Offensive Security with Metasploit

•

4 gefällt mir•1,062 views

egypt

Offensive Security
with Metasploit
15 October 2015
TX DIR Telecommunications Forum
1

James Lee
@egyp7
Metasploit Developer
Community Manager
# whoami
2

What is Metasploit?
A tool for
● Reconnaissance
● Exploitation
● Post-exploitation
A Data Clearinghouse
A framework for improving and automating all
of the above

Golden Era (up to mid-late 1990s)
Silver Era (mid-late 1990s to mid 2000s)
Modern Era (late 2000s to now)

Golden Era
Centralized Computing
Universities, Research Orgs

Golden Era Exploitation
Credentials
Configuration errors

Silver Era (mid 1990s)
Practical portable systems
Rise of WiFi
Much greater use of technical mitigation

Silver Era Exploitation
Credentials
The rise of client-sides
The rise of web exploitation

Email Worms
ILOVEYOU
Sircam
Sobig
MyDoom

Server-side Worms
ms00-078 IIS, solaris sadmin
ms01-033 IIS
(big list of vectors)
ms02-039 SQLServer
ms03-026 dcom
ms04-011 lsass
ms05-039
ms08-067
Sadmind
Code Red
Nimda
Slammer
Blaster
Sasser
Zotob
Conficker

The web is the Internet
Ubiquitous mobile computing
Secure Development Lifecycle (SDLC)
Modern Era

An exploit converts
illegitimate access into
legitimate access

If exploits are getting
harder, where do we go?

Back to Golden Era Exploitation
Credentials
Configuration errors

Modern Era Exploitation
Credentials
Configuration errors

Windows authentication
NTLM hashes stored in SAM
Logons handled by LSASS.exe
● Cached for Single Sign On

Mimikatz
In-memory Windows password stealer
● Plaintext password extraction
● Meterpreter extension

Core
Private
Public
Realm
Blank Username
SNMP Community
NTLM Hash
SMB Domain
Postgres DB
Username
Password
SSH Key
Non-replayable Hash
Oracle SID

SMB Authentication
Auth request; host:BOB

SMB Authentication
Auth request; host:BOB
Challenge

user:bob, bob’s hash encrypted with Challenge
SMB Authentication
Auth request; host:BOB
Challenge

SMB Authentication
Auth request; host:BOB
Challenge
Login successful
user:bob, bob’s hash encrypted with Challenge

SMB Relay
Auth
request;
host:BO
B
Auth request; host:BOB

SMB Relay
Auth request; host:BOB
Challenge
Auth
request;
host:BO
B

SMB Relay
Auth request; host:BOB
Challenge
Auth
request;
host:BO
B
Challenge

SMB Relay
Auth request; host:BOB
Challenge
user:bob, bob’s hash encrypted with
Challenge
Auth
request;
host:BO
B
Challenge

SMB Relay
Auth request; host:BOB
Challenge
user:bob, bob’s hash encrypted with
Challenge
Auth
request;
host:BO
B
Challenge
user:bob, bob’s
hash
encrypted
with
Challenge

SMB Relay
Auth request; host:BOB
Challenge
user:bob, bob’s hash encrypted with
Challenge
Login
successful
Auth
request;
host:BO
B
Challenge
user:bob, bob’s
hash
encrypted
with
Challenge

Pivoting
Two* methods in Metasploit
● Route
● Portfwd
* Mostly

SMB Relay
Disable WPAD
Block outbound SMB
Enforce SMB 2.x only
Require signing

Windows Authentication
Don’t give users Local Admin
LAPS - Local Administrator Password Solution

Password Theft
KB2871997
● Disables digest auth
● LSASS still has NTLM hashes
Don’t log into everything as DA

Pivoting
Segmentation
Egress filters
Audit logons

Weitere ähnliche Inhalte

Andere mochten auch

Metasploit for Penetration Testing: Beginner Class

Georgia Weidman

MAITAINING ACCESS

Tensor

Backtrak guide

Children International

Lateral Movement by Default

InnoTech

The 2014 was a dark period for the security of Linux systems and more, the year began with the heartbleed vulnerability that has plagued the OpenSSL library that was eventually identified a major flaw in the Bash shell. This vulnerability allows an attacker to execute arbitrary commands, commands that can allow an attacker to gain unauthorized access to a computer system. The main attackers exploited the vulnerability a few hours after its publication to create Botnets with server vulnerability; Yahoo was one of the biggest victims of this exploit.

