You are on page 1of 188

Metasploit Pro v4.

11
Installation and Usage Class

Michael Lai
Senior Security Sales Engineer
CISSP, CISA, MBA, MSc, BEng(hons)

©Rapid7, LLC 2015 All Material is Privileged & Confidential
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

2
Unified Vulnerability Management
Nexpose offers an all-In-One Solution for Scanning Your Entire Network
• Includes web application security, database security, network security and penetration testing
capabilities

• Allows users to secure more assets with fewer resources despite the rapidly changing threat
landscape

Rapid7 Nexpose, which received the highest
rating of “Strong Positive” in Gartner’s
Market scope for Vulnerability Assessment
2010-2013, leverages one of the largest
vulnerabilities databases to identify
vulnerabilities that represent the greatest
threat to your organization.

3
Metasploit Pro
Metasploit Pro is enterprise-grade software for security professionals who specialize in
penetration testing and require an advanced solution for multi-level attacks that
enables them to get deeper into networks more efficiently.
• Emulate realistic network attacks based on the leading Metasploit Framework

• Test with the world's largest public database of quality assured exploits

• Complete penetration test assignments faster by automating repetitive tasks and leveraging
multi-level attacks

• Assess the security of Web applications, network and endpoint systems, as well as email users

• Tunnel any traffic through compromised targets to pivot deeper into the network

• Collaborate more effectively with team members in concerted network tests

• Customize the content and template of executive, audit and technical reports

4
Some vital vocabulary…

Vulnerability - a security hole in a piece of software, hardware or operating system that
provides a potential angle to attack the system.
• A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection
vulnerabilities.

Exploit - a small and highly specialized computer program whose only reason of being is to
take advantage of a specific vulnerability and to provide access to a computer system.
• Exploits often deliver a payload to the target system to grant the attacker access to the system.

Payload - the piece of software that lets you control a computer system after it’s been
exploited.
• The payload is typically attached to and delivered by the exploit.

5
Vulnerability Detection & Verification
Verification and Exception: Vulnerability reference, Metasploit integration,
individual/site/global exception

Risk Assessment
System and vulnerability

Vulnerability Management Penetration Testing
& Configuration & Threat Validation
Assessment

Risk Validation
Exception list and exploited group
6 6
Metasploit Pro Workflow

7
Lab Environment

Metasploit – Metasploit server
Metasploitable – Linux with vulnerability for attack
WinXP – Window with vulnerability for attack

8
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

9
Initial Setup, User & Project
Student will know how make the Metasploit ready
- How to run initial setup

- How to manage user

- How to build a project
Metasploit Pro Workflow – Launch Metasploit
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

11 Use Web
Exploiting
Initial Setup
Go to “Administration > Software Updates”
Ensure all information is correct
• Product Key

• Product Edition

• Registered To

• License Expiration Date

Run “Check for Updates”
Ensure that host can access
updates.metasploits.com (may be blocked
by URL filtering as hacker category)
12
User Manager
Go to “Administration > User Administration”
Manage user (e.g. add/delete), need extra user license
“Administrator” role can access all projects, manage users, and apply
software updates

13
Metasploit Pro Workflow – Create a Project
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

14 Use Web
Exploiting
Working with Projects in Metasploit Pro
Projects provide a way to organize your penetration test
• Consists of a name, network boundaries, and users authorized to work on them

• Network boundaries help you set and maintain scope

• Individuals can be added or removed from projects

• Anyone is granted to access to a project will have full privilege on this project

15
Create A Project
On the home page, click “New
Project”

Input name and IP range
“Restrict to network range” will
limit to exploit the input IP range
only (e.g. cannot go further via
VPN Pivoting)

16
Project Management
By clicking the “Home”, all available projects will be shown
Individual project can be selected under the “Project”
Select a project to go to it, delete it or edit it

17
Metasploit Pro Look & Feel
The GUI is designed according to the penetration test workflow.

18
LAB - Project

Each student create a project to cover the targeted IP (Metasploitable2
and Windows XP)
To access the project dashboard

19
Questions

Which IP(s) or IP range(s) is included in the project?
What you can see on the Dashboard?

20
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

21
Discover Devices
Student will know how to run scan to fit for his need (environment
limitation) and collect the information for further exploit.
- How to run a scan

- How to import scan result

- How to integrate with Nexpose

- How to find vulnerability
Host Discovery

Three ways to perform host discovery
• Scan using built-in tools and modules

• Import results from other tools

• Nexpose the target network

Choosing the right approach
• The built-in Scan is comprehensive and configurable

• Import works when you already have scan data

• Nexpose is great when you want a full assessment

23
Metasploit Pro Workflow – Use the Scan option
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

24 Use Web
Exploiting
Discovery Devices: Scan

Go to the project and click button
Input the address (range), press at bottom right

25
Advanced Target Settings
Go to the scan page again and click
Nmap parameter and the ports setting can be customized
Click the “?” for more of the field

26
Scan
Scan is optimized for fast and accurate discovery
• All TCP ports are used to send SYN probes, includes ICMP (3 types), UDP, and ACK probes

• Great at detecting firewalled systems

Make sure all common ports are used
• Identify a few systems by hand and scan 65535 ports

• Add any extra open/allowed ports to the list

Useful options for additional discovery
• Specify the TCP source port of the probes

• Custom Nmap command line arguments

27
Discovery Settings
Portscan speed and timeout will affect the network utilization
Extend the host timeout for large or slow network
• Nmap throws away partial results on timeout, set longer timeout

Stealth: is it necessary?
• Any firewall, IPS, flow control

“Dry run” will simulate the scan and
show task log
More options selected, more operation
will be run hence slower the scan

28
Discovery Credentials and Automatic Tagging
SMB credential will be used for share and username discovery on a Windows
network , or on hosts running Samba.
OS tag (e.g. os_windows) can be added automatically.
Web scan will be covered later.

