
Metasploit Pro

Certified Specialist

Copyright © 2017 Rapid7


Introductions

About your instructor


About you
• Who are you?
• Where do you work?
• What are your responsibilities?
• What is your experience level with Metasploit?
• What are you expecting to take away from this class?

Agenda
Day 1
• Metasploit Pro (MSP) Product Overview
• Navigating the GUI
• Network Scanning and Imports
• Exploitation Techniques
• Maintaining and Extending Access
• Web Application Testing
Day 2
• Social Engineering
• Automating Metasploit Tasks
• Pivoting and Network Presence
• Troubleshooting and Administration
• Reporting
• Certification Exam Overview
• Practice Exam

Metasploit Pro (MSP) Product Overview

OBJECTIVES:
• UNDERSTAND THE USES FOR METASPLOIT PRO AND BECOME FAMILIAR WITH THE
METASPLOIT PRO WORKFLOW
Metasploit: Penetration Testing Software
• Automate repetitive tasks and leverage multi-level attacks
• Assess the security of web applications, network devices, and
operating systems
• Emulate realistic network attacks based on the Metasploit Framework
• Test with the world's largest public database of quality assured exploits
• Perform social engineering campaigns to assess user awareness

Using Metasploit Pro (MSP)
Two methods of using MSP
• Web browser for the Graphical User Interface (GUI)
• Command line using msfconsole
Projects are created to separate data
• User-defined for ease of analysis or phases (e.g. Internal vs External)
MSP uses tasks for different components of a project
• Tasks are logged for accountability
Wizards are provided for certain tasks
• Simplify and speed up common tasks
• Pre-set most optional settings for reliability or best practices

Metasploit Pro Workflow

Before You Begin
Get written permission to perform testing
• Never accept verbal permission
Clearly define the scope and requirements for testing
• What to assess
• Scan windows
• Expected deliverables
Identify any testing restrictions such as black outs or DoS attacks
Discuss real-time disclosures of immediate risks
Establish an emergency escalation process

During Testing
• Know that not everyone may be aware of your testing
• Make sure the project scope is entered correctly in the project settings
• Be careful impersonating actual third-party companies
• Get written permission before investigating vulnerable targets that were not originally in scope

Navigating the GUI
OBJECTIVES:
• FAMILIARIZATION WITH THE METASPLOIT PRO WEB GUI
Metasploit Pro GUI: Overview
• Multi-user capable web interface
• Default listener on the localhost, port 3790
• Easy, fast, and flexible interface to operate Metasploit Pro
• Complementary to the command line features available in the
msfpro console
• Global settings stores settings for integration with Nexpose,
macros, persistent listeners, and more

Metasploit Pro GUI: Administration Settings
Software Updates
• Option to run a manual update
• No automatic update, by design
User Settings
• Additional users can be added (depends on the MSP licensing)
• Manage/edit user accounts by selecting or clicking on the username
Software License
• Manage licenses
• Upgrade versions

Metasploit Pro GUI: Administration Settings
Global Settings
• SMTP settings
• Nexpose console configuration
• Configure post exploitation macros
• Configure persistent listeners
• Backups

Metasploit Pro GUI: Projects
Consists of a name, network boundaries, and authorized users
• Network boundaries help you set and maintain scope
• Members can be added or removed from projects at any time
No limit to the number of projects you can create
• Create separate projects for each test (internal, external)
• Separate projects allow for more targeted reports
Select Project > Show All Projects from the Project menu or simply click on the
MSP logo to see a listing of all projects

Demo: Home Page and Administrative Settings

Lab 1: Login, Global Settings and New Project

Network Scanning and Imports
OBJECTIVES:
• SCAN THE NETWORK FOR ACTIVE HOSTS
• RUN ON-DEMAND NEXPOSE SCANS
• IMPORT EXISTING SCAN DATA FROM OTHER PRODUCTS
Before You Scan
Gather knowledge of the environment
• Network configuration
• Relevant DNS domain(s)/IPs
• Accessible ports
• Publicly accessible services
Know if stealth is required
Determine what the scanning windows are

Discovery Options
3 options for discovery
• Scan: uses Nmap plus Metasploit Pro extensions
• Import: uses other scanner data
• Nexpose: launches on-demand scan
Scans cannot be paused once launched
Run time for scans or imports varies
Vulnerability scanner results provide more comprehensive data

Port Scanning
Active recon
Potentially noisy, may set off alerts to an attentive target
Identifies live hosts, open ports, and listening services
Sends traffic to a host on each specified port and determines the state of that port based on the response

Nmap Capabilities
• Host discovery
• Port Scanning
• OS Detection
• Service/Version Checking
• Script Checks
• Scripted checks for various other useful pieces of information, such as high-risk vulnerabilities
• Example: script check for the MS08-067 vulnerability that the Conficker worm used to spread back in 2008.

Service Fingerprinting
Nmap ships with a database mapping services to the ports they are commonly
bound to. This is used as a fallback to identify the service
Nmap will grab any banners the service responds with when a connection is
established
Nmap has a database of various probes that will help determine what software is
listening on a given port, and even what version of that software

OS Fingerprinting
Nmap sends dozens of network tests to the host to analyze the behavior of the
network stack
Based on that analysis it makes an educated guess about what OS the host is
running
For technical details on how this OS detection works see:
https://nmap.org/book/osdetect.html

Nmap in the Metasploit Pro Discover Scan
Metasploit Pro’s Discover scan uses a highly customized Nmap scan by default for TCP
Tuned performance and timing options
Targeted port scanning based on existing Metasploit modules
• All targeted ports are explicitly relevant
• All relevant ports will be scanned
Nmap OS Detection is enabled for IPv4 networks

Metasploit Pro – Host Discovery
Uses all Nmap Host Discovery Options
• Ping, Echo/Timestamp requests
• UDP Ping
• ACK Ping for ports 20,53,80,113,443,5060,10043
• SYN Ping for a large number of ports
• ARP Ping
Makes discovery a little slower but gives best possible chance of discovering live
hosts

Metasploit Pro – UDP Scanning
Pro does not use Nmap’s UDP scans
Runs custom Metasploit UDP probe sweeper on selected ports
Faster and much more efficient than running a full UDP scan with Nmap

Service Fingerprinting
Avoids scanning ports with known-fragile services
Printer ports, netBIOS, DNS, RSH
This avoids probing services that might respond in unpredictable ways
Runs a second Nmap scan targeting the found hosts and ports

Metasploit Pro Discovery Scan
Does SMB Enumeration and Discovery
Does SNMP discovery and limited bruteforce (defaults)
Looks for Database Servers and collects info on them
Finds Java RMI servers and checks if they are vulnerable
Checks for WinRM servers and sees if we can bruteforce them
Does information gathering on web servers

Running a Metasploit Pro Discovery Scan
Enter your target IP address range and click the Launch button
• Will auto-populate with project scope
Settings are pre-set so scans can work out of the box
Advanced Options will provide the user with more granular control of the Nmap
scan
After a scan is launched, user will be taken to the Task Log

Importing Scan Data
Completed scans can be imported directly into Metasploit Pro
• Hosts, ports, and services will be imported
• Additional vulnerability information captured in vulnerability scanners will be imported
• More robust data means higher quality results
Supported File Types
• Metasploit Zip Export and XML
• Nexpose Simple XML and XML Export
• Burp Session XML
• Core Impact XML
• Critical Watch Fusion VM reports
• Foundstone Network Inventory XML
• IP Address List (One Address Per Line)
• Libpcap Network Capture
• Nessus XML (v1 & v2)
• Nmap XML
• Qualys Asset XML and Scan XML
• nCircle IP360 (XML v3 & ASPL)
• And more!
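The following is an added example (my own code, not Metasploit Pro's importer) showing what "hosts, ports, and services will be imported" means for one of the supported file types, Nmap XML: it parses a constructed sample document into host, port and service records, keeping only hosts reported up and ports reported open, since closed or filtered ports carry no service to import. The addresses and banners in the sample are constructed.

```python
"""Parse Nmap XML into the host, port and service records an import yields.

Added example, not Metasploit Pro's importer. The XML below is constructed
sample data (RFC 5737 test addresses); real `nmap -oX` output parses the same way.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29" start="1500000000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.12.2"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    proto: str
    port: int
    name: str
    product: Optional[str] = None
    version: Optional[str] = None


@dataclass
class Host:
    address: str
    hostname: Optional[str] = None
    os_guess: Optional[str] = None
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str, include_down: bool = False) -> List[Host]:
    """Return one Host per scanned address with its open ports and services.

    Hosts reported down are skipped unless include_down is set; closed and
    filtered ports are dropped because they carry no service to import."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document (root element is %r)" % root.tag)
    hosts: List[Host] = []
    for h in root.iter("host"):
        status = h.find("status")
        if not include_down and (status is None or status.get("state") != "up"):
            continue
        # Explicit None checks: an Element with no children is falsy, so `or` is wrong here.
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address[@addrtype='ipv6']")
        if addr is None:
            continue  # nothing to key the host record on
        hostname = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        host = Host(address=addr.get("addr"),
                    hostname=hostname.get("name") if hostname is not None else None,
                    os_guess=osmatch.get("name") if osmatch is not None else None)
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = p.find("service")
            attrs = svc.attrib if svc is not None else {}
            host.services.append(Service(proto=p.get("protocol", "tcp"),
                                         port=int(p.get("portid")),
                                         name=attrs.get("name", "unknown"),
                                         product=attrs.get("product"),
                                         version=attrs.get("version")))
        hosts.append(host)
    return hosts


def summarize(hosts: List[Host]) -> List[str]:
    """One line per service, the view an analyst checks before importing."""
    lines = []
    for host in hosts:
        label = host.address + (f" ({host.hostname})" if host.hostname else "")
        if not host.services:
            lines.append(f"{label}: no open ports")
        for s in host.services:
            banner = " ".join(x for x in (s.product, s.version) if x)
            lines.append(f"{label} {s.proto}/{s.port} {s.name} {banner}".rstrip())
    return lines


if __name__ == "__main__":
    for line in summarize(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```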

Nexpose Integration
You can define the target hosts, scan template, and credentials
Provides centralized repository of vulnerability data
Creates a more accurate attack plan
Vulnerabilities can be excluded after manual verification that they cannot be exploited using Metasploit

Vulnerability Validation
Nexpose and Metasploit Pro seamlessly integrate to streamline the
vulnerability validation workflow.
It creates a closed-loop security risk assessment solution so that you can
find potential vulnerabilities, exploit them, and identify the security flaws
that pose a real threat to a network.

The Vulnerability Validation Wizard can:
• Import Nexpose data and auto-exploit the imported vulnerabilities
• Send the validation results back to Nexpose
• Define exceptions for vulnerabilities that were not successfully exploited
• Generate a report that details the vulnerability testing results

Vulnerability Validation

Host Tags
A host tag is an identifier that lets you easily search for hosts, organize assets,
create work queues, and track findings for automatic inclusion in reports
Search for hosts and apply tags manually, tag during import, or tag during
discovery scanning
Tags can be used to target scans, exploits, and reporting
No limit to the number of tags that can be applied to a host

Analysis
Analysis tab provides details on hosts discovered within the project
See status, notes, services, vulnerabilities, captured data, and a logical map of the
discovered network.
See host status:
• Scanned – Host details have been discovered
• Shelled – Host has been successfully exploited
• Looted – Host data has been collected
• Cracked – Host details have been compromised

Network Topology
Logical map of discovered network
Launch scans and other attacks from here against each discovered host

Lab 2: Network Scanning and Nexpose
Validation

Demo: Analysis Tab and Manual Tagging

Exploitation Techniques

OBJECTIVES:
• FAMILIARIZATION WITH EXPLOITATION ACTIVITIES TYPICALLY PERFORMED DURING
PENETRATION TESTING
• COMPARE THE ADDITIONAL FEATURES AVAILABLE FOR A METERPRETER SESSION TO A
TYPICAL COMMAND SHELL
Exploits
An exploit is a program that takes advantage of a specific vulnerability and provides an attacker with access to the target system
Exploits can be remote or client side
• Remote exploits target services on network-connected devices
• Client-side exploits take advantage of vulnerabilities in locally installed software and must be run locally on a system.
Exploits can be automated or manual
• Metasploit Pro uses automated exploits to build an attack plan based on service, operating system, and vulnerability information for a target
• Manual exploits are modules that you can select and run individually.

Exploiting Hosts
Metasploit Pro provides smart exploitation plus individual attack modules
Smart Exploitation - the red exploit button adds automation
• How low is your pain threshold for reliability?
• Concurrent exploitation?
• Payloads, listeners, and connection types (reverse or bind)
• Active ports on target hosts matched to exploits based on selected reliability
All of the previous work and fingerprinting pays off here
Traditional modules and MetaModules extend functionality

Attack Plan
Generated at the start of Smart Exploitation
‘Dry run’ option allows you to review the Attack Plan without launching exploits
Attack Plan matches exploits to targets based on:
• Host OS, ports, services, all data gathered during Discovery
• Exploit applicability – OS, service, etc.
• Exploit reliability
More comprehensive Discovery Data -> More accurate Attack Plan

Modules
Metasploit modules provide granular control over selected exploits
Modules are searchable using key search terms (e.g. CVE-2013)
Include all of the Metasploit Framework modules
• Exploits
• Auxiliary
• Post

https://www.rapid7.com/db/modules/

Payloads
A payload, delivered with an exploit, is executable code that performs a malicious
action such as executing a remote shell.
Payload options in Metasploit include:
• Bind Payloads - A bind shell attaches a command prompt to a listening port on the
exploited system and waits for a connection from the attacking machine.
• Reverse Payloads - A reverse shell creates a connection from the target machine back to
you as a command prompt.
• Meterpreter – A payload proprietary to Metasploit which runs entirely in memory.
• Dynamic Payloads – Dynamically generated binaries for A/V evasion.

Payload Generator
Create a dynamic or classic payload
Can be customized depending on the payload chosen
Use when a standalone binary file is needed to deliver a custom-built payload
Usually delivered via a client-side exploit
Not tied to any specific project

Bruteforcing Hosts
The Bruteforce task attempts a large number of common username and password combinations to gain access
Preset bruteforce profiles are available to tailor the attack depth, which controls the number of username and password combinations tried, to the environment (e.g. dictionary size/complexity)
Attack vector of last resort – noisy and time consuming
Metasploit Pro will color-code bruteforce task logs to help you identify successes and failures.
All successes will be recorded in the database as authentication notes, and you will be alerted via the Hosts Tab
Bruteforcing Hosts
• After you select the hosts that you want to attack, you need to choose the
service logins you want to bruteforce. The services that bruteforce targets are
limited to the following:
• AFP, DB2, FTP, HTTP, HTTPS, MSSQL, MySQL, POP3, PostgreSQL, SMB, SNMP,
SSH, Telnet, VNC, and WinRM.
• You can choose to target all services, or you can choose any combination of
them.
• A login attempt only occurs if the service is open on the host. Otherwise, it is
skipped.

• https://help.rapid7.com/metasploit/Content/bruteforce-credentials/bruteforce.html

Collecting Evidence
Metasploit Pro refers to collected system data as evidence or loot
MSP can automatically collect system data from compromised targets
Evidence provides proof of successful exploitation
• Aids further analysis and penetration attacks
Evidence typically includes:
• System information, Screenshots, Password Hashes
• SSH keys, and other sensitive information
Collected data can be reviewed from several locations
• The ‘Reports’ area of the project
• The Capture Data tab on the Analysis and Host Details pages

Meterpreter
Meterpreter is a Metasploit payload that provides an interactive shell to the
attacker (automatically provided for sessions obtained for Windows, Java, and
PHP)
Can be used to run scripts automating exploits within the network
Capable of numerous post exploitation tasks and customizations
Generates its own payload, uploads the payload and configures it in such a way as to provide the attacker with a way back into the system

Benefits of Using Meterpreter
No new process is needed, as Meterpreter executes in the context of the exploited process, avoiding issues with chroot
Extensions and the server itself run completely from memory, reducing HIDS/HIPS detections
Encrypted communications avoid network detections
Numerous prebuilt scripts, as well as the ability to port scripts across platforms

Confidential and Proprietary


Using Command Shell vs. Meterpreter
Command shell sessions will be created under the following conditions:
• Successful exploit on *nix
• SSH bruteforce on *nix
• Telnet bruteforce on *nix
• Tomcat bruteforce on *nix
Meterpreter sessions will be created under the following conditions:
• Successful exploit on Windows, Java, or PHP
• SSH bruteforce on Windows
• Telnet bruteforce on Windows
• SMB bruteforce on Windows
• Tomcat bruteforce on Windows

Selecting the Meterpreter Session
Session screen presents both status and options
Meterpreter session is active and accessible via the “Command Shell” button
Other options for host pivoting and exploration are also provided

Interacting with Meterpreter
Begin by typing ‘help’ as shown at the bottom to view available commands
Not a true interactive shell like a telnet session but fully functional
Migrate to different processes, hashdump, keyscan logger, and more!

Maintaining Access using Meterpreter
Meterpreter can migrate to stable, interactive processes
Also gain privileged access through:
• Discovery of username/password combinations
• Discovery of blank password or default passwords in system accounts
• Exploiting vendor default settings
Generate and upload a payload using msfpayload or the USB campaign in social
engineering
Both Meterpreter sessions and command line FTP make upload and download
simple

Process Migration
Pick a target process which will have full privileges for the target user
Pick a network-privileged target process
Pick a stable target process
Generally explorer.exe is a good bet
Stays open as long as the user is logged in

Demo: Exploitation Tools

Lab 3: Basic Exploitation
Gaining Access/Creating a Classic Payload

Maintaining and Extending Access

OBJECTIVES:
• UNDERSTAND PRIVILEGE ESCALATION
• UNDERSTAND POST EXPLOITATION ACTIONS (PEA)
• UNDERSTAND AND RUN PASS THE HASH
• UNDERSTAND AND RUN CREDENTIAL METAMODULES
Privilege Escalation
The “foot in the door” is a typical scenario testers will run into
Operating systems offer opportunities to open privilege escalation holes in the target system
Oftentimes low-level access is gained initially, with privilege escalation being the ultimate goal
Opportunities are numerous but typically subtle
Meterpreter has built-in privilege escalation, which tries to get Local System on
Windows

Privilege Escalation
Meterpreter ‘getsystem’ command – automatically tries to escalate privileges from local admin to NT AUTHORITY\System using a variety of well-known techniques
Post exploitation module “Bypasses Windows User Account Control” - creates a new Meterpreter session without UAC restrictions
Other local exploits – there are a number of ‘local’ exploits which will create a new session with enhanced privileges once we have our initial session

Post Exploitation Modules
Discovery of new targets through network exploration and analysis
Password gathering (cached, local, keylogged, sniffed)
Pivoting attacks for deeper compromise & Compromised host analysis

Running Modules
From the Modules tab
• Search using “type:post”
From the Sessions tab
• Run post exploitation modules directly from your session screen
• Click the preferred module and it launches with the target IP address already loaded
• Configure any advanced settings (optional)
• Launch module

Pass the Hash (PTH)
A remote system authentication attack leveraging NTLM (NT Lan Manager) hashes
No need for password cracking – saves time!
Attack works against very long passwords, smart cards, and many other logon
tokens
NTLM hashes were originally used in Windows; now almost every operating
system supports their use
“Vulnerable by Design” – this is a fundamental part of NTLM architecture

Obtaining Hashes
From meterpreter:
• Run ‘hashdump’ or
• Run ‘run hashdump’
From the Active Session View:
• Use the ‘Collect System Data’ button
• Make sure the ‘Collect System Passwords’ setting is enabled



Running PTH
Load the exploit/windows/smb/psexec module
In the module options, enter the hash as SMBPass and the associated username as SMBUser
Use the ‘Pass the Hash’ MetaModule

Lab 4: Leveraging Credentials - Pass the Hash

Cracking Password Hashes
NTLM Hashes can be cracked
Metasploit Pro will attempt to crack weak LANMAN/NTLM hashes
Uses John the Ripper
Only targets weak hashing algorithms for speed
For more complex hashes and advanced cracking options, export credentials from Metasploit Pro for use with dedicated cracking tools

More Credential Sources
Lots of post modules for Windows and Linux that steal credentials, including passwords and SSH keys
Targeted Software includes
• Outlook
• VNC Servers
• Filezilla
• WinSCP
• McAfee
• Skype
• And many more…

The Value of Credentials
Use of legitimate authentication methods for system access
No reliance on exploits
Diverse options for gathering credentials (e.g. social engineering)
Harder to detect compared to traditional exploitation methods
Longevity of access – doesn’t rely on a particular running application
• Possible to set up custom user accounts on the target systems for future use

Lab 5: Leveraging Credentials - Known Credentials
Intrusion

Web Application Testing

OBJECTIVES:
• UNDERSTAND WEB APPLICATION TESTING PROCESS
• PERFORM SCAN, AUDIT AND EXPLOITATION OF WEB APPLICATIONS
Web Application Testing Introduction
Critical testing to ensure proper security over your web servers, web sites and
web-based applications
Often based on the OWASP framework
• Configuration Management
• Business Logic Testing
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Data Validation Testing
• Denial of Service Testing

Web Application Testing in Metasploit Pro
Integrated into the product under the Web Apps tab:
Web Application Scanning
• Spidering web pages
• Looking for forms and active content
Web Application Auditing
• Searching for vulnerabilities in those forms
Web Application Exploitation
• Exploiting found vulnerabilities

Web Application Testing Process
Web scan
• Click “Web Scan” button
• Performs a web spider of web application
Audit Web apps
• Scans active web content and forms for vulnerabilities, such as remote code execution,
cross-site scripting, and SQL injection vulnerabilities
• Matches exploits to identified vulnerabilities.
• Can be bypassed along with web scan if there is data that can be imported
Exploit Web apps

Lab 6: Exploiting Web Apps, Nexpose Integration

Social Engineering

OBJECTIVES:
• BECOME FAMILIAR WITH METASPLOIT PRO SOCIAL ENGINEERING CAMPAIGNS
Client Side Exploits
An exploit that takes advantage of desktop software, such as web browsers, mail
clients, or document viewers and editors
Client side exploits have high success rates because of the multiple products
involved
System is only as secure as its ‘weakest link’
A cornerstone of social engineering

Social Engineering
MSP was created to allow users additional advanced techniques and social
engineering capabilities
There are now 328 current client-side exploits available
Some of the ways to leverage these capabilities includes:
• Browser autopwn
• Signed Java applet
• Creating payloads
• Encoding payloads
• Email, Web and USB attacks

Browser Autopwn (BAP)
Client-side auto attack system will send exploits automatically against a user's
browser with the goal of providing a shell
Only relevant exploits are sent after the browser and OS are fingerprinted
Historically not a penetration tester’s first choice, but when options ran a bit low this was a nice-to-have
Browser Autopwn 2 has been released, with numerous improvements

Browser Autopwn 2 (BAP2)
A complete overhaul of Browser Autopwn
Released July 2015
Separates work into 2 components:
• BrowserExploitServer (BES) gathers information about target browsers
• Browser Autopwn 2 runs the exploit code
Reflects advances in modern web exploitation

Browser Autopwn 2 (BAP2)
Faster
Better Module Management
• Prioritizes higher ranking (more reliable) exploits
• Prioritizes newer exploits
• This adds a dynamic element to BAP2
Ease of Use Improvements
Dry-Run Option

Lab 7: Browser AutoPwn

Successful Campaigns
Fake password reset portal
• Email users to have them enroll
Infected machine
• Find helpdesk staff and impersonate them, ask end user to run your payload
New website
• Craft a new company website and ask a target to review it
Snail mail
• Mail CDs or USBs containing your payload and provide a forged letter or documentation to
gain credibility

Spear Phishing
Targeted approach to phishing
Use information gathered from passive recon phase of project
Generally requires specific knowledge
Tactics used:
• Join similar social networks
• Bribes and bargaining
• Phone phishing

Email Tricks
Why email?
One of the fastest and easiest ways to create a data breach (if done right)
Many people do not take the time to ensure that the sender is legit
Response can be instant
Very versatile
A few tricks…
Targets still trust common files (PDF, JPG, ZIP)
You can create a fake email chain
Play to the season, region, or company

Offline Delivery Mechanisms
Exploits can be delivered via removable media as well:
• USB
• CD / DVD
Metasploit has a Campaign option for creating USB exploit carriers
This sort of campaign offers little control down the road
• You can’t just recall those USB sticks
• Somebody could plug those infected USB sticks in to a system months or years later

USB Attacks
Most people view USB as a passive form of memory
• Not just for file storage – you can also run programs directly from the device
• Autorun capabilities can initiate an attack without the user even knowing it.
Good (but manual) exercise when trying to penetrate a client’s network and other options have failed
You can set up an attack through the Campaign tab, then deliver the USB keys to the victims using real mail, or sprinkled about in the break area or parking lot

Demo: Campaigns

Lab 8: Phishing Campaign

Automating Metasploit Tasks

OBJECTIVES:
• RUN AN END-TO-END PENETRATION TEST WITH THE QUICKPENTEST WIZARD
• UNDERSTAND METAMODULE CAPABILITIES
• UNDERSTAND TASK CHAIN AUTOMATION
• SET UP AND USE A PERSISTENT AGENT & LISTENER
Quick Start Wizards
Streamlined for quick results without having detailed knowledge of or need to set
advanced options
A Target Profile uses the host information obtained by the scan to build an attack
plan based on the system and device type.
Full workflow automation for:
• Quick PenTest
• Phishing Campaign
• Web App Test
• Vulnerability Validation

Metamodules
Automation for individual penetration testing tasks
Full task automation for:
• Credentials Testing, SSH Key Testing
• Known Credentials Intrusion, Pass The Hash, Credentials Domino
• Passive Network Discovery
• Network Segmentation & Firewall Testing

Task Chains
Allow discrete Metasploit tasks to be orchestrated in sequence
Can launch full-lifecycle tasks:
• Discovery
• Access
• Control
• Evidence
Easily re-run entire penetration testing workflows
Schedule task chains to run at set times or on recurring schedules

Demo: Quick Start, MetaModules, Task Chains

Persistent Agent
Automating post exploitation tasks against a particular target requires an active
session on that target.
If the session closes, your automated tasks may fail.
With a persistent agent, you can keep a session active even after a target system
reboot.

Persistent Agent
Configure a Persistent Listener in Metasploit
• This is a service which runs on your Metasploit Console and waits for the target to ‘phone
home’.
Possibility of AV detection
• This does involve installing an agent on the target system.
• Harder to detect if installed from a user account.

Lab 9: QuickPenTest and Agent Persistence

Pivoting and Network Presence

OBJECTIVES:
• USE AN EXPLOITED SYSTEM TO LAUNCH ADDITIONAL ATTACKS
Proxy Pivoting
Creates a gateway on the compromised host
Leverages port forwarding to route traffic
Target becomes an effective SOCKS proxy

VPN Pivoting
Metasploit Pro only feature
Creates VPN tunnel from compromised machine back to attacker
Point-to-Point tunnel allows Metasploit to act as if it is on the same internal
network as the victim
Allows us to talk to everything they can talk to
Allows us to keep digging deeper and deeper into the network

Lab 10: Pivoting

Reporting

OBJECTIVES:
• UNDERSTAND METASPLOIT PRO’S BUILT IN REPORTS
• UNDERSTAND DATA EXPORT FORMATS
• BACK UP AND RESTORE A PROJECT
Automated Report Generation
Generally, reporting is up to 40% of time spent during a penetration test
Automated reporting allows the tester to spend more time doing actual testing
and less time on reporting
The business value of penetration testing is dependent on communicating
information and acting on it

Built-in Reports
Metasploit Pro has built-in reporting
Configurable reporting options
Collects full penetration testing results for easy distribution

Advanced Reporting
Create custom reports
Custom reports leverage user provided templates and logos
Requires using JasperReports iReport design tool to create templates

Data Exports
Back up complete data sets in ZIP format
Export credentials for specialized password cracking tools
Export replay scripts for full task history backup and reuse

Lab 11: Reports, Exports and Backup

Troubleshooting and Administration

OBJECTIVES:
• KNOW THE NAMES AND LOCATIONS OF LOG FILES
• KNOW THE NAMES AND LOCATIONS OF METASPLOIT PRO SERVICES
Metasploit Pro Services Locations
Linux Installations:
• /<installation directory>/metasploit/ctlscript.sh start
• /etc/init.d/metasploit.rc start
• service metasploit start
Windows Installations:
• Start -> Programs -> Metasploit -> Services -> Stop Services, Start Services

Metasploit Pro Services
Metasploit services include the following:
• Prosvc – RPC Server
• Nginx – Web server for the Metasploit UI
• Postgres – Database for all project data
Your browser must have JavaScript enabled so that the Metasploit user interface displays and functions correctly.

Log Files
The following logs are available for you to use to troubleshoot issues:
• Framework log: This log contains information about loading the Metasploit Framework. You can view this log to troubleshoot issues that you may have with running modules. The Framework log is located in /metasploit/apps/pro/engine/config/logs/framework.
• License log: This log contains the events related to product licensing and product updates. You can view this log to troubleshoot problems that you may have applying a license key or installing an update. The license log is located in /metasploit/apps/pro/engine.
• PostgreSQL log: This log documents the start up and shutdown notices. You can view this log to track the latest events in the database. The PostgreSQL log is located in /metasploit/postgresql.
• Production log: This log contains all Rails events. You can use this log to troubleshoot Rails issues, such as routing errors, and to trace the actions that were taken for a particular connection. The production log is located in /metasploit/apps/pro/ui/log.

Log Files - continued
The following logs are available for you to use to troubleshoot issues:
• Pro service log: This log contains the events for the Pro service. You can view this log to troubleshoot errors with the Metasploit service. The Pro service log is located in /metasploit/apps/pro/engine.
• Thin log: This log contains the events for the Thin service. You can view this log to diagnose issues between Rails and Nginx. The Thin log is located in /metasploit/apps/pro/ui/log.
• Web server error log: This log contains all Nginx errors and warnings. You can view this log to identify if an issue is related to Nginx rather than Rails or the Pro service. The error log is located in /metasploit/apps/pro/nginx/log.
• Web server access log: This log contains every GET and POST request to Nginx and logs successful HTTP requests. Use this log to track down Rails issues. The access log is located in /metasploit/apps/pro/nginx/log.
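As an added example (my own script, not a Rapid7 tool) covering the two log-file slides above, the code below inventories each listed log directory under an install root you supply and flags directories that are missing or whose newest file is older than a threshold, which is the first thing to check when a service such as Prosvc, Nginx, Thin or PostgreSQL has stopped writing. The slides give directories rather than file names, so no particular log file name is assumed, and the install tree the demo builds is constructed sample data.

```python
"""Inventory the Metasploit Pro log directories listed on the slides.

Added example, not Rapid7 code. The directories are the slide's paths relative
to the install root; the slides name directories, not file names, so the newest
file in each directory is reported rather than a specific log file.
"""
import os
import tempfile
import time
from pathlib import Path

# Directory per log, as listed on the slides, relative to the install root.
LOG_DIRS = {
    "Framework log": "apps/pro/engine/config/logs/framework",
    "License log": "apps/pro/engine",
    "PostgreSQL log": "postgresql",
    "Production log": "apps/pro/ui/log",
    "Pro service log": "apps/pro/engine",
    "Thin log": "apps/pro/ui/log",
    "Web server error log": "apps/pro/nginx/log",
    "Web server access log": "apps/pro/nginx/log",
}

DAY_S = 24 * 3600


def inspect_log_dir(install_root, rel_dir, stale_after_s=DAY_S, now=None):
    """Describe one log directory: existence, file names, newest file, staleness.

    A directory is 'stale' when it has no files or its newest file is older than
    stale_after_s; the service that should be writing there has probably stopped."""
    now = time.time() if now is None else now
    directory = Path(install_root) / rel_dir
    info = {"path": str(directory), "exists": directory.is_dir(),
            "files": [], "newest": None, "stale": None}
    if not info["exists"]:
        return info
    files = [p for p in directory.iterdir() if p.is_file()]
    info["files"] = sorted(p.name for p in files)
    if not files:
        info["stale"] = True
        return info
    newest = max(files, key=lambda p: p.stat().st_mtime)
    age_s = now - newest.stat().st_mtime
    info["newest"] = {"name": newest.name, "size": newest.stat().st_size, "age_s": age_s}
    info["stale"] = age_s > stale_after_s
    return info


def inventory_logs(install_root, stale_after_s=DAY_S, now=None):
    """Run inspect_log_dir for every log the slides list."""
    return {name: inspect_log_dir(install_root, rel, stale_after_s, now)
            for name, rel in LOG_DIRS.items()}


def missing_or_stale(report):
    """Names of logs whose directory is missing or looks inactive, for triage."""
    return sorted(name for name, info in report.items()
                  if not info["exists"] or info["stale"])


def build_demo_root(root, now):
    """Create a constructed install tree (sample data, not a real installation):
    the engine and nginx dirs get a fresh file, the ui log dir only a 3-day-old
    file, and the framework and postgresql dirs are absent."""
    root = Path(root)
    for rel, age_s in (("apps/pro/engine", 60), ("apps/pro/nginx/log", 60),
                       ("apps/pro/ui/log", 3 * DAY_S)):
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        f = d / "sample.log"  # constructed file name, not a real Metasploit Pro log
        f.write_text("constructed log line\n")
        os.utime(f, (now - age_s, now - age_s))
    return str(root)


def run_demo(now=None):
    """Build the constructed tree in a temp dir and return its inventory report."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_logs(build_demo_root(tmp, now), now=now)


if __name__ == "__main__":
    report = run_demo()
    for name, info in report.items():
        state = "MISSING" if not info["exists"] else ("STALE" if info["stale"] else "ok")
        print(f"{name:22} {state:8} {info['path']}")
    print("needs attention:", missing_or_stale(report))
```

On a real system call inventory_logs with the install root (the directory that contains apps/ and postgresql/) instead of run_demo.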
What if I get locked out?
If you need to reset the password for a user account, you will need to run the resetpw script.
The resetpw script generates a random password for the user account that is currently active.

From the Linux console, enter the following command:

When the Metasploit Password Reset screen appears, it alerts you that the password for the
user account will be changed. Enter yes to continue. A new password is generated.

MPCS Certification & Practice Exam

OBJECTIVES:
• REVIEW THE EXAM DETAILS
• COMPLETE AND REVIEW A PRACTICE EXAM
MPCS Certification
This course includes one attempt at the MPCS exam
• Online exam, 2 hours to complete
• 75 questions
• Passing score of 80%
• Certificate will be located under “Completed”
• Open book/documentation/notes

Practice Exam

OBJECTIVE:
• ANSWER SAMPLE QUESTIONS FROM THE MPCS EXAM
Practice Exam
1. What is the definition of an exploit?
a. A security flaw or weakness in an application or system that enables an
attacker to compromise the target system.
b. A program that takes advantage of a specific vulnerability and provides an
attacker with access to the target system.
c. Information returned from a system, which aids in identifying potential
weaknesses
d. Code that is executed on a compromised system, usually used to increase
access, such as through a shell or creation of an account, or to retrieve
sensitive information.

Practice Exam
2. For client-side exploitation, a ________ can be used to receive inbound
connections from persistent agents on compromised systems.

Practice Exam
3. A persistent listener can be configured:
a. In the Global Settings page
b. In the Project Settings page
c. In the Quick PenTest Wizard
d. None of the above

Practice Exam
4. The primary network tool Metasploit Pro uses for discovery:
a. netstat
b. Nexpose
c. nmap
d. Netcat
e. None of the Above

Practice Exam
5. Match the following host statuses to their description:

Status Name      Description
1- Cracked       a. Host has been exploited successfully
2- Shelled       b. Host data has been collected
3- Scanned       c. Host credentials have been compromised
4- Looted        d. Host details have been discovered

Practice Exam
6. Metasploit Pro refers to collected system data as _______.
a. rubble
b. creds
c. stash
d. loot

Practice Exam
7. Metasploit Pro offers the following type of social engineering techniques,
EXCEPT for:
a. Phishing
b. Client-side exploits
c. Cloud connection
d. USB storage
e. All are offered by MSP

Practice Exam
8. What is the definition of a client-side exploit?
a. An exploit that targets workstations over the network with vulnerable
services.
b. An exploit that takes advantage of desktop software, such as web
browsers, mail clients, or document viewers and editors.
c. An exploit that cannot be used against a server target under any
circumstances.
d. None of the above

Practice Exam
9. When running automated exploits, the _________ defines the exploit
modules that Metasploit Pro will use to attack the target system.
a. Scan data
b. Network map
c. Vulnerability analysis
d. Attack plan

Practice Exam
10. The _________ uses a compromised system to route network traffic.
a. Botnet
b. Meterpreter
c. VPN Pivot
d. Routing Module

Practice Exam
11. _______ is an attack method that attempts to use a looted password hash to
authenticate to a remote system.
a. Hash authenticate module
b. Pass the Hash
c. Loot authenticate
d. Hash login
e. None of these

Practice Exam
12. By default, Metasploit Pro automatically updates.
a. True
b. False

Practice Exam
13. Project data can be exported as XML.
a. True
b. False

Practice Exam
14. You can get a session via SQL Injections.
a. True
b. False

Practice Exam
15. Match the Web Application task to its definition:

Task Name        Definition
1- Web Scan      A. Takes advantage of known vulnerabilities
2- Web Exploit   B. Performs vulnerability checks for injection flaws
3- Web Audit     C. Recursively parses website to find valid URLs

Practice Exam
16. Meterpreter can only be run on Windows Targets.
a. True
b. False

Practice Exam
17. During a Phishing campaign, the Target Addresses are automatically restricted
to the network range of the project.
a. True
b. False

Practice Exam
18. What are the two Pivot types in Metasploit Pro?
a. Forward and Reverse
b. SSH and Telnet
c. VPN and Proxy
d. All of the above are valid
e. None of the above are valid

Practice Exam
19. How does the Browser autopwn work?
a. It sends all known exploits at a targeted browser
b. Only relevant exploits are sent after the browser and OS are fingerprinted
c. A Java applet is sent to all browsers
d. All of the above are features of the browser autopwn

Practice Exam
20. Metasploit Projects require that a specified network range is entered.
a. True
b. False

Additional Resources

• Metasploit Pro Getting Started Guide
• https://community.rapid7.com/docs/DOC-1570
• Metasploit User Guide
• https://community.rapid7.com/docs/DOC-1567
• Metasploit Community
• https://community.rapid7.com/community/metasploit

Thank you and join us at Seaport Boston Hotel and World Trade Center

Attend Pre-Conference Training and attend the Full Conference for Free

www.unitedsummit.org
We want your feedback!!

Please take 3-5 minutes to fill out this survey about the class:

https://www.surveygizmo.com/s3/2181474/Rapid-7-Training-Feedback-Survey

Copyright © Rapid7 2016


Thank you!
