Vivek Ramachandran
Founder, SecurityTube
http://www.securitytube.net
©SecurityTube.net

SecurityTube Metasploit Framework Expert (SMFE)
http://www.securitytube.net/smfe
Vivek Ramachandran
Course Instructor

SecurityTube Certifications

SecurityTube Vision
The SMFE course material is made available entirely FREE to the community. Please feel free to download and distribute the videos as you please.

Demo of RPC DCOM
• Lab Setup:

Understanding Basic Terms

How does Exploitation work?
1. Vulnerability
2. Exploit
3. Payload

On a more serious note …
[Diagram: Attacker; Exploit + Payload; Vulnerable computer; Data Download, Malware, Rootkit etc.]

Typical Process of a Compromise

Scan for Ports and Services

Finding Open Ports

Service Fingerprinting

Finding a Vulnerability

Technical Details

Any Hackers out there?

Running RPC DCOM Exploit

Uh-Oh?

Example – RPC DCOM
• Vulnerability
– http://www.microsoft.com/technet/security/Bulletin/MS03-026.mspx

Challenges in using individual Exploits
Enter Metasploit!

End of SecurityTube Metasploit Framework Expert Part 1 – Exploitation Basics

SecurityTube Metasploit Framework Expert Part 2 – Why Metasploit?

Lesson Lab Setup

Challenges in using individual Exploits
Enter Metasploit!

Metasploit Framework
• Tool for development and testing of vulnerabilities

Metasploit for Pentesting!

Demo of Portscan with Metasploit

Demo of RPC DCOM using Metasploit

Setting the Payload

Exploit!

Using More Exploits - Netapi

Same Exploit, Different Payload

Demo – Metasploit Add User

Limitations of using specific Payloads
• Individual payloads can only do single tasks
– Adduser
– Bind shell to port
– …
• Most exploits include a remote shell (command interpreter) creating payload
• Disadvantages:
– Creation of new process may trigger alarm
– For chrooted apps, even execution of command interpreter may not be possible
– Limited by commands the shell can run

What we need is …
• A payload which:
– Avoids creation of a new process
– Should run in the exploited process' context
– Should not create a new file on disk (anti-AV)
– Creates a "platform" which allows importing more functionality remotely ("extending")
– Allows for writing scripts which can leverage this platform

End of SecurityTube Metasploit Framework Expert Part 2 – Why Metasploit?

SecurityTube Metasploit Framework Expert Part 3 – Meterpreter Basics

Lesson Lab Setup

What we need is …
• A payload which:
– Avoids creation of a new process
– Should run in the exploited process' context
– Should not create a new file on disk (anti-AV)
– Creates a "platform" which allows importing more functionality remotely ("extending")
– Allows for writing scripts which can leverage this platform

• Meta-Interpreter
• Post exploitation tool
• Works by using in-memory DLL injection and native shared object format
– http://www.securitytube.net/DLL-Injection-Basics-video.aspx (Prasanna K)
• Does not create any files on disk
• Uses encrypted communication
• Provides a platform to write extensions
• Stable, flexible and extensible

Meterpreter
• Resembles a command interpreter
• Ships with default set of core commands
• Can be extended at runtime by shipping DLLs to the victims
• Large list of things you can do with the Meterpreter:
– Command execution
– In-memory process migration
– Registry read/write
– File system access
– Pivoting
– … endless possibilities using custom extensions

How does it all work?
Source: nymissa.org/wp-content/uploads/2008/03/msf_no_speaker_notes.ppt

Communication between Meterpreter Client – Server
• Communication is Encrypted
• In the form of TLVs (Type-Length-Value)
• Multiple channels of communication can use the same client-server connection
– TLV allows for tagging of data with channel numbers
– Allows for multiple programs running on the victim to communicate at the same time
– Demo of channels

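The channel-tagging idea on this slide, as an added Ruby example that is not SecurityTube's or Metasploit's code: a minimal TLV codec in which every record carries a channel number, so the output of several programs on the victim can be demultiplexed from one connection. The byte layout (4-byte big-endian length covering the whole record, 4-byte type, 4-byte channel id, then the value) and the two type codes are assumptions chosen for illustration, not Meterpreter's actual wire format; the sample stream is constructed.

```ruby
# Added example: a simplified channel-tagged Type-Length-Value codec.
# Layout (assumed, not Meterpreter's): | length | type | channel | value |
# with the three header fields as 4-byte big-endian integers.

TLV_TYPE_DATA  = 1   # assumed type code: payload bytes for a channel
TLV_TYPE_CLOSE = 2   # assumed type code: channel is finished
HEADER_SIZE    = 12

# Serialise one record. The length counts the header too, so a reader
# can frame records without knowing their types in advance.
def tlv_encode(type, channel, value)
  value = value.to_s.b
  [HEADER_SIZE + value.bytesize, type, channel].pack("N3") + value
end

# Parse a byte buffer into records. A truncated trailing record is
# returned as leftover so the caller can read more bytes and retry;
# a length smaller than the header is rejected rather than looping.
def tlv_decode(buf)
  records = []
  pos = 0
  while buf.bytesize - pos >= HEADER_SIZE
    len, type, channel = buf.byteslice(pos, HEADER_SIZE).unpack("N3")
    raise ArgumentError, "bad TLV length #{len}" if len < HEADER_SIZE
    break if pos + len > buf.bytesize          # incomplete record
    value = buf.byteslice(pos + HEADER_SIZE, len - HEADER_SIZE)
    records << { type: type, channel: channel, value: value }
    pos += len
  end
  [records, buf.byteslice(pos, buf.bytesize - pos)]
end

# Demultiplex: collect each channel's data in arrival order and forget
# a channel once a CLOSE record for it arrives.
def demux(records)
  streams = Hash.new { |h, k| h[k] = "".b }
  records.each do |r|
    case r[:type]
    when TLV_TYPE_DATA  then streams[r[:channel]] << r[:value]
    when TLV_TYPE_CLOSE then streams.delete(r[:channel])
    end
  end
  streams
end

# Constructed sample: two programs' output interleaved on one connection.
def sample_stream
  tlv_encode(TLV_TYPE_DATA, 1, "dir C:\\") +
    tlv_encode(TLV_TYPE_DATA, 2, "ipconfig") +
    tlv_encode(TLV_TYPE_DATA, 1, " /w") +
    tlv_encode(TLV_TYPE_CLOSE, 2, "")
end

if __FILE__ == $0
  records, rest = tlv_decode(sample_stream)
  demux(records).each { |ch, data| puts "channel #{ch}: #{data.inspect}" }
  puts "leftover bytes: #{rest.bytesize}"
end
```

The length check matters for anyone writing a decoder for traffic like this (for instance in a network sensor): a zero or undersized length field from a malformed or hostile peer would otherwise keep the parser at the same offset forever.
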
Demo

End of SecurityTube Metasploit Framework Expert Part 3 – Why Metasploit?

SecurityTube Metasploit Framework Expert Part 4 – Framework Organization

Accessing Metasploit
Msfd
Msfconsole
Armitage
• Modular Architecture
• Modules
– Exploits
– Auxiliary
– Payload
– Encoder
– Nops
Source: Metasploit Unleashed

Msfconsole Basics

Exploring the Metasploit Directory

Exploit Modules

Payload Modules

Payloads In-depth
• Singles
– Self-contained payloads which do a specific task e.g. create user, bind a shell
– E.g. windows/adduser
• Stagers
– Required as Singles cannot deliver an arbitrarily large payload in one shot, depending on the exploit
– Creates a network connection between attacker and victim
– This is used to download Stage payloads
– E.g. windows/shell/bind_tcp (Bind TCP Stager)
• Stages
– Downloaded by the Stagers and executed
– Typically do complex tasks like VNC, Meterpreter etc.
– E.g. windows/shell/bind_tcp (Windows Command Shell)

End of SecurityTube Metasploit Framework Expert Part 4 – Framework Organization

SecurityTube Metasploit Framework Expert Part 5 – Post Exploitation Kung-Fu

Phases of Post-Exploitation

Understanding the Victim Better

End of SecurityTube Metasploit Framework Expert Part 5 – Post Exploitation Kung-Fu

SecurityTube Metasploit Framework Expert Part 6 – Post Exploitation Privilege Escalation

Phases of Post-Exploitation

Privilege Escalation

End of SecurityTube Metasploit Framework Expert Part 6 – Post Exploitation Privilege Escalation

SecurityTube Metasploit Framework Expert Part 7 – Post Exploitation – Kill AV and Firewall

Phases of Post-Exploitation

Log Deletion and AV Killing

End of SecurityTube Metasploit Framework Expert Part 7 – Post Exploitation – Kill AV and Firewall

SecurityTube Metasploit Framework Expert Part 8 – Post Exploitation – Stdapi and Priv Extensions

Phases of Post-Exploitation

Collecting Data and Running Programs on Victim
• Search for a file
– .doc, .ppt
• Download files
• Download registry
• Download application data
– Outlook pst
– Browser passwords/sessions
– Other software data … vmware, putty etc.

Running programs on the remote computer
• Running programs already available

Understanding Windows Desktops
• Session 0 typically represents the console
– Others represent remote desktop sessions

Stdapi commands for desktop
• Enumdesktops
• Getdesktop
• Setdesktop

Priv commands
• Usernames and Password hashes are stored in the SAM file
– Hashdump
– Crack using Ophcrack and other tools
• Getting System
– Getsystem
– Tokens and impersonation

End of SecurityTube Metasploit Framework Expert Part 8 – Post Exploitation – Meterpreter Extensions

SecurityTube Metasploit Framework Expert Part 9 – Post Exploitation – Token Stealing and Incognito

Phases of Post-Exploitation

Incognito Extension

Windows Security
• Every user on a windows system is identified by a unique Security Identifier (SID)
• SID is of the form: S-Revision Level – Identifier Authority Value – domain or local ID – Relative ID
e.g. S-1-5-21-3623811015-3361044348-30300820-1013

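The SID layout on this slide, as an added Ruby example (not part of the SMFE material): a parser that splits a SID string into the fields listed above and labels the relative ID, which is what an analyst looks at when deciding whether a token found on a host belongs to a built-in account, a domain group, or an account created after installation. The well-known RIDs in the table (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users) are documented Windows values; the sample SIDs besides the slide's own are constructed.

```ruby
# Added example: parse a Windows SID string into its components.
# Field names follow the slide: revision, identifier authority,
# domain-or-local sub-authorities, relative ID (RID).

# Documented well-known RIDs (a small subset).
WELL_KNOWN_RIDS = {
  500 => "Administrator",
  501 => "Guest",
  512 => "Domain Admins",
  513 => "Domain Users",
}.freeze

# "S-1-5-21-3623811015-3361044348-30300820-1013" =>
# { revision: 1, authority: 5,
#   sub_authorities: [21, 3623811015, 3361044348, 30300820], rid: 1013 }
def parse_sid(sid)
  m = /\AS-(\d+)-(\d+)((?:-\d+)+)\z/.match(sid)
  raise ArgumentError, "not a SID: #{sid.inspect}" unless m
  subs = m[3].split("-").reject(&:empty?).map(&:to_i)
  {
    revision: m[1].to_i,
    authority: m[2].to_i,
    sub_authorities: subs[0...-1],   # identifies the domain or local machine
    rid: subs[-1],                   # identifies the account within it
  }
end

# Label a RID: a well-known name, "user-created" for RIDs of 1000 and
# above (Windows allocates those to accounts and groups created after
# installation), otherwise a well-known RID not in the table above.
def describe_rid(rid)
  WELL_KNOWN_RIDS.fetch(rid) { rid >= 1000 ? "user-created" : "well-known (not in table)" }
end

# Two SIDs refer to the same domain (or the same local machine) when
# everything except the RID matches. Useful when sorting the tokens seen
# on a host into "local" and "from the domain".
def same_domain?(sid_a, sid_b)
  a, b = parse_sid(sid_a), parse_sid(sid_b)
  a.reject { |k, _| k == :rid } == b.reject { |k, _| k == :rid }
end

if __FILE__ == $0
  sid = "S-1-5-21-3623811015-3361044348-30300820-1013"   # the slide's example
  info = parse_sid(sid)
  puts "#{sid}: RID #{info[:rid]} is #{describe_rid(info[:rid])}"
end
```
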
Understanding Tokens
[Diagram: User – Primary Token (• SID • Groups • Privileges • Other info…) – Process; Required Privileges]

Impersonation Tokens
[Diagram: user1, user2, user3 – FTP Server Process – Primary Token (• SID • Groups • Privileges • Other info…)]

Attacks on Impersonation Tokens

Local Privilege Escalation
[Diagram: Server Process – Impersonation Thread 1 – Token for Admin]
• Service with low privilege allows users including admin to login using windows credentials
• Creates a thread for each user and impersonates him
• Attacker exploits the service
• Attacker has access to all tokens being impersonated by the service
• E.g. SQL Server where one may connect as Admin using Windows Auth

Domain Privilege Escalation
[Diagram: Server Process – Impersonation Thread 1 – Token with Delegation for Admin]
• Once hacker gets his hands on an Impersonation token with delegation allowed he uses it to get access to other machines in the domain
• Impersonation tokens with delegation are generally created for interactive sessions
• Might use the admin's workstation as the starting point

End of SecurityTube Metasploit Framework Expert Part 9 – Post Exploitation – Token Stealing and Incognito

SecurityTube Metasploit Framework Expert Part 10 – Post Exploitation – Espia and Sniffer Extensions

Meterpreter Espia Extension

Meterpreter Sniffer Extension

End of SecurityTube Metasploit Framework Expert Part 10 – Post Exploitation – Espia and Sniffer Extensions

SecurityTube Metasploit Framework Expert Part 11 – Post Exploitation – Backdoors

Phases of Post-Exploitation

Persistence - Backdoor

Demo

Metsvc - Backdoors

Demo

3rd Party Backdoors and Rootkits

End of SecurityTube Metasploit Framework Expert Part 11 – Post Exploitation – Backdoors

SecurityTube Metasploit Framework Expert Part 12 – Post Exploitation – Pivoting

Phases of Post-Exploitation

Pivoting
[Diagram: Internet – Server 1 – Server 2]

Pivoting Attack Demo
[Diagram: Internet – Server 1 – Server 2; addresses 10.10.10.20 and 192.168.1.10]

SecurityTube Metasploit Framework Expert Part 13 – Post Exploitation – Port Forwarding

Phases of Post-Exploitation

Port Forwarding
[Diagram: meterpreter; Internet – Server 1 – Server 2; Local Listener]

Port Forwarding Attack Demo
[Diagram: Internet – Server 1 – Server 2; Local Listener on Port 25000]

SecurityTube Metasploit Framework Expert Part 14 – Client Side Exploits

It's a Client side World!

Browser Exploits

SecurityTube Metasploit Framework Expert Part 15 – Backdoor Executable

Backdoor Executable

Msfpayload Summary

Stand Alone Binary

Setup a Web Server

Access over the HTTP Server

Setting up Metasploit

windows/shell/reverse_tcp

Receiving it

Executable Template

Packing Executables

SecurityTube Metasploit Framework Expert Part 16 – Exploit Research with Metasploit

Exploit Research

Exploit Research Megaprimer

SMFE Exam Inclusions

Never end without a demo!

SecurityTube Metasploit Framework Expert Part 17 – Railgun Basics

Meterpreter Scripts and Post Exploitation Modules
• Ability to run code on the remote system
• Can we load any DLL on the remote system and run code from it?
• Enter Railgun!
http://dev.metasploit.com/redmine/projects/framework/wiki/RailgunUsage

Railgun

Using Railgun

Using Railgun with Function Arguments
client.railgun.(DLL Name).(Function Name)(arg1, arg2 …)
e.g. client.railgun.netapi32.NetUserDel(arg1, arg2)

Argument Direction
• IN parameters
– Memory allocation is managed for Data Pointers
– All others encoded in machine readable form
• OUT parameters
– Data Pointers
– Specify size of the OUT parameter in function call
• Railgun manages memory allocation

Accessing Return Values

More Fun Stuff

SecurityTube Metasploit Framework Expert Part 18 – Railgun Adding Functions

Too Good to be True?

Not All Functions in the DLL are Defined

Adding New Function Definitions

Adding Function Definitions on the Fly

Adding Function Definitions Ahead of Time

SecurityTube Metasploit Framework Expert Part 19a – Railgun Adding New DLLs

Finding List of Existing DLLs

Adding DLL Definitions on the fly
• Use client.railgun.add_dll(DLL_NAME, DLL_LOCATION_PATH)

Mpr.dll (WNetGetUser)

Adding Support for Mpr.dll
• Add DLL
client.railgun.add_dll("mpr", "c:\\windows\\system32\\mpr.dll")
• Add Function
client.railgun.add_function("mpr", "WNetGetUserW", "DWORD", [
  ["PWCHAR", "a", "in"],
  ["PWCHAR", "b", "out"],
  ["PDWORD", "c", "inout"]
])

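The Argument Direction slide in Part 17 and the WNetGetUserW definition above, as one added Ruby example that is not Metasploit's Railgun code: a stand-alone model of how a [type, name, direction] parameter list constrains what a caller must supply, applying the slide's rules (IN data pointers are filled from the value given, OUT data pointers are passed as a buffer size that Railgun allocates, INOUT takes an initial value). The function names `define_function` and `check_call`, the constant `WNET_GET_USER_W`, the pointer-type list and the sample calls are all assumptions made for this example; only the triple-list shape and the type names PWCHAR, PDWORD and DWORD come from the slides.

```ruby
# Added example: validate a Railgun-style function definition and a call
# against it, offline, using the direction rules from the slides.
# Not Metasploit code; the checker and its rules are an assumption.

# Illustrative list of data-pointer types (PWCHAR and PDWORD are the
# ones the slide uses; the others are assumed for the example).
POINTER_TYPES = %w[PWCHAR PCHAR PDWORD PBLOB].freeze
DIRECTIONS    = %w[in out inout].freeze

# A definition takes the same [type, name, direction] triples that the
# add_function call on the slide takes. Rejects malformed definitions.
def define_function(dll, name, ret_type, params)
  params.each do |type, pname, dir|
    raise ArgumentError, "#{name}: bad direction #{dir.inspect} for #{pname}" unless DIRECTIONS.include?(dir)
    if dir != "in" && !POINTER_TYPES.include?(type)
      raise ArgumentError, "#{name}: #{pname} is #{dir} but #{type} is not a data pointer"
    end
  end
  { dll: dll, name: name, ret: ret_type, params: params }
end

# Check a call's arguments against the definition before anything is
# sent to the remote process. Returns a list of problems; empty = valid.
def check_call(fn, args)
  problems = []
  if args.size != fn[:params].size
    problems << "#{fn[:name]}: expected #{fn[:params].size} arguments, got #{args.size}"
    return problems
  end
  fn[:params].zip(args).each do |(type, pname, dir), arg|
    pointer = POINTER_TYPES.include?(type)
    next if pointer && dir == "in" && arg.nil?     # NULL pointer is allowed for IN
    case dir
    when "out"
      # Caller supplies only the buffer size; Railgun allocates and returns it.
      unless arg.is_a?(Integer) && arg > 0
        problems << "#{pname} (out): give a buffer size in bytes, not #{arg.inspect}"
      end
    when "in", "inout"
      if pointer && type.end_with?("CHAR")
        # String pointers are filled from a Ruby string.
        problems << "#{pname} (#{dir}): string expected for #{type}" unless arg.is_a?(String)
      elsif pointer
        # Other data pointers (e.g. PDWORD) take the initial integer value.
        problems << "#{pname} (#{dir}): integer expected for #{type}" unless arg.is_a?(Integer)
      end
      # Non-pointer IN values are simply encoded as-is, so nothing to check here.
    end
  end
  problems
end

# The definition from the slide, expressed through the checker.
WNET_GET_USER_W = define_function("mpr", "WNetGetUserW", "DWORD", [
  ["PWCHAR", "a", "in"],
  ["PWCHAR", "b", "out"],
  ["PDWORD", "c", "inout"],
])

if __FILE__ == $0
  # Constructed sample calls: a valid one and one that hands a string
  # where the OUT parameter needs a buffer size.
  p check_call(WNET_GET_USER_W, [nil, 512, 256])
  p check_call(WNET_GET_USER_W, ["", "buffer", 256])
end
```

The point a reviewer of a post-exploitation script would take from this: an OUT parameter is the one place where the caller, not the DLL, decides how much memory is reserved, so its size must be stated explicitly in the call, exactly as the Argument Direction slide says.
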
Adding DLL Definitions Ahead of Time

SecurityTube Metasploit Framework Expert Part 20 – Resource Scripts

Resource Scripts

SecurityTube Metasploit Framework Expert Part 21 – Database Support

Why Database Support?

Database Support

Hosts, Services and Vulns tables

SecurityTube Metasploit Framework Expert Part 22 – Using Plugins

Best of All Worlds!
• How do you bring the best of all worlds to Metasploit?
– Enter Plugins!

Plugins

Available Plugins
• Nmap
• Nessus
• Nexpose
• Wmap
• …

SecurityTube Metasploit Framework Expert Part 23 – Meterpreter API Basics

Meterpreter

Exploring the Meterpreter Codebase
• Core Codebase
– lib/rex/
• Meterpreter Related
– lib/rex/post/meterpreter/

Use (client_core.rb)

Migrate (client_core.rb)

Stdapi
• Fs
– Dir, File, Filestat
• Sys
– Config, process, registry, eventlog, power
• Net
– config, socket
• Railgun
• Webcam
• Ui

Fs (stdapi)
• client.fs.dir.pwd
• client.fs.dir.entries_with_info()
• …

Sys (stdapi)
• client.sys.config.sysinfo
• client.sys.config.sysinfo["OS"]
• …

Net (stdapi)
• client.net.config.get_interfaces
• client.net.config.get_routes
• …

SecurityTube Metasploit Framework Expert Part 24 – Meterpreter Scripting – Migrate Clone

Meterpreter Scripting
• Locate APIs

Cloning Migrate

SecurityTube Metasploit Framework Expert Part 25 – Meterpreter Scripting – Process Name Search

Process Name Search

SecurityTube Metasploit Framework Expert Part 26 – Social Engineering Toolkit

Social Engineering Toolkit

Tons of Options

Social Engineering Attacks

Website Attack Vector