Metasploitation part-1 (murtuja)
Slightly NSFW, be careful

Presentation Transcript

    • Metasploitation 4 Adults: it’s not a family affair… Murtuja Bharmal
    • Disclaimer (image courtesy http://entertainment.desktopnexus.com_get_4642)
    • About Me
      • Now Work: Busy Man….
      • Unemployed….
      • Interest…. /dev/random….
      • Co-founder of null…. :-D
      • Ex-IBMer…..
      • Bread and butter: Security Consulting/Training
    • Agenda (image courtesy http://asonchua.com)
    • Agenda
      • Basics
      • Metasploit Auxiliary
      • Database Integration & Exploit Automation
      • Client Side Exploit & Extended Usage
      • Post Exploitation Fun
      • Metasploit Add-ons
    • Basics
      • What is a vulnerability?
      • What is an exploit?
      • What is a payload?
      • What is an encoder?
    • Vulnerability (image courtesy http://harryjerry.com)
    • Exploit (image courtesy http://entertainment.in.msn.com)
    • Payload
      • Use your imagination
    • Encoder
      • Still thinking? Ask me offline
    • Basics
      • Vulnerability – Opportunity Window
      • Exploit – En-cashing the Opportunity
      • Payload – En-cashment Window
      • Encoder – Masking
    • How it works?
      • Input malicious code instead of data
      • Malicious code = Exploit Code + Payload
    • Payload + Exploit (image sanitized: you should be at ClubHACK; images courtesy http://guardian.co.uk and http://ivillage.com)
    • Exploit Code (images 1–4 courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com)
    • Metasploit Framework
      • Open Source
      • Developed in Ruby
      • Easy to use
      • 600+ exploits
      • 200+ payloads
      • 25+ encoders
      • 300+ auxiliary modules
    • Metasploit Auxiliary (image courtesy http://www.flickr.com)
    • Metasploit Architecture (diagram courtesy http://www.offensive-security.com)
    • Directory Structure
    • Filesystem and Libraries
      • lib: the meat of the framework code base
      • data: editable files used by Metasploit
      • tools: various useful command-line utilities
      • modules: the actual MSF modules
      • plugins: plugins that can be loaded at run time
      • scripts: Meterpreter and other scripts
      • external: source code and third-party libraries
      (Courtesy http://www.offensive-security.com/metasploit-unleashed)
    • msfconsole
    • msfconsole
      • It is the only supported way to access most of the features within Metasploit
      • Provides a console-based interface to the framework
      • Contains the most features and is the most stable MSF interface
      • Full readline support, tabbing, and command completion
      • Execution of external commands from within msfconsole is possible
      (Courtesy http://www.offensive-security.com/metasploit-unleashed)
    • Exploit Modules (confused how to explain this technically? image courtesy http://www.sunpacmortgage.com)
    • Metasploit – Exploits & Payloads
      • Exploit
        – Active
        – Passive
      • Payload Types
        – Inline (Non-Staged)
        – Staged
        – Meterpreter
        – PassiveX
        – NoNX
        – Ord
        – IPv6
        – Reflective DLL injection
    • Exploit DEMO
    • Metasploit Auxiliary
      • Helper modules for the pre-exploitation phase
        – Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.
      • 300+ auxiliary modules
    • We will cover
      • SCANNER
      • MSSQL
      • SNMP
      • FTP
    • Auxiliary DEMO
    • Database Integration and Exploit Automation
    • Data (image courtesy http://www.joy2day.com)
    • Need of Database (image sanitized: you should be at ClubHACK)
    • Need of Database
      • Network penetration testing
      • Easy management/storage of results
      • Report generation
    • Database Integration & Exploit Automation
      • Database support
      • Nmap
      • Nessus Bridge
    • Supported Databases
      • MySQL – on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"
      • Postgres
      • Sqlite3 – file-based database, might be dropped in future
    • Nmap
      • db_nmap command to scan a host/network
      • Results are stored in the database
      • Results can be viewed using the db_hosts and db_services commands
    • NMAP Demo
    • Nessus Bridge
      • Can perform vulnerability scans inside msfconsole
      • Supported via the nessus bridge plugin
      • Uses XML-RPC to connect to nessusd
    • Nessus Bridge Demo
    • At your fingertips
      • db_autopwn
        – Automates the exploitation process
        – Takes target/service/vulnerability info from the database
        – Spawns a meterpreter shell on success
        – Noisy
    • db_autopwn Demo
    • Client Side Exploit & Extended Usage
    • Client Side Exploit
    • Client Side Exploit & Extended Usage
      • Browser autopwn
      • Exploiting PDF
      • Payload Generation & Back-dooring EXE
      • Linux Backdoor
    • Browser autopwn
      • Automates browser-based vulnerability exploitation
      • Performs browser fingerprinting
      • Auxiliary module server/browser_autopwn
    • Browser autopwn Demo
    • Exploiting PDF
      • Most exploited software for the last 2 years
      • Universally used document format
      • Favorite carrier for commercial malware toolkits
    • What can PDF do?
      • JavaScript runs under the context of the App Object Model
      • File attachments
      • XML, SOAP capabilities
      • Forms
      • Web services
      • Database connections (ADBC)
    • What’s cracking up?
      • Vulnerable APIs
        – util.printf() (CVE-2008-2992)
        – getIcons() (CVE-2009-0927)
        – getAnnots() (CVE-2009-1492)
        – customDictionaryOpen() (CVE-2009-1493)
        – Doc.media.newPlayer (CVE-2009-4324)
      • File parsing vulnerabilities
        – JBIG2 (over a dozen CVEs)
        – libTiff (CVE-2010-0188)
      • Social-engineered arbitrary command execution
        – PDF escape by Didier Stevens
        – Not a bug (feature)
        – Exploitation in the wild
      • Embedded Files
        – libTiff (CVE-2010-0188)
    • PDF exploitation Demo
    • Payload Generation and Backdooring EXE
      • Payloads can be converted to various file formats, i.e. exe, dll, javascript etc.
      • Encode the payload to evade antivirus
      • Can be embedded in third-party software/utilities
    • msfpayload & msfencode
    • Linux Backdoor
      • Back-dooring a payload into a Linux package
      • Embed the payload in a deb installation package
    • Linux Backdooring Demo
    • Metasploit Add-ons
    • Metasploit Add-ons (image courtesy http://draftblogmm.blogspot.com)
    • Fast-Track
      • Easy automation
      • Utilizes the Metasploit Framework on the backend
      • Modes
        – Interactive
        – Web interface
    • Fast-Track Demo
    • SET (Social Engineering Toolkit)
      • The weakest link in the information security chain is the natural human willingness to accept someone at their word
      • SET focuses on attacking the human element
      • Developed in Python
      • Very easy to use
      • Utilizes the Metasploit Framework on the backend
    • SET (Social Engineering Toolkit)
      • Operational modes
        – Interactive
        – Web interface
      • Configuration file: config/set_config
    • SET Demo
    • Post Exploitation Fun
    • Post Exploitation Fun
    • What next after getting a shell?
      • One can run the commands supported by the command prompt/shell
      • So what extra bit of control is needed to en-cash the opportunity?
    • Meterpreter
      • Meta-Interpreter
      • Post-exploitation payload (tool)
      • Uses in-memory DLL injection stagers
      • Can be extended at run time
      • Encrypted communication
    • What can be done?
      • Command execution
      • File upload/download
      • Process migration
      • Log deletion
      • Privilege escalation
      • Registry modification
      • Deleting logs and killing antivirus
      • Backdoors and rootkits
      • Pivoting
      • …..etc.
    • Demo Meterpreter
    • Channels
      • Communication using TLV (Type-Length-Value)
      • Tagging of data with a channel number
      • Multiple programs can be run on the victim machine using different channels
    • Pivoting (diagram, steps 1–4: Local LAN, Firewall/IPS, Internet, DMZ with Web Server and Database Server)
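To make the channel idea concrete, here is an added Ruby example (not from the slides or the Metasploit project) of a simplified TLV framing scheme that tags each data chunk with a channel number and demultiplexes interleaved channels at the receiver; the type codes and wire layout are assumptions chosen for illustration, not Meterpreter's actual packet format.

```ruby
# Added example (not Metasploit code): a simplified TLV channel framing scheme;
# the type codes and layout are assumptions, not Meterpreter's real wire format.
TLV_CHANNEL_ID = 1   # value is a 4-byte channel number
TLV_DATA       = 2   # value is an opaque data chunk

# Encode one TLV: 4-byte big-endian length (header included), 4-byte type, value.
def tlv_encode(type, value)
  [value.bytesize + 8, type].pack("NN") + value
end

# Decode a byte string into [type, value] pairs; truncated or inconsistent
# length fields raise instead of reading past the buffer.
def tlv_decode(buf)
  out, pos = [], 0
  while pos < buf.bytesize
    raise ArgumentError, "truncated header at #{pos}" if buf.bytesize - pos < 8
    len, type = buf.byteslice(pos, 8).unpack("NN")
    raise ArgumentError, "bad length #{len} at #{pos}" if len < 8 || pos + len > buf.bytesize
    out << [type, buf.byteslice(pos + 8, len - 8)]
    pos += len
  end
  out
end

# One channel-tagged message: a channel-id TLV followed by a data TLV.
def channel_message(channel, data)
  tlv_encode(TLV_CHANNEL_ID, [channel].pack("N")) + tlv_encode(TLV_DATA, data)
end

# Demultiplex a stream into { channel => [chunk, ...] }; a data TLV with no
# preceding channel tag is malformed and rejected.
def demux(stream)
  chans = Hash.new { |h, k| h[k] = [] }
  current = nil
  tlv_decode(stream).each do |type, value|
    case type
    when TLV_CHANNEL_ID then current = value.unpack1("N")
    when TLV_DATA
      raise ArgumentError, "data TLV without channel tag" if current.nil?
      chans[current] << value
      current = nil
    else raise ArgumentError, "unknown TLV type #{type}"
    end
  end
  chans
end
# Constructed sample: two programs share one link, their chunks interleaved.
SAMPLE_STREAM = channel_message(1, "chunk-A1") + channel_message(2, "chunk-B1") +
                channel_message(1, "chunk-A2")
```

Running `demux(SAMPLE_STREAM)` reassembles the two interleaved programs' data by channel, and the length checks in `tlv_decode` are the part a receiver needs so that a malformed length field cannot make it read outside the buffer.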
    • Demo Pivoting
    • Courtesy
      • http://www.metasploit.com/
      • http://www.backtrack-linux.org
      • http://www.offensive-security.com/metasploit-unleashed/
      • http://www.secmaniac.com/
      • http://securitytube.net/
      • http://vimeo.com/
      • http://www.irongeek.com/
      • http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html
      • http://www.google.co.in
    • Thank You. Murtuja Bharmal, void@null.co.in (image courtesy http://blingboo.com)