[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...

Andrea Draghetti

mimikatz @ phdays

Benjamin Delpy

CyberLab CCEH Session - 19 Penetration Testing

CyberLab

Lateral Movement - Phreaknik 2016

Xavier Ashe

Post Exploitation Using Meterpreter

mimikatz @ asfws

Shellcode mastering

Exploitation

Reverse engineering - Shellcodes techniques

Eran Goldstein

Golden ticket, pass the ticket mi tm kerberos attacks explained

Peter Swedin

HIPAA & HITECH Made Easy for Behavioral Health Professionals 1-Hour Webinar At the TeleMental Health institute, we have the option for you to earn CEUs while you learn thee updates of HIPAA and HITECH: For 1 CEU for mental health professionals and nurses, go to this page: for details: http://telehealth.org/hipaa-hitech Join the innovative group of over 1,200 mental health professionals at the TeleMental Health Institute: www.telehealth.org

HIPAA & HITECH Made Easy for Behavioral Health Professionals -- Marlene Maheu

Marlene Maheu

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

Leonardo Nve Egea

HIPAA HITECH training 7-9-12

O2 TESTING SERVICES

HIPAA

Karna *

Ceh v5 module 22 penetration testing

Vi Tính Hoàng Nam

As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers. Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year. Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul. https://www.tinfoilsecurity.com/blog/cross-platform-exploitation

One Shellcode to Rule Them All: Cross-Platform Exploitation

Quinn Wilton

Andere mochten auch (20)

Metasploit for Penetration Testing: Beginner Class

MAITAINING ACCESS

Backtrak guide

Lateral Movement by Default

[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...

mimikatz @ phdays

CyberLab CCEH Session - 19 Penetration Testing

Lateral Movement - Phreaknik 2016

Post Exploitation Using Meterpreter

mimikatz @ asfws

Shellcode mastering

Exploitation

Reverse engineering - Shellcodes techniques

Golden ticket, pass the ticket mi tm kerberos attacks explained

HIPAA & HITECH Made Easy for Behavioral Health Professionals -- Marlene Maheu

OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014

HIPAA HITECH training 7-9-12

HIPAA

Ceh v5 module 22 penetration testing

One Shellcode to Rule Them All: Cross-Platform Exploitation

Ähnlich wie Offensive Security with Metasploit

Web Application Security

MarketingArrowECS_CZ

Securing your web infrastructure

WP Engine

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Chris Gates

Atelier Technique CISCO ACSS 2018

African Cyber Security Summit

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more! Delivered at JokerConf on October 28, 2021 at 11am MDT: https://jokerconf.com/en/talks/lock-that-sh*t-down-auth-security-patterns-for-apps-apis-and-infra/

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...

Matt Raible

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...

Matt Raible

Speaker: Steffan Mejia In this session, we provide a practical and tactical overview of securing your MongoDB infrastructure. We will address the fundamentals of security and security philosophy. Specifically, we'll look at firewalls, managing logins, encryption, and securing backups. Some of the technologies we'll cover include AppArmor / SELinux, SSH/TLS, and LDAP. We will discuss security practices for MongoDB access control, auditing, at-rest encryption, key management, and securing backups. At the application layer, we will discuss how to avoid CSRF, and command injection.

It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...