29
Task
The Tasks page is a real-time log of user-initiated activities (e.g., discovery,
bruteforce, exploit, and cleanup), their completion status, and the duration
of completed tasks.
Task(s) can be stopped or replayed. But you cannot pause and resume it.

30
Discovery Devices: Scan Task
• Once starting a scan, the Discovering task will be shown
Green Messages – Good status indicator, designed step can be run
Red Messages – Bad status indicator, designed step cannot go further
Yellow Messages – Successful operation then can go further such as service scanned, exploit
indicator, credential found or session built

31
Passive Discovery
Metasploit will discover the host by monitoring the network traffic. No network
connection will be built in the scan process to avoid detection.
By default, broadcasting traffic is monitored. Specific traffic (e.g. HTTP) can
be monitored but you need to ensure that Metasploit can view it (e.g. mirror).

32
LAB – Discover Device

Scan the two IP in the lab
Disable all the options in Discovery Settings
Enable the “Automatically tag by OS”
Check the result on “Analysis > Hosts”

33
Questions

Where shows the time used to scan?
Where shows any new host found?
Can you see the OS tag? What are they?
Can Metasploit scan find out any vulnerability?

34
Metasploit Pro Workflow – Import your own scan data
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

35 Use Web
Exploiting
Import

Click Import on the manual bar, select the
file, site, etc
Click the question mark to see the supported
file types
Not all data formats are created the same
• If the import is hostname, ensure that it can be
resolved in Metasploit

• OS information is often wrong due to bad sigs and
service information is not as deep as Scan

36
Metasploit Pro Workflow – Use the Nexpose scan
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

37 Use Web
Exploiting
Nexpose
Launch Nexpose scans directly from Metasploit Pro
• Works with Nexpose to find out not only host information but also vulnerability

• Configure the scan targets, template, and credential

• Benefit: offload the scanning job to Nexpose (image you have deployed 100+ Nexpose
scan engine for 20K+ IP in 100+ network segments)

Useful for quick vulnerability assessments
• Large scans are better done through Import to avoid time out issue

• Two supported import formats: XML (Export) – Enterprise Edition only, XML (Simple) –
Supported by Community

• Protip: Choose Export over Simple

38
Add Nexpose Console
Add the Nexpose Console connection under “Administration > Global Settings”
Click “Configure a Nexpose Console” to add or edit
The logic is Metaploit controls Nexpose

39
Nexpose Launcher
Click “Nexpose” on the manual bar to launch
Nexpose scan template can be selected

40
Nexpose Scan Task
A scan task will show the real time finding
Different from Metasploit scan, Nexpose scan will find the vulnerabilies

41
Active Recon: Viewing Vulnerability
Go to “Analysis > Vulnerabilities”
The vulnerabilities found for all hosts will be shown
Click reference icon to check the vulnerability info from Web

42
LAB - Nexpose

Add a Nexpose Console
Launch a Nexpose scan “Penetration Test Audit”

43
Questions

What is the main difference between Nexpose scan and Metasploit scan
in discovery phase?
How can you check the vulnerability information?
If you need to share the Metasploit scan with your colleague and each
of you has an independent Metasploit installation, what can you do?

44
Metasploit Pro Workflow – Import your own scan data
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

45 Use Web
Exploiting
Scan Results
The hosts tab (Analysis > Hosts) will display the detected nodes.
The OS tags will be shown if “Automatically tag by OS” is enabled
Vulnerability will be shown if scanned by Nexpose or host is exploited

46
Hosts Status

A Hosts Status is at the rightmost column
The statuses are:
• 1. Scanned – A device has been discovered.

• 2. Cracked – Credentials were bruteforced but no session
was obtained.

• 3. Shelled – An open session was obtained on the device.

• 4. Looted – Evidence has been collected from the device.

47
Network Topology

Network Topology tag will show how you reach the devices, e.g.
direct, through a router or firewall

48
Host Tagging
Host tagging is assigned as an identifier with a description to the host(s).
Tags can be used to organize assets, create work queues, and track findings
for automatic inclusion into the generated reports.
Click the hosts and click “Tag” on the manual bar to add.
2

1
3

5
4

49
Host Information
Click an address to the host detail
Tag can be added, host information can be edited.

50
Host Sessions
The Sessions tag shows the active/completed sessions and applied module
Proof of gaining access to a host (more in next section “Gaining Access”)
Click the active session to run payload (e.g. collect evidence)

51
Host Vulnerabilities
The scanned vulnerability and success module to exploited are shown
Click the reference icons to access more information from web

52
Modules
The modules associated to the scanned vulnerabilities are shown
It can be launched to validate the vulnerability

53
LAB - Hosts

Add a tag to group two hosts
Add a comment to a host
Locate a vulnerability and check the information on web.

