Metasploitation part-1 (murtuja)
    Presentation Transcript

    • Metasploitation 4 Adults: it’s not a family affair… Murtuja Bharmal
    • Disclaimer (image slide) Courtesy http://entertainment.desktopnexus.com_get_4642
    • About Me
        • Now: busy man…
        • Unemployed…
        • Interest: /dev/random…
        • Co-founder of null… :-D
        • Ex-IBMer…
        • Earning my daily bread (dal-roti ka jugad): Security Consulting/Training
    • Agenda (image slide) Courtesy
    • Agenda
        • Basics
        • Metasploit Auxiliary
        • Database Integration & Exploit Automation
        • Client Side Exploit & Extended Usage
        • Post Exploitation Fun
        • Metasploit Add-ons
    • Basics
        • What is a vulnerability?
        • What is an exploit?
        • What is a payload?
        • What is an encoder?
    • Vulnerability (image slide) Courtesy
    • Exploit (image slide) Courtesy
    • Payload
        • Use your imagination
    • Encoder
        • Still thinking? Ask me offline
    • Basics
        • Vulnerability – opportunity window
        • Exploit – en-cashing the opportunity
        • Payload – en-cashment window
        • Encoder – masking
    • How it works?
        • Input malicious code instead of data
        • Malicious code = Exploit Code + Payload
    • Payload + Exploit (image slide, sanitized: "You should be at ClubHACK") Courtesy
    • Exploit Code (annotated figure with callouts 1–4; callout text not in transcript) Courtesy
    • Metasploit Framework
        • Open Source
        • Developed in Ruby
        • Easy to use
        • 600+ exploits
        • 200+ payloads
        • 25+ encoders
        • 300+ auxiliary modules
    • Metasploit Auxiliary (image slide) Courtesy
    • Metasploit Architecture (image slide) Courtesy
    • Directory Structure
    • Filesystem and Libraries
        • lib: the meat of the framework code base
        • data: editable files used by Metasploit
        • tools: various useful command-line utilities
        • modules: the actual MSF modules
        • plugins: plugins that can be loaded at run-time
        • scripts: Meterpreter and other scripts
        • external: source code and third-party libraries
      Courtesy
    • msfconsole
    • msfconsole
        • It is the only supported way to access most of the features within Metasploit.
        • Provides a console-based interface to the framework
        • Contains the most features and is the most stable MSF interface
        • Full readline support, tabbing, and command completion
        • Execution of external commands in msfconsole is possible
      Courtesy
    • Exploit Modules: confused how to explain technically? (image slide) Courtesy
    • Metasploit – Exploits & Payloads
        • Exploit
            – Active
            – Passive
        • Payload types
            – Inline (non-staged)
            – Staged
            – Meterpreter
            – PassiveX
            – NoNX
            – Ord
            – IPv6
            – Reflective DLL injection
    • Exploit DEMO
    • Metasploit Auxiliary
        • Helper modules for the pre-exploitation phase
            – Admin, DoS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test, etc.
        • 300+ auxiliary modules
    • We will cover
        • SCANNER
        • MSSQL
        • SNMP
        • FTP
    • Auxiliary DEMO
    • Database Integration and Exploit Automation
    • Data (image slide) Courtesy
    • Need of Database (image slide, sanitized: "You should be at ClubHACK")
    • Need of Database
        • Network penetration testing
        • Easy management/storage of results
        • Report generation
    • Database Integration & Exploit Automation
        • Database support
        • Nmap
        • Nessus Bridge
    • Supported Databases
        • MySQL – on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"
        • Postgres
        • SQLite3 – file-based database, may be dropped in future
    • Nmap
        • db_nmap command to scan a host/network
        • Results are stored in the database
        • View the results using the db_hosts and db_services commands
    • NMAP Demo
    • Nessus Bridge
        • Can perform a vulnerability scan inside msfconsole
        • Supported using the nessus bridge plugin
        • Uses XML-RPC to connect to nessusd
    • Nessus Bridge Demo
    • At a Fingertip
        • db_autopwn
            – Automates the exploitation process
            – Takes target/service/vulnerability info from the database
            – Spawns a meterpreter shell on success
            – Noisy
    • db_autopwn Demo
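The slide calls db_autopwn noisy: it fires every matching exploit at every service recorded in the database, so on the wire it looks like one source reaching many host:port targets in a short burst. The following Ruby script is an added example, not part of the presentation or of Metasploit. It runs a simple sliding-window detection over constructed connection-log lines (the log format, the 60-second window and the threshold of 5 distinct targets are all assumptions) and flags sources whose burst of distinct targets within one window exceeds the threshold, while leaving ordinary repeat traffic and slow, spread-out activity unflagged.

```ruby
require "time"

# Constructed sample log (not from the page). One connection attempt per
# line: "<ISO-8601 timestamp> <src ip> <dst ip> <dst port>".
SAMPLE_LOG = <<~LOG
  2011-12-03T10:00:00Z 10.0.0.7 10.0.0.20 21
  2011-12-03T10:00:01Z 10.0.0.5 10.0.0.20 21
  2011-12-03T10:00:02Z 10.0.0.5 10.0.0.20 22
  2011-12-03T10:00:03Z 10.0.0.9 10.0.0.20 80
  2011-12-03T10:00:04Z 10.0.0.5 10.0.0.20 80
  2011-12-03T10:00:05Z 10.0.0.5 10.0.0.20 445
  2011-12-03T10:00:06Z 10.0.0.9 10.0.0.20 80
  2011-12-03T10:00:07Z 10.0.0.5 10.0.0.21 1433
  2011-12-03T10:00:08Z 10.0.0.9 10.0.0.21 443
  2011-12-03T10:00:09Z 10.0.0.5 10.0.0.21 161
  2011-12-03T10:03:00Z 10.0.0.7 10.0.0.20 22
  2011-12-03T10:06:00Z 10.0.0.7 10.0.0.20 80
  2011-12-03T10:09:00Z 10.0.0.7 10.0.0.20 445
  2011-12-03T10:12:00Z 10.0.0.7 10.0.0.21 1433
  2011-12-03T10:15:00Z 10.0.0.7 10.0.0.21 161
LOG

WINDOW_SECONDS = 60   # assumed sliding window length
TARGET_THRESHOLD = 5  # assumed: distinct host:port targets per window

# Parse one log line into a hash; the timestamp becomes a Time object.
def parse_line(line)
  ts, src, dst, dport = line.split
  { time: Time.iso8601(ts), src: src, dst: dst, dport: dport.to_i }
end

def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |l| parse_line(l) }
end

# For each source, slide a window over its connections in time order and
# count distinct (dst, dport) targets inside the window. Returns a hash of
# flagged source => peak number of distinct targets seen in one window.
def noisy_sources(events, window: WINDOW_SECONDS, threshold: TARGET_THRESHOLD)
  flagged = {}
  events.group_by { |e| e[:src] }.each do |src, evs|
    evs = evs.sort_by { |e| e[:time] }
    start = 0
    evs.each_with_index do |e, i|
      # advance the window start past events older than `window` seconds
      start += 1 while e[:time] - evs[start][:time] > window
      targets = evs[start..i].map { |x| [x[:dst], x[:dport]] }.uniq
      if targets.size >= threshold
        flagged[src] = [flagged[src] || 0, targets.size].max
      end
    end
  end
  flagged
end

if __FILE__ == $PROGRAM_NAME
  noisy_sources(parse_log(SAMPLE_LOG)).each do |src, n|
    puts "ALERT #{src}: #{n} distinct host:port targets within #{WINDOW_SECONDS}s"
  end
end
```

In the sample, 10.0.0.5 reaches six distinct targets in nine seconds and is flagged; 10.0.0.9 repeats the same web hits and stays quiet; 10.0.0.7 touches the same six targets but three minutes apart, so no single window crosses the threshold. Tune the window and threshold to the baseline of the network being monitored, and correlate with reverse-connection traffic from the same hosts to catch the shell that a successful run spawns.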
    • Client Side Exploit & Extended Usage
    • Client Side Exploit
    • Client Side Exploit & Extended Usage
        • Browser autopwn
        • Exploiting PDF
        • Payload generation & back-dooring EXE
        • Linux backdoor
    • Browser autopwn
        • Automates browser-based vulnerability exploitation
        • Performs browser fingerprinting
        • Auxiliary module server/browser_autopwn
    • Browser autopwn Demo
    • Exploiting PDF
        • Most exploited software over the last 2 years
        • Universally used document format
        • Favorite carrier for commercial malware toolkits
    • What all can a PDF do?
        • JavaScript runs under the context of the App Object Model
        • File attachments
        • XML, SOAP capabilities
        • Forms
        • Web services
        • Database connections (ADBC)
    • What’s cracking up?
        • Vulnerable APIs
            – util.printf() (CVE-2008-2992)
            – getIcons() (CVE-2009-0927)
            – getAnnots() (CVE-2009-1492)
            – customDictionaryOpen() (CVE-2009-1493)
            – (CVE-2009-4324)
        • File parsing vulnerabilities
            – JBIG2 (over a dozen CVEs)
            – libTiff (CVE-2010-0188)
        • Socially engineered arbitrary command execution
            – PDF escape by Didier Stevens
            – Not a bug (feature)
            – Exploitation in the wild
        • Embedded files
            – libTiff (CVE-2010-0188)
    • PDF exploitation Demo
    • Payload Generation and Backdooring EXE
        • A payload can be converted to various file formats, e.g. exe, dll, JavaScript, etc.
        • Encode the payload to evade antivirus
        • Can be embedded in third-party software/utilities
    • msfpayload & msfencode
    • Linux Backdoor
        • Back-dooring a payload into a Linux package
        • Embedding a payload in a deb installation package
    • Linux Backdooring Demo
    • Metasploit Add-ons
    • Metasploit Add-ons (image slide) Courtesy
    • Fast-Track
        • Easy automation
        • Utilizes the Metasploit Framework on the backend
        • Modes
            – Interactive
            – Web interface
    • Fast-Track Demo
    • SET (Social Engineering Toolkit)
        • The weakest link in the information security chain is the natural human willingness to accept someone at their word.
        • SET focuses on attacking the human element
        • Developed in Python
        • Very easy to use
        • Utilizes the Metasploit Framework on the backend
    • SET (Social Engineering Toolkit)
        • Operational modes
            – Interactive
            – Web interface
        • Configuration file: config/set_config
    • SET Demo
    • Post Exploitation Fun
    • What next after getting a shell?
        • One can run the commands supported by the command prompt/shell.
        • So what extra bit of control is needed to en-cash the opportunity?
    • Meterpreter
        • Meta-Interpreter
        • Post-exploitation payload (tool)
        • Uses in-memory DLL injection stagers
        • Can be extended at run time
        • Encrypted communication
    • What can be done?
        • Command execution
        • File upload/download
        • Process migration
        • Log deletion
        • Privilege escalation
        • Registry modification
        • Deleting logs and killing antivirus
        • Backdoors and rootkits
        • Pivoting
        • … etc.
    • Demo Meterpreter
    • Channels
        • Communication using TLV (Type-Length-Value)
        • Tagging of data with a channel number
        • Multiple programs can be run on the victim machine using different channels
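The channel idea on the slide above is easiest to see in code. The following Ruby program is an added example, not code from the presentation or from Metasploit, and it does not reproduce Meterpreter's real wire format: it models a minimal TLV framing (assumed 4-byte big-endian type and length fields, and assumed record types CHANNEL_OPEN, CHANNEL_DATA and CHANNEL_CLOSE) in which every data record is tagged with a channel number, then demultiplexes one interleaved stream back into per-channel buffers. It also shows the two checks an analyst decoding a captured session needs: a length field is validated against the remaining buffer before it is trusted, and data arriving on a channel that was never opened (or was already closed) is reported rather than silently merged.

```ruby
# Illustrative TLV (Type-Length-Value) framing with channel tagging.
# Assumed toy format, NOT Meterpreter's actual protocol:
#   record = [type: uint32 BE][length: uint32 BE, counts header too][value]
#   CHANNEL_DATA value = [channel id: uint32 BE][payload bytes]

TLV_HEADER_SIZE = 8

# Record types for this toy protocol (assumed values).
TYPE_CHANNEL_OPEN  = 1
TYPE_CHANNEL_DATA  = 2
TYPE_CHANNEL_CLOSE = 3

# Serialise one record: type, total length (header + value), value.
def encode_tlv(type, value)
  [type, TLV_HEADER_SIZE + value.bytesize].pack("NN") + value
end

def encode_channel_open(channel_id)
  encode_tlv(TYPE_CHANNEL_OPEN, [channel_id].pack("N"))
end

def encode_channel_close(channel_id)
  encode_tlv(TYPE_CHANNEL_CLOSE, [channel_id].pack("N"))
end

# Data records carry the channel id in front of the payload bytes.
def encode_channel_data(channel_id, data)
  encode_tlv(TYPE_CHANNEL_DATA, [channel_id].pack("N") + data)
end

# Parse a byte string into [type, value] pairs. The length field is checked
# against the remaining buffer so a truncated record or a lying length raises
# instead of reading past the end of the buffer.
def decode_tlvs(buf)
  records = []
  offset = 0
  while offset < buf.bytesize
    if buf.bytesize - offset < TLV_HEADER_SIZE
      raise ArgumentError, "truncated header at offset #{offset}"
    end
    type, length = buf.byteslice(offset, TLV_HEADER_SIZE).unpack("NN")
    if length < TLV_HEADER_SIZE || offset + length > buf.bytesize
      raise ArgumentError, "bad length #{length} at offset #{offset}"
    end
    records << [type, buf.byteslice(offset + TLV_HEADER_SIZE, length - TLV_HEADER_SIZE)]
    offset += length
  end
  records
end

# Demultiplex a stream: data is grouped by channel id, open/close records
# are tracked, and data on a channel that is not open is listed as stray.
def demux_by_channel(buf)
  open_channels = {}
  streams = Hash.new { |h, k| h[k] = "".b }
  stray = []
  decode_tlvs(buf).each do |type, value|
    case type
    when TYPE_CHANNEL_OPEN
      open_channels[value.unpack1("N")] = true
    when TYPE_CHANNEL_CLOSE
      open_channels.delete(value.unpack1("N"))
    when TYPE_CHANNEL_DATA
      channel_id = value.unpack1("N")
      data = value.byteslice(4, value.bytesize - 4)
      open_channels[channel_id] ? streams[channel_id] << data : stray << channel_id
    end
  end
  { streams: streams, stray: stray }
end

# Constructed sample: two channels interleaved on one connection, with a
# late record on channel 2 after it was closed.
def sample_stream
  encode_channel_open(1) +
    encode_channel_open(2) +
    encode_channel_data(1, "first part".b) +
    encode_channel_data(2, "beta".b) +
    encode_channel_data(1, " second part".b) +
    encode_channel_close(2) +
    encode_channel_data(2, "late".b)
end

if __FILE__ == $PROGRAM_NAME
  result = demux_by_channel(sample_stream)
  result[:streams].each { |id, data| puts "channel #{id}: #{data.inspect}" }
  puts "data on unopened/closed channels: #{result[:stray].inspect}"
end
```

Keeping the per-channel state explicit is what lets a decoder tell legitimate interleaving from malformed input; the same structure is the starting point for a session-reassembly rule in an IDS that understands a channelised protocol.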
    • Pivoting (network diagram: Local LAN behind a Firewall/IPS, the Internet, and a DMZ holding a Web Server and a Database Server; hops numbered 1–4)
    • Demo Pivoting
    • Courtesy (reference links, truncated in the transcript)
        • …unleashed/
        • …Engineering-The-Weakest-Link.html
    • Thank You, Murtuja Bharmal (image slide) Courtesy