0
Metasploitation 4 Adults  it’s not family affair…     Murtuja Bharmal
Disclaimer   Courtesy http://entertainment.desktopnexus.com_get_4642 1
About Me•   Now Work Busy Man….•   Unemployed….•   Interest…. /dev/random….•   Co-founder of null…. :-D•   X-IBMer’s …....
Agenda         Courtesy http://asonchua.com
Agenda•   Basics•   Metasploit Auxiliary•   Database Integration & Exploit Automation•   Client Side Exploit & Extended Us...
Basics•   What is vulnerability?•   What is Exploit?•   What is Payload?•   What is encoder?
Vulnerability                Courtesy http://harryjerry.com
Exploit          Courtesy http://entertainment.in.msn.com
Payload• Use your imagination
Encoder• Still Thinking? Ask me offline
Basics•   Vulnerability – Opportunity Window•   Exploit – En-cashing Opportunity•   Payload – En-cashment Window•   Encode...
How it works?• Input malicious code Instead of Data• Malicious code = Exploit Code + Payload
Payload + Exploit   Sanitized     You should be at ClubHACKCourtesy http://guardian.co.uk                       Courtesy h...
Exploit Code 1                                                              23                                            ...
Metasploit Framework•   Open Source•   Developed in Ruby•   Easy to Use•   600+ Exploits•   200+ payloads•   25+ encoders•...
Metasploit Auxiliary                  Courtesy http://www.flickr.com
Metasploit Architecture                Courtesy http://www.offensive-security.com
Directory Structure
Filesystem And Libraries•    lib: the meat of the framework code base•   data: editable files used by Metasploit•   tools:...
msfconsole
msfconsole• It is the only supported way to access most of the  features within Metasploit.• Provides a console-based inte...
Exploit ModulesConfused how to explain technically?                           Courtesy http://www.sunpacmortgage.com
Metasploit – Exploit & Payloads• Exploit   – Active   – Passive• Payload Types   –   Inline ( Non Staged)   –   Staged   –...
Exploit DEMO
Metasploit Auxiliary• Helper modules for pre-exploitation phase  – Admin, DOS, Fuzzers, Gather, Scanner, Server,    Spoof,...
We will cover•   SCANNER•   MSSQL•   SNMP•   FTP
Auxiliarry DEMO
Database Integration and Exploit          Automation
Data       Courtesy http://www.joy2day.com
Need of DatabaseSanitizedYou should be at ClubHACK
Need of Database• Network Penetration Testing• Easy management/storage of result• Report Generation
Database Integration& Exploit             Automation• Database Support• Nmap• Nessus Bridge
Supported Database• Mysql - BackTrack 4 r2, MYSQL and Metasploit work  together "out of the box“• Postgres• Sqlite3 – file...
Nmap• db_nmap command to scan host/network• Result will be stored in database• Can view the result using db_hosts and  db_...
NMAP Demo
Nessus Bridge• Can perform vulnerability scan inside  msfconsole• Supported using nessus bridge plugin• Use xmlrpc to conn...
Nessus Bridge Demo
In a Finger tip• db_autopwn  – Automate exploitation process  – Take target /service/vulnerability info from    database  ...
db_autopwn Demo
Client Side Exploit & Extended             Usage
Client Side Exploit
Client Side Exploit & Extended Usage•   Browser autopwn•   Exploiting PDF•   Payload Generation & Back-dooring EXE•   Linu...
Browser autopwn• Automate browser based vulnerability  exploitation• Perform browser finger printing• Auxiliary module ser...
Browser autopwn Demo
Exploiting PDF• Most exploited software since last 2 years• Universally used software for document  format• Favorite carri...
What all PDF do?• JavaScript runs under the context of App  Object Model• File Attachment• XML, SOAP capabilities• Forms• ...
What’s cracking up?• Vulnerable APIs     – util.printf() (CVE-2008-2992)     – getIcons() (CVE-2009-0927)     – getAnnots(...
PDF exploitation Demo
Payload Generation and Backdooring                EXE• Payload can be converted to various file  format i.e. exe, dll, jav...
msfpayload & msfencode
Linux Backdoor• Back-dooring payload with linux package• Embed payload with deb installation package
Linux Backdooring Demo
Metasploit Add-ons
Metasploit Add-ons             Courtesy http://draftblogmm.blogspot.com
Fast-Track• Easy Automation• Utilize Metaspolit Framework on Backend• Modes  – Interactive  – Web interface
Fast-Track Demo
SET(Social Engineering Toolkit)• Weakest link in the information security chain  is the natural human willingness to accep...
SET(Social Engineering Toolkit)• Operational Mode  – Interactive  – Web Interface• Configuration file - config/set_config
SET Demo
Post Exploitation Fun
Post Exploitation Fun
What next after getting a Shell?• One can run the command supported by  command prompt/shell.• So what extra bit control n...
Meterpreter•   Meta Interpreter•   Post exploitation payload(tool)•   Uses in-memory DLL injection stagers•   Can be exten...
What can be done?•   Command execution•   File Upload/Download•   Process migration•   Log Deletion•   Privilege escalatio...
Demo Meterpreter
Channels• Communication using TLV (Type-Length-Value)• Tagging of data with channel number• Multiple program can be run at...
Pivoting               2               1             LAN                     INTERNETLocal Lan                      Firewa...
Demo Pivoting
Courtesy• http://www.metasploit.com/• http://www.backtrack-linux.org• http://www.offensive-security.com/metasploit-  unlea...
Thank You     Murtuja Bharmal          void@null.co.in               Courtesy http://blingboo.com
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
Upcoming SlideShare
Loading in...5
×