54
Questions

Why does a host have “Looted” status?
If you want to group some hosts, what you should do?

55
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

56
Exploit Basic
After this section, student will know the basic components to manage
exploit and bruteforce
- What is payload

- What is module

- What are client-side attack and server-side attack
Understand Payload
Payload is the code run at the exploited host to deliver a shell to you
Two payload options for exploit and bruteforce
• Meterpreter enables users to control the screen of a device using VNC and to browse,
upload and download files.

• Command Shell enables users to run collection scripts or run arbitrary commands against
the host.

If Meterpreter is selected and it fails, then Command Shell will be used
More discussion in “Take Control of Sessions”

58
Meterpreter: What Is It?

Meterpreter is an advanced dynamically extensible payload that uses in-
memory DLL injection stagers (Windows Only).

Stealthy: Powerful:
• only in memory nothing to disk • channelized communication system

• no process is created • extension are loaded over TLV (TLS/1.0)

• encrypted communication

Extensible:
• features can be loaded over the network to the target

• new features can be added to Meterpreter without rebuilding it

59
Modules
Anyone can develop a module contributed to the community
Leverage all Metasploit modules from one place
• Simple to use search interface with keywords

• All standard exploits extended to target a range

• Use any modules you already know and love

Granular control of module options
• Specify and override any standard options

• Exposes the Advanced and Evasion options

Payload selection is nearly automatic
• Choose Meterpreter vs Shell, choose Reverse vs Bind , select the port range

60
Modules
Click the “Modules” on the top manual bar
Module statics and search keyword format are shown, e.g. CVE, EDB
4+ stars reliable to be used in production (6 levels: 5 - Excellent, 4 -
Great, 3 - Good, 2 - Normal, 1 - Average, 0 - Low)

61
Server Side Attack
Metasploit acts as a client to exploit a server
E.g. a Win XP is exploited - MS10_061 which is a vulnerability on SMB port 445.

62
Client Side Attack
Metasploit acts as a (web) server to exploit the client connecting to it.
Example, a Win7 is exploited via a vulnerability in IE

63
LAB – Module and Exploit

Search “app:server” for Server-Side Attack module
Search the module about “Aurora”
Check the detail of Aurora

64
Questions

For Server-Side Attack, do you need to setup listening IP and port?
What is the CVE code of Aurora?
Is Aurora a “Client-Side Attack” or a “Server-Side Attack”?
Is there a listening port for Aurora?

65
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

66
Gaining Access
After this section, student will know the two methods (Bruteforce and
Exploit) used by Metasploit to gain access (session built)
- How to exploit

- How to run Bruteforce
Metasploit Pro Workflow – Run Automated Exploits
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

68 Use Web
Exploiting
Automated Exploit A Host For Server Side Vulnerability
Select a host then click “exploit
2

1

Select the “Minimum Reliability”
• Low – all matched modules

• Excellent – only matched never crash modules

• Other – between Low and Excellent
4
Click “Show Advanced Options” 3

69
Exploit: Targeting, Payload
Ignore known-fragile devices: weak devices are
selected by the device fingerprint
Payload controls
• If Meterpreter fails, then will try Command Shell

• Select Auto, Bind or Reverse

• Listener Ports and Host are for reverse connection

• Macro is a set of operation to be run

Dynamic Stagers to generate different payloads
to avoid AV detected
Stage Encoding encodes payload in transmission
70
Smart Exploit – Match & Apply
Matching
• OS
• open port (service)
• vulnerability reference (from Nexpose)

Priority
1. Vulnerability reference
2. Reliability
3. Oldest

Apply – Avoid concurrent exploit of the
same host and port
Sessions appear as the exploits succeed
71
Exploit Advanced Settings
Set concurrent exploit, timeout and limit one session only
Transport Evasion (TCP, UDP, SMB, DCERPC): "Low" inserts delays between TCP
packets, "Medium" sends small TCP packets, "High" applies both.
Application Evasion (Fragments): For DCERPC, SMB, and HTTP-based exploits.
Higher levels of evasion indicate more aggressive evasion options.
“Dry run”: run an exploit correlation, print a transcript of the selected exploits,
and immediately quit.

72
LAB - Exploit

Select hosts WinXP and Metasploitable and exploit with “Great Reliability”
Check the sessions on these two hosts

73
Questions

What is the proof of a successful exploit?
If you want to exploit a fragile host, what configuration you need to
set?

74
Metasploit Pro Workflow – Run Manual Exploits
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

75 Use Web
Exploiting
Module Search Example
Search a module
• “name: vulnerability_keyword”
1
• “cve-xxxx-xxxx”

Click the module link use the
module 2
Input the necessary setting
such as Target IP
Click Advanced and Evasion
to fine tune the module
Click Run Module to start 3
4
76
Re-open Session Via Module
Go to the “Sessions” page
Click one “Attack Module” for Metasploitable2 under “Closed Sessions”
You can re-run a successful module to validate the vulnerability has
been fixed or not.

