Metasploitation part-1 (murtuja)

Metasploitation 4 Adults it’s not family affair… Murtuja Bharmal

Disclaimer Courtesy http://entertainment.desktopnexus.com_get_4642 1

About Me• Now Work Busy Man….• Unemployed….• Interest…. /dev/random….• Co-founder of null…. :-D• X-IBMer’s …..• Dal, Roti ka jugad, Security Consulting/Training

Agenda Courtesy http://asonchua.com

Agenda• Basics• Metasploit Auxiliary• Database Integration & Exploit Automation• Client Side Exploit & Extended Usage• Post Exploitation Fun• Metasploit Add-ons

Basics• What is vulnerability?• What is Exploit?• What is Payload?• What is encoder?

Vulnerability Courtesy http://harryjerry.com

Exploit Courtesy http://entertainment.in.msn.com

Payload• Use your imagination

Encoder• Still Thinking? Ask me offline

Basics• Vulnerability – Opportunity Window• Exploit – En-cashing Opportunity• Payload – En-cashment Window• Encoder – Masking

How it works?• Input malicious code Instead of Data• Malicious code = Exploit Code + Payload

Payload + Exploit Sanitized You should be at ClubHACKCourtesy http://guardian.co.uk Courtesy http://ivillage.com

Exploit Code 1 23 4Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com

Metasploit Framework• Open Source• Developed in Ruby• Easy to Use• 600+ Exploits• 200+ payloads• 25+ encoders• 300+ auxiliary

Metasploit Auxiliary Courtesy http://www.flickr.com

Metasploit Architecture Courtesy http://www.offensive-security.com

Directory Structure

Filesystem And Libraries• lib: the meat of the framework code base• data: editable files used by Metasploit• tools: various useful command-line utilities• modules: the actual MSF modules• plugins: plugins that can be loaded at run-time• scripts: Meterpreter and other scripts• external: source code and third-party libraries Courtesy http://www.offensive-security.com/metasploit-unleashed

msfconsole

msfconsole• It is the only supported way to access most of the features within Metasploit.• Provides a console-based interface to the framework• Contains the most features and is the most stable MSF interface• Full readline support, tabbing, and command completion• Execution of external commands in msfconsole is possible: Courtesy http://www.offensive-security.com/metasploit-unleashed

Exploit ModulesConfused how to explain technically? Courtesy http://www.sunpacmortgage.com

Metasploit – Exploit & Payloads• Exploit – Active – Passive• Payload Types – Inline ( Non Staged) – Staged – Meterpreter – PassiveX – NoNX – Ord – IPv6 – Reflective DLL injection

Exploit DEMO

Metasploit Auxiliary• Helper modules for pre-exploitation phase – Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.• 300+ Auxiliary modules

We will cover• SCANNER• MSSQL• SNMP• FTP

Auxiliarry DEMO

Database Integration and Exploit Automation

Data Courtesy http://www.joy2day.com

Need of DatabaseSanitizedYou should be at ClubHACK

Need of Database• Network Penetration Testing• Easy management/storage of result• Report Generation

Database Integration& Exploit Automation• Database Support• Nmap• Nessus Bridge

Supported Database• Mysql - BackTrack 4 r2, MYSQL and Metasploit work together "out of the box“• Postgres• Sqlite3 – file based database, might be pull-off in future

Nmap• db_nmap command to scan host/network• Result will be stored in database• Can view the result using db_hosts and db_services command

NMAP Demo

Nessus Bridge• Can perform vulnerability scan inside msfconsole• Supported using nessus bridge plugin• Use xmlrpc to connect with nessusd

Nessus Bridge Demo

In a Finger tip• db_autopwn – Automate exploitation process – Take target /service/vulnerability info from database – Spawns a meterpeter shell on success – Noisy

db_autopwn Demo

Client Side Exploit & Extended Usage

Client Side Exploit

Client Side Exploit & Extended Usage• Browser autopwn• Exploiting PDF• Payload Generation & Back-dooring EXE• Linux Backdoor

Browser autopwn• Automate browser based vulnerability exploitation• Perform browser finger printing• Auxiliary module server/browser_autopwnle

Browser autopwn Demo

Exploiting PDF• Most exploited software since last 2 years• Universally used software for document format• Favorite carrier for commercial malware toolkit

What all PDF do?• JavaScript runs under the context of App Object Model• File Attachment• XML, SOAP capabilities• Forms• Web Services• Database connections(ADBC)

What’s cracking up?• Vulnerable APIs – util.printf() (CVE-2008-2992) – getIcons() (CVE-2009-0927) – getAnnots() (CVE-20091492) – customDictionaryOpen() (CVE-2009-1493) – Doc.media.newPlayer (CVE-2009-4324)• File parsing vulnerabilities – JBIG2( Over a dozen CVE) – libTiff (CVE-2010-0188)• Social engineered arbit. command execution – PDF escape by Didier Stevens – Not a bug (feature) – Exploitation in the wild• Embedded Files – libTiff (CVE-2010-0188)

PDF exploitation Demo

Payload Generation and Backdooring EXE• Payload can be converted to various file format i.e. exe, dll, javascript etc.• Encode payload to evade antivirus• Can be embed with third party software/utility

msfpayload & msfencode

Linux Backdoor• Back-dooring payload with linux package• Embed payload with deb installation package

Linux Backdooring Demo

Metasploit Add-ons

Metasploit Add-ons Courtesy http://draftblogmm.blogspot.com

Fast-Track• Easy Automation• Utilize Metaspolit Framework on Backend• Modes – Interactive – Web interface

Fast-Track Demo

SET(Social Engineering Toolkit)• Weakest link in the information security chain is the natural human willingness to accept someone at their word.• SET focuses on attacking the human element• Develop in python• Very easy to use• Utilize Metaspolit Framework on Backend

SET(Social Engineering Toolkit)• Operational Mode – Interactive – Web Interface• Configuration file - config/set_config

SET Demo

Post Exploitation Fun

What next after getting a Shell?• One can run the command supported by command prompt/shell.• So what extra bit control needed to en-cash the opportunity?

Meterpreter• Meta Interpreter• Post exploitation payload(tool)• Uses in-memory DLL injection stagers• Can be extended over the run time• Encrypted communication

What can be done?• Command execution• File Upload/Download• Process migration• Log Deletion• Privilege escalation• Registry modification• Deleting logs and killing antivirus• Backdoors and Rootkits• Pivoting• …..etc.

Demo Meterpreter

Channels• Communication using TLV (Type-Length-Value)• Tagging of data with channel number• Multiple program can be run at victim machine using different channel

Pivoting 2 1 LAN INTERNETLocal Lan Firewall/IPS4 3 Web Database Server DMZ Server

Demo Pivoting

Courtesy• http://www.metasploit.com/• http://www.backtrack-linux.org• http://www.offensive-security.com/metasploit- unleashed/• http://www.secmaniac.com/• http://securitytube.net/• http://vimeo.com/• http://www.irongeek.com/• http://www.windowsecurity.com/whitepapers/Social- Engineering-The-Weakest-Link.html• http://www.google.co.in

Thank You Murtuja Bharmal void@null.co.in Courtesy http://blingboo.com

http://clubhack.com	396
http://www.clubhack.com	55
http://static.slidesharecdn.com	1
https://blue-box4.appspot.com	1
http://translate.googleusercontent.com	1

Metasploitation part-1 (murtuja)

by ClubHack

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 454

Statistics

Metasploitation part-1 (murtuja) Presentation Transcript