MongoDB

NPTs

Brandon Levene

The immense potential unlocked by SSI in content-centric social networks (forums) is largely unaddressed by the recent wave of decentralized social networks. Enter ZKorum - a network of verifiable communities where members create anonymous polls and discussions. In this episode, Nicolas Gimenez, the Co-Founder and CTO of ZKorum, unveils the Alpha version and delves into its architecture, drawing inspiration from SSI, DWeb, and Password Managers.

ZKorum: Building the Next Generation eAgora powered by SSI

SSIMeetup

DDoS attacks are bigger and more sophisticated than ever before. Odds are your business is going to be attacked – and without an effective mitigation strategy, you don't stand a chance. In this webinar Andrew Shoemaker a DDoS simulation expert from NimbusDDOS gives you a rare glimpse into how hackers find the weak points in your defenses and exploit them to level devastating DDoS attacks. You'll see real world examples of the tactics and methods used to create tailored DDoS attacks that can bring down a targeted network or application, and learn how best to defend them.

[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...

Imperva Incapsula

No more ARP : Another MiTm Attacks

Khajornchol Puwarang

In recent years it became the norm to wake up to news about hackers, cyber attacks, ransom campaigns and NSA. Since 2003 the Open Web Application Security Project (OWASP) is the go-to reference to learn more about security vulnerabilities. OWASP published a list of the Top 10 most common security issues for Web. In this talk, we will review the list to learn the details and discuss how to harden and defend our Web applications from those vulnerabilities. If you care about your product and customer's data, want to become a better developer or are simply interested in the kind of cyber attacks delinquents use to compromise websites, this talk is for you.

Security Vulnerabilities: How to Defend Against Them

Martin Vigo

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

Alert Logic

Bitcoin's future threats: what’s real and what’s not? Audience votes after panelists release a whitepaper and overview key case studies on: remote exploitation(31), mining resources theft(17), wallet theft(10), fraud or scam(10), crime or terrorism(10), insider threat(8), DDoS(7), phishing(6), coin loss(4), software bug or human error(3), social engineering(1), 51% attack(1), government bans(1). - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1710/bitcoins-future-threats-experts-roundtable-based-on#sthash.MtLRNA1w.dpuf

RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies

Wayne Huang

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra

VMware Tanzu

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...

Matt Raible

La Revolución de la Ciberseguridad!

Cristian Garcia G.

MSP360 Cybersecurity Master Class part 2

MSP360

CrowdSec A-Round Fundraising Deck

CrowdSec

Ähnlich wie Offensive Security with Metasploit (20)

Web Application Security

Securing your web infrastructure

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Atelier Technique CISCO ACSS 2018

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...

It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...

NPTs

ZKorum: Building the Next Generation eAgora powered by SSI

[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...

No more ARP : Another MiTm Attacks

Security Vulnerabilities: How to Defend Against Them

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...

La Revolución de la Ciberseguridad!

MSP360 Cybersecurity Master Class part 2

CrowdSec A-Round Fundraising Deck

Mehr von egypt

Privilege Escalation with Metasploit

egypt

The State of the Metasploit Framework.pdf

egypt

New Shiny in the Metasploit Framework

egypt

Open Source, Security, and Open Source Security.pdf

egypt

Authenticated Code Execution by Design.pptx

egypt

One-Liners to Rule Them All

egypt

Shiny

egypt

State of the Framework Address: Recent Developments in the Metasploit Framework

egypt

Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework

egypt

Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...

egypt

Mehr von egypt (10)

Privilege Escalation with Metasploit

The State of the Metasploit Framework.pdf

New Shiny in the Metasploit Framework

Open Source, Security, and Open Source Security.pdf

Authenticated Code Execution by Design.pptx

One-Liners to Rule Them All

Shiny

State of the Framework Address: Recent Developments in the Metasploit Framework

Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework

Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...