Metasploitation part-1 (murtuja)

3,183

Published on

Slightly NSFW, be careful

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,183
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
189
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Metasploitation part-1 (murtuja)"

  1. 1. Metasploitation 4 Adults it’s not family affair… Murtuja Bharmal
  2. 2. Disclaimer Courtesy http://entertainment.desktopnexus.com_get_4642 1
  3. 3. About Me• Now Work Busy Man….• Unemployed….• Interest…. /dev/random….• Co-founder of null…. :-D• X-IBMer’s …..• Dal, Roti ka jugad, Security Consulting/Training
  4. 4. Agenda Courtesy http://asonchua.com
  5. 5. Agenda• Basics• Metasploit Auxiliary• Database Integration & Exploit Automation• Client Side Exploit & Extended Usage• Post Exploitation Fun• Metasploit Add-ons
  6. 6. Basics• What is vulnerability?• What is Exploit?• What is Payload?• What is encoder?
  7. 7. Vulnerability Courtesy http://harryjerry.com
  8. 8. Exploit Courtesy http://entertainment.in.msn.com
  9. 9. Payload• Use your imagination
  10. 10. Encoder• Still Thinking? Ask me offline
  11. 11. Basics• Vulnerability – Opportunity Window• Exploit – En-cashing Opportunity• Payload – En-cashment Window• Encoder – Masking
  12. 12. How it works?• Input malicious code Instead of Data• Malicious code = Exploit Code + Payload
  13. 13. Payload + Exploit Sanitized You should be at ClubHACKCourtesy http://guardian.co.uk Courtesy http://ivillage.com
  14. 14. Exploit Code 1 23 4Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com
  15. 15. Metasploit Framework• Open Source• Developed in Ruby• Easy to Use• 600+ Exploits• 200+ payloads• 25+ encoders• 300+ auxiliary
  16. 16. Metasploit Auxiliary Courtesy http://www.flickr.com
  17. 17. Metasploit Architecture Courtesy http://www.offensive-security.com
  18. 18. Directory Structure
  19. 19. Filesystem And Libraries• lib: the meat of the framework code base• data: editable files used by Metasploit• tools: various useful command-line utilities• modules: the actual MSF modules• plugins: plugins that can be loaded at run-time• scripts: Meterpreter and other scripts• external: source code and third-party libraries Courtesy http://www.offensive-security.com/metasploit-unleashed
  20. 20. msfconsole
  21. 21. msfconsole• It is the only supported way to access most of the features within Metasploit.• Provides a console-based interface to the framework• Contains the most features and is the most stable MSF interface• Full readline support, tabbing, and command completion• Execution of external commands in msfconsole is possible: Courtesy http://www.offensive-security.com/metasploit-unleashed
  22. 22. Exploit ModulesConfused how to explain technically? Courtesy http://www.sunpacmortgage.com
  23. 23. Metasploit – Exploit & Payloads• Exploit – Active – Passive• Payload Types – Inline ( Non Staged) – Staged – Meterpreter – PassiveX – NoNX – Ord – IPv6 – Reflective DLL injection
  24. 24. Exploit DEMO
  25. 25. Metasploit Auxiliary• Helper modules for pre-exploitation phase – Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.• 300+ Auxiliary modules
  26. 26. We will cover• SCANNER• MSSQL• SNMP• FTP
  27. 27. Auxiliarry DEMO
  28. 28. Database Integration and Exploit Automation
  29. 29. Data Courtesy http://www.joy2day.com
  30. 30. Need of DatabaseSanitizedYou should be at ClubHACK
  31. 31. Need of Database• Network Penetration Testing• Easy management/storage of result• Report Generation
  32. 32. Database Integration& Exploit Automation• Database Support• Nmap• Nessus Bridge
  33. 33. Supported Database• Mysql - BackTrack 4 r2, MYSQL and Metasploit work together "out of the box“• Postgres• Sqlite3 – file based database, might be pull-off in future
  34. 34. Nmap• db_nmap command to scan host/network• Result will be stored in database• Can view the result using db_hosts and db_services command
  35. 35. NMAP Demo
  36. 36. Nessus Bridge• Can perform vulnerability scan inside msfconsole• Supported using nessus bridge plugin• Use xmlrpc to connect with nessusd
