Metasploitation part-1 (murtuja)
Metasploitation 4 Adults: it’s not a family affair…
Murtuja Bharmal
Disclaimer
Courtesy http://entertainment.desktopnexus.com_get_46421
About Me
• Now Work Busy Man….
• Unemployed….
• Interest…. /dev/random….
• Co-founder of null…. :-D
• X-IBMer’s …..
• Dal, Roti ka jugad, Security Consulting/Training
Agenda
Courtesy http://asonchua.com
Agenda
• Basics
• Metasploit Auxiliary
• Database Integration & Exploit Automation
• Client Side Exploit & Extended Usage
• Post Exploitation Fun
• Metasploit Add-ons
Basics
• What is vulnerability?
• What is Exploit?
• What is Payload?
• What is encoder?
Vulnerability
Courtesy http://harryjerry.com
Exploit
Courtesy http://entertainment.in.msn.com
Payload
• Use your imagination
Encoder
• Still Thinking? Ask me offline
Basics
• Vulnerability – Opportunity Window
• Exploit – En-cashing Opportunity
• Payload – En-cashment Window
• Encoder – Masking
How it works?
• Input malicious code instead of data
• Malicious code = Exploit Code + Payload
Payload + Exploit
Courtesy http://ivillage.com
Courtesy http://guardian.co.uk
Sanitized
You should be at ClubHACK
Exploit Code
Courtesy
1. advice.eharmony.com
2. superstock.com
3. good-times.webshots.com
4. sheknows.com
Metasploit Framework
• Open Source
• Developed in Ruby
• Easy to Use
• 600+ Exploits
• 200+ payloads
• 25+ encoders
• 300+ auxiliary
Metasploit Auxiliary
Courtesy http://www.flickr.com
Metasploit Architecture
Courtesy http://www.offensive-security.com
Directory Structure
Filesystem And Libraries
• lib: the 'meat' of the framework code base
• data: editable files used by Metasploit
• tools: various useful command-line utilities
• modules: the actual MSF modules
• plugins: plugins that can be loaded at run-time
• scripts: Meterpreter and other scripts
• external: source code and third-party libraries
Courtesy http://www.offensive-security.com/metasploit-unleashed
msfconsole
msfconsole
• It is the only supported way to access most of the features within Metasploit.
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tabbing, and command completion
• Execution of external commands in msfconsole is possible:
Courtesy http://www.offensive-security.com/metasploit-unleashed
Exploit Modules
Confused how to explain technically?
Courtesy http://www.sunpacmortgage.com
Metasploit – Exploit & Payloads
• Exploit
– Active
– Passive
• Payload Types
– Inline (Non Staged)
– Staged
– Meterpreter
– PassiveX
– NoNX
– Ord
– IPv6
– Reflective DLL injection
Exploit DEMO
Metasploit Auxiliary
• Helper modules for the pre-exploitation phase
– Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.
• 300+ Auxiliary modules
We will cover
• SCANNER
• MSSQL
• SNMP
• FTP
Auxiliary DEMO
Database Integration and Exploit Automation
Data
Courtesy http://www.joy2day.com
Need of Database
Sanitized
You should be at ClubHACK
Need of Database
• Network Penetration Testing
• Easy management/storage of result
• Report Generation
Database Integration& Exploit Automation
• Database Support
• Nmap
• Nessus Bridge
Supported Database
• MySQL – on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"
• Postgres
• SQLite3 – file-based database, might be removed in future
Nmap
• db_nmap command to scan a host/network
• Results are stored in the database
• Results can be viewed using the db_hosts and db_services commands
NMAP Demo
Nessus Bridge
• Can perform a vulnerability scan from inside msfconsole
• Supported via the Nessus bridge plugin
• Uses XML-RPC to connect to nessusd
Nessus Bridge Demo
In a Fingertip
• db_autopwn
– Automates the exploitation process
– Takes target/service/vulnerability info from the database
– Spawns a meterpreter shell on success
– Noisy
db_autopwn Demo
Client Side Exploit & Extended Usage
Client Side Exploit
Client Side Exploit & Extended Usage
• Browser autopwn
• Exploiting PDF
• Payload Generation & Back-dooring EXE
• Linux Backdoor
Browser autopwn
• Automates browser-based vulnerability exploitation
• Performs browser fingerprinting
• Auxiliary module server/browser_autopwn
Browser autopwn Demo
Exploiting PDF
• Most exploited software over the last 2 years
• Universally used document format
• Favorite carrier for commercial malware toolkits
What can PDF do?
• JavaScript runs in the context of the application object model
• File Attachment
• XML, SOAP capabilities
• Forms
• Web Services
• Database connections (ADBC)
What’s cracking up?
• Vulnerable APIs
– util.printf() (CVE-2008-2992)
– getIcons() (CVE-2009-0927)
– getAnnots() (CVE-2009-1492)
– customDictionaryOpen() (CVE-2009-1493)
– Doc.media.newPlayer (CVE-2009-4324)
• File parsing vulnerabilities
– JBIG2 (over a dozen CVEs)
– libTiff (CVE-2010-0188)
• Social engineered arbitrary command execution
– PDF escape by Didier Stevens
– Not a bug (feature)
– Exploitation in the wild
• Embedded Files
– libTiff (CVE-2010-0188)
PDF exploitation Demo
Payload Generation and Backdooring EXE
• Payload can be converted to various file formats, e.g. exe, dll, javascript etc.
• Encode payload to evade antivirus
• Can be embedded in third-party software/utilities
msfpayload & msfencode
Linux Backdoor
• Backdooring a Linux package with a payload
• Embed the payload in a .deb installation package
Linux Backdooring Demo
Metasploit Add-ons
Metasploit Add-ons
Courtesy http://draftblogmm.blogspot.com
Fast-Track
• Easy Automation
• Utilizes the Metasploit Framework on the backend
• Modes
– Interactive
– Web interface
Fast-Track Demo
SET(Social Engineering Toolkit)
• Weakest link in the information security chain is the natural human willingness to accept someone at their word.
• SET focuses on attacking the human element
• Developed in Python
• Very easy to use
• Utilizes the Metasploit Framework on the backend
SET(Social Engineering Toolkit)
• Operational Mode
– Interactive
– Web Interface
• Configuration file - config/set_config
SET Demo
Post Exploitation Fun
Post Exploitation Fun
What next after getting a Shell?
• One can run the commands supported by the command prompt/shell.
• So what extra control is needed to en-cash the opportunity?
Meterpreter
• Meta Interpreter
• Post-exploitation payload (tool)
• Uses in-memory DLL injection stagers
• Can be extended at run time
• Encrypted communication
What can be done?
• Command execution
• File Upload/Download
• Process migration
• Log Deletion
• Privilege escalation
• Registry modification
• Deleting logs and killing antivirus
• Backdoors and Rootkits
• Pivoting
• …..etc.
Demo Meterpreter
Channels
• Communication using TLV (Type-Length-Value)
• Data is tagged with a channel number
• Multiple programs can run on the victim machine using different channels
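The channel tagging described above, as an added example that is not part of the original slides: a constructed, simplified TLV framing (an assumption here, not the exact Meterpreter wire format) in which every packet carries a channel-number TLV next to its data TLV, and a demultiplexer that reassembles the per-channel streams while rejecting malformed lengths. TLV_CHANNEL_ID, TLV_CHANNEL_DATA, demux and the sample packets are all constructed names and data.

```python
import struct

# Constructed, simplified TLV framing (assumption: NOT the exact Meterpreter format).
# Each TLV = 4-byte big-endian length (header + value), 4-byte big-endian type, value.
TLV_CHANNEL_ID = 0x0001    # value: 4-byte channel number
TLV_CHANNEL_DATA = 0x0002  # value: raw bytes belonging to that channel
HEADER_LEN = 8

def encode_tlv(tlv_type, value):
    """Serialise one TLV."""
    return struct.pack(">II", HEADER_LEN + len(value), tlv_type) + value

def decode_tlvs(buf):
    """Parse a buffer into (type, value) pairs, rejecting malformed lengths."""
    tlvs, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = struct.unpack_from(">II", buf, off)
        if length < HEADER_LEN or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        tlvs.append((tlv_type, buf[off + HEADER_LEN:off + length]))
        off += length
    return tlvs

def build_packet(channel_id, data):
    """Tag a chunk of data with its channel number, as the slide describes."""
    return (encode_tlv(TLV_CHANNEL_ID, struct.pack(">I", channel_id))
            + encode_tlv(TLV_CHANNEL_DATA, data))

def demux(packets):
    """Reassemble per-channel byte streams from interleaved packets."""
    channels = {}
    for pkt in packets:
        chan, data = None, b""
        for tlv_type, value in decode_tlvs(pkt):
            if tlv_type == TLV_CHANNEL_ID:
                chan = struct.unpack(">I", value)[0]
            elif tlv_type == TLV_CHANNEL_DATA:
                data += value
        if chan is None:
            raise ValueError("packet carries no channel id")
        channels[chan] = channels.get(chan, b"") + data
    return channels

# Constructed sample: a shell session (channel 1) and a file transfer (channel 2)
# interleaved on one connection.
SAMPLE_PACKETS = [build_packet(1, b"Linux "), build_packet(2, b"%PDF-1.4"),
                  build_packet(1, b"target 2.6.32"), build_packet(2, b" ...")]
```

Running `demux(SAMPLE_PACKETS)` yields one contiguous byte string per channel, which is the property that lets several programs share a single session.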
Pivoting
(Diagram: Local LAN, Firewall/IPS, INTERNET, DMZ, LAN; Web Server, Database Server)
Demo Pivoting
Courtesy
• http://www.metasploit.com/
• http://www.backtrack-linux.org
• http://www.offensive-security.com/metasploit-unleashed/
• http://www.secmaniac.com/
• http://securitytube.net/
• http://vimeo.com/
• http://www.irongeek.com/
• http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html
• http://www.google.co.in