2. We’ve completed our recon and learned as much about the organization and network as we could by visiting public sites
We’ve verified targets and identified services used and potential vulnerabilities via ping sweeps, port scans, OS fingerprinting, and banner grabbing
Now the real fun begins…
3. Exploits may have unintended consequences (e.g., crashing a service or a server)
Mitigate such risks by:
Obtaining your exploit tools from reliable sources. If the site provides a hash value, verify the integrity of your downloads
Experimenting with the tools in a lab environment which mimics the client’s production network as closely as possible
Explaining the risks to the client before executing exploits
4. Large number of nmap scripts
◦ Used to find exploitable vulnerabilities
◦ Written in the NASL scripting language
To execute all nmap scripts:
nmap -A IP-address
5. Nessus by Tenable
◦ Automatic vulnerability scanning tool
◦ Used to be free to all; now free (with limitations) for home use, otherwise commercial (license >= $1,500 per year)
Open Vulnerability Assessment System (OpenVAS)
◦ Free
◦ Branched off from Nessus when the latter went commercial
◦ Fewer and different plug-ins than Nessus
6. Brute force login attacks (password guessing)
◦ medusa
◦ THC Hydra
Password cracking and rainbow tables will be discussed in chapter 10
7. Fuzzing: Providing a program with different data in the hopes of finding usable anomalies
◦ Often used in web attacks, but can be used anywhere there is user input
◦ Note: This is a very noisy type of attack
JBroFuzz attempts to find directories located on a web server by fuzzing directory names
◦ Available via the Open Web Application Security Project (OWASP)
8. Tool beloved by security experts and black hats alike
Community edition is free for students and small companies
Framework which gives one access to hundreds of different exploits and payloads, with more being added daily
◦ Exploit: The code that lets you use a vulnerability to deliver a payload (think: bomber)
◦ Payload: The code that you are trying to get to run (think: bomb). Common payloads are a reverse shell and the meterpreter
9. Launch Metasploit
◦ msfconsole
Explore exploits (optional) and payloads
◦ show exploits
◦ show payloads
◦ search type:exploit search-string
Specify exploit
◦ use path/exploitname
◦ use auxiliary/scanner/ftp/anonymous
Specify payload
◦ set PAYLOAD path/payloadname
10. Explore exploit options (optional)
◦ show options
Provide values for options
◦ set RHOSTS 70.0.0.3
◦ set RPORT 21
◦ set LHOST 192.168.0.4
◦ set LPORT 3456
Execute the exploit
◦ exploit
11. Background a meterpreter session
◦ Ctrl+Z
Show list of sessions
◦ sessions -l (That is a lower case el, not the number 1)
Interact with a session (e.g., session 2)
◦ sessions -i 2
Quit the program
◦ exit
12. Metasploit is extremely powerful and versatile. The book shows a few sample exploits. As you have time, explore additional exploits and their options. We’ll be looking at payloads next chapter
13. www.exploit-db.com (Note that the book has a typo on page 236)
Beware of downloaded code!
◦ Consider the source
◦ Examine it
◦ Check its hash if appropriate
◦ Run it in a test environment first
14. Remember the SANS Top 10?
Service misconfiguration
Overflow flaw
Information leakage