your imagination
![Page 10: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/10.jpg)
Encoder
• Still Thinking? Ask me offline
![Page 11: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/11.jpg)
Basics
• Vulnerability – Opportunity Window
• Exploit – En-cashing Opportunity
• Payload – En-cashment Window
• Encoder – Masking
![Page 12: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/12.jpg)
How it works?
• Feed malicious code where the program expects data
• Malicious code = Exploit code + Payload
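The slide only states the formula "exploit code + payload". The following is an added example, not code from the talk or from the Metasploit project, showing what that formula looks like in bytes for a classic stack overflow: a cyclic pattern is sent first to learn how many bytes sit between the start of the input and the saved return address (the idea behind Metasploit's pattern_create/pattern_offset tools, reimplemented here), and the final input is then padding + return address + NOP sled + payload. The return address and payload bytes are placeholders chosen for the example.

```ruby
# Added example (not from the slides): laying out "exploit code + payload".
# Reimplements the cyclic-pattern trick behind Metasploit's pattern_create /
# pattern_offset tools, then assembles the malicious input.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Cyclic pattern "Aa0Aa1Aa2..." of the requested length. Every 4-byte window
# is unique within the first 20280 bytes, so the value that lands in the
# instruction pointer after a crash tells us the offset of the return address.
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Given the 4 bytes observed in EIP (as a string, or as the little-endian
# dword a debugger shows), return their offset into the pattern, or nil.
def pattern_offset(needle, length = 20280)
  needle = [needle].pack('V') if needle.is_a?(Integer)
  pattern_create(length).index(needle)
end

# The final malicious input: junk up to the saved return address, the
# address of a trampoline (e.g. a "jmp esp" gadget), a NOP sled, then the
# payload; optionally padded to a fixed total size.
def build_exploit_buffer(offset:, ret_addr:, payload:, nops: 16, total: nil)
  buf = ('A' * offset).b                 # junk that overwrites the stack frame
  buf << [ret_addr].pack('V')            # saved return address, little-endian
  buf << ("\x90" * nops).b               # NOP sled so the landing need not be exact
  buf << payload.b                       # the payload itself (placeholder bytes here)
  buf << ('C' * (total - buf.bytesize)).b if total && total > buf.bytesize
  buf
end

if __FILE__ == $PROGRAM_NAME
  # Pretend the crash showed 0x41326141 in EIP after sending pattern_create(64).
  off = pattern_offset(0x41326141)
  buf = build_exploit_buffer(offset: off, ret_addr: 0xdeadbeef,
                             payload: ("\xcc" * 4).b, total: 64)
  puts "offset=#{off} buffer=#{buf.unpack1('H*')}"
end
```

The offset step is what separates an exploit from a random crash: the exploit code is everything that gets the payload executed, and the payload is the only part a tester swaps out (shell, Meterpreter, add-user, and so on).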
![Page 13: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/13.jpg)
Payload + Exploit
Courtesy http://ivillage.com, http://guardian.co.uk
(Image sanitized: you should be at ClubHACK)
![Page 14: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/14.jpg)
Exploit Code
(Four-panel image) Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com
![Page 15: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/15.jpg)
Metasploit Framework
• Open Source
• Developed in Ruby
• Easy to Use
• 600+ Exploits
• 200+ payloads
• 25+ encoders
• 300+ auxiliary
![Page 16: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/16.jpg)
Metasploit Auxiliary
Courtesy http://www.flickr.com
![Page 17: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/17.jpg)
Metasploit Architecture
Courtesy http://www.offensive-security.com
![Page 18: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/18.jpg)
Directory Structure
![Page 19: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/19.jpg)
Filesystem And Libraries
• lib: the 'meat' of the framework code base
• data: editable files used by Metasploit
• tools: various useful command-line utilities
• modules: the actual MSF modules
• plugins: plugins that can be loaded at run-time
• scripts: Meterpreter and other scripts
• external: source code and third-party libraries
Courtesy http://www.offensive-security.com/metasploit-unleashed
![Page 20: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/20.jpg)
msfconsole
![Page 21: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/21.jpg)
msfconsole
• It is the only supported way to access most of the features within Metasploit
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tab completion and command completion
• External commands (e.g. ping, nmap) can be executed from inside msfconsole
Courtesy http://www.offensive-security.com/metasploit-unleashed
![Page 22: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/22.jpg)
![Page 23: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/23.jpg)
Exploit Modules
Confused how to explain technically?
Courtesy http://www.sunpacmortgage.com
![Page 24: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/24.jpg)
Metasploit – Exploit & Payloads
• Exploit
  – Active
  – Passive
• Payload Types
  – Inline (Non-Staged)
  – Staged
  – Meterpreter
  – PassiveX
  – NoNX
  – Ord
  – IPv6
  – Reflective DLL injection
![Page 25: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/25.jpg)
Exploit DEMO
![Page 26: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/26.jpg)
Metasploit Auxiliary
• Helper modules for the pre-exploitation phase
  – Admin, DoS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.
• 300+ Auxiliary modules
![Page 27: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/27.jpg)
We will cover
• SCANNER
• MSSQL
• SNMP
• FTP
![Page 28: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/28.jpg)
Auxiliary Demo
![Page 29: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/29.jpg)
Database Integration and Exploit Automation
![Page 30: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/30.jpg)
Data
Courtesy http://www.joy2day.com
![Page 31: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/31.jpg)
Need of Database
(Image sanitized: you should be at ClubHACK)
![Page 32: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/32.jpg)
Need of Database
• Network Penetration Testing
• Easy management/storage of result
• Report Generation
![Page 33: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/33.jpg)
Database Integration& Exploit Automation
• Database Support
• Nmap
• Nessus Bridge
![Page 34: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/34.jpg)
Supported Database
• MySQL – on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"
• PostgreSQL
• SQLite3 – file-based database, may be dropped in future
![Page 35: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/35.jpg)
![Page 36: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/36.jpg)
Nmap
• The db_nmap command scans a host/network
• Results are stored in the database
• View the results with the db_hosts and db_services commands
![Page 37: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/37.jpg)
NMAP Demo
![Page 38: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/38.jpg)
Nessus Bridge
• Vulnerability scans can be run from inside msfconsole
• Supported through the Nessus bridge plugin
• Uses XML-RPC to connect to nessusd
![Page 39: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/39.jpg)
![Page 40: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/40.jpg)
![Page 41: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/41.jpg)
Nessus Bridge Demo
![Page 42: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/42.jpg)
At a fingertip
• db_autopwn
  – Automates the exploitation process
  – Takes target/service/vulnerability info from the database
  – Spawns a Meterpreter shell on success
  – Noisy
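The Nmap and db_autopwn slides above describe the same data path: a scan report goes into the database as hosts and services, db_hosts/db_services query it, and db_autopwn (in its port-matching mode) picks exploit modules whose default port matches an open service. As an added example that is not the framework's own importer or autopwn code, the block below parses a constructed Nmap XML report into host and service records, answers a db_services-style query, and performs the port-based matching against a small hand-written module-to-port table (the module names are real Metasploit modules, but the table itself is an assumption for the example, not the framework's index).

```ruby
# Added example (not from the slides): what db_nmap / db_import do with an
# Nmap XML report, and the port-based matching behind "db_autopwn -p".
require 'rexml/document'

# Constructed sample report (RFC 5737 test addresses), not a real scan.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap">
    <host>
      <status state="up"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <hostnames><hostname name="web01.example"/></hostnames>
      <ports>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.0.2.20" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      </ports>
    </host>
  </nmaprun>
XML

Host    = Struct.new(:address, :name, :state)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# Equivalent of db_import for Nmap XML: one Host per <host>, one Service per <port>.
def db_import_nmap(xml)
  doc = REXML::Document.new(xml)
  hosts, services = [], []
  doc.elements.each('nmaprun/host') do |h|
    a = h.elements['address[@addrtype="ipv4"]']
    next unless a
    addr  = a.attributes['addr']
    name  = h.elements['hostnames/hostname']&.attributes&.[]('name')
    state = h.elements['status']&.attributes&.[]('state')
    hosts << Host.new(addr, name, state)
    h.elements.each('ports/port') do |p|
      svc = p.elements['service']
      services << Service.new(addr,
                              p.attributes['portid'].to_i,
                              p.attributes['protocol'],
                              p.elements['state'].attributes['state'],
                              svc&.attributes&.[]('name'),
                              svc&.attributes&.[]('product'))
    end
  end
  [hosts, services]
end

# db_services-style query: open services only, optionally restricted to ports.
def db_services(services, ports: nil, state: 'open')
  services.select { |s| s.state == state && (ports.nil? || ports.include?(s.port)) }
end

# Hand-written module => default RPORT table (assumption for this example).
EXPLOIT_INDEX = {
  'exploit/windows/smb/ms08_067_netapi'      => 445,
  'exploit/windows/mssql/mssql_payload'      => 1433,
  'exploit/multi/http/php_cgi_arg_injection' => 80,
  'exploit/unix/ftp/vsftpd_234_backdoor'     => 21,
}.freeze

# Port-based matching as db_autopwn -p did: every module whose default port
# is open on a host becomes a candidate, regardless of version or OS. That
# blind matching is what made it noisy.
def autopwn_candidates(services, index = EXPLOIT_INDEX)
  open_by_port = db_services(services).group_by(&:port)
  index.flat_map do |mod, port|
    (open_by_port[port] || []).map { |s| [mod, s.host, s.port] }
  end
end

if __FILE__ == $PROGRAM_NAME
  hosts, services = db_import_nmap(SAMPLE_NMAP_XML)
  puts "hosts: #{hosts.map(&:address).join(', ')}"
  db_services(services).each { |s| puts "#{s.host}:#{s.port}/#{s.proto} #{s.name} #{s.info}" }
  autopwn_candidates(services).each { |mod, host, port| puts "would try #{mod} against #{host}:#{port}" }
end
```

Note that the filtered port 445 does not produce an ms08_067 candidate: only services the scan reported as open are matched, which is the one filter the port mode applied.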
![Page 43: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/43.jpg)
![Page 44: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/44.jpg)
db_autopwn Demo
![Page 45: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/45.jpg)
Client Side Exploit & Extended Usage
![Page 46: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/46.jpg)
Client Side Exploit
![Page 47: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/47.jpg)
Client Side Exploit & Extended Usage
• Browser autopwn
• Exploiting PDF
• Payload Generation & Back-dooring EXE
• Linux Backdoor
![Page 48: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/48.jpg)
Browser autopwn
• Automate browser based vulnerability exploitation
• Perform browser finger printing
• Auxiliary module server/browser_autopwn
![Page 49: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/49.jpg)
Browser autopwn Demo
![Page 50: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/50.jpg)
Exploiting PDF
• The most exploited software of the last two years
• Universally used document format
• Favourite carrier for commercial malware toolkits
![Page 51: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/51.jpg)
What all PDF do?
• JavaScript that runs in the context of the Acrobat application object model
• File Attachment
• XML, SOAP capabilities
• Forms
• Web Services
• Database connections(ADBC)
![Page 52: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/52.jpg)
What’s cracking up?
• Vulnerable APIs
  – util.printf() (CVE-2008-2992)
  – getIcons() (CVE-2009-0927)
  – getAnnots() (CVE-2009-1492)
  – customDictionaryOpen() (CVE-2009-1493)
  – Doc.media.newPlayer (CVE-2009-4324)
• File parsing vulnerabilities
  – JBIG2 (over a dozen CVEs)
  – libTIFF (CVE-2010-0188)
• Social-engineered arbitrary command execution
  – PDF escape by Didier Stevens
  – Not a bug (feature)
  – Exploited in the wild
• Embedded files
  – libTIFF (CVE-2010-0188)
![Page 53: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/53.jpg)
PDF exploitation Demo
![Page 54: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/54.jpg)
Payload Generation and BackdooringEXE
• A payload can be written out in various formats, e.g. exe, dll, JavaScript
• Encode the payload to evade antivirus
• It can be embedded in third-party software/utilities
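"Encode the payload to evade antivirus" hides a concrete mechanism: an encoder transforms the payload bytes so that they no longer contain the byte values the exploit cannot deliver (the "bad characters", such as NUL in a string-copy overflow) and no longer match a signature verbatim, and a small decoder stub restores them at run time. The block below is an added example, not msfencode or any Metasploit encoder module: it implements the key search and transform of a single-byte XOR encoder over a constructed stand-in payload (the bytes are filler, not shellcode), and it does not prepend the x86 decoder stub a real encoder would.

```ruby
# Added example (not from the slides): the core of an msfencode-style
# single-byte XOR encoder with bad-character avoidance.

# Constructed stand-in for a payload; deliberately contains NUL, LF and CR.
RAW_PAYLOAD = "\x31\xc0\x50\x68\x00\x0a\x0d\x2f\x62\x69\x6e\x2f\x73\x68".b

def xor_encode(data, key)
  data.bytes.map { |b| b ^ key }.pack('C*')
end

# XOR is its own inverse; this is what the decoder stub does at run time.
def xor_decode(data, key)
  xor_encode(data, key)
end

# Search the key space for a key such that (a) the key itself is not a bad
# char, since the decoder stub has to carry it, and (b) no encoded byte is
# a bad char. Returns nil when no single-byte key works, which is when a
# real encoder falls back to a multi-byte or different scheme.
def find_xor_key(data, badchars, keys = (1..255))
  bad = badchars.bytes
  keys.find do |k|
    !bad.include?(k) && xor_encode(data, k).bytes.none? { |b| bad.include?(b) }
  end
end

def encode_payload(data, badchars:)
  key = find_xor_key(data, badchars)
  raise ArgumentError, 'no single-byte XOR key avoids the bad chars' unless key
  { key: key, encoded: xor_encode(data, key) }
end

if __FILE__ == $PROGRAM_NAME
  res = encode_payload(RAW_PAYLOAD, badchars: "\x00\x0a\x0d".b)
  puts "key=0x#{res[:key].to_s(16)} encoded=#{res[:encoded].unpack1('H*')}"
  puts "roundtrip ok" if xor_decode(res[:encoded], res[:key]) == RAW_PAYLOAD
end
```

The evasion effect is incidental to the bad-character job: the encoded bytes differ from the known payload, but the decoder stub itself is constant per encoder and is exactly what antivirus signatures moved on to, which is why encoding alone stopped being enough.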
![Page 55: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/55.jpg)
msfpayload & msfencode
![Page 56: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/56.jpg)
Linux Backdoor
• Backdooring a Linux package with a payload
• Embed the payload in a .deb installation package
![Page 57: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/57.jpg)
Linux Backdooring Demo
![Page 58: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/58.jpg)
Metasploit Add-ons
![Page 59: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/59.jpg)
Metasploit Add-ons
Courtesy http://draftblogmm.blogspot.com
![Page 60: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/60.jpg)
Fast-Track
• Easy automation
• Uses the Metasploit Framework on the back end
• Modes
  – Interactive
  – Web interface
![Page 61: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/61.jpg)
Fast-Track Demo
![Page 62: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/62.jpg)
SET(Social Engineering Toolkit)
• The weakest link in the information security chain is the natural human willingness to accept someone at their word
• SET focuses on attacking the human element
• Developed in Python
• Very easy to use
• Uses the Metasploit Framework on the back end
![Page 63: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/63.jpg)
SET(Social Engineering Toolkit)
• Operational Mode
– Interactive
– Web Interface
• Configuration file - config/set_config
![Page 64: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/64.jpg)
SET Demo
![Page 65: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/65.jpg)
Post Exploitation Fun
![Page 66: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/66.jpg)
Post Exploitation Fun
![Page 67: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/67.jpg)
What next after getting a Shell?
• One can run whatever commands the command prompt/shell supports
• So what extra control is needed to en-cash the opportunity?
![Page 68: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/68.jpg)
Meterpreter
• Meta-Interpreter
• Post-exploitation payload (tool)
• Uses in-memory DLL injection stagers
• Can be extended at run time
• Encrypted communication
![Page 69: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/69.jpg)
What can be done?
• Command execution
• File upload/download
• Process migration
• Privilege escalation
• Registry modification
• Deleting logs and killing antivirus
• Backdoors and rootkits
• Pivoting
• …etc.
![Page 70: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/70.jpg)
Demo Meterpreter
![Page 71: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/71.jpg)
Channels
• Communication uses TLV (Type-Length-Value) encoding
• Data is tagged with a channel number
• Multiple programs can run on the victim machine, each over a different channel
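To make the three bullets concrete, the block below is an added example, not Meterpreter's own packet code: it implements a minimal TLV codec with the header layout Meterpreter uses (a 4-byte big-endian length that includes the 8-byte header, a 4-byte big-endian type, then the value), tags each write with a channel-id TLV, and demultiplexes a stream of such packets into per-channel buffers. The meta-type bit layout and the numbers 50/51 for the channel TLVs follow Meterpreter's scheme as this example assumes it; treat the exact constants as an assumption and check them against lib/rex/post/meterpreter/packet.rb before relying on them.

```ruby
# Added example (not from the slides): minimal Meterpreter-style TLV framing
# and channel tagging. Constants are assumptions modelled on Meterpreter's
# meta-type scheme (high bits = value type, low bits = meaning).
TLV_META_TYPE_UINT    = 1 << 17
TLV_META_TYPE_RAW     = 1 << 18
TLV_TYPE_CHANNEL_ID   = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW  | 51

# length(4, big-endian, includes header) + type(4, big-endian) + value
def tlv_encode(type, value)
  body = (type & TLV_META_TYPE_UINT) != 0 ? [value].pack('N') : value.b
  [body.bytesize + 8, type].pack('NN') + body
end

# Walk a buffer of back-to-back TLVs and return [[type, value], ...].
# Truncated or oversized lengths raise instead of reading past the end;
# a decoder that trusts the length field is a classic remote-parser bug.
def tlv_decode(buf)
  out, pos = [], 0
  while pos < buf.bytesize
    raise ArgumentError, 'truncated TLV header' if buf.bytesize - pos < 8
    len, type = buf.byteslice(pos, 8).unpack('NN')
    raise ArgumentError, 'bad TLV length' if len < 8 || pos + len > buf.bytesize
    body  = buf.byteslice(pos + 8, len - 8)
    value = (type & TLV_META_TYPE_UINT) != 0 ? body.unpack1('N') : body
    out << [type, value]
    pos += len
  end
  out
end

# One channel write: the data is tagged with its channel number so the other
# side knows which program (shell, file transfer, ...) it belongs to.
def channel_packet(channel_id, data)
  tlv_encode(TLV_TYPE_CHANNEL_ID, channel_id) + tlv_encode(TLV_TYPE_CHANNEL_DATA, data)
end

# Demultiplex a sequence of packets sharing one transport into per-channel buffers.
def demux(packets)
  channels = Hash.new { |h, k| h[k] = ''.b }
  packets.each do |pkt|
    tlvs = tlv_decode(pkt).to_h
    channels[tlvs[TLV_TYPE_CHANNEL_ID]] << tlvs[TLV_TYPE_CHANNEL_DATA]
  end
  channels
end

if __FILE__ == $PROGRAM_NAME
  stream = [channel_packet(1, "id\n"), channel_packet(2, "GET / "), channel_packet(1, "ls\n")]
  demux(stream).each { |id, data| puts "channel #{id}: #{data.inspect}" }
end
```

Only the framing is shown; the real protocol also wraps the TLVs in a packet header, uses more TLV types, and (as the Meterpreter slide says) encrypts the transport, so the bytes on the wire are not inspectable like this.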
![Page 72: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/72.jpg)
Pivoting (network diagram): attacker on the Internet, through the Firewall/IPS, into the DMZ (Web Server), then into the LAN (Database Server); hops numbered 1 to 4.
![Page 73: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/73.jpg)
Demo Pivoting
![Page 74: Metasploitation part-1 (murtuja)](https://reader033.vdocuments.us/reader033/viewer/2022060110/5559ff52d8b42ad00a8b4db8/html5/thumbnails/74.jpg)
Courtesy
• http://www.metasploit.com/
• http://www.backtrack-linux.org
• http://www.offensive-security.com/metasploit-unleashed/
• http://www.secmaniac.com/
• http://securitytube.net/
• http://vimeo.com/
• http://www.irongeek.com/
• http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html
• http://www.google.co.in