DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole Presentation Transcript

  • 1. Who Is This Ugly Dude In Front of Me? Kizz MyAnthia Senior Penetration Tester HP Fortify – ShadowLabs @Kizz_My_Anthia www.KizzMyAnthia.com
  • 2. Who Is This Ugly Dude In Front of Me? • Background: • Penetration Tester for 13 years • Network Engineer for 15 years • In IT for 18 years • Regulatory Technology Tester for 5 years • Specializes in mobile technologies and communications • Social Engineering • Physical Security
  • 3. • Introduction • PWN Bones • Metasploit Framework Parts • Metasploit for Web PenTesting • Direct Exploits • Browser Exploits • HeySexxyLady.pwnme • Client-side Attacks • Wrap Up
  • 4. PWN Bones
  • 5. The PWN Bone is connected to the ‘sploit bone • Metasploit is a Framework built like a skeletal structure • Each part builds on the others • Exploit • Payload • Shellcode • Modules • Listeners • Auxiliary Modules • Plugins • Utilities
  • 6. PWN Bones • Exploit • The means by which an attacker, or pen tester, takes advantage of a flaw within a system, application, or service. • Common exploits include: • Buffer Overflows • SQL Injections • Configuration Errors
  • 7. PWN Bones • Payload • Code that is executed within an exploit • These are selected and delivered by the Metasploit Framework • Reverse Shell • The payload creates a connection from the target machine back to the attacker • Bind Shell • “Binds” a command prompt to a listening port on the target machine that the attacker can connect to
  • 8. PWN Bones • Shellcode • A set of instructions used as a payload when exploitation occurs
  • 9. PWN Bones • Modules • Where Metasploit is concerned, Modules are the pieces of software used by the framework to perform a specific task • Exploit Modules • Auxiliary Modules
  • 10. PWN Bones • Listeners • A Metasploit Framework component • Waits for incoming connections or Reverse Payloads • Handles the remote connection
  • 11. PWN Bones • Auxiliary Modules • Reconnaissance • Brute-force • Fuzzers • Custom
  • 12. PWN Bones • Plugins • Applications that leverage the Metasploit Framework for exploitation • SET • Social Engineers Toolkit • WMAP • Web Application Scanner • Fast-track • Open source Python based tool to help perform advanced penetration testing techniques
  • 13. PWN Bones • Utilities • MSFPayload • MSFEncode • MSFVenom
  • 14. PWN Bones – WMAP • WMAP • Web Application “Scanner” • Focuses on utilizing the MSF Web Scanning & Data Collection Modules • Not a “Real” scanner
  • 15. PWN Bones - SET • SET – Social Engineers Toolkit – Social-Engineer.org • Conceived by Chris Hadnagy (loganWHD) • Written by David Kennedy • Used to perform attacks against human weaknesses exploiting curiosity, credibility, avarice and human stupidity
  • 16. Metasploit For Web PenTesting
  • 17. Metasploit For Web PenTesting • Direct Exploits • Host/Server Exploits • Service Exploits • “Feature” Exploits • Browser Exploits • MS10-002 “Aurora” • Tab Nabbing • Browser AutoPWN
  • 18. Metasploit For Web PenTesting • Direct Exploits • will exploit a specific host, run until completion, and then exit
  • 19. Metasploit For Web PenTesting • Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc. • They can also be used in conjunction with email exploits, waiting for connections. • Passive exploits report shells as they happen; these can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.
  • 20. Metasploit For Web PenTesting • So how does this help me? • This sounds cool, but you're full of shit….. Metasploit only works on NetPen tests
  • 21. Metasploit For Web PenTesting
  • 22. Metasploit For Web PenTesting • MSFPayload • a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
  • 23. Metasploit For Web PenTesting
  • 24. Metasploit For Web PenTesting
  • 25. Metasploit For Web PenTesting • Start the Metasploit Listener • Use exploit/multi/handler
  • 26. Metasploit For Web PenTesting
  • 27. Metasploit For Web PenTesting
  • 28. OSINT – Information Gathering
  • 29. OSINT – Information Gathering • Information Gathering or Intelligence Gathering • Create a plan of attack • Gain an in-depth knowledge of the target • Record information for later use
  • 30. OSINT – Information Gathering • Metasploit & Nmap • Uses Metasploit DB Connection • Stores Target information • Ports • Version • Banners • Scan Details
  • 31. OSINT – Information Gathering • We need to create a Metasploit Framework DB and DB Connection • First we need to start the DB • service postgresql start
  • 32. OSINT – Information Gathering • Launch MSFConsole and Connect to the DB • msfconsole
  • 33. OSINT – Information Gathering • Connect to newly created DB • db_connect msfdev1:Password1@localhost:5432/msfdev2
  • 34. OSINT – Information Gathering • Closer than Bert and Ernie • Metasploit Framework and Nmap
  • 35. OSINT – Information Gathering • Calling Nmap from Metasploit Framework • nmap -PN -vvv ….. • Nmap can be called from within MSF and run natively • db_nmap -PN -vvv ….. • db_nmap will store the returned Nmap data to the MSF DB for use later
  • 36. OSINT – Information Gathering • Metasploit Framework has many other Information Gathering Auxiliary Modules available • SMB scanning • SQL scanning • SSH scanning • FTP scanning • SNMP scanning
  • 37. HeySexxyLady.pwnme
  • 38. HeySexxyLady.pwnme • Metasploit Client-side Attacks • Browser Attacks • Buffer Overflow • Code Injection • Heap Spraying
  • 39. HeySexxyLady.pwnme • Browser Based Exploits • Heap Spraying • “Heap” • A region of memory that the application allocates from dynamically, as needed, for the duration of the program’s runtime • NOP • No-Operation Instructions • Assembly Instruction to do Nothing until the next instruction • NOP Slide • Multiple NOP instructions in succession
  • 40. HeySexxyLady.pwnme • NOP Slide
  • 41. HeySexxyLady.pwnme • Create Payload • msfpayload windows/shell/bind_tcp LPORT=443 C
  • 42. HeySexxyLady.pwnme • Copy the “Stage 1” Binary code
  • 43. HeySexxyLady.pwnme • Copy & Edit the Binary Payload • Remove all unneeded characters • the quotes (") • the \x escape prefixes • Add “90”s to create the NOP Slide
  • 44. HeySexxyLady.pwnme • Load IE In Immunity Debugger
  • 45. HeySexxyLady.pwnme • Paste the Binary Payload Into the Debugger
  • 46. HeySexxyLady.pwnme • When Internet Explorer is run within Immunity Debugger the code will be executed
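The NOP slide the slides build by hand (a long run of 0x90 in front of the stage) is also the pattern that IDS signatures and memory inspection look for. The following is an added example, not code from the talk or from Metasploit: it parses the C-array form that `msfpayload ... C` emits back into bytes (the same "drop the quotes and \x" step as above) and then scans a buffer for runs of 0x90 long enough to be a slide. The sample array is constructed for the example and is not shellcode.

```python
"""Parse msfpayload-style C byte arrays and detect NOP slides in a buffer."""
import re
from typing import List, Tuple

NOP = 0x90  # x86 single-byte no-operation instruction

# Constructed sample in the shape of `msfpayload ... C` output.
# The bytes are made up for this example; they are not shellcode.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x41\x42\x43\x44\x45\x46\x47\x48";
'''


def parse_c_escaped(text: str) -> bytes:
    """Turn the "\\x..\\x.." string literals of a C byte array into raw bytes."""
    hex_pairs = re.findall(r'\\x([0-9a-fA-F]{2})', text)
    return bytes(int(h, 16) for h in hex_pairs)


def find_nop_slides(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of 0x90 at least min_len long.

    Short runs are ignored because 0x90 also appears in legitimate code
    (padding, alignment); a slide that works needs many NOPs in a row.
    """
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:  # extend to the end of this run
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def nop_ratio(data: bytes) -> float:
    """Fraction of the buffer that is 0x90; a crude heap-spray indicator."""
    return data.count(NOP) / len(data) if data else 0.0


if __name__ == "__main__":
    blob = parse_c_escaped(SAMPLE_C_OUTPUT)
    print(len(blob), find_nop_slides(blob), round(nop_ratio(blob), 2))
```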
  • 47. HeySexxyLady.pwnme • Does this work in the real world?
  • 48. HeySexxyLady.pwnme • MS10-002 “Aurora”
  • 49. HeySexxyLady.pwnme • Aurora In The Browser
  • 50. HeySexxyLady.pwnme
  • 51. HeySexxyLady.pwnme
  • 52. HeySexxyLady.pwnme
  • 53. HeySexxyLady.pwnme
  • 54. Wrap Up Metasploit = Power
  • 55. Wrap Up • Where can I get more information? • http://www.offensive-security.com/metasploit-unleashed/Introduction • Metasploit: The Penetration Tester's Guide • http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X • www.KizzMyAnthia.com