  37. 37. Nessus Bridge Demo
  38. 38. In a Finger tip• db_autopwn – Automate exploitation process – Take target /service/vulnerability info from database – Spawns a meterpeter shell on success – Noisy
  39. 39. db_autopwn Demo
  40. 40. Client Side Exploit & Extended Usage
  41. 41. Client Side Exploit
  42. 42. Client Side Exploit & Extended Usage• Browser autopwn• Exploiting PDF• Payload Generation & Back-dooring EXE• Linux Backdoor
  43. 43. Browser autopwn• Automate browser based vulnerability exploitation• Perform browser finger printing• Auxiliary module server/browser_autopwnle
  44. 44. Browser autopwn Demo
  45. 45. Exploiting PDF• Most exploited software since last 2 years• Universally used software for document format• Favorite carrier for commercial malware toolkit
  46. 46. What all PDF do?• JavaScript runs under the context of App Object Model• File Attachment• XML, SOAP capabilities• Forms• Web Services• Database connections(ADBC)
  47. 47. What’s cracking up?• Vulnerable APIs – util.printf() (CVE-2008-2992) – getIcons() (CVE-2009-0927) – getAnnots() (CVE-20091492) – customDictionaryOpen() (CVE-2009-1493) – Doc.media.newPlayer (CVE-2009-4324)• File parsing vulnerabilities – JBIG2( Over a dozen CVE) – libTiff (CVE-2010-0188)• Social engineered arbit. command execution – PDF escape by Didier Stevens – Not a bug (feature) – Exploitation in the wild• Embedded Files – libTiff (CVE-2010-0188)
  48. 48. PDF exploitation Demo
  49. 49. Payload Generation and Backdooring EXE• Payload can be converted to various file format i.e. exe, dll, javascript etc.• Encode payload to evade antivirus• Can be embed with third party software/utility
  50. 50. msfpayload & msfencode
  51. 51. Linux Backdoor• Back-dooring payload with linux package• Embed payload with deb installation package
  52. 52. Linux Backdooring Demo
  53. 53. Metasploit Add-ons
  54. 54. Metasploit Add-ons Courtesy http://draftblogmm.blogspot.com
  55. 55. Fast-Track• Easy Automation• Utilize Metaspolit Framework on Backend• Modes – Interactive – Web interface
  56. 56. Fast-Track Demo
  57. 57. SET(Social Engineering Toolkit)• Weakest link in the information security chain is the natural human willingness to accept someone at their word.• SET focuses on attacking the human element• Develop in python• Very easy to use• Utilize Metaspolit Framework on Backend
  58. 58. SET(Social Engineering Toolkit)• Operational Mode – Interactive – Web Interface• Configuration file - config/set_config
  59. 59. SET Demo
  60. 60. Post Exploitation Fun
  61. 61. Post Exploitation Fun
  62. 62. What next after getting a Shell?• One can run the command supported by command prompt/shell.• So what extra bit control needed to en-cash the opportunity?
  63. 63. Meterpreter• Meta Interpreter• Post exploitation payload(tool)• Uses in-memory DLL injection stagers• Can be extended over the run time• Encrypted communication
  64. 64. What can be done?• Command execution• File Upload/Download• Process migration• Log Deletion• Privilege escalation• Registry modification• Deleting logs and killing antivirus• Backdoors and Rootkits• Pivoting• …..etc.
  65. 65. Demo Meterpreter
  66. 66. Channels• Communication using TLV (Type-Length-Value)• Tagging of data with channel number• Multiple program can be run at victim machine using different channel
  67. 67. Pivoting 2 1 LAN INTERNETLocal Lan Firewall/IPS4 3 Web Database Server DMZ Server
  68. 68. Demo Pivoting
  69. 69. Courtesy• http://www.metasploit.com/• http://www.backtrack-linux.org• http://www.offensive-security.com/metasploit- unleashed/• http://www.secmaniac.com/• http://securitytube.net/• http://vimeo.com/• http://www.irongeek.com/• http://www.windowsecurity.com/whitepapers/Social- Engineering-The-Weakest-Link.html• http://www.google.co.in
  70. 70. Thank You Murtuja Bharmal void@null.co.in Courtesy http://blingboo.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×