77
Metasploit Pro Workflow – Bruteforce Targets
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

78 Use Web
Exploiting
Why Bruteforce

Most incidents are due to break into an account
To test the weak password
To test the downloaded dictionary
To validate the old password has been changed at all devices
To test the impact if a credential is disclosed

79
Credential Management – Manual Input

To add your credential to test
Click “Credentials > Manage” and 1
2
then “+Add”
For “Manual” input, you need to
select the “Realm Type”. If only
text, set “Realm Type” to “None”. 4

“Public” is the login ID and
5
“Private” is the secret such as 3
password, SSH key and Hash.

80
Credential Management – Export
You select credential to be exported or just click “Export” to export all
Choose the format and export all rows or selected rows
Save and open the export file, you will get the csv file format to upload your
credential

2
3

1
5 4

81
Credential Management - Import
Add your credentials to the CSV file, the uploaded CSV file must be zipped
A message of successful import and the new credential will be shown

1

2

5

3

4

82
Credential Reuse – TARGETS
To use the credential collected from an exploited host and added/imported
A table of scanned services is listed, filter can be applied
Select the target(s) and add target(s) to the list 1

2
4

3

5

83
Credential Reuse – CREDENTIALS
The credentials added/imported manually and collected from exploited host are
listed. Filter can be applied.
Tips: click will show the advanced filter (also for TARGETS)
Select the credentials and add them to the credential list

4 2
1

3

84
5
Credential Reuse – REVIEW
Review the targets and the credentials, delete the item if needed
“Validate only one credential per service” Once a credential has been validated
for a service, Credentials Reuse will stop testing with other credentials.
Be careful that some accounts will be locked after a few login failure
Timeout can be set
4
Click LAUNCH to start

3

2

85
1
Credential Reuse – LAUNCH
Statistics include attempt times, validated credentials, validated targets and
number of successful logins.
All tested credentials and result shown in the table which can be exported.

1

2

86
Bruteforce - TARGETS

Click “Credentials > Manage” 1

“All hosts” will set all the discovered hosts as targets
Target host and service must have been discovered. If
2
input a host not on the project host list, then
bruteforce cannot start.
3
More services selected, longer time is needed.
Beware that some services (e.g. SSH, Telnet) will take
long time to test.

4
87
Bruteforce - CREDENTIALS

“All credentials in this project” will apply all input 1
and collected credentials in this project
2
“Attempt factory defaults” will use the built-in
dictionary, including the factory default e.g. Cisco 3

You can input up to 100 lines of extra credentials
4
You can upload your dictionary with the format shown
in the “Credentials” text box.
5
Select “Use <BLANK> as password” and “Use
username as password” to fit for the uploaded file. 6

88
Bruteforce - OPTIONS
Set the timeout and “Time Between Attempts” to avoid account locked
Mutation will amend the existing password to create new one, e.g. base on
“password” to create “password1”
You can stop bruteforce once a login is successful
Different from REUSE, session can be built by Bruteforce hence payload can be
set 1
4
2

89 3
Bruteforce - Task
The “SUCCESSFUL LOGINS” tag shows the successful information
If a session can be built, the “Attack Module” will be something like
LOGIN_CREDENTIAL

1

2

3

90
LAB - Bruteforce

Run a Bruteforce task
• On the target WinXP and Metasploitable

• Only select services “SMB” and “SSH”

• Select “All credentials in this project” and “Attempt factory defaults”

• Select “Get session if possible” and “Obtain only one session per host”

Check the host “Status”, the host “Credential” tag and the active
sessions on two targets

91
Questions

If you want to test any Window Domain user is using blank password,
what should you do?
If you want to test any device or application which is using factory
setting password, what should you do?
If your company has some common passwords used in lab, how can you
check them in production environment?
Can you login the Metasploitable now? If yes, what is the login ID and
password?

92
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

93
Take Control of Sessions
Student will know what can be done at the target
- More about payload (Meterpreter, Command Shell)

- How to build session from a module

- What can be done on a session
Metasploit Pro Workflow – Take Control of Sessions
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

95 Use Web
Exploiting
Meterpreter Session Example
Under “Sessions”, click an active 1
session
2
Session type (e.g. Meterpreter),
privilege acquired and module used
will be shown 3

A list of available actions are
shown (will discuss below)

96
Session History
The “Session History” tag shows what command (e.g. VNC) and script (e.g.
VPN.rb) have been run, and also the output (e.g. browse file system)
Useful for auditing: what has been done.

