DefCamp 2013 - MSF Into The Worm Hole
2. Who Is This Ugly Dude In Front of Me?
Kizz MyAnthia
Senior Penetration Tester
HP Fortify – ShadowLabs
@Kizz_My_Anthia
www.KizzMyAnthia.com
3. Who Is This Ugly Dude In Front of Me?
• Background:
• Penetration Tester for 13 years
• Network Engineer for 15 years
• In IT for 18 years
• Regulatory Technology Tester for 5 years
• Specializes in mobile technologies and communications
• Social Engineering
• Physical Security
4.
• Introduction
• PWN Bones
• Metasploit Framework Parts
• Metasploit for Web PenTesting
• Direct Exploits
• Browser Exploits
• HeySexxyLady.pwnme
• Client-side Attacks
• Wrap Up
6. The PWN Bone is connected to the ‘sploit bone
• Metasploit is a Framework built like a skeletal structure
• Each part builds on the others
• Exploit
• Payload
• Shellcode
• Modules
• Listeners
• Auxiliary Modules
• Plugins
• Utilities
7. PWN Bones
• Exploit
• The means by which an attacker, or pen tester, takes advantage of a flaw within a system, application, or service.
• Common exploits include:
• Buffer Overflows
• SQL Injections
• Configuration Errors
8. PWN Bones
• Payload
• Code that is executed within an exploit
• These are selected and delivered by the Metasploit Framework
• Reverse Shell
• The payload creates a connection from the target machine back to the attacker
• Bind Shell
• “Binds” a command prompt to a listening port on the target machine that the attacker can connect to
10. PWN Bones
• Modules
• Where Metasploit is concerned, Modules are the pieces of software used by the framework to perform a specific task
• Exploit Modules
• Auxiliary Modules
11. PWN Bones
• Listeners
• A Metasploit Framework component
• Waits for incoming connections or Reverse Payloads
• Handles the remote connection
13. PWN Bones
• Plugins
• Applications that leverage the Metasploit Framework for exploitation
• SET
• Social Engineers Toolkit
• WMAP
• Web Application Scanner
• Fast-track
• Open source Python based tool to help perform advanced penetration testing techniques
15. PWN Bones – WMAP
• WMAP
• Web Application “Scanner”
• Focuses on utilizing the MSF Web Scanning & Data Collection Modules
• Not a “Real” scanner
16. PWN Bones - SET
• SET – Social Engineers Toolkit – Social-Engineer.org
• Conceived by Chris Hadnagy (loganWHD)
• Written by David Kennedy
• Used to perform attacks against human weaknesses, exploiting curiosity, credibility, avarice and human stupidity
18. Metasploit For Web PenTesting
• Direct Exploits
• Host/Server Exploits
• Service Exploits
• “Feature” Exploits
• Browser Exploits
• MS10-002 “Aurora”
• Tab Nabbing
• Browser AutoPWN
19. Metasploit For Web PenTesting
• Direct Exploits
• Will exploit a specific host, run until completion, and then exit
20. Metasploit For Web PenTesting
• Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc.
• They can also be used in conjunction with email exploits, waiting for connections.
• Passive exploits report shells as they happen; these can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.
21. Metasploit For Web PenTesting
• So how does this help me?
• This sounds cool, but you're full of shit….. Metasploit only works on NetPen tests
23. Metasploit For Web PenTesting
• MSFPayload
• A command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
30. OSINT – Information Gathering
• Information Gathering or Intelligence Gathering
• Create a plan of attack
• Gain an in-depth knowledge of the target
• Record information for later use
31. OSINT – Information Gathering
• Metasploit & Nmap
• Uses Metasploit DB Connection
• Stores Target information
• Ports
• Version
• Banners
• Scan Details
32. OSINT – Information Gathering
• We need to create a Metasploit Framework DB and DB Connection
• First we need to start the DB
• service postgresql start
33. OSINT – Information Gathering
• Launch MSFConsole and Connect to the DB
• msfconsole
34. OSINT – Information Gathering
• Connect to newly created DB
• db_connect msfdev1:Password1@localhost:5432/msfdev2
35. OSINT – Information Gathering
• Closer than Bert and Ernie
• Metasploit Framework and Nmap
36. OSINT – Information Gathering
• Calling Nmap from Metasploit Framework
• nmap -PN -vvv …..
• Nmap can be called from within MSF and run natively
• db_nmap -PN -vvv …..
• db_nmap will store the returned Nmap data to the MSF DB for use later
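The db_nmap step above imports Nmap's XML output into the MSF DB as hosts and services (ports, versions, banners). The following is an added Ruby example, not code from the slides or from Metasploit itself, showing what that import boils down to: it parses a constructed Nmap -oX document into host/service records and filters to the open services a tester would feed to later modules.

```ruby
require "rexml/document"
# Constructed sample Nmap XML (not a real scan), in the -oX format db_nmap imports.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -Pn -vvv -sV -oX - 10.0.0.5">
    <host>
      <status state="up"/>
      <address addr="10.0.0.5" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open"/>
          <service name="ssh" product="OpenSSH" version="6.2p2" extrainfo="protocol 2.0"/>
        </port>
        <port protocol="tcp" portid="80">
          <state state="open"/>
          <service name="http" product="Apache httpd" version="2.2.22"/>
        </port>
        <port protocol="tcp" portid="445">
          <state state="filtered"/>
          <service name="microsoft-ds"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML
# Returns [{ addr:, services: [{ port:, proto:, state:, name:, info: }] }] for each live host.
def parse_nmap_xml(xml)
  hosts = []
  REXML::Document.new(xml).elements.each("nmaprun/host") do |h|
    status = h.elements["status"]
    addr   = h.elements["address[@addrtype='ipv4']"]
    next unless status && addr && status.attributes["state"] == "up"
    services = []
    h.elements.each("ports/port") do |p|
      svc = p.elements["service"]
      # Banner-style info column: product, version and extra info, whichever are present.
      info = svc ? %w[product version extrainfo].map { |a| svc.attributes[a] }.compact.join(" ") : ""
      services << { port: p.attributes["portid"].to_i, proto: p.attributes["protocol"],
                    state: p.elements["state"].attributes["state"],
                    name: svc && svc.attributes["name"], info: info }
    end
    hosts << { addr: addr.attributes["addr"], services: services }
  end
  hosts
end
# Only open services are candidates for later exploit or auxiliary modules.
def open_services(hosts)
  hosts.flat_map do |h|
    h[:services].select { |s| s[:state] == "open" }.map { |s| s.merge(addr: h[:addr]) }
  end
end
```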
37. OSINT – Information Gathering
• Metasploit Framework has many other Information Gathering Auxiliary Modules available
• SMB scanning
• SQL scanning
• SSH scanning
• FTP scanning
• SNMP scanning
40. HeySexxyLady.pwnme
• Browser Based Exploits
• Heap Spraying
• “Heap”
• Memory that is unallocated and used by the application as needed for the duration of the program’s runtime
• NOP
• No-Operation Instructions
• Assembly Instruction to do Nothing until the next instruction
• NOP Slide
• Multiple NOP instructions in succession
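The long NOP slides that heap sprays depend on are also what makes them detectable. As an added Ruby example (not from the slides), this scans a byte string for the longest run of single-byte x86 NOP-equivalents and flags it against a threshold; the sample buffers are constructed, with 0xCC bytes standing in for shellcode.

```ruby
# 0x90 is NOP; 0x40..0x4F (inc/dec eax..edi) are the classic single-byte
# NOP substitutes on 32-bit x86. Note that uppercase ASCII 'A'..'O' fall in
# that range too, so the threshold has to be well above normal text runs.
NOP_EQUIVALENTS = ([0x90] + (0x40..0x4F).to_a).freeze

# Returns [length, offset] of the longest run of NOP-equivalent bytes.
def longest_nop_run(bytes)
  best_len = best_off = 0
  run_len = run_off = 0
  bytes.each_byte.with_index do |b, i|
    if NOP_EQUIVALENTS.include?(b)
      run_off = i if run_len.zero?
      run_len += 1
      best_len, best_off = run_len, run_off if run_len > best_len
    else
      run_len = 0
    end
  end
  [best_len, best_off]
end

# A run at or above the threshold is treated as a NOP slide.
def nop_slide?(bytes, threshold = 32)
  longest_nop_run(bytes).first >= threshold
end

# Constructed samples: a sprayed block (sled followed by a 0xCC stand-in for
# shellcode) and a benign HTTP request that must not trigger.
SPRAY_BLOCK = (("\x90" * 200) + ("\xCC" * 8)).b
BENIGN_TEXT = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n".b
```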
56. Wrap Up
• Where can I get more information?
• http://www.offensive-security.com/metasploit-unleashed/Introduction
• Metasploit: The Penetration Tester's Guide
• http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X
• www.KizzMyAnthia.com