DefCamp 2013 - MSF Into The Worm Hole

840 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
840
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
43
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

DefCamp 2013 - MSF Into The Worm Hole

  1. 1. Who Is This Ugly Dude In Front of Me? Kizz MyAnthia Senior Penetration Tester HP Fortify – ShadowLabs @Kizz_My_Anthia www.KizzMyAnthia.com
  2. 2. Who Is This Ugly Dude In Front of Me? • Background: • Penetration Tester for 13 years • Network Engineer for 15 years • In IT for 18 years • Regulatory Technology Tester for 5 years • Specializes in mobile technologies and communications • Social Engineering • Physical Security
  3. 3. • Introduction • PWN Bones • Metasploit Framework Parts • Metasploit for Web PenTesting • Direct Exploits • Browser Exploits • HeySexxyLady.pwnme • Client-side Attacks • Wrap Up
  4. 4. PWN Bones
  5. 5. The PWN Bone is connected to the ‘sploit bone • Metasploit is a Framework built like a skeletal structure • Each part builds on the others • • • • • • • • Exploit Payload Shellcode Modules Listeners Auxiliary Modules Plugins Utilities
  6. 6. PWN Bones • Exploit • The means by which an attacker, or pen tester, takes advantage of a flaw within a system, application, or service. • Common eploits include: • Buffer Overflows • SQL Injections • Configuration Errors
  7. 7. PWN Bones • Payload • Code that is executed within an exploit • These are selected and delivered by the Metasploit Framework • Reverse Shell • The payload creates a connection from the target machine back to the attacker • Bind Shell • “Binds” a command prompt to a listening port on the target machine that the attacker can connect to
  8. 8. PWN Bones • Shellcode • A set of instructions used as a payload when exploitation occurs
  9. 9. PWN Bones • Modules • Whereas Metasploit is concerned, Modules are the pieces of software used by the framework to perform a specific task • Exploit Modules • Auxiliary Modules
  10. 10. PWN Bones • Listeners • A Metasploit Framework component • Waits for incoming connections or Reverse Payloads • Handles the remote connection
  11. 11. PWN Bones • Auxiliary Modules • • • • Reconnaissance Brute-force Fuzzers Custom
  12. 12. PWN Bones • Plugins • Applications that leverage the Metasploit Framework for exploitation • SET • Social Engineers Toolkit • WMAP • Web Application Scanner • Fast-track • Open source Python based tool to help perform advanced penetration testing techniques
  13. 13. PWN Bones • Utilities • MSFPayload • MSFEncode • MSFVenom
  14. 14. PWN Bones – WMAP • WMAP • Web Application “Scanner” • Focuses on utilizing the MSF Web Scanning & Data Collection Modules • Not a “Real” scanner
  15. 15. PWN Bones - SET • SET – Social Engineers Toolkit – Social-Engineer.org • Conceived by Chris Hadnagy (loganWHD) • Written by David Kennedy • Used to perform attacks against human weaknesses exploiting curiosity, credibility, avarice and human stupidity
  16. 16. Metasploit For Web PenTesting
  17. 17. Metasploit For Web PenTesting • Direct Exploits • Host/Server Exploits • Service Exploits • “Feature” Exploits • Browser Exploits • MS10-002 “Aurora” • Tab Nabbing • Browser AutoPWN
  18. 18. Metasploit For Web PenTesting • Direct Exploits • will exploit a specific host, run until completion, and then exit
  19. 19. Metasploit For Web PenTesting • Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc. • They can also be used in conjunction with email exploits, waiting for connections. • Passive exploits report shells as they happen can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.
  20. 20. Metasploit For Web PenTesting • So how does this help me? • This sounds cool, but your full of shit….. Metasploit only works on NetPen tests
  21. 21. Metasploit For Web PenTesting
  22. 22. Metasploit For Web PenTesting • MSFPayload • a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
  23. 23. Metasploit For Web PenTesting
  24. 24. Metasploit For Web PenTesting
  25. 25. Metasploit For Web PenTesting • Start the Metasploit Listener • Use exploit/multi/handler
  26. 26. Metasploit For Web PenTesting
  27. 27. Metasploit For Web PenTesting
  28. 28. OSINT – Information Gathering
  29. 29. OSINT – Information Gathering • Information Gathering or Intelligence Gathering • Create a plan of attack • Gain an in-depth knowledge of the target • Record information for later use
  30. 30. OSINT – Information Gathering • Metasploit & Nmap • Uses Metasploit DB Connection • Stores Target information • • • • Ports Version Banners Scan Details
  31. 31. OSINT – Information Gathering • We need to create a Metasploit Framework DB and DB Connection • First we need to start the DB • service postgressql start
  32. 32. OSINT – Information Gathering • Launch MSFConsole and Connect to the DB • msfconsole
  33. 33. OSINT – Information Gathering • Connect to newly created DB • db_connect msfdev1:Password1@localhost:5432/msfdev2
  34. 34. OSINT – Information Gathering • Closer than Bert and Ernie • Metasploit Framework and Nmap
  35. 35. OSINT – Information Gathering • Calling Nmap from Metasploit Framework • nmap –PN –vvv ….. • Nmap can be called from within MSF and run natively • db_nmap –PN –vvv ….. • db_nmap will store the returned Nmap data to the MSF DB for use later
  36. 36. OSINT – Information Gathering • Metasploit Framework has many other Information Gathering Auxiliary Modules available • • • • • SMB scanning SQL scanning SSH scanning FTP scanning SNMP scanning
  37. 37. HeySexxyLady.pwnme
  38. 38. HeySexxyLady.pwnme • Metasploit Client-side Attacks • Browser Attacks • Buffer Overflow • Code Injection • Heap Spraying
  39. 39. HeySexxyLady.pwnme • Browser Based Exploits • Heap Spraying • “Heap” • Memory that is unallocated and used by the application as needed for the duration of the program’s runtime • NOP • No-Operation Instructions • Assembly Instruction to do Nothing until the next instruction • NOP Slide • Multiple NOP instructions in succession
  40. 40. HeySexxyLady.pwnme • NOP Slide
  41. 41. HeySexxyLady.pwnme • Create Payload • msfpayload windows/shell/bind_tcp LPORT=443 C
  42. 42. HeySexxyLady.pwnme • Copy the “Stage 1” Binary code
  43. 43. HeySexxyLady.pwnme • Copy & Edit the Binary Payload • Remove all un-needed characters • “ • x • Add “90”s to create NOP Slide
  44. 44. HeySexxyLady.pwnme • Load IE In Immunity Debugger
  45. 45. HeySexxyLady.pwnme • Paste the Binary Payload Into the Debugger
  46. 46. HeySexxyLady.pwnme • When Internet Explorer is run within Immunity Debugger the code will be executed
  47. 47. HeySexxyLady.pwnme • Does this work in the real world?
  48. 48. HeySexxyLady.pwnme • MS10-002 “Aurora”
  49. 49. HeySexxyLady.pwnme • Aurora In The Browser
  50. 50. HeySexxyLady.pwnme
  51. 51. HeySexxyLady.pwnme
  52. 52. HeySexxyLady.pwnme
  53. 53. HeySexxyLady.pwnme
  54. 54. Wrap Up Metasploit = Power
  55. 55. Wrap Up • Where can I get more information? • http://www.offensive-security.com/metasploit-unleashed/Introduction • Metasploit: The Penetration Tester's Guide • http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X • www.KizzMyAnthia.com

×