97
Metasploit Pro Workflow – Collect evidence
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

98 Use Web
Exploiting
Collecting Evidence
Metasploit can collect system data as evidence
Automatically collect system data from exploits on target systems after
gaining access
Evidence can be used for further analysis and penetration
The evidence typically includes:
• System information

• Screenshots

• Password hashes

• SSH keys

• Some files and data

99
Collect System Data
Collect System Data:
• System Information (OS information), Passwords,
Screenshots, SSH Keys, etc

• Download files matching a pattern

Password and SSH Key collection
• Automatically escalates to SYSTEM

• Registry-based hashdump collection

• Grabs passwd/shadow files on Unix

• Hashes/Keys can be replayed

• Everything stored as evidence

• Can be used in bruteforcing
100
Metasploit Pro Workflow – Meterpreter
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

101 Use Web
Exploiting
VNC Session

Meterpreter sessions allows you to obtain a VNC session
You are provided with two methods of connecting to the remote desktop:
• connect to the desktop using the provided address configuration

• connect using a Java Applet

Metasploit Pro has a VNC client in the form of a Java applet. Please install the
latest Java for your platform
An external client (VNC Viewer) can be used

102
Access Filesystem

Shows all mapped drives to your
current user session*
Browse directories, download,
upload, and delete
All uploads/downloads are logged
as evidence

103
Search Filesystem

Quickly find sensitive documents
Click the file to download it

1

2

3
104
Command Shell

Use “help” to show the available command, Meterpreter Payload has
its own command set. Command Shell Payload will use the OS shell
command.
Meterpreter Command Shell

105
Metasploit Pro Workflow – Create Proxy or VPN Pivots
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

106 Use Web
Exploiting
Pivoting through Sessions
Proxy Pivoting
• No encryption

• For TCP/UDP only, scan is not able to use SYN/ICMP scanning

• Reverse connections not automatically pivoted

• Objective is hiding Metasploit

VPN Pivoting
• Encrypted communication

• Creates a fully-functional interface on the Pro system

• Treat it like any other network interface, transparent, works by relaying Ethernet frames

• Objective is accessing a network that Metasploit does not connect to
107
Proxy Pivot
1
2

3
Using Proxy Pivoting
• Choose the Session you wish to pivot through • Active Pivot indicated in the top-left

• Click the Proxy Pivot action button • Disable pivoting by action button

• All tasks will route through the Pivot • Session termination stops pivot

Proxy Pivoting Tips
• Switch all exploits to use the Bind connection type

• Reduce the number of concurrent scans/exploits
108
Proxy Pivot Example
Without Proxy Pivot: if exploiting the Metasploitable, packet is between
192.168.152.10 (Metasploit Pro) and the target 192.168.152.129 (Metasploitable)
directly.
If Proxy Pivot is enabled at 192.168.152.133 (WinXP)
Metasploit Pro (192.168.152.10) runs an exploit to target Metasploitable (192.168.152.129)
via the Proxy Pivot at WinXP (192.168.152.133)

• According to the package captured at the Metasploitable, packets are only exchanged with
WinXP instead of Metasploit Pro.

109
VPN Pivot Workflow
1. The target must have two interfaces connecting to two different networks.
2. Exploit public facing system and deliver Meterpreter
3. Create VPN Pivot
4. VPN Pivot creates interface on attack machine with connection on far side of
compromised host

2

Public Private
Address Address Enterprise Network
1
Maintenance
Internet Interface
Attacker
DMZ

3

110
VPN Pivot 1
To build the VPN tunnel, you
need to select the remote
available network interface (the 2
remote network IP is shown)
If successful, a Tunneling task
will be run 3

The Metasploit host OS will have
the routing table updated
Be careful of the “Restrict to 4
network range” setting at the
5
project
111
Metasploit Pro Workflow – Post-Exploitation Modules
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

112 Use Web
Exploiting
Post-Exploitation Modules
“Post-Exploitation Modules”
tag lists all the available
modules that can be run on
this session
Some need searching manually

Module Name What it does
persistence_agent Script to carry across reboots

packetrecorder Packet capturing
keylogrecorder Record keylogging to file

webcam New script to grab images or video from webcam
113
Post- Exploitation Modules Example
Find the “Windows Gather
Product Key” and click it
Click “Run Module”
If success, the key will be shown
on “Stored Data & Files” tag

114
Clean Up: Terminate Sessions
At individual session, click “Terminate session”
Or go to the “Sessions” page, click “Cleanup”.
Select the active sessions and then click “Cleanup Sessions”.
No more active session and all sessions are closed

1

3

2
4

115
LAB - Exploit

Create a proxy pivot and exploit the Metasploitable again. At Metasploitable,
use tcpdump to monitor connecion. The command is
• “sudo –i” + password “msfadmin” to switch to root

• “tcpdump –npi eth0” to capture the packet at interface eth0

Run “Collect System Data” on both two targets.
Run module “Windows Gather Credential Collector”

116
Questions

Which system user ID is used to build the session?
How can you take a screen shot?
How many credential (login ID + hash) can be collected?
Can you build the VPN pivot? Why?

117
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

118
Web Application Testing
Student will know how to use Metasploit to exploit a web application”.
- The workflow to exploit a web application

- The common web application attack

- How to prove a web application is exploitable
Web Vulnerability Basic
Layer Example Solution Highlight
User Interface Web page, form, e.g. query page Customer needs to define the solution such as a
Code Self developed code, e.g. Java policy at the WAF or recoding.

Middleware Web service, e.g. Apache Vulnerability from the common software, usually
OS OS platform, e.g. Linux have well known solution, e.g. have CVE and
patch.

