The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
Introduction To Exploitation & Metasploit
1.
2. What is penetration testing ?
It’s the process to identify security vulnerabilities in an
application by evaluating the system or network with
various malicious techniques.
A penetration testing is a method of evaluating the
security of a computer system.
Purpose of this test is to secure important data from
outsiders like hackers who can have unauthorized
access to system.
3. What is penetration testing ?
Once vulnerability is identified it is used to exploit
system in order to gain access to sensitive information.
Causes of vulnerabilities:
- Design and development errors
- Poor system configuration
- Human errors
4. Why conduct a penetration
testing?
Government data must be secured while transferring
between different systems.
Protecting your brand by avoiding loss of consumer
confidence and business reputation.
To secure user data.
To find security vulnerabilities in an application.
5. What can be tested ?
Operating system, applications, database, networking
equipments etc.
Dynamic websites, in-house applications etc.
Telephony (war-dialing, remote access etc.)
Personnel (screening process, social engineering etc.)
Physical (access controls, dumpster diving etc.)
Wireless (wifi, Bluetooth, IR, GSM, RFID etc.)
6. What is metasploit ?
The Metasploit project is an open-source, computer
security project which provides information about
security vulnerabilities and aids in penetration testing
and IDS signature development.
Metasploit is an framework which is used for the
hacking of different kinds of applications, operating
systems, web applications etc.
7. What is metasploit ?
Metasploit contain various exploits, payloads, modules
etc.
Metasploit Framework is especially used by many of
the hackers to generate payloads and attack the
systems.
As Metasploit is an open source where any one can use
it. This framework supports different operating
systems like windows, linux ,mac os x etc.
8. Metasploit terms
Exploit used to take advantage of a security flaw
within a system, network, or application.
Payload is code that our victim computer to
execute by the Metasploit framework.
Module a small piece of code that can be added to
the Metasploit framework to execute an attack.
Shell-code a small piece of code used as a payload.
9. What is a vulnerability?
A vulnerability is a security hole in a piece of software,
hardware or operating system that provides a potential
angle to attack the system.
A vulnerability can be as simple as weak passwords or
as complex as buffer overflows or SQL injection
vulnerabilities.
10. What is an exploit?
To take advantage of a vulnerability, you often need an
exploit, a small and highly specialized computer
program whose only reason of being is to take
advantage of a specific vulnerability and to provide
access to a computer system.
Exploits often deliver a payload to the target system to
grant the attacker access to the system.
11. What is a payload?
A payload is the piece of software that lets you control
a computer system after it’s been exploited.
The payload is typically attached to and delivered by
the exploit.
Metasploit most popular payload is called Meterpreter,
which enables you to do all sorts of funky stuff on the
target system. For example, you can upload and
download files from the system, take screenshots, and
collect password hashes etc.
12. What is msfconsole ?
MSFconsole is an all-in-one interface to most of the
features in Metasploit.
MSFconsole can be used to launch attacks, creating
listeners, and much, much more.
Commands :
Show exploits
Show payloads
Show options
Use exploit
13. Commands
set payload
Set LHOST
Set RHOST
Back
Info
Session
Session –l
Session –i 1
14. Meterpreter commands
Getuid -> show uid
Ps -> show active process
Migrate -> command used when hacker want to
migrate his process to any administrative privileges
process.
Hashdump -> to dump password hash.
Screenshot -> to take screenshot of victim.
Shell -> to enter into the victim shell.
download C:<file name>
upload C:<file name>