Metasploitation 4 Adultsit’s not family affair…

Murtuja Bharmal

Disclaimer

Courtesy http://entertainment.desktopnexus.com_get_46421

About Me

• Now Work Busy Man….

• Unemployed….

• Interest…. /dev/random….

• Co-founder of null…. :-D

• X-IBMer’s …..

• Dal, Roti ka jugad, Security Consulting/Training

Agenda

Courtesy http://asonchua.com

Agenda

• Basics

• Metasploit Auxiliary

• Database Integration & Exploit Automation

• Client Side Exploit & Extended Usage

• Post Exploitation Fun

• Metasploit Add-ons

Basics

• What is vulnerability?

• What is Exploit?

• What is Payload?

• What is encoder?

Vulnerability

Courtesy http://harryjerry.com

Exploit

Courtesy http://entertainment.in.msn.com

Payload

• Use your imagination

Encoder

• Still Thinking? Ask me offline

Basics

• Vulnerability – Opportunity Window

• Exploit – En-cashing Opportunity

• Payload – En-cashment Window

• Encoder – Masking

How it works?

• Input malicious code Instead of Data

• Malicious code = Exploit Code + Payload

Payload + Exploit

Courtesy http://ivillage.comCourtesy http://guardian.co.uk

Sanitized

You should be at ClubHACK

Exploit Code

Courtesy 1. advice.eharmony.com 3. good-times.webshots.com2. superstock.com 4. sheknows.com

1 2

3 4

Metasploit Framework

• Open Source

• Developed in Ruby

• Easy to Use

• 600+ Exploits

• 200+ payloads

• 25+ encoders

• 300+ auxiliary

Metasploit Auxiliary

Courtesy http://www.flickr.com

Metasploit Architecture

Courtesy http://www.offensive-security.com

Directory Structure

Filesystem And Libraries

• lib: the 'meat' of the framework code base

• data: editable files used by Metasploit

• tools: various useful command-line utilities

• modules: the actual MSF modules

• plugins: plugins that can be loaded at run-time

• scripts: Meterpreter and other scripts

• external: source code and third-party libraries

Courtesy http://www.offensive-security.com/metasploit-unleashed

msfconsole

msfconsole

• It is the only supported way to access most of the features within Metasploit.

• Provides a console-based interface to the framework

• Contains the most features and is the most stable MSF interface

• Full readline support, tabbing, and command completion

• Execution of external commands in msfconsole is possible:

Courtesy http://www.offensive-security.com/metasploit-unleashed

Exploit Modules

Confused how to explain technically?

Courtesy http://www.sunpacmortgage.com

Metasploit – Exploit & Payloads

• Exploit– Active– Passive

• Payload Types– Inline ( Non Staged)– Staged– Meterpreter– PassiveX– NoNX– Ord– IPv6– Reflective DLL injection

Exploit DEMO

Metasploit Auxiliary

• Helper modules for pre-exploitation phase

– Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.

• 300+ Auxiliary modules

We will cover

• SCANNER

• MSSQL

• SNMP

• FTP

Auxiliarry DEMO

Database Integration and Exploit Automation

Data

Courtesy http://www.joy2day.com

Need of Database

SanitizedYou should be at ClubHACK

Need of Database

• Network Penetration Testing

• Easy management/storage of result

• Report Generation

Database Integration& Exploit Automation

• Database Support

• Nmap

• Nessus Bridge

Supported Database

• Mysql - BackTrack 4 r2, MYSQL and Metasploit work

together "out of the box“

• Postgres

• Sqlite3 – file based database, might be pull-off in future

Nmap

• db_nmap command to scan host/network

• Result will be stored in database

• Can view the result using db_hosts and db_services command

NMAP Demo

Nessus Bridge

• Can perform vulnerability scan inside msfconsole

• Supported using nessus bridge plugin

• Use xmlrpc to connect with nessusd

Nessus Bridge Demo

In a Finger tip

• db_autopwn

– Automate exploitation process

– Take target /service/vulnerability info from database

– Spawns a meterpeter shell on success

– Noisy

db_autopwn Demo

Client Side Exploit & Extended Usage

Client Side Exploit

Client Side Exploit & Extended Usage

• Browser autopwn

• Exploiting PDF

• Payload Generation & Back-dooring EXE

• Linux Backdoor

Browser autopwn

• Automate browser based vulnerability exploitation

• Perform browser finger printing

• Auxiliary module server/browser_autopwnle

Browser autopwn Demo

Exploiting PDF

• Most exploited software since last 2 years

• Universally used software for document format

• Favorite carrier for commercial malware toolkit

What all PDF do?

• JavaScript runs under the context of App Object Model

• File Attachment

• XML, SOAP capabilities

• Forms

• Web Services

• Database connections(ADBC)

What’s cracking up?

• Vulnerable APIs– util.printf() (CVE-2008-2992)– getIcons() (CVE-2009-0927)– getAnnots() (CVE-20091492)– customDictionaryOpen() (CVE-2009-1493)– Doc.media.newPlayer (CVE-2009-4324)

• File parsing vulnerabilities – JBIG2( Over a dozen CVE)– libTiff (CVE-2010-0188)

• Social engineered arbit. command execution– PDF escape by Didier Stevens– Not a bug (feature)– Exploitation in the wild

• Embedded Files– libTiff (CVE-2010-0188)

PDF exploitation Demo

Payload Generation and BackdooringEXE

• Payload can be converted to various file format i.e. exe, dll, javascript etc.

• Encode payload to evade antivirus

• Can be embed with third party software/utility

msfpayload & msfencode

Linux Backdoor

• Back-dooring payload with linux package

• Embed payload with deb installation package

Linux Backdooring Demo

Metasploit Add-ons

Metasploit Add-ons

Courtesy http://draftblogmm.blogspot.com

Fast-Track

• Easy Automation

• Utilize Metaspolit Framework on Backend

• Modes

– Interactive

– Web interface

Fast-Track Demo

SET(Social Engineering Toolkit)

• Weakest link in the information security chain is the natural human willingness to accept someone at their word.

• SET focuses on attacking the human element

• Develop in python

• Very easy to use

• Utilize Metaspolit Framework on Backend

SET(Social Engineering Toolkit)

• Operational Mode

– Interactive

– Web Interface

• Configuration file - config/set_config

SET Demo

Post Exploitation Fun

Post Exploitation Fun

What next after getting a Shell?

• One can run the command supported by command prompt/shell.

• So what extra bit control needed to en-cash the opportunity?

Meterpreter

• Meta Interpreter

• Post exploitation payload(tool)

• Uses in-memory DLL injection stagers

• Can be extended over the run time

• Encrypted communication

What can be done?

• Command execution• File Upload/Download• Process migration• Log Deletion• Privilege escalation• Registry modification• Deleting logs and killing antivirus• Backdoors and Rootkits• Pivoting• …..etc.

Demo Meterpreter

Channels

• Communication using TLV (Type-Length-Value)

• Tagging of data with channel number

• Multiple program can be run at victim machine using different channel

Local Lan

Firewall/IPS

INTERNET

DMZ

LAN

12

34

Pivoting

Web Server

Database Server

Demo Pivoting

Courtesy

• http://www.metasploit.com/• http://www.backtrack-linux.org• http://www.offensive-security.com/metasploit-

unleashed/• http://www.secmaniac.com/• http://securitytube.net/• http://vimeo.com/• http://www.irongeek.com/• http://www.windowsecurity.com/whitepapers/Social-

Engineering-The-Weakest-Link.html• http://www.google.co.in

Thank You

Murtuja Bharmalvoid@null.co.in

Courtesy http://blingboo.com