If there is a vulnerability at the middleware, it may appear at different
parameters on multiple web pages.
Some web vulnerabilities can be exploited such as SQLi and XSS.
Some web vulnerabilities can be used directly without any exploitation such
as sensitive information disclosure.
Some web vulnerabilities are configuration issue such as weak encryption.
120
Web Application Testing in Metasploit Pro
Integrated into the product under the Web Apps tab:
• Web Application Scanning: spidering web pages, looking for forms and active content,
detecting sensitive data leakage and configuration isssue

• Web Application Auditing: searching for exploitable vulnerabilities in those forms

• Web Application Exploitation: exploiting found vulnerabilities

121
Metasploit Pro Workflow – Use Web Scanning
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

122 Use Web
Exploiting
WebScan
You can start at
3
• Under a project “Web Apps > WebScan” (1, 2)
4
• “WebScan” on the project page (3)

• On the project page, click “Scan”, “Web Scan
Setting” and “Web Crawler Settings” will be shown
under “Show Advanced Options”. (4, 5)
5

1

2
123
WebScan
Seed URLs (URLs here is not
restricted by the project setting)
Max request per pages (more you set,
more your find)
Max amount of time per pages (longer
you set, more your find)
# of concurrent requests per website
Select the discovered web services
from previous scan or import

124
Advanced Options: URL access and Transport Layer Security

Sensitive data and controlled URL can be defined
If the weak encryption is due to known vulnerability (e.g. FREAK), it can be A9-Using
Components with Known Vulnerabilities
125
WebScan: Web Crawler Settings

Path can be excluded (e.g. *logout*)
Credential for HTTP basic/digest
authentication can be set (e.g. AD
authentication enabled on IIS)
Cookie is supported (only support static
cookie), you can login with a browser and
then copy the cookie here
HTTP user agent can be customized

126
Web Apps Found
The Web Scan finding will be shown on “Web Apps” tag
IP address, Web site URL, service name, number of pages and forms are shown
Form is where Metasploit will audit
Click “Show All” at the right to access the scanned vulnerability (more later)

1

127
Metasploit Pro Workflow – Use Web Auditing
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

128 Use Web
Exploiting
Running a Web Audit
1
Click “Audit Web Apps”
Audit will test the Web Apps by sending
2
common attack input (e.g. some charachers)
Max concurrent HTTP requests: higher it is,
faster the audit
Time limit/form: higher it is, more
vulnerability will be found
Select the Target Web Apps: Metasploit will
send different input to test the vulnerability
Check for insecure direct object reference:
129 A4 of OWASP 2013
Web Audit Result
Web audit result will be updated on the “Web Apps” page
The number of vulnerability is shown (e.g. 8 in example below)
Click the “High” under “Risk” column or “Show All” under “Vulns” column
to view the vulnerabilities.
1

2

130
Metasploit Pro Workflow – Use Web Exploiting
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

131 Use Web
Exploiting
Exploiting Web Applications
The web app with vulnerability is shown with kind of vulnerability (e.g.
SQLi, XSS), path, confidence level, method involved, parameter and proof
Click the “Path” URL for vulnerability detail (e.g. the XSS)

1

132
Web Applications Vulnerability detail
You can customize the field and replay the attack
For example, <script>alert(“Xssed”)</script> to test XSS, if it is GET,
then you can see the script on the URL
3
1

4
2

133
LAB – Web Apps

Run a “Web Scan” to find the web application running on the
Metasploitable.
Select the URL http://IP/mutillidae/ run the “Web Audit” for 10 minutes
(if using default to scan all web applications, it may take a few hours)
Try to replay a XSS attack with a customized words
• E.g. <script>alert(“Xssed”)</script>

134
Questions

What three steps are used in Metaploit to exploit web application?
Can you name some OWASP Top 10 2013 vulnerabilities?
What web vulnerability(s) can be detected during web scan?
In actual XSS attack, what is usually injected instead of Alert(“Xssed”)
which is used in the example?

135
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

136
Reports
Student will have ability to take out data or information from
Metasploit.
- How to generate a report

- How to customize a report

- How to export data
Metasploit Pro Workflow – Generate Live Reports
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

138 Use Web
Exploiting
Reporting: Translating Results into Actions

2 1

Reporting can export the information you need
for further action
3
Click “Reports” tag to generate and view report
Click “Standard Report” to generate report 4
Different report types have different file format
options and different setting shown below
Give a name of the report
5 139
Some Report Setting Examples
Customized logo can be uploaded
Different report type has different sections
available
“Mask discovered credential” may be a good
practice
Result ordering is for Web App Assessment report
Report can be sent to some recipients once it is
generated, need to setup SMTP server in
“Administration > Global Settings”

140
Report Sample
Creating report will take some time (1)
Once created, the number of new available report will be shown (2)
You can click the report to view it (3)

2
1

3

141
Report Sample

The report view allow you to generate
other file format (1)
You can select the report and send to
other recipient (2, 3, 4)
You can download the report and delete 2

it (4)

1
4

3
5
142
Customized Reports
• Click the “Create Custom Report” to upload your report collateral (1)
• Report can be customized by Jasper iReport and template can be downloaded
at the bottom of the “Reports” page (2)
• Logo file and report template can be uploaded (3, 4)

1 4

3

2
143
Export Data
Project data can be export in XML and Zip Workspace to share finding with
another auditor
Password Dump can be reused in bruteforce
Replay script is used in console mode (command line)

1 3

2

4
144
LAB - Reports

In order to save time, please only select one host for below operations
Generate a standard report
Upload a logo and generate a custom report
Try to run “Export Data”

145
Questions

Can you generate a report in multiple formats?
Which standard report type should be used to view the detailed
credential found?
What format of export data should be selected for exporting NTLM
password hash?

