The document discusses exploiting vulnerabilities using Metasploits, including an introduction to exploits and payloads, an overview of the Metasploit framework, examples of using exploits like windows/dcerpc/ms03_026_dcom with payloads like windows/meterpreter/bind_tcp, and a discussion of pivoting and using compromised systems to attack other targets on the same network.
The following paper was submitted as my thesis for the RWSP certification. Thought others may find interest in it.
Abstract
Research indicates that current trends in information security threats outpace the security controls that reduce and/or eliminate information security vulnerabilities. This document examines the approach of achieving maximum information security defensibility by utilizing effective offensive testing. Compared are the differences in the effectiveness of security testing by performing a controlled test, referred to as "vanilla" testing, and a responsibly orchestrated blackhat test. Contrary to popular industry belief, realistic "adversarial" testing can be accomplished in a responsible manner without the consequences of "bringing down the house." Offered are arguments, costs associated with testing, and counterpoints against organizational decisions that disallow certain types of testing. Blackhat-based testing is similar to what a malicious and structured attacker would perform, and it is believed that by performing "blackhat" testing, we are taking a "realistic" approach to vulnerability testing. This is the proper route to take to ensure fully scoping the potential vulnerabilities in a given environment in an effort to maintain proper defensibility.
2013 Toorcon San Diego: Building Custom Android Malware for Penetration Testing - Stephan Chenette
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is in writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
A Comparative Study between Vulnerability Assessment and Penetration Testing - Yogesh, IJTSRD
The Internet has drastically changed in the past decade. Now the Internet carries more business than before and therefore there is an increase in Advanced Persistent Threat groups and adversaries. After all the advancement in technology and innovation, web application security is still a challenge for most organizations all over the world, because every time APT groups and threat actors use different Tactics, Techniques and Procedures (TTPs) for exploiting an organization. There can be many techniques to mitigate such attacks, such as defensive coding, hardening the system firewall, implementing IDS and IPS, use of SIEM tools, etc. The solution contains monitoring different logs and events and regular assessment of the organization's network, which is known as Vulnerability Assessment, a generalized or sequenced review of a security system; the other one is penetration testing, also known popularly as ethical hacking or red teaming assessment, where the client's testers pose as real hackers and try to penetrate into the company's network to check if it's really secure or not. In this paper we will be comparing these two methods and techniques and also decide at the end which of the above two methods is superior and why. Sharique Raza | Feon Jaison "A Comparative Study between Vulnerability Assessment and Penetration Testing" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-3, April 2021, URL: https://www.ijtsrd.com/papers/ijtsrd41145.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/41145/a-comparative-study-between-vulnerability-assessment-and-penetration-testing/sharique-raza
Hiding in Plain Sight: The Danger of Known Vulnerabilities - Imperva
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0 days"), many of today's high-profile breaches are caused by "Known Vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components and are inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development enables attackers to quickly and repeatedly locate and exploit vulnerabilities in application components - making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of "Known Vulnerabilities" and examine the scope of the problem (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit (3) reveal techniques for limiting the damage resulting from "Known Vulnerabilities" exploitation.
As the software world evolves, more and more companies rely on 3rd party applications and software components as part of their infrastructure. However, this approach does not come without risks.
The implementation of 3rd party applications has its advantages, chief among them shortened development time frames and increased software maturity. Despite these obvious benefits, organizations must remain aware of potential security implications. This presentation will:
- Explain how 3rd party software vulnerabilities might lead to a data breach
- Deliver examples of incidents and how they occur
- Discuss the effectiveness of patching
Application of Attack Graphs in Intrusion Detection Systems: An Implementation - CSCJournals
Internet attacks have continuously increased in the last years, in terms of scale and complexity, challenging the existing defense solutions with new complications and making them almost ineffective against multi-stage attacks, in particular the intrusion detection systems, which fail to identify such complex attacks. An attack graph is a modeling technique used to visualize the different steps an attacker might select to achieve his end game, based on existing vulnerabilities and weaknesses in the system. This paper studies the application of attack graphs in intrusion detection and prevention systems (IDS/IPS) in order to better identify complex attacks based on predefined models, configurations, and alerts. As a "proof of concept", a tool is developed which interfaces with the well-known SNORT [1] intrusion detection system and matches the alerts with an attack graph generated using the NESSUS [2] vulnerability scanner (maintained up-to-date using the National Vulnerability Database (NVD) [3]) and the MULVAL [4] attack graph generation library. The tool allows one to keep track of the attacker's activities along the different stages of the attack graph.
Ethical Hacking and VAPT presentation by Suvrat Jain - Suvrat Jain
A perfect example of your 6-week summer training PPT. Course: Ethical Hacking, its info, and VAPT (Vulnerability Assessment and Penetration Testing): how vulnerability scanning works, tools used, cracking passwords, etc.
The Security Vulnerability Assessment Process & Best Practices - Kellep Charles
Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control Lists (ACLs) and firewalls.
To effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assessees are on the same page.
This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp... - ESET Middle East
This white paper focuses on the dramatic growth in the number and severity of software vulnerabilities, and discusses how multilayered endpoint security is needed to mitigate the threats they pose.
A Security Analysis Framework Powered by an Expert System - CSCJournals
Today's IT systems are facing a major challenge in confronting the fast rate of emerging security threats. Although many security tools are being employed within organizations in order to stand up to these threats, the information revealed is very inferior in providing a rich understanding of the consequences of the discovered vulnerabilities. We believe expert systems can play an important role in capturing security expertise from various sources in order to provide the informative deductions we are looking for from the supplied inputs. Throughout this research effort, we have built the Open Security Knowledge Engineered (OpenSKE) framework (http://code.google.com/p/openske), which is a security analysis framework built around an expert system in order to reason over the security information collected from external sources. Our implementation has been published online in order to facilitate and encourage online collaboration to increase the practical research within the field of security analysis.
Vulnerability scanners: a proactive approach to assess web application security - ijcsa
With the increasing concern for security in the network, many approaches are laid out that try to protect the network from unauthorised access. New methods have been adopted in order to find the potential discrepancies that may damage the network. The most commonly used approach is the vulnerability assessment. By vulnerability, we mean the potential flaws in the system that make it prone to attack. Assessment of these system vulnerabilities provides a means to identify and develop new strategies so as to protect the system from the risk of being damaged. This paper focuses on the usage of various vulnerability scanners and their related methodology to detect the various vulnerabilities present in web applications or on a remote host across the network, and tries to identify new mechanisms that can be deployed to secure the network.
Exploring the Social Engineering Toolkit (SET) Using Backtrack 5R3 - IJERA Editor
The Linux operating system is revered by many professionals because of its versatile nature. As many network security professionals, particularly ethical hackers, use Linux in an extensive way, did we ever observe how and why the number of hackers was growing day to day? Not only professionals but everyone is unleashing their hacking potential with the help of the Backtrack 5R3 operating system, which is a comprehensive toolkit for security auditing. This paper emphasizes the so-called SET (Social Engineering Toolkit). In a pen-testing scenario, alongside uncovering vulnerabilities in the hardware and software systems and exploiting them, the most effective of all is penetrating the human mind to extract the desired information. Such devious techniques are known as social engineering, and computer-based software tools to facilitate this form the basis of the Social Engineering Toolkit.
The project entitled "Network Security System" is related to hacking attacks on computer systems over the Internet. In today's world many computer systems and servers are not secure because of the increase in hacking attacks and in hackers with growing information, so the requirement for information security specialists has gone up.
When developers' APIs simplify user-mode rootkit development - Yury Chemerkin
This is a series of articles about shell extensions that enhance high-level features of any operating system. However, such possibilities not only enrich the platform but simplify developing trojans and exploits, which leads to new security holes. Mostly this kind of extension is known as a user-mode rootkit.
http://hakin9.org/theultimat/
System hacking is the way hackers get access to individual computers on a network. ... This course explains the main methods of system hacking (password cracking, privilege escalation, spyware installation, and keylogging) and the countermeasures IT security professionals can take to fight these attacks.
Metasploit (Module-1) - Getting Started With Metasploit - Anurag Srivastava
Vulnerability and exploitation framework designed to ease the burden on security professionals when it comes to performing security assessments.
One of the single most useful auditing tools freely available to security professionals today.
Contains an extensive library of "modules."
Each module has a function, and they are divided up into "exploits", "auxiliary", "post" (post exploitation), "payloads", "encoders", and "nops".
A Project Report On "Exploiting Vulnerabilities Of Operating System Using Metasploits"
Submitted By Mr. Amit Vikas Kumbhar
To Mr. Sandeep Kumar, Appin Technology Lab, Jayanagar, Bangalore
IT Security and Ethical Hacking
Contents
Introduction
Exploits
  Classification
Metasploit
  History of Metasploit
  Use Of Metasploit
  Metasploit Framework
Exploit
  Definition
  Types Of Exploits
Payload
  Definition
  Types Of Payload
  Functions Of Payload
Graphical Overview of Metasploit
Steps for exploiting Vulnerabilities
  Pre-Exploiting Phase
  Lab setup
  Exploiting Phase
  Example 1) Exploit: windows/dcerpc/ms03_026_dcom, Payload: windows/add_user
  Example 2) Exploit: windows/dcerpc/ms03_026_dcom, Payload: windows/generic_shell_bind_tcp
  Example 3) Exploit: windows/dcerpc/ms03_026_dcom, Payload: windows/meterpreter/bind_tcp
Introduction :-
How tough is it to really compromise a system? Most security professionals are aware that attacking and penetrating network devices is getting easier while attack sophistication is getting more complex. In large part this phenomenon is due to the old adage of "standing on the shoulders of giants." Many system researchers uncovered the security weaknesses in common system design years ago, and as security professionals they shared the information. This allows someone with little understanding of system architecture to perform more complex attacks than ever thought possible.
For a security professional it is possible to compromise a system without spending months learning a programming language and years learning system architecture. We can actually use technology to assist in performing system penetration. Products like Core Security's Core Impact and Immunity's Canvas have been providing this type of functionality for a few years now. These manufacturers do not just provide the technology; they also provide training and support for their products to allow a qualified professional to perform a more methodical penetration test. It makes the task of compromising a system easier for a security administrator.
The previously mentioned utilities are both fee-based products, but more recently an open source product has become a common sight in penetration testing kits. This utility is called Metasploit™. Both Windows and Linux users can take advantage of the Metasploit™ product to perform a penetration test or system compromise. The utility itself is written in several programming languages, including Perl, C, and assembler.
This environment provides many ready-to-use exploits and also allows the security tester to customize them or to create their own exploit. The basic process for using the Metasploit™ console is not the most intuitive, but I think this was done to discourage the least skilled script kiddies from attempting to penetrate a system using this specific utility.
Exploits :-
An exploit (from the same word in the French language, meaning "achievement" or "accomplishment") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system, allowing privilege escalation, or a denial of service attack.
Vulnerability :-
A vulnerability is a weakness which allows an attacker to break into or compromise system security.
Classification :-
There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client applications also exist, usually consisting of modified servers that send an exploit if accessed with a client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering methods. This is the hacker's way of getting into computers and websites for stealing data.
Another classification is by the action against the vulnerable system: unauthorised data access, arbitrary code execution, denial of service.
Many exploits are designed to provide superuser-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root.
Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as 'zero day exploits', and obtaining access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies.
Types :-
Exploits are commonly categorized and named by these criteria:
- The type of vulnerability they exploit (see the article on vulnerabilities for a list)
- Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote)
- The result of running the exploit (EoP, DoS, spoofing, etc.)
Pivoting :- Pivoting refers to a method used by penetration testers that uses a compromised system to attack other systems on the same network, to avoid restrictions such as firewall configurations which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping.
Pivoting can further be distinguished into proxy pivoting and VPN pivoting:
Proxy pivoting generally describes the practice of channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer. This type of pivoting is restricted to the TCP and UDP ports that are supported by the proxy.
VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if she were behind the firewall.
Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit.
7. 7 | P a g e
“The Metasploit Framework is a development platform for creating security
tools and exploits. The framework is used by network security professionals
to perform penetration tests, system administrators to verify patch
installations, product vendors to perform regression testing, and security
researchers world-wide.”
History of Metasploit :-
The Metasploit project was originally started as a network security game by four
core developers.
It then developed gradually into a Perl-based framework for running, configuring,
and developing exploits for well-known vulnerabilities. The 2.1 stable version of
the product was released in June 2004. Since then, the development of the product
and the addition of new exploits and payloads have rapidly increased.
The Metasploit Project is an open-source computer security project which
provides information about security vulnerabilities and aids in penetration testing
and IDS signature development. Its most well-known sub-project is the Metasploit
Framework, a tool for developing and executing exploit code against a remote
target machine. Other important sub-projects include the Opcode Database,
shellcode archive, and security research.
The Metasploit Project is also well-known for anti-forensic and evasion tools,
some of which are built into the Metasploit Framework.
Metasploit was created by HD Moore in 2003 as a portable network game using
the Perl scripting language. Later, the Metasploit Framework was completely
rewritten in the Ruby programming language. It is most notable for releasing some
of the most technically sophisticated exploits to public security vulnerabilities. In
addition, it is a powerful tool for third-party security researchers to investigate
potential vulnerabilities. On October 21, 2009 the Metasploit Project announced
that it had been acquired by Rapid7, a security company that provides unified
vulnerability management solutions.
Like comparable commercial products such as Immunity's Canvas or Core Security
Technologies' Core Impact, Metasploit can be used to test the vulnerability of
computer systems in order to protect them, and it can be used to break into remote
systems. Like many information security tools, Metasploit can be used for both
legitimate and unauthorized activities. Since the acquisition of the Metasploit
Framework, Rapid7 has added a commercial edition called Metasploit Express,
while keeping the Metasploit Framework updated and free.
Metasploit's emerging position as the de facto vulnerability development
framework has led in recent times to the release of software vulnerability
advisories often accompanied by a third party Metasploit exploit module that
highlights the exploitability, risk, and remediation of that particular bug.
Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to
discover software vulnerabilities in the first instance, rather than merely writing
exploits for currently public bugs. This new avenue has been seen with the
integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November,
2006.
Metasploit use :-
Metasploit came about primarily to provide a framework for penetration testers to
develop exploits. The typical life cycle of a vulnerability and its exploitation is as
follows:
1. Discovery :- A security researcher or the vendor discovers a critical security
vulnerability in the software.
2. Disclosure :- The security researcher either adheres to a responsible disclosure
policy and informs the vendor, or discloses it on a public mailing list. Either way,
the vendor needs to come up with a patch for the vulnerability.
3. Analysis :- The researcher or others across the world begin analyzing the
vulnerability to determine its exploitability. Can it be exploited? Remotely? Would
the exploitation result in remote code execution, or would it simply crash the
remote service? What is the length of the exploit code that can be injected? This
phase also involves debugging the vulnerable application as malicious input is
injected to the vulnerable piece of code.
4. Exploit Development :- Once the answers to the key questions are determined,
the process of developing the exploit begins. This has usually been considered a bit
of a black art, requiring an in-depth understanding of the processor's registers,
assembly code, offsets, and payloads.
5. Testing :- This is the phase where the coder now checks the exploit code against
various platforms, service packs, or patches, and possibly even for different
processors (e.g., Intel, SPARC, and so on).
6. Release :- Once the exploit is tested, and the specific parameters required for its
successful execution have been determined, the coder releases the exploit, either
privately or on a public forum. Often, the exploit is tweaked so that it does not
work right out of the box. This is usually done to dissuade script kiddies from
simply downloading the exploit and running it against a vulnerable system.
Metasploit Framework :-
This modularity of allowing to combine any exploit with any payload is the major
advantage of the Framework: it facilitates the tasks of attackers, exploit writers,
and payload writers.
Versions of the Metasploit Framework since v3.0 are written in the Ruby
programming language. The previous version, 2.7, was implemented in Perl. It
runs on all versions of Unix (including Linux and Mac OS X), and also on
Windows. It includes two command line interfaces, a web-based interface and a
native GUI. The web interface is intended to be run from the attacker's computer.
The Metasploit Framework can be extended to use external add-ons in multiple
languages.
To choose an exploit and payload, some information about the target system is
needed such as operating system version and installed network services. This
information can be gleaned with port scanning and OS fingerprinting tools such
as nmap. Nessus can, in addition, detect the target system's vulnerabilities.
In April 2010, Rapid7 released Metasploit Express, which is a commercial version
of Metasploit. Based on the Metasploit Framework, it offers a graphical user
interface, integrates nmap for discovery, and adds smart bruteforcing as well as
automated evidence collection. Rapid7 has a full-featured 7-day trial for Metasploit
Express.
Exploits :-
An exploit is code which allows an attacker to take advantage of a vulnerable
system.
Exploit Types :-
Pretty much any protocol UDP, TCP, SMB, HTTP, FTP, SMTP, TFTP,
SSH, etc
Active, Passive, Brute-Force
Remote, Local, User-Interaction (technically remote category)
Remote: windows/dcerpc/ms03_026_dcom
Local: no real local examples, but doable
User-Interaction--All your browser, “have to click on something,” type
exploits
windows/browser/ms06_013_createtextrange
Payloads :-
A payload is arbitrary code that is to be executed upon successful exploitation. It is
the actual code which runs on the system after exploitation.
Types Of Payloads :-
1) Single [shell_reverse_tcp = inline (single)] :-
A self-contained payload that performs a specific task
Size varies depending on the task
Example: Reverse or bind command shell
2) Stager [shell/reverse_tcp = stager] :-
A stub payload that loads / bootstraps a stage
Size generally much smaller than single payloads
Passes connection information onto the stage
3) Stage :-
Similar to a single payload, but takes advantage of staging.
Uses connection passed from the stager.
Not subject to size limitations of individual vulnerabilities
A stager can also be a stage
Functions of Payloads :-
Bind Shell: sets up a socket, binds it to a specific port and listens for a connection.
Upon accepting a connection it spawns a shell. The victim has to allow incoming
connections on the selected port.
Reverse Shell: instead of binding to a port and waiting for a connection, the
shellcode simply connects to a predefined IP and port number and spawns a shell.
Find Tag: find-socket style payloads that search for a socket based on the
presence of a tag on the wire.
Find_Port: payloads that search for a socket by comparing peer port names
relative to the target machine.
Ordinal Payloads: use static ordinals in WS2_32.DLL to locate symbol
addresses. This leads to very tiny Win32 stagers (92-byte reverse, 93-byte findsock).
Reverse Http: called PassiveX payloads in 2.x. Tunnels communication over
HTTP using IE 6. The payload modifies the registry and launches IE; IE loads a
custom ActiveX control to stage the payload. Uses standard IE proxy and
authorization settings. Can be used to inject VNC, Meterpreter or custom DLLs.
Adduser: executes net user x x /add & net localgroup administrators x /add
Downloadexec: downloads a .exe from a URL and executes it
Uploadexec: uploads a .exe from the local computer and executes it
Exec: executes a command of your choice
Dllinject: injects a custom DLL (you'll have to supply the DLL)
VNCinject: injects a custom VNC server DLL into memory
Meterpreter: the super payload, a custom DLL injected into memory (more on
Day 2); tons of post-exploitation tools
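To illustrate the host-side traces that the bind shell and reverse shell payloads above leave, here is an added defender-side check (example code, not from the original paper or the Metasploit project): it parses a constructed `netstat -ano` capture and flags listeners on ports outside an allowlist and established connections leaving the lab subnet. The port allowlist, the lab subnet and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Constructed `netstat -ano` capture modelled on the lab target 192.168.23.133.
# The 0.0.0.0:4444 listener models a bind_tcp payload on Metasploit's default
# port; the connection to 203.0.113.9 models a reverse_tcp payload calling out.
# 203.0.113.9 is a documentation address, not a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1580
  TCP    192.168.23.133:1043    192.168.23.1:445       ESTABLISHED     4
  TCP    192.168.23.133:1044    203.0.113.9:4444       ESTABLISHED     1580
  UDP    0.0.0.0:500            *:*                                    748
"""

# Assumptions for the example: ports the lab host is expected to expose, and
# the network inside which outbound connections are considered normal.
EXPECTED_LISTEN_PORTS = {135, 139, 445}
LAB_NETWORK = ipaddress.ip_network("192.168.23.0/24")


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        local_addr, local_port = parts[1].rsplit(":", 1)
        foreign_addr, foreign_port = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_addr": local_addr, "local_port": int(local_port),
            "foreign_addr": foreign_addr, "foreign_port": foreign_port,
            "state": parts[3] if parts[0] == "TCP" else "",  # UDP has no state
            "pid": int(parts[-1]),
        })
    return rows


def audit_connections(text, expected_ports=EXPECTED_LISTEN_PORTS, lab_net=LAB_NETWORK):
    """Flag bind-shell style listeners (unexpected LISTENING port) and
    reverse-shell style sessions (ESTABLISHED to a peer outside the lab)."""
    findings = []
    for row in parse_netstat(text):
        if row["state"] == "LISTENING" and row["local_port"] not in expected_ports:
            findings.append(("unexpected_listener", row["local_port"], row["pid"]))
        elif row["state"] == "ESTABLISHED":
            try:
                peer = ipaddress.ip_address(row["foreign_addr"])
            except ValueError:
                continue  # e.g. "*" placeholder addresses
            if peer not in lab_net:
                findings.append(("outbound_to_external",
                                 f"{peer}:{row['foreign_port']}", row["pid"]))
    return findings
```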
Opcode Database
The Opcode Database is an important resource for writers of new exploits. Buffer
overflow exploits on Windows often require precise knowledge of the position of
certain machine language opcodes in the attacked program or included DLLs.
These positions differ in the various versions and patch-levels of a given operating
system, and they are all documented and conveniently searchable in the Opcode
Database. This allows one to write buffer overflow exploits which work across
different versions of the target operating system.
Shellcode Database
The Shellcode database contains the payloads (also known as shellcode) used by
the Metasploit Framework. These are written in assembly language and full source
code is available.
Graphical Overview of Metasploit :-
Steps for exploiting Vulnerabilities :-
1. Choosing and configuring an exploit (code that enters a target system by
taking advantage of one of its bugs; about 300 different exploits for
Windows, Unix/Linux and Mac OS systems are included);
2. Checking whether the intended target system is susceptible to the chosen
exploit (optional);
3. Choosing and configuring a payload (code that will be executed on the
target system upon successful entry, for instance a remote shell or a VNC
server);
4. Choosing the encoding technique to encode the payload so that the Intrusion
Prevention System (IPS) will not catch the encoded payload;
5. Executing the exploit.
Pre–Exploiting Phase :-
Using exploits for penetration testing is legal, hence penetrating your own
system environment will not be illegal. But as I don't have a real-time
environment, I have created it using some third-party software and operating
systems as given below.
1) Install VMware/Virtual PC, which allows you to install various operating
systems and use them at the same time. This software also creates a virtual
network between the host operating systems and your own operating system,
so beginners can do real practice or penetration on their own.
2) Install the Metasploit Framework on the attacker's system and start
penetrating the host operating systems installed in VMware.
Lab Setup
Own operating system – Windows XP professional
Service pack 3
IP Address – 192.168.23.1
Host operating system 1 – Windows XP professional 2002
Services pack 1
IP Address – 192.168.23.131
Host operating system 2 – Windows XP professional
Services pack 2
IP Address – 192.168.23.133
Exploiting Vulnerability :-
1) Exploit :- windows/dcerpc/ms03_026_dcom
Payload :- windows/adduser
Rport :- 135
Rhost :- 192.168.23.131
Steps - Click on msfconsole in the program list on the Start button. It shows the
screen below.
Steps – Use any exploit from the list of exploits using the keyword “use” followed
by the exploit name.
Steps – View the exploit's options with “show options” and fill them with
appropriate values using the “set” keyword.
Steps – This is the target host operating system on VMware, whose IP address is
192.168.23.131.
Steps – Set the value of RHOST to the target IP address. Set the other default
values if you want to change them.
Steps - To see the list of payloads use the command “show payloads” and select
the payload you want with the “set PAYLOAD” keyword followed by the payload
name.
Steps - Type “show options” again to see the payload's values and set them
appropriately. Set TARGET to match the target operating system if there are
multiple targets shown in the options.
Steps - To exploit the vulnerability type the keyword “exploit”; it will start
attacking the given target system.
Steps – Target system after exploiting the vulnerability: it created a new user
account “Metasploit” with password “metasploit” with administrator privileges.
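A defender-side check for the effect of the adduser payload shown above, added here as an example that is not part of the original paper: it parses `net localgroup administrators` output (constructed baseline and post-exploitation samples) and reports the accounts that joined the group. The baseline membership is an assumption for the example.

```python
# Constructed snapshots of `net localgroup administrators` output from the
# lab target (192.168.23.131). BASELINE is assumed to be taken before the
# test; AFTER models the host after the windows/adduser payload ran.
BASELINE = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
meet
The command completed successfully.
"""

AFTER = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Metasploit
meet
The command completed successfully.
"""


def parse_members(text):
    """Return the member names listed between the dashed separator and the
    closing status line of `net localgroup <group>` output."""
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def new_admins(baseline_text, current_text):
    """Accounts present in the current administrators group but absent from
    the baseline; on the lab target this surfaces the "Metasploit" account
    created by the adduser payload."""
    before = set(parse_members(baseline_text))
    after = set(parse_members(current_text))
    return sorted(after - before)


if __name__ == "__main__":
    for account in new_admins(BASELINE, AFTER):
        print(f"new local administrator: {account}")
```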
2) Exploit :- windows/dcerpc/ms03_026_dcom
Payload :- generic/shell_bind_tcp
Rport :- 135
Rhost :- 192.168.23.131
Steps – Select any exploit.
Step - Set the IP address of the target system with “set RHOST” followed by the
IP.
Step – Set PAYLOAD generic/shell_bind_tcp.
Step :- Use the “exploit” command to execute the attack on the target system.
Step :- Browsing the target system. Created a folder named “system
Hacked” on the Desktop.
Screen shot :- This is the screen shot of the target system after the attack, where
you can see the folder named “Hacked system” which was remotely created by the
attacker; this identifies that the system is vulnerable.
Remotely created folder on target system
3) Exploit :- windows/dcerpc/ms03_026_dcom
Payload :- windows/meterpreter/bind_tcp
Rport :- 135
Rhost :- 192.168.23.133
The windows/dcerpc/ms03_026_dcom exploit is selected to exploit the target
system's vulnerability.
Here the options are checked using the command “show options”.
In this step the PAYLOAD windows/meterpreter/bind_tcp is set to attack the
target system.
This step starts exploiting the target system.
Here, using the “ipconfig” command, the IP address and other useful
information is obtained.
Using Metasploit core commands we can read, write or delete data on the
target system as shown below.
Here, by file extension or file name, we can search for any file in any directory
as shown below. I typed “search -d c: -f *.txt” to search for all text files, which
shows the following result.
As per the search I found a file named “Confidential.txt” on the desktop of
user “meet”, so I went to the path where the file exists and downloaded it
with the command “download Confidential.txt”.
The previously downloaded file is copied to the local attacker's system in the
“Metasploit” folder in Program Files as shown below.
Downloaded confidential file from Target system remotely
Here is the file we downloaded; as we can see from the attacker's system, it
resides on the target's desktop.
Here we deleted that file from the storage device of the target system.
Now you can see that the file we deleted is no longer visible on the desktop,
since it has been deleted.