Metasploitation 4 Adults: it’s not family affair… Murtuja Bharmal

Metasploitation part-1 (murtuja)

Description: Slightly NSFW, be careful

Page 1: Metasploitation part-1 (murtuja)

Metasploitation 4 Adults: it’s not family affair…

Murtuja Bharmal

Page 2: Metasploitation part-1 (murtuja)

Disclaimer

Courtesy http://entertainment.desktopnexus.com_get_46421

Page 3: Metasploitation part-1 (murtuja)

About Me

• Now: Work… Busy Man…

• Unemployed…

• Interests: /dev/random…

• Co-founder of null… :-D

• Ex-IBMer…

• Dal-roti ka jugad (earning a living): Security Consulting/Training

Page 4: Metasploitation part-1 (murtuja)

Agenda

Courtesy http://asonchua.com

Page 5: Metasploitation part-1 (murtuja)

Agenda

• Basics

• Metasploit Auxiliary

• Database Integration & Exploit Automation

• Client Side Exploit & Extended Usage

• Post Exploitation Fun

• Metasploit Add-ons

Page 6: Metasploitation part-1 (murtuja)

Basics

• What is vulnerability?

• What is Exploit?

• What is Payload?

• What is encoder?

Page 7: Metasploitation part-1 (murtuja)

Vulnerability

Courtesy http://harryjerry.com

Page 8: Metasploitation part-1 (murtuja)

Exploit

Courtesy http://entertainment.in.msn.com

Page 9: Metasploitation part-1 (murtuja)

Payload

• Use your imagination

Page 10: Metasploitation part-1 (murtuja)

Encoder

• Still Thinking? Ask me offline

Page 11: Metasploitation part-1 (murtuja)

Basics

• Vulnerability – the opportunity window (a flaw that lets attacker input be treated as code)

• Exploit – en-cashing the opportunity (the code that triggers the flaw)

• Payload – what gets en-cashed (the code that runs once the exploit has succeeded)

• Encoder – masking (transforms the payload so it contains no "bad characters" the exploit cannot deliver, and so it no longer matches a known signature)

Page 12: Metasploitation part-1 (murtuja)

How it works?

• Supply malicious code where the program expects data

• Malicious input = Exploit Code + Payload
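The "masking" an encoder performs, as an added example that is not from the slides: a toy single-byte XOR encoder in Ruby (the language the framework is written in). The sample payload bytes, the bad-character set and the helper names are this example's own; real Metasploit encoders such as x86/shikata_ga_nai work the same way in principle but emit the decoder as machine code in front of the encoded bytes, whereas here the decoder is plain Ruby so the round trip can be checked offline.

```ruby
# Added example, not from the slides: a toy single-byte XOR encoder that masks
# a payload so none of its bytes collides with the exploit's "bad characters".

# Constructed sample payload (made-up bytes). It contains 0x00, 0x0a and 0x0d,
# which a strcpy()- or gets()-based overflow could never deliver intact.
SAMPLE_PAYLOAD = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x00\x0a\x0d\xff".b.freeze
BAD_CHARS     = "\x00\x0a\x0d".b.freeze

# XOR every byte with the key; XOR is its own inverse, so decoding is the same operation.
def xor_encode(payload, key)
  payload.bytes.map { |b| b ^ key }.pack('C*')
end

def xor_decode(encoded, key)
  xor_encode(encoded, key)
end

def contains_bad_chars?(blob, bad_chars)
  !(blob.bytes & bad_chars.bytes).empty?
end

# Search for a key such that the encoded payload is bad-char free. The key is
# rejected if it is itself a bad char, because the decoder stub must embed it.
# Returns nil when no single-byte key works (the failure mode a real encoder
# reports as "failed to encode"); a real framework would then try another encoder.
def find_xor_key(payload, bad_chars)
  (1..255).find do |key|
    !bad_chars.bytes.include?(key) &&
      !contains_bad_chars?(xor_encode(payload, key), bad_chars)
  end
end

# Returns { key:, encoded: } or raises when the payload cannot be masked this way.
def encode_payload(payload, bad_chars)
  key = find_xor_key(payload, bad_chars)
  raise "no single-byte XOR key avoids bad chars #{bad_chars.unpack1('H*')}" unless key
  { key: key, encoded: xor_encode(payload, key) }
end

if __FILE__ == $0
  result = encode_payload(SAMPLE_PAYLOAD, BAD_CHARS)
  puts format('key 0x%02x, encoded %s', result[:key], result[:encoded].unpack1('H*'))
  puts "round trip ok: #{xor_decode(result[:encoded], result[:key]) == SAMPLE_PAYLOAD}"
end
```

The point to take away is that the encoder changes the bytes on the wire, not what the payload does: after the decoder runs, the original payload is back in memory, which is also why encoding alone is a weak defence against antivirus that inspects behaviour rather than bytes.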

Page 13: Metasploitation part-1 (murtuja)

Payload + Exploit

Courtesy http://ivillage.com, http://guardian.co.uk

Sanitized – You should be at ClubHACK

Page 14: Metasploitation part-1 (murtuja)

Exploit Code

Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com

Page 15: Metasploitation part-1 (murtuja)

Metasploit Framework

• Open Source

• Developed in Ruby

• Easy to Use

• 600+ Exploits

• 200+ payloads

• 25+ encoders

• 300+ auxiliary

Page 16: Metasploitation part-1 (murtuja)

Metasploit Auxiliary

Courtesy http://www.flickr.com

Page 17: Metasploitation part-1 (murtuja)

Metasploit Architecture

Courtesy http://www.offensive-security.com

Page 18: Metasploitation part-1 (murtuja)

Directory Structure

Page 19: Metasploitation part-1 (murtuja)

Filesystem And Libraries

• lib: the 'meat' of the framework code base

• data: editable files used by Metasploit

• tools: various useful command-line utilities

• modules: the actual MSF modules

• plugins: plugins that can be loaded at run-time

• scripts: Meterpreter and other scripts

• external: source code and third-party libraries

Courtesy http://www.offensive-security.com/metasploit-unleashed

Page 20: Metasploitation part-1 (murtuja)

msfconsole

Page 21: Metasploitation part-1 (murtuja)

msfconsole

• It is the only supported way to access most of the features within Metasploit.

• Provides a console-based interface to the framework

• Contains the most features and is the most stable MSF interface

• Full readline support, tabbing, and command completion

• External commands can be executed from within msfconsole (a command the console does not recognise is passed to the operating system shell)

Courtesy http://www.offensive-security.com/metasploit-unleashed

Page 22: Metasploitation part-1 (murtuja)
Page 23: Metasploitation part-1 (murtuja)

Exploit Modules

Confused how to explain technically?

Courtesy http://www.sunpacmortgage.com

Page 24: Metasploitation part-1 (murtuja)

Metasploit – Exploit & Payloads

• Exploit
  – Active (connects out to a target service)
  – Passive (waits for a client to connect, e.g. browser exploits)

• Payload Types
  – Inline (Non-Staged)
  – Staged
  – Meterpreter
  – PassiveX
  – NoNX
  – Ord
  – IPv6
  – Reflective DLL injection
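What "Staged" means in the list above, as an added example that is not from the slides: an inline (single) payload carries everything in the exploit buffer, while a staged payload puts only a small stager there, which connects back, reads a 4-byte little-endian length and then reads that many bytes of second stage before handing them to an executor. The length-prefix framing is the one Metasploit's reverse_tcp stagers use; the in-process pipe, the thread driving both sides and the "stage" bytes are this example's stand-ins so it runs offline.

```ruby
# Added example, not from the slides: a staged payload delivery simulated over
# an in-process pipe instead of a network socket.

STAGE = ('second-stage code, constructed sample ' * 200).b.freeze  # ~7.6 KB, far larger than the stager

# Handler side (the listener): announce the length, then stream the stage.
def handler_send_stage(io, stage)
  io.write([stage.bytesize].pack('V'))
  io.write(stage)
  stage.bytesize
end

# Read exactly n bytes even if they arrive in pieces; a short read is an error,
# not a silently truncated stage.
def read_exact(io, n)
  buf = ''.b
  while buf.bytesize < n
    chunk = io.read(n - buf.bytesize)
    raise EOFError, "stream closed after #{buf.bytesize}/#{n} bytes" if chunk.nil? || chunk.empty?
    buf << chunk
  end
  buf
end

# Stager side: tiny logic, bounded so a hostile listener cannot make the
# stager allocate an arbitrary amount of memory.
def stager_receive_stage(io, max_len = 16 * 1024 * 1024)
  len = read_exact(io, 4).unpack1('V')
  raise "refusing oversized stage (#{len} bytes)" if len.zero? || len > max_len
  read_exact(io, len)
end

# Drive both ends over a pipe in two threads so the blocking reads complete.
def staged_delivery(stage)
  rd, wr = IO.pipe
  rd.binmode
  wr.binmode
  sender = Thread.new do
    handler_send_stage(wr, stage)
    wr.close
  end
  received = stager_receive_stage(rd)
  sender.join
  rd.close
  received
end

if __FILE__ == $0
  got = staged_delivery(STAGE)
  puts "stager received #{got.bytesize} bytes, matches stage: #{got == STAGE}"
end
```

The trade-off this shows is why both types exist: the staged variant fits into a much smaller overflow buffer, but the session depends on a second network round trip that a firewall or IPS can interrupt, whereas the inline variant needs room for the whole payload up front.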

Page 25: Metasploitation part-1 (murtuja)

Exploit DEMO

Page 26: Metasploitation part-1 (murtuja)

Metasploit Auxiliary

• Helper modules for the pre-exploitation phase

– Admin, DoS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc.

• 300+ Auxiliary modules

Page 27: Metasploitation part-1 (murtuja)

We will cover

• SCANNER

• MSSQL

• SNMP

• FTP

Page 28: Metasploitation part-1 (murtuja)

Auxiliary DEMO

Page 29: Metasploitation part-1 (murtuja)

Database Integration and Exploit Automation

Page 30: Metasploitation part-1 (murtuja)

Data

Courtesy http://www.joy2day.com

Page 31: Metasploitation part-1 (murtuja)

Need of Database

SanitizedYou should be at ClubHACK

Page 32: Metasploitation part-1 (murtuja)

Need of Database

• Network Penetration Testing

• Easy management/storage of result

• Report Generation

Page 33: Metasploitation part-1 (murtuja)

Database Integration& Exploit Automation

• Database Support

• Nmap

• Nessus Bridge

Page 34: Metasploitation part-1 (murtuja)

Supported Database

• MySQL – on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"

• PostgreSQL

• SQLite3 – file-based database; support may be dropped in future

Page 35: Metasploitation part-1 (murtuja)
Page 36: Metasploitation part-1 (murtuja)

Nmap

• db_nmap command scans a host/network with nmap

• Results are stored in the database

• View the results with the db_hosts and db_services commands (renamed hosts and services in later Metasploit versions)
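The import behind db_nmap, as an added example that is not from the slides or from the framework's own code: Ruby that turns nmap -oX output into the host and service records db_hosts and db_services display, then selects targets from them. The XML is a constructed sample rather than a real scan, the helper names are this example's own, and the choice to keep only hosts that are up and ports reported open is this example's (it is what you want when the records will drive scanners).

```ruby
require 'rexml/document'

# Added example, not from the slides: parse nmap XML into host/service records
# and pick RHOSTS for an auxiliary scanner from them.

# Constructed sample of nmap -oX output, not a real scan result.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/30">
    <host>
      <status state="up"/>
      <address addr="10.0.0.1" addrtype="ipv4"/>
      <hostnames><hostname name="gw.example.test"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
        <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="10.0.0.2" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
        <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server" version="2005"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="10.0.0.3" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

def xml_attr(el, name)
  el && el.attributes[name]
end

# Returns { hosts: [...], services: [...] }. Hosts that are down and ports not
# reported "open" are skipped; "open|filtered" UDP guesses are not recorded.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  REXML::XPath.each(doc, '/nmaprun/host') do |h|
    next unless xml_attr(h.elements['status'], 'state') == 'up'
    address = xml_attr(REXML::XPath.first(h, "address[@addrtype='ipv4']"), 'addr')
    next unless address
    hosts << { address: address, name: xml_attr(REXML::XPath.first(h, 'hostnames/hostname'), 'name') }
    REXML::XPath.each(h, 'ports/port') do |p|
      next unless xml_attr(p.elements['state'], 'state') == 'open'
      svc = p.elements['service']
      services << {
        host: address,
        port: xml_attr(p, 'portid').to_i,
        proto: xml_attr(p, 'protocol'),
        name: xml_attr(svc, 'name'),
        info: [xml_attr(svc, 'product'), xml_attr(svc, 'version')].compact.join(' ')
      }
    end
  end
  { hosts: hosts, services: services }
end

# Hosts offering a given service, e.g. to set RHOSTS for an MSSQL, SNMP or FTP scanner.
def rhosts_for(result, service_name)
  result[:services].select { |s| s[:name] == service_name }.map { |s| s[:host] }.uniq
end

if __FILE__ == $0
  result = parse_nmap_xml(SAMPLE_NMAP_XML)
  result[:services].each { |s| puts format('%-10s %5d/%s %-9s %s', s[:host], s[:port], s[:proto], s[:name], s[:info]) }
  puts "MSSQL targets: #{rhosts_for(result, 'ms-sql-s').join(' ')}"
end
```

Keeping the service name and version string next to the host is what later makes exploit selection possible at all; a scan imported without version detection (nmap -sV) gives the database little to match exploits against.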

Page 37: Metasploitation part-1 (murtuja)

NMAP Demo

Page 38: Metasploitation part-1 (murtuja)

Nessus Bridge

• Vulnerability scans can be run from inside msfconsole

• Provided by the nessus bridge plugin (load nessus)

• Uses XML-RPC to talk to nessusd

Page 39: Metasploitation part-1 (murtuja)
Page 40: Metasploitation part-1 (murtuja)
Page 41: Metasploitation part-1 (murtuja)

Nessus Bridge Demo

Page 42: Metasploitation part-1 (murtuja)

In a Finger tip

• db_autopwn

– Automates the exploitation process

– Takes target/service/vulnerability info from the database

– Spawns a Meterpreter shell on success

– Noisy: it fires every matching exploit at every matching host (it was later removed from the framework)

Page 43: Metasploitation part-1 (murtuja)
Page 44: Metasploitation part-1 (murtuja)

db_autopwn Demo

Page 45: Metasploitation part-1 (murtuja)

Client Side Exploit & Extended Usage

Page 46: Metasploitation part-1 (murtuja)

Client Side Exploit

Page 47: Metasploitation part-1 (murtuja)

Client Side Exploit & Extended Usage

• Browser autopwn

• Exploiting PDF

• Payload Generation & Back-dooring EXE

• Linux Backdoor

Page 48: Metasploitation part-1 (murtuja)

Browser autopwn

• Automates browser-based vulnerability exploitation

• Performs browser fingerprinting (the visiting browser is probed before exploits are served to it)

• Auxiliary module server/browser_autopwn

Page 49: Metasploitation part-1 (murtuja)

Browser autopwn Demo

Page 50: Metasploitation part-1 (murtuja)

Exploiting PDF

• Among the most exploited software of the last two years

• Universally used document format

• Favourite carrier for commercial malware toolkits

Page 51: Metasploitation part-1 (murtuja)

What can a PDF do?

• Run JavaScript in the context of the Acrobat JavaScript object model (app, doc, util…)

• Attach files

• XML and SOAP capabilities

• Forms

• Web services

• Database connections (ADBC)

Page 52: Metasploitation part-1 (murtuja)

What’s cracking up?

• Vulnerable APIs
  – util.printf() (CVE-2008-2992)
  – getIcons() (CVE-2009-0927)
  – getAnnots() (CVE-2009-1492)
  – customDictionaryOpen() (CVE-2009-1493)
  – Doc.media.newPlayer (CVE-2009-4324)

• File parsing vulnerabilities
  – JBIG2 (over a dozen CVEs)
  – libTIFF (CVE-2010-0188)

• Social-engineered arbitrary command execution
  – "Escape from PDF" by Didier Stevens (the /Launch action)
  – Not a bug: a feature
  – Exploited in the wild

• Embedded files
  – libTIFF (CVE-2010-0188)
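A triage check for the features the two slides above list, as an added example that is not from the slides: pdfid-style counting of the names that give a PDF active content (JavaScript, /OpenAction and /AA triggers, the /Launch action, embedded files) after undoing the #xx hex escapes the PDF syntax allows inside names, since malicious documents write /J#61vaScript to dodge naive string matching. The two PDFs are constructed samples, and the name list and verdict wording are this example's own. It does not inflate FlateDecode streams, so content hidden in compressed object streams is out of scope.

```ruby
# Added example, not from the slides: count the PDF names that indicate active
# content, robust to the #xx name-escape obfuscation seen in exploit kits.

RISKY_NAMES = %w[/JS /JavaScript /OpenAction /AA /Launch /EmbeddedFile /RichMedia /XFA /ObjStm].freeze

# Constructed sample: a minimal PDF with no active content.
BENIGN_PDF = "%PDF-1.4\n" \
  "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" \
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" \
  "trailer << /Root 1 0 R >>\n%%EOF\n"

# Constructed sample: runs a /Launch action on open and carries obfuscated JavaScript.
LAUNCH_PDF = "%PDF-1.4\n" \
  "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n" \
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" \
  "3 0 obj << /Type /Action /S /La#75nch /Win << /F (cmd.exe) /P (/c calc) >> >> endobj\n" \
  "4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n" \
  "trailer << /Root 1 0 R >>\n%%EOF\n"

# Undo PDF name hex escapes: /J#61vaScript -> /JavaScript
def normalize_pdf_names(data)
  data.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Count each risky name. The lookahead stops /AA matching /AAX and
# /EmbeddedFile matching the /EmbeddedFiles name tree.
def scan_pdf(data)
  text = normalize_pdf_names(data.b)
  RISKY_NAMES.map { |n| [n, text.scan(/#{Regexp.escape(n)}(?![A-Za-z0-9])/).size] }.to_h
end

# Turn the counts into a one-line verdict an analyst can act on.
def pdf_verdict(counts)
  reasons = []
  reasons << 'JavaScript' if counts['/JS'] + counts['/JavaScript'] > 0
  reasons << 'auto-run trigger (/OpenAction or /AA)' if counts['/OpenAction'] + counts['/AA'] > 0
  reasons << '/Launch action (external command)' if counts['/Launch'] > 0
  reasons << 'embedded file' if counts['/EmbeddedFile'] > 0
  reasons.empty? ? 'no active content found' : "suspicious: #{reasons.join(', ')}"
end

if __FILE__ == $0
  { 'benign' => BENIGN_PDF, 'launch' => LAUNCH_PDF }.each do |label, pdf|
    counts = scan_pdf(pdf)
    puts "#{label}: #{pdf_verdict(counts)} #{counts.reject { |_, v| v.zero? }}"
  end
end
```

A /Launch hit is the case the slide calls "not a bug": the reader behaves as designed, so there is no patch to look for, only the question of why a document needs to start an external program at all.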

Page 53: Metasploitation part-1 (murtuja)

PDF exploitation Demo

Page 54: Metasploitation part-1 (murtuja)

Payload Generation and Backdooring EXE

• A payload can be emitted in various formats, i.e. exe, dll, JavaScript etc.

• Encode the payload to evade signature-based antivirus (encoders were built to remove bad characters, and most AV engines now recognise the common decoder stubs, so this alone is unreliable)

• Can be embedded in a third-party program/utility

Page 55: Metasploitation part-1 (murtuja)

msfpayload & msfencode (since folded into the single msfvenom tool)

Page 56: Metasploitation part-1 (murtuja)

Linux Backdoor

• Backdooring a Linux package with a payload

• Embed the payload in a .deb installation package (e.g. started from the package's postinst maintainer script)

Page 57: Metasploitation part-1 (murtuja)

Linux Backdooring Demo

Page 58: Metasploitation part-1 (murtuja)

Metasploit Add-ons

Page 59: Metasploitation part-1 (murtuja)

Metasploit Add-ons

Courtesy http://draftblogmm.blogspot.com

Page 60: Metasploitation part-1 (murtuja)

Fast-Track

• Easy Automation

• Uses the Metasploit Framework on the back end

• Modes

– Interactive

– Web interface

Page 61: Metasploitation part-1 (murtuja)

Fast-Track Demo

Page 62: Metasploitation part-1 (murtuja)

SET(Social Engineering Toolkit)

• Weakest link in the information security chain is the natural human willingness to accept someone at their word.

• SET focuses on attacking the human element

• Developed in Python

• Very easy to use

• Uses the Metasploit Framework on the back end

Page 63: Metasploitation part-1 (murtuja)

SET(Social Engineering Toolkit)

• Operational Mode

– Interactive

– Web Interface

• Configuration file - config/set_config

Page 64: Metasploitation part-1 (murtuja)

SET Demo

Page 65: Metasploitation part-1 (murtuja)

Post Exploitation Fun

Page 66: Metasploitation part-1 (murtuja)

Post Exploitation Fun

Page 67: Metasploitation part-1 (murtuja)

What next after getting a shell?

• You can run whatever the command prompt/shell supports.

• So what extra control is needed to en-cash the opportunity fully?

Page 68: Metasploitation part-1 (murtuja)

Meterpreter

• Meta-Interpreter

• Post-exploitation payload (tool)

• Uses in-memory DLL injection stagers (nothing is written to disk)

• Can be extended at run time (extensions such as stdapi and priv are loaded over the existing session)

• Encrypted communication

Page 69: Metasploitation part-1 (murtuja)

What can be done?

• Command execution
• File upload/download
• Process migration
• Log deletion
• Privilege escalation
• Registry modification
• Deleting logs and killing antivirus
• Backdoors and rootkits
• Pivoting
• … etc.

Page 70: Metasploitation part-1 (murtuja)

Demo Meterpreter

Page 71: Metasploitation part-1 (murtuja)

Channels

• Communication uses TLV (Type-Length-Value) packets

• Data is tagged with a channel number

• Multiple programs can run on the victim machine at once, each over its own channel
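The framing the slide describes, as an added example that is not from the slides or from Meterpreter's source: TLV packets with a channel-id tag, and the demultiplexer that reassembles two programs' interleaved output into separate streams. The framing used here is 4-byte big-endian length (header included), 4-byte big-endian type, value; the type numbers, the "packet" wrapper and the sample stream are this example's own choices, not Meterpreter's real constants.

```ruby
# Added example, not from the slides: TLV framing with channel tagging and a
# demultiplexer. Type constants below are made up for this example.

TLV_TYPE_CHANNEL_ID = 0x0001
TLV_TYPE_DATA       = 0x0002
TLV_TYPE_PACKET     = 0x0003

def tlv_pack(type, value)
  [value.bytesize + 8, type].pack('NN') + value.b
end

# Parse a blob into [type, value] pairs, refusing truncated or inconsistent
# lengths instead of reading past the buffer.
def tlv_unpack_all(blob)
  tlvs = []
  off = 0
  while off < blob.bytesize
    raise "truncated TLV header at offset #{off}" if blob.bytesize - off < 8
    len, type = blob.byteslice(off, 8).unpack('NN')
    raise "bad TLV length #{len} at offset #{off}" if len < 8 || off + len > blob.bytesize
    tlvs << [type, blob.byteslice(off + 8, len - 8)]
    off += len
  end
  tlvs
end

# One packet = channel-id TLV + data TLV, wrapped in an outer packet TLV.
def channel_packet(channel_id, data)
  inner = tlv_pack(TLV_TYPE_CHANNEL_ID, [channel_id].pack('N')) + tlv_pack(TLV_TYPE_DATA, data)
  tlv_pack(TLV_TYPE_PACKET, inner)
end

# Reassemble per-channel byte streams from packets that arrived interleaved.
def demux(stream)
  channels = Hash.new { |h, k| h[k] = ''.b }
  tlv_unpack_all(stream).each do |type, body|
    next unless type == TLV_TYPE_PACKET
    fields = tlv_unpack_all(body).to_h
    cid = fields.fetch(TLV_TYPE_CHANNEL_ID).unpack1('N')
    channels[cid] << fields.fetch(TLV_TYPE_DATA)
  end
  channels
end

# Constructed sample: output of two programs (channels 1 and 2) interleaved on one transport.
def sample_stream
  channel_packet(1, 'uid=0(root) '.b) +
    channel_packet(2, 'PING 10.0.0.2 '.b) +
    channel_packet(1, "gid=0(root)\n".b) +
    channel_packet(2, "64 bytes from 10.0.0.2\n".b)
end

if __FILE__ == $0
  demux(sample_stream).each { |cid, data| puts "channel #{cid}: #{data.inspect}" }
end
```

The length checks in tlv_unpack_all are the part worth copying: a TLV parser that trusts the length field is itself a memory-safety bug waiting to be exploited, on either end of the session.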

Page 72: Metasploitation part-1 (murtuja)

Pivoting

[Diagram: attacker on the INTERNET, through the Firewall/IPS, into the DMZ (Web Server) and from there into the internal LAN (Database Server); steps 1–4 marked along the path]

Page 73: Metasploitation part-1 (murtuja)

Demo Pivoting

Page 74: Metasploitation part-1 (murtuja)

Courtesy

• http://www.metasploit.com/
• http://www.backtrack-linux.org
• http://www.offensive-security.com/metasploit-unleashed/
• http://www.secmaniac.com/
• http://securitytube.net/
• http://vimeo.com/
• http://www.irongeek.com/
• http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html
• http://www.google.co.in

Page 75: Metasploitation part-1 (murtuja)

Thank You

Murtuja Bharmal, [email protected]

Courtesy http://blingboo.com