146
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

147
Social Engineering
Students will know Social Engineering is more about idea to find out
vulnerability at human (not system) to let him fall in the trap
- “Campaigns” is used to launch Social Engineering in Metasploit Pro

- How to use Web, Email and USB in Campaigns

- Common way to attract user
Metasploit Pro Workflow – Social Engineering
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

149 Use Web
Exploiting
Email Tricks and Delivering Executables
Why email?
• It is one of the fastest and easiest ways to create a data breach (if done right)

• Many people do not take the time to ensure that the sender is legit

• A response can be instant

A few tricks…
• Targets still trust .PDF

• You can create a fake email chain

• Play to the season

Delivery…
• Link sending user to malicious website

• Embedded payload downloadable from link within the email itself
150
Campaigns
Social Engineering in Metasploit Pro, click “Campaigns”“ on the manual bar
• Client-side exploits available via Modules • Customize web and email

• Web, Email, and USB modes • Easily combine all three

The objective of using campaigns is to test the users’ security awareness
and exploiting client system

151
Typical Phishing Campaigns

Give a name and select Phishing Campaign
Workflow:
• Send the phish email with phisling link (landing page)

• User open the email

• User click the link to the landing page (usually a form to
ask for sensitive data or with exploit stores)

• User input data to the form

• Use will be redirected to another page (e.g. show warning
message)

152
Phishing E-mail General Settings
Fill the General (envelope information): Subject, From address and
From name.
Tips: copy from real

153
Target List

Phishing email will be sent to the email address on the target list
The three fields (Email Address, First Name and Last Name) can be
used as variables in the content.

154
Phishing E-mail Content
Content supports rich text and plain text, you can copy from a real email
Insert the landing page URL to the correct item such as button
Customizing the space, add the variables: {{first_name}}, {{last_name}},
{{email_address}}.
Preview and save the E-mail
Plain text edit may be needed

155
Landing Page Settings
Click “Landing Page” to configure the web page content.
Set the path at the web server and redirect URL.
A good practice is set up a false login page and redirect to the real login page.
If “Campaign Redirect Page” is selected, you need to setup the redirect page on
the same web server.

156
Landing Page Content
Click “Landing Page” to configure the web page content.
Or you can clone the content from another Website.
Don’t forget the Preview

157
Configure E-mail Server and Web Server
Set up the E-mail Server (SMTP gateway) to send out email. Connection
will be tested once “Save” is clicked.
Web server must be the same IP/host of the Metasploit but you can set
any hostname. Support HTTP or HTTPS at any port.

158
Launch The Campaign
If everything is correct, the campaign is “Launchable” and it can be started.
Connection to the E-mail server will be tested once “Save” is clicked

159
Custom Campaign
Custom campaign has three components: Email, Web and Portable File (USB).
You can run component independently, e.g. only Web.
There are more attack type other than “phishing” for web.

160
Custom Web Campaign – Exploit & Autopwn
Exploit allows you to load one client side attack module
“Browser Autopwn” will fingerprint HTTP clients to exploit them automatically.
Next is 'DefangedDetection' which does only the fingerprinting part. Lastly, 'list'
simply prints the names of all exploit modules that would be used by the
WebServer action given the current MATCH and EXCLUDE options.

161
Custom Web Campaign – Serve File
“.exe agent” will place an agent exe file on the URL, usually this file will be
detected as backdoor code.
“.File format exploit” will load the selected File Format Exploit module which
usually will be detected as backdoor code too.
“User supplied file” allows you to upload a file to be loaded at the URL.

162
Custom Web Campaign – Java Signed Applet
Module “Java Signed Applet Social Engineering Code Execution” will run in the
background, exploiting client systems as they connect.
This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin,
then signs the it. The resulting signed applet is presented to the victim via a
web page with an applet tag. The victim's JVM will pop a dialog asking if they
trust the signed applet.

163
Start The Custom Web Campaign

Once a campaign is ready,
you can start it.
For attack type is Java
Signed Applet, a java
security warning will be
shown.

164
Real Time Campaign Status
Once a campaign is started, the “Findings” dashboard will come out to the
status such as module used, session built, email sent, etc.

165
Campaign Task Log
The task log shows the URL, loaded module for exploit attack type,
connected IP, email sent, etc.

166
Campaign Report
There is dedicated campaign called “Social Engineering Campaign Details”.
Select the Campaign’s data used in the report

167
Reusable Resources
The email templates, web templates and malicious files can be uploaded and
reused in any campaign.
Email target list can also be built here.

