Advertisement
DefCamp 2013 - MSF Into The Worm Hole
Dec. 18, 2013•0 likes•1,074 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
DefCampFollow
DefCampAdvertisement
Advertisement
Advertisement
DefCamp 2013 - MSF Into The Worm Hole
- Who Is This Ugly Dude In Front of Me? Kizz MyAnthia Senior Penetration Tester HP Fortify – ShadowLabs @Kizz_My_Anthia www.KizzMyAnthia.com
- Who Is This Ugly Dude In Front of Me? • Background: • Penetration Tester for 13 years • Network Engineer for 15 years • In IT for 18 years • Regulatory Technology Tester for 5 years • Specializes in mobile technologies and communications • Social Engineering • Physical Security
- • Introduction • PWN Bones • Metasploit Framework Parts • Metasploit for Web PenTesting • Direct Exploits • Browser Exploits • HeySexxyLady.pwnme • Client-side Attacks • Wrap Up
- PWN Bones
- The PWN Bone is connected to the ‘sploit bone • Metasploit is a Framework built like a skeletal structure • Each part builds on the others • • • • • • • • Exploit Payload Shellcode Modules Listeners Auxiliary Modules Plugins Utilities
- PWN Bones • Exploit • The means by which an attacker, or pen tester, takes advantage of a flaw within a system, application, or service. • Common eploits include: • Buffer Overflows • SQL Injections • Configuration Errors
- PWN Bones • Payload • Code that is executed within an exploit • These are selected and delivered by the Metasploit Framework • Reverse Shell • The payload creates a connection from the target machine back to the attacker • Bind Shell • “Binds” a command prompt to a listening port on the target machine that the attacker can connect to
- PWN Bones • Shellcode • A set of instructions used as a payload when exploitation occurs
- PWN Bones • Modules • Whereas Metasploit is concerned, Modules are the pieces of software used by the framework to perform a specific task • Exploit Modules • Auxiliary Modules
- PWN Bones • Listeners • A Metasploit Framework component • Waits for incoming connections or Reverse Payloads • Handles the remote connection
- PWN Bones • Auxiliary Modules • • • • Reconnaissance Brute-force Fuzzers Custom
- PWN Bones • Plugins • Applications that leverage the Metasploit Framework for exploitation • SET • Social Engineers Toolkit • WMAP • Web Application Scanner • Fast-track • Open source Python based tool to help perform advanced penetration testing techniques
- PWN Bones • Utilities • MSFPayload • MSFEncode • MSFVenom
- PWN Bones – WMAP • WMAP • Web Application “Scanner” • Focuses on utilizing the MSF Web Scanning & Data Collection Modules • Not a “Real” scanner
- PWN Bones - SET • SET – Social Engineers Toolkit – Social-Engineer.org • Conceived by Chris Hadnagy (loganWHD) • Written by David Kennedy • Used to perform attacks against human weaknesses exploiting curiosity, credibility, avarice and human stupidity
- Metasploit For Web PenTesting
- Metasploit For Web PenTesting • Direct Exploits • Host/Server Exploits • Service Exploits • “Feature” Exploits • Browser Exploits • MS10-002 “Aurora” • Tab Nabbing • Browser AutoPWN
- Metasploit For Web PenTesting • Direct Exploits • will exploit a specific host, run until completion, and then exit
- Metasploit For Web PenTesting • Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc. • They can also be used in conjunction with email exploits, waiting for connections. • Passive exploits report shells as they happen can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.
- Metasploit For Web PenTesting • So how does this help me? • This sounds cool, but your full of shit….. Metasploit only works on NetPen tests
- Metasploit For Web PenTesting
- Metasploit For Web PenTesting • MSFPayload • a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
- Metasploit For Web PenTesting
- Metasploit For Web PenTesting
- Metasploit For Web PenTesting • Start the Metasploit Listener • Use exploit/multi/handler
- Metasploit For Web PenTesting
- Metasploit For Web PenTesting
- OSINT – Information Gathering
- OSINT – Information Gathering • Information Gathering or Intelligence Gathering • Create a plan of attack • Gain an in-depth knowledge of the target • Record information for later use
- OSINT – Information Gathering • Metasploit & Nmap • Uses Metasploit DB Connection • Stores Target information • • • • Ports Version Banners Scan Details
- OSINT – Information Gathering • We need to create a Metasploit Framework DB and DB Connection • First we need to start the DB • service postgressql start
- OSINT – Information Gathering • Launch MSFConsole and Connect to the DB • msfconsole
- OSINT – Information Gathering • Connect to newly created DB • db_connect msfdev1:Password1@localhost:5432/msfdev2
- OSINT – Information Gathering • Closer than Bert and Ernie • Metasploit Framework and Nmap
- OSINT – Information Gathering • Calling Nmap from Metasploit Framework • nmap –PN –vvv ….. • Nmap can be called from within MSF and run natively • db_nmap –PN –vvv ….. • db_nmap will store the returned Nmap data to the MSF DB for use later
- OSINT – Information Gathering • Metasploit Framework has many other Information Gathering Auxiliary Modules available • • • • • SMB scanning SQL scanning SSH scanning FTP scanning SNMP scanning
- HeySexxyLady.pwnme
- HeySexxyLady.pwnme • Metasploit Client-side Attacks • Browser Attacks • Buffer Overflow • Code Injection • Heap Spraying
- HeySexxyLady.pwnme • Browser Based Exploits • Heap Spraying • “Heap” • Memory that is unallocated and used by the application as needed for the duration of the program’s runtime • NOP • No-Operation Instructions • Assembly Instruction to do Nothing until the next instruction • NOP Slide • Multiple NOP instructions in succession
- HeySexxyLady.pwnme • NOP Slide
- HeySexxyLady.pwnme • Create Payload • msfpayload windows/shell/bind_tcp LPORT=443 C
- HeySexxyLady.pwnme • Copy the “Stage 1” Binary code
- HeySexxyLady.pwnme • Copy & Edit the Binary Payload • Remove all un-needed characters • “ • x • Add “90”s to create NOP Slide
- HeySexxyLady.pwnme • Load IE In Immunity Debugger
- HeySexxyLady.pwnme • Paste the Binary Payload Into the Debugger
- HeySexxyLady.pwnme • When Internet Explorer is run within Immunity Debugger the code will be executed
- HeySexxyLady.pwnme • Does this work in the real world?
- HeySexxyLady.pwnme • MS10-002 “Aurora”
- HeySexxyLady.pwnme • Aurora In The Browser
- HeySexxyLady.pwnme
- HeySexxyLady.pwnme
- HeySexxyLady.pwnme
- HeySexxyLady.pwnme
- Wrap Up Metasploit = Power
- Wrap Up • Where can I get more information? • http://www.offensive-security.com/metasploit-unleashed/Introduction • Metasploit: The Penetration Tester's Guide • http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X • www.KizzMyAnthia.com
Advertisement