Offensive Security with Metasploit

1. Offensive Security with Metasploit 15 October 2015 TX DIR Telecommunications Forum 1

2. James Lee @egyp7 Metasploit Developer Community Manager # whoami 2

3. I Think Like an Attacker

4. What is Metasploit? A tool for ● Reconnaissance ● Exploitation ● Post-exploitation A Data Clearinghouse A framework for improving and automating all of the above

5. A Brief History of Exploitation

6. Golden Era (up to mid-late 1990s) Silver Era (mid-late 1990s to mid 2000s) Modern Era (late 2000s to now)

7. Golden Era Centralized Computing Universities, Research Orgs

9. Golden Era Exploitation Credentials Configuration errors

10. Silver Era (mid 1990s) Practical portable systems Rise of WiFi Much greater use of technical mitigation

11. Silver Era Exploitation Credentials The rise of client-sides The rise of web exploitation

12. The Age of Worms

13. Email Worms ILOVEYOU Sircam Sobig MyDoom

14. Server-side Worms ms00-078 IIS, solaris sadmin ms01-033 IIS (big list of vectors) ms02-039 SQLServer ms03-026 dcom ms04-011 lsass ms05-039 ms08-067 Sadmind Code Red Nimda Slammer Blaster Sasser Zotob Conficker

15. The web is the Internet Ubiquitous mobile computing Secure Development Lifecycle (SDLC) Modern Era

16. An exploit converts illegitimate access into legitimate access

17. If exploits are getting harder, where do we go?

18.

19.

20.

21. What do they all have in common?

22. Hint:

23. Authenticated Code Execution by Design

24. Back to Golden Era Exploitation Credentials Configuration errors

25. Modern Era Exploitation Credentials Configuration errors

26. Credentials

27. Windows authentication NTLM hashes stored in SAM Logons handled by LSASS.exe ● Cached for Single Sign On

28. Mimikatz In-memory Windows password stealer ● Plaintext password extraction ● Meterpreter extension

29. Mimikatz in action

30. Core Private Public Realm Blank Username SNMP Community NTLM Hash SMB Domain Postgres DB Username Password SSH Key Non-replayable Hash Oracle SID

31.

32.

33.

34. SMB Authentication Auth request; host:BOB

35. SMB Authentication Auth request; host:BOB Challenge

36. user:bob, bob’s hash encrypted with Challenge SMB Authentication Auth request; host:BOB Challenge

37. SMB Authentication Auth request; host:BOB Challenge Login successful user:bob, bob’s hash encrypted with Challenge

38. windows/smb/smb_relay

39. SMB Relay Auth request; host:BOB

40. SMB Relay Auth request; host:BO B Auth request; host:BOB

41. SMB Relay Auth request; host:BOB Challenge Auth request; host:BO B

42. SMB Relay Auth request; host:BOB Challenge Auth request; host:BO B Challenge

43. SMB Relay Auth request; host:BOB Challenge user:bob, bob’s hash encrypted with Challenge Auth request; host:BO B Challenge

44. SMB Relay Auth request; host:BOB Challenge user:bob, bob’s hash encrypted with Challenge Auth request; host:BO B Challenge user:bob, bob’s hash encrypted with Challenge

45. SMB Relay Auth request; host:BOB Challenge user:bob, bob’s hash encrypted with Challenge Login successful Auth request; host:BO B Challenge user:bob, bob’s hash encrypted with Challenge

46. SMB Relay Auth request; host:BOB Challenge user:bob, bob’s hash encrypted with Challenge Login successful Auth request; host:BO B Challenge user:bob, bob’s hash encrypted with Challenge Login Failed go away

47. exploit/windows/smb/smb_relay

48. An exploit converts illegitimate access into legitimate access

49. Post Exploitation

50. The Ps Presence Persistence Pivoting

51. Presence

52. Presence: Processes

53. Persistence

54. Pivoting

55. Pivoting Two* methods in Metasploit ● Route ● Portfwd * Mostly

56.

57. Exploit

58. Payload Reverse Payload