168
Spear Phishing
Targeted approach to phishing
Use information gathered from passive recon prep work done when
beginning the audit
Requires specific knowledge many times
Tactics used:
• Join similar social networks • Phone phishing

• Bribes and bargaining

Using MSP to Spear Phish…
• Look at the project view from a big picture to understand opportunities

• Attack related targets • Numerous potential payloads
169
LAB – Social Engineering

Set up a Custom Web Campaign
Set the Attack type as “Browser Autopwn”
User browser to connect to the web campaign URL and check the log
Generate the report “Social Engineering Campaign Details”.

170
Questions

Will the out-of-the Phishing campaign run exploit code at the target?
Which attack type will try multiple client side exploit module?

171
Agenda
Introduction Take Control Of Sessions
Initial Setup, User & Project Web Application Testing
Discover Devices Reports
Exploit Basic Social Engineering
Gaining Access Advanced Techniques

172
Advanced Techniques
Students will learn the technique of some automated work to improve
the efficiency
- Payload Preference

- Post-Exploitation Macros

- Persistent Agent
Global Settings
Click “Administration > Global Settings”
HTTP payload are useful for client-side attacks or social engineering campaigns,
it will help to build the connection if the victim is behind a proxy
HTTPS will encrypt the connection but may not work via proxy
“Updates” will check any new update available and show notification icon, you
can set using proxy to check update (proxy set under Software Update)

1

174
Post-Exploitation Macros

Automatically launch post-exploit modules once a host is exploited
“Administration > Global Settings > Post-Exploitation Macros”, click “New Macro”
Input a name and click “Save” hence the module table will be shown

1
3

4
2

175
Post-Exploitation Macros
Search filter can be applied
Move the mouse on the module, the green plus icon will be shown at the
right, click it to add this module
A module configuration will be shown, click “Add Action” to add it
Click “Update Macro” to save the new added module
1

2
3

4

176
Persistence Listener
Persistence listener is a service running at Metasploit to
accept the payload connection, it must be associated 3
with a project.
Select the payload connection, e.g. HTTPS on IPv4
If the post exploitation module “Persistent Agent” is run,
a listener will be launched automatically
1

2

177
Persistence Agent
“Persistent Agent” is a post exploitation module which will make the target
connect back to Metasploit after reboot
You can set agent age or use “Persistent Agent Cleaner” later to remove it
Task log will show the copy of the agent file
1

5
3

2 4

178
Payload Generator
Payload can be a code (e.g. exe file) to be run directly at the target, it will
connect back to a listener at Metasploit (1)
Classic has more configuration, Dynamic generates payload avoid AV detection (2)
“Payload Generator” can generate payload for different OS (3), connection type
(4) must match with the listener (5)
2
3 4 3
1 4

5

179
Nexpose Vulnerability Validation
A Nexpose console must been added in “Administration > Global Settings >
Nexpsoe Console”
“Vulnerability Validation” wizards on the home page
A new project will be created and you need to give a name to it
You can import an site from Nexpose, all hosts in the site will be have auto-
exploitation applied. Or you can select a scan template for Nexpose to scan on
the target(s)
2
3

3 4
3
1
4 5
180
Nexpose Vulnerability Validation
Exploit is pretty much the same as “Exploit a host” discussed above except
there is an option of “Clean up session when done”
Report can be generated after the validation automatically but only two types
can be chosen

181
Exception Feedback
Select the green tick vulnerabilities, then click “Nexpose Exception”.
Select the Nexpose Console where to feedback exception list. You can
configure the exception such as expiration date.
For each vulnerability, select the reason. Then click “Create Exceptions”.

182
LAB – Advanced Techniques

Add a Macro with exploit “Windows Gather Credential”
Add a Persistence Listener with the new added Macro
Implement the persistence agent on the WinXP
Restart and login the WinXP, then check the session
Run a Vulnerability Validation Wizard by importing the site from
Nexpose

183
Questions

If you want to run the same post-exploitation modules every time a
device is exploited, what should you do?
In the lab, after the WinXP rebooted, what information you can find
that the agent is working?

184
Summary

185
Metasploit Pro Workflow – Launch Metasploit
0. Launch 1. Create a 2. Discover 3. Gain Access to 4. Take Control of 5. Gather
Metasploit Project Devices Hosts Sessions Evidence

Collect system
Use the Scan Run Automated Use Command
evidence from
option Exploits Shell
sessions

Import your own Run Manual Use the Virtual Generate Live
scan data Exploits Desktop Reports

Access/Search
Use the Nexpose Filesystem
Bruteforce Targets
scan

Create Proxy or
VPN Pivots
Use Web Scanning Use Web Auditing

Post-Exploitation
Modules
Social
Engineering

186 Use Web
Exploiting
Resource

Metasploit home site: product news, search module, download
• http://www.metasploit.com

Metasploit community: documents, information sharing, ask questions,
videos
• https://community.rapid7.com/community/metasploit

Technical Support email:
• support@rapid7.com

187
Metasploit Professional Training
Congratulation